How long does a complete VPN audit take?

About 10 to 15 minutes the first time, the time to chain the 7 verifications in methodological order. Our [testing protocol](/methodology) documents the exact sequence. To renew after every major VPN update, OS update (Windows feature updates, macOS releases) or browser update (Firefox, Chrome sometimes auto-enable DoH after updates). Once per quarter is enough for personal use.

If my VPN passes the 7 steps, am I really anonymous?

No, and it's an essential distinction to understand. You're protected against the most common IP leaks — that's the VPN audit objective. But anonymity also depends on your cookies, logged accounts (Google, Facebook still know you despite VPN), browser fingerprint, and behavioral habits. A VPN doesn't erase Google, nor Facebook, nor your YouTube history. For strict journalistic anonymity (whistleblower, protected source), you'd need to stack Tor on top of VPN, dedicated machine, complete OPSEC — a VPN audit alone doesn't suffice in that case.

Which of the 7 steps is most critical?

WebRTC and DNS leak — they're the two most frequent and least visible leaks to the naked eye. A malicious site can recover your real IP via WebRTC despite active VPN if the option isn't blocked at browser or VPN level. Same for DNS that reveals your domain history to your ISP without any visible signal. The 5 other steps (public IP, IPv6, kill switch, speed, logs) are important but less frequently exploitable as an immediate leak vector.

Can a free VPN pass these 7 steps?

Very rarely, and that's the brutal conclusion after audit. Across the 6 free VPNs we tested in May 2026 (Proton VPN Free, Windscribe Free, Hide.me Free, AtlasVPN Free, and 2 lesser-known VPNs), none passed all 7 steps. Recurring failures: no kill switch option (step 5), no WebRTC protection (step 3), no published independent audit (step 7), sometimes connection logs explicitly retained. If security matters, paying is unavoidable.

Verify a VPN is secure: complete 7-step audit (2026 method)

Activating a VPN is one thing. Verifying it does what it promises is another. Most users click "Connect", see a green checkmark, and consider the matter closed. Except this indicator light in the app says nothing about what your traffic actually reveals to visited sites. This methodical 7-step audit takes about 10 minutes and tells you exactly where you stand — not what the provider wants to show in its marketing interface.

Step 1 — Verify the observed public IP

The most basic test but also the most quickly revealing of major configuration issues. Open the My IP tool without VPN, note the displayed address and ISP name (Orange, Free, SFR, Bouygues in France). Activate your VPN, reload the page: the IP must have changed, and the ISP must switch to a name like Tefincom (NordVPN subsidiary), Tata Communications, M247 (used by several VPNs), or another datacenter host.

30-second red flag: if the IP hasn't changed after activation, your VPN isn't connected or it's routing your traffic without masking the IP — rare but existing case on certain poorly configured enterprise setups (proxy + VPN neutralizing each other). Fix: restart the VPN client, verify the active network connection.

Also note the detected country: it must match the VPN server you selected. A difference (selected server "Netherlands" but detected country "Germany") indicates either a geographically misadvertised server, or imprecise geolocation from the MaxMind/IP2Location database — not critical in itself, but worth watching if you target a specific streaming catalog (unblocking depends on Netflix-detected geolocation, not declared server).

Step 2 — Test DNS leaks

You can have an IP masked by VPN but see your DNS queries go directly to your ISP's servers. Result: your ISP knows which sites you visit (DNS resolution logs), even if the sites themselves see the VPN's IP. It's the most frequent and least visible leak — hence its criticality in any serious audit.

Quick test: visit dnsleaktest.com, launch an "Extended Test" (not the insufficient "Standard Test"), wait 10-20 seconds. The tool lists DNS servers that responded. Compare with your ISP's DNS servers: if match, leak confirmed.

For complete methodology and fixes by OS (Windows SMHNR to disable, browser DoH to disable, IPv6 to tunnel), see our complete DNS leak test guide. Most serious VPNs push their own DNS servers when active; on less reliable VPNs, the OS decides — and the OS usually takes the ISP DNS server by default.

Step 3 — Audit WebRTC leaks

WebRTC is designed for browser P2P communication (video conferencing, live file sharing, online games). To work, it tries to discover all your IP addresses — including those your VPN is supposed to hide. If nothing blocks it, a JavaScript script on a malicious site can read your real IP despite active VPN. It's the sneakiest leak among the seven audit points.

The test: launch our DNS Leak Test tool — it probes WebRTC ICE candidates from your browser and reveals if a public IP different from the VPN exit appears, i.e. a confirmed leak. If the revealed IP differs from the VPN server IP noted in step 1, immediate action required.

Solutions in order of effectiveness: (1) enable WebRTC protection in your VPN settings (most good VPNs have this option), (2) install the official VPN browser extension that natively disables WebRTC, (3) manually disable WebRTC in Firefox about:config (set media.peerconnection.enabled to false) or via uBlock Origin on Chrome (settings → Privacy → prevent WebRTC).

Step 4 — Verify absence of IPv6 leak

This is the forgotten leak of superficial audits. Many VPNs only route IPv4 traffic and let IPv6 pass directly to your ISP. Result: if the visited site supports IPv6 (Google, Facebook, Cloudflare all do), it sees your real IPv6 while the VPN hides only your IPv4. The site therefore knows your real geolocation.

Quick test: visit test-ipv6.com. If the IPv6 section shows an address and that address isn't the VPN server's, you have an IPv6 leak. Best VPNs offer a "Block IPv6" or "Tunnel IPv6" option in advanced settings. Enable that option or, as a last resort dirty-but-effective fix, disable IPv6 globally on your system (Windows Settings → Network → Adapter → Properties → uncheck IPv6).

NordVPN supports IPv6 tunneling since 2024, ExpressVPN blocks IPv6 by default, Surfshark has a dedicated option. VPNs that don't manage IPv6 at all are technically obsolete in 2026 — Free and Orange deploy IPv6 natively, many users are affected without knowing.

Step 5 — Test the kill switch

The kill switch is what cuts your internet connection if the VPN drops. Without it, a one-second VPN disconnect is enough to reveal your real IP to active sites, even to resume connections in cleartext (Netflix, banking, etc.). It's an essential passive security mechanism.

Simple test: launch a long background download (Ubuntu Linux distribution ISO, 4 GB), then in VPN settings, force a disconnect or kill the VPN client process via task manager. The download must stop dead. If it continues, your kill switch isn't active — or your VPN simply doesn't have one.

Also verify behavior at machine startup: does your VPN reconnect before the browser sends its first requests? If not, the exposure window between OS startup and VPN activation can reveal your IP to trackers that auto-load (Google Analytics, Facebook Pixel on bookmarked sites). Fix: enable "Launch at startup" + "Auto-connect" in the VPN client, AND disable browser auto-launch with previous session.

Step 6 — Measure speed loss

A well-configured VPN typically loses 5 to 15% throughput on nearby server, and adds 10 to 40 ms latency depending on distance. Beyond that, either the server is saturated, the protocol is poorly chosen (OpenVPN instead of WireGuard), or your VPN isn't technically up to 2026 market standards.

Use the Speed Test tool in reproducible sequence: (1) measure once without VPN, note download/upload/latency across 3 successive tries (median), (2) activate VPN on the geographically closest server, (3) remeasure under same conditions, (4) calculate loss in percentage. If you lose more than 30% throughput or 80+ ms latency on local server, change server (yours is saturated) or protocol (force WireGuard/NordLynx). Our complete NordVPN speed analysis details expected benchmarks per configuration.

Modern protocols (WireGuard, NordLynx, Lightway, IKEv2) are significantly more efficient than older ones (OpenVPN UDP, especially OpenVPN TCP). Force WireGuard when available in the VPN client.

★ Audit Deloitte 2024 · ✓ Garantie 30 jours · 14M+ utilisateurs (source : NordVPN press)

Test NordVPN — passes 7-step audit in 99% of sessionsNative WireGuard/NordLynx · Threat Protection · 30-day money-back→

Step 7 — Verify logs policy (and its independent audit)

This is the step you can't technically test yourself, but can verify indirectly via trusted third parties. A VPN claiming to be "no-log" without public audit is just a marketing promise — not a technical proof.

Look on the VPN's website for mention of a recent independent audit by a recognized firm: PwC, Deloitte, KPMG, Cure53, Securitum. NordVPN published several PwC audits (2018, 2020, 2022) and Deloitte (2023, 2024). ExpressVPN was audited by KPMG in 2022. Mullvad has a Cure53 audit series from 2020 to 2023. ProtonVPN audited by Securitum in 2023.

A VPN's no-log policy is as strong as its jurisdiction. A VPN based in a country without legal data retention obligation and independently audited offers the strongest guarantees — but no guarantee can be absolute. Healthy skepticism remains the rule.

— EFF, Electronic Frontier Foundation — Choosing a VPN that's right for you (2024)

Also verify the jurisdiction. A VPN based in Panama (NordVPN) or British Virgin Islands (ExpressVPN) isn't subject to the same retention obligations as a VPN based in the United States (Five Eyes) or France (military programming law). It doesn't guarantee they won't log in practice, but it reduces the legal pressure that could force them to. See our complete NordVPN test for audit + jurisdiction detail.

Summary — your 10-minute audit checklist

To miss nothing, here's the exact sequence to apply in methodological order. Each step must return a result conforming to 2026 standards otherwise the VPN isn't suited to serious privacy use.

Step	Tool	Red flag
1. Public IP	My IP tool	IP unchanged or ISP unchanged
2. DNS leak	DNSLeakTest.com	DNS server = your ISP
3. WebRTC	DNS Leak Test tool	Public IP different from VPN exit
4. IPv6	test-ipv6.com	Real IPv6 visible
5. Kill switch	Manual download test	Download continues after VPN drop
6. Speed	Speed Test tool	Loss > 30% or latency > 80 ms
7. Logs	VPN site + public audit	No recent independent audit

Renew this complete audit after every major update: Windows 11 feature updates, macOS releases, Firefox/Chrome major versions, and of course after VPN client update. Once per quarter is enough for personal use. Our documented VPN testing protocol systematizes this sequence on audited VPNs.

What to remember

A VPN passing the 7 steps protects you against the most common leaks — essential for daily privacy, VPN streaming, or browsing on untrusted Wi-Fi (cafés, hotels, airports). It's rarely the case for free VPNs, and generally the case for the three or four leading paid VPNs on the 2026 market — NordVPN, ExpressVPN, Surfshark, and Mullvad or ProtonVPN for more strictly privacy-focused uses.

If you're going for "journalistic anonymity" or "whistleblower" mode, you'll need to go beyond these 7 steps — Tor on top of VPN, dedicated Linux/Tails machine, strict OPSEC. But that's no longer a simple VPN audit subject, it's complete OPSEC beyond this guide's scope.

For most everyday uses, the chain of 7 verifications above is largely sufficient. Once per quarter, it takes 10 minutes and is well worth confirming that your privacy tool is doing its job.

★ Audit Deloitte 2024 · ✓ Garantie 30 jours · 14M+ utilisateurs (source : NordVPN press)

Test NordVPN — complete Threat ProtectionPwC 2023 + Deloitte 2024 audits confirmed · 30-day money-back→