diff --git a/cmd/outline-ss-server/main.go b/cmd/outline-ss-server/main.go
index 816a196b..2bd9c8b7 100644
--- a/cmd/outline-ss-server/main.go
+++ b/cmd/outline-ss-server/main.go
@@ -16,6 +16,7 @@ package main
 
 import (
 	"container/list"
+	"context"
 	"flag"
 	"fmt"
 	"log/slog"
@@ -28,6 +29,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/Jigsaw-Code/outline-sdk/transport"
 	"github.com/Jigsaw-Code/outline-sdk/transport/shadowsocks"
 	"github.com/Jigsaw-Code/outline-ss-server/ipinfo"
 	"github.com/Jigsaw-Code/outline-ss-server/service"
@@ -61,7 +63,7 @@ type SSServer struct {
 	stopConfig  func() error
 	lnManager   service.ListenerManager
 	natTimeout  time.Duration
-	m           *outlineMetricsCollector
+	m           *outlineMetrics
 	replayCache service.ReplayCache
 }
 
@@ -85,13 +87,13 @@ func (s *SSServer) loadConfig(filename string) error {
 }
 
 func (s *SSServer) NewShadowsocksStreamHandler(ciphers service.CipherList) service.StreamHandler {
-	authFunc := service.NewShadowsocksStreamAuthenticator(ciphers, &s.replayCache, s.m)
+	authFunc := service.NewShadowsocksStreamAuthenticator(ciphers, &s.replayCache, s.m.tcpServiceMetrics)
 	// TODO: Register initial data metrics at zero.
-	return service.NewStreamHandler(authFunc, s.m, tcpReadTimeout)
+	return service.NewStreamHandler(authFunc, tcpReadTimeout)
 }
 
 func (s *SSServer) NewShadowsocksPacketHandler(ciphers service.CipherList) service.PacketHandler {
-	return service.NewPacketHandler(s.natTimeout, ciphers, s.m)
+	return service.NewPacketHandler(s.natTimeout, ciphers, s.m, s.m.udpServiceMetrics)
 }
 
 type listenerSet struct {
@@ -196,7 +198,10 @@ func (s *SSServer) runConfig(config Config) (func() error, error) {
 					return err
 				}
 				slog.Info("Shadowsocks TCP service started.", "address", ln.Addr().String())
-				go service.StreamServe(ln.AcceptStream, sh.Handle)
+				go service.StreamServe(ln.AcceptStream, func(ctx context.Context, conn transport.StreamConn) {
+					connMetrics := s.m.AddOpenTCPConnection(conn)
+					sh.Handle(ctx, conn, connMetrics)
+				})
 
 				pc, err := lnSet.ListenPacket(addr)
 				if err != nil {
@@ -243,7 +248,7 @@ func (s *SSServer) Stop() error {
 }
 
 // RunSSServer starts a shadowsocks server running, and returns the server or an error.
-func RunSSServer(filename string, natTimeout time.Duration, sm *outlineMetricsCollector, replayHistory int) (*SSServer, error) {
+func RunSSServer(filename string, natTimeout time.Duration, sm *outlineMetrics, replayHistory int) (*SSServer, error) {
 	server := &SSServer{
 		lnManager:   service.NewListenerManager(),
 		natTimeout:  natTimeout,
@@ -348,7 +353,10 @@ func main() {
 	}
 	defer ip2info.Close()
 
-	metrics := newPrometheusOutlineMetrics(ip2info)
+	metrics, err := newPrometheusOutlineMetrics(ip2info)
+	if err != nil {
+		slog.Error("Failed to create Outline Prometheus metrics. Aborting.", "err", err)
+	}
 	metrics.SetBuildInfo(version)
 	r := prometheus.WrapRegistererWithPrefix("shadowsocks_", prometheus.DefaultRegisterer)
 	r.MustRegister(metrics)
diff --git a/cmd/outline-ss-server/metrics.go b/cmd/outline-ss-server/metrics.go
index 740bd489..c5641411 100644
--- a/cmd/outline-ss-server/metrics.go
+++ b/cmd/outline-ss-server/metrics.go
@@ -31,20 +31,140 @@ import (
 // `now` is stubbable for testing.
 var now = time.Now
 
-type tcpCollector struct {
-	// NOTE: New metrics need to be added to `newTCPCollector()`, `Describe()` and
-	// `Collect()`.
+func NewTimeToCipherVec(proto string) (prometheus.ObserverVec, error) {
+	vec := prometheus.NewHistogramVec(
+		prometheus.HistogramOpts{
+			Name:    "time_to_cipher_ms",
+			Help:    "Time needed to find the cipher",
+			Buckets: []float64{0.1, 1, 10, 100, 1000},
+		}, []string{"proto", "found_key"})
+	return vec.CurryWith(map[string]string{"proto": proto})
+}
+
+type proxyCollector struct {
+	// NOTE: New metrics need to be added to `newProxyCollector()`, `Describe()` and `Collect()`.
+	dataBytesPerKey      *prometheus.CounterVec
+	dataBytesPerLocation *prometheus.CounterVec
+}
+
+func newProxyCollector(proto string) (*proxyCollector, error) {
+	dataBytesPerKey, err := prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: "data_bytes",
+			Help: "Bytes transferred by the proxy, per access key",
+		}, []string{"proto", "dir", "access_key"}).CurryWith(map[string]string{"proto": proto})
+	if err != nil {
+		return nil, err
+	}
+	dataBytesPerLocation, err := prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: "data_bytes_per_location",
+			Help: "Bytes transferred by the proxy, per location",
+		}, []string{"proto", "dir", "location", "asn"}).CurryWith(map[string]string{"proto": proto})
+	if err != nil {
+		return nil, err
+	}
+	return &proxyCollector{
+		dataBytesPerKey:      dataBytesPerKey,
+		dataBytesPerLocation: dataBytesPerLocation,
+	}, nil
+}
+
+func (c *proxyCollector) Describe(ch chan<- *prometheus.Desc) {
+	c.dataBytesPerKey.Describe(ch)
+	c.dataBytesPerLocation.Describe(ch)
+}
+
+func (c *proxyCollector) Collect(ch chan<- prometheus.Metric) {
+	c.dataBytesPerKey.Collect(ch)
+	c.dataBytesPerLocation.Collect(ch)
+}
+
+func (c *proxyCollector) addClientTarget(clientProxyBytes, proxyTargetBytes int64, accessKey string, clientInfo ipinfo.IPInfo) {
+	addIfNonZero(clientProxyBytes, c.dataBytesPerKey, "c>p", accessKey)
+	addIfNonZero(clientProxyBytes, c.dataBytesPerLocation, "c>p", clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN))
+	addIfNonZero(proxyTargetBytes, c.dataBytesPerKey, "p>t", accessKey)
+	addIfNonZero(proxyTargetBytes, c.dataBytesPerLocation, "p>t", clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN))
+}
+
+func (c *proxyCollector) addTargetClient(targetProxyBytes, proxyClientBytes int64, accessKey string, clientInfo ipinfo.IPInfo) {
+	addIfNonZero(targetProxyBytes, c.dataBytesPerKey, "p<t", accessKey)
+	addIfNonZero(targetProxyBytes, c.dataBytesPerLocation, "p<t", clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN))
+	addIfNonZero(proxyClientBytes, c.dataBytesPerKey, "c<p", accessKey)
+	addIfNonZero(proxyClientBytes, c.dataBytesPerLocation, "c<p", clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN))
+}
+
+type tcpConnMetrics struct {
+	tcpServiceMetrics *tcpServiceMetrics
+	tunnelTimeMetrics *tunnelTimeMetrics
+
+	localAddr  net.Addr
+	clientAddr net.Addr
+	clientInfo ipinfo.IPInfo
+	accessKey  string
+}
+
+var _ service.TCPConnMetrics = (*tcpConnMetrics)(nil)
+
+func newTCPConnMetrics(tcpServiceMetrics *tcpServiceMetrics, tunnelTimeMetrics *tunnelTimeMetrics, clientConn net.Conn, clientInfo ipinfo.IPInfo) *tcpConnMetrics {
+	tcpServiceMetrics.openConnection(clientInfo)
+	return &tcpConnMetrics{
+		tcpServiceMetrics: tcpServiceMetrics,
+		tunnelTimeMetrics: tunnelTimeMetrics,
+		localAddr:         clientConn.LocalAddr(),
+		clientAddr:        clientConn.RemoteAddr(),
+		clientInfo:        clientInfo,
+	}
+}
+
+func (cm *tcpConnMetrics) AddAuthenticated(accessKey string) {
+	cm.accessKey = accessKey
+	ipKey, err := toIPKey(cm.clientAddr, accessKey)
+	if err == nil {
+		cm.tunnelTimeMetrics.startConnection(*ipKey)
+	}
+}
+
+func (cm *tcpConnMetrics) AddClosed(status string, data metrics.ProxyMetrics, duration time.Duration) {
+	cm.tcpServiceMetrics.proxyCollector.addClientTarget(data.ClientProxy, data.ProxyTarget, cm.accessKey, cm.clientInfo)
+	cm.tcpServiceMetrics.proxyCollector.addTargetClient(data.TargetProxy, data.ProxyClient, cm.accessKey, cm.clientInfo)
+	cm.tcpServiceMetrics.closeConnection(status, duration, cm.accessKey, cm.clientInfo)
+	ipKey, err := toIPKey(cm.clientAddr, cm.accessKey)
+	if err == nil {
+		cm.tunnelTimeMetrics.stopConnection(*ipKey)
+	}
+}
+
+func (cm *tcpConnMetrics) AddProbe(status, drainResult string, clientProxyBytes int64) {
+	cm.tcpServiceMetrics.addProbe(cm.localAddr.String(), status, drainResult, clientProxyBytes)
+}
+
+type tcpServiceMetrics struct {
+	proxyCollector *proxyCollector
+	// NOTE: New metrics need to be added to `newTCPCollector()`, `Describe()` and `Collect()`.
 	probes               *prometheus.HistogramVec
 	openConnections      *prometheus.CounterVec
 	closedConnections    *prometheus.CounterVec
 	connectionDurationMs *prometheus.HistogramVec
+	timeToCipherMs       prometheus.ObserverVec
 }
 
-var _ prometheus.Collector = (*tcpCollector)(nil)
+var _ prometheus.Collector = (*tcpServiceMetrics)(nil)
+var _ service.ShadowsocksConnMetrics = (*tcpServiceMetrics)(nil)
 
-func newTCPCollector() *tcpCollector {
+func newTCPCollector() (*tcpServiceMetrics, error) {
 	namespace := "tcp"
-	return &tcpCollector{
+	proxyCollector, err := newProxyCollector(namespace)
+	if err != nil {
+		return nil, err
+	}
+	timeToCipherVec, err := NewTimeToCipherVec(namespace)
+	if err != nil {
+		return nil, err
+	}
+	return &tcpServiceMetrics{
+		proxyCollector: proxyCollector,
+		timeToCipherMs: timeToCipherVec,
 		probes: prometheus.NewHistogramVec(prometheus.HistogramOpts{
 			Namespace: namespace,
 			Name:      "probes",
@@ -75,49 +195,116 @@ func newTCPCollector() *tcpCollector {
 					float64(7 * 24 * time.Hour.Milliseconds()), // Week
 				},
 			}, []string{"status"}),
-	}
+	}, nil
 }
 
-func (c *tcpCollector) Describe(ch chan<- *prometheus.Desc) {
+func (c *tcpServiceMetrics) Describe(ch chan<- *prometheus.Desc) {
+	c.proxyCollector.Describe(ch)
+	c.timeToCipherMs.Describe(ch)
 	c.probes.Describe(ch)
 	c.openConnections.Describe(ch)
 	c.closedConnections.Describe(ch)
 	c.connectionDurationMs.Describe(ch)
 }
 
-func (c *tcpCollector) Collect(ch chan<- prometheus.Metric) {
+func (c *tcpServiceMetrics) Collect(ch chan<- prometheus.Metric) {
+	c.proxyCollector.Collect(ch)
+	c.timeToCipherMs.Collect(ch)
 	c.probes.Collect(ch)
 	c.openConnections.Collect(ch)
 	c.closedConnections.Collect(ch)
 	c.connectionDurationMs.Collect(ch)
 }
 
-func (c *tcpCollector) openConnection(clientInfo ipinfo.IPInfo) {
+func (c *tcpServiceMetrics) openConnection(clientInfo ipinfo.IPInfo) {
 	c.openConnections.WithLabelValues(clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN)).Inc()
 }
 
-func (c *tcpCollector) closeConnection(clientInfo ipinfo.IPInfo, status, accessKey string, duration time.Duration) {
+func (c *tcpServiceMetrics) closeConnection(status string, duration time.Duration, accessKey string, clientInfo ipinfo.IPInfo) {
 	c.closedConnections.WithLabelValues(clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN), status, accessKey).Inc()
 	c.connectionDurationMs.WithLabelValues(status).Observe(duration.Seconds() * 1000)
 }
 
-func (c *tcpCollector) addProbe(listenerId, status, drainResult string, clientProxyBytes int64) {
+func (c *tcpServiceMetrics) addProbe(listenerId, status, drainResult string, clientProxyBytes int64) {
 	c.probes.WithLabelValues(listenerId, status, drainResult).Observe(float64(clientProxyBytes))
 }
 
-type udpCollector struct {
-	// NOTE: New metrics need to be added to `newUDPCollector()`, `Describe()`
-	// and `Collect()`.
+func (c *tcpServiceMetrics) AddCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {
+	foundStr := "false"
+	if accessKeyFound {
+		foundStr = "true"
+	}
+	c.timeToCipherMs.WithLabelValues(foundStr).Observe(timeToCipher.Seconds() * 1000)
+}
+
+type udpConnMetrics struct {
+	udpServiceMetrics *udpServiceMetrics
+	tunnelTimeMetrics *tunnelTimeMetrics
+
+	clientAddr net.Addr
+	clientInfo ipinfo.IPInfo
+	accessKey  string
+}
+
+var _ service.UDPConnMetrics = (*udpConnMetrics)(nil)
+
+func newUDPConnMetrics(udpServiceMetrics *udpServiceMetrics, tunnelTimeMetrics *tunnelTimeMetrics, accessKey string, clientAddr net.Addr, clientInfo ipinfo.IPInfo) *udpConnMetrics {
+	udpServiceMetrics.addNatEntry()
+	ipKey, err := toIPKey(clientAddr, accessKey)
+	if err == nil {
+		tunnelTimeMetrics.startConnection(*ipKey)
+	}
+	return &udpConnMetrics{
+		udpServiceMetrics: udpServiceMetrics,
+		tunnelTimeMetrics: tunnelTimeMetrics,
+		accessKey:         accessKey,
+		clientAddr:        clientAddr,
+		clientInfo:        clientInfo,
+	}
+}
+
+func (cm *udpConnMetrics) AddPacketFromClient(status string, clientProxyBytes, proxyTargetBytes int64) {
+	cm.udpServiceMetrics.addPacketFromClient(status, clientProxyBytes, proxyTargetBytes, cm.accessKey, cm.clientInfo)
+}
+
+func (cm *udpConnMetrics) AddPacketFromTarget(status string, targetProxyBytes, proxyClientBytes int64) {
+	cm.udpServiceMetrics.addPacketFromTarget(status, targetProxyBytes, proxyClientBytes, cm.accessKey, cm.clientInfo)
+}
+
+func (cm *udpConnMetrics) RemoveNatEntry() {
+	cm.udpServiceMetrics.removeNatEntry()
+
+	ipKey, err := toIPKey(cm.clientAddr, cm.accessKey)
+	if err == nil {
+		cm.tunnelTimeMetrics.stopConnection(*ipKey)
+	}
+}
+
+type udpServiceMetrics struct {
+	proxyCollector *proxyCollector
+	// NOTE: New metrics need to be added to `newUDPCollector()`, `Describe()` and `Collect()`.
 	packetsFromClientPerLocation *prometheus.CounterVec
 	addedNatEntries              prometheus.Counter
 	removedNatEntries            prometheus.Counter
+	timeToCipherMs               prometheus.ObserverVec
 }
 
-var _ prometheus.Collector = (*udpCollector)(nil)
+var _ prometheus.Collector = (*udpServiceMetrics)(nil)
+var _ service.ShadowsocksConnMetrics = (*tcpServiceMetrics)(nil)
 
-func newUDPCollector() *udpCollector {
+func newUDPCollector() (*udpServiceMetrics, error) {
 	namespace := "udp"
-	return &udpCollector{
+	proxyCollector, err := newProxyCollector(namespace)
+	if err != nil {
+		return nil, err
+	}
+	timeToCipherVec, err := NewTimeToCipherVec(namespace)
+	if err != nil {
+		return nil, err
+	}
+	return &udpServiceMetrics{
+		proxyCollector: proxyCollector,
+		timeToCipherMs: timeToCipherVec,
 		packetsFromClientPerLocation: prometheus.NewCounterVec(
 			prometheus.CounterOpts{
 				Namespace: namespace,
@@ -136,44 +323,48 @@ func newUDPCollector() *udpCollector {
 				Name:      "nat_entries_removed",
 				Help:      "Entries removed from the UDP NAT table",
 			}),
-	}
+	}, nil
 }
 
-func (c *udpCollector) Describe(ch chan<- *prometheus.Desc) {
+func (c *udpServiceMetrics) Describe(ch chan<- *prometheus.Desc) {
+	c.proxyCollector.Describe(ch)
+	c.timeToCipherMs.Describe(ch)
 	c.packetsFromClientPerLocation.Describe(ch)
 	c.addedNatEntries.Describe(ch)
 	c.removedNatEntries.Describe(ch)
 }
 
-func (c *udpCollector) Collect(ch chan<- prometheus.Metric) {
+func (c *udpServiceMetrics) Collect(ch chan<- prometheus.Metric) {
+	c.proxyCollector.Collect(ch)
+	c.timeToCipherMs.Collect(ch)
 	c.packetsFromClientPerLocation.Collect(ch)
 	c.addedNatEntries.Collect(ch)
 	c.removedNatEntries.Collect(ch)
 }
 
-func (c *udpCollector) addPacketFromClient(clientInfo ipinfo.IPInfo, status string) {
-	c.packetsFromClientPerLocation.WithLabelValues(clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN), status).Inc()
-}
-
-func (c *udpCollector) addNatEntry() {
+func (c *udpServiceMetrics) addNatEntry() {
 	c.addedNatEntries.Inc()
 }
 
-func (c *udpCollector) removeNatEntry() {
+func (c *udpServiceMetrics) removeNatEntry() {
 	c.removedNatEntries.Inc()
 }
 
-// Converts a [net.Addr] to an [IPKey].
-func toIPKey(addr net.Addr, accessKey string) (*IPKey, error) {
-	hostname, _, err := net.SplitHostPort(addr.String())
-	if err != nil {
-		return nil, fmt.Errorf("failed to create IPKey: %w", err)
-	}
-	ip, err := netip.ParseAddr(hostname)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create IPKey: %w", err)
+func (c *udpServiceMetrics) addPacketFromClient(status string, clientProxyBytes, proxyTargetBytes int64, accessKey string, clientInfo ipinfo.IPInfo) {
+	c.packetsFromClientPerLocation.WithLabelValues(clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN), status).Inc()
+	c.proxyCollector.addClientTarget(clientProxyBytes, proxyTargetBytes, accessKey, clientInfo)
+}
+
+func (c *udpServiceMetrics) addPacketFromTarget(status string, targetProxyBytes, proxyClientBytes int64, accessKey string, clientInfo ipinfo.IPInfo) {
+	c.proxyCollector.addTargetClient(targetProxyBytes, proxyClientBytes, accessKey, clientInfo)
+}
+
+func (c *udpServiceMetrics) AddCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {
+	foundStr := "false"
+	if accessKeyFound {
+		foundStr = "true"
 	}
-	return &IPKey{ip, accessKey}, nil
+	c.timeToCipherMs.WithLabelValues(foundStr).Observe(timeToCipher.Seconds() * 1000)
 }
 
 // Represents the clients that are or have been active recently. They stick
@@ -190,22 +381,21 @@ type IPKey struct {
 	accessKey string
 }
 
-type tunnelTimeCollector struct {
+type tunnelTimeMetrics struct {
 	ip2info       ipinfo.IPInfoMap
 	mu            sync.Mutex // Protects the activeClients map.
 	activeClients map[IPKey]*activeClient
 
-	// NOTE: New metrics need to be added to `newTunnelTimeCollector()`,
-	// `Describe()` and `Collect()`.
+	// NOTE: New metrics need to be added to `newTunnelTimeMetrics()`, `Describe()` and `Collect()`.
 	tunnelTimePerKey      *prometheus.CounterVec
 	tunnelTimePerLocation *prometheus.CounterVec
 }
 
-var _ prometheus.Collector = (*tunnelTimeCollector)(nil)
+var _ prometheus.Collector = (*tunnelTimeMetrics)(nil)
 
-func newTunnelTimeCollector(ip2info ipinfo.IPInfoMap) *tunnelTimeCollector {
+func newTunnelTimeMetrics(ip2info ipinfo.IPInfoMap) *tunnelTimeMetrics {
 	namespace := "tunnel_time"
-	return &tunnelTimeCollector{
+	return &tunnelTimeMetrics{
 		ip2info:       ip2info,
 		activeClients: make(map[IPKey]*activeClient),
 
@@ -222,12 +412,12 @@ func newTunnelTimeCollector(ip2info ipinfo.IPInfoMap) *tunnelTimeCollector {
 	}
 }
 
-func (c *tunnelTimeCollector) Describe(ch chan<- *prometheus.Desc) {
+func (c *tunnelTimeMetrics) Describe(ch chan<- *prometheus.Desc) {
 	c.tunnelTimePerKey.Describe(ch)
 	c.tunnelTimePerLocation.Describe(ch)
 }
 
-func (c *tunnelTimeCollector) Collect(ch chan<- prometheus.Metric) {
+func (c *tunnelTimeMetrics) Collect(ch chan<- prometheus.Metric) {
 	tNow := now()
 	c.mu.Lock()
 	for ipKey, client := range c.activeClients {
@@ -239,7 +429,7 @@ func (c *tunnelTimeCollector) Collect(ch chan<- prometheus.Metric) {
 }
 
 // Calculates and reports the tunnel time for a given active client.
-func (c *tunnelTimeCollector) reportTunnelTime(ipKey IPKey, client *activeClient, tNow time.Time) {
+func (c *tunnelTimeMetrics) reportTunnelTime(ipKey IPKey, client *activeClient, tNow time.Time) {
 	tunnelTime := tNow.Sub(client.startTime)
 	slog.LogAttrs(nil, slog.LevelDebug, "Reporting tunnel time.", slog.String("key", ipKey.accessKey), slog.Duration("duration", tunnelTime))
 	c.tunnelTimePerKey.WithLabelValues(ipKey.accessKey).Add(tunnelTime.Seconds())
@@ -249,7 +439,7 @@ func (c *tunnelTimeCollector) reportTunnelTime(ipKey IPKey, client *activeClient
 }
 
 // Registers a new active connection for a client [net.Addr] and access key.
-func (c *tunnelTimeCollector) startConnection(ipKey IPKey) {
+func (c *tunnelTimeMetrics) startConnection(ipKey IPKey) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	client, exists := c.activeClients[ipKey]
@@ -262,7 +452,7 @@ func (c *tunnelTimeCollector) startConnection(ipKey IPKey) {
 }
 
 // Removes an active connection for a client [net.Addr] and access key.
-func (c *tunnelTimeCollector) stopConnection(ipKey IPKey) {
+func (c *tunnelTimeMetrics) stopConnection(ipKey IPKey) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	client, exists := c.activeClients[ipKey]
@@ -277,41 +467,42 @@ func (c *tunnelTimeCollector) stopConnection(ipKey IPKey) {
 	}
 }
 
-type outlineMetricsCollector struct {
-	ipinfo.IPInfoMap
+type outlineMetrics struct {
+	ip2info ipinfo.IPInfoMap
 
-	tcpCollector        *tcpCollector
-	udpCollector        *udpCollector
-	tunnelTimeCollector *tunnelTimeCollector
+	tcpServiceMetrics *tcpServiceMetrics
+	udpServiceMetrics *udpServiceMetrics
+	tunnelTimeMetrics *tunnelTimeMetrics
 
-	// NOTE: New metrics need to be added to `newPrometheusOutlineMetrics()` and
-	// `collectors()`.
-	buildInfo            *prometheus.GaugeVec
-	accessKeys           prometheus.Gauge
-	ports                prometheus.Gauge
-	dataBytes            *prometheus.CounterVec
-	dataBytesPerLocation *prometheus.CounterVec
-	timeToCipherMs       *prometheus.HistogramVec
+	// NOTE: New metrics need to be added to `newPrometheusOutlineMetrics()`, `Describe()` and `Collect()`.
+	buildInfo  *prometheus.GaugeVec
+	accessKeys prometheus.Gauge
+	ports      prometheus.Gauge
 	// TODO: Add time to first byte.
 }
 
-var _ prometheus.Collector = (*outlineMetricsCollector)(nil)
-var _ service.TCPMetrics = (*outlineMetricsCollector)(nil)
-var _ service.UDPMetrics = (*outlineMetricsCollector)(nil)
+var _ prometheus.Collector = (*outlineMetrics)(nil)
+var _ service.UDPMetrics = (*outlineMetrics)(nil)
 
 // newPrometheusOutlineMetrics constructs a Prometheus metrics collector that uses
 // `ip2info` to convert IP addresses to countries. `ip2info` may be nil.
-func newPrometheusOutlineMetrics(ip2info ipinfo.IPInfoMap) *outlineMetricsCollector {
-	tcpCollector := newTCPCollector()
-	udpCollector := newUDPCollector()
-	tunnelTimeCollector := newTunnelTimeCollector(ip2info)
+func newPrometheusOutlineMetrics(ip2info ipinfo.IPInfoMap) (*outlineMetrics, error) {
+	tcpServiceMetrics, err := newTCPCollector()
+	if err != nil {
+		return nil, err
+	}
+	udpServiceMetrics, err := newUDPCollector()
+	if err != nil {
+		return nil, err
+	}
+	tunnelTimeMetrics := newTunnelTimeMetrics(ip2info)
 
-	return &outlineMetricsCollector{
-		IPInfoMap: ip2info,
+	return &outlineMetrics{
+		ip2info: ip2info,
 
-		tcpCollector:        tcpCollector,
-		udpCollector:        udpCollector,
-		tunnelTimeCollector: tunnelTimeCollector,
+		tcpServiceMetrics: tcpServiceMetrics,
+		udpServiceMetrics: udpServiceMetrics,
+		tunnelTimeMetrics: tunnelTimeMetrics,
 
 		buildInfo: prometheus.NewGaugeVec(prometheus.GaugeOpts{
 			Name: "build_info",
@@ -325,70 +516,57 @@ func newPrometheusOutlineMetrics(ip2info ipinfo.IPInfoMap) *outlineMetricsCollec
 			Name: "ports",
 			Help: "Count of open Shadowsocks ports",
 		}),
-		dataBytes: prometheus.NewCounterVec(
-			prometheus.CounterOpts{
-				Name: "data_bytes",
-				Help: "Bytes transferred by the proxy, per access key",
-			}, []string{"dir", "proto", "access_key"}),
-		dataBytesPerLocation: prometheus.NewCounterVec(
-			prometheus.CounterOpts{
-				Name: "data_bytes_per_location",
-				Help: "Bytes transferred by the proxy, per location",
-			}, []string{"dir", "proto", "location", "asn"}),
-		timeToCipherMs: prometheus.NewHistogramVec(
-			prometheus.HistogramOpts{
-				Name:    "time_to_cipher_ms",
-				Help:    "Time needed to find the cipher",
-				Buckets: []float64{0.1, 1, 10, 100, 1000},
-			}, []string{"proto", "found_key"}),
-	}
+	}, nil
 }
 
-func (m *outlineMetricsCollector) collectors() []prometheus.Collector {
-	return []prometheus.Collector{
-		m.tcpCollector,
-		m.udpCollector,
-		m.tunnelTimeCollector,
-
-		m.buildInfo,
-		m.accessKeys,
-		m.ports,
-		m.dataBytes,
-		m.dataBytesPerLocation,
-		m.timeToCipherMs,
-	}
+func (m *outlineMetrics) Describe(ch chan<- *prometheus.Desc) {
+	m.tcpServiceMetrics.Describe(ch)
+	m.udpServiceMetrics.Describe(ch)
+	m.tunnelTimeMetrics.Describe(ch)
+	m.buildInfo.Describe(ch)
+	m.accessKeys.Describe(ch)
+	m.ports.Describe(ch)
 }
 
-func (m *outlineMetricsCollector) Describe(ch chan<- *prometheus.Desc) {
-	for _, collector := range m.collectors() {
-		collector.Describe(ch)
-	}
+func (m *outlineMetrics) Collect(ch chan<- prometheus.Metric) {
+	m.tcpServiceMetrics.Collect(ch)
+	m.udpServiceMetrics.Collect(ch)
+	m.tunnelTimeMetrics.Collect(ch)
+	m.buildInfo.Collect(ch)
+	m.accessKeys.Collect(ch)
+	m.ports.Collect(ch)
 }
 
-func (m *outlineMetricsCollector) Collect(ch chan<- prometheus.Metric) {
-	for _, collector := range m.collectors() {
-		collector.Collect(ch)
+func (m *outlineMetrics) getIPInfoFromAddr(addr net.Addr) ipinfo.IPInfo {
+	ipInfo, err := ipinfo.GetIPInfoFromAddr(m.ip2info, addr)
+	if err != nil {
+		slog.LogAttrs(nil, slog.LevelWarn, "Failed client info lookup.", slog.Any("err", err))
+		return ipInfo
+	}
+	if slog.Default().Enabled(nil, slog.LevelDebug) {
+		slog.LogAttrs(nil, slog.LevelDebug, "Got info for IP.", slog.String("IP", addr.String()), slog.Any("info", ipInfo))
 	}
+	return ipInfo
 }
 
-func (m *outlineMetricsCollector) SetBuildInfo(version string) {
+func (m *outlineMetrics) SetBuildInfo(version string) {
 	m.buildInfo.WithLabelValues(version).Set(1)
 }
 
-func (m *outlineMetricsCollector) SetNumAccessKeys(numKeys int, ports int) {
+func (m *outlineMetrics) SetNumAccessKeys(numKeys int, ports int) {
 	m.accessKeys.Set(float64(numKeys))
 	m.ports.Set(float64(ports))
 }
 
-func (m *outlineMetricsCollector) AddOpenTCPConnection(clientInfo ipinfo.IPInfo) {
-	m.tcpCollector.openConnection(clientInfo)
+func (m *outlineMetrics) AddOpenTCPConnection(clientConn net.Conn) *tcpConnMetrics {
+	clientAddr := clientConn.RemoteAddr()
+	clientInfo := m.getIPInfoFromAddr(clientAddr)
+	return newTCPConnMetrics(m.tcpServiceMetrics, m.tunnelTimeMetrics, clientConn, clientInfo)
 }
 
-func (m *outlineMetricsCollector) AddAuthenticatedTCPConnection(clientAddr net.Addr, accessKey string) {
-	ipKey, err := toIPKey(clientAddr, accessKey)
-	if err == nil {
-		m.tunnelTimeCollector.startConnection(*ipKey)
-	}
+func (m *outlineMetrics) AddUDPNatEntry(clientAddr net.Addr, accessKey string) service.UDPConnMetrics {
+	clientInfo := m.getIPInfoFromAddr(clientAddr)
+	return newUDPConnMetrics(m.udpServiceMetrics, m.tunnelTimeMetrics, accessKey, clientAddr, clientInfo)
 }
 
 // addIfNonZero helps avoid the creation of series that are always zero.
@@ -405,72 +583,15 @@ func asnLabel(asn int) string {
 	return fmt.Sprint(asn)
 }
 
-func (m *outlineMetricsCollector) AddClosedTCPConnection(clientInfo ipinfo.IPInfo, clientAddr net.Addr, accessKey, status string, data metrics.ProxyMetrics, duration time.Duration) {
-	m.tcpCollector.closeConnection(clientInfo, status, accessKey, duration)
-	addIfNonZero(data.ClientProxy, m.dataBytes, "c>p", "tcp", accessKey)
-	addIfNonZero(data.ClientProxy, m.dataBytesPerLocation, "c>p", "tcp", clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN))
-	addIfNonZero(data.ProxyTarget, m.dataBytes, "p>t", "tcp", accessKey)
-	addIfNonZero(data.ProxyTarget, m.dataBytesPerLocation, "p>t", "tcp", clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN))
-	addIfNonZero(data.TargetProxy, m.dataBytes, "p<t", "tcp", accessKey)
-	addIfNonZero(data.TargetProxy, m.dataBytesPerLocation, "p<t", "tcp", clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN))
-	addIfNonZero(data.ProxyClient, m.dataBytes, "c<p", "tcp", accessKey)
-	addIfNonZero(data.ProxyClient, m.dataBytesPerLocation, "c<p", "tcp", clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN))
-
-	ipKey, err := toIPKey(clientAddr, accessKey)
-	if err == nil {
-		m.tunnelTimeCollector.stopConnection(*ipKey)
-	}
-}
-
-func (m *outlineMetricsCollector) AddUDPPacketFromClient(clientInfo ipinfo.IPInfo, accessKey, status string, clientProxyBytes, proxyTargetBytes int) {
-	m.udpCollector.addPacketFromClient(clientInfo, status)
-	addIfNonZero(int64(clientProxyBytes), m.dataBytes, "c>p", "udp", accessKey)
-	addIfNonZero(int64(clientProxyBytes), m.dataBytesPerLocation, "c>p", "udp", clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN))
-	addIfNonZero(int64(proxyTargetBytes), m.dataBytes, "p>t", "udp", accessKey)
-	addIfNonZero(int64(proxyTargetBytes), m.dataBytesPerLocation, "p>t", "udp", clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN))
-}
-
-func (m *outlineMetricsCollector) AddUDPPacketFromTarget(clientInfo ipinfo.IPInfo, accessKey, status string, targetProxyBytes, proxyClientBytes int) {
-	addIfNonZero(int64(targetProxyBytes), m.dataBytes, "p<t", "udp", accessKey)
-	addIfNonZero(int64(targetProxyBytes), m.dataBytesPerLocation, "p<t", "udp", clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN))
-	addIfNonZero(int64(proxyClientBytes), m.dataBytes, "c<p", "udp", accessKey)
-	addIfNonZero(int64(proxyClientBytes), m.dataBytesPerLocation, "c<p", "udp", clientInfo.CountryCode.String(), asnLabel(clientInfo.ASN))
-}
-
-func (m *outlineMetricsCollector) AddUDPNatEntry(clientAddr net.Addr, accessKey string) {
-	m.udpCollector.addNatEntry()
-
-	ipKey, err := toIPKey(clientAddr, accessKey)
-	if err == nil {
-		m.tunnelTimeCollector.startConnection(*ipKey)
-	}
-}
-
-func (m *outlineMetricsCollector) RemoveUDPNatEntry(clientAddr net.Addr, accessKey string) {
-	m.udpCollector.removeNatEntry()
-
-	ipKey, err := toIPKey(clientAddr, accessKey)
-	if err == nil {
-		m.tunnelTimeCollector.stopConnection(*ipKey)
-	}
-}
-
-func (m *outlineMetricsCollector) AddTCPProbe(status, drainResult, listenerId string, clientProxyBytes int64) {
-	m.tcpCollector.addProbe(listenerId, status, drainResult, clientProxyBytes)
-}
-
-func (m *outlineMetricsCollector) AddTCPCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {
-	foundStr := "false"
-	if accessKeyFound {
-		foundStr = "true"
+// Converts a [net.Addr] to an [IPKey].
+func toIPKey(addr net.Addr, accessKey string) (*IPKey, error) {
+	hostname, _, err := net.SplitHostPort(addr.String())
+	if err != nil {
+		return nil, fmt.Errorf("failed to create IPKey: %w", err)
 	}
-	m.timeToCipherMs.WithLabelValues("tcp", foundStr).Observe(timeToCipher.Seconds() * 1000)
-}
-
-func (m *outlineMetricsCollector) AddUDPCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {
-	foundStr := "false"
-	if accessKeyFound {
-		foundStr = "true"
+	ip, err := netip.ParseAddr(hostname)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create IPKey: %w", err)
 	}
-	m.timeToCipherMs.WithLabelValues("udp", foundStr).Observe(timeToCipher.Seconds() * 1000)
+	return &IPKey{ip, accessKey}, nil
 }
diff --git a/cmd/outline-ss-server/metrics_test.go b/cmd/outline-ss-server/metrics_test.go
index 83d57a40..44e1887b 100644
--- a/cmd/outline-ss-server/metrics_test.go
+++ b/cmd/outline-ss-server/metrics_test.go
@@ -50,27 +50,42 @@ func init() {
 	logging.SetLevel(logging.INFO, "")
 }
 
+type fakeConn struct {
+	net.Conn
+}
+
+func (c *fakeConn) LocalAddr() net.Addr {
+	return fakeAddr("127.0.0.1:9")
+}
+
+func (c *fakeConn) RemoteAddr() net.Addr {
+	return fakeAddr("127.0.0.1:10")
+}
+
 func TestMethodsDontPanic(t *testing.T) {
-	ssMetrics := newPrometheusOutlineMetrics(nil)
+	ssMetrics, _ := newPrometheusOutlineMetrics(nil)
 	proxyMetrics := metrics.ProxyMetrics{
 		ClientProxy: 1,
 		ProxyTarget: 2,
 		TargetProxy: 3,
 		ProxyClient: 4,
 	}
-	ipInfo := ipinfo.IPInfo{CountryCode: "US", ASN: 100}
+	addr := fakeAddr("127.0.0.1:9")
 	ssMetrics.SetBuildInfo("0.0.0-test")
 	ssMetrics.SetNumAccessKeys(20, 2)
-	ssMetrics.AddOpenTCPConnection(ipInfo)
-	ssMetrics.AddAuthenticatedTCPConnection(fakeAddr("127.0.0.1:9"), "0")
-	ssMetrics.AddClosedTCPConnection(ipInfo, fakeAddr("127.0.0.1:9"), "1", "OK", proxyMetrics, 10*time.Millisecond)
-	ssMetrics.AddUDPPacketFromClient(ipInfo, "2", "OK", 10, 20)
-	ssMetrics.AddUDPPacketFromTarget(ipInfo, "3", "OK", 10, 20)
-	ssMetrics.AddUDPNatEntry(fakeAddr("127.0.0.1:9"), "key-1")
-	ssMetrics.RemoveUDPNatEntry(fakeAddr("127.0.0.1:9"), "key-1")
-	ssMetrics.AddTCPProbe("ERR_CIPHER", "eof", "127.0.0.1:443", proxyMetrics.ClientProxy)
-	ssMetrics.AddTCPCipherSearch(true, 10*time.Millisecond)
-	ssMetrics.AddUDPCipherSearch(true, 10*time.Millisecond)
+
+	tcpMetrics := ssMetrics.AddOpenTCPConnection(&fakeConn{})
+	tcpMetrics.AddAuthenticated("0")
+	tcpMetrics.AddClosed("OK", proxyMetrics, 10*time.Millisecond)
+	tcpMetrics.AddProbe("ERR_CIPHER", "eof", proxyMetrics.ClientProxy)
+
+	udpMetrics := ssMetrics.AddUDPNatEntry(addr, "key-1")
+	udpMetrics.AddPacketFromClient("OK", 10, 20)
+	udpMetrics.AddPacketFromTarget("OK", 10, 20)
+	udpMetrics.RemoveNatEntry()
+
+	ssMetrics.tcpServiceMetrics.AddCipherSearch(true, 10*time.Millisecond)
+	ssMetrics.udpServiceMetrics.AddCipherSearch(true, 10*time.Millisecond)
 }
 
 func TestASNLabel(t *testing.T) {
@@ -81,11 +96,12 @@ func TestASNLabel(t *testing.T) {
 func TestTunnelTime(t *testing.T) {
 	t.Run("PerKey", func(t *testing.T) {
 		setNow(time.Date(2010, 1, 2, 3, 4, 5, .0, time.Local))
-		ssMetrics := newPrometheusOutlineMetrics(nil)
+		ssMetrics, _ := newPrometheusOutlineMetrics(nil)
 		reg := prometheus.NewPedanticRegistry()
 		reg.MustRegister(ssMetrics)
 
-		ssMetrics.AddAuthenticatedTCPConnection(fakeAddr("127.0.0.1:9"), "key-1")
+		connMetrics := ssMetrics.AddOpenTCPConnection(&fakeConn{})
+		connMetrics.AddAuthenticated("key-1")
 		setNow(time.Date(2010, 1, 2, 3, 4, 20, .0, time.Local))
 
 		expected := strings.NewReader(`
@@ -103,11 +119,12 @@ func TestTunnelTime(t *testing.T) {
 
 	t.Run("PerLocation", func(t *testing.T) {
 		setNow(time.Date(2010, 1, 2, 3, 4, 5, .0, time.Local))
-		ssMetrics := newPrometheusOutlineMetrics(&noopMap{})
+		ssMetrics, _ := newPrometheusOutlineMetrics(&noopMap{})
 		reg := prometheus.NewPedanticRegistry()
 		reg.MustRegister(ssMetrics)
 
-		ssMetrics.AddAuthenticatedTCPConnection(fakeAddr("127.0.0.1:9"), "key-1")
+		connMetrics := ssMetrics.AddOpenTCPConnection(&fakeConn{})
+		connMetrics.AddAuthenticated("key-1")
 		setNow(time.Date(2010, 1, 2, 3, 4, 10, .0, time.Local))
 
 		expected := strings.NewReader(`
@@ -126,9 +143,10 @@ func TestTunnelTime(t *testing.T) {
 
 func TestTunnelTimePerKeyDoesNotPanicOnUnknownClosedConnection(t *testing.T) {
 	reg := prometheus.NewPedanticRegistry()
-	ssMetrics := newPrometheusOutlineMetrics(nil)
+	ssMetrics, _ := newPrometheusOutlineMetrics(nil)
 
-	ssMetrics.AddClosedTCPConnection(ipinfo.IPInfo{}, fakeAddr("127.0.0.1:9"), "key-1", "OK", metrics.ProxyMetrics{}, time.Minute)
+	connMetrics := ssMetrics.AddOpenTCPConnection(&fakeConn{})
+	connMetrics.AddClosed("OK", metrics.ProxyMetrics{}, time.Minute)
 
 	err := promtest.GatherAndCompare(
 		reg,
@@ -139,74 +157,72 @@ func TestTunnelTimePerKeyDoesNotPanicOnUnknownClosedConnection(t *testing.T) {
 }
 
 func BenchmarkOpenTCP(b *testing.B) {
-	ssMetrics := newPrometheusOutlineMetrics(nil)
-	ipinfo := ipinfo.IPInfo{CountryCode: "US", ASN: 100}
+	ssMetrics, _ := newPrometheusOutlineMetrics(nil)
+	conn := &fakeConn{}
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		ssMetrics.AddOpenTCPConnection(ipinfo)
+		ssMetrics.AddOpenTCPConnection(conn)
 	}
 }
 
 func BenchmarkCloseTCP(b *testing.B) {
-	ssMetrics := newPrometheusOutlineMetrics(nil)
-	ipinfo := ipinfo.IPInfo{CountryCode: "US", ASN: 100}
-	addr := fakeAddr("127.0.0.1:9")
+	ssMetrics, _ := newPrometheusOutlineMetrics(nil)
+	connMetrics := ssMetrics.AddOpenTCPConnection(&fakeConn{})
 	accessKey := "key 1"
 	status := "OK"
 	data := metrics.ProxyMetrics{}
-	timeToCipher := time.Microsecond
 	duration := time.Minute
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		ssMetrics.AddAuthenticatedTCPConnection(addr, accessKey)
-		ssMetrics.AddClosedTCPConnection(ipinfo, addr, accessKey, status, data, duration)
-		ssMetrics.AddTCPCipherSearch(true, timeToCipher)
+		connMetrics.AddAuthenticated(accessKey)
+		connMetrics.AddClosed(status, data, duration)
 	}
 }
 
 func BenchmarkProbe(b *testing.B) {
-	ssMetrics := newPrometheusOutlineMetrics(nil)
+	ssMetrics, _ := newPrometheusOutlineMetrics(nil)
+	connMetrics := ssMetrics.AddOpenTCPConnection(&fakeConn{})
 	status := "ERR_REPLAY"
 	drainResult := "other"
 	data := metrics.ProxyMetrics{}
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		ssMetrics.AddTCPProbe(status, drainResult, "127.0.0.1:12345", data.ClientProxy)
+		connMetrics.AddProbe(status, drainResult, data.ClientProxy)
 	}
 }
 
 func BenchmarkClientUDP(b *testing.B) {
-	ssMetrics := newPrometheusOutlineMetrics(nil)
-	clientInfo := ipinfo.IPInfo{CountryCode: "ZZ", ASN: 100}
+	ssMetrics, _ := newPrometheusOutlineMetrics(nil)
+	addr := fakeAddr("127.0.0.1:9")
 	accessKey := "key 1"
+	udpMetrics := ssMetrics.AddUDPNatEntry(addr, accessKey)
 	status := "OK"
-	size := 1000
-	timeToCipher := time.Microsecond
+	size := int64(1000)
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		ssMetrics.AddUDPPacketFromClient(clientInfo, accessKey, status, size, size)
-		ssMetrics.AddUDPCipherSearch(true, timeToCipher)
+		udpMetrics.AddPacketFromClient(status, size, size)
 	}
 }
 
 func BenchmarkTargetUDP(b *testing.B) {
-	ssMetrics := newPrometheusOutlineMetrics(nil)
-	clientInfo := ipinfo.IPInfo{CountryCode: "ZZ", ASN: 100}
+	ssMetrics, _ := newPrometheusOutlineMetrics(nil)
+	addr := fakeAddr("127.0.0.1:9")
 	accessKey := "key 1"
+	udpMetrics := ssMetrics.AddUDPNatEntry(addr, accessKey)
 	status := "OK"
-	size := 1000
+	size := int64(1000)
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		ssMetrics.AddUDPPacketFromTarget(clientInfo, accessKey, status, size, size)
+		udpMetrics.AddPacketFromTarget(status, size, size)
 	}
 }
 
 func BenchmarkNAT(b *testing.B) {
-	ssMetrics := newPrometheusOutlineMetrics(nil)
+	ssMetrics, _ := newPrometheusOutlineMetrics(nil)
 	addr := fakeAddr("127.0.0.1:9")
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		ssMetrics.AddUDPNatEntry(addr, "key-0")
-		ssMetrics.RemoveUDPNatEntry(addr, "key-0")
+		udpMetrics := ssMetrics.AddUDPNatEntry(addr, "key-0")
+		udpMetrics.RemoveNatEntry()
 	}
 }
diff --git a/cmd/outline-ss-server/server_test.go b/cmd/outline-ss-server/server_test.go
index e8a47f0f..20729a06 100644
--- a/cmd/outline-ss-server/server_test.go
+++ b/cmd/outline-ss-server/server_test.go
@@ -20,7 +20,10 @@ import (
 )
 
 func TestRunSSServer(t *testing.T) {
-	m := newPrometheusOutlineMetrics(nil)
+	m, err := newPrometheusOutlineMetrics(nil)
+	if err != nil {
+		t.Fatalf("Failed to create Prometheus metrics: %v", err)
+	}
 	server, err := RunSSServer("config_example.yml", 30*time.Second, m, 10000)
 	if err != nil {
 		t.Fatalf("RunSSServer() error = %v", err)
diff --git a/internal/integration_test/integration_test.go b/internal/integration_test/integration_test.go
index f72d835b..f847f761 100644
--- a/internal/integration_test/integration_test.go
+++ b/internal/integration_test/integration_test.go
@@ -27,7 +27,6 @@ import (
 
 	"github.com/Jigsaw-Code/outline-sdk/transport"
 	"github.com/Jigsaw-Code/outline-sdk/transport/shadowsocks"
-	"github.com/Jigsaw-Code/outline-ss-server/ipinfo"
 	"github.com/Jigsaw-Code/outline-ss-server/service"
 	"github.com/Jigsaw-Code/outline-ss-server/service/metrics"
 	logging "github.com/op/go-logging"
@@ -131,13 +130,16 @@ func TestTCPEcho(t *testing.T) {
 	}
 	replayCache := service.NewReplayCache(5)
 	const testTimeout = 200 * time.Millisecond
-	testMetrics := &service.NoOpTCPMetrics{}
-	authFunc := service.NewShadowsocksStreamAuthenticator(cipherList, &replayCache, testMetrics)
-	handler := service.NewStreamHandler(authFunc, testMetrics, testTimeout)
+	testMetrics := &statusMetrics{}
+	authFunc := service.NewShadowsocksStreamAuthenticator(cipherList, &replayCache, &fakeShadowsocksMetrics{})
+	handler := service.NewStreamHandler(authFunc, testTimeout)
 	handler.SetTargetDialer(&transport.TCPDialer{})
 	done := make(chan struct{})
 	go func() {
-		service.StreamServe(func() (transport.StreamConn, error) { return proxyListener.AcceptTCP() }, handler.Handle)
+		service.StreamServe(
+			func() (transport.StreamConn, error) { return proxyListener.AcceptTCP() },
+			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+		)
 		done <- struct{}{}
 	}()
 
@@ -181,13 +183,21 @@ func TestTCPEcho(t *testing.T) {
 	echoRunning.Wait()
 }
 
+type fakeShadowsocksMetrics struct {
+}
+
+var _ service.ShadowsocksConnMetrics = (*fakeShadowsocksMetrics)(nil)
+
+func (m *fakeShadowsocksMetrics) AddCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {
+}
+
 type statusMetrics struct {
-	service.NoOpTCPMetrics
+	service.NoOpTCPConnMetrics
 	sync.Mutex
 	statuses []string
 }
 
-func (m *statusMetrics) AddClosedTCPConnection(clientInfo ipinfo.IPInfo, ip net.Addr, accessKey string, status string, data metrics.ProxyMetrics, duration time.Duration) {
+func (m *statusMetrics) AddClosed(status string, data metrics.ProxyMetrics, duration time.Duration) {
 	m.Lock()
 	m.statuses = append(m.statuses, status)
 	m.Unlock()
@@ -201,11 +211,14 @@ func TestRestrictedAddresses(t *testing.T) {
 	require.NoError(t, err)
 	const testTimeout = 200 * time.Millisecond
 	testMetrics := &statusMetrics{}
-	authFunc := service.NewShadowsocksStreamAuthenticator(cipherList, nil, testMetrics)
-	handler := service.NewStreamHandler(authFunc, testMetrics, testTimeout)
+	authFunc := service.NewShadowsocksStreamAuthenticator(cipherList, nil, &fakeShadowsocksMetrics{})
+	handler := service.NewStreamHandler(authFunc, testTimeout)
 	done := make(chan struct{})
 	go func() {
-		service.StreamServe(service.WrapStreamAcceptFunc(proxyListener.AcceptTCP), handler.Handle)
+		service.StreamServe(
+			service.WrapStreamAcceptFunc(proxyListener.AcceptTCP),
+			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+		)
 		done <- struct{}{}
 	}()
 
@@ -246,35 +259,44 @@ func TestRestrictedAddresses(t *testing.T) {
 
 // Metrics about one UDP packet.
 type udpRecord struct {
-	clientInfo        ipinfo.IPInfo
+	clientAddr        net.Addr
 	accessKey, status string
-	in, out           int
+	in, out           int64
 }
 
-// Fake metrics implementation for UDP
-type fakeUDPMetrics struct {
-	up, down []udpRecord
-	natAdded int
+type fakeUDPConnMetrics struct {
+	clientAddr net.Addr
+	accessKey  string
+	up, down   []udpRecord
 }
 
-var _ service.UDPMetrics = (*fakeUDPMetrics)(nil)
+var _ service.UDPConnMetrics = (*fakeUDPConnMetrics)(nil)
 
-func (m *fakeUDPMetrics) GetIPInfo(ip net.IP) (ipinfo.IPInfo, error) {
-	return ipinfo.IPInfo{CountryCode: "QQ"}, nil
+func (m *fakeUDPConnMetrics) AddPacketFromClient(status string, clientProxyBytes, proxyTargetBytes int64) {
+	m.up = append(m.up, udpRecord{m.clientAddr, m.accessKey, status, clientProxyBytes, proxyTargetBytes})
 }
-func (m *fakeUDPMetrics) AddUDPPacketFromClient(clientInfo ipinfo.IPInfo, accessKey, status string, clientProxyBytes, proxyTargetBytes int) {
-	m.up = append(m.up, udpRecord{clientInfo, accessKey, status, clientProxyBytes, proxyTargetBytes})
+func (m *fakeUDPConnMetrics) AddPacketFromTarget(status string, targetProxyBytes, proxyClientBytes int64) {
+	m.down = append(m.down, udpRecord{m.clientAddr, m.accessKey, status, targetProxyBytes, proxyClientBytes})
 }
-func (m *fakeUDPMetrics) AddUDPPacketFromTarget(clientInfo ipinfo.IPInfo, accessKey, status string, targetProxyBytes, proxyClientBytes int) {
-	m.down = append(m.down, udpRecord{clientInfo, accessKey, status, targetProxyBytes, proxyClientBytes})
+func (m *fakeUDPConnMetrics) RemoveNatEntry() {
+	// Not tested because it requires waiting for a long timeout.
 }
-func (m *fakeUDPMetrics) AddUDPNatEntry(clientAddr net.Addr, accessKey string) {
-	m.natAdded++
+
+// Fake metrics implementation for UDP
+type fakeUDPMetrics struct {
+	connMetrics []fakeUDPConnMetrics
 }
-func (m *fakeUDPMetrics) RemoveUDPNatEntry(clientAddr net.Addr, accessKey string) {
-	// Not tested because it requires waiting for a long timeout.
+
+var _ service.UDPMetrics = (*fakeUDPMetrics)(nil)
+
+func (m *fakeUDPMetrics) AddUDPNatEntry(clientAddr net.Addr, accessKey string) service.UDPConnMetrics {
+	cm := fakeUDPConnMetrics{
+		clientAddr: clientAddr,
+		accessKey:  accessKey,
+	}
+	m.connMetrics = append(m.connMetrics, cm)
+	return &m.connMetrics[len(m.connMetrics)-1]
 }
-func (m *fakeUDPMetrics) AddUDPCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {}
 
 func TestUDPEcho(t *testing.T) {
 	echoConn, echoRunning := startUDPEchoServer(t)
@@ -289,7 +311,7 @@ func TestUDPEcho(t *testing.T) {
 		t.Fatal(err)
 	}
 	testMetrics := &fakeUDPMetrics{}
-	proxy := service.NewPacketHandler(time.Hour, cipherList, testMetrics)
+	proxy := service.NewPacketHandler(time.Hour, cipherList, testMetrics, &fakeShadowsocksMetrics{})
 	proxy.SetTargetIPValidator(allowAll)
 	done := make(chan struct{})
 	go func() {
@@ -339,33 +361,28 @@ func TestUDPEcho(t *testing.T) {
 	snapshot := cipherList.SnapshotForClientIP(netip.Addr{})
 	keyID := snapshot[0].Value.(*service.CipherEntry).ID
 
-	if testMetrics.natAdded != 1 {
-		t.Errorf("Wrong NAT add count: %d", testMetrics.natAdded)
+	if len(testMetrics.connMetrics) != 1 {
+		t.Errorf("Wrong NAT count: %d", len(testMetrics.connMetrics))
 	}
-	if len(testMetrics.up) != 1 {
-		t.Errorf("Wrong number of packets sent: %v", testMetrics.up)
+	if len(testMetrics.connMetrics[0].up) != 1 {
+		t.Errorf("Wrong number of packets sent: %v", testMetrics.connMetrics[0].up)
 	} else {
-		record := testMetrics.up[0]
-		require.Equal(t, "XL", record.clientInfo.CountryCode.String())
-		if record.clientInfo.CountryCode != "XL" ||
-			record.accessKey != keyID ||
-			record.status != "OK" ||
-			record.in <= record.out ||
-			record.out != N {
-			t.Errorf("Bad upstream metrics: %v", record)
-		}
-	}
-	if len(testMetrics.down) != 1 {
-		t.Errorf("Wrong number of packets received: %v", testMetrics.down)
+		record := testMetrics.connMetrics[0].up[0]
+		require.Equal(t, conn.LocalAddr(), record.clientAddr, "Bad upstream metrics")
+		require.Equal(t, keyID, record.accessKey, "Bad upstream metrics")
+		require.Equal(t, "OK", record.status, "Bad upstream metrics")
+		require.Greater(t, record.in, record.out, "Bad upstream metrics")
+		require.Equal(t, int64(N), record.out, "Bad upstream metrics")
+	}
+	if len(testMetrics.connMetrics[0].down) != 1 {
+		t.Errorf("Wrong number of packets received: %v", testMetrics.connMetrics[0].down)
 	} else {
-		record := testMetrics.down[0]
-		if record.clientInfo.CountryCode != "XL" ||
-			record.accessKey != keyID ||
-			record.status != "OK" ||
-			record.in != N ||
-			record.out <= record.in {
-			t.Errorf("Bad upstream metrics: %v", record)
-		}
+		record := testMetrics.connMetrics[0].down[0]
+		require.Equal(t, conn.LocalAddr(), record.clientAddr, "Bad downstream metrics")
+		require.Equal(t, keyID, record.accessKey, "Bad downstream metrics")
+		require.Equal(t, "OK", record.status, "Bad downstream metrics")
+		require.Greater(t, record.out, record.in, "Bad downstream metrics")
+		require.Equal(t, int64(N), record.in, "Bad downstream metrics")
 	}
 }
 
@@ -382,13 +399,16 @@ func BenchmarkTCPThroughput(b *testing.B) {
 		b.Fatal(err)
 	}
 	const testTimeout = 200 * time.Millisecond
-	testMetrics := &service.NoOpTCPMetrics{}
-	authFunc := service.NewShadowsocksStreamAuthenticator(cipherList, nil, testMetrics)
-	handler := service.NewStreamHandler(authFunc, testMetrics, testTimeout)
+	testMetrics := &service.NoOpTCPConnMetrics{}
+	authFunc := service.NewShadowsocksStreamAuthenticator(cipherList, nil, &fakeShadowsocksMetrics{})
+	handler := service.NewStreamHandler(authFunc, testTimeout)
 	handler.SetTargetDialer(&transport.TCPDialer{})
 	done := make(chan struct{})
 	go func() {
-		service.StreamServe(service.WrapStreamAcceptFunc(proxyListener.AcceptTCP), handler.Handle)
+		service.StreamServe(
+			service.WrapStreamAcceptFunc(proxyListener.AcceptTCP),
+			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+		)
 		done <- struct{}{}
 	}()
 
@@ -446,13 +466,16 @@ func BenchmarkTCPMultiplexing(b *testing.B) {
 	}
 	replayCache := service.NewReplayCache(service.MaxCapacity)
 	const testTimeout = 200 * time.Millisecond
-	testMetrics := &service.NoOpTCPMetrics{}
-	authFunc := service.NewShadowsocksStreamAuthenticator(cipherList, &replayCache, testMetrics)
-	handler := service.NewStreamHandler(authFunc, testMetrics, testTimeout)
+	testMetrics := &service.NoOpTCPConnMetrics{}
+	authFunc := service.NewShadowsocksStreamAuthenticator(cipherList, &replayCache, &fakeShadowsocksMetrics{})
+	handler := service.NewStreamHandler(authFunc, testTimeout)
 	handler.SetTargetDialer(&transport.TCPDialer{})
 	done := make(chan struct{})
 	go func() {
-		service.StreamServe(service.WrapStreamAcceptFunc(proxyListener.AcceptTCP), handler.Handle)
+		service.StreamServe(
+			service.WrapStreamAcceptFunc(proxyListener.AcceptTCP),
+			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+		)
 		done <- struct{}{}
 	}()
 
@@ -521,7 +544,7 @@ func BenchmarkUDPEcho(b *testing.B) {
 	if err != nil {
 		b.Fatal(err)
 	}
-	proxy := service.NewPacketHandler(time.Hour, cipherList, &service.NoOpUDPMetrics{})
+	proxy := service.NewPacketHandler(time.Hour, cipherList, &service.NoOpUDPMetrics{}, &fakeShadowsocksMetrics{})
 	proxy.SetTargetIPValidator(allowAll)
 	done := make(chan struct{})
 	go func() {
@@ -565,7 +588,7 @@ func BenchmarkUDPManyKeys(b *testing.B) {
 	if err != nil {
 		b.Fatal(err)
 	}
-	proxy := service.NewPacketHandler(time.Hour, cipherList, &service.NoOpUDPMetrics{})
+	proxy := service.NewPacketHandler(time.Hour, cipherList, &service.NoOpUDPMetrics{}, &fakeShadowsocksMetrics{})
 	proxy.SetTargetIPValidator(allowAll)
 	done := make(chan struct{})
 	go func() {
diff --git a/service/shadowsocks.go b/service/shadowsocks.go
new file mode 100644
index 00000000..97329c3a
--- /dev/null
+++ b/service/shadowsocks.go
@@ -0,0 +1,22 @@
+// Copyright 2024 The Outline Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package service
+
+import "time"
+
+// ShadowsocksConnMetrics is used to report Shadowsocks related metrics on connections.
+type ShadowsocksConnMetrics interface {
+	AddCipherSearch(accessKeyFound bool, timeToCipher time.Duration)
+}
diff --git a/service/tcp.go b/service/tcp.go
index 54f90cf7..8637663b 100644
--- a/service/tcp.go
+++ b/service/tcp.go
@@ -30,21 +30,16 @@ import (
 
 	"github.com/Jigsaw-Code/outline-sdk/transport"
 	"github.com/Jigsaw-Code/outline-sdk/transport/shadowsocks"
-	"github.com/Jigsaw-Code/outline-ss-server/ipinfo"
 	onet "github.com/Jigsaw-Code/outline-ss-server/net"
 	"github.com/Jigsaw-Code/outline-ss-server/service/metrics"
 	"github.com/shadowsocks/go-shadowsocks2/socks"
 )
 
-// TCPMetrics is used to report metrics on TCP connections.
-type TCPMetrics interface {
-	ipinfo.IPInfoMap
-
-	// TCP metrics
-	AddOpenTCPConnection(clientInfo ipinfo.IPInfo)
-	AddAuthenticatedTCPConnection(clientAddr net.Addr, accessKey string)
-	AddClosedTCPConnection(clientInfo ipinfo.IPInfo, clientAddr net.Addr, accessKey string, status string, data metrics.ProxyMetrics, duration time.Duration)
-	AddTCPProbe(status, drainResult string, listenerId string, clientProxyBytes int64)
+// TCPConnMetrics is used to report metrics on TCP connections.
+type TCPConnMetrics interface {
+	AddAuthenticated(accessKey string)
+	AddClosed(status string, data metrics.ProxyMetrics, duration time.Duration)
+	AddProbe(status, drainResult string, clientProxyBytes int64)
 }
 
 func remoteIP(conn net.Conn) netip.Addr {
@@ -119,19 +114,13 @@ func findEntry(firstBytes []byte, ciphers []*list.Element) (*CipherEntry, *list.
 
 type StreamAuthenticateFunc func(clientConn transport.StreamConn) (string, transport.StreamConn, *onet.ConnectionError)
 
-// ShadowsocksTCPMetrics is used to report Shadowsocks metrics on TCP connections.
-type ShadowsocksTCPMetrics interface {
-	// Shadowsocks TCP metrics
-	AddTCPCipherSearch(accessKeyFound bool, timeToCipher time.Duration)
-}
-
 // NewShadowsocksStreamAuthenticator creates a stream authenticator that uses Shadowsocks.
 // TODO(fortuna): Offer alternative transports.
-func NewShadowsocksStreamAuthenticator(ciphers CipherList, replayCache *ReplayCache, metrics ShadowsocksTCPMetrics) StreamAuthenticateFunc {
+func NewShadowsocksStreamAuthenticator(ciphers CipherList, replayCache *ReplayCache, metrics ShadowsocksConnMetrics) StreamAuthenticateFunc {
 	return func(clientConn transport.StreamConn) (string, transport.StreamConn, *onet.ConnectionError) {
 		// Find the cipher and acess key id.
 		cipherEntry, clientReader, clientSalt, timeToCipher, keyErr := findAccessKey(clientConn, remoteIP(clientConn), ciphers)
-		metrics.AddTCPCipherSearch(keyErr == nil, timeToCipher)
+		metrics.AddCipherSearch(keyErr == nil, timeToCipher)
 		if keyErr != nil {
 			const status = "ERR_CIPHER"
 			return "", nil, onet.NewConnectionError(status, "Failed to find a valid cipher", keyErr)
@@ -163,16 +152,14 @@ func NewShadowsocksStreamAuthenticator(ciphers CipherList, replayCache *ReplayCa
 
 type streamHandler struct {
 	listenerId   string
-	m            TCPMetrics
 	readTimeout  time.Duration
 	authenticate StreamAuthenticateFunc
 	dialer       transport.StreamDialer
 }
 
 // NewStreamHandler creates a StreamHandler
-func NewStreamHandler(authenticate StreamAuthenticateFunc, m TCPMetrics, timeout time.Duration) StreamHandler {
+func NewStreamHandler(authenticate StreamAuthenticateFunc, timeout time.Duration) StreamHandler {
 	return &streamHandler{
-		m:            m,
 		readTimeout:  timeout,
 		authenticate: authenticate,
 		dialer:       defaultDialer,
@@ -190,7 +177,7 @@ func makeValidatingTCPStreamDialer(targetIPValidator onet.TargetIPValidator) tra
 
 // StreamHandler is a handler that handles stream connections.
 type StreamHandler interface {
-	Handle(ctx context.Context, conn transport.StreamConn)
+	Handle(ctx context.Context, conn transport.StreamConn, connMetrics TCPConnMetrics)
 	// SetTargetDialer sets the [transport.StreamDialer] to be used to connect to target addresses.
 	SetTargetDialer(dialer transport.StreamDialer)
 }
@@ -253,18 +240,12 @@ func StreamServe(accept StreamAcceptFunc, handle StreamHandleFunc) {
 	}
 }
 
-func (h *streamHandler) Handle(ctx context.Context, clientConn transport.StreamConn) {
-	clientInfo, err := ipinfo.GetIPInfoFromAddr(h.m, clientConn.RemoteAddr())
-	if err != nil {
-		slog.Warn("Failed client info lookup", "err", err)
-	}
-	slog.LogAttrs(nil, slog.LevelDebug, "Got info for IP.", slog.Any("info", clientInfo), slog.String("IP", clientConn.RemoteAddr().String()))
-	h.m.AddOpenTCPConnection(clientInfo)
+func (h *streamHandler) Handle(ctx context.Context, clientConn transport.StreamConn, connMetrics TCPConnMetrics) {
 	var proxyMetrics metrics.ProxyMetrics
 	measuredClientConn := metrics.MeasureConn(clientConn, &proxyMetrics.ProxyClient, &proxyMetrics.ClientProxy)
 	connStart := time.Now()
 
-	id, connError := h.handleConnection(ctx, measuredClientConn, &proxyMetrics)
+	connError := h.handleConnection(ctx, measuredClientConn, connMetrics, &proxyMetrics)
 
 	connDuration := time.Since(connStart)
 	status := "OK"
@@ -272,7 +253,7 @@ func (h *streamHandler) Handle(ctx context.Context, clientConn transport.StreamC
 		status = connError.Status
 		slog.LogAttrs(nil, slog.LevelDebug, "TCP: Error", slog.String("msg", connError.Message), slog.Any("cause", connError.Cause))
 	}
-	h.m.AddClosedTCPConnection(clientInfo, clientConn.RemoteAddr(), id, status, proxyMetrics, connDuration)
+	connMetrics.AddClosed(status, proxyMetrics, connDuration)
 	measuredClientConn.Close() // Closing after the metrics are added aids integration testing.
 	slog.LogAttrs(nil, slog.LevelDebug, "TCP: Done.", slog.String("status", status), slog.Duration("duration", connDuration))
 }
@@ -327,7 +308,7 @@ func proxyConnection(ctx context.Context, dialer transport.StreamDialer, tgtAddr
 	return nil
 }
 
-func (h *streamHandler) handleConnection(ctx context.Context, outerConn transport.StreamConn, proxyMetrics *metrics.ProxyMetrics) (string, *onet.ConnectionError) {
+func (h *streamHandler) handleConnection(ctx context.Context, outerConn transport.StreamConn, connMetrics TCPConnMetrics, proxyMetrics *metrics.ProxyMetrics) *onet.ConnectionError {
 	// Set a deadline to receive the address to the target.
 	readDeadline := time.Now().Add(h.readTimeout)
 	if deadline, ok := ctx.Deadline(); ok {
@@ -341,10 +322,10 @@ func (h *streamHandler) handleConnection(ctx context.Context, outerConn transpor
 	id, innerConn, authErr := h.authenticate(outerConn)
 	if authErr != nil {
 		// Drain to protect against probing attacks.
-		h.absorbProbe(outerConn, outerConn.LocalAddr().String(), authErr.Status, proxyMetrics)
-		return id, authErr
+		h.absorbProbe(outerConn, connMetrics, authErr.Status, proxyMetrics)
+		return authErr
 	}
-	h.m.AddAuthenticatedTCPConnection(outerConn.RemoteAddr(), id)
+	connMetrics.AddAuthenticated(id)
 
 	// Read target address and dial it.
 	tgtAddr, err := getProxyRequest(innerConn)
@@ -353,7 +334,7 @@ func (h *streamHandler) handleConnection(ctx context.Context, outerConn transpor
 	if err != nil {
 		// Drain to prevent a close on cipher error.
 		io.Copy(io.Discard, outerConn)
-		return id, onet.NewConnectionError("ERR_READ_ADDRESS", "Failed to get target address", err)
+		return onet.NewConnectionError("ERR_READ_ADDRESS", "Failed to get target address", err)
 	}
 
 	dialer := transport.FuncStreamDialer(func(ctx context.Context, addr string) (transport.StreamConn, error) {
@@ -364,17 +345,17 @@ func (h *streamHandler) handleConnection(ctx context.Context, outerConn transpor
 		tgtConn = metrics.MeasureConn(tgtConn, &proxyMetrics.ProxyTarget, &proxyMetrics.TargetProxy)
 		return tgtConn, nil
 	})
-	return id, proxyConnection(ctx, dialer, tgtAddr, innerConn)
+	return proxyConnection(ctx, dialer, tgtAddr, innerConn)
 }
 
 // Keep the connection open until we hit the authentication deadline to protect against probing attacks
 // `proxyMetrics` is a pointer because its value is being mutated by `clientConn`.
-func (h *streamHandler) absorbProbe(clientConn io.ReadCloser, addr, status string, proxyMetrics *metrics.ProxyMetrics) {
+func (h *streamHandler) absorbProbe(clientConn io.ReadCloser, connMetrics TCPConnMetrics, status string, proxyMetrics *metrics.ProxyMetrics) {
 	// This line updates proxyMetrics.ClientProxy before it's used in AddTCPProbe.
 	_, drainErr := io.Copy(io.Discard, clientConn) // drain socket
 	drainResult := drainErrToString(drainErr)
 	slog.LogAttrs(nil, slog.LevelDebug, "Drain error.", slog.Any("err", drainErr), slog.String("result", drainResult))
-	h.m.AddTCPProbe(status, drainResult, addr, proxyMetrics.ClientProxy)
+	connMetrics.AddProbe(status, drainResult, proxyMetrics.ClientProxy)
 }
 
 func drainErrToString(drainErr error) string {
@@ -389,20 +370,13 @@ func drainErrToString(drainErr error) string {
 	}
 }
 
-// NoOpTCPMetrics is a [TCPMetrics] that doesn't do anything. Useful in tests
+// NoOpTCPConnMetrics is a [TCPConnMetrics] that doesn't do anything. Useful in tests
 // or if you don't want to track metrics.
-type NoOpTCPMetrics struct{}
+type NoOpTCPConnMetrics struct{}
 
-var _ TCPMetrics = (*NoOpTCPMetrics)(nil)
+var _ TCPConnMetrics = (*NoOpTCPConnMetrics)(nil)
 
-func (m *NoOpTCPMetrics) AddClosedTCPConnection(clientInfo ipinfo.IPInfo, clientAddr net.Addr, accessKey string, status string, data metrics.ProxyMetrics, duration time.Duration) {
-}
-func (m *NoOpTCPMetrics) GetIPInfo(net.IP) (ipinfo.IPInfo, error) {
-	return ipinfo.IPInfo{}, nil
-}
-func (m *NoOpTCPMetrics) AddOpenTCPConnection(clientInfo ipinfo.IPInfo) {}
-func (m *NoOpTCPMetrics) AddAuthenticatedTCPConnection(clientAddr net.Addr, accessKey string) {
-}
-func (m *NoOpTCPMetrics) AddTCPProbe(status, drainResult string, listenerId string, clientProxyBytes int64) {
+func (m *NoOpTCPConnMetrics) AddAuthenticated(accessKey string) {}
+func (m *NoOpTCPConnMetrics) AddClosed(status string, data metrics.ProxyMetrics, duration time.Duration) {
 }
-func (m *NoOpTCPMetrics) AddTCPCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {}
+func (m *NoOpTCPConnMetrics) AddProbe(status, drainResult string, clientProxyBytes int64) {}
diff --git a/service/tcp_test.go b/service/tcp_test.go
index 428f70e0..a4efcb2e 100644
--- a/service/tcp_test.go
+++ b/service/tcp_test.go
@@ -16,6 +16,7 @@ package service
 
 import (
 	"bytes"
+	"context"
 	"errors"
 	"fmt"
 	"io"
@@ -28,7 +29,6 @@ import (
 
 	"github.com/Jigsaw-Code/outline-sdk/transport"
 	"github.com/Jigsaw-Code/outline-sdk/transport/shadowsocks"
-	"github.com/Jigsaw-Code/outline-ss-server/ipinfo"
 	"github.com/Jigsaw-Code/outline-ss-server/service/metrics"
 	logging "github.com/op/go-logging"
 	"github.com/shadowsocks/go-shadowsocks2/socks"
@@ -214,6 +214,15 @@ func BenchmarkTCPFindCipherRepeat(b *testing.B) {
 	}
 }
 
+// Stub implementation for shadowsocks authentication metrics.
+type fakeShadowsocksMetrics struct {
+}
+
+var _ ShadowsocksConnMetrics = (*fakeShadowsocksMetrics)(nil)
+
+func (m *fakeShadowsocksMetrics) AddCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {
+}
+
 // Stub metrics implementation for testing replay defense.
 type probeTestMetrics struct {
 	mu          sync.Mutex
@@ -222,31 +231,27 @@ type probeTestMetrics struct {
 	closeStatus []string
 }
 
-var _ TCPMetrics = (*probeTestMetrics)(nil)
+var _ TCPConnMetrics = (*probeTestMetrics)(nil)
+var _ ShadowsocksConnMetrics = (*fakeShadowsocksMetrics)(nil)
 
-func (m *probeTestMetrics) AddClosedTCPConnection(clientInfo ipinfo.IPInfo, clientAddr net.Addr, accessKey string, status string, data metrics.ProxyMetrics, duration time.Duration) {
+func (m *probeTestMetrics) AddClosed(status string, data metrics.ProxyMetrics, duration time.Duration) {
 	m.mu.Lock()
 	m.closeStatus = append(m.closeStatus, status)
 	m.mu.Unlock()
 }
 
-func (m *probeTestMetrics) GetIPInfo(net.IP) (ipinfo.IPInfo, error) {
-	return ipinfo.IPInfo{}, nil
-}
-func (m *probeTestMetrics) AddOpenTCPConnection(clientInfo ipinfo.IPInfo) {
-}
-
-func (m *probeTestMetrics) AddAuthenticatedTCPConnection(clientAddr net.Addr, accessKey string) {
+func (m *probeTestMetrics) AddAuthenticated(accessKey string) {
 }
 
-func (m *probeTestMetrics) AddTCPProbe(status, drainResult string, listenerId string, clientProxyBytes int64) {
+func (m *probeTestMetrics) AddProbe(status, drainResult string, clientProxyBytes int64) {
 	m.mu.Lock()
 	m.probeData = append(m.probeData, clientProxyBytes)
 	m.probeStatus = append(m.probeStatus, status)
 	m.mu.Unlock()
 }
 
-func (m *probeTestMetrics) AddTCPCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {}
+func (m *probeTestMetrics) AddCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {
+}
 
 func (m *probeTestMetrics) countStatuses() map[string]int {
 	counts := make(map[string]int)
@@ -280,11 +285,14 @@ func TestProbeRandom(t *testing.T) {
 	cipherList, err := MakeTestCiphers(makeTestSecrets(1))
 	require.NoError(t, err, "MakeTestCiphers failed: %v", err)
 	testMetrics := &probeTestMetrics{}
-	authFunc := NewShadowsocksStreamAuthenticator(cipherList, nil, testMetrics)
-	handler := NewStreamHandler(authFunc, testMetrics, 200*time.Millisecond)
+	authFunc := NewShadowsocksStreamAuthenticator(cipherList, nil, &fakeShadowsocksMetrics{})
+	handler := NewStreamHandler(authFunc, 200*time.Millisecond)
 	done := make(chan struct{})
 	go func() {
-		StreamServe(WrapStreamAcceptFunc(listener.AcceptTCP), handler.Handle)
+		StreamServe(
+			WrapStreamAcceptFunc(listener.AcceptTCP),
+			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+		)
 		done <- struct{}{}
 	}()
 
@@ -357,12 +365,15 @@ func TestProbeClientBytesBasicTruncated(t *testing.T) {
 	require.NoError(t, err, "MakeTestCiphers failed: %v", err)
 	cipher := firstCipher(cipherList)
 	testMetrics := &probeTestMetrics{}
-	authFunc := NewShadowsocksStreamAuthenticator(cipherList, nil, testMetrics)
-	handler := NewStreamHandler(authFunc, testMetrics, 200*time.Millisecond)
+	authFunc := NewShadowsocksStreamAuthenticator(cipherList, nil, &fakeShadowsocksMetrics{})
+	handler := NewStreamHandler(authFunc, 200*time.Millisecond)
 	handler.SetTargetDialer(makeValidatingTCPStreamDialer(allowAll))
 	done := make(chan struct{})
 	go func() {
-		StreamServe(WrapStreamAcceptFunc(listener.AcceptTCP), handler.Handle)
+		StreamServe(
+			WrapStreamAcceptFunc(listener.AcceptTCP),
+			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+		)
 		done <- struct{}{}
 	}()
 
@@ -392,12 +403,15 @@ func TestProbeClientBytesBasicModified(t *testing.T) {
 	require.NoError(t, err, "MakeTestCiphers failed: %v", err)
 	cipher := firstCipher(cipherList)
 	testMetrics := &probeTestMetrics{}
-	authFunc := NewShadowsocksStreamAuthenticator(cipherList, nil, testMetrics)
-	handler := NewStreamHandler(authFunc, testMetrics, 200*time.Millisecond)
+	authFunc := NewShadowsocksStreamAuthenticator(cipherList, nil, &fakeShadowsocksMetrics{})
+	handler := NewStreamHandler(authFunc, 200*time.Millisecond)
 	handler.SetTargetDialer(makeValidatingTCPStreamDialer(allowAll))
 	done := make(chan struct{})
 	go func() {
-		StreamServe(WrapStreamAcceptFunc(listener.AcceptTCP), handler.Handle)
+		StreamServe(
+			WrapStreamAcceptFunc(listener.AcceptTCP),
+			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+		)
 		done <- struct{}{}
 	}()
 
@@ -428,12 +442,15 @@ func TestProbeClientBytesCoalescedModified(t *testing.T) {
 	require.NoError(t, err, "MakeTestCiphers failed: %v", err)
 	cipher := firstCipher(cipherList)
 	testMetrics := &probeTestMetrics{}
-	authFunc := NewShadowsocksStreamAuthenticator(cipherList, nil, testMetrics)
-	handler := NewStreamHandler(authFunc, testMetrics, 200*time.Millisecond)
+	authFunc := NewShadowsocksStreamAuthenticator(cipherList, nil, &fakeShadowsocksMetrics{})
+	handler := NewStreamHandler(authFunc, 200*time.Millisecond)
 	handler.SetTargetDialer(makeValidatingTCPStreamDialer(allowAll))
 	done := make(chan struct{})
 	go func() {
-		StreamServe(WrapStreamAcceptFunc(listener.AcceptTCP), handler.Handle)
+		StreamServe(
+			WrapStreamAcceptFunc(listener.AcceptTCP),
+			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+		)
 		done <- struct{}{}
 	}()
 
@@ -471,11 +488,14 @@ func TestProbeServerBytesModified(t *testing.T) {
 	require.NoError(t, err, "MakeTestCiphers failed: %v", err)
 	cipher := firstCipher(cipherList)
 	testMetrics := &probeTestMetrics{}
-	authFunc := NewShadowsocksStreamAuthenticator(cipherList, nil, testMetrics)
-	handler := NewStreamHandler(authFunc, testMetrics, 200*time.Millisecond)
+	authFunc := NewShadowsocksStreamAuthenticator(cipherList, nil, &fakeShadowsocksMetrics{})
+	handler := NewStreamHandler(authFunc, 200*time.Millisecond)
 	done := make(chan struct{})
 	go func() {
-		StreamServe(WrapStreamAcceptFunc(listener.AcceptTCP), handler.Handle)
+		StreamServe(
+			WrapStreamAcceptFunc(listener.AcceptTCP),
+			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+		)
 		done <- struct{}{}
 	}()
 
@@ -503,7 +523,7 @@ func TestReplayDefense(t *testing.T) {
 	testMetrics := &probeTestMetrics{}
 	const testTimeout = 200 * time.Millisecond
 	authFunc := NewShadowsocksStreamAuthenticator(cipherList, &replayCache, testMetrics)
-	handler := NewStreamHandler(authFunc, testMetrics, testTimeout)
+	handler := NewStreamHandler(authFunc, testTimeout)
 	snapshot := cipherList.SnapshotForClientIP(netip.Addr{})
 	cipherEntry := snapshot[0].Value.(*CipherEntry)
 	cipher := cipherEntry.CryptoKey
@@ -528,7 +548,10 @@ func TestReplayDefense(t *testing.T) {
 
 	done := make(chan struct{})
 	go func() {
-		StreamServe(WrapStreamAcceptFunc(listener.AcceptTCP), handler.Handle)
+		StreamServe(
+			WrapStreamAcceptFunc(listener.AcceptTCP),
+			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+		)
 		done <- struct{}{}
 	}()
 
@@ -582,7 +605,7 @@ func TestReverseReplayDefense(t *testing.T) {
 	testMetrics := &probeTestMetrics{}
 	const testTimeout = 200 * time.Millisecond
 	authFunc := NewShadowsocksStreamAuthenticator(cipherList, &replayCache, testMetrics)
-	handler := NewStreamHandler(authFunc, testMetrics, testTimeout)
+	handler := NewStreamHandler(authFunc, testTimeout)
 	snapshot := cipherList.SnapshotForClientIP(netip.Addr{})
 	cipherEntry := snapshot[0].Value.(*CipherEntry)
 	cipher := cipherEntry.CryptoKey
@@ -598,7 +621,10 @@ func TestReverseReplayDefense(t *testing.T) {
 
 	done := make(chan struct{})
 	go func() {
-		StreamServe(WrapStreamAcceptFunc(listener.AcceptTCP), handler.Handle)
+		StreamServe(
+			WrapStreamAcceptFunc(listener.AcceptTCP),
+			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+		)
 		done <- struct{}{}
 	}()
 
@@ -652,12 +678,15 @@ func probeExpectTimeout(t *testing.T, payloadSize int) {
 	cipherList, err := MakeTestCiphers(makeTestSecrets(5))
 	require.NoError(t, err, "MakeTestCiphers failed: %v", err)
 	testMetrics := &probeTestMetrics{}
-	authFunc := NewShadowsocksStreamAuthenticator(cipherList, nil, testMetrics)
-	handler := NewStreamHandler(authFunc, testMetrics, testTimeout)
+	authFunc := NewShadowsocksStreamAuthenticator(cipherList, nil, &fakeShadowsocksMetrics{})
+	handler := NewStreamHandler(authFunc, testTimeout)
 
 	done := make(chan struct{})
 	go func() {
-		StreamServe(WrapStreamAcceptFunc(listener.AcceptTCP), handler.Handle)
+		StreamServe(
+			WrapStreamAcceptFunc(listener.AcceptTCP),
+			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+		)
 		done <- struct{}{}
 	}()
 
diff --git a/service/udp.go b/service/udp.go
index 119bd66f..2d08a709 100644
--- a/service/udp.go
+++ b/service/udp.go
@@ -25,23 +25,19 @@ import (
 	"time"
 
 	"github.com/Jigsaw-Code/outline-sdk/transport/shadowsocks"
-	"github.com/Jigsaw-Code/outline-ss-server/ipinfo"
 	onet "github.com/Jigsaw-Code/outline-ss-server/net"
 	"github.com/shadowsocks/go-shadowsocks2/socks"
 )
 
-// UDPMetrics is used to report metrics on UDP connections.
-type UDPMetrics interface {
-	ipinfo.IPInfoMap
-
-	// UDP metrics
-	AddUDPPacketFromClient(clientInfo ipinfo.IPInfo, accessKey, status string, clientProxyBytes, proxyTargetBytes int)
-	AddUDPPacketFromTarget(clientInfo ipinfo.IPInfo, accessKey, status string, targetProxyBytes, proxyClientBytes int)
-	AddUDPNatEntry(clientAddr net.Addr, accessKey string)
-	RemoveUDPNatEntry(clientAddr net.Addr, accessKey string)
+// UDPConnMetrics is used to report metrics on UDP connections.
+type UDPConnMetrics interface {
+	AddPacketFromClient(status string, clientProxyBytes, proxyTargetBytes int64)
+	AddPacketFromTarget(status string, targetProxyBytes, proxyClientBytes int64)
+	RemoveNatEntry()
+}
 
-	// Shadowsocks metrics
-	AddUDPCipherSearch(accessKeyFound bool, timeToCipher time.Duration)
+type UDPMetrics interface {
+	AddUDPNatEntry(clientAddr net.Addr, accessKey string) UDPConnMetrics
 }
 
 // Max UDP buffer size for the server code.
@@ -87,12 +83,13 @@ type packetHandler struct {
 	natTimeout        time.Duration
 	ciphers           CipherList
 	m                 UDPMetrics
+	ssm               ShadowsocksConnMetrics
 	targetIPValidator onet.TargetIPValidator
 }
 
 // NewPacketHandler creates a UDPService
-func NewPacketHandler(natTimeout time.Duration, cipherList CipherList, m UDPMetrics) PacketHandler {
-	return &packetHandler{natTimeout: natTimeout, ciphers: cipherList, m: m, targetIPValidator: onet.RequirePublicIP}
+func NewPacketHandler(natTimeout time.Duration, cipherList CipherList, m UDPMetrics, ssMetrics ShadowsocksConnMetrics) PacketHandler {
+	return &packetHandler{natTimeout: natTimeout, ciphers: cipherList, m: m, ssm: ssMetrics, targetIPValidator: onet.RequirePublicIP}
 }
 
 // PacketHandler is a running UDP shadowsocks proxy that can be stopped.
@@ -123,9 +120,9 @@ func (h *packetHandler) Handle(clientConn net.PacketConn) {
 			break
 		}
 
-		var clientInfo ipinfo.IPInfo
 		keyID := ""
 		var proxyTargetBytes int
+		var targetConn *natconn
 
 		connError := func() (connError *onet.ConnectionError) {
 			defer func() {
@@ -145,22 +142,15 @@ func (h *packetHandler) Handle(clientConn net.PacketConn) {
 			cipherData := cipherBuf[:clientProxyBytes]
 			var payload []byte
 			var tgtUDPAddr *net.UDPAddr
-			targetConn := nm.Get(clientAddr.String())
+			targetConn = nm.Get(clientAddr.String())
 			if targetConn == nil {
-				var locErr error
-				clientInfo, locErr = ipinfo.GetIPInfoFromAddr(h.m, clientAddr)
-				if locErr != nil {
-					slog.Warn("Failed client info lookup.", "err", locErr)
-				}
-				debugUDPAddr("Got info for IP.", clientAddr, slog.Any("info", clientInfo))
-
 				ip := clientAddr.(*net.UDPAddr).AddrPort().Addr()
 				var textData []byte
 				var cryptoKey *shadowsocks.EncryptionKey
 				unpackStart := time.Now()
 				textData, keyID, cryptoKey, err = findAccessKeyUDP(ip, textBuf, cipherData, h.ciphers)
 				timeToCipher := time.Since(unpackStart)
-				h.m.AddUDPCipherSearch(err == nil, timeToCipher)
+				h.ssm.AddCipherSearch(err == nil, timeToCipher)
 
 				if err != nil {
 					return onet.NewConnectionError("ERR_CIPHER", "Failed to unpack initial packet", err)
@@ -175,14 +165,12 @@ func (h *packetHandler) Handle(clientConn net.PacketConn) {
 				if err != nil {
 					return onet.NewConnectionError("ERR_CREATE_SOCKET", "Failed to create UDP socket", err)
 				}
-				targetConn = nm.Add(clientAddr, clientConn, cryptoKey, udpConn, clientInfo, keyID)
+				targetConn = nm.Add(clientAddr, clientConn, cryptoKey, udpConn, keyID)
 			} else {
-				clientInfo = targetConn.clientInfo
-
 				unpackStart := time.Now()
 				textData, err := shadowsocks.Unpack(nil, cipherData, targetConn.cryptoKey)
 				timeToCipher := time.Since(unpackStart)
-				h.m.AddUDPCipherSearch(err == nil, timeToCipher)
+				h.ssm.AddCipherSearch(err == nil, timeToCipher)
 
 				if err != nil {
 					return onet.NewConnectionError("ERR_CIPHER", "Failed to unpack data from client", err)
@@ -210,7 +198,9 @@ func (h *packetHandler) Handle(clientConn net.PacketConn) {
 			slog.LogAttrs(nil, slog.LevelDebug, "UDP: Error", slog.String("msg", connError.Message), slog.Any("cause", connError.Cause))
 			status = connError.Status
 		}
-		h.m.AddUDPPacketFromClient(clientInfo, keyID, status, clientProxyBytes, proxyTargetBytes)
+		if targetConn != nil {
+			targetConn.metrics.AddPacketFromClient(status, int64(clientProxyBytes), int64(proxyTargetBytes))
+		}
 	}
 }
 
@@ -244,9 +234,7 @@ type natconn struct {
 	net.PacketConn
 	cryptoKey *shadowsocks.EncryptionKey
 	keyID     string
-	// We store the client information in the NAT map to avoid recomputing it
-	// for every downstream packet in a UDP-based connection.
-	clientInfo ipinfo.IPInfo
+	metrics   UDPConnMetrics
 	// NAT timeout to apply for non-DNS packets.
 	defaultTimeout time.Duration
 	// Current read deadline of PacketConn.  Used to avoid decreasing the
@@ -324,12 +312,12 @@ func (m *natmap) Get(key string) *natconn {
 	return m.keyConn[key]
 }
 
-func (m *natmap) set(key string, pc net.PacketConn, cryptoKey *shadowsocks.EncryptionKey, keyID string, clientInfo ipinfo.IPInfo) *natconn {
+func (m *natmap) set(key string, pc net.PacketConn, cryptoKey *shadowsocks.EncryptionKey, keyID string, connMetrics UDPConnMetrics) *natconn {
 	entry := &natconn{
 		PacketConn:     pc,
 		cryptoKey:      cryptoKey,
 		keyID:          keyID,
-		clientInfo:     clientInfo,
+		metrics:        connMetrics,
 		defaultTimeout: m.timeout,
 	}
 
@@ -352,14 +340,14 @@ func (m *natmap) del(key string) net.PacketConn {
 	return nil
 }
 
-func (m *natmap) Add(clientAddr net.Addr, clientConn net.PacketConn, cryptoKey *shadowsocks.EncryptionKey, targetConn net.PacketConn, clientInfo ipinfo.IPInfo, keyID string) *natconn {
-	entry := m.set(clientAddr.String(), targetConn, cryptoKey, keyID, clientInfo)
+func (m *natmap) Add(clientAddr net.Addr, clientConn net.PacketConn, cryptoKey *shadowsocks.EncryptionKey, targetConn net.PacketConn, keyID string) *natconn {
+	connMetrics := m.metrics.AddUDPNatEntry(clientAddr, keyID)
+	entry := m.set(clientAddr.String(), targetConn, cryptoKey, keyID, connMetrics)
 
-	m.metrics.AddUDPNatEntry(clientAddr, keyID)
 	m.running.Add(1)
 	go func() {
-		timedCopy(clientAddr, clientConn, entry, keyID, m.metrics)
-		m.metrics.RemoveUDPNatEntry(clientAddr, keyID)
+		timedCopy(clientAddr, clientConn, entry, keyID)
+		connMetrics.RemoveNatEntry()
 		if pc := m.del(clientAddr.String()); pc != nil {
 			pc.Close()
 		}
@@ -387,8 +375,7 @@ func (m *natmap) Close() error {
 var maxAddrLen int = len(socks.ParseAddr("[2001:db8::1]:12345"))
 
 // copy from target to client until read timeout
-func timedCopy(clientAddr net.Addr, clientConn net.PacketConn, targetConn *natconn,
-	keyID string, sm UDPMetrics) {
+func timedCopy(clientAddr net.Addr, clientConn net.PacketConn, targetConn *natconn, keyID string) {
 	// pkt is used for in-place encryption of downstream UDP packets, with the layout
 	// [padding?][salt][address][body][tag][extra]
 	// Padding is only used if the address is IPv4.
@@ -456,25 +443,28 @@ func timedCopy(clientAddr net.Addr, clientConn net.PacketConn, targetConn *natco
 		if expired {
 			break
 		}
-		sm.AddUDPPacketFromTarget(targetConn.clientInfo, keyID, status, bodyLen, proxyClientBytes)
+		targetConn.metrics.AddPacketFromTarget(status, int64(bodyLen), int64(proxyClientBytes))
 	}
 }
 
+// NoOpUDPConnMetrics is a [UDPConnMetrics] that doesn't do anything. Useful in tests
+// or if you don't want to track metrics.
+type NoOpUDPConnMetrics struct{}
+
+var _ UDPConnMetrics = (*NoOpUDPConnMetrics)(nil)
+
+func (m *NoOpUDPConnMetrics) AddPacketFromClient(status string, clientProxyBytes, proxyTargetBytes int64) {
+}
+func (m *NoOpUDPConnMetrics) AddPacketFromTarget(status string, targetProxyBytes, proxyClientBytes int64) {
+}
+func (m *NoOpUDPConnMetrics) RemoveNatEntry() {}
+
 // NoOpUDPMetrics is a [UDPMetrics] that doesn't do anything. Useful in tests
 // or if you don't want to track metrics.
 type NoOpUDPMetrics struct{}
 
 var _ UDPMetrics = (*NoOpUDPMetrics)(nil)
 
-func (m *NoOpUDPMetrics) GetIPInfo(net.IP) (ipinfo.IPInfo, error) {
-	return ipinfo.IPInfo{}, nil
-}
-func (m *NoOpUDPMetrics) AddUDPPacketFromClient(clientInfo ipinfo.IPInfo, accessKey, status string, clientProxyBytes, proxyTargetBytes int) {
-}
-func (m *NoOpUDPMetrics) AddUDPPacketFromTarget(clientInfo ipinfo.IPInfo, accessKey, status string, targetProxyBytes, proxyClientBytes int) {
-}
-func (m *NoOpUDPMetrics) AddUDPNatEntry(clientAddr net.Addr, accessKey string) {
-}
-func (m *NoOpUDPMetrics) RemoveUDPNatEntry(clientAddr net.Addr, accessKey string) {
+func (m *NoOpUDPMetrics) AddUDPNatEntry(clientAddr net.Addr, accessKey string) UDPConnMetrics {
+	return &NoOpUDPConnMetrics{}
 }
-func (m *NoOpUDPMetrics) AddUDPCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {}
diff --git a/service/udp_test.go b/service/udp_test.go
index f94238c5..8ba00af3 100644
--- a/service/udp_test.go
+++ b/service/udp_test.go
@@ -24,7 +24,6 @@ import (
 	"time"
 
 	"github.com/Jigsaw-Code/outline-sdk/transport/shadowsocks"
-	"github.com/Jigsaw-Code/outline-ss-server/ipinfo"
 	onet "github.com/Jigsaw-Code/outline-ss-server/net"
 	logging "github.com/op/go-logging"
 	"github.com/shadowsocks/go-shadowsocks2/socks"
@@ -93,33 +92,42 @@ func (conn *fakePacketConn) Close() error {
 }
 
 type udpReport struct {
-	clientInfo                         ipinfo.IPInfo
+	clientAddr                         net.Addr
 	accessKey, status                  string
-	clientProxyBytes, proxyTargetBytes int
+	clientProxyBytes, proxyTargetBytes int64
 }
 
 // Stub metrics implementation for testing NAT behaviors.
-type natTestMetrics struct {
-	natEntriesAdded int
+type fakeUDPConnMetrics struct {
+	clientAddr      net.Addr
+	accessKey       string
 	upstreamPackets []udpReport
 }
 
-var _ UDPMetrics = (*natTestMetrics)(nil)
+var _ UDPConnMetrics = (*fakeUDPConnMetrics)(nil)
 
-func (m *natTestMetrics) GetIPInfo(net.IP) (ipinfo.IPInfo, error) {
-	return ipinfo.IPInfo{}, nil
+func (m *fakeUDPConnMetrics) AddPacketFromClient(status string, clientProxyBytes, proxyTargetBytes int64) {
+	m.upstreamPackets = append(m.upstreamPackets, udpReport{m.clientAddr, m.accessKey, status, clientProxyBytes, proxyTargetBytes})
 }
-func (m *natTestMetrics) AddUDPPacketFromClient(clientInfo ipinfo.IPInfo, accessKey, status string, clientProxyBytes, proxyTargetBytes int) {
-	m.upstreamPackets = append(m.upstreamPackets, udpReport{clientInfo, accessKey, status, clientProxyBytes, proxyTargetBytes})
+func (m *fakeUDPConnMetrics) AddPacketFromTarget(status string, targetProxyBytes, proxyClientBytes int64) {
 }
-func (m *natTestMetrics) AddUDPPacketFromTarget(clientInfo ipinfo.IPInfo, accessKey, status string, targetProxyBytes, proxyClientBytes int) {
+func (m *fakeUDPConnMetrics) RemoveNatEntry() {
 }
-func (m *natTestMetrics) AddUDPNatEntry(clientAddr net.Addr, accessKey string) {
-	m.natEntriesAdded++
+
+type natTestMetrics struct {
+	connMetrics []fakeUDPConnMetrics
 }
-func (m *natTestMetrics) RemoveUDPNatEntry(clientAddr net.Addr, accessKey string) {
+
+var _ UDPMetrics = (*natTestMetrics)(nil)
+
+func (m *natTestMetrics) AddUDPNatEntry(clientAddr net.Addr, accessKey string) UDPConnMetrics {
+	cm := fakeUDPConnMetrics{
+		clientAddr: clientAddr,
+		accessKey:  accessKey,
+	}
+	m.connMetrics = append(m.connMetrics, cm)
+	return &m.connMetrics[len(m.connMetrics)-1]
 }
-func (m *natTestMetrics) AddUDPCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {}
 
 // Takes a validation policy, and returns the metrics it
 // generates when localhost access is attempted
@@ -128,7 +136,7 @@ func sendToDiscard(payloads [][]byte, validator onet.TargetIPValidator) *natTest
 	cipher := ciphers.SnapshotForClientIP(netip.Addr{})[0].Value.(*CipherEntry).CryptoKey
 	clientConn := makePacketConn()
 	metrics := &natTestMetrics{}
-	handler := NewPacketHandler(timeout, ciphers, metrics)
+	handler := NewPacketHandler(timeout, ciphers, metrics, &fakeShadowsocksMetrics{})
 	handler.SetTargetIPValidator(validator)
 	done := make(chan struct{})
 	go func() {
@@ -162,18 +170,12 @@ func TestIPFilter(t *testing.T) {
 
 	t.Run("Localhost allowed", func(t *testing.T) {
 		metrics := sendToDiscard(payloads, allowAll)
-		assert.Equal(t, metrics.natEntriesAdded, 1, "Expected 1 NAT entry, not %d", metrics.natEntriesAdded)
+		assert.Equal(t, len(metrics.connMetrics), 1, "Expected 1 NAT entry, not %d", len(metrics.connMetrics))
 	})
 
 	t.Run("Localhost not allowed", func(t *testing.T) {
 		metrics := sendToDiscard(payloads, onet.RequirePublicIP)
-		assert.Equal(t, 0, metrics.natEntriesAdded, "Unexpected NAT entry on rejected packet")
-		assert.Equal(t, 2, len(metrics.upstreamPackets), "Expected 2 reports, not %v", metrics.upstreamPackets)
-		for _, report := range metrics.upstreamPackets {
-			assert.Greater(t, report.clientProxyBytes, 0, "Expected nonzero input packet size")
-			assert.Equal(t, 0, report.proxyTargetBytes, "No bytes should be sent due to a disallowed packet")
-			assert.Equal(t, report.accessKey, "id-0", "Unexpected access key: %s", report.accessKey)
-		}
+		assert.Equal(t, 0, len(metrics.connMetrics), "Unexpected NAT entry on rejected packet")
 	})
 }
 
@@ -187,9 +189,9 @@ func TestUpstreamMetrics(t *testing.T) {
 
 	metrics := sendToDiscard(payloads, allowAll)
 
-	assert.Equal(t, N, len(metrics.upstreamPackets), "Expected %d reports, not %v", N, metrics.upstreamPackets)
-	for i, report := range metrics.upstreamPackets {
-		assert.Equal(t, i+1, report.proxyTargetBytes, "Expected %d payload bytes, not %d", i+1, report.proxyTargetBytes)
+	assert.Equal(t, N, len(metrics.connMetrics[0].upstreamPackets), "Expected %d reports, not %v", N, metrics.connMetrics[0].upstreamPackets)
+	for i, report := range metrics.connMetrics[0].upstreamPackets {
+		assert.Equal(t, int64(i+1), report.proxyTargetBytes, "Expected %d payload bytes, not %d", i+1, report.proxyTargetBytes)
 		assert.Greater(t, report.clientProxyBytes, report.proxyTargetBytes, "Expected nonzero input overhead (%d > %d)", report.clientProxyBytes, report.proxyTargetBytes)
 		assert.Equal(t, "id-0", report.accessKey, "Unexpected access key name: %s", report.accessKey)
 		assert.Equal(t, "OK", report.status, "Wrong status: %s", report.status)
@@ -215,7 +217,7 @@ func setupNAT() (*fakePacketConn, *fakePacketConn, *natconn) {
 	nat := newNATmap(timeout, &natTestMetrics{}, &sync.WaitGroup{})
 	clientConn := makePacketConn()
 	targetConn := makePacketConn()
-	nat.Add(&clientAddr, clientConn, natCryptoKey, targetConn, ipinfo.IPInfo{CountryCode: "ZZ"}, "key id")
+	nat.Add(&clientAddr, clientConn, natCryptoKey, targetConn, "key id")
 	entry := nat.Get(clientAddr.String())
 	return clientConn, targetConn, entry
 }
@@ -480,7 +482,7 @@ func TestUDPEarlyClose(t *testing.T) {
 	}
 	testMetrics := &natTestMetrics{}
 	const testTimeout = 200 * time.Millisecond
-	s := NewPacketHandler(testTimeout, cipherList, testMetrics)
+	s := NewPacketHandler(testTimeout, cipherList, testMetrics, &fakeShadowsocksMetrics{})
 
 	clientConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.ParseIP("127.0.0.1"), Port: 0})
 	if err != nil {