tl;dr: It was a DNS leak. Thanks to @user2675345 for the tip off!
Here is the page I got when I accessed a blocked site:
I first tried pinging a few websites and saw that their IP addresses were the same. As can be seen in this image:
both youtube.com and metacafe.com, which are both blocked, have 176.12.107.179
as their IP. Unsurprisingly, navigating to this IP in a browser yields the "Requested Site Blocked" page shown above. Pinging www.google.com on the other hand, results in a legit IP pointing to Google.
So the urls were getting mapped to the wrong IP. I used dig to inspect the DNS entries and confirm this.
Indeed, the DNS entry for youtube.com had 176.12.107.179
as it's IP.
I then used Wireshark to check out the DNS requests and saw that the requests weren't coming from the IP of the server I was SSH'ed into, but from my local IP address.
Even though I was using an SSH tunnel, my DNS requests were not going through the tunnel. Also, they seemed to be going to an IP address on the same network. So it looks like the router onboard the bus was acting as a DNS server and giving out bad DNS answers for sites on its blacklist.
This is a very serious vulnerability. Not only could an eavesdropper see all of the websites I was going to, but the person controlling the router/DNS server could easily route me to a malicious version of youtube, rather than to the "Requested Site Blocked" page. And ll the while, I'm thinking that my traffic is all going through the SSH tunnel and I'm completely secure.