Russia's TSPU System: How Roskomnadzor Blocks VPNs at the ISP Level
Russia's TSPU: in-path, stateful DPI on 1M+ endpoints across 650 ASes. How it detects and throttles VPN traffic, and what separates it from China's GFW.
Russia's censorship infrastructure, known as TSPU (Technical Measures for Combating Threats, Технические Средства Противодействия Угрозам), is less famous than China's Great Firewall but arguably more invasive at the ISP level. It is in-path and stateful, installed at over a million endpoints across 650 ASes, and deliberately targets residential users while leaving datacenter VPSes unfiltered. Here is what we know from the Xue et al. IMC 2022 paper — still the most authoritative technical reference — plus updates through 2026.
Architecture and scale
- TSPU devices are manufactured by RDP.RU and distributed by Roskomnadzor, which also instructs ISPs on installation location.
- Over 1 million endpoints across 650 ASes are confirmed to route through TSPU infrastructure.
- 70% of endpoints are within two network hops of the end user, consistent with installation before carrier-grade NAT.
- Paths can traverse multiple TSPU devices: a TSPU close to the end user (symmetric visibility) and a TSPU at the transit ISP (upstream-only visibility).
- Only residential networks are targeted. Datacenter VPSes show little to no TSPU-induced censorship in measurements. This has a direct consequence for VPN operators: Russia-based VPS exits work.
What TSPU actually blocks
TSPU operates several filtering primitives simultaneously. Being in-path and stateful means the device terminates and reconstructs TCP streams rather than observing them passively, which gives it more options than the GFW's mostly on-path model. Common mechanisms:
- DNS-level blocks for domains on the Roskomnadzor registry. Delivered inline — the TSPU drops outbound DNS queries or returns refused/NXDOMAIN. Unlike the GFW it does not always inject forged answers.
- SNI blocking on TLS 1.2. When the plaintext SNI matches the registry, the TCP stream is reset (RST). ESNI and ECH are explicitly blocked.
- VPN protocol identification. OpenVPN, IPSec, WireGuard, L2TP, and PPTP patterns are fingerprinted on known ports and — critically — non-known ports. This is the feature that drove the domestic VPN market to obfuscation protocols after 2022.
- Throttling rather than blocking. TSPU can reduce bandwidth to a given IP or domain rather than drop it outright. Twitter was famously throttled rather than blocked during 2021; YouTube was throttled starting 2024.
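To illustrate why moving a VPN to a non-standard port does not defeat the protocol identification described above, here is an added example (not code from the paper, from IPLogs, or a reconstruction of TSPU's rules) that labels UDP payloads purely from the publicly documented WireGuard and OpenVPN wire formats. The function names and sample payloads are constructed for illustration, and the OpenVPN check assumes a configuration without tls-auth or tls-crypt.

```python
"""Port-independent VPN handshake classifier (constructed example)."""

# WireGuard fixed-size messages: type byte -> (name, exact length in bytes)
WG_FIXED = {1: ("handshake-initiation", 148),
            2: ("handshake-response", 92),
            3: ("cookie-reply", 64)}
OVPN_HARD_RESET_CLIENT_V2 = 7  # OpenVPN opcode, carried in the top 5 bits of byte 0


def classify_udp_payload(payload: bytes) -> str:
    """Label a UDP payload from its structure alone; the port is never consulted."""
    n = len(payload)
    # WireGuard: 1-byte message type followed by 3 reserved zero bytes.
    if n >= 4 and payload[1:4] == b"\x00\x00\x00":
        kind = payload[0]
        if kind in WG_FIXED and n == WG_FIXED[kind][1]:
            return "wireguard/" + WG_FIXED[kind][0]
        # Transport data: 16-byte header, ciphertext padded to 16, 16-byte tag.
        if kind == 4 and n >= 32 and n % 16 == 0:
            return "wireguard/transport-data"
    # OpenVPN over UDP without tls-auth/tls-crypt (assumption): opcode|key_id,
    # 8-byte session id, empty ACK array, packet id 0 -> exactly 14 bytes.
    if (n == 14 and payload[0] >> 3 == OVPN_HARD_RESET_CLIENT_V2
            and payload[0] & 0x07 == 0 and payload[9:] == b"\x00" * 5):
        return "openvpn/hard-reset-client-v2"
    return "unknown"


def classify_flows(flows):
    """flows: iterable of (dst_port, first_payload) -> list of (dst_port, label)."""
    return [(port, classify_udp_payload(data)) for port, data in flows]


# Constructed sample payloads (not captured traffic), including non-standard ports.
SAMPLE_FLOWS = [
    (51820, b"\x01\x00\x00\x00" + b"\xaa" * 144),   # WireGuard on its default port
    (443,   b"\x01\x00\x00\x00" + b"\xaa" * 144),   # same handshake moved to 443
    (8080,  b"\x38" + b"\x11" * 8 + b"\x00" * 5),   # OpenVPN client reset on 8080
    (53,    bytes.fromhex("123401000001000000000000")
            + b"\x07example\x03org\x00\x00\x01\x00\x01"),  # ordinary DNS query
]

if __name__ == "__main__":
    for port, label in classify_flows(SAMPLE_FLOWS):
        print(f"udp/{port}: {label}")
```

The fixed message sizes and reserved zero bytes are what make unobfuscated WireGuard recognizable on any port; obfuscation protocols work by removing exactly these invariants.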
What this means for VPN users in Russia
Three consequences flow from the TSPU design:
- Direct OpenVPN or WireGuard connections on standard ports from a residential Russian IP will be recognized within seconds and throttled or blocked. This is why commercial VPN providers rolled out obfuscation defaults (NordVPN Obfuscated Servers, Mullvad Shadowsocks) specifically for Russian users.
- Russian IP space as a VPN origin is difficult: ISPs are required to register VPN servers with Roskomnadzor and many providers avoid Russian infrastructure for legal reasons.
- Because TSPU only targets residential networks, Russian VPN exits hosted in datacenters (Selectel, Russian AWS equivalents) tend to work for outbound users — but carry significant legal risk to operators.
How IPLogs detects TSPU-exposed VPN traffic
From outside Russia, you can still detect a client whose packets have traversed TSPU-aware proxies. The fingerprint of popular Russian obfuscation modes (AmneziaWG, REALITY-based proxies, Shadowsocks) differs from raw WireGuard or OpenVPN — and our active-probing layer targets those specifically. See the full 7-layer detection method for details.
Compared to China's GFW
Three key differences summarize the divergence between the two most important censorship regimes:
- GFW is mostly on-path and stateless; TSPU is in-path and stateful.
- GFW filters at national borders; TSPU filters at ISP residential networks within Russia.
- GFW heavily uses response injection (DNS forgery, RST injection); TSPU mostly drops or throttles.
References
- Xue et al., "TSPU: Russia's New Censorship Infrastructure for Internet Traffic Throttling and Blocking", ACM IMC 2022.
- OONI Russia measurements (ongoing).
- Roskomnadzor registry of blocked domains (public).