VPN Detection API for Developers: How to Detect and Handle VPN Users

Matt King
June 10, 2026

Roughly 30% of internet users worldwide connect through a VPN at least occasionally. For most, VPNs serve a legitimate purpose: privacy, security on public Wi-Fi, or bypassing regional content restrictions.

But for developers building applications that rely on accurate user identification, VPNs create real problems. A VPN masks the user's true IP address, breaking IP-based geolocation, undermining fraud detection, and making it harder to detect multi-accounting.

Why Your Application Needs VPN Detection

1. Fraud Prevention

Fraudsters use VPNs to disguise their location during payment fraud and account takeover attacks. A billing address in Texas but an IP in Romania is a risk signal worth investigating.

2. Abuse Prevention

Free-tier abuse and multi-accounting often involve VPNs. A user creates an account, claims a free trial, then connects through a different VPN server to create another account.

3. Geo-Restriction Enforcement

Licensing agreements and regulatory compliance often require geo-fencing. Without VPN detection, users can trivially bypass these controls.

How VPN Detection Works Technically

IP Range Database Matching

Commercial VPN providers operate thousands of servers with known IP ranges. Looking up a user's IP against these databases catches the majority of VPN traffic.

ASN Analysis

Every publicly routed IP address belongs to an Autonomous System, identified by an Autonomous System Number (ASN). The ASN owner reveals whether traffic comes from a residential ISP (normal), a known VPN provider (flagged), or a hosting company (suspicious).

Hosting Provider Detection

Data center IPs are rarely used by regular internet users. Traffic from cloud hosting providers is typically bots, VPN servers, or API integrations.
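The three checks in this section, combined in one small classifier. This is an added example, not code from the original article or from Fidro; the ranges and ASN labels are constructed from documentation address space, the function names are hypothetical, and it handles IPv4 only.

```javascript
// Constructed sample data: RFC 5737 documentation ranges and RFC 5398
// documentation ASNs stand in for a real VPN / hosting intelligence feed.
const VPN_RANGES = ['192.0.2.0/24', '198.51.100.128/25'];
const ASN_TYPES = { 64496: 'residential', 64497: 'vpn', 64498: 'hosting' };

// Parse a dotted-quad IPv4 address into an integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip falls inside the CIDR block. Division is used instead of
// bit shifts because JavaScript shifts operate on signed 32-bit values.
function inCidr(ip, cidr) {
  const [base, prefix] = cidr.split('/');
  const bits = Number(prefix);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const size = 2 ** (32 - bits);
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

// Combine range matching, ASN ownership and hosting detection into one verdict.
function classifyIp(ip, asn) {
  if (ipv4ToInt(ip) === null) return { valid: false, vpn: false, datacenter: false };
  const asnType = ASN_TYPES[asn] || 'unknown';
  return {
    valid: true,
    vpn: asnType === 'vpn' || VPN_RANGES.some((c) => inCidr(ip, c)),
    datacenter: asnType === 'hosting',
    asnType,
  };
}
```

An address can sit outside every listed range and still be flagged through its ASN, which is why the two lookups are combined rather than run as alternatives.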

Calling the Fidro VPN Detection API

curl -X POST https://api.fidro.io/v1/validate \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"ip": "185.234.72.19"}'

Response:

{
  "ip": "185.234.72.19",
  "vpn": true,
  "proxy": false,
  "tor": false,
  "datacenter": true,
  "risk_score": 75,
  "country": "NL",
  "city": "Amsterdam",
  "isp": "NordVPN"
}

Combined Email and IP Check

For signup flows, check both in a single request:

curl -X POST https://api.fidro.io/v1/validate \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com", "ip": "185.234.72.19"}'

A VPN user with a legitimate email gets a lower risk score than a VPN user with a disposable email.

Node.js Integration

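async function detectVPN(ip) {
  const response = await fetch('https://api.fidro.io/v1/validate', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${process.env.FIDRO_API_KEY}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ ip }),
    // Bound the lookup so a slow response cannot stall the login request
    signal: AbortSignal.timeout(2000),
  });

  // An error body must not be read as a detection result
  if (!response.ok) {
    throw new Error(`Fidro API returned HTTP ${response.status}`);
  }

  const data = await response.json();
  return {
    // Any one of the three flags means the real address is hidden
    isAnonymized: Boolean(data.vpn || data.proxy || data.tor),
    isDatacenter: data.datacenter,
    riskScore: data.risk_score,
    details: data,
  };
}

// Usage in Express (assumes an existing app with session middleware)
// req.ip honours X-Forwarded-For only for proxies listed in the
// 'trust proxy' setting. Reading the header directly lets any client
// supply an address of its choosing and sidestep the check.
app.post('/api/login', async (req, res) => {
  const ip = req.ip;

  try {
    const vpnCheck = await detectVPN(ip);
    if (vpnCheck.isAnonymized) {
      req.session.requiresMFA = true;
    }
  } catch (err) {
    // Lookup failed: require MFA rather than silently skipping the check
    req.session.requiresMFA = true;
  }
  // Continue with login flow...
});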
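The detection result is only as reliable as the address handed to detectVPN. As an added example (not from the original article or Fidro's code), this shows how a client address is taken from X-Forwarded-For only when the connection arrives from a known proxy; the proxy addresses are constructed and resolveClientIp is a hypothetical helper.

```javascript
// Constructed: addresses of our own load balancers (RFC 5737 range).
const TRUSTED_PROXIES = new Set(['203.0.113.10', '203.0.113.11']);

// Coarse syntax screen for IPv4/IPv6 text; not a full validator.
const looksLikeIp = (s) => /^[0-9a-fA-F:.]{2,45}$/.test(s);

function resolveClientIp(remoteAddr, xffHeader, trusted = TRUSTED_PROXIES) {
  // Direct connection from an untrusted peer: the header is client-controlled,
  // so the socket address is the only value that can be believed.
  if (!trusted.has(remoteAddr)) return remoteAddr;

  const hops = String(xffHeader || '')
    .split(',')
    .map((h) => h.trim())
    .filter(Boolean);

  // Walk right to left: each trusted proxy vouches only for the hop it
  // appended. Stop at the first address that is not one of our proxies.
  let candidate = remoteAddr;
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!looksLikeIp(hops[i])) break; // malformed entry: stop trusting the chain
    candidate = hops[i];
    if (!trusted.has(candidate)) break;
  }
  return candidate;
}
```

Express applies the same right-to-left rule to req.ip when its 'trust proxy' setting lists your proxies, so entries a client prepends to the header never reach the lookup.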

How to Handle VPN Users

Strategy 1: Allow and Log

Do nothing visible but log the detection for analytics.

Strategy 2: Allow with Extra Verification

Let VPN users proceed but require MFA or email confirmation. This adds friction only for anonymized users.

Strategy 3: Flag for Review

Allow the action but flag for manual review. Works well for payment flows.

Strategy 4: Block

Reserve for high-confidence fraud where VPN is combined with other strong signals:

if (vpnCheck.details.tor && riskCheck.disposable && riskCheck.risk_score > 80) {
  return res.status(403).json({ error: 'This request could not be processed.' });
}

When NOT to Block VPNs

Privacy-conscious users run VPNs at all times. These are often tech-savvy early adopters you want as customers.

Corporate VPN users are required to route all traffic through a corporate VPN. Blocking them blocks entire organizations.

Users in restrictive regions rely on VPNs to access the global internet.

The right approach: Use VPN detection as one input in a composite risk score:

  • VPN alone: Low risk. Log it, maybe require email verification.
  • VPN + disposable email: Medium risk. Require additional verification.
  • VPN + disposable email + new account + high-value action: High risk. Block or review.
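The tiers above and the Strategy 4 block condition, written as one decision function. This is an added example, not code from the original article or from Fidro: vpn, proxy, tor and risk_score are the response fields shown earlier, while disposableEmail, newAccount, highValueAction and the action names are hypothetical application-side values, and the high tier is mapped to review here.

```javascript
function decideAction(ipCheck, ctx) {
  const anonymized = Boolean(ipCheck.vpn || ipCheck.proxy || ipCheck.tor);

  // Record every contributing signal so a reviewer can see why a tier fired.
  const reasons = [];
  for (const flag of ['vpn', 'proxy', 'tor']) {
    if (ipCheck[flag]) reasons.push(flag);
  }
  for (const flag of ['disposableEmail', 'newAccount', 'highValueAction']) {
    if (ctx[flag]) reasons.push(flag);
  }

  // Strategy 4 condition from this page: Tor + disposable email + score above 80.
  if (ipCheck.tor && ctx.disposableEmail && ipCheck.risk_score > 80) {
    return { tier: 'high', action: 'block', reasons };
  }
  // No anonymized IP: none of the VPN tiers applies, other controls decide.
  if (!anonymized) {
    return { tier: 'none', action: 'allow', reasons };
  }
  // High tier needs all three extra signals; a partial match falls through.
  if (ctx.disposableEmail && ctx.newAccount && ctx.highValueAction) {
    return { tier: 'high', action: 'review', reasons };
  }
  if (ctx.disposableEmail) {
    return { tier: 'medium', action: 'verify', reasons };
  }
  // Anonymized IP with nothing else: log only.
  return { tier: 'low', action: 'log', reasons };
}
```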

For more detail, see "IP Intelligence: How to Detect VPNs, Proxies, and Tor at Signup" and "How to Detect VPN and Proxy Users on Your Website".

Getting Started

  1. Try the VPN detector and IP checker with your own IP
  2. Read the API documentation
  3. Sign up for the free plan: 200 requests per month
  4. Review the features page for full detection capabilities

VPN detection is not about blocking privacy. It is about having accurate data to make smart decisions.

Frequently Asked Questions

How accurate is VPN detection?

Modern VPN detection APIs achieve 95-99% accuracy for commercial VPN services by maintaining databases of known VPN server IP ranges, ASN data, and hosting provider records. Detection rates for smaller or self-hosted VPNs are lower, but these represent a small fraction of VPN traffic.

Can I detect the difference between a VPN and a proxy?

Yes. Fidro's API returns separate flags for VPN, proxy, Tor, and data center connections. Each type has different risk implications and your application logic should treat them differently.

Should I block all VPN users?

No. Blanket VPN blocking excludes privacy-conscious users, corporate employees, and users in restrictive regions. Use VPN detection as one signal in a composite risk score instead.

Does VPN detection work with IPv6?

Yes. Fidro's API supports both IPv4 and IPv6 addresses. The same detection techniques apply across both protocols.

How fast is the VPN detection API?

Fidro responds in under 200ms for IP analysis requests, fast enough to run inline during page loads, form submissions, or API calls without any noticeable delay.