
Opening a VPN tunnel back to the mothership can be blocked. I can vouch that plenty of real security-conscious sites take steps that would prevent that from working for you. There are plenty of sites that seem to do a full whitelist-only connection list for their external network, with things in between checking the protocol internals to the extent they can too.

You can push a VPN connection over any port, but honestly, given some of the scrutiny I've been put through for some of the network stuff I've put out, I still wouldn't care to guarantee that some high-security customer out there wouldn't notice that your "HTTP connection" is actually a VPN connection. By the time you're writing something deceptive enough to get through that, you're running the risk of some very nasty stories being run in the security press about your practices.

It is not the case that everybody in the world just throws all their devices on to the network and then lets everything on it have unfettered outbound access.
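As an added illustration of the "checking the protocol internals" the comment above describes (this is example code written for this page, not anything from the commenter or from any product), here is the kind of first-packet check a whitelist-only egress gateway can run on outbound flows to 80/443. It labels the first client bytes as HTTP, a TLS ClientHello, or an OpenVPN-over-TCP hard-reset, and blocks anything that does not match what the destination port is supposed to carry. The function names and the sample flows are assumptions constructed for the example; the byte signatures are the standard protocol prefixes.

```python
"""Added example: classify the first client-to-server bytes of an outbound TCP
flow and enforce "port 80 must be HTTP, port 443 must be TLS".  Function
names and sample flows are constructed for this example."""

# Request-line prefixes of plaintext HTTP.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")

# OpenVPN control-channel opcode for P_CONTROL_HARD_RESET_CLIENT_V2.
OPENVPN_HARD_RESET_CLIENT_V2 = 7


def classify_first_bytes(data: bytes) -> str:
    """Return a coarse protocol label for the first bytes a client sends."""
    if data.startswith(HTTP_METHODS):
        return "http"

    # TLS record header: content type 0x16 (handshake), version 0x03 0x0x,
    # 2-byte record length, then handshake type 0x01 (ClientHello).
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] in (0x01, 0x02, 0x03, 0x04) and data[5] == 0x01):
        return "tls-clienthello"

    # OpenVPN over TCP: 2-byte big-endian packet length, then one byte of
    # (opcode << 3) | key_id.  A client hard reset is opcode 7, and the
    # packet is 14 bytes: opcode(1) + session id(8) + ack count(1) + packet id(4).
    if len(data) >= 3:
        packet_len = int.from_bytes(data[:2], "big")
        opcode = data[2] >> 3
        if opcode == OPENVPN_HARD_RESET_CLIENT_V2 and 14 <= packet_len <= 1500:
            return "openvpn-tcp"

    return "unknown"


def egress_verdict(dst_port: int, first_bytes: bytes) -> tuple:
    """Allow only the protocol the destination port is whitelisted for."""
    proto = classify_first_bytes(first_bytes)
    expected = {80: ("http",), 443: ("tls-clienthello",)}.get(dst_port, ())
    return ("allow" if proto in expected else "block", proto)


# Constructed sample flows: (destination port, first bytes the client sent).
TLS_HELLO = (b"\x16\x03\x01\x00\xc8"          # handshake record, length 200
             + b"\x01\x00\x00\xc4\x03\x03"    # ClientHello, length 196, TLS 1.2
             + bytes(32))                     # client random (zeros here)
OPENVPN_RESET = (b"\x00\x0e"                  # packet length 14
                 + b"\x38"                    # opcode 7, key id 0
                 + bytes(8)                   # session id
                 + b"\x00"                    # ack count
                 + bytes(4))                  # packet id
SAMPLE_FLOWS = [
    (443, TLS_HELLO),                                        # normal HTTPS
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (443, OPENVPN_RESET),                                    # "HTTPS" that is really a VPN
    (443, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),   # plaintext where TLS is expected
]


def run_samples():
    """Apply the verdict to every sample flow; returns a list of (verdict, protocol)."""
    return [egress_verdict(port, data) for port, data in SAMPLE_FLOWS]


if __name__ == "__main__":
    for (port, data), (verdict, proto) in zip(SAMPLE_FLOWS, run_samples()):
        print(f"port {port}: {proto:16s} -> {verdict}")
```

This only inspects the first bytes, which is exactly the level at which the comment's caveat applies: a tunnel that wraps itself in a genuine TLS ClientHello passes this check, and catching it needs the deeper, more deceptive-looking analysis the comment warns about (flow timing, record sizes, SNI and certificate checks on a TLS-terminating proxy).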



And of course it's fine to block connections you don't recognize, or to whitelist connections in the first place. But I maintain that within a network of devices you own, the solution to untrustworthy devices on your network is to use more trustworthy devices, not to weaken internet standards for everyone else.


the solution to untrustworthy devices on your network is to use more trustworthy devices

This kind of "oh, only buy perfect end devices" is advice just as worthless as "oh, only buy service from perfect ISPs that don't make you want to encrypt traffic."


It doesn't have to be perfect. It should, however, not actively work against its owner, and the manufacturer should provide enough information and access that the device's owner can be reasonably confident that the device is acting in their interests.



