How can I detect a VPN connection (even just in some cases) to get the real location of the user

  • I'm creating a web site, I would like to allow people to sign-up only from their "real" physical location (not using a VPN).

    I was thinking maybe comparing local and server time... what else...?

    Would it be a check of what DNS is used and whether it is one of the open DNS IPs... Or is it possible to know the IP ranges that are registered to VPN companies?

    Are you trying to detect that someone connecting to your server is doing so using a VPN?

    Incoming VPN, VPN traversing your network, transparent VPN upstream of you?

    You could add a second factor to your sign-up process, like sending/receiving an SMS or even a landline call, then using the number to guess the location.

    People concerned about their privacy (for whatever reason) are going to be annoyed at you. Comparing local/server time isn't going to work - so long as NTP is on you'd have roughly the same UTC time, but "local time" (displayed) can be whatever you want it to. What happens if I sign up on vacation in your target timezone? What about when I go back home? What happens if I sign up while flying on an airplane (no DNS entry for middle-of-the-ocean...)?

    I highly doubt it always works. I have a zero per-packet overhead VPN with zero plaintext headers lying around. It's not hard to do if you're willing to pay the price in administrative complexity.

  • Finding out that a user is using a VPN service provider isn't that difficult. Most of them have static IP addresses for their exit gateways, so it could just be using a list of known IP addresses to identify VPNs. And even when they don't have a list, a simple reverse DNS lookup might tell them that the IP has a hostname which is obviously a VPN provider and not one assigned by a normal internet service provider.

    Deanonymizing a VPN user, however, can be more of a challenge, because most VPN services are designed especially to prevent this. Possible attack vectors are browser fingerprinting and talkative browser plugins which say more about the user than they should.

    I've heard about plugins like flash potentially leaking info. I'm curious, do you know what info they could actually leak? Surely if I'm behind a NAT router even locally running code doesn't know my external IP address anyway, so couldn't pass that on (anything else they could leak?)

    @fpghost There is enough to write about Flash alone for a separate question. I would recommend you write a new question asking about Flash in particular with no mention of threatmetrix.

    De-anonymizing is not necessarily the point, in this case they just want to know that "a" user is on a VPN, they don't care who or if they are unique from other users, since they probably just throw up a "sorry, we don't allow users from VPNs" message anyway.

    So the obvious follow-up question would be, how to circumvent even these ways, and just be undetectable for stupid websites trying to find out my location and 'profiling' me even after paying a hefty sum of money to VPN services?
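The two checks this answer names (a list of known exit-gateway addresses, then a reverse DNS lookup whose hostname gives the provider away) are straightforward to put into code. The block below is an added example, not code from the original thread or from any product named in it. The CIDR list, the hostname keywords and the reverse-DNS table are constructed for illustration (the address ranges are the RFC 5737 documentation ranges); a real deployment would load a maintained feed and use the system resolver, which `reverse_dns` does when no resolver callable is supplied.

```python
import ipaddress
import re
import socket
from typing import Callable, Iterable, Optional

# Constructed sample list of VPN exit ranges (RFC 5737 documentation space).
# A real deployment would load this from a maintained feed and refresh it often,
# since such lists go stale quickly.
KNOWN_VPN_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.128/25"),
]

# Tokens that the reverse DNS name of a VPN/proxy exit commonly carries.
# Heuristic only: an ISP is free to name its pools however it likes.
VPN_HOST_PATTERN = re.compile(
    r"(^|[.\-])(vpn|proxy|tor|exit|tunnel|relay)([.\-]|$)", re.IGNORECASE
)


def in_known_ranges(ip: str, ranges: Iterable[ipaddress._BaseNetwork] = KNOWN_VPN_RANGES) -> bool:
    """True if the address falls inside any listed exit-gateway range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def reverse_dns(ip: str, resolver: Optional[Callable[[str], Optional[str]]] = None) -> Optional[str]:
    """PTR lookup for the address; returns None when there is no usable answer.

    `resolver` is an assumption of this example so the lookup can be replaced
    with a constructed table for offline use; by default the system resolver is used.
    """
    resolver = resolver or (lambda a: socket.gethostbyaddr(a)[0])
    try:
        return resolver(ip)
    except (socket.herror, socket.gaierror, OSError, KeyError):
        return None


def hostname_looks_like_vpn(hostname: Optional[str]) -> bool:
    """Apply the keyword heuristic to a reverse DNS name."""
    return bool(hostname and VPN_HOST_PATTERN.search(hostname))


def classify(ip: str, resolver=None) -> dict:
    """Combine both checks and return the evidence, not just a verdict."""
    reasons = []
    if in_known_ranges(ip):
        reasons.append("address is in a known VPN exit range")
    host = reverse_dns(ip, resolver)
    if hostname_looks_like_vpn(host):
        reasons.append(f"reverse DNS name {host!r} looks like a VPN/proxy exit")
    return {"ip": ip, "rdns": host, "suspect": bool(reasons), "reasons": reasons}


# Constructed reverse-DNS table standing in for real PTR records.
CONSTRUCTED_PTR = {
    "203.0.113.7": "gw7.example-vpn.net",
    "192.0.2.10": "vpn-exit-03.example-vpn.net",
    "192.0.2.20": "pool-12-34.dsl.example-isp.net",
}

if __name__ == "__main__":
    for ip in CONSTRUCTED_PTR:
        print(classify(ip, resolver=CONSTRUCTED_PTR.get))
```

Returning the list of reasons rather than a bare boolean matters in practice: the list check is strong evidence while the hostname match is weak, and a sign-up flow that blocks on either should log which one fired so false positives from oddly named ISP pools can be reviewed.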

  • Given that the VPN headers around each packet will take up space and then disappear, they could be looking at packet size vs MTU to come up with a way of guessing (it would be a wild guess) that the user is behind a VPN because their packets are consistently smaller than other streams.

    An even wilder guess would be that they are looking at round trip time (more precisely, how long from when a TCP ACK is sent to when the next packet returns). Most computers are fast enough to turn around in microseconds. So for a given host (single IP sending requests) if some/all users are behind a VPN that really leads off to distant parts of the world, the variation in RTT will be huge (120 ms for some, 30 ms for others, etc.) which can form a fingerprint of who is unique and what might be a VPN vs just a NAT (where there are many users but the RTTs are almost identical.)

    This sounds like it's _almost_ feasible, though with a considerable amount of false positives. For example, the MTU over OpenVPN will be 45 bytes smaller than the route's actual MTU. Which of course, you cannot reliably know (pinging them with DF set could work, though).

    I like the packet size idea. Sneaky. No matter what, though, you're going to add an extra round trip to the first request (at the very least); that may be undesirable. It's certainly prohibitive for many websites that pride themselves on their speed. Unless, of course, you already know the smallest MTU for the route, but that would require all sorts of dark magic.
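The two traffic-level heuristics in this answer (a consistently reduced segment size from tunnel encapsulation, and a wide spread of turnaround times behind one source address) can be scored from per-connection observations. The block below is an added example, not code from the original thread. The flow records are constructed; the header-size constants, the deficit threshold of 20 bytes and the RTT spread threshold of 50 ms are assumptions of this example chosen to make the sample data readable, and the `pppoe-home` and `mobile-carrier` sources are included to show the false positives the comment above warns about.

```python
from statistics import median

ETHERNET_MTU = 1500            # assumed bare path MTU for the comparison
IPV4_TCP_HEADERS = 40          # 20-byte IPv4 + 20-byte TCP, no options
EXPECTED_MSS = ETHERNET_MTU - IPV4_TCP_HEADERS   # 1460


def mss_deficit(observed_mss: int, expected_mss: int = EXPECTED_MSS) -> int:
    """Bytes by which the client's advertised MSS falls short of a plain Ethernet path.

    A tunnel adds its own headers inside the outer MTU, so the inner MSS shrinks;
    the answer above gives 45 bytes for OpenVPN as one example.
    """
    return expected_mss - observed_mss


def rtt_spread_ms(rtt_samples) -> float:
    """Range of ack-to-next-packet turnaround times seen from one source address."""
    return max(rtt_samples) - min(rtt_samples) if rtt_samples else 0.0


def score_source(flows, deficit_threshold: int = 20, spread_threshold_ms: float = 50.0) -> dict:
    """Score one source IP from its connections.

    flows: list of {"mss": int, "rtt_ms": float}, one entry per TCP connection.
    Thresholds are assumptions of this example, not measured values.
    """
    deficits = [mss_deficit(f["mss"]) for f in flows]
    rtts = [f["rtt_ms"] for f in flows]

    # Every connection smaller than a bare path suggests encapsulation (or just a
    # smaller-MTU access link, which is the false-positive case).
    consistently_small = bool(deficits) and min(deficits) >= deficit_threshold
    # A single address whose users sit at very different distances looks like a
    # shared VPN exit; a NAT gateway for one site shows nearly identical RTTs.
    spread = rtt_spread_ms(rtts)
    wide_spread = len(rtts) >= 3 and spread >= spread_threshold_ms

    if consistently_small and wide_spread:
        hint = "tunnel-sized segments and widely spread RTTs: likely shared VPN exit"
    elif consistently_small:
        hint = "tunnel-sized segments only: could be a VPN or just a small-MTU link"
    elif wide_spread:
        hint = "widely spread RTTs only: shared exit, or simply a noisy path"
    else:
        hint = "no tunnel indicators"

    return {
        "median_deficit": median(deficits) if deficits else 0,
        "rtt_spread_ms": spread,
        "encapsulation_suspected": consistently_small,
        "shared_exit_suspected": wide_spread,
        "hint": hint,
    }


# Constructed per-source flow records (MSS in bytes, turnaround in milliseconds).
SAMPLE_SOURCES = {
    "vpn-exit": [  # many users far apart, 45-byte tunnel overhead
        {"mss": 1415, "rtt_ms": 31.0}, {"mss": 1415, "rtt_ms": 122.0},
        {"mss": 1415, "rtt_ms": 88.0}, {"mss": 1415, "rtt_ms": 140.0},
    ],
    "office-nat": [  # many users, one site, full-size segments
        {"mss": 1460, "rtt_ms": 30.0}, {"mss": 1460, "rtt_ms": 29.0},
        {"mss": 1460, "rtt_ms": 31.0}, {"mss": 1460, "rtt_ms": 32.0},
    ],
    "pppoe-home": [  # 8-byte PPPoE overhead, below the threshold
        {"mss": 1452, "rtt_ms": 40.0}, {"mss": 1452, "rtt_ms": 42.0},
        {"mss": 1452, "rtt_ms": 41.0},
    ],
    "mobile-carrier": [  # small access-link MTU: false positive for the size check
        {"mss": 1360, "rtt_ms": 60.0}, {"mss": 1360, "rtt_ms": 65.0},
        {"mss": 1360, "rtt_ms": 62.0},
    ],
}

if __name__ == "__main__":
    for name, flows in SAMPLE_SOURCES.items():
        print(name, score_source(flows))
```

The `mobile-carrier` source trips the size check with no tunnel involved, which is the point the comment makes: without knowing the path MTU in advance, a reduced MSS alone is weak evidence, and the RTT spread only becomes meaningful once several connections from the same address have been observed.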

  • In general you will not be able to know if someone is coming from a VPN.

    You may be able to find some IP ranges of some companies that offer VPN, but this information is not going to be readily available and will become stale very quickly. Even if you manage to find a good list and keep it up to date it will never be comprehensive. When working for a multinational I could choose to route my traffic through any one of their offices. Any individual with an internet connection could offer VPN services to their friends. If you are trying to guess location by IP address you will also need to try and detect Tor users, or blacklist all Tor exit nodes.

    Also note some ISPs offer IP addresses that are not correctly geo-located; this can lead to false positives and false negatives.

    In addition to VPNs, you'll need to look for proxy servers, and those are even harder to spot (VPNs are usually commercial, while open proxies are usually accidentally created).

    So, I talked to a company that claims they can do that by checking the used proxy somehow... only problem... their minimum package (software as a service) starts at $10,000

    Ohhh if price is important I can do all that and more for only $5000 a year. And I bet I can beat their published false positive and false negative rates ... if only they published any. Slightly more seriously it is easy to do badly, hard to do well, and impossible to do perfectly. The link you supplied in the comment gives me no idea if these people are doing a bad job or just an imperfect job.

    The sales rep on the phone told me that the way they do it is somehow following the proxies used by the server and in *MOST* cases they can tell the real ISP that is being used... I don't understand how checking the proxies, so I don't know about that, but I'm trying to see if I can at least get the name of the real DNS used (most users are not aware that it would expose their real ISP), same way like is doing it... any idea where to start?

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM