How does IPLogs detect VPNs?

IPLogs combines seven detection layers: IP intelligence (known VPN servers, ASN classification, Tor exit lists), TCP/IP stack fingerprinting, TLS/JA3 fingerprinting, round-trip-time analysis (SNITCH and cross-layer RTT, NDSS 2025), active protocol probing (OpenVPN HARD_RESET, WireGuard, IKEv2, REALITY cert-switch), client-side signals (timezone, language, WebRTC leak), and port or network sanity checks. Results are scored and returned in under 2 seconds.

Is the IPLogs API really free?

Yes. The public API at https://iplogs.com/v1/check accepts POST requests with a JSON body containing an IP address and returns a full detection verdict. No signup, no API key, no rate limit for reasonable use. The source code is open on GitHub.

Can IPLogs detect residential proxies?

Partially. Residential-proxy IPs that originate from known hosting backbones (Leaseweb, CoLoCrossing, HostPapa) are flagged by the datacenter-ASN layer. True peer-to-peer residential proxies that tunnel through real ISP connections are the hardest category in the industry and require behavioral heuristics that IPLogs is actively researching.

What databases does IPLogs use for IP geolocation?

IPLogs uses MaxMind GeoLite2 City and ASN databases as the primary source, with ip-api.com as a free fallback for any IPs the local database does not cover. Tor exit nodes are refreshed hourly from check.torproject.org. Mullvad WireGuard relays are refreshed every 6 hours from the public Mullvad API.

Does IPLogs store my IP address?

Only in transient request logs for rate-limiting and abuse detection. No persistent database of individual lookups, no tracking cookies, no ads. See the privacy page for full detail.

How accurate is VPN detection?

Against ground-truth datasets of known VPN endpoints (NordVPN, Mullvad, SoftEther, PIA, ProtonVPN) the 7-layer pipeline achieves over 95% true-positive rate with under 1% false-positive rate for residential ISPs, trusted infrastructure (public DNS), and major CDNs (Cloudflare, Google, Fastly) which are allowlisted to prevent false alarms.

Research notes

Long-form, citation-backed posts on VPN detection, national censorship systems, and the TLS / TCP fingerprint research that powers modern IP classification. Written for engineers and security researchers.

How the Great Firewall of China Works in 2026 — A Technical Explainer
Research-backed GFW explainer: asymmetric filtering, QUIC censorship, Wallbleed DNS leak, Geedge Networks docs, and what it means for VPN users.
2026-04-22·14 min readgreat firewallchinacensorship
How VPN Detection Actually Works — The Research-Backed 7-Layer Method
The 7 layers a modern VPN detector combines: IP intel, TCP/TLS fingerprints, SNITCH RTT (NDSS 2025), active probing, client signals. With citations.
2026-04-22·18 min readVPN detectionJA3SNITCH
Russia's TSPU System: How Roskomnadzor Blocks VPNs at the ISP Level
Russia's TSPU: in-path, stateful DPI on 1M+ endpoints across 650 ASes. How it detects and throttles VPN traffic, and what separates it from China's GFW.
2026-04-22·12 min readrussiaTSPUroskomnadzor
Iran's Internet Censorship: NIN, SIAM, and Mobile-Side Surveillance
Iran's layered censorship: National Information Network, SIAM mobile surveillance (2022 leak), CCDOC blocklist, and the technical stack behind each.
2026-04-22·11 min readiranSIAMNIN
JA3 and JA4 Fingerprinting Explained: How TLS Reveals Your VPN Client
JA3 and JA4 hash the TLS ClientHello to reliably identify the client library. Why Chrome looks different from Firefox, and OpenVPN from both. Full breakdown.
2026-04-22·13 min readJA3JA4TLS fingerprinting
China's 'Great Unplug' (April 2026): Inside the Physical VPN Server Takedown
April 1, 2026: thousands of VPN proxy nodes physically unplugged after leaked notices ordered datacenters to cut all circumvention servers. What we know.
2026-04-22·11 min readChinagreat firewallVPN crackdown
FBI vs SocksEscort: The 369,000-IP Residential Proxy Botnet Takedown (March 2026)
FBI + Europol dismantled SocksEscort: 369,000 compromised routers across 163 countries. What AVrecon did, how the botnet ran, and why detection matters.
2026-04-22·12 min readFBIresidential proxybotnet
Iran's 52-Day Internet Blackout (2026): Technical Anatomy of the Longest National Shutdown
Iran offline for 1,224 consecutive hours — longest national disruption on record. What the blackout looks like technically and which tools still work.
2026-04-22·10 min readIraninternet shutdownblackout
Russia's 150-Ruble Mobile VPN Tax: How Roskomnadzor Is Pricing VPNs Out (2026)
Russia blocked 469 VPN services and added a 150-RUB/GB surcharge on international mobile traffic above 15 GB/month. How the policy and TSPU enforce it.
2026-04-22·9 min readRussiaTSPUVPN tax
REALITY, Xray, and AmneziaWG: The 2026 Anti-Censorship Protocol Stack Explained
REALITY, Xray and AmneziaWG: the three protocols carrying anti-censorship in 2026. How each defeats DPI and which combination survives today's Great Firewall.
2026-04-22·14 min readREALITYXrayAmneziaWG
How to Detect VPN Users in 2026: A Developer's Guide (JavaScript + Server)
Code-first guide to detecting VPN, proxy, Tor and datacenter IPs. JS signals (WebRTC, timezone, language) + server signals (ASN, JA3, RTT) and how to combine.
2026-04-22·15 min readdeveloper guideJavaScriptVPN detection
VPN Detection API Comparison (2026): IPQualityScore, IPHub, GetIPIntel, Spur, IPinfo, IPLogs
Side-by-side comparison of the six most-used IP intelligence and VPN detection APIs in 2026 — pricing, signals, accuracy, free tier. Honest, no affiliates.
2026-04-22·13 min readcomparisonIPQualityScoreSpur

How the Great Firewall of China Works in 2026 — A Technical Explainer

How VPN Detection Actually Works — The Research-Backed 7-Layer Method

Russia's TSPU System: How Roskomnadzor Blocks VPNs at the ISP Level

Iran's Internet Censorship: NIN, SIAM, and Mobile-Side Surveillance

JA3 and JA4 Fingerprinting Explained: How TLS Reveals Your VPN Client

China's 'Great Unplug' (April 2026): Inside the Physical VPN Server Takedown

FBI vs SocksEscort: The 369,000-IP Residential Proxy Botnet Takedown (March 2026)

Iran's 52-Day Internet Blackout (2026): Technical Anatomy of the Longest National Shutdown

Russia's 150-Ruble Mobile VPN Tax: How Roskomnadzor Is Pricing VPNs Out (2026)

REALITY, Xray, and AmneziaWG: The 2026 Anti-Censorship Protocol Stack Explained

How to Detect VPN Users in 2026: A Developer's Guide (JavaScript + Server)

VPN Detection API Comparison (2026): IPQualityScore, IPHub, GetIPIntel, Spur, IPinfo, IPLogs