IP & VPN detection glossary
Plain-English definitions of the terms behind VPN, proxy, Tor, and datacenter IP detection — from ASN and CGNAT to residential proxies and Apple Private Relay.
- Apple iCloud Private Relay
- Apple iCloud Private Relay is a privacy feature for iCloud+ subscribers that sends Safari traffic through two relays so neither Apple nor the website sees both your identity and your destination. Egress IPs run on partner networks like Cloudflare. It is not a commercial VPN and shouldn't be blocked as one.
- ASN (Autonomous System Number)
- An ASN, or autonomous system number, identifies a network that controls a block of IP addresses and announces routes for them on the internet (for example AS13335 is Cloudflare). ASNs reveal who owns an IP — an ISP, a hosting company, a VPN provider — which is central to classifying it.
- CGNAT (Carrier-Grade NAT)
- CGNAT, or carrier-grade NAT, lets an ISP share one public IP among many subscribers by assigning them addresses in the 100.64.0.0/10 range. Common on mobile and some fibre networks, it means many users appear to come from the same public IP, which can trigger shared-reputation false positives.
- Cloudflare WARP
- Cloudflare WARP is a free privacy service that routes device traffic through Cloudflare's network (AS13335), often via the 1.1.1.1 app. It is not a commercial VPN for geo-spoofing — it optimizes routing and hides your IP from sites — so detection services should treat it as its own category, not a VPN.
- Datacenter IP
- A datacenter IP is an address that belongs to a hosting or cloud provider (AWS, Google Cloud, OVH, Hetzner) rather than a consumer ISP. Servers, VPN exits, scrapers, and bots run on datacenter IPs. A datacenter IP alone is not proof of a VPN, but it rarely belongs to a real end user.
- IP geolocation
- IP geolocation is the mapping of an IP address to an approximate physical location — country, region, and city — using databases that track which networks announce which ranges. It is accurate at the country level but coarse at the city level, and a VPN or proxy will geolocate to the exit server, not the user.
- IP reputation
- IP reputation is a risk assessment of an IP address based on its observed behavior and associations — appearances on abuse blocklists, history as a VPN or proxy exit, datacenter ownership, and threat-intel feed listings. A poor reputation raises the risk score a fraud or security system assigns to a request.
- IPv4 vs IPv6
- IPv4 and IPv6 are the two internet addressing schemes. IPv4 uses 32-bit addresses (about 4.3 billion, now exhausted), written like 203.0.113.5. IPv6 uses 128-bit addresses (effectively unlimited), written like 2001:db8::1. Both are in active use, so detection and geolocation must handle each as first-class.
- JA3 / JA4 fingerprint
- A JA3 (or newer JA4) fingerprint is a hash of the fields in a TLS ClientHello — the parameters a client offers when starting an encrypted connection. Because VPN clients, proxies, and automation tools assemble these fields differently from mainstream browsers, the fingerprint helps identify what software is really connecting.
- Open proxy
- An open proxy is a proxy server that accepts connections from anyone, often because it was misconfigured or deliberately left public. Attackers and scrapers abuse open proxies to hide their origin. Their IPs are widely catalogued in public feeds, which makes them easy to flag.
- Proxy server
- A proxy server is an intermediary that forwards your web requests, so the destination site sees the proxy's IP instead of yours. Unlike a VPN, a proxy usually works per-application (e.g., a browser) and often without encryption. Proxies are used for scraping, geo-unblocking, and hiding origin.
- Public vs private IP address
- A public IP address is globally routable and visible to every site you visit; a private IP (like 192.168.1.1, or any address in 10.0.0.0/8) exists only inside a local network and can't be reached from the internet. Your router has a public IP on the outside and hands out private IPs to your devices via NAT.
- Residential proxy
- A residential proxy routes traffic through real consumer devices on ISP connections, so the exit IP looks like an ordinary home user rather than a datacenter. Residential proxies are sold by proxy networks (often sourcing IPs from SDKs or compromised devices) and are the hardest anonymizer category to detect.
- SOCKS5 proxy
- A SOCKS5 proxy is a low-level proxy that forwards any TCP or UDP traffic between a client and destination, without interpreting the application protocol. It is popular for routing apps, torrents, and tooling through another IP. SOCKS5 proxies running on public ports can be detected by their handshake.
- Tor exit node
- A Tor exit node is the final relay in the Tor network — the server that sends your traffic to its destination. The destination site sees the exit node's IP, not yours. Exit node IPs are published openly by the Tor Project, which makes Tor traffic straightforward to detect.
- VPN (Virtual Private Network)
- A VPN, or virtual private network, routes your internet traffic through an encrypted tunnel to a server run by the VPN provider. Websites then see the VPN server's IP address instead of your real one, masking your location and ISP. Commercial examples include NordVPN, Mullvad, and ProtonVPN.
- VPN detection
- VPN detection is the process of determining whether an IP address belongs to a VPN, proxy, or anonymizing service rather than a real residential or mobile connection. It combines IP reputation lists, ASN classification, and active network probing to produce a verdict, used for fraud prevention and geo-compliance.
- WebRTC leak
- A WebRTC leak is when a browser's real-time communication APIs reveal your true IP address even though you're behind a VPN or proxy. WebRTC gathers candidate IPs via STUN to establish peer connections, and those candidates can expose the underlying public or local IP a VPN was meant to hide.