A recent study shows how it is possible to identify connections that use OpenVPN

VPN Fingerprinting

OpenVPN session detection method

In the articles on security and vulnerabilities that I have shared here on the blog, it is usually mentioned that no system, hardware or implementation is safe: however much something claims to be 100% reliable, the news about detected vulnerabilities has shown us the opposite.

The reason for mentioning this is that a group of researchers from the University of Michigan recently conducted a study on identifying OpenVPN-based VPN connections, which shows that using a VPN does not by itself guarantee that our activity on the network is secure.

The method used by the researchers is called "VPN Fingerprinting" and works by monitoring traffic in transit. In the study, three effective methods were found for identifying the OpenVPN protocol among other network packets, methods that could be used in traffic inspection systems to block virtual private networks that use OpenVPN.

Tests carried out on the network of the Internet provider Merit, which has more than a million users, showed that these methods could identify 85% of OpenVPN sessions with a low level of false positives. For the tests, a set of tools was used that detected OpenVPN traffic in real time in passive mode and then verified the accuracy of the result through an active check against the server. During the experiment, the analyzer created by the researchers handled a traffic flow of approximately 20 Gbps.

The identification methods used are based on the observation of OpenVPN-specific patterns in unencrypted packet headers, ACK packet sizes and server responses.

  • The first method is linked to a pattern in the "operation code" (opcode) field of the packet header during the connection negotiation stage, which changes predictably depending on the connection configuration. Identification is achieved by recognizing a specific sequence of opcode changes in the first few packets of the data flow.
  • The second method is based on the specific size of the ACK packets used by OpenVPN during the connection negotiation stage. Identification is done by recognizing that ACK packets of a given size occur only in certain parts of the session, such as when initiating an OpenVPN connection, where the first ACK packet is typically the third data packet sent in the session.
  • The third method involves an active check by requesting a connection reset, to which the OpenVPN server responds with a specific RST packet. Importantly, this check does not work when tls-auth mode is used, as the OpenVPN server ignores TLS requests from unauthenticated clients.
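To illustrate why the first two passive checks work, here is an added example (not code from the blog post or from the University of Michigan study) that applies them to the first three UDP payloads of a flow. The packet layouts follow the OpenVPN control-channel header (opcode in the top five bits of the first byte, followed by the session id); the session ids, the 28-byte stand-in for tls-auth's HMAC and replay fields, and the DNS-like decoy flow are all constructed here.

```python
import struct

# OpenVPN puts the opcode in the top 5 bits of the first header byte (low 3 bits = key_id).
P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_SERVER_V2, P_ACK_V1 = 7, 8, 5
CLIENT_RESETS = {1, P_CONTROL_HARD_RESET_CLIENT_V2}  # V1 (1) or V2 (7) client hard reset
SERVER_RESETS = {2, P_CONTROL_HARD_RESET_SERVER_V2}  # V1 (2) or V2 (8) server hard reset
# A bare P_ACK_V1 (no tls-auth) acking one packet: opcode 1 + session id 8 +
# ack count 1 + acked packet id 4 + remote session id 8 = 22 bytes.
BARE_ACK_LEN = 1 + 8 + 1 + 4 + 8

def opcode(payload: bytes) -> int:
    return payload[0] >> 3

def openvpn_packet(op, sid, acked=(), remote_sid=b"", msg_id=None, auth=b""):
    """Constructed control-channel packet; `auth` stands in for the HMAC,
    packet id and timestamp that tls-auth inserts after the session id."""
    pkt = bytes([op << 3]) + sid + auth + bytes([len(acked)])
    pkt += b"".join(struct.pack(">I", pid) for pid in acked)
    pkt += remote_sid if acked else b""
    return pkt + (struct.pack(">I", msg_id) if msg_id is not None else b"")

def fingerprint_flow(packets):
    """packets: list of (direction, udp_payload) in arrival order, direction
    'c2s' or 's2c'. Applies the two passive checks to the first three packets."""
    hit = {"opcode_sequence": False, "ack_size": False}
    if len(packets) < 3 or any(not p for _, p in packets[:3]):
        return hit
    (d1, p1), (d2, p2), (d3, p3) = packets[:3]
    # Check 1: client hard reset -> server hard reset -> client ACK, all sent in the clear.
    if ((d1, d2, d3) == ("c2s", "s2c", "c2s") and opcode(p1) in CLIENT_RESETS
            and opcode(p2) in SERVER_RESETS and opcode(p3) == P_ACK_V1):
        hit["opcode_sequence"] = True
        # Check 2: the third packet has the bare P_ACK_V1 length. tls-auth changes
        # that length, so the size check alone misses such sessions (opcodes still match).
        hit["ack_size"] = len(p3) == BARE_ACK_LEN
    return hit

C_SID, S_SID = b"\x11" * 8, b"\x22" * 8  # constructed session ids
def sample_flow(auth=b""):
    return [
        ("c2s", openvpn_packet(P_CONTROL_HARD_RESET_CLIENT_V2, C_SID, msg_id=0, auth=auth)),
        ("s2c", openvpn_packet(P_CONTROL_HARD_RESET_SERVER_V2, S_SID, (0,), C_SID, 0, auth)),
        ("c2s", openvpn_packet(P_ACK_V1, C_SID, (0,), S_SID, auth=auth)),
    ]

# Constructed non-OpenVPN flow (DNS-like headers): first byte 0x12 decodes to
# opcode 2, which is not a client reset, so neither check fires.
DNS_LIKE_FLOW = [("c2s", b"\x12\x34\x01\x00" + bytes(28)), ("s2c", b"\x12\x34\x81\x80" + bytes(28)),
                 ("c2s", b"\x12\x35\x01\x00" + bytes(28))]
```

Running `fingerprint_flow(sample_flow())` matches both checks, `sample_flow(auth=bytes(28))` matches only the opcode sequence, and the DNS-like flow matches neither.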

The results of the study showed that the analyzer was able to successfully identify 1,718 out of 2,000 test OpenVPN connections established by a fake client using 40 different typical OpenVPN configurations. The method worked successfully for 39 of the 40 configurations tested. Additionally, during the eight days of the experiment, a total of 3,638 OpenVPN sessions were identified in transit traffic, of which 3,245 sessions were confirmed as valid.

Importantly, the proposed method has an upper bound on false positives three orders of magnitude lower than previous methods based on machine learning. This suggests that the methods developed by the University of Michigan researchers are more accurate and efficient at identifying OpenVPN connections in network traffic.

The effectiveness of the methods commercial services use to protect OpenVPN traffic from sniffing was evaluated in separate tests. Of the 41 VPN services tested that used OpenVPN traffic cloaking methods, traffic was identified in 34 cases. The services that could not be detected used additional layers on top of OpenVPN to hide traffic, such as forwarding OpenVPN traffic through an additional encrypted tunnel. Most of the services that were successfully identified used XOR traffic scrambling, additional obfuscation layers without adequate random traffic padding, or had non-obfuscated OpenVPN services on the same server.

If you are interested in learning more about it, you can consult the details at the following link.
