IPASIS - IP Reputation and Risk Intelligence API
🔒

VPN Provider IP Address Directory 2026

The hosting ASNs behind major commercial VPNs — NordVPN, ExpressVPN, Surfshark, Proton, Mullvad and more. Look up any VPN IP or detect VPN traffic in real time.

14+ Providers MappedASN-Based Detection

How Do You Tell If an IP Belongs to a VPN?

Commercial VPNs don't run their own networks — they rent servers from a handful of hosting providers. NordVPN, Surfshark, PIA, IPVanish and CyberGhost all run primarily on M247 (AS9009); ExpressVPN and VyprVPN sit on Datacamp (AS60068). That makes the Autonomous System Number (ASN) the most reliable VPN signal: individual server IPs rotate, but the hosting ASN and its announced ranges stay stable.

A request from a residential ISP that suddenly resolves to a known VPN hosting range is a classic anonymization signal — useful for fraud scoring, account-takeover defense, and geo-compliance.

Why Flag VPN Traffic?

⚠️ Risk Indicators

  • • Multi-accounting and bonus/promo abuse
  • • Geo-restriction and licensing evasion
  • • Payment fraud and chargebacks
  • • Account takeover from anonymized IPs
  • • Scraping and automated signups at scale

✅ Legitimate Uses

  • • Privacy-conscious consumers
  • • Remote workers on corporate VPNs
  • • Users on public Wi-Fi
  • • People in censored or surveilled regions
  • • Travellers accessing home services

Best practice: don't hard-block all VPNs. Apply risk-based friction — step-up verification, velocity limits, or manual review — and weigh the VPN signal alongside IP reputation and behavior.

Major VPN Providers & Their Hosting ASNs

14 providers

Sample IPs are representative of each provider's hosting ranges (server IPs rotate). Click an ASN to explore the full network, or an IP for live threat intelligence.

VPN ProviderHosting ASNSample IPNotes
NordVPNAS9009 · M247 Ltd185.156.46.1Largest consumer VPN; most servers on M247 ranges
SurfsharkAS9009 · M247 Ltd146.70.0.1Now part of the Nord group; shares M247 infrastructure
Private Internet Access (PIA)AS9009 · M247 Ltd156.146.56.1Large server fleet across M247 datacenters
IPVanishAS9009 · M247 Ltd37.120.156.1Tier-1 VPN running primarily on M247
CyberGhostAS9009 · M247 Ltd45.86.163.1Kape-owned VPN, heavy M247 footprint
Proton VPNAS9009 · M247 Ltd89.40.180.1Mix of owned infrastructure and M247-hosted exit nodes
MullvadAS9009 · M247 Ltd146.70.50.1Privacy-focused VPN; uses M247 plus dedicated rented hosts
ExpressVPNAS60068 · Datacamp Limited138.199.0.1Runs on Datacamp/CDN77 ranges across global PoPs
VyprVPNAS60068 · Datacamp Limited143.244.40.1Golden Frog VPN, largely Datacamp-hosted
WindscribeAS30633 · Leaseweb209.58.128.1Multi-host VPN, significant Leaseweb presence
hide.meAS30633 · Leaseweb209.58.147.1Uses Leaseweb and other commercial datacenters
TorGuardAS8100 · QuadraNet Enterprises198.8.80.1Privacy VPN with QuadraNet and other US hosts
Self-hosted (WireGuard / OpenVPN)AS14061 · DigitalOcean64.225.0.1DIY VPNs on cheap VPS — still datacenter traffic, still detectable
Self-hosted (Algo / Outline)AS20473 · Vultr Holdings45.32.0.1One-click VPS VPNs; the IP is a hosting range, not residential

VPN Providers by Hosting ASN

A small number of hosting ASNs carry most commercial VPN traffic. Detecting these networks catches many providers at once.

AS90097 providers

M247 Ltd

NordVPNSurfsharkPrivate Internet Access (PIA)IPVanishCyberGhostProton VPNMullvad
AS600682 providers

Datacamp Limited

ExpressVPNVyprVPN
AS306332 providers

Leaseweb

Windscribehide.me
AS81001 provider

QuadraNet Enterprises

TorGuard
AS140611 provider

DigitalOcean

Self-hosted (WireGuard / OpenVPN)
AS204731 provider

Vultr Holdings

Self-hosted (Algo / Outline)

How to Detect VPN Traffic with IPASIS

IPASIS classifies VPN, proxy, Tor, and datacenter IPs in real-time (<20ms latency) by combining hosting-ASN intelligence with live range data and behavioral signals:

  • ASN and announced-range matching for known VPN hosts (M247, Datacamp, Leaseweb…)
  • Datacenter vs. residential classification (a "consumer" IP on a hosting ASN is a red flag)
  • Reverse-DNS, WHOIS, and port fingerprints of commercial VPN gateways
  • Historical abuse data and threat-intelligence feeds
curl -X POST https://api.ipasis.com/v1/detect \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "ip": "185.156.46.1"
  }'

# Response:
{
  "ip": "185.156.46.1",
  "vpn": true,
  "proxy": false,
  "tor": false,
  "datacenter": true,
  "trust_score": 78,
  "asn": {
    "number": 9009,
    "name": "M247 Ltd",
    "risk_level": "high"
  },
  "threats": ["vpn", "anonymizer"],
  "recommendation": "step_up_verification"
}
View API DocsFree Tier: 3,000 req/month

Flagging VPN Traffic (Code Examples)

Express.js Middleware

const ipasis = require('@ipasis/node');

app.use(async (req, res, next) => {
  const result = await ipasis.detect(req.ip);

  // Risk-based, not a hard block
  if (result.vpn && result.trust_score < 50) {
    req.requireStepUp = true;
  }

  next();
});

Next.js Middleware

import { NextResponse } from 'next/server';
import { detect } from '@ipasis/node';

export async function middleware(req) {
  const ip = req.ip || req.headers.get('x-forwarded-for');
  const result = await detect(ip);

  if (result.vpn) {
    const res = NextResponse.next();
    res.headers.set('x-vpn', 'true');
    return res;
  }
}

Related Resources

🧅

Tor Exit Node List

Live database of Tor exit nodes and their ASNs

🔄

Residential Proxy Detection

Techniques for spotting proxied residential traffic

🚨

High-Risk ASNs

Hosting networks most associated with abuse

Detect VPN Traffic in Real Time

Free tier includes 3,000 requests per month. No credit card required. Classify VPN, proxy, Tor, and datacenter IPs with a single REST call.

Get API KeyCheck an IP
← Back to Threat Categories