How Can You Tell if Someone Is Using a VPN?

With the rise of cybercrime costing America $16.9 billion in 2019 on identity theft alone, it has never been more important to protect yourself online. VPNs, or virtual private networks, help keep users’ information safe from those who would exploit them, but there is a darker side to VPNs. Cybercriminals make use of VPNs to mask their fraudulent activity, so many companies and internet-based businesses make use of VPN detection to protect themselves.

You can tell if someone is using a VPN if all packets are destined for one server, or by DNS leaks, geographic inconsistencies, or the use of blacklisted VPN IPs. You may also look for inconsistencies in operating system fingerprints and signs in packet capture metadata. However, it is best to use a combined approach.

Although VPN providers embrace emerging technology daily to avoid detection, there are still a few ways to test if users are using VPNs and proxy connections online. If you would like to know several ways to detect VPN use online, read on.

Why Do You Need a VPN? 

When surfing the web or conducting transactions online on an unsecured WiFi network, you might expose your private information and browsing habits to outside agencies. This exposure raises concerns about whether your online security and privacy are protected. VPNs help keep your information, such as your browsing history, online activities, online transactions, and emails encrypted and anonymous.

When browsing your Facebook while waiting in line at the store or checking your bank balance at a coffee shop, your information is open to those in your network reach. Unless you logged into a password-protected private WiFi network while surfing the web, your password or any data transmitted might be open to eavesdroppers using the same network.

The least sinister of those who might prey on your online information are called data brokers. Data brokers sell your online activity information to companies for marketing purposes. There are 4000 data brokering companies worldwide; for example, Acxiom has servers collecting data for over 500 million internet users at 3,000 data points per person.

Even more sobering, results from Javelin’s 2020 fraud survey show that fraud reached $16.9 billion in 2019. They also found that criminals are targeting smaller numbers of targets with more complex strategies and far-reaching damage. Add to that botnets and PUPs, phishing, and DDoS attacks, and it seems like it’s the wild west out there, so you should be armed.

How Does a VPN Protect Your Privacy?

VPNs create an encrypted data tunnel between your network and your point of connection or exit node, operated by a VPN service provider. Because all your internet activities are channeled through this secure tunnel, your traffic is rerouted through the VPN server and shows its IP address instead of yours. In this way, your location and information are masked against external agencies that might steal your data and information.

Abnormal Use of a Single IP Address

VPN servers that regularly rotate their IP addresses are more challenging to detect than those with recurring IP addresses. If a website keeps receiving an influx of traffic from the same IP address over time, this may alert the site to VPN use. Tracking cookies may also alert sites to VPN usage by giving away a location that is inconsistent with your VPN IP address.

This kind of detection is more likely when an individual uses a public VPN because VPN detection services have a regularly updated list of blacklisted IPs to detect VPN behavior. Private VPNs are harder to pinpoint because they show up as an address, which is part of a subnet used by ISP clients.

VPN detection also highlights multiple accounts created from a single IP address and large amounts of encrypted data moving to an unknown location. VPN detection monitors traffic to determine whether users are using a VPN or not. Under normal circumstances, users request information from a variety of sites, and each site has its own IP address. However, when a VPN is used, all packets are sent to a single server.

If a website uses a packet capture, they can discover whether a device is sending all of its traffic to one IP. This traffic flow is a clear indication that a VPN is in use. However, specific tools such as Psiphon can obfuscate these obvious indications by providing single and multi-hop architecture to circumvent censorship.
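The single-destination check described above can be run over flow records (source IP, destination IP, protocol, ports, byte count). This is an added example, not code from the original article; it assumes the records were collected at a point that sees all of a device's traffic, and the sample flows and both thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, proto, src_port, dst_port, bytes)
FLOWS = [
    ("10.0.0.5", "203.0.113.10", "UDP", 51820, 1194, 48_000_000),
    ("10.0.0.5", "203.0.113.10", "UDP", 51820, 1194, 52_000_000),
    ("10.0.0.5", "10.0.0.1", "UDP", 50112, 53, 900),
    ("10.0.0.7", "198.51.100.20", "TCP", 40112, 443, 3_000_000),
    ("10.0.0.7", "198.51.100.21", "TCP", 40113, 443, 2_000_000),
    ("10.0.0.7", "192.0.2.44", "TCP", 40114, 443, 5_000_000),
    ("10.0.0.7", "192.0.2.80", "TCP", 40115, 80, 1_000_000),
    ("10.0.0.9", "192.0.2.44", "TCP", 40200, 443, 20_000),
]


def destination_concentration(flows):
    """Map each source to (top destination, its share of bytes, distinct destinations)."""
    per_src = defaultdict(lambda: defaultdict(int))
    for src, dst, _proto, _sport, _dport, nbytes in flows:
        per_src[src][dst] += nbytes
    summary = {}
    for src, dsts in per_src.items():
        total = sum(dsts.values())
        top_dst, top_bytes = max(dsts.items(), key=lambda kv: kv[1])
        summary[src] = (top_dst, top_bytes / total, len(dsts))
    return summary


def likely_tunnelled(flows, min_share=0.95, min_bytes=10_000_000):
    """Sources that send nearly all of a meaningful traffic volume to one IP.

    min_share and min_bytes are assumed thresholds; tune them on real traffic.
    """
    volume = defaultdict(int)
    for src, *_rest, nbytes in flows:
        volume[src] += nbytes
    return {
        src: top_dst
        for src, (top_dst, share, _n) in destination_concentration(flows).items()
        # The volume floor keeps idle hosts with one small flow from being flagged.
        if share >= min_share and volume[src] >= min_bytes
    }


if __name__ == "__main__":
    print(likely_tunnelled(FLOWS))
```
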

Geographical Inconsistencies

If users turn on their VPN after connecting to a website, they may give away their VPN status through location or region anomalies. If your location changes between your IP and your VPN, certain websites with sophisticated detection can pick up the sudden location change and tag your VPN. This detection works because the browser fingerprint through which they identify you will no longer match the previous location’s fingerprint.

Inadvertent Leaks of Information

Even though you might feel your information is secure, users are often unaware of potential leaks in the VPN that encrypts their data. There are ways that you may compromise your VPN security and your identity without being aware of them. These include:

DNS Leaks

These leaks occur when your DNS (domain name system) requests travel to your ISP instead of your VPN provider. The DNS ordinarily is a directory that translates domain names into IP addresses. For example, if you wished to visit a website, your computer sends a DNS query to the DNS server, which converts the URL into the site’s IP address. 

When you use a VPN, it should send your DNS requests to your VPN provider, so your lookup is not exposed to your ISP. If your VPN is faulty and allows your request to go straight to your ISP, it exposes the site to both your ISP and anyone who may be tracking your activity. Reverse DNS (rDNS) goes a step further: where DNS links a domain name to an IP address, rDNS associates an IP address with a hostname, which may identify the owner of the IP.

WebRTC Leaks

Web Real-Time Communication (WebRTC) allows us to access content without plugins and is often used for browser-based apps like Skype for Web and Google Hangouts. It is useful but has consequences for VPN users, who might expose their IP to websites they visit via JavaScript.

Perfect Forward Secrecy Packet Patterns

Breaking through the encryption provided by a VPN is incredibly difficult and relies on obtaining the encryption keys needed to decode the protected data. Perfect Forward Secrecy (PFS) is a feature of key agreement protocols that prevents retroactive decryption of encrypted information. By generating a unique key for each session that a user initiates, it ensures that a key’s compromise will only ever expose information exchanged in that particular session.

PFS generates similar-sized packets each time a new key is generated, so an observer may notice a series of identical packets in a packet capture and confirm PFS and, with it, VPN activity.

Inconsistencies in OS and Fingerprint Data

Most operating systems (OS) create packets with specific default values. Linux, for example, sets the default packet TTL (Time-to-Live) to 64, while Windows typically sets its default packet TTL to 128. TTL is a visible part of a captured packet, so one can determine which OS most likely created the packet. One can also look for signs in the packet construction, such as length and maximum segment size (MSS), as a potential signature of a specific operating system.

If you have specialized knowledge of your target (for instance, you know that they operate on a Windows system) and the captured packets show a Linux signature, it may be evidence of a VPN.
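The TTL comparison above, written out as an added example (not code from the original article): it reads the TTL from a raw IPv4 header, rounds it up to the nearest common initial value to guess the sending OS, and compares that with the OS claimed in a User-Agent string. The packet bytes and User-Agent strings are constructed, and using the User-Agent as the "known" OS is an assumption of this sketch.

```python
# Initial TTL defaults named in the text; other Unix-like systems also use 64.
INITIAL_TTL_OS = {64: "linux", 128: "windows"}


def ttl_from_ipv4(header: bytes) -> int:
    """Return the TTL field (byte 8) of a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[8]


def initial_ttl(observed: int) -> int:
    """Round up to the nearest common initial TTL; each router hop subtracts 1."""
    for start in (64, 128, 255):
        if observed <= start:
            return start
    raise ValueError("TTL out of range")


def os_from_ttl(observed: int) -> str:
    return INITIAL_TTL_OS.get(initial_ttl(observed), "unknown")


def os_from_user_agent(ua: str) -> str:
    if "Windows NT" in ua:
        return "windows"
    if "Linux" in ua:
        return "linux"
    return "unknown"


def check(header: bytes, ua: str) -> dict:
    ttl = ttl_from_ipv4(header)
    seen, claimed = os_from_ttl(ttl), os_from_user_agent(ua)
    return {
        "ttl": ttl,
        "hops": initial_ttl(ttl) - ttl,
        "ttl_os": seen,
        "claimed_os": claimed,
        # Only report a mismatch when both sides produced an answer.
        "mismatch": "unknown" not in (seen, claimed) and seen != claimed,
    }


# Constructed 20-byte IPv4 headers (checksum left as zero): TTL 0x34 = 52, 0x74 = 116.
PKT_TTL_52 = bytes.fromhex("4500003c1c4640003406" "0000" "c6336414" "0a000001")
PKT_TTL_116 = bytes.fromhex("4500003c1c4640007406" "0000" "c6336414" "0a000001")
UA_WINDOWS = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"  # constructed sample

if __name__ == "__main__":
    print(check(PKT_TTL_52, UA_WINDOWS))
    print(check(PKT_TTL_116, UA_WINDOWS))
```

A mismatch is a single signal to weigh alongside the other checks on this page, since NAT devices and proxies also change what the observer sees.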

The Multi-Approach for VPN Detection

Most systems utilize a multifaceted approach to determine VPN usage and include a sixfold method of determining suspicious online behavior. These include:

  • Source IP
  • Destination IP
  • Protocol (TCP/UDP)
  • Source port
  • Destination port
  • DNP activity comparisons

Thus, if you wish to protect your VPN, you should include multi-hop features that allow you to connect to two servers at one time and utilize obfuscated servers. Lastly, don’t forget your VPN kill switch so that you won’t leak your IP due to technical glitches.


Although VPNs are essential to protect those online, they may also hide cybercriminal activities that may harm your operation. There are many ways that you may tell that someone is using a VPN, and you shouldn’t rely on just one method to determine VPN use. VPN servers keep abreast of advances in detection and may be challenging to pinpoint, so it is best to use multiple approaches to best detect VPN use. 


Mark Lewis

Security nerd with a Data Privacy First mindset!
