Support for VPN and TOR browser detection

[DanujaSW]

Hi,

I have been testing the dpi with several VPNs to see if these apps are detected. The following are the undetected VPNs from my testing:

1. Ultrasurf
2. Cloudfare WARP (1.1.1.1)
3. Tunnel Bear
4. Turbo VPN

In addition to these VPNs, I have tested using TOR browser. This was undetected as well.

I have included the PCAPs for each of these tests for your reference in the following link: PCAPs google drive link

May I know if there is a strategy to support such application detection?

[IvanNardi]

@DanujaSW , thanks for your report. At first glance, it seems that at least some of these files have been captured when the vpn was already on. If that is the case, could you try again on this order, please?

• start capturing the traffic
• activate the vpn

The initial packets of the flows might be quite useful...

[DanujaSW]

@IvanNardi I have taken the PCAPs according to your specifications and included them in the link below: PCAP files with VPN turned on after capturing starts

Please let me know if you need any additional information from me to help with your analysis.

[IvanNardi]

@DanujaSW ,could you share 3/4 other examples of Warp traffic (captured as the last one), please? I am going to take a closer look at it...

[IvanNardi]

TOR classification might be not perfect, but I think that is more than fine...

ivan@ivan-Latitude-E6540:~/svnrepos/nDPI(warp)$ ./example/ndpiReader -t -i ~/Downloads/VPN-testing-28.06.2024/tor-browser.pcap 
[...]
Detected protocols:
    Unknown              packets: 344           bytes: 22634         flows: 32           
    HTTP                 packets: 112           bytes: 6636          flows: 12           
    MDNS                 packets: 83            bytes: 6911          flows: 2            
    NetBIOS              packets: 12            bytes: 1104          flows: 1            
    DHCP                 packets: 24            bytes: 8616          flows: 2            
    ICMP                 packets: 202           bytes: 39867         flows: 9            
    IGMP                 packets: 60            bytes: 3530          flows: 3            
    TLS                  packets: 11226         bytes: 8726895       flows: 149          
    ICMPV6               packets: 6             bytes: 516           flows: 1            
    YouTube              packets: 144           bytes: 59132         flows: 8            
    Skype_Teams          packets: 225           bytes: 30638         flows: 8            
    Google               packets: 1611          bytes: 1323566       flows: 35           
    LLMNR                packets: 11            bytes: 825           flows: 11           
    Tor                  packets: 112660        bytes: 111446056     flows: 16         <------------------------------
    QUIC                 packets: 500           bytes: 206042        flows: 12           
    Github               packets: 254           bytes: 68027         flows: 22           
    Microsoft            packets: 1193          bytes: 194457        flows: 147          
    Microsoft365         packets: 3453          bytes: 1045531       flows: 449          
    GoogleServices       packets: 638           bytes: 233855        flows: 54           
    Teams                packets: 4809          bytes: 1490571       flows: 537          
    Cybersec             packets: 1169          bytes: 143444        flows: 229          
    TunnelBear           packets: 329           bytes: 47852         flows: 28 

[DanujaSW]

@DanujaSW ,could you share 3/4 other examples of Warp traffic (captured as the last one), please? I am going to take a closer look at it...

@IvanNardi I will get back to you with this info on as soon as possible on Monday since my test setup is in my office.

Thank you for the update to tunnelbear detection.

As for the TOR classification, there might be an error on my side. I will check on it further. Thx for the clarification.

[DanujaSW]

@IvanNardi I have uploaded the PCAPs for Warp traffic as you requested in the link below: Cloudfare Warp packet captures

Please let me know if you need any further information

[DanujaSW]

@IvanNardi Thanks for the updates. We will do further testing with the updated code and let you know how it goes.

[DanujaSW]

@IvanNardi , the detection works for Cloudfare Warp. I have included the testing results below:

• For cloudfare1111warp-test2.pcap

  Detected protocols:
  Unknown              packets: 39            bytes: 3500          flows: 5            
  DNS                  packets: 142           bytes: 19883         flows: 55           
  HTTP                 packets: 46            bytes: 2784          flows: 5            
  MDNS                 packets: 233           bytes: 30497         flows: 4            
  DHCP                 packets: 16            bytes: 5720          flows: 2            
  IPSec                packets: 16            bytes: 5226          flows: 8            
  ICMP                 packets: 658           bytes: 55842         flows: 26           
  IGMP                 packets: 99            bytes: 5896          flows: 5            
  TLS                  packets: 1300          bytes: 348607        flows: 110          
  ICMPV6               packets: 4             bytes: 344           flows: 1            
  Facebook             packets: 55            bytes: 16580         flows: 6            
  YouTube              packets: 8194          bytes: 8624404       flows: 49           
  Google               packets: 260           bytes: 122010        flows: 14           
  WhatsApp             packets: 318           bytes: 50778         flows: 6            
  LLMNR                packets: 16            bytes: 1200          flows: 10           
  QUIC                 packets: 7388          bytes: 7913644       flows: 6            
  Github               packets: 19            bytes: 2670          flows: 7            
  Instagram            packets: 105           bytes: 42549         flows: 10           
  Microsoft            packets: 246           bytes: 54464         flows: 25           
  Microsoft365         packets: 253           bytes: 65383         flows: 47           
  Cloudflare           packets: 150184        bytes: 153156480     flows: 19           
  MQTT                 packets: 12            bytes: 808           flows: 2            
  GoogleServices       packets: 402           bytes: 182484        flows: 26           
  Teams                packets: 319           bytes: 99519         flows: 44           
  Cybersec             packets: 236           bytes: 51438         flows: 40           
  CloudflareWarp       packets: 182           bytes: 55562         flows: 8            
  Protobuf             packets: 12            bytes: 720           flows:

• For cloudfare1111warp-test3.pcap

  Detected protocols:
  Unknown              packets: 21            bytes: 1855          flows: 3            
  DNS                  packets: 43            bytes: 5986          flows: 17           
  MDNS                 packets: 108           bytes: 14238         flows: 2            
  NTP                  packets: 2             bytes: 180           flows: 1            
  DHCP                 packets: 8             bytes: 2860          flows: 2            
  WhatsAppCall         packets: 3648          bytes: 611086        flows: 12           
  ICMP                 packets: 465           bytes: 36897         flows: 5            
  IGMP                 packets: 43            bytes: 2510          flows: 4            
  TLS                  packets: 1490          bytes: 317271        flows: 84           
  ICMPV6               packets: 6             bytes: 500           flows: 2            
  Facebook             packets: 47            bytes: 9356          flows: 6            
  YouTube              packets: 553           bytes: 483490        flows: 13           
  Skype_Teams          packets: 22            bytes: 2758          flows: 6            
  Google               packets: 82            bytes: 18096         flows: 8            
  WhatsApp             packets: 228           bytes: 46879         flows: 8            
  LLMNR                packets: 7             bytes: 525           flows: 5            
  FacebookMessenger    packets: 52            bytes: 10744         flows: 4            
  QUIC                 packets: 168           bytes: 53942         flows: 4            
  Instagram            packets: 152           bytes: 59016         flows: 16           
  Microsoft            packets: 13            bytes: 1799          flows: 5            
  Cloudflare           packets: 102060        bytes: 108182708     flows: 2            
  MQTT                 packets: 4             bytes: 250           flows: 2            
  LinkedIn             packets: 72            bytes: 15830         flows: 4            
  GoogleServices       packets: 218           bytes: 56403         flows: 14           
  WhatsAppFiles        packets: 1248          bytes: 1006248       flows: 6            
  Teams                packets: 74            bytes: 33542         flows: 6            
  Cybersec             packets: 32            bytes: 3513          flows: 12           
  CloudflareWarp       packets: 46            bytes: 14406         flows: 2            
  Protobuf             packets: 7             bytes: 420           flows: 1      

Currently working on testing TunnelBear detection.

[IvanNardi]

@DanujaSW, I don't know if it is feasible for you, but I would like if you could capture some warp traffic using MASQUE as transport (the previous captures use Wireguard). It seems that you can change that, according to https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/ in "Device tunnel protocol" section.

The new code should handle also MASQUE, but I would like to test it with a real trace...

[DanujaSW]

@IvanNardi, I will set up the captures as you requested. It will require a small change in my test setup. I will get the results to you as soon as possible tomorrow morning.

[DanujaSW]

@IvanNardi , From what I could find, MASQUE has not been released in open beta mode yet. The most recent information I could find was in the comments under the following post: https://www.reddit.com/r/CloudFlare/comments/1cb8tn2/zero_trust_warp_tunneling_with_a_masque/ Where a Cloudflare member mentioned yesterday that they had just started rolling out the update in stages.

Tried downloading the beta Warp client and logging into a Zero-trust account on my device. This still does not give an option to switch over to Masque from WireGuard.

The following are the only modes available to set in warp-cli mode

Arguments:
  <MODE>  [possible values: warp, doh, warp+doh, dot, warp+dot, proxy, tunnel_only]

Please let me know if you are aware of another method to set up Warp with Masque. I will keep checking if there is an option to do so as well.

[IvanNardi]

Please let me know if you are aware of another method to set up Warp with Masque

No, I don't. I hoped that MASQUE beta was more available

[IvanNardi]

Bottom line:

• TOR, TunnelBear and Warp should be fine
• Ultrasulf and TurboVPN might use some kind of obfuscation or proprietary protocol so it is not easy to detect them

Note that most of the "VPN apps" are some kind of simple wrapper above Wireguard/OpenVPN/IPSec: in most cases nDPI identify their traffic as such

@DanujaSW, thanks for all the traces that you provided: they were very useful

[DanujaSW]

@IvanNardi , Thank you for your help with this issue and the changes you made. They helped us out a lot.

I will keep up with the CloudFlare MASQUE situation and run the tests on it when the beta becomes available. I will let you know if there are any updates.