It is pretty hard to tell in fact.
If you were a national security risk, the GI guys could enter your router and know for sure easy enough, but beyond that it could be human error or captured packet analysis that gets you caught.
I read some interesting articles a while ago on this.
Some things I can remember ....
End points and the amount of send traffic is important to look at and even the easiest thing to see is that all (100%) end points come from same IP (VPN server). Another is that some traffic is un-encrypted (un-important things as deemed by ISPs), while a VPN and a good VPN will show all traffic as encrypted.
This would take some dedication to catch but is possible.
Human error or lack of how VPNs work is another way to be detected.
At start up (for instance), your VPN is not initialized for a certain time period, till the connection is established first thru the real IP, or something like that and that is VPN and system dependent too. But that is something that can be detected easy enough by a server.
If a group are using windows systems and that is been established thru the server already for instance, and are connected to a Linux VPN (which most VPNs are) and the connections are showing as linux, then that is easily seen.
Servers may not like VPNs mostly for the fact that multiple users may be seen on same IPs and stuff like that, that send kaos and confesses the system
Servers that allow more then one connection defiantly do not like VPNs ... In the cases the user/client could sell or give one of his connections to his buddy down the street and he could use that on another IP and at same time, type of thing. That would be like using a VPN thru one device in your home and using your correct IP thru another device in your home.... that would show as two IPs and therefore a no no...
Does not matter how many times your IP changes , that is not a real indication that a VPN is in use. It matters about them end points thou and that is where you would need to capture the packet and analysis that.
In reality, I can send you my code and you could log on at your location without an issue, so that would be like the IP changing from across the country or even the world.
If we get this done while communicating on-line and do it say maybe tens times in a row and quickly, it will work and with no consequences.
So IP changes do not matter so much unless the server is already physically dedicated to investigating that one connection and the IP changes are just a hint that something may be a miss.
Severs and ISPs sometimes will subscribe to a 'Block Chain' list and if any IPs are seen from that list then they will be banned.
VPNs will sometimes only use certain block chain in their IPs