ToS I’m using as a bit of a nebulous phrase. If there is filtering involved, there exists a list of dos and donts - in your example, that base filtering case seems to have a lot of leeway in defining what “objectionable advertising and content” is. They could (not a great move but could) say “VPNs are objectionable”.

I still stand by that the correct move to contact IT - if the network isn’t showing it’s ToS on launch, either as the flyer with the password, captive portal, or equivalent, they could request the network terms from IT (or equivalent service desk/management). If there is not in fact a ToS,… Then it’s really become a lawyer matter. I am not a lawyer - I’ll defer that discussion of a network that enforces a policy without showing a ToS to the experts in the field.

I hesitate to say if OP has the green light if they’re not advertising terms. Clearly there is some policy the network is enforcing against OP, and a (as they put it) a faceless network admin making the changes. Even if it’s not a formal legalese policy, it could be just a simple list of what not to do. Communication between OP and their faceless network admin is going to be the key to successful resolution.

Guest networks are in a bit of a different category for that because we (collectively as IT in general) expect people to be placing tunneling protocols to protect themselves on a guest network, but a company may object to and block any non-standardized VPN that isn’t run by corporate on their internal network.