Paste any IPv4 or IPv6 address to get an instant verdict. IPLogs cross-references 13 intelligence sources (Mullvad, PIA, IVPN, AirVPN, Surfshark, IPVanish, AzireVPN per-relay APIs, plus X4BNet, FireHOL, CINS, Tor Project, Apple Private Relay, AbuseIPDB) and runs active OpenVPN, WireGuard and IKEv2 probes — all under two seconds, free, no signup, no API key.
Your IP address is the unique number the internet uses to route traffic to your device — shown live at the top of this page. It is assigned by your ISP or mobile carrier and is visible to every website you visit. IPLogs goes further than a plain “what is my IP” lookup: it tells you whether that IP is flagged as a VPN, proxy, Tor exit, or datacenter address, and exactly why.
A public IP is the address the world sees — what we check above. A private IP (like 192.168.1.1 or a 100.64.0.0/10carrier-NAT address) only exists inside your local network and can't be looked up from the internet. IPLogs supports both IPv4 and IPv6 — paste any address into the search bar above to check one other than your own.
Most commercial "VPN checker" services reduce the problem to a single question: does this IP address appear on a blacklist? That approach breaks the moment a provider adds new servers, shuffles its ranges, or runs on residential proxies. IPLogs instead runs a seven-layer pipeline that combines IP-reputation lookups with active network measurement, TLS fingerprinting, round-trip-time analysis from the SNITCH paper (NDSS 2025), and client-side fingerprints — producing a single 0-to-1 score and a human-readable verdict in under two seconds.
Every layer is deterministic, and the API returns the exact signal set that produced the verdict so you can reason about false positives rather than treat the result as a black box. The public README lives on GitHub.
Matches the IP against a curated database of VPN servers (NordVPN, Mullvad, SoftEther, PIA, ProtonVPN), datacenter ASNs, Tor exit nodes refreshed hourly, and known residential-proxy hosting backbones.
Inspects TCP window size, MSS, and TTL for kernel-level anomalies. Commercial VPN servers commonly expose Linux kernel defaults while claiming to be Windows or iOS clients.
Hashes the TLS ClientHello using JA3/JA4. VPN clients emit distinct fingerprints (OpenVPN, WireGuard wrappers, REALITY-based stacks) that differ from native browsers.
Runs the SNITCH (NDSS 2025) TCP vs TLS RTT differential and cross-layer RTT checks. A mismatched round-trip between the transport and TLS handshake reveals middle-box relays.
Sends lightweight protocol probes (OpenVPN HARD_RESET, WireGuard handshake init, IKEv2 SA_INIT, REALITY cert-switch via SNI fuzzing) and measures silent-drop differentials on well-known VPN ports.
Checks browser timezone, language, and WebRTC ICE candidates against the IP geolocation. A browser reporting America/New_York from a Frankfurt IP is a strong VPN tell.
Flags non-standard service ports, mismatched reverse DNS, and hosting-provider network patterns that indicate the endpoint is not a real end-user device.
The detection engine is exposed as a single POST endpoint at https://iplogs.com/v1/check. Pass a JSON body with an optional ip field (omit it to check the caller's IP) and get back the full verdict, score, confidence, signal set, and IP metadata.
curl -X POST https://iplogs.com/v1/check \
-H 'content-type: application/json' \
-d '{"ip":"8.8.8.8"}'
{
"verdict": "clean",
"score": 0.1,
"is_vpn": false,
"confidence": 0.2,
"ip_info": {
"ip": "8.8.8.8",
"asn": "AS15169",
"org": "Google LLC",
"country": "United States",
"city": "Mountain View",
"type": "datacenter"
},
"signals": [ /* 25+ checks */ ]
}Full reference, rate-limits, response fields, and client SDKs: iplogs.com/docs.
Gate high-risk actions (signup, checkout, password reset) behind a VPN check. Flag sessions originating from known VPN, proxy, or Tor endpoints for additional verification.
Enforce streaming or regulatory geo-restrictions by blocking access from commercial VPN exits while still allowing the vast majority of legitimate traffic.
Most scraping fleets rotate through hosting-provider IPs. The datacenter-ASN layer flags these at line rate without needing CAPTCHAs.
Instrument your own servers to log the detection verdict for every inbound connection. Every verdict cites the exact signals that produced it, so you can reason about edge cases without guessing.
Inspect traffic for proxy-farm origin during media-buy verification. Cross-reference the ASN, org, and active-probe signals to build evidence of mis-attributed clicks.
Record a cryptographically-verifiable detection verdict alongside each privileged request for SOC 2, ISO 27001, or internal audit trails.
Your public IP address is the unique number your ISP or mobile carrier assigns to your connection, used to route internet traffic to you and visible to every site you visit. It is shown live at the top of this page, along with whether it is a VPN, proxy, Tor, or datacenter IP.
Open iplogs.com and your public IP is displayed at the top of the page automatically — no setup required. It works on phones, laptops, and tablets, and supports both IPv4 and IPv6. To check a different address, paste it into the search bar.
Seven layers: IP intelligence (VPN lists, ASN classification, Tor exits), TCP/IP fingerprinting, TLS/JA3 fingerprinting, SNITCH round-trip-time analysis, active protocol probing (OpenVPN, WireGuard, IKEv2, REALITY), client-side signals (timezone, language, WebRTC leak), and port / network sanity.
Yes. Public API, no key, no quota for reasonable use. If you hammer it from one IP we may rate-limit, but no payment wall, ever.
Partially. Hosting-backed residential proxy IPs (Leaseweb, CoLoCrossing, HostPapa, Ace Data Centers) are flagged by the datacenter-ASN layer. Truly peer-to-peer residential proxies that run over real consumer ISP connections are the hardest category in the industry and require behavioral heuristics we are actively researching.
MaxMind GeoLite2 City + ASN as primary, with ip-api.com as a free fallback for IPs not covered locally. Tor exits refresh hourly from check.torproject.org. Mullvad WireGuard relays refresh every six hours from the Mullvad public API.
Only in transient request logs for rate limiting and abuse detection. No persistent database of individual lookups, no tracking cookies, no ads.
On the most recent ground-truth benchmark, IPLogs records a 0.3% false-positive rate and 0.9% false-negative rate across a ~1,100-IP corpus validated against Team Cymru, detecting 100% of Mullvad relays and Tor exits. Full methodology and results are published at iplogs.com/accuracy.
Email admin@iplogs.com with your use case, expected volume, and SLA requirements. For sustained multi-million-request workloads we can discuss a dedicated deployment and commercial terms.
Look up any IPv4 address, autonomous system, country, or known VPN provider to see the same 7-layer verdict that powers the home page check.
Everything for integrating, understanding, and evaluating IP detection: implementation guides, a plain-English glossary, the accuracy benchmark, downloadable datasets, and how IPLogs compares to other APIs.