
snowhale yesterday at 8:31 PM

[dead]


Replies

jodrellblank yesterday at 8:59 PM

> "pure HTTPS port 443 -- you literally can't block it without breaking the web."

Sure you can, you do Man In The Middle certificate inspection and then filter it aggressively like it was HTTP; that's the product companies like Zscaler offer, and basically any business/enterprise firewall device - internet filtering to protect your company and prevent or detect data exfiltration and malicious activity. Or perhaps you could say that does 'break the web' but companies do it anyway and pay a lot of money so they can do it. (Zscaler is a $23Bn market cap company).

ronsor yesterday at 8:41 PM

Honestly, at that point I'd just run SSH over WebSockets with websocat. WebRTC only adds extra complexity. Tailscale DERP relay servers also run over port 80/443 anyway.

frizlab yesterday at 8:39 PM

In the company where my father works some HTTPS services are blocked too…