How to Detect VPN Users on Your Website (2026 Guide)

Last updated April 2026 — refreshed for current tools, vendor pricing, and detection techniques.

Detecting VPN users on your website is a multi-signal problem: no single technique catches everything, and the wrong approach generates false positives that frustrate legitimate users. This guide covers every reliable detection method available in 2026 — from IP reputation APIs to browser-side fingerprinting — with concrete code examples, current vendor pricing, and a decision framework for choosing the right strategy for your risk profile.

What changed in 2026 — key updates for readers of the 2025 version:Residential proxies are now the hardest detection target. Commercial VPN detection APIs report 95–99% accuracy against known datacenter VPNs, but accuracy drops below 60% for residential proxy networks that route through real home IPs. MaxMind updated its residential proxy user-count data in March 2026 to improve flagging.iCloud Private Relay requires separate handling. Apple's relay routes traffic through Apple-controlled IP ranges, triggering VPN false positives if your detection logic doesn't distinguish it. Apple publishes its relay IP ranges and MaxMind, IPQualityScore, and Fingerprint now all tag Private Relay traffic distinctly.IPQualityScore pricing restructured. The free tier remains 1,000 lookups/month. The SMB+ plan (residential proxy detection included) now starts at $999/month. MaxMind's GeoIP Anonymous Plus database, which covers VPN + Tor + residential proxy, is a separate product from the base GeoIP2 line.IPinfo free tier significantly limited in 2025. Free requests now return country-level data only — not proxy/VPN classification. Paid plans start at $49/month for 150k requests.Fingerprint.com added a dedicated VPN Smart Signal to its device intelligence platform, combining IP lookup with TLS fingerprinting and behavioral signals.

TL;DR — Quick-Reference Tool Comparison

Why Detect VPN Users?

VPN detection serves three distinct business needs, each with different tolerance for false positives:

• Fraud prevention: VPNs are used to bypass geo-restrictions, commit payment fraud, create fake accounts, and evade bans. Fraud systems flag VPN connections as a risk signal — not necessarily a block trigger on their own.
• Regulatory compliance: Streaming platforms, gambling operators, and financial services face licensing or legal requirements to restrict content by jurisdiction. A user connecting from a UK-licensed VPN endpoint while physically in the US creates a compliance gap.
• Analytics integrity: VPN traffic skews geographic attribution in analytics platforms, pollutes A/B test audiences, and produces misleading conversion data.

The right response depends on which of these drives your use case. A fraud team might assign a risk score and allow low-risk VPN traffic through; a streaming platform might hard-block any non-residential IP in a restricted region.

Method 1: IP Reputation Databases and APIs

The most widely deployed technique. Vendors like MaxMind, IPQualityScore, IPinfo, and IP2Location maintain continuously updated databases that classify IP addresses by type: VPN, datacenter, public proxy, Tor exit node, residential proxy, and more.

How it works

• Each incoming request's IP is looked up against a known-bad IP list, typically via a REST API or local binary database.
• The response returns classification flags (is_vpn, is_proxy, is_tor, is_residential_proxy) plus metadata like ASN, ISP, and fraud score.
• Local binary databases (MaxMind MMDB format, IP2Location BIN format) enable sub-millisecond lookups with no network round-trip, at the cost of requiring scheduled updates.

Strengths and limitations

• Strengths: Fast (API: ~10–50ms; local DB: under 1ms with caching), high accuracy against major commercial VPN providers (95%+), well-documented SDKs in most languages.
• Limitations: Requires regular updates — a VPN provider can rotate to a fresh IP range within hours. Residential proxies that use real home IPs are hard to classify purely by IP reputation. Private/self-hosted VPNs on dedicated servers may not appear in any database.

Key vendors in 2026

MaxMind GeoIP2 Anonymous IP / Anonymous Plus — The Anonymous IP database (available as a weekly-updated MMDB file or via GeoIP Insights web service) classifies five anonymizer types: VPN, hosting/datacenter, public proxy, residential proxy, and Tor exit node. The newer Anonymous Plus database adds enhanced residential proxy signals and more granular confidence scores. MaxMind made significant updates to residential proxy user-count data in March 2026 to better detect single-household proxy IPs. Databases update weekly (Tuesdays). GeoLite2 is free but covers geolocation only — it does not include VPN/proxy flags. See MaxMind Anonymous IP docs.

IPQualityScore (IPQS) — Returns 25+ data points per lookup including fraud score, VPN/proxy/Tor/bot classification, and recent abuse activity. Claims 40% higher detection rates vs. competitors, with data refreshed within hours. Free tier: 1,000 lookups/month. Residential proxy detection requires the SMB+ plan ($999/month). Enterprise plan adds device fingerprinting, mobile SDK, and Fraud Fusion. See IPQS proxy detection.

IPinfo Privacy Detection — Identifies VPN, Tor, proxy, relay (including iCloud Private Relay), and residential proxy. Reports the specific privacy service name when available, plus behavioral signals (recency and frequency of proxy activity over the past 7 days). Note: in 2025, IPinfo limited the free tier to country-level data only — proxy/VPN classification requires a paid plan starting at $49/month for 150k requests. See IPinfo VPN detection.

IP2Location IP2Proxy — Available as daily-updated binary databases (PX1–PX12) or as a web service. PX1 covers country + proxy type; PX10 adds residential proxy detection; PX11 adds consumer privacy networks and enterprise private network flags; PX12 adds fraud scoring. The LITE tier (PX2) is free and covers basic VPN/proxy type classification. Verified by third-party security vendors for accuracy. See IP2Proxy docs.

VPNAPI.io — Specialized VPN-only detection API with a continuously maintained database. Returns is_vpn, is_proxy, is_tor, is_relay flags. Free tier: 1,000 requests/day. Paid plans from $19/month. Simpler than full fraud platforms if you only need VPN/proxy classification. See VPNAPI.io.

Code example: IPQS API (Python)

import requests

API_KEY = "your-ipqs-api-key"
IP_ADDRESS = "203.0.113.45"  # the connecting user's IP

url = f"https://ipqualityscore.com/api/json/ip/{API_KEY}/{IP_ADDRESS}"
params = {
    "strictness": 1,          # 0=lenient, 1=balanced, 2=strict, 3=most strict
    "allow_public_access_points": True,  # don't flag hotel/office IPs
    "fast": True,             # skip advanced checks for latency-sensitive paths
}

response = requests.get(url, params=params)
data = response.json()

is_vpn      = data.get("vpn", False)
is_proxy    = data.get("proxy", False)
is_tor      = data.get("tor", False)
fraud_score = data.get("fraud_score", 0)   # 0–100; 75+ is high-risk

if is_vpn or fraud_score >= 75:
    # escalate to challenge / step-up auth, or block based on your policy
    pass

Code example: MaxMind GeoIP2 Anonymous IP (Python)

import geoip2.database

# Download the MMDB file from MaxMind (weekly updates)
with geoip2.database.Reader("/path/to/GeoIP2-Anonymous-IP.mmdb") as reader:
    record = reader.anonymous_ip("203.0.113.45")
    print(record.is_anonymous_vpn)      # True/False
    print(record.is_hosting_provider)   # True/False
    print(record.is_public_proxy)       # True/False
    print(record.is_residential_proxy)  # True/False
    print(record.is_tor_exit_node)      # True/False

Install: pip install geoip2. The local MMDB lookup runs in under 1ms — cache the reader instance at startup rather than opening it per request.

Method 2: Geolocation and Timezone Mismatch

If a user's IP geolocates to Frankfurt but their browser reports Europe/New_York as the system timezone, the mismatch strongly suggests VPN or proxy use. This is a client-side signal, easy to implement, and adds meaningful signal when combined with IP lookup.

Browser timezone detection (JavaScript)

// Get browser-reported timezone
const browserTimezone = Intl.DateTimeFormat().resolvedOptions().timeZone;
// e.g. "America/New_York"

// Send to your backend alongside the IP for cross-reference
fetch("/api/check-location", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ timezone: browserTimezone }),
});

On the server side, compare the timezone against the expected timezone for the IP's country/region. A user in Germany connecting from a US-based VPN exit will show a German browser timezone against a US IP.

GPS / device geolocation

Request navigator.geolocation.getCurrentPosition() and compare the returned coordinates against the IP-based location. This is the most accurate signal available — VPNs mask IP location but cannot move the physical device. Limitations: users frequently deny location permission, and some VPN browser extensions attempt to spoof GPS output in Chromium-based browsers.

• High confidence signal when available. A 1,500km+ gap between GPS coordinates and IP location is definitive.
• Request only on high-stakes flows (checkout, account creation) — asking for location on every page visit increases permission fatigue.

Method 3: WebRTC Leak Detection

WebRTC (Web Real-Time Communication) was designed for peer-to-peer connections and requires the browser to resolve real IP addresses — even when a VPN is active. In practice, many VPN users have WebRTC leaks that expose their actual IP, providing a ground-truth signal for your backend to compare against the reported VPN IP.

Browser behavior in 2026

• Chrome: Still leaks local and public IPs via WebRTC by default. No native setting to disable; requires an extension (WebRTC Network Limiter) or enterprise policy.
• Firefox: Can be fully disabled via about:config → media.peerconnection.enabled = false. VPN-savvy users typically do this.
• Safari: Partial mDNS obfuscation for local IPs; public IP still exposed in most configurations.
• Brave: Blocks WebRTC leaks by default. Brave users will not produce leaks.

Detecting WebRTC leaks (JavaScript)

function getWebRTCIPs(callback) {
  const ips = [];
  const pc = new RTCPeerConnection({ iceServers: [{ urls: "stun:stun.l.google.com:19302" }] });
  pc.createDataChannel("");
  pc.createOffer().then(offer => pc.setLocalDescription(offer));
  pc.onicecandidate = (event) => {
    if (!event || !event.candidate) {
      callback(ips);
      return;
    }
    const match = /(\d{1,3}(\.\d{1,3}){3})/.exec(event.candidate.candidate);
    if (match) ips.push(match[1]);
  };
}

getWebRTCIPs((leakedIPs) => {
  // Send leakedIPs to backend
  // If leakedIPs differ from the user's reported IP, VPN use is likely
  fetch("/api/webrtc-check", {
    method: "POST",
    body: JSON.stringify({ leaked: leakedIPs }),
  });
});

Note: Chrome 119+ uses mDNS candidates for local IPs, so local RFC-1918 addresses may be replaced with a .local hostname. The public IP leak via STUN remains effective for VPN detection.

Method 4: DNS Leak Detection

When a VPN is misconfigured, DNS queries may bypass the VPN tunnel and resolve through the user's real ISP — a "DNS leak." You can detect this server-side by running a controlled DNS lookup test:

1. Serve a unique subdomain per user session (e.g., sess-abc123.dns-check.yourdomain.com).
2. Monitor your authoritative DNS server for which resolver resolves that subdomain.
3. If the resolver's IP differs significantly from the user's HTTP connection IP — especially in a different country — it indicates a DNS leak revealing the real ISP.

This technique requires controlling your own DNS infrastructure and is more practical for high-security or compliance-driven applications than general-purpose websites.

Method 5: TCP/IP and TLS Fingerprinting

At the network layer, VPN connections introduce characteristics that differ from native connections:

• MTU/MSS values: VPN encapsulation reduces the effective Maximum Transmission Unit. An MTU of 1380 or 1420 instead of the standard 1500 is a fingerprint for common VPN protocols (WireGuard, OpenVPN).
• TCP/IP stack fingerprinting: Tools like p0f analyze TCP header fields (TTL, window size, options order) to infer the remote OS and connection type. A Windows client producing a TCP fingerprint consistent with a Linux VPN gateway is anomalous.
• TLS fingerprinting (JA3/JA4): The TLS ClientHello handshake is unique per client library and version. Fingerprint.com and SEON use TLS fingerprints as one signal in their VPN detection Smart Signals — a browser claiming to be Chrome but producing a non-Chrome TLS fingerprint indicates interception or tunneling.
• Port patterns: OpenVPN typically uses UDP 1194 or TCP 443; WireGuard uses UDP 51820; IPsec uses UDP 500/4500. These are weak signals on their own (modern VPNs use port 443 to blend with HTTPS) but can reinforce other signals.

Traffic fingerprinting at this level requires access to raw TCP/IP headers — practical for on-premises infrastructure or cloud WAFs, but not directly available to web application code in the browser.

Method 6: Browser and Device Fingerprinting

Browser fingerprinting collects stable device attributes — screen resolution, installed fonts, Canvas rendering, WebGL renderer, audio processing characteristics, hardware concurrency — and combines them into a persistent visitor identifier. When combined with IP detection, fingerprinting adds two valuable signals:

• Identity continuity across IP changes: A VPN user rotating through multiple exit IPs will still carry the same device fingerprint, allowing you to link sessions across IP changes and build a behavioral profile.
• Inconsistency detection: A browser whose navigator.platform claims to be macOS but whose WebGL renderer string matches a headless Linux VM is suspicious.

Fingerprint.com offers this as a managed platform. Their VPN Smart Signal (added in 2025) combines device fingerprinting with IP reputation lookup and TLS analysis, returning a single is_vpn boolean with confidence score. The platform is designed for fraud prevention scenarios where you need stable visitor IDs across sessions. Pricing: contact sales; enterprise tier. See Fingerprint VPN detection.

SEON combines device fingerprinting with digital footprint analysis (email, phone, social signals) for a holistic fraud score. Their device module detects VPN, residential proxy, mobile proxy, and Tor in real time using over 900 proprietary signals. Unlike pure IP-lookup tools, SEON scores the full user identity — useful when the decision is "is this person a fraud risk?" rather than "is this connection anonymized?" See SEON VPN detection.

Method 7: Behavioral and Anomaly Analysis

Machine learning models can flag VPN-typical behavior patterns without relying on IP databases:

• High IP sharing: Many distinct user sessions originating from the same IP (common on VPN exit nodes) is a strong signal. Legitimate shared IPs (offices, universities) produce similar patterns — use thresholds appropriate to your traffic mix.
• Rapid location changes: A single user account appearing in Tokyo at 09:00 and New York at 09:15 is physically impossible — this "impossible travel" pattern is classic VPN/account-sharing detection.
• Session velocity anomalies: VPN users cycling IPs often produce irregular session patterns — short sessions, repeated logins, or checkout attempts spread across many IPs.
• Click pattern analysis: Mouse movement, scroll behavior, and typing cadence are difficult to fake through a VPN and can distinguish automated scripts from human users.

Behavioral analysis is the only technique that can catch private, self-hosted VPNs that don't appear in any IP database. The tradeoff is model complexity and training data requirements. For teams without dedicated fraud engineering, commercial platforms like SEON or Fingerprint bundle behavioral analysis alongside IP lookup.

Special Case: iCloud Private Relay

iCloud Private Relay, available to iCloud+ subscribers on Apple devices, routes Safari traffic through two hops: an Apple ingress node (which knows the user's real IP but not the destination) and a CDN partner egress node (which knows the destination but not the real IP). The result is an anonymized IP from Apple's published relay ranges.

Key differences from a traditional VPN:

• Private Relay keeps users in their approximate geographic region — a user in Germany still appears to be in Germany, just on an Apple IP.
• Apple publishes its relay IP ranges at mask-api.icloud.com/egress-ip-ranges.csv. Update this list regularly — Apple rotates IP ranges.
• Private Relay traffic is not fraud-indicating — it's a standard privacy feature used by ordinary iCloud+ subscribers.

If your detection logic doesn't distinguish Private Relay from traditional VPN traffic, you will generate significant false positives among Safari/iOS users. MaxMind, IPQualityScore, and IPinfo all now tag Private Relay specifically as a relay or consumer_privacy_network flag distinct from is_vpn. Adjust your risk scoring accordingly: Private Relay alone should not trigger a hard block.

Recommended Architecture: Layered Detection

No single method is sufficient. Production systems should combine signals:

1. Server-side IP lookup (required baseline): Every request runs the connecting IP through MaxMind or IPQS. Fast, cheap, catches 95%+ of commercial VPN traffic.
2. Client-side timezone/GPS check (medium-risk flows): On account creation or checkout, compare browser timezone against IP-reported region. Flag mismatches as an additional risk signal.
3. WebRTC leak check (high-risk flows): On high-value transactions, run a client-side WebRTC leak test and report the discovered IPs to your backend. Only effective on browsers that haven't disabled WebRTC.
4. Device fingerprinting (fraud-intensive contexts): Use Fingerprint.com or SEON when you need persistent visitor identity across IP changes — valuable for account fraud and repeat offender detection.
5. Behavioral scoring (continuous): Track impossible travel, IP sharing rates, and session velocity at the account/session level. Flag anomalies for step-up authentication rather than immediate blocking.

How to Choose: Decision Framework

Accuracy: What to Expect

Published accuracy numbers are vendor self-reported unless otherwise noted. Use these as directional guidance:

• Commercial datacenter VPNs (ExpressVPN, NordVPN, Mullvad, etc.): 95–99% detection accuracy across major IP reputation databases. These providers are well-known and their IP ranges are widely catalogued.
• Tor exit nodes: Near-100% detection accuracy — Tor exit node lists are public and updated frequently.
• Public proxies: 90–95% — High turnover but frequently re-catalogued.
• Residential proxies (e.g., Bright Data, Oxylabs, Smartproxy): Detection accuracy varies widely, from below 60% for basic IP lookup up to 85–90% with behavioral signals added. These networks use real ISP-assigned home IP addresses — they look identical to legitimate user IPs without behavioral context.
• Private/self-hosted VPNs: Unreliable to detect via IP database alone. Behavioral signals (session patterns, impossible travel) are the primary lever.
• iCloud Private Relay: Detectable as relay traffic with updated vendor databases. Should not be treated as fraud — treat as a privacy tool.

IPQS claims 40% higher detection than competitors. GREIP reported 99.98% uptime over 90 days (2025). These are self-reported and not independently audited; treat all vendor accuracy claims accordingly. For critical systems, run a parallel evaluation period comparing two providers against your own labeled traffic before committing.

Common Pitfalls and Troubleshooting

Pitfall 1: Blocking legitimate users

Shared networks (hotel WiFi, corporate NAT, university networks) produce patterns similar to VPN traffic — many users behind a single IP. Set allow_public_access_points: true in IPQS or equivalent parameters in other APIs. Never hard-block solely on a single signal.

Pitfall 2: Stale IP databases

A local MaxMind MMDB file that hasn't been updated in 30+ days will miss recently launched VPN exit nodes. MaxMind updates its databases weekly; automate the download with a cron job or use the GeoIP Update tool (geoipupdate) which handles incremental updates. IPQS API calls always use real-time data — no stale database risk, but adds latency.

Pitfall 3: iCloud Private Relay false positives

If your detection flags all Apple relay IPs as VPN and blocks them, you are blocking ordinary iCloud+ subscribers using Safari on iPhone. Download Apple's current relay ranges from mask-api.icloud.com/egress-ip-ranges.csv and treat relay-flagged traffic separately from VPN-flagged traffic in your risk model.

Pitfall 4: Relying on WebRTC leaks as a primary signal

Brave users, Firefox users with WebRTC disabled, and users with privacy extensions will produce no WebRTC leak — they'll look identical to a well-configured VPN user. WebRTC leak detection is a bonus signal, not a baseline.

Pitfall 5: Regulatory and privacy compliance

In GDPR-covered jurisdictions, requesting device geolocation or running browser fingerprinting without user consent may require a legal basis. Browser fingerprinting in particular may constitute "processing" of personal data under GDPR Article 4(1). Disclose VPN detection practices in your privacy policy and ensure your legal basis (legitimate interests or consent) is documented if you operate in the EU/UK.

Pitfall 6: Underestimating residential proxies

Residential proxy networks (Bright Data, Oxylabs, Smartproxy, IPRoyal) are the fastest-growing evasion tool as of 2026. These use real home IP addresses bought from ISPs or obtained via SDK integrations in consumer apps. IP reputation databases catch a fraction of them. If residential proxy abuse is your threat model, add behavioral signals and consider a purpose-built platform like SEON or Fingerprint.

When to Block, Challenge, or Allow

The strongest pattern in fraud prevention is graduated response, not binary block/allow:

• Allow: Low fraud score, VPN flag only (no other signals), Private Relay traffic — do not disrupt legitimate privacy-conscious users.
• Challenge (step-up auth): VPN + timezone mismatch, or high fraud score on a non-critical action. Require email OTP or CAPTCHA before proceeding.
• Hard block: VPN + confirmed prior fraud, or regulatory hard-block requirement for geo-restricted content. Log the block reason for auditability.
• Risk-score and monitor: Store the VPN flag in session/user profile data. Use it as an input to downstream risk models without taking immediate action.

Building vs. Buying

For most teams, a managed IP reputation API is the right starting point. Self-hosted binary databases make sense when:

• Request volume exceeds ~1M/day (API costs become significant).
• Latency budget is under 5ms per request (no API round-trip possible).
• Compliance requirements prohibit sending IP addresses to third-party APIs.

Full fraud platforms (SEON, Fingerprint) make sense when VPN detection is one signal in a broader fraud prevention program — account takeover, payment fraud, loyalty abuse — and you need device fingerprinting, digital footprint analysis, and case management tooling in one platform.

If you're building or scaling a security-sensitive platform and need vetted developers with fraud prevention or backend API integration experience, Codersera's vetted remote developer network specializes in exactly this kind of infrastructure work.

FAQ

Can I detect all VPN users?

No. Commercial VPN providers using datacenter IP ranges are detected at 95%+ accuracy. Private VPNs, self-hosted WireGuard servers, and VPNs routing through residential proxy networks are significantly harder. A combination of IP lookup, behavioral analysis, and device fingerprinting gets you to 85–90% coverage in most threat models, but no system catches 100%.

Will VPN detection break iCloud Private Relay users?

It will if you don't handle it separately. Apple's relay IPs are published and all major detection APIs now flag Private Relay as a distinct category from VPN. Apply different risk treatment: relay traffic is privacy-motivated, not fraud-motivated, and comes from a defined geographic region.

How do I detect VPNs without hurting user experience?

Use graduated responses: assign a risk score, step up to verification on suspicious signals, and hard-block only confirmed bad actors. Never block on a single signal. Allow public access points (allow_public_access_points: true in IPQS, equivalent elsewhere). Test your false positive rate against your actual user base before deploying.

Is browser fingerprinting legal?

In the EU/UK, GDPR requires a legal basis for fingerprinting. "Legitimate interests" may apply for fraud prevention, but document your data protection impact assessment. In the US, California's CCPA/CPRA includes fingerprinting data as "sensitive personal information" in some contexts. Review with legal counsel before deploying fingerprinting in consumer-facing products.

What's the fastest VPN detection method for high-traffic sites?

A locally hosted binary database (MaxMind MMDB or IP2Location BIN format) queried with a native library runs in under 1ms with no network latency. Cache the database reader at process startup. Schedule weekly automated updates using MaxMind's geoipupdate CLI or IP2Location's scheduled download. At very high volume (>100M requests/day), pre-warm an in-memory hash of VPN IP ranges for O(1) lookup.

Can VPN users bypass WebRTC leak detection?

Yes. Brave blocks WebRTC leaks by default. Firefox users can disable WebRTC entirely. Chrome users with the WebRTC Network Limiter extension are also protected. Assume that any VPN user who cares about privacy has already addressed WebRTC leaks. Use WebRTC as a bonus signal to catch less-sophisticated users, not as a primary detection layer.

What's a residential proxy and why is it harder to detect?

A residential proxy routes traffic through IP addresses assigned by ISPs to real homes and apartments — the same IP class as your legitimate users. Unlike datacenter VPN IPs which are easy to identify by ASN (Amazon, Google Cloud, OVH, etc.), residential IPs belong to Comcast, BT, or Telstra ASNs. Detection requires behavioral analysis: session velocity, IP sharing rates, and cross-session pattern matching rather than IP classification alone.

Do I need to tell users I'm detecting VPNs?

Depends on jurisdiction and method. IP reputation lookup of a publicly-accessible IP address generally doesn't require disclosure. Browser fingerprinting and GPS geolocation requests typically do — include a disclosure in your privacy policy and ensure you have a documented legal basis under GDPR if applicable. For geo-blocking purposes, a brief "this content isn't available in your region" message is standard practice.

References & Further Reading

• MaxMind GeoIP Anonymous IP Database — Developer Documentation
• MaxMind minFraud Release Notes 2026
• IPQualityScore Proxy & VPN Detection API
• IPinfo Privacy Detection — Product Overview
• IP2Location IP2Proxy Database
• Fingerprint.com — How VPN Detection Works (2026)
• SEON — VPN Detection Tests: How to Spot Masked IPs & Stop Fraud
• VPNAPI.io — Specialized VPN Detection API