WITCH? — VPN and proxy detector.

Discussion in 'privacy technology' started by Gitmo East, Jul 27, 2015.

  1. Gitmo East

    Gitmo East, Registered Member (Joined: Jul 28, 2013; Posts: 106)
    https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413
    and
    http://witch.valdikss.org.ru/

    This script caught my VPN running wrapped in both SSL and SSH, also the cipher and compression.
    I have disabled TCP timestamps and still it captures my VPN usage.
    After adding a custom mssfix value of 1250 to my OVPN directives I finally fooled this script.
    The worry now is I make myself more identifiable by having a custom MTU value.
     
    Last edited by a moderator: Jul 27, 2015
  2. MisterB

    MisterB, Registered Member (Joined: May 31, 2013; Posts: 1,103; Location: Southern Rocky Mountains USA)
    Kind of interesting. It seems to depend on the VPN provider among other factors. It didn't detect a router VPN connection. With the Windows OpenVPN client, it found one provider but not another. The one it got has a very simple .ovpn configuration. The one that it didn't detect has a much more complicated configuration with this line in the file, "script-security 2", and specific mtu and fragment values. The tunnel in my router has a pretty basic configuration, so using a router tunnel might work for this method like it does with WebRTC.
     
  3. mirimir

    mirimir, Registered Member (Joined: Oct 1, 2011; Posts: 6,029)
    Why do I care? Any site that I visit can see the VPN exit IP address. And it's not that hard to accumulate a database of all VPN exit IP addresses, or at least those for major providers. Even without that, it's unusual to have an IP address from a hosting provider, no?
     
  4. Timok

    Timok, Registered Member (Joined: Jul 3, 2010; Posts: 51; Location: Germany)
  5. MisterB

    MisterB, Registered Member (Joined: May 31, 2013; Posts: 1,103; Location: Southern Rocky Mountains USA)
    By itself this isn't such a big deal, but it is another server level metadata analysis tool and, combined with a few more, can quickly profile a VPN user. It is also very quick and dirty compared to going through a database of VPN IPs.
     