17

I know that my ISP can detect when I am using a VPN, but can it see which protocol I am using?

elsadek
E. M.
    Wireshark can identify the protocol based on packet analysis, OpenVPN for example. Do the test. – Kate Apr 13 '21 at 19:04

2 Answers

22

Yes, probably. Most VPN protocols are not designed to hide the fact that they're VPN protocols, nor what kind of protocol they are. See for instance this paper which details fingerprinting OpenVPN.

If you run all your traffic through a VPN, the fact that you're using a VPN is quite easily visible - as all traffic will be destined for a single destination - which is quite unlike normal usage patterns.

If you're interested in hiding the fact that you're using a VPN, and what VPN, you should probably look into what's used in totalitarian states, such as China, which routinely blocks all attempts at VPNs out of China. Tor is one such system.

vidarlo
  • 1
    It might not be *that* unusual of a usage pattern. The same pattern would be seen when connecting to a remote session (SSH, RDP, …) and working remotely. Though only if you're not doing any other web browsing on the side on your end. – Konrad Rudolph Apr 14 '21 at 07:41
  • 5
    @KonradRudolph and if you don't even have a web browser open, and no automatic updates for your operating system, no Microsoft apps that phone home, no Google apps that phone home, you type at 30000000 WPM, ... – user253751 Apr 14 '21 at 09:40
  • 1
    @user253751 I considered adding that caveat to the comment but this isn’t necessarily true: even when you use a VPN, not *all* network traffic necessarily goes via the VPN. Often that’s unnecessary and costly. – Konrad Rudolph Apr 14 '21 at 09:43
  • 1
    @user253751, in fact all of that is not a problem. There are VPNs where the local client simply sets up the local routes such that *all* traffic goes over the VPN. Even local browsing or your local Windows Update would run over the VPN. This was the case in my company's infrastructure, for example, before it was changed when everybody went home due to COVID and the VPN infrastructure was overloaded thus. – AnoE Apr 14 '21 at 10:54
  • @AnoE yes and therefore it does not look like "someone using SSH" because when you use SSH at home, you usually also have a browser open, Windows Update, maybe Office, probably some Google apps on your phone connected to Wi-Fi, ... – user253751 Apr 14 '21 at 11:10
  • @user253751, ok... I'm not sure what we're discussing, but I guess it's fine. ;) – AnoE Apr 14 '21 at 11:12
  • @KonradRudolph Completely leaving aside whether VPN and SSH traffic look alike, I think you are dramatically overestimating how common SSH traffic is. – Daniel Wagner Apr 14 '21 at 18:07
  • @DanielWagner I’m not (and I did consider mentioning this, and cut it for brevity’s sake). The only point I’m making is that usage patterns alone won’t tell you whether a user is using a VPN or SSH (maybe they do, I’m merely commenting on the specific assertion in the answer and it’s not as easy as “all traffic goes to a single address”, which might also be the case with SSH + SSH tunnelling, and might not be the case for a VPN). – Konrad Rudolph Apr 14 '21 at 18:18
  • 1
    @KonradRudolph I'd consider SSH tunnelling a VPN for all intents and purposes. – vidarlo Apr 14 '21 at 18:20
  • @vidarlo any tunnel, in fact. There are also browser based VPN plugins, and some enterprises use terminal servers for browser traffic. The browser IP is not the same as for the command line. As for split tunneling, it generally does not get to the ISP as it would mostly be used for local nodes such as printers and file servers. – mckenzm Apr 14 '21 at 19:33
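
As an added illustration of the answer above (not code from any poster or from the paper it links to): a minimal passive classifier showing why the first UDP datagram of a VPN session usually gives the protocol away. It goes beyond OpenVPN to WireGuard and IKEv2; the function name and the sample datagrams are constructed for this example, and the checks are heuristics over the protocols' cleartext header layouts, not a complete fingerprint.

```python
import struct

# First-byte opcodes of OpenVPN client hard-reset packets (opcode << 3 | key_id).
OPENVPN_CLIENT_RESETS = {7: "P_CONTROL_HARD_RESET_CLIENT_V2",
                         10: "P_CONTROL_HARD_RESET_CLIENT_V3"}
# WireGuard handshake/cookie messages have a fixed size per message type.
WIREGUARD_SIZES = {1: 148, 2: 92, 3: 64}


def classify_first_datagram(payload: bytes) -> str:
    """Guess the VPN protocol from the first UDP payload of a flow (hypothetical helper)."""
    # IKEv2: 28-byte header, responder SPI all zero in the first request,
    # version 0x20, exchange type 34 (IKE_SA_INIT), length field == datagram size.
    if len(payload) >= 28:
        responder_spi = payload[8:16]
        version, exchange = payload[17], payload[18]
        (length,) = struct.unpack(">I", payload[24:28])
        if (version == 0x20 and exchange == 34
                and responder_spi == bytes(8) and length == len(payload)):
            return "IKEv2"
    # WireGuard: 1-byte message type, 3 reserved zero bytes, fixed total length.
    if len(payload) >= 4 and payload[1:4] == b"\x00\x00\x00":
        if WIREGUARD_SIZES.get(payload[0]) == len(payload):
            return "WireGuard"
    # OpenVPN: opcode in the top 5 bits, key_id 0 on a fresh session, then an
    # 8-byte session id, ack count and packet id (14 bytes minimum without tls-auth).
    if len(payload) >= 14:
        opcode, key_id = payload[0] >> 3, payload[0] & 0x07
        if opcode in OPENVPN_CLIENT_RESETS and key_id == 0:
            return "OpenVPN"
    return "unknown"


# Constructed sample datagrams (not captured traffic); random fields are zero-filled.
SAMPLE_OPENVPN = bytes([7 << 3]) + bytes(8) + b"\x00" + bytes(4)
SAMPLE_WIREGUARD = b"\x01\x00\x00\x00" + bytes(144)
SAMPLE_IKEV2 = (b"\x11" * 8 + bytes(8) + bytes([0x00, 0x20, 34, 0x08])
                + struct.pack(">II", 0, 28))          # header only, no payloads
SAMPLE_DNS = (b"\x12\x34\x01\x00\x00\x01" + bytes(6)
              + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")

if __name__ == "__main__":
    for name, pkt in [("openvpn", SAMPLE_OPENVPN), ("wireguard", SAMPLE_WIREGUARD),
                      ("ikev2", SAMPLE_IKEV2), ("dns", SAMPLE_DNS)]:
        print(f"{name:10s} -> {classify_first_datagram(pkt)}")
```

None of these checks needs the tunnel's keys: the fields read here are sent in cleartext before any encrypted data flows.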
2

Yes they could, but they would need to do this actively. Some degree of effort is required. If you are one user in many that share an ISP connection there would need to be filtering, grouping going on. They also might not care. Your employer will care if you are breaking rules though. A disproportionate level of SSL traffic on 443 to a single address might be noticeable. (They have to keep some ports open).

But your ISP, unless they have a real reason to care, they won't. VPNs are pretty much mandatory for protecting personal information or joining your private network.

I daresay a very large number of people have been working from home lately. That's a lot of VPN traffic.

You probably have more to fear from a provider if it is not "your" VPN. They may say they don't "keep" logs, but that does not mean someone else is not archiving traffic.

mckenzm
  • It's worth highlighting that last part. Third party VPN providers are less trustworthy than your real-world ISP. Even if you think the various things they enable (e.g. copyright infringement, fooling streaming services about your location) are OK, consider this: using a third-party VPN indicates you're doing something you want to keep secret — you've self-identified as "interesting". If I were an intelligence agency, I'd be running *multiple* "competing" third-party VPN providers myself, so that I could inspect all that juicy traffic without having to get warrants or cooperation from ISPs. – al45tair Apr 15 '21 at 06:17
  • 1
    @alastair Using a 3rd party VPN does NOT imply I want to keep a secret. I want to keep ALL my secrets. My ISP can know I sent encrypted TCP/IP packets to the VPN server, and received encrypted TCP/IP packets from the VPN server. Can my ISP decrypt the packets? Design says no, but if your ISP has a technological government funded agency behind it ... Tracking the unencrypted packets from/to the VPN server and the desired URI can be done, but associating a particular packet with a particular VPN packet can't be done. – waltinator Apr 17 '21 at 23:31
  • @waltinator You're only keeping "your secrets" from your ISP, however. (Possibly you're also trying to disguise your actual location from third parties.) Also, there is one party who can track the traffic right back to you — the VPN provider themselves. And, as I say, they're likely considerably less trustworthy than your actual ISP, and you're feeding all your traffic through them. – al45tair Apr 18 '21 at 13:32
  • 1
    @alastair Support your assertion "they (VPN provider) are likely less trustworthy .. ". Explain what you mean by "trustworthy". VPNs can be designed to change packet routing (within their multi-node internal networks) on a per-packet level. My ISP is subject to the court of my jurisdiction. – waltinator Apr 18 '21 at 17:31
  • @waltinator Who runs your third-party VPN provider? From which country? Could you sue them if they do something wrong? Are you sure? Contrast with typical ISPs, who tend to be large public companies in the same jurisdiction as you (hence you could sue). Additionally, even *if* your third-party VPN provider means to be trustworthy, they're likely to be very small, and therefore (unlike large public companies, who can and do refuse requests from governments) totally unable to resist pressure from their own government. – al45tair Apr 19 '21 at 05:59
  • @waltinator Further, at least in the West, your ISP is likely subject to lots of legislation surrounding privacy, and government will only be able to obtain data from it by following a strict set of rules (which likely includes some form of sign-off from a judge or court; even intelligence agencies in the West have oversight). As for your VPN provider… well, who knows? It might very well turn out to be the GRU, fishing for something juicy to blackmail you with. – al45tair Apr 19 '21 at 06:11
  • 1
    "Virtual Private Networks" is a field of research and practice in Computer Science and Industry. You seem to lack familiarity with this field. – waltinator Apr 19 '21 at 16:58