12
4
I registered a virtual private server with a dedicated public IP and set up my own private VPN on it. Out of curiosity, I tried to access Netflix over it and I got the famous "You seem to be using an unblocker or proxy" screen.
I have always thought that Netflix simply maintains a blacklist of public VPN providers. But in this case I'm using my own private IP. How is it possible that Netflix is able to detect my VPN? Isn't it kind of a point of a VPN that it should not be detectable?
Note that the server is set up in a country where Netflix is actually very limited. Therefore it seems unlikely that anybody would run a public VPN to provide access to Netflix here and got all IPs owned by this provider blacklisted as a result.
Is it possible that Netflix simply detects a running instance of a VPN server (OpenVPN in my case) on my IP? Can that be prevented? I moved it from the default port (1194) but that didn't help.
1Couldn't you test your hypothesis that maybe all IPs owned by this VPS provider have been blacklisted? Go to Netflix directly from your VPS itself and see what happens. – Spiff – 2016-12-27T19:41:52.487
It's Relatively easy task to detect a vpn connection. – Ramhound – 2016-12-27T20:11:39.553
The VPS is just a small Ubuntu installation that I access over ssh. I cannot think of a simple way how to actually test this because this screen only appears once I hit the play button. I can't really do that from a CLI browser. @Ramhound, can you be more specific? Provide a source? – tobik – 2016-12-27T20:41:11.797
3@Ramhound - I'm curious (and, to be honest skeptical) - how can the VPN connection be relatively easily detected? – davidgo – 2016-12-27T20:54:30.167
Netflix would like to provide all of their services globally but to comply with licensing they must impose restrictions based on geographic location. One of the primary uses of a VPN is to evade such restrictions. Apparently they have the technology to detect this but obviously they have published no details. According to Netflix terms of service they may ban users who they suspect are attempting to evade these restrictions. – LMiller7 – 2016-12-27T21:22:06.053
5@LMiller7 You are right but I don't think this is relevant here. The point is that if they are technically capable of detecting VPNs, it has quite big security implications. So I'm curious how it works. – tobik – 2016-12-27T21:31:29.393
@davidgo a vpn will leak information unless specifically configured not to do so. An entire SE question on this subject: http://security.stackexchange.com/questions/71774/how-can-i-detect-a-vpn-connection-even-just-in-some-cases-to-get-the-real-loca
– Ramhound – 2016-12-28T00:10:07.4733That's not really convincing. It's mainly about identifying users coming from common VPN providers. That does not apply to me. The rest (packet size, round trip time) sounds a lot like guessing. – tobik – 2016-12-28T00:18:07.363
1@Ramhound the VPN is not leaking any infomatation - in fact the lead answer pretty much says "VPN's are known by the endpoint IP, which does not apply here". The bit about MTU makes assumptions which may not hold true. Its is true that DNS can give hints if this is not correctly configured - but its trivial to use 8.8.8.8 and 8.8.4.4 which will subvert it. – davidgo – 2016-12-28T01:54:15.740