// vpn & anonymity reference
How VPNs Mask Your IP Address
A technical deep-dive into how Virtual Private Networks hide your real IP, how detection works, what leaks expose you, and what each detection technique on the previous page actually measures.
What a VPN Does (and Doesn't Do)

A Virtual Private Network creates an encrypted tunnel between your device and a VPN server. All traffic is wrapped inside that tunnel, so websites, services, and intermediate networks see only the VPN server's IP — not yours.

What a VPN does: masks your public IP, encrypts traffic in transit, bypasses geo-restrictions, hides activity from your ISP.

What a VPN doesn't do: make you anonymous (the VPN provider sees your real IP and traffic), prevent browser fingerprinting, fix DNS leaks if misconfigured, or hide you from a determined adversary with legal reach.

WITHOUT VPN
──────────────────────────────────────────────────────
Your Device           ISP / Network           Website
[192.168.1.42] ──────── [plaintext] ─────────► [server]
                       sees: your IP + SNI      sees: your IP

WITH VPN
──────────────────────────────────────────────────────
Your Device           ISP / Network    VPN Server      Website
[192.168.1.42] ─── [encrypted tunnel] ─► [45.83.91.1] ─► [server]
                  sees: encrypted blob    sees: your IP   sees: VPN IP
                  can't read content      + plaintext dest
IP Masking — The Technical Path

When you connect to a VPN, your OS installs a virtual network interface (e.g. tun0 on Linux, utun on macOS). All packets are routed through it. The VPN client wraps each IP packet in its own protocol and ships it to the VPN server over UDP or TCP. The server decapsulates it, rewrites the source IP to its own, and forwards it outbound.

Client side
OS routing table is rewritten: 0.0.0.0/0 points at tun0. The only exception is the VPN server's own IP, which stays routed via your real gateway so the tunnel's own packets aren't routed back into the tunnel.
ip route / netstat -rn
Server side
VPN server performs SNAT (Source NAT) via iptables or nftables: rewrites the source address of every forwarded packet to the server's IP before it hits the internet.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
VPN Protocols Compared

The protocol determines how packets are encapsulated, which cipher suite protects them, and how negotiation works. Modern deployments use WireGuard or OpenVPN; legacy deployments still run L2TP/IPSec or PPTP.

Protocol      | Transport        | Cipher                          | Overhead      | Speed   | Auditability
──────────────┼──────────────────┼─────────────────────────────────┼───────────────┼─────────┼─────────────────────────
WireGuard     | UDP 51820        | ChaCha20-Poly1305 / Curve25519  | Very low      | Fastest | Open source, ~4k LoC
OpenVPN       | UDP/TCP 1194     | AES-256-GCM / TLS               | Medium        | Good    | Mature, widely audited
IKEv2/IPSec   | UDP 500 / 4500   | AES-256-GCM / SHA-384           | Low–medium    | Fast    | Complex spec, varies
L2TP/IPSec    | UDP 1701         | AES-256 (outer)                 | Double encap. | Slower  | Legacy, deprecated
PPTP          | TCP 1723         | MPPE (RC4 40/128)               | Minimal       | Fast    | Broken — do not use
SSTP          | TCP 443 (TLS)    | AES-256-GCM                     | Medium        | Medium  | Windows-only, closed
Shadowsocks   | TCP/UDP (any)    | AES-GCM / ChaCha20              | Low           | Fast    | Proxy / obfuscation
How VPN Detection Works

The IP Intelligence page uses several signals simultaneously. No single check is definitive — VPN determination is probabilistic. Here's what each signal actually measures:

01  proxycheck.io — Commercial Proxy Database
Queries a curated database of known proxy, VPN, and datacenter IP ranges. Returns proxy: yes/no, the detection type (VPN, SOCKS, HTTPS, TOR), and a risk score 0–100. This is the most reliable single signal — maintained databases cross-reference BGP ASN data, abuse reports, and voluntary disclosure by providers.
GET https://proxycheck.io/v2/{ip}?vpn=1&asn=1&risk=1

02  ASN Heuristic — Autonomous System Name Matching
Every IP block is registered to an AS (Autonomous System). Consumer ISPs have names like Comcast, Deutsche Telekom, BT. VPN providers and cloud hosts have names like M247, Choopa, Frantech, Hetzner, DigitalOcean. Matching the ASN description against a keyword list catches providers not yet in commercial databases.
AS name includes: vpn, proxy, hosting, datacenter, vps, dedicated...

03  BGP Prefix Analysis — Route Origin
BGP routing data (from api.bgpview.io) shows which AS announces your IP prefix and the network description. VPN exit nodes are often in small prefixes (/24 or narrower) announced by ASNs that operate no retail residential service. The RIR allocation date matters too — very recent allocations in known hosting ASNs are a strong signal.
GET https://api.bgpview.io/ip/{ip} → prefixes[].asn.description

04  WebRTC IP Delta — Real IP Leak Test
The browser's WebRTC stack (RTCPeerConnection) solicits ICE candidates from a STUN server. STUN responds with your reflexive address — the IP the STUN server sees, which may be your real IP even if you're behind a VPN proxy. If the WebRTC-reported public IP differs from the HTTP-reported IP, the VPN is leaking your true address.
new RTCPeerConnection({iceServers:[{urls:'stun:stun.l.google.com:19302'}]})

05  Carrier-Grade NAT (CGN) Detection
RFC 6598 reserves 100.64.0.0/10 for Carrier-Grade NAT — used by ISPs to share a single public IP among thousands of subscribers. A CGN IP indicates the visitor is behind their ISP's shared NAT, which is normal but means the "public" IP they present may be shared with others. Not a VPN, but relevant context.
100.64.0.0 – 100.127.255.255 (RFC 6598, Shared Address Space)

06  Risk Score
proxycheck.io's risk score (0–100) aggregates multiple sub-signals: IP reputation across abuse databases, known VPN exit history, ratio of anonymizing traffic from that IP, and cross-referenced blocklists. Scores above 75 indicate high confidence of anonymizing use. Scores 25–75 are ambiguous (could be a legitimate hosting provider).
risk: 0 = clean residential / 100 = confirmed VPN/proxy
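The locally computable signals above (ASN keyword heuristic, RFC 6598 CGN check, WebRTC IP delta) combined into one probabilistic verdict, as an added example that is not the IP Intelligence page's own code. The keyword list, the score weights and the 75 risk threshold are assumptions made for illustration; the proxycheck.io risk value is passed in as a number rather than fetched.

```python
import ipaddress
import re

# Constructed keyword list standing in for the ASN heuristic described above
# (assumption: the page's own list may differ).
HOSTING_KEYWORDS = ("vpn", "proxy", "hosting", "datacenter", "vps", "dedicated", "cloud")
# RFC 6598 Shared Address Space used by Carrier-Grade NAT.
CGN_RANGE = ipaddress.ip_network("100.64.0.0/10")


def asn_keyword_match(asn_description):
    """Keywords from HOSTING_KEYWORDS found as whole words in an AS description."""
    desc = asn_description.lower()
    return [k for k in HOSTING_KEYWORDS if re.search(r"\b%s\b" % re.escape(k), desc)]


def is_cgn(ip):
    """True if the address lies in 100.64.0.0/10 (RFC 6598): shared ISP NAT, not a VPN."""
    return ipaddress.ip_address(ip) in CGN_RANGE


def webrtc_delta(http_ip, webrtc_ips):
    """Public ICE/STUN candidates that differ from the IP seen over HTTP (a real-IP leak)."""
    return [ip for ip in webrtc_ips
            if ipaddress.ip_address(ip).is_global and ip != http_ip]


def assess(http_ip, asn_description, webrtc_ips=(), proxycheck_risk=None):
    """Combine the signals into a probabilistic verdict.

    Weights are constructed for illustration; they are not proxycheck.io's scoring.
    """
    signals = {}
    keywords = asn_keyword_match(asn_description)
    if keywords:
        signals["asn_keywords"] = keywords
    if is_cgn(http_ip):
        signals["cgn"] = True          # context only, does not raise the score
    leaked = webrtc_delta(http_ip, webrtc_ips)
    if leaked:
        signals["webrtc_delta"] = leaked
    if proxycheck_risk is not None and proxycheck_risk > 75:
        signals["high_risk"] = proxycheck_risk
    score = (40 if keywords else 0) + (40 if "high_risk" in signals else 0) + (20 if leaked else 0)
    return {"likely_vpn": score >= 40, "score": score, "signals": signals}
```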
Leak Vectors — Ways a VPN Fails to Hide You

Even a running VPN can expose your real identity through misconfiguration or browser behavior. These are the three main leak categories:

WebRTC Leak
The browser exposes your real IP via STUN even if all HTTP goes through the VPN tunnel. Occurs because WebRTC bypasses the OS routing table via direct UDP sockets. Fix: disable WebRTC in browser settings, or use a browser extension that forces WebRTC to use only the VPN interface.
DNS Leak
DNS queries may be sent to your ISP's resolver instead of the VPN provider's, revealing the domains you visit. Occurs when the OS DNS configuration isn't overridden by the VPN client, or when "split tunneling" routes DNS outside the tunnel. Fix: set DNS to the VPN provider's resolver or a trusted DoH/DoT endpoint.
IPv6 Leak
Most VPN tunnels only carry IPv4. If your ISP assigns you an IPv6 address and the VPN doesn't tunnel IPv6, your real IPv6 address is exposed to IPv6-capable destinations. Fix: disable IPv6 at the OS level while on VPN, or use a VPN client that explicitly routes and NATes IPv6.
The WebRTC leak is detected on the IP Intelligence page. If the WebRTC IP Delta field shows "DIFF", your real IP is visible to any website using WebRTC, even through a VPN. The local IPs panel also shows all browser-visible addresses.
Types of VPNs
Commercial / Consumer
NordVPN, Mullvad, ExpressVPN, Surfshark. Operate large networks of exit nodes across many countries. Run on rented datacenter infrastructure — which is exactly why their ASN names and IP ranges appear in detection databases.
High detectability · Easy to use · Shared exit IPs
Corporate / Enterprise
Cisco AnyConnect, Palo Alto GlobalProtect, Zscaler. Connect remote employees to private corporate networks. Exit traffic usually appears to come from the company's own IP space — registered to the company, not a VPN provider.
Lower detectability · Org IP space · Access control focus
Self-Hosted
WireGuard or OpenVPN running on a personal VPS. The exit IP is a VPS IP — a datacenter range (DigitalOcean, Hetzner, Vultr, Linode). Very detectable by hosting ASN, but harder to attribute to a specific VPN provider. The ASN heuristic on the previous page catches these.
Medium detectability · Unique exit IP · Full control
Tor Network
Not a VPN but provides stronger anonymity via onion routing across three relay nodes. Exit node IPs are publicly listed by the Tor Project. Trivial to detect: any site can download the bulk exit list and check. Very high latency; not suitable for streaming.
Very high detectability · Strongest anonymity · Slow
What Servers See — The Full HTTP Context

Beyond the IP address, a server receives a rich set of browser signals that can deanonymize even VPN users. IP masking is only one layer.

HTTP headers received by every web server:
──────────────────────────────────────────────────
X-Real-IP:         45.83.91.1         ← VPN exit IP (masked)
X-Forwarded-For:   45.83.91.1         ← proxy chain
User-Agent:        Mozilla/5.0 (Win…) Chrome/124
Accept-Language:   en-US,en;q=0.9    ← locale fingerprint
Accept-Encoding:   gzip, deflate, br
Cookie:            session=abc123…    ← persistent identity

TLS ClientHello (before HTTP — seen by ISP & VPN):
──────────────────────────────────────────────────
SNI:               example.com        ← visible pre-TLS (ECH hides this)
Cipher suites:     [TLS_AES_128_GCM…] ← browser fingerprint
Extensions:        [ALPN, key_share]  ← JA3/JA4 hash
Browser fingerprinting (canvas, fonts, screen resolution, timezone, WebGL renderer) can identify you across sessions regardless of IP. Tools like the EFF's Cover Your Tracks measure your fingerprint uniqueness.
Evasion vs. Detection — The Arms Race
Detection Improvements
Behavioral analysis (traffic patterns, timing), ML-based ASN classification, IPv6 leak correlation, JA3/JA4 TLS fingerprinting, canvas fingerprinting, WebGL renderer checks, battery API (deprecated), cross-site cookie tracking, and real-time BGP prefix databases updated by feeds from RPKI.
Evasion Techniques
Residential proxy networks (real ISP IPs rented from users), obfuscation protocols (obfs4, Shadowsocks, V2Ray — look like normal HTTPS), split tunneling to route only specific traffic, ECH (Encrypted Client Hello) to hide SNI, browser isolation (Whonix, Tails), and rotating exit IPs.
Reverse DNS — What PTR Records Reveal

A PTR record maps an IP back to a hostname. ISPs and hosting providers assign these automatically. The format often encodes the IP itself and hints at the network type:

# Consumer ISP — reveals residential customer
c-73-123-45-67.hsd1.wa.comcast.net     ← Comcast residential
pool-96-248-85-101.nycmny.fios.verizon.net

# Hosting / Datacenter — VPN candidate
45.83.91.1.static.choopa.net           ← Choopa (known VPN host)
vps-0f5c3e.fra1.digitaloceanspaces.com

# VPN provider explicit PTR
exit.mullvad.net                        ← Mullvad VPN
nl-ams.nordvpn.com                      ← NordVPN exit node

# No PTR (NXDOMAIN)
no reverse DNS entry                    ← common for dynamic IPs

The Forward Confirmed Reverse DNS (FCrDNS) check validates that the PTR hostname resolves back to the original IP. Mail servers require this; a mismatch is a strong spam signal and also indicates possible IP spoofing or misconfiguration.
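PTR classification by the naming conventions listed above plus the FCrDNS round-trip check, as an added example rather than anything from the IP Intelligence page. The PTR and A records are constructed stand-ins for a live resolver (the vpn-exit-07.example.net entry and its addresses are invented to show a failed forward confirmation), and the hostname patterns are assumptions drawn from the samples above.

```python
import re

# Constructed PTR and A records standing in for a live resolver (assumption);
# the residential and hosting hostnames follow the patterns shown above.
PTR_RECORDS = {
    "73.123.45.67": "c-73-123-45-67.hsd1.wa.comcast.net",
    "45.83.91.1": "45.83.91.1.static.choopa.net",
    "198.51.100.7": "vpn-exit-07.example.net",      # constructed, fails FCrDNS below
}
A_RECORDS = {
    "c-73-123-45-67.hsd1.wa.comcast.net": ["73.123.45.67"],
    "45.83.91.1.static.choopa.net": ["45.83.91.1"],
    "vpn-exit-07.example.net": ["203.0.113.9"],     # does not point back at 198.51.100.7
}

RESIDENTIAL = re.compile(r"hsd1|pool-|dsl|cable|fios|dyn|broadband")
HOSTING = re.compile(r"static|vps|hosting|cloud|digitalocean|choopa|hetzner|linode|vultr")
VPN = re.compile(r"vpn|\bexit\b|proxy")


def classify_ptr(hostname):
    """Bucket a PTR hostname by the naming conventions shown above."""
    if hostname is None:
        return "none"                    # NXDOMAIN: common for dynamic IPs
    h = hostname.lower()
    if VPN.search(h):
        return "vpn"
    if HOSTING.search(h):
        return "hosting"
    if RESIDENTIAL.search(h):
        return "residential"
    return "unknown"


def ptr_encodes_ip(ip, hostname):
    """True if the hostname embeds the IPv4 octets, dotted or dash-joined, in either order."""
    octets = ip.split(".")
    forms = {".".join(octets), "-".join(octets), "-".join(reversed(octets))}
    return any(f in hostname.lower() for f in forms)


def fcrdns(ip, ptr_lookup=PTR_RECORDS.get, a_lookup=lambda h: A_RECORDS.get(h, [])):
    """Forward-confirmed reverse DNS: the PTR hostname must resolve back to ip."""
    hostname = ptr_lookup(ip)
    confirmed = hostname is not None and ip in a_lookup(hostname)
    return {"hostname": hostname, "class": classify_ptr(hostname),
            "encodes_ip": bool(hostname) and ptr_encodes_ip(ip, hostname),
            "confirmed": confirmed}
```

Against real DNS, pass `ptr_lookup` and `a_lookup` wrappers around `socket.gethostbyaddr(ip)[0]` (returning None on `socket.herror`) and `socket.gethostbyname_ex(host)[2]`.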