Alarming: researchers can fingerprint and block eight out of ten top VPN providers

OpenVPN, the most widely used open-source VPN protocol for secure and private connections, can “be reliably detected and blocked at scale by network-based adversaries,” research has found. That affects eight out of the top ten VPN providers.

If governments or ISPs wanted to block traffic routed with OpenVPN, they could easily do so – even with widely applied obfuscation techniques.

Researchers from the University of Michigan and other institutions demonstrated a two-phase system that performs passive filtering followed by active probing to fingerprint OpenVPN flows.

“We evaluated the practicality of our approach in partnership with a mid-size ISP, and we were able to identify the majority of vanilla and obfuscated OpenVPN flows with only negligible false positives, which supports that the techniques we describe would be practical even for adversaries averse to collateral damage,” the paper reads.

Certain governments around the world, including China and Russia, are seeking to restrict VPN access in an effort to maintain control and prevent citizens from bypassing surveillance and censorship measures.

Research demonstrates that it’s possible to accurately fingerprint connections using OpenVPN, the most popular protocol for commercial VPN services.

“We identify three fingerprints based on protocol features such as byte pattern, packet size, and server response,” researchers said.

While testing their approach with a million-user regional ISP, they were able to identify over 85% of OpenVPN flows with only negligible false positives. Their framework also successfully identified connections to 34 out of 41 “obfuscated” VPN configurations.


Researchers used Deep Packet Inspection (DPI) technologies to identify features such as byte pattern, packet size, and server responses to fingerprint OpenVPN traffic.

The authors warn sensitive users, such as journalists or political activists, not to expect unobservable VPN usage. Researchers also urge VPN providers to adopt more principled and robust obfuscation approaches.

“Alarmingly, out of the ‘top ten’ VPN providers ranked by, eight provide obfuscation services of some sort, suggesting that being undetectable is within the providers’ threat model for their clients. Yet, all of them are flagged as suspect flows due to either insufficient encryption (Opcode) or insufficient obfuscation over packet length (ACK),” the paper reads. “Considering that these obfuscated VPN services usually claim to be ‘undetectable’ or claim that the obfuscation ‘keeps you out of trouble,’ this result is alarming as users who use these services may have a false sense of privacy and ‘unobservability.’”

The paper also notes that four out of the top five VPN providers use XOR-based obfuscation, which is easily fingerprintable.

Researchers also suggest several strategies to prevent VPN traffic from being throttled or blocked by ISPs or governments. In the short term, they suggest separating obfuscation servers from OpenVPN instances in the network address space and switching from static to random padding for obfuscation services, among other measures.
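Why the switch from static to random padding matters for the packet-length (ACK) fingerprint, as an added example that is not code from the paper or from any VPN provider. It assumes, for illustration, that acknowledgement packets in a flow share one small size; the packet sizes, function names and padding limits are all constructed.

```python
import random
from collections import Counter

# Constructed sample: payload sizes (bytes) of the first packets of one flow.
# ACK_SIZE stands in for acknowledgement packets that all share one length
# (an assumption for this example); no value here comes from a real capture.
ACK_SIZE = 22
FLOW = [54, 66, ACK_SIZE, 1200, ACK_SIZE, 1200, ACK_SIZE, 310,
        ACK_SIZE, ACK_SIZE, 96, ACK_SIZE]

def static_pad(sizes, n=16):
    """Obfuscation layer that appends the same n bytes to every packet."""
    return [s + n for s in sizes]

def random_pad(sizes, max_pad=64, rng=None):
    """Obfuscation layer that appends 0..max_pad bytes, drawn per packet."""
    rng = rng or random.Random()
    return [s + rng.randint(0, max_pad) for s in sizes]

def dominant_size_share(sizes):
    """Fraction of packets that share the single most common length.

    A high share means one packet type is still recognisable by size alone.
    """
    return Counter(sizes).most_common(1)[0][1] / len(sizes)

def report(seed=1):
    """Compare how much length uniformity survives each padding scheme."""
    rng = random.Random(seed)  # seeded only to make the demo repeatable
    return {
        "plain": dominant_size_share(FLOW),
        "static": dominant_size_share(static_pad(FLOW)),
        "random": dominant_size_share(random_pad(FLOW, rng=rng)),
    }

if __name__ == "__main__":
    for scheme, share in report().items():
        print(f"{scheme:>6} padding: dominant length share = {share:.2f}")
```

Static padding shifts every length by the same constant, so the share of identically sized packets is unchanged; per-packet random padding spreads them across many lengths.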

“In the long term, we fear that the cat and mouse game between censors and circumvention tools, such as the Great Firewall and Tor, will occur in the VPN ecosystem as well, and developers and providers will have to adapt their obfuscation strategies to the evolving adversaries,” the paper reads.

“We urge commercial VPN providers to adopt more standardized obfuscation solutions, such as Pluggable Transports, and to be more transparent about the techniques used by their obfuscated services.”