ProtonVPN spoofing network traffic


I've been using the ProtonVPN for a little while now and noticed some funky business going on with my network traffic.

I was testing one of my server's firewall rules, making sure iptables was indeed working, because sometimes it'll lie to you. Using good ol' netcat here, I would try out a port that I knew was open (443) and a port that I knew wasn't opened (22). Both connections reported established.

test_port www.cozynet.org 443
Connection to www.cozynet.org (209.222.4.133) 443 port [tcp/https] succeeded!
test_port www.cozynet.org 22
Connection to www.cozynet.org (209.222.4.133) 22 port [tcp/ssh] succeeded!

Hang on, wait what? Port 22 is supposed to be blocked!

At first I thought maybe something was wrong with iptables and that it was leaving everything wide open to the world, but after a little investigating the culprit wasn't there. Also nothing is listening on that port anyhow, so how is it establishing a handshake?

Perhaps it was with netcat which is what I'm using in my test_port script in the above example. So I tried nmap and a few other tools, but they were all reporting established connections too.

By this point I decided to try these tools on one of my old servers which hasn't been touched in ages, knowing that at least it would prove who's right and who's wrong. And again netcat and nmap were reporting established connections to ports I know are blocked!

Me at my desk trying to figure out what's going on.

Short of throwing my laptop out the window, I hop onto another computer and BOOM! - the connections fail as they should. My laptop apparently was lying to me, so I dig into what in the world was going on and narrowed it down to ProtonVPN.

ProtonVPN is spoofing SYN/ACK responses where it should be failing. I don't know why, but maybe it's a means to deter people from using their VPN for nefarious port scanning by yielding false results? I couldn't find much on the web about it except for this guy's blog, which goes into more detail than I was willing to spend the time of day on.

I suppose that if you should run into the same situation as me, then just remember to turn off the VPN.
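A check that does not trust the handshake alone, as an added example (not the author's test_port script): it counts a port as open only when the peer actually sends bytes after connect(). The name `probe`, the result labels and the timeouts are assumptions, as is the premise that a handshake answered on the server's behalf is not followed by real service data.

```python
import socket
import sys


def _read(sock, n=256):
    """Return received bytes, b"" on close/reset, None if the peer stayed silent."""
    try:
        return sock.recv(n)
    except socket.timeout:
        return None
    except OSError:
        return b""


def probe(host, port, timeout=3.0, banner_wait=1.0, payload=b"\r\n"):
    """Classify a TCP port by what happens after connect().

    'closed'         - connect refused, timed out or unreachable
    'responded'      - handshake completed and the peer sent bytes
    'handshake-only' - handshake completed but no service data followed,
                       so the "succeeded!" result is unverified
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        # Server-speaks-first protocols (SSH, SMTP) send a banner unprompted.
        sock.settimeout(banner_wait)
        data = _read(sock)
        if data is None:
            # Silent peer: may be a client-speaks-first protocol, so nudge it.
            try:
                sock.sendall(payload)
            except OSError:
                return "handshake-only"
            sock.settimeout(timeout)
            data = _read(sock)
        return "responded" if data else "handshake-only"


if __name__ == "__main__" and len(sys.argv) > 2:
    # Usage: python probe.py <host> <port> [<port> ...]
    target = sys.argv[1]
    for p in sys.argv[2:]:
        print(f"{target}:{p} -> {probe(target, int(p))}")
```

A TLS port may stay silent to the `\r\n` nudge, so "handshake-only" there means unverified rather than blocked; a real TLS client hello settles it.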

P.S. I'm thinking of writing more short posts like these aimed mostly at technology, DIY, and "How To" stuff.

Date: 2025-12-18
