TLS MitM downgrade it all to 1.2, then snoop the certificate and use that to identify is one way to monitor. Block anything that won't permit downgrade unless you can whitelist.
Proprietary VPNs have signatures within call set up process unless they're intentionally being obfuscated.
Two ways to increase the amount you catch some more. Takes care alongside the dull stuff of all IPSEC, all Watch guard, various Proprietary, various hiding behind TLS.
The rest traffic analysis.
I imagine they'll do this in stages with basic identification from IP and port in-line, interesting/unknown stuff kicked over to the next level of analysis with applications DPI'd and if TLS and not known okay if TLS 1.2 certificate is snooped if 1.3 attempt downgrade to 1.2. Other apps depends on policy.
After this see what's up. If using a known bad certificate: block, if downgrade refused: block.
If a flow is still unknown IPFix or NetFlow from ISP. If the customer has a flow the DPI can't categorise open for a long period carying a lot of traffic relative to rest of the traffic it's a VPN tunnel. If there is no other traffic they've a VPN on their router.
Lowering the bar completely if the system can't categorise it, disrupt it.
At least some of the blocking kit is out of line, and is sending either forged TCP resets or ICMP Unreachable messages of some sort to break things. If there's a basic check inline that can just drop things that fail its quick checks.