Real connectivity tests. WebRTC media, QUIC / HTTP-3 and WebTransport all ride UDP — if UDP egress is blocked (TCP-only proxy, many anti-detect setups), they fail even though the APIs exist.

From the SYN reaching our server: TTL → the OS terminating TCP (UA says Windows but TTL=Linux ⇒ a Linux proxy/VPS in front), MSS < 1460 ⇒ a VPN/tunnel. JA3 = TLS-stack fingerprint.

Akamai-style: SETTINGS · WINDOW_UPDATE · PRIORITY · pseudo-header order — captured on a separate :8443 listener (main server untouched). Must match genuine Chrome of your version.

Compares the IP your QUIC / HTTP-3 connection arrives on with your TCP one. Different IPs ⇒ UDP/QUIC is bypassing the proxy (real-IP leak). WebTransport rides the same QUIC.

Resolves a unique *.dnsleak.veyvi.com and checks which resolver hit our authoritative DNS. If it sits in a different region than your IP, your real ISP's DNS may be leaking past the proxy.

We exercise the CDM (generate a real license request) and check robustness — a spoofed Widevine fails this even if it claims support.