I’ve set up a personal/private VPN, with a server running at my house, and I’ll connect to it when I’m away from home. I like that this makes my location seem as though it’s coming from my house, and it’s pretty “invisible” that I’m running a VPN.
When I look at browserleaks.com, almost everything looks great. All of the IP addresses, country, region, etc. show as if I’m browsing from my house. However, the TCP/IP Fingerprint section says “Link: generic tunnel or VPN”. I’m surprised it can tell.
From a little googling, it looks like the MTU and/or MSS might be what this section is keying off of? My MTU right now is 1420. Is this what browserleaks is working off of, and if so, how can I change it?
They can tell by looking at packet size. When your traffic goes through a VPN, the VPN headers take up a certain amount of space in the packet. As a result, browserleaks.com is seeing a uniform packet size that falls in line with common bone technology. They are expecting to see 1500 bytes, but they are seeing smaller packets.
This is a standard technique for identifying VPN traffic without having to rely on source IP.
I don’t think there’s any way to hide the physical tunnel in that sense. The data is fully encrypted but the fact that you are using a VPN is not hidden in any real way.
Gotcha, yeah that sounds like what I was starting to read about regarding MTU/MSS. So is there a solution to make the packet size normal? Can I set the packet size on my VPN to 1500 bytes? Any downsides to that? (I assume so)
I know some countries use DPI, deep packet inspection, to see the type of traffic it is. If you’re using a default port, that is a dead giveaway, and I’m sure some other stuff.
The most obvious one is streams of encrypted data – by inference. But I think, depending on the type of VPN, you’ll also see the L2 or L3 headers. It’s been too many years since my days as a network guy, but I can remember enforcing a no VPN policy in our world and seeing a VPN in use wasn’t an issue at all. You can probably get your fill of info by searching terms like “VPN and WireShark” for a good description. In the end I think you’ll find that identifying that there’s a VPN being used and seeing what the VPN is being used FOR are two very different matters.
Every application that uses the network over the internet will get packaged. You have a sender and receiver. In this case VPN client and VPN server. The client sends traffic to the VPN client, and packages the regular traffic and encrypts that. Then it’s sent like any other package to the VPN server. So basically what your router and others see is not the regular traffic, but the encrypted VPN-traffic. The VPN-server will handle the inside package to where you actually want to communicate with, e.g. a web server.
Basically it’s just a wrapped layer around the regular traffic.
Delays could be caused by a ton of things, slow internet connection, a shitty ancient router, a router that’s doing a bunch of packet sniffing for e.g. ad blocking, all kinds of stuff.
I agree that if I was trying to detect people using a VPN, delays would be a hint. But they’re not a smoking gun.
What do you mean streams of encrypted data? By the time a packet gets to the final recipient, the encryption from the VPN has already been stripped away. Of course most internet traffic will still be encrypted via SSL but that’s true of 99% of internet traffic today and not at all connected with using a VPN.
Right, I understand all of that. That still doesn’t make it clear how the final recipient of the packet (e.g. browserleaks.com) could tell that I’m using a VPN.
The data being transmitted will show up on most sniffer style programs as “encrypted data” or similar. By watching, you’ll see patterns. It’s by inference in a case like this. It’s still pretty easy to determine a full time encrypted connection from an on demand one from the same source addresses.
That’s what I’m trying to tell. It’s a VPN-client to VPN-server, meaning application traffic. The server needs to handle that incoming traffic. Since the server knows how to handle it, humans can also have their ways to understand what traffic they are dealing with. For example OpenVPN or IPsec might be directly recognized, because of the port. Using VPN is not secretive, it’s about the layer to simulate a private link.
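Added example, not part of any post in this thread: a sketch of the MTU/MSS check discussed above, showing how a receiving server can label a link from the MSS option in the client's TCP SYN, which the client's OS derives from its (tunnel) interface MTU. The lookup table, function names and sample SYN are constructed assumptions, not browserleaks.com's actual data or code.

```python
import struct

# Illustrative MTU-to-link table (assumption, modeled on passive
# fingerprinting tools; not browserleaks.com's actual signature list).
LINK_BY_MTU = {
    1500: "Ethernet or modem",
    1492: "DSL (PPPoE)",
    1420: "generic tunnel or VPN",
}

def mss_from_tcp_header(tcp: bytes):
    """Return the MSS option value from a raw TCP header, or None if absent."""
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    header_len = (tcp[12] >> 4) * 4          # data offset, in 32-bit words
    if header_len < 20 or header_len > len(tcp):
        raise ValueError("bad data offset")
    opts, i = tcp[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # end of option list
            break
        if kind == 1:                        # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break                            # option cut off before its length
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                            # malformed option, stop parsing
        if kind == 2 and length == 4:        # MSS option
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def classify_link(mss: int, ipv6: bool = False):
    """Infer the sender's MTU (MSS + IP header + 20-byte TCP header) and label it."""
    mtu = mss + (40 if ipv6 else 20) + 20
    return mtu, LINK_BY_MTU.get(mtu, "unknown")

def build_syn(mss: int) -> bytes:
    """Constructed sample: TCP SYN header with MSS, NOP, NOP, SACK-permitted."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + struct.pack("!BB", 4, 2)
    offset_flags = ((20 + len(options)) // 4 << 12) | 0x002   # data offset + SYN
    return struct.pack("!HHIIHHHH", 51000, 443, 1, 0, offset_flags, 64240, 0, 0) + options

if __name__ == "__main__":
    for mss in (1460, 1380):                 # plain Ethernet vs. MTU 1420 over IPv4
        print(mss, classify_link(mss_from_tcp_header(build_syn(mss))))
```

An MTU of 1420 over IPv4 yields an advertised MSS of 1380, so the label follows from the SYN alone and does not depend on the source IP.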