Defeating tunnel detection (two-way ping)

Sometimes sites or services try to detect that you are connected via VPN.
One of the simplest checks is the “two-way ping”.

The mechanism is simple:
the service measures the round-trip time to you at the application layer (for example the TCP handshake, or a timed request issued by the page's own script), then sends an ICMP echo request to the IP address the connection came from and times the reply.
The application-level round trip has to reach your real machine, but the ICMP echo stops at whoever owns that address.
If you sit behind a VPN (client → VPN → site, and the reply goes site → VPN → client), the ping comes back noticeably faster than the handshake; the gap is the extra hop, and the service concludes that there is a tunnel between you.

To avoid tripping such a check, you can simply stop answering ICMP echo requests, the packets ping is made of: with no reply there is no baseline for the service to compare the handshake against.
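To make the comparison concrete, here is an added example (not code from the original post) of the check from the detector's side, with two helpers that collect the numbers against a host you control. The function names and the 20 ms threshold are this example's own choices; a real service may use a different margin.

```shell
#!/bin/sh
# Added example, not part of the original post: the comparison behind a
# "two-way ping" check, plus helpers that collect the two round-trip times
# against a host you control. Function names and the 20 ms threshold are
# this example's own choices.

# icmp_rtt_ms HOST
# Average ICMP echo RTT in ms, taken from ping's summary line
# ("rtt min/avg/max/mdev = ..." on Linux, "round-trip ..." on BSD/macOS).
# Prints nothing when the host never answers, which is the state the post's
# firewall change produces.
icmp_rtt_ms() {
    ping -n -c 4 -W 2 "$1" 2>/dev/null |
        awk -F'/' '/^(rtt|round-trip)/ { print $5; exit }'
}

# tcp_rtt_ms HOST PORT
# Time to complete the TCP handshake to HOST:PORT in ms, from curl's
# time_connect (seconds). curl reports it even when the HTTP exchange fails,
# so the port only needs to accept the connection; an unreachable port
# yields 0 and is filtered out.
tcp_rtt_ms() {
    curl -s -o /dev/null --connect-timeout 3 -m 5 -w '%{time_connect}\n' \
        "http://$1:$2/" 2>/dev/null |
        awk '$1 > 0 { printf "%.3f\n", $1 * 1000 }'
}

# relay_suspected ICMP_MS TCP_MS [THRESHOLD_MS]
# The detector's decision. The handshake has to reach the real client; the
# echo stops at whoever owns the connecting IP. A gap above THRESHOLD_MS is
# an extra hop ("relay"). With no ICMP reply there is no baseline and the
# check cannot conclude anything ("no-baseline").
relay_suspected() {
    awk -v i="$1" -v t="$2" -v th="${3:-20}" 'BEGIN {
        if (t == "")          print "unreachable"
        else if (i == "")     print "no-baseline"
        else if (t - i > th)  print "relay"
        else                  print "direct"
    }'
}

# two_way_ping HOST PORT : run the whole check once and print the verdict.
# Usage: two_way_ping 203.0.113.5 443   (203.0.113.5 is a placeholder address)
two_way_ping() {
    _i=$(icmp_rtt_ms "$1")
    _t=$(tcp_rtt_ms "$1" "$2")
    printf 'icmp=%sms tcp=%sms verdict=%s\n' "${_i:-none}" "${_t:-none}" \
        "$(relay_suspected "$_i" "$_t")"
}
```

Run two_way_ping against your VPN exit address from a third host before and after the firewall change: the verdict should move from "direct" or "relay" to "no-baseline" while the TCP figure stays the same, which shows the service port is still reachable.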


Note:

Important: dropping ICMP echo outright blinds any monitoring that relies on ping.
If you use Uptime Kuma, BetterStack, Zabbix or similar services, allow echo requests from the monitors' IPs and drop the rest (or switch those checks to a TCP or HTTP probe).


:wrench: Option via UFW

If you have UFW active, open the file /etc/ufw/before.rules:

nano /etc/ufw/before.rules

Find the existing ICMP section in that file (commented "ok icmp codes for INPUT"). UFW already accepts the useful ICMP types there, and because the file is applied top to bottom, a DROP appended after those ACCEPT lines never matches anything. So do not add a separate block: change only the echo-request line from ACCEPT to DROP and leave the other types as they are, since destination-unreachable, time-exceeded and parameter-problem are what path-MTU discovery and error reporting for the server's own connections depend on:


# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# was ACCEPT: stop answering ping
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

To keep a monitor working, put an ACCEPT for echo-request with -s <monitor IP> on the line above that DROP. If the server also has an IPv6 address, make the same single change to the echo-request line in /etc/ufw/before6.rules and nothing else in that file: the other ICMPv6 types carry neighbour discovery, and dropping them takes the host off the IPv6 network.

Then reload UFW to apply the changes:

ufw reload

(the older ufw disable && ufw enable works too; both re-read before.rules.)

:brick: Option directly via iptables

If UFW is not used, insert one rule at the head of INPUT (-I rather than -A, so it sits in front of any earlier ACCEPT for ICMP) and match only echo-request:

iptables -I INPUT 1 -p icmp --icmp-type echo-request -j DROP

A blanket iptables -A INPUT -p icmp -j DROP is not needed for this goal and is harmful: it also discards destination-unreachable and time-exceeded, which breaks path-MTU discovery and error reporting for the server's own traffic. Rules added this way live only in kernel memory; save them with iptables-save (for example through the iptables-persistent package) or they are gone after a reboot.

Alternatively, tell the kernel itself not to answer echo requests (no firewall rule needed); the first line takes effect immediately, the other two make it survive a reboot:

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
sysctl -p

This switch is all-or-nothing: it cannot exempt a monitoring host, so use the firewall variant if you need that. It also covers IPv4 only; for IPv6 use the corresponding net.ipv6.icmp.echo_ignore_all on recent kernels, or an ip6tables rule for ICMPv6 echo-request.

Note:

Before changing anything, save the current rule set (iptables-save) and keep a copy of /etc/ufw/before.rules.
A typo in that file makes UFW refuse to load, and if you are also restricting SSH there, a mistake in the configuration can lock you out of the server.
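Putting the monitoring note and the iptables steps together: an added example (not the post's own code) that generates the rule set for "answer ping only for trusted monitors, drop it from everyone else", for IPv4 and IPv6, and applies it only on request. The trusted addresses are constructed placeholders from documentation ranges; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: build the netfilter rules for
# "answer ping only for trusted monitors" and apply them only when asked.
# The addresses are constructed placeholders from documentation ranges
# (RFC 5737 / RFC 3849); function names are this example's own.

TRUSTED_V4="203.0.113.10 198.51.100.0/24"   # constructed: monitoring pollers
TRUSTED_V6="2001:db8::10"                   # constructed

# gen_icmp_rules : print the iptables/ip6tables commands in execution order.
# Every rule is inserted at position 1 of INPUT, so the command printed last
# ends up on top; the catch-all DROP is therefore printed first and the
# per-source ACCEPTs after it. Only echo-request is matched: unreachable,
# time-exceeded and packet-too-big keep flowing (path-MTU discovery and
# error reporting for the server's own connections), and ICMPv6 neighbour
# discovery is untouched.
gen_icmp_rules() {
    echo "iptables -I INPUT 1 -p icmp --icmp-type echo-request -j DROP"
    for src in $TRUSTED_V4; do
        echo "iptables -I INPUT 1 -s $src -p icmp --icmp-type echo-request -j ACCEPT"
    done
    echo "ip6tables -I INPUT 1 -p ipv6-icmp --icmpv6-type echo-request -j DROP"
    for src in $TRUSTED_V6; do
        echo "ip6tables -I INPUT 1 -s $src -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT"
    done
}

# count_rules : number of commands that would run (sanity check before apply).
count_rules() { gen_icmp_rules | wc -l | tr -d ' '; }

# apply_icmp_rules : execute the generated commands (root only). Rules added
# with iptables live in kernel memory; save them or they vanish on reboot.
apply_icmp_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_icmp_rules: run as root" >&2; return 1; }
    gen_icmp_rules | sh -e
    if command -v netfilter-persistent >/dev/null 2>&1; then
        netfilter-persistent save
    else
        echo "persist with: iptables-save / ip6tables-save (e.g. iptables-persistent)" >&2
    fi
}

# check_echo HOST : run from a host that is NOT in the trusted list after
# applying; prints "echo-dropped" when ping gets no reply, "echo-answered"
# otherwise. Pair it with a TCP connect to the service port to confirm the
# service itself is still reachable.
check_echo() {
    if ping -n -c 2 -W 2 "$1" >/dev/null 2>&1; then
        echo "echo-answered"
    else
        echo "echo-dropped"
    fi
}
```

Run gen_icmp_rules first and read the output; apply_icmp_rules only when it looks right. If UFW is active, do not use this script: ufw reload rebuilds the INPUT chain and discards rules added directly with iptables, so put the equivalent ACCEPT and DROP lines into /etc/ufw/before.rules instead.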


:light_bulb: What to remember

  • The "two-way ping" is not the only way to detect a VPN.
    Some services compare the TTL of arriving packets, look at routing and TCP fingerprints, or use a "TCP ping" (a SYN to one of your open ports) as the baseline instead of ICMP; that last variant still works after this change.
  • This method is no "panacea": it removes one cheap signal rather than making you undetectable.
  • For some configurations you can restrict ICMP by address, subnet or country instead of dropping it for everyone (iptables -s, an ipset, or an nftables set).

:white_check_mark: Summary

If the goal is to hide VPN or proxy traffic from simple checks like the "two-way ping",
disabling ICMP echo replies is an easy measure.

The main thing is to test after the change so that you neither lose connectivity nor break monitoring.
Start with a partial restriction (for example, allow ping only from your own IP and the monitors), and close ICMP echo completely only once that works.
