You can't just blanket block all VPN access, that's not how the internet works... they could pick some common/well-known providers of VPN services and block their IPs/ASN/etc., but you can't just flip a switch and make all forms of VPN/proxy stop working, as there's no way to tell with certainty that someone is using one.
There are plenty of VPN and proxy detection services, either as a service (API) or downloadable database, which are surprisingly comprehensive. Disclaimer: I’ve run one since 2017. Years on, our primary data source is literally holding dozens of subscriptions to every commercial provider we can find, and enumerating the exit node IP addresses they use.<p>There are also other methods, like using zmap/zgrab to probe for servers that respond to VPN software handshakes, which can in theory be run against the entire IP space. (this also highlights non-commercial VPNs which are not generally the target of our detection, so we use this sparingly)<p>It will never cover every VPN or proxy in existence, but it gets pretty close.
> Years on, our primary data source is literally holding dozens of subscriptions to every commercial provider we can find, and enumerating the exit node IP addresses they use.<p>Assuming your VPN identification service operates commercially, I trust that you are in full compliance with all contractual agreements and Terms of Service for the services you utilize. Many of these agreements specifically prohibit commercial use, which could encompass the harvesting of exit node IP addresses and the subsequent sale of such information.
TOS are pretty meaningless in cases like this. It amounts to getting rejected as a customer and your account canceled.
Maybe the tables could be turned and we can build a service with dozens of subscriptions to every VPN detection service and report them for ToS violations ;)
> I trust that you are in full compliance with all contractual agreements and Terms of Service<p>Why? It's not like there's any real moral (or, likely, legal) reason to care beyond avoiding the service's ban hammer.
Tangent: if you hold access to all VPN providers, have you thought about also releasing benchmarks for them? I would be interested in knowing which ones offer the best bandwidth / peering (ping).
just out of curiosity: if i'm located in spain and i set up an ec2 or digital ocean instance in germany and use it as a socks proxy over ssh, will you detect me?
That's a hosting service IP block. Some sites block them already. Netflix for instance.
It won’t end up in our proxy detection database, but we track hosting provider ranges separately: <a href="https://www.iplocate.io/data/hosting-providers/" rel="nofollow">https://www.iplocate.io/data/hosting-providers/</a>
Interesting. I assumed all VPNs switched to IPv6 by now, making detection much harder.
IPv6 isn't magically unrouteable, it just routes much larger blocks of "end IP addresses."<p>You just track and block /24 or /16 as necessary.
Many websites including Soundcloud are still only accessible through IPv4, so this is moot, even if VPNs support IPv6 it's enough to block their V4 exit nodes for Soundcloud.
> which are surprisingly comprehensive<p>How does the buyer even know what the precision and recall rates might be?
This will also cause problems with anyone that happens to (even accidentally/unknowingly) use apps that integrate services from companies such as BrightData/Luminati/HolaVPN/etc. where they sell idle time on your device/connection to their VPN/proxy customers.<p>The legitimate end-user will then no longer be able to use e.g. SoundCloud.
Who's buying your service?
GEOIP providers often sell a database of known VPN/Proxy endpoints. They take the approach of shoot first, ask questions later. Using one of these databases bans a lot of legitimate IP addresses that have been seen as the source of known VPN or proxy traffic.<p>It's not <i>perfect</i> ofc, but it's not meant to be. It's usually just used as a safety blanket for geoblocked intellectual property, like Netflix.
Yes, and email is decentralized in theory...<p>If using a VPN for access is forbidden by the ToS, you only need to detect a VPN connection once to prove violation.<p>The IPv4 address space to consider is limited and it is technically absolutely feasible to exhaustively scrape and block the majority of VPN endpoints. Realistically any VPN provider will make do with some rather small IPv4 subnets, shit's expensive. More so, for the trivial case, VPN anonymization works best, when many people share one IP endpoint, naturally the spread is limited. There are VPN providers, some may even be trustworthy, which have the mission of "flying under the radar" with residential IPs and all, but they are way, waaaay more expensive. For most people that's no option.<p>IPv6 is a different matter, but with the very increase in tracking and access control discussed here, that may be even more of a reason, IPv6 is not going to be a thing any time soon....<p>Thinking about it, maybe this AI monetization FOMO and monopoly protectionism, will incidentally lead to a technological split of the web. IPv4 will become the "corpo net" and IPv6 will be the "alt net". I think there may be a chance to make IPv6 the cool internet of the people, right now!
> you only need to detect a VPN connection once to prove violation<p>But an IP address is not a person (legally in the US at least), and many IPv4 addresses get re-used fairly often. My home 5G internet changes IP every single day, and it's a constant struggle because other users often get my IP blocked for things I didn't do. I cannot even visit etsy.com for example. Just for fun I even checked 4chan and the IP was banned for CP, months before I ever had this particular IP (because I'm paranoid and track all that stuff).
> But an IP address is not a person (legally in the US at least)<p>That's a completely different matter (and still probably reasonable suspicion for a search, anyway). If an <i>account</i>/service ID evidently uses a service through a VPN there is no uncertainty of ToS violation. Of course someone could have hacked your account and used a VPN, it doesn't ultimately prove <i>you</i> did it, but nevertheless the account can be flagged/blocked correctly for VPN usage.<p>> many IPv4 addresses get re-used fairly often<p>The VPN's servers won't be using changing, "random" IPs. That's something ISPs do when assigning residential IPs. VPNs with residential IPs are not common. (I am not sure those VPNs are even really legal offerings.)<p>If your ISP uses NAT for its subnet space, you could argue it's technically similar to a VPN. However, same as with VPN exit scraping/discovery, those IP spaces can be determined and processed accordingly. I am also sure those ISP subnets for residential IPs are actually publicly defined and known. E.g. the Vodafone IP may get temporarily flagged for acute suspicious behavior, but won't get your account flagged for VPN violation, or even blocked permanently, since it's known to be the subnet of a mobile ISP, which uses NAT.<p>Additionally, I presume e.g. SoundCloud prohibits anonymizing VPNs, not everything that's technically a VPN or similar.
As long as there isn't a critical risk, these kinds of business decisions won't aim for certainty.<p>They probably assume some amount of collateral damage, a small number of VPN users still flying under the radar, the bulk of VPN users being properly targeted, and the vast majority of users not noticing anything.
It is easier to block all non-residential addresses, than block VPNs. As an added "bonus" it also kills personal VPNs running on VPS. VPNs in residential space exist but are sold as "premium" product.
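The range-based classification discussed in the comments above (commercial exit ranges, hosting ranges tracked separately, known shared ISP NAT ranges left alone), as an added example that is not part of any comment in the thread. Every prefix is constructed from documentation ranges, and the labels and policy actions are assumptions.

```python
import ipaddress

# Constructed feed: (prefix, label). Documentation ranges only, not provider data.
FEED = [
    ("198.51.100.0/24", "vpn_exit"),         # enumerated commercial exit range
    ("2001:db8:1000::/48", "vpn_exit"),      # IPv6 is matched by prefix, not by host
    ("203.0.113.0/24", "hosting"),           # hosting provider range, tracked separately
    ("203.0.113.128/25", "shared_isp_nat"),  # carve-out: mobile ISP NAT inside a wider range
    ("2001:db8:2000::/40", "hosting"),
]

# Assumed policy: what the site does for each label.
POLICY = {"vpn_exit": "block", "hosting": "challenge", "shared_isp_nat": "allow"}


def load(feed):
    """Parse the feed into per-family lists, most specific prefix first."""
    table = {4: [], 6: []}
    for cidr, label in feed:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects prefixes with host bits set
        table[net.version].append((net, label))
    for entries in table.values():
        entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return table


def normalise(raw):
    """Parse a client address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    addr = ipaddress.ip_address(raw.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def classify(table, raw):
    """Longest-prefix match. Returns (label, action, matched_prefix)."""
    addr = normalise(raw)
    for net, label in table[addr.version]:
        if addr in net:
            return label, POLICY[label], str(net)
    return "unlisted", "allow", None


TABLE = load(FEED)

if __name__ == "__main__":
    for ip in ["198.51.100.7", "::ffff:198.51.100.7", "203.0.113.10",
               "203.0.113.200", "2001:db8:1000:42::1", "192.0.2.1"]:
        print(ip, classify(TABLE, ip))
```

Longest-prefix matching is what lets the shared-NAT carve-out override the wider hosting range that contains it.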
A big part of the Internet blanket bans <i>countries</i>, why do you think VPNs are any different?
Hell, I remember malware (Trojans / RATs) from the 2000s that allowed you to use your victim's IP as your personal proxy.
MTU detection is the easiest one. Sucks for people with ISPs that don't do 1500 bytes but those are rare.
> but those are rare.<p>yeah sure, if you ignore the existence of literally every mobile isp.
Isn’t sub-1500 bytes the norm for residential internet access? (DOCSIS and DSL with PPPoE are the most common access protocols here in Germany)
Hard disagree... there are still a vast many providers around the world doing < 1500, such as PPPoE DSL.
<i>looks at Japan, UK (OpenReach), and a lot of other places still using PPPoE (on fiber!) for complicated reasons</i>
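An added example (not from any commenter) of the MTU check discussed above: it reads the MSS option from a TCP SYN header, derives the implied MTU, and scores a naive "below 1500 means VPN" rule on constructed samples, where PPPoE and mobile links come out as false positives. The sample links, their MSS values and the ground-truth labels are constructed.

```python
import struct


def build_syn(mss):
    """Constructed TCP SYN header (no IP layer) carrying the given MSS."""
    # NOP, window scale, MSS, SACK-permitted, then two end-of-list pad bytes
    options = (b"\x01\x03\x03\x07" + b"\x02\x04" + struct.pack("!H", mss)
               + b"\x04\x02\x00\x00")
    offset_words = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0,
                        offset_words << 4, 0x02, 65535, 0, 0)
    return fixed + options


def syn_mss(tcp_header):
    """Return the MSS option of a TCP SYN header, or None if absent or malformed."""
    if len(tcp_header) < 20:
        return None
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        return None
    if not tcp_header[13] & 0x02:      # MSS is only carried on SYN segments
        return None
    opts, i = tcp_header[20:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                  # end of option list
            break
        if kind == 1:                  # NOP is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(opts):
            return None
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


def implied_mtu(mss, ip_version):
    """MTU = MSS + TCP header (20) + IP header (20 for IPv4, 40 for IPv6)."""
    return mss + 20 + (20 if ip_version == 4 else 40)


# Constructed samples: (link description, IP version, SYN header, really a VPN?)
SAMPLES = [
    ("Ethernet/DOCSIS, IPv4", 4, build_syn(1460), False),
    ("PPPoE DSL, IPv4", 4, build_syn(1452), False),
    ("PPPoE on fiber, IPv6", 6, build_syn(1432), False),
    ("Mobile carrier, IPv4", 4, build_syn(1400), False),
    ("WireGuard, default MTU 1420, IPv4", 4, build_syn(1380), True),
]


def evaluate(samples, threshold=1500):
    """Score the naive rule 'implied MTU below threshold means VPN'."""
    flagged = [(d, implied_mtu(syn_mss(h), v), vpn)
               for d, v, h, vpn in samples
               if implied_mtu(syn_mss(h), v) < threshold]
    true_pos = sum(1 for _, _, vpn in flagged if vpn)
    return {
        "flagged": len(flagged),
        "true_positives": true_pos,
        "precision": true_pos / len(flagged) if flagged else None,
        "false_positives": [(d, mtu) for d, mtu, vpn in flagged if not vpn],
    }


if __name__ == "__main__":
    print(evaluate(SAMPLES))
```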
I keep wishing “privacy” company, Apple, would release a VPN such that no business would be able to block it as they’d lose too many customers
Unless Apple would make an anonymizing VPN connection mandatory, I don't see any difference to the situation as is. As long as people can be pressured to turn off the VPN, nobody loses any customers. Additionally, I don't think paying customers are the target, since they usually provide identifying information anyway.
If Apple started routing all iPhone/Mac traffic through some anonymizing VPN by default, services that block it would absolutely lose lots of customers.
Yes, but Apple wouldn't do this, because Apple is also at risk of losing customers when people get blocked by network security at work. We could also fantasize about Apple fighting all the tracking everywhere, including their own services...<p>Quite frankly, it's a bit silly to paint Apple as some privacy fortress, who wouldn't have to comply with law enforcement/intelligence to unmask/tap traffic. I mean, for a lot of people VPN choice is done considering legal jurisdictions somewhere far away. Apple could/would never possibly offer this level of protection.
It's a matter of numbers.<p>If 20% of people are using VPNs, blocking them is going to be a double-digit hit.
It sucks that we need to rely on a big company to make a big, scaled-up change like that in order to move the needle. This looks like a pretty fatal flaw in the design of TCP/IP. IPs should be randomized periodically and they should all be equal. You shouldn't be able to tell someone's country from them, let alone their city, ISP, whether it's coming from a business or somewhere residential, whether they are a bot or a human. The Internet shouldn't have boundaries like this, and the fact that it still does shows there's still work to do.
They… do?
This comment would be more useful if you have the name of the product or linked to it. I’m also not aware of this offering and wasn’t able to find information on it.
Private relay is an Apple VPN-like service that only covers iOS safari. That means the SoundCloud app or desktop usage will not receive any privacy benefits.
Just tested Soundcloud with a PWA using iOS Safari and Private Relay enabled. It works fine, albeit a few annoying popups asking to download the app.
Private Relay also works in macOS Safari.
They’re not big enough and some sites will hard block it with other VPNs, like the government of Delaware. Bigger sites still soft block it like Instagram which will randomly ban accounts using it, or Google with captchas every couple of searches.
If this is true, I will cancel my subscription. I'm using Tailscale and certainly won't use a service that wants to dictate to me how to use my device.
Over five years of paid SoundCloud here, I thought something was wrong with my setup. If this continues I'll have to cancel, basically. What a pain.
Ironically, I can't read the Reddit post with my VPN.
Should be interesting to see how the internet blocks those of us who don't want to be fingerprinted, ID'd, or reveal our home IP addresses. YouTube already blocks embeds to login and prove I'm not a bot, funnily it doesn't work and embeds never play. Reddit will block me unless I'm signed in which I don't mind too much, but the Daily Beast and many others block me which is a shame because I'm a real human being using the internet as intended.<p>Instead of blocking or limiting features to whitelist users with approved behavioral patterns and limit / block those that don't -- such as loading a page and immediately commenting or doing things that normal humans don't do, they block IP addresses and ASNs.<p>I just close the browser tab and remind myself not to waste my time caring, there'll be other platforms.<p>My router is set up for WireGuard and it'll never be disabled.<p>Shame on SoundCloud
>block those that don't -- such as loading a page and immediately commenting or doing things that normal humans don't do, they block IP addresses and ASNs.<p>As someone who has both spent quite a bit of time writing scrapers and later lots of headache on blocking malicious bots from accessing websites, I can tell you this has become futile. Bot makers aren't stupid. If you put in a check for how fast actions are performed, they will put in a sleep timer in their script. If you start blocking residential IPs because many people use it, you are probably just blocking a school or dormitory, while the real bots will quickly move to another IP once they smell something is off. Today with modern multimodal LLMs, you can bypass almost every "human-check" imaginable. And if they can't pass something, most of your users sure as hell won't either. Not because it is too hard, but because it will take too long to solve. The sweet 3-15s actionable human intelligence threshold has been passed by now. The cats and dogs type captchas were already solved more than 12 years ago by simple CV machine learning. The tech has progressed an insane amount since then. In the end I always ended up basically doing what SoundCloud did here if my service was sensitive: Block entire countries, all Tor exit nodes and all known VPN ASNs. That will get it down by like 90%. Bear in mind that anyone who wants to put in some effort will still easily bypass this, but at least the low-effort guys from third world countries will take a while before they catch on. So you can go back to doing some actual work in the meantime.
> which is a shame because I'm a real human being using the internet as intended.<p>This is the main issue here, the web has become actively hostile to normal people in the quest to monetize every second of online activity.
"Actively hostile" is another of the common myths. See also: "corporations are evil".<p>"Completely indifferent" and "Corporations are completely amoral" are more accurate.<p>It's the difference between someone trying to drown you, versus someone trying to fish while you drown just off the bank. Same end, of course.
What do you think "evil" means? In the real world, there's no one holding up a platonic ideal of moral action and swearing to do the opposite, like some comic book antagonist. Real world evil <i>is</i> acting with complete amorality, because if you don't care about right or wrong in your pursuit of some goal, you inevitably will do some heinous shit.<p>That's not to say corporations don't come awfully close to the comic book concept of evil. By definition, a corporation's prime purpose is an uncaring commitment to making money, and if you've gone public, making <i>all</i> the money. That's awfully close to being the opposite of the "good" ideals of generosity and kindness.
I don't think they're evil, but to say that consumers aren't the fish seems a stretch.
In the nicest way possible: who cares? So "they" know my vile pornographic proclivities, my daily commute, and probably what color my poop was this morning. Then what? I get embarrassed?<p>Snowden showed the NSA has taps upstream, so in my book: that's over. I'm fairly convinced if your company reaches a size where it could potentially be a national security threat, the government comes knocking (Facebook, Apple, Twitter, etc.), so that seems like it's over. You have the AI companies scraping god knows what. And, I imagine most countries have corollaries.<p>Really, all the bad actors I'd encounter in my daily travels would be ones who want to steal money from me. That's a simple ideology. I can handle that. My identity gets stolen, my bank account...there's multiple levels of billion dollar companies with vested interest in me not losing faith in "the system," so I'm not worried about it really.<p>If a company wants to associate my phone number to glean all my purchases forever in order to target tailored ads to me, fine. Again, it's in the spirit of taking my money, which is a simple ideology.<p>If the neighbors want to snoop on my traffic, hats off to them for having the capacity to live two lives: both theirs, and mine after they figure out my day-to-day dealings. Doubt they have time to do much about it. Hard enough to live one life in 24 hours.<p>If the government wants to try and keep tabs on everything to see who's making ICBMs and who isn't, or whatever else they want to do, that's their prerogative but it seems like a complex goal that doesn't affect me.
This only works so long as you're not interesting to anyone. You never know what past information associated with your identity will be weaponized against you. By the government, corporations, or individuals to justify harming you. Even if you're safe and secure in the belief that your neighbors will never turn on you, others are not so lucky.<p>Did you travel to get an abortion? Someone might be interested in charging you with a felony. Did you associate too closely with non-citizens? Maybe you're one too. Did you reserve a hotel room? Probably willing to pay more for flights there. Do you frequent hacker news? Might not be so in favor of the current political establishment.
You make a couple of good points. The necessity to commit a felony in the name of healthcare as traveling to get an abortion is shameful. I can't believe it's come to that. Have people been rounded up into camps and exterminated for innate human qualities and beliefs? Yes. And it's disgusting I have to type that as well.<p>But beyond that I disagree with your sentiment.<p>These things need to be stopped as they come. Withholding data and living a life of fearful "what ifs" cannot preemptively stop atrocity. Of course I'll never know what past information can be used against me in the future; weaponized in ways I cannot fathom. It's a possibility. Hindsight is 20/20, but "you can't predict the future," so how would I know? I have to live my life. I gotta do SOMETHING.<p>The crux of all of those "what ifs" is beholden to if the person correlating that data has social agency to act upon it. If that's the case, anyone could be my next predator. Anyone could be the next Hitler waiting to exterminate me based on my non-citizen camaraderie or political leanings.<p>Data is just a predictor, it is not the truth. If my life provided a data point for a yet-to-be-born hostile dictator to perjure me, I will deal with that when it comes, but I can't live my life out of fear.
Last night I was blocked from HBOMAX (or whatever brand they go by these days) for being on a VPN. That was the first time I've ever encountered something like that on HBOMAX. I wonder if there is some coordinating event here.
Did the error condition actually call out "VPN use" ? Did the HBO UI actually call out, by that term, a VPN ?<p>... or were you simply using a VPN and that's the most likely culprit for a general failure of the service ?<p>Genuinely curious ...
Ironic posting that on reddit who also blocks vpn access.
I'm in the UK, so I access Reddit through an Irish VPN all the time and have never had issues.
Still seems to work via the desktop interface while accessing the old.reddit version, at least it worked a couple of days ago for me, I can't speak for the new web version nor for their phone app, cause I'm not using those.
More will follow. I hope you collected what you need. For anything truly valuable, record the audio during playback and manually enter the metadata.
What's the motivation for blocking VPN read access for this and other services? Are AI scrapers using commercial VPNs to get around rate limiting?
Legislation. If a country requires age verification, identity verification, moderation, etc, it's easy enough to either block that traffic or enforce the local laws. However users can easily circumvent this with a VPN. For some countries, this traffic is still in scope, and so the only real way to prevent it is to block or impose the restrictions on all VPN users.<p>Could also be spam/abuse prevention. Credential stuffing often goes through VPNs, signup over VPN is a strong signal for future abuse or issues in various ways.
I suspect country-level licensing; on SoundCloud I've sometimes seen songs "not available in your country" or something along those lines.
It doesn’t really matter if they’re using commercial VPNs or the same upstream providers as commercial VPNs. Blocking an ASN is a million times more effective than blocking single IPs (at the risk of blocking genuine customers). I’ve had customers reach out to me asking to be unbanned after I blocked a few ASNs that had hostile scrapers coming out of them. It’s a tough balance.<p>VPNs often use providers with excellent peering and networking - the same providers that scrapers would want to use.
AI scrapers made it so much worse. Now most things completely block VPN users who aren't logged in. Reddit and Youtube will refuse to load anything until you log in if you are on a VPN.
The irony is that I tried to access the link here but reddit blocks VPN access aggressively.
Your mileage may vary. Logged in and listened to a couple of tracks DHCP VPN which exits in Denver using Surfshark at 64.44.x.x about 1600 miles away.
Even Russia and Iran have issues blocking VPN country wide…curious what SoundCloud is going to be able to do. I’m guessing it’s to block AI scrapers but ironically, they have way more resources than your customers. SoundCloud will end up pissing off their paying customers and AI bots will still be able to scrape.
Well, goodbye SoundCloud (and all services doing the same thing).
They blocked *some* vpns. I was able to get it working just by switching location with my vpn provider.
I tried creating a SoundCloud account recently for uploading DJ sets to and it just outright wouldn't let me. Didn't matter whether I was or wasn't on a VPN, or whether I had clean cookies. Crappy bot detection. You can be sure I'm never paying for such a hostile service.
link for actual people <a href="https://www.reddit.com/r/SoundCloudMusic/comments/1pltd19/soundcloud_just_banned_vpn_access/" rel="nofollow">https://www.reddit.com/r/SoundCloudMusic/comments/1pltd19/so...</a>
I am so sick of these IP blocks. Same thing in Discord where a lot of servers deploy third-rate services like Double Counter that’s effectively a malware host. There’s nothing wrong with using VPN. I don’t want my IP exposed when my ISP doesn’t allow me to freely change it like they used to even a couple of years ago.
Yarr… when this happens to ye, it’s time to sail the high seas!
Exactly, and you should go deeper and encourage absolutely everyone in your surrounding to drop the service.
They're doing everything they can to make piracy the best option.
Uhhh. Unless people are now using SC completely differently from how I was using it, the media people publish on SC is far too niche to be available via piracy.
I think it's the thought that counts. Presumably they will get better at blocking all VPNs.
i’ve watched this VPN arms race get weird over the years... as a user i feel like the license wars always spill over onto my connection.<p>rights holders keep demanding geo fences and identity checks... service providers comply because they don't want to get sued.<p>BUT... the blunt tool is to block whole swaths of IPs... then we all scramble.<p>i think the conversation around Apple or any single company saving us is missing the point.<p>ALSO... even if a big platform rolled out an anonymizing proxy... regulators would still push for carve outs... copyright exemptions... law enforcement taps.<p>the root is the business model... ad targeting... licensing... fraud detection... all of which depend on tying a real person to a real IP.<p>HOWEVER... if enough of us treat VPN use as normal... the calculus changes.<p>blocking a few percent of weirdos is easy... blocking half your paying users is not.<p>i don't know the answer... but i suspect it's going to get more fragmented before it gets better.
Not the first,<p>Patreon also banned VPN<p>YouTube, Reddit - locked out, requiring to log into account, on pretense of security and care concerns, yeah to identify and track VPN users.
Doesn't reddit block VPNs as well?
Works for me most of the time. A couple of months ago, there was a period where a subset of the exit IPs were blocked for a short period each.
IME, only if you're not logged in.
i tunnel my internet through linode with wireguard - reddit blocks me if i'm not signed in.<p>with soundcloud, i just got a generic 403 from cloudfront<p>combine that with country-level internet filter, the internet is getting harder and harder to use :(
Well, most sites are going to block VPS IP spaces (which are published online) as it's ~100% bot activity.
ah if they are using cloudfront, they must be using the AWS managed WAF rule, which is pretty bad.<p>I used that once and got in trouble with the client since the ruleset was over blocking.
Strange, it works here (Taipei based vpn and logged in)
irony is this is posted on reddit, who also blocks VPNs
Financial Times does as well for me on certain browsers but not others. Pretty annoying.
<i>stares in Lidarr</i>
Doesn't really fulfill the same niche Soundcloud does. Most content on SC is non-commercial or just simply not available on any streaming service.<p>Lidarr relies on people ripping this music, and also adding the metadata to Musicbrainz, which just simply isn't going to happen for most SC uploads.
I thought for a moment while reading these comments that somehow SC had completely changed in terms of content and type of user. People seem to think it's a Spotify-like or something. I consumed essentially audio shitposts and DJ mix sets on SC, stuff that you're not going to find published in a pirateable form...