TLDR: In UniFi’s traffic stats, are the “Apps” labels fairly accurate, based on both destination IP address and network protocol, or is it a “best guess” and only accurate for the most popular services?
I own a small business, and while I’m fairly comfortable managing our office’s UniFi installation and a few users, I’m certainly not an IT professional.
I try to keep an eye on the traffic stats, especially on the VLANs where IoT devices are isolated, and for traffic to TOR, VPNs etc. Recently, a few devices that I expect to be making OpenVPN or WireGuard connections to private servers started showing up in the UniFi controller’s stats as connecting to free public VPN services. Specifically, traffic from several IP cameras used to show up as “OpenVPN Tunnel” or something similar, but now shows traffic to “HotspotShield”. An Android device we manage via our own WireGuard server on AWS shows traffic to the “Hola” VPN service.
I suspect UniFi is just mislabeling our traffic because it’s similar, but what do y’all think? With many controllers now reporting anonymized data, I’m sure Ubiquiti sees a lot of reported traffic destined for those free VPN services, but I would think the traffic stats would be categorized by IP address or domain. Does anyone here know how the “Apps” labels are applied?
The only queries in our DNS server logs from those devices are for the servers we use to manage them, although I suppose an attacker might not query the DHCP-assigned DNS server. The cameras are isolated on one VLAN and the Android device on another, so DNS is the only thing on the LAN they should be able to access.
What say you, Reddit? Should I ignore it or freak out?
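The check the post's own reasoning points toward, written out as an added example (this is not part of the original post and not UniFi's or Ubiquiti's code): decide per flow from the destination IP, port and protocol against an allow-list of the servers you actually operate, and treat the DPI "App" label as informational only. The VLAN subnets, the server addresses (drawn from the TEST-NET documentation ranges) and the flow records are constructed placeholders; substitute your own exported flows and your own server addresses.

```python
"""Triage VPN-like flows from isolated VLANs by destination, not by DPI label.

Added example. All addresses, VLAN subnets and flow records below are
constructed placeholders, not values from any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Per isolated VLAN: the only endpoints its devices should reach, mapped to the
# protocol we expect DPI to call it. Placeholder TEST-NET addresses.
Endpoint = Tuple[str, int, str]  # (dst_ip, dst_port, proto)
EXPECTED_ENDPOINTS: Dict[str, Dict[Endpoint, str]] = {
    "cameras": {
        ("198.51.100.10", 1194, "udp"): "OpenVPN",   # our camera VPN concentrator (placeholder)
        ("198.51.100.53", 53, "udp"): "DNS",         # DHCP-assigned resolver (placeholder)
    },
    "android": {
        ("203.0.113.20", 51820, "udp"): "WireGuard", # our WireGuard server (placeholder)
        ("203.0.113.53", 53, "udp"): "DNS",
    },
}
VLAN_SUBNETS = {
    "cameras": ip_network("10.10.20.0/24"),  # constructed
    "android": ip_network("10.10.30.0/24"),  # constructed
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    app_label: str  # whatever the controller's DPI reported; never used for the verdict


def vlan_of(src: str) -> Optional[str]:
    """Name the isolated VLAN a source address belongs to, or None if unknown."""
    addr = ip_address(src)
    for name, net in VLAN_SUBNETS.items():
        if addr in net:
            return name
    return None


def classify(flow: Flow) -> str:
    """'expected', 'unexpected' or 'unknown-vlan', based only on dst/port/proto."""
    vlan = vlan_of(flow.src)
    if vlan is None:
        return "unknown-vlan"
    key = (flow.dst, flow.dport, flow.proto.lower())
    return "expected" if key in EXPECTED_ENDPOINTS[vlan] else "unexpected"


def triage(flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Separate 'DPI named it wrong' from 'device talks to a host we do not own'."""
    report: Dict[str, List[Flow]] = {
        "fine": [],                    # expected destination, expected label
        "label_mismatch_only": [],     # expected destination, DPI label disagrees
        "unexpected_destination": [],  # destination not on the allow-list: investigate
    }
    for f in flows:
        verdict = classify(f)
        if verdict == "expected":
            expected_label = EXPECTED_ENDPOINTS[vlan_of(f.src)][(f.dst, f.dport, f.proto.lower())]
            bucket = "fine" if f.app_label == expected_label else "label_mismatch_only"
            report[bucket].append(f)
        elif verdict == "unexpected":
            report["unexpected_destination"].append(f)
    return report


# Constructed sample: our own servers carrying free-VPN labels, plus one flow to
# an address we do not operate at all.
SAMPLE_FLOWS = [
    Flow("10.10.20.5", "198.51.100.10", 1194, "udp", "HotspotShield"),
    Flow("10.10.20.6", "198.51.100.53", 53, "udp", "DNS"),
    Flow("10.10.30.12", "203.0.113.20", 51820, "udp", "Hola"),
    Flow("10.10.20.7", "192.0.2.77", 443, "tcp", "HotspotShield"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS)
    for f in result["label_mismatch_only"]:
        print(f"label mismatch only: {f.src} -> {f.dst}:{f.dport}/{f.proto} labelled {f.app_label!r}")
    for f in result["unexpected_destination"]:
        print(f"INVESTIGATE: {f.src} -> {f.dst}:{f.dport}/{f.proto} labelled {f.app_label!r}")
```

The point of splitting the output this way is that the post mixes two questions: whether the label is wrong, and whether the destination is wrong. A flow to a server you run, labelled as some other VPN product, is the first kind and is only a classification curiosity; a flow from an isolated VLAN to an address that is not on your allow-list is the second kind and is the one worth chasing, whatever DPI calls it.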