VPN Detection

Unmask VPN users hiding behind encrypted tunnels

VerifyWall identifies connections from hundreds of commercial VPN providers, giving you visibility into who is masking their true location.

Get API KeyRead the Docs

What it is

Virtual Private Networks (VPNs) route internet traffic through encrypted tunnels, replacing the user's real IP address with one from the VPN provider. While VPNs have legitimate privacy uses, they are frequently used by bad actors to bypass geographic restrictions, evade IP-based bans, and hide their identity during fraudulent signups.

Why it matters for SaaS

SaaS platforms face unique risks from VPN users. Free trial abusers use VPNs to create unlimited accounts from seemingly different locations. Fraudsters hide behind VPNs to avoid detection when using stolen payment methods. And competitors may use VPNs to scrape your data or abuse your API without revealing their corporate IP addresses.

How VerifyWall detects it

VerifyWall maintains comprehensive IP intelligence databases covering major commercial VPN providers (NordVPN, ExpressVPN, Surfshark, etc.) as well as smaller services. We identify VPN exit nodes through a combination of IP range analysis, behavioral heuristics, and real-time monitoring of VPN provider infrastructure changes. When a VPN IP is detected, the "vpn" reason is flagged in the API response.

Risk score impact

+50 points

VPN detection adds 50 points to the risk score, placing the check in medium risk territory. Combined with other signals, this quickly pushes a user into high-risk territory.

API response example

When this threat type is detected, the API returns a response like this:

{
  "data": {
    "id": "a1b2c3...",
    "type": "checks",
    "attributes": {
      "subject": "185.220.101.42",
      "subject_type": "ip",
      "risk_score": 50,
      "risk_level": "medium",
      "reasons": [
        "vpn"
      ],
      "details": {
        "ip": "185.220.101.42",
        "country_code": "NL",
        "is_vpn": true,
        "is_tor": false,
        "is_datacenter": false
      }
    }
  }
}

Frequently asked questions

Does VPN detection block all VPN users?

No. VerifyWall provides a risk signal, not an automatic block. You decide how to handle VPN users based on your risk tolerance — you might require additional verification for VPN users while still allowing access.

How frequently is the VPN IP database updated?

Our VPN IP database is updated every six hours. VPN providers regularly rotate their IP addresses, and our monitoring systems track these changes to maintain high accuracy.

Can VerifyWall detect VPN browser extensions?

VerifyWall detects VPN traffic at the IP level. If a browser extension routes traffic through a VPN server, the resulting IP address will be detected. However, split-tunnel configurations where only some traffic goes through the VPN may not be caught if the API request comes from the real IP.

Related resources

Integration Guides

Ready to protect your platform?

Start detecting vpn threats in minutes with a single API call.

Get Started FreeAPI Documentation