
OpenVPN Is Open to VPN Fingerprinting

144 points | PaulHoule | 2 years ago | arxiv.org

59 comments

tamimio | 2 years ago
I remember years ago someone made a site that detects if you are using a VPN based on some packet latency, and it was pretty accurate! Unfortunately, I don't know what the website is now.
guardiangod | 2 years ago
All those firewalls with Application Control IPS (Checkpoint, Palo Alto Networks, Fortinet etc.) can already block OpenVPN connections, so it is no surprise that you can fingerprint them.
nickburns | 2 years ago
You have the cart before the horse here. Modern IPS uses, and has been using, more or less the same methodology the researchers mention in their abstract (full disclosure: I read no further): "[. . .] fingerprints based on protocol features such as byte pattern, packet size, and server response."

This technique has been around for a very long time and is in no way novel. Applying it to OpenVPN traffic specifically isn't either.

lilsoso | 2 years ago
They can determine a connection to their network is through an OpenVPN server even if that server has a clean/normal IP address? Is there some otherwise basic tell that the host is running a VPN server? Could Palo Alto Network also identify say a different VPN server, such as Wireguard?
riedel | 2 years ago
I guess the Great Firewall of China is a good benchmark too. It also scales quite well, I guess.
dfawcus | 2 years ago
How do these fingerprinting schemes work when the handshake protocol is not merely obfuscated, but actually encrypted?

i.e. if one uses the tls-crypt option?

As I understand it, that encrypts the handshake protocol such that simple data value matching will not work, and one would have to either use length and/or timing matches.
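The following is an added example, not code from the paper or from anyone in this thread, showing the "byte pattern" and "server response" features the abstract refers to, and how they interact with tls-crypt. In OpenVPN's control channel the first byte of every packet carries the opcode (top 5 bits) and key id (low 3 bits), followed by an 8-byte session ID; tls-crypt wraps everything after that header, so the opcode byte and session ID stay in the clear even when the handshake payload is encrypted. The classifier assumes UDP transport (over TCP each packet is additionally prefixed with a 2-byte length); all packets below are constructed for the example, and only the plaintext header layout is relied on, not the exact size of the tls-crypt wrapped portion.

```python
"""Passive OpenVPN control-channel classifier (added example, UDP transport assumed)."""
from __future__ import annotations

import os

# Opcodes live in the top 5 bits of the first byte; the low 3 bits are the key id.
OPCODES = {
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",  # client reset used with tls-crypt-v2
}
CLIENT_RESETS = {7, 10}
SERVER_RESET = 8
SESSION_ID_LEN = 8
# Smallest possible hard reset: opcode(1) + session id(8) + ack-array length(1) + packet id(4).
MIN_HARD_RESET_LEN = 1 + SESSION_ID_LEN + 1 + 4


def split_opcode(first_byte: int) -> tuple[int, int]:
    """Return (opcode, key_id) decoded from the first byte of an OpenVPN packet."""
    return first_byte >> 3, first_byte & 0x07


def classify_packet(payload: bytes) -> str | None:
    """Name the OpenVPN opcode a UDP payload carries, or None if it does not look like OpenVPN.

    Only the cleartext header is inspected, so the result is the same whether the
    control payload is plaintext, tls-auth'd, or tls-crypt wrapped.
    """
    if len(payload) < MIN_HARD_RESET_LEN:
        return None
    op, key_id = split_opcode(payload[0])
    name = OPCODES.get(op)
    if name is None:
        return None
    # A hard reset opens a fresh session, so its key id is always 0.
    if op in CLIENT_RESETS | {SERVER_RESET} and key_id != 0:
        return None
    return name


def looks_like_openvpn_handshake(client_first: bytes, server_first: bytes) -> bool:
    """Flow-level check: a client hard reset answered by a server hard reset."""
    c_op, c_key = split_opcode(client_first[0]) if client_first else (None, None)
    return (
        classify_packet(client_first) is not None
        and c_op in CLIENT_RESETS
        and classify_packet(server_first) == OPCODES[SERVER_RESET]
    )


def _sid() -> bytes:
    return os.urandom(SESSION_ID_LEN)


# Constructed sample packets (not captures). The tls-crypt samples only model what is
# and is not visible: header in the clear, everything after it opaque to an observer.
CLIENT_RESET_PLAIN = bytes([7 << 3]) + _sid() + b"\x00" + b"\x00\x00\x00\x00"
CLIENT_RESET_TLS_CRYPT = bytes([7 << 3]) + _sid() + os.urandom(32 + 8 + 5)  # tag, pid/time, ciphertext
CLIENT_RESET_TLS_CRYPT_V2 = bytes([10 << 3]) + _sid() + os.urandom(64)
SERVER_RESET_PLAIN = bytes([8 << 3]) + _sid() + b"\x01" + b"\x00\x00\x00\x00" + _sid() + b"\x00\x00\x00\x01"
DATA_KEY_ID_1 = bytes([(9 << 3) | 1]) + os.urandom(40)       # mid-session data packet, key id 1
WIREGUARD_INIT = b"\x01\x00\x00\x00" + os.urandom(144)      # WireGuard handshake initiation (type 1)
SHORT_0x38 = bytes([0x38]) + b"\x00" * 5                     # starts like a reset but is too short

if __name__ == "__main__":
    for label, pkt in [("plain reset", CLIENT_RESET_PLAIN), ("tls-crypt reset", CLIENT_RESET_TLS_CRYPT),
                       ("wireguard", WIREGUARD_INIT), ("short", SHORT_0x38)]:
        print(f"{label:16} -> {classify_packet(pkt)}")
    print("handshake:", looks_like_openvpn_handshake(CLIENT_RESET_TLS_CRYPT, SERVER_RESET_PLAIN))
```

The point of the tls-crypt samples is the one dfawcus raises: value matching on the encrypted payload fails, but the classifier never looks there. A real DPI engine would add the length and timing features, and the paper's "server response" feature goes further by actively probing a suspected server; this example only shows the passive header check.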

codecutter | 2 years ago
I have a basic question somewhat related to this topic. When I am using Mullvad VPN, many websites block access (e.g. Lowe's or Michaels.com, etc.). They force me to disable the VPN and I don't like it.

My question is how do they detect that I am using a VPN and is there any workaround to access their site when I continue using VPN?

teddanson2 | 2 years ago
I believe the websites subscribe to a universal list of IP addresses that are associated with major VPN providers, and some entity maintains that.

You might be able to get around this by paying a provider like ProtonVPN extra for a static IP outside of the known range associated with ProtonVPN

niceice | 2 years ago
So what's the good VPN?
Timber-6539 | 2 years ago
Any provider with shadowsocks configs. Or if not, if you have hardware lying around you could host a tunnel with gluetun.
thwarted | 2 years ago
This required research and publication on arxiv? OpenVPN is meant for access control to/between private networks, not for skirting public access controls put in place on your immediate, local upstream. The default config even encourages the use of the defined ports.
dc-programmer | 2 years ago
It seems like other VPN vendors are slapping obfuscation on top of OpenVPN and advertising their service as unobservable. This paper contests that claim.
grubbs | 2 years ago
Default config with port 1194 is super common with "anonymous" VPN providers. It can very well be fingerprinted. But I hope the data in transit would be secure. Maybe not from NSA.
nimbius | 2 years ago
Correct. It sorta depends on what OpenVPN's goals are...

The boilerplate of the corporate face insists it's for your business and its connectivity, so you could argue that confidentiality doesn't really include clandestine or obfuscated traffic presence at all.

However, you could also argue for OpenVPN (and several others) that, as a security tool, they should at least consider Goguen and Meseguer type noninterference as a conformant operation model by reducing the awareness of the traffic.

gsich | 2 years ago
>not for skirting public access controls put in place on your immediate, local

Of course it's also meant for that.

mianos | 2 years ago
A simple search "OpenVPN traffic detection" leads you to many pages on how this is not a thing OpenVPN tries to do and how to detect it. This whole paper is no more notable than a stack overflow question and answer, maybe less than something on quora.
iLoveOncall | 2 years ago
Fingerprinting? This is just clickbait. Identifying that the murder weapon was a knife isn't remotely the same as getting the fingerprint of the killer.
riehwvfbk | 2 years ago
Context matters. In this case "fingerprinting" refers to fingerprinting of the protocol by a DPI system, and the problem the author is concerned with is the ability to use a VPN at all.
JamesSwift | 2 years ago
Fingerprinting doesn't mean "uniquely identified an individual", it just means "uniquely identifies some aspect of the target". You could fingerprint 'firefox' amongst all browsers, or in this case they are fingerprinting OpenVPN amongst all traffic.
rileymat2 | 2 years ago
The term fingerprinting is in really common usage for this, “browser fingerprinting”
sfmike | 2 years ago
It is. What if we know that only one person had said knife? Then this "fingerprint" would be 100% empirical support. So yes, sometimes just noting a VPN was used, with said foreknowledge, is enough to correlate and prove something.