VPN & Proxy Detection Database
Identify users hiding behind VPNs, proxies, and anonymizers with a downloadable database covering 1,000+ providers. Query locally on your own infrastructure - no third-party API calls, no user data shared externally. Works alongside your existing WAF and firewall rules as an additional signal, not a replacement for them.
How VPN & proxy detection works
Our VPN and proxy database is built by continuously monitoring the IP infrastructure of commercial VPN providers, open proxies, residential proxy networks, and data center ranges. The result is a comprehensive IP-to-threat mapping you can query in microseconds.
IP Range Collection
We aggregate IP ranges from 1,000+ VPN services, proxy networks, and data centers. Our collectors identify both well-known commercial providers (NordVPN, ExpressVPN, Surfshark) and lesser-known regional services.
Classification & Verification
Each IP range is classified by type: commercial VPN, SOCKS/HTTP proxy, residential proxy, or data center. We verify entries against multiple sources and remove stale IPs that are no longer active.
Residential Proxy Detection
Residential proxies are the hardest to detect because they use real ISP IPs. We identify residential proxy networks by monitoring known providers like Bright Data, Oxylabs, and SOAX, as well as peer-to-peer proxy networks.
Monthly Database Updates
VPN providers frequently rotate their IP ranges. Our database is updated monthly to ensure you have accurate, current data. Download the latest version and replace your local copy with a simple script.
Detection coverage
What's included in the database
The VPN & Proxy database is delivered as CSV and JSON files. Each record contains the following fields so you can make informed decisions about incoming traffic.
| Field | Type | Description |
|---|---|---|
| ip_start | string | Start of the IP range (IPv4 or IPv6) |
| ip_end | string | End of the IP range |
| provider | string | Name of the VPN or proxy provider (e.g., NordVPN, ExpressVPN) |
| type | enum | Classification: vpn, proxy, residential_proxy, datacenter_proxy, open_proxy |
| country | string | Country code where the exit node is located (ISO 3166-1 alpha-2) |
| is_residential | boolean | Whether the IP belongs to a residential proxy network |
| risk_level | enum | Risk classification: low, medium, high, critical |
| last_seen | date | Date the IP was last confirmed active as a VPN/proxy endpoint |
Use cases for VPN & proxy detection
From stopping payment fraud to enforcing content licensing, VPN and proxy detection is critical for any application that needs to know who its users really are.
Payment Fraud Prevention
Block fraudulent transactions from users hiding behind VPNs to bypass geo-restrictions or disguise their true location. Match billing addresses against actual IP geolocation.
Multi-Account Prevention
Detect users creating multiple accounts through different VPN servers to abuse sign-up bonuses, promotions, or referral programs.
Content Licensing Enforcement
Ensure that geo-restricted content is only accessible from licensed regions. Identify users bypassing geographic restrictions with VPN connections.
Account Takeover Detection
Flag login attempts from VPN IPs when the account has no history of VPN usage. Combine with geolocation data to detect impossible travel patterns.
Ad Fraud Mitigation
Prevent click fraud and impression fraud by detecting traffic originating from VPN and proxy infrastructure used by click farms and bots.
Scraping & Competitive Intelligence Defense
Identify scrapers hiding behind rotating residential proxies and VPNs to steal your pricing data, product listings, or proprietary content.
Query locally in your own code
Load the VPN/proxy database into MySQL, PostgreSQL, Redis, or even a flat file. Query it directly from your application with zero network overhead.
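The load step mentioned here and the monthly file swap described earlier, as an added example (not AntiProxies' code). It goes beyond integer range columns by storing every address as a 16-byte key, so IPv6 and IPv4-mapped addresses such as `::ffff:203.0.113.20` resolve correctly. Assumptions: the CSV header uses the field names from the table above, booleans are written `true`/`false`, ranges do not overlap, and the sample rows are constructed.

```python
import csv, io, ipaddress, os, sqlite3, tempfile
from typing import Optional

# Constructed sample in the documented column order; providers are made up and
# the addresses come from documentation-only ranges. "true"/"false" is assumed.
SAMPLE_CSV = """ip_start,ip_end,provider,type,country,is_residential,risk_level,last_seen
198.51.100.0,198.51.100.255,ExampleVPN,vpn,NL,false,medium,2024-01-01
203.0.113.16,203.0.113.31,ExampleResi,residential_proxy,US,true,critical,2024-01-01
2001:db8:aa::,2001:db8:aa::ffff,ExampleVPN,vpn,DE,false,high,2024-01-01
"""

def ip_key(ip: str) -> bytes:
    """16-byte big-endian key; IPv4 becomes IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return b"\x00" * 10 + b"\xff\xff" + addr.packed
    return addr.packed

def build_db(csv_text: str, db_path: str) -> int:
    """Build a fresh SQLite file next to db_path, then atomically swap it in."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(db_path)))
    os.close(fd)
    rows = [(ip_key(r["ip_start"]), ip_key(r["ip_end"]), r["provider"], r["type"],
             r["country"], int(r["is_residential"].strip().lower() == "true"),
             r["risk_level"], r["last_seen"])
            for r in csv.DictReader(io.StringIO(csv_text))]
    conn = sqlite3.connect(tmp)
    conn.execute("CREATE TABLE vpn_ips (ip_start BLOB, ip_end BLOB, provider TEXT,"
                 " type TEXT, country TEXT, is_residential INTEGER,"
                 " risk_level TEXT, last_seen TEXT)")
    conn.executemany("INSERT INTO vpn_ips VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.execute("CREATE INDEX idx_vpn_start ON vpn_ips (ip_start)")
    conn.commit()
    conn.close()
    os.replace(tmp, db_path)  # readers see the old file or the new one, never half
    return len(rows)

def lookup(db_path: str, ip: str) -> Optional[dict]:
    """Return the matching record or None; assumes ranges do not overlap."""
    key = ip_key(ip)
    conn = sqlite3.connect(db_path)
    conn.row_factory = sqlite3.Row
    try:
        # Index seek: the nearest range starting at or below the address.
        row = conn.execute("SELECT * FROM vpn_ips WHERE ip_start <= ? "
                           "ORDER BY ip_start DESC LIMIT 1", (key,)).fetchone()
    finally:
        conn.close()
    if row is None or row["ip_end"] < key:
        return None
    return {k: row[k] for k in row.keys() if k not in ("ip_start", "ip_end")}
```

Run `build_db` from the monthly update job and call `lookup` from request handlers; because the swap is a rename, lookups never open a half-written file.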
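```php
<?php
// Look up an IP in the local table; returns the matching row or null.
// Assumes ip_start/ip_end are VARBINARY(16) values produced by INET6_ATON().
function check_vpn(PDO $pdo, string $ip): ?array
{
    // Two distinct placeholders: a named marker cannot be reused in one
    // statement when PDO's emulated prepares are turned off.
    $stmt = $pdo->prepare(
        "SELECT provider, type, country, risk_level, is_residential
         FROM vpn_ips
         WHERE ip_start <= INET6_ATON(:ip_lo)
           AND ip_end >= INET6_ATON(:ip_hi)
         LIMIT 1"
    );
    $stmt->execute(['ip_lo' => $ip, 'ip_hi' => $ip]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Usage in your registration or checkout flow.
// Behind a load balancer or CDN, REMOTE_ADDR is the proxy's address; use the
// client IP supplied by your trusted proxy instead.
$ip = $_SERVER['REMOTE_ADDR'];
$result = check_vpn($pdo, $ip);
if ($result) {
    // IP matched - decide what to do
    if ($result['risk_level'] === 'critical') {
        http_response_code(403);
        exit('Access denied.');
    }
    if ($result['is_residential']) {
        // Residential proxy - higher risk, may want extra verification
        require_captcha();   // application-defined helper
    }
    // Log for review
    log_threat('vpn_detected', $ip, $result);   // application-defined helper
}
```

```python
import sqlite3
import ipaddress

from flask import abort, request  # the usage example below assumes Flask


# Load the AntiProxies CSV into SQLite on first run
# Then query locally - no network calls needed
def check_vpn(db_path: str, ip: str) -> dict | None:
    """Check if an IP belongs to a known VPN or proxy."""
    addr = ipaddress.ip_address(ip)
    # ip_start/ip_end are compared as integers here. SQLite integers are
    # 64-bit, so this schema can only hold IPv4 ranges.
    if addr.version != 4:
        raise ValueError("integer range columns cover IPv4 only")
    ip_int = int(addr)
    conn = sqlite3.connect(db_path)
    conn.row_factory = sqlite3.Row
    try:
        row = conn.execute(
            """SELECT provider, type, country, risk_level, is_residential
               FROM vpn_ips
               WHERE ip_start <= ? AND ip_end >= ?
               LIMIT 1""",
            (ip_int, ip_int)
        ).fetchone()
    finally:
        conn.close()
    return dict(row) if row else None


# Example: check during user registration. Call this from inside a Flask
# view, where request.remote_addr is available (illustrative wrapper).
def registration_guard() -> None:
    result = check_vpn("antiproxies_vpn.db", request.remote_addr)
    if result and result["risk_level"] in ("high", "critical"):
        abort(403, "Suspicious connection detected.")
```

Related reading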
How VPN Detection Actually Works
Six methods for identifying VPN traffic, from IP database matching to protocol fingerprinting.
Proxy vs VPN vs Tor: Understanding the Differences
How each anonymization technology works, who uses them, and how to detect them.
Residential Proxies: The Hardest Threat to Detect
Why residential proxies bypass traditional detection and what actually works against them.
Mobile Proxies: Why They're the Hardest Traffic to Block
How mobile carrier IPs enable fraud that IP blocking alone can't stop.
Want to see what's in the database?
Download once, query as many times as you need. €99/year for all 22 databases, unlimited servers, and a full year of monthly updates. No usage limits, no per-query fees, no data leaving your servers.