DPI and VPNs: It's obfuscated...

By Sebastian Müller
Published on: 21.08.2023

In our blog post "VPN and visibility: the paradox of secure networking" back in 2020, we discussed the role of deep packet inspection (DPI) for virtual private networks (VPNs). VPNs gained new momentum during the pandemic, as more employees were stranded at home and found themselves in urgent need of stable, secure and fast access to their respective corporate networks. They resorted to private lines which later doubled up as an avenue for the rest of the family to access personal communication or entertainment apps, such as WhatsApp, Netflix, Amazon Prime. The spillover effect of this can be seen in the surge in private VPN use in the pandemic’s aftermath. Regular folks got used to having unlimited access to the Internet, securely and privately.

New obfuscation techniques

Three years on, the evolution of VPN continues to propel its growth. This includes the adoption of advanced obfuscation techniques, for example, encryption and tunnelling. Encryption converts regular text into ciphertext and requires special keys for decryption. Tunnelling, similarly, encapsulates data before it is channeled through the Internet, rendering any form of interception impossible. Continuous advancements in obfuscation techniques drive more robust and secure VPN services. New encryption protocols, such as TLS 1.3, ESNI and QUIC, alongside proprietary protocols, progressively hide more packet-related information, creating well-armored data channels. These techniques add to a host of other VPN features, such as kill switch, anti-tracking and leak protection. Collectively, these features ensure a high level of privacy and security for users.

When it comes to network control, network administrators require full transparency. VPNs are everything but transparent. This puts the onus on today’s networks to detect and decipher any active VPN service in real-time. Identifying a VPN service is critical in determining the level of access and scrutiny that is needed across different flows, as well as in meting out appropriate network policies. Equally important is, of course, to know what is transpiring ‘inside’ a VPN while thousands of data pieces are moved in and out of the network using up valuable network resources.

Internet censorship – Psiphon’s story

ipoque’s DPI engines R&S®PACE 2 and R&S®vPACE provide real-time classification of VPN services. These engines detect hundreds of VPN services, leveraging statistical, behavioral and heuristic analysis alongside encrypted traffic intelligence (ETI), which uses techniques such as deep learning (DL) and machine learning (ML).

What is the implication of this to the network? Let us take the example of Psiphon, a VPN service used to circumvent Internet censorship. Psiphon employs encryption, SSH and HTTP proxy technology to obfuscate traffic. Its users are typically trying to access news sites, games, videos and others that are blocked in their locality. The service, however, does not guarantee anonymity or privacy.

ipoque’s DPI and ML technologies enable the detection of both the Psiphon application and the Psiphon protocol. This allows internet service providers (ISPs), such as mobile and fixed line operators, to improve regulatory compliance by limiting its usage and commissioning further investigation into the applications being accessed. It also enables ISPs to maintain net neutrality, allowing the propagation of a free Internet, and enabling content providers to understand the real demand for their web applications.

My network, my rules

For users looking for anonymous browsing and prioritizing privacy, there are hundreds of standard VPN services that combine concealment of IP addresses with features such as no-logs policy. Examples of these are Nord VPN, Cyber Ghost and Surfshark VPN. These services are critical to users accessing the Internet on an unsecured connection like a public Wi-Fi. VPNs safeguard users against leakage of personal information in the event of hacking and are highly effective in staving off cyber-attacks, such as phishing and DDoS. However, most VPN services use obfuscation techniques, such as encryption and dynamic IP addresses, that create huge blind spots in network monitoring. R&S®PACE 2 and R&S®vPACE attenuate these blind spots by seamlessly identifying hundreds of VPN protocols and applications – whether these are popular services, like Express VPN, Ultra VPN or IPVanish, or any of the lesser known ones. This allows ISPs to control user access to thousands of unauthorized sites. It also enables enterprises to prioritize enterprise applications and throttle down the speeds and bandwidth across traffic from personal VPNs.

With the growth in shadow IT, identifying not only the VPN protocols and applications but also the underlying applications, such as Zoom or Google Drive, can greatly aid in supporting productive work across an enterprise. The ability of R&S®PACE 2 and R&S®vPACE to combine protocol and application insights can reveal, for example, the use of a personal VPN to browse a competitor’s website and to download their resources. Another scenario relates to the use of a personal VPN to speed up large file downloads from colleagues across the globe. By deploying R&S®PACE 2 and R&S®vPACE on the network, enterprises can gather sufficient insights helping them to institute effective IT policies.

What is onion routing?

TOR, which stands for The Onion Router, is a protocol that creates a ‘VPN’ effect by using a collaborative community-driven infrastructure. It combines servers hosted by volunteers and uses multiple layers of encryption to mask the identities of users. ISPs only see the entry nodes while website and application providers only see the exit nodes, with no traceable trail between the two. Fortunately, R&S®PACE 2 and R&S®vPACE can easily detect a TOR protocol or application despite the Obfsproxy bridges used to hide their presence. This enables local enforcement authorities to monitor extended web activities, specifically potentially illegal activities.

Not all TOR activities are malicious. A sudden surge in the use of TOR was observed during times of uncertainty when anonymous access to restricted sites became vital. Being able to identify TOR traffic allows ISPs and national regulators to refine network access policies and provide controlled access for TOR users as a means of supporting their information needs. This includes support for journalists and whistle-blowers.

A question of trust and honor

VPNs are not immune to cyber-threats. In fact, they make a great hideaway for malware. Between 2021 and 2022, a trojanized version of Psiphon for Android was infecting devices with the DAAM Android Botnet. As a result, applications were compromised with unauthorized call recordings, configuration changes and collection of PII [1]. In addition, less reputable VPN solutions are known for collecting user details and sharing these with third parties. According to Top10VPN, only 15% of the twenty most popular ad-supported free VPN iOS applications in the United States honor user preferences to not be tracked by advertisers [2]. This is exacerbated when host servers are located in jurisdictions with weak data protection laws. ipoque’s next-generation DPI technology comes with a rich repository of VPN signatures that can accurately identify each service and the underlying activities. This enables network administrators to determine the risk exposure and vulnerabilities associated with the use of each VPN service, allowing pro-active threat mitigation measures. With the introduction of a new breed of VPN-like services, such as Apple’s Private Relay [3], a browser-based encryption tool, ipoque can help ISPs keep tabs on the underlying applications, for example iCloud, and implement granular threat prevention policies.

At the end of the day, VPN services are only as good as the purpose they support, and as reliable as the trust users put in them. DPI puts VPN services to the real test, ensuring that users get the privacy and security they need, while keeping threats and network abuse at bay.


[1] Restore Privacy - Trojanized Psiphon App Infects Android Phones with Ransomware
[2] Top10VPN - Free VPN iOS App ‘Request to Track’ Compliance Investigation
[3] Apple’s iCloud Plus bundles a VPN, private email, and HomeKit camera storage

Sebastian Müller

Sebastian is a passionate DPI thought leader guiding a cross-functional team to build the networks of the future with leading traffic analytics capabilities. He has over ten years of dedicated experience in the telecom and cybersecurity domain, providing him with deep understanding of market requirements and customer needs. When he’s not at work, you can either find him on his road bike or hiking in the mountains.

Email: Seb.Mueller@rohde-schwarz.com