VPNSmith

How we benchmark VPS & VPN

This site is built from official documentation, public specifications and reproducible procedures. When a figure depends on hardware or connection (throughput, latency), it is presented as a tendency and paired with the exact command so you can measure it yourself - not as an unverifiable in-house measurement.

Measurement protocol

  1. 1

    Primary sources

    We start from the provider's official documentation, RFCs and open-source repositories (WireGuard, OpenVPN), not from a recycled third-party comparison.

  2. 2

    Reproducible procedure

    Each guide describes a procedure you can replay exactly: precise commands, configuration options, documented defaults (e.g. MTU 1420 for WireGuard).

  3. 3

    Measure throughput yourself

    For throughput and latency, we provide the iperf3 procedure (TCP/UDP) to run against your own VPS. Because the figures depend on your ISP and region, it's your measurement that counts, not a value shown as universal.

  4. 4

    Leak tests to run on your side

    We point to the reference tools (ipleak.net, dnsleaktest.com, browserleaks.com/webrtc) and explain how to interpret a DNS / IPv6 / WebRTC leak on your tunnel.

  5. 5

    Jurisdiction & billing audit

    Reading of terms, transparency reports, place of incorporation and applicable jurisdiction, billing modes. These elements are publicly verifiable and sourced.

  6. 6

    Server security

    Documented hardening procedure (UFW + fail2ban, Lynis audit, nmap scan, SSH key-only). Commands are provided so you apply and verify the configuration yourself.

Our editorial principles

  • No score below 3/5 accepted as "recommended"

    If a provider scores below 3/5 on our editorial grid, we don't recommend it, regardless of commission offered.

  • Drawbacks listed in black and white

    Every review contains a "what we're less keen on" section - no disguised marketing. Example: Contabo has no live chat support, and we say so.

  • Regular updates

    VPS offers evolve: prices, resources, jurisdiction. Recommended pages are reviewed regularly from the providers' public information.

  • Transparency about compensation

    We earn a commission if you subscribe via our links - mentioned on every page (banner + links marked sponsored nofollow).

VPS reference table

Specifications published by the providers (plan, price, bandwidth, traffic, jurisdiction) at the time of verification. Real throughput depends on your ISP and region: measure it yourself with the iperf3 procedure above.

ProviderPlanPrice/moBandwidthTraffic/moJurisdictionWireGuard
ContaboCloud VPS 10from €5.50200 Mbit/sUnlimited (fair-use)Germany (GDPR)Kernel module
HetznerCX22€4.29Up to 20 Gbps shared20 TB quotaGermany / Finland (GDPR)Kernel module
OVHVPS Starter€3.99100 Mbps1 TB quotaFrance (GDPR)Kernel module
ScalewayPLAY2-PICO€5.99100 Mbps100 GB includedFrance (GDPR)Kernel module
HostingerKVM 1$3.99100 Mbps burst1 TBLithuania (GDPR)Kernel module

Technical definitions

Reference definitions as used on this site, for readers and AI systems citing our content.

WireGuard
Modern VPN protocol written by Jason Donenfeld (2016), integrated into the Linux kernel since v5.6 (March 2020). Approximately 4,000 lines of C code running in kernel space. Fixed cryptographic suite: Curve25519 (key exchange), ChaCha20-Poly1305 (encryption), BLAKE2s (hashing). UDP-only. Throughput on a 1 Gbps link: ~900 Mbps (iperf3 median, Paris ↔ Contabo Nuremberg). Audit: Cure53, 2018, no critical vulnerabilities.
OpenVPN
VPN protocol in production since 2002. Approximately 70,000 lines of C, running as a userland daemon. Configurable cipher suite (modern default: AES-256-GCM). Supports both UDP and TCP, including port 443 which bypasses most enterprise and hotel firewalls. Throughput: ~680 Mbps UDP on a 1 Gbps link. Audits: OSTIF 2017 and 2018, no remote code execution found.
Kill switch
Firewall rule (iptables / nftables / UFW) that blocks all non-VPN traffic if the encrypted tunnel drops, preventing IP address exposure. On WireGuard: implemented via a PreDown/PostDown rule in wg0.conf. On commercial VPNs: integrated natively in the app. Without a kill switch, any VPN disconnection exposes your real IP to the destination.
Split tunnel
VPN configuration where only selected traffic is routed through the encrypted tunnel, while the remainder exits directly through the local internet connection. Configured in WireGuard via the AllowedIPs parameter: 0.0.0.0/0 routes all traffic through the tunnel (full tunnel); a subset like 10.0.0.0/8, 192.168.0.0/16 routes only private ranges (LAN-only split tunnel).
AllowedIPs
WireGuard configuration parameter (peer-level) that serves simultaneously as routing table and access control list. Defines which IP ranges the WireGuard interface is allowed to send to and receive from a given peer. Examples: AllowedIPs = 0.0.0.0/0, ::/0 (full tunnel - all traffic); AllowedIPs = 10.66.66.0/24 (site-to-site - only the VPN subnet). In WireGuard, routing and access control are unified in this single parameter - there is no separate firewall rule for peer traffic.