TransitPacket

Is That Login Legit? How to Tell If an IP Is Coming Through a VPN or Proxy

A practical guide for freelance IT consultants and small MSPs: how to use IP Lookup and ASN Lookup to assess whether a client's login from an unfamiliar location is a real connection or worth a closer look — a strong signal, not a verdict.

A client messages you: "I got an alert that someone logged into my account from Germany — that wasn't me, or... wait, was I on a VPN?" This is the specific, narrower question that comes up constantly and deserves a better answer than a shrug: is this login coming from a VPN, a proxy, or a hosting/datacenter range — or does it look like an ordinary residential connection from wherever the client claims to have been?

Start with IP Lookup — what does the network actually look like

Run the login IP through IP Lookup and note the organization and country. A generic-sounding cloud or hosting name (AWS, DigitalOcean, Hetzner, OVH) or an organization you don't recognize as an ISP is your first clue. A named regional ISP or mobile carrier in a country the client can plausibly explain (a trip, a client visit, a relative's house) is a different picture entirely — this step alone won't settle it, but it tells you which direction to look.

ASN Lookup — where the real signal is

Run the same IP through ASN Lookup. This is the tool that actually distinguishes "residential connection somewhere unexpected" from "VPN, proxy, or datacenter" — and the heuristics are fairly reliable, though never absolute:

  • Residential or mobile ISP ASN — a regional broadband provider or mobile carrier's ASN is consistent with an actual person connecting from an actual home or phone network. This is what you'd expect from someone genuinely traveling or working from an unusual location.
  • Hosting or cloud provider ASN — real people don't typically connect to a login page directly from a datacenter's own IP range. An ASN belonging to AWS, DigitalOcean, Hetzner, OVH, or similar is a strong signal the traffic is routed through infrastructure, not a home connection — consistent with a VPN, proxy, or automated access.
  • Known VPN or proxy provider ASN — some commercial VPN services have their own recognizable ASN or organization name in registry data, which is about as close to a direct answer as you'll get. Not every VPN shows this clearly; many just look like generic hosting-provider ASNs instead.

None of this is a certainty — it's a strong, practical signal built on how these networks are actually structured, not a lookup that returns "yes, this was a VPN."

Why this isn't a verdict

Be honest about the limits here, both with yourself and with the client. Legitimate remote workers use VPNs constantly — a corporate VPN, a privacy tool, a client's own IT policy requiring one. A hosting-provider or VPN-associated ASN is genuinely consistent with a real, authorized login just as much as it's consistent with something worth investigating further. The finding is "this is the kind of network a VPN or proxy typically uses," not "this proves the login wasn't the client." Treat it as a reason to ask a direct follow-up question, not as grounds to declare the account compromised.

Putting it together — how to talk to the client

Lead with the finding and a direct question, not an alarm:

"I checked the IP from that login — it's coming through a network type commonly used by VPNs and hosting services, not a typical home or mobile connection. Were you using a VPN at the time, or does that not sound familiar?"

If they confirm a VPN or remote-work setup, you're done — that's a satisfying, concrete answer instead of a shrug. If they say no, that's the point where it becomes a real security conversation: recommend a password reset and a closer look at account activity, rather than assuming either innocence or compromise before you've actually asked.

Bookmark this page — it's built to be the reference you pull up any time a client asks whether a login from somewhere unexpected was really them.

FAQ

The client says they were using their company VPN — does that explain a hosting-provider ASN?

Yes, often. Plenty of legitimate corporate VPNs route traffic through commercial hosting or cloud infrastructure rather than a dedicated residential-style network, so a hosting-provider ASN is genuinely consistent with a corporate VPN, not just a red flag. If the client can name the VPN provider or IT policy involved, that's a real, checkable explanation — ask before assuming the worst.

Can I tell exactly which VPN service someone used?

Sometimes, not always. Some VPN providers' IP ranges are well-documented enough that ASN Lookup's organization name will say something recognizable (a known VPN or proxy provider's name). Many others route through generic commercial hosting providers with no VPN-specific branding at all, in which case you can say "this is consistent with a VPN or hosting-based connection" but not name the specific service — that's a real limit of this method, not a gap in how you're using the tools.

How does this fit with the other guides?

Investigating a Suspicious IP Address covers general triage for attack-shaped activity — failed logins, scanning, spoofed identity. This guide is narrower: specifically assessing whether one single login from an unexpected location is plausibly the actual person or worth a follow-up question. Use that guide when something looks like an attack; use this one when a client simply asks "was that really me?"