Still Visible With VPN On? Here’s Every Leak You’re Missing
A VPN hides your IP. Cool. That’s about 20% of what can expose you online.
Most people turn on a VPN and assume they’re invisible. They’re not. Your browser is a snitch — leaking your identity through dozens of channels your VPN doesn’t even touch. IP address is just the front door. Sites are watching the windows, the chimney, and the basement.
This post covers everything that can expose you even WITH a VPN running — and every free tool to test each vector. Not “check my IP” basics. The full paranoid audit.
🔍 Layer 1 — IP & Network Leaks (The Stuff Your VPN Should Handle But Often Doesn't)
Your VPN tunnels your traffic. But “your traffic” isn’t always ALL your traffic. Here’s what leaks through the cracks.
The 4 Leak Types
| Leak Type | What Happens | Why It’s Dangerous |
|---|---|---|
| DNS Leak | Your DNS queries go to your ISP instead of through the VPN | ISP sees every site you visit — VPN is useless |
| WebRTC Leak | Browser’s real-time communication API exposes your real local + public IP | Works even behind a VPN — JavaScript-based, happens silently |
| IPv6 Leak | VPN tunnels IPv4 but your device still uses IPv6 directly | Your real IPv6 address is fully exposed to every site |
| IP Leak | VPN drops connection silently, traffic routes through ISP | No kill switch = naked browsing without knowing it |
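To make the WebRTC row concrete, here is an added example (not part of the original post) that audits the ICE candidate strings a page can collect and reports what each address reveals. The sample candidates, the VPN exit address and the verdict labels are constructed for illustration.

```python
import ipaddress

# LAN / link-local ranges (listed explicitly; everything else counts as public).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]

def classify(addr, vpn_exits):
    """Say what one ICE candidate address reveals to the page that collected it."""
    if addr.endswith(".local"):
        return "mdns-masked"              # browser replaced the host IP with an mDNS name
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "masked"                   # 0.0.0.0 / :: placeholder
    if any(ip in net for net in LOCAL_NETS):
        return "lan-address"              # internal address, still a fingerprinting signal
    return "vpn-exit" if ip in vpn_exits else "LEAK-public-address"

def audit(candidates, vpn_exit_ips):
    """Return (candidate type, address, verdict) for every address in the candidates."""
    exits = {ipaddress.ip_address(a) for a in vpn_exit_ips}
    report = []
    for line in candidates:
        parts = line.split()
        # candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
        ctype = parts[parts.index("typ") + 1]
        addrs = [parts[4]]
        if "raddr" in parts:              # related address: the base behind srflx/relay
            addrs.append(parts[parts.index("raddr") + 1])
        report += [(ctype, a, classify(a, exits)) for a in addrs]
    return report

# Constructed sample: candidates as a page's onicecandidate handler would receive them.
SAMPLE = [
    "candidate:1 1 udp 2113937151 3f1c9a2e-5b7d-4c11-9e0a-7d2b6a4c8e10.local 51234 typ host",
    "candidate:2 1 udp 1677729535 198.51.100.20 51234 typ srflx raddr 0.0.0.0 rport 0",
    "candidate:3 1 udp 1677729535 203.0.113.77 40000 typ srflx raddr 192.168.1.23 rport 40000",
    "candidate:4 1 udp 2122262783 2001:db8:52:1::a1 40001 typ host",
]

if __name__ == "__main__":
    for row in audit(SAMPLE, ["198.51.100.20"]):
        print(*row)
```

Candidates 3 and 4 are the failure cases: a public IPv4 address that is not the VPN exit, and a global IPv6 host address that bypasses an IPv4-only tunnel.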
Free Test Tools
| Tool | What It Tests | Link |
|---|---|---|
| BrowserLeaks | IP, DNS, WebRTC, Canvas, WebGL, Fonts, Audio — the most complete single tool | browserleaks.com |
| DNSLeakTest | DNS + WebRTC specifically — extended test reveals all resolvers | dnsleaktest.com |
| IPLeak.net | IP, DNS, WebRTC, torrenting IP — all in one page | ipleak.net |
| IPCheck.ing | Open-source — IP, DNS, WebRTC, latency, Whois, DNS records | ipcheck.ing |
| Do I Leak (Top10VPN) | IP, DNS, WebRTC + torrent IP leak — tests before/after VPN | top10vpn.com/tools/do-i-leak |
| ProPrivacy Leak Test | Fully automated IPv4, IPv6, DNS, WebRTC in one click | proprivacy.com/tools/vpn-leak-tool |
How to Fix Each Leak
| Leak | Fix |
|---|---|
| DNS | Force VPN’s DNS in app settings. Or manually set DNS to 1.1.1.1 / 9.9.9.9 / 8.8.8.8 |
| WebRTC | Firefox: about:config → media.peerconnection.enabled = false. Chrome: install uBlock Origin → settings → check “prevent WebRTC leak.” Brave: Settings → search “WebRTC” → “Default public interface only” |
| IPv6 | Disable IPv6 on your OS. Or use a VPN that explicitly blocks IPv6 traffic. Windows: disable Teredo (netsh interface teredo set state disabled) |
| IP (kill switch) | Enable your VPN’s kill switch. Or use firewall rules that block all non-VPN traffic |
🧬 Layer 2 — Browser Fingerprinting (Why Your VPN Means Nothing If Your Browser Is Unique)
Here’s the part that scares people: sites can identify you without your IP address. Your browser itself is the fingerprint — and 99.5% of browsers are uniquely identifiable.
What Gets Fingerprinted
| Vector | How It Works | Uniqueness |
|---|---|---|
| Canvas | Site draws a hidden image via HTML5 Canvas API → reads pixel data → your GPU/driver combo produces a unique hash | High — different per GPU + driver + OS |
| WebGL | Reads your GPU vendor + renderer string. VMs show “SwiftShader” or “Google Inc.” — instant flag | Very high — exposes exact hardware |
| AudioContext | Generates inaudible sound via Web Audio API → measures processing differences → unique per audio stack | 99.6% accuracy when combined with other vectors |
| Font enumeration | Probes installed system fonts — each OS/user combo has a different list | Medium-high — varies by OS + installed software |
| Screen/Display | Resolution, color depth, device pixel ratio, window size | Medium — narrows you to device class |
| Navigator properties | User agent, platform, language, timezone, CPU cores, RAM, plugins | Combined = very high uniqueness |
| TLS/JA3 fingerprint | The way your browser initiates HTTPS connections — cipher suites, extensions, order — produces a hash specific to the client software | Identifies your exact browser + version before any page loads |
The TLS Fingerprint Nobody Talks About
Your TLS handshake happens before any webpage loads. It’s the first thing a server sees. JA3 (created by Salesforce in 2017) and its successor JA4 hash the cipher suites, extensions, and elliptic curves from your ClientHello packet into a fingerprint.
What this means: Cloudflare, Akamai, and every major WAF know what software you’re running from the first millisecond of connection — before your user-agent, before your cookies, before anything.
VPNs don’t touch this. Incognito mode doesn’t touch this. Only your actual browser application determines your TLS fingerprint.
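The following added example (not from the original post) parses a ClientHello handshake message and computes its JA3 string and MD5, showing that the random GREASE values browsers insert are dropped before hashing. The `build_hello` and `sample` helpers and the cipher and extension lists are constructed test input, not a real browser's handshake.

```python
import hashlib
import struct

def is_grease(v):  # RFC 8701 GREASE placeholders: 0x0a0a, 0x1a1a, ... 0xfafa
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def u16s(buf):
    return [v for (v,) in struct.iter_unpack("!H", buf)]

def ja3(hello):
    """Return (JA3 string, MD5 hex) for a ClientHello handshake message (no record header)."""
    version = struct.unpack_from("!H", hello, 4)[0]    # after type (1) + length (3)
    pos = 4 + 2 + 32                                   # skip legacy version + client random
    pos += 1 + hello[pos]                              # session id
    n = struct.unpack_from("!H", hello, pos)[0]
    ciphers = u16s(hello[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + hello[pos]                              # compression methods
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    exts, groups, formats = [], [], []
    while pos < end:
        etype, elen = struct.unpack_from("!HH", hello, pos)
        body = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        exts.append(etype)
        if etype == 10:                                # supported_groups ("elliptic curves")
            groups = u16s(body[2:])
        elif etype == 11:                              # ec_point_formats
            formats = list(body[1:])
    kept = [[v for v in f if not is_grease(v)] for f in (ciphers, exts, groups)]
    text = ",".join("-".join(map(str, f)) for f in [[version], *kept, formats])
    return text, hashlib.md5(text.encode()).hexdigest()

def build_hello(ciphers, extensions):
    """Constructed test input: a minimal ClientHello from cipher IDs and (type, body) pairs."""
    ext = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def sample(grease):
    """Same client stack, with a different random GREASE value per connection."""
    groups = struct.pack("!HHHH", 6, grease, 0x001d, 0x0017)   # x25519, secp256r1
    exts = [(grease, b""), (0, b""), (10, groups), (11, b"\x01\x00")]
    return build_hello([grease, 0x1301, 0x1302, 0xc02f], exts)

if __name__ == "__main__":
    print(*ja3(sample(0x0a0a)))
```

Extension order is part of the JA3 string, so a client that shuffles its extensions per connection produces a different JA3 each time; JA4 sorts the list before hashing to stay stable.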
Free Fingerprint Test Tools
| Tool | What It Tests | Best For | Link |
|---|---|---|---|
| CreepJS | The hardest test — detects JS tampering, prototype lies, anti-fingerprint failures. 1.5k+ GitHub stars. Research-grade | Catching spoofing failures | abrahamjuliot.github.io/creepjs |
| BrowserLeaks | Canvas, WebGL, Audio, Fonts, JS, WebRTC, DNS, geo — each as separate deep-dive pages | Technical deep-dives per vector | browserleaks.com |
| AmIUnique | Research project — compares your fingerprint against millions of profiles, shows uniqueness per attribute | Seeing how unique you actually are | amiunique.org |
| Cover Your Tracks (EFF) | Tests tracking protection + fingerprint uniqueness. Run by the Electronic Frontier Foundation | Quick pass/fail on tracking resistance | coveryourtracks.eff.org |
| Pixelscan | All-in-one: fingerprint + IP + proxy + DNS + bot detection + blacklist. The hardest checker used by anti-detect browser users | Final exam — if you pass Pixelscan, you’re solid | pixelscan.net |
| IPhey | Quick trust score for your digital identity — canvas, WebGL, WebRTC, timezone/language consistency | Fast pass/fail check | iphey.com |
| BrowserScan | Fingerprint authenticity score + detailed breakdown. Free, no account needed | Scoring how “normal” you look | browserscan.net |
| Whoer | Anonymity score (0-100%) + DNS + WebRTC + browser metadata | Quick anonymity grade | whoer.net |
| Audio Fingerprint Test | Specifically tests AudioContext fingerprinting — shows your exact audio hash | Isolating audio-based tracking | scrapfly.io/web-scraping-tools/audio-fingerprint |
| JA3/JA4 TLS Fingerprint | Shows your exact TLS fingerprint + compares against 125k+ real browser profiles | Checking if your TLS handshake is flagged | scrapfly.io/web-scraping-tools/ja3-fingerprint |
📂 CreepJS — Why It's the Hardest Test
CreepJS is open-source (GitHub) and specifically designed to break anti-fingerprinting tools. It detects:
- Prototype lies (when extensions modify JS API behavior)
- Canvas/WebGL/Audio inconsistencies
- Headless browser artifacts (Puppeteer, Playwright, Selenium)
- Timezone/locale mismatches
- Missing APIs that should exist in a real browser
If you pass CreepJS with a clean trust score — your setup is legit. If CreepJS flags you — sites with serious anti-fraud (banks, streaming, e-commerce) will catch you too.
🏠 Layer 3 — IP Intelligence (How Sites Know You're on a VPN Before the Page Loads)
Even if your VPN hides your real IP, the replacement IP can betray you. IP intelligence databases classify every IP address on the internet.
How IP Classification Works
Every IP has metadata: the ISP that owns it, the ASN (Autonomous System Number), the type of network, and behavioral signals. Companies like MaxMind, IPinfo, IP2Location, and IPLocate maintain databases that categorize IPs into types:
| IP Type | What It Means | VPN Detection Risk |
|---|---|---|
| Datacenter | IP belongs to a hosting provider (AWS, DigitalOcean, OVH, etc.) | |
| Residential | IP belongs to a home ISP (Comcast, Airtel, Vodafone, etc.) | |
| Mobile/Cellular | IP belongs to a mobile carrier | |
| Commercial/Business | IP belongs to a business ISP | |
| Known VPN | IP is in a VPN provider’s known range | |
| Tor exit node | IP is a known Tor exit | |
| Residential proxy | Real residential IP rerouted through proxy network | |
The Detection Stack
Sites don’t just check one thing. They stack signals:
- IP type (datacenter = flag)
- ASN reputation (known VPN ASN = flag)
- Geolocation mismatch (IP says London, timezone says Mumbai = flag)
- Connection type (hosting provider for a “residential” user = flag)
- Behavioral (1000 accounts from same IP range = flag)
Free IP Check Tools
| Tool | What It Shows | Link |
|---|---|---|
| Fraudlogix VPN Check | Detects VPN, proxy, Tor — shows if your IP is flagged | fraudlogix.com/vpn-ip-address-check |
| NodeData VPN Detection | Tests if sites would detect your VPN | nodedata.io/vpn-detection-test |
| IPinfo | Full IP data: ASN, ISP, type, VPN/proxy detection, geolocation | ipinfo.io |
| MaxMind Demo | Industry standard — tests IP against their GeoIP + Anonymous IP database | maxmind.com |
| IPLocate | Free tier: geolocation, ASN, hosting detection, privacy/threat flags | iplocate.io |
| Whoer | Shows your IP type + anonymity percentage | whoer.net |
| Pixelscan | IP reputation check + proxy/VPN detection as part of full audit | pixelscan.net |
Residential vs Datacenter — The Arms Race
Most VPNs give you datacenter IPs. Sites know this. That’s why “stealth” matters more than “encryption.”
Residential VPNs (like some plans from NordVPN, Surfshark, or dedicated residential proxy providers) route traffic through real home IPs. These are much harder to detect — but IP intelligence companies are building databases specifically to catch peer-to-peer residential proxy networks.
The honest truth: No single IP type is undetectable forever. The detection databases update daily.
🛡️ Layer 4 — Anti-Detect Browsers (When a VPN Isn't Enough)
If you need to manage multiple accounts, pass anti-fraud systems, or appear as a completely different person online — VPNs and incognito mode won’t cut it. Anti-detect browsers create isolated browser environments where every fingerprint parameter is spoofed independently.
How They Work
Each “profile” gets its own:
- Canvas/WebGL/Audio fingerprint
- User agent + platform
- Screen resolution + fonts
- Timezone + language + locale
- WebRTC configuration
- Cookies + storage (isolated)
- Proxy assignment (different IP per profile)
The goal: every profile looks like a different real person on a different real device.
Anti-Detect Browser Comparison
| Browser | Engine | Best For | Free Tier | Fingerprint Quality | Proxy Handling | Price (paid) |
|---|---|---|---|---|---|---|
| Multilogin | Chromium (Mimic) + Firefox (Stealthfox) | Enterprises, max security | 3 profiles | Best in class — daily tested on 50+ sites | Built-in residential proxies | From $99/mo |
| GoLogin | Orbita (Chromium-based) | Beginners, small teams | 3 profiles | Good — preset-based | Built-in + BYO | From $49/mo |
| AdsPower | Sun (Chromium) + Flower (Firefox) | Automation, e-commerce | 2 profiles | Decent — auto-configured | BYO only | From $9/mo |
| Linken Sphere | Custom | Power users, OSINT | None | Granular — 25+ manual params | BYO only | From $30/mo |
| Octo Browser | Chromium | Performance marketers | None | Strong — comparable to Multilogin | BYO only | From €29/mo |
| Dolphin Anty | Chromium | Affiliate marketers | 10 profiles | Good | BYO only | From $89/mo |
| Undetectable | Chromium | Local storage, speed | 5 profiles | Good — local profile storage = faster | BYO only | From $49/mo |
The Honest Take
- Multilogin is the gold standard — but expensive when you include proxies
- GoLogin is the best entry point — easiest to use, good enough for most people
- AdsPower wins on automation (RPA, synchronizer) — popular in Asia
- Linken Sphere is for people who want to configure every WebGL hash manually — overkill for most
Testing Your Anti-Detect Setup
After setting up any profile, run it through this checklist:
- Pixelscan — the hardest test. Green = solid
- IPhey — quick trust score
- CreepJS — catches JS spoofing failures
- BrowserLeaks — deep-dive each vector individually
If all 4 show green/consistent — your profile passes. If any flags — fix before using.
🌐 Layer 5 — Traffic Analysis & DPI (When Your ISP Can See Through Your VPN)
Your ISP can’t read your encrypted traffic. But they can see the shape of it. Deep Packet Inspection (DPI) identifies VPN protocols by their traffic patterns — even when encrypted.
Protocol Detection Rates (Real-World 2025 Data from Russia/China/Iran)
| Protocol | Detection Rate | How Long Until Blocked | Notes |
|---|---|---|---|
| OpenVPN | 100% | Seconds | Fingerprinted years ago. Dead in censored countries |
| WireGuard | 100% | Minutes | Statistical analysis catches the pattern |
| Shadowsocks (original) | 95% | Hours | Was the standard — now detected by updated DPI |
| Trojan | 90% | Days | Mimics HTTPS but active probing exposes it |
| VMess (V2Ray) | 80% | Days-weeks | Distinctive packet structure under TLS |
| VLESS + TLS + WebSocket + CDN | <5% | 10+ months running | Current gold standard for DPI bypass |
(Data sourced from a VPN operator running infrastructure in Russia since 2020)
The Obfuscation Toolkit
| Tool/Protocol | What It Does | Best For | Link |
|---|---|---|---|
| Xray-core (VLESS + REALITY) | Latest evolution — impersonates real TLS sites, passes active probing | Strongest DPI bypass available | github.com/XTLS/Xray-core |
| V2Ray | VMess/VLESS protocols with multiple transports (WebSocket, gRPC, HTTP/2) | Flexible anti-censorship proxy | v2ray.com |
| Shadowsocks | Lightweight SOCKS5 proxy — needs V2Ray plugin + WebSocket + nginx for modern use | Legacy but still useful with plugins | shadowsocks.org |
| obfs4 | Tor pluggable transport — transforms traffic into random noise | Tor users in censored countries | Built into Tor Browser |
| SoftEther VPN | Multi-protocol — can mimic HTTPS/HTTP traffic | Networks that only allow web traffic | softether.org |
| Shadowrocket (iOS) | $2.99 — supports VLESS, VMess, Shadowsocks, Trojan. Installs as VPN profile | Best iOS client for all these protocols | App Store |
How DPI Actually Works
- Protocol signature matching — DPI knows what OpenVPN/WireGuard packets look like
- Statistical analysis — packet size distribution + timing patterns reveal tunneled traffic
- Active probing — firewall sends test requests to suspected servers. If the server responds like a proxy instead of a real web server → blocked
- TLS fingerprinting — JA3/JA4 hashes identify non-browser TLS stacks
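As an added example (not from the original post), this is the observer's side of the first two items for WireGuard: its messages start with a type byte and three zero bytes, and its handshake messages have fixed sizes, so a sensor can match them without decrypting anything. The flow format, the direction labels and the 0.9 threshold are assumptions made for illustration, and the packets are constructed.

```python
# WireGuard handshake messages have fixed sizes, keyed here by the type byte.
HANDSHAKE = {1: ("initiation", 148), 2: ("response", 92), 3: ("cookie-reply", 64)}

def wg_message(payload):
    """Name the WireGuard message a UDP payload matches, or None."""
    # Every message starts with a 1-byte type followed by three reserved zero bytes.
    if len(payload) < 32 or payload[1:4] != b"\x00\x00\x00":
        return None
    kind = payload[0]
    if kind in HANDSHAKE and HANDSHAKE[kind][1] == len(payload):
        return HANDSHAKE[kind][0]
    # Transport data: 16-byte header + payload padded to 16 bytes + 16-byte tag.
    if kind == 4 and len(payload) % 16 == 0:
        return "data"
    return None

def inspect_flow(packets):
    """packets: list of (direction, udp_payload). Return (verdict, share of matches)."""
    kinds = [(d, wg_message(p)) for d, p in packets]
    share = sum(k is not None for _, k in kinds) / len(kinds)
    # Signature: an initiation answered from the other side by a response.
    handshake = any(a[1] == "initiation" and b[1] == "response" and a[0] != b[0]
                    for a, b in zip(kinds, kinds[1:]))
    return ("wireguard" if handshake and share > 0.9 else "unclassified"), share

def pkt(kind, size):
    """Constructed packet: zero bytes stand in for the encrypted body."""
    return bytes([kind, 0, 0, 0]) + bytes(size - 4)

# Constructed flows: a tunnel start-up, and two DNS-like datagrams for contrast.
TUNNEL = [("out", pkt(1, 148)), ("in", pkt(2, 92)), ("out", pkt(4, 32)),
          ("out", pkt(4, 1360)), ("in", pkt(4, 1440))]
OTHER = [("out", bytes.fromhex("1a2b0100") + bytes(25)),
         ("in", bytes.fromhex("1a2b8180") + bytes(41))]

if __name__ == "__main__":
    print(inspect_flow(TUNNEL), inspect_flow(OTHER))
```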
Why VLESS + REALITY Works
REALITY (built into Xray-core) doesn’t just wrap traffic in TLS — it steals the TLS certificate of a real website. When DPI probes the server, it responds exactly like the real site. No fake certificates, no self-signed certs, no distinctive handshake. The server IS a normal website to any observer.
Combined with a CDN (like Cloudflare), your traffic is indistinguishable from the billions of normal HTTPS requests flowing through Cloudflare’s network every second.
🧪 The Full Audit Checklist — Test Everything in 10 Minutes
Run these in order. Fix anything red before trusting your setup.
| Step | Test | Tool | What You Want to See |
|---|---|---|---|
| 1 | IP address | ipleak.net | VPN IP only — no real IP visible |
| 2 | DNS servers | dnsleaktest.com (extended) | Only VPN’s DNS servers — not your ISP’s |
| 3 | WebRTC | browserleaks.com/webrtc | No local/public IP exposed |
| 4 | IPv6 | browserleaks.com/ip | No IPv6 address visible (or VPN’s IPv6 only) |
| 5 | IP type | ipinfo.io | “Residential” or “ISP” — not “Hosting” or “VPN” |
| 6 | Browser fingerprint | pixelscan.net | Consistent, no red flags |
| 7 | Deep fingerprint | abrahamjuliot.github.io/creepjs | Clean trust score, no detected lies |
| 8 | Canvas/WebGL/Audio | browserleaks.com/canvas | Unique but consistent hash (not blocked/blank) |
| 9 | TLS fingerprint | scrapfly.io/web-scraping-tools/ja3-fingerprint | Matches a real browser profile |
| 10 | Overall anonymity | whoer.net | 70%+ anonymity score |
If you pass all 10: You’re actually invisible — not just “VPN invisible.”
If anything fails: Fix that specific vector. Most failures come from WebRTC leaks (step 3) or IP type detection (step 5).
Your VPN is one layer. Your browser is another. Your traffic shape is a third. Real invisibility requires all three — and testing every one of them.