X4BNet / lists_vpn

Lists of VPN providers (automatically updated)

List of missing VPNs - please help #64

Open mineoturz opened 5 months ago

mineoturz commented 5 months ago

Free VPNs that use servers not contained in this list:

CameronMunroe commented 5 months ago

Any idea where we can find those IPs?

mineoturz commented 5 months ago

Unfortunately, not. I was hoping you had a way to do that.

I had connected and run a packet capture on a few, but there were so many networks that it connected to that it needed to be automated. I don't have a way to do that, but I'm interested in helping find a way if you don't have one.

mineoturz commented 5 months ago

Also, I did want to ask. Have you encountered any issues when using the VPNs + datacenter lists as a firewall blacklist? I had set it and it ended up blocking a lot of common good servers. (Google, Microsoft, Apple, etc). Do you have any suggestions on how to get around that?

splitice commented 5 months ago

Your problem is that the datacenter list blocked the datacenters of Google, Microsoft, Apple etc?

mineoturz commented 5 months ago

> Your problem is that the datacenter list blocked the datacenters of Google, Microsoft, Apple etc?

Haha, yes I suppose you're right. For some reason I thought it was a list of malicious/VPN hosting services blocks.

splitice commented 5 months ago

Any webhost can host a VPN or non-eyeball service. That doesn't make them malicious.

OpenVPN runs just as well on Azure/AWS/Google Cloud as it does on some sketchy Russian VPS provider (if not better)
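An added example (not part of the thread and not the repository's code) of the check this exchange points to: before loading the lists into a firewall, test the destinations that must stay reachable against the VPN list and the datacenter list separately. The CIDR ranges, hostnames and function names are assumptions, constructed from documentation address space.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), not real list contents.
VPN_LIST = """
# hypothetical VPN provider ranges
192.0.2.0/25
198.51.100.16/28
"""
DATACENTER_LIST = """
# hypothetical hosting ranges; big cloud providers fall in this class too
203.0.113.0/24
198.51.100.0/24
"""
# Destinations the network must keep reaching (hypothetical names and addresses).
REQUIRED = {
    "updates.example": "203.0.113.10",
    "mail.example": "198.51.100.200",
    "intranet.example": "192.0.2.200",
}

def parse_cidrs(text):
    """Parse one CIDR per line, ignoring blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def classify(ip, vpn_nets, dc_nets):
    """Return 'vpn', 'datacenter' or 'other'; the narrower VPN list wins on overlap."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in vpn_nets):
        return "vpn"
    if any(addr in net for net in dc_nets):
        return "datacenter"
    return "other"

def collateral(required, vpn_nets, dc_nets, blocked_classes):
    """Required destinations that a block on `blocked_classes` would cut off."""
    hits = {}
    for name, ip in required.items():
        cls = classify(ip, vpn_nets, dc_nets)
        if cls in blocked_classes:
            hits[name] = cls
    return hits

if __name__ == "__main__":
    vpn, dc = parse_cidrs(VPN_LIST), parse_cidrs(DATACENTER_LIST)
    print("block vpn+datacenter:", collateral(REQUIRED, vpn, dc, {"vpn", "datacenter"}))
    print("block vpn only:      ", collateral(REQUIRED, vpn, dc, {"vpn"}))
```

Any required destination reported under the datacenter class is collateral damage of the kind described above, and is a reason to log or rate-limit that class rather than drop it.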

mineoturz commented 5 months ago

Understood. I guess I figured the majority of free VPN providers that have apps or software you can use are using a sketchy VPS, not just Azure/AWS/GCP. This seems to be the case in my small amount of testing, but my research has been nowhere near comprehensive.

Let's say I'm a sysadmin at a school. I want to block VPNs so kids aren't accessing sites we've blocked during school hours. What's the best solution to this while also allowing for general web browsing and access to most common applications?

splitice commented 5 months ago

Deep packet inspection will always be the best solution combined with flow analysis for spotting the tricky stuff.


As for the topic of this issue, ASNs or lists can be added.

For example, it looks like Tunnelbear operates from general web service provider space, so unless they publish a list that might be hard to add to the VPN list (some of their providers though could be added to datacenters, e.g. AS201924).

A bit of sleuthing and others might be found. PRs welcome.

mineoturz commented 5 months ago

Doesn't deep packet inspection require certs to be on every device to be inspected? How does this work in a BYOD environment?

Do any VPN providers publish the list of their servers?

splitice commented 5 months ago

No. To a properly implemented system it's rather irrelevant. And some do, but not many.

--

Please keep discussions on topic. We are building two lists in this repository, not consulting on deep packet inspection for school applications, i.e. your job.

mineoturz commented 5 months ago

I'd love to hear about your magical "properly implemented system" for inspecting encrypted BYOD traffic without certs.

Anyway, no prob. Sorry I can't help more with the networks related to the VPNs I provided. Do you have a somewhat automated way to collect the networks for them?