How We Test VPNs: Our Methodology


Our Mission

Finding a trustworthy VPN in 2026 is harder than it has ever been. The market is saturated with over 300 providers, many of them operated by the same holding companies under different branding. Review sites monetised through undisclosed affiliate arrangements dominate search results, routinely awarding five stars to services with documented privacy failures in exchange for higher commission rates. VPN providers themselves have become expert at marketing-speak – phrases like “military-grade encryption” and “no-logs guaranteed” appear on the homepages of services that have actively handed user data to law enforcement.

We built VPNRating.net because we could not find a single source we trusted completely. Our editorial process has two non-negotiable foundations: every subscription is self-funded and no payment, commission arrangement, or partnership ever changes a score or a factual conclusion.

What We DoWhy It Matters
Purchase all subscriptions at retail priceNo provider can influence access or editorial access
Back every claim with packet captures and live test dataSpec sheets and press releases are not evidence
Keep commercial and editorial teams separateCommission rates are invisible to our analysts
Physically test money-back guaranteesPolicy claims mean nothing without verified execution
Re-test top providers on a rolling scheduleA review written 18 months ago is not a current review

The sections below describe our testing process in precise technical detail. We believe transparency about methodology is the only legitimate basis for trust in any review publication.


The 7 Core Pillars of Our Testing Process

Every VPN we review is subjected to the same structured evaluation across seven distinct technical domains. No category is skipped. No pillar is evaluated solely on the basis of what the VPN provider claims – all assessments are independently verified.


Pillar 1: Privacy & Logging Policies

Weighting: 15% of final score

A VPN’s privacy policy is a legal document, not a marketing brochure. We read every clause of the privacy policy, terms of service, and data retention statement before forming any opinion on a provider. We are specifically hunting for contradictions: a homepage that claims “zero logs” against a privacy policy that admits to storing connection timestamps, bandwidth totals, or originating IP addresses.

Jurisdiction Analysis

Legal jurisdiction is the first structural variable we assess. The country in which a VPN’s operating entity is registered determines which court can compel the disclosure of user data and whether the provider is subject to mandatory data retention laws. We map every provider against three key intelligence-sharing frameworks:

  • Five Eyes (FVEY): USA, UK, Canada, Australia, New Zealand. Providers in these jurisdictions face the highest legal exposure to foreign government data requests through bilateral MLAT agreements.
  • Nine Eyes and Fourteen Eyes: Extended SIGINT-sharing networks that include France, Germany, Denmark, Sweden, and others. We treat EU-based providers separately, noting that GDPR enforcement creates financial disincentives for data mishandling that do not exist outside the EU.
  • Jurisdiction-specific quirks: We flag countries with mandatory ISP data retention laws (Germany, Australia), laws that permit secret intelligence warrants without provider notification (the USA’s National Security Letters), and countries where VPN providers have historically complied with government data requests under local law.

Third-Party Audits

An unverified no-logs claim is a marketing statement. The current industry standard for verification is an independent third-party audit in which cybersecurity firms – such as Cure53, KPMG, Deloitte, or SEC Consult – are granted direct access to server configurations, logging infrastructure, and application source code to verify that no session data is being retained.

We track:

  • Which firm conducted the audit
  • Whether the full audit report is publicly available
  • The date of the most recent audit
  • The scope of the audit (app-only vs. full server infrastructure)

An audit completed four years ago against substantially different infrastructure is worth significantly less than a recent, narrowly-scoped assessment of current systems.

Ownership and Corporate Structure

We investigate the corporate ownership chain of every provider we review. Shell companies, opaque holding structures, and undisclosed cross-ownership with data harvesting businesses are all material privacy risks that a simple privacy policy review will not surface. We cross-reference business registration records, LinkedIn corporate data, domain WHOIS histories, and credible investigative reporting to establish who actually controls the infrastructure your traffic passes through.

Our position: A privacy policy that reads well is table stakes. We weight the presence of an independent audit and a verifiable corporate structure far more heavily than a provider’s self-authored claims about data practices.


Pillar 2: Security & Encryption

Weighting: 20% of final score

Encryption standards and leak protection are the engineering foundation of any VPN’s usefulness as a privacy tool. We perform all security testing ourselves using controlled network environments, packet capture tools, and purpose-built leak detection infrastructure. We do not rely on self-reported technical specifications.

Leak Detection: DNS, IPv6, and WebRTC

The three most common failure modes in VPN implementations are DNS leaks, IPv6 address leaks, and WebRTC leaks. Each represents a different path by which your real IP address or browsing destinations can be exposed – even while the VPN tunnel appears to be active.

  • DNS leak testing: We run continuous DNS query monitoring using dnsleaktest.com, ipleak.net, and our own internal DNS logging server. We test in both standard and extended modes, capturing which DNS resolvers receive queries during an active VPN session. A correctly implemented VPN must route all DNS queries through its own encrypted tunnel to its own resolver infrastructure – not to your ISP’s resolver, Google’s 8.8.8.8, or any third-party public DNS service.
  • IPv6 leak testing: Most VPNs are architected around IPv4. If a provider does not explicitly suppress IPv6 traffic or route it through the tunnel, your operating system’s native IPv6 address is transmitted in parallel to the VPN tunnel, revealing your real network identity. We test IPv6 behavior on both dual-stack (IPv4 + IPv6) network connections and IPv6-only environments.
  • WebRTC leak testing: WebRTC’s STUN protocol communicates directly with remote servers to establish peer connections, and this traffic can bypass the VPN tunnel entirely at the browser level. We test WebRTC behavior across Chromium, Firefox, and Safari using browserleaks.com and manual inspection of WebRTC ICE candidate responses.

Tools used: dnsleaktest.com · ipleak.net · browserleaks.com · Wireshark · tcpdump

Kill Switch Stress Testing

A kill switch is a firewall mechanism that halts all network traffic if the VPN tunnel drops unexpectedly. A broken kill switch is one of the most dangerous silent failures in VPN software, because it exposes your real IP without any visible warning. We test kill switch implementations under three specific stress conditions:

  • Sudden tunnel drop: We forcibly terminate the VPN process using the OS task manager while an active download is running, then capture whether any packets route through the default gateway before the kill switch activates.
  • Server switching: We initiate a server location change and monitor packet flow during the tear-down and re-establishment of the tunnel interface. A correctly implemented kill switch must maintain a “block all” firewall rule throughout this transition period – including the seconds-long window between disconnecting from one server and connecting to another.
  • Network interface change: We simulate switching from Wi-Fi to a wired connection, and toggling airplane mode on mobile, to verify that the kill switch survives interface transitions without allowing unprotected traffic to exit.

Protocol and Cryptographic Assessment

We evaluate which VPN protocols are offered (WireGuard, OpenVPN UDP/TCP, IKEv2, L2TP/IPsec), the cipher suite on the data channel (AES-256-GCM preferred), control channel security (RSA-2048 or higher), and whether the implementation supports Perfect Forward Secrecy through ephemeral key exchange.

Hard rule: Any VPN that still offers PPTP as a selectable protocol option receives a mandatory security deduction in our scoring. RC4 encryption and MS-CHAPv2 authentication are cryptographically compromised and have no place in any privacy product in 2026.


Pillar 3: Speed & Performance

Weighting: 18% of final score

Speed testing is where the most dishonest practices in VPN reviewing occur. Cherry-picked single-server results, tests run during off-peak hours, or tests conducted from a reviewer’s optimal geographic location can make any VPN look fast. Our speed testing methodology is designed to surface the performance characteristics that real users actually experience.

Baseline and Test Environment

All speed tests are conducted from a dedicated testing machine on a symmetrical fiber connection with a verified baseline throughput exceeding 500 Mbps in both directions. We record the baseline with the VPN disconnected before every testing session. All results are expressed as percentage of baseline loss, not raw Mbps, to make comparisons across different test sessions meaningful.

Server Selection and Geographic Spread

We test a minimum of four server locations for every VPN:

Server TypePurpose
Local (same city/region)Establishes best-case performance; reveals baseline VPN overhead
Domestic long-haulTests routing efficiency across greater distance within one country
Transatlantic (typically EU)Exposes peering agreement quality on major intercontinental routes
Distant intercontinental (Asia-Pacific or Oceania)Surfaces TCP windowing and latency collapse at distance

Protocol Comparison

For providers that support multiple protocols, we run identical server tests under WireGuard and OpenVPN (UDP) to quantify the throughput difference. WireGuard’s leaner cryptographic architecture (ChaCha20/Poly1305) typically outperforms OpenVPN’s AES-based implementation, particularly on ARM hardware. We document both to help readers choose the appropriate protocol for their threat model and device type.

Tools used: Ookla Speedtest CLI · fast.com · iPerf3 · WinMTR

Multi-Session Averaging and Time-of-Day Testing

Single speed test results are meaningless in isolation. We run a minimum of five test iterations per server per time window and record the median result. We test during two windows:

  • Off-peak hours – early morning on weekdays
  • Peak evening hours – 7–10 PM local time

The spread between these two windows reveals how effectively a provider manages server capacity under real consumer load – a metric that headline numbers from a single test will never surface.

Latency, Jitter, and Packet Loss

Raw download speed is only one dimension of performance. We also record:

  • Round-trip latency (ping) – determines usability for real-time applications
  • Jitter (variance in latency) – determines stability of voice and video calls
  • Packet loss – a server with 300 Mbps download but 8% packet loss is functionally unusable for VoIP or competitive gaming regardless of its throughput headline

Pillar 4: Streaming & Geo-Unblocking

Weighting: 12% of final score

Streaming platform geo-restriction bypass is one of the most heavily marketed VPN capabilities and one of the most inconsistently delivered. Netflix, Disney+, BBC iPlayer, Hulu, and Amazon Prime Video all employ layered IP reputation detection systems that combine static blocklists of known VPN IP ranges with behavioral heuristics that flag suspicious traffic patterns.

Claiming to “unblock Netflix” without specifying which Netflix catalog, on which servers, and with what consistency is a meaningless assertion.

Platform Coverage

We test against the following platforms as standard for every VPN review:

  • Netflix: US, UK, Canadian, Japanese, and Australian catalogs from corresponding server locations. We specifically check for the “Originals Only” failure mode, where Netflix detects a proxy but permits access to its own globally-licensed content while silently blocking regionally-licensed third-party content. This is a detection failure even if playback appears to work.
  • BBC iPlayer: UK server requirement with license-free geographic verification.
  • Disney+: US, UK, and Australian catalogs. Disney+ employs aggressive IP blocklisting that trips up many mid-tier providers.
  • Hulu: US-only service. We test multiple designated streaming servers rather than reporting the first server that succeeds.
  • Amazon Prime Video: US and UK catalogs. Prime Video uses session-level heuristic detection that can block access mid-stream after initially loading.
  • DAZN: Sports streaming with strict geo-enforcement.

Consistency Over Time

A VPN that unblocks Netflix today may fail tomorrow when Netflix refreshes its blocklist. We run streaming tests across multiple sessions spaced days apart and report the consistency of results, not just the best-case outcome. A provider that succeeds 2 out of 10 times on a given server is not a reliable streaming solution.

Our standard: We never describe a VPN as “unblocking” a platform based on a single successful session. Reliable access across repeated tests over multiple days is the only honest basis for a streaming capability claim.


Pillar 5: Server Network & P2P

Weighting: 10% of final score

A VPN’s server network is its physical infrastructure, and its composition directly determines real-world performance, reliability, and geographic coverage. Server count figures in marketing materials are frequently misleading – a network of 6,000 virtual servers in 10 actual physical datacenters provides very different characteristics than 500 bare-metal dedicated servers across 60 countries.

Physical vs. Virtual Servers

We research and document whether each provider’s servers are bare-metal dedicated hardware, virtual private servers (VPS) rented from cloud providers, or a mix of both.

Bare-metal servers offer dedicated CPU access – critical for consistent cryptographic performance under load, since AES-NI hardware acceleration is not shared with other tenants. VPS environments introduce CPU jitter from hypervisor scheduling. We flag virtual servers operating in high-risk jurisdictions, where the cloud provider’s local entity may be subject to government data access laws that the VPN provider’s registered jurisdiction does not.

Virtual Location Transparency

Some providers advertise servers in high-demand countries (Brazil, India, UAE) while physically routing traffic through servers in completely different countries – often neighboring regions with cheaper datacenter costs. We use traceroute analysis and IP geolocation cross-referencing to identify virtual locations and disclose them explicitly in our reviews.

RAM-Only Infrastructure

We specifically identify and note whether a provider operates RAM-only (diskless) servers. On a RAM-only server, all data – including the operating system and VPN daemon – exists exclusively in volatile memory and is permanently erased the moment the server is powered off. Physical server seizure by law enforcement yields nothing forensically recoverable. This is a meaningful infrastructure security distinction that we weight accordingly.

P2P and Torrenting Capability

We evaluate P2P support through active torrenting tests on designated P2P servers, covering:

  • Sustained torrent download throughput under real swarm load
  • Whether the client’s real IP address appears in the torrent swarm (verified using a monitoring node we control)
  • Port forwarding support – critical for upload ratio maintenance on private trackers
  • Kill switch behavior during active P2P sessions, with specific attention to the server-switching exposure window

Pillar 6: Apps & Ease of Use

Weighting: 12% of final score

A technically sophisticated VPN that requires a computer science degree to configure correctly fails a large majority of its intended user base. Conversely, a beautifully designed app that buries or omits critical security settings is providing false comfort. We evaluate the entire client ecosystem – from installation to advanced configuration – across every platform a provider officially supports.

Cross-Platform Testing Matrix

PlatformWhat We Evaluate
Windows (10 & 11)Installation, kill switch survival across sleep/resume cycles, split tunneling, protocol switching
macOS (latest 2 versions)Native app behavior, system extension permissions, packet filter kill switch implementation
iOS (latest 2 versions)IKEv2/WireGuard via NetworkExtension, background reconnection, kill switch availability
Android (stock & custom ROMs)WireGuard integration, split tunneling per-app routing, cellular/Wi-Fi handoff behavior
LinuxNative GUI client availability vs. CLI-only setup; quality of official documentation for Ubuntu, Debian, Fedora
Router-level deploymentDD-WRT, Tomato, and AsusWRT-Merlin configuration guide quality for households covering IoT and smart TV devices

Feature Parity Across Platforms

We document feature availability discrepancies between platforms – for example, a provider that offers split tunneling on Android but not macOS, or a kill switch that functions on Windows but is absent on iOS. These omissions are disclosed explicitly because they directly affect purchasing decisions for multi-device households.

UI/UX Quality Assessment

We evaluate the client interface against three criteria:

  • Accessibility – can a non-technical user connect to an appropriate server in under 30 seconds?
  • Transparency – are security settings prominently accessible, or buried several menus deep?
  • Reliability – does the UI correctly reflect the actual tunnel state (connected, disconnected, reconnecting) without lag or misrepresentation?

Pillar 7: Customer Support

Weighting: 8% of final score

VPN support quality matters most precisely when the tool has failed – when a tunnel will not connect on a hotel network, when a streaming platform has blocked an entire IP subnet, or when a kill switch is behaving unexpectedly. We evaluate support on both response speed and technical depth, across multiple channels and interaction types.

Live Chat Testing

For providers that market 24/7 live chat support, we initiate contact at three different times of day – including off-peak hours in the provider’s likely primary support geography – and record the time to first human response. We then present each agent with a graduated sequence of questions:

  1. A trivial configuration question (deliberately easy)
  2. A moderately technical connectivity issue
  3. A deliberately advanced question about protocol-level behavior

This sequence exposes whether the support team operates from scripts or possesses genuine technical knowledge of their own product.

Email and Ticket Support

We submit a standardised technical support ticket and record the time to first substantive response. We evaluate whether the response directly addresses the question asked or issues a generic scripted reply requiring follow-up. Total time to resolution on a multi-step technical issue is recorded where applicable.

Knowledge Base Assessment

We evaluate the depth and accuracy of self-serve documentation across three categories:

  • Platform-specific setup guides – completeness and accuracy for all supported platforms
  • Advanced troubleshooting content – MTU configuration, DNS override procedures, router deployment, protocol selection guidance
  • Transparency documentation – privacy policy plain-language explanations, audit report summaries, logging policy clarifications

Our benchmark: Can a technically competent user resolve a non-trivial connectivity problem using only the knowledge base, without contacting support? Providers whose documentation achieves this standard receive full marks in this category.


Pricing, Value for Money & Refund Testing

Price evaluation at VPNRating.net is not a simple comparison of monthly subscription costs. We analyse the full cost structure of each provider across multiple dimensions, and we physically test the refund process to verify that money-back guarantees are honoured in practice, not just in policy.

Real Cost Analysis

Long-term VPN subscriptions are frequently marketed with headline monthly prices that require multi-year upfront commitments. We calculate and disclose the true total cost – what actually leaves your bank account – alongside the per-month breakdown. We document renewal pricing, since many providers offer steep introductory discounts that expire on renewal, effectively locking committed users into significantly higher rates.

We flag hidden costs including:

  • Mandatory service fees added at checkout
  • Crypto transaction gas overhead
  • Plans that gate specific features (multi-hop, specific protocols) behind higher pricing tiers

Feature-to-Price Ratio

We benchmark each VPN’s pricing against its feature set, network size, audit history, and platform coverage. A $2.50/month VPN with no independent audit, a 100-server network, and a broken macOS kill switch is not competing with a $4.00/month provider with a 6,000-server network, a verified no-logs audit, and RAM-only infrastructure. We contextualise pricing within the competitive landscape rather than treating cheapness as inherently positive.

Payment Method Transparency

We document the full range of accepted payment methods and specifically note whether cryptocurrency payment is available, since credit card and PayPal payments create a permanent, subpoenaable financial record linking your identity to the VPN subscription. For providers that accept crypto, we verify which coins are accepted and whether the checkout process requires KYC verification that would undermine the pseudonymity of crypto payment.

We Actually Test the Money-Back Guarantee

This is non-negotiable in our process: we submit a refund request to every VPN we review and document the outcome. We record:

  • Time between the refund request and the written confirmation
  • Time between confirmation and the actual credit appearing
  • Any friction or conditions imposed by the support team during the process

Where a provider’s refund policy contains bandwidth caps, usage restrictions, or other conditions that make thorough evaluation impossible, we flag this with explicit examples.


How We Calculate the Final Score

Our final score is a weighted composite of the seven pillar scores plus our pricing and value assessment. Each component score is set on a 10-point scale by the lead analyst responsible for that domain. Scores are reviewed by a second analyst before publication. No single score can be modified without a documented rationale tied to specific test results.

Scoring Weights

CategoryWeightWhat earns a 10
Security & Encryption20%Zero leaks on all three vectors, AES-256-GCM, functional kill switch on all platforms, no deprecated protocols
Speed & Performance18%<20% speed loss locally, consistent throughput at distance, low jitter and packet loss
Privacy & Logging15%Verified no-logs policy via third-party audit, favourable jurisdiction, fully transparent ownership
Streaming & Unblocking12%Consistent access to all major platforms across multiple sessions, no “Originals Only” failures
Apps & Ease of Use12%Full feature parity across platforms, intuitive UI, accurate real-time tunnel state display
Pricing & Value10%Competitive long-term pricing, crypto payment available, verified 30-day unconditional refund, no hidden fees
Server Network & P2P10%Large global footprint, RAM-only infrastructure, port forwarding, no undisclosed virtual locations
Customer Support8%Sub-2-minute live chat with demonstrated technical depth, comprehensive self-serve documentation

The Composite Formula

Final Score = (Security × 0.20) + (Speed × 0.18) + (Privacy × 0.15) + (Streaming × 0.12)
            + (Apps × 0.12) + (Value × 0.10) + (Servers × 0.10) + (Support × 0.08)

Scores are displayed to one decimal place. Individual pillar scores are published alongside the composite so readers can weight categories according to their own threat model and use case.

Score Floor Rules

Certain failures are severe enough to impose a mandatory score ceiling regardless of performance in other categories:

  • A VPN that actively leaks DNS queries cannot score above 5.0 overall.
  • A provider whose free tier monetises user bandwidth through third-party proxy SDKs without explicit disclosure cannot score above 6.0 overall.
  • A VPN with a documented history of sharing user data with law enforcement in contradiction of its published no-logs policy cannot be recommended at any score.

Affiliate Disclosure & Editorial Independence

VPNRating.net generates revenue through affiliate commissions. When a reader clicks a link to a VPN provider on this website and subsequently purchases a subscription, we may receive a commission from that provider. This is standard practice across independent review publishing and is how we fund our testing infrastructure, subscription costs, and editorial team.

Affiliate commissions vary by provider. Some VPN companies pay higher commission rates than others. We are aware of this, and we have built specific structural safeguards to ensure that commission rates have no influence on our editorial conclusions:

  • Our review analysts do not have access to commission rate data by provider. Scores are determined by analysts before any commercial arrangement with a provider is established.
  • We maintain affiliate relationships with providers who receive poor scores on this site. A low score does not terminate a commercial relationship. A high commission rate does not improve a score.
  • We have declined affiliate partnerships from providers who requested pre-publication review access to scores or editorial content as a condition of the relationship.
  • We publish negative findings – documented kill switch failures, bandwidth-hijacking SDKs, opaque corporate structures – in full, regardless of whether the subject provider is an affiliate partner.
  • Every review on this site carries a consistent affiliate disclosure in compliance with FTC guidelines. We do not use deceptive formatting, small print, or buried disclosures to obscure our commercial relationships.

Buying through our affiliate links supports the site at no extra cost to you and enables us to continue purchasing subscriptions independently. We appreciate it – but it never obligates a favourable review.

If you ever believe that a specific review on this site reflects commercial bias rather than honest testing, we want to hear from you. Our editorial team is reachable through the contact page, and we take such feedback seriously.


Keeping Our Reviews Current

The VPN industry does not stand still. Providers update their apps, change their infrastructure, commission new audits, alter their corporate ownership, and sometimes quietly remove features that were present when a review was first published. A review written 18 months ago against a substantially different product is, at best, incomplete – and, at worst, actively misleading.

Our methodology includes a formal process for review maintenance:

Every 6 Months – Speed & Streaming Re-Test

Speed benchmarks and streaming platform tests are re-run on a rolling quarterly schedule for all top-10 ranked providers. Server network composition is verified. Streaming server effectiveness is re-assessed across all major platforms.

Every 6 Months – Security and Feature Audit

Leak testing, kill switch stress testing, and protocol evaluation are repeated for all providers ranked in our top 20. We check for changes to privacy policies, terms of service, and audit status. New app versions are evaluated for feature additions or regressions.

On Material Change – Immediate Review Update

When a provider experiences a data breach, ownership change, law enforcement disclosure, or major product update, we trigger an out-of-cycle review update. The review is revised to reflect current facts and the update is disclosed with a date stamp. We do not silently edit reviews – material changes are documented at the top of the affected review.

Annually – Full Methodology Review

Our testing methodology itself is reviewed annually to ensure it reflects the current technical landscape. As new attack vectors, new protocol options, and new transparency standards emerge, our testing process is updated accordingly. This page is revised to reflect any changes to our evaluation framework.


Our goal is to be the review you would write yourself if you had the time, the technical background, and the budget to do it properly – and to be honest enough to update it when the facts change.

VPN Rating
Logo