 
solar77
Long time Member
Topic Author
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 4:07 pm

Good afternoon,

We started having issues recently where users on our network started seeing error messages from these streaming service providers saying that they are using a VPN / proxy. These sites are typically residential blocks consisting of a few hundred users. The issue seems to be caused by a few users running a VPN client, namely Windscribe. MikroTik won't be able to tell us much detail about who is using what VPN client, and we obviously cannot just block VPN altogether. We are in the UK.

My question is:
  • Is anyone facing the same issue?
  • What other solution is there, apart from deploying an expensive firewall or assigning a massive amount of public IP addresses?
  • Is there a blacklist somewhere we can approach and get this whitelisted? I've tried the BBC itself; they have already plainly refused.
One of the sites has got IPv6, but my understanding is that even with IPv6 enabled we still have to keep IPv4 running, and that still leaves the possibility for users / services to go through IPv4 and get the public IPv4 address blacklisted anyway.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 4:09 pm

Advise customers to move away from windscribe as its use is blocking access to NETFLIX for all users..... ???
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 4:14 pm

I don't have a Windscribe-VPN account, so I can't test this...
But maybe one or more Firewall-Rules to identify Windscribe-Traffic via L7 or TLS-Host could help,
analogous to users that block YouTube, Facebook and co.
 
holvoetn
Forum Guru
Posts: 5491
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 4:27 pm

Advise customers to move away from windscribe as its use is blocking access to NETFLIX for all users..... ???
Since when do people care about others especially if they are negatively affected themselves ?
Doesn't work that way...

My suggestion would also be to block Windscribe. Maybe with some web page in between explaining why it is blocked.
They might still complain, but they will know why.
 
jvanhambelgium
Forum Veteran
Posts: 991
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 4:38 pm

Advise customers to move away from windscribe as its use is blocking access to NETFLIX for all users..... ???
My suggestion would also be to block Windscribe. Maybe with some web page in between explaining why it is blocked.
They might still complain, but they will know why.
This is not going to be easy.
As per Windscribe documentation, it is actually "a set of tools" and different protocols are possible.


Windscribe VPN Protocols and Ports
Windscribe VPN utilises the following VPN protocols: IKEv2 (default), OpenVPN (UDP and TCP, both), Stealth and Websocket Stealth.
Though there is no mention of WireGuard being in use on their official website, the protocol was available in the free Windscribe client for PC that I installed, but that might just be it.
To increase your chances of a successful connection in the world of port-restricting networks, Windscribe supports a multitude of ports, namely: 21, 22, 53, 80, 143, 443, 587, 1194, 3306, 8080, 8443, 54783, 65142.

As an ISP, it is not that easy to block ports like 22, 53, 80 or 443 to start with. (Actually, an ISP should not be blocking any outbound ports!)
Mikrotik has no advanced products capable of performing some DPI or working with signatures in order to identify Windscribe.
Perhaps you could get yourself a subscription, and try all VPN-entrypoints and see if you can block certain IP-ranges or something? But then tomorrow there will be another VPN-service.

https://cybercrew.uk/software/windscribe-vpn-review/
 
holvoetn
Forum Guru
Posts: 5491
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 5:00 pm

Conceptual problem...
How can your own IP be blacklisted if you use a VPN ?
Isn't the purpose of a VPN to obfuscate just that ??
 
solar77
Long time Member
Topic Author
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 6:03 pm

Thank you all for your input, it's much appreciated.

Here is what I've done so far:

As far as blocking Windscribe goes, I've put 300+ destination IPs that I've found related to the Windscribe service into my firewall and blocked them all. Still not working. Reading other posts on the forum, I don't think the MikroTik firewall is going to be able to block VPN unless we know every single IP they use.

As for telling users not to use it... well, nobody had come forward; a few did, and said this was disabled, but it made no difference to the situation.
Furthermore, there is a huge number of other VPN clients which can be the problem around the next corner.

Hats off to holvoetn, I did wonder the same thing. Here is where I've got to for you:
1. When the BBC replied to my question, it suggested disabling the VPN client but also clearing cache and cookies. This leads me to think iPlayer might have something on the local machine that sees the traces of the VPN client. Maybe?
2. Some of these VPN services, especially the cheap ones, don't always provide servers around the world for all VPN users and tunnel their traffic out of them. Instead, or in addition, they might use the IP of each VPN client for another client. So if you are someone based in the UK using the VPN service to reach the US, others might use your IP to reach the UK at the same time. I have no reference for this theory but it is quite believable and technically doable.
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 6:04 pm

These "free" VPNs turn your PC / network into a VPN endpoint for other users, which is why you get blocked or receive abuse reports. Best solution is to enforce TOS against such clients, this isn't easily solved on a technical level due to wide array of ports and protocols used to bypass firewalls.
 
solar77
Long time Member
Topic Author
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 6:09 pm

PS: my focus is now on 3 things:

How to remove the IP from the blacklist:
if this list is maintained by the BBC or Amazon themselves, I have no chance;
if this is by a 3rd party service, then we can at least try explaining the situation.

In the meantime, I am searching for a good deal on leasing public IPv4 addresses.
Information on this is welcome.

finally. does anyone know, if IPv4 and IPv6 are both available on the customer CPE router, would BBC, Amazon and Netflix prefer IPv6 ?
 
jvanhambelgium
Forum Veteran
Posts: 991
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 6:20 pm

finally. does anyone know, if IPv4 and IPv6 are both available on the customer CPE router, would BBC, Amazon and Netflix prefer IPv6 ?
Don't think they prefer anything. They've got their endpoints/services listening on IPv4 / IPv6 and whatever comes in is fine.
 
solar77
Long time Member
Topic Author
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 6:25 pm

These "free" VPNs turn your PC / network into a VPN endpoint for other users, which is why you get blocked or receive abuse reports. Best solution is to enforce TOS against such clients, this isn't easily solved on a technical level due to wide array of ports and protocols used to bypass firewalls.
Thank you for confirming this. Indeed I've tried to establish some sort of T&C with the building management company. Their challenge is that you can say all you want in there, but if you cannot find the person responsible in order to enforce it, the T&C is worthless.

Again, I've tried to use a firewall rule to find out which internal IP has been accessing those external IPs used by Windscribe. The problem comes back to incomplete data, so you are never going to catch everybody.
 
holvoetn
Forum Guru
Posts: 5491
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 6:28 pm

Block everything.
Someone is going to complain :lol:
 
solar77
Long time Member
Topic Author
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 6:55 pm

Block everything.
Someone is going to complain :lol:
I'd love to do that....unfortunately we have got a lot more remote workers compared to 2 years ago
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 7:27 pm

At some point you are going to have to throw in the towel.
Legal netflix users will still get their netflix no?
So if vpn users do not, too bad.

As long as lawful customers' public IP address is not affected, who cares.
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 7:33 pm

So, I took a quick look at Windscribe,
and I must say, I am impressed with this VPN solution.
It contains a lot of tools and strategies to circumvent firewall and DNS restrictions.
Thank god the developers don't do malware and viruses :lol:

I did some tests:
I was able to cripple the "Emergency Connect" feature and all VPN to "Germany".
The Windows app from Windscribe has a very in-depth log feature.
While playing around with it, I was able to "pull" all IPs and domains for "Germany".
After setting up my firewall in Mikrotik, no VPN connections were possible.

I will observe in the next few days whether it works in the long run!
 
solar77
Long time Member
Topic Author
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 9:20 pm

Legal netflix users will still get their netflix no?
No, as the public IP appears to be blacklisted, so everyone is affected.
While playing around with it, i was able to "pull" all IP's and Domains for "Germany"
what did you do? just catch the destination IP of your VPN tunnel?
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Public IP blacklisted by BBC Amazon and Netflix

Thu Nov 11, 2021 10:03 pm

I am still analysing the VPN with Procmon, Wireshark and co.,
still looking for an easy solution to block the service.

I was quickly able to block any VPN connection to "Germany / Frankfurt Castle"
after "blocking" TCP53 and UDP53 (aka DNS). The Windscribe VPN client
will still be able to resolve domains via HTTPS/443 and create VPN tunnels.
But now, if you look in the log file, you will find a list of IP addresses that you can add to an Address-List/Firewall.

Log example
"Location nodes:
node1 = {ip1 = 45.87.212.34, ip2 = 45.87.212.35, ip3 = 45.87.212.36};
node2 = {ip1 = 185.104.184.130, ip2 = 185.104.184.131, ip3 = 185.104.184.132};
node3 = {ip1 = 193.176.87.194, ip2 = 193.176.87.195, ip3 = 193.176.87.196};
node4 = {ip1 = 89.249.65.26, ip2 = 89.249.65.27, ip3 = 89.249.65.28};
node5 = {ip1 = 185.189.112.66, ip2 = 185.189.112.67, ip3 = 185.189.112.68};
node6 = {ip1 = 45.87.212.18, ip2 = 45.87.212.19, ip3 = 45.87.212.20};
node7 = {ip1 = 45.87.212.66, ip2 = 45.87.212.67, ip3 = 45.87.212.68};
node8 = {ip1 = 193.27.14.178, ip2 = 193.27.14.179, ip3 = 193.27.14.180}; "


P.S.: The following IPs don't seem to be the same as the ones you get when connected to the VPN.
For example: the app connected to server 185.189.112.66 but my WAN IP was 185.189.112.125.
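
The log format quoted in the post above can be turned into RouterOS address-list entries mechanically. This is an added example, not part of the original post or the script attached later in the thread; the function names, the list name `vpn-nodes` and the sample log (documentation-range addresses in the same layout) are assumptions.

```python
import ipaddress
import re

# Constructed sample in the "Location nodes" layout quoted in the post;
# the addresses are RFC 5737 documentation ranges, not real VPN servers.
SAMPLE_LOG = """\
Location nodes:
node1 = {ip1 = 192.0.2.34, ip2 = 192.0.2.35, ip3 = 192.0.2.36};
node2 = {ip1 = 198.51.100.130, ip2 = 198.51.100.131, ip3 = 198.51.100.132};
node3 = {ip1 = 192.0.2.34, ip2 = 203.0.113.999, ip3 = 203.0.113.20};
"""

NODE_RE = re.compile(r"^\s*(node\d+)\s*=\s*\{(.*?)\}", re.MULTILINE)
IP_FIELD_RE = re.compile(r"ip\d+\s*=\s*([0-9.]+)")


def extract_nodes(log_text):
    """Return {node_name: [IPv4Address, ...]}, skipping malformed addresses."""
    nodes = {}
    for name, body in NODE_RE.findall(log_text):
        addrs = []
        for raw in IP_FIELD_RE.findall(body):
            try:
                addrs.append(ipaddress.IPv4Address(raw))
            except ipaddress.AddressValueError:
                continue  # e.g. an octet above 255 from a damaged log line
        nodes[name] = addrs
    return nodes


def to_address_list(nodes, list_name="vpn-nodes"):
    """Emit one RouterOS address-list entry per unique address, sorted."""
    seen = {}
    for name, addrs in nodes.items():
        for addr in addrs:
            seen.setdefault(addr, name)  # first node seen becomes the comment
    return [
        f"/ip firewall address-list add list={list_name} "
        f"address={addr} comment={seen[addr]}"
        for addr in sorted(seen)
    ]


if __name__ == "__main__":
    for line in to_address_list(extract_nodes(SAMPLE_LOG)):
        print(line)
```

The generated entries only populate the list; a forward-chain filter rule matching `dst-address-list=vpn-nodes` still has to reference it, and the list covers only the nodes the client happened to log.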
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Public IP blacklisted by BBC Amazon and Netflix

Fri Nov 12, 2021 1:42 am

Just in case someone else wants to try,
I attached a basic firewall script to block a sample of Windscribe servers.

I don't know how long this will work.
But on the 11.11.2021, it worked for the following servers:

Germany Frankfurt - Castle
France Paris - Seine
United Kingdom London - Custard
United Kingdom London - Crumpets
Canada East Montreal - Expo 67
Canada East Toronto - The 6
Canada East Toronto - Comfort Zone
Canada West Vancouver - Granville
Canada West Vancouver - Vansterdam
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Public IP blacklisted by BBC Amazon and Netflix

Fri Nov 12, 2021 5:34 am

Conny finally figures it out at age 99 but misses his kids and grandkids growing up.

The futility of it all!!

....
https://www.bing.com/videos/search?q=wh ... M%3DHDRSC3
 
tdw
Forum Guru
Posts: 1851
Joined: Sat May 05, 2018 11:55 am

Re: Public IP blacklisted by BBC Amazon and Netflix

Fri Nov 12, 2021 5:35 pm

is anyone facing the same issue?
what other solution there is, apart from deploying expensive firewall or assigning massive amount of public IP addresses ?
Not directly, although we have come across similar from companies we provide support/consultancy for.

If you have hundreds of clients behind NAT and a reasonable proportion of them are using the same service at the same time, be it BBC / Amazon / Netflix, their monitoring systems become suspicious. Then it likely only needs a few clients acting as exit points for VPN tunnels to become listed. AFAIK there is no easy way to fix this, and I suspect it could afflict any ISP using CGNAT or large hotels too.

Could Windscribe be a red herring, as they appear to have their own exit points which would be the addresses to become listed? Maybe some peer-to-peer VPN system where clients also act as exit points.
 
mada3k
Long time Member
Posts: 697
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Public IP blacklisted by BBC Amazon and Netflix

Fri Nov 12, 2021 10:06 pm

It's quite common that various streaming sites block VPN providers.
