
OpenVPN is Open to VPN Fingerprinting (2403.03998v1)

Published 6 Mar 2024 in cs.CR

Abstract: VPN adoption has seen steady growth over the past decade due to increased public awareness of privacy and surveillance threats. In response, certain governments are attempting to restrict VPN access by identifying connections using "dual use" DPI technology. To investigate the potential for VPN blocking, we develop mechanisms for accurately fingerprinting connections using OpenVPN, the most popular protocol for commercial VPN services. We identify three fingerprints based on protocol features such as byte pattern, packet size, and server response. Playing the role of an attacker who controls the network, we design a two-phase framework that performs passive fingerprinting and active probing in sequence. We evaluate our framework in partnership with a million-user ISP and find that we identify over 85% of OpenVPN flows with only negligible false positives, suggesting that OpenVPN-based services can be effectively blocked with little collateral damage. Although some commercial VPNs implement countermeasures to avoid detection, our framework successfully identified connections to 34 out of 41 "obfuscated" VPN configurations. We discuss the implications of the VPN fingerprintability for different threat models and propose short-term defenses. In the longer term, we urge commercial VPN providers to be more transparent about their obfuscation approaches and to adopt more principled detection countermeasures, such as those developed in censorship circumvention research.


Summary

  • The paper introduces a robust two-phase system combining passive filtering and active probing that identifies over 85% of vanilla and 67% of obfuscated OpenVPN flows.
  • It details how specific handshake opcodes, ACK sequences, and server responses to malformed packets enable effective fingerprinting, evaluated on over 15 TB of real-world ISP traffic.
  • The research warns that current obfuscation methods are inadequate, urging VPN providers to adopt advanced random padding and standardized techniques to improve anonymity.

An Analysis of OpenVPN Fingerprinting Vulnerabilities

The research paper titled "OpenVPN is Open to VPN Fingerprinting" provides a comprehensive investigation into the susceptibility of OpenVPN, a prevalent protocol for commercial VPN services, to fingerprinting attacks. The paper is motivated by the increasing efforts of ISPs and governments to track or block VPN traffic as a means of maintaining control over data flows within their networks, utilizing deep packet inspection (DPI) technologies.

Key Contributions and Findings

This paper proposes a robust, two-phase system for identifying OpenVPN traffic through a combination of passive filtering and active probing. The analysis considers several real-world scenarios, leveraging insights into protocol features that are potentially susceptible to fingerprinting. The researchers focus on the following key aspects:

  1. Fingerprinting Mechanisms: The authors identify three features for fingerprinting OpenVPN traffic: opcode patterns in the handshake messages, distinct ACK packet sequences during initial communication, and server behavior when faced with malformed packets.
  2. Infrastructure and Methodology: The paper leverages a collaboration with Merit, a regional ISP, to deploy their framework on a server monitoring 20% of the ISP's traffic. This deployment ramps up to 15 TB of traffic processed per day, scrutinizing over 2 billion flows for potential OpenVPN connections.
  3. Results in Control and Real-world Traffic: The system successfully identifies over 85% of vanilla OpenVPN flows and more than two-thirds of tested obfuscated configurations. The latter highlights the inadequacies of many current obfuscation methods in achieving unobservability, defying some providers' claims of being undetectable.
  4. Sources of Vulnerability: Many "obfuscation" techniques, such as XOR patches, tunnel-based methods without proper padding, and co-location with non-obfuscated servers, leave these VPN services detectable. For instance, distinctive patterns in byte-level packet attributes and packet size distributions are effectively exploited for detection.
  5. Active Probing Success: The active probing phase proves particularly effective at confirming OpenVPN servers, even those that use HMAC protections to thwart unsolicited packets.

Implications and Future Directions

Practical Implications: The paper demonstrates that identifying OpenVPN traffic can be achieved with minimal false positives, making it feasible for censoring authorities to block or throttle VPNs efficiently. It raises concerns about the reliability of current obfuscation techniques advertised by commercial VPN providers.

Theoretical Implications: The paper underlines the broader challenge in designing camouflaged network protocols. The fingerprinting vulnerabilities identified here, despite ongoing obfuscation attempts, reveal the necessity for more advanced techniques in maintaining the anonymity and usability of VPNs in censored environments.

Recommendations for Mitigation: The authors suggest short-term safeguards for VPN providers, including server isolation practices and the use of random padding. In the long term, they advocate for the adoption of standardized obfuscation technologies, akin to strategies used in other circumvention tools such as Tor.
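To make the opcode fingerprint listed under "Fingerprinting Mechanisms" and the random-padding recommendation above concrete, here is an added Python example that is not code from the paper or its authors. It parses OpenVPN's opcode byte, checks a constructed handshake for the HARD_RESET/ACK opcode pattern, and then shows what random padding does to the size of the client's first packet. The opcode numbers are the values defined in the OpenVPN source; the session ids, packet bytes, direction labels and the `pad_random` scheme are constructed for illustration and are not how OpenVPN itself implements padding.

```python
"""Added illustration: how a DPI classifier sees an OpenVPN UDP handshake,
and what random padding does to the first-packet size signal."""
import random

# OpenVPN packet opcodes (numeric values as defined in the OpenVPN source).
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}


def parse_opcode(first_byte):
    """Split the first byte of an OpenVPN UDP packet into (opcode, key_id):
    the opcode lives in the upper five bits, the key id in the lower three."""
    return first_byte >> 3, first_byte & 0x07


def opcode_names(packets):
    """Map (direction, payload) pairs to (direction, opcode name)."""
    return [(d, OPCODES.get(parse_opcode(p[0])[0], "UNKNOWN")) for d, p in packets]


def looks_like_vanilla_handshake(packets):
    """Check for the opening opcode pattern of an unobfuscated OpenVPN flow:
    client HARD_RESET, server HARD_RESET, then an ACK from the client.
    A simplified stand-in for the paper's first fingerprint (assumption)."""
    seq = opcode_names(packets)
    if len(seq) < 3:
        return False
    (d0, n0), (d1, n1), (d2, n2) = seq[:3]
    return (d0 == "c>s" and n0.startswith("P_CONTROL_HARD_RESET_CLIENT")
            and d1 == "s>c" and n1.startswith("P_CONTROL_HARD_RESET_SERVER")
            and d2 == "c>s" and n2 == "P_ACK_V1")


# Constructed sample handshake: session ids and packet ids are made up.
# Layout per packet: opcode byte, 8-byte session id, ack-array length,
# [acked packet id + remote session id], 4-byte packet id.
_CSID = bytes.fromhex("1122334455667788")   # client session id (constructed)
_SSID = bytes.fromhex("99aabbccddeeff00")   # server session id (constructed)
CLIENT_RESET = bytes([7 << 3]) + _CSID + b"\x00" + (0).to_bytes(4, "big")
SERVER_RESET = (bytes([8 << 3]) + _SSID + b"\x01" + (0).to_bytes(4, "big")
                + _CSID + (0).to_bytes(4, "big"))
CLIENT_ACK = bytes([5 << 3]) + _CSID + b"\x01" + (0).to_bytes(4, "big") + _SSID
SAMPLE_FLOW = [("c>s", CLIENT_RESET), ("s>c", SERVER_RESET), ("c>s", CLIENT_ACK)]


def pad_random(payload, max_pad, rng):
    """Append 0..max_pad random bytes (constructed scheme, illustrative only):
    a deployable design must let the peer strip the padding and must cover
    every handshake packet, not just the first one."""
    return payload + bytes(rng.getrandbits(8) for _ in range(rng.randint(0, max_pad)))


def first_packet_sizes(n, max_pad=0, seed=0):
    """On-the-wire size of the client's first packet observed over n flows."""
    rng = random.Random(seed)
    return [len(pad_random(CLIENT_RESET, max_pad, rng)) for _ in range(n)]


def distinct_sizes(sizes):
    """Number of distinct sizes: 1 means a constant-size, easily matched first packet."""
    return len(set(sizes))


if __name__ == "__main__":
    print(opcode_names(SAMPLE_FLOW))
    print("vanilla handshake:", looks_like_vanilla_handshake(SAMPLE_FLOW))
    print("distinct sizes, no padding:", distinct_sizes(first_packet_sizes(200)))
    print("distinct sizes, padded:", distinct_sizes(first_packet_sizes(200, max_pad=64, seed=1)))
```

Without padding every client reset is the same 14 bytes, so a single size check already separates it from most other traffic; with padding the size spreads over dozens of values. Padding leaves the opcode byte untouched, however, so `looks_like_vanilla_handshake` still matches the padded flow, which is why the authors present padding as a short-term measure and point to principled obfuscation for the longer term.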

Conclusion

The research provides incisive insights into the open vulnerabilities within VPN ecosystems, particularly focusing on OpenVPN's susceptibility to DPI techniques. This paper serves as a catalyst for further research and development in obfuscation methodologies and highlights the necessity for VPNs to evolve continuously in the face of increasingly sophisticated network adversaries. The call to action for VPN providers is clear: to develop more resilient, transparent, and standardized protections against monitoring and censorship attempts.

HackerNews

  1. OpenVPN Is Open to VPN Fingerprinting (144 points, 59 comments)