User:Blablubbs/VPN Verification

This page lists technical fingerprints of VPN providers and ways to manually query and verify them. The verification methods are provided for reference; use them at your own risk, in non-intrusive ways and in compliance with applicable laws and ISP policies. This applies especially to nmap.^[a] Verification instructions are written for users of Linux-based operating systems, but should be largely OS-independent. This page focuses on discovery methods in the IPv4 address space, though some may also be adjusted to work with IPv6.

Verification methods edit

SSL certificate edit

Using OpenSSL:

openssl s_client -connect <host>:<port>

Using shodan

Using nmap:^[b]

sudo nmap -sS --script ssl-cert.nse <host or host range> -p<port1,port2,port3...portn OR port1-portn> -Pn -v

Using cURL:
```
curl -k -v "https://<host>:<Port>"
```

X-Cache edit

Using shodan
Using reqbin: Plug the IP in and check the headers

Using cURL:

curl --head --show-error "http://<host>:<port>"

Using nmap:^[c]

sudo nmap -A <host or host range> -p<port1,port2,port3...portn OR port1-portn> -Pn

IKE Handshake edit

Using ike-scan:^[d]
```
sudo ike-scan <host>
```

Providers edit

AirVPN edit

airvpn.org
Privacy-focused, tied to the torrenting crowd
SSL certificate served on port 89: CN = *.airservers.org

BulletVPN edit

bulletvpn.net
Webhost, and occasionally mixed, ranges, sometimes obscure providers.
DNS: <cc><number>.bulletvpn.com^[e]

Cyberghost/Zenmate edit

cyberghostvpn.com and zenmate.com
SSL certificate served on port 9002: blade<n>.<city>-rack<n>.nodes.gen4.ninja
Flagged as "Cyberghost/Zenmate" by Spur
Shares a parent company (kape) with PIA

ExpressVPN edit

expressvpn.com
No reliable fingerprint, but often hosted on webhosts with WHOIS outputs like VPN-CONSUMER-NETWORK

FlyGateVPN edit

SSL cert: awsprivate.com, flygateaccount.com

FreeVPN edit

freevpn.com
Not free, despite the name
Mildly dodgy, starting with the fact that the website doesn't support HTTPS
Does not appear to be currently flagged by spur, at least not reliably
Probably enumerable^[f]
Webhost ranges
Hostnames: cc.freevpn.com
SSL certificate: CN = *.ocservvpn.com

HideMyAss edit

hidemyass.com^[g]
DNS: *.hma.rocks and *.prcdn.net
WHOIS: AVAST Software s.r.o.

HotSpot VPN edit

hotspotvpn.org
Dodgy-ish^[h] VPN provider
Running nginx on port 80^[i]

VPN (IKE) on UDP port 500, fingerprint:^[j]

Main Mode Handshake returned HDR=(CKY-R=8b8ba44921f420b9) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)

Integrity VPN edit

integrity.st
Whitelabel service selling to ISPs
Hostnames: <cc>-<o3>-<o4>.integrity.st, where cc is the country code, and o3 and o4 are the third and fourth octet of the exit IP address, respectively^[k]

IPVanish edit

ipvanish.com
Webhost ranges.
SSL certificate served on port 443: CN = *.vpn.ipvanish.com
(Sometimes) WHOIS: Mudhook Marketing Inc

Ivacy edit

ivacy.com
DNS: <cc><number>-<protocol>-<(tcp|udp)>.dns2use.com^[l]

McAfee edit

Offers both a corporate VPN (McAfee Web Gateway Cloud Service) and a personal one (McAfee Safe Connect VPN). The personal VPN appears to be technically indistinguishable from TunnelBear nodes (see there). For the corporate VPN service:
- SSL certificate served on port 443: CN = *.wps.mcafeesaas.com
- SSL certificate served on port 8081: CN = *.wgcs.mcafee-cloud.com

Mullvad edit

mullvad.net
Large-ish, privacy-focused VPN provider
IPv6 and Wireguard support, default connections are OpenVPN (users can choose between TCP and UDP)
No good fingerprints, but exclusively on webhost ranges
Mostly M247, plus some other hosting providers and some directly owned servers
Server list at https://mullvad.net/en/servers/
Entry and exit nodes are split

NordVPN edit

nordvpn.com
Large provider, often, but not always, on easily identifiable webhost ranges
Provides API for queries
No reliable fingerprint, but VPN (IKE) on UDP port 500
DNS: <cc><number>.nordvpn.com^[m]

Phantom Avira VPN edit

avira.com
Owned by an antivirus developer; users may not necessarily be attempting to obfuscate their IP
SSL certificate served on port 443: CN = *.phantom.avira-vpn.com

Private Internet Access edit

privateinternetaccess.com
SSL certificate served on port 443: CN = *.privateinternetaccess.com
Large provider, usually on webhost ranges, but there have been unusual occurences like this one, where the servers are on seemingly non-webhost ranges (in this case, an Israeli public WiFi provider)
Shares a parent company (kape) with Cyberghost/Zenmate
DNS: <cc>.privacy.network or <cc>-<city>.privacy.network. ^[n]

Private Relay edit

Provided by Apple as part of the iCloud suite
Exits are in the same rough region as users' actual IPs
Akamai and Cloudflare ranges
All exits can be verified at https://mask-api.icloud.com/egress-ip-ranges.csv
See also m:Apple iCloud Private Relay

ProtonVPN edit

protonvpn.com
Large-ish provider
Provides API for queries
No reliable fingerprint, but VPN (IKE) on UDP port 500
Entry and exit nodes are split
Webhost ranges

PureVPN edit

purevpn.com
WHOIS: pointtoserver.com, ptoserver.com, PureVPN-NET, GZ Systems Limited
DNS: <cc><(optional) number>-<VPN-protocol>-<optional: (udp|tcp)>.ptoserver.com^[o]

RapidVPN edit

rapidvpn.com
SSL certificate served on port 443: CN = *.rapidvpn.com

Surfshark edit

surfshark.com
SSL certificate served on port 443: CN = *.prod.surfshark.com
Large-ish VPN company. Usually on webhosts, but there is a large number of different ones involved and many of them have slightly annoying range assignment patterns
Many end nodes with activity on Wikipedia
Often blocks of a handful adjacent IPs, e.g. 127.0.0.1-127.0.0.5
Some clearly designated ranges, often /24s with netnames like SURFSH-<o1>-<o2>-<o3>-0, where o1, o2 and o3 are the first through third octet of the base IP^[p]
ASN209854 (SURFSHARK, VG) is tracked at User:AntiCompositeBot/ASNBlock

TunnelBear edit

tunnelbear.com
DNS: <country_code>.lazerpenguin.com

Urban VPN edit

urban-vpn.com

Squid HTTP proxy on ports 80 and 3128:

X-Cache: MISS from p-$cc.biscience.com 
X-Cache-Lookup: NONE from p--$cc.biscience.com:3128

Dodgy "free" VPN service provided by biscience, a "digital intelligence" company
Supposedly P2P, but that does not seem to be the case
Webhost ranges
Parent company also runs a large residential proxy service

VPN Gate edit

See vpngate.net
Uses the SoftEther VPN protocol
Port 5555 serves a page over HTTPS with SoftEther VPN text
```
curl -v -k https://<ip>:5555
```
Some nodes: WHOIS: SoftEther Corporation
Some nodes: SSL certificate served on port 443: CN = *.opengw.net

WorldVPN edit

worldvpn.net
See #FreeVPN.

Notes edit

^ See also nmap#Legal issues.
^ -sS (stealth scan) is the default scanning method for scans executed as root. If more detailed results are required, -sV can be used to determine (or guess) the operating system and service versions of the target host. The -Pn switch makes nmap skip host discovery, meaning that it will execute the specified scanning functions without sending initial pings to determine whether the target machine is online. In most cases, using this switch will be necessary because most modern machines block ping probes. Nmap scans may be sped up by using the -T parameter with numeric values between 0 and 5 (e.g. by appending -T4), with 5 providing the quickest, and 0 providing the slowest scan speeds. Note that faster scans tend to be more intrusive and may not detect open ports when used against slow or unreliable networks. If only the execution of the certificate script is desired and no port scan should be executed, the -sn switch can be used.
^ Note that nmap -A is a relatively aggressive and easily detectable scan.
^ Hosts can be specified in multiple ways; either as a single IP (127.0.0.1), a CIDR block (127.0.0.1/24), a start-end range (127.0.0.1-127.10.10.10) or in IPNetwork:NetMask format (127.0.0.1:255.255.255.0). The default for both the source and destination port is 500 UDP; if a different one is desired, this can be specified with the -s (source) and -d (destination) switches, e.g. sudo ike-scan -d450 -s450 127.0.0.1/24.
^ <cc> stands for "country code. E.g. cai03.bulletvpn.com, ann01.bulletvpn.com
^ Current data is based on a single datapoint, but if the fingerprints are consistent, they are easy to query.
^ Blacklisted link.
^ It appears that clicking "Contact Us" on the website does nothing but append /# to the URL without actually sending you anywhere.
^ Not certain if this is universal.
^ The output of the HDR=(CYK-R= [...]) field varies.
^ E.g. The Swedish exit node 85.24.253.12 has the hostname se-253-12.integrity.st
^ E.g. hk-ovpn-udp2.dns2use.com, my2-ovpn-udp.dns2use.com. Outliers exist, e.g. vlbr-usvc1.dns2use.com.
^ E.g. tr46.nordvpn.com.
^ E.g. us-california.privacy.network.
^ E.g. lv-ipsec.ptoserver.com, no2-ovpn-udp.pointtoserver.com
^ E.g. SURFSH-62-197-148-0 for the 62.197.148.0/24 IP block

[1] See also nmap#Legal issues.

[2] -sS (stealth scan) is the default scanning method for scans executed as root. If more detailed results are required, -sV can be used to determine (or guess) the operating system and service versions of the target host. The -Pn switch makes nmap skip host discovery, meaning that it will execute the specified scanning functions without sending initial pings to determine whether the target machine is online. In most cases, using this switch will be necessary because most modern machines block ping probes. Nmap scans may be sped up by using the -T parameter with numeric values between 0 and 5 (e.g. by appending -T4), with 5 providing the quickest, and 0 providing the slowest scan speeds. Note that faster scans tend to be more intrusive and may not detect open ports when used against slow or unreliable networks. If only the execution of the certificate script is desired and no port scan should be executed, the -sn switch can be used.

[3] Note that nmap -A is a relatively aggressive and easily detectable scan.

[4] Hosts can be specified in multiple ways; either as a single IP (127.0.0.1), a CIDR block (127.0.0.1/24), a start-end range (127.0.0.1-127.10.10.10) or in IPNetwork:NetMask format (127.0.0.1:255.255.255.0). The default for both the source and destination port is 500 UDP; if a different one is desired, this can be specified with the -s (source) and -d (destination) switches, e.g. sudo ike-scan -d450 -s450 127.0.0.1/24.

[5] <cc> stands for "country code. E.g. cai03.bulletvpn.com, ann01.bulletvpn.com

[6] Current data is based on a single datapoint, but if the fingerprints are consistent, they are easy to query.

[7] Blacklisted link.

[fn2-8] It appears that clicking "Contact Us" on the website does nothing but append /# to the URL without actually sending you anywhere.

[fn3-9] Not certain if this is universal.

[10] The output of the HDR=(CYK-R= [...]) field varies.

[11] E.g. The Swedish exit node 85.24.253.12 has the hostname se-253-12.integrity.st

[12] E.g. hk-ovpn-udp2.dns2use.com, my2-ovpn-udp.dns2use.com. Outliers exist, e.g. vlbr-usvc1.dns2use.com.

[13] E.g. tr46.nordvpn.com.

[14] E.g. us-california.privacy.network.

[15] E.g. lv-ipsec.ptoserver.com, no2-ovpn-udp.pointtoserver.com

[16] E.g. SURFSH-62-197-148-0 for the 62.197.148.0/24 IP block

[a]

[b]

[c]

[d]

[e]

[f]

[g]

[h]

[i]

[j]

[k]

[l]

[m]

[n]

[o]

[p]