Test if your specific VPN is working

Quick version: a VPN that "works" in marketing (the app says Connected) and a VPN that actually hides you are two different things. The gap is bigger than most users realize. This is the universal method to verify your VPN is doing its job, regardless of provider.

The four signals every working VPN must produce

Whatever VPN you use - NordVPN, Mullvad, your own self-hosted OpenVPN box - a working tunnel produces the same four observable signals. Our checker measures all four in your browser, in about 2 seconds:

1. Visible IP changed. Websites you visit see an IP address. With a real tunnel, that IP belongs to your VPN provider, not your ISP. Turn the VPN off, note the IP, turn it back on, refresh - the number must change.
2. Country matches what your VPN claims. If your VPN app shows "connected to Tokyo" but our checker geolocates you in Frankfurt, something is wrong. The location must agree.
3. WebRTC doesn't leak your real IP. Browsers expose all network interfaces via WebRTC. A good VPN blocks this at the firewall level; a leaky VPN doesn't, and a webpage with 5 lines of JavaScript can see through your tunnel.
4. IPv6 isn't escaping the tunnel. Many VPNs only route IPv4. If your ISP supports IPv6, websites with IPv6 endpoints see your real IPv6 address even while your IPv4 is safely tunneled.

What VPN providers actually differ on

Once you understand the four signals, the question for each VPN becomes: does the default configuration handle all four? Some do, some don't. The differences are real and stack with secondary factors:

• Kill switch behavior. When the tunnel drops momentarily, does traffic stop or fall back to the ISP? Reputable VPNs default to "stop". Free VPNs and corporate "security suite" VPNs often default to "fall back" - which is the worst possible behavior for privacy.
• WebRTC blocking method. OS firewall block (best - works at the network layer) vs. browser config (good but only inside the browser) vs. nothing (most free VPNs).
• IPv6 handling. Tunnel IPv6 through the VPN (Mullvad, ProtonVPN) or block IPv6 entirely (NordVPN, Surfshark, ExpressVPN) or ignore IPv6 (long tail of cheaper providers - leak risk).
• DNS routing. Provider's own resolvers vs. system DNS. Windows multi-homed name resolution leaks DNS even when IPv4 traffic is tunneled correctly; reputable providers patch this on Windows install.
• Audit history. Some providers have audited no-logs claims (NordVPN, ExpressVPN, Surfshark, ProtonVPN, Mullvad, IPVanish, PIA, TunnelBear). Some have only marketing claims. Some have actual logging incidents in their history (HMA 2011, IPVanish 2018, PureVPN 2017).
• Jurisdiction. Where the company is registered determines which governments can compel data. Switzerland (ProtonVPN, PrivadoVPN) and Sweden (Mullvad) are outside Five/Nine/Fourteen Eyes. US (PIA, IPVanish, Hotspot Shield, Atlas) is inside Five Eyes. This matters for high-threat-model use.
• Streaming optimization. Whether the provider actively rotates IPs to defeat Netflix/BBC/Hulu detection. Premium tier (NordVPN, ExpressVPN, Surfshark, CyberGhost) does this; budget and privacy-first options often don't bother.

Pick your provider's specific guide

Multiple independent audits + transparent operations + strong default leak protection. If you're paying for a VPN and care about audit history, start here.

• NordVPN - Best all-around for streaming + privacy. Pick if Netflix, speed, and audit history all matter.
• ExpressVPN - Premium pick. Pay if you stream daily and value smooth experience over saving $30/year.
• ProtonVPN - Best privacy/feature balance. Pick if jurisdiction + open source + free tier matter; skip if max streaming speed is the priority.

Cheaper than the top tier, still audited or court-verified. Trade-offs: smaller server fleets, less aggressive streaming optimization, sometimes parent-company concerns. Solid for daily use if budget matters.

• Surfshark - Best value of the major-VPN tier. Pick if family/multi-device or budget matters more than absolute fastest.
• CyberGhost - Cheapest serious VPN long-term. Pick if budget matters and streaming Nord-tier reliability isn't required.
• PIA (Private Internet Access) - Pick if you need port forwarding and trust the verified-by-court no-logs over jurisdiction concerns.
• Atlas VPN - Pick if you trust the Nord Security audit lineage but won't pay NordVPN prices.
• PrivadoVPN - Pick if Swiss jurisdiction matters and you want cheaper than ProtonVPN. Skip if streaming reliability is critical.
• PureVPN - Pick if heavily discounted and the 2017 legacy + always-on audit balance works for your threat model.

Outside Eyes alliances, open-source apps, anonymous payments accepted (cash, Monero). Fewer features in exchange for jurisdiction + transparency. Pick when "no one can identify me" is the actual goal, not just "Netflix from abroad".

• Mullvad - Pick if 'no one can identify me' is the actual goal. Skip if Netflix from abroad is the actual goal.
• ProtonVPN - Best privacy/feature balance. Pick if jurisdiction + open source + free tier matter; skip if max streaming speed is the priority.

Genuinely safe free tiers backed by audited paid offerings. Useful for occasional browsing, public WiFi, light privacy. Avoid sketchy free VPN extensions in the Chrome Web Store - those are usually proxies that sell data.

• ProtonVPN (unlimited data, 3 countries) - Best privacy/feature balance. Pick if jurisdiction + open source + free tier matter; skip if max streaming speed is the priority.
• Windscribe (10GB/mo (with email confirm)) - Pick for the most-generous free tier or for restrictive networks (Stealth/WStunnel). Skip if formal audit matters.
• PrivadoVPN (10GB/mo, single device) - Pick if Swiss jurisdiction matters and you want cheaper than ProtonVPN. Skip if streaming reliability is critical.
• TunnelBear (500MB/mo (no email needed)) - Pick if you value audit transparency and don't need streaming or torrenting. Avoid free tier if expecting daily use.
• Hotspot Shield (500MB/day (US-only server)) - Pick for high-bandwidth streaming on flaky connections. Skip if you want external-audit-confirmed no-logs.

Long-running brands. Some have past logging incidents (HMA 2011, IPVanish 2018, PureVPN 2017) that they've since cleaned up via audits and ownership changes. If you're picking based on track record, factor in both legacy and current operations.

• HMA (HideMyAss) - Pick if discounted heavily and the 2011 history doesn't matter for your threat model. Otherwise NordVPN/Surfshark for similar leak protection.
• TunnelBear - Pick if you value audit transparency and don't need streaming or torrenting. Avoid free tier if expecting daily use.
• IPVanish - Pick if speed and unlimited devices matter, and the 2018 history doesn't disqualify a VPN for you.
• PIA (Private Internet Access) - Pick if you need port forwarding and trust the verified-by-court no-logs over jurisdiction concerns.