This page lists technical fingerprints of VPN providers and ways to manually query and verify them. The verification methods are provided for reference; use them at your own risk, in non-intrusive ways and in compliance with applicable laws and ISP policies. This applies especially to nmap.[a] Verification instructions are written for users of Linux-based operating systems, but should be largely OS-independent. This page focuses on discovery methods in the IPv4 address space, though some may also be adjusted to work with IPv6.
Verification methods
- Using OpenSSL:
openssl s_client -connect <host>:<port>
- Using shodan
- Using nmap:[b]
sudo nmap -sS --script ssl-cert.nse <host or host range> -p<port1,port2,port3...portn OR port1-portn> -Pn -v
- Using cURL:
curl -k -v "https://<host>:<port>"
X-Cache
- Using shodan
- Using reqbin: Plug the IP in and check the headers
- Using cURL:
curl --head --show-error "http://<host>:<port>"
- Using nmap:[c]
sudo nmap -A <host or host range> -p<port1,port2,port3...portn OR port1-portn> -Pn
- Using ike-scan:[d]
sudo ike-scan <host>
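Once the commands above have returned a certificate CN, a reverse-DNS name or a WHOIS netname, the result can be checked against the fingerprints listed under Providers. The following Python is an added example, not part of the original page: it covers a subset of the listed fingerprints, labels providers by their domain, and the function names, the regex readings of the `<cc>`/`<number>` placeholders and the /24 size for SURFSH netnames are assumptions.

```python
import ipaddress
import re

# (certificate CN, port) pairs from the provider entries; labels are provider domains.
CERT_CN = {
    ("*.airservers.org", 89): "airvpn.org",
    ("*.vpn.ipvanish.com", 443): "ipvanish.com",
    ("*.privateinternetaccess.com", 443): "privateinternetaccess.com",
    ("*.prod.surfshark.com", 443): "surfshark.com",
}
# Reverse-DNS templates from the page as regexes. Assumption: <cc> is a
# two-letter code, except for BulletVPN, whose examples use three letters.
RDNS = [
    (re.compile(r"[a-z]+\d+\.bulletvpn\.com"), "bulletvpn.net"),
    (re.compile(r"[a-z]{2}\d+\.nordvpn\.com"), "nordvpn.com"),
    (re.compile(r"[a-z]{2}(-[a-z]+)?\.privacy\.network"), "privateinternetaccess.com"),
]
INTEGRITY = re.compile(r"[a-z]{2}-(\d{1,3})-(\d{1,3})\.integrity\.st")
SURFSH = re.compile(r"SURFSH-(\d{1,3})-(\d{1,3})-(\d{1,3})-0")


def surfshark_block(netname):
    """Derive the block a SURFSH-<o1>-<o2>-<o3>-0 netname stands for (assumed /24)."""
    m = SURFSH.fullmatch(netname or "")
    if not m:
        return None
    try:
        return ipaddress.IPv4Network("{}.{}.{}.0/24".format(*m.groups()))
    except ValueError:  # an octet above 255
        return None


def classify(ip, rdns=None, cert_cn=None, port=None, netname=None):
    """Return the sorted provider domains whose fingerprints match one observation."""
    addr = ipaddress.IPv4Address(ip)
    host = (rdns or "").lower().rstrip(".")
    hits = {name for rx, name in RDNS if rx.fullmatch(host)}
    if (cert_cn, port) in CERT_CN:
        hits.add(CERT_CN[(cert_cn, port)])
    m = INTEGRITY.fullmatch(host)
    # The hostname must encode the third and fourth octet of the exit IP itself.
    if m and (int(m.group(1)), int(m.group(2))) == (addr.packed[2], addr.packed[3]):
        hits.add("integrity.st")
    block = surfshark_block(netname)
    if block is not None and addr in block:
        hits.add("surfshark.com")
    return sorted(hits)
```

For instance, `classify("85.24.253.12", rdns="se-253-12.integrity.st")` uses the page's own Integrity VPN example and returns `["integrity.st"]`; the same hostname paired with a different address is rejected.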
Providers
AirVPN
- airvpn.org
- Privacy-focused, tied to the torrenting crowd
- SSL certificate served on port 89:
CN = *.airservers.org
BulletVPN
- bulletvpn.net
- Webhost, and occasionally mixed, ranges, sometimes obscure providers.
- DNS:[e]
<cc><number>.bulletvpn.com
Cyberghost/Zenmate
- cyberghostvpn.com and zenmate.com
- SSL certificate served on port 9002:
blade<n>.<city>-rack<n>.nodes.gen4.ninja
- Flagged as "Cyberghost/Zenmate" by Spur
- Shares a parent company (Kape) with PIA
- expressvpn.com
- No reliable fingerprint, but often hosted on webhosts with WHOIS outputs like
VPN-CONSUMER-NETWORK
FlyGateVPN
- SSL cert: awsprivate.com, flygateaccount.com
FreeVPN
- freevpn.com
- Not free, despite the name
- Mildly dodgy, starting with the fact that the website doesn't support HTTPS
- Does not appear to be currently flagged by Spur, at least not reliably
- Probably enumerable[f]
- Webhost ranges
- Hostnames:
cc.freevpn.com
- SSL certificate:
CN = *.ocservvpn.com
HideMyAss
- hidemyass.com[g]
- DNS:
*.hma.rocks and *.prcdn.net
- WHOIS:
AVAST Software s.r.o.
HotSpot VPN
- hotspotvpn.org
- Dodgy-ish[h] VPN provider
- Running nginx on port 80[i]
- VPN (IKE) on UDP port 500, fingerprint:[j]
Main Mode Handshake returned HDR=(CKY-R=8b8ba44921f420b9) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
Integrity VPN
- integrity.st
- Whitelabel service selling to ISPs
- Hostnames:
<cc>-<o3>-<o4>.integrity.st, where cc is the country code, and o3 and o4 are the third and fourth octet of the exit IP address, respectively[k]
IPVanish
- ipvanish.com
- Webhost ranges.
- SSL certificate served on port 443:
CN = *.vpn.ipvanish.com
- (Sometimes) WHOIS:
Mudhook Marketing Inc
Ivacy
- Offers both a corporate VPN (McAfee Web Gateway Cloud Service) and a personal one (McAfee Safe Connect VPN). The personal VPN appears to be technically indistinguishable from TunnelBear nodes (see there). For the corporate VPN service:
- SSL certificate served on port 443:
CN = *.wps.mcafeesaas.com
- SSL certificate served on port 8081:
CN = *.wgcs.mcafee-cloud.com
- SSL certificate served on port 443:
- mullvad.net
- Large-ish, privacy-focused VPN provider
- IPv6 and Wireguard support, default connections are OpenVPN (users can choose between TCP and UDP)
- No good fingerprints, but exclusively on webhost ranges
- Mostly M247, plus some other hosting providers and some directly owned servers
- Server list at https://mullvad.net/en/servers/
- Entry and exit nodes are split
- nordvpn.com
- Large provider, often, but not always, on easily identifiable webhost ranges
- Provides API for queries
- No reliable fingerprint, but VPN (IKE) on UDP port 500
- DNS:[m]
<cc><number>.nordvpn.com
- avira.com
- Owned by an antivirus developer; users may not necessarily be attempting to obfuscate their IP
- SSL certificate served on port 443:
CN = *.phantom.avira-vpn.com
- privateinternetaccess.com
- SSL certificate served on port 443:
CN = *.privateinternetaccess.com
- Large provider, usually on webhost ranges, but there have been unusual occurrences like this one, where the servers are on seemingly non-webhost ranges (in this case, an Israeli public WiFi provider)
- Shares a parent company (Kape) with Cyberghost/Zenmate
- DNS:[n]
<cc>.privacy.network or <cc>-<city>.privacy.network
- Provided by Apple as part of the iCloud suite
- Exits are in the same rough region as users' actual IPs
- Akamai and Cloudflare ranges
- All exits can be verified at https://mask-api.icloud.com/egress-ip-ranges.csv
- See also m:Apple iCloud Private Relay
- protonvpn.com
- Large-ish provider
- Provides API for queries
- No reliable fingerprint, but VPN (IKE) on UDP port 500
- Entry and exit nodes are split
- Webhost ranges
- purevpn.com
- WHOIS:
pointtoserver.com, ptoserver.com, PureVPN-NET, GZ Systems Limited
- DNS:[o]
<cc><(optional) number>-<VPN-protocol>-<optional: (udp|tcp)>.ptoserver.com
RapidVPN
- rapidvpn.com
- SSL certificate served on port 443:
CN = *.rapidvpn.com
- surfshark.com
- SSL certificate served on port 443:
CN = *.prod.surfshark.com
- Large-ish VPN company. Usually on webhosts, but there is a large number of different ones involved and many of them have slightly annoying range assignment patterns
- Many end nodes with activity on Wikipedia
- Often blocks of a handful adjacent IPs, e.g.
127.0.0.1-127.0.0.5
- Some clearly designated ranges, often /24s with netnames like SURFSH-<o1>-<o2>-<o3>-0, where o1, o2 and o3 are the first through third octet of the base IP[p]
- ASN209854 (SURFSHARK, VG) is tracked at User:AntiCompositeBot/ASNBlock
- tunnelbear.com
- DNS:
<country_code>.lazerpenguin.com
Urban VPN
- urban-vpn.com
- Squid HTTP proxy on ports 80 and 3128:
X-Cache: MISS from p-$cc.biscience.com
X-Cache-Lookup: NONE from p--$cc.biscience.com:3128
- Dodgy "free" VPN service provided by biscience, a "digital intelligence" company
- Supposedly P2P, but that does not seem to be the case
- Webhost ranges
- Parent company also runs a large residential proxy service
VPN Gate
- See vpngate.net
- Uses the SoftEther VPN protocol
- Port 5555 serves a page over HTTPS with SoftEther VPN text
curl -v -k https://<ip>:5555
- Some nodes: WHOIS:
SoftEther Corporation
- Some nodes: SSL certificate served on port 443:
CN = *.opengw.net
WorldVPN
- worldvpn.net
- See #FreeVPN.
Notes
- [a] See also nmap#Legal issues.
- [b] -sS (stealth scan) is the default scanning method for scans executed as root. If more detailed results are required, -sV can be used to determine (or guess) the operating system and service versions of the target host. The -Pn switch makes nmap skip host discovery, meaning that it will execute the specified scanning functions without sending initial pings to determine whether the target machine is online. In most cases, using this switch will be necessary because most modern machines block ping probes. Nmap scans may be sped up by using the -T parameter with numeric values between 0 and 5 (e.g. by appending -T4), with 5 providing the quickest, and 0 providing the slowest scan speeds. Note that faster scans tend to be more intrusive and may not detect open ports when used against slow or unreliable networks. If only the execution of the certificate script is desired and no port scan should be executed, the -sn switch can be used.
- [c] Note that nmap -A is a relatively aggressive and easily detectable scan.
- [d] Hosts can be specified in multiple ways: either as a single IP (127.0.0.1), a CIDR block (127.0.0.1/24), a start-end range (127.0.0.1-127.10.10.10) or in IPNetwork:NetMask format (127.0.0.1:255.255.255.0). The default for both the source and destination port is 500 UDP; if a different one is desired, this can be specified with the -s (source) and -d (destination) switches, e.g. sudo ike-scan -d450 -s450 127.0.0.1/24.
- [e] <cc> stands for "country code". E.g. cai03.bulletvpn.com, ann01.bulletvpn.com
- [f] Current data is based on a single datapoint, but if the fingerprints are consistent, they are easy to query.
- [g] Blacklisted link.
- [h] It appears that clicking "Contact Us" on the website does nothing but append /# to the URL without actually sending you anywhere.
- [i] Not certain if this is universal.
- [j] The output of the HDR=(CKY-R= [...]) field varies.
- [k] E.g. the Swedish exit node 85.24.253.12 has the hostname se-253-12.integrity.st
- [l] E.g. hk-ovpn-udp2.dns2use.com, my2-ovpn-udp.dns2use.com. Outliers exist, e.g. vlbr-usvc1.dns2use.com.
- [m] E.g. tr46.nordvpn.com.
- [n] E.g. us-california.privacy.network.
- [o] E.g. lv-ipsec.ptoserver.com, no2-ovpn-udp.pointtoserver.com
- [p] E.g. SURFSH-62-197-148-0 for the 62.197.148.0/24 IP block