Proxy, VPN, and Tor Detection
Cross-checks 20+ signals (IP reputation, Tor lists, data center ASNs, timezone, language, OS voices, and keyboard layout) to flag proxies, VPNs, and Tor exit nodes with confidence.
See It In Action
This is what a real result looks like. Visit the live tool to analyze your own connection.
Proxy / VPN / Tor Detector
Detect if you're behind a proxy, VPN, or Tor network. We combine IP reputation with 20+ browser signals.
Your IP
185.220.101.34
Detected via: REMOTE_ADDR
Strong indicators that you're behind a proxy or VPN. This IP is a known Tor network exit node. Your IP places you in Germany but your browser settings match Greece.
IP location
🇩🇪 Germany
Frankfurt
From MaxMind GeoIP
Browser claims
🇬🇷 GR
Consistency: 22/100
From timezone, language, voices
Findings (5)
-
HIGH
Tor exit node Infrastructure
This IP is a known Tor network exit node.
-
MEDIUM
Data center IP Infrastructure
This IP is classified as a data center / hosting provider (Hetzner Online).
-
MEDIUM
Timezone mismatch Locale
Your browser reports timezone Europe/Athens (GR) but your IP is in Germany.
-
LOW
Language mismatch Locale
Your browser language el-GR suggests GR but your IP is in Germany.
-
LOW
System voice locale mismatch Locale
Your OS speech voices suggest GR, CY but your IP is in Germany.
Score breakdown
Infrastructure
95
of 95 possible
Network
0
of 30 possible
Locale
22
of 25 possible
Fingerprint
0
of 10 possible
Want to continuously monitor suspicious IPs hitting your services?
Create a Free AccountHow We Detect Proxies
No single signal is conclusive. We score 4 independent groups and combine them into a weighted verdict.
Infrastructure
Tor exit lists, public proxy databases, residential proxy ASNs, data center ranges, iCloud Private Relay.
Network
AbuseIPDB history, DNS blocklists, reverse DNS keywords, open proxy/Tor ports (opt-in).
Locale
Timezone, browser language, OS speech voices, keyboard layout, WebRTC availability, clock skew.
Fingerprint
Hardware concurrency, screen resolution, WebGL renderer (SwiftShader/llvmpipe), connection type.
What We Catch
Real examples of how cross-validation catches VPN users that single-signal tools miss.
"UK VPN, but I'm really in Greece"
A user with a London-based commercial VPN shows the VPN's UK exit IP, but their browser timezone is Europe/Athens, language is el-GR, and their OS speech voices include Greek. Strong mismatch → VPN detected.
"The Etc/UTC giveaway"
Tor Browser always sets timezone to Etc/UTC and language to en-US. The combination is vanishingly rare for real users. Confirmed by cross-referencing with the official Tor exit list.
"The Hetzner / AWS / OVH trap"
Real users don't browse from cloud servers. An IP in a commercial data center ASN (Hetzner, OVH, AWS, DigitalOcean) is almost always a proxy, bot, or headless scraper. Detected via AbuseIPDB usage type and our curated ASN list.
"iCloud Private Relay: not suspicious"
Apple's Private Relay is technically a proxy, but it's a privacy service, not a fraud signal. We detect it via Apple's published egress ranges and label it separately. Green verdict, not red.
Your privacy
All browser signals are collected by your own browser and sent once to our server for analysis. If you opt in to port probing, we only probe your own observed IP, never third parties. Results are cached per IP for 10 minutes to avoid duplicate lookups. We do not sell data or share it with any third party.
Want to monitor suspicious IPs on your own services?
Metric Tower can continuously scan your targets, alert you on new open ports, DNS changes, and expired certificates, and score every visitor's connection against our full reputation stack.
10-day free trial. No credit card required.