diff --git a/README.md b/README.md
index 8567ba22..d12045b2 100644
--- a/README.md
+++ b/README.md
@@ -42,11 +42,7 @@ To fetch and update MMDB files from [DB-IP](https://db-ip.com), you can do somet
 
 ## Full Working Example: Try It!
 
-Fetch dependencies for this demo:
-```
-GO111MODULE=off go get github.com/prometheus/prometheus/cmd/...
-```
-If that doesn't work, download the [prometheus](https://prometheus.io/download/) binary directly.
+Download the [Prometheus](https://prometheus.io/download/) binary.
 
 
 ### Run the server
@@ -60,7 +56,7 @@ In production, you may want to specify `-ip_country_db` to get per-country metri
 ### Run the Prometheus scraper for metrics collection
 On Terminal 2, start prometheus scraper for metrics collection:
 ```
-$(go env GOPATH)/bin/prometheus --config.file=cmd/outline-ss-server/prometheus_example.yml
+prometheus --config.file=cmd/outline-ss-server/prometheus_example.yml
 ```
 
 ### Run the SOCKS-to-Shadowsocks client
diff --git a/cmd/outline-ss-server/metrics.go b/cmd/outline-ss-server/metrics.go
index 6eee3269..531c16ba 100644
--- a/cmd/outline-ss-server/metrics.go
+++ b/cmd/outline-ss-server/metrics.go
@@ -16,7 +16,10 @@ package main
 
 import (
 	"fmt"
+	"net"
+	"net/netip"
 	"strconv"
+	"sync"
 	"time"
 
 	"github.com/Jigsaw-Code/outline-ss-server/ipinfo"
@@ -25,8 +28,14 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 )
 
+const namespace = "shadowsocks"
+
+// `now` is stubbable for testing.
+var now = time.Now
+
 type outlineMetrics struct {
 	ipinfo.IPInfoMap
+	*tunnelTimeCollector
 
 	buildInfo            *prometheus.GaugeVec
 	accessKeys           prometheus.Gauge
@@ -49,49 +58,158 @@ type outlineMetrics struct {
 var _ service.TCPMetrics = (*outlineMetrics)(nil)
 var _ service.UDPMetrics = (*outlineMetrics)(nil)
 
+// Converts a [net.Addr] to an [IPKey].
+func toIPKey(addr net.Addr, accessKey string) (*IPKey, error) {
+	hostname, _, err := net.SplitHostPort(addr.String())
+	if err != nil {
+		return nil, fmt.Errorf("failed to create IPKey: %w", err)
+	}
+	ip, err := netip.ParseAddr(hostname)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create IPKey: %w", err)
+	}
+	return &IPKey{ip, accessKey}, nil
+}
+
+// Represents the clients that are or have been active recently. They stick
+// around until they are inactive, or get reported to Prometheus, whichever
+// comes last.
+type activeClient struct {
+	info      ipinfo.IPInfo
+	connCount int // The active connection count.
+	startTime time.Time
+}
+
+type IPKey struct {
+	ip        netip.Addr
+	accessKey string
+}
+
+type tunnelTimeCollector struct {
+	ip2info       ipinfo.IPInfoMap
+	mu            sync.Mutex // Protects the activeClients map.
+	activeClients map[IPKey]*activeClient
+
+	tunnelTimePerKey      *prometheus.CounterVec
+	tunnelTimePerLocation *prometheus.CounterVec
+}
+
+func (c *tunnelTimeCollector) Describe(ch chan<- *prometheus.Desc) {
+	c.tunnelTimePerKey.Describe(ch)
+	c.tunnelTimePerLocation.Describe(ch)
+}
+
+func (c *tunnelTimeCollector) Collect(ch chan<- prometheus.Metric) {
+	tNow := now()
+	c.mu.Lock()
+	for ipKey, client := range c.activeClients {
+		c.reportTunnelTime(ipKey, client, tNow)
+	}
+	c.mu.Unlock()
+	c.tunnelTimePerKey.Collect(ch)
+	c.tunnelTimePerLocation.Collect(ch)
+}
+
+// Calculates and reports the tunnel time for a given active client.
+func (c *tunnelTimeCollector) reportTunnelTime(ipKey IPKey, client *activeClient, tNow time.Time) {
+	tunnelTime := tNow.Sub(client.startTime)
+	logger.Debugf("Reporting tunnel time for key `%v`, duration: %v", ipKey.accessKey, tunnelTime)
+	c.tunnelTimePerKey.WithLabelValues(ipKey.accessKey).Add(tunnelTime.Seconds())
+	c.tunnelTimePerLocation.WithLabelValues(client.info.CountryCode.String(), asnLabel(client.info.ASN)).Add(tunnelTime.Seconds())
+	// Reset the start time now that the tunnel time has been reported.
+	client.startTime = tNow
+}
+
+// Registers a new active connection for a client [net.Addr] and access key.
+func (c *tunnelTimeCollector) startConnection(ipKey IPKey) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	client, exists := c.activeClients[ipKey]
+	if !exists {
+		clientInfo, _ := ipinfo.GetIPInfoFromIP(c.ip2info, net.IP(ipKey.ip.AsSlice()))
+		client = &activeClient{info: clientInfo, startTime: now()}
+		c.activeClients[ipKey] = client
+	}
+	client.connCount++
+}
+
+// Removes an active connection for a client [net.Addr] and access key.
+func (c *tunnelTimeCollector) stopConnection(ipKey IPKey) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	client, exists := c.activeClients[ipKey]
+	if !exists {
+		logger.Warningf("Failed to find active client")
+		return
+	}
+	client.connCount--
+	if client.connCount <= 0 {
+		c.reportTunnelTime(ipKey, client, now())
+		delete(c.activeClients, ipKey)
+	}
+}
+
+func newTunnelTimeCollector(ip2info ipinfo.IPInfoMap, registerer prometheus.Registerer) *tunnelTimeCollector {
+	return &tunnelTimeCollector{
+		ip2info:       ip2info,
+		activeClients: make(map[IPKey]*activeClient),
+
+		tunnelTimePerKey: prometheus.NewCounterVec(prometheus.CounterOpts{
+			Namespace: namespace,
+			Name:      "tunnel_time_seconds",
+			Help:      "Tunnel time, per access key.",
+		}, []string{"access_key"}),
+		tunnelTimePerLocation: prometheus.NewCounterVec(prometheus.CounterOpts{
+			Namespace: namespace,
+			Name:      "tunnel_time_seconds_per_location",
+			Help:      "Tunnel time, per location.",
+		}, []string{"location", "asn"}),
+	}
+}
+
 // newPrometheusOutlineMetrics constructs a metrics object that uses
-// `ipCountryDB` to convert IP addresses to countries, and reports all
-// metrics to Prometheus via `registerer`.  `ipCountryDB` may be nil, but
+// `ip2info` to convert IP addresses to countries, and reports all
+// metrics to Prometheus via `registerer`. `ip2info` may be nil, but
 // `registerer` must not be.
 func newPrometheusOutlineMetrics(ip2info ipinfo.IPInfoMap, registerer prometheus.Registerer) *outlineMetrics {
 	m := &outlineMetrics{
 		IPInfoMap: ip2info,
 		buildInfo: prometheus.NewGaugeVec(prometheus.GaugeOpts{
-			Namespace: "shadowsocks",
+			Namespace: namespace,
 			Name:      "build_info",
 			Help:      "Information on the outline-ss-server build",
 		}, []string{"version"}),
 		accessKeys: prometheus.NewGauge(prometheus.GaugeOpts{
-			Namespace: "shadowsocks",
+			Namespace: namespace,
 			Name:      "keys",
 			Help:      "Count of access keys",
 		}),
 		ports: prometheus.NewGauge(prometheus.GaugeOpts{
-			Namespace: "shadowsocks",
+			Namespace: namespace,
 			Name:      "ports",
 			Help:      "Count of open Shadowsocks ports",
 		}),
 		tcpProbes: prometheus.NewHistogramVec(prometheus.HistogramOpts{
-			Namespace: "shadowsocks",
+			Namespace: namespace,
 			Name:      "tcp_probes",
 			Buckets:   []float64{0, 49, 50, 51, 73, 91},
 			Help:      "Histogram of number of bytes from client to proxy, for detecting possible probes",
 		}, []string{"port", "status", "error"}),
 		tcpOpenConnections: prometheus.NewCounterVec(prometheus.CounterOpts{
-			Namespace: "shadowsocks",
+			Namespace: namespace,
 			Subsystem: "tcp",
 			Name:      "connections_opened",
 			Help:      "Count of open TCP connections",
 		}, []string{"location", "asn"}),
 		tcpClosedConnections: prometheus.NewCounterVec(prometheus.CounterOpts{
-			Namespace: "shadowsocks",
+			Namespace: namespace,
 			Subsystem: "tcp",
 			Name:      "connections_closed",
 			Help:      "Count of closed TCP connections",
 		}, []string{"location", "asn", "status", "access_key"}),
 		tcpConnectionDurationMs: prometheus.NewHistogramVec(
 			prometheus.HistogramOpts{
-				Namespace: "shadowsocks",
+				Namespace: namespace,
 				Subsystem: "tcp",
 				Name:      "connection_duration_ms",
 				Help:      "TCP connection duration distributions.",
@@ -106,49 +224,51 @@ func newPrometheusOutlineMetrics(ip2info ipinfo.IPInfoMap, registerer prometheus
 			}, []string{"status"}),
 		dataBytes: prometheus.NewCounterVec(
 			prometheus.CounterOpts{
-				Namespace: "shadowsocks",
+				Namespace: namespace,
 				Name:      "data_bytes",
 				Help:      "Bytes transferred by the proxy, per access key",
 			}, []string{"dir", "proto", "access_key"}),
 		dataBytesPerLocation: prometheus.NewCounterVec(
 			prometheus.CounterOpts{
-				Namespace: "shadowsocks",
+				Namespace: namespace,
 				Name:      "data_bytes_per_location",
 				Help:      "Bytes transferred by the proxy, per location",
 			}, []string{"dir", "proto", "location", "asn"}),
 		timeToCipherMs: prometheus.NewHistogramVec(
 			prometheus.HistogramOpts{
-				Namespace: "shadowsocks",
+				Namespace: namespace,
 				Name:      "time_to_cipher_ms",
 				Help:      "Time needed to find the cipher",
 				Buckets:   []float64{0.1, 1, 10, 100, 1000},
 			}, []string{"proto", "found_key"}),
 		udpPacketsFromClientPerLocation: prometheus.NewCounterVec(
 			prometheus.CounterOpts{
-				Namespace: "shadowsocks",
+				Namespace: namespace,
 				Subsystem: "udp",
 				Name:      "packets_from_client_per_location",
 				Help:      "Packets received from the client, per location and status",
 			}, []string{"location", "asn", "status"}),
 		udpAddedNatEntries: prometheus.NewCounter(
 			prometheus.CounterOpts{
-				Namespace: "shadowsocks",
+				Namespace: namespace,
 				Subsystem: "udp",
 				Name:      "nat_entries_added",
 				Help:      "Entries added to the UDP NAT table",
 			}),
 		udpRemovedNatEntries: prometheus.NewCounter(
 			prometheus.CounterOpts{
-				Namespace: "shadowsocks",
+				Namespace: namespace,
 				Subsystem: "udp",
 				Name:      "nat_entries_removed",
 				Help:      "Entries removed from the UDP NAT table",
 			}),
 	}
+	m.tunnelTimeCollector = newTunnelTimeCollector(ip2info, registerer)
 
 	// TODO: Is it possible to pass where to register the collectors?
 	registerer.MustRegister(m.buildInfo, m.accessKeys, m.ports, m.tcpProbes, m.tcpOpenConnections, m.tcpClosedConnections, m.tcpConnectionDurationMs,
-		m.dataBytes, m.dataBytesPerLocation, m.timeToCipherMs, m.udpPacketsFromClientPerLocation, m.udpAddedNatEntries, m.udpRemovedNatEntries)
+		m.dataBytes, m.dataBytesPerLocation, m.timeToCipherMs, m.udpPacketsFromClientPerLocation, m.udpAddedNatEntries, m.udpRemovedNatEntries,
+		m.tunnelTimeCollector)
 	return m
 }
 
@@ -165,6 +285,13 @@ func (m *outlineMetrics) AddOpenTCPConnection(clientInfo ipinfo.IPInfo) {
 	m.tcpOpenConnections.WithLabelValues(clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN)).Inc()
 }
 
+func (m *outlineMetrics) AddAuthenticatedTCPConnection(clientAddr net.Addr, accessKey string) {
+	ipKey, err := toIPKey(clientAddr, accessKey)
+	if err == nil {
+		m.tunnelTimeCollector.startConnection(*ipKey)
+	}
+}
+
 // addIfNonZero helps avoid the creation of series that are always zero.
 func addIfNonZero(value int64, counterVec *prometheus.CounterVec, lvs ...string) {
 	if value > 0 {
@@ -179,7 +306,7 @@ func asnLabel(asn int) string {
 	return fmt.Sprint(asn)
 }
 
-func (m *outlineMetrics) AddClosedTCPConnection(clientInfo ipinfo.IPInfo, accessKey, status string, data metrics.ProxyMetrics, duration time.Duration) {
+func (m *outlineMetrics) AddClosedTCPConnection(clientInfo ipinfo.IPInfo, clientAddr net.Addr, accessKey, status string, data metrics.ProxyMetrics, duration time.Duration) {
 	m.tcpClosedConnections.WithLabelValues(clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN), status, accessKey).Inc()
 	m.tcpConnectionDurationMs.WithLabelValues(status).Observe(duration.Seconds() * 1000)
 	addIfNonZero(data.ClientProxy, m.dataBytes, "c>p", "tcp", accessKey)
@@ -190,6 +317,11 @@ func (m *outlineMetrics) AddClosedTCPConnection(clientInfo ipinfo.IPInfo, access
 	addIfNonZero(data.TargetProxy, m.dataBytesPerLocation, "p<t", "tcp", clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN))
 	addIfNonZero(data.ProxyClient, m.dataBytes, "c<p", "tcp", accessKey)
 	addIfNonZero(data.ProxyClient, m.dataBytesPerLocation, "c<p", "tcp", clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN))
+
+	ipKey, err := toIPKey(clientAddr, accessKey)
+	if err == nil {
+		m.tunnelTimeCollector.stopConnection(*ipKey)
+	}
 }
 
 func (m *outlineMetrics) AddUDPPacketFromClient(clientInfo ipinfo.IPInfo, accessKey, status string, clientProxyBytes, proxyTargetBytes int) {
@@ -207,12 +339,22 @@ func (m *outlineMetrics) AddUDPPacketFromTarget(clientInfo ipinfo.IPInfo, access
 	addIfNonZero(int64(proxyClientBytes), m.dataBytesPerLocation, "c<p", "udp", clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN))
 }
 
-func (m *outlineMetrics) AddUDPNatEntry() {
+func (m *outlineMetrics) AddUDPNatEntry(clientAddr net.Addr, accessKey string) {
 	m.udpAddedNatEntries.Inc()
+
+	ipKey, err := toIPKey(clientAddr, accessKey)
+	if err == nil {
+		m.tunnelTimeCollector.startConnection(*ipKey)
+	}
 }
 
-func (m *outlineMetrics) RemoveUDPNatEntry() {
+func (m *outlineMetrics) RemoveUDPNatEntry(clientAddr net.Addr, accessKey string) {
 	m.udpRemovedNatEntries.Inc()
+
+	ipKey, err := toIPKey(clientAddr, accessKey)
+	if err == nil {
+		m.tunnelTimeCollector.stopConnection(*ipKey)
+	}
 }
 
 func (m *outlineMetrics) AddTCPProbe(status, drainResult string, port int, clientProxyBytes int64) {
diff --git a/cmd/outline-ss-server/metrics_test.go b/cmd/outline-ss-server/metrics_test.go
index 18cc3d13..8087d6e5 100644
--- a/cmd/outline-ss-server/metrics_test.go
+++ b/cmd/outline-ss-server/metrics_test.go
@@ -15,15 +15,36 @@
 package main
 
 import (
+	"net"
+	"strings"
 	"testing"
 	"time"
 
 	"github.com/Jigsaw-Code/outline-ss-server/ipinfo"
 	"github.com/Jigsaw-Code/outline-ss-server/service/metrics"
 	"github.com/prometheus/client_golang/prometheus"
+	promtest "github.com/prometheus/client_golang/prometheus/testutil"
 	"github.com/stretchr/testify/require"
 )
 
+type noopMap struct{}
+
+func (*noopMap) GetIPInfo(ip net.IP) (ipinfo.IPInfo, error) {
+	return ipinfo.IPInfo{}, nil
+}
+
+type fakeAddr string
+
+func (a fakeAddr) String() string  { return string(a) }
+func (a fakeAddr) Network() string { return "" }
+
+// Sets the processing clock to be t until changed.
+func setNow(t time.Time) {
+	now = func() time.Time {
+		return t
+	}
+}
+
 func TestMethodsDontPanic(t *testing.T) {
 	ssMetrics := newPrometheusOutlineMetrics(nil, prometheus.NewPedanticRegistry())
 	proxyMetrics := metrics.ProxyMetrics{
@@ -32,14 +53,16 @@ func TestMethodsDontPanic(t *testing.T) {
 		TargetProxy: 3,
 		ProxyClient: 4,
 	}
+	ipInfo := ipinfo.IPInfo{CountryCode: "US", ASN: 100}
 	ssMetrics.SetBuildInfo("0.0.0-test")
 	ssMetrics.SetNumAccessKeys(20, 2)
-	ssMetrics.AddOpenTCPConnection(ipinfo.IPInfo{CountryCode: "US", ASN: 100})
-	ssMetrics.AddClosedTCPConnection(ipinfo.IPInfo{CountryCode: "US", ASN: 100}, "1", "OK", proxyMetrics, 10*time.Millisecond)
-	ssMetrics.AddUDPPacketFromClient(ipinfo.IPInfo{CountryCode: "US", ASN: 100}, "2", "OK", 10, 20)
-	ssMetrics.AddUDPPacketFromTarget(ipinfo.IPInfo{CountryCode: "US", ASN: 100}, "3", "OK", 10, 20)
-	ssMetrics.AddUDPNatEntry()
-	ssMetrics.RemoveUDPNatEntry()
+	ssMetrics.AddOpenTCPConnection(ipInfo)
+	ssMetrics.AddAuthenticatedTCPConnection(fakeAddr("127.0.0.1:9"), "0")
+	ssMetrics.AddClosedTCPConnection(ipInfo, fakeAddr("127.0.0.1:9"), "1", "OK", proxyMetrics, 10*time.Millisecond)
+	ssMetrics.AddUDPPacketFromClient(ipInfo, "2", "OK", 10, 20)
+	ssMetrics.AddUDPPacketFromTarget(ipInfo, "3", "OK", 10, 20)
+	ssMetrics.AddUDPNatEntry(fakeAddr("127.0.0.1:9"), "key-1")
+	ssMetrics.RemoveUDPNatEntry(fakeAddr("127.0.0.1:9"), "key-1")
 	ssMetrics.AddTCPProbe("ERR_CIPHER", "eof", 443, proxyMetrics.ClientProxy)
 	ssMetrics.AddTCPCipherSearch(true, 10*time.Millisecond)
 	ssMetrics.AddUDPCipherSearch(true, 10*time.Millisecond)
@@ -50,17 +73,75 @@ func TestASNLabel(t *testing.T) {
 	require.Equal(t, "100", asnLabel(100))
 }
 
+func TestTunnelTimePerKey(t *testing.T) {
+	setNow(time.Date(2010, 1, 2, 3, 4, 5, .0, time.Local))
+	reg := prometheus.NewPedanticRegistry()
+	ssMetrics := newPrometheusOutlineMetrics(nil, reg)
+
+	ssMetrics.AddAuthenticatedTCPConnection(fakeAddr("127.0.0.1:9"), "key-1")
+	setNow(time.Date(2010, 1, 2, 3, 4, 20, .0, time.Local))
+
+	expected := strings.NewReader(`
+	# HELP shadowsocks_tunnel_time_seconds Tunnel time, per access key.
+	# TYPE shadowsocks_tunnel_time_seconds counter
+	shadowsocks_tunnel_time_seconds{access_key="key-1"} 15
+`)
+	err := promtest.GatherAndCompare(
+		reg,
+		expected,
+		"shadowsocks_tunnel_time_seconds",
+	)
+	require.NoError(t, err, "unexpected metric value found")
+}
+
+func TestTunnelTimePerLocation(t *testing.T) {
+	setNow(time.Date(2010, 1, 2, 3, 4, 5, .0, time.Local))
+	reg := prometheus.NewPedanticRegistry()
+	ssMetrics := newPrometheusOutlineMetrics(&noopMap{}, reg)
+
+	ssMetrics.AddAuthenticatedTCPConnection(fakeAddr("127.0.0.1:9"), "key-1")
+	setNow(time.Date(2010, 1, 2, 3, 4, 10, .0, time.Local))
+
+	expected := strings.NewReader(`
+	# HELP shadowsocks_tunnel_time_seconds_per_location Tunnel time, per location.
+	# TYPE shadowsocks_tunnel_time_seconds_per_location counter
+	shadowsocks_tunnel_time_seconds_per_location{asn="",location="XL"} 5
+`)
+	err := promtest.GatherAndCompare(
+		reg,
+		expected,
+		"shadowsocks_tunnel_time_seconds_per_location",
+	)
+	require.NoError(t, err, "unexpected metric value found")
+}
+
+func TestTunnelTimePerKeyDoesNotPanicOnUnknownClosedConnection(t *testing.T) {
+	reg := prometheus.NewPedanticRegistry()
+	ssMetrics := newPrometheusOutlineMetrics(nil, reg)
+
+	ssMetrics.AddClosedTCPConnection(ipinfo.IPInfo{}, fakeAddr("127.0.0.1:9"), "key-1", "OK", metrics.ProxyMetrics{}, time.Minute)
+
+	err := promtest.GatherAndCompare(
+		reg,
+		strings.NewReader(""),
+		"shadowsocks_tunnel_time_seconds",
+	)
+	require.NoError(t, err, "unexpectedly found metric value")
+}
+
 func BenchmarkOpenTCP(b *testing.B) {
 	ssMetrics := newPrometheusOutlineMetrics(nil, prometheus.NewRegistry())
+	ipinfo := ipinfo.IPInfo{CountryCode: "US", ASN: 100}
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		ssMetrics.AddOpenTCPConnection(ipinfo.IPInfo{CountryCode: "ZZ", ASN: 100})
+		ssMetrics.AddOpenTCPConnection(ipinfo)
 	}
 }
 
 func BenchmarkCloseTCP(b *testing.B) {
 	ssMetrics := newPrometheusOutlineMetrics(nil, prometheus.NewRegistry())
-	clientInfo := ipinfo.IPInfo{CountryCode: "ZZ", ASN: 100}
+	ipinfo := ipinfo.IPInfo{CountryCode: "US", ASN: 100}
+	addr := fakeAddr("127.0.0.1:9")
 	accessKey := "key 1"
 	status := "OK"
 	data := metrics.ProxyMetrics{}
@@ -68,7 +149,7 @@ func BenchmarkCloseTCP(b *testing.B) {
 	duration := time.Minute
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		ssMetrics.AddClosedTCPConnection(clientInfo, accessKey, status, data, duration)
+		ssMetrics.AddClosedTCPConnection(ipinfo, addr, accessKey, status, data, duration)
 		ssMetrics.AddTCPCipherSearch(true, timeToCipher)
 	}
 }
@@ -115,7 +196,7 @@ func BenchmarkNAT(b *testing.B) {
 	ssMetrics := newPrometheusOutlineMetrics(nil, prometheus.NewRegistry())
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		ssMetrics.AddUDPNatEntry()
-		ssMetrics.RemoveUDPNatEntry()
+		ssMetrics.AddUDPNatEntry(fakeAddr("127.0.0.1:9"), "key-0")
+		ssMetrics.RemoveUDPNatEntry(fakeAddr("127.0.0.1:9"), "key-0")
 	}
 }
diff --git a/internal/integration_test/integration_test.go b/internal/integration_test/integration_test.go
index bfb03d4a..ec9338d6 100644
--- a/internal/integration_test/integration_test.go
+++ b/internal/integration_test/integration_test.go
@@ -186,7 +186,7 @@ type statusMetrics struct {
 	statuses []string
 }
 
-func (m *statusMetrics) AddClosedTCPConnection(clientInfo ipinfo.IPInfo, accessKey, status string, data metrics.ProxyMetrics, duration time.Duration) {
+func (m *statusMetrics) AddClosedTCPConnection(clientInfo ipinfo.IPInfo, ip net.Addr, accessKey string, status string, data metrics.ProxyMetrics, duration time.Duration) {
 	m.Lock()
 	m.statuses = append(m.statuses, status)
 	m.Unlock()
@@ -267,10 +267,10 @@ func (m *fakeUDPMetrics) AddUDPPacketFromClient(clientInfo ipinfo.IPInfo, access
 func (m *fakeUDPMetrics) AddUDPPacketFromTarget(clientInfo ipinfo.IPInfo, accessKey, status string, targetProxyBytes, proxyClientBytes int) {
 	m.down = append(m.down, udpRecord{clientInfo, accessKey, status, targetProxyBytes, proxyClientBytes})
 }
-func (m *fakeUDPMetrics) AddUDPNatEntry() {
+func (m *fakeUDPMetrics) AddUDPNatEntry(clientAddr net.Addr, accessKey string) {
 	m.natAdded++
 }
-func (m *fakeUDPMetrics) RemoveUDPNatEntry() {
+func (m *fakeUDPMetrics) RemoveUDPNatEntry(clientAddr net.Addr, accessKey string) {
 	// Not tested because it requires waiting for a long timeout.
 }
 func (m *fakeUDPMetrics) AddUDPCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {}
diff --git a/ipinfo/ipinfo.go b/ipinfo/ipinfo.go
index dd3c239e..dcc63843 100644
--- a/ipinfo/ipinfo.go
+++ b/ipinfo/ipinfo.go
@@ -45,40 +45,28 @@ const (
 	unknownLocation CountryCode = "ZZ"
 )
 
-// GetIPInfoFromAddr is a helper function to extract the IP address from the [net.Addr]
-// and call [IPInfoMap].GetIPInfo.
+// GetIPInfoFromIP is a helper function to call [IPInfoMap].GetIPInfo using a [net.IP].
 // It uses special country codes to indicate errors:
-//   - "XA": failed to extract the IP from the address ("A" is for "Address").
 //   - "XL": IP is not global ("L" is for "Local").
 //   - "XD": database error looking up the country code ("D" is for "DB").
 //   - "ZZ": lookup returned an empty country code (same as the Unicode unknown location).
-func GetIPInfoFromAddr(ip2info IPInfoMap, addr net.Addr) (IPInfo, error) {
+func GetIPInfoFromIP(ip2info IPInfoMap, ip net.IP) (IPInfo, error) {
 	var info IPInfo
 	if ip2info == nil {
 		// Location is disabled. return empty info.
 		return info, nil
 	}
 
-	if addr == nil {
-		info.CountryCode = errParseAddr
-		return info, fmt.Errorf("address cannot be nil")
-	}
-	hostname, _, err := net.SplitHostPort(addr.String())
-	if err != nil {
-		info.CountryCode = errParseAddr
-		return info, fmt.Errorf("failed to split hostname and port: %w", err)
-	}
-	ip := net.ParseIP(hostname)
 	if ip == nil {
 		info.CountryCode = errParseAddr
-		return info, errors.New("failed to parse address as IP")
+		return info, errors.New("IP cannot be nil")
 	}
 
 	if !ip.IsGlobalUnicast() {
 		info.CountryCode = localLocation
 		return info, nil
 	}
-	info, err = ip2info.GetIPInfo(ip)
+	info, err := ip2info.GetIPInfo(ip)
 	if err != nil {
 		info.CountryCode = errDbLookupError
 	}
@@ -87,3 +75,30 @@ func GetIPInfoFromAddr(ip2info IPInfoMap, addr net.Addr) (IPInfo, error) {
 	}
 	return info, err
 }
+
+// GetIPInfoFromAddr is a helper function to extract the IP address from the [net.Addr]
+// and call [IPInfoMap].GetIPInfo.
+// It uses special country codes to indicate errors:
+//   - "XA": failed to extract the IP from the address ("A" is for "Address").
+//   - "XL": IP is not global ("L" is for "Local").
+//   - "XD": database error looking up the country code ("D" is for "DB").
+//   - "ZZ": lookup returned an empty country code (same as the Unicode unknown location).
+func GetIPInfoFromAddr(ip2info IPInfoMap, addr net.Addr) (IPInfo, error) {
+	var info IPInfo
+	if addr == nil {
+		info.CountryCode = errParseAddr
+		return info, errors.New("address cannot be nil")
+	}
+	hostname, _, err := net.SplitHostPort(addr.String())
+	if err != nil {
+		info.CountryCode = errParseAddr
+		return info, fmt.Errorf("failed to split hostname and port: %w", err)
+	}
+	ip := net.ParseIP(hostname)
+	if ip == nil {
+		info.CountryCode = errParseAddr
+		return info, errors.New("failed to parse address as IP")
+	}
+
+	return GetIPInfoFromIP(ip2info, ip)
+}
diff --git a/ipinfo/ipinfo_test.go b/ipinfo/ipinfo_test.go
index 27f4132f..720758df 100644
--- a/ipinfo/ipinfo_test.go
+++ b/ipinfo/ipinfo_test.go
@@ -46,47 +46,104 @@ func (a *badAddr) Network() string {
 	return "bad"
 }
 
-func TestGetIPInfoFromAddr(t *testing.T) {
+func TestGetIPInfoFromIPIPInfoDisabledReturnsEmptyIPInfo(t *testing.T) {
 	var emptyInfo IPInfo
-	noInfoMap := &noopMap{}
 
-	// IP info disabled
-	info, err := GetIPInfoFromAddr(nil, nil)
+	info, err := GetIPInfoFromIP(nil, net.IPv4(127, 0, 0, 1))
+
 	require.Equal(t, emptyInfo, info)
 	require.NoError(t, err)
+}
+
+func TestGetIPInfoFromIPNilAddressReturnsError(t *testing.T) {
+	info, err := GetIPInfoFromIP(&noopMap{}, nil)
 
-	// Nil address
-	info, err = GetIPInfoFromAddr(noInfoMap, nil)
 	require.Error(t, err)
 	require.Equal(t, errParseAddr, info.CountryCode)
+}
+
+func TestGetIPInfoFromIPLocalhostAddressReturnsLocalLocation(t *testing.T) {
+	info, err := GetIPInfoFromIP(&noopMap{}, net.IPv4(127, 0, 0, 1))
+
+	require.NoError(t, err)
+	require.Equal(t, localLocation, info.CountryCode)
+}
+
+func TestGetIPInfoFromIPLocalNetworkAddressReturnsUnknownLocation(t *testing.T) {
+	info, err := GetIPInfoFromIP(&noopMap{}, net.IPv4(10, 0, 0, 1))
+
+	require.NoError(t, err)
+	require.Equal(t, unknownLocation, info.CountryCode)
+}
+
+func TestGetIPInfoFromIPNoCountryFoundReturnsUnknownLocation(t *testing.T) {
+	info, err := GetIPInfoFromIP(&noopMap{}, net.IPv4(8, 8, 8, 8))
+
+	require.NoError(t, err)
+	require.Equal(t, unknownLocation, info.CountryCode)
+}
+
+func TestGetIPInfoFromIPFailedDBLookupReturnsError(t *testing.T) {
+	info, err := GetIPInfoFromIP(&badMap{}, net.IPv4(8, 8, 8, 8))
+
+	require.Error(t, err)
+	require.Equal(t, errDbLookupError, info.CountryCode)
+}
+
+func TestGetIPInfoFromAddrIPInfoDisabledReturnsEmptyIPInfo(t *testing.T) {
+	var emptyInfo IPInfo
+
+	info, err := GetIPInfoFromAddr(nil, &badAddr{"127.0.0.1:port"})
+
+	require.Equal(t, emptyInfo, info)
+	require.NoError(t, err)
+}
+
+func TestGetIPInfoFromAddrNilAddressReturnsError(t *testing.T) {
+	info, err := GetIPInfoFromAddr(&noopMap{}, nil)
 
-	// Can't split host:port in address
-	info, err = GetIPInfoFromAddr(noInfoMap, &badAddr{"host-no-port"})
 	require.Error(t, err)
 	require.Equal(t, errParseAddr, info.CountryCode)
+}
+
+func TestGetIPInfoFromAddrHostNoPortReturnsError(t *testing.T) {
+	info, err := GetIPInfoFromAddr(&noopMap{}, &badAddr{"host-no-port"})
 
-	// Host is not an IP
-	info, err = GetIPInfoFromAddr(noInfoMap, &badAddr{"host-is-not-ip:port"})
 	require.Error(t, err)
 	require.Equal(t, errParseAddr, info.CountryCode)
+}
+
+func TestGetIPInfoFromAddrHostIsNotIPReturnsError(t *testing.T) {
+	info, err := GetIPInfoFromAddr(&noopMap{}, &badAddr{"host-is-not-ip:port"})
+
+	require.Error(t, err)
+	require.Equal(t, errParseAddr, info.CountryCode)
+}
+
+func TestGetIPInfoFromAddrLocalhostAddressReturnsLocalLocation(t *testing.T) {
+	info, err := GetIPInfoFromAddr(&noopMap{}, &badAddr{"127.0.0.1:port"})
 
-	// Localhost address
-	info, err = GetIPInfoFromAddr(noInfoMap, &badAddr{"127.0.0.1:port"})
 	require.NoError(t, err)
 	require.Equal(t, localLocation, info.CountryCode)
+}
+
+func TestGetIPInfoFromAddrLocalNetworkAddressReturnsUnknownLocation(t *testing.T) {
+	info, err := GetIPInfoFromAddr(&noopMap{}, &badAddr{"10.0.0.1:port"})
 
-	// Local network address
-	info, err = GetIPInfoFromAddr(noInfoMap, &badAddr{"10.0.0.1:port"})
 	require.NoError(t, err)
 	require.Equal(t, unknownLocation, info.CountryCode)
+}
+
+func TestGetIPInfoFromAddrNoCountryFoundReturnsUnknownLocation(t *testing.T) {
+	info, err := GetIPInfoFromAddr(&noopMap{}, &badAddr{"8.8.8.8:port"})
 
-	// No country found
-	info, err = GetIPInfoFromAddr(noInfoMap, &badAddr{"8.8.8.8:port"})
 	require.NoError(t, err)
 	require.Equal(t, unknownLocation, info.CountryCode)
+}
+
+func TestGetIPInfoFromAddrFailedDBLookupReturnsError(t *testing.T) {
+	info, err := GetIPInfoFromAddr(&badMap{}, &badAddr{"8.8.8.8:port"})
 
-	// Failed DB lookup
-	info, err = GetIPInfoFromAddr(&badMap{}, &badAddr{"8.8.8.8:port"})
 	require.Error(t, err)
 	require.Equal(t, errDbLookupError, info.CountryCode)
 }
diff --git a/service/tcp.go b/service/tcp.go
index 71deaf8d..9761d8f3 100644
--- a/service/tcp.go
+++ b/service/tcp.go
@@ -41,7 +41,8 @@ type TCPMetrics interface {
 
 	// TCP metrics
 	AddOpenTCPConnection(clientInfo ipinfo.IPInfo)
-	AddClosedTCPConnection(clientInfo ipinfo.IPInfo, accessKey, status string, data metrics.ProxyMetrics, duration time.Duration)
+	AddAuthenticatedTCPConnection(clientAddr net.Addr, accessKey string)
+	AddClosedTCPConnection(clientInfo ipinfo.IPInfo, clientAddr net.Addr, accessKey string, status string, data metrics.ProxyMetrics, duration time.Duration)
 	AddTCPProbe(status, drainResult string, port int, clientProxyBytes int64)
 }
 
@@ -151,6 +152,7 @@ func NewShadowsocksStreamAuthenticator(ciphers CipherList, replayCache *ReplayCa
 			}
 			return id, nil, onet.NewConnectionError(status, "Replay detected", nil)
 		}
+
 		ssr := shadowsocks.NewReader(clientReader, cipherEntry.CryptoKey)
 		ssw := shadowsocks.NewWriter(clientConn, cipherEntry.CryptoKey)
 		ssw.SetSaltGenerator(cipherEntry.SaltGenerator)
@@ -262,7 +264,7 @@ func (h *tcpHandler) Handle(ctx context.Context, clientConn transport.StreamConn
 	measuredClientConn := metrics.MeasureConn(clientConn, &proxyMetrics.ProxyClient, &proxyMetrics.ClientProxy)
 	connStart := time.Now()
 
-	id, connError := h.handleConnection(ctx, h.port, measuredClientConn, &proxyMetrics)
+	id, connError := h.handleConnection(ctx, h.port, clientInfo, measuredClientConn, &proxyMetrics)
 
 	connDuration := time.Since(connStart)
 	status := "OK"
@@ -270,7 +272,7 @@ func (h *tcpHandler) Handle(ctx context.Context, clientConn transport.StreamConn
 		status = connError.Status
 		logger.Debugf("TCP Error: %v: %v", connError.Message, connError.Cause)
 	}
-	h.m.AddClosedTCPConnection(clientInfo, id, status, proxyMetrics, connDuration)
+	h.m.AddClosedTCPConnection(clientInfo, clientConn.RemoteAddr(), id, status, proxyMetrics, connDuration)
 	measuredClientConn.Close() // Closing after the metrics are added aids integration testing.
 	logger.Debugf("Done with status %v, duration %v", status, connDuration)
 }
@@ -325,7 +327,7 @@ func proxyConnection(ctx context.Context, dialer transport.StreamDialer, tgtAddr
 	return nil
 }
 
-func (h *tcpHandler) handleConnection(ctx context.Context, listenerPort int, outerConn transport.StreamConn, proxyMetrics *metrics.ProxyMetrics) (string, *onet.ConnectionError) {
+func (h *tcpHandler) handleConnection(ctx context.Context, listenerPort int, clientInfo ipinfo.IPInfo, outerConn transport.StreamConn, proxyMetrics *metrics.ProxyMetrics) (string, *onet.ConnectionError) {
 	// Set a deadline to receive the address to the target.
 	readDeadline := time.Now().Add(h.readTimeout)
 	if deadline, ok := ctx.Deadline(); ok {
@@ -342,6 +344,7 @@ func (h *tcpHandler) handleConnection(ctx context.Context, listenerPort int, out
 		h.absorbProbe(listenerPort, outerConn, authErr.Status, proxyMetrics)
 		return id, authErr
 	}
+	h.m.AddAuthenticatedTCPConnection(outerConn.RemoteAddr(), id)
 
 	// Read target address and dial it.
 	tgtAddr, err := getProxyRequest(innerConn)
@@ -392,12 +395,14 @@ type NoOpTCPMetrics struct{}
 
 var _ TCPMetrics = (*NoOpTCPMetrics)(nil)
 
-func (m *NoOpTCPMetrics) AddClosedTCPConnection(clientInfo ipinfo.IPInfo, accessKey, status string, data metrics.ProxyMetrics, duration time.Duration) {
+func (m *NoOpTCPMetrics) AddClosedTCPConnection(clientInfo ipinfo.IPInfo, clientAddr net.Addr, accessKey string, status string, data metrics.ProxyMetrics, duration time.Duration) {
 }
 func (m *NoOpTCPMetrics) GetIPInfo(net.IP) (ipinfo.IPInfo, error) {
 	return ipinfo.IPInfo{}, nil
 }
 func (m *NoOpTCPMetrics) AddOpenTCPConnection(clientInfo ipinfo.IPInfo) {}
+func (m *NoOpTCPMetrics) AddAuthenticatedTCPConnection(clientAddr net.Addr, accessKey string) {
+}
 func (m *NoOpTCPMetrics) AddTCPProbe(status, drainResult string, port int, clientProxyBytes int64) {
 }
 func (m *NoOpTCPMetrics) AddTCPCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {}
diff --git a/service/tcp_test.go b/service/tcp_test.go
index b29adcb1..e3742806 100644
--- a/service/tcp_test.go
+++ b/service/tcp_test.go
@@ -223,7 +223,7 @@ type probeTestMetrics struct {
 
 var _ TCPMetrics = (*probeTestMetrics)(nil)
 
-func (m *probeTestMetrics) AddClosedTCPConnection(clientInfo ipinfo.IPInfo, accessKey, status string, data metrics.ProxyMetrics, duration time.Duration) {
+func (m *probeTestMetrics) AddClosedTCPConnection(clientInfo ipinfo.IPInfo, clientAddr net.Addr, accessKey string, status string, data metrics.ProxyMetrics, duration time.Duration) {
 	m.mu.Lock()
 	m.closeStatus = append(m.closeStatus, status)
 	m.mu.Unlock()
@@ -234,6 +234,10 @@ func (m *probeTestMetrics) GetIPInfo(net.IP) (ipinfo.IPInfo, error) {
 }
 func (m *probeTestMetrics) AddOpenTCPConnection(clientInfo ipinfo.IPInfo) {
 }
+
+func (m *probeTestMetrics) AddAuthenticatedTCPConnection(clientAddr net.Addr, accessKey string) {
+}
+
 func (m *probeTestMetrics) AddTCPProbe(status, drainResult string, port int, clientProxyBytes int64) {
 	m.mu.Lock()
 	m.probeData = append(m.probeData, clientProxyBytes)
diff --git a/service/udp.go b/service/udp.go
index 5ac3880b..d57b8e8a 100644
--- a/service/udp.go
+++ b/service/udp.go
@@ -36,8 +36,8 @@ type UDPMetrics interface {
 	// UDP metrics
 	AddUDPPacketFromClient(clientInfo ipinfo.IPInfo, accessKey, status string, clientProxyBytes, proxyTargetBytes int)
 	AddUDPPacketFromTarget(clientInfo ipinfo.IPInfo, accessKey, status string, targetProxyBytes, proxyClientBytes int)
-	AddUDPNatEntry()
-	RemoveUDPNatEntry()
+	AddUDPNatEntry(clientAddr net.Addr, accessKey string)
+	RemoveUDPNatEntry(clientAddr net.Addr, accessKey string)
 
 	// Shadowsocks metrics
 	AddUDPCipherSearch(accessKeyFound bool, timeToCipher time.Duration)
@@ -80,7 +80,7 @@ func findAccessKeyUDP(clientIP net.IP, dst, src []byte, cipherList CipherList) (
 		cipherList.MarkUsedByClientIP(entry, clientIP)
 		return buf, id, cryptoKey, nil
 	}
-	return nil, "", nil, errors.New("could not find valid cipher")
+	return nil, "", nil, errors.New("could not find valid UDP cipher")
 }
 
 type packetHandler struct {
@@ -357,11 +357,11 @@ func (m *natmap) del(key string) net.PacketConn {
 func (m *natmap) Add(clientAddr net.Addr, clientConn net.PacketConn, cryptoKey *shadowsocks.EncryptionKey, targetConn net.PacketConn, clientInfo ipinfo.IPInfo, keyID string) *natconn {
 	entry := m.set(clientAddr.String(), targetConn, cryptoKey, keyID, clientInfo)
 
-	m.metrics.AddUDPNatEntry()
+	m.metrics.AddUDPNatEntry(clientAddr, keyID)
 	m.running.Add(1)
 	go func() {
 		timedCopy(clientAddr, clientConn, entry, keyID, m.metrics)
-		m.metrics.RemoveUDPNatEntry()
+		m.metrics.RemoveUDPNatEntry(clientAddr, keyID)
 		if pc := m.del(clientAddr.String()); pc != nil {
 			pc.Close()
 		}
@@ -475,6 +475,8 @@ func (m *NoOpUDPMetrics) AddUDPPacketFromClient(clientInfo ipinfo.IPInfo, access
 }
 func (m *NoOpUDPMetrics) AddUDPPacketFromTarget(clientInfo ipinfo.IPInfo, accessKey, status string, targetProxyBytes, proxyClientBytes int) {
 }
-func (m *NoOpUDPMetrics) AddUDPNatEntry()                                                    {}
-func (m *NoOpUDPMetrics) RemoveUDPNatEntry()                                                 {}
+func (m *NoOpUDPMetrics) AddUDPNatEntry(clientAddr net.Addr, accessKey string) {
+}
+func (m *NoOpUDPMetrics) RemoveUDPNatEntry(clientAddr net.Addr, accessKey string) {
+}
 func (m *NoOpUDPMetrics) AddUDPCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {}
diff --git a/service/udp_test.go b/service/udp_test.go
index 27756e3d..30aae003 100644
--- a/service/udp_test.go
+++ b/service/udp_test.go
@@ -113,10 +113,11 @@ func (m *natTestMetrics) AddUDPPacketFromClient(clientInfo ipinfo.IPInfo, access
 }
 func (m *natTestMetrics) AddUDPPacketFromTarget(clientInfo ipinfo.IPInfo, accessKey, status string, targetProxyBytes, proxyClientBytes int) {
 }
-func (m *natTestMetrics) AddUDPNatEntry() {
+func (m *natTestMetrics) AddUDPNatEntry(clientAddr net.Addr, accessKey string) {
 	m.natEntriesAdded++
 }
-func (m *natTestMetrics) RemoveUDPNatEntry()                                                 {}
+func (m *natTestMetrics) RemoveUDPNatEntry(clientAddr net.Addr, accessKey string) {
+}
 func (m *natTestMetrics) AddUDPCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {}
 
 // Takes a validation policy, and returns the metrics it