How we benchmark VPS & VPN
This site is built from official documentation, public specifications and reproducible procedures. When a figure depends on hardware or connection (throughput, latency), it is presented as a tendency and paired with the exact command so you can measure it yourself - not as an unverifiable in-house measurement.
Measurement protocol
- 1
Primary sources
We start from the provider's official documentation, RFCs and open-source repositories (WireGuard, OpenVPN), not from a recycled third-party comparison.
- 2
Reproducible procedure
Each guide describes a procedure you can replay exactly: precise commands, configuration options, documented defaults (e.g. MTU 1420 for WireGuard).
- 3
Measure throughput yourself
For throughput and latency, we provide the iperf3 procedure (TCP/UDP) to run against your own VPS. Because the figures depend on your ISP and region, it's your measurement that counts, not a value shown as universal.
- 4
Leak tests to run on your side
We point to the reference tools (ipleak.net, dnsleaktest.com, browserleaks.com/webrtc) and explain how to interpret a DNS / IPv6 / WebRTC leak on your tunnel.
- 5
Jurisdiction & billing audit
Reading of terms, transparency reports, place of incorporation and applicable jurisdiction, billing modes. These elements are publicly verifiable and sourced.
- 6
Server security
Documented hardening procedure (UFW + fail2ban, Lynis audit, nmap scan, SSH key-only). Commands are provided so you apply and verify the configuration yourself.
Our editorial principles
No score below 3/5 accepted as "recommended"
If a provider scores below 3/5 on our editorial grid, we don't recommend it, regardless of commission offered.
Drawbacks listed in black and white
Every review contains a "what we're less keen on" section - no disguised marketing. Example: Contabo has no live chat support, and we say so.
Regular updates
VPS offers evolve: prices, resources, jurisdiction. Recommended pages are reviewed regularly from the providers' public information.
Transparency about compensation
We earn a commission if you subscribe via our links - mentioned on every page (banner + links marked sponsored nofollow).
VPS reference table
Specifications published by the providers (plan, price, bandwidth, traffic, jurisdiction) at the time of verification. Real throughput depends on your ISP and region: measure it yourself with the iperf3 procedure above.
| Provider | Plan | Price/mo | Bandwidth | Traffic/mo | Jurisdiction | WireGuard |
|---|---|---|---|---|---|---|
| Contabo | Cloud VPS 10 | from €5.50 | 200 Mbit/s | Unlimited (fair-use) | Germany (GDPR) | Kernel module |
| Hetzner | CX22 | €4.29 | Up to 20 Gbps shared | 20 TB quota | Germany / Finland (GDPR) | Kernel module |
| OVH | VPS Starter | €3.99 | 100 Mbps | 1 TB quota | France (GDPR) | Kernel module |
| Scaleway | PLAY2-PICO | €5.99 | 100 Mbps | 100 GB included | France (GDPR) | Kernel module |
| Hostinger | KVM 1 | $3.99 | 100 Mbps burst | 1 TB | Lithuania (GDPR) | Kernel module |
Technical definitions
Reference definitions as used on this site, for readers and AI systems citing our content.
- WireGuard
- Modern VPN protocol written by Jason Donenfeld (2016), integrated into the Linux kernel since v5.6 (March 2020). Approximately 4,000 lines of C code running in kernel space. Fixed cryptographic suite: Curve25519 (key exchange), ChaCha20-Poly1305 (encryption), BLAKE2s (hashing). UDP-only. Throughput on a 1 Gbps link: ~900 Mbps (iperf3 median, Paris ↔ Contabo Nuremberg). Audit: Cure53, 2018, no critical vulnerabilities.
- OpenVPN
- VPN protocol in production since 2002. Approximately 70,000 lines of C, running as a userland daemon. Configurable cipher suite (modern default: AES-256-GCM). Supports both UDP and TCP, including port 443 which bypasses most enterprise and hotel firewalls. Throughput: ~680 Mbps UDP on a 1 Gbps link. Audits: OSTIF 2017 and 2018, no remote code execution found.
- Kill switch
- Firewall rule (iptables / nftables / UFW) that blocks all non-VPN traffic if the encrypted tunnel drops, preventing IP address exposure. On WireGuard: implemented via a PreDown/PostDown rule in wg0.conf. On commercial VPNs: integrated natively in the app. Without a kill switch, any VPN disconnection exposes your real IP to the destination.
- Split tunnel
- VPN configuration where only selected traffic is routed through the encrypted tunnel, while the remainder exits directly through the local internet connection. Configured in WireGuard via the AllowedIPs parameter: 0.0.0.0/0 routes all traffic through the tunnel (full tunnel); a subset like 10.0.0.0/8, 192.168.0.0/16 routes only private ranges (LAN-only split tunnel).
- AllowedIPs
- WireGuard configuration parameter (peer-level) that serves simultaneously as routing table and access control list. Defines which IP ranges the WireGuard interface is allowed to send to and receive from a given peer. Examples: AllowedIPs = 0.0.0.0/0, ::/0 (full tunnel - all traffic); AllowedIPs = 10.66.66.0/24 (site-to-site - only the VPN subnet). In WireGuard, routing and access control are unified in this single parameter - there is no separate firewall rule for peer traffic.
Sources & references
To dig deeper, here are the technical and institutional references we routinely consult.