Detection of OpenVPN Sessions in Transit Traffic

A group of researchers from the University of Michigan published the results of a study on the possibility of identifying (fingerprinting) connections to OpenVPN servers during transit traffic monitoring. The study identified three ways to distinguish the OpenVPN protocol from other network packets, which can be used in traffic inspection systems to block OpenVPN-based virtual networks.

Testing the proposed methods on the network of the Internet provider Merit, which has over a million users, showed that 85% of OpenVPN sessions could be identified with a low level of false positives. A toolkit was prepared for verification, which first detected OpenVPN traffic in passive mode and then confirmed the result through an active check of the server. The researchers created a traffic flow of about 20 Gbps for experimentation.


During the experiment, the analyzer successfully identified 1718 out of 2000 OpenVPN connections established by a test client. This client used 40 different typical OpenVPN configurations, and the method worked for 39 of them. Over the eight days of the experiment, 3638 OpenVPN sessions were identified in transit traffic, of which 3245 were confirmed. The upper bound on false positives for the proposed method is three orders of magnitude lower than for previously proposed methods based on machine learning.

The protection of commercial services against tracking of OpenVPN traffic was evaluated separately. Of 41 tested VPN services that use methods to hide OpenVPN traffic, the traffic was identified in 34 cases. The services that could not be detected used additional layers to hide traffic, such as sending OpenVPN traffic through an additional encrypted tunnel. Some services successfully disguised traffic using an XOR operation for distortion, additional layers without proper random padding of traffic, or non-obfuscated OpenVPN services on the same server.
