
I'm using the guest Wi-Fi at a large corporation, and connecting to a commercial VPN provider via the OpenVPN client. I do not know one way or another if a proxy is used on the guest Wi-Fi, but I know that a proxy is used on the main network. I noticed that a particular website was timing out. I'm not sure why, but I immediately thought that somehow a proxy had inserted itself into the mix. Looking around, I found an old question where the answers said "too bad so sad". However, that was 6 years ago, and certainly a lot has changed.

Is it possible for Windows 10 to silently connect to a proxy, even if I am running an OpenVPN client and connecting to a commercial VPN provider? If so, would the proxy have any control or visibility into what my web browsing was?

It's my understanding that the VPN should go through or around the proxy and therefore the proxy should only see encrypted traffic to the VPN provider. However, enterprises typically have ways to break the rules by throwing lots of money at the problem. However, a transparent SSL proxy should require a custom certificate or root store to be added to the PC, which I have not done, nor was I prompted to do so.

YetAnotherRandomUser

1 Answer

The answer is simple, although there are some items to clear up:

  1. Yes, a proxy can put itself in the middle, and if you are using a network at a large corporation, it's virtually guaranteed that there are servers (aka proxies) between you and the internet. There is always someone between you and the internet.
  2. However, that doesn't mean that the proxy can intercept your VPN traffic. Intercepting your traffic is impossible unless you installed their root certificate on your machine (which you didn't).
  3. However (again), that doesn't mean that there can't be other ways for them to cause trouble for your attempts to browse the web.

To jump to the chase, the most relevant question is whether or not your DNS traffic is going through your VPN. This question is a good starting place for that. If your DNS requests are going through the VPN then in general you should be able to browse the internet without issue (although note that there are still other ways that a VPN might leak information about your internet traffic).

However, if your DNS requests are not going through the VPN, then it is possible for the network to detect and block your traffic at the DNS level (which is where pretty much all browser requests start). Most computers are set up so that they automatically get the location of the DNS server from whoever is providing internet access - in this case, the corporation you are visiting. If you are using the DNS servers of the corporation, then they can absolutely track the domains you visit and block you from viewing anything they consider objectionable.

Unfortunately, it can sometimes be difficult to make sure your DNS requests are going through your VPN. Most computers, unless otherwise configured, will check with your ISP (in this case, the corporation) for hints on where to go for DNS resolution. As a result, it is very easy for your ISP to retain control over the DNS requests on your computer. Of course a good VPN should attempt to make sure that all DNS traffic goes through the VPN channel as well, but it isn't always that simple. DNS resolution can be a complicated dance between your computer's networking system and your browser, and just because you installed a VPN, there's no guarantee that all DNS traffic is going through it, especially if any network configuration has been changed on either your computer or browser. See the question linked above for a starting point.

So, if the "ISP" is handling your DNS traffic, then they can track what domains you visit and block your access. However, they would not be able to view the actual traffic you send to that domain, including the list of URLs you visit.

Conor Mancone
  • This is a relevant issue I've had on one network where `some` HTTPS requests are blocked even though DNS goes through the VPN https://serverfault.com/questions/981618/some-vpn-traffic-blocked-to-secure-endpoints – LTPCGO Sep 17 '19 at 00:31
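
To check the answer's point about DNS staying outside the tunnel, this added example (not part of the original question, answer or comment) parses the text of `ipconfig /all` and lists DNS servers configured on any adapter other than the VPN one. The sample output, the function names and the adapter-name hints are constructed assumptions.

```python
import re

# Constructed sample of `ipconfig /all` text (not captured from a real host).
SAMPLE = """\
Unknown adapter OpenVPN TAP-Windows6:

   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   DNS Servers . . . . . . . . . . . : 10.8.0.1

Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Intel(R) Wireless-AC 9560
   DNS Servers . . . . . . . . . . . : 192.168.50.1
                                       192.168.50.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Assumption: the tunnel adapter is recognisable from its name or description.
VPN_HINTS = ("tap-windows", "wintun", "openvpn")

def parse_adapters(text):
    """Return {adapter name: {"description": str, "dns": [addresses]}}."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        header = re.match(r"^\S.*? adapter (.+):\s*$", line)
        if header:
            current = adapters.setdefault(header.group(1), {"description": "", "dns": []})
            in_dns = False
        elif current is None or not line.strip():
            continue
        else:
            # Labelled fields read "Name . . . : value"; bare lines continue a list.
            field = re.match(r"^\s+(.*?)[ .]+: ?(.*)$", line)
            label, value = field.groups() if field else (None, line.strip())
            if field:
                in_dns = label == "DNS Servers"
            if label == "Description":
                current["description"] = value
            elif in_dns and value:
                current["dns"].append(value)
    return adapters

def dns_outside_tunnel(text):
    """DNS servers configured on adapters that are not the VPN tunnel."""
    return {n: a["dns"] for n, a in parse_adapters(text).items() if a["dns"]
            and not any(h in f"{n} {a['description']}".lower() for h in VPN_HINTS)}

if __name__ == "__main__":
    print(dns_outside_tunnel(SAMPLE))
```

A resolver listed on the Wi-Fi adapter is one the local network handed out, so queries sent to it are visible to that network. OpenVPN's Windows client has a `block-outside-dns` option intended for this case.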