VPN Configure logoVPN Configure

Tools

Small, focused utilities for inspecting your connection and generating deployment profiles. Each tool runs in your browser with no account required.

IP Address Lookup

Instantly detect your public IP address and verify your current routing path.

Resolving public IP address...

Checking

VPN Configuration Builder

Automate your WireGuard and OpenVPN deployment profile files for network hardware.

Answer four questions about your hardware, threat model, and bandwidth requirements. The builder returns a recommended provider and a ready-to-flash profile.

DNS Leak Diagnostics

Analyze if your private DNS requests are leaking outside your encrypted VPN tunnel.

Queries a set of geographically distributed resolvers and compares the observed nameservers against your VPN exit node.

Integration Pending

WebRTC Leak Test

Verify if your browser's WebRTC API is bypassing your encrypted tunnel and exposing your local IP address.

Inspects the RTCPeerConnection candidate pool for host and server-reflexive addresses that would reveal your real network path outside the VPN tunnel.

Why Validate Your VPN Tunnel?

A VPN client that reports a connected state is not evidence of a sealed tunnel. Encrypted routing depends on every egress path — DNS, IPv6, and peer discovery — resolving through the same interface the tunnel controls. The diagnostics on this page verify that assumption end to end.

DNS resolution outside the tunnel

Operating systems often retain resolver bindings from the underlying interface after a tunnel is established. When that happens, name resolution traverses your ISP's recursive resolvers even though the transport is encrypted, restoring full ISP visibility over browsing metadata. A DNS leak check confirms the resolver endpoints observed by authoritative nameservers match the provider's advertised DNS infrastructure, not your access network.

Public IP and routing path integrity

IP masking is only effective when every outbound flow is bound to the tunnel interface. Split-tunnel misconfiguration, IPv6 fall-through, and transient tunnel degradation during network handoff can restore the origin address without any client-side indication. Comparing the resolved public address and ASN against the expected exit node establishes that the routing path has not silently reverted.

WebRTC and application-layer bypass

The browser's WebRTC stack enumerates host and server-reflexive ICE candidates independently of the system routing table. Without an explicit blockade, remote peers can observe local RFC1918 addresses and the public IP of the underlying interface, defeating the tunnel at the application layer. A WebRTC leak test enumerates the same candidate pool a peer would see and flags any address that originates outside the VPN interface.

Continuous verification, not one-time checks

Tunnel state changes with every network transition — Wi-Fi to cellular handoff, sleep and wake, DHCP lease renewal. Any of these events can trigger short intervals of tunnel degradation during which traffic exits the underlying interface. Treat these diagnostics as a checklist to run after each material change to your network posture, not a one-time acceptance test.