How does IPLogs detect VPNs?

IPLogs combines seven detection layers: IP intelligence (known VPN servers, ASN classification, Tor exit lists), TCP/IP stack fingerprinting, TLS/JA3 fingerprinting, round-trip-time analysis (SNITCH and cross-layer RTT, NDSS 2025), active protocol probing (OpenVPN HARD_RESET, WireGuard, IKEv2, REALITY cert-switch), client-side signals (timezone, language, WebRTC leak), and port or network sanity checks. Results are scored and returned in under 2 seconds.

Is the IPLogs API really free?

Yes. The public API at https://iplogs.com/v1/check accepts POST requests with a JSON body containing an IP address and returns a full detection verdict. No signup, no API key, no rate limit for reasonable use. The source code is open on GitHub.

Can IPLogs detect residential proxies?

Partially. Residential-proxy IPs that originate from known hosting backbones (Leaseweb, CoLoCrossing, HostPapa) are flagged by the datacenter-ASN layer. True peer-to-peer residential proxies that tunnel through real ISP connections are the hardest category in the industry and require behavioral heuristics that IPLogs is actively researching.

What databases does IPLogs use for IP geolocation?

IPLogs uses MaxMind GeoLite2 City and ASN databases as the primary source, with ip-api.com as a free fallback for any IPs the local database does not cover. Tor exit nodes are refreshed hourly from check.torproject.org. Mullvad WireGuard relays are refreshed every 6 hours from the public Mullvad API.

Does IPLogs store my IP address?

Only in transient request logs for rate-limiting and abuse detection. No persistent database of individual lookups, no tracking cookies, no ads. See the privacy page for full detail.

How accurate is VPN detection?

Against ground-truth datasets of known VPN endpoints (NordVPN, Mullvad, SoftEther, PIA, ProtonVPN) the 7-layer pipeline achieves over 95% true-positive rate with under 1% false-positive rate for residential ISPs, trusted infrastructure (public DNS), and major CDNs (Cloudflare, Google, Fastly) which are allowlisted to prevent false alarms.

China's 'Great Unplug' (April 2026): Inside the Physical VPN Server Takedown

April 1, 2026: thousands of VPN proxy nodes physically unplugged after leaked notices ordered datacenters to cut all circumvention servers. What we know.

2026-04-22·11 min readChinagreat firewallVPN crackdown2026

In the first week of April 2026, thousands of commercial VPN proxy operators serving users inside China opened their monitoring dashboards to find every single endpoint offline. This was not a software block — the servers had been physically disconnected from datacenter racks. The Chinese internet community coined it "the Great Unplug". Here is what we know, what we can verify, and what it means for the future of VPN use inside China.

Timeline and scale

Starting around April 1, 2026, internal notices leaked to multiple Chinese-language outlets instructed all Chinese datacenters to completely block outbound access to non-Chinese destinations and to delist any customer service categorized as VPN, proxy, or "dedicated line". Reporting from China Digital Times and Vision Times corroborates that physical disconnections followed: power cables pulled, network uplinks cut, rack space reclaimed.

By mid-April a user-facing component emerged: China Telecom began sending SMS notices to prepaid subscribers stating that international roaming would be disabled from April 22. X (Twitter) screenshots of the notices went viral inside circumvention communities. Mobile SIMs, not just fixed-line VPN endpoints, are now part of the enforcement surface.

What actually broke

Shadowsocks, V2Ray, Trojan traffic previously wrapped in TLS on the Chinese side are now being detected by machine-learning DPI. The Q2 2026 GFW upgrade reportedly correlates timing patterns, packet sizes, and TLS fingerprint drift across millions of concurrent flows.
Commercial VPN providers hosting exits inside China (rare but it existed for corporate traffic) lost their physical infrastructure.
Residential proxy services that relied on Chinese IPs as exit nodes to enable geo-unblocked access into Chinese platforms (Douyin, Bilibili, WeChat) lost their IP pools.

What still works (for now)

Reports from inside China in late April 2026 converge on a narrow set of tools still functional:

Xray VLESS + REALITY on personal VPS. REALITY borrows the TLS certificate of a real website (e.g. Apple, Microsoft) during handshake, making DPI blocking extremely costly because false positives would take out collateral services.
AmneziaWG — an obfuscated WireGuard fork developed by the Amnezia team. The obfuscation layer randomizes initial packet shapes so pattern-based DPI cannot classify the connection as WireGuard.
Cloudflare WARP-tunneled custom proxies. As long as Cloudflare edge is reachable (it has been intermittently blocked in 2026), traffic wrapped in Cloudflare's TLS terminators is extraordinarily hard to disambiguate from normal CDN traffic.

Implications for VPN detection

The Great Unplug is instructive for detectors on the other side of the internet. Three signals have grown in reliability:

Chinese outbound traffic originating from datacenter ASNs has effectively vanished. A request claiming to be from a Chinese consumer but routed through AS4134 (China Telecom Backbone) on an IP assigned to a commercial datacenter is now almost certainly a misattribution or fraud attempt.
Residential Chinese IPs on commercial VPN ASNs are bug signals. The April crackdown reinforced that no legitimate VPN operator is running exit servers inside China in 2026 — those that try get physically unplugged.
REALITY-style TLS-camouflage traffic is detectable via SNI fuzzing. The canonical detection technique is to fuzz the SNI (repeat the handshake with a slightly-perturbed server name) and observe whether the server switches to a fallback certificate — a near-perfect REALITY tell. IPLogs implements this as the active_probe_reality signal.

What comes next

A Cybercrime Prevention Law draft circulating in China as of April 2026 proposes individual fines up to 500,000 RMB (≈ $69,000) for hosting circumvention services. Anti-fraud apps mandatorily installed on Chinese smartphones have added new telemetry that surfaces "wall-jumping" activity to regional police. A previously-secret VPN-detection patent filed by the Ministry of Public Security was unsealed in March 2026, describing techniques that mirror research-community work on TCP/TLS RTT differentials (cf. the SNITCH paper from NDSS 2025).

The direction of travel is clear: protocol-level obfuscation is buying less time than it used to, and the arms race is shifting toward statistical and behavioral detection. For both defenders and circumvention tool builders, the lesson is the same — one layer is never enough.

Check any IP now

If you are building a product that needs to reliably distinguish commercial VPN exits, datacenter IPs, Tor exits, and real end-user devices, paste any IPv4 into the home-page checker and you will get the full 7-layer verdict — including the REALITY cert-switch probe that directly targets the tools that currently still work inside China.

References

Vision Times, "China's Telecom Crackdown May Block All Overseas Internet Access, Leaked Notice Suggests", April 11, 2026.
China Digital Times, "Documents Raise Fear of Further Crackdown on Great Firewall Circumvention Tools", April 2026.
Sunset Browser, "China's GFW in Q2 2026: What Still Works?", 2026.
Zohaib et al., "Shining Light on the Inner Workings of QUIC Censorship in China", USENIX Security 2025.

Check any IP against the 7-layer pipeline

The detection methods described above are all available through the IPLogs public API, free, no signup required.

Try the IP checker →