Anti-VPN Bungee/Waterfall


#1

Looking for the Bukkit version?
Find it here!


Single / Personal bungees
Simply drop the jar into your “plugins” folder. The auto-generated config should default to reasonable values for you, but you may modify it if you wish.

Multiple bungees / Large networks
Drop the jar into the plugins folder and configure the “sql” section to use MySQL instead of SQLite. RabbitMQ and/or Redis are optional but highly recommended if you have multiple bungees.

# This is the backing data for everything
# SQL is used as long-term storage and cross-network updates every few seconds
# Try to use an SQL source each server has access to, if possible
# You may choose to use MySQL or SQLite
# An SQL database of SOME description is required
sql:
  # The type of database to use. May be either MySQL or SQLite
  type: 'sqlite'
  # Number of connections to use. Cannot be lower than 1
  # Recommended 2+ for parallel queries
  threads: 2
  mysql:
    address: '127.0.0.1'
    port: 3306
    user: ''
    pass: ''
    database: 'avpn'
  sqlite:
    file: 'avpn.db'

# Redis is used as a cache so lookups can be VERY fast
# This is used in both the expensive and non-expensive lookups
# It also provides the ability to push instant updates across the network
# Redis is entirely optional
redis:
  enabled: false
  address: ''
  port: 6379
  pass: ''

# Messaging is used to push instant commands across the network
# If you don't have/use Redis you can use this to update faster than SQL
# Even if you use Redis, this can be used as a backup source
# Messaging is entirely optional
messaging:
  # The type of messaging to use
  # Values can be 'bungee' ('default') or 'rabbit'
  # If 'default' or 'bungee' is selected on servers connected to this Bungee, please be sure to set this to 'bungee'!
  type: 'bungee'
  # Values to fill in if using Rabbit messaging
  rabbit:
    address: ''
    port: 5672
    user: 'guest'
    pass: 'guest'

# Where VPN-checking sources are defined
# Beware the more sources that are included (and fail) the worse the performance and the more the lag
sources:
  # The amount of time to globally cache results across all sources
  # This should be as high as possible to avoid rate-limits but as low as possible to ensure results are always up-to-date and accurate
  cacheTime: '6hours'
  # The order to try results in
  order:
    - 'iphub'
    - 'proxycheck'
    - 'getipintel'
    - 'ipqualityscore'
    - 'ipdetector'
    - 'vpnblocker'
    - 'voxprox'
    - 'shodan'
  # https://iphub.info/
  # Results updated Sep 6, 2018
  # Error rate: 0%
  # NordVPN detection rate: 90.48%
  # Cryptostorm detection rate: 90%
  # False-flagged homes: 20%
  iphub:
    enabled: false
    # API key to use (Required for this service, free one available at https://iphub.info/apiKey/newFree )
    key: ''
    # The block type at which an IP is considered "bad"
    block: 1
  # https://proxycheck.io
  # Results updated Sep 6, 2018
  # Error rate: 5%
  # NordVPN detection rate: 85.71%
  # Cryptostorm detection rate: 94.74%
  # False-flagged homes: 10%
  proxycheck:
    enabled: true
    # Optional API key to use
    key: ''
  # https://www.getipintel.net/
  # Results updated Sep 6, 2018
  # Error rate: 5%
  # NordVPN detection rate: 90.48%
  # Cryptostorm detection rate: 100%
  # False-flagged homes: 40%
  getipintel:
    enabled: true
    # Contact e-mail in case things go wrong. Required
    contact: '[email protected]'
    # Threshold above which an IP is considered "bad"
    threshold: 0.98
  # https://www.ipqualityscore.com/
  # Results updated Sep 6, 2018
  # Error rate: 0%
  # NordVPN detection rate: 90.48%
  # Cryptostorm detection rate: 85%
  # False-flagged homes: 40%
  ipqualityscore:
    enabled: false
    # API key to use (Required for this service, free one available at https://www.ipqualityscore.com/create-account )
    key: ''
    # Threshold above which an IP is considered "bad"
    threshold: 0.65
  # https://ipdetector.info
  # Error rate: 0%
  # NordVPN detection rate: 61.9%
  # Cryptostorm detection rate: 90%
  # False-flagged homes: 0%
  ipdetector:
    enabled: true
    # Optional API key to use
    key: 'free'
  # https://vpnblocker.net/usage
  # Error rate: 0%
  # NordVPN detection rate: 66.67%
  # Cryptostorm detection rate: 70%
  # False-flagged homes: 10%
  vpnblocker:
    enabled: true
    # Optional API key to use
    key: ''
  # https://www.voxprox.com
  # Error rate: 0%
  # NordVPN detection rate: 66.67%
  # Cryptostorm detection rate: 70%
  # False-flagged homes: 40%
  voxprox:
    enabled: false
    # API key to use (Required for this service)
    key: ''
  # https://www.shodan.io/
  # Error rate: 94.52%
  # NordVPN detection rate: 89.47%
  # Cryptostorm detection rate: 0%
  # False-flagged homes: 0%
  shodan:
    enabled: false
    # API key to use (Required for this service)
    key: ''

# List of IPs to ignore for checking
ignore:
  - '127.0.0.1'
  - 'localhost'
  - '::1'

# The amount of time before in-memory caches expire after non-use
# This prevents many sequential lookups from using more expensive networking constantly
cacheTime: '1minute'
# The message to kick VPN users with
kickMessage: '&cPlease disconnect from your proxy or VPN before re-joining!'
# When true, logs some extra output to the console so you can see if/why things might be failing
debug: false
# When true, checks are done off the player login thread
# You may want to set this to false in cases where you want to be absolutely sure you kick VPN users immediately
# In most cases, this should be set to true because using the login thread can cause slower player logins
# This is only available on the Bungee versions because it's guaranteed the player will be connected to the Bungee for a while
# In the Bukkit version, certain sertups with async set to true would allow players to bypass the check if they are quick enough
async: true
# When true, will kick players found to be using VPNs
# Disable this is you intend to use your own kicking/tagging systems using the API
kick: true
# When zero or above, will use a "consensus" algorithm instead of a "cascade" algorithm
# Cascade: Will try each enabled API in order and use the first one that returns a value
# Consensus: Will try each enabled API at once and then compare the ratio of results to the value below
# For example, if you set "consensus" to 0.6 then at least 60% of the APIs must agree that the IP is a VPN
# This value can range between 0 and 1 (or less than zero to use cascade)
consensus: -1.0

stats:
  # Whether or not to send anonymous usage statistics to bStats
  # True: Send anonymous stats; let the author know how well the plugin is doing and how it's used!
  # False: Do not send stats and make the author sad :(
  usage: true
  # Whether or not to send anonymous errors to the author
  # True: Send errors anonymously to Rollbar and/or GameAnalytics so the author can fix them!
  # False: Do not send errors and wonder why any bugs you encounter haven't beeen fixed
  errors: true

update:
  # Whether or not to automatically check for updates and notify the console if found
  check: true
  # Whether or not to notify players with the avpn.admin permission node
  notify: true

# Config version, no touchy plz
version: 2.3


/avpnreload - Reloads the plugin configuration. This will disconnect and reconnect (if appropriate) any services configured in the config.yml file.
/avpntest - Test an IP through the various (enabled) services. Note that this forces a check so will use credits every time it’s run.
/avpncheck - Check an IP using the default system. This will return exactly the same value as any other API call.
/avpnscore - Scores a particular source based on a pre-made list of known good and bad IPs. Note that this forces a check so will use credits every time it’s run.


avpn.admin - allows access to the /avpnreload, /avpntest, /avpncheck, and /avpnscore commands
avpn.bypass - players with this node bypass the filter entirely


Please consider donating to support this free plugin!
[CENTER][/CENTER]


According to the GDPR, you must specify that you are storing IP information to your players in a privacy policy when using this plugin (actually you need that if you’re running a vanilla server without this plugin because of server logs). Depending on how data provided from this API is used, you may be required to manually remove some data from the databases.
Disclaimer: I am a plugin developer, not a lawyer. This information is provided as a “best guess” and is not legal advice.


Maven

<repository>
  <id>egg82-ninja</id>
  <url>https://www.myget.org/F/egg82-java/maven/</url>
</repository>

[SIZE=4]Latest Repo[/SIZE]
https://www.myget.org/feed/egg82-java/package/maven/ninja.egg82.plugins/AntiVPN

[SIZE=4]API usage[/SIZE]

VPNAPI.getInstance();
...
boolean isVPN(String ip, [boolean expensive]);
ImmutableMap<String, Optional<Boolean>> test(String ip); // WARNING: Does not cache results
double consensus(String ip, [boolean expensive]);
Optional<Boolean> getResult(String ip, String sourceName); // WARNING: Does not cache results[/CODE]

Example - Detect if a player is using a VPN (cascade)

VPNAPI api = VPNAPI.getInstance();
if (api.isVPN(playerIp)) {
    // Do something
}

Example - Detect if a player is using a VPN (consensus)

VPNAPI api = VPNAPI.getInstance();
if (api.consensus(playerIp) >= threshold) { // Anywhere from 0.0 to 1.0
    // Do something
}

Example - See which services detect a given IP as a VPN

VPNAPI api = VPNAPI.getInstance();
ImmutableMap<String, Optional<Boolean>> response = api.test(ip);
for (Entry<String, Optional<Boolean>> kvp : response) {
    // Do something
}

Example - Get the most updated result from a specified provider

VPNAPI api = VPNAPI.getInstance();
Optional<Boolean> result = api.getResult(playerIp);
if (!result.isPresent()) {
    // Error- ran out of credits, too many attempts, etc etc
    return;
}
if (result.get().booleanValue()) {
    // Do something
} else {
    // Do something else
}
Services that didn't make the cut

stopforumspam
Error rate: 0%
NordVPN detection rate: 38.1%
Cryptostorm detection rate: 10%
False-flagged homes: 0%

ip2proxy (no servers)
Error rate: 0%
NordVPN detection rate: 28.57%
Cryptostorm detection rate: 10%
False-flagged homes: 0%

ip2proxy (servers)
Error rate: 0%
NordVPN detection rate: 28.57%
Cryptostorm detection rate: 15%
False-flagged homes: 0%

Download available on Spigot: https://www.spigotmc.org/resources/anti-vpn-bungee.58716/
Source available on GitHub: https://github.com/egg82/AntiVPN


#2

Can confirm, lovely little code.


#3

Lovely project, tkx dude