I rented a VPS and installed a firewall and Docker on it. In Docker I run WireGuard; I changed its default ports, blocked all other ports with the firewall, and even disabled the ICMP protocol. Recently I found out that some websites block my connection while I'm connected to the VPN. I started to investigate why this happens and discovered that services like whatismyipaddress.com identify my VPS server as a VPN service. It definitely answers the question of why some websites block my connection, but doesn't answer how I was detected. The ports are changed and the VPS is completely fresh, so how am I compromised?
Also, it happened multiple times with different hosting providers. I tried OVH Cloud and then switched to DigitalOcean, but the problem persists.
It’s fairly simple to identify a VPS based on its IP address. Every IP range is owned by a specific entity. For example, if you check a random OVH IP (like this one: https://whois.domaintools.com/116.206.98.1), you’ll see that it belongs to OVH. When they notice it belongs to a hosting service, they assume it’s a VPN.
They also use other methods to figure out if an IP is a residential address. If it’s not, they conclude it’s a VPN.
So if you want to stay undetected using a VPN, you have to have a residential IP address.
It definitely answers the question why some websites block my connection, but doesn't answer how I was detected.
Each IP address range is associated with an autonomous service provider (AS) that is identified via an Autonomous System Number (ASN).
This information (which ASN manages which IP ranges) is broadcast globally via BGP.
There are companies that have made a business out of classifying and selling such information and associated services.
If you are renting a VPS and tunneling traffic through it, it is considered a private proxy. It is very easy to determine data center ranges using the IP address. You can try your server IP address at https://www.ip2location.io and see if your VPS has been detected as a data center.
I also installed WireGuard on several VPSes; none of the VPS IP addresses are detected by whatismyipaddress.com as a VPN service. Probably because I filter the incoming port used for WireGuard.
Iptables example
-A INPUT -p udp -m set --match-set my_isp_network_prefix src -m udp --dport 38371 -j ACCEPT
Where “my_isp_network_prefix” is the rule's ipset. My ISP just allocated a few /24 subnets for the city I live in, so it was pretty easy to create the ipset rules.
Most (almost all big names) hosting companies have been associated with IP ranges or ASNs. As far as I know, finding an IP range that will be detected as a residential or ISP proxy/VPN is nearly impossible.
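The ASN and IP-range replies above describe a lookup that depends only on the source address, so changed ports and blocked ICMP play no part in it. The sketch below is an added example, not code from any poster or from a real detection service: it runs a longest-prefix match over a small constructed table, and the prefixes (documentation ranges), private-use ASNs, organisation names and category labels are all assumptions.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737 / RFC 3849) and
# private-use ASNs (RFC 6996) stand in for a real prefix-to-ASN database.
PREFIX_ROWS = [
    ("192.0.2.0/24", 64512, "ExampleHost Cloud", "hosting"),
    ("198.51.100.0/24", 64513, "ExampleNet Broadband", "isp"),
    # A more specific announcement carved out of the ISP block above.
    ("198.51.100.128/25", 64514, "ExampleVPS Ltd", "hosting"),
    ("2001:db8::/32", 64512, "ExampleHost Cloud", "hosting"),
]


def build_table(rows):
    """Parse prefix strings once so lookups only compare network objects."""
    return [(ipaddress.ip_network(p), asn, org, cat) for p, asn, org, cat in rows]


def lookup(ip, table):
    """Return the most specific covering prefix row, or None if none covers ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for row in table:
        net = row[0]
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = row
    return best


def classify(ip, table):
    """Label an address from its origin network alone; no port or protocol input."""
    hit = lookup(ip, table)
    if hit is None:
        return {"ip": ip, "asn": None, "verdict": "unknown"}
    net, asn, org, cat = hit
    verdict = "datacenter (treated as VPN/proxy)" if cat == "hosting" else "residential/ISP"
    return {"ip": ip, "prefix": str(net), "asn": asn, "org": org, "verdict": verdict}


if __name__ == "__main__":
    table = build_table(PREFIX_ROWS)
    for ip in ("192.0.2.10", "198.51.100.5", "198.51.100.200", "203.0.113.9"):
        print(classify(ip, table))
```

The third sample address shows why the most specific prefix has to win: it falls inside an ISP's /24 but is announced separately by a hosting ASN.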