AnonymFlow

How we test VPNs

All figures shown on this site come from measurements we performed ourselves, following the protocol described below. No data is reused from third-party comparisons or vendor spec sheets.

Measurement protocol

  1. 1

    Anonymous subscription

    We subscribe to the VPN offer like a normal customer, from an unidentified account. No press access, no free license. Everything paid via personal card.

  2. 2

    Lab setup

    Tests run from a 1 Gbps symmetric Orange fiber (Paris) and Free Mobile 5G (mobile fallback). No special routing negotiated.

  3. 3

    Throughput measurements

    fast.com, Cloudflare speedtest, and iperf3 to public servers — 3 successive runs at different times (9am, 2pm, 9pm). We keep the median.

  4. 4

    Leak tests

    ipleak.net, dnsleaktest.com, browserleaks.com/webrtc concurrently. Any provider with a single leak is excluded from recommendation.

  5. 5

    Streaming tests

    Netflix US/JP/UK, Disney+ US, BBC iPlayer, DAZN IT, Crunchyroll JP — verified on web (Chrome, Safari) and iOS native app for 7 consecutive days.

  6. 6

    Policy audit

    Full read of available no-logs audits (PwC, Deloitte, Cure53) and the vendor's latest transparency report.

Detailed test protocols

For every VPN we test, we apply five distinct protocols. Each protocol produces reproducible data: another properly equipped operator should be able to replay the experiment and land on comparable numbers within ± 10%.

  1. P1

    DNS leak test

    Method: open a VPN session, then run four concurrent DNS tests against four distinct resolvers (1.1.1.1 Cloudflare, 8.8.8.8 Google, 9.9.9.9 Quad9, the VPN's advertised resolver). Cross-check the returned IP across four services (ipleak.net, dnsleaktest.com, browserleaks.com/dns, mullvad.net/check). Acceptable threshold: zero leak detected across 95 cumulative sessions per provider. Any provider with even a partial leak is flagged failing and demoted.

  2. P2

    WebRTC + IPv6 leak test

    Method: open Chrome on chrome://webrtc-internals + ipleak.net in parallel, check the ICE STUN candidate and the surfaced public IP. Cross-test against browserleaks.com/webrtc and browserleaks.com/ip to exclude false negatives. Acceptable threshold: no real IP visible on ICE/STUN or IPv6 across 95 sessions per provider.

  3. P3

    iperf3 speed test

    Method: iperf3 client/server against 12 European servers (Germany, France, Netherlands, UK, Italy, Spain, Sweden, Poland, Switzerland, Belgium, Austria, Ireland) + 4 US servers (Ashburn, Dallas, Los Angeles, New York) + 2 Asia servers (Tokyo, Singapore). Three sessions per server, at three time slots (9am, 2pm, 9pm Europe/Paris), median measurement. Cross-validated with fast.com and Cloudflare speedtest to rule out public-iperf server anomalies.

  4. P4

    Kill switch test

    Method: open an active VPN session with streaming traffic in flight, then force the tunnel down (kill VPN process, unplug Ethernet, disable the virtual network interface). Monitor network traffic via Wireshark on the physical interface in parallel. Acceptable threshold: zero clear-text outbound packet between tunnel drop and recovery. Test repeated 95 times per provider.

  5. P5

    No-log policy verification

    Full read of the vendor's published privacy policy, comparison against the latest available independent audit (PwC, Deloitte, KPMG, Cure53), cross-check against known court cases (Tor requests, DMCA, server seizures). Qualitative score: 0 = no audit, 1 = internal audit, 2 = published Big Four audit, 3 = published Big Four audit + a court case that validated absence of logs in practice.

Tools we use

Open-source or commercial tools we run for every test battery. No proprietary tooling, no secret scripts: everything is reproducible.

  • iperf3

    TCP/UDP throughput and latency measurement in client/server mode. Used against public iperf servers + an in-house iperf3 server hosted on OVH (Strasbourg) for reference numbers.

  • Wireshark

    Real-time packet inspection to verify tunnel watertightness, validate the kill switch (zero clear-text packet between tunnel drop and recovery), and surface DNS leaks outside UDP/53.

  • Speedtest CLI (Ookla)

    Ookla command-line speed benchmark, against geo-located Speedtest servers near the VPN endpoint. Used to compare relative throughput loss against the non-VPN baseline on the same time slot.

  • dnsleaktest.com + ipleak.net + browserleaks.com

    Cross-tests for DNS, IP, WebRTC and IPv6. Three services are used to rule out false positives tied to cache or geolocation of a single service.

  • Custom Python scripts (github.com/ricco020)

    Two open-source maintained scripts: dns-leak-detector-cli and webrtc-leak-detector. They automate the repetitive checks across 95 sessions per provider and export results as CSV for later audit.

Test environment setup

Three distinct machines to cover the three major ecosystems: a Windows 11 Pro PC (i7-12700K, 32 GB RAM), a MacBook Pro M2 macOS 14.4 (16 GB RAM), and a Linux Ubuntu 24.04 LTS box (i5-10400, 16 GB RAM). Connections tested: 1 Gbps symmetric Orange fiber (Paris), 500 Mbps Free fiber (remote work), Free Mobile 5G in hotspot mode (mobile fallback), public Wi-Fi in Lisbon and Athens (untrusted environment). VPN clients used are strictly the official ones (Windows, macOS, Linux, iOS, Android) downloaded from the vendor's official site — no community fork, no exotic manual config unless explicitly flagged in the article.

Scoring methodology

A VPN's final AnonymFlow score combines six weighted axes. No score steps outside this formula — no subjective adjustment to favor a partner.

  • Measured speed (25%)

    Median throughput loss across the 18 servers tested. Baseline: no-VPN line nominal speed.

  • Security — DNS + WebRTC + kill switch (30%)

    Composite score: 10% DNS leak, 10% WebRTC/IPv6 leak, 10% effective kill switch. A single leak drops this axis to 0.

  • No-log policy (20%)

    Qualitative 0-to-3 score (see Protocol 5). Multiplied by 100/3 to obtain a percentage.

  • Real price (10%)

    Effective 24-month rate averaged with the disclosed renewal rate. Not the entry teaser rate alone.

  • Support (10%)

    Support response time across five test tickets, response quality (technical vs scripted), 24/7 chat availability.

  • Ergonomics / UX (5%)

    Install friction, app legibility, ease of access to advanced settings. Lowest weight because most subjective.

Every VPN evaluated is tested over at least 95 cumulative sessions across a window of at least 30 days. A full annual update (full re-test) is guaranteed for recommended VPNs; the frontmatter dateModified reflects each refresh.

Limits & transparency

Our tests are run from mainland France. Results may differ in other geographies — a user in South-East Asia will see different latency and unblock numbers, especially for US-only services. The session count per provider (95) is lower than the hundreds or thousands of tests some industrial testers run; we offset this with an openly published reproducible methodology and the option for any reader to replay the tests themselves using the tools listed. Conflicts of interest: we earn a commission via the CJ Affiliate network when a reader subscribes to a partner VPN via our links. This compensation is disclosed at the top of every concerned page and every commercial link carries the rel="sponsored nofollow" HTML attribute as per Google guidelines. No commercial relationship influences the final score: we have already ranked a partner VPN below a non-partner VPN in several comparisons.

Our editorial principles

  • No score below 3/5 accepted as "recommended"

    If a VPN scores below 3/5 on our grid, we don't recommend it, regardless of commission offered.

  • Drawbacks listed in black and white

    Every review contains a "what we're less keen on" section — no disguised marketing.

  • Quarterly minimum update

    VPNs evolve: prices, Netflix blocks, audits. We re-test every recommended provider at least every 3 months.

  • Transparency about compensation

    We earn a commission if you subscribe via our links — mentioned on every page (banner + links marked sponsored nofollow).

Sources & references

To dig deeper, here are the technical and institutional references we routinely consult.