How does IPLogs detect VPNs?

IPLogs combines seven detection layers: IP intelligence (known VPN servers, ASN classification, Tor exit lists), TCP/IP stack fingerprinting, TLS/JA3 fingerprinting, round-trip-time analysis (SNITCH and cross-layer RTT, NDSS 2025), active protocol probing (OpenVPN HARD_RESET, WireGuard, IKEv2, REALITY cert-switch), client-side signals (timezone, language, WebRTC leak), and port or network sanity checks. Results are scored and returned in under 2 seconds.

Is the IPLogs API really free?

Yes. The public API at https://iplogs.com/v1/check accepts POST requests with a JSON body containing an IP address and returns a full detection verdict. No signup, no API key, no rate limit for reasonable use. The source code is open on GitHub.

Can IPLogs detect residential proxies?

Partially. Residential-proxy IPs that originate from known hosting backbones (Leaseweb, CoLoCrossing, HostPapa) are flagged by the datacenter-ASN layer. True peer-to-peer residential proxies that tunnel through real ISP connections are the hardest category in the industry and require behavioral heuristics that IPLogs is actively researching.

What databases does IPLogs use for IP geolocation?

IPLogs uses MaxMind GeoLite2 City and ASN databases as the primary source, with ip-api.com as a free fallback for any IPs the local database does not cover. Tor exit nodes are refreshed hourly from check.torproject.org. Mullvad WireGuard relays are refreshed every 6 hours from the public Mullvad API.

Does IPLogs store my IP address?

Only in transient request logs for rate-limiting and abuse detection. No persistent database of individual lookups, no tracking cookies, no ads. See the privacy page for full detail.

How accurate is VPN detection?

Against ground-truth datasets of known VPN endpoints (NordVPN, Mullvad, SoftEther, PIA, ProtonVPN) the 7-layer pipeline achieves over 95% true-positive rate with under 1% false-positive rate for residential ISPs, trusted infrastructure (public DNS), and major CDNs (Cloudflare, Google, Fastly) which are allowlisted to prevent false alarms.

Iran's 52-Day Internet Blackout (2026): Technical Anatomy of the Longest National Shutdown

Iran offline for 1,224 consecutive hours — longest national disruption on record. What the blackout looks like technically and which tools still work.

2026-04-22·10 min readIraninternet shutdownblackoutStarlink

By April 20, 2026 Iran had been substantially offline for 52 consecutive days, or roughly 1,224 hours — making it the longest nationwide internet disruption ever recorded. The blackout began on January 8, 2026 alongside violent protests, and has transformed Iran from a heavily-filtered but mostly-connected internet into one of the most isolated digital environments in the world. Here is what the blackout technically looks like, what circumvention tools still work, and why the policy has escalated from filtering to disconnection.

Anatomy of the blackout

The Iranian shutdown is not a single cut. It is a layered degradation:

Fixed broadband: Most domestic fiber and DSL connections work only inside the domestic National Information Network (NIN / SHOMA). International routing is administratively null-routed at the backbone.
Mobile data: Intermittently cut, including full disabling of mobile network antennas in protest hotspots. When mobile data is up, it is NIN-only.
Satellite: Iran is actively jamming satellite downlink signals using military-grade mobile jammers. Starlink terminals, while physically smuggle-able, often cannot maintain a usable link under the jamming.
Whitelist filternet: Most Iranian users are restricted to a small whitelist of approved websites — mostly domestic services, a handful of approved news outlets, and regulated e-commerce.

The Starlink death-penalty escalation

In 2026 Iran criminalized possession and operation of Starlink terminals. Under the new legislation, operators face prison sentences of up to 10 years — or, for offenses classified as aiding hostile foreign powers, execution. This is the harshest documented legal penalty globally for using a satellite internet terminal. The law targets not only terminal operators but anyone facilitating their sale, concealment, or onward distribution.

What still works, barely

Despite the blackout's severity, some connectivity persists:

Cellular fallback to 2G voice/SMS remains functional in most of the country and is the primary communication channel for Iranians coordinating basic logistics.
NIN-internal services — domestic banking, Snapp (ride-hailing), Digikala (e-commerce), and government-approved messaging apps still operate on the closed intranet.
Short windows of international access have appeared sporadically, typically during business hours in major cities. These windows are used aggressively by VPN users while they last.
Cross-border SIMs smuggled in from Iraq, Turkey, and the UAE provide intermittent international access for border-region users.

VPN usage and detection during the blackout

Reports indicate VPN app download attempts surged 500% in the first days of the blackout. The most widely-used circumvention stacks inside Iran in 2026 are:

Xray with VLESS + REALITY targeting Cloudflare or Microsoft edge IPs (traffic that the regime cannot easily block without breaking legitimate services).
AmneziaWG— Amnezia's obfuscated WireGuard. The obfuscation stage randomizes the initial handshake packet shape so the traffic does not match the WireGuard DPI signature.
Psiphon and Outline with Shadowsocks transport, historically dominant in Iran but increasingly blocked in 2026.

From the other side of the internet — that is, from our perspective as detectors — what does Iranian circumvention traffic look like?

Most appears to originate from European datacenter ASNs (Hetzner AS24940, OVH AS16276, Contabo) where Iranians rent small VPS endpoints as personal exits.
REALITY-wrapped traffic is indistinguishable from normal TLS without an active cert-switch probe. We flag it via active_probe_reality when SNI fuzzing causes the server to swap to a fallback certificate.
AmneziaWG traffic, absent active probing, looks like random UDP. IPLogs' nonstandard-port signal and WireGuard handshake probe catch a meaningful fraction of real deployments.

The technology export angle

The surveillance and DPI infrastructure enabling Iran's blackout was largely built with technology supplied by Huawei and ZTE — a significant geopolitical detail. The playbook the Iranian government is running closely resembles the toolkit China sells as Geedge Networks products (see our GFW explainer). The export of this technology stack — not just to Iran but also to Kazakhstan, Pakistan, Ethiopia, and Myanmar — is the story behind the story.

References

Amnesty International, "Internet shutdown in Iran hides violations in escalating deadly crackdown", January 2026.
Chatham House, "Iran's internet shutdown signals a new stage of digital isolation", January 2026.
Al Jazeera, "Iran expands limited internet access but restrictions remain for most", April 20, 2026.
Index on Censorship, "Offline by decree: Iran's war on the internet", March 2026.
Carnegie Endowment, "Iran Wields Wartime Internet Access as a Political Tool", March 2026.

Check any IP against the 7-layer pipeline

The detection methods described above are all available through the IPLogs public API, free, no signup required.

Try the IP checker →