User-accessed Virtual Private Network systems allow authorized users remote access to protected or otherwise privileged networks while avoiding dependence on ISPs along the route for data confidentiality and integrity. This direct expression of the internet’s end-to-end principle of security is generally accepted as a highly successful design.

VPN services and technology advertising censorship circumvention, resistance to data retention, and anonymity as features are proliferating rapidly. But it is unclear that these security properties were included in the original design requirements of VPN protocols and product implementations. Experience with dedicated anonymity networks (e.g., Tor) shows that strong anonymity is not achieved by accident. The ‘P’ in VPN notwithstanding, not all privacy methods are equal or strongly anonymizing, which opens opportunities for attackers when VPN-based systems are used for anonymity or even simple censorship circumvention.

This paper evaluates VPN anonymity, security and privacy features including identity, geographic location, confidentiality of communications, and generalized security issues such as reachability and prevention of network tampering. We find many popular VPN products are susceptible to a variety of practical user deanonymization attacks. Weaknesses stem from lack of security analysis of the composition of VPNs, applications, and the TCP/IP stack on each respective operating system. Although we describe some potential mitigations for vendors, the primary goal of this paper is to raise awareness of the inherent risks which come from repurposing off-the-shelf VPN systems to provide strong anonymity.