How the Great Firewall of China Works in 2026 — A Technical Explainer
Research-backed GFW explainer: asymmetric filtering, QUIC censorship, Wallbleed DNS leak, Geedge Networks docs, and what it means for VPN users.
The Great Firewall of China (GFW) is the world's largest operating network-censorship system, and it has evolved dramatically in the last three years. This post distills every verified technical finding from peer-reviewed research up to April 2026: asymmetric filtering, the first-ever nation-wide QUIC censorship deployment, a buffer over-read vulnerability in DNS-injector memory, and the documents leaked from the two organizations that build the GFW — Geedge Networks and the MESA Lab.
The GFW is not one firewall — it is thousands of middleboxes
Contrary to popular language, "the Great Firewall" is not a single appliance on a single border router. It is a distributed network of middleboxes installed at China's international gateway routers (IGRs) and at provincial-to-ISP boundaries. Most of the time these middleboxes operate on-path, not in-path: they tap the traffic, observe it, and inject forged responses. They do not drop packets inline. This is important for circumvention research: you can sometimes outrace an on-path censor with a faster legitimate response.
The S&P 2025 paper "A Wall Behind A Wall" (Wu & Zohaib) was the first to publish measurements showing that the GFW is asymmetric. Earlier research had assumed the GFW applied the same rules in both directions. Wu and Zohaib tested 10,000 domains and found 68 that were blocked only when probed from inside China — including google.com, nyt.com, and docker.com. Other domains were blocked only from outside, suggesting the GFW maintains separate inbound and outbound blocklists. The paper also documents a second filtering layer inside Henan province that operates on outbound provincial traffic only — the first known regional firewall deployment in China.
QUIC censorship — new as of April 2024
Until 2024, QUIC (the UDP-based transport under HTTP/3) was largely uncensored. That changed on April 7, 2024, when the GFW began decrypting QUIC Initial packets at scale and matching their SNI values against its blocklist. Once a forbidden SNI is observed, the GFW drops all subsequent UDP packets sharing the same source IP, destination IP, and destination port, with residual blocking lasting over 100 seconds.
The implementation has documented weaknesses. It does not track Connection IDs, instead using the UDP 4-tuple with a 60-second timeout. It does not reassemble QUIC Initials split across multiple datagrams — which Chrome's September 2024 changes inadvertently exploited by making Initials too large for a single datagram. It exempts connections where the source port does not exceed the destination port. And as of December 2024 it explicitly unblocks QUIC connections that carry an ECH extension. The QUIC blocklist is a distinct list — about 60% of the DNS blocklist in domain count — suggesting independent policy maintenance.
See Zohaib et al., USENIX Security 2025, for the full measurement methodology and the 4-tuple tracking proof. The paper is open access.
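As an added illustration (not code from the paper or from this site), the following models the residual-blocking state machine described above: state is keyed on the UDP 4-tuple rather than the QUIC Connection ID, the source-port and ECH exemptions are applied first, and each dropped packet is assumed to refresh the 60-second timer, which is one way a fixed timeout produces residual windows longer than 100 seconds.

```c
/* Added example: a model of the GFW's QUIC 4-tuple residual blocking.
 * Assumption: the 60-second timer is an idle timeout refreshed by each
 * blocked packet (the page gives both 60 s and "over 100 s"). */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_FLOWS 64
#define BLOCK_TIMEOUT_SEC 60

/* 12 bytes, no padding, so memcmp is a safe equality test */
typedef struct { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; } tuple4;
typedef struct { tuple4 key; long expires; bool used; } flow_entry;
typedef struct { flow_entry flows[MAX_FLOWS]; } censor_state;

static flow_entry *find_flow(censor_state *s, const tuple4 *t) {
    for (int i = 0; i < MAX_FLOWS; i++)
        if (s->flows[i].used && memcmp(&s->flows[i].key, t, sizeof *t) == 0)
            return &s->flows[i];
    return NULL;
}

static flow_entry *alloc_flow(censor_state *s, const tuple4 *t, long now) {
    for (int i = 0; i < MAX_FLOWS; i++) {
        flow_entry *e = &s->flows[i];
        if (!e->used || e->expires <= now) {    /* reuse expired slots */
            e->used = true; e->key = *t; return e;
        }
    }
    return NULL;                                /* table full: no new state */
}

/* Returns true if the censor would drop this datagram.
 * sni_forbidden: a complete Initial with a blocklisted SNI was parsed from
 * it (split Initials are never reassembled, so callers pass false there).
 * has_ech: the ClientHello carries an ECH extension. */
bool quic_censor_observe(censor_state *s, const tuple4 *t, long now,
                         bool sni_forbidden, bool has_ech) {
    if (t->src_port <= t->dst_port) return false;   /* port exemption */
    if (has_ech) return false;                      /* ECH exemption */
    flow_entry *e = find_flow(s, t);
    if (e && e->expires > now) {                    /* residual blocking */
        e->expires = now + BLOCK_TIMEOUT_SEC;       /* assumed refresh */
        return true;
    }
    if (!sni_forbidden) return false;
    if (!e) e = alloc_flow(s, t, now);
    if (e) e->expires = now + BLOCK_TIMEOUT_SEC;
    return true;
}
```

Note that a client changing only its source port is a fresh 4-tuple and is untracked, while a client reusing the 4-tuple stays blocked as long as it keeps sending.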
Wallbleed — the GFW's memory disclosure bug
In NDSS 2025, a team from GFW Report, CU Boulder, and UMass Amherst published Wallbleed: a buffer over-read vulnerability in the GFW's DNS injection middleboxes. A crafted DNS query with an oversized label length prefix caused the injector to read up to 125 bytes beyond the packet boundary from its own process memory and embed those leaked bytes in the DNS response sent back to the prober. It is the Heartbleed pattern, but in state-operated censorship infrastructure.
- Vulnerability existed from at least October 2021.
- Partially patched September 2022 and again June 2023.
- Fully patched by March 2024.
- 3.1 billion Wallbleed responses collected over two years.
- Leaked memory confirmed Linux x86_64 architecture (70,497 pointer examples), and recovered fragments of SSDP, HTTP, TLS, SMTP, and DNS traffic — proving the middleboxes process far more than DNS.
- The forged-response IP pool is fixed, ordered, and cyclic. For one query name (4.tt) researchers recovered a list of 592 IP addresses used in rotation.
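The defect class behind Wallbleed is a label length that is trusted without checking it against the bytes actually present in the packet. The decoder below is an added example (the GFW's own code is not public) of the bounds check a DNS parser needs; the packets in the test are constructed.

```c
/* Added example: a DNS QNAME decoder that validates every label length
 * against the remaining packet bytes, so a length byte larger than the
 * packet (the Wallbleed trigger) is rejected instead of read from memory. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define DNS_MAX_NAME 255

/* Decodes the QNAME at pkt[off] into out as a dotted name.
 * Returns the offset just past the name, or 0 on any malformed input. */
size_t dns_decode_qname(const uint8_t *pkt, size_t pkt_len, size_t off,
                        char *out, size_t out_cap) {
    size_t o = 0, consumed = 0;
    if (out_cap == 0) return 0;
    for (;;) {
        if (off >= pkt_len) return 0;             /* length byte missing */
        uint8_t len = pkt[off++];
        if (len == 0) break;                      /* root label ends name */
        if (len & 0xC0) return 0;                 /* no compression in queries */
        if (len > pkt_len - off) return 0;        /* the Wallbleed check */
        consumed += len + 1;
        if (consumed > DNS_MAX_NAME) return 0;    /* RFC 1035 name limit */
        if (o + len + 1 >= out_cap) return 0;     /* caller buffer too small */
        if (o) out[o++] = '.';
        memcpy(out + o, pkt + off, len);
        o += len; off += len;
    }
    out[o] = '\0';
    return off;
}

/* Parses the first question of a query. Returns 1 and fills name on
 * success, 0 on truncation or malformed labels. */
int dns_parse_question(const uint8_t *pkt, size_t pkt_len,
                       char *name, size_t cap) {
    if (pkt_len < DNS_HDR_LEN) return 0;
    uint16_t qdcount = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (qdcount == 0) return 0;
    size_t end = dns_decode_qname(pkt, pkt_len, DNS_HDR_LEN, name, cap);
    if (end == 0) return 0;
    return (pkt_len - end >= 4) ? 1 : 0;          /* QTYPE + QCLASS must fit */
}
```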
Who builds it? Geedge Networks and the MESA Lab
The September 2025 Geedge Networks + MESA Lab leak identified the two organizations that develop and operate the GFW. Geedge Networks, founded in 2018 in Hainan with chief scientist Fang Binxing (the "father of the GFW"), sells four commercial products:
- Tiangou Secure Gateway (TSG) — flagship DPI and filtering product. Blocks VPNs, can inject malicious code into websites, can launch DDoS attacks.
- Cyber Narrator — operator UI for monitoring users in specific geographic regions.
- TSG Galaxy — long-term data storage and analytics tier.
- Network Zodiac — infrastructure health and deployment monitoring.
MESA Lab is based at the Institute of Information Engineering in the Chinese Academy of Sciences. It has operated the SAPP platform at national scale since 2014. Exports of Geedge products have been identified in Kazakhstan, Pakistan, Myanmar, Ethiopia, and other countries — turning the GFW into a product, not just a national artifact.
What this means for VPN detection
The GFW's research output has directly informed the techniques that commercial VPN-detection services use. Three threads to call out:
- Active probing. The GFW pioneered active probing of suspected obfuscated VPN servers — sending follow-up connections to endpoints that handshake unusually and measuring silent-drop behavior. The same technique is used by IPLogs and similar services to detect OpenVPN, WireGuard, IKEv2, and REALITY endpoints from outside China.
- SNI and JA3 matching. Extracting the SNI from TLS ClientHello and hashing the full ClientHello with JA3/JA4 are inexpensive, high-signal detection primitives — used by the GFW for blocking and by defenders for fraud prevention.
- Protocol fingerprinting. OpenVPN's HARD_RESET opcode, WireGuard's handshake init, and IKEv2's SA_INIT have distinct on-wire patterns that any detection engine can fingerprint without decrypting the session.
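The three first-packet patterns named in the last item, as an added example written for this page rather than code from IPLogs or any cited paper. The field layouts come from the public OpenVPN, WireGuard and IKEv2 (RFC 7296) wire formats; the sample packets in the test are constructed.

```c
/* Added example: passive first-packet fingerprints for three VPN
 * handshakes, from the public wire formats; nothing is decrypted. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { FP_UNKNOWN = 0, FP_OPENVPN_HARD_RESET,
               FP_WIREGUARD_INIT, FP_IKEV2_SA_INIT } fingerprint;

/* OpenVPN over UDP: byte 0 is opcode<<3 | key_id, and a fresh session uses
 * key_id 0. P_CONTROL_HARD_RESET_CLIENT_V2 = 7, _V3 = 10, giving 0x38 or
 * 0x50, followed by an 8-byte session id and an ack-array length byte. */
static int is_openvpn_hard_reset(const uint8_t *p, size_t n) {
    if (n < 14) return 0;
    uint8_t opcode = p[0] >> 3, key_id = p[0] & 7;
    return key_id == 0 && (opcode == 7 || opcode == 10);
}

/* WireGuard handshake initiation: type 1, three reserved zero bytes, and a
 * fixed total length of 148 bytes. */
static int is_wireguard_init(const uint8_t *p, size_t n) {
    return n == 148 && p[0] == 1 && p[1] == 0 && p[2] == 0 && p[3] == 0;
}

/* IKEv2 IKE_SA_INIT request: 28-byte header, responder SPI zero, version
 * 0x20, exchange type 34, Initiator flag 0x08, message id 0, length field
 * equal to the datagram. On UDP/4500 a 4-byte zero non-ESP marker leads. */
static int is_ikev2_sa_init(const uint8_t *p, size_t n) {
    static const uint8_t zero[8] = {0};
    if (n >= 32 && memcmp(p, zero, 4) == 0) { p += 4; n -= 4; }
    if (n < 28) return 0;
    uint32_t len = (uint32_t)p[24] << 24 | (uint32_t)p[25] << 16
                 | (uint32_t)p[26] << 8 | p[27];
    return memcmp(p, zero, 8) != 0          /* initiator SPI is set */
        && memcmp(p + 8, zero, 8) == 0      /* responder SPI still zero */
        && p[17] == 0x20 && p[18] == 34 && p[19] == 0x08
        && memcmp(p + 20, zero, 4) == 0     /* message id 0 */
        && len == n;
}

/* Classifies one UDP payload; the most specific checks run first. */
fingerprint fingerprint_udp_payload(const uint8_t *p, size_t n) {
    if (is_wireguard_init(p, n)) return FP_WIREGUARD_INIT;
    if (is_ikev2_sa_init(p, n)) return FP_IKEV2_SA_INIT;
    if (is_openvpn_hard_reset(p, n)) return FP_OPENVPN_HARD_RESET;
    return FP_UNKNOWN;
}
```

These are signals, not verdicts: a port-based check can be fooled by port choice, and OpenVPN with tls-crypt hides everything after byte 0, which is why such engines combine fingerprints with active probing.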
Try it yourself
Curious whether a specific IP is a VPN, a Tor exit, or a datacenter? Paste it into the home-page checker. Every detection runs the same 7-layer pipeline described above and returns the full signal set — no black-box verdict.
References
- Wu & Zohaib et al., "A Wall Behind A Wall: Emerging Regional Censorship in China", IEEE S&P 2025.
- Zohaib et al., "Shining Light on the Inner Workings of QUIC Censorship in China", USENIX Security 2025.
- Fan et al., "Wallbleed: A Memory Disclosure Vulnerability in the Great Firewall of China", NDSS 2025.
- Hoang et al., "How Great is the Great Firewall? Measuring China's DNS Censorship", USENIX Security 2021.
- Geedge Networks / MESA Lab leak analyses, September 2025 (see Wired, Amnesty Tech, GFW Report).
Check any IP against the 7-layer pipeline
The detection methods described above are all available through the IPLogs public API, free, no signup required.