You switched VPN servers. You got a fresh IP. And yet, the website still flagged you. How?

The answer often lies not in who you are now, but in what that IP address used to be.

VPN Protocols Leave Fingerprints

Every VPN connection uses a protocol: a set of rules for how your device and the VPN server talk to each other. Popular ones include OpenVPN, WireGuard, and IKEv2. Each of these communicates over specific network ports: WireGuard typically uses port 51820, OpenVPN defaults to port 1194, and IKEv2 uses ports 500 and 4500.

These ports aren't arbitrary numbers. Each protocol was designed with a specific job in mind. WireGuard runs over UDP (a fast, lightweight transport) because it prioritizes speed and simplicity above all else. IKEv2 was built for mobile devices that frequently switch between networks (Wi-Fi to cellular and back), so it uses dedicated IPsec ports optimized for that reconnection behavior. OpenVPN is more flexible and can run on both UDP and TCP, but its default port is simply what its developers settled on when the protocol was created.

None of these protocols were designed to hide. They were designed to work well. Routing VPN traffic through port 443 requires extra configuration to make it look like regular web traffic, and that disguise introduces overhead, can reduce speeds, and doesn't always play nicely with every firewall or network setup. So most VPN servers, by default, just use their native ports without bothering to camouflage themselves.

These ports aren't secret. And crucially, they're visible to anyone who scans the internet, which plenty of organizations do, constantly.

The Internet Has a Long Memory

Services like Shodan and Censys crawl the entire public internet on a regular basis, recording which IP addresses respond on which ports. If an IP answered on port 51820 six months ago, that's in the database. It doesn't matter that the server was decommissioned, reassigned, or repurposed since then.

This creates a problem for VPN providers: even when they rotate their IP addresses (handing back old ones to the hosting provider and getting new ones), the new IPs may already have a history. A previous tenant on that address might have run a VPN server, a Tor exit node, or a proxy. The IP inherits that reputation, and detection systems treat it accordingly.
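The inherited-reputation effect described above, as an added Python example (not code from the original article): it reads a constructed scan history and reports whether an address answered on one of the default VPN ports named earlier within a lookback window. The log format, `SCAN_LOG`, `parse_scan_log`, `vpn_history` and the 365-day default are assumptions for illustration, not the schema or policy of any real scanning service.

```python
from datetime import date

# Default ports named in the article, keyed by (transport, port).
VPN_PORTS = {("udp", 51820): "WireGuard", ("udp", 1194): "OpenVPN",
             ("tcp", 1194): "OpenVPN", ("udp", 500): "IKEv2", ("udp", 4500): "IKEv2"}

# Constructed scan history (hypothetical format: date, IP, transport/port).
SCAN_LOG = """\
2024-01-10 198.51.100.23 udp/51820
2024-02-02 198.51.100.23 udp/51820
2024-02-02 198.51.100.23 tcp/22
2024-09-15 198.51.100.23 tcp/443
2024-03-01 203.0.113.9 tcp/443
"""

def parse_scan_log(text):
    """Yield (seen, ip, transport, port) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        seen, ip, service = line.split()
        transport, port = service.split("/")
        yield date.fromisoformat(seen), ip, transport, int(port)

def vpn_history(ip, records, today, lookback_days=365):
    """Summarise VPN-port sightings for ip that fall inside the lookback window."""
    hits = {}
    for seen, rec_ip, transport, port in records:
        proto = VPN_PORTS.get((transport, port))
        age = (today - seen).days
        if rec_ip != ip or proto is None or not 0 <= age <= lookback_days:
            continue
        first, last = hits.get(proto, (seen, seen))
        hits[proto] = (min(first, seen), max(last, seen))
    return {"ip": ip, "flagged": bool(hits),
            "protocols": {p: {"first_seen": f.isoformat(), "last_seen": l.isoformat(),
                              "days_since": (today - l).days}
                          for p, (f, l) in hits.items()}}
```

With `today=date(2024, 10, 1)`, the address that now serves only port 443 is still flagged because of its WireGuard sightings from months earlier; shortening `lookback_days` to 180 clears it, which is the retention trade-off a detection system has to choose.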

Why Port 443 Doesn't Always Save You

Some VPN providers route traffic through port 443 (the same port used by regular HTTPS web traffic) specifically to blend in. The idea is that blocking port 443 would break the entire web, so it's a safe hiding spot. It works, sometimes. But there are several layers of detection that see through it.

TLS fingerprinting. When your browser opens an HTTPS connection, it sends a "hello" message that lists its supported encryption methods in a specific order. Different software (Chrome, Firefox, a VPN library) produces a distinctly different fingerprint in this handshake. Detection systems have catalogued what a real browser looks like versus what common VPN libraries look like. Even if the traffic is on port 443, the handshake can give it away.

Missing or suspicious SNI. Every normal HTTPS connection includes a field called SNI (Server Name Indication), where the client announces which domain it wants to connect to, for example google.com. This is necessary because one server can host many websites, so it needs to know which certificate to use. A VPN server on port 443 often sends no SNI at all, or something clearly non-standard: an IP address instead of a domain name, or a placeholder string. For a detection system, the absence of a real domain name in SNI is an immediate signal that this isn't ordinary browser traffic.

Certificate problems. A legitimate HTTPS server presents a certificate issued by a trusted authority for a real domain. VPN servers running on 443 often use self-signed certificates, or certificates issued to an IP address rather than a hostname, both of which are highly unusual in normal web traffic and easy to flag.

Traffic patterns. Real web browsing has a recognizable rhythm: short bursts of requests, varying packet sizes, pauses between page loads. VPN traffic carrying encrypted tunneled data looks different: more uniform packet sizes, more sustained throughput, different timing. Deep packet inspection systems don't need to break the encryption to notice that the shape of the traffic doesn't match what a browser does.
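The handshake checks described under TLS fingerprinting and SNI above, as an added Python example (not code from the original article): it parses a ClientHello, hashes the offered version, cipher-suite order and extension order into a simplified fingerprint, and classifies the SNI field. `build_client_hello`, `classify_sni`, `inspect_client_hello` and the no-dot placeholder heuristic are assumptions for illustration; the sample record is constructed, not captured.

```python
import hashlib
import ipaddress
import struct

def build_client_hello(ciphers, sni=None):
    """Constructed sample input: a minimal ClientHello record, not a capture."""
    exts = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # supported_versions
    if sni is not None:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode()
        data = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(data)) + data + exts
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(suites))
            + suites + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def classify_sni(sni):
    """Rough SNI check: missing, IP literal, placeholder (no dot), or hostname."""
    if sni is None:
        return "missing"
    try:
        ipaddress.ip_address(sni)
        return "ip-literal"
    except ValueError:
        return "hostname" if "." in sni else "placeholder"

def inspect_client_hello(record):
    """Return (fingerprint, sni, sni_verdict) for one TLS ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    version = struct.unpack_from("!H", record, 9)[0]  # after record+handshake headers
    pos = 9 + 2 + 32                          # skip version and random
    pos += 1 + record[pos]                    # skip session id
    n = struct.unpack_from("!H", record, pos)[0]
    ciphers = struct.unpack_from(f"!{n // 2}H", record, pos + 2)
    pos += 2 + n
    pos += 1 + record[pos]                    # skip compression methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    ext_types, sni = [], None
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        ext_types.append(etype)
        if etype == 0:   # server_name: list length, name type, name length, name
            nlen = struct.unpack_from("!H", record, pos + 7)[0]
            sni = record[pos + 9:pos + 9 + nlen].decode("ascii", "replace")
        pos += 4 + elen
    text = f"{version},{'-'.join(map(str, ciphers))},{'-'.join(map(str, ext_types))}"
    return hashlib.sha256(text.encode()).hexdigest()[:16], sni, classify_sni(sni)
```

Two clients that offer the same cipher suites in a different order produce different fingerprints, and a hello built with `sni=None` or an IP literal is classified as `missing` or `ip-literal` without decrypting anything.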

What This Means for You

If you're using a VPN for privacy and keep getting flagged or blocked, switching servers helps, but it's not a guarantee. The new server's IP might already be on a list, not because it's a known VPN provider, but because of what ran on that address before.

The most reliable VPN providers manage this by actively monitoring the reputation of their IP pool and cycling out addresses that have accumulated too much history. Some also offer dedicated IPs (an address used only by you), which avoids the shared-history problem entirely, though it comes at a cost.

The Takeaway

Detection systems don't just look at who's using an IP right now. They look at everything that IP has ever done. Protocol fingerprints recorded by internet-wide scanners create a long shadow that follows an address even after it changes hands, and understanding that is the first step to knowing why your VPN might be less invisible than you think.
