For OSINT pros, understanding VPNs is a critical skill. Whether you’re using them to hide your tracks, detecting that others are using them, or working them into your investigation, VPNs are a key part of the investigator’s toolkit.
No matter what (or who) you’re looking into, OSINT VPN knowledge can reveal not just that your target is using a virtual private network, but how and why it affects your investigation. In turn, correct OSINT VPN tactics can make your work safer and more effective than ever - seamlessly protecting you across different jurisdictions, platforms, and data sources.
This guide will dig deep into all the basics of VPN OSINT: we’ll cover the role of VPNs in open-source intelligence work and the various types of VPNs you’ll encounter, before finishing on the top techniques for detecting and using VPNs yourself. Let’s start digging.
What is a VPN?
A VPN, or Virtual Private Network, is like a digital tunnel. Like an underground subway track, it creates a hidden connection between two digital locations; in this case, a user and a remote network. This protected “tunnel” obscures your IP address - a unique series of numbers assigned to every internet-enabled device.
Like a subway passenger moving unseen between stops, the user’s exact location becomes unclear. A VPN can even make it seem like a user is accessing the internet from another location entirely. Plus, it shields digital traffic from eavesdroppers - like a couple of metres of earth cutting off your phone signal.
For OSINT investigators, VPNs have a dual purpose: for OpSec, and as evidence. They can keep your investigation private, and prevent your work being detected by your targets. But they can also be detected, giving you a clear indicator that your target is doing something they don’t want others to see. This dual purpose is exactly what makes VPN OSINT so important.
Want to tighten up your OpSec? Check out our guide to Wiping the Prints: Managing your Digital Footprint
Why VPNs Matter for OSINT
In the simplest terms, a VPN hides your traffic and your location. In an OSINT context, it’s clear to see the benefits for you as an investigator. VPNs are especially useful if you’re working in risky environments, or can’t afford to get caught by your target and traced back.
Sometimes, when you detect that a target is using one… it can feel like a dead end, with valuable information buried behind that digital tunnel. But luckily, with the right knowledge, that dead end can easily become an insight.
For example, it’s safe to assume a subject using a VPN might be doing something shady. You can also learn that they’re somebody tech-savvy, who knows the basics of operations security. Sudden changes in IP location patterns could signal a VPN switching on, and correlating these “jumps” with behavioural changes could help build up a narrative.
Types of VPN in OSINT
Not all VPNs are the same, and different VPN configurations are good for different things. Best of all for OSINT investigators, each one has its own unique fingerprint - that can easily be revealed and traced with the right techniques. Here are the most common classes of VPN you’ll encounter:
- Remote Access VPNs: The most common type of everyday VPN, and probably the one average users are most familiar with from their daily work life. It creates an encrypted connection between a personal device and a remote network - connecting remote users to an internal company network.
- Site-to-Site VPNs: Businesses often use site-to-site VPNs to securely separate their different networks (e.g. splitting the HQ system from the office net). They aren’t typically user-initiated.
- Cloud VPNs: Cloud-based VPN services are scalable, simple-to-manage gateways to cloud resources. They work like other types of VPN, but are hosted entirely online without a physical server. You’ll most likely encounter these in VPN OSINT work around network security, or pen testing.
- SSL VPNs: SSL VPNs (or Secure Sockets Layer virtual private networks, officially) allow users to get secure browser or application-level access without a traditional client. They’re easy to detect in DNS logs, all thanks to their distinct handshake signatures.
- Peer-to-Peer (P2P) and Mix Network Protocols: Less common in corporate environments, but still in solid use across the net. P2P VPNs and mix networks decentralise their users’ connections without a central server, making them a little tougher to detect than their more common counterparts.
How to Detect VPNs With OSINT
Detecting VPNs with OSINT isn’t always easy, but it’s very possible with the right know-how. Here are a range of OSINT methods you can use to catch VPN-users in the act, and the tell-tale signs to spot one.
- DNS Analysis: Monitoring DNS data - like through passive DNS datasets - is a great way to spot unusual patterns, a key sign of VPN usage. If your target makes frequent queries to a known VPN provider domain, that’s solid proof. Look out for sudden high-entropy DNS answer sets, too.
- IP Address Tracking: Rapid changes in a target’s IP address are a kicker in OSINT VPN investigations. If you can see the IP address changing, that’s a clear sign a VPN is being used. Tools and logs that correlate timestamps with IP records are a great way to track.
- Network Traffic Patterns: VPNs create distinct traffic shape signatures. Although you might not be able to see the content the tunnel’s encrypting, you can see that it’s encrypting something. Look for consistent packet sizes, or recurring endpoints linked to known VPN providers.
- OSINT Tools: Some tools stand out for OSINT VPN work. Services like Maltego are excellent for pivoting OSINT infrastructure data to linked IP and DNS info, while OpenVAS is good for scanning and correlating exposed VPN infrastructure.
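The IP address tracking check above, as an added example (not code from the original article): it walks constructed access-log records per account and flags a change of source IP and country inside a short window, noting whether the new address sits in a range already attributed to a VPN provider. The log rows, the RFC 5737 address ranges, the pre-resolved country codes and the 30-minute window are all assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed: ranges an analyst has already attributed to VPN/hosting providers
# (RFC 5737 documentation prefixes, not real provider address space).
KNOWN_VPN_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed access-log records: (ISO timestamp, account, source IP, geo-IP country).
SAMPLE_LOG = [
    ("2024-05-01T09:00:00", "acct-17", "192.0.2.10", "NO"),
    ("2024-05-01T09:20:00", "acct-17", "192.0.2.10", "NO"),
    ("2024-05-01T09:26:00", "acct-17", "198.51.100.7", "NL"),
    ("2024-05-01T09:40:00", "acct-17", "203.0.113.99", "SG"),
    ("2024-05-03T18:00:00", "acct-17", "192.0.2.44", "NO"),
    ("2024-05-01T10:00:00", "acct-22", "192.0.2.200", "NO"),
]

def in_known_vpn_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_VPN_RANGES)

def find_ip_jumps(records, window=timedelta(minutes=30)):
    """Per account, list transitions where IP and country both change within `window`."""
    jumps = []
    last_seen = {}  # account -> (time, ip, country) of the previous record
    for ts, account, ip, country in sorted(records):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(account)
        if prev and ip != prev[1] and country != prev[2] and when - prev[0] <= window:
            jumps.append({
                "account": account,
                "at": ts,
                "from": prev[1],
                "to": ip,
                "countries": (prev[2], country),
                "gap_minutes": (when - prev[0]).total_seconds() / 60,
                "to_known_vpn_range": in_known_vpn_range(ip),
            })
        last_seen[account] = (when, ip, country)
    return jumps

if __name__ == "__main__":
    for jump in find_ip_jumps(SAMPLE_LOG):
        print(jump)
```

The return to a Norwegian address two days later is not flagged, because the gap is far outside the window; only the two rapid hops are.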
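One way to run the DNS analysis check above over passive DNS rows you already hold, as an added example that is not from the original article. It reads “high-entropy answer set” as answers spread across many /24 networks, which is an assumption, as are the provider domain, the sample rows and the 1.0-bit threshold.

```python
import ipaddress
import math
from collections import Counter, defaultdict

# Constructed provider domain an analyst already tracks (.example is reserved).
KNOWN_VPN_DOMAINS = {"vpn-provider.example"}

# Constructed passive-DNS rows: (queried name, A-record answer).
SAMPLE_PDNS = [
    ("www.shop.example", "192.0.2.10"),
    ("www.shop.example", "192.0.2.11"),
    ("www.shop.example", "192.0.2.10"),
    ("www.shop.example", "192.0.2.10"),
    ("nl-03.vpn-provider.example", "198.51.100.5"),
    ("gw.unknown.example", "198.51.100.20"),
    ("gw.unknown.example", "203.0.113.7"),
    ("gw.unknown.example", "192.0.2.99"),
    ("gw.unknown.example", "203.0.113.200"),
]

def under_known_domain(name):
    """True if name is a tracked provider domain or a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in KNOWN_VPN_DOMAINS)

def answer_entropy(answers):
    """Shannon entropy in bits of the answers, grouped by /24 network."""
    nets = Counter(ipaddress.ip_network(f"{ip}/24", strict=False) for ip in answers)
    total = sum(nets.values())
    return sum((c / total) * math.log2(total / c) for c in nets.values())

def score_names(rows, entropy_threshold=1.0):  # threshold is an assumed cut-off
    by_name = defaultdict(list)
    for name, ip in rows:
        by_name[name].append(ip)
    report = {}
    for name, answers in by_name.items():
        known = under_known_domain(name)
        bits = answer_entropy(answers)
        report[name] = {
            "known_vpn_domain": known,
            "entropy_bits": round(bits, 3),
            "flag": known or bits >= entropy_threshold,
        }
    return report

if __name__ == "__main__":
    for name, result in score_names(SAMPLE_PDNS).items():
        print(name, result)
```

Grouping by /24 keeps a site with several addresses in one network at zero bits, so only the name whose answers scatter across unrelated networks crosses the threshold.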
Using VPNs as an OSINT Investigator
While detecting someone else’s VPN use is a useful skill, it’s equally important to know how to use them in our own OSINT work. Here’s how to make a strategic VPN OSINT setup work for you - ethically and tactically.
Change Your Location
By using a VPN service, you can do more targeted regional OSINT work - like travelling to your target’s country without even leaving your desk. Many VPN platforms allow you to use international versions of different search engines; so you can tailor your search results, access, or API availability based on a different geographic IP. You can access country-specific resources that otherwise block foreign IPs, and even compare results from different territories.
Maintain Your OpSec
VPNs are the safest way to do OSINT; especially for OSINT analysts working in sensitive environments. Using a VPN helps to prevent many different security risks: IP address tracking, accidental leaks, and even digital fingerprints you might unknowingly leave behind. VPN use also reduces the risk to yourself and others from bad actors, even in foreign nations.
Want to learn more about OSINT in a high-risk environment? Check out our guide to Playing with Fire: OSINT and China’s Great Firewall
Follow Best Practices
Always adopt VPN OSINT best practices when incorporating a service into your workflow:
- Choose Reputable Providers: Don’t fall for dodgy VPN services. Only select reputable providers and platforms with transparent privacy policies. Paid services are always preferable to free; choose wrong, and the VPN could log your data.
- Use Multiple Endpoints: Don’t always pick the same endpoints. Simulate moving from point to point by selecting different geographical locations every time. This will make you harder to track down.
- Keep Your Browser Environment Clean: VPNs should be just one part of a wider security toolkit: incognito mode, separate profiles, diverse usernames, and multiple devices alongside your VPN will make you impossible to pin down.
- Document Everything: It’s a golden rule of OSINT, and it still applies. Document every VPN service you use, and which endpoints and access points you selected, to create an audit trail of your investigatory logic.
See how VPN OSINT cracked a real case in our Case Study.
“If the GitHub user was still using the same VPN server, this was most likely the phishing boss himself. Thanks to OSINT industries, Harrison and Erlend had avoided accidentally disregarding the most conclusive intel so far.”
Read more: Darcula and the Magic Cat: How OSINT Unmasked A Phishing Tycoon


