Did you know that a website can tell whether or not you are using a VPN depending on your IP address? Agencies and third parties can ask for the IP addresses run by a VPN provider and detect you. Alternatively, they can infer through Whois/DNS contact information or investigate how software patches are propagated from popular VPN providers to various servers.

This detection is possible when someone is using a public VPN service. However, a private one can go undetected by whoever is looking you up because there is no information to prove to a website that your IP is derived from a VPN. Rather, it shows something like an address as part of a subnet used by the ISP for clients. To break down ways in which websites detect VPN usage, here are possible pointers.

  • VPN services have a list of blacklisted IPs, and a website can compare its visitors’ IPs against it
  • Numerous accounts created from one IP address
  • Geo-location inconsistency whereby an account registered in one country seems to receive data from another country
  • A lot of encrypted data moving to an unknown location
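How a site operator might combine the first three signals, as an added example that is not from the original article. The IP ranges, the country table and the login events are constructed sample data, and `score_events` is a hypothetical helper.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation-range networks standing in for a
# published list of VPN exit ranges, and a toy IP-to-country table.
VPN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.64/26")]
GEO = {"203.0.113.7": "NL", "198.51.100.70": "SE", "192.0.2.10": "DE", "192.0.2.44": "DE"}

# Constructed login events: (account, registered_country, source_ip).
EVENTS = [
    ("alice", "DE", "192.0.2.10"),
    ("bob", "DE", "203.0.113.7"),
    ("carol", "FR", "203.0.113.7"),
    ("dave", "US", "203.0.113.7"),
    ("erin", "DE", "192.0.2.44"),
    ("frank", "SE", "198.51.100.70"),
]

def score_events(events, vpn_ranges, geo, max_accounts_per_ip=2):
    """Return {account: [signals]} for accounts that trip at least one signal."""
    accounts_by_ip = defaultdict(set)
    for account, _, ip in events:
        accounts_by_ip[ip].add(account)

    findings = {}
    for account, home, ip in events:
        addr = ipaddress.ip_address(ip)
        reasons = []
        # Signal 1: the source address falls inside a listed range.
        if any(addr in net for net in vpn_ranges):
            reasons.append("listed-range")
        # Signal 2: many accounts share one address (offices and carrier NAT
        # also cause this, so it is weak evidence on its own).
        if len(accounts_by_ip[ip]) > max_accounts_per_ip:
            reasons.append("shared-ip")
        # Signal 3: the address geolocates outside the registered country.
        seen = geo.get(ip)
        if seen is not None and seen != home:
            reasons.append("geo-mismatch")
        if reasons:
            findings[account] = reasons
    return findings

if __name__ == "__main__":
    for account, reasons in score_events(EVENTS, VPN_RANGES, GEO).items():
        print(account, reasons)
```

An account that trips only one signal, such as a listed range with a matching country, is better treated as a prompt for review than as proof.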

Non-technical indicators

Some signs of VPN usage are not technical. The easiest indications are human errors and daily habits. Check out more ways to detect a VPN client.

  • Unintended network traffic

The vast majority of VPNs come as software that needs to be installed on a computer. It is not easy to make sure that all traffic flows through the internet only when the VPN is on. Sometimes, the computer could reboot or the internet connectivity might be cut short. Whether a VPN has a kill switch or not, there is nothing that can be done if a system reboots itself.

  • Leaks from careless human OpSec (operational security)

Much of the most important information may leak through seemingly trivial details. While many cautious internet users take a lot of time to monitor sensitive data, they end up forgetting small details that finally expose their identities. For instance, past browsing history can reveal an anonymous individual, as in the case of Hillary Clinton’s assistant, who once got distracted while surfing from a public network; his identity was leaked and he was tracked. In other instances, observers can check activity cycles to detect a targeted individual’s time zone, or look for special characters in messages that pinpoint a particular language corresponding to a particular country.

  • All data packets directed to one IP address

Normally, people request information from numerous sites, and every site has its own IP address. But when a VPN is used, all packets are destined for a single server. If a packet capture reveals that a device sends all its traffic to one IP, this is a clear sign of a proxy or VPN in use. However, a VPN user can circumvent censorship with Psiphon, which prevents the detection to a certain extent. The tool achieves this by using a split tunnel mode for the traffic leaving your country.
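The single-destination check described above, written as an added example for someone auditing their own network; it is not from the original article. The flow records, the thresholds and the helper name `single_destination_clients` are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Destinations in these ranges are local (gateway, resolver) and are ignored.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow summary from a capture: (client, destination, bytes_sent).
FLOWS = [
    ("10.0.0.5", "198.51.100.20", 48_000_000),  # one long-lived encrypted session
    ("10.0.0.5", "10.0.0.1", 12_000),           # local gateway
    ("10.0.0.5", "192.0.2.53", 9_000),          # small amount outside the tunnel
    ("10.0.0.8", "192.0.2.80", 2_100_000),
    ("10.0.0.8", "203.0.113.15", 1_900_000),
    ("10.0.0.8", "198.51.100.99", 2_400_000),
    ("10.0.0.9", "203.0.113.200", 4_000),       # too little traffic to judge
]

def single_destination_clients(flows, share=0.95, min_bytes=1_000_000):
    """Return {client: (top_destination, share_of_bytes, distinct_destinations)}."""
    sent = defaultdict(lambda: defaultdict(int))
    for client, dst, nbytes in flows:
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in LOCAL_NETS):
            continue
        sent[client][dst] += nbytes

    flagged = {}
    for client, dsts in sent.items():
        total = sum(dsts.values())
        if total < min_bytes:
            continue  # not enough external traffic to draw a conclusion
        top, top_bytes = max(dsts.items(), key=lambda kv: kv[1])
        if top_bytes / total >= share:
            flagged[client] = (top, round(top_bytes / total, 4), len(dsts))
    return flagged

if __name__ == "__main__":
    for client, (dst, frac, n) in single_destination_clients(FLOWS).items():
        print(f"{client}: {frac:.2%} of external bytes go to {dst} ({n} destinations)")
```

Using a byte share instead of requiring exactly one destination keeps the check working when a few lookups leave the tunnel, and the minimum-volume threshold avoids flagging idle hosts.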

Technical methods

  • OpenWRT r

Agencies can use sniffing software known as an OpenWRT router VM to test for VPNs on virtual devices. The software captures the VM network which can then be used to analyze the traffic. In essence, the setup is installed on routers on the web or within the internet provider’s network. This strategic approach requires technical know-how about the converging points of interest where the targeted traffic flows. All traffic coming from the virtual device flows through the OpenWRT router, so it becomes the best platform to place data collection tools. Only a few code lines are needed to eliminate the IP address protection by a VPN and reveal the real IP of the user as well as their ISP. Once the ISP is configured, it becomes easier to know who the user really is.

  • Predictable PFS re-keys

Normally, VPN traffic is encrypted to safeguard it from prying eyes. The encryption is so effective that there is no way to force the data to reveal its actual content. Breaking encryption is extremely hard. In fact, surveillance agencies collect encrypted traffic hoping that one day they might figure out a way to decrypt it when computer technology reaches its peak. They also hope to find the keys used to encode the data. However, Perfect Forward Secrecy (PFS) prevents this. The technology produces new secret keys from time to time to encrypt the VPN traffic. A key is destroyed after a while and a new one is created to replace it. That is why the encrypted packets are hard to decipher after a while: the key that was initially used no longer exists. Most VPNs support PFS, and packets of similar size are generated every time a new key is generated. So, if an observer notices a series of identical packets in a packet capture, they will know that a new key cycle has taken place, indicating the use of PFS and further confirming a VPN connection.
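To make the re-key signal concrete, here is an added example (not from the original article) that looks for a packet size recurring on a steady timer within one flow. The capture is constructed, and the 148-byte size, the hourly interval and the thresholds are assumptions; real values depend on the VPN protocol and its configuration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_sample():
    """Constructed capture for one flow: (timestamp_seconds, packet_length)."""
    # Bulk data: mostly full-size packets, with small packets mixed in.
    pkts = [(5.0 * i, 1400 if i % 3 else 90 + (i % 7) * 16) for i in range(3000)]
    # A size that recurs rarely and at irregular times (not a timer).
    pkts += [(t, 612) for t in (100.0, 900.0, 4100.0, 4700.0, 13000.0)]
    # A fixed-size exchange roughly once an hour, with slight jitter.
    pkts += [(t, 148) for t in (12.0, 3612.4, 7211.8, 10812.1, 14412.0)]
    return pkts

def periodic_sizes(packets, min_hits=4, min_period=600.0, max_cv=0.05):
    """Return {size: mean_gap_seconds} for sizes that recur on a steady timer.

    A size qualifies when it appears at least min_hits times, its average
    spacing is at least min_period, and the spacing barely varies
    (standard deviation / mean <= max_cv).
    """
    times_by_size = defaultdict(list)
    for ts, size in packets:
        times_by_size[size].append(ts)

    hits = {}
    for size, times in times_by_size.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Short gaps are ordinary data traffic; irregular gaps are coincidence.
        if avg >= min_period and pstdev(gaps) / avg <= max_cv:
            hits[size] = round(avg, 1)
    return hits

if __name__ == "__main__":
    for size, period in periodic_sizes(build_sample()).items():
        print(f"{size}-byte packet repeats about every {period} s")
```

The 612-byte packets recur five times but at irregular gaps, so the variation test rejects them, while the frequent data packets are rejected by the minimum period.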

After connecting to a VPN, all the traffic is encrypted to an IP. This is what interested parties observe to know immediately that a VPN is in use. Even though the current world requires data encryption, some requests don’t actually need encryption such as NNTP queries and DNS lookups.