The Developer's Guide to VPN & Proxy Detection
Learn how modern VPN detection works: port patterns, reverse DNS heuristics, ASN ownership checks, and active probing techniques.
VPN and proxy detection is one of the most requested features in IP intelligence APIs. This guide explains how it works — and where it falls short.
ASN-based detection
The simplest approach: check whether the IP's ASN belongs to a known VPN provider or datacenter. Companies like NordVPN, ExpressVPN, and Mullvad operate their own IP ranges. A single ASN lookup can flag large portions of their infrastructure.
The downside: residential proxy networks deliberately use residential ISP IPs, so ASN checks miss them entirely.
Reverse DNS heuristics
VPN servers often have revealing reverse DNS entries: vpn.example.com, exit.mullvad.net, nordvpn.com. Pattern matching on PTR records catches many commercial VPNs.
Port scanning
Standard VPN and proxy ports include 1194 (OpenVPN), 1723 (PPTP), 4500 (IPsec), 1080 (SOCKS5), 3128 (HTTP proxy), 8080, and 8888. An IP with these ports open is a strong signal that it hosts a VPN or proxy endpoint.
TLS certificate inspection
VPN endpoints often expose TLS certificates with organization names, common names, or SANs that reveal their purpose. Inspecting the certificate chain adds another detection layer.
Behavioral signals
Some signals require observing traffic patterns over time: unusually high request volume from a single IP, sequential user IDs from the same address, or geographic impossibilities (same user appearing in two countries within minutes).
Combining signals into a score
No single signal is definitive. OpenIPApi combines ASN ownership, reverse DNS, open ports, TLS fingerprints, and probe results into a threat score (0–100). Scores above 70 warrant review; above 85 typically mean block or challenge.
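The sketch below is an added example, not OpenIPApi's code or algorithm. It shows one way to combine the ASN, reverse DNS, port, and TLS signals from this guide into a 0–100 score and apply the thresholds above. The weights, the noisy-OR combination, the hostname pattern, the ASN list, and the sample observations are all assumptions made for illustration; active probe results are left out.

```python
import re
from dataclasses import dataclass

# Ports named in the port-scanning section of this guide.
VPN_PROXY_PORTS = frozenset({1194, 1723, 4500, 1080, 3128, 8080, 8888})
# Hostname heuristic built from the guide's PTR examples (assumed pattern).
REVEALING_NAME = re.compile(r"vpn|proxy|(?:^|[.-])exit\d*[.-]", re.IGNORECASE)
# Constructed ASN list; 64500 is a documentation ASN (RFC 5398), not a real provider.
VPN_OR_DATACENTER_ASNS = frozenset({64500})
# Assumed per-signal confidence, not the service's real weights.
WEIGHTS = {"asn": 0.60, "rdns": 0.55, "ports": 0.50, "tls": 0.40}

@dataclass(frozen=True)
class Observation:
    asn: int
    ptr: str = ""
    open_ports: frozenset = frozenset()
    tls_names: tuple = ()  # CN, SAN and organization strings from the certificate

def fired_signals(obs):
    """Return the names of the signals that this observation triggers."""
    fired = set()
    if obs.asn in VPN_OR_DATACENTER_ASNS:
        fired.add("asn")
    if REVEALING_NAME.search(obs.ptr):
        fired.add("rdns")
    if VPN_PROXY_PORTS & set(obs.open_ports):
        fired.add("ports")
    if any(REVEALING_NAME.search(name) for name in obs.tls_names):
        fired.add("tls")
    return fired

def threat_score(obs):
    """Noisy-OR: each signal independently reduces the chance the IP is clean."""
    clean = 1.0
    for name in fired_signals(obs):
        clean *= 1.0 - WEIGHTS[name]
    return round(100 * (1.0 - clean))

def verdict(score):
    """Apply the guide's thresholds: above 70 review, above 85 block or challenge."""
    if score > 85:
        return "block_or_challenge"
    return "review" if score > 70 else "allow"

# Constructed observations, not real measurements.
COMMERCIAL_VPN = Observation(64500, "exit.mullvad.net", frozenset({1194, 443}), ("vpn.example.com",))
DATACENTER_HOST = Observation(64500, "vpn.example.com")
RESIDENTIAL_PROXY = Observation(64496, "c-203-0-113-7.isp.example.net", frozenset({443}))
```

The residential proxy sample scores 0 because none of these four signals fire on a residential ISP address, which is the blind spot described in the ASN section; catching it depends on the behavioral signals.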