A VPN encrypts all of the Internet traffic between your computer and the VPN server, preventing anyone on your local network, or connection points along the way, from monitoring or modifying your traffic. Beyond the VPN server (in other words, on the rest of the way to whatever Internet server you’re connecting to), your traffic mixes with traffic from other people on the VPN and the rest of the Internet. Ideally, that makes your traffic traceable only to the VPN server, not to your home, office, or computer. You can read a more detailed explanation in our post about what a VPN is and when using one makes sense.

Connecting to a VPN is fairly simple. In Windows, press the Windows key, type VPN, and click the Set up a virtual private network (VPN) connection option. (If you use Windows 8, you’ll have to click the Settings category after searching.) Use the wizard to enter the address and login credentials of the VPN service you want to use. You can then connect to and disconnect from VPNs using the network icon in the system tray – the same one where you manage the Wi-Fi networks you’re connected to.
We're slightly surprised that ExpressVPN wasn't #1 in the rankings, as Reddit users really seem to love it (or as close to love as you can get with the ultra picky Reddit community). If you do a Reddit search on any other VPN, someone in the comments will say Express is better. At first glance, it already looks a lot more user friendly and a lot more trustworthy than PureVPN. In his ExpressVPN review, Redditor bigkenw writes:
A good VPN provider cares about its customers and can offer a free trial version for the user to test and decide on a choice. Moreover, some VPNs will please you with a money back guarantee. If within 30 days of using the VPN, it does not suit you or does not satisfy your needs, you can take advantage of the return guarantee and be sure that you will get your money back.
Dang, "complete BS service" is pretty harsh. We did see some positive comments from users mentioning that they didn't have these problems. Others also mentioned that it's a good idea to test out every VPN service with a money-back guarantee just to see how they work, because why not? Unless you're in China — CyberGhost servers are apparently not the greatest there. Get one month for $12.99, one year for $5.25/month, two years for $3.69/month, or three years for $2.50/month. (There is a free version, but Reddit users warn to not even think about it.)
A VPN client on a remote user's computer or mobile device connects to a VPN gateway on the organization's network. The gateway typically requires the device to authenticate its identity. Then, it creates a network link back to the device that allows it to reach internal network resources -- e.g., file servers, printers and intranets -- as though the gateway is on the network locally.

Consumers use a private VPN service, also known as a VPN tunnel, to protect their online activity and identity. By using an anonymous VPN service, a user's Internet traffic and data remain encrypted, which prevents eavesdroppers from sniffing Internet activity. VPN services are especially useful when accessing public Wi-Fi hotspots because the public wireless services might not be secure. In addition to public Wi-Fi security, a private VPN service also provides consumers with uncensored Internet access and can help prevent data theft and unblock websites.

The best part of all: all plans are backed up by a 31-day refund guarantee. This allows you to test-drive the service and its capabilities. Acceptable payment methods are quite diverse and include options like PayPal, AliPay, Payment Wall, Bitcoin and even Gift Cards. Once you start using the service, you get to leverage fast vpn speeds and strong unblocking features.
VPNArea is one of the few providers that offer dedicated IP addresses in various countries around the world, as listed on their website. They also allow account sharing and permit six simultaneous connections per subscription. VPNArea continues to improve and remains an excellent choice for privacy-focused users. Check out their discount pricing for annual plans. [Learn more >]
In addition to blocking malicious sites and ads, some VPNs also claim to block malware. We don't test the efficacy of these network-based protections, but most appear to be blacklists of sites known to host malicious software. That's great, but don't assume it's anywhere near as good as standalone antivirus. Use this feature to complement, not replace, your antivirus.
L2TP/IPsec (Layer 2 Tunneling Protocol with Internet Protocol Security): L2TP is not secure itself, so it's generally paired with the IPsec secure-networking standard. The combination of the two was once thought to be very secure when properly implemented, but some VPN services suggest that you use OpenVPN instead. L2TP/IPsec has native support in Windows, OS X/macOS, Android, Chrome OS and iOS. Most VPN services support it.
IVPN was one of the fastest providers when we tested US servers using the Internet Health Test. Our budget pick, TorGuard, was faster, but it defaults to the less secure 128-bit encryption. Our non-VPN connection tested at roughly 300 Mbps down. Some tested services are not listed because connection failures prevented some of our tests from completing.
Disclaimer: Top10VPN is not a VPN service and does not endorse the use of VPNs for unlawful means. Users should ensure they adhere to all applicable laws and terms of service when using a VPN. We have no control over third-party websites and your use of them may be governed by their terms and conditions. We are an advertising-supported comparison and review site and may be compensated for featuring certain providers. We strive to keep the information on our Website up-to-date and accurate, but we do not guarantee that this will always be the case.
OpenVPN: OpenVPN is very secure, open-source and widely used. Most VPN services support it, but except for Chrome OS and Linux, few operating systems do. This protocol can be used in either TCP (web) or UDP (streaming) mode; the latter is sloppier but faster. You'll need either the VPN service's client software or one of the many free alternatives. Either way, you'll still need to pay for the VPN service.
Nevertheless, the point of a VPN is to remain private and to have your internet activity kept as private as possible. For that reason, we’re choosing Mullvad as the best overall VPN (see our full review of Mullvad). The company recently released an overhauled desktop client, and the VPN does a great job at privacy. Mullvad doesn’t ask for your email address, and you can mail your payment in cash if you want to. Like many other VPNs, Mullvad has a no-logging policy and doesn’t even collect any identifying metadata from your usage.

If you're trying to connect to a remote media source with Kodi, a VPN would likely play a different role. It might, for example, prevent your ISP from determining what you're up to. It might also be useful if you're connecting to a third-party service for Kodi that allows streaming of copyright-infringing material. Keep in mind, however, that some VPN services specifically forbid the use of their services for copyright infringement.
The Center for Democracy & Technology brought just such a complaint against one VPN provider last year, though no enforcement action has been announced. Many privacy sites suggest finding a VPN service outside the prying eyes of US intelligence agencies and their allies, but FTC protections could be an argument for finding one in the US so that there’s a penalty if it deceives its customers.
Hotspot Shield depends on a custom VPN protocol that's not been publicly analyzed by independent experts. We don't know how private or secure it really is. The company has been accused of spying on users (it denies the allegations), and complaints abound online about Hotspot Shield software installing on PCs without users' permission. All this, and the company's U.S. location, may scare away customers who want to protect their privacy.

Avast SecureLine is also expensive, and based on current speed results for the UK and U.S., you’re probably better off shopping around for a better deal; SecureLine works out at £49.99 a year for a single device (equivalent to £4.17 a month). If you want to connect more than one computer or mobile device, a five-licence account will cost you £64.99 a year.


The TorGuard Windows client was easy to install and made quick work of connecting to a VPN server, including the ability to choose a server location prior to connecting. The internet speed on our test system dropped from our usual 125 Mb/s download to 53 Mb/s, and our upload ran at 17 Mb/s compared to our usual 20 Mb/s. That’s not the best performance in our testing, but all internet services that we tested worked without a hitch, including Netflix and Amazon Prime Video.
TunnelBear has some strong supporters among Wirecutter’s staff. The company has a public history of transparency, staff listings, and the clearest privacy policy of any VPN service we’ve found, plus TunnelBear is one of the only VPNs to release a public audit of its system. But the service was one of the least reliable we tried. In four of our 18 connection tests, we managed broadband speeds; in a handful of others TunnelBear was well below the average, and in even more it failed to provide a usable connection at all. As we were writing this guide, security giant McAfee announced that it had acquired TunnelBear. Fans of the service should keep an eye out for changes to its privacy stance and transparency as the US-based firm takes over.
IPVanish’s endpoints in the Netherlands fared well, too, with us consistently getting speeds of between 8.5MB/s (68Mbit/s) and 9.5MB/s (76Mbit/s). UK speeds however fell way short of expectations – we recorded a relatively feeble 3.2MB/s (25.6Mbit/s) via FTP and 3MB/s (24Mbit/s) via HTTP. We were also unable to connect to BBC iPlayer this time around as well.

Each internet request usually results in a whole series of communication events between multiple points. The way a VPN works is by encrypting those packets at the originating point, often hiding not only the data, but also the information about your originating IP address. The VPN software on your end then sends those packets to VPN server at some destination point, decrypting that information.

Make sure when allocating VPN connections that the remote computers meet the same security requirements as computers on your local LAN—stricter, if possible. At a minimum, all remote VPN clients should have antivirus software and firewall software to offer some minimal protection, although some personal firewall software can interfere with some VPN client software. Include VPN client systems, such as home computers, field laptops, and partner and vendor machines, in all security assessments or vulnerability scans that you perform. You can check them the same way you check your local machines by making sure your remote VPN clients are logged on when you do your security testing and including the VPN IP range in your tests. Just make sure you get permission before you scan any machines your company doesn't own. If you use Active Directory (AD), you can also push out a standard security policy to your Win2K or later VPN clients to make sure that they conform to the policy for machines on your network.
If your VPN will primarily support remote users such as telecommuters and traveling employees and these users will access internal LAN resources that use a Network Address Translation (NAT) address rather than a routable IP address, you might have problems with some vendors' VPN products. NAT lets multiple internal network hosts use nonroutable IP addresses to access the Internet through one IP address on a firewall or router. This arrangement provides an additional level of security and lets a company be much more flexible with its address assignments than if it used real IP addresses for all its hosts.

What is a relay attack (with examples) and how can you prevent them?January 31, 2019 / by Penny HoelscherARP poisoning/spoofing: How to detect & prevent itJanuary 30, 2019 / by Josh LakeCybersecurity before, during, and after your moveJanuary 29, 2019 / by Aimee O'DriscollHow to Use Offensive Techniques to Enrich Threat IntelligenceJanuary 29, 2019 / by David BalabanHow to use Tor country codes on Windows, Mac & Linux to spoof your locationJanuary 17, 2019 / by Josh Lake

If you’re going to use torrents, however, life is easier if you use a VPN—especially if the network you’re on blocks torrenting. There are many VPNs among our top picks that could be used for downloading torrents, but our preferred choice is Private Internet Access. This no-frills VPN has an absolute ton of servers, good speeds, and a nice amount of country locations to remain relatively anonymous. (Read our full review.) The price is right at less than $40 a year, and its privacy policies have been tested in court. Plus, advanced users can adjust their level of encryption for data encryption, data authentication, and handshake.
For mobile devices, the situation is a little thornier. Most companies offer VPN apps for Android and iOS, which is great because we use these devices to connect to Wi-Fi all the time. However, VPNs don't always play nice with cellular connections. That said, it takes some serious effort to intercept cellphone data, although law enforcement or intelligence agencies may have an easier time gaining access to this data, or metadata, through connections with mobile carriers or by using specialized equipment.
This again singles out NordVPN from the rest, as it boasts the largest server database in the marketplace. However, things do not just end here; you also receive multiple protocol support, which includes PPTP, L2TP/IPSec, OpenVPN, and IKEv2. Moreover, you have native apps for all platforms/devices, along with manual setup guides and built-in VPN routers. This comes in handy for configuring a secure connection around your house.
Not all mobile VPN apps are created equal. In fact, most VPN providers offer different services (and sometimes, different servers) for their mobile offerings than they do for their desktop counterparts. We're pleased to see that NordVPN and Private Internet Access provide the same excellent selection of servers regardless of platform. These apps received an Editors' Choice nod both for desktop VPN apps and Android VPN apps.
Avast SecureLine is also expensive, and based on current speed results for the UK and U.S., you’re probably better off shopping around for a better deal; SecureLine works out at £49.99 a year for a single device (equivalent to £4.17 a month). If you want to connect more than one computer or mobile device, a five-licence account will cost you £64.99 a year.
VPN was not the first technology to make remote connections. Several years ago, the most common way to connect computers between multiple offices was by using a leased line. Leased lines, such as ISDN (integrated services digital network, 128 Kbps), are private network connections that a telecommunications company could lease to its customers. Leased lines provided a company with a way to expand its private network beyond its immediate geographic area. These connections form a single wide-area network (WAN) for the business. Though leased lines are reliable and secure, the leases are expensive, with costs rising as the distance between offices increases.
Secure Shell (SSH) is a secure version of Telnet that you can use to log on and open a command line on a remote machine. You can also use SSH to establish an encrypted tunnel between two machines, effectively creating a VPN. Different versions of SSH use RSA or Digital Signature Algorithm (DSA) for secure key exchange and 3DES or Blowfish for data encryption. You can use a free program such as Stunnel (http://www.stunnel.org) along with a free version of SSH such as OpenSSH (http://www.openssh.org) to tunnel protocols such as Web and mail protocols through an encrypted SSH tunnel. All you need is a machine at either end running both these programs. SSH and Stunnel are an inexpensive way to implement a VPN, although setting up such a VPN requires a lot of configuration and might not scale to handle a large number of machines. An SSH VPN can, however, make a nice solution for connecting two servers that need to communicate securely, such as a Web server and a back-end database server.
For a VPN that services telecommuters, consider using a vendor that offers a firewall with separate zones for work and home machines that share an Internet connection. As Figure 2 shows, the firewall's trusted zone gives the telecommuter's work PC access to the Internet and VPN access to the corporate LAN, and an untrusted zone allows a personal machine access to the Internet only. SonicWALL and WatchGuard currently offer such firewalls, which aren't much more expensive than home routers and eliminate worries about the other computers on your telecommuters' home LANs. However, multizone home firewalls don't eliminate the need to continually verify the security of remote VPN clients.
To prevent middle-man access and to ensure that the data is sent via a secure tunnel, certain criteria should be met. The criteria include a DNS Leak Protection (over IPv4, IPv6 and WebRTC), encrypted traffic via a Private tunnel, and hopefully no logs of the data saved anywhere. However, if the government wants to see which websites and web locations a user visits, the ISP provider can demand and get that information. Thus, no real anonymity is achieved, but the specific data will be encrypted, secure and free from middle-man attacks.
The heart of the security a VPN provides is its encryption keys—the unique secret that all your VPN devices share. If the keys are too short, VPN data is susceptible to brute-force cracking. You can often choose the key length to use in your VPN implementation. The longer you make keys, the harder they are to break, but the trade-off is that longer keys also require more processor power for encryption and might slow packet throughput. The minimum recommended key length now is 64 bits (128 bits, if possible) for the symmetric ciphers that encrypt the data and 2048 bits for public key cryptography such as RSA. Modern desktop computers can often crack 40-bit and shorter keys, such as those that DES uses.
However, things do not just end here, as the VPN even offers plenty of advanced features. These include NAT Firewall for preventing malicious attempts on your network. Split Tunneling and SOCKS5 proxy for improved performance to download torrents and stream content online. Ad/Tracker blocking features to hide away those irritating adverts when browsing the internet.
Inside the Preferences pane, you can also tick boxes to automatically launch or connect the app when you boot your device. Anyone using the Windows or macOS app should tick the box to autoconnect “when joining insecure WiFi networks.” You can also tag individual Wi-Fi networks as trusted or untrusted, to make sure you’re always protected even if you forget to connect the app manually. These network rules—not offered on most apps, including IVPN’s mobile apps or any of TorGuard’s apps—will make sure you don’t forget your VPN when you need it the most.

Tunneling protocols can operate in a point-to-point network topology that would theoretically not be considered as a VPN, because a VPN by definition is expected to support arbitrary and changing sets of network nodes. But since most router implementations support a software-defined tunnel interface, customer-provisioned VPNs often are simply defined tunnels running conventional routing protocols.

That attitude to the safety and privacy of personal data creates an enormous risk when it comes to online security. Public Wi-Fi networks, which are ubiquitous and convenient, are unfortunately also extremely convenient for attackers who are looking to compromise your personal information. How do you know, for example, that "starbucks_wifi_real" is actually the Wi-Fi network for the coffee shop? Anyone could have created that network, to lure victims into disclosing personal information. In fact, a popular security researcher prank is to create a network with the same name as a free, popular service and see how many devices will automatically connect because it appears safe.
×