ZeroTrace OSINT
VPN Detection
Installed and running VPN clients, active VPN interfaces, DNS-leak self-test, WebRTC-leak warning, and current-public-IP verification.
The VPN detection tool is the toolkit's network self-check. It tells you what VPN software is installed, what is running, what interfaces are currently routing traffic, whether DNS is leaking outside the VPN, and what the public internet sees as your exit IP.
For investigators who routinely run sensitive queries under a VPN, this is the tool you run before the investigation, not after.
What you get
| Section | What it surfaces |
|---|---|
| Installed clients | Common commercial VPN clients detected from process paths and known install locations |
| Running clients | Of those, which are currently running |
| Active VPN interfaces | TUN, TAP, WireGuard interfaces currently routing traffic, with RX / TX byte counters |
| System DNS resolvers | Which resolvers your OS will hit for DNS lookups |
| DNS leak status | Whether your DNS queries are routing through the VPN or going direct |
| Current public IP | What the public internet sees as your IP |
| Current public ASN / country | Geolocation context for the public IP (auto-composed via IP geolocation) |
| WebRTC leak warning | Browser-based testing instructions (the toolkit cannot test WebRTC for your browser; it tells you how) |
Installed clients
The tool detects a curated catalog of VPN clients, including:
- Commercial — Mullvad, NordVPN, ExpressVPN, ProtonVPN, Surfshark, IVPN, Windscribe, PIA, Hide.me, OVPN, AirVPN.
- Open-source — OpenVPN, WireGuard (CLI and GUI variants), Tailscale, Twingate, ZeroTier.
- Browser-based — extension VPNs (detected via system-level processes only; in-browser-only ones won't show).
The detection is process-path-based and registry-based (Windows). For VPNs the catalog does not know, the tool surfaces "unknown VPN-like process" entries when patterns match.
Active VPN interfaces
The tool enumerates the OS's network interfaces and identifies which are likely VPN tunnels:
- TUN / TAP virtual interfaces.
- WireGuard interfaces.
- Interfaces with names matching known VPN-client conventions.
For each, the tool surfaces:
- Interface name.
- Assigned IP and netmask.
- RX / TX byte counters (per-platform: `/proc/net/dev` on Linux, `GetIfTable2` on Windows, `getifaddrs` on macOS).
- Whether the interface is currently being used for traffic.
A "no active VPN interface detected" result means traffic is going via your normal network.
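The Linux case as an added example (not the toolkit's own code): it parses two `/proc/net/dev` snapshots, keeps the tunnel-like interfaces, and marks one as in use when its byte counters grew between the snapshots. The name pattern, the function names and both snapshots are assumptions constructed for illustration.

```python
import re

# Assumed naming convention for tunnel interfaces (tun0, tap0, wg0, wg-<name>).
VPN_NAME = re.compile(r"^(tun|tap|wg)[0-9a-z_-]*$")

# Constructed /proc/net/dev content; only the byte counters vary between snapshots.
_TEMPLATE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1200 10 0 0 0 0 0 0 1200 10 0 0 0 0 0 0
  eth0: {eth_rx} 4000 0 0 0 0 0 0 {eth_tx} 3000 0 0 0 0 0 0
   wg0: {wg_rx} 300 0 0 0 0 0 0 {wg_tx} 250 0 0 0 0 0 0
  tun1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
"""
SAMPLE_T0 = _TEMPLATE.format(eth_rx=5000000, eth_tx=900000, wg_rx=200000, wg_tx=80000)
SAMPLE_T1 = _TEMPLATE.format(eth_rx=5004000, eth_tx=901000, wg_rx=260000, wg_tx=95000)

def parse_proc_net_dev(text):
    """Return {interface: (rx_bytes, tx_bytes)} from /proc/net/dev content."""
    counters = {}
    for line in text.splitlines()[2:]:            # skip the two header lines
        if ":" not in line:
            continue
        name, data = line.split(":", 1)
        fields = data.split()
        if len(fields) < 16:                      # 8 receive + 8 transmit columns
            continue
        counters[name.strip()] = (int(fields[0]), int(fields[8]))
    return counters

def vpn_interface_report(before_text, after_text):
    """List tunnel-like interfaces with counters and an in-use flag."""
    before = parse_proc_net_dev(before_text)
    after = parse_proc_net_dev(after_text)
    report = []
    for name, (rx, tx) in after.items():
        if not VPN_NAME.match(name):
            continue
        rx0, tx0 = before.get(name, (rx, tx))     # new interface: no delta yet
        report.append({"name": name, "rx_bytes": rx, "tx_bytes": tx,
                       "in_use": rx > rx0 or tx > tx0})
    return report

if __name__ == "__main__":
    for entry in vpn_interface_report(SAMPLE_T0, SAMPLE_T1):
        print(entry)
```

An interface that exists but shows no counter growth (`tun1` in the sample) is a tunnel that is up without carrying traffic, which is worth distinguishing from "no VPN interface at all".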
DNS leak self-test
The tool issues DNS queries through the system resolver and checks where the resolution actually happens:
- Resolves a known set of test domains.
- Checks the IP returned and the latency profile.
- Compares the resolver IP against the VPN's expected DNS server.
- Flags a leak if DNS resolution is happening outside the VPN.
A DNS leak means: even if your traffic is encrypted through the VPN, your DNS queries reveal which domains you are visiting. For sensitive investigations, this is a confidentiality break.
A DNS leak is the most common way investigators think they are anonymous when they are not. Before any sensitive investigation behind a VPN, run this self-test. If the test flags a leak, fix the leak before proceeding — typically by configuring your VPN client to push its own DNS, or by setting your OS to use the VPN's DNS explicitly.
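The resolver-comparison step as an added example (not the toolkit's own code): it reads the nameservers from `resolv.conf` content and classifies each against the networks the VPN is expected to use for DNS. The function names, the expected network `10.8.0.0/24` and both sample files are assumptions constructed for illustration.

```python
import ipaddress

# Constructed samples: one resolver inside the VPN range, one LAN router outside it.
SAMPLE_LEAKY = """\
# constructed resolv.conf
nameserver 10.8.0.1
nameserver 192.168.1.1   # home router, reached outside the tunnel
search lan
"""
# Constructed sample: systemd-resolved stub listener.
SAMPLE_STUB = "nameserver 127.0.0.53\noptions edns0 trust-ad\n"

def nameservers(resolv_conf_text):
    """Extract nameserver addresses, ignoring comments and IPv6 zone IDs."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(ipaddress.ip_address(parts[1].split("%")[0]))
    return servers

def classify_resolvers(resolv_conf_text, vpn_dns_networks):
    """Map each resolver IP to 'vpn', 'leak' or 'local-stub'."""
    nets = [ipaddress.ip_network(n) for n in vpn_dns_networks]
    report = {}
    for ip in nameservers(resolv_conf_text):
        if ip.is_loopback:
            # A local stub hides the real upstream; it must be checked separately.
            report[str(ip)] = "local-stub"
        elif any(ip.version == n.version and ip in n for n in nets):
            report[str(ip)] = "vpn"
        else:
            report[str(ip)] = "leak"
    return report

def leak_detected(report):
    return "leak" in report.values()

if __name__ == "__main__":
    for sample in (SAMPLE_LEAKY, SAMPLE_STUB):
        result = classify_resolvers(sample, ["10.8.0.0/24"])
        print(result, "leak" if leak_detected(result) else "no leak seen")
```

A `local-stub` result is not a pass: with a stub resolver such as systemd-resolved on `127.0.0.53`, the upstream servers it forwards to are what need comparing against the VPN's DNS.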
WebRTC leak warning
WebRTC, the real-time communication API in browsers, can reveal a client's real IP even when traffic is going through a VPN. The toolkit cannot test your browser's WebRTC behaviour from outside the browser — but it can tell you exactly how to test it yourself:
- Open your browser.
- Visit a known WebRTC test page (the tool provides URLs).
- Compare the IPs reported against your VPN's public exit IP.
- If a non-VPN IP appears, your browser is leaking via WebRTC.
The remediation depends on the browser:
- Chrome / Chromium — install a WebRTC-blocking extension.
- Firefox — set `media.peerconnection.enabled` to `false` in `about:config` (with side effects to legitimate WebRTC apps).
- Safari — fewer leak vectors out of the box, but check anyway.
Current public IP
The tool issues a request to a known IP-echo service and returns the IP the public internet sees. Auto-composed IP geolocation shows the country, ASN, and hosting / residential / VPN classification.
A successful VPN connection produces:
- Your public IP equals the VPN's exit IP, not your real IP.
- The hosting flag often shows "datacenter" (because VPN exits are typically in datacenters).
- The country matches the VPN exit you selected.
If any of these does not match, your VPN is not doing what you think it is.
Pivots
| Click on... | Pivot to |
|---|---|
| Current public IP | IP geolocation, ASN, IP reputation |
| Active interface IP | (no pivot — informational) |
| DNS resolver IP | IP geolocation, ASN |
| WebRTC test URL | Opens in browser |
Sources
- All process and interface enumeration runs locally.
- DNS leak test issues real DNS queries through the system resolver.
- The current-public-IP probe uses a small dedicated IP-echo service (named on the result).
- Bundled catalogs of VPN clients and known leak-test endpoints.
The tool runs fully on-device for everything except the public-IP probe.