How to Detect VPN and Proxy Users on Your Website
March 25, 2026
VPNs and proxies are privacy tools that mask a user's real IP address. For most internet users, that's a perfectly legitimate use case. But for businesses running signup flows, processing payments, or gating content by region, masked IPs create real problems.
The question isn't whether VPN users are "bad" — it's whether hiding location and identity correlates with higher fraud risk in your specific context. Spoiler: it usually does.
Why VPN Detection Matters
When a user connects through a VPN, you lose several important signals:
- Geographic location — The IP resolves to the VPN server, not the user's real city or country. Geolocation-based fraud rules become useless.
- ISP information — Instead of seeing "Comcast, residential" you see "DigitalOcean, datacenter." The connection context disappears.
- IP reputation — VPN IP addresses are shared across thousands of users. If one user commits fraud from a VPN IP, that reputation data can't be linked back to the individual.
For businesses, this means:
- Free tier abuse — Users create multiple accounts from different VPN IPs to bypass limits. Each account looks like it's from a different country and ISP.
- Chargeback fraud — A customer in the US uses a UK VPN to make a purchase, then disputes the charge claiming it was unauthorized because the location "doesn't match."
- Content licensing issues — Streaming services and region-locked content get bypassed, creating licensing compliance problems.
- Promotional abuse — Location-based promotions and pricing get exploited when users can appear to be anywhere.
Types of IP Masking
Not all hidden IPs are the same. Understanding the differences helps you calibrate your response.
Commercial VPNs
Services like NordVPN, ExpressVPN, and Surfshark route traffic through their server network. These are the most common and generally the easiest to detect because the providers operate known IP ranges.
Detection difficulty: Low to medium. Most commercial VPN IP ranges are well-catalogued.
Proxy Servers
HTTP or SOCKS proxies route web traffic through an intermediary server. They don't encrypt all traffic like VPNs, but they do mask the user's real IP.
Detection difficulty: Medium. Proxy servers are often hosted on datacenter infrastructure, making them detectable via datacenter IP checks.
Tor (The Onion Router)
Tor routes traffic through multiple volunteer-operated nodes, making it extremely difficult to trace. Tor exit nodes, the final hop before traffic reaches your server, appear on published lists.
Detection difficulty: Low for exit nodes (the list is public). Very high for Tor bridges and hidden services.
Residential Proxies
The hardest to detect. These route traffic through real residential IP addresses, often through compromised devices or peer-to-peer networks. The traffic appears to come from a normal home internet connection.
Detection difficulty: High. These IPs look identical to legitimate residential users. Detection relies on behavioral analysis and known residential proxy provider IP pools.
How VPN Detection Works
IP intelligence services use multiple detection methods:
1. IP Range Matching
Commercial VPN providers operate on known IP ranges, typically allocated to datacenter hosting providers. Databases maintain mappings of IP ranges to VPN providers, updated continuously as providers add and rotate infrastructure.
2. Datacenter IP Detection
Most VPN servers run on cloud infrastructure (AWS, Google Cloud, Hetzner, OVH, etc.). If an IP belongs to a datacenter rather than a residential ISP, it's a strong signal that the user is using a VPN, proxy, or automated tool.
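The range lookup behind methods 1 and 2, shown as an added example (not code from the original page or from Fidro). The ranges use RFC 5737 documentation addresses with hypothetical owners, `buildIndex` and `classifyIp` are names chosen here, and only IPv4 is handled.

```javascript
// Constructed sample data: RFC 5737 documentation blocks, hypothetical owners.
// A real deployment would load a maintained, regularly refreshed feed.
const RANGES = [
  { cidr: '198.51.100.0/24', type: 'vpn', owner: 'ExampleVPN (hypothetical)' },
  { cidr: '203.0.113.0/25', type: 'datacenter', owner: 'ExampleCloud (hypothetical)' },
  { cidr: '192.0.2.16/28', type: 'proxy', owner: 'ExampleProxy (hypothetical)' },
];

// Convert a dotted-quad IPv4 string to an unsigned 32-bit number; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).trim().split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p); // multiplication avoids 32-bit signed overflow
  }
  return n;
}

// Pre-compute [start, end] for each CIDR and sort by start for binary search.
function buildIndex(ranges) {
  return ranges.map((r) => {
    const [base, bits] = r.cidr.split('/');
    const size = 2 ** (32 - Number(bits));
    const start = Math.floor(ipv4ToInt(base) / size) * size;
    return { ...r, start, end: start + size - 1 };
  }).sort((a, b) => a.start - b.start);
}

// Find the range containing the address (ranges are assumed not to overlap).
function classifyIp(index, ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return { type: 'invalid' };
  let lo = 0;
  let hi = index.length - 1;
  while (lo <= hi) {
    const mid = (lo + hi) >> 1;
    if (n < index[mid].start) hi = mid - 1;
    else if (n > index[mid].end) lo = mid + 1;
    else return { type: index[mid].type, owner: index[mid].owner };
  }
  // Absence from the list is not proof of a residential connection.
  return { type: 'unlisted' };
}

const INDEX = buildIndex(RANGES);
```

An `unlisted` result only means the address is missing from the loaded ranges, which is why the lookup is one signal among several rather than a verdict.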
3. Connection Fingerprinting
Advanced detection examines TCP/IP headers, TLS fingerprints, and WebRTC leaks. A connection claiming to be from a residential browser but showing datacenter-typical TCP window sizes or missing WebRTC data raises flags.
4. Behavioral Patterns
IP addresses that generate traffic from hundreds of different "users" in short periods are likely VPN exit points. Pattern analysis across time identifies shared infrastructure even when individual requests look normal.
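The shared-IP pattern from method 4, as an added example that is not part of the original page: a sliding window counts distinct accounts seen per IP. The events, the `findSharedIps` name, and the small window and threshold are constructed for illustration.

```javascript
// Constructed sample events (ts in seconds); not real traffic.
const SAMPLE_EVENTS = [
  { ip: '198.51.100.42', account: 'a1', ts: 0 },
  { ip: '198.51.100.42', account: 'a2', ts: 30 },
  { ip: '198.51.100.42', account: 'a3', ts: 45 },
  { ip: '198.51.100.42', account: 'a4', ts: 90 },
  { ip: '198.51.100.42', account: 'a5', ts: 120 },
  { ip: '203.0.113.9', account: 'u1', ts: 10 },  // one busy user
  { ip: '203.0.113.9', account: 'u1', ts: 20 },
  { ip: '203.0.113.9', account: 'u1', ts: 30 },
  { ip: '192.0.2.50', account: 'h1', ts: 0 },    // household, spread over hours
  { ip: '192.0.2.50', account: 'h2', ts: 4000 },
  { ip: '192.0.2.50', account: 'h3', ts: 9000 },
];

// Return IPs whose peak number of distinct accounts inside any window of
// windowSec seconds reaches the threshold.
function findSharedIps(events, windowSec, threshold) {
  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const flagged = [];
  for (const [ip, list] of byIp) {
    list.sort((a, b) => a.ts - b.ts);
    const inWindow = new Map(); // account -> event count inside the window
    let left = 0;
    let peak = 0;
    for (const e of list) {
      inWindow.set(e.account, (inWindow.get(e.account) || 0) + 1);
      // Evict events that fell out of the window before measuring.
      while (e.ts - list[left].ts > windowSec) {
        const old = list[left++].account;
        const c = inWindow.get(old) - 1;
        if (c === 0) inWindow.delete(old);
        else inWindow.set(old, c);
      }
      peak = Math.max(peak, inWindow.size);
    }
    if (peak >= threshold) flagged.push({ ip, peakDistinctAccounts: peak });
  }
  return flagged;
}
```

Counting distinct accounts rather than raw requests keeps a single heavy user from being flagged, and the window keeps a household that signs in over several hours below the threshold.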
Implementing VPN Detection
The API Approach
The simplest implementation is calling an IP intelligence API at signup or checkout:
```bash
curl -X POST https://api.fidro.io/v1/validate \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"ip": "198.51.100.42", "country_code": "US"}'
```
The response includes VPN, proxy, Tor, and datacenter detection:
```json
{
  "risk_score": 62,
  "data": {
    "checks": {
      "vpn": true,
      "proxy": false,
      "tor": false,
      "datacenter": true,
      "location_match": false
    },
    "location": {
      "country_code": "NL",
      "city": "Amsterdam",
      "isp": "DigitalOcean, LLC"
    }
  }
}
```
In this example, the user claims to be in the US but their IP is a DigitalOcean datacenter in Amsterdam running a VPN. The location_match: false flag confirms the geographic mismatch.
Decision Framework
Don't just block all VPN users. Use the detection as one input in a risk assessment:
| Scenario | VPN? | Other Signals | Action |
|---|---|---|---|
| New signup | Yes | Disposable email | Block |
| New signup | Yes | Gmail, no other red flags | Allow, flag for monitoring |
| Payment | Yes | Billing country matches VPN country | Allow |
| Payment | Yes | Billing country ≠ VPN country | Require additional verification |
| Free tier | Yes | Multiple signups from same VPN IP | Block, likely abuse |
| Returning user | Yes | Previously used residential IP | Allow, note the change |
The key principle: VPN detection adds context, not a verdict. Combine it with email validation, geolocation matching, and account history to make nuanced decisions.
Code Example: Express Middleware
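```javascript
async function fraudCheck(req, res, next) {
  // Use req.ip rather than the raw X-Forwarded-For header: the client controls
  // the leftmost entry of that header and could supply any address to evade
  // the check. Behind a load balancer, configure Express's 'trust proxy'
  // setting so that req.ip resolves to the real client address.
  const ip = req.ip;
  try {
    const response = await fetch('https://api.fidro.io/v1/validate', {
      method: 'POST',
      headers: {
        'Authorization': `Bearer ${process.env.FIDRO_API_KEY}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ ip, email: req.body.email }),
    });
    // Treat non-2xx responses as an API failure instead of parsing an error body
    if (!response.ok) {
      throw new Error(`Validation API returned HTTP ${response.status}`);
    }
    const result = await response.json();
    const checks = result.data.checks;
    // Block high-risk: VPN + disposable email combo
    if (checks.vpn && checks.disposable_email) {
      return res.status(403).json({
        error: 'Please disable your VPN and use a permanent email address.',
      });
    }
    // Flag moderate risk for review
    req.riskScore = result.risk_score;
    next();
  } catch (err) {
    // Fail open — don't block users if API is unavailable
    // Log the skip so unchecked requests remain visible in monitoring
    console.warn('fraudCheck skipped:', err.message);
    next();
  }
}
```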
VPN vs. Proxy vs. Tor: Quick Reference
| Property | VPN | Proxy | Tor |
|---|---|---|---|
| Encrypts all traffic | Yes | No (usually) | Yes |
| Masks IP address | Yes | Yes | Yes |
| Speed impact | Moderate | Low | High |
| Detection difficulty | Low-Medium | Medium | Low (exit nodes) |
| Typical use | Privacy, geo-bypass | Web scraping, geo-bypass | Anonymity |
| Fraud correlation | Medium | Medium-High | High |
When NOT to Block VPN Users
VPN detection should inform your decisions, not replace them. There are legitimate reasons to allow VPN traffic:
- Privacy-conscious users — Some people use VPNs for everyday browsing and will abandon your product if blocked.
- Corporate networks — Employees behind corporate VPNs are legitimate users whose traffic routes through datacenter IPs.
- Censorship circumvention — Users in countries with internet restrictions rely on VPNs to access your product at all.
- Remote workers — Developers and knowledge workers frequently use VPNs, especially when working from public WiFi.
A blanket VPN block loses these users. A risk-based approach keeps them while still catching fraud.
Try It Yourself
Want to see what VPN and proxy detection looks like in practice? Use Fidro's free VPN detector tool to check any IP address instantly — no signup required.
For production use, the Fidro API includes VPN, proxy, Tor, and datacenter detection in every validation request. The free plan includes 200 lookups per month.