# How to Detect VPN and Proxy Users on Your Website

> VPNs and proxies hide a user's real location and identity. Learn how VPN detection works, when to block VPN users, and how to implement IP intelligence in your application.

**Author:** Matt King | **Published:** March 25, 2026 | **Category:** IP Intelligence

---

VPNs and proxies are privacy tools that mask a user's real IP address. For most internet users, that's a perfectly legitimate use case. But for businesses running signup flows, processing payments, or gating content by region, masked IPs create real problems.

The question isn't whether VPN users are "bad" — it's whether hiding location and identity correlates with higher fraud risk in your specific context. Spoiler: it usually does.

## Why VPN Detection Matters

When a user connects through a VPN, you lose several important signals:

- **Geographic location** — The IP resolves to the VPN server, not the user's real city or country. Geolocation-based fraud rules become useless.
- **ISP information** — Instead of seeing "Comcast, residential" you see "DigitalOcean, datacenter." The connection context disappears.
- **IP reputation** — VPN IP addresses are shared across thousands of users. If one user commits fraud from a VPN IP, that reputation data can't be linked back to the individual.

For businesses, this means:

- **Free tier abuse** — Users create multiple accounts from different VPN IPs to bypass limits. Each account looks like it's from a different country and ISP.
- **Chargeback fraud** — A customer in the US uses a UK VPN to make a purchase, then disputes the charge claiming it was unauthorized because the location "doesn't match."
- **Content licensing issues** — Streaming services and region-locked content get bypassed, creating licensing compliance problems.
- **Promotional abuse** — Location-based promotions and pricing get exploited when users can appear to be anywhere.

## Types of IP Masking

Not all hidden IPs are the same. Understanding the differences helps you calibrate your response.

### Commercial VPNs
Services like NordVPN, ExpressVPN, and Surfshark route traffic through their server network. These are the most common and generally the easiest to detect because the providers operate known IP ranges.

**Detection difficulty:** Low to medium. Most commercial VPN IP ranges are well-catalogued.

### Proxy Servers
HTTP or SOCKS proxies route web traffic through an intermediary server. They don't encrypt all traffic like VPNs, but they do mask the user's real IP.

**Detection difficulty:** Medium. Proxy servers are often hosted on datacenter infrastructure, making them detectable via datacenter IP checks.

### Tor (The Onion Router)
Tor routes traffic through multiple volunteer-operated nodes, making it extremely difficult to trace. Tor exit nodes — the final hop before reaching your server — maintain published lists.

**Detection difficulty:** Low for exit nodes (the list is public). Very high for Tor bridges and hidden services.

### Residential Proxies
The hardest to detect. These route traffic through real residential IP addresses, often through compromised devices or peer-to-peer networks. The traffic appears to come from a normal home internet connection.

**Detection difficulty:** High. These IPs look identical to legitimate residential users. Detection relies on behavioral analysis and known residential proxy provider IP pools.

## How VPN Detection Works

IP intelligence services use multiple detection methods:

### 1. IP Range Matching
Commercial VPN providers operate on known IP ranges, typically allocated to datacenter hosting providers. Databases maintain mappings of IP ranges to VPN providers, updated continuously as providers add and rotate infrastructure.

### 2. Datacenter IP Detection
Most VPN servers run on cloud infrastructure (AWS, Google Cloud, Hetzner, OVH, etc.). If an IP belongs to a datacenter rather than a residential ISP, it's a strong signal that the user is using a VPN, proxy, or automated tool.

### 3. Connection Fingerprinting
Advanced detection examines TCP/IP headers, TLS fingerprints, and WebRTC leaks. A connection claiming to be from a residential browser but showing datacenter-typical TCP window sizes or missing WebRTC data raises flags.

### 4. Behavioral Patterns
IP addresses that generate traffic from hundreds of different "users" in short periods are likely VPN exit points. Pattern analysis across time identifies shared infrastructure even when individual requests look normal.

## Implementing VPN Detection

### The API Approach

The simplest implementation is calling an IP intelligence API at signup or checkout:

```bash
curl -X POST https://api.fidro.io/v1/validate \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"ip": "198.51.100.42", "country_code": "US"}'
```

The response includes VPN, proxy, Tor, and datacenter detection:

```json
{
  "risk_score": 62,
  "data": {
    "checks": {
      "vpn": true,
      "proxy": false,
      "tor": false,
      "datacenter": true,
      "location_match": false
    },
    "location": {
      "country_code": "NL",
      "city": "Amsterdam",
      "isp": "DigitalOcean, LLC"
    }
  }
}
```

In this example, the user claims to be in the US but their IP is a DigitalOcean datacenter in Amsterdam running a VPN. The `location_match: false` flag confirms the geographic mismatch.

### Decision Framework

Don't just block all VPN users. Use the detection as one input in a risk assessment:

| Scenario | VPN? | Other Signals | Action |
|----------|------|---------------|--------|
| New signup | Yes | Disposable email | Block |
| New signup | Yes | Gmail, no other red flags | Allow, flag for monitoring |
| Payment | Yes | Billing country matches VPN country | Allow |
| Payment | Yes | Billing country ≠ VPN country | Require additional verification |
| Free tier | Yes | Multiple signups from same VPN IP | Block, likely abuse |
| Returning user | Yes | Previously used residential IP | Allow, note the change |

The key principle: **VPN detection adds context, not a verdict.** Combine it with email validation, geolocation matching, and account history to make nuanced decisions.

### Code Example: Express Middleware

```javascript
async function fraudCheck(req, res, next) {
  const ip = req.headers['x-forwarded-for']?.split(',')[0] || req.ip;

  try {
    const response = await fetch('https://api.fidro.io/v1/validate', {
      method: 'POST',
      headers: {
        'Authorization': `Bearer ${process.env.FIDRO_API_KEY}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ ip, email: req.body.email }),
    });

    const result = await response.json();

    // Block high-risk: VPN + disposable email combo
    if (result.data.checks.vpn && result.data.checks.disposable_email) {
      return res.status(403).json({
        error: 'Please disable your VPN and use a permanent email address.',
      });
    }

    // Flag moderate risk for review
    req.riskScore = result.risk_score;
    next();
  } catch (err) {
    // Fail open — don't block users if API is unavailable
    next();
  }
}
```

## VPN vs. Proxy vs. Tor: Quick Reference

| Property | VPN | Proxy | Tor |
|----------|-----|-------|-----|
| Encrypts all traffic | Yes | No (usually) | Yes |
| Masks IP address | Yes | Yes | Yes |
| Speed impact | Moderate | Low | High |
| Detection difficulty | Low-Medium | Medium | Low (exit nodes) |
| Typical use | Privacy, geo-bypass | Web scraping, geo-bypass | Anonymity |
| Fraud correlation | Medium | Medium-High | High |

## When NOT to Block VPN Users

VPN detection should inform your decisions, not replace them. There are legitimate reasons to allow VPN traffic:

- **Privacy-conscious users** — Some people use VPNs for everyday browsing and will abandon your product if blocked.
- **Corporate networks** — Employees behind corporate VPNs are legitimate users whose traffic routes through datacenter IPs.
- **Censorship circumvention** — Users in countries with internet restrictions rely on VPNs to access your product at all.
- **Remote workers** — Developers and knowledge workers frequently use VPNs, especially when working from public WiFi.

A blanket VPN block loses these users. A risk-based approach keeps them while still catching fraud.

## Try It Yourself

Want to see what VPN and proxy detection looks like in practice? Use Fidro's [free VPN detector tool](/tools/vpn-detector) to check any IP address instantly — no signup required.

For production use, the [Fidro API](/docs) includes VPN, proxy, Tor, and datacenter detection in every validation request. The free plan includes 200 lookups per month.

---

## Frequently Asked Questions

### What is the difference between a VPN and a proxy?

A VPN encrypts all traffic from a device and routes it through a remote server, changing the apparent IP address and location. A proxy only routes traffic from a specific application (usually a browser). VPNs provide stronger privacy but both mask the user's real IP address.

### Can you detect all VPN users?

No detection method catches 100% of VPN usage. Commercial VPN providers rotate IP addresses and some use residential IPs that are harder to detect. However, IP intelligence databases like Fidro identify the vast majority of commercial VPN and proxy services by tracking known IP ranges, datacenter ownership, and connection patterns.

### Should I block all VPN users?

Usually not. Many legitimate users use VPNs for privacy, especially in countries with internet censorship. A better approach is to use VPN detection as one signal in a broader risk score — combining it with email validation, geolocation matching, and behavioral analysis to make nuanced decisions.

### How does VPN detection work technically?

VPN detection uses multiple methods: matching IPs against known VPN provider ranges, identifying datacenter-hosted IPs (most VPNs run on cloud infrastructure), detecting protocol signatures, and analysing connection patterns. IP intelligence APIs maintain databases of millions of known VPN, proxy, and Tor exit node addresses.

### What is a datacenter IP and why does it matter?

A datacenter IP belongs to a hosting provider like AWS, Google Cloud, or DigitalOcean rather than a residential ISP. Most legitimate web browsing comes from residential or mobile IPs. Traffic from datacenter IPs often indicates VPN usage, automated bots, or scraping — though some legitimate corporate traffic also originates from datacenters.