Single-signal test
VPN detection test
A VPN hides your IP — but does your setup leak the fact that you're using one? These are the tells any website can check.
Hiding your IP is not the same as hiding your VPN
When your VPN is on, websites see the exit server's address instead of yours — that part works. But websites can still ask a different question: is this visitor masking themselves? Fraud scoring, streaming geo-enforcement and bot detection all ask it constantly, and they rarely need an IP database to get an answer. Your browser volunteers the clues. Its clock says Karachi while the IP says Frankfurt. WebRTC coughs up an address the VPN never touched. The connection resolves to a hosting company's reverse DNS instead of a residential ISP.
The checks above cover the tells that are testable purely in your browser, against the connection data this server derived for you (visible on the dashboard). They are real signals used by real detection systems — and unlike IP-list lookups, they are tells you can actually fix yourself: align your system timezone with your exit region, and close the WebRTC side door (the WebRTC leak test walks through how).
The honest limits of this test
A “Consistent” verdict here does not mean your VPN is undetectable — commercial detection services additionally match your IP against curated lists of datacenter ranges and known VPN providers, which catches most exits regardless of how clean your browser behaves. That requires server-side reputation data this free tool deliberately doesn't ship. What this page tells you is whether you are adding extra tells on top — the ones under your control. Fixing them improves your consistency story everywhere, whether or not a site also runs IP-list checks.
Frequently asked questions
- How do websites detect VPN use?
- Three main ways: lists of known datacenter and VPN-provider IP ranges; consistency checks like comparing your browser timezone with your IP's region; and side channels like WebRTC revealing an address that differs from your apparent IP. This page tests the consistency and side-channel tells in your browser.
- My timezone mismatches — does every site see that?
- Any site that checks, sees it. Both values are trivially readable: the IP region from any geolocation database, your clock from one JavaScript call. Streaming services and fraud systems routinely compare them. Setting your device clock region to match your VPN exit removes this tell.
- Is using a VPN bad for privacy then?
- No — a VPN genuinely hides your traffic from your ISP and your IP from websites. But it doesn't make you anonymous: your browser fingerprint stays identical with the VPN on or off, which is exactly how trackers re-identify VPN users. Treat a VPN as one layer, not the whole answer.
- Why doesn't this test check VPN IP databases?
- Datacenter/VPN-range detection requires server-side infrastructure and commercial IP-reputation data — that's planned as a separate detection API. This MVP tests the client-side tells honestly rather than pretending to a database lookup it doesn't have.
This is one signal of many. The SysLeak exposure dashboard combines your IP, fingerprint and WebRTC results into a single Exposure Score.