ℹ️ Please note this research is from 2016 when Opera has first added their browser "VPN", even before the "Chinese deal" was closed. They have since introduced some real VPN apps but this below is not about them.
🕵️ Some folks also like to use this article to show a proof that the Opera browser is a spyware or that Opera sells all your data to 3rd parties or something like that. This article here doesn't say anything like that.
When setting up (that's immediately when user enables it in settings) Opera VPN sends few API requests to https://api.surfeasy.com to obtain credentials and proxy IPs, see below, also see The Oprah Proxy.
The browser then talks to a proxy de0.opera-proxy.net
(when VPN location is set to Germany), it's IP address can only be resolved from within Opera when VPN is on, it's 185.108.219.42
(or similar, see below). It's an HTTP/S proxy which requires auth.
When loading a page with Opera VPN enabled, the browser sends a lot of requests to de0.opera-proxy.net
with Proxy-Authorization
request header.
The Proxy-Authorization
header decoded: CC68FE24C34B5B2414FB1DC116342EADA7D5C46B:9B9BE3FAE674A33D1820315F4CC94372926C8210B6AEC0B662EC7CAD611D86A3
(that's sha1(device_id):device_password
, where device_id
and device_password
come from the POST /v2/register_device
API call, please note that this decoded header is from another Opera installation and thus contains different device_id
and device_password
than what is shown below)
These creds can be used with the de0.opera-proxy.net
even when connecting from a different machine, it's just an HTTP proxy anyway.
When you use the proxy on a different machine (with no Opera installed), you'll get the same IP as when using Opera's VPN, of course.
This Opera "VPN" is just a preconfigured HTTP/S proxy protecting just the traffic between Opera and the proxy, nothing else. It's not a VPN.
They even call it Secure proxy (besides calling it VPN, sure) in Opera settings.
The API calls are:
- https://api.surfeasy.com/v2/register_subscriber
- https://api.surfeasy.com/v2/register_device
- https://api.surfeasy.com/v2/geo_list
- https://api.surfeasy.com/v2/discover
I have automated the API calls and have built The Oprah Proxy, a simple Python script which will fetch the credentials for you. It will also list available locations and proxies.
@AgapovAlexsey: "how you get post data in chrome://net-internals/#events"? i recived only data lengh
—Enlarge the window and look to the right
@sponnusa: "This has stopped working."
—Forked & fixed - https://github.com/nampud/oprah-proxy
(spaze should patch this - or update the main article to say its broken)
@tjleon1: "I have a concern that my private data may still be in the hands of Google"
Google does not see your IP address. spaze commented Apr 24, 2016:
—Hostnames are resolved remotely, when using Opera's "VPN", DNS requests do not leak.
Interesting: http://dnsleak.com appears to show a DNS leak but https://dnsleaktest.com does not
This is probably good enough for use with open WiFi hotspots, etc. If you have a greater concern you should use a real VPN.
https://addons.mozilla.org/en-US/firefox/addon/pac-reloader/
Local file path syntax for various browsers
https://www.cisco.com/c/en/us/td/docs/security/web_security/connector/connector3000/PACAP.html
https://www.surfeasy.com/vpn-browser-extension-chrome/