paint-brush
OpenVPN Detection Risks: Scaling Attacks and Calls for Stronger Obfuscationby@virtualmachine
New Story

OpenVPN Detection Risks: Scaling Attacks and Calls for Stronger Obfuscation

by Virtual Machine TechJanuary 14th, 2025
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

This research shows OpenVPN's vulnerability to detection and blocking at scale, urging VPN providers to adopt stronger, standardized obfuscation methods.
featured image - OpenVPN Detection Risks: Scaling Attacks and Calls for Stronger Obfuscation
Virtual Machine Tech HackerNoon profile picture

Authors:

(1) Diwen Xue, University of Michigan;

(2) Reethika Ramesh, University of Michigan;

(3) Arham Jain, University of Michigan;

(4) Arham Jain, Merit Network, Inc.;

(5) J. Alex Halderman, University of Michigan;

(6) Jedidiah R. Crandall, Arizona State University/Breakpointing Bad;

(7) Roya Ensaf, University of Michigan.

Abstract and 1 Introduction

2 Background & Related Work

3 Challenges in Real-world VPN Detection

4 Adversary Model and Deployment

5 Ethics, Privacy, and Responsible Disclosure

6 Identifying Fingerprintable Features and 6.1 Opcode-based Fingerprinting

6.2 ACK-based Fingerprinting

6.3 Active Server Fingerprinting

6.4 Constructing Filters and Probers

7 Fine-tuning for Deployment and 7.1 ACK Fingerprint Thresholds

7.2 Choice of Observation Window N

7.3 Effects of Packet Loss

7.4 Server Churn for Asynchronous Probing

7.5 Probe UDP and Obfuscated OpenVPN Servers

8 Real-world Deployment Setup

9 Evaluation & Findings and 9.1 Results for control VPN flows

9.2 Results for all flows

10 Discussion and Mitigations

11 Conclusion

12 Acknowledgement and References

Appendix

11 Conclusion

We have demonstrated that OpenVPN, even with widely applied obfuscation techniques, can be reliably detected and blocked at-scale by network-based adversaries. Inspired by previous real-world censorship events, we designed a twophase system that performs passive filtering followed by active probing to fingerprint OpenVPN flows. We evaluated the practicality of our approach in partnership with a mid-size ISP, and we were able to identify the majority of vanilla and obfuscated OpenVPN flows with only negligible false positives, which supports that the techniques we describe would be practical even for adversaries averse to collateral damage.


Users worldwide rely on VPNs to protect their security and privacy and to escape Internet censorship, yet the ease of fingerprinting OpenVPN traffic and the commodification of DPI technologies bring monitoring and blocking of popular VPN services within reach for almost any network operator. We propose several short-term mitigations that can help defend against these threats, but in the long term, we urge VPN providers to adopt more resilient and better standardized obfuscation approaches.


This paper is available on arxiv under CC BY 4.0 DEED license.