VPN adoption has seen steady growth over the past decade due to increased public awareness of privacy and surveillance threats. In response, certain governments are attempting to restrict VPN access by identifying connections using "dual use" DPI technology. To investigate the potential for VPN blocking, we develop mechanisms for accurately fingerprinting connections using OpenVPN, the most popular protocol for commercial VPN services. We identify three fingerprints based on protocol features such as byte pattern, packet size, and server response. Playing the role of an attacker who controls the network, we design a two-phase framework that performs passive fingerprinting and active probing in sequence. We evaluate our framework in partnership with a million-user ISP and find that we identify over 85% of OpenVPN flows with only negligible false positives, suggesting that OpenVPN-based services can be effectively blocked with little collateral damage. Although some commercial VPNs implement countermeasures to avoid detection, our framework successfully identified connections to 34 out of 41 "obfuscated" VPN configurations. We discuss the implications of VPN fingerprintability for different threat models and propose short-term defenses. In the longer term, we urge commercial VPN providers to be more transparent about their obfuscation approaches and to adopt more principled detection countermeasures, such as those developed in censorship circumvention research.