Tracking VPN and Proxy Users

Network administrators in corporate networks and those running firewalls for authoritarian regimes face similar challenges with the use of proxies and VPN services.  The issue is that these not only allow individuals to conduct their internet activity without being tracked; a VPN will also prevent most aspects of logging from taking place.

In a company network, this means that an individual could potentially conduct all sorts of behaviour from a company computer whilst sitting in a corporate office at work.   They could be downloading films, streaming Netflix or perhaps doing something much more sinister.  Obviously this is a potential risk both to the network infrastructure and to the company’s reputation.

So how do you block the use of VPNs and proxies?  For a corporate network there are actually many more options, and the simplest is probably to stop any sort of VPN or proxy being used in the first place.   You can lock down the advanced settings in a web browser quite simply; for example, the Internet Explorer Administration Kit (IEAK) allows you to configure an IE package which cannot be modified and deploy it onto every client in your organisation.  This stops proxies being configured manually, and VPN clients can be blocked by ensuring that standard users have no administrative access to their desktops.

It is certainly easier to block any installation than to try to track the use of VPNs, particularly some of the most sophisticated ones.   For example, although you could potentially monitor logs in firewalls and routers for specific IP addresses which look like VPNs, some services allow you to switch to a range of IP addresses – Hide My VPN like the one in this video demonstrates:

As you can see, if a service is rotated then identifying the VPN by its IP address is much more difficult.  However, blocking installation of the highlighted service, Identity Cloaker, can also be difficult as it has a mobile version which can be run directly from a USB disk.

Proxies are fairly irrelevant today as they can be easily blocked, and most content filters can detect their use too.   Significantly, their use has now dropped globally for additional reasons, mainly that they are mostly detected by websites which operate regional restrictions.   It is the more sophisticated virtual private networks which are the difficulty, particularly those equipped with various VPN hider technologies and advanced encryption.

Does BBC Block VPN Programs from iPlayer

For years people have used VPNs for all sorts of reasons, but their origin lies quite simply in the security they provide.  International companies will normally insist that their employees use VPN services when remotely connecting back to their servers over the internet.  It makes sense; otherwise important information and credentials would be trusted to the owners of coffee shop wifi or the administrator of your local Premier Lodge or hotel chain.

The concept is simple: create an encrypted tunnel which ensures that all the data which would normally be passed in clear text is instead encrypted and unreadable.  Of course, this security means that as well as being safe from computer criminals and identity thieves, it’s also secure from intelligence services and state controlled snoopers too.  It should come as no surprise that anyone who opposes free speech generally hates VPNs and the protection that they give.

So when we hear stories about different organisations and companies, from Netflix to the Chinese Government, trying to block VPNs, what are they doing?  Well, it depends: obviously the situation that leads to thousands of BBC iPlayer VPNs not working is going to be slightly different to the Chinese throwing billions at the Great Firewall of China.   However, the general techniques are basically the same ones a small company would use to achieve the same thing.

One of the most common options is to block the ports used by these services.  Most VPN tunnelling protocols operate on standard ports, e.g. those using PPTP or L2TP.  They need to establish these connections to send and receive data; without them the service won’t function.  Other methods include identifying and blocking specific IP addresses or ranges which are being used by VPN services.   It is these two methods that are mostly used by the big media companies like Hulu and the BBC.
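The two checks described above (standard tunnelling ports and known address ranges), applied to firewall logs from an administrator's side. This is an added example, not code from the original article; the log format, the sample lines and the watch-list range are constructed, and only the registered PPTP (TCP 1723) and L2TP (UDP 1701) ports are matched.

```python
import ipaddress
from collections import defaultdict

# Registered ports for the two tunnelling protocols the text names.
VPN_PORTS = {("tcp", 1723): "PPTP", ("udp", 1701): "L2TP"}

# Constructed watch list: an RFC 5737 documentation range standing in for
# address ranges an administrator has attributed to a VPN provider.
VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed firewall log lines: time, source, destination, protocol, port.
SAMPLE_LOG = """\
09:00:01 10.0.0.15 198.51.100.7 tcp 1723
09:00:05 10.0.0.22 203.0.113.40 tcp 443
09:00:09 10.0.0.15 198.51.100.99 udp 1701
09:00:12 10.0.0.31 192.0.2.10 tcp 443
09:00:20 10.0.0.22 203.0.113.77 tcp 443
not a log line
"""

def parse(line):
    """Return (src, dst, proto, port), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, src, dst, proto, port = parts
    try:
        return src, ipaddress.ip_address(dst), proto.lower(), int(port)
    except ValueError:
        return None

def flag_vpn_use(log_text):
    """Map each internal host to the set of reasons it was flagged."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, proto, port = rec
        if (proto, port) in VPN_PORTS:            # method 1: standard port
            findings[src].add("port:" + VPN_PORTS[(proto, port)])
        if any(dst in net for net in VPN_RANGES):  # method 2: listed range
            findings[src].add("range:" + str(dst))
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in sorted(flag_vpn_use(SAMPLE_LOG).items()):
        print(host, sorted(reasons))
```

Host 10.0.0.31 is not flagged: traffic on a common port to an address that is not on the watch list passes both checks, which is why the list has to be maintained as providers rotate addresses.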

Many Rumors – Does BBC Block VPN ?

In reality this does actually happen, but not by any sophisticated method.  Many companies providing VPN services have been blocked, but largely because of their own issues.   Using BBC logos and overloading servers are two of the main reasons they have been blocked. It’s not BBC iPlayer detecting VPN services; it’s seeing thousands of individuals using the same IP address to access the service which is the problem.

In many instances this is very likely to happen; there was a report that NordVPN was blocked by BBC iPlayer, for example.  This was largely true simply because they are the largest legitimate VPN provider with millions of users.  Don’t worry though, Nord have now allocated specific IP addresses specifically for access, so it works OK as long as you use those.  Nord VPN is very good value and you can get some great deals at the moment too if you want to watch the BBC abroad.

Just make sure you use the BBC enabled VPN servers.

If you don’t mind spending a little more and want something even more secure then a program called Identity Cloaker doesn’t have as many users and has optimized its UK servers for accessing the BBC.  I’ve used it without problems for ten years now and it certainly smashes the rumours that BBC iPlayer is not working through VPN programs.

The reality is that although many VPN services have been blocked it’s not actually that easy to achieve unless the company is careless or greedy.  Normally it’s just a numbers game but even then if IP addresses are rotated carefully there shouldn’t be an issue.  The BBC doesn’t have the time and budget to technically spot and block VPN services in any other way other than mentioned above.

These methods can be time consuming though, and it’s possible to switch address, and some services allow you to configure alternative ports too. The Chinese Government, as you would expect, have gone one step further and use more sophisticated techniques like deep packet inspection.   This involves looking at the data itself to identify if a VPN is being used to transport it.  For example, if you are unable to read any data because none of it’s in clear text then there is the likelihood that it is being encrypted.   Of course, there are other methods which encrypt data, like SSL, so you need to be careful that you don’t block other traffic; it’s a risk that the Chinese would probably be happy to take however.

Even these methods are not foolproof, and VPN companies can scramble things like the metadata to make identifying the use of a VPN even harder.  It is worth noting that many people in China still use VPNs routinely, so if the huge resources available to the Chinese State can’t block their use, there’s little likelihood that our BBC VPN workaround is going to stop working in the foreseeable future as long as we choose the right company to use.

 

TCP Extensions – Virtual Circuits

TCP provides lots of additional services which have been added over its lifetime; one of the more useful ones is the virtual circuit transport service. There are three distinct phases in the life of any TCP connection – establishment, transferring data and termination.    Many applications, including things like remote login and those that enable file transfer, are perfectly suited to using a virtual circuit type service.    Many other applications are better suited to a transaction based service, which is basically a client request followed by a server response.  This can be explained by briefly detailing its characteristics:

1: Any overhead of connection establishment and the subsequent termination should be minimized.  Ideally one request should be sent followed by the corresponding receive before any other packets are sent.

2: Latency should be reduced to the sum of the round trip time (RTT) plus the server processing time (SPT).

3: Server should be capable of detecting duplicate requests and not processing them again.

A very important application which forms the very backbone of the internet uses this type of service – the Domain Name System (DNS).   Other common applications include the BBC VPN many people use to bypass the numerous region locking systems which exist online.   The other important decision that an application developer must consider is whether to use UDP or TCP for the transport.  The difficulty is that TCP simply provides too many features for an efficient transaction whilst UDP doesn’t really provide enough.   Normally UDP is used simply because it avoids the overhead of TCP connections, but this involves adding the features that are required, like retransmission, dynamic timeouts and congestion avoidance.

A better alternative than this is to provide an additional transport layer which handles the transactions more efficiently.  The transaction protocol which is commonly used now by many applications is called T/TCP, defined in RFC 379 – extending the TCP protocol for transactions.

Remember most TCPs require 7 segments to open and close a connection.  Three more segments are added to deal with the requests and replies (initial and the one responding to the ACK).  In addition it may be necessary to add extra control bits to deal with other functionality and connection information required to complete the transactions properly.
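The UDP route described above means the application has to supply retransmission and the duplicate detection of characteristic 3 itself. The following simulation of that pattern is an added example, not code from the original article; the class and function names are hypothetical, and a scripted channel stands in for a real lossy network.

```python
from collections import OrderedDict

class TransactionServer:
    """Executes each (client, txid) once; replays the cached reply to duplicates."""
    def __init__(self, cache_size=1024):
        self.replies = OrderedDict()   # (client, txid) -> reply already sent
        self.cache_size = cache_size   # bound the state senders can make us hold
        self.processed = 0             # requests actually executed

    def handle(self, client, txid, payload):
        key = (client, txid)
        if key in self.replies:                # retransmitted request
            return self.replies[key]           # answer without re-processing
        self.processed += 1
        reply = payload.upper()                # stand-in for the real server work
        self.replies[key] = reply
        if len(self.replies) > self.cache_size:
            self.replies.popitem(last=False)   # evict the oldest entry
        return reply

class ScriptedChannel:
    """Constructed stand-in for UDP: each outcome says if a datagram arrives."""
    def __init__(self, outcomes):
        self.outcomes = iter(outcomes)

    def deliver(self):
        return next(self.outcomes, True)       # script exhausted: deliver

def transact(server, channel, client, txid, payload, max_tries=5):
    """Client side: resend the same txid until a reply arrives.
    Returns (reply, tries); each failed try models one timeout."""
    for tries in range(1, max_tries + 1):
        if not channel.deliver():              # request lost in transit
            continue
        reply = server.handle(client, txid, payload)
        if channel.deliver():                  # reply made it back
            return reply, tries
    raise TimeoutError("no reply after %d tries" % max_tries)

if __name__ == "__main__":
    server = TransactionServer()
    # Request arrives, reply lost, retry lost, second retry succeeds.
    channel = ScriptedChannel([True, False, False, True, True])
    print(transact(server, channel, "10.0.0.5", 7, "lookup example.test"))
    print("executed", server.processed, "time(s)")
```

Bounding the reply cache limits the memory a flood of unique transaction ids can consume, at the cost that a duplicate arriving after eviction is executed again.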

Further Reading:

James Hibbert: Polskie Proxy, Haber Press, 2017

 

 

BBC News Proxy Streaming from Outside the UK

The BBC haven’t always streamed the BBC News over the internet; in fact it was noticeably missing from the initial releases of the BBC iPlayer for a few years. There are a few other programmes which were omitted; for example, there was always a delay put on Match of the Day, presumably for contractual reasons. However, now that the BBC has its own dedicated 24 hour News channel, it’s great news to see that it’s simultaneously broadcast live online on their web site.

Using a BBC News Proxy

You can see the tab illustrated which leads to the live TV streaming section including the BBC News channel.   However many people outside the UK will have problems finding this link as it simply doesn’t exist on the version you get outside the UK.  It’s called the ‘International version’ and anyone not in the UK will be redirected to this site.   The site is good but it’s missing all the TV stations and the BBC iPlayer functionality, even if you go there directly you’ll get blocked whenever you try and play anything.

A BBC News Proxy in Action

Yet fear not, millions (and that’s not an exaggeration) watch the BBC News and all UK TV channels from all over the world.  When you appreciate the amount of programmes available on the BBC iPlayer and ITV Hub for example you’ll realise why people make the effort.  For many of us online access to the BBC iPlayer is way more valuable than a cable subscription which can cost a small fortune.

For those of us feeling a little bit stranded in mainland Europe after the disappointment over Brexit it genuinely feels like a lifeline.  Access to proper journalism is only appreciated when you have relied on social media for a while.

Like this post for example found on Facebook !

Got me worried, I can tell you!  Can you guess which European country I’m trying to access the BBC News from?  Anyway, it apparently is slightly misleading and it wasn’t due to UK passport holders being segregated into different queues.  It was apparently a training exercise for customs staff at the airport that caused the problems.

It was actually mentioned on the BBC show – Newsnight which I watch every evening 1030 GMT via the live streaming function on the BBC site.   You can even stream the last few episodes from the iPlayer link too – BBC Newsnight on iPlayer

UK Proxy BBC  – the News and All the British TV Channels

Ironically, Brexit would have actually made accessing the BBC online content for free a little bit more difficult.  The EU’s digital marketplace initiatives were forcing them to make the BBC accessible across Europe for all license fee holders.  This would have been great for legitimate viewers but would have probably involved an authentication process for everyone.

Anyway, that’s unlikely to happen now and you can still watch the BBC by routing your connection through a proxy server based in the UK.  To be more specific, it’s really a VPN, which is harder to detect but functions in almost the same way.  Don’t be worried about lots of rumours that the BBC is blocking all VPN programs; that’s not entirely true.  Many have been blocked but the secure ones like Identity Cloaker still work perfectly.

Here’s a quick video entitled – BBC News Streaming over the Internet which you can also watch below:

As you can see, the trick is to hide your location before you connect to the website. By logging on to a server physically located in the UK, you can access any of the BBC without issue simply because it will see the server’s UK address and not your real one. It has the added bonus of adding a layer of security and privacy to your internet connection too. This is because the connection between your computer and the VPN server is entirely encrypted, which means not only is your identity private but all credentials you pass through the VPN are safe too.

It should be added that all the media companies try to block access to their sites through intermediary servers like proxies and VPNs. However, there are still several companies whose servers work perfectly well for accessing the BBC from anywhere in the world.

Further Reading about changing your IP address to a UK one  – http://www.changeipaddress.net/change-ip-address-to-united-kingdom/