Ask a privacy advocate and a fraud analyst what a VPN is and you will get the same technical answer with opposite emotions. Both are right: the same tunnel that shields a journalist's browsing also lets a credential-stuffing operation appear to log in from a different country every few minutes.
If you run a website, an app, or a store, you don't get to choose which kind of VPN user shows up. What you can do is understand what a VPN actually changes about the traffic you receive, detect it reliably, and respond in a way that stops the attacker without ejecting the privacy-conscious customer. This post covers all three, building on the wider discipline of IP intelligence.
What Is a VPN?
A VPN — virtual private network — creates an encrypted tunnel between a user's device and a VPN server run by a provider. Once the tunnel is up, all of the device's internet traffic is wrapped in encryption, carried to that server, and released onto the open internet from there.
Two things follow from that design:
- On the user's side, their ISP, their coffee-shop Wi-Fi, and anyone else on the local network can no longer read or tamper with the traffic. They see only an encrypted stream to one server.
- On your side — the website receiving the visit — the connection arrives from the VPN server. The IP address, the geolocation derived from it, the network owner: all of it describes the tunnel's exit, not the person.
The protocols doing the wrapping (WireGuard, OpenVPN, IKEv2/IPsec) differ in age and performance, but the effect on your traffic is identical: the user's real IP address is replaced by a VPN IP address.
What a VPN Changes — and What It Doesn't
A common misconception, in both directions, is that a VPN makes a visitor invisible. It doesn't. It swaps one set of observable facts for another:
That last row matters as much as the first four. A VPN operates at the network layer only — everything above it (the browser fingerprint, the session, the account being used, the card being charged) passes through unchanged. And the swapped facts are not random: VPN exits cluster on identifiable infrastructure, which is precisely what makes detection possible.
Who Uses VPNs — and Why It's Complicated
Industry surveys consistently find that a large share of internet users — on the order of a quarter to a third — use a VPN at least occasionally. The overwhelming majority are doing nothing wrong:
- Privacy-conscious individuals who don't want their ISP or public Wi-Fi logging their browsing.
- Remote employees whose company routes traffic through a corporate VPN by policy — they often can't turn it off.
- Travelers and expats reaching services from abroad.
- Users in restrictive countries for whom a VPN is basic internet access.
This is why "just block VPNs" is a false-positive machine, a trap we covered in depth in detecting anonymized traffic without blocking real customers.
Why Attackers Rely on VPNs
The same IP-swapping property is load-bearing for almost every internet-scale attack, because the defender's cheapest controls — IP blocks, geo rules, velocity limits — all key on the source address:
- Credential stuffing and account takeover. Rotating VPN exits lets an attacker spread millions of login attempts across IPs so no single address trips a rate limit — the mechanics are covered in our account takeover and credential stuffing guide.
- Payment fraud and card testing. A stolen card issued in one country works better when the order appears to come from that country. A VPN makes the IP geolocation match the billing address on demand.
- Geo-restriction and sanctions evasion. Content licensing, regional pricing, gambling and finance compliance — all enforced by IP location, all bypassed by exiting in the right country.
- Promo and signup abuse. "One free trial per user" quietly becomes one per VPN exit.
- Reconnaissance and attack cover. Scanners, scrapers, and intrusion attempts route through VPNs so that blocking the observed IP burns nothing the attacker cares about.
The pattern to internalize: a VPN is not the attack — it is the attack's supply line. Which is why detecting it is worth doing, and why the detection result should feed a decision rather than trigger one by itself.
How to Detect VPN Traffic
You cannot see inside the encrypted tunnel — and you don't need to. VPN detection works by recognizing the exit server, and exit servers are surprisingly identifiable:
- Provider infrastructure is published. VPN apps need server lists to connect, so providers expose their endpoints — hostnames, IPs, config bundles. An IP that appears in a provider's current server list is a confirmed VPN exit.
- The network doesn't match a human. VPN servers overwhelmingly live in datacenter IP ranges — hosting ASNs where real consumers essentially never browse from. A "shopper" arriving from a hosting provider's network is already anomalous; several ASNs belong to VPN operators outright.
- The server answers like a VPN. Active probing — actually testing whether a machine responds to VPN protocol handshakes — turns a guess into evidence. This is the difference between "this IP is on a list" and "this machine is running a VPN service right now."
- The session contradicts the IP. A browser reporting a Karachi timezone and locale on an Amsterdam IP is a soft signal on its own, and a strong corroborator next to the others.
- Freshness decides accuracy. VPN providers rotate servers constantly. Detection backed by continuous re-checking stays accurate; a static list decays in weeks.
Each of these layers fails somewhere alone — small private VPNs on fresh cloud IPs dodge the lists, and corporate VPNs look nothing like commercial ones. For the full mechanics of how the layers back each other up, see how VPN and proxy detection actually works, the deep-dive companion to this post.
What to Do When You Detect a VPN
Detection is the easy half. The decision is where businesses either stop fraud or start losing customers:
- Treat
is_vpnas a weight, not a verdict. VPN use alone is weak evidence — remember the remote employee. VPN use plus a datacenter ASN plus recent abuse listings plus an IP-vs-billing-country mismatch is a different story. - Respond with friction, not walls. Step-up verification — an email confirmation, an OTP, a review hold — costs a legitimate VPN user seconds and costs an automated attack its economics.
- Reserve hard blocks for stacked evidence, and set the bar per action: a blog read from a VPN needs no response at all; a $900 first-time order might. Our guide to choosing an IP fraud score threshold covers the per-action framework.
How GeoIPHub Helps Companies Defend Against Cyber Attacks
The practical problem for a security or fraud team is not "is VPN detection possible" — it is getting the verdict, the context, and the evidence in one place, fast enough to act on every request. GeoIPHub packs that into a single lookup:
curl "https://api.geoiphub.com/v1/lookup?ip=203.0.113.42" \
-H "Authorization: Bearer YOUR_API_KEY"
# -> is_vpn, is_proxy, is_tor, is_residential_proxy,
# asn, org, connection_type ("datacenter" | "broadband" | "mobile"),
# country, city, blocklist_count, blocklist_sources,
# fraud_score (0-100), detection_methods
What each piece contributes to your defense:
is_vpn,is_proxy,is_toridentify the anonymizer family — and GeoIPHub's verdicts are backed by active probing that verifies infrastructure actually behaves like a VPN or proxy, not list membership alone. Tor gets its own treatment in how to detect Tor traffic by IP.connection_typeandasngive the context that separates a corporate VPN on a business network from a rotating exit on bulletproof hosting.blocklist_countandblocklist_sourcestell you whether this exit has been doing anything — a VPN IP with fresh abuse evidence is a very different risk than a clean one.fraud_scorefuses it all into a 0–100 number with thedetection_methodslisted, so your rules stay explainable when a customer asks why they were challenged.
Teams wire this into login endpoints to catch credential stuffing, signup flows to stop trial abuse, and WAF/SIEM pipelines to pre-score inbound traffic — the broader playbook is in preventing cyber attacks with IP geolocation. Every field ships on every plan, including the free tier — 1,500 requests per day, no field paywall.
Detecting VPN Orders at Your Shopify Checkout
Ecommerce is where VPN detection earns its keep in cash terms, because the cost of a miss is a chargeback and the cost of a false positive is a lost sale. Shopify stores have a clean integration point most merchants never use: every order records the IP address it was placed from (the browser_ip field on the order).
That enables a simple, high-leverage flow:
- Listen for the order-created webhook. The payload includes the buyer's IP alongside the billing and shipping details.
- Look the IP up with one GeoIPHub API call.
- Compare and score. Is it a VPN or proxy exit? A datacenter connection pretending to be a shopper? Does the IP's country contradict the billing country? Is the fraud score elevated?
- Act before fulfillment, not after. Tag the order, hold it for manual review, or require payment verification. Clean orders — the vast majority — flow through untouched.
A VPN order is not automatically a fraudulent order; a traveler buying from a hotel Wi-Fi VPN is real revenue. But a VPN exit plus an IP-vs-billing-country mismatch plus a first-time customer plus rush shipping is the classic stolen-card silhouette, and catching it pre-fulfillment is worth the one API call per order. The same IP layer also catches the newest checkout threat — automated buying agents — which we broke down in blocking AI shopping-agent fraud at checkout.
The Bottom Line
A VPN is an encrypted tunnel that swaps the user's real IP for a server's — a legitimate privacy tool that doubles as the standard cover for credential stuffing, payment fraud, and geo-evasion. Your site can't see through the tunnel, but it doesn't need to: the exits are detectable through provider infrastructure, network classification, and active probing. Detect them, score them in context, respond with friction instead of blanket blocks — and the VPN stops being a blind spot without ever costing you a real customer.
Test any IP right now in the free IP lookup tool — no signup — or grab a free API key and wire VPN detection into your login, signup, or checkout with the API docs.
Start Scoring Every IP in Real Time
GeoIPHub gives fraud, security, and engineering teams a single API for IP geolocation, VPN & proxy detection, threat intelligence, and an explainable 0–100 risk score.
Get Your Free API Key
Sign up in minutes — no credit card required. Upgrade only when you need more volume.
Frequently Asked Questions
What is a VPN in simple terms?
A VPN (virtual private network) is an encrypted tunnel between a user's device and a VPN server. All of the user's traffic travels through that tunnel and exits onto the internet from the VPN server, so every website they visit sees the server's IP address and location instead of the user's real ones.
Can websites detect that a visitor is using a VPN?
Yes, in most cases. A website cannot see inside the encrypted tunnel, but it can recognize the exit: commercial VPN servers live on published infrastructure, sit in datacenter IP ranges, and answer VPN protocol handshakes. IP intelligence services check an incoming IP against those signals and return a verdict such as is_vpn: true.
How can I tell if an IP address is a VPN?
Check the IP against the signals that expose VPN servers: known provider server lists, the ASN and whether the range belongs to hosting infrastructure, and active protocol probing that tests whether the machine actually answers VPN handshakes. The fastest way is a lookup against an IP intelligence API that combines these checks and returns is_vpn with the evidence behind it.
Should I block all VPN traffic on my website?
Usually not. A meaningful share of internet users browse through a VPN for entirely legitimate privacy or workplace reasons. The better pattern is to treat VPN use as one weighted input to a risk score: let low-risk VPN sessions through, add step-up verification when VPN use co-occurs with other risk signals, and reserve hard blocks for stacked evidence.
Can VPN traffic be detected on Shopify orders?
Yes. Shopify records the IP address the buyer placed the order from (the browser_ip field on the order). You can look that IP up against a VPN detection API when the order webhook fires, then tag or hold high-risk orders for review before fulfillment — a check that takes one API call per order.
How does GeoIPHub detect VPN IP addresses?
GeoIPHub combines provider infrastructure data, ASN and hosting classification, and active protocol probing that verifies a server actually behaves like a VPN endpoint — then returns is_vpn alongside is_proxy, is_tor, the connection type, abuse evidence, and a 0–100 fraud score, with the detection methods listed so you can see why an IP was flagged.
