DEV Community: Evilork The latest articles on DEV Community by Evilork (@evilork). https://dev.to/evilork https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3891659%2Fca98d7b4-84af-41b9-b975-50714b5347e1.png DEV Community: Evilork https://dev.to/evilork en I Fingerprinted 6 Commercial VPNs in 200ms with Open-Source DPI. Here's the Wireshark Data Evilork Mon, 27 Apr 2026 01:00:36 +0000 https://dev.to/evilork/i-fingerprinted-6-commercial-vpns-in-200ms-with-open-source-dpi-heres-the-wireshark-data-164o https://dev.to/evilork/i-fingerprinted-6-commercial-vpns-in-200ms-with-open-source-dpi-heres-the-wireshark-data-164o <blockquote> <p>TL;DR: Modern DPI engines like nDPI detect OpenVPN/WireGuard traffic in under 200ms with 97% accuracy. I tested 6 commercial VPNs. 5 leaked their protocol immediately. Here’s exactly how, with packet captures.</p> </blockquote> <h2> The Problem Nobody Talks About </h2> <p>When you read “best VPN” articles, they all talk about the same things: speed, server count, no-logs policy, kill switch.</p> <p>Nobody talks about whether your ISP can <strong>see that you’re using a VPN at all</strong>.</p> <p>This matters more than you think:</p> <ul> <li> <strong>Crypto exchanges</strong> (Binance, OKX, Bybit) flag VPN IPs and require additional KYC, sometimes locking funds</li> <li> <strong>Payment processors</strong> (Stripe, Adyen) decline transactions from known VPN ranges</li> <li> <strong>State-level DPI</strong> in Russia/Iran/China actively profiles VPN users for further monitoring</li> <li> <strong>Anti-fraud systems</strong> at banks treat your account as high-risk</li> </ul> <p>If your VPN protocol is detectable - and 95% are - you’re not anonymous, you’re <strong>flagged</strong>.</p> <h2> The Test Setup </h2> <p>Hardware: Mac M4 Max + remote VPS for traffic mirroring.</p> <p>Tools:</p> <ul> <li> <strong>Wireshark</strong> for capture</li> <li> <strong>nDPI</strong> (the same library powering most ISP-grade DPI hardware)</li> <li> <strong>tshark</strong> for automated parsing </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Capture VPN handshake</span> <span class="nb">sudo </span>tshark <span class="nt">-i</span> en0 <span class="nt">-w</span> vpn_handshake.pcap <span class="nt">-a</span> duration:30 <span class="c"># Run through nDPI</span> ndpiReader <span class="nt">-i</span> vpn_handshake.pcap <span class="nt">-v</span> 2 | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"VPN|Detected"</span> <span class="c"># Measure time-to-detection</span> ndpiReader <span class="nt">-i</span> vpn_handshake.pcap <span class="nt">-j</span> output.json jq <span class="s1">'.flows[] | {proto: .detected_protocol_name, ms: .first_seen_ms}'</span> output.json </code></pre> </div> <p>I tested each VPN on default settings (what 95% of users use), then ran their “stealth mode” if available.</p> <h2> The Results </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Provider</th> <th>Default Protocol</th> <th>Time to Detect</th> <th>Stealth Mode</th> <th>TTD with Stealth</th> </tr> </thead> <tbody> <tr> <td>Provider A (mainstream, top-3 by revenue)</td> <td>OpenVPN</td> <td><strong>180ms</strong></td> <td>Obfuscated</td> <td>720ms</td> </tr> <tr> <td>Provider B (mainstream)</td> <td>WireGuard</td> <td><strong>90ms</strong></td> <td>None</td> <td>n/a</td> </tr> <tr> <td>Provider C (privacy-focused)</td> <td>IKEv2</td> <td><strong>250ms</strong></td> <td>None</td> <td>n/a</td> </tr> <tr> <td>Provider D (mainstream)</td> <td>OpenVPN+XOR</td> <td><strong>420ms</strong></td> <td>XOR scramble</td> <td>420ms (no improvement)</td> </tr> <tr> <td>Provider E (Asia-focused)</td> <td>Shadowsocks (legacy)</td> <td><strong>1,100ms</strong></td> <td>None</td> <td>n/a</td> </tr> <tr> <td>Provider F (indie, self-hosted)</td> <td><strong>VLESS Reality</strong></td> <td><strong>NOT DETECTED</strong></td> <td>n/a</td> <td>n/a</td> </tr> </tbody> </table></div> <p><strong>5 out of 6 leaked their VPN signature in under 1.5 seconds.</strong></p> <p>The one that didn’t is running VLESS+Reality, a protocol from the XRay project that’s been around since 2023 but mainstream VPNs refuse to adopt.</p> <h2> What Actually Gets Detected </h2> <p>Here’s a sanitized snippet from the nDPI output for Provider B (WireGuard):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"flow_id"</span><span class="p">:</span><span class="w"> </span><span class="mi">42</span><span class="p">,</span><span class="w"> </span><span class="nl">"src_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10.0.0.5"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dst_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[redacted]"</span><span class="p">,</span><span class="w"> </span><span class="nl">"detected_protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"WireGuard"</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol_category"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VPN"</span><span class="p">,</span><span class="w"> </span><span class="nl">"confidence"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DPI"</span><span class="p">,</span><span class="w"> </span><span class="nl">"first_seen_ms"</span><span class="p">:</span><span class="w"> </span><span class="mi">90</span><span class="p">,</span><span class="w"> </span><span class="nl">"fingerprint"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"udp_payload_first_byte"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0x01"</span><span class="p">,</span><span class="w"> </span><span class="nl">"packet_size_pattern"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="mi">148</span><span class="p">,</span><span class="w"> </span><span class="mi">92</span><span class="p">,</span><span class="w"> </span><span class="mi">92</span><span class="p">],</span><span class="w"> </span><span class="nl">"handshake_signature"</span><span class="p">:</span><span class="w"> </span><span class="s2">"wg_initiation"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>WireGuard’s first packet ALWAYS starts with <code>0x01</code> followed by a fixed-size payload. There is no way to disguise this without modifying the protocol itself - and if you modify it, it’s no longer WireGuard.</p> <p><strong>This is the dirty secret of “modern” VPN protocols</strong>: they were designed for performance and security against passive eavesdroppers, NOT against active traffic analysis.</p> <h2> Why VLESS+Reality Wins </h2> <p>Reality doesn’t try to hide that you’re using a VPN. It doesn’t even try to obfuscate the traffic.</p> <p>It does something smarter: <strong>it pretends to be a real TLS connection to a real high-traffic website</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client → "Hi server.com, I want to connect" Server → [forwards initial handshake to actual server.com] [returns real TLS certificate from server.com] Client → [verifies it's the real server.com] [now switches to VPN tunnel under the same connection] </code></pre> </div> <p>To DPI, this looks 100% identical to:</p> <ul> <li>A user visiting microsoft.com</li> <li>A user visiting cloudflare.com</li> <li>A user visiting any whitelisted destination</li> </ul> <p>JA3 fingerprint matches Chrome. SNI matches a real CDN. Certificate is real. There’s literally nothing to detect.</p> <h2> The Code </h2> <p>If you want to test your own VPN, here’s a minimal script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">sys</span> <span class="k">def</span> <span class="nf">test_vpn_fingerprint</span><span class="p">(</span><span class="n">interface</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">en0</span><span class="sh">"</span><span class="p">,</span> <span class="n">duration</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">30</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Capture and analyze VPN traffic for protocol fingerprinting.</span><span class="sh">"""</span> <span class="n">pcap_file</span> <span class="o">=</span> <span class="sh">"</span><span class="s">/tmp/vpn_test.pcap</span><span class="sh">"</span> <span class="n">json_file</span> <span class="o">=</span> <span class="sh">"</span><span class="s">/tmp/vpn_test.json</span><span class="sh">"</span> <span class="c1"># Capture traffic </span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span> <span class="sh">"</span><span class="s">sudo</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tshark</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-i</span><span class="sh">"</span><span class="p">,</span> <span class="n">interface</span><span class="p">,</span> <span class="sh">"</span><span class="s">-w</span><span class="sh">"</span><span class="p">,</span> <span class="n">pcap_file</span><span class="p">,</span> <span class="sh">"</span><span class="s">-a</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">duration:</span><span class="si">{</span><span class="n">duration</span><span class="si">}</span><span class="sh">"</span> <span class="p">],</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># Analyze with nDPI </span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span> <span class="sh">"</span><span class="s">ndpiReader</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-i</span><span class="sh">"</span><span class="p">,</span> <span class="n">pcap_file</span><span class="p">,</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="n">json_file</span> <span class="p">],</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">json_file</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="n">vpn_flows</span> <span class="o">=</span> <span class="p">[</span> <span class="n">flow</span> <span class="k">for</span> <span class="n">flow</span> <span class="ow">in</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">flows</span><span class="sh">"</span><span class="p">,</span> <span class="p">[])</span> <span class="k">if</span> <span class="sh">"</span><span class="s">VPN</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">flow</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">detected_protocol_name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="ow">or</span> <span class="n">flow</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">detected_protocol_name</span><span class="sh">"</span><span class="p">)</span> <span class="ow">in</span> <span class="p">[</span> <span class="sh">"</span><span class="s">WireGuard</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">OpenVPN</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">IPSec</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">L2TP</span><span class="sh">"</span> <span class="p">]</span> <span class="p">]</span> <span class="k">if</span> <span class="n">vpn_flows</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">⚠️ VPN detected in </span><span class="si">{</span><span class="n">vpn_flows</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">first_seen_ms</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">ms</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Protocol: </span><span class="si">{</span><span class="n">vpn_flows</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">detected_protocol_name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">detected</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">details</span><span class="sh">"</span><span class="p">:</span> <span class="n">vpn_flows</span><span class="p">[</span><span class="mi">0</span><span class="p">]}</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">✅ No VPN signature detected in capture window</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">detected</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">}</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">test_vpn_fingerprint</span><span class="p">()</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">0</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">detected</span><span class="sh">"</span><span class="p">]</span> <span class="k">else</span> <span class="mi">1</span><span class="p">)</span> </code></pre> </div> <p>Run this with your VPN connected. If you get the warning - your VPN is detectable.</p> <p>Install requirements:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># macOS</span> brew <span class="nb">install </span>wireshark ndpi <span class="c"># Ubuntu </span> <span class="nb">sudo </span>apt <span class="nb">install </span>tshark ndpi-utils </code></pre> </div> <h2> What This Means for You as a Developer </h2> <p>If you’re building <strong>anything</strong> that requires real network privacy:</p> <ol> <li> <strong>Don’t trust a VPN provider’s marketing</strong>. Test it.</li> <li> <strong>Self-host with VLESS+Reality</strong> if you can. The 3X-UI panel makes it a 10-minute setup.</li> <li> <strong>If you must use commercial</strong>, look for providers explicitly running Reality/Hysteria2/SS-2022. They exist but they’re small.</li> <li> <strong>Consider what you’re protecting against</strong>. If it’s your ISP seeing what site you visit - any VPN works. If it’s your IP getting profiled - you need DPI-resistant protocols.</li> </ol> <h2> The Bigger Picture </h2> <p>The VPN industry is stuck in 2018. They’re optimizing for speed and “no-logs policies” while the threat model has completely shifted.</p> <p>State actors and large corporations don’t need to read your traffic. They just need to know you’re using a VPN. That alone is enough to:</p> <ul> <li>Add you to a watchlist</li> <li>Trigger anti-fraud at your bank</li> <li>Lock your exchange account</li> <li>Profile you for further investigation</li> </ul> <p>The protocol matters more than the provider. Stop paying $10/month for legacy protocols dressed up in nice apps.</p> <h2> Discussion </h2> <p>I’d love to see results from other devs running this script on their VPNs. Drop a comment with:</p> <ul> <li>Provider name (or anonymized “Provider X”)</li> <li>Default protocol</li> <li>Time-to-detection in ms</li> </ul> <p>Bonus points if you find a mainstream provider that survives DPI. I haven’t found one.</p> <p><em>Code is MIT-licensed, do whatever you want with it. If you reproduce these tests on more providers, I’d love to see a write-up.</em></p> security networking privacy opensource