How we test VPNs
The figures and assessments on this site are based on each provider's published specifications, independent third-party audits, and leak/speed checks that any reader can reproduce with free public tools. We do not claim private lab measurements; where a number isn't independently verifiable, we say so and point you to the public source or the tool to test it yourself.
How we assess a VPN
- 1
Documented capabilities
We start from each provider's official documentation: supported protocols (WireGuard/NordLynx, OpenVPN, Lightway), kill switch, server count and locations, and stated no-log policy. Only features the provider actually documents.
- 2
Independent audits
We look for published independent audits and transparency reports (e.g. PwC, Deloitte, KPMG, Cure53). A no-log claim only counts when an independent audit backs it - a marketing statement alone does not.
- 3
Leak checks (reproducible)
DNS, WebRTC and IPv6 leak checks using public services (ipleak.net, dnsleaktest.com, browserleaks.com). Anyone can run the same checks; a provider that leaks in these public tests is not recommended.
- 4
Speed & latency (reproducible)
Speed and latency are line-specific, so we describe them qualitatively (e.g. WireGuard keeps most of the raw throughput on a nearby server) and point you to fast.com, Cloudflare speedtest, Speedtest CLI or iperf3 to measure your own numbers.
- 5
Streaming access
Streaming unblocking changes constantly as services refresh their blocklists, so we report the trend from independent testers and the provider's track record rather than a fixed pass/fail number.
- 6
Price transparency
We use the publicly listed entry price and the disclosed renewal price together - never the teaser rate alone - so the real cost over a full term is clear.
Checks you can reproduce
For every VPN, we look at the same set of verifiable points. Each one is reproducible: with the free tools listed below, any reader can run the same check and confirm the result on their own connection.
- P1
DNS leak check
Open a VPN session, then check the resolved DNS across several public services (ipleak.net, dnsleaktest.com, browserleaks.com/dns, mullvad.net/check). A VPN that leaks your ISP's resolver in these public tools is not recommended. You can run exactly the same check yourself.
- P2
WebRTC + IPv6 leak check
In Chrome, open chrome://webrtc-internals plus ipleak.net, and check the ICE/STUN candidate and the surfaced public IP; cross-test with browserleaks.com/webrtc and browserleaks.com/ip. Your real IP should never appear on ICE/STUN or over IPv6 with the VPN active.
- P3
Speed & latency check
Throughput and latency are specific to your line and the distance to the server, so we don't publish them as universal numbers. Use fast.com, Cloudflare speedtest, Speedtest CLI or iperf3 with and without the VPN to see your own loss - modern protocols (WireGuard/NordLynx, Lightway) retain most of the raw throughput on a nearby server.
- P4
Kill switch check
With an active VPN session and traffic in flight, force the tunnel down (disable the virtual interface or quit the app) and confirm that internet access is cut until the tunnel recovers - no traffic should escape in the clear. This is reproducible on any machine.
- P5
No-log verification
Read the provider's published privacy policy and compare it against the latest available independent audit (PwC, Deloitte, KPMG, Cure53) and any known court cases (data requests, server seizures). A no-log claim counts only when an independent audit backs it.
Tools you can use
Free, open or public tools anyone can run to verify a VPN's behaviour. No proprietary tooling, no secret scripts - everything here is reproducible by you.
fast.com / Cloudflare speedtest
Browser speed checks to measure your own throughput with and without the VPN on the same line.
Speedtest CLI (Ookla) / iperf3
Command-line throughput and latency tools to compare your speed against the non-VPN baseline on the same time slot.
Wireshark
Real-time packet inspection to confirm the kill switch leaves no clear-text packet between a tunnel drop and recovery, and to surface DNS leaving the tunnel.
dnsleaktest.com + ipleak.net + browserleaks.com
Public cross-tests for DNS, IP, WebRTC and IPv6. Using three services rules out false positives tied to the cache or geolocation of a single one.
mullvad.net/check
A free public page that reports DNS/WebRTC exposure, useful as an independent second opinion alongside the tools above.
What our assessment relies on
Our assessment relies on three kinds of evidence: (1) each provider's published specifications and feature documentation (protocols supported, kill switch, server locations, no-log claims); (2) independent third-party audits and transparency reports when they exist (e.g. PwC, Deloitte, Cure53); and (3) leak and speed checks any reader can reproduce with the public tools listed above. Speed and latency depend on your own line, distance to the server and protocol, so we describe them qualitatively and invite you to measure your own numbers rather than presenting figures as if they were universal.
How we weigh the criteria
Our editorial assessment weighs six axes. The weighting reflects what matters most for privacy and everyday use - and no commercial relationship moves a provider up or down.
Security - DNS + WebRTC + kill switch (30%)
Leak-free in the reproducible public DNS/WebRTC/IPv6 checks, plus an effective kill switch. A leak in these public tests drops this axis.
No-log policy (20%)
Weighted by whether the no-log claim is backed by a published independent audit, not just a marketing statement.
Speed (20%)
Based on the protocols offered (WireGuard/NordLynx, Lightway) and the consensus of independent benchmarks, since real throughput is line-specific - measure your own with the tools above.
Real price (10%)
Effective term rate together with the disclosed renewal rate. Not the entry teaser rate alone.
Support (10%)
Documented support channels, 24/7 chat availability and the quality of the official knowledge base.
Ergonomics / UX (10%)
Install friction, app legibility, platform coverage and ease of access to advanced settings.
Assessments are refreshed as providers change (prices, audits, streaming blocks). The frontmatter dateModified on each page reflects its latest review.
Limits & transparency
We are an editorial site, not an industrial test lab: we do not run thousands of automated sessions, and we do not present private speed measurements as universal truths. Speed, latency and streaming access depend on your geography, line and the moment you test - results will differ from ours. We offset this by relying on publicly verifiable sources (specs, independent audits) and by giving you reproducible checks to run yourself. Conflicts of interest: we earn a commission via the CJ Affiliate network when a reader subscribes to a partner VPN via our links. This is disclosed at the top of every concerned page and every commercial link carries the rel="sponsored nofollow" HTML attribute per Google guidelines. No commercial relationship influences our editorial assessment.
How we rate VPNs - at a glance
Summary of what our assessment is built on: documented capabilities, published independent audits, and leak/speed checks any reader can reproduce with the tools listed above.
| Métrique | Valeur | Détail |
|---|---|---|
| What our rating is based on | Public | Documented specs + independent audits + reproducible checks |
| No-log claims | Audit-backed | Counted only when a published independent audit exists |
| Leak checks | Reproducible | DNS / WebRTC / IPv6 via public tools (ipleak.net, browserleaks.com) |
| Speed & latency | Line-specific | Described qualitatively; measure your own with fast.com / iperf3 |
| Throughput - modern protocols | High retention | WireGuard/NordLynx keeps most raw throughput on a nearby server |
| Streaming unblocking | Trend-based | Reported from independent testers; blocklists change continuously |
| Price | Full-term | Listed entry price + disclosed renewal price together |
| Affiliate disclosure | On every page | CJ Affiliate commission, links rel=sponsored nofollow |
Full dataset : Documented capabilities + published independent audits
Key definitions
Technical terms used in our tests, defined precisely to avoid any ambiguity in interpreting results.
- Kill switch
- A mechanism that automatically cuts the internet connection if the VPN tunnel drops. Without a kill switch, traffic can briefly resume in the clear - the real IP is exposed with no visible alert. You can verify it yourself by forcibly disconnecting the tunnel while watching whether traffic still flows.
- DNS leak
- Situation where DNS queries exit outside the VPN tunnel and go through the ISP's resolver, revealing visited domain names despite an active VPN. Detectable via dnsleaktest.com or ipleak.net. Common cause: VPN client not capturing the system resolver on Windows Smart Multi-Homed Named Resolution.
- WebRTC leak
- Exposure of the real IP address (local or public) via the browser's WebRTC API (STUN/ICE), even with an active VPN. It affects many default Chrome/Edge configurations. Detectable via browserleaks.com/webrtc or our built-in tool.
- IPv6 leak
- IPv6 traffic transiting in the clear outside the VPN tunnel if the VPN client does not block the IPv6 interface. Common on IPv6-enabled connections. Detectable via the IPv6 section of ipleak.net.
- No-log
- Policy declaring that the VPN provider stores neither user IP addresses, nor visited sites, nor connection timestamps. Verified value only via published independent audit (PwC, Deloitte, Cure53) - a commercial declaration without an audit is an unverifiable promise.
- Five Eyes jurisdiction
- Intelligence-sharing alliance between the US, UK, Canada, Australia and New Zealand with mutual surveillance data sharing. A VPN headquartered in a member country can be legally compelled to cooperate. Non-alliance jurisdictions (Panama, Switzerland, Romania) reduce this legal risk.
- Perfect Forward Secrecy (PFS)
- Mechanism that automatically rotates encryption keys every session: if one key is compromised, past sessions remain protected. Present in WireGuard and modern OpenVPN. Essential for long-term protection.
- Double VPN (multi-hop)
- Traffic routed through two successive VPN servers: layered encryption, no single server sees both the source IP and the destination. Higher latency (+40-80 ms typical). Useful for journalists and activists under active surveillance.
Our editorial principles
Public, verifiable sources first
Every claim rests on a published spec, an independent audit, or a check you can reproduce - never on private figures you can't verify.
Drawbacks listed in black and white
Every review contains a "what we're less keen on" section - no disguised marketing.
Kept up to date
VPNs evolve: prices, streaming blocks, audits. We refresh recommended providers and reflect each review's date in dateModified.
Transparency about compensation
We earn a commission if you subscribe via our links - disclosed on every page (banner + links marked sponsored nofollow). It never changes our editorial assessment.
Sources & references
To dig deeper, here are the technical and institutional references we routinely consult.
- WireGuard - whitepaper (PDF)wireguard.com - External link - new tab
- TLS 1.3 - RFC 8446ietf.org - External link - new tab
- OpenVPN - protocol overviewwikipedia.org - External link - new tab
- VPN evaluation criteria - Privacy Guidesprivacyguides.org - External link - new tab
- Recommandations IPsec - ANSSIcyber.gouv.fr - External link - new tab