AnonymFlow

How we test VPNs

The figures and assessments on this site are based on each provider's published specifications, independent third-party audits, and leak/speed checks that any reader can reproduce with free public tools. We do not claim private lab measurements; where a number isn't independently verifiable, we say so and point you to the public source or the tool to test it yourself.

How we assess a VPN

  1. 1

    Documented capabilities

    We start from each provider's official documentation: supported protocols (WireGuard/NordLynx, OpenVPN, Lightway), kill switch, server count and locations, and stated no-log policy. Only features the provider actually documents.

  2. 2

    Independent audits

    We look for published independent audits and transparency reports (e.g. PwC, Deloitte, KPMG, Cure53). A no-log claim only counts when an independent audit backs it - a marketing statement alone does not.

  3. 3

    Leak checks (reproducible)

    DNS, WebRTC and IPv6 leak checks using public services (ipleak.net, dnsleaktest.com, browserleaks.com). Anyone can run the same checks; a provider that leaks in these public tests is not recommended.

  4. 4

    Speed & latency (reproducible)

    Speed and latency are line-specific, so we describe them qualitatively (e.g. WireGuard keeps most of the raw throughput on a nearby server) and point you to fast.com, Cloudflare speedtest, Speedtest CLI or iperf3 to measure your own numbers.

  5. 5

    Streaming access

    Streaming unblocking changes constantly as services refresh their blocklists, so we report the trend from independent testers and the provider's track record rather than a fixed pass/fail number.

  6. 6

    Price transparency

    We use the publicly listed entry price and the disclosed renewal price together - never the teaser rate alone - so the real cost over a full term is clear.

Checks you can reproduce

For every VPN, we look at the same set of verifiable points. Each one is reproducible: with the free tools listed below, any reader can run the same check and confirm the result on their own connection.

  1. P1

    DNS leak check

    Open a VPN session, then check the resolved DNS across several public services (ipleak.net, dnsleaktest.com, browserleaks.com/dns, mullvad.net/check). A VPN that leaks your ISP's resolver in these public tools is not recommended. You can run exactly the same check yourself.

  2. P2

    WebRTC + IPv6 leak check

    In Chrome, open chrome://webrtc-internals plus ipleak.net, and check the ICE/STUN candidate and the surfaced public IP; cross-test with browserleaks.com/webrtc and browserleaks.com/ip. Your real IP should never appear on ICE/STUN or over IPv6 with the VPN active.

  3. P3

    Speed & latency check

    Throughput and latency are specific to your line and the distance to the server, so we don't publish them as universal numbers. Use fast.com, Cloudflare speedtest, Speedtest CLI or iperf3 with and without the VPN to see your own loss - modern protocols (WireGuard/NordLynx, Lightway) retain most of the raw throughput on a nearby server.

  4. P4

    Kill switch check

    With an active VPN session and traffic in flight, force the tunnel down (disable the virtual interface or quit the app) and confirm that internet access is cut until the tunnel recovers - no traffic should escape in the clear. This is reproducible on any machine.

  5. P5

    No-log verification

    Read the provider's published privacy policy and compare it against the latest available independent audit (PwC, Deloitte, KPMG, Cure53) and any known court cases (data requests, server seizures). A no-log claim counts only when an independent audit backs it.

Tools you can use

Free, open or public tools anyone can run to verify a VPN's behaviour. No proprietary tooling, no secret scripts - everything here is reproducible by you.

  • fast.com / Cloudflare speedtest

    Browser speed checks to measure your own throughput with and without the VPN on the same line.

  • Speedtest CLI (Ookla) / iperf3

    Command-line throughput and latency tools to compare your speed against the non-VPN baseline on the same time slot.

  • Wireshark

    Real-time packet inspection to confirm the kill switch leaves no clear-text packet between a tunnel drop and recovery, and to surface DNS leaving the tunnel.

  • dnsleaktest.com + ipleak.net + browserleaks.com

    Public cross-tests for DNS, IP, WebRTC and IPv6. Using three services rules out false positives tied to the cache or geolocation of a single one.

  • mullvad.net/check

    A free public page that reports DNS/WebRTC exposure, useful as an independent second opinion alongside the tools above.

What our assessment relies on

Our assessment relies on three kinds of evidence: (1) each provider's published specifications and feature documentation (protocols supported, kill switch, server locations, no-log claims); (2) independent third-party audits and transparency reports when they exist (e.g. PwC, Deloitte, Cure53); and (3) leak and speed checks any reader can reproduce with the public tools listed above. Speed and latency depend on your own line, distance to the server and protocol, so we describe them qualitatively and invite you to measure your own numbers rather than presenting figures as if they were universal.

How we weigh the criteria

Our editorial assessment weighs six axes. The weighting reflects what matters most for privacy and everyday use - and no commercial relationship moves a provider up or down.

  • Security - DNS + WebRTC + kill switch (30%)

    Leak-free in the reproducible public DNS/WebRTC/IPv6 checks, plus an effective kill switch. A leak in these public tests drops this axis.

  • No-log policy (20%)

    Weighted by whether the no-log claim is backed by a published independent audit, not just a marketing statement.

  • Speed (20%)

    Based on the protocols offered (WireGuard/NordLynx, Lightway) and the consensus of independent benchmarks, since real throughput is line-specific - measure your own with the tools above.

  • Real price (10%)

    Effective term rate together with the disclosed renewal rate. Not the entry teaser rate alone.

  • Support (10%)

    Documented support channels, 24/7 chat availability and the quality of the official knowledge base.

  • Ergonomics / UX (10%)

    Install friction, app legibility, platform coverage and ease of access to advanced settings.

Assessments are refreshed as providers change (prices, audits, streaming blocks). The frontmatter dateModified on each page reflects its latest review.

Limits & transparency

We are an editorial site, not an industrial test lab: we do not run thousands of automated sessions, and we do not present private speed measurements as universal truths. Speed, latency and streaming access depend on your geography, line and the moment you test - results will differ from ours. We offset this by relying on publicly verifiable sources (specs, independent audits) and by giving you reproducible checks to run yourself. Conflicts of interest: we earn a commission via the CJ Affiliate network when a reader subscribes to a partner VPN via our links. This is disclosed at the top of every concerned page and every commercial link carries the rel="sponsored nofollow" HTML attribute per Google guidelines. No commercial relationship influences our editorial assessment.

How we rate VPNs - at a glance

Summary of what our assessment is built on: documented capabilities, published independent audits, and leak/speed checks any reader can reproduce with the tools listed above.

MétriqueValeurDétail
What our rating is based onPublicDocumented specs + independent audits + reproducible checks
No-log claimsAudit-backedCounted only when a published independent audit exists
Leak checksReproducibleDNS / WebRTC / IPv6 via public tools (ipleak.net, browserleaks.com)
Speed & latencyLine-specificDescribed qualitatively; measure your own with fast.com / iperf3
Throughput - modern protocolsHigh retentionWireGuard/NordLynx keeps most raw throughput on a nearby server
Streaming unblockingTrend-basedReported from independent testers; blocklists change continuously
PriceFull-termListed entry price + disclosed renewal price together
Affiliate disclosureOn every pageCJ Affiliate commission, links rel=sponsored nofollow

Full dataset : Documented capabilities + published independent audits

Key definitions

Technical terms used in our tests, defined precisely to avoid any ambiguity in interpreting results.

Kill switch
A mechanism that automatically cuts the internet connection if the VPN tunnel drops. Without a kill switch, traffic can briefly resume in the clear - the real IP is exposed with no visible alert. You can verify it yourself by forcibly disconnecting the tunnel while watching whether traffic still flows.
DNS leak
Situation where DNS queries exit outside the VPN tunnel and go through the ISP's resolver, revealing visited domain names despite an active VPN. Detectable via dnsleaktest.com or ipleak.net. Common cause: VPN client not capturing the system resolver on Windows Smart Multi-Homed Named Resolution.
WebRTC leak
Exposure of the real IP address (local or public) via the browser's WebRTC API (STUN/ICE), even with an active VPN. It affects many default Chrome/Edge configurations. Detectable via browserleaks.com/webrtc or our built-in tool.
IPv6 leak
IPv6 traffic transiting in the clear outside the VPN tunnel if the VPN client does not block the IPv6 interface. Common on IPv6-enabled connections. Detectable via the IPv6 section of ipleak.net.
No-log
Policy declaring that the VPN provider stores neither user IP addresses, nor visited sites, nor connection timestamps. Verified value only via published independent audit (PwC, Deloitte, Cure53) - a commercial declaration without an audit is an unverifiable promise.
Five Eyes jurisdiction
Intelligence-sharing alliance between the US, UK, Canada, Australia and New Zealand with mutual surveillance data sharing. A VPN headquartered in a member country can be legally compelled to cooperate. Non-alliance jurisdictions (Panama, Switzerland, Romania) reduce this legal risk.
Perfect Forward Secrecy (PFS)
Mechanism that automatically rotates encryption keys every session: if one key is compromised, past sessions remain protected. Present in WireGuard and modern OpenVPN. Essential for long-term protection.
Double VPN (multi-hop)
Traffic routed through two successive VPN servers: layered encryption, no single server sees both the source IP and the destination. Higher latency (+40-80 ms typical). Useful for journalists and activists under active surveillance.

Our editorial principles

  • Public, verifiable sources first

    Every claim rests on a published spec, an independent audit, or a check you can reproduce - never on private figures you can't verify.

  • Drawbacks listed in black and white

    Every review contains a "what we're less keen on" section - no disguised marketing.

  • Kept up to date

    VPNs evolve: prices, streaming blocks, audits. We refresh recommended providers and reflect each review's date in dateModified.

  • Transparency about compensation

    We earn a commission if you subscribe via our links - disclosed on every page (banner + links marked sponsored nofollow). It never changes our editorial assessment.