WITCH? — VPN and proxy detector.

Discussion in 'privacy technology' started by Gitmo East, Jul 27, 2015.

  1. Gitmo East, Registered Member
    Joined: Jul 28, 2013
    Posts: 106
    https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413
    and
    http://witch.valdikss.org.ru/

    This script caught my VPN running wrapped in both SSL and SSH, also the cipher and compression.
    I have disabled TCP timestamps and still it captures my VPN usage.
    After adding a custom mssfix value of 1250 to my OVPN directives I finally fool this script.
    The worry now is I make myself more identifiable by having a custom MTU value.
     
    Last edited by a moderator: Jul 27, 2015
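
Added example, not part of the thread and not code from the WITCH? tool: a minimal parser for the TCP options a server sees in a client's SYN, showing the two fields the post above changes (the timestamp option and the MSS that `mssfix` rewrites). It assumes the detector reads these fields; the function names and both sample packets are constructed for illustration.

```python
import struct

# Well-known IPv4 MSS values for untunnelled links (MTU minus 40 header bytes).
COMMON_MSS = {1460: "Ethernet (MTU 1500)", 1452: "PPPoE (MTU 1492)"}

def build_syn(options: bytes) -> bytes:
    """Build a constructed TCP SYN header around the given option bytes."""
    options += b"\x00" * (-len(options) % 4)            # pad to a 32-bit boundary
    offset_flags = ((5 + len(options) // 4) << 12) | 0x002  # data offset + SYN
    return struct.pack("!HHIIHHHH", 50000, 443, 1, 0,
                       offset_flags, 64240, 0, 0) + options

def syn_options(tcp: bytes) -> dict:
    """Return the MSS and timestamp-option presence carried in a TCP header."""
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    hdr_len = (tcp[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(tcp):
        raise ValueError("bad data offset")
    seen, i = {"mss": None, "timestamps": False}, 20
    while i < hdr_len:
        kind = tcp[i]
        if kind == 0:                                   # end of option list
            break
        if kind == 1:                                   # NOP, single byte
            i += 1
            continue
        if i + 1 >= hdr_len or tcp[i + 1] < 2 or i + tcp[i + 1] > hdr_len:
            raise ValueError("malformed option")
        length = tcp[i + 1]
        if kind == 2 and length == 4:                   # maximum segment size
            seen["mss"] = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        elif kind == 8 and length == 10:                # timestamps
            seen["timestamps"] = True
        i += length
    return seen

def mss_note(mss) -> str:
    if mss is None:
        return "no MSS option"
    if mss in COMMON_MSS:
        return COMMON_MSS[mss]
    return f"uncommon, differs from plain Ethernet by {mss - 1460:+d} bytes"

# Constructed samples; 1180 is a placeholder, not what mssfix 1250 really yields.
PLAIN = build_syn(b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + bytes(8) + b"\x01\x03\x03\x07")
TUNNEL = build_syn(b"\x02\x04\x04\x9c\x01\x03\x03\x08\x01\x01\x04\x02")
for name, pkt in (("plain", PLAIN), ("tunnel", TUNNEL)):
    print(name, syn_options(pkt), "->", mss_note(syn_options(pkt)["mss"]))
```

A value outside the common set is itself a distinguishing feature, which is the trade-off the post raises about a custom setting.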
  2. MisterB, Registered Member
    Joined: May 31, 2013
    Posts: 1,267
    Location: Southern Rocky Mountains USA
    Kind of interesting. It seems to depend on the VPN provider among other factors. It didn't detect a router VPN connection. With the Windows OpenVPN client, it found one provider but not another. The one it got has a very simple .ovpn configuration. The one that it didn't detect has a much more complicated configuration with this line in the file, "script-security 2", and specific MTU and fragment values. The tunnel in my router has a pretty basic configuration, so using a router tunnel might work for this method like it does with WebRTC.
     
  3. mirimir, Registered Member
    Joined: Oct 1, 2011
    Posts: 9,252
    Why do I care? Any site that I visit can see the VPN exit IP address. And it's not that hard to accumulate a database of all VPN exit IP addresses, or at least those for major providers. Even without that, it's unusual to have an IP address from a hosting provider, no?
     
  4. Timok, Registered Member
    Joined: Jul 3, 2010
    Posts: 58
    Location: Germany
  5. MisterB, Registered Member
    Joined: May 31, 2013
    Posts: 1,267
    Location: Southern Rocky Mountains USA
    By itself this isn't such a big deal, but it is another server-level metadata analysis tool and, combined with a few more, can quickly profile a VPN user. It is also very quick and dirty compared to going through a database of VPN IPs.
     