actually, i lied. ICMP messages can be dropped by one of the next hops in the path. you'd have to tracepath/traceroute to find out how far into their network you can get also they may have allowed UDP in general, or at least not blocked it on whatever paths or ports. there are tools to explore all of this if you are curious. you didn't say what kind of VPN you were using also. some use UDP. that's why i suggested that also. i get why you are interested though. this ISP's security guys are obviously lazy or stupid.

From the modem I can also fire a traceroute, it immediately returns a timeout. Instead dig works. I told that in a previous repky, the VPN uses WireGuard. It seems to me a classic Occam's razor situation.