According to Surfshark, one of the most popular virtual private network (VPN) providers, over 1.6 billion people have used a VPN, translating to about 31% of all internet users or one-fifth of the global population. And you're likely one of them.

What is a VPN?

From a high-level perspective, a VPN works by intentionally spoofing a user's IP address to make it look like that user is in a country they are not. This action shields the user's data and traffic through the VPN rather than directly from the website to their device. With many VPN providers, users are even able to select the location of their VPN, whether it is somewhere else in the country or a country in another part of the world entirely. 

VPN is a set of protocols and technologies developed to provide Internet access to private network resources. The original purpose focused on solving the security problems of corporate, government, and scientific networks. VPNs have moved from corporate to consumer technology in recent decades with slightly different goals.

Why do people use a VPN?

VPNs are a popular solution for Internet users for many reasons. Some of the most common reasons revolve around better data privacy and protection while accessing unsecured public WiFi networks, protecting their privacy from apps and websites that may want to track their users, and offering more peace of mind while working remotely as an employee or employer.

Additionally, VPNs have risen in popularity due to the added benefit of a user's ability to access blocked content within a specific country. This practice is legal in the U.S. and most other countries as well. Internet users use VPNs to discover hidden discounts or lower prices on things such as flights and hotels. VPN providers even promote this use as an added value to using a VPN.

Those goals could include:

• Adding a superficial security layer when communicating over the Internet (accessing a public resource)
• Preventing anyone from sniffing packets (deep packet inspection) where application-level protocols don't ensure strong enough encryption (being connected to an untrusted WiFi network and using HTTP). 
• An additional layer of anonymity, fighting censorship or hiding the user's country of origin.

Those are legitimate purposes, although they could also indicate nefarious behavior, like someone trying to hide an IP address previously blocked, making VPN detection an essential feature in fraud protection capabilities.

How are VPNs misused?

VPNs are a prevalent solution for Internet users to enhance their privacy and data security while browsing the Internet for various reasons. However, this enhanced privacy and data security has led to the rise of cybercriminals using VPNs for illegal and fraudulent purposes.

Distributing malware and identity theft

Cybercriminals can use VPNs to aid in criminal activities, including distributing malware or identity theft. They use VPNs to shield their identity, location, and activities from targeted sites and individuals, and also from law enforcement in their home country or the countries of the websites they're targeting, making it much harder to track down the actual cybercriminal. Additionally, they could target the VPN and exploit one of the known 500 VPN vulnerabilities to gain access to sensitive data.

Click fraud

Businesses that advertise online risk billions of dollars due to click fraud. Click fraud occurs when a fraudster using a VPN connection artificially inflates clicks on a pay-per-click (PPC) advertising campaign, depletes the campaign's funds, and prevents actual users or visitors from viewing or visiting the intended ads. It allows fraudsters or click bots to hide their physical location and quickly cycle through numerous IP addresses.

Overview of VPN detection methods

VPNs can be detected through simple mechanisms like comparing the actual browser timezone with the target server's exit node or by using databases that store information about whether a given IP address belongs to the VPN. Or it could be based on more advanced methods like TCP/IP fingerprinting and other information present in the network traffic.

Database validation

IP address databases are a cornerstone in the arsenal of methods for detecting VPN use in browsers. These databases contain information about IP addresses, including their affiliation with known VPN or proxy services. Cross-matching a user's IP address with these databases can determine whether the user is associated with a VPN or Proxy.

Several widely used IP address databases have gained widespread use in VPN detection. Services such as MaxMind, Udger, and IPinfo are known for their accuracy and extensive databases. These databases are constantly updating their information to ensure it is current. Despite their effectiveness in identifying the IP addresses of public VPNs and proxy servers, this method is unsuitable for detecting private self-hosted and corporate VPNs.

The practice of checking IP addresses against these databases raises privacy concerns. Users may only be comfortable having their IP addresses queried against databases with explicit consent. In addition, because these databases contain information about VPNs, proxy services, and associated IP addresses, there is the potential for disclosure or misuse of the data. User consent, data protection, and transparency in the discovery process must be prioritized to address these issues and ensure responsible VPN discovery.

Time zone mismatch

Time zone mismatch detection is an interesting technique in VPN detection. It utilizes the web browser API to display the browser's local time zone based on device location or system settings. When a visitor uses a VPN to connect to a server located in a different geographic region, this can result in a noticeable discrepancy between the time zone returned by the browser and the time zone of the geographic area of their IP address.

For example, for a website, a user located in New York City appears to be browsing the web from Tokyo because of the VPN server's location. This mismatch can be a sign of VPN or proxy use, as it shows an attempt to hide one's IP address. However, simply changing the time zone in the system settings is sufficient to pass it.

You can implement logic to detect impossible travel to improve the accuracy of time zone mismatch detection, which involves analyzing IP address changes between different regions and determining whether these changes occur in an unreasonably short period. For example, if an identified user's IP address suddenly goes from New York to Tokyo in seconds, this is a red flag.

Such rapid changes suggest a VPN or proxy service, where the user's connection travels vast distances. Also, to use this technique, the IP address device identity needs to be known to detect a change of IP address accurately, and Fingerprint Pro is suitable for this purpose.

Transmission Control Protocol (TCP) /IP Detection

The technique of analyzing TCP and IP packets is far from new, but it remains an effective tool to solve the problem of VPN detection. Collecting and analyzing information about the attributes of the connection at different network layers makes it possible to gain knowledge about the properties of the client device, such as the type and version of the operating system, network configuration, and more.

It is possible to familiarize with the implementation of these techniques with the help of several utilities:

1. p0f: The p0f utility is a tool for passively fingerprinting the TCP/IP stack. This utility does not create additional traffic (that's why fingerprinting is passive) and allows you to determine the operating system's current browser version.
   
   In some cases, uptime uses mainly SYN and SYN+ACK TCP handshake requests. The tool also has a detailed Readme and its own fingerprint format and database. On the downside, this utility, as well as the fingerprint database, has not been updated for a long time, which affects the accuracy of OS detection.
   
   However, p0f is a good tool for use during the passive reconnaissance stage in a network penetration test and has been the inspiration for similar modern tools such as zardaxt.py or satori.
2. Nmap: The reasonably well-known Nmap utility also uses the TCP/IP stack fingerprint operating system discovery module. However, unlike p0f, the methods used in this utility are active rather than passive, as the utility sends a series of transport layer requests for detection. The utility has an extensive database of fingerprints and detailed documentation. In addition to OS detection, the utility has a wide range of techniques for scanning the network ports and identifying services and their versions to provide a complete profile of the network and network devices.
3. satori: Also worth mentioning is the satori utility written in Python, which implements methods for passive OS detection using fingerprinting of not only the TCP/IP stack but also SSL, DHCP, and HTTP, which was inspired by p0f.

OS mismatch

From analyzing the TCP/IP packets exchanged between the device and the web server, they can discover the device's operating system, which indicates an OS mismatch when compared to the browser's operating system. Inconsistencies detected in this case may indicate the presence of a VPN, proxy server, or Apple's iCloud Private Relay.

It is possible to recognize the operating system from the browser in different ways, for example, by parsing the user agent string or checking for unique JavaScript properties. Combining these methods will provide greater accuracy since spoofing of the user agent string is possible even with the built-in browser features. You can learn more about these methods and their implementation in our source-available library FingerprintJS.

Extracting operating system information using TCP packet fields

It is also possible to extract operating system information from TCP packet fields. For example, the order and presence of specific options (additional fields in the TCP header that provide extra information or functionality for the TCP connection) in the SYN request TCP handshake allows you to distinguish between different implementations of network protocols, which in turn can be used to specify the OS of the device, this is because macOS, Linux and Windows use other implementations of the network stack.

In a typical case, the operating system information reported by the browser should match the information contained in the packet fields. However, using a VPN can cause inconsistencies. For example, a user running on a Windows machine may use a VPN server hosted on a Linux system, resulting in a mismatch between the OS specified by the browser and the OS detected by packet inspection.

While this method can be effective, it also presents some challenges. Some VPNs specifically modify packet headers, making it difficult to detect such differences. In addition, legitimate factors such as changing the user agent string can lead to false positives.

Maximum Transmission Unit (MTU)

Having touched on the TCP/IP packet inspection, we should also talk about the method of determining VPN utilization by MTU values. Different VPN protocols, such as OpenVPN, L2TP, WireGuard, PPTP, etc., use different MTU values to optimize data transmission over network infrastructures.

For example, OpenVPN, a universal VPN protocol, allows flexible MTU customization. Users can modify MTU values according to specific network conditions, ensuring efficient data transmission. In contrast, protocols such as L2TP over IPsec or PPTP have predefined MTU values to ensure compatibility and reliability in different types of networks. However, it is possible to change the MTU.

While MTU analysis may indicate the use of a VPN, these values can also change by cause of legitimate network configuration or other factors unrelated to VPNs. Therefore, the detection process should consider the specific VPN protocol and its corresponding MTU values to minimize false positives and maintain accurate detection results.

Other VPN detection techniques

While this article focuses primarily on a few highly accurate VPN detection methods, it is important to note other ways that are often used but need revisions due to various disadvantages.

Port Scanning

Port scanning involves actively probing a user's device for open network ports, which could reveal the presence of a VPN or proxy. However, this method raises serious privacy issues, involving intrusive actions on a user's system without their consent, potentially violating their online privacy rights. 

Furthermore, port scanning can result in false positives, misidentifying VPN users when ports are configured for legitimate reasons, such as corporate network setups or firewall configurations. Therefore, while port scanning may offer insights into VPN detection, its privacy-invasive nature and potential for inaccuracies make it a less ethical and less reliable option in this context.

WebRTC IP address leakage 

WebRTC, being a critical technology for real-time communication, can inadvertently transmit the user's IP address, potentially compromising the user's privacy. However, using WebRTC IP address leakage as a VPN detection method is undesirable because modern browsers and some VPNs have mechanisms that reduce the likelihood of such leaks.

DNS IP address leakage

A DNS (Domain Name System) leak occurs when a user's DNS queries bypass the VPN tunnel, which can expose the user's real IP address. Although an IP address discovered due to a DNS leak can be helpful for VPN detection, these leaks are rare because many VPN providers use secure DNS servers to prevent such leaks.

Latency Test

Measuring network latency provides a method for determining VPN, but it is indirect and inaccurate. It can give false positives if users connect to geographically distant servers or have network performance issues unrelated to the VPN.

HTTP/Proxy Headers 

Analyzing HTTP headers can reveal the use of VPN or proxy services. However, modern VPNs do not allow this method, and tech-savvy users can modify these headers to mimic non-VPN-related traffic, making this method less reliable.

Detecting VPN Browser Extensions

Discovering VPN extensions in the browser can detect VPNs, but is not complete as many users use standalone VPN apps that hide the device's actual IP address for all traffic, whether from the browser or not, making this technique less effective.

Thus, while these methods can provide some insight into VPN detection, each has its limitations and can produce false positive or negative results. Combining multiple detection methods remains the most reliable approach to determine VPN usage and accurately minimize erroneous conclusions.

Tor

Tor is also worth mentioning. Tor, short for The Onion Router, is a well-known anonymity network. Detection of the Tor network involves recognizing the IP addresses associated with Tor nodes and output relays. Tor user traffic passes through a series of servers, and the IP address of the exit relay becomes visible when the user goes out to the open Internet. Identification of these IP addresses can indicate the use of the Tor network.

Tor users are well aware of the detection method and often employ countermeasures to protect their anonymity. They may configure Tor bridges, use obfuscation techniques, or use VPNs, creating additional detection challenges. These countermeasures illustrate the constant cat-and-mouse game between privacy-conscious users and those trying to identify their browsing practices.

Why should you implement VPN detection?

VPN detection helps better identify visitors and users — good and bad. By ensuring every visitor is who they claim to be, businesses can better protect themselves and their users from many security and fraud threats.

Benefits include:

• Higher user identification accuracy: As mentioned earlier, VPNs can hide a visitor or user's actual location, making it harder to accurately associate the user with their account or previous sessions. 
• Better website security: Those using VPNs often conduct nefarious actions such as account takeovers, credit card fraud, and cyberattacks. VPN detection helps you keep your website secure by blocking access from suspicious IP addresses and reducing the risk of fraudulent activities. Additionally, you could block users using a VPN altogether if desired preemptively. 
• Improved identification and UX: With seamless, behind-the-scenes VPN detection, you don't have to add friction to the user experience by blocking VPN usage on your site. You can allow users to visit your website as they prefer, but you can ensure their security by identifying VPN usage from bad actors. 

Conclusion

VPN usage has drastically increased over the last few years, with a third of all internet users having used a VPN. While there are many added security and user experience benefits for an internet user to utilize a VPN provider, there's the darker side of fraudulent activities conducted through VPN usage, including malware distribution, click fraud, and identity theft. 

We showed several VPN detection methods, which range from simple timezone mismatch that correlates with anonymizing services usage to more advanced techniques that inspect the packet structure to search for known deviations from the standard and are therefore able to detect underlying VPN protocols. 

VPN detection remains an important tool in the fraud detection toolchain and helps catch suspicious actors before they can perform any malicious actions. Fingerprint offers VPN detection as part of its Smart Signals device intelligence offering and several other device intelligence signals, including IP blocklist matching and Browser bot detection. Smart Signals allows users to reveal the true intentions of every user with access to the most accurate real-time device intelligence available.