undefined | Better HN

0 pointsMacha1y ago0 comments

There are two types of VPN detection people are worried about:

- Endpoints (e.g. Netflix or video game) detecting VPNs and blocking users of VPNs from their server because they don't trust the user to not be bypassing their rules

- Middleboxes (e.g. airport wifi or the great firewall) detecting VPNs and blocking the user from the internet because they don't want the user to have unfiltered internet access.

The latter group have a lot more tools to see if something is VPN traffic since they have access to the entire (encrypted) traffic, so can do stuff like checking are you constantly exchanging the vast majority of your requests through a few hosts.

The former don't have as much information, but they have one really easy, really effective option, which is to contract with one of the IP classification databases that lets them see if the client is on a home internet connection. If it's not, they can just block you. Watching Netflix from your EC2 instance isn't going to be that reliable. And it's hard for the VPN providers to reliably get IPs that look residential, residential service usually prohibits such uses, companies that run both residential and business services still usually run them separately from an infra perspective as it makes their life easier, and even if you found an ISP to co-operate and let you use their residential addresses to run your VPN, the databases can just mark the entire ISP as having this kind of use, which would hurt the ISP's users, which counts as a strong disincentive for an ISP to become known for this kind of business.

So for VPNs to bypass blocks by remote services, it means they're going from (most legitimate) shopping around ISPs willing to host them on residential IPs on the down low to the more sketchy end buying residential IP traffic from places that sell residential IP space from e.g. malware or software that buries this detail in its T&Cs. There's also the Tor exit node route of using your users as a sort of mesh network to get residential IPs, but legitimate VPN providers are not going to do that because of the risk it exposes their users to legal liability.

This is not really something that can be fixed with protocol updates like Proton is doing here - the protocol updates are more about evading the middleware style traffic analysis mentioned here

0 comments

devilbunny1y ago

The endpoint blocking is pretty easy to bypass if you run your own VPN (e.g., Tailscale with an exit node in your home network, or an OpenVPN server).

My workplace recently blocked all VPN exiting traffic, even on the guest network. I found this quite bothersome, as I do prefer to tunnel everything through my house. I never use public WiFi without VPN; not because I'm doing illegal things, nor because I think it keeps the NSA from spying if they want to (after all, they can just monitor my house). It keeps the coffeeshop and airport and hotel networks from watching my moves, though.

It also doesn't trigger multi-location detection on Netflix, etc.

KolmogorovComp1y ago

> There's also the Tor exit node route of using your users as a sort of mesh network to get residential IPs, but legitimate VPN providers are not going to do that because of the risk it exposes their users to legal liability.

Could there be a middle ground? Unless using encrypted DNS, the VPN has access to the website name, and could use a list of legitimate services that ban VPNs (like Netflix) and only then use their users as a mesh.