Finding hardware VPNs with nmap or similar?

I am working with a cybersecurity "team" to map out my school's network. We are doing this because our IT department is rather incompetent, and we need to set up some infrastructure for our team, so the only way to make it happen is to figure things out ourselves and go present it to them without having to ask any questions.

From what I can see, all the schools are connected to the county's central office through either a VPN or a physical link. They go from there through some switches/routers onto the public internet.

I am using ZenMap/nMap to figure things out, and have been able to find a lot so far, however I can't seem to confirm/deny my VPN suspicion. Is there a way to tell when traffic is traversing a VPN? If I had to guess, this is either Windows Server's VPN, or it is a Cisco/HP/Adtran hardware VPN. I don't know much about any of those, but based on the IT team's past nature I am guessing that would be their choice.

(Note: Please do not tell me to try and reason with the IT department. Myself and my teachers have tried that for nearly 5 years now. It doesn't work.)

Thanks guys!

There is probably a better way of doing it but if you can check the MTU of packets you send over the suspected vpn, if it is bellow 1500 or whatever the maximum should be then you can assume it's a vpn. If you know what the overhead for different vpn protocols are and the MTU comes back at what you would expect the maximum of the VPN to be that would be a pretty good indication.

You should be able to test it easily by doing a ping and disabling packet fragmentation.

Can I get the MTU from the ping tool at command prompt in Windows, or do I need to use something else? nmap? wireshark?

Should be able to do it in Windows. Try ping ip -f -l 1500 if there's a vpn or something else which is lowering your MTU that should fail, then just lower your packet size until you find the highest one that works and that's your MTU.

So if I'm understanding Wikipedia right, MTU is just the max amount of data contained in a single packet. So why does that lower over a VPN?

The VPN tunnel imposes an overhead. So the VPN packet is 1500 but the packet inside the tunnel will be 1450 or something.

I believe your idea worked. In my brief fiddling with it just now pinging the internet-facing L3 switch, I can only get it to work with a 1450 MTU. <1450 tells me it needs to be fragmented.

Do you happen to know a way to test this on an HP ProCurve switch? I may be able to get access to one on the other side of the suspected VPN, so if it doesn't have the 1450 maximum there, that really narrows down where it stops and starts.

If you can run ping on the switch (unlikely) you can do the same thing. But the options for the Linux version of ping are different so you'll want to look that up. Otherwise see if you can get access (physical or ssh) to something on the other end.

Is 1500 the default? Because I am pinging some things on the local subnet (that I know are physically connected to the same switch as the machine I'm pinging from) and I'm not able to use anything bigger than 1450 there either. Can this be set by DHCP or group policy or something?

1500 is the default. Not sure why it's not working. Maybe try pinging with UDP as TCP has overhead as well. Not sure what the option is for that.

Doesn't Windows ping tool use ICMP? I thought that didn't use TCP.

Edit: Never mind. According to the internet, ICMP ends up adding 28 bytes to the length. Using 1472 in Windows ping tool works, 1473 does not, so MTU everywhere must be 1500.