Open mineoturz opened 5 months ago
Any idea where we can find those IPs?
Unfortunately, not. I was hoping you had a way to do that.
I had connected and run a packet capture on a few, but there were so many networks that it connected to that it needed to be automated. I don't have a way to do that, but I'm interested in helping find a way if you don't have one.
Also, I did want to ask. Have you encountered any issues when using the VPNs + datacenter lists as a firewall blacklist? I had set it and it ended up blocking a lot of common good servers (Google, Microsoft, Apple, etc.). Do you have any suggestions on how to get around that?
Your problem is that the datacenter list blocked the datacenters of Google, Microsoft, Apple etc?
Haha, yes I suppose you're right. For some reason I thought it was a list of malicious/VPN hosting services blocks.
Any webhost can host a VPN or non-eyeball service. That doesn't make them malicious.
OpenVPN runs just as well on Azure/AWS/Google Cloud as it does on some sketchy Russian VPS provider (if not better)
Understood. I guess I figured the majority of free VPN providers that have apps or software you can use are using a sketchy VPS, not just Azure/AWS/GCP. This seems to be the case in my small amount of testing but my research has been nowhere near comprehensive.
Let's say I'm a sysadmin at a school. I want to block VPNs so kids aren't accessing sites we've blocked during school hours. What's the best solution to this while also allowing for general web browsing and access to most common applications?
Deep packet inspection will always be the best solution combined with flow analysis for spotting the tricky stuff.
As for the topic of this issue, ASNs or lists can be added.
For example, it looks like Tunnelbear operates from general web service provider space, so unless they publish a list that might be hard to add to the VPN list (some of their providers though could be added to datacenters, e.g. AS201924).
A bit of sleuthing and others might be found. PRs welcome.
Doesn't deep packet inspection require certs to be on every device to be inspected? How does this work in a BYOD environment?
Do any VPN providers publish the list of their servers?
No. To a properly implemented system it's rather irrelevant. And some do, but not many.
--
Please keep discussions on topic. We are building two lists in this repository, not consulting on deep packet inspection for school applications, i.e. your job.
I'd love to hear about your magical "properly implemented system" for inspecting encrypted BYOD traffic without certs.
Anyway, no prob. Sorry I can't help more with the networks related to the VPNs I provided. Do you have a somewhat automated way to collect the networks for them?
Free VPNs that use servers not contained in this list: