Connection Analysis

Aggregates multiple signals to estimate how easily websites can detect your VPN. Checks whether your IP belongs to a known VPN provider or datacenter (via ASN/org name matching), whether your browser timezone and language conflict with your IP's geolocation, and whether your IP is flagged as a proxy. The resulting percentage reflects how many detection heuristics fire — higher means more detectable.

Queries api64.ipify.org, which supports both IPv4 and IPv6 responses. If your browser connects via IPv6 (indicated by a colon-separated address), it means IPv6 traffic may be bypassing your VPN tunnel. Most VPNs only tunnel IPv4 by default, so an exposed IPv6 address can reveal your real ISP and approximate location.

Retrieves geolocation data associated with your public IP address from ipapi.co's database. IP geolocation works by mapping IP ranges to physical locations using data from regional internet registries, ISPs, and commercial datasets. With a VPN active, this should show the VPN server's location — not yours. Accuracy varies (city-level is often approximate).

Checks your IP's organization name (from ipapi.co) against known VPN providers (NordVPN, ExpressVPN, Mullvad, etc.) and datacenter/hosting companies (AWS, DigitalOcean, OVH, Hetzner, etc.). Residential IPs are considered clean; datacenter or VPN-branded IPs are flagged because websites use this same technique to detect and block VPN users.

Probes Cloudflare's 1.1.1.1 and Google's 8.8.8.8 DNS resolvers by making direct HTTPS requests to their diagnostic endpoints. If successful, it confirms your browser can reach these public resolvers. The DNS provider field cross-references your IP's ISP — if it matches a residential ISP while on a VPN, your DNS queries are likely leaking outside the VPN tunnel to your ISP's default resolver.

Measures round-trip latency by sending 5 sequential fetch requests to /cdn-cgi/trace (a Cloudflare endpoint on your own domain) with cache-busting, timing each request in milliseconds. Reports average, min, max, and jitter (mean deviation from average). Connection timing uses the Performance Resource Timing API to break down DNS lookup, TLS handshake, and time-to-first-byte from the browser's internal connection metrics. VPNs add overhead at each layer.

Measures download throughput by fetching a 2 MB payload from Cloudflare's public speed test endpoint (speed.cloudflare.com/__down). Calculates megabits per second from total bytes received divided by elapsed time. If the Cloudflare endpoint is unreachable (CORS blocked), falls back to 10 parallel fetches to /cdn-cgi/trace on your own domain. VPN encryption and routing overhead typically reduce speeds by 10–30% compared to a direct connection.

Estimates the Maximum Transmission Unit by timing sequential fetches with different implied payload sizes. VPN tunnels encapsulate your traffic in an additional protocol layer (WireGuard, OpenVPN, IPSec), which reduces the effective MTU from the standard 1500 bytes to typically 1280–1420 bytes. An MTU below ~1450 bytes is a strong indicator that traffic is being tunneled through a VPN.

Fetches /cdn-cgi/trace, a built-in diagnostic endpoint available on every Cloudflare-hosted site. Returns the Cloudflare datacenter code your request was routed to (e.g., IAD = Washington DC), the country code derived from your IP, the TLS version and HTTP protocol used, and whether Cloudflare WARP is active. The datacenter location reveals where your traffic exits — with a VPN, it should match the VPN server's region, not your physical location.

Extracts TLS version from the Cloudflare trace endpoint and connection protocol from the Performance Resource Timing API (nextHopProtocol). Your TLS Client Hello has a unique fingerprint (known as JA3/JA4) based on supported cipher suites, extensions, and elliptic curves. Some VPNs alter your TLS fingerprint by terminating and re-establishing TLS connections, while others pass it through unchanged. The JA3 hash itself requires server-side inspection and isn't accessible client-side.

Displays the HTTP response headers returned by Cloudflare's trace endpoint, plus the full parsed trace data. Headers like cf-ray reveal the Cloudflare datacenter, server shows the edge server, and alt-svc indicates available alternative protocols. In a full server-side setup, request headers like x-forwarded-for, cf-connecting-ip, and via can reveal proxy chains and your real IP even behind a VPN — that data requires a Worker endpoint to echo back.

Reads browser properties directly from JavaScript APIs: Intl.DateTimeFormat for timezone, navigator.languages for language preferences, navigator.platform for OS, screen.width/height and devicePixelRatio for display info, navigator.deviceMemory and hardwareConcurrency for hardware specs, and the Network Information API for connection type. None of these change when you connect to a VPN — they persist across sessions and uniquely identify your browser/device combination.

Creates an invisible HTML5 Canvas element and draws specific shapes, gradients, text with different fonts, and emoji onto it. The resulting pixel data is converted to a data URL and hashed with SHA-256. Due to differences in GPU drivers, font rendering engines, antialiasing, and sub-pixel rendering across hardware and OS combinations, the same drawing commands produce slightly different pixel outputs — creating a unique fingerprint that survives VPN connections, incognito mode, and cookie clearing.

Queries the WebGL API for GPU information: gl.getParameter(VENDOR) and gl.getParameter(RENDERER) return the browser's reported GPU, while the WEBGL_debug_renderer_info extension reveals the actual hardware vendor and model (e.g., "NVIDIA Corporation" / "GeForce RTX 3080"). These values are combined and hashed with SHA-256. Your GPU identity is hardware-specific and completely unaffected by VPN usage — it's one of the strongest device identifiers available to websites.

Creates an OfflineAudioContext and generates a triangle wave oscillator at 10kHz, runs it through a DynamicsCompressor node, then renders 1 second of audio offline. Reads a 500-sample slice of the output buffer (samples 4500–5000), sums their absolute values, and hashes the result with SHA-256. Differences in audio processing hardware, drivers, and the browser's audio pipeline implementation produce subtly different floating-point outputs — enough to create a unique device fingerprint that persists across VPN sessions.

Creates a 200×60 WebGL canvas and renders a fragment shader that computes complex trigonometric functions (sin, cos, fract) per pixel. Reads back all 48,000 RGBA pixel values with gl.readPixels and hashes them with SHA-256. Different GPUs compute floating-point shader math with subtly different precision and rounding — two identical shader programs on different GPU hardware produce different pixel outputs. The pixel variance metric measures how much variation exists in the output, with higher variance indicating more unique rendering behavior.

Queries multiple hardware-related browser APIs: 'ontouchstart' and maxTouchPoints for touchscreen capability, user agent string parsing for device type heuristics (mobile/tablet/desktop), navigator.getBattery() for charging status and level, navigator.mediaDevices.enumerateDevices() for camera/microphone/speaker counts (IDs are not accessed), and navigator.getGamepads for controller support. These hardware signals are device-specific and completely unchanged by VPN connections — they contribute to a stable cross-session device fingerprint.

Tests 36 common fonts by measuring text rendering width on an invisible Canvas. For each font, draws a test string using that font with a fallback to monospace, sans-serif, and serif baselines. If the measured width differs from the baseline, the font is installed. Different operating systems, language packs, and applications install different font sets — Windows has Calibri and Segoe UI, macOS has Helvetica Neue and SF Pro, Linux has Liberation Sans. The combination of installed fonts is highly identifying and unaffected by VPN usage.

Tests media codec support by calling canPlayType() on a video element with specific MIME types for H.264, H.265, VP8, VP9, and AV1 (video) and AAC, MP3, Opus, Vorbis, and FLAC (audio). Checks DRM support by requesting MediaKeySystemAccess for Widevine (Chrome/Firefox), FairPlay (Safari), and PlayReady (Edge). Also reports navigator.pdfViewerEnabled and the plugin count. Codec and DRM availability varies by browser, OS, and licensing — Chrome on Windows supports Widevine but not FairPlay, making this a strong browser/OS identifier.

Evaluates JavaScript math functions at extreme values: Math.tan(-1e300), Math.atan2(π, e), Math.sinh(1), and Math.expm1(1). Different JavaScript engines (V8 in Chrome, SpiderMonkey in Firefox, JavaScriptCore in Safari) use different underlying C math libraries with subtly different floating-point precision. Also checks Intl API formatting: NumberFormat for currency rendering, DateTimeFormat for date display, and Collator for locale/sort settings. These combined values are hashed to create a fingerprint that identifies your browser engine, OS locale, and regional settings — none of which change with a VPN.

Combines 13+ individual fingerprint signals (canvas hash, WebGL hash, audio hash, GPU render hash, font hash, math hash, screen dimensions, CPU cores, device memory, platform, touch points, timezone, and languages) into a single SHA-256 hash. This composite identifier is highly stable across browsing sessions and is completely unaffected by VPN usage, incognito mode, or cookie clearing. The stability rating indicates how many signals were successfully collected — more signals means a more reliable and unique identifier. This is the same technique commercial fingerprinting services use to track users without cookies.

Inspired by the FPMON research from Bundeswehr University Munich (RC3 2020). Tests 30 browser APIs across two categories: "Sensitive" APIs (9) have legitimate purposes — screen resolution for layout, timezone for scheduling, language for localization. "Aggressive" APIs (21) are primarily used for fingerprinting — AudioContext, WebGL debug info, device memory, battery status, Bluetooth/USB access, keyboard layout. Each API is probed with a try/catch to determine if it's accessible or blocked. The fingerprint surface percentage represents what fraction of your browser's identifying information is exposed to any website you visit. Privacy-hardened browsers (Brave strict, Firefox with resistFingerprinting) block many aggressive APIs.

Runs 5 independent leak tests that feed into the Privacy Score above. Each test checks whether a specific channel of information bypasses your VPN: WebRTC (local IP exposure via STUN), IPv6 (dual-stack tunnel bypass), DNS (ISP resolver leakage), timezone (browser vs IP country mismatch), and language (browser locale vs IP country mismatch). A good VPN should pass all 5 — any failure means some identifying information about your real location or identity is leaking despite the VPN connection. See the Privacy Score breakdown above for detailed explanations of each check.

Monitors your public IP address by polling api.ipify.org every 2 seconds. Records the initial IP as your baseline, then logs every subsequent check with a timestamp. If your IP ever changes — even briefly — it means your VPN connection dropped and traffic was routed through your real ISP before the VPN reconnected. A proper VPN kill switch should block all internet traffic when the tunnel drops, preventing any packets from leaking. Start monitoring, then manually disconnect and reconnect your VPN to test.

Queries your public IP from 3 independent endpoints simultaneously: api.ipify.org, ipapi.co, and /cdn-cgi/trace (Cloudflare). If all 3 report the same IP, all traffic is routed through the same path (full tunnel). If different endpoints return different IPs, split tunneling is active — meaning some traffic goes through the VPN while other traffic goes direct. This can happen intentionally (VPN split tunnel settings) or as a bug. Any IP inconsistency is a potential privacy leak.