Many VPN services also provide their own DNS resolution system. Think of DNS as a phone book that turns a text-based URL like "pcmag.com" into a numeric IP address that computers can understand. Savvy snoops can monitor DNS requests and track your movements online. Greedy attackers can also use DNS poisoning to direct you to bogus phishing pages designed to steal your data. When you use a VPN's DNS system, it's another layer of protection.
If you’re seriously concerned about government surveillance—we explain above why that should be most people’s last consideration when choosing a VPN—some expert sites like privacytools.io recommend avoiding services with a corporate presence in the US or UK. Such experts warn about the “14 eyes,” a creepy name for a group of countries that share intelligence info, particularly with the US. IVPN is based in Gibraltar, a British Overseas Territory. We don’t think that makes you any worse off than a company based in Switzerland, Sweden, or anywhere else—government surveillance efforts around the world are so complicated and clandestine that few people have the commitment, skills, or technology to avoid it completely. But because Gibraltar’s status has been a topic of debate in other deep dives on VPNs, we’d be remiss if we didn’t mention it.
ExpressVPN’s “#1 Trusted Leader in VPN” claim may be a bit difficult to prove, but the service offers a compelling list of features nonetheless. It also constantly tries to make consistent improvements in speed and simultaneous streaming capabilities, and with support for all major platforms (Windows, MacOS, Android, etc.), you won’t need to worry about compatibility. ExpressVPN shows up on a number of “best VPN” lists, and so its relatively high prices are justified.
HTTPS is a powerful tool that everyone should use because it helps keep sensitive browsing private at no extra cost to the people using it. But like most security standards, it has its own problems too. That little lock icon in your browser bar, which indicates the HTTPS connection, relies on a certificate “signed” by a recognized authority. But there are hundreds of such authorities, and as the EFF says, “the security of HTTPS is only as strong as the practices of the least trustworthy/competent CA [certificate authorities].” Plus, there have been plenty of news stories covering minor and even major vulnerabilities in the system. Some security professionals have worried about those least-competent authorities, spurring groups to improve on the certificate standards and prompting browsers to add warnings when you come across certificates and sites that don’t withstand scrutiny. So HTTPS is good—but like anything, it isn’t perfect.
With Kodi, you can access your media over a local connection (LAN) or from a remote media server, if that's your thing. This is, presumably, where concerns about VPN enter the picture. A device using a VPN, for example, will have its connection encrypted on the local network. You might have trouble connecting to it. Using Chromecast on a VPN device just doesn't work, for example. Kodi users might have the same issue.
Some VPNs offer “split tunneling,” which routes all traffic through your VPN except specific services or sites that you allow. For example, you might want to send your Web traffic through your VPN but stream Netflix on your fast, domestic connection. But these types of rules are complicated to implement without also leaking other important information, and we didn’t assess how effective they were in practice.
When we say that in theory VPNs can’t be intercepted, that’s because VPNs are like any other form of security: if you use them on a device that’s already been compromised by malware such as keyloggers or other security threats then they can’t do their job properly. If you’re on Windows, then good quality, up to date anti-virus software isn’t a luxury. It’s absolutely essential.
L2TP/IPsec (Layer 2 Tunneling Protocol with Internet Protocol Security): L2TP is not secure itself, so it's generally paired with the IPsec secure-networking standard. The combination of the two was once thought to be very secure when properly implemented, but some VPN services suggest that you use OpenVPN instead. L2TP/IPsec has native support in Windows, OS X/macOS, Android, Chrome OS and iOS. Most VPN services support it.
Even if none of the above really sound right to you, you can still benefit from using a VPN. You should definitely use one when you travel or work on an untrusted network (read: a network you don’t own, manage, or trust who manages.) That means opening your laptop at the coffee shop and logging in to Facebook or using your phone’s Wi-Fi to check your email at the airport can all potentially put you at risk.
What that means in practice is that VPNs are fine for bypassing geo-blocks, for protecting your online banking and for keeping business communications free from interception. However, if you’re using the internet to fight repressive regimes or to do anything else that could attract the attention of the authorities where you live, a VPN is not a magic wand that’ll make you invisible.
Some VPN services provide a free trial, so take advantage of it. Make sure you are happy with what you signed up for, and take advantage of money-back guarantees if you're not. This is actually why we also recommend starting out with a short-term subscription—a week or a month—to really make sure you are happy. KeepSolid VPN Unlimited offers a one-week Vacation subscription, for example. Yes, you may get a discount by signing up for a year, but that's more money at stake should you realize the service doesn't meet your performance needs.
Our VPN-issued IP address was never blacklisted by websites like those of Yelp and Target, but we were unable to access Netflix and BBC iPlayer while connected to TorGuard. No VPN offers a reliable way to access these streaming services, though: All of the VPNs we tried were blocked by Netflix, and of the four that could access BBC content on the first day, two were blocked the next.
We have often said that having to choose between security and convenience is a false dichotomy, but it is at least somewhat true in the case of VPN services. When a VPN is active, your web traffic is taking a more circuitous route than usual, often resulting in sluggish download and upload speeds as well as increased latency. The good news is that using a VPN probably isn't going to remind you of the dial-up days of yore.
The main reason to use a VPN is security - in theory, the data that travels across your VPN should be impossible for anybody else to intercept, so it can protect your online banking or confidential business communications - but there are other benefits too. VPNs can make it much harder for advertising to track you online, and they can overcome geography-specific blocks that prevent you from accessing some country-specific services such as online video.
Everything you do on the Internet has to pass through your own ISP before reaching the destination. So, when you request Google, for example, the information is sent, unencrypted, to your ISP and then passes through some other channels before reaching the server that holds Google’s website. Basically, VPN services privatize information that can be read by ISPs or any other agency that inspects your traffic.
Many companies proudly display “warrant canaries” on their websites. These are digitally signed notices that say something to the effect of “We have never been served a warrant for traffic logs or turned over customer information.” Law enforcement can prohibit a company from discussing an investigation, but in theory, it can’t compel a company to actively lie. So the theory goes that when the warrant canary dies—that is, the notice disappears from the website because it’s no longer truthful—so does privacy. The EFF supports this legal position, though other highly regarded companies and organizations think warrant canaries are helpful only for informing you after the damage has been done. Such notices may provide a nice sense of security, and they are important to some people, but we didn’t consider them essential.
One of the most important factors when you’re choosing a VPN provider is also the hardest to quantify: trust. All your Internet activity will flow through this company’s servers, so you have to trust that company more than the network you’re trying to secure, be it a local coffee shop’s Wi-Fi, your campus Internet connection, your corporate IT network, or your home ISP. In all our research, we came across a lot of gray areas when it came to trusting a VPN, and only two hard rules: Know who you’re trusting, and remember that security isn’t free.
The practical uses for a VPN service are plentiful. Want to access a website that your ISP has blocked? A VPN puts that website just one click away. Want to access the US version of Netflix from the UK? Just set your VPN to a US location and you're there. Want to access porn without your ISP or your business knowing about it? Want to download torrents without being blocked by your ISP? It's easy.
Trust and transparency issues are the foremost concerns in choosing a great VPN, and if a service doesn’t have enough locations to be useful to you, all the security features won’t make a difference. But after those concerns have been satisfied, we recommend that most people use connections based on the OpenVPN protocol, because of security flaws and disadvantages in the PPTP and L2TP/IPsec protocols. (Experienced users may consider IKEv2, but because it has its own debated pros and cons, we ruled it out.) Though AES 128-bit encryption is fine for most purposes, we prefer services that default to the more-secure 256-bit encryption and still offer good performance.
IPVanish’s endpoints in the Netherlands fared well, too, with us consistently getting speeds of between 8.5MB/s (68Mbit/s) and 9.5MB/s (76Mbit/s). UK speeds however fell way short of expectations – we recorded a relatively feeble 3.2MB/s (25.6Mbit/s) via FTP and 3MB/s (24Mbit/s) via HTTP. We were also unable to connect to BBC iPlayer this time around as well.
Whereas most providers say they log nothing, that’s not always the case. Some record very little data like the day you subscribed, the amount of data you’ve consumed, and delete those logs when you end the session. Other providers log your IP address, the servers you used, and store those logs. If they’re based in the US, UK or any other country with data retention laws, they can be compelled to hand over that data to law enforcement.
The student/worker. This person has responsibilities to attend to, and uses a VPN provided by their school or company to access resources on their network when they’re at home or traveling. In most cases, this person already has a free VPN service provided to them, so they’re not exactly shopping around. Also, if they’re worried about security, they can always fire up their VPN when using airport or cafe WI-Fi to ensure no one’s snooping on their connection. Photo by Ed Yourdon.
However, you've got no choice but to run TunnelBear's client software (unless you use Linux), which may concern some privacy-minded users, and there's no option to set up TunnelBear connections on routers or other devices. Last but not least, this tiny Canadian firm is now owned by U.S. antivirus giant McAfee, which may mean TunnelBear is subject to U.S. search warrants.
With endpoints in 18 countries, Kaspersky Secure Connection can be set up so that it connects automatically, connects to an endpoint in a certain country by default, or seeks to establish a connection whenever you connect to an insecure Wi-Fi hotspot. You don’t, however get an automatic killswitch, so if your VPN connection goes south, you won’t be automatically disconnected.
A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption. A VPN available from the public Internet can provide some of the benefits of a wide area network (WAN). From a user perspective, the resources available within the private network can be accessed remotely.