VPN Testing Methodology: IP, DNS & WebRTC Leak Detection
This page documents exactly how our VPN testing tools work, what our reviews measure, and where the limitations are. We publish this because we believe testing methodology should be transparent and verifiable. If you think our approach is flawed or incomplete, tell us – we would rather improve our process than defend it.
Leak Testing Methodology
Our browser-based leak test checks for three categories of VPN failure. Each test runs automatically when you load the tool – no software to install and no account required. Here is what each test does, how it works, and what it cannot detect.
IP Address Leak Detection
What it tests: Whether your real IPv4 and IPv6 addresses are visible to websites while you are connected to a VPN. When a VPN is working correctly, websites should see the VPN server’s IP address – not the one assigned by your ISP.
How it works: The tool makes requests to external detection endpoints that report back the IP address they see. If that IP matches your ISP-assigned address rather than the VPN server’s address, a leak is detected. We check both IPv4 and IPv6 because many VPNs tunnel IPv4 traffic correctly but leave IPv6 completely unprotected – a common and underreported failure mode.
What it cannot detect:
- Leaks that occur intermittently – for example, during VPN reconnection or server switching
- Leaks at the operating system level in applications outside the browser
- Leaks in non-HTTP protocols (torrenting, email clients, gaming)
- Leaks caused by misconfigured split tunnelling rules
DNS Leak Detection
What it tests: Whether your DNS queries – the lookups that translate domain names like “example.com” into IP addresses – are going through your VPN’s DNS servers or leaking to your ISP or a third-party resolver. Even if your IP address is hidden, a DNS leak reveals every website you visit to your ISP.
How it works: The tool triggers DNS lookups to unique, randomly generated hostnames and checks which DNS servers resolve them. If the resolving servers belong to your ISP rather than your VPN provider, a DNS leak is present. We check across multiple query types to catch partial leaks – situations where some queries route correctly through the VPN but others escape to your ISP’s resolver.
What it cannot detect:
- DNS leaks in applications other than your web browser
- DNS leaks that occur only under specific network conditions (e.g., captive portals, IPv6-only networks)
- DNS manipulation by sophisticated adversaries at the network level
- DNS-over-HTTPS or DNS-over-TLS configurations that bypass the VPN by design
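The correlation step behind the DNS check described above, as an added example that is not the site's own tool: unique probe hostnames are matched against the queries an authoritative server recorded, and each resolver is attributed to the VPN, the ISP or a third party. The zone name, log format, ownership labels and function names are assumptions, and all sample data is constructed.

```javascript
// Added example, not the site's code. ZONE is a hypothetical test zone whose
// authoritative name server logs every query it receives.
const ZONE = 'leaktest.example';

// Constructed sample data (documentation address ranges).
const SAMPLE_LOG = [
  { name: 'k3f9x2-0.leaktest.example.', qtype: 'A', resolverIp: '198.51.100.53' },
  { name: 'K3F9X2-1.LeakTest.example.', qtype: 'A', resolverIp: '198.51.100.53' }, // mixed-case QNAME
  { name: 'k3f9x2-0.leaktest.example.', qtype: 'AAAA', resolverIp: '203.0.113.10' },
  { name: 'zz0000-0.leaktest.example.', qtype: 'A', resolverIp: '203.0.113.10' }, // another session
];
const SAMPLE_OWNERS = { '198.51.100.53': 'vpn', '203.0.113.10': 'isp' };
const sampleOwnerOf = (ip) => SAMPLE_OWNERS[ip] ?? 'third-party';

// Unique names mean no cache can answer on the way, so every lookup reaches
// the authoritative server. `token` must be random per test run
// (in a browser, e.g. derived from crypto.getRandomValues).
function makeProbeNames(token, count) {
  return Array.from({ length: count }, (_, i) => `${token}-${i}.${ZONE}`);
}

// queryLog entries: { name, qtype, resolverIp } as seen by the authoritative server.
// ownerOf maps a resolver IP to 'vpn', 'isp' or 'third-party' (IP-to-organisation lookup).
function assessDnsLeak(names, queryLog, ownerOf) {
  const mine = new Set(names.map((n) => n.toLowerCase()));
  const owners = new Set();
  const byType = {};
  for (const q of queryLog) {
    const name = q.name.toLowerCase().replace(/\.$/, ''); // DNS names are case-insensitive
    if (!mine.has(name)) continue;                        // belongs to a different test run
    const owner = ownerOf(q.resolverIp);
    owners.add(owner);
    if (!byType[q.qtype]) byType[q.qtype] = new Set();
    byType[q.qtype].add(owner);
  }
  for (const t of Object.keys(byType)) byType[t] = [...byType[t]].sort();
  const sawVpn = owners.has('vpn');
  const sawOther = [...owners].some((o) => o !== 'vpn');
  const verdict = owners.size === 0 ? 'inconclusive'
    : !sawOther ? 'no-leak'
    : sawVpn ? 'partial-leak' : 'leak';
  return { verdict, byType };
}
```

On the sample log the A queries arrive from the VPN's resolver while the AAAA query arrives from the ISP's, which is the partial-leak case.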
WebRTC Leak Detection
What it tests: Whether WebRTC – the browser technology that enables video calls, voice chat, and peer-to-peer connections – is exposing your real IP address to websites. WebRTC can reveal your IP address even when a VPN is active because it uses a different network pathway than normal web traffic.
How it works: The tool uses the same technique that websites use to discover your available network connections. If your real public IP address or local network IP appears in the results, a WebRTC leak is present. This is the same method a malicious website would use to identify you.
Browser differences matter: WebRTC behaviour varies significantly across browsers. Chrome and Edge expose WebRTC by default and provide no built-in option to disable it fully. Firefox allows users to disable WebRTC via about:config (setting media.peerconnection.enabled to false). Safari has more restrictive WebRTC handling by default. A VPN that prevents WebRTC leaks in Firefox may still leak in Chrome if it relies solely on browser settings rather than routing protection.
What it cannot detect:
- WebRTC leaks that only occur during active media sessions (video calls, screen sharing)
- Leaks via TURN servers that require authentication credentials
- WebRTC behaviour in mobile browsers, which may differ from their desktop counterparts
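The analysis step of the WebRTC check described above, as an added example that is not the site's own tool: it parses ICE candidate lines and reports every address other than the VPN exit IP. The candidate strings and addresses are constructed samples, and the function names are hypothetical.

```javascript
// Added example, not the site's tool. In a browser the candidate strings come
// from RTCPeerConnection "icecandidate" events (event.candidate.candidate);
// here they are constructed samples so the analysis runs offline.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 2122194687 0f8a1c2e-5b7d-4e21-9c3a-7d1e2f3a4b5c.local 54322 typ host',
  'candidate:3 1 udp 1686052607 198.51.100.7 40001 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:4 1 udp 1686052351 2001:db8:5::99 40002 typ srflx raddr :: rport 0',
  'candidate:5 1 udp 1686052607 203.0.113.50 40003 typ srflx raddr 0.0.0.0 rport 0',
];

// Loopback, RFC 1918, link-local (v4); unique-local, link-local, loopback (v6).
const LOCAL_V4 = [/^127\./, /^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./];
const LOCAL_V6 = [/^f[cd][0-9a-f]{2}:/, /^fe[89ab][0-9a-f]:/, /^::1$/];

function classifyAddress(addr) {
  if (addr.endsWith('.local')) return 'mdns'; // obfuscated hostname, reveals no IP
  const ranges = addr.includes(':') ? LOCAL_V6 : LOCAL_V4;
  return ranges.some((re) => re.test(addr)) ? 'local' : 'public';
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.replace(/^a=/, '').trim().split(/\s+/);
  if (f.length < 8 || !f[0].startsWith('candidate:') || f[6] !== 'typ') return null;
  return { address: f[4].toLowerCase(), type: f[7] };
}

// Returns every exposed address that is not the VPN exit IP. Following the
// page, a local network address counts as a leak as well as a public one.
// Assumption: IPv6 addresses are compared as lowercase strings, not normalised.
function findWebrtcLeaks(lines, vpnExitIps) {
  const expected = new Set(vpnExitIps.map((ip) => ip.toLowerCase()));
  const seen = new Set();
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c || seen.has(c.address)) continue;
    seen.add(c.address);
    const kind = classifyAddress(c.address);
    if (kind === 'mdns' || expected.has(c.address)) continue;
    findings.push({ ...c, kind });
  }
  return findings;
}
```

With `198.51.100.7` as the VPN exit address, the sample yields three findings: the LAN address, an IPv6 address outside the tunnel, and a second public IPv4 address.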
VPN Review Methodology
Our VPN reviews go beyond the leak test. When we review a provider, we evaluate five areas. Each is described below.
Security Testing
- Leak test results – We run our full IP, DNS, and WebRTC leak tests on every VPN we review. Tests are conducted on multiple platforms (Windows, macOS, Android, iOS) where the provider offers apps.
- Kill switch effectiveness – We test whether the VPN’s kill switch actually blocks internet traffic when the VPN connection drops unexpectedly. A kill switch that fails to activate during disconnection is worse than not having one – it creates a false sense of security.
- Encryption standards – We document which VPN protocols the provider supports (WireGuard, OpenVPN, IKEv2, proprietary) and verify the cipher suites in use where possible.
- Independent audit history – Has the provider undergone an independent security audit? When was it conducted, by whom, and what was the scope? We link to published audit reports where they are publicly available.
Privacy Assessment
- Logging policy – We read the provider’s privacy policy in full and document what data they claim to collect, retain, and share. Where a provider has undergone a verified no-logs audit, we note the auditor, date, and scope.
- Jurisdiction – Where is the provider legally incorporated? What data retention laws apply in that jurisdiction? Does the country participate in intelligence-sharing agreements (Five Eyes, Nine Eyes, Fourteen Eyes)?
- Ownership and corporate structure – Who owns the VPN? Is it an independent company, a subsidiary of a larger corporation, or part of a portfolio that includes other VPN brands? Transparency about ownership matters because it reveals potential conflicts of interest.
Performance
- Speed impact – We measure the percentage reduction in download and upload speeds compared to a baseline connection without the VPN active. Tests are run at multiple times of day to account for server load variation.
- Server coverage – How many servers does the provider operate, and in how many countries? We verify a sample of server locations rather than relying on the provider’s claimed count.
- Connection stability – We monitor for unexpected disconnections, slow connection establishment, and server-switching reliability during a testing session.
Usability
- App quality – Is the application well-designed, responsive, and free of obvious bugs? We test on the platforms where most users will encounter the product.
- Setup difficulty – Can a non-technical user install the app, connect to a server, and verify it is working without consulting documentation? We note where the setup process is confusing or requires manual configuration.
- Customer support – We contact the provider’s support team with a real question and document the response time, accuracy, and helpfulness of the answer. We test both live chat and email support where available.
Value
- Pricing – We document all pricing tiers including any introductory rates that increase on renewal. If the provider advertises “$2.99/month” but that requires a three-year commitment, we say so.
- Refund policy – We test the refund process ourselves rather than quoting the provider’s stated policy. If a “30-day money-back guarantee” involves a difficult cancellation process or unexpected charges, we report it.
- Simultaneous connections – How many devices can be connected at once? Does the provider limit bandwidth or features for additional connections?
Scoring
Each VPN receives an overall score out of 10, calculated as a weighted average of five category scores. We publish the weights because hidden formulas invite suspicion.
| Category | Weight | What It Covers |
|---|---|---|
| Security and Leak Protection | 40% | IP leak test, DNS leak test, WebRTC leak test, kill switch effectiveness, encryption standards, independent audit history |
| Privacy and Logging Policy | 20% | No-logs claims vs reality, jurisdiction, data retention, ownership transparency, verified audit history |
| Speed and Performance | 15% | Download/upload speed impact, latency increase, server connection time, connection stability |
| Value for Money | 15% | Monthly price, simultaneous connections, refund policy, renewal pricing transparency, free tier availability |
| Usability and Apps | 10% | App quality, platform coverage, setup difficulty, customer support responsiveness |
Hard Rules
- Leak test failure caps the score. A VPN that leaks your IP address or DNS queries in our testing cannot score above 5.0 overall, regardless of how well it performs in other categories. This is a hard ceiling, not a sliding scale.
- Scores are recalculated on every re-test. A VPN that scored well six months ago and has since introduced a regression will see its score adjusted downward. There is no inertia protecting a previous rating.
Worked Example: NordVPN
Here is how the scoring formula produces NordVPN’s overall rating of 8.8/10, using real numbers from our most recent evaluation:
| Category | Score | Weight | Weighted | Key Factors |
|---|---|---|---|---|
| Security | 9.2 | 40% | 3.68 | Passed all leak tests. Kill switch on all platforms. AES-256 + NordLynx. Four independent audits (Deloitte, twice). |
| Privacy | 9.0 | 20% | 1.80 | Panama jurisdiction (outside 14-Eyes). No-logs policy audited by Deloitte. RAM-only servers. Ownership verified (Nord Security, Lithuania). |
| Speed | 8.5 | 15% | 1.28 | NordLynx (WireGuard-based) delivers strong speeds. Large server network reduces congestion. Minor latency increase on distant servers. |
| Value | 8.2 | 15% | 1.23 | Competitive pricing on 2-year plan. 10 simultaneous connections. 30-day refund. No free tier. Renewal price increases. |
| Usability | 8.5 | 10% | 0.85 | Clean apps on all major platforms. 24/7 live chat. Linux app is CLI-only (no GUI). Specialty servers can confuse beginners. |
| Overall | 8.8/10 | | | |
Why not higher? NordVPN loses points on value (renewal price increases, no free tier) and usability (Linux is CLI-only). Security and privacy – which together carry 60% of the weight – are where NordVPN excels. A VPN exists to protect your connection, so those categories should dominate the score.
What the hard rule means in practice: NordVPN passed all leak tests, so no score cap applies. If it had failed even one leak test, the overall score would be capped at 5.0 regardless of how well it performs elsewhere. We have applied this cap to providers that leaked – their reviews reflect it.
Our Testing Setup
| Component | Details |
|---|---|
| Leak detection suite | Proprietary browser-based tool testing IP (IPv4 + IPv6), DNS, and WebRTC leak vectors |
| Speed testing | Paired baseline/VPN measurements using browser performance metrics. Results expressed as percentage speed loss, not raw Mbps – meaningful regardless of your connection speed |
| Browsers | Chrome and Firefox (latest stable releases). These cover the vast majority of consumer VPN use |
| Operating systems | Windows 11, macOS, Android, iOS |
| Network conditions | Residential broadband and mobile networks – no data center connections that might produce unrealistic results |
| Dataset | 35,080 real-world leak tests run by both our team and site visitors worldwide. Testing conditions vary across this population – that diversity is a feature, not a bug |
We specify the testing environment because VPN performance and leak behaviour can vary significantly across platforms, browsers, and network conditions. Our results are representative of typical consumer use, but may not match every configuration.
Re-Testing Schedule
VPN software changes constantly. A provider that passed all tests six months ago may have introduced a regression in a recent update, changed its server infrastructure, or revised its privacy policy. Static reviews become inaccurate reviews.
Our re-testing approach:
- Ad-hoc re-tests – Triggered by major version releases, user reports of new issues, significant changes to a provider’s policies or ownership, or when we become aware that a review may no longer reflect the current product.
- Published test dates – Every review displays the date of last testing prominently. We never present stale data as current.
- Score changes – When re-testing reveals improvements, scores go up. When it reveals regressions, scores go down. There is no inertia protecting a previous rating.
Limitations and Caveats
No testing methodology is perfect, and claiming otherwise would undermine exactly the kind of trust we are trying to build. Here is what our approach cannot do:
- Browser-based tests have inherent limits. Our leak detection tools test what is visible from within a web browser. They cannot detect OS-level leaks, leaks in other applications (torrent clients, email programs, messaging apps), or leaks that occur only during VPN reconnection events.
- A test result is a snapshot, not continuous monitoring. VPN connections can fail intermittently due to network conditions, server load, or software bugs. A passing result means the VPN was working correctly at the moment of testing – not that it will never fail.
- We test consumer VPN products. Our methodology is designed for standard consumer use cases: privacy protection, security on public Wi-Fi, and circumventing geographic restrictions. We do not test for enterprise deployments, corporate network security, or high-threat-model scenarios where nation-state adversaries are a concern.
- Your environment may differ from ours. VPN behaviour can vary based on ISP, network configuration, device hardware, browser version, and the specific VPN client version installed. Our results are representative, but we cannot guarantee they will match your exact experience.
- We are not a security audit firm. Our testing covers common leak vectors and publicly accessible product features. It does not substitute for a professional security audit of a VPN provider’s server infrastructure, code, or cryptographic implementation.
How Detection Works
Our testing tools use three detection methods:
- IP geolocation – When our tools detect an IP address, we look up its geographic location, ISP, and organization. This tells us whether an IP belongs to a VPN provider, a residential ISP, or a data center – which is how we determine whether a leak has occurred. Results are cached for performance and are not stored beyond the test session.
- DNS leak detection – Our DNS leak test triggers lookups to unique hostnames. By checking which DNS servers resolve these lookups, we can determine whether your DNS queries are routing through your VPN or leaking to your ISP.
- WebRTC leak detection – Uses your browser’s built-in peer-to-peer connection features to discover which IP addresses are available. No external service is required – the browser itself reveals whether your real IP is exposed.
Data Sources
In addition to our own testing, we reference the following when preparing reviews:
- VPN provider websites, privacy policies, and support documentation
- Published independent security audits (linked in reviews where publicly available)
- Browser WebRTC and networking specifications (W3C, IETF)
- Aggregate, anonymised data from VPN tests run on our site (as described in our privacy policy)
- Corporate registry filings and ownership records for provider transparency assessments
This methodology is a living document. As VPN technology evolves and new leak vectors are discovered, we update our tools and testing process. If you have suggestions for improving our methodology, or if you have identified a gap in our testing, please get in touch. We would rather know about a weakness in our approach than remain unaware of it.
Update history
This page was revised 5 times between June 2023 and March 2026.
- Added worked scoring example using NordVPN with real category scores and weighted calculation. Expanded testing setup section with tool descriptions, speed testing methodology, and live dataset count.
- Added new section documenting VPN leak testing methodology with detailed explanations of IP, DNS, and WebRTC detection techniques plus their limitations.
- Reorganized methodology sections with clearer hierarchy, added detailed subsections for Privacy Assessment criteria, and expanded explanations of security and privacy testing procedures.
- Added detailed methodology sections covering jurisdiction, speed testing, security evaluation, privacy assessment, kill switch testing, and no-logs verification to explain VPN review criteria.
- Removed lengthy etymology sidebar about "review" and restructured opening paragraphs for better focus on testing methodology.