DNS servers are a bit like the phone books of the Internet: You can type in “thewirecutter.com,” for instance, and one of the many DNS servers behind the scenes can point you to the IP address of a server hosting the site. Most of the time, your DNS requests automatically route through your ISP, giving the ISP an easy way to monitor your traffic. Some VPN services rely on third-party DNS servers, but the best ones keep DNS servers in-house to prevent your browsing history, or your IP address, from getting out.
When we say that in theory VPNs can’t be intercepted, that’s because VPNs are like any other form of security: if you use them on a device that’s already been compromised by malware such as keyloggers or other security threats then they can’t do their job properly. If you’re on Windows, then good quality, up to date anti-virus software isn’t a luxury. It’s absolutely essential.
A Virtual Private Network is a connection method used to add security and privacy to private and public networks, like WiFi Hotspots and the Internet. Virtual Private Networks are most often used by corporations to protect sensitive data. However, using a personal VPN is increasingly becoming more popular as more interactions that were previously face-to-face transition to the Internet. Privacy is increased with a Virtual Private Network because the user's initial IP address is replaced with one from the Virtual Private Network provider. Subscribers can obtain an IP address from any gateway city the VPN service provides. For instance, you may live in San Francisco, but with a Virtual Private Network, you can appear to live in Amsterdam, New York, or any number of gateway cities.
Speed-wise, Avast SecureLine did well in our European speed tests, with us recording over 9.83MB/s (78.64Mbit/s) in our file transfer tests to the Netherlands. Its US performance was a little below average but still decent at 3.22MB/s (25.76Mbit/s), although UK performance was a bit slower than in our last round of tests, at 6.5MB/s (52Mbit/s) via FTP and 5.8MB/s (46.4Mbit/s) for an HTTP download.
When we talk about privacy, PureVPN is fairly decent choice among competitors. Not only does it offer high-end encryption but also has a no-logging policy. In regards to DNS leaks and such, not only that PureVPN has IPv6 covered as well as the more commonly used protocols, but you are guaranteed to get your money back, in case something goes amiss.
Israel-based Hola isn’t a traditional VPN in which customers connect to a network of centralized servers owned by the VPN company. Instead, Hola users connect to each other, using other users’ idle bandwidth as part of a large peer-to-peer network. Obviously, this comes with some pretty big security and legal concerns. Users could use each other’s internet for illegal activity, for example. In 2015, Hola used its user’s computers to create a botnet and perform a massive distributed denial-of-service (DDoS) attack. The abuse of customers’ trust happened entirely without their knowledge.
TorGuard was consistently one of the fastest services we tested. When we averaged three tests performed at different times of the week with Internet Health Test, TorGuard was the fastest service when connecting in the UK and Asia, the second fastest in the US, and the third fastest in Central Europe. OVPN was the next most consistent, but that company’s small network doesn’t have any servers in Asia, and it ranked fifth in the UK. Our top pick, IVPN, was the third most consistently fast after TorGuard and OVPN. However, we tested with each app’s default settings—since we expect most people won’t change them—and TorGuard’s default 128-bit encryption gives it an advantage in speed tests over VPNs that default to 256-bit encryption, as most services do. Still, we think 128-bit encryption is fine for most people who prioritize speed, and TorGuard’s consistency makes it a good value as our budget pick.
Users need to make sure the provider they select, offers maximum privacy and anonymity. As a result, there should be no DNS leaks. Below we conduct a leak test to ensure that you are not caught by government agencies or copyright infringement trolls in your country. We connected to a server in Singapore, and the DNS address claims the same. Nothing points to our original US location, which means you are completely secure when using Mullvad!
Switzerland is famed for its privacy-friendly legislation, and that’s where VyprVPN operates from - although its servers operate in 72 other countries to deliver unlimited data. If you’re used to VPN services absolutely killing your data speeds you’ll be positively surprised by VyprVPN: we found that our data speeds actually increased when we enabled the VPN! Not only that but there are plenty of useful options including auto-connect, a kill-switch and enhanced security via the service’s proprietary Chameleon protocol and its own DNS. VyprVPN has a free trial too so you can try it our and see what you think before you commit!
For a VPN that services telecommuters, consider using a vendor that offers a firewall with separate zones for work and home machines that share an Internet connection. As Figure 2 shows, the firewall's trusted zone gives the telecommuter's work PC access to the Internet and VPN access to the corporate LAN, and an untrusted zone allows a personal machine access to the Internet only. SonicWALL and WatchGuard currently offer such firewalls, which aren't much more expensive than home routers and eliminate worries about the other computers on your telecommuters' home LANs. However, multizone home firewalls don't eliminate the need to continually verify the security of remote VPN clients.
Tip for Chrome, Firefox, and Opera users: A feature called WebRTC can, in some Web browsers, inadvertently cause your true IP address to leak out even when you’re connected via a great VPN. WebRTC assists with peer-to-peer connections, such as for video chatting, but could be exploited in some cases. You can manually disable this function in Firefox, or use an extension to block most instances of it in Chrome or Opera. For more details and instructions, check out Restore Privacy.
What that means in practice is that VPNs are fine for bypassing geo-blocks, for protecting your online banking and for keeping business communications free from interception. However, if you’re using the internet to fight repressive regimes or to do anything else that could attract the attention of the authorities where you live, a VPN is not a magic wand that’ll make you invisible.
Many VPN services also provide their own DNS resolution system. Think of DNS as a phone book that turns a text-based URL like "pcmag.com" into a numeric IP address that computers can understand. Savvy snoops can monitor DNS requests and track your movements online. Greedy attackers can also use DNS poisoning to direct you to bogus phishing pages designed to steal your data. When you use a VPN's DNS system, it's another layer of protection.
TorGuard’s signup and payment process is also fine but not stellar. Compared with that of IVPN, the checkout process is clunky, and using a credit or debit card requires entering more personal information than with our top pick. The easiest option for anonymous payments is a prepaid debit card bought locally. Otherwise, like most providers, TorGuard accepts a variety of cryptocurrencies, PayPal, and foreign payments through Paymentwall. That last service also allows you to submit payment through gift cards from other major retailers. We don’t think this method is worth the hassle for most people, but if you have some money on a fast-food gift card you don’t want, turning it into a VPN service is a nice option.
Downloading Files: Yes, let’s be honest – many people use VPN connections to download files via BitTorrent. This can actually be useful even if you’re downloading completely legal torrents – if your ISP is throttling BitTorrent and making it extremely slow, you can use BitTorrent on a VPN to get faster speeds. The same is true for other types of traffic your ISP might interfere with (unless they interfere with VPN traffic itself.)
Since we first recommended IVPN in the spring of 2018, the company has added automatic server selection to its desktop applications, bringing it in line with other top-performing VPN apps. Alternatively, when you click on the location at the bottom of the app, you’ll see a list of all of the global IVPN server locations, color coded by speed. At the top of the list is an option to connect to the fastest one, and once selected, the app remembers your preference through future disconnects and reboots. You can also use IVPN’s multihop servers to route your traffic through two VPN servers—a feature unique to IVPN among the services we tested—though we don’t think this step is necessary for most people, given the slower speeds you’ll likely experience.
A VPN encrypts all of the Internet traffic between your computer and the VPN server, preventing anyone on your local network, or connection points along the way, from monitoring or modifying your traffic. Beyond the VPN server (in other words, on the rest of the way to whatever Internet server you’re connecting to), your traffic mixes with traffic from other people on the VPN and the rest of the Internet. Ideally, that makes your traffic traceable only to the VPN server, not to your home, office, or computer. You can read a more detailed explanation in our post about what a VPN is and when using one makes sense.
ProtonVPN is one of the newest VPN services, and it boasts some star-studded founding members. The company was founded at CERN, the birthplace of the internet, and grew out of the ProtonMAIL service that’s been protecting the email of activists and journalists for years. The service acts as a Swiss company and is thus free from the laws of the U.S. and the European Union. It’s also not a member of the “fourteen eyes surveillance network,” and user traffic isn’t logged and passes through privacy-friendly countries, so you needn’t worry about your true IP address being revealed.
PPTP. A consortium of vendors, including U.S. Robotics, Ascend Communications (now part of Lucent Technologies), 3Com, and Microsoft, developed PPTP. VPN software implementations are more likely than hardware implementations to use PPTP, although some VPN hardware vendors (e.g., Lucent in its MAX and Pipeline communication products and Nortel in its Contivity products) use it. PPTP software implementations can't handle high volumes of traffic, but PPTP hardware implementations can. PPTP 1.2 had major flaws, but version 2.0 fixed most of the problems. However, even this version 2.0 as Microsoft has implemented it is weak cryptographically because it still relies on the user's password to generate keys. In addition, PPTP's design and heavy promotion by a few large vendors such as Microsoft have made it suspect in some quarters.
With hundreds of VPN services and clients available, it can be difficult to decide which one to use. We've extensively tested several popular VPN services that met three requirements: They had both desktop and mobile client software (with one exception), they had VPN servers in many countries, and they offered unlimited data use, at least in their paid versions.
However, you've got no choice but to run TunnelBear's client software (unless you use Linux), which may concern some privacy-minded users, and there's no option to set up TunnelBear connections on routers or other devices. Last but not least, this tiny Canadian firm is now owned by U.S. antivirus giant McAfee, which may mean TunnelBear is subject to U.S. search warrants.
Hardware-based VPNs tend to be less vulnerable than software implementations because their chip-based OSs are more lightweight (i.e., they have fewer features to exploit than general-purpose OSs). Also, because they don't sit on everyone's desktop, they're less used and understood, although exploits on them aren't unheard of. For example, security researchers recently discovered several security holes in Cisco's VPN concentrators. Make sure you subscribe to your VPN vendor's security update mailing list and promptly apply all security patches.
If you use Intrusion Detection System (IDS) technology, you should know that if the IDS machine is between the Internet and the VPN concentrator that decrypts the encrypted packets (e.g., on a demilitarized zone—DMZ—network), it won't be able to detect intrusion activity that occurs between VPN-connected machines. Most IDS sensors match packet payloads to a database of intrusion signatures so that they know when to flag something as suspicious. If the packets are encrypted, they'll look like gibberish to the IDS machine. If you want your IDS machine to be able to monitor network traffic from VPN connections, make sure you place the IDS machine behind the VPN concentrator so that the IDS machine checks the traffic after the VPN concentrator decrypts it. You can't use an IDS on a software VPN, which operates directly from one VPN host to another.
Like most well-known VPN companies, IVPN supports a variety of privacy groups and causes. Pestell told us he worked with the Center for Democracy & Technology to improve trust in VPNs with a handful of transparency initiatives before they were announced. Neena Kapur of The New York Times (parent company of Wirecutter) information security team noted that IVPN’s leadership transparency and its relationship with CDT were significant pluses that contributed to its trustworthiness. Pestell was also the only representative we spoke with to offer to arrange for one of our experts to audit the company’s server and no-logging policies.1 We cover trust issues with VPNs at length elsewhere in this guide, but we believe that IVPN takes an active role in protecting its customers’ privacy and is not a dude wearing a dolphin onesie.
How to watch the 2019 GRAMMY Awards live onlineFebruary 8, 2019 / by Aimee O'Driscoll12 free and paid alternatives to CinemaNowFebruary 8, 2019 / by Mark GillHow to watch BAFTA 2019 film awards online for freeFebruary 6, 2019 / by Tom BlackstoneHow to install MX Player on FirestickNovember 29, 2018 / by Ian GarlandHow to watch Vikings Season 5 online from anywhereNovember 27, 2018 / by Tom Blackstone
Selecting servers close to you—preferably in the same country—will improve your connection speed, but that may not provide the full privacy or unrestricted access you’re looking for. If you want to access country-specific content, use a server located in that country. This will be easier if you have more server options available to you through your VPN.
There’s another side to privacy. Without a VPN, your internet service provider knows your entire browsing history. With a VPN, your search history is hidden. That’s because your web activity will be associated with the VPN server’s IP address, not yours. A VPN service provider may have servers all over the world. That means your search activity could appear to originate at any one of them. Keep in mind, search engines also track your search history, but they’ll associate that information with an IP address that’s not yours. Again, your VPN will keep your activity private.
IPSec supports several different enciphering algorithms. The most commonly used algorithm, Advanced Encryption Standard (AES), is widely acknowledged as one of the strongest algorithms available for data encryption. With a minimum key length of 64 bits, AES is strong enough for almost any commercial application. Some vendors' IPSec implementations use the Data Encryption Standard (DES) or Triple DES (3DES) ciphers. DES, whose 40-bit key has been cracked, is generally considered a weak algorithm for all but the lowest security levels. 3DES fixes DES's problems by using the algorithm three times and providing an effective key length of 168 bits. Note that if your VPN solution supports only one algorithm, any devices you add in the future must use that algorithm as well.
This is important to understand. Consumer VPN services protect your transmission from your location to their location, not from your location all the way to the destination application you're using. If you think about it, this makes sense: A consumer VPN service is operated by a completely different company than, for example, Facebook or your bank.
The process of determining the anonymity of a VPN does not just end by a WebRTC leak test. Users need to make sure the provider they select, offers maximum privacy and anonymity. As a result, there should be no DNS leaks. The results below reveal a single DNS server, which is located in the UK. This means, our identity is completely secure, as there are no signs pointing to our official US location!
Below we conducted a WebRTC Test from Browser Leaks on the provider. The process involved connecting to a server in the UK. PureVPN managed to cloak your identity quite successfully! As you can see, there are no signs of any leakages in the test. The VPN successfully manages to hide your local IP address and IPv6 address, revealing only the public IP address, which is that of a UK location.
Aside from a moral quandary, what does VPNHub offer subcribers? A selection of endpoints in 50 countries, including less common locations like Cyprus, Costa Rica and the Philippines, the option to connect to VPNHub on booting up your system, a killswitch that’ll nerf your connection whenever the VPN fails, and ‘Scramble’, a feature that attempts to hide from your ISP the fact that you’re using a VPN.
Sometimes, it’s not as simple as hiding your personal data from data-hungry organizations or your ISP. Depending on where you live, censorship could play a big role when choosing to use a VPN or not. By replacing your IP address with one from another location, you can bypass even the strictest censorship and access content on the web from around the world.
IVPN goes further than the other leading candidates we considered by being transparent about who runs the service and is responsible for your privacy. The company lists its core team on its website, and its small team has an online presence on a variety of platforms. In contrast, only one employee at ExpressVPN has a public face: VP of marketing Harold Li gave us detailed answers to questions about policies and internal security, but couldn’t tell us much about who else worked there. (We discuss ExpressVPN in more detail in the Competition section—that company was almost our top pick but for this issue.)
Chromecast and other streaming protocols send data over your local network, but that's a problem when you're using a VPN. Those devices are looking for streaming data from phones and computers on the same network, not from a distant VPN server. Likewise, smart home devices may be gathering lots of data about you and your home that you'd rather not have intercepted. Unfortunately, these devices simply cannot run VPNs. The solution for both problems is to move the security up a level by installing a VPN on your router. This encrypts data as it leaves your safe home network for the wild web. Information sent within your network will be available, and any smart devices connected to your network will enjoy a secured connection.
Consumers use a private VPN service, also known as a VPN tunnel, to protect their online activity and identity. By using an anonymous VPN service, a user's Internet traffic and data remain encrypted, which prevents eavesdroppers from sniffing Internet activity. VPN services are especially useful when accessing public Wi-Fi hotspots because the public wireless services might not be secure. In addition to public Wi-Fi security, a private VPN service also provides consumers with uncensored Internet access and can help prevent data theft and unblock websites.
However, if you’re using a top-tier VPN service, the difference in speed usually isn’t noticeable, and can sometimes speed up your connection. You can still watch streaming videos and download large files without interruption. Our VPN servers are among the fastest in the industry and we work hard to keep it that way. Download Hotspot Shield VPN and get privacy protection without sacrificing speed.
The VyprDNS technology, as the name implies, focuses more on the unblocking aspect of websites. It adds a secure and personalized DNS into your computers’ readable address. This allows you to fool websites by bypassing their geo-restrictions, hence defeating DNS-censorship. Pricing starts at $9.95 monthly, but if you opt for the yearly plan, you only pay $5.00 monthly. This totals to only $60 annually!
ExpressVPN scored well in our recent round of testing in terms of speed – we recorded around 8.5MB/s (68Mbit/s) via both FTP and HTTP in the UK, while Dutch endpoints gave us 6.3MB/s (50.4Mbit/s) via FTP and 7MB/s (56Mbit/s) via HTTP, more than enough for general browsing, streaming and downloading. US connection speeds, as you’d expect, were rather slower at 2.5MB/s (20Mbit/s) via FTP and a good 3.2MB/s (25.6Mbit/s) over HTTP.
If you require a high level of trust on the authentication process as well as the encryption, you might consider using digital certificates instead of the standard preshared secret key that most VPNs default to. Digital certificates guarantee that the person trying to connect is who he or she says he or she is. A separate digital certificate for each end connection can be expensive; however, some VPN vendors offer authentication services that provide a bulk discount on certificates.
However, NAT can interfere with some VPN implementations because it changes information in a packet's IP header to route the packet to the correct internal IP address. VPN protocols often check the integrity of the packet header and terminate the connection if they detect any changes that were made after the packet was encrypted. Vendors have devised a workaround for this problem: A technique called UDP Traversal encapsulates the IP Security (IPSec) packet in a UDP packet so that the IPSec header can arrive intact. Most vendors, including Microsoft, Nortel Networks, SSH Communications Security, NetScreen Technologies, SonicWALL, and Cisco Systems—in IOS Software 12.2(8) and later—support UDP Traversal. However, some low-end VPN appliances and software implementations might not. Alternatively, if you use IPSec, your router or firewall might support IPSec pass-through, which recognizes the IPSec protocol and lets IPSec packets pass through unaltered, eliminating the need for NAT traversal. You might also be able to work around NAT by turning off IPSec's Authentication Header (AH) element (which verifies the header information), if your VPN allows this level of detail in configuration. Be sure to check with your VPN vendor about NAT if you plan to support remote users through a network that uses NAT.
To understand the value of a VPN, it helps to think of some specific scenarios in which a VPN might be used. Consider the public Wi-Fi network, perhaps at a coffee shop or airport. Normally, you might connect without a second thought. But do you know who might be watching the traffic on that network? Can you even be sure the Wi-Fi network is legit, or might it operated by a thief who's after your personal data? Think about the passwords, banking data, credit card numbers, and just plain private information that you transmit every time you go online.
While a VPN can protect your privacy online, you might still want to take the additional step of avoiding paying for one using a credit card, for moral or security reasons. Several VPN services now accept anonymous payment methods such Bitcoin, and some even accept retailer gift cards. Both of these transactions is about as close as you can get to paying with cash for something online. That Starbucks gift card may be better spent on secure web browsing than a mediocre-at-best latte.