Bad Neighbors: On Understanding VPN Provider Networks
Teemu Rytilahti (Ruhr University Bochum), Thorsten Holz (CISPA, Helmholtz Center for Information Security)

TL;DR
This study conducts a large-scale analysis of VPN provider networks to evaluate their security configurations, revealing a widespread lack of traffic filtering that could expose internal networks or other customers.
Contribution
The paper introduces an automated measurement system to assess VPN providers' network security and uncovers prevalent misconfigurations and vulnerabilities.
Findings
Most VPN providers lack proper traffic filtering towards internal networks.
Many VPN endpoints inadvertently expose internal or other customers' networks.
Findings have been disclosed to providers with recommendations for improvement.
Abstract
Virtual Private Network (VPN) solutions are used to connect private networks securely over the Internet. Besides their benefits in corporate environments, VPNs are also marketed to privacy-minded users to preserve their privacy, and to bypass geolocation-based content blocking and censorship. This has created a market for turnkey VPN services offering a multitude of vantage points all over the world for a monthly price. While VPN providers are heavily using privacy and security benefits in their marketing, such claims are generally hard to measure and substantiate. While there exist some studies on the VPN ecosystem, all prior works omit a critical part in their analyses: (i) How well do the providers configure and secure their own network infrastructure? and (ii) How well are they protecting their customers from other customers? To answer these questions, we have developed an automated…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · IPv6, Mobility, Handover, Networks, Security · Network Security and Intrusion Detection
