Map Background

How to Identify a VPN IP Address?

VPN users hiding from websites and services. Can be prevented using a VPN API.

Many businesses and online services are currently looking for solutions to help bring in organic users. And at the same time protect themselves from malicious users. Most of the time, a VPN user can bring nuisance to your business. Such users can affect your website analytics and allow them to hide behind a different IP address. Doing so, can promotes fraud, spam, and attacks to VPN users. Having a VPN also allows a user to spoof their actual location. This can create issues where the software or website will base a user’s location off of the VPN’s server location. Instead of showing their true location, VPN users will have the ability to bypass geo-blocking or geo-fencing techniques. In this article, we will teach you how to identify a VPN IP address.

Detection Techniques for Identifying VPN IP Addresses

Identifying a VPN IP address.

Find VPN Servers Based on their Open Ports

A VPN server will typically have ports open in order for a user to connect to a VPN server. Without these ports open, there is no way for the user to connect to the VPN server. However, you can detect the common ports that are associated with common VPN protocols by scanning them. Provided below are the common ports that are usually open based on the VPN protocol:

OpenVPN TCP Ports: 1194, 1197, 1198, 8080, 9201

OpenVPN UDP Ports: 1194, 502, 501, 443, 110, 80

PPTP Ports: 1723 (TCP)

SSTP Ports: 443 (TCP)

L2TP Ports: 500 (UDP), 1701 (TCP), 4500 (UDP)

IKEv2 Ports: 500 (UDP), 4500 (UDP)

IPSec Ports: 500 (UDP), 4500 (UDP)

However, scanning for ports are typically frowned upon by many people. In fact, you can be breaking your hosting provider’s Terms of Service if you scan ports within their servers. Instead of scanning the ports yourself, you can use third-party services. Websites just like shodan.io, can tell you what ports are open in an IP address.

Look for the owner of the VPN Server’s IP Address

Allowing to find the owner or the hosting provider of a VPN can be a dead giveaway. When company’s purchase an IP address, they must report their IP address to their regional Internet registry. This allows the Internet registry to create a whois database on the person or entity that owns that IP address. This information is typically free and can be searched online. Many VPN detection softwares identifies the owner of the IP address and see if the owner is a hosting provider. Though, it can be difficult process due to many IP addresses being deallocated and reallocated everyday.

Many data centers house VPN servers.

Though, there are downsides to this method. Denying multiple hosting providers can give you many false positives. In many cases, there are internet service provider who serve to residential users, businesses, and hosting services. Also, cooperate networks can be labeled as a VPN due to their affiliation to VPN providers or data centers.

Identify all Blacklisted Lists on IP Addresses

You can also check out blacklisted IP addresses. Doing so can prevent your website or business from getting attacks or becoming a victim of fraud. Nowadays, there are hundreds of websites that provide free IP address lists that are typically blacklisted on other sites. These IP addresses can be banned from the site due to many reasons, ranging from spam to DDoS attacks. Applying those IP addresses to your firewall list can reduce your chances of getting an ill-natured users on your website or service. Not only that, but theses IP addresses can also be a proxy server’s IP address. Which can (almost) kill two birds with one stone.

Nevertheless, there are also some downfalls with this method as well. While some blacklisted lists may be reliable sources, there are some lists that may not be as reliable or may ban users unexpectedly or with no good reasons, especially since these lists are self-reported. Furthermore, some of these reported IP addresses can also contain legitimate IP addresses, where no VPN or proxy servers were used at all, but can be banned due to unfortunate reasons, such as spam or fraud.

Now, you might say that this is a good thing, but banning a bunch of residential or mobile carrier IP addresses are typically a bad idea. These addresses can be rotated pretty often, where the offender can request a new IP address from it’s carrier or internet provider. Then, the blacklisted IP address can be repurposed to a potential user or buyer who has no intention to cause any harm to your website or service. This is why you should typically avoid banning individual addresses.

Attempt to use Reverse DNS Lookups for checking VPN addresses

Either using websites, CLI, or scripts, you can identify if an IP address is a VPN based on looking at their hostname. With the hostname, this allows you to identify if the VPN is using a hostname that is related to a VPN provider. Like all of the methods above, there are flaws to this technique. This method doesn’t work too often, due to the fact that many IP addresses will not have a hostname or will not have a hostname that links themselves to the VPN provider’s networks.

Consider using a VPN Detection API To Identify VPNs

Use a VPN and Proxy API Detection Tool to determine VPN servers.

While all of the previous VPN blocking techniques have their issues, the best method is to leave VPN detection to the professionals, where they do all the heavy lifting for your website or company. Although, there are many proxy and VPN IP address blockers out there today, none of them offers the special features and detection algorithms that we use.

Our API service not only identifies proxy servers and VPN servers, but also Tor Nodes as well. Not only that, but our API also offers location information that can detect what city a user is in and the network information of an IP address, which can show you the entity that owns that IP address.

Not only that, but we also have crawlers and bots working around the clock searching online for information about the status and the uses of each IP address. Our detection algorithm took months for us to create, which uses data science and deep learning to identify if an IP address is a threat (either VPN, proxy, and/or Tor Node.) On top of that, we obtain our data from dozens of sources, which our algorithm also verifies the data and see if there are any discrepancies. Though, rest assure, our algorithm does not do all of the data validations on VPNAPI.io, we also have manual review of our data as well, where we would manually confirm and verify the our data.

If you are interested in our VPN Detection API, please check out our homepage, where you can find more information about our services and test our detection algorithm: vpnapi.io

Icon