Privacy on the internet isn't a single setting — it's the sum of what every layer of your connection leaks. The IP address gives away your rough location and ISP. The browser leaks a fingerprint built from dozens of technical details. DNS queries and WebRTC can punch straight through a VPN if they're not configured to use the tunnel. This page walks through each exposure and points to the tool that measures it.
Test your privacy
A tool for each exposure. Run them together for a full picture, or individually to chase a specific leak.
What your connection reveals
Every request you make carries your public IP address — there's no way around it, because the server needs somewhere to send the response. From that single number, a receiving site learns a surprising amount: your approximate location (country reliably, city often, street almost never), your ISP, the ASN that announces your IP block, and whether the address looks like a residential connection, a mobile carrier, or a datacenter.
There's also a party you connect through rather than to: your ISP. Without encryption of the name-resolution step, your ISP sees every domain you look up even when the page content itself is HTTPS. That's the gap encrypted DNS (DoH/DoT) closes, and the gap a DNS leak re-opens. The lesson is that privacy has two audiences — the sites you visit and the network you traverse — and a tool that protects you from one may do nothing about the other. A VPN hides your IP from the destination site and shifts what your ISP can see, which is why it's the single highest-leverage change for most people; but it introduces a new party (the VPN provider) who now occupies your ISP's old vantage point, so the choice of provider matters as much as the decision to use one.
What it does not reveal, on its own, is your identity. An IP is not a name. But combine it with a browser fingerprint, a logged-in account, or a tracking cookie, and the gap closes fast. The mental model that trips people up is assuming "hidden unless I log in" — in reality the default is "broadly visible, and trivially correlated across sites that share a tracking network". Start by seeing your own exposure with the IP Lookup, then work through the leaks below.
There's a second-order exposure most people miss: correlation over time. A single visit reveals a snapshot. But ad networks and analytics platforms that appear on thousands of sites stitch those snapshots together — the same fingerprint seen on a news site, a shopping site, and a forum builds a behavioural profile that no single visit would suggest. The IP can change (dynamic addresses, mobile carriers, a VPN) while the fingerprint stays constant, or vice versa; trackers use whichever signal is stable to bridge the gaps. Reducing exposure means thinking about all the signals at once, not just hiding the IP.
VPN and proxy detection
A VPN replaces your real IP with the VPN server's IP for anyone you connect to. That defeats simple IP-based tracking and geo-restriction — but it's also detectable, and a growing industry exists to detect it.
Detection works on three main signals. Datacenter ASN matching: VPN exit nodes live in hosting providers (AWS, OVH, M247, Hetzner), and traffic from a residential user that suddenly appears to originate from a datacenter ASN is an obvious tell. Known-VPN IP lists: commercial threat-intel vendors continuously scan the major VPN providers and publish their exit ranges. Tor exit node lists: the Tor project publishes these itself, so Tor is trivially identifiable. None of this is perfect — residential-IP VPNs and freshly-rotated ranges slip through — but it catches the bulk of commodity VPN traffic.
There are subtler signals too. Latency mismatch: if your IP geolocates to Amsterdam but your round-trip times suggest a host on the US east coast, that inconsistency hints at a tunnel. Timezone and language mismatch: a browser set to America/New_York connecting from a Frankfurt IP raises a flag. MTU and TCP fingerprinting: VPN tunnels often have a characteristic reduced MTU and TLS-stack signature. Individually these are weak, but detectors combine them with the IP-level signals into a confidence score rather than a yes/no — which is why VPN detection feels probabilistic and occasionally catches innocent users on unusual networks.
This is why a streaming service or bank may flag your VPN even though it's "working" in the sense of hiding your real IP. Detection isn't the same as a leak — the service simply recognises the exit as a VPN and blocks it on policy. Check what any IP looks like to a detector with the VPN & Proxy Check: it reports datacenter status, Tor membership, and known-VPN signals for your apparent address or any IP you enter.
Detection cuts both ways, and it's worth being clear-eyed about the legitimate uses. Fraud teams use it to flag a login from a datacenter IP that doesn't match the account's history. Sanctions-compliance systems use it to enforce geography rules they're legally required to honour. Abuse mitigation uses it to rate-limit scrapers and credential-stuffing bots that hide behind commodity VPNs. The same signal that a privacy-conscious user finds intrusive is, from the other side of the connection, a reasonable defence against automated abuse. Understanding what detectors see is the first step in deciding what you're comfortable exposing — and in recognising when a "VPN blocked" message is policy rather than a flaw in your setup.
Proxies sit alongside VPNs in the detection landscape. A forward proxy or residential proxy network routes traffic through other people's connections to look like ordinary residential users — harder to detect than a datacenter VPN, but increasingly fingerprinted by the same vendors through behavioural and timing analysis. The arms race never really ends; the practical takeaway is that no IP-level obfuscation is permanently invisible, and anything that matters should assume the IP will eventually be classified correctly.
Browser and connection leaks
A VPN only protects what actually travels through the tunnel. Three common leaks route around it.
WebRTC leaks are the most notorious. WebRTC is the browser API behind video calls, and to establish peer-to-peer connections it uses STUN to discover the device's own public IP. That discovery happens at the OS networking layer — below the SOCKS proxy most VPN clients install — so the real IP is exposed to any web page running a few lines of JavaScript, even with the VPN active. The WebRTC Leak Test runs exactly those probes and shows what your browser hands over.
DNS leaks happen when your traffic goes through the VPN but your DNS queries don't — they fall back to the OS's configured resolver, usually your ISP's. The traffic is encrypted, but your ISP still sees a list of every domain you visit. The DNS Leak Test sends queries to resolvers worldwide and reports which resolver actually answered, so you can confirm DNS is going through the tunnel.
DNS leaks are sneakier than WebRTC because they're silent — nothing breaks, the pages load, and you'd never notice without testing. The usual culprits are Windows' Smart Multi-Homed Name Resolution (which queries every network interface in parallel and uses whichever answers first), split-tunnel VPN configurations that route web traffic but not DNS, and routers that hard-code a DNS server. The robust fix is a VPN with a built-in kill switch and its own resolver, plus disabling any OS-level DNS override while connected. The principle behind all three browser leaks is the same: a VPN secures a route, and anything that takes a different route — a different protocol, a different network stack, a different API — escapes it.
Browser fingerprinting doesn't need your IP at all. Canvas rendering, the WebGL renderer string, the AudioContext signature, installed fonts, screen resolution, timezone, and language preferences combine into an identifier unique enough to single you out of millions — and it survives incognito mode and cookie clearing because none of those inputs are cookies. The Browser Fingerprint tool computes your fingerprint and shows how rare each component is.
Two more leaks round out the set. IPv6 leakage catches VPNs that only tunnel IPv4: if your connection is dual-stack and the VPN ignores IPv6, every IPv6-capable site sees your real address while you believe you're protected. The fix is either a VPN that tunnels both stacks or disabling IPv6 while connected. And geolocation-API permission bypasses IP entirely — if you've ever granted a site location access, it can use Wi-Fi triangulation and GPS, which a VPN does nothing to mask. These are quieter than WebRTC but defeat a VPN just as completely, and they're worth auditing in your browser's site-permission settings.
What your browser tells every site
Before any tracking script runs, your browser has already introduced itself. The User-Agent header declares the browser, version, OS, and rendering engine on every single request. Modern Chrome has frozen much of the legacy UA string and moved detail into Client Hints (Sec-CH-UA and friends), which sites must explicitly request — a privacy improvement, but the basics still ship by default.
The UA is a fingerprinting input in its own right: the exact combination of browser build, OS version, and platform narrows you considerably before any other signal is added. The User Agent tool parses your current UA and Client Hints into named fields so you can see precisely what every site reads on the first byte.
Beyond the User-Agent, the browser volunteers a stack of headers on every request that each carry a little entropy: Accept-Language reveals your language and regional preferences, Accept-Encoding and Accept vary subtly by browser, and the order in which headers are sent is itself a fingerprinting signal that some anti-bot systems key on. None of these is individually identifying, but the privacy lesson is consistent across every layer of this page: identity online is built from the accumulation of weak signals, not any single strong one. That's also why the most effective privacy posture is blending in — a common browser, common settings, common headers — rather than standing out with an exotic, heavily-customised configuration.
Common privacy scenarios
"Is my VPN actually working?"
Three checks, together. VPN & Proxy Check confirms your apparent IP is the VPN's exit and not your real address. WebRTC Leak Test catches the browser-level leak that the IP check alone can't see. DNS Leak Test confirms DNS queries are also going through the tunnel rather than your ISP's resolver. All three must pass to call the setup tight — a VPN that hides your IP but leaks WebRTC is giving you a false sense of security.
"Am I being fingerprinted?"
Almost certainly, yes — the question is how unique your fingerprint is. Run the Browser Fingerprint tool to see your canvas hash, WebGL renderer, and the rest, plus a uniqueness estimate. The counter-intuitive lesson: installing lots of privacy extensions or spoofing your user agent often makes you more identifiable, not less, because it pushes you into a rare configuration. The largest crowd to hide in is a stock, up-to-date browser.
"Why does a site know my location with a VPN on?"
Usually one of three things. A WebRTC leak is exposing your real IP — test with the WebRTC Leak Test. A DNS leak is revealing your queries to your ISP and, through it, your region — test with the DNS Leak Test. Or you're signed into an account that already knows where you are, or you previously granted the browser's Geolocation API permission, which uses Wi-Fi and GPS rather than IP and ignores the VPN entirely. Rule out the leaks first, then check site permissions.
"What can I actually hide, and what can't I?"
A VPN or Tor reliably hides your real IP from the sites you visit — that part works. What no network-level tool hides: your browser fingerprint (run the Fingerprint tool to see it), anything you voluntarily disclose by logging in, and traffic-analysis signals like timing and volume. The honest summary is that hiding your IP raises the cost of casual tracking and defeats geo-restriction, but a determined, well-resourced observer who can correlate fingerprints and account activity is a different threat model entirely. Match the tool to the threat: a VPN for ISP-level snooping and geo-blocks, a hardened browser for fingerprinting, and operational discipline (separate identities, no cross-login) for anything that genuinely needs to stay unlinked.
Learn more
The deep-dive posts below cover the mechanics behind each leak and detection method.