User:Blablubbs/VPN Verification

This page lists technical fingerprints of VPN providers and ways to manually query and verify them. The verification methods are provided for reference; use them at your own risk, in non-intrusive ways and in compliance with applicable laws and ISP policies. This applies especially to nmap. Verification instructions are written for users of Linux-based operating systems, but should be largely OS-independent. This page focuses on discovery methods in the IPv4 address space, though some may also be adjusted to work with IPv6.

SSL certificate

 * Using OpenSSL: openssl s_client -connect <ip>:<port>
 * Using Shodan
 * Using nmap: sudo nmap -sS --script ssl-cert.nse -p <port> -Pn -v <ip>
 * Using cURL: curl -k -v "https://<ip>:<port>"

X-Cache

 * Using Shodan
 * Using reqbin: Plug the IP in and check the headers
 * Using cURL: curl --head --show-error "http://<ip>:<port>"
 * Using nmap: sudo nmap -A -p <port> -Pn <ip>

IKE Handshake

 * Using ike-scan: sudo ike-scan <ip>

AirVPN

 * airvpn.org
 * Privacy-focused, tied to the torrenting crowd
 * SSL certificate served on port 89:

BulletVPN

 * bulletvpn.net
 * Webhost ranges, occasionally mixed ranges; sometimes obscure providers.
 * DNS:  .bulletvpn.com

Cyberghost/Zenmate

 * cyberghostvpn.com and zenmate.com
 * SSL certificate served on port 9002:
 * Flagged as "Cyberghost/Zenmate" by Spur
 * Shares a parent company (Kape) with PIA

ExpressVPN

 * expressvpn.com
 * No reliable fingerprint, but often hosted on webhosts with WHOIS outputs like VPN-CONSUMER-NETWORK

FlyGateVPN

 * SSL cert: awsprivate.com, flygateaccount.com

FreeVPN

 * freevpn.com
 * Not free, despite the name
 * Mildly dodgy, starting with the fact that the website doesn't support HTTPS
 * Does not appear to be currently flagged by Spur, at least not reliably
 * Probably enumerable
 * Webhost ranges
 * Hostnames:
 * SSL certificate:

HideMyAss

 * hidemyass.com
 * DNS: *.hma.rocks and *.prcdn.net
 * WHOIS: AVAST Software s.r.o.

HotSpot VPN

 * hotspotvpn.org
 * Dodgy-ish VPN provider
 * Running nginx on port 80
 * VPN (IKE) on UDP port 500, fingerprint: Main Mode Handshake returned HDR=(CKY-R=8b8ba44921f420b9) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
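
Comparing an ike-scan result line against the fingerprint above, as an added example (not part of the original page or of ike-scan). It assumes the one-line output layout quoted in the entry; the sample lines, addresses and cookies are constructed.

```python
import re

# Stable parts of the HotSpot VPN fingerprint listed above. The responder
# cookie (CKY-R) is generated per handshake, so it is left out on purpose.
HOTSPOT_SA = {
    "Enc": "3DES", "Hash": "SHA1", "Group": "2:modp1024",
    "Auth": "PSK", "LifeType": "Seconds", "LifeDuration": "28800",
}
HOTSPOT_VIDS = {
    "09002689dfd6b712",                  # XAUTH
    "afcad71368a1f1c96b8696fc77570100",  # Dead Peer Detection v1.0
    "12f5f28c457168a9702d9fe274cc0100",  # Cisco Unity
}

def parse_ike_scan(line):
    """Pull handshake mode, SA attributes and vendor IDs out of one result line."""
    mode = re.search(r"\b(Main|Aggressive) Mode Handshake returned", line)
    sa = re.search(r"SA=\(([^)]*)\)", line)
    attrs = {}
    if sa:
        for token in sa.group(1).split():
            if "=" in token:
                key, value = token.split("=", 1)
                attrs[key] = value
    vids = {v.lower() for v in re.findall(r"VID=([0-9A-Fa-f]+)", line)}
    return {"mode": mode.group(1) if mode else None, "sa": attrs, "vids": vids}

def matches_hotspot(line):
    """True when mode, SA transform and VID set all equal the listed fingerprint."""
    parsed = parse_ike_scan(line)
    return (parsed["mode"] == "Main"
            and parsed["sa"] == HOTSPOT_SA
            and parsed["vids"] == HOTSPOT_VIDS)

# Constructed sample lines (documentation addresses, made-up cookies).
SAMPLE_MATCH = (
    "192.0.2.10\tMain Mode Handshake returned HDR=(CKY-R=1122334455667788) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds "
    "LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) "
    "VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) "
    "VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)")
SAMPLE_OTHER = (
    "198.51.100.7\tMain Mode Handshake returned HDR=(CKY-R=aabbccddeeff0011) "
    "SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=2:modp1024 Auth=PSK "
    "LifeType=Seconds LifeDuration=28800) "
    "VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)")

if __name__ == "__main__":
    for sample in (SAMPLE_MATCH, SAMPLE_OTHER):
        print(sample.split()[0], matches_hotspot(sample))
```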

Integrity VPN

 * integrity.st
 * Whitelabel service selling to ISPs
 * Hostnames: --.integrity.st, where cc is the country code, and o3 and o4 are the third and fourth octet of the exit IP address, respectively

IPVanish

 * ipvanish.com
 * Webhost ranges.
 * SSL certificate served on port 443:
 * (Sometimes) WHOIS: Mudhook Marketing Inc

Ivacy

 * ivacy.com
 * DNS:  - -<(tcp

McAfee

 * Offers both a corporate VPN (McAfee Web Gateway Cloud Service) and a personal one (McAfee Safe Connect VPN). The personal VPN appears to be technically indistinguishable from TunnelBear nodes (see there). For the corporate VPN service:
 * SSL certificate served on port 443:
 * SSL certificate served on port 8081:

Mullvad

 * mullvad.net
 * Large-ish, privacy-focused VPN provider
 * IPv6 and Wireguard support, default connections are OpenVPN (users can choose between TCP and UDP)
 * No good fingerprints, but exclusively on webhost ranges
 * Mostly M247, plus some other hosting providers and some directly owned servers
 * Server list at https://mullvad.net/en/servers/
 * Entry and exit nodes are split

NordVPN

 * nordvpn.com
 * Large provider, often, but not always, on easily identifiable webhost ranges
 * Provides API for queries
 * No reliable fingerprint, but VPN (IKE) on UDP port 500
 * DNS:  .nordvpn.com

Phantom Avira VPN

 * avira.com
 * Owned by an antivirus developer; users may not necessarily be attempting to obfuscate their IP
 * SSL certificate served on port 443:

Private Internet Access

 * privateinternetaccess.com
 * SSL certificate served on port 443:
 * Large provider, usually on webhost ranges, but there have been unusual occurrences like this one, where the servers are on seemingly non-webhost ranges (in this case, an Israeli public WiFi provider)
 * Shares a parent company (Kape) with Cyberghost/Zenmate
 * DNS: .privacy.network or - .privacy.network.

Private Relay

 * Provided by Apple as part of the iCloud suite
 * Exits are in the same rough region as users' actual IPs
 * Akamai and Cloudflare ranges
 * All exits can be verified at https://mask-api.icloud.com/egress-ip-ranges.csv
 * See also Apple iCloud Private Relay
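
An offline check of an address against that CSV, added here as an example (not Apple's or this page's code). It assumes each row starts with a CIDR prefix followed by country, region and city columns; the rows below are constructed from documentation prefixes, not taken from the real file.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the assumed layout: prefix,country,region,city,
SAMPLE_CSV = """\
192.0.2.0/28,US,US-CA,Los Angeles,
198.51.100.64/31,DE,DE-BE,Berlin,
2001:db8:40::/64,GB,GB-EN,London,
"""

def load_ranges(text):
    """Parse CSV text into (network, country, city) tuples, skipping bad rows."""
    ranges = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue
        try:
            net = ipaddress.ip_network(row[0].strip(), strict=False)
        except ValueError:
            continue  # header line or malformed prefix
        country = row[1] if len(row) > 1 else ""
        city = row[3] if len(row) > 3 else ""
        ranges.append((net, country, city))
    return ranges

def lookup(ip, ranges):
    """Return the most specific matching (network, country, city), or None."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in ranges if r[0].version == addr.version and addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

if __name__ == "__main__":
    ranges = load_ranges(SAMPLE_CSV)
    for ip in ("192.0.2.5", "198.51.100.66", "2001:db8:40::1"):
        print(ip, lookup(ip, ranges))
```

To use it against live data, download the CSV from the URL above once and pass its contents to load_ranges.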

ProtonVPN

 * protonvpn.com
 * Large-ish provider
 * Provides API for queries
 * No reliable fingerprint, but VPN (IKE) on UDP port 500
 * Entry and exit nodes are split
 * Webhost ranges

PureVPN

 * purevpn.com
 * WHOIS: pointtoserver.com, ptoserver.com, PureVPN-NET, GZ Systems Limited
 * DNS: <(optional) number>--<optional: (udp

RapidVPN

 * rapidvpn.com
 * SSL certificate served on port 443:

Surfshark

 * surfshark.com
 * SSL certificate served on port 443:
 * Large-ish VPN company. Usually on webhosts, but there is a large number of different ones involved and many of them have slightly annoying range assignment patterns
 * Many end nodes with activity on Wikipedia
 * Often blocks of a handful adjacent IPs, e.g. 127.0.0.1-127.0.0.5
 * Some clearly designated ranges, often /24s with netnames like SURFSH----0, where o1, o2 and o3 are the first through third octet of the base IP
 * ASN209854 (SURFSHARK, VG) is tracked at User:AntiCompositeBot/ASNBlock

TunnelBear

 * tunnelbear.com
 * DNS: <country_code>.lazerpenguin.com

Urban VPN

 * urban-vpn.com
 * Squid HTTP proxy on ports 80 and 3128: X-Cache: MISS from p-$cc.biscience.com and X-Cache-Lookup: NONE from p--$cc.biscience.com:3128
 * Dodgy "free" VPN service provided by biscience, a "digital intelligence" company
 * Supposedly P2P, but that does not seem to be the case
 * Webhost ranges
 * Parent company also runs a large residential proxy service

VPN Gate

 * See vpngate.net
 * Uses the SoftEther VPN protocol
 * Port 5555 serves a page over HTTPS with SoftEther VPN text: curl -v -k https://<ip>:5555
 * Some nodes: WHOIS: SoftEther Corporation
 * Some nodes: SSL certificate served on port 443:

WorldVPN

 * worldvpn.net
 * See.