
I was testing this earlier with a NordVPN US server. Akamai sees a changing IP (different from the public IP of the server) that seems to be in residential ISP IP blocks when retrieving www.disneyplus.com. For other sites on the Akamai CDN this was not true. On other sites header and public IP matched like in your example.


I've seen no definitive information about the nature of these residential proxies. They might be NordVPN customers in the US. Or they might have installed some app with a bundled proxy server. Or it could even be outright malware.

But in any case, it'd be cool if people could determine whether their devices are being used as NordVPN exits.

I've run about 300 tests so far, on a few of NordVPN's US servers. And I've hacked a simple test script, using hashed "X-Akamai-Pragma-Client-IP" values.[0]

Just save the code block at the top as "test.sh" or whatever. Then do "chmod u+x", and execute. It'll prompt "IPv4 to search for?". Type an IPv4, and hit "Enter".

This is howling in the void, I know. But so it goes.

0) https://pastebin.com/YYc9Kuax


At least some of those residential ISP IPs seem to be Cisco Catalyst switches. Might that be evidence of carrier-grade NAT? But if so, how could NordVPN be proxying traffic? Hole punching, I guess.


Interesting. So their US exits must look at the target URL, and use a residential proxy if it's Disney+ (and perhaps, other juicy sites).

I'm in the process of doing this for all 1537 of NordVPN's US servers.


Did you use the NordVPN client, or stock OpenVPN?

And if the NordVPN client, what OS?


I used the NordVPN CLI client version 3.4.0-1 from a Debian bullseye PC.

EDIT: package from https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/


Thanks.

So far, using the stock openvpn package in Debian, it doesn't look like the Disney+ circumvention is happening for NordVPN's US servers.

I'm guessing that the NordVPN client must do it.

And if that's the case, it may merely route traffic directly through the residential proxy, and not first through a NordVPN server. Which wouldn't be good, because someone investigating the residential proxy would see the user's IP address, rather than the exit IP address of the VPN server.


Well, I had only a little time to dig further, but I can confirm your findings that OpenVPN alone behaves as it should while the NordVPN client acts differently. However, Wireshark says I am only communicating with the NordVPN server when connected through their client. I would love to know where the difference in configuration is. I always assumed NordVPN would just call OpenVPN with the public ovpn configs. They call the OpenVPN client with a config that is deleted shortly after OpenVPN starts but can be extracted when swapping the openvpn binary. It looks unsuspicious. A management unix socket is opened to control the OpenVPN client. I would like to know how the communication is configured.


I'm also testing now with NordVPN CLI v3.4.0-1 in a Debian 10.1.0 x64 VM with standard Gnome desktop.

I used the default settings. In particular, I didn't enable "obfuscate", which I gather uses two hops.

I'm using a crude infinite while script.[0]

And so far, I haven't come across any servers with unexpected "akamai-x-get-client-ip" for Disney.

But then, there are well over 1000 US server IPs.

So did you enable "obfuscate"? Or "CyberSec"? Or other options?

It would also help if you could share which servers showed unexpected "akamai-x-get-client-ip" for Disney.

0) https://pastebin.com/hz5due96
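The check the two commenters above describe (send the Akamai debug Pragma, read back the client IP the edge saw, and compare it against the VPN exit's public IP across many probes) can be done without hashing, as in this added Python example. It is not the commenter's pastebin script or anything from NordVPN or Akamai; the hostnames, the expected exit IP and the sample response headers are constructed placeholders (RFC 5737 documentation ranges), and the live `fetch_headers` helper is assumed to be pointed at the VPN exit's public IP obtained separately.

```python
import ipaddress
from collections import defaultdict
from urllib.request import Request, urlopen

# Request header that asks an Akamai edge to echo the client IP it saw.
AKAMAI_PRAGMA = "akamai-x-get-client-ip"
# Response header the edge answers with (casing varies between libraries).
AKAMAI_CLIENT_IP_HEADER = "x-akamai-pragma-client-ip"


def parse_client_ip(headers):
    """Return the IPv4 address from X-Akamai-Pragma-Client-IP, or None.

    `headers` is any mapping of header name -> value. The lookup is
    case-insensitive; a malformed value is treated as absent.
    """
    for name, value in headers.items():
        if name.lower() == AKAMAI_CLIENT_IP_HEADER:
            try:
                return str(ipaddress.IPv4Address(value.strip()))
            except ipaddress.AddressValueError:
                return None
    return None


def classify(reported_ip, expected_exit_ip):
    """Compare the IP the edge saw with the VPN exit's public IP."""
    if reported_ip is None:
        return "no-header"    # not behind Akamai, or header not returned
    if reported_ip == expected_exit_ip:
        return "exit-match"   # request left through the VPN server itself
    return "mismatch"         # some other host made the request to the edge


def summarize(observations, expected_exit_ip):
    """Aggregate many (host, headers) probes into per-host verdicts.

    Returns {host: {"verdicts": {verdict: count}, "ips": [distinct IPs]}}
    so repeated probes of one site show how many distinct client IPs
    the edge reported, not just whether one probe matched.
    """
    out = {}
    for host, headers in observations:
        ip = parse_client_ip(headers)
        verdict = classify(ip, expected_exit_ip)
        entry = out.setdefault(host, {"verdicts": defaultdict(int), "ips": set()})
        entry["verdicts"][verdict] += 1
        if ip is not None:
            entry["ips"].add(ip)
    return {
        host: {
            "verdicts": dict(e["verdicts"]),
            "ips": sorted(e["ips"], key=ipaddress.IPv4Address),
        }
        for host, e in out.items()
    }


def fetch_headers(host, path="/", timeout=10):
    """Live probe (needs network): GET https://host/path with the Akamai
    Pragma set and return the response headers. Not used by the offline
    sample below; call it in a loop while connected through the VPN."""
    req = Request(f"https://{host}{path}", headers={"Pragma": AKAMAI_PRAGMA})
    with urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample input: what a handful of probes might have returned.
# Hostnames and addresses are placeholders, not real observations.
EXPECTED_EXIT_IP = "203.0.113.10"   # assumed public IP of the VPN server
SAMPLE_OBSERVATIONS = [
    ("cdn-site-a.test", {"X-Akamai-Pragma-Client-IP": "203.0.113.10"}),
    ("cdn-site-a.test", {"x-akamai-pragma-client-ip": " 203.0.113.10 "}),
    ("cdn-site-b.test", {"X-Akamai-Pragma-Client-IP": "198.51.100.7"}),
    ("cdn-site-b.test", {"X-Akamai-Pragma-Client-IP": "198.51.100.42"}),
    ("plain-site.test", {"Server": "nginx"}),
]

if __name__ == "__main__":
    for host, entry in summarize(SAMPLE_OBSERVATIONS, EXPECTED_EXIT_IP).items():
        print(f"{host}: {entry['verdicts']} distinct client IPs seen: {entry['ips']}")
```

A site whose verdicts are all "exit-match" is being reached directly from the VPN server; a site that shows "mismatch" with a changing set of reported IPs is the pattern the commenters describe, and comparing several sites in one run (as the thread does with disneyplus.com against other Akamai-hosted sites) separates per-destination routing from a general exit change.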


Damn, I can be such a dumbass.

I was testing "www.disney.com", not "www.disneyplus.com".

Now I always see residential proxies for US servers. Or SSL certificate failures, occasionally.

Edit: That's using either the Windows GUI client, or the Linux terminal client in Debian. Not using "Obfuscate", "CyberSec", or other non-default options. But residential proxies aren't used for "www.disney.com" or "paypal.com".

Also, with the stock openvpn in Debian, I don't see residential proxies being used for "www.disneyplus.com".
