OpenVPN Is Open to VPN Fingerprinting (arxiv.org)
144 points by PaulHoule 10 months ago | hide | past | favorite | 59 comments



I remember years ago someone made a site that detects if you are using a VPN based on some packets' latency, and it was pretty accurate! Unfortunately, I don't know what the website is now.


Might be http://witch.valdikss.org.ru/ , e.g., using number of flows and MTU (and maybe other techniques)


> Might be http://witch.valdikss.org.ru/

I think so! It looks slightly different than how I remember it but same elements in there, thanks for sharing it.


> No OpenVPN detected.

Looks like Mullvad is clear.

Also in case anyone was curious about the name and image, I haven't thought about this series in forever: https://en.wikipedia.org/wiki/W.I.T.C.H._(TV_series)


>OpenVPN detected.

Not for me. It detected Mullvad


ProtonVPN passes too which is funny because I'm solving so many captchas I could power an entire captcha solving saas all by myself. So I'm not entirely convinced by this method.


That's because most sites serve you a captcha based on your IP address and ASN.


Mullvad uses both OpenVPN and Wireguard


And the site seems to tend to detect mullvad's wireguard as 'openvpn' while mullvad's openvpn is undetected by it. Perhaps that's what the parent is referring to.


That would make sense because it didn't detect Mullvad's openvpn for me.


windscribe/wireguard not detected


All Vypr obfuscation options pass. I'm surprised more people don't use VyprVPN, but then again, its professional options are limited, e.g. Surfshark's ability to choose specific data centers and IPs. But I bought 5 years of Vypr for like 50 bucks 3 years ago, so I'm pretty invested.

Edit: I forgot I use VyprVPN because of its verified no-log policy. Does anyone else know of a better service with a verified history of denying log access / having active subpoena dead man's switch notices?


ExpressVPN but they sold out to shady folks a few years ago.


Pretty neat. Doesn't pick up Proton, which I guess is good.


By the way, the author has a small forum with lots of updates on developments (and bugs) in large scale DPI systems.

https://ntc.party

What governments use today for censorship and spying will tomorrow be a one-click solution for small businesses and script kiddies.


Kaspersky is flagging this website as

HEUR:Exploit.Script.Generic;Trojan;High;Heuristic Analysis;http://witch.valdikss.org.ru; Expert analysis

Pls be careful.


That's because of this tag:

<img src="file://witch.valdikss.org.ru/a" width=0 height=0>

This is a part of the attempt that the site does to retrieve the NTLM hash of your Windows account password. See https://hackerone.com/reports/1054382 for more details.


"Heuristic Analysis" kinda says it all. Antivirus like Kaspersky likes to block websites for whatever reason they like.


Surfshark wireguard not detected.


Maybe it was doileak.com? It’s now at https://www.top10vpn.com/tools/do-i-leak/


All those firewalls with Application Control IPS (Checkpoint, Palo Alto Network, Fortinet etc.) can already block OpenVPN connections, so this is no surprise that you can fingerprint them.


you have the cart before the horse here. modern IPS uses, and has been using, more or less the same methodology the researchers mention in their abstract (full disclosure: i read no further): "[. . .] fingerprints based on protocol features such as byte pattern, packet size, and server response."

this technique has been around for a very long time and is in no way novel. applying it to OpenVPN traffic specifically isn't either.


They can determine a connection to their network is through an OpenVPN server even if that server has a clean/normal IP address? Is there some otherwise basic tell that the host is running a VPN server? Could Palo Alto Network also identify say a different VPN server, such as Wireguard?


This paper is about detecting the connection between the VPN client and the VPN server---the first segment of the connection you describe. It's unsurprising that OpenVPN can be fingerprinted, as like most VPN protocols, it was not designed with contravention of fingerprinting as a goal. The counter-censorship or network policy bypass application of VPNs is a relatively modern concept and the modifications made to meet it tend to be haphazard. OpenVPN predates this kind of application being a design goal.

To address your direct question, whether or not a service can detect that you are reaching it with a VPN service in the middle, the answer is a soft maybe. There are several heuristic methods, but they will not be entirely reliable and using them will risk false positives. Most service operators probably wouldn't go beyond filtering of known VPN services, which is of course widely implemented.

One reliable method is active probing of the traffic source, which is sometimes done, but it comes with some hazards for the service operator and is often easy to defeat.


My understanding after talking to OpenVPN developers is that a known header is exchanged PRIOR to starting a TLS session, thus making it extremely easy to detect (and block).


literal bytes. this is one of the primary methods modern IDS/IPS engines, like Snort and Suricata for example, use to fingerprint traffic types and otherwise indicators of compromise.

OpenVPN traffic, even encrypted, can look unique enough somewhere in the 'stream' (to borrow the IDS/IPS term) to be reliably identified.


Thanks, I didn't know that. So if you have a VPN server at home and you bounce through it from a foreign location to a corporate job then perhaps the employer could identify the connection is a relay.

I'm talking about the part of the connection outgoing from the VPN, not the incoming traffic to the VPN, to be clear. I know for example that China can do deep packet inspection and that there are a number of projects to attempt to thwart this technique. But you seem to be saying that the part after the VPN can be identified?


No, the article is about you connecting to your home from the corporate network over OpenVPN. The case you are describing, while possible, is highly unlikely to be detected unless you are using a public VPN. Most of the time your employer just cares to check a box saying employees are working from the US and has no incentive to go the extra mile to active traffic monitoring and deep packet inspection. Hell, some are so incompetent, a CTO once said employees can work offshore as long as they are using Remote Desktop to a VM in the US because then they are “telecommuting”, but they can’t connect over the corporate VPN.


> I'm talking about the part of the connection outgoing from the VPN

your understanding is correct—that the 'segment' between VPN server and final destination/employer's public-facing infrastructure is no longer traversing a VPN tunnel and therefore could not be fingerprinted as VPN traffic.

if using a public VPN service provider, it would be identified, however (quite easily and at very low technical cost mind you), based on source address, as public VPN service provider netblocks are well-documented.

see, for example: https://github.com/X4BNet/lists_vpn (first search engine result for me querying "vpn ip list")


I guess the Great Firewall of China is a good benchmark too. It also scales quite well, I guess.


How do these fingerprinting schemes work when the handshake protocol is not merely obfuscated, but actually encrypted?

i.e. if one uses the tls-crypt option?

As I understand it, that encrypts the handshake protocol such that simple data value matching will not work, and one would have to either use length and/or timing matches.
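Two comments above describe the same tell from different angles: OpenVPN sends a known header before TLS starts, and IDS/IPS engines match such literal bytes. The header in question is the first byte of every OpenVPN packet, which packs a 5-bit opcode and a 3-bit key id, followed by an 8-byte session id; over TCP each packet is also prefixed with a 2-byte length. The following is an added example written for this thread, not code from the paper or from OpenVPN, that scores a flow on those header fields. It also shows the tls-crypt caveat asked about here: tls-crypt wraps the control-channel payload, but the opcode byte and session id are still sent in clear (they are authenticated, not encrypted), so the opcode-based check still fires; only the weaker "server echoes the client's session id" check is lost. All packets are constructed by hand to the wire layout, with dummy bytes standing in for the tls-crypt tag and ciphertext.

```python
"""Passive OpenVPN handshake fingerprint from packet headers (illustrative)."""
import struct
from typing import Optional, Tuple

# Control-channel opcodes, names as in OpenVPN's ssl.h.
P_CONTROL_HARD_RESET_CLIENT_V1, P_CONTROL_HARD_RESET_SERVER_V1 = 1, 2
P_CONTROL_SOFT_RESET_V1, P_CONTROL_V1, P_ACK_V1, P_DATA_V1 = 3, 4, 5, 6
P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_SERVER_V2 = 7, 8
P_DATA_V2, P_CONTROL_HARD_RESET_CLIENT_V3 = 9, 10          # V3 = tls-crypt-v2 clients

CLIENT_RESETS = {P_CONTROL_HARD_RESET_CLIENT_V1, P_CONTROL_HARD_RESET_CLIENT_V2,
                 P_CONTROL_HARD_RESET_CLIENT_V3}
SERVER_RESETS = {P_CONTROL_HARD_RESET_SERVER_V1, P_CONTROL_HARD_RESET_SERVER_V2}
VALID_OPCODES = set(range(1, 11))
SID_LEN = 8


def unframe(payload: bytes, transport: str) -> Optional[bytes]:
    """Strip the 2-byte big-endian length prefix OpenVPN uses over TCP."""
    if transport == "udp":
        return payload
    if len(payload) < 2:
        return None
    (plen,) = struct.unpack("!H", payload[:2])
    if plen != len(payload) - 2:          # prefix must describe exactly this packet
        return None
    return payload[2:]


def parse_header(payload: bytes, transport: str = "udp") -> Optional[Tuple[int, int, bytes]]:
    """Return (opcode, key_id, session_id), or None if the bytes cannot be OpenVPN."""
    pkt = unframe(payload, transport)
    if pkt is None or len(pkt) < 1 + SID_LEN:
        return None
    opcode, key_id = pkt[0] >> 3, pkt[0] & 0x07     # first byte = (opcode << 3) | key_id
    if opcode not in VALID_OPCODES:
        return None
    return opcode, key_id, pkt[1:1 + SID_LEN]


def classify_flow(packets, transport: str = "udp") -> dict:
    """Score a flow given [(direction, payload), ...] in wire order, direction "c2s"/"s2c".

    opcode_match: first packet each way is a hard reset with key_id 0 and every
                  packet carries a legal opcode (survives tls-crypt, whose header
                  is authenticated but not encrypted).
    session_echo: the server's reset repeats the client's session id in clear
                  (lost with tls-crypt, which encrypts the remote-session-id field).
    """
    result = {"opcode_match": False, "session_echo": False}
    headers = [(d, parse_header(p, transport), p) for d, p in packets]
    if any(h is None for _, h, _ in headers):
        return result
    first_c = next((h for d, h, _ in headers if d == "c2s"), None)
    first_s = next((h for d, h, _ in headers if d == "s2c"), None)
    if first_c is None or first_s is None:
        return result
    if first_c[0] not in CLIENT_RESETS or first_c[1] != 0:
        return result
    if first_s[0] not in SERVER_RESETS or first_s[1] != 0:
        return result
    result["opcode_match"] = True
    server_raw = unframe(next(p for d, _, p in headers if d == "s2c"), transport)
    result["session_echo"] = first_c[2] in server_raw[1 + SID_LEN:]
    return result


# ---- constructed sample packets (not captures) -------------------------------
CLIENT_SID = bytes.fromhex("1122334455667788")
SERVER_SID = bytes.fromhex("99aabbccddeeff00")


def client_reset_plain() -> bytes:
    # opcode 7 | client sid | ack-array length 0 | packet id 0   (no tls-auth/tls-crypt)
    return bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << 3]) + CLIENT_SID + b"\x00" + b"\x00" * 4


def server_reset_plain() -> bytes:
    # opcode 8 | server sid | 1 ack | acked id 0 | remote (client) sid | packet id 0
    return (bytes([P_CONTROL_HARD_RESET_SERVER_V2 << 3]) + SERVER_SID + b"\x01"
            + b"\x00" * 4 + CLIENT_SID + b"\x00" * 4)


def client_reset_tls_crypt() -> bytes:
    # opcode 7 | client sid | packet id | timestamp | 32-byte tag | wrapped payload
    # tag and payload are dummy bytes; only the clear header matters here
    return (bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << 3]) + CLIENT_SID
            + b"\x00\x00\x00\x01" + b"\x65\x00\x00\x00" + b"\xaa" * 32 + b"\x5c" * 16)


def server_reset_tls_crypt() -> bytes:
    return (bytes([P_CONTROL_HARD_RESET_SERVER_V2 << 3]) + SERVER_SID
            + b"\x00\x00\x00\x01" + b"\x65\x00\x00\x01" + b"\xbb" * 32 + b"\x3d" * 28)


def tcp_frame(pkt: bytes) -> bytes:
    return struct.pack("!H", len(pkt)) + pkt


# Truncated TLS record headers: first byte 0x16 decodes as opcode 2 / key_id 6, so rejected.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16030100c4010000c00303") + b"\x00" * 32
TLS_SERVER_HELLO_PREFIX = bytes.fromhex("1603030050020000490303") + b"\x00" * 32

if __name__ == "__main__":
    print("plain    ", classify_flow([("c2s", client_reset_plain()), ("s2c", server_reset_plain())]))
    print("tls-crypt", classify_flow([("c2s", client_reset_tls_crypt()), ("s2c", server_reset_tls_crypt())]))
    print("tls      ", classify_flow([("c2s", TLS_CLIENT_HELLO_PREFIX), ("s2c", TLS_SERVER_HELLO_PREFIX)]))
```

Note that the plain and tls-crypt flows both match on opcodes alone; the extra confidence from the session-id echo is what tls-crypt takes away, which is why the follow-up reply's point stands: once the byte pattern is hidden, a DPI box falls back on lengths, timing, or simply blocking unrecognised encrypted traffic.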


They can do what the gfw does and block any encrypted traffic that it doesn't recognize.

https://www.usenix.org/conference/usenixsecurity23/presentat...


This was the case over a decade ago as well, at the time obfsproxy[0] was one of the more reliable methods for establishing and maintaining openvpn connections in the more censorship heavy countries.

[0]https://blog.torproject.org/obfsproxy-next-step-censorship-a...


I have a basic question somewhat related to this topic. When I am using Mullvad VPN, many websites block access. (E.g. Lowe's or Michaels.com etc). They force me to disable VPN and I don't like it.

My question is how do they detect that I am using a VPN and is there any workaround to access their site when I continue using VPN?


I believe the websites subscribe to a universal list of IP addresses that are associated with major VPN providers, and some entity maintains that.

You might be able to get around this by paying a provider like ProtonVPN extra for a static IP outside of the known range associated with ProtonVPN


So what's the good VPN?


Any provider with shadowsocks configs. Or if not, if you have hardware lying around you could host a tunnel with gluetun.


WireGuard


I would be surprised if wireguard was fingerprint resistant.

If you want to avoid a MITM from detecting that you are using a VPN, your best bet is probably to use some kind of tunnel that looks like regular HTTPS traffic, which means it uses TLS either with TCP or QUIC on port 443.


I didn't say anything about fingerprint resistance. I answered a question about what the good one is. It's good for other reasons.


Obfs4 is what you need


This required research and publication on arxiv? OpenVPN is meant for access control to/between private networks, not for skirting public access controls put in place on your immediate, local upstream. The default config even encourages the use of the defined ports.


It seems like other VPN vendors are slapping obfuscation on top of OpenVPN and advertising their service as unobservable. This paper contests that claim


Default config with port 1194 is super common with "anonymous" VPN providers. It can very well be fingerprinted. But I hope the data in transit would be secure. Maybe not from NSA.


correct. it sorta depends on what OpenVPN's goals are...

the boilerplate of the corporate face insists it's for your businesses and their connectivity, so you could argue that confidentiality doesn't really include clandestine or obfuscated traffic presence at all.

However, you could also argue for OpenVPN (and several others) that as a security tool they should at least consider Goguen and Meseguer type noninterference as a conformant operation model by reducing the awareness of the traffic.


>not for skirting public access controls put in place on your immediate, local

Of course it's also meant for that.


A simple search "OpenVPN traffic detection" leads you to many pages on how this is not a thing OpenVPN tries to do and how to detect it. This whole paper is no more notable than a stack overflow question and answer, maybe less than something on quora.


here is one of many for those that seem to be voting me down: https://github.com/corelight/zeek-spicy-openvpn

I can't say this would be much more of a weekend project with spicy.



this site says I have third party cookies enabled when firefox says I do not.


then you have 3P cookies enabled.


Fingerprinting? This is just clickbait. Identifying that the murder weapon was a knife isn't remotely the same as getting the fingerprint of the killer.


Context matters. In this case "fingerprinting" refers to fingerprinting of the protocol by a DPI system, and the problem the author is concerned with is the ability to use a VPN at all.


Words matter too. It's simply not fingerprinting.


It really is fingerprinting. It's just showing the fingerprint of the service and not the user. This is a very normal usage of the word for people interested in identifying specific types of traffic. Lots of different things have detectable fingerprints that are useful within certain contexts.


Fingerprinting doesn't mean "uniquely identifies an individual", it just means "uniquely identifies some aspect of the target". You could fingerprint 'Firefox' amongst all browsers, or in this case they are fingerprinting OpenVPN amongst all traffic.


The term fingerprinting is in really common usage for this, “browser fingerprinting”



it is. what if we know that only one person had said knife and then this "fingerprint" would be 100% empirical support. So yes sometimes just noting a VPN was used with said foreknowledge is enough to correlate and prove something.



