7 things your ISP still sees when using a VPN


Tracking and logging of internet activity by ISPs has become common practice since data retention laws and regulations were introduced. A VPN service protects you from this tracking by encrypting your private data and preventing your ISP from monitoring what you do online, but there are still a few things your ISP sees when you use a VPN.

A VPN is used to protect your personal data from ISPs, governments, and eavesdroppers. This service encrypts your internet traffic end-to-end so that outsiders are not able to read it. However, when VPN traffic travels through your ISP’s infrastructure, it is relatively easy for the ISP to tell that you are using a VPN service. Besides the fact that you are using a VPN, the time of the connection and the amount of data you transfer via their infrastructure are also visible. Connection time and amount of data are quite general information, but there are some other things your ISP can tell as well.

Some ISPs, and even government country-wide firewalls, use multiple complex methods to determine whether a connection is made using a VPN. These are the 3 main ways to identify that a connection is made through a VPN:

  1. VPN server IP detection
  2. Port number detection
  3. Deep Packet Inspection

When you initiate a connection to a VPN server, your ISP can see your real IP address and where you are trying to connect, which in this case is not a website’s IP address but a VPN server’s. The destination IP address does not say much on its own, but it is easy to find out who owns it by doing a little research. It is possible to find out that a particular IP address, or even a range of IP addresses, belongs to a certain VPN provider. Nowadays there are even blacklists of VPN server IP addresses, which are used to block VPN providers’ servers in bulk. These lists are mostly used by governments that try to censor content, or by streaming providers such as Netflix or BBC to limit access to their services.

It is not only about the VPN server’s IP address but about yours as well. ISPs usually keep a mapping between IP addresses and their own client IDs, so they know the location and the client information associated with each address they provide service to. Your ISP knows that it is you who is using a VPN if you do it from your own apartment.

Sometimes the IP address alone is not enough to identify that a connection is made through a VPN, but it is also possible to detect the port the connection is made to. When a VPN connection is initiated, it uses a particular VPN protocol to negotiate the rules and encryption standards. Different VPN protocols use different port numbers: for example, the well-known OpenVPN protocol over UDP uses port number 1194, and the IKEv2 protocol uses UDP ports 500 and 4500 to establish the connection. These port numbers are specifically used for VPN, so it is easy to tell that you are using one.

IP address and port number detection is called shallow packet inspection: it only inspects the IP packet’s headers, not the payload inside the packet. A packet sent via the internet has two main parts, the IP packet header and the packet payload:

  • IP packet header contains information such as IP address, Port number, Protocol used and other data
  • Packet payload is the deeper part of the packet that contains the data being sent; this is the part that is encrypted by the strong encryption VPN services provide.

[Figure: Simplified IPv4 internet packet structure]
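To make the header/payload split concrete, here is an added example (not from the original article) of what shallow inspection can read from a single IPv4/UDP packet. The port table uses the ports named above; the address range, the sample packet and the function names are constructed for illustration.

```python
import ipaddress
import struct

# Ports the article names; (IP protocol number, port) -> label. 17 = UDP.
VPN_PORTS = {(17, 1194): "OpenVPN", (17, 500): "IKEv2", (17, 4500): "IKEv2 (NAT-T)"}
# Constructed stand-in for a list of known VPN server ranges (documentation range).
VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def shallow_inspect(packet: bytes) -> dict:
    """Return only what header inspection reveals; the payload is never read."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    total_len, = struct.unpack("!H", packet[2:4])
    proto = packet[9]
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    view = {"src": str(src), "dst": str(dst), "proto": proto,
            "dst_port": None, "payload_len": None, "reasons": []}
    if proto in (6, 17) and len(packet) >= ihl + 4:   # TCP or UDP: ports come first
        _, view["dst_port"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto == 17:
        view["payload_len"] = total_len - ihl - 8     # UDP header is 8 bytes
    label = VPN_PORTS.get((proto, view["dst_port"]))
    if label:
        view["reasons"].append(f"port matches {label}")
    if any(dst in net for net in VPN_RANGES):
        view["reasons"].append("destination in listed VPN range")
    return view


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a constructed IPv4/UDP packet (checksums left at zero) as sample input."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + udp


if __name__ == "__main__":
    # Constructed sample: opaque bytes standing in for an encrypted tunnel payload.
    pkt = build_udp_packet("198.51.100.7", "203.0.113.20", 51000, 1194, b"\x8f" * 64)
    print(shallow_inspect(pkt))
```

The result carries addresses, protocol, port and payload size, which is the metadata the article lists; the payload bytes themselves never appear in it.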

When an ISP uses DPI (Deep Packet Inspection), it not only analyses the IP header information but also tries to look inside the packet to see what data it carries. DPI is a combination of sophisticated methods that try to find patterns resembling VPN traffic; however, it cannot tell what kind of data is inside the packet payload. The ISP does not see the actual data and does not know where you are actually trying to connect or what you download, since it is encrypted.

To avoid being detected by DPI or blocked by ISP firewalls, VPNs use stealth and obfuscation techniques: they use different ports or common protocols when initiating a connection so that all traffic resembles general HTTPS traffic, which is much harder to spot and block.

So, keeping in mind how an ISP monitors internet traffic, …

  1. The fact that you are using VPN
  2. Your IP address
  3. VPN server IP address
  4. VPN protocol used
  5. The time you connected to the VPN server
  6. Amount of data used
  7. Encrypted data stream

This question is not so straightforward to answer. An ISP is just another business whose primary intention is to earn a profit, but while doing so it has to comply with laws and regulations as well. Since laws differ from country to country, especially regarding VPN usage, how much an ISP cares whether you use a VPN depends on where you are. In Western countries where VPNs are allowed, the ISP does not really care that you are using one; however, it is a different story in countries where VPN usage is illegal. Where VPNs are considered illegal, government agencies and ISPs develop techniques to detect and block such connections. In short, an ISP is a business that mostly cares about profit and not really about whether you use a VPN, but in some countries where it is not legal, ISPs might care about it to some extent.

It is not that difficult to detect a VPN connection that does not use obfuscation techniques, but what might an ISP then actually do to you as an internet user?

Yes, once an ISP detects that a connection is made via a VPN, it can block such connections by blocking the server’s IP address or by filtering out the stream of packets with DPI. But ISPs based in the United States or Europe rarely do that, and as mentioned before, they do not really care about it. In countries like China, UAE, Iran, once a VPN is detected it is usually blocked by country-wide firewalls, and in some cases you might also get fined if caught.

Throttling is a way to reduce your bandwidth, resulting in slower internet speeds. ISPs have the power to limit internet usage once they suspect that a VPN connection has been established; however, it is not a common practice. To avoid throttling, you might try stealth VPN traffic or use a different port, reducing the chance that your VPN connection will be detected.

Nowadays ISPs have advanced techniques such as Deep Packet Inspection to determine whether a connection was made through a VPN. An ISP can tell just a few things, such as the fact of VPN usage, the timing, the amount of data transmitted, and your IP address and the VPN server’s. What it cannot tell is what kind of data is inside the VPN tunnel and where you actually connect. The only thing the ISP can see is an encrypted, gibberish data stream, which is why a VPN is a good tool to protect your privacy.

