DEV Community

Cover image for How to Detect If a User Is Using a VPN with JavaScript
Jenuel Oras Ganawed
Jenuel Oras Ganawed

Posted on • Originally published at blog.jenuel.dev

How to Detect If a User Is Using a VPN with JavaScript

#webdev #programming #javascript #learning

In today's world of online privacy tools, VPNs (Virtual Private Networks) have become very common. If you're building an application, especially one involving security, fraud prevention, or geo-restricted content, you might wonder.

"Can I detect if a user is using a VPN?"

While it's tricky to detect VPNs purely from frontend JavaScript, one simple method is by using IP intelligence services like ipinfo.io. In this article, I'll show you how to detect VPN or proxy usage using just a few lines of JavaScript.

Basic Idea

Browsers don't directly expose network information like IP addresses for security reasons.So to find the user's IP (and whether it's associated with a VPN or proxy), we can call an external API like ipinfo.io, which provides detailed IP data, including privacy information.

Example Code

Here’s a simple function that checks if a user is likely using a VPN or a proxy:

async function checkVpnUsage() {
  const res = await fetch('https://ipinfo.io/json?token=YOUR_TOKEN');
  const data = await res.json();

  console.log('IP Info:', data);

  // Some services provide `privacy` or `proxy` fields
  if (data.privacy && (data.privacy.vpn || data.privacy.proxy)) {
    console.log('User is likely using a VPN or proxy.');
  } else {
    console.log('No VPN/proxy detected.');
  }
}

checkVpnUsage();
Enter fullscreen mode Exit fullscreen mode

How It Works

  • Fetch IP Data:We use fetch() to get JSON data from ipinfo’s API.

  • Check Privacy Fields:If the response contains a privacy object, and the vpn or proxy field is true, we assume the user is behind a VPN or proxy server.

  • Log the Result:We simply print the result to the console for now.

A Sample API Response

When you call https://ipinfo.io/json, you’ll get a response like this:

{
  "ip": "8.8.8.8",
  "city": "Mountain View",
  "region": "California",
  "country": "US",
  "org": "Google LLC",
  "privacy": {
    "vpn": true,
    "proxy": false,
    "relay": false,
    "hosting": true,
    "service": "Google Cloud"
  }
}
Enter fullscreen mode Exit fullscreen mode

Notice the privacy object — it tells you if the IP is linked to VPNs, proxies, or hosting services.

Things to Keep in Mind

  • You Need an API Token:Sign up at ipinfo.io to get a free token. Free plans usually allow around 1,000 API calls per month.

  • Detection Isn't Perfect:Some modern VPNs use residential IP addresses, making them harder to detect.

  • Consider Backend Validation:It’s safer to perform this check on the server-side too, to avoid users tampering with frontend JavaScript.

  • Respect Privacy:Be clear with users if you collect or act on their IP address or location.

Things to Keep in Mind

  • You Need an API Token:Sign up at ipinfo.io to get a free token. Free plans usually allow around 1,000 API calls per month.

  • Detection Isn't Perfect:Some modern VPNs use residential IP addresses, making them harder to detect.

  • Consider Backend Validation:It’s safer to perform this check on the server-side too, to avoid users tampering with frontend JavaScript.

  • Respect Privacy:Be clear with users if you collect or act on their IP address or location.

Example:

if (data.privacy && (data.privacy.vpn || data.privacy.proxy)) {
  alert('We detected a VPN or proxy. For a better experience, please disable it.');
}
Enter fullscreen mode Exit fullscreen mode

Their you go, I hope this short read gave you some insights 😁 cheers! 🍻

If you enjoy this article and would like to show your support, you can easily do so by buying me a coffee. Your contribution is greatly appreciated!

Buy Me A Coffee

Top comments (6)

Collapse
 
lexlohr profile image
Alex Lohr

Please keep in mind that in most civilized countries, you need the users' informed consert before sharing their data with third parties. Since the internet operates in almost all countries, you could face legal consequences.

Collapse
 
tallytarik profile image
Tal Tarik

Nice article! I also wrote about this recently here: dev.to/tallytarik/how-to-detect-vp... - but using a different service, IPLocate.io.

ipinfo is a great service but it's shockingly expensive - you need to be on a $249/month plan to get VPN detection.

Collapse
 
moopet profile image
Ben Sinclair

Can you give an example of a reason you might want to do this?

Collapse
 
mezian profile image
alaa mezain

I work in a company in the authentication team, Most of the time people who are trying to hack the system use VPN it will become handy if we are able to detect that, because knowing that the user is using VPN and also making a lot of calls to our API will help us to determine that this use is not legit .

Collapse
 
nevodavid profile image
Nevo David

Cool trick, always been curious if these IP APIs really catch all the VPN users though - you ever find it gives more false positives or does it mostly work as expected?

Collapse
 
everettwimberlyd profile image
EverettWimberly

Detecting VPN use with JavaScript is tricky, as it usually requires server-side checks or third-party services beyond what client-side code can reveal. Want me to explain the main methods?

Some comments may only be visible to logged-in visitors. Sign in to view all comments.