
They can determine a connection to their network is through an OpenVPN server even if that server has a clean/normal IP address? Is there some otherwise basic tell that the host is running a VPN server? Could Palo Alto Network also identify say a different VPN server, such as Wireguard?


This paper is about detecting the connection between the VPN client and the VPN server, the first segment of the connection you describe. It's unsurprising that OpenVPN can be fingerprinted, as, like most VPN protocols, it was not designed with contravention of fingerprinting as a goal. The counter-censorship or network policy bypass application of VPNs is a relatively modern concept and the modifications made to meet it tend to be haphazard. OpenVPN predates this kind of application being a design goal.

To address your direct question, whether or not a service can detect that you are reaching it with a VPN service in the middle, the answer is a soft maybe. There are several heuristic methods, but they will not be entirely reliable and using them will risk false positives. Most service operators probably wouldn't go beyond filtering of known VPN services, which is of course widely implemented.

One reliable method is active probing of the traffic source, which is sometimes done, but it comes with some hazards for the service operator and is often easy to defeat.


My understanding after talking to OpenVPN developers is that a known header is exchanged PRIOR to starting a TLS session, thus making it extremely easy to detect (and block).


Literal bytes. This is one of the primary methods modern IDS/IPS engines, like Snort and Suricata for example, use to fingerprint traffic types and other indicators of compromise.

OpenVPN traffic, even encrypted, can look unique enough somewhere in the 'stream' (to borrow the IDS/IPS term) to be reliably identified.
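To make the "known header before TLS" point concrete, here is an added example (not code from any commenter, from OpenVPN, or from Snort/Suricata) that decodes the first byte of an OpenVPN packet the way a literal-bytes signature would. It assumes the OpenVPN 2.x control-channel framing: byte 0 is `(opcode << 3) | key_id`, followed by an 8-byte session id, and over TCP a 2-byte big-endian length prefix; the client's first packet is `P_CONTROL_HARD_RESET_CLIENT_V2` (opcode 7), sent before any TLS record. The opcode table and the sample packets (including a TLS ClientHello and a WireGuard handshake initiation used as negative cases) are constructed here for illustration.

```python
"""Added example: classify a first packet as an OpenVPN client hard reset.

Assumed wire format (OpenVPN 2.x, control channel, tls-auth/tls-crypt not
handled): byte 0 = (opcode << 3) | key_id, bytes 1..8 = session id, and
over TCP a 2-byte big-endian length prefix. Heuristic only, as an IDS rule
would be; this is not OpenVPN's or Suricata's own code.
"""
import struct

# Control-channel opcodes as assumed here (values follow OpenVPN's header
# definitions; only the ones needed for this example are listed).
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
HARD_RESET_CLIENT = {1, 7, 10}


def split_opcode(first_byte: int):
    """Return (opcode, key_id) packed into the first byte."""
    return first_byte >> 3, first_byte & 0x07


def looks_like_openvpn_client_hello(payload: bytes, transport: str = "udp"):
    """Describe whether payload looks like the first packet of an OpenVPN
    handshake. Returns a dict with a 'match' flag and the reasoning."""
    if transport == "tcp":
        if len(payload) < 2:
            return {"match": False, "reason": "too short for TCP framing"}
        (length,) = struct.unpack("!H", payload[:2])
        body = payload[2:]
        if length != len(body):
            return {"match": False, "reason": "TCP length prefix does not frame packet"}
    else:
        body = payload
    if len(body) < 9:
        return {"match": False, "reason": "shorter than opcode + session id"}
    opcode, key_id = split_opcode(body[0])
    if opcode not in HARD_RESET_CLIENT:
        return {"match": False, "opcode": opcode,
                "reason": f"opcode {opcode} is not a client hard reset"}
    if key_id != 0:
        # The first handshake always uses key_id 0; a TLS record header
        # (0x16) decodes as opcode 2 / key_id 6, which is how this check and
        # the opcode check together avoid that false positive.
        return {"match": False, "opcode": opcode,
                "reason": "non-zero key_id on first packet"}
    result = {"match": True, "opcode": opcode, "name": OPCODES[opcode],
              "key_id": key_id, "session_id": body[1:9].hex()}
    # Without tls-auth the packet is exactly opcode(1)+session(8)+
    # ack_count(1)=0+packet_id(4)=0, i.e. 14 bytes; flag that as high
    # confidence. With tls-auth/tls-crypt extra fields follow instead.
    result["plain_14_byte_form"] = (len(body) == 14 and body[9] == 0)
    return result


# Constructed sample packets (not captured traffic).
OPENVPN_UDP = bytes([0x38]) + bytes(range(1, 9)) + b"\x00" + b"\x00\x00\x00\x00"
OPENVPN_TCP = struct.pack("!H", len(OPENVPN_UDP)) + OPENVPN_UDP
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"
WIREGUARD_INIT = b"\x01\x00\x00\x00" + bytes(144)   # type 1 + reserved, 148 bytes total


def classify_samples():
    """Run the classifier over the constructed samples."""
    return {
        "openvpn_udp": looks_like_openvpn_client_hello(OPENVPN_UDP)["match"],
        "openvpn_tcp": looks_like_openvpn_client_hello(OPENVPN_TCP, "tcp")["match"],
        "tls_client_hello": looks_like_openvpn_client_hello(TLS_CLIENT_HELLO)["match"],
        "wireguard_init": looks_like_openvpn_client_hello(WIREGUARD_INIT)["match"],
    }


if __name__ == "__main__":
    for name, matched in classify_samples().items():
        print(f"{name}: {'OpenVPN' if matched else 'not OpenVPN'}")
```

The WireGuard sample is there to answer the question above about other protocols: its handshake initiation also starts with a fixed byte pattern (type 1 followed by three reserved zero bytes, 148 bytes in total), so a different but equally literal signature fingerprints it; what differs between protocols is only which bytes are fixed, not whether any are.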


Thanks, I didn't know that. So if you have a VPN server at home and you bounce through it from a foreign location to a corporate job then perhaps the employer could identify the connection is a relay.

I'm talking about the part of the connection outgoing from the VPN, not the incoming traffic to the VPN, to be clear. I know for example that China can do deep packet inspection and that there are a number of projects to attempt to thwart this technique. But you seem to be saying that the part after the VPN can be identified?


No, the article is about you connecting to your home from the corporate network over OpenVPN. The case you are describing, while possible, is highly unlikely to be detected unless you are using a public VPN. Most of the time your employer just cares to check a box saying employees are working from the US and has no incentive to go the extra mile of active traffic monitoring and deep packet inspection. Hell, some are so incompetent, a CTO once said employees can work offshore as long as they are using Remote Desktop to a VM in the US because then they are "telecommuting", but they can't connect over the corporate VPN.


  I'm talking about the part of the connection outgoing from the VPN
Your understanding is correct: the 'segment' between VPN server and final destination/employer's public-facing infrastructure is no longer traversing a VPN tunnel and therefore could not be fingerprinted as VPN traffic.

If using a public VPN service provider, it would be identified, however (quite easily and at very low technical cost, mind you), based on source address, as public VPN service provider netblocks are well-documented.

See, for example: https://github.com/X4BNet/lists_vpn (first search engine result for me querying "vpn ip list")
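The source-address check described in this comment, as an added example that is not the commenter's code and not part of the linked repository: it loads a netblock list and reports which listed block, if any, covers a given source address. It assumes the list is plain text with one CIDR per line (comments after `#` and blank lines ignored), which is the shape of the ipv4.txt style files in such repositories; the CIDRs embedded below are constructed from documentation ranges and are not real VPN provider netblocks.

```python
"""Added example: look up a source address in a VPN-provider netblock list.

Assumption: list is one CIDR per line, '#' starts a comment. Sample data
is constructed (RFC 5737 / RFC 3849 documentation ranges), not real data.
"""
import ipaddress
from collections import defaultdict

# Constructed sample list in the assumed one-CIDR-per-line format.
SAMPLE_LIST = """\
# vpn netblocks (constructed sample, not real provider ranges)
203.0.113.0/24
203.0.113.128/25      # a more specific block inside the /24
198.51.100.64/26
2001:db8:dead::/48
"""


def load_netblocks(text: str):
    """Group networks by (ip version, prefix length).

    A lookup then does one set probe per distinct prefix length instead of a
    linear scan over the whole list, which matters for lists with tens of
    thousands of entries.
    """
    table = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)
        table[(net.version, net.prefixlen)].add(net)
    return table


def matching_netblock(table, addr: str):
    """Return the most specific listed network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    # Longest prefix first so the most specific listed block wins.
    for version, plen in sorted(table, key=lambda k: -k[1]):
        if version != ip.version:
            continue
        candidate = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        if candidate in table[(version, plen)]:
            return candidate
    return None


def classify_sources(table, addrs):
    """Map each address to the covering netblock (as a string) or None."""
    out = {}
    for a in addrs:
        hit = matching_netblock(table, a)
        out[a] = str(hit) if hit is not None else None
    return out


if __name__ == "__main__":
    blocks = load_netblocks(SAMPLE_LIST)
    # Constructed "client source addresses" for the demo.
    for src, hit in classify_sources(
        blocks, ["203.0.113.77", "203.0.113.200", "198.51.100.130",
                 "2001:db8:dead:beef::1", "192.0.2.1"]).items():
        print(f"{src}: {hit or 'not listed'}")
```

The caveat a practitioner would add is the one made earlier in the thread: such lists are only as good as their curation, and shared hosting or cloud ranges that also carry VPN exits will produce false positives, so a hit is a signal to weigh rather than proof by itself.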




