How VPN Detection Works: What Websites Can See

The pitch every VPN service makes is some version of "be invisible online." The reality is more interesting. A modern website that wants to know whether you're using a VPN has six or seven different ways to find out, most of them probabilistic, some of them airtight. The combined signal is usually strong enough that streaming platforms, banks, ticketing sites, and dating apps can flag you within milliseconds of opening the page — before you've even loaded a script, let alone tried to log in.

This is a tour of how that detection actually works. None of it is exotic; all of it is mechanical. Once you see the pieces, the cat-and-mouse dynamic between VPN providers and detection services makes more sense, and you'll have a better sense of why some sites catch you and others don't.

The basic signal: your IP address

Every TCP connection you make reveals an IP address to the other side. That's not optional — it's how the response packets find their way back to you. Without a VPN, that IP belongs to your ISP, sits inside a residential network, and geolocates roughly to where you live. With a VPN, the IP belongs to the VPN provider, sits inside a data centre somewhere in the world, and geolocates wherever the exit server is. Both are "real" IPs in the eyes of the network — neither is a lie. The question detection has to answer is whether the IP you arrived on looks like a residential customer or like something else.

Everything in the rest of this post is some method of answering that question with more or less confidence.

Method 1: IP reputation databases

The most common method, and the one that does most of the work. Companies like Spur, IPQualityScore, MaxMind, and IP2Location maintain large databases of IPs they've identified as belonging to VPN providers, web proxies, Tor exit nodes, or open proxies. A website that wants to know whether your IP is a VPN sends an API query, gets back a yes/no plus a confidence score plus a category, and acts accordingly.

The databases get built by working the problem from the other side: the detection services literally subscribe to every major VPN provider, enumerate every exit IP, and add them to the database. They monitor BGP changes around hosting providers, ingest user reports, and partner with ISPs for ground truth. A new VPN exit usually shows up in the major databases within hours to days.

If you want to see what these databases say about your current IP, that's exactly what the VPN & proxy check does — it queries the same kinds of reputation feeds a streaming service or anti-fraud system would, and shows you the result.

Method 2: ASN and hosting provider

Every IP on the public internet belongs to an Autonomous System Number — a numeric identifier (typically 4-6 digits) for the network operator that announces routes for that IP block. Comcast residential is ASN 7922. Verizon Wireless is ASN 6167. DigitalOcean is ASN 14061. Hetzner is ASN 24940. AWS spans dozens of ASNs but they're all clearly Amazon.

VPN servers almost always run inside data centres, which means their public IPs sit inside ASNs operated by cloud and hosting providers. A website that sees a connection from ASN 14061 can be confident this is not a residential Comcast user in suburban Atlanta — it's a virtual machine somewhere. That alone isn't proof of a VPN (legitimate businesses run in data centres too), but combined with other signals it's strong.

Some newer services counter this with residential IP networks — they pay real ISP customers to route VPN traffic through home connections, so the exit IP looks residential. This works against ASN detection but raises ethical questions; some such networks have been accused of bundling participation with free software downloads without clearly informing the participants.

Method 3: Data centre vs residential classification

Closely related to ASN but not identical. IP geolocation databases (MaxMind GeoIP, IPinfo, and similar) classify each IP into a usage type: residential, business, hosting / data centre, mobile, or unknown. The classification draws on ASN data, BGP routing, reverse DNS hostnames (a PTR record like ec2-12-34-56-78.compute-1.amazonaws.com is unambiguous), and direct observation of how the IP is used.

A "data centre" classification is a near-certain VPN/proxy signal — the only people connecting from a data-centre IP are bots, automated tooling, or someone behind a VPN. Some websites flat-out block all data-centre IPs at the edge. That's why the same VPN can load most sites fine but fail at one streaming service: that service decided "no data centres" was acceptable collateral.

This is distinct from ASN because IP blocks get transferred between organisations over time. The classification databases track current use, not the original allocation.

Method 4: DNS leaks

When you connect to a VPN, two kinds of traffic should go through the tunnel: your HTTP/HTTPS traffic (so the website sees the VPN's IP) and your DNS queries (so the resolver you ask is the VPN's, not your ISP's). If only the HTTP traffic gets tunnelled and DNS queries leak to your ISP's resolver, a website can detect that mismatch.

The mechanism: the website embeds a unique-per-visit hostname pointing at a DNS server they control. When your browser resolves that hostname, the request goes to your recursive resolver, which then queries the website's authoritative server. The authoritative server logs which resolver IP did the lookup. If the resolver IP geolocates to California but your HTTP connection geolocates to the Netherlands, that's a DNS leak — strong evidence of an imperfectly-configured VPN tunnel. Even when the conclusion isn't "VPN" specifically, the inconsistency alone is a flag.

Most modern VPN clients handle this correctly out of the box. Older configurations, manual OpenVPN setups, and split-tunnel setups (where you explicitly route some traffic outside the tunnel) are the common sources of leaks.

Method 5: WebRTC leaks

The other major leak class. WebRTC's ICE candidate gathering involves the browser discovering its own reachable network addresses — local LAN addresses, public address as seen by a STUN server, and any TURN relay address. A webpage that creates a WebRTC peer connection can read this candidate list from JavaScript, with no user prompt and no microphone or camera permission needed.

Pre-mitigation, this could leak your real public IP through the VPN — the STUN traffic would sometimes bypass the tunnel and reveal the real address. Modern browsers ship with mDNS obfuscation (random .local hostnames in place of raw private addresses) and route STUN through the tunnel correctly in most configurations, so the worst version of the leak is mostly closed. But older browsers, embedded WebRTC stacks, and certain split-tunnel setups still leak. The WebRTC leak test shows your real exposure in about four seconds, and our piece on WebRTC leaks explained walks through the mechanism in detail.

Method 6: Behavioural and timing analysis

The fuzziest category, but cumulatively powerful. Many users from one IP is a proxy signal — residential IPs serve one household, a VPN exit might carry hundreds. Geographic impossibility (logged in from New York at 14:02, then Amsterdam at 14:07) flags an account regardless of whether the new IP is "known VPN." Port scans sometimes find characteristic open ports — OpenVPN on 1194/udp, WireGuard on 51820/udp — though commercial clients increasingly firewall those.

TCP/IP fingerprinting goes deeper: tunnelled traffic has subtly different MTU, TTL, and TCP window characteristics. None of these individually is conclusive, but combined with reputation data they yield a high-confidence answer.

What detection can't do

Detection flags an IP as "looks like a VPN" with some confidence level. It doesn't identify the person behind it. If you connect to a NordVPN exit and a streaming service blocks you, they know they blocked someone using NordVPN — not which NordVPN user.

Residential VPN IPs, when available, are genuinely much harder to detect. The reputation databases catch up, but the cycle is longer and the false-positive cost of blocking residential ranges is far higher than blocking a data centre. Detection is also probabilistic, not deterministic — corporate NATs, university networks, Starlink terminals, and iCloud Private Relay sessions can all look like a VPN to a naive detector.

Why sites detect at all

The motivations vary, but they cluster:

• Streaming services — Netflix, Disney+, BBC iPlayer, Hulu — enforce geographic licensing terms. The content they're allowed to show you depends on where the rights-holder says you are, which depends on what the IP says you are.
• Banks and payment processors use VPN signals as one input into fraud scoring. A login from a known VPN exit isn't an instant block, but it raises the friction (extra MFA prompts, transaction limits, account review).
• E-commerce sites sometimes adjust pricing by region. VPN detection prevents customers from arbitraging away regional discounts.
• Online games use it for anti-cheat and region locking — proxies are often used to evade matchmaking or to coordinate exploits.
• Sanctions compliance — services that legally cannot operate in certain countries use IP geolocation as their first filter. A VPN exit in a sanctioned country looks the same as a real user there, which is precisely what the compliance team wants to keep out.

The arms race

VPN providers add new IP ranges, rotate exits, build residential proxy networks, and quietly modify their client software to defeat fingerprinting tells. Detection services subscribe to new VPNs, monitor BGP announcements, watch for new ASN allocations, and feed user-reported false positives back into the model. Neither side wins permanently. The interesting consequence is that which VPN provider you use, how recently they rotated, and which exit you connect to all materially affect detection — there's no such thing as "VPN works on Netflix" as a stable property; it's true on Tuesday, broken on Thursday, fixed again the next week.

Your IP is the loudest signal you send. Everything else is supporting evidence — but the IP starts the conversation.

To see what your setup looks like from a detector's perspective, start with the VPN & proxy check — it shows your IP, ASN, geolocation, usage classification, and reputation-feed verdict. The WebRTC leak test covers Method 5, the browser fingerprint tool shows the parallel ID layer (fingerprinting usually runs alongside VPN detection, not instead of it), and the IP lookup tool shows the same outside view any website gets.