Avoiding VPN detection

Hello,

I use a Flint 3 as my home router with a Wireguard VPN server on it, and a Slate Plus as a travel router connecting to it.

It works great, it’s stable, I’m very happy with it.

Now the issue is that some websites / CDNs have started detecting VPN usage, I presume based on the MTU. For example https://johnoliversjunk.com/

And it’s clear that it’s possible for websites to detect your MTU http://speedguide.net:8080/

And that’s a tell-tale of someone using a VPN. It can also be used by your employer to detect that you’re using a VPN.

So I’ve started exploring solutions, one I came up with, that I haven’t tried yet, would be to use a GRE tunnel over WireGuard. GRE allows packet fragmentation and recombination. Both the routers support GRE tunnels, at least in UCI. I’m aware of the performance downsides of that, but that’s still better than being detected!

Does anyone have experience with this? Any recommendation from GL-INET themselves?

Thanks!

Hi

MTU-based VPN detection is not reliable because it only reflects the MTU of packets received by the server, not the MTU of the local device.

Many network types naturally use smaller MTU values. For example:

  • PPPoE typically uses 1482
  • Each MPLS label adds about 4 bytes of overhead
  • Cellular networks often use MTUs like 1428 or 1420

In some cases, when the data center and destination servers are directly connected, you may even see jumbo-frame-level MTU measurements, even while using a VPN.

Hi Will,

I don’t think this is very relevant. No method of VPN detection is “100% reliable”; the problem is that these methods are still being used (actually quite reliably if you ask me). You can indeed “expect” certain CIDRs to have certain MTUs. For example a residential ISP will have at least 1492 (for PPPoE), while some mobile networks will have 1420 or whatever. It’s “easy” to detect outliers, and it seems like it is being done.

The key point is that every device along the transmission path may adjust the MTU, which makes it impossible to accurately determine the MTU of the original outgoing packet.
This is why MTU-based VPN detection is inherently unreliable.


However, if you believe modifying the MTU is necessary, you can
on the server side:

and then update the exported WireGuard profile by setting the MTU value to 1500