Tracking VPN and Proxy Users

There are similar challenges for network administrators in corporate networks and those running firewalls for authoritarian regimes about the use of proxies and VPN services.  The issue is that not only do they allow individuals the freedom to conduct their internet activity without being tracked, a VPN will also prevent most aspects of logging taking place too.

If you imagine a company network it means that an individual could potentially conduct all sorts of behaviour from a company computer whilst sitting in a corporate office whilst at work.   They could be downloading films, streaming Netflix or something perhaps much more sinister even.  Obviously this is potentially a risk to both the network infrastructure and also potentially to the company’s reputation.

So how do you block the use of VPNs and proxies?  For a corporate network there are actually many more options, and the simplest is probably to stop any sort of VPN and proxy being used in the first place.   You can lock down the advanced settings in a web browser quite simply, for example the Internet Explorer Administration Kit (IEAK) allows you to configure and deploy an IE package which cannot be modified onto every client in your organisation.  This stops proxies being used manually and VPN clients can be blocked by ensuring that  standard users have no administrative access to their desktops.

It is certainly easier to block any installation than trying to track the use of VPNs particularly some of the most sophisticated ones.   For example although you could potentially monitor logs in firewalls and routers for specific IP addresses which looked like VPNs some services allow you to switch to a range of IP addresses – Hide My VPN like the one in this video demonstrates:

As you can see if a service is rotated then identifying the VPN by it’s IP address is much more difficult.  However blocking installation of the highlighted service Identity Cloaker can also be difficult as it has a mobile version which can be run directly from a USB disk.

You can see that proxies are fairly irrelevant today as they can be easily blocked, also most content filters can detect their use too.   Significantly their use has now dropped globally for additional reasons mainly that they are mostly detected by websites which operate regional restrictions.   It is the more sophisticated Virtual private networks which are the difficulty, particularly those equipped with various VPN hider technologies and advanced encryption.

VPN Blocking on the Rise

For years people have used VPNs for all sorts of reasons, but it’s origin lay quite simply in the security they provided.  International companies will normally insist that their employees use VPN services when remotely connecting back to their servers using the internet.  It makes sense, otherwise important information and credentials would be trusted to the owners of coffee shop wifi or the administrator of your local Premier Lodge or hotel chain.

The concept is simple, create an encrypted tunnel which ensures that all the data which normally is passed in clear text instead is encrypted and unreadable.  Of course, this security means that as well as being safe from computer criminals and identity thieves – it’s also secure from intelligence services and state controlled snoopers too.  It should come as no surprise that anyone who opposes free speech generally hates VPNs and the protection that they give.

So when we hear stories about different organisations and companies from the Netflix to the Chinese Government trying to block VPNs what are they doing.  Well it depends, obviously the situation that leads to thousands of BBC iPlayer VPN not working is going to be slightly different to the Chinese throwing billions at the great firewall of China.   However the general techniques are basically the same as a small company want to achieve the same thing.

One of the most common options is to block the ports used by these services.  Most VPN tunnelling protocols operate on standard ports, e.g using PPTP or LTP.  They need to establish these connections to transfer and receive data, without them the service won’t function.  Other methods include identifying and blocking specific IP addresses or ranges which are being used by VPN services.   It is these two methods that are mostly used by the big media companies like Hulu and the BBC.

These methods can be time consuming though and it’s possible to switch address and some services allow you to configure alternative ports too. The Chinese Government as you would expect have gone one step forward and use more sophisticated techniques like deep packet inspection.   These involved looking at the data itself to identify if a VPN is being used to transport it.  For example if you are unable to read any data because none of it’s in clear text then there is the likelihood that it is being encrypted.   Of course, there are other methods which encrypt data like SSL so you need to be careful that you don’t block other traffic, it’s a risk that the Chinese would probably be happy to take however.

Even these methods are not foolproof and VPN companies can scramble things like the meta data to make identifying the use of a VPN even harder.  It is worthwhile noting that many people in China still use VPNs routinely and so if the huge resources available to the Chinese State can’t block their use – we should be ok to have a BBC VPN like this for the foreseeable future.



TCP Extensions – Virtual Circuits

TCP provides lots of additional services which have been added over it’s lifetime one of the more useful ones is that of the virtual circuit transport service. There are three distinct phases in the life of any TCP connection – establishment, transferring data and termination.    There are many applications including things like remote login and those that enable file transfer which are perfectly suited to using a virtual circuit type service.    Many other applications are suited better towards a transaction based service which is basically a client request followed by a server response.  This can be explained by briefly detailing it’s characteristics:

1: Any overhead of connection establishment and the subsequent termination should be minimized.  Ideally one request should be sent followed by the corresponding receive before any other packets are sent.

2: Latency should be reduced to the sum of the round trip time (RTT) plus the server processing time (SPT).

3: Server should be capable of detecting duplicate requests and not processing them again.

A very important application uses this type of service which forms the very backbone of the internet – the Domain Name System (DNS).   Other common applications such as the BBC VPN many people use to bypass the numerous region locking systems which exist online.   The other important decision that an application developer must consider is whether to use UDP or TCP for the transport.  The difficulty is that TCP simply provides too many features for an efficient transaction whilst  UDP doesn’t really provide enough.   Normally UDP is used simply because it avoids the overhead of TCP connections but this involves adding the features that are required like retransmission, dynamics timeouts and congestion avoidance.

The solution that is a better alternative than this is to provide an additional transport layer to provide more efficient handling for the transactions.  The transaction protocol which is commonly used now by many applications is called T/TCP defined in RFC 379 – extending the TCP protocol for transactions.

Remember most TCPs require 7 segments to open and close a connection.  An additional three more segments are added to deal with the requests and replies (initial and the one responding to the ACK).  In addition it may be necessary to add extra control bits to deal with other functionality and connection information required to complete the transactions properly.

Further Reading:

James Hibbert: Polskie Proxy, Haber Press, 2017



BBC News Streaming from Outside the UK

The BBC haven’t always streamed the BBC News over the internet, in fact it was noticeably missing from the initial releases of the BBC iPlayer for a few years. There are a few other programmes which were omitted, for example there was always a delay put on Match of the Day presumably for contractual reasons. However now that BBC has it’s own dedicated 24 hour News channel, it’s great news to see that it’s simultaneously broadcast live online on their web site.

You can see the tab illustrated which leads to the live TV streaming section including the BBC News channel.   However many people outside the UK will have problems finding this link as it simply doesn’t exist on the version you get outside the UK.  It’s called the ‘International version’ and anyone not in the UK will be redirected to this site.   The site is good but it’s missing all the TV stations and the BBC iPlayer functionality, even if you go there directly you’ll get blocked whenever you try and play anything.

Here’s a quick video entitled – BBC News Streaming over the Internet which you can also watch below:

As you can see the trick is to hide your location before you connect to the website. By logging on to a server physically located in the UK, you can access any of the BBC without issue simply because it will see the server’s UK address and not your real one. It has the added bonus of adding a layer of security and privacy to your internet connection too. This is because the connection between your computer and the VPN server is entirely encrypted which means both your identity is private but also all credentials you pass through the VPN are safe too.

It should be added that all the media companies try and block access to their sites through intermediary servers like proxies and VPNs. However there are still several companies who’s servers work perfectly well for accessing the BBC from anywhere in the world.

Irish Proxy for Watching RTE PLayer Live

RTE is the national broadcaster of the Republic of Ireland and has been involved in broadcasting TV channels since 1961.  It was actually an early adopter of radio broadcasting yet Ireland was relatively slow in getting involved in TV broadcasts – the BBC was involved in the 1920s for example.  There was some television broadcasting in Ireland through the Northern Ireland services run by the BBC although this was completely unofficial.

The Irish Government until the late 1950s considered TV to be a luxury which wasn’t a priority however it changed it’s opinion as the popularity rose.  A committee was formed to investigate how to set up an Irish broadcasting service (for the lowest possible outlay) and it’s initial form was something like the commercial services from the UK.

The first broadcast was on New Years Eve, 1961 at 19:00 hours and included a speech from the President who described what the service would be.   Many other messages were then broadcast from religious figures before a live concert was shown live from the Gresham Hotel in Dublin.

The Irish people took to the new medium almost immediately particularly as a way to discuss topics and current affairs.   Suddenly topics like abortion, religion and contraception were discussed openly in chat shows and tv studios broadcast across Ireland.  The origin of many of these chat shows lies with the first and arguably the most famous one – The Late Late Show which began in July 1962 and which still runs today.

Although RTE was relatively late to the world of TV broadcasting, however it caught up quickly.  In 1962, RTE expanded it’s broadcasts to include 625 line transmissions several years ahead of the BBC for instance.  In 1969, RTE broadcast the Wimbledon finals in colour over the next few years more and more broadcasts were transmitted in colour.

Rte has expanded it’s channels over the last few years and also branched out into the world of internet broadcasting. RTE Player is the channels broadcasting application and it can be found at the following address – Unfortunately the channel is not directly available over the internet outside Ireland although they can be accessed in certain areas. In Northern Ireland particularly near the border there is some overspill of the signal. Also the channels were made available over Sky although there has been some disputes over licensing so certain events usually sports shows are not available in Northern Ireland.

Using a Proxy to Watch the BBC Iplayer in USA

You’d never hear the word ‘proxy’ outside of an IT department a few years ago, but now everyone uses them. This post is specifically how to use a proxy to watch the BBC iPlayer application in the USA. Now firstly a quick introduction to the problem, the internet is not open or unrestricted in fact it’s more compartmentalised than ever before. One of the reasons, is a technology called ‘region locking’ or ‘geo-targeting’ which have very similar meanings.

These technologies are basically designed to ensure that certain websites are only accessible from specific physical locations. It sounds crazy, but it’s true – where you are based physically has a huge impact on what you can access online. I’m not talking about the stupid filtering that paranoid governments do either, these restrictions are deployed by the web sites themselves. Mostly it’s to do with money, profit or copyright laws but they affect a huge proportion of the world’s best web sites.

I would certainly put the BBC and it’s application BBC iPLayer as one of the best web sites on the internet. You get access to all the BBC broadcasts live, something like six or seven 24 hour TV channels plus all the radio channels. You can also watch stuff for about six weeks after using the BBC iPlayer, all quality programmes with not an advert to be seen. Unfortunately it’s only accessible in the UK, if you try and access from the USA you’ll get blocked.

Which is where our friend the proxy comes in, a server that sits between you and the web site you visit basically hiding your real location. The trick is to use a proxy server that sits in the country you need access to, which for the BBC is of course the United Kingdom.

So here we go – How to watch the BBC iPlayer USA simply by using a proxy server.

As you can see this is on a computer, the software demonstrated is called Identity Cloaker and actively hides your true location when you visit any website. In this instance, the BBC sees the UK proxy server and assumes that is your location and as such everything works, you can even watch the BBC News.

Now a few years ago pretty much any proxy server would work, even the free ones you could find online. However this has now changed and there’s a few things you should bare in mind when looking for a way to watch the BBC iplayer in the USA.

Speed – it’s everything when streaming video, otherwise whatever you’re watching will buffer all the time.
Discretion – don’t sign up to a proxy/vpn service which openly advertises bypassing the BBC blocks and has it’s logos all over the site. They will get blocked or closed down.
Security – last year the BBC started actively blocking these connections from proxies. They need to be securely configured so as not to be detected.
Other Countries – If you want to access websites and TV stations in other countries, you’ll need access to proxies in those countries too.

Identity Cloaker is our recommendation because of it’s speed and security, plus it’s very reasonably priced.   Try the 10 day trial first to make sure it works well for you.  Although the core program is software to run on your computer/laptop you can also connect through from a tablet or smartphone by creating the connection manually.  It’s easy to do and there’s a guide here.

How to use a US IP Proxy Server

There used to be a time when configuring and using a US IP proxy server was only for the technologically advanced. However times have changed and now millions of people with limited technical knowledge use IP proxies every day for many mundane situations.

One of the most common uses for an IP proxy is to access content that is restricted by region locking. For instance if you try and access any of the mainstream US media sites like ABC, NBC or Hulu from outside the USA then you’ll find that the majority of the site is inaccessible. The sames goes for lots of other media sites across the world – all inaccessible outside their domestic market.

It kind of makes a mockery of the global communication medium that we call the internet. It certainly wasn’t designed to restrict and block access based on your physical location however that is how it has turned out. Which is why for a US citizen travelling or living abroad a US IP proxy server is so useful.

Using a US IP Proxy Server

The fact is that most of these websites determine your location by looking at your IP address and where it’s registered to. This will of course determine your physical location, however if you connect through a proxy server then the IP address of the server will be revealed and not your own. Therefore someone on holiday in Europe who connected to the internet through a US IP proxy server would appear to be in the US. Here’s a quick video which demonstrates this in action:

As you can see in the demonstration, the software is used to connect to a network of different proxies. In this particular example a US proxy is selected in order to access the film and movie site Hulu. Without using the proxy then the site won’t be accessible as the content is only licensed for US based users. However you can see that there are many different countries available in the software which can be used to watch or access web sites in other countries.

Connecting through a Canadian proxy would give you access to all the Canadian websites, using a French proxy would give you a French IP address and the ability to watch sites like M6 Replay.

As you can see from the video there is no real technical knowledge required as it’s all taken care of by the software. There are a whole host of these programs available now which you can install easily and then change your IP address to whichever you need. It is worth remembering though that when your connection is routed through a specific country then your browsing will be tailored to that country.

Someone connected through a US IP proxy will for example get the US version of Google complete with US related search results. It is obviously not a major issue but it can be confusing if you forget!

How to Switch IP Address Quickly

Many of us now use VPNs and proxy servers routinely to hide our real IP addresses. The reasons are many however for most us it’s either to bypass the thousands of region locks which exist online or simply to hide our real location and identity. Investing in a VPN solution is usually a wise move, providing protection for when you’re online either at home or using an insecure wifi connection in a cafe or hotel for example. When you connect through a VPN or proxy your real ip address is hidden and the website you visit has no way of logging your location.

How to Change IP Address Quickly

The problem is that for region locking uses, having a single additional IP address is rarely enough. The problem is that all these regional filters are based on different locations, so you often require addresses based in a variety of countries and being able to change address quickly is essential. Here’s a quick demonstration of some software called Identity Cloaker which facilitates this:

You can see that the software that controls the connection sits in the task bar and you can enable the VPN or switch it to use another server whenever you like. So for example if you where trying to watch the BBC you’d need a UK IP proxy but to watch ABC or CNN live streams you’d need a US proxy and IP address. All you need to do is open the control panel and switch to the appropriate country.

A few of the biggest VPN providers now provide multiple servers across different countries so you can switch like this. It makes sense to use one of these rather than the companies who charge additional for each country you sign up for. Using these companies you’ll find information on how to change IP address quickly as the subscription covers all their servers. Most of the sites cover countries like USA, Canada, UK, France and Germany whereas for other countries you might need to search around.

One of the difficult countries to get a proxy or VPN in is Australia, simply because the internet costs tend to be much higher there and it’s expensive to include Australian servers in their infrastructure. There are a few around though and you can find a few around, but remember to watch BBC iPlayer in Australia you need a UK proxy not an Australian one. Although any one based in Australia would be advised to use a local proxy when they’re not trying to bypass region locks simply because of the speed.

There is another reason why you should regularly rotate and change your IP address and that’s to keep the fact that you’re using a secure connection private. If you don’t switch addresses, any ISP logs will show the use of a proxy as all requests will be routed through the one specific IP address. Switching this address periodically makes it much more difficult to detect.

Detecting the Proxies

There’s no doubt that your online experience can be extremely limited from certain countries. More and more countries are seeking to take control over things like access to social media, political and religious websites and worryingly even many of the independent news sources available online. The practice of filtering and censorship grows everyday and there’s little sign of this trend reversing.

Most of the time, censorship of the internet is justified by a fight on crime, child abuse or other illegal practice. Generally those aims are flexible and can be extended to suit whatever the State decides, often the associated legislation is particularly vague to allow whatever interpretation is needed. Most countries who heavily police the internet have ‘catch all’ phrases which can cover pretty much anything they decide at the time. All over the world innocent journalists, bloggers and web users have been imprisoned for little more than expressing the ‘wrong opinion’ online, sometimes all it takes is a ‘like’ on a Facebook post to land people in trouble.

For people unfortunate enough to live in such places, using the internet safely involves protecting both their internet connection and maintaining anonymity. There are simple things like using pseudonyms and never putting any real information in social media profiles for instance. Yet ultimately it is the technical details which are most important, hiding your real ip address is vital.

This is because it doesn’t matter what information you leave online, your IP address can be linked to your physical location. Obviously in a public access point like a cafe or library this isn’t as important but if you’re using a home internet connection you have to be even more careful. This is why proxies and VPN are so important as they sit between you and the website you’re visiting in order to hide your location. Instead of your own IP being left, instead it’s that of the VPN/proxy that you are using.

Here’s an example of such a service being used, not for security but instead to fool the region locking of a big media site – it’s called a proxy for Netflix you can see it here.

In this scenario, Netflix is not able to see the true location of the viewer only that of the proxy server which allows full access. However using proxies to hide your location is fraught with dangers simply because they are relatively insecure. Firstly they do nothing to hide or secure any information you transmit and secondly proxies are by default set up to transmit a X-Forwarded-For HTTP header when they contact any server. This can be used to both detect the presence of the proxy and worse the originators IP address.

Any decent anonymous proxy server would be configured to not send this header but remember it is default behaviour and any upgrade or misconfiguration could easily override these changes. The danger is that as soon as any misconfiguration happens, the proxy will be identified and picked up by services such as IP2Location which maintain extensive databases of proxies, VPNs and TOR nodes.

In the case of media sites this simply means that attempts to bypass the region locks won’t work but for a political activist in somewhere like Thailand, China or Turkey then the repercussions can be much more serious.
Additional Reading

Using a VPN/Proxy on Different Devices

For the internet free spirit who wants full access to the web without restrictions, filters or logs then using a proxy or VPN is pretty much essential. I say that, although the use of proxies is pretty much in terminal decline at least as far as bypassing blocks such as the region restrictions applied by big media sites. A proxy or VPN server operates in a very similar way fundamentally by acting as a buffer to forward and receive requests to hide your location. This means that whatever web sites you visit they will only see the proxy/VPN and never your real location additionally your ISP will only log the visit to the proxy not the end destination.

However a VPN server crucially adds an additional layer – that of encryption which protects the data being transmitted and is almost impossible to detect. The problem is that nowadays even the most cleverly configured proxy server is fairly easy for web sites to detect, if the site enforces region locking it will normally just block access from a proxy. A VPN though is much more difficult to detect and most sites cannot directly detect the use of a VPN although they can use other methods. So if you want to hide your identity from a snooping government, or want to watch Hulu from outside the USA, you’re going to need a VPN service not a proxy. Ignore the hundreds of free proxies available online, most are completely useless now and are often used to steal user credentials and passwords!

A VPN (virtual private network) service is somewhat more sophisticated than a proxy so will need an additional service to make it run. A proxy can be used simply by configuring it’s settings in most standard web browsers but that’s because it merely transparently forwards and receives data without protecting it in any way. A VPN actually sets up an encrypted tunnel between the client and the server which obviously needs some software component to run. Most VPN providers will provide some client connection software to establish the connection on their PC, you can see an example in this video:

If you watch the whole video it shows you the difference between a proxy and a VPN, demonstrating the client software of a program called Identity Cloaker in action.

How Does a VPN Work on other Devices?

This is what often confuses people, after all how does your smart phone or tablet use a VPN after all it’s the platform that many of us use to watch TV or movies sites. You can of course still configure a proxy on these devices but as mentioned these are largely useless now and should be avoided unless you have a specific need (and technical knowledge). For most of these devices there are only two options – use an application specifically designed for the device to enable the VPN connection or use the device’s own operating system to establish the connection.

It’s generally better to use the second option, that is to manually connect to your VPn service using the devices own operating system. This for example is how you connect a VPN using an iPad in this post. All you need as you can see is the login and user authentication details, input them into the VPN configuration screen and save the connection. You can then enable the VPN connection whenever you wish.

It’s worth remembering what actually happens when you establish a VPN connection either through some client software or as illustrated on a computer tablet manually. Firstly an encrypted tunnel is established, making sure all your data is hidden from view, secondly your IP address is effectively hidden all web sites will only see the address of the VPN server. This is what allows people to bypass the myriad of region blocks on large media websites – the ability to use the IP address of the VPN server rather than your own. This is why most VPN services offer a range of servers in different countries so that you can use a UK one for the BBC iPlayer, a USA one for Netflix and Hulu and so on.