Proxima Gateway
Firewall

VPN & proxy detection

Block requests originating from anonymous proxy networks

VPN detection refuses traffic from clients behind known anonymous-proxy or VPN providers. It's a quick way to keep automated tooling, abuse networks, and bot farms out of your gateway without writing a single rule.

How it works

For each incoming request, the firewall looks up the client IP in the GeoIP database ip-index.mmdb. If the IP is flagged as hosting, vpn, or anonymous_proxy and Block VPN/Proxy is enabled, the request is rejected with 403 Forbidden before any backend work is done.

Configuration

Sidebar → Firewall → General card:

  • Block VPN/Proxy — master toggle

That's the whole control surface. There's no allow-list of "good" VPNs — if a customer needs to use one for legitimate reasons, add their IP to the firewall whitelist so they bypass this check.

What gets blocked

The check is only as good as the lookup database. Today that means:

  • ✅ Most commercial VPN exits (NordVPN, ExpressVPN, Mullvad, etc.)
  • ✅ Datacenter ranges that are commonly used as proxies (DigitalOcean, AWS, OVH, Hetzner, etc. — when flagged as hosting)
  • ✅ Tor exit nodes (when present in the index)
  • ⚠️ Mobile carriers — sometimes flagged as "hosting" in error; whitelist the relevant ASNs if your traffic is mostly mobile

What doesn't get blocked

  • ❌ Residential proxy networks that route through real home IPs (these aren't in the index)
  • ❌ Custom VPNs people run on their own VPS (the IP looks like a cloud IP, but the GeoIP index might not flag it)

For these, combine VPN detection with auto-ban and rate limiting.

Interaction with other firewall rules

The order of checks per request:

  1. Image redirect (if image_url set and path matches /images/*) → bypass
  2. Whitelist hit → bypass everything below
  3. Banned IP → drop
  4. VPN/proxy check → drop if enabled and flagged
  5. Rate limit → drop or throttle if over limit
  6. MAC protection → drop if MAC invalid, rate exceeded, or too many MACs per IP
  7. Country block → drop if blocked
  8. Forward to backend
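As an added example, not the product's own code, here is a minimal model of steps 2 to 4 above (whitelist, ban, VPN/proxy flag) showing why a whitelisted IP never reaches the VPN check and why a banned IP is dropped before the lookup runs. The ip-index.mmdb lookup is replaced by an in-memory map of constructed documentation addresses, and every type and field name is an assumption made for this example.

```go
package main

import "fmt"

// Decision is the outcome of the ordered checks for one request.
type Decision string

const (
	Bypass     Decision = "bypass"      // step 2: whitelist hit, skip everything below
	DropBanned Decision = "drop-banned" // step 3: banned IP
	DropVPN    Decision = "drop-vpn"    // step 4: 403 Forbidden, logged as User: BLOCKED-VPN
	Forward    Decision = "forward"     // continue with rate limit, MAC and country checks
)

// IPFlags are the index flags the VPN/proxy check looks at.
type IPFlags struct{ Hosting, VPN, AnonymousProxy bool }

// Firewall holds only the state steps 2 to 4 need (field names are assumptions).
type Firewall struct {
	BlockVPN        bool
	Whitelist       map[string]bool
	Banned          map[string]bool
	Index           map[string]IPFlags // stands in for the ip-index.mmdb lookup
	VPNBlockedCount int                // stands in for the vpnBlockedCount stats counter
}

// Check applies steps 2 to 4 in the documented order for one client IP.
func (f *Firewall) Check(ip string) Decision {
	if f.Whitelist[ip] {
		return Bypass
	}
	if f.Banned[ip] {
		return DropBanned
	}
	fl, known := f.Index[ip]
	if f.BlockVPN && known && (fl.Hosting || fl.VPN || fl.AnonymousProxy) {
		f.VPNBlockedCount++
		return DropVPN
	}
	return Forward
}

// SampleFirewall builds a firewall over constructed sample data.
func SampleFirewall() *Firewall {
	return &Firewall{
		BlockVPN:  true,
		Whitelist: map[string]bool{"203.0.113.9": true}, // mobile carrier mis-flagged as hosting
		Banned:    map[string]bool{"192.0.2.5": true},
		Index: map[string]IPFlags{
			"198.51.100.7": {VPN: true},     // commercial VPN exit
			"203.0.113.9":  {Hosting: true}, // whitelisted, so never reaches step 4
			"192.0.2.5":    {VPN: true},     // banned and flagged: the ban wins
		},
	}
}

func main() {
	fw := SampleFirewall()
	for _, ip := range []string{"198.51.100.7", "203.0.113.9", "192.0.2.5", "192.0.2.77"} {
		fmt.Printf("%-14s %s\n", ip, fw.Check(ip))
	}
	fmt.Println("vpnBlockedCount:", fw.VPNBlockedCount)
}
```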

Audit

Blocked-by-VPN requests show up in the firewall stats counter (vpnBlockedCount exposed via /internal/firewall/stats) and in the proxy log with User: BLOCKED-VPN.