iplogs.com

Frequently asked questions

Detailed answers about how IPLogs detects VPNs, what we can and can't see, rate limits, accuracy, and API integration.

What is a VPN detection service?

A VPN detection service examines an IP address and a set of behavioral signals to decide whether the endpoint is a commercial VPN, a residential or datacenter proxy, a Tor exit node, or a real end-user device. High-quality services combine IP reputation data, active probing, TLS and TCP fingerprints, and round-trip-time heuristics rather than relying on a single blacklist.

How does IPLogs detect VPNs?

Seven layers: (1) IP intelligence — curated VPN server lists, ASN classification, hourly-refreshed Tor exit list; (2) TCP/IP stack fingerprinting — MSS, TTL, window anomalies; (3) TLS/JA3 fingerprinting — matches ClientHello hashes to known VPN client libraries; (4) RTT analysis — SNITCH TCP vs TLS differential and cross-layer RTT checks from NDSS 2025; (5) active probing — OpenVPN HARD_RESET, WireGuard handshake init, IKEv2 SA_INIT, REALITY cert-switch; (6) client signals — timezone, language, WebRTC ICE leak; (7) port and network sanity.
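A sketch of layer (3), added here as an illustration and not taken from IPLogs' code: it parses a raw ClientHello record, builds the standard JA3 string (GREASE values excluded), and looks the MD5 hash up in a fingerprint table. The sample record, the table entry and the function names are constructed for this example.

```python
import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # RFC 8701; JA3 leaves these out

def _u16s(buf):  # big-endian 16-bit values with GREASE dropped
    return [v for v in struct.unpack(f">{len(buf) // 2}H", buf) if v not in GREASE]

def ja3_string(rec):
    """JA3 string for one raw TLS record that carries a ClientHello."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    version = struct.unpack_from(">H", rec, 9)[0]
    p = 9 + 2 + 32                      # record+handshake headers, version, random
    p += 1 + rec[p]                     # session id
    n = struct.unpack_from(">H", rec, p)[0]
    ciphers = _u16s(rec[p + 2:p + 2 + n])
    p += 2 + n
    p += 1 + rec[p]                     # compression methods
    exts, groups, formats = [], [], []
    end = p + 2 + struct.unpack_from(">H", rec, p)[0] if p + 2 <= len(rec) else p
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from(">HH", rec, p)
        body, p = rec[p + 4:p + 4 + elen], p + 4 + elen
        if etype not in GREASE:
            exts.append(etype)
        if etype == 10:                 # supported_groups: 2-byte list length first
            groups = _u16s(body[2:])
        elif etype == 11:               # ec_point_formats: 1-byte list length first
            formats = list(body[1:])
    fields = ([version], ciphers, exts, groups, formats)
    return ",".join("-".join(map(str, f)) for f in fields)

def ja3_hash(rec):
    return hashlib.md5(ja3_string(rec).encode()).hexdigest()

# Constructed ClientHello (not captured traffic): GREASE plus two ciphers, four extensions.
_BODY = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x06\x0a\x0a\x13\x01\xc0\x2f" + b"\x01\x00"
         + b"\x00\x18" + b"\x0a\x0a\x00\x00" + b"\x00\x0a\x00\x06\x00\x04\x00\x1d\x00\x17"
         + b"\x00\x0b\x00\x02\x01\x00" + b"\x00\x23\x00\x00")
SAMPLE = (b"\x16\x03\x01" + struct.pack(">H", len(_BODY) + 4)
          + b"\x01" + struct.pack(">I", len(_BODY))[1:] + _BODY)

# Hypothetical table; a real one holds hashes observed from VPN client libraries.
KNOWN_VPN_JA3 = {ja3_hash(SAMPLE): "example-vpn-client (constructed entry)"}

def classify(rec):
    return KNOWN_VPN_JA3.get(ja3_hash(rec))
```

Because GREASE values are dropped, the same client hashes identically across connections, while a change in cipher order yields a different hash and no match.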

Can IPLogs detect residential proxies?

Hosting-backed residential proxies that share IPs with known datacenter ASNs (Leaseweb, CoLoCrossing, HostPapa, Ace Data Centers, Colocation America) are reliably flagged by the datacenter-ASN layer. Peer-to-peer residential proxies that route traffic through real consumer ISP connections are the hardest category in the industry and require behavioral heuristics that IPLogs is actively researching. For the highest-confidence residential-proxy detection, combine IPLogs with session behavior analytics (mouse movement, typing cadence).

Can IPLogs detect Tor exits?

Yes. The Tor exit-node list is fetched from check.torproject.org once an hour. Any IP in the current list matches the tor_exit signal at weight 0.95, producing a vpn_detected verdict.
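The lookup described above, as an added example rather than IPLogs' own code. It assumes the fetched list is plain text with one address per line; the verdict threshold, the "no_detection" label, the result shape and the two-interval staleness rule are assumptions made for illustration, and the sample list is constructed from documentation address ranges.

```python
import ipaddress
import time

REFRESH_SECONDS = 3600    # the page: list is fetched once an hour
TOR_EXIT_WEIGHT = 0.95    # the page: weight of the tor_exit signal
VERDICT_THRESHOLD = 0.8   # assumption: the page does not state the cut-off

class TorExitList:
    def __init__(self, clock=time.time):
        self._clock, self._ips, self._loaded_at = clock, frozenset(), None

    def load(self, text):
        """Replace the list from one-address-per-line text; return entries kept."""
        ips = set()
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                ips.add(ipaddress.ip_address(line))
            except ValueError:
                continue          # e.g. an HTML error page served instead of the list
        if not ips:
            raise ValueError("no addresses parsed; keeping the previous list")
        self._ips, self._loaded_at = frozenset(ips), self._clock()
        return len(ips)

    def is_stale(self):
        """True when no list is loaded or two refresh intervals were missed."""
        age_limit = 2 * REFRESH_SECONDS
        return self._loaded_at is None or self._clock() - self._loaded_at > age_limit

    def check(self, ip):
        """Hypothetical result shape, not the IPLogs response schema."""
        hit = ipaddress.ip_address(ip) in self._ips
        signals = [{"name": "tor_exit", "weight": TOR_EXIT_WEIGHT}] if hit else []
        score = max((s["weight"] for s in signals), default=0.0)
        verdict = "vpn_detected" if score >= VERDICT_THRESHOLD else "no_detection"
        return {"verdict": verdict, "signals": signals, "list_stale": self.is_stale()}

# Constructed sample list using documentation address ranges (RFC 5737).
SAMPLE_LIST = """# constructed sample
192.0.2.10
198.51.100.7
not-an-ip
203.0.113.99
"""
```

A failed refresh that returns no parseable addresses leaves the previous list in place, and the `list_stale` flag tells the caller when a negative result rests on outdated data.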

How is IPLogs different from IPQualityScore, IPHub, or GetIPIntel?

IPLogs has no signup requirement on its free tier, exposes every detection signal in the API response (not just a score), and has no commercial VPN business that creates a conflict of interest. Commercial services have larger enterprise support teams and longer-established SLAs, so the right choice depends on integration volume and compliance needs.

Is there a rate limit?

Soft limit of roughly 60 requests per minute per source IP. You'll receive HTTP 429 if you exceed it. No daily quota, no monthly cap. For sustained high volume, email admin@iplogs.com to discuss a dedicated tier.

Does IPLogs store my IP address?

Only in transient request logs used for rate-limiting and abuse detection. Logs rotate automatically. There is no persistent database of individual lookups, no tracking cookies, no advertising integrations, and no third-party analytics.

How accurate is the detection?

Against ground-truth datasets of known commercial VPN endpoints (NordVPN, Mullvad, SoftEther, Private Internet Access, ProtonVPN) the seven-layer pipeline achieves a true-positive rate above 95% with under 1% false positives on residential ISPs. Trusted infrastructure — public DNS anycast addresses and major CDNs (Cloudflare, Google, Fastly, Akamai, Microsoft, Apple, Meta, Netflix) — is explicitly allowlisted to prevent false alarms.

Does IPLogs work with IPv6?

IPv4 is the primary target today. IPv6 support is tracked on GitHub. Most VPN providers still advertise IPv4 endpoints, so the IPv4-only result set is representative for the majority of real-world traffic.

What if I need dedicated infrastructure for very high volume?

Email admin@iplogs.com with your use case. For sustained multi-million-request workloads we can discuss a dedicated deployment, commercial terms, and SLAs. The public free tier is intended for small and medium integrations.

What databases does IPLogs use?

MaxMind GeoLite2 City and ASN MMDB files as the primary source. ip-api.com as the free fallback for IPs not covered locally. Tor exit nodes from check.torproject.org (hourly refresh). Mullvad WireGuard relays from api.mullvad.net (6-hour refresh). Additional VPN server lists can be loaded via the EXTRA_VPN_LIST environment variable.

How do I report a false positive?

Email admin@iplogs.com with the IP address, the verdict you received, and what the IP actually is (residential, corporate, cloud workload, etc.). False positives are taken seriously and investigated within a few days.

Can IPLogs be used for bot detection?

Indirectly. A large fraction of scraping and bot traffic originates from datacenter IPs — these are flagged by the datacenter-ASN layer without CAPTCHAs. For human-vs-bot discrimination (headless browser detection, automation frameworks) combine IPLogs with a behavioral analytics tool.

Is IPLogs GDPR compliant?

IPLogs does not store personal data beyond transient request logs. IP addresses are personal data under GDPR, so operators integrating IPLogs into production applications must document the lawful basis for processing (typically legitimate interest for fraud prevention) and include IPLogs in their data-processing register. A data-processing agreement is available on request.