What Is A Vpn Or Proxy Server
What’s The Difference Between a Proxy and a VPN? – Varonis
The Internet can be a scary place: we’re under near constant attack from ransomware and botnets – on work computers, personal devices, even smart home devices like thermostats and baby monitors.
If you’re security conscious, you might be thinking about setting up a Virtual Private Network (VPN) or a proxy server.
Discover the Top 5 Remote Security Threats to your workforce with our Free Whitepaper
“It’s a new world of remote work and this was a jumpstart on securing it. ”
Proxy and VPN Defined
Both VPNs and proxies enable a higher degree of privacy than you might otherwise have, allowing you to access the internet anonymously by hiding your IP in various ways. But how they do that is quite different.
A proxy acts as a gateway – it’s ideal for basic functions like anonymous web browsing and managing (or circumventing) content restrictions. Proxy servers excel at IP masking and misdirection, making them good for viewing geographically limited content. They allow users to bypass content restrictions and monitoring, or enforce website content restrictions – so that you can’t log into certain web pages on company time.
A VPN client on your computer establishes a secure tunnel with the VPN server, replacing your local ISP routing. VPN connections encrypt and secure all of your network traffic, not just the HTTP or SOCKS calls from your browser like a proxy server.
VPNs are great when you need to use the WIFI at a local coffee shop: using a VPN instead of the potentially completely unencrypted local WIFI adds another layer of privacy – who knows who is lurking on that network, just sitting in the corner sipping coffee and waiting to steal your credit card digits?
Proxy and VPN Drawbacks
If you’re using proxy servers to mask your internet activity, you might see performance issues that prevent you from streaming or downloading the thing you are trying to get. High ping times and other traffic on the proxy server can cause web pages to load slowly. For this reason, some users pay for a private proxy server which limits the number of users that access it, speeding up your connections.
Proxies are also vulnerable to security exploits: they can be open to attack, allowing the bad guys to infiltrate networks or steal private data. Some proxies can still track (and store) your browsing habits, as well as recording usernames and passwords – rendering that promise of anonymity null.
VPNs can also suffer from performance issues, depending on proximity to the VPN server you’re connecting with. VPNs use a local client to create the connection to the VPN server, so any local CPU or memory issues will slow down the connections. VPNs are typically more expensive to use (and maintain) than a proxy server, and they are often more complex to manage.
Just like proxy servers, VPNs can’t guarantee anonymity while browsing. Neither of these services will always encrypt your traffic all the way to the web server. A VPN only guarantees an end-to-end encrypted connection if you use the HTTPS protocol when you go to a new web address. Your data will be encrypted to the VPN, but from that point on, it could be unencrypted to the web server. For some sites, this may be irrelevant: an information-only webpage with no login or payment options for example, but for any sites that require a login or online payments – or any sensitive data – make sure the website is enabled to use HTTPS. Remember, the S stands for moderately more secure.
Proxy and VPN Benefits
The biggest argument to use a VPN instead of a proxy is the total encryption for all traffic you get with the VPN. Dollar for dollar, a VPN is more secure than a similarly priced proxy. VPN providers maintain their own networks and you use their IP addresses for your connections. The top VPN providers advertise a logless policy, which means they don’t have data to provide to anyone about your browsing habits.
If you’re an IT business owner charged with the security of data and users, there are advantages to both, and you likely have both configured for your company. For users in the network, you might route traffic through a proxy server to log web traffic, protect the organization from malware or other attacks, and enforce a web content policy.
When users are operating out of the office, you will want to use a VPN to create a secure connection to access the company resources (email, internal shares, etc. ).
Proxy vs VPN: Which is Right for me?
Privacy and security matter these days, regardless of if it’s your company data or your own personal data you need to protect. Make sure you’re investing time and money into the correct tools for your security goals: both proxies and VPNs add an additional layer of security and privacy to your data.
If you want to enable your team to work remotely with secure access to the company resources, set up and maintain a VPN users to access the network with the VPN.
If your concerns are more around “what websites are my users hitting, ” a proxy server is a better tool.
To get the most bang for the buck (and to protect your data as a security-aware citizen), sign up for a well-regarded VPN service. For the most part, VPN services allow you to use servers in different locations to work around content restrictions. If you need to use a free proxy server occasionally for that purpose as well, just be aware of the risks.
If you’re just starting to implement your data security strategy on an enterprise level, there are more complex attack vectors to account for. Insider threats, APTs, privileged account escalations – along with plain old social engineering – are just as dangerous to your data as an unencrypted data stream.
Neither a proxy nor a VPN will protect you from 100% of the cybersecurity threats your company will encounter: they won’t stop an insider from stealing personal data, a ransomware attack, or a coordinated infiltration effort.
Varonis Edge adds perimeter telemetry to security analytics – monitoring proxy, VPN, and DNS to help bridge that gap: you’ll be able to see when an attacker breaks through a VPN, get alerts when sensitive data is uploaded to external websites, more. See how it works with a 1:1 demo – and discover how Varonis helps secure your data from perimeter attacks.
How easy is it to detect a VPN is being used? | Comparitech
@lahmstache November 29, 2017
Virtual Private Networks (VPNs) solve a lot of privacy problems. Since a VPN usually encrypts your traffic between your computer and the VPN provider, it makes it very difficult for an observer to view your traffic to see what you’re up to. However, there are many people who want to be able to hide the fact that they’re using a VPN at all; such as people in countries that ban VPNs, or other situations where VPN usage is not generally allowed or blocked through technical means. In this article, we focus on the type of data an observer can collect from network packet captures and how that data can be used to detect VPN use.
Contents [hide]Background on the problemTesting methodologyNon-technical sources of VPN indicatorsTell-tale signs from packet metadataInconsistencies in operating system and packet fingerprint dataInsufficient obfuscation techniques from VPN providersIn summary
Background on the problem
The burning question is “why”? Who cares if someone discovers you’re running a VPN? If the traffic is heavily encrypted anyhow, what’s the problem?
It’s true that in many situations and in many countries, it doesn’t matter at all if an observer detects the use of a VPN. However, there are many countries that ban the use of VPNs and it’s therefore important for VPN users in those countries to know how they can be discovered.
In order to determine whether a VPN is in use, an observer has to have access to a router in which the target traffic is passing through. In the case of a targeted victim, an attacker may expend great resources to identify a way in which to take over a router that particular victim uses. In the case of nation-state surveillance, effective detection would require the control of a lot of routers. When you combine those two things—an organisation that cares if you’re using and VPN and also has the ability to control a large number of routers—that usually indicates a nation-level threat actor.
Keep in mind that this article deals with ways in which VPN usage can be discovered by observers. It doesn’t necessarily mean that the data encrypted within the VPN tunnel is easier to exploit.
Testing methodology
Without access to state-level resources, my testing platform and methodology is a little smaller in scale. I created a small internal network using three Virtual Machines (VM) with VirtualBox. The network topology is as such:
I installed packet sniffing software on the OpenWRT router VM and then tested various VPN configurations on the other two virtual machines. The packet sniffing software, tcpdump, allowed me to capture the VMs network traffic for analysis. In a more realistic setup, the packet capturing software would probably be installed in routers on the Internet, or at least within the ISP’s network. The strategic placement of analysis software would require some knowledge of the convergence points of interest on the internet where the target traffic is likely to be flowing. In my testing network, I know with 100% certainty that all the traffic to and from my virtual machines is going to pass through that OpenWRT router. It’s therefore the best place for me to place my collection tools.
Non-technical sources of VPN indicators
Not all sources of data that indicate VPN usage are technical. While some are very technical, such as packet analysis, some are very non-technical, such as human error and daily routine.
Unintended network traffic
Most VPN users have client software that must be launched in order for the the VPN to be established. It’s very difficult to ensure that no traffic passes over the internet prior to the VPN being established when a computer boots up. Even those VPNs with kill switches may not be able to do anything about traffic that passes during system boot up.
To test this, I set the auto-connect and kill switch options of VyprVPN in the Windows virtual machine. I then shutdown the Windows machine, started a packet capture on the OpenWRT router, and started the Windows machine. That generated a lot of packets and of interest are these two sequences.
First, we can see a lot of pings to a similar range of IPs. I did not purposely group these packets – this is how they were sent organically:
This suggests that something is trying to enumerate servers. A very common cause of this type of traffic in a VPN scenario is a VPN client attempting to determine the fastest server. One method to do this is to send an ICMP packet (known as a ping) to a set of servers to see which ones comes back the fastest.
We can see from the first screenshot that 209. 99. 63. 34 returned the fastest in 99 milliseconds. Further down in the packet capture, we suddenly see that most of the traffic from that point on is encrypted and is destined for 209. 34
The next piece of the puzzle is to find out what is at those IPs. Using IP WHOIS which states the registered owner of an IP, we can see that all but one of these IPs belong to the YHC Corporation and resolve to servers in the Data Foundry data center:
209. 108. 46
OrgName: YHC Corporation
OrgTechEmail:
209. 109. 167
209. 113. 70
209-99-115-97
209. 117. 82
209. 21. 36
209. 22. 46
209. 60. 34
209. 61. 42
209. 62. 34
OrgName: Powerhouse Management, Inc.
209. 67. 41
209. 72. 70
209. 75. 93. 94. 37
209. 95. 40
A logical next step would be to scan those IPs to see what services they are running. I won’t supply details on how to do that, but my testing shows that the default connection banners that most servers display have been removed from the VyprVPN servers so there’s no obvious tell-tale that these IPs are running a VPN server.
There isn’t much you can do about how your computer acts prior to being booted up. Therefore, if you want to obfuscate this type of setup sequence, you’ll need to run a VPN “in front” of your computer. Running the VPN client on your router instead of running a client on your computer is one way to do this. You will still run into the same startup sequences when the router restarts, but that is usually less often than your computer.
No unencrypted packets
As I mentioned above, once the pings were complete, the packet capture shows encrypted traffic to the fastest IP. If an observer sees only encrypted packets and not a single unencrypted packet, that can be a sign there is a VPN in use. While the world is moving quickly towards encrypting as much data as possible on the web, there are still some requests which are typically not encrypted. Among these are DNS lookup queries, NNTP (time server) queries and a smattering of other protocol requests such as FTP and Telnet which are sometimes in use in some of our applications, but do not support encryption at all.
Leaks from sloppy human operational security (OpSec)
A great deal of meaningful data can be obtained from a target by using seemingly trivial information. Many people spend a lot of time and effort mitigating what they perceive as the “important” stuff only to be identified by trivial information they did not think of. Some examples include the long memory of the internet that revealed Hillary Clinton’s email administrator was most likely a guy named Paul Combetta; Dread Pirate Roberts, AKA Ross Ulbricht, the alleged mastermind of the illegal Silk Road internet marketplace, was prosecuted largely due to data on his laptop that was physically taken from him while distracted at a public library.
Less dramatically, observers can frequently use things like activity cycles to pin down a target’s timezone or the presence of special characters in a message to identify a language layout corresponding to a target’s country. There is no complete list of things to take into account when considering operational security because coming up with new ways to cross-reference data is mostly an exercise in imagination and resources.
However, there are some specific things that pertain to packet capturing which can identify VPN use.
PFS re-keys are predictable
Since VPN traffic is usually encrypted, it’s generally hidden from prying eyes. Encryption works because it is very hard to “brute force” encrypted data to expose its clear text content. In fact, breaking encryption is so hard that large scale surveillance projects sometimes just collect all the data they can in the hopes that they will be able to break the encryption at some future date when computer power increases, or they are able to obtain the keys that were used to encrypt the data. Perfect Forward Secrecy (PFS) is a method that can be used to prevent the latter scenario.
Perfect Forward Secrecy re-generates the encryption keys used to encrypt the VPN traffic periodically. When a new key pair is generated, the previous pair is destroyed. This means that any collected encrypted packets cannot be decrypted at a later date because the key used to encrypt them no longer exists.
OpenVPN supports PFS. While capturing data for this article, I dropped the key cycling rate down to 10 seconds in order to capture that process taking place. I found that when the key regeneration took place, the following sequence of packets was generated:
09:01:48. 461276 IP vpn > vpn: UDP, length 94
09:01:54. 749114 IP vpn > vpn: UDP, length 65
09:01:58. 895381 IP vpn > vpn: UDP, length 86
09:01:58. 951091 IP vpn > vpn: UDP, length 94
09:01:58. 951614 IP vpn > vpn: UDP, length 259
09:01:59. 007916 IP vpn > vpn: UDP, length 94
09:01:59. 008027 IP vpn > vpn: UDP, length 94
09:01:59. 008265 IP vpn > vpn: UDP, length 94
09:01:59. 008300 IP vpn > vpn: UDP, length 94
09:01:59. 062927 IP vpn > vpn: UDP, length 256
09:01:59. 106521 IP vpn > vpn: UDP, length 575
The notable thing about this sequence is that the packet sizes are identical each time the key regeneration took place. Therefore, whenever I saw a sequence of packets with these sizes in my packet capture, I knew key cycling was taking place:
94
65
86
259
256
575
Arguably, any repeating process would theoretically generate a repeated sequence of packets like this, but it can still be used as an indicator that PFS may be in play. Coupled with other data, this information could be enough to confirm a VPN connection.
All packets destined to the same IP
During the normal course of internet use, people and computers request data from many different sites. Each of those sites has a different IP address. When using a VPN, every single packet is destined to the VPN server. The VPN server peels the VPN encryption layer off each packet to reveal the real packet and then sends it on its way to its actual destination. The VPN server does the same with responses. It receives response packets, wraps them in an encryption layer, and then sends the packet to the user’s computer.
A packet capture that shows a computer sending 100% of its traffic to a single IP is a good indicator that a VPN or proxy is in use.
Psiphon is an internet censorship circumvention tool. It has an interesting function that can combat this to some degree. It has split tunnel mode which essentially only uses the Psiphon tunnel for traffic that leaves your own country.
To see how this looks at the packet level, I launched Psiphon and tested two sites. I am in Canada and here’s a sample of traffic that is destined to our own domain registrar. In this case, my destination is clearly visible in the packet capture.
8:30:14. 213668 IP 192. 168. 1. 210. 58787 > Flags [. ], ack 1026833, win 64240, length 0
08:30:14. 229178 IP > 192. 58787: Flags [. ], seq 1026833:1028293, ack 715, win 5094, length 1460
08:30:14. 229427 IP > 192. ], seq 1028293:1031213, ack 715, win 5094, length 2920
08:30:14. 229781 IP 192. ], ack 1031213, win 64240, length 0
I then visited the Comparitech website which is hosted in the United States:
8:29:48. 028789 IP > 192. 58659: Flags [P. ], seq 107809:108277, ack 19080, win 1392, length 468
08:29:48. 029101 IP 192. 58659 > Flags [. ], ack 108277, win 856, length 0
08:29:48. 029306 IP 192. 58659 > Flags [P. ], seq 19080:19132, ack 108277, win 856, length 52
08:29:48. 108658 IP > 192. 58659: Flags [. ], ack 19132, win 1392, length 0
Note how the traffic destined for the US is sent to a Linode server instead of to Linode is a very large server company and it’s not unusual at all to see traffic destined for a Linode server. Psiphon further obfuscates that traffic by using an SSH tunnel to hide any trace of a VPN. As well, the reverse DNS (rDNS) for the Psiphon server at Linode does not betray its association to Psiphon; the rDNS just shows Linode owns the IP, which is expected. There is more on rDNS in the obfuscation section later on in this article.
Inconsistencies in operating system and packet fingerprint data
Although TCP networking is operating system agnostic, different operating systems create packets with some different values. For example, the default packet Time-To-Live (TTL) value varies in packets created on different systems. Most Windows system will set the packet TTL to 128 by default whereas most Linux systems will set it to 64. Since the TTL is a visible part of captured packet, it’s possible to determine which OS most likely created that packet. There are also other tell-tale signs in packet construction such as length and Maximum Segment Size (MSS) which also vary from operating system to operating system.
The snippet below is part of a packet generated from a Windows system. Note the ttl 127 value on the last line is set to 127. This is because the TTL is expressed in number of “hops”. Every time a packet traverses a device such as a router, its TTL is decremented by one. In this case, the TTL started at 128 but since I captured it on the router—after one hop—it is now 127. However, I can still tell that it was never 64 so this is likely a packet created on a Windows system.
08:08:51. 657495 IP (tos 0x0, ttl 64, id 32150, offset 0, flags [DF], proto UDP (17), length 177)
> 192. 2. 139. 59414: 40501 3/0/0 CNAME, CNAME, A 104. 35. 212 (149)
08:08:51. 659278 IP (tos 0x0, ttl 127, id 3890, offset 0, flags [DF], proto TCP (6), length 52)
A packet captured from a Linux machine has a TTL of 63 after its first hop. This is because most Linux machines set the initial value of the packet TTL to 64.
08:15:55. 913493 IP (tos 0x0, ttl 63, id 41443, offset 0, flags [DF], proto UDP (17), length 56)
192. 48635 > 47200+ A? (28)
But, so what? Why can it be important to know what operating system created a packet?
If an observer has specialized knowledge of a target it can matter a lot. If the target is known to use Windows—perhaps as a member of large organization that uses Windows throughout—but packets captured from that target show that they were likely created on a Linux machine, that is a good indicator that a VPN or proxy of some kind is in use. It’s worth noting that virtually all VPN servers are run on Linux or Unix-like servers.
It’s possible to adjust the packet parameters on most systems but very few people go to this length.
Insufficient obfuscation techniques from VPN providers
There’s more to network analysis than just collecting packets. Ancillary processes such as DNS can play a role. Many VPN users are aware of DNS because sending DNS queries in the clear is one way for an observer to determine where you’re visiting or about to visit. However, fewer users are aware of Reverse DNS (rDNS). Much like DNS associates a domain name to an IP address, rDNS associates an IP address to an hostname and the hostname name usually identifies the owner of the IP. In addition, most programming libraries and operating systems come with some version of the standard gethostnameby*() functions which extend a system’s ability to associate IPs and hostnames.
Reverse DNS is not as critical as “normal” DNS because rDNS plays no part in the routing of traffic. Rather, it is used primarily as a means to identify IP ownership. Only the owner of an IP address can associate an rDNS record to it. Therefore, checking the rDNS record of an IP address provides a reasonable assurance of who owns it, or at least, who the owner wants you to think owns it. Note that rDNS is not required and many IP addresses do not have rDNS entries at all.
Let’s look at the example of the domain The DNS A record provided by a standard DNS query shows this IP address:
$ dig +short
31. 13. 35
Now let’s use a reverse DNS query or the gethostnamebyaddr() function to see who owns that IP:
$ host -n 31. 35
domain name pointer
We can see from this that Facebook actually owns that IP address. However, most sites do not own their own IPs; they are leased and belong to arbitrary organizations or perhaps owned by less obvious entities. Amazon is an example of a large computing provider that is used by many companies. An rDNS query for the IP address of many internet services simply shows that Amazon owns the IP and therefore the information is of little use in determining who operates the IP. Another example is Google. Google is a little more subtle in its rDNS entries, but it still maintains ownership information. Here’s how the reverse DNS looks for a Google IP:
216. 58. 207. 46
$ host -n 216. 46
Google owns the domain, so we can see that this IP does in fact belong to Google.
In the world of VPNs, address resolution tools can potentially be used to see if the IP your traffic is destined for belongs to a VPN. For example, a default tcpdump command on the OpenWRT router will attempt to resolve the IPs that it sees in the TCP packets. It seems to primarily use gethostbyaddress() to do this and it’s therefore sometimes possible to see where packets are destined. A default tcpdump capture of an IPVanish session illustrates this:
08:23:14. 485768 IP > 192. 51061: UDP, length 1441
08:23:14. 485847 IP > 192. 486144 IP > 192. 486186 IP > 192. 51061: UDP, length 385
The IPVanish client for Windows provides three configurations: a standard OpenVPN connection, an OpenVPN connection using HTTPS, and an obfuscated connection.
The packets above were captured during a session using the obfuscated OpenVPN connection setting, yet WireShark is still able to provide destination information.
In summary
When determining VPN usage, there are very few “silver bullets”. It usually takes a number of techniques or observations to compile enough indicators which indicate a VPN is in use, and even then it can be hard to be 100% sure. Companies that have a vested interest in disallowing VPN usage such as Netflix and other streaming services have full-time teams dedicated to just this problem. In other cases, many eastern European and Middle Eastern countries) ban VPN usage and have similar teams to ferret out VPN users.
Should You be Using VPN in India? Understanding its Laws and Privacy
While there are no laws that ban the use of virtual private networks in India, users should be judicious in how such services are Last Updated:February 20, 2020, 01:51 ISTFOLLOW US ON:FacebookTwitterInstagramTelegramGoogle NewsVPN, which stands for Virtual Private Network, is a rather common tool that is used by millions of users across the world. For many, VPNs are seen as effective tools to safely communicate and transfer files on the internet, and in some cases, as a workaround to location specific restriction to information imposed for specific reasons. While VPNs remain effective enterprise tools to enable remote collaboration on sensitive files, the public use of VPNs have often come across controversial scrutiny.
Benefits of using VPNs in India
Like other parts of the world, Indians often put VPNs to use for a variety of purposes. Put simply, a VPN masks your traffic to make it look like your IP address, or your location, is based elsewhere. Now, given the nature of this tool, it is often misconstrued that using a VPN is directly related to illegal activities. In truth, using a VPN has far greater implications than simply bypassing location restrictions, such as accessing websites that are banned for a specific area.
With today’s tense climate of cyber security, the biggest advantage provided by a VPN is keeping you secure as you browse online. Most VPNs that are worth their salt not only anonymise your actual internet address, but also offer industry standard 256-bit AES encryption to secure you from anyone tracking your online activity. This can be absolutely critical in helping you protect your data, especially during financial transactions. While it is not absolutely unbreakable, it is still exponentially safer to use a secure network to make your transactions, so that your passwords, card details and other such sensitive elements are not stolen.
Furthermore, using a VPN can let you access region-specific websites that may be legal, but not accessible in your country. This can help you read a wider selection of articles from publications across the web, or even view content that has been made elsewhere.
Is it legal?
With such benefits at hand, it is absolutely crucial to note that the simple activity of using a VPN is not illegal in India. In fact, there are absolutely no laws around using a VPN in India, so as long as you are using a VPN for no illegal activities, there should be nothing for you to worry about.
That said, the reason why VPNs get such a bad reputation is for their use in activities that are deemed illegal in India. The biggest and most common use case here lies in accessing content blacklisted by the Indian government (such as pornography), or torrent sites that facilitate the distribution of pirated content. The latter is the most common case of prosecution, and it is copyright infringement and creation of pirated content, and not the use of VPN, that can land you in legal trouble.
What are the charges?
As a result, if you are tracked down while using a website that lets you view, download and distribute content that is illegally uploaded (i. e. hosted online without paying due royalties to the creator), the Indian government may prosecute you under Sections 63, 63A, 65 and 65A of the Copyright Act, 1957 under the Constitution of India. If you are caught downloading an unauthorised copy of a movie, or streaming it from a website that hosts it illegally, then you may be subjected to legal prosecution amounting to up to three years of imprisonment, and a penalty of up to Rs 3, 00, 000.
As a result, you as a user of the internet in India are completely in the clear to use a VPN service, and doing so is in fact recommendable given the risks of malware and ransomware floating around across various parts of the internet. However, it is important for users to exercise their judgement, and avoid accessing any website or content that can amount to copyright infringement by the definition of the internet in India.
Frequently Asked Questions about what is a vpn or proxy server
How do I know if I have a proxy or VPN?
The VPN server does the same with responses. It receives response packets, wraps them in an encryption layer, and then sends the packet to the user’s computer. A packet capture that shows a computer sending 100% of its traffic to a single IP is a good indicator that a VPN or proxy is in use.Nov 29, 2017
Is VPN proxy illegal?
While there are no laws that ban the use of virtual private networks in India, users should be judicious in how such services are used. VPN, which stands for Virtual Private Network, is a rather common tool that is used by millions of users across the world.Feb 20, 2020
Do I need a VPN and a proxy?
Do you need a proxy if you have a VPN? … A VPN and proxy server both mask your IP address. But a VPN will also encrypt the data you send and receive, something that a proxy server doesn’t do. If you are already using a VPN, then, connecting to a website or app through a proxy server would be an unnecessary step.
