You’re in Berlin trying to watch a show that’s only available on US Netflix. Or you’re in the US trying to access BBC iPlayer (UK-only). The streaming service knows your IP, looks up your country, and serves you a different catalog. This is geo-restriction, and it’s everywhere in modern streaming.
This post walks through why streaming content is region-locked at all, how the technical enforcement works, the ongoing arms race with VPN users, and the implications for anyone building or operating a region-aware service.
Why Content Is Geo-Restricted
The simple answer: licensing. Content owners (studios, distributors) sell rights region-by-region. A show might be:
- Licensed to Netflix US, but to Amazon Prime in the UK.
- Licensed to Disney+ in Canada, but to local broadcasters in France.
- Held exclusively for the local market by a producer who hasn’t sold international rights yet.
The streaming service doesn’t control the catalog globally; they control it per-territory. Geo-restriction is how they enforce the contract.
The reasons content owners sell regionally:
- Maximize revenue — Charge different prices in different markets.
- Existing local deals — A US studio may already have a French distributor with exclusive rights.
- Release windows — Content might be in cinema in one market and streaming in another.
- Regulatory — Some content can’t legally be shown in certain countries.
Most viewers find this annoying. Studios find it lucrative. Streaming services are stuck in the middle implementing the enforcement.
Technical Enforcement
The mechanics are straightforward:
- User requests content.
- Service looks up the user’s IP via geolocation. (See how to geolocate an IP.)
- Maps country to entitlement for the specific content.
- If entitled: serve. If not: show “not available in your region.”
The lookup is fast — country-level data via a hosted API or CDN header takes milliseconds. The decision is the easy part.
The hard part is VPN/proxy detection, because users routinely route around geo-restrictions.
The VPN Arms Race
Geo-restriction enforcement is one of the biggest ongoing IP-detection battles. Both sides:
The user side
- Subscribe to a VPN service (Surfshark, NordVPN, ExpressVPN, etc.) with exit nodes in the desired country.
- Configure the VPN, open the streaming app, watch the regional catalog.
The service side
- Detect VPN exit nodes by ASN (most VPNs use hosting ASNs).
- Maintain blocklists of known VPN IPs (commercial threat-intel).
- Detect “too many distinct users from one IP” patterns.
- Use behavioral signals (device fingerprint, account history) to suspect VPN use.
- Show “VPN detected” error and force user to disable VPN.
The result: VPN providers constantly rotate IPs and add residential-proxy exit options. Streaming services constantly improve their detection. The cat-and-mouse continues, with each side incrementally evolving.
How Streaming Services Detect VPNs
Modern detection uses multiple signals:
ASN classification
The single strongest signal. VPN exit nodes run on hosting ASNs (AWS, OVH, dedicated VPN-provider ASNs). Real residential users come from ISP ASNs. The Ip2Geo API and similar return ASN type inline; a hosting ASN on streaming traffic is almost certainly a VPN.
Threat-intel feeds
Commercial feeds (Spamhaus, IP2Location’s VPN database, IPQualityScore) maintain lists of known VPN exit IPs. Streaming services subscribe.
IP density
A residential IP serves ~1-3 distinct users (a household). A VPN IP serves hundreds or thousands. Watching for high distinct-user counts per IP catches new VPN endpoints before threat feeds do.
Connection patterns
VPN users often disconnect and reconnect (switching servers), leaving short session lengths. Real users have longer sessions per IP.
Mismatch signals
User’s billing country says Brazil, IP says US, account history says US. Something’s off.
Device fingerprinting
Browser fingerprint suggests a Brazilian user (locale, timezone), IP says US. Mismatch flagged.
The result: services can detect commercial VPN use with ~90%+ accuracy. The remaining ~10% is what users are still successfully exploiting.
Residential Proxy Networks
The newer evolution: residential proxies. Networks of real consumer devices (often Android phones, IoT devices, or volunteer browser-extension users) that rent out their bandwidth as exit nodes.
The traffic looks identical to legitimate residential traffic — because it is legitimate residential traffic. Detection becomes much harder:
- ASN looks residential because it is.
- One device per IP because that’s how home internet works.
- Behavioral fingerprint matches a real consumer device.
The cost is much higher per gigabyte than commercial VPNs. Users who need to bypass restrictions for streaming pay $50-100/month for residential proxy access. For most casual users, commercial VPNs are cheap and “good enough” even with imperfect bypass rates.
For more on this, see residential proxies explained.
Geofencing in Practice
The streaming case is the most visible, but geofencing shows up in many contexts:
- Compliance: Gambling, alcohol, or cannabis sales restricted by jurisdiction.
- Pricing: Showing local currency and pricing tiers.
- Content: News services with different editions per country.
- Sports: Live broadcasts with regional blackouts.
- Government services: Online services restricted to residents.
For all of these, the technical mechanism is similar to streaming. The political/legal pressure varies — sports leagues actively litigate VPN circumvention; news organizations usually don’t.
Edge Cases and Failures
A few classes of users get caught in the crossfire:
Mobile carriers exiting via different countries
Some mobile networks (especially in smaller countries) route international roaming traffic through gateways in other countries. A user physically in country X is geolocated to country Y. Streaming says “not available.”
IPv6 with geolocation gaps
Some IPv6 prefixes are poorly mapped in geolocation databases. A user with IPv6 gets “unknown country” — services usually default to “block.”
Recent IP allocations
A new IP block, recently allocated, takes time to appear in geolocation databases. New ISP customers can be misidentified.
Multi-WAN setups
A household with both fiber and 5G failover might appear to switch countries when fiber drops. Streaming session breaks until the user reconnects.
For these legitimate users, “your VPN is blocked” is confusing. Better UX is offering an appeal mechanism, but most streaming services don’t.
What This Means for Application Developers
If you operate a service with geo-restrictions:
Use country-level geo for entitlement
City-level is usually too granular. Country is the unit of licensing and regulation.
Use ASN data for VPN detection
Single best signal. ASN classification + your own behavioral observations catch most VPN traffic.
Provide a clear error message
“Content not available in your region” should be the message. If they’re using a VPN, they know why; don’t accuse innocent users.
Have an appeal process
Real users get false-positived. An email path to manually review (with logs) preserves user trust.
Don’t permanently ban
A user who tries to bypass once shouldn’t be permanently locked out. Soft enforcement (kick out of session) beats hard bans.
Match licensing precision
If the license says “EU only,” “EU” is your geo filter — not “Germany only” because that’s where most EU traffic comes from.
What This Means for Users
If you’re a user navigating geo-restrictions:
- For occasional access: A commercial VPN works most of the time. Bypass rates of ~60-80% for major streaming services in 2026.
- For reliable access: Residential proxies, but they’re expensive.
- For travel: Most services offer 30-day “travel” allowances where you can access your home catalog from abroad. Use that instead of fighting VPN detection.
- For privacy: VPNs help your ISP not know your streaming activity even if they don’t bypass geo-restrictions.
The Future
A few directions in 2026:
More aggressive VPN detection
Streaming services have substantially more resources to spend on detection than VPN users. The arms race is going to tilt toward services over time.
Residential-proxy bans
Commercial residential proxy networks are increasingly recognized; major services are blocking them too.
Server-side device attestation
Some services are experimenting with hardware attestation (Apple App Attest, Android Play Integrity) to require “real device” alongside geo-checks. Much harder to bypass.
Single global catalogs (slow trend)
The licensing industry is slowly consolidating. As streaming services own more content directly (Netflix Originals, Apple TV+), the regional licensing problem matters less. But “slowly” is the operative word.
TL;DR
- Geo-restriction exists for licensing — content owners sell rights regionally.
- Enforcement is via IP geolocation + VPN detection.
- VPN detection uses ASN classification, threat-intel feeds, density and behavioral signals.
- Residential proxies are the newer evolution that’s much harder to detect.
- Real users get false-positived — especially mobile carriers, IPv6 with gaps, newly allocated IPs.
- For application developers, treat geo-restriction as licensing enforcement, not a hard security barrier. Provide appeals.
- For users, expect ~60-80% VPN bypass rates for major services in 2026; residential proxies more reliable but expensive.
Geo-restriction is one of the most visible applications of IP geolocation in the consumer internet. The technical mechanics are simple; the cat-and-mouse with VPNs and the licensing politics are what make it complicated. For the broader geofencing pattern, see geofencing 101; for the technical building blocks, how to geolocate an IP.