Although VPNs have made numerous lives easier, not everyone is a fan. Regardless of the cause, governments, institutions, organizations, and others around the globe have never stopped tracing, detecting, and blocking a VPN. Furthermore, many authorities have downright declared them illegal. We won’t debate the legality of VPNs, though. As covered in previous articles, a VPN is as harmless as you make it out to be. While many have accepted the intrusion of this tech, some remain vigilant. However, today’s article is not about VPN blocking. Rather, it is an attempt at glimpsing a running VPN. Whether it is possible, and if so, how can you detect a VPN?
Disclaimer – We do not condone bypassing VPN blocks placed under law. We advise the proper and legal use of VPNs and recommend our readers adhere to the law at all times. The current article is subjective and offers no legal repose. Although we have included ways to prevent VPN blocking, it is for informational purposes only—we do not promote it.
How does VPN tunneling work?
First, to learn more about the detection process, we need to understand how a VPN works. A VPN is a network of clients and servers connected by a virtual tunnel. This tunnel is the focus here. Everything a VPN does, and everything that occurs on the network, happens within this tunnel. Your ISP (Internet Service Provider) plays the role of the intermediary between your device and the public network. With the absence of a VPN, your data goes through the ISP and communicates with the internet websites. However, this connection is transparent. Your data remains bare for ISP to gander. Since there is no added security like encryption, anyone can intercept and steal it.
A VPN covers the whole process with an opaque tunnel—it’s where the magic is. VPN security protocols are responsible for the creation and maintenance of the VPN tunneling process. Although the VPN encryption profiles also play a critical role in securing your data, the entire encapsulation process is subject to the tunnel.
Thus, the detection of VPN is somewhat simple. As long as you can spot the tunnel, you can know for a fact a VPN is in play. Honestly, spotting a tunnel is not that hard. A VPN can isolate the nature of your data traffic from the ISP, but it can’t hide the volume or direction. An ISP remains an overseer throughout the process. Therefore, it is feasible they can spot the anomaly when a large volume of data travels to and from an IP address (the VPN server).
Can you detect a VPN?
In one word – yes. While blocking a VPN may be a complicated and demanding process, detecting one is not. Anyone with access to your network can figure out whether you have employed a VPN or not. This is for two obvious reasons. One, your traffic will appear gibberish during an interception. Two, the volume towards some particular IP address will stand out. Furthermore, websites you visit can also detect the use of a VPN. They can similarly notice the influx of communication requests from some specific IP address. Ergo, they can flag the address to monitor activity. It won’t take them long to recognize that a VPN is in play.
Having said that, while detecting a VPN is easy, it doesn’t change the fact your data remains encrypted. Meaning, a person, or organization can notice and understand that you are using a VPN. However, they still won’t know what you are using it for or why. Then the question stands, “If you can’t know what a VPN is doing due to encryption, what is the use of detecting one?”
It is simple – blocking. Unless you can notice and trace a VPN, you can’t bar it. Thus, effective VPN detection and tracing don’t target encryption, as it is next to impossible to crack the modern ciphers. But organizations and authorities pay heed to VPN and their detection to block their access.
How can you detect a VPN?
There are different approaches one can take when it comes to VPN detection. These are:
- VPN end:
- Nontechnical indicators
- Technical indicators
- Provider end:
- VPN server IP address
- Protocol and port numbers
- Alternate technology – DPI (Deep Packet Inspection)
- Third-party intrusion:
- Tracking cookies
- Browser fingerprinting
- VPN logs
- DNS/IP leaks
- Money trails
Non-technical indicators are as follows:
- Irregular network traffic – There is often a gap between the launch of the VPN software and the computer reboot. One can’t ascertain which packets the device sends over during the boot-up. Thus, the traffic before the VPN launch and after will differ. It will create an irregularity that is easy to discover.
- No unencrypted data packets – When the VPN is running, every data packet that flows out of the client will be subject to encryption. Thus, the ISP can easily detect a VPN by examining the data packets over time. In this case, the lack of unencrypted packets raises a red flag.
- Data leaks from VPN (Software vulnerability) – A VPN is prone to issues. Moreover, the software can have fallacies. IT can lead to unintentional leaks such as IP or DNS addresses. By comparing the leaked addresses to the normal one, an overseeing authority can determine whether the VPN is at play or not.
- Human error – A VPN mostly gets discovered owing to the human factor. Remember that VPNs are not foolproof and installed to end-user devices. Thus, any error on the part of the user can make the VPN activity glow. Such mistakes include but aren’t limited to forgetting to turn the VPN on, engaging in sensitive communication over an unprotected network, and turning off the VPN in the background.
- All data gets directed to a single IP – Lastly, everyone knows that while the VPN is on, the traffic gets redirected towards a specific IP address. This movement itself is suspicious enough to raise an alarm.
Technical indicators are harder to spot, and the requisite is having sufficient background in the information and technology fields. However, you can do so by inspecting a data packet from the suspicious network. All you need to utilize is:
Authorities can install what we call a snuffing appendage on a VM (virtual machine). They place an OpenWRT r router within the network with the required software installed. The router monitors the VM network and figures out the existence of a VPN. This method can also render the privacy enjoyed by a VPN user moot. Only a few lines of code will tear the protection of the fake IP and notify the network/authorities of the actual user’s IP address in real-time. Thankfully, this approach requires physical implementation and devices. Thus, it is very limited in application.
Predictable PFS re-keys
VPN encrypts every outgoing data packet. The process is very effective, as it is near impossible to hack the data itself. However, VPNs employ familiar encryption techniques that have their specific signature. By analyzing the encrypted packets, an overseer can recognize these signatures and determine the role of VPNs.
Third party intrusion
- Tracking cookies – Websites employ cookies to collect data. These cookies are traceable. Now, granted, they can trace the data back to a source as there is a VPN server in between. However, most websites can use such cookies to identify VPN use.
- Browser fingerprinting – It is an advanced methodology that can identify your browser patterns. Once they have enough data, they can recognize you no matter how or where you ping your IP address. Browser fingerprinting targets your habits and analyzes them without involving encrypted data.
- VPN logs – Some VPNs keep logs. Now, no matter the cause, such logs are harmful to the users as they represent the record of the user activity unhindered by encryption or proxies. Thus, by accessing your VPN logs, an interested party can do much more than detect VPNs.
- DNS/IP leaks – A leak can reveal your real-time location. Be it IP or DNS, if it leaks, anyone monitoring your traffic can figure out the role of the VPN.
- Money trails – VPNs need a subscription, and these are paid ones. How? Most users rely on banking cards (ATM/Debit/Credit cards). Now, these cards contain your PII (Personal Identifiable Information). Someone can follow the money trail and figure out the VPN usage.
Alternate ways to detect a VPN
Here are 3 more methods of identifying VPN use:
- The IP address of the VPN server – Authorities can mark a few vendors and their known servers. Thus, any activity on those IP addresses can reveal the use of VPNs.
- Protocols and corresponding ports – Some protocols use exclusive ports to connect to the internet. Monitoring such ports can unveil VPNs.
- Technology like DPI – Some countries have advanced technology that renders VPNs moot. One such tech is the Deep Packet Inspection, where attention is on the data packets and any abnormalities.