iplogs.com

VPN detection APIs tested against 5 real IPs (2026)

Most VPN-detection-API comparisons rank vendors on feature counts. That's the wrong axis. The decision factor for any production fraud surface is false-positive rate — how often the vendor flags real customers as VPN users when they aren't.

We hit 6 vendors with 5 controlled test IPs (Google Public DNS, Cloudflare Public DNS, Apple iCloud Private Relay, a Mullvad VPN exit, and a known Tor exit). Below is what each one actually returned.

Disclosure: we maintain IPLogs. The test was run on 2026-04-29 using each vendor's free unauthenticated API where available. The test methodology and curl commands are reproducible (see the FAQ at the bottom). Vendor responses are welcome at admin@iplogs.com.

The test IPs

8.8.8.8 · Google Public DNS

World's most-used public DNS resolver. Owned by Google (AS15169). Not anonymizing, not a VPN, not a proxy. Should be 'clean' on every honest detection API.

1.1.1.1 · Cloudflare Public DNS

Public DNS resolver from Cloudflare (AS13335). Not a VPN, not a proxy. Famous trusted-infra IP. Should be 'clean' on every API.

104.28.38.71 · Apple iCloud Private Relay

Egress IP from Apple's iCloud Private Relay infrastructure (operated on Cloudflare AS13335). Not a commercial VPN — it's a privacy feature for iCloud+ users routing Safari traffic. APIs that classify this as 'VPN' will wrongly block iOS users.

23.234.89.127 · Mullvad VPN exit

Confirmed Mullvad VPN relay (us-phx-wg-204). Mullvad publishes their relay list openly via api.mullvad.net. Should be detected as VPN by every API.

171.25.193.25 · Tor exit relay (DFRI Sweden)

Published Tor exit operated by DFRI Sweden. On the official torbulkexitlist. Should be detected as Tor by every API.

Live API responses (raw)

8.8.8.8 · Google Public DNS

| Vendor | Response |
|---|---|
| IPLogs | verdict=clean · score=0.0 · provider=null |
| ipapi.is | is_vpn=false · is_proxy=false · is_tor=false · is_abuser=TRUE |
| ip-api.com | proxy=false · hosting=true · mobile=false |
| proxycheck.io | proxy=no · type=Business · risk=0 |
| ipinfo.io free | no privacy data on free tier |
| ipinfo.io paid | vpn=false · proxy=false · tor=false · hosting=true |

1.1.1.1 · Cloudflare Public DNS

| Vendor | Response |
|---|---|
| IPLogs | verdict=clean · score=0.0 · provider=null |
| ipapi.is | is_vpn=TRUE · is_proxy=false · is_tor=false · is_abuser=TRUE |
| ip-api.com | proxy=false · hosting=true · mobile=false |
| proxycheck.io | proxy=no · type=Business · risk=0 |
| ipinfo.io free | no privacy data on free tier |
| ipinfo.io paid | vpn=false · proxy=false · tor=false · hosting=true |

104.28.38.71 · Apple iCloud Private Relay

| Vendor | Response |
|---|---|
| IPLogs | verdict=suspicious · score=0.5 · provider=Apple iCloud Private Relay |
| ipapi.is | is_vpn=false · is_proxy=false · is_tor=false (missed it entirely) |
| ip-api.com | proxy=true (no Apple PR vs commercial-VPN distinction) |
| proxycheck.io | proxy=yes · type=VPN · risk=73 (lumped with commercial VPN) |
| ipinfo.io free | no privacy data on free tier |
| ipinfo.io paid | relay=true · service=Apple Private Relay (correctly identified) |

23.234.89.127 · Mullvad VPN exit

| Vendor | Response |
|---|---|
| IPLogs | verdict=vpn_detected · score=1.0 · provider=Mullvad · sources=[Mullvad, X4BNet] |
| ipapi.is | is_vpn=true (correct) |
| ip-api.com | proxy=true · hosting=true |
| proxycheck.io | proxy=yes · type=VPN · risk=73 |
| ipinfo.io free | no privacy data on free tier |
| ipinfo.io paid | vpn=true · service=mozillavpn (Mozilla VPN runs on Mullvad's relay infra) |

171.25.193.25 · Tor exit relay (DFRI Sweden)

| Vendor | Response |
|---|---|
| IPLogs | verdict=vpn_detected · score=1.0 · provider=Tor |
| ipapi.is | is_tor=true · is_proxy=true · is_abuser=true (Tor exit = abuser is questionable) |
| ip-api.com | proxy=true (no Tor-specific signal) |
| proxycheck.io | proxy=yes · type=TOR · risk=100 (correctly identified Tor) |
| ipinfo.io free | no privacy data on free tier |
| ipinfo.io paid | tor=true (correctly identified) |

Legend: correct (matches what the IP actually is) · partial (lumps categories) · false positive (wrong) · no data on free tier.

Per-vendor scorecard (5 test IPs)

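| Vendor | Free tier | Correct | ~ Partial | False positive | No data |
|---|---|---|---|---|---|
| IPLogs | Unlimited (fair use) | 5 | 0 | 0 | 0 |
| ipapi.is | 1,000/day, no signup | 1 | 1 | 2 | 1 |
| ip-api.com | 45/min, no signup | 3 | 2 | 0 | 0 |
| proxycheck.io | 1,000/day, key for more | 4 | 0 | 1 | 0 |
| ipinfo.io free | 50k/month basic geo | 0 | 0 | 0 | 5 |
| ipinfo.io paid | Paid Privacy plans | 5 | 0 | 0 | 0 |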

correct · ~ partial / lumped · false positive · no data on free tier

Per-vendor notes

IPLogs · Unlimited (fair use)

Zero false positives across all 5 test IPs. Apple Private Relay was correctly identified as a separate signal at the suspicious tier (not vpn_detected). Multi-source provenance was returned for both Mullvad and Tor (the sources array shows which feeds matched).

ipapi.is · 1,000/day, no signup

Most generous unauthenticated free tier but the worst false-positive profile in the test. Flagged 1.1.1.1 (Cloudflare DNS) as VPN. Flagged BOTH 8.8.8.8 (Google DNS) and 1.1.1.1 as 'is_abuser=true' — that's labelling the world's two most famous public DNS resolvers as abusive. Missed Apple Private Relay entirely. Tor correctly identified but tagged as abuser.

ip-api.com · 45/min, no signup

The free no-auth tier returns proxy/hosting/mobile booleans only. No FP on the test IPs, but no separation between Apple Private Relay and commercial VPN, and no separation between Tor and other proxies. Trusted DNS resolvers were handled correctly. Solid for basic classification at the cost of granularity.

proxycheck.io · 1,000/day, key for more

Returns a 'type' field (VPN, TOR, Business, etc.) and a risk score 0-100. Correctly identified Tor as TOR (not just VPN). FP on Apple Private Relay — classified as type=VPN at risk=73, no separate Apple PR identification. Trusted DNS handling correct.

ipinfo.io free · 50k/month basic geo

Free tier returns ASN, geo, hostname — but NO VPN/proxy/Tor/Apple PR flags. The Privacy data product is paid only. Effectively unusable for VPN detection on free tier.

ipinfo.io paid · Paid Privacy plans

Best paid-vendor result in the test. Correctly separates Apple Private Relay (returns service='Apple Private Relay' with relay=true). Correctly identifies Mullvad as VPN with service='mozillavpn' (acknowledging the Mozilla VPN / Mullvad infra relationship). Tor correctly tagged. Trusted DNS handling correct.

Frequently asked questions

How was this test run?

Each test IP was queried against each vendor's free public API (no API key, no signup where possible) on 2026-04-29. Responses were captured raw. The criterion for 'correct' is: matches what the IP actually is. A clean public DNS resolver (8.8.8.8, 1.1.1.1) returning is_vpn=true is a false positive. An Apple Private Relay IP returning generic 'VPN' without separation is partial. A confirmed Mullvad relay returning is_vpn=false is a false negative. The test focuses on FP because that's what costs you customers.

Why isn't IPQualityScore (IPQS) tested here?

IPQS requires API key signup and CAPTCHA on their public lookup page, so we couldn't capture an unauthenticated empirical response. Anecdotally (Reddit r/networking, r/SaaS, r/Entrepreneur) IPQS is widely reported to over-flag CGNAT and residential ISPs. Their fraud_score blends multiple signals into one number with no source visibility, making FP disputes hard. We'll add direct test data once we get a free key.

Why does ipapi.is flag 8.8.8.8 and 1.1.1.1 as 'abuser'?

Best guess: their abuser feed gets contaminated by traffic patterns to high-volume IPs (every browser worldwide queries 8.8.8.8 / 1.1.1.1 directly or indirectly, so abuse-like signals from any one of those clients can leak into the score). It's a feed-quality issue, not a fundamental architecture problem. But it means anyone using ipapi.is for fraud scoring needs to allowlist trusted-infra IPs manually.

If ipinfo.io paid handles Apple Private Relay correctly, why use IPLogs?

Several reasons. (1) IPLogs is free with no signup; ipinfo.io paid Privacy data starts at $250/month. (2) IPLogs returns the matched-source list (vpn_provider_sources[]) so users can dispute a false positive by name; ipinfo returns flags only. (3) IPLogs runs active OpenVPN/WireGuard/IKEv2 protocol probes, which catch self-hosted VPNs (Algo, Streisand, Tailscale exit nodes) that no IP-list-based API will ever see. For most use cases, free + lower FP rate beats paid + slightly broader IP coverage.

What about Cloudflare WARP — can I test that?

WARP IPs rotate constantly within Cloudflare's pool, so a hardcoded test IP is unreliable. Best way to test: connect via the 1.1.1.1 with WARP app on iOS or Android, then visit each vendor's lookup page with the resulting IP. Most vendors (proxycheck.io, ipapi.is, ip-api.com) lump WARP into generic VPN/proxy. IPLogs and IPinfo paid identify WARP separately.

How can I verify these results myself?

Run the same curl commands against each vendor with the test IPs. The IPs in this test are stable: 8.8.8.8 and 1.1.1.1 are always Google/Cloudflare DNS. 23.234.89.127 has been a Mullvad relay since 2024. 171.25.193.25 has been a DFRI Tor exit for years. 104.28.38.71 was an Apple Private Relay IP at the time of testing — Cloudflare may rotate this within their pool, so verify against Apple's current CSV at mask-api.icloud.com. Re-running the test takes about 5 minutes.

What's the actionable takeaway?

If you're picking a free VPN-detection API and your traffic includes Apple iCloud users (any consumer-facing iOS app), avoid ipapi.is, proxycheck.io's free tier, and ip-api.com for production policy decisions on iCloud+ users. Pair them with Apple's published CSV directly, or use IPLogs / ipinfo.io paid which already separate it. If you're paying for VPN detection, ipinfo.io paid is the highest-quality general-purpose option — but you don't get source visibility for FP disputes. Spur (paid only) and IPLogs (free) are the two with named-source provenance.
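One way to apply the two workarounds from this FAQ (allowlisting trusted-infra IPs, and pairing a vendor with Apple's published CSV) as a post-processing step over a vendor's answer. This is an added example, not IPLogs or vendor code; the CSV column layout, the sample ranges, the label names and the function names are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample in the assumed layout of Apple's egress list
# (CIDR,country,region,city,). Illustrative ranges, not Apple's data.
SAMPLE_RELAY_CSV = """104.28.38.0/24,US,US-CA,Los Angeles,
2001:db8:1234::/48,US,US-NY,New York,
"""

# Trusted-infra IPs named on this page; extend with your own list.
TRUSTED_INFRA = {ipaddress.ip_address("8.8.8.8"), ipaddress.ip_address("1.1.1.1")}


def load_relay_networks(csv_text):
    """Parse the first CSV column into network objects, skipping bad rows."""
    nets = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue
        try:
            nets.append(ipaddress.ip_network(row[0].strip(), strict=False))
        except ValueError:
            continue  # header line or malformed CIDR
    return nets


def reconcile(ip, vendor_label, relay_nets):
    """Return (final_label, reason) after local overrides of a vendor label.

    vendor_label is the vendor's answer, normalized by the caller to a
    hypothetical label set: 'clean', 'vpn', 'proxy', 'tor' or 'abuser'.
    """
    addr = ipaddress.ip_address(ip)
    if addr in TRUSTED_INFRA:
        return "clean", "trusted-infra allowlist"
    if any(addr.version == n.version and addr in n for n in relay_nets):
        return "private_relay", "Apple egress list"
    return vendor_label, "vendor"


RELAY_NETS = load_relay_networks(SAMPLE_RELAY_CSV)

if __name__ == "__main__":
    # Vendor answers taken from the tables on this page, normalized by hand.
    samples = [("1.1.1.1", "vpn"), ("104.28.38.71", "vpn"),
               ("104.28.38.71", "clean"), ("23.234.89.127", "vpn"),
               ("171.25.193.25", "tor")]
    for ip, label in samples:
        print(ip, label, "->", reconcile(ip, label, RELAY_NETS))
```

Returning a distinct `private_relay` label instead of `clean` lets policy treat relay traffic separately from both commercial VPNs and ordinary traffic; the reason string records which local list overrode the vendor.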


Try IPLogs against your own corpus: paste any IP at the home page or hit the public REST API. See the accuracy benchmark for the published false-positive rate. The response includes every signal that fired and the named sources that matched.