
How do you block a VPN though? Do you just constantly chase after their IP addresses? I mean Netflix and similar services do try but with not much luck really.


Netflix do it with a good amount of success I thought.

Self-hosting a VPN is still beyond the vast majority of consumers and every big player in the market has their IP ranges mapped thoroughly.


You use deep packet inspection to detect and block VPN protocols. Ask the Egyptian gov!


That isn't at all the same problem: Netflix is trying to block being accessed by a VPN, while China/Russia/etc. want to block users from talking to a VPN.


How do you block "talking" to a VPN?


When packets traverse the edge router, IX, cable (landing) station, ... if they're recognised as VPN traffic, then the server's IP (or IP / port) is added to a blacklist; every subsequent packet is dropped.

https://en.wikipedia.org/wiki/Deep_packet_inspection
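
The mechanism described in the comment above, as an added example that is not part of the thread: a payload-signature check over UDP packets that lists the server endpoint on a match and drops later packets to it. The class and function names are hypothetical, the packets are constructed, and the two signatures assume WireGuard's handshake initiation and an OpenVPN client hard reset without tls-auth.

```python
# Added illustration; names are hypothetical, packets below are constructed.
WG_INIT = b"\x01\x00\x00\x00"   # WireGuard handshake initiation: type 1 + 3 reserved zero bytes
WG_INIT_LEN = 148               # fixed size of that message
OVPN_RESET = 0x38               # OpenVPN P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7 << 3, key id 0)


def classify(payload: bytes):
    """Return a protocol label for one UDP payload, or None if no signature matches."""
    if len(payload) == WG_INIT_LEN and payload[:4] == WG_INIT:
        return "wireguard"
    # Without tls-auth: opcode byte, 8-byte session id, empty ack array, packet id 0.
    if len(payload) == 14 and payload[0] == OVPN_RESET and payload[9:] == bytes(5):
        return "openvpn"
    return None


class EdgeFilter:
    def __init__(self):
        self.blocklist = {}  # (server_ip, server_port) -> label that triggered the listing

    def handle(self, server_ip, server_port, payload):
        """Verdict for one client-to-server packet: 'drop' or 'pass'."""
        key = (server_ip, server_port)
        if key in self.blocklist:
            return "drop"                # listed endpoint: the payload no longer matters
        label = classify(payload)
        if label:
            self.blocklist[key] = label  # trigger packet passes, later ones are dropped
        return "pass"


def run_sample():
    wg = WG_INIT + bytes(144)
    ovpn = bytes([OVPN_RESET]) + b"\xaa" * 8 + bytes(5)
    dns = b"\x12\x34\x01\x00\x00\x01" + bytes(20)   # unrelated traffic
    packets = [
        ("203.0.113.10", 51820, wg),
        ("203.0.113.10", 51820, b"\x04" + bytes(63)),
        ("198.51.100.7", 1194, ovpn),
        ("198.51.100.7", 1194, b"\x48" + bytes(40)),
        ("192.0.2.53", 53, dns),
    ]
    f = EdgeFilter()
    return [f.handle(*p) for p in packets], f.blocklist


if __name__ == "__main__":
    print(run_sample())
```
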


Yup; this is why VPN over HTTPS is a thing.


HTTPS has a whole series of side-channel leaks, which can be exploited to fingerprint the tunnelled protocol: many implementations don't add padding or active probing resistance.

Sizable communications with an uncommon IP can be singled out by netflow analysis.

But yes, it usually works.


You will start with blocking their websites. Then you might want to reverse-engineer it just a little bit (for example to find out which domains they connect to) and block those domains. Usually that's enough to block most people from using it.



