The Ultimate Guide to Finding the Best VPN

• List Of Contents
• Chapter 00 – Why You Need a VPN
• Chapter 01 – What Is a VPN?
• Chapter 03 – What Is a VPN Good For?
• Chapter 04 – What Is VPN Not Good For?
• Chapter 05 – VPN and Privacy
• Chapter 06 – VPN vs Tor
• Chapter 08 – Using VPN & Tor Together
• Chapter 09 – VPN Protocols
• Chapter 10 – OpenVPN Encryption
• Chapter 11 – Conclusion

Best VPN Providers of 2017

Chapter 01

What Is a VPN?

Virtual Private Networks were first developed by corporations to allow employees to access their private  internal network systems over the internet, as if they were accessing them internally (hence the name). An employee would connect their computer to a company server, securing this connection using an encrypted VPN tunnel from where they could freely access company resources.

Although corporate VPNs still exist, these days the term more usually refers to the private use of commercial VPN services (which is the sense in which we discuss VPN in this guide). This uses the same basic technology used in corporate VPN systems, but effectively reverses the intent, allowing individuals to connect privately from their computers (including smart phones and tablets) to the internet.

When someone uses a commercial VPN service they connect their computer to a remote “VPN server” (a dedicated computer) run by a VPN provider, encrypting all data that passes between the computer and the VPN server (this is known as a VPN tunnel). Most providers run multiple servers, usually located in various geographic locations around the world, a setup that has the following  consequences:

• As long as the encryption remains secure then no-one – not the users’ ISP, hackers, or the NSA – can “see” what passes through the VPN tunnel. The VPN provider can see what enters and leaves the VPN tunnel, and can connect this to the IP address of the user (and if this IP address is linked a real world identity, such as through their payment method, it will know who the individual is.) In order to mitigate this threat to customers ‘privacy, VPN providers often take various measures which we will discuss in detail a little later
• The VPN server acts as a proxy, with all internet traffic appearing to enter and leave from its IP address instead of the user’s real IP address. This makes it great for hiding a user’s true identity from anyone watching on the internet, and for “spoofing” geographic location

• Preventing blanket surveillance

By the likes of the NSA. Strong VPN protocols such as OpenVPN, and strong encryption ciphers such as AES, are still understood to be uncrackable (even by the NSA), so VPN provides good protection against indiscriminate government surveillance. Users should be aware, however, that the simple act of using VPN might raise their profile with surveillance agencies, causing their data to be stored for later decryption long after most unencrypted data has been discarded. They should also be aware that VPN (and pretty much any other security measures), while great for foiling untargeted surveillance, will offer no protection if they are specifically targeted by an agency such as the NSA

• Preventing nosy ISPs spying

ISPs around the world are increasing required to monitor users’ internet traffic, and store it for later retrieval if demanded by their government (this practice is known as data retention). With VPN all traffic is encrypted as it passed through the ISP’s servers, so it cannot see what the user is doing – although it can tell that VPN is being used (unless measures are taken to prevent this), the IP address of the VPN server they are connected to, and how much data they are using

• Protecting against public WiFi hotspot hackers

Hacking of private WiFi connections is not a major problem as these are usually encrypted (using WPA2 etc.), but is a major headache with public WiFi hotspots as, (among other devious tricks) hackers can either intercept unencrypted WiFi connections (an all too common problem) or lure unsuspecting victims into connecting to bogus WiFi networks (also known as “evil twin” and “rogue” hotspots or access points – “Free airport Wifi” anyone?)  Because all data is encrypted between a device using VPN and the VPN server, even if hackers are able to access a users’ data, it will just be meaningless garbage to them (even fairly weak encryption will defeat a simple criminal hacker)

• Evading censorship

With VPN neither ISPs or governments can see what users get up to on the internet, as they can neither  “see” the data, or know which websites a user is accessing (although they can see the IP address of the VPN server).

This makes VPN a fantastic anti-censorship tool, whether for restrictive governments such as Iran, for accessing banning torrent sites, or for accessing Facebook at school! Powerful governments (most notably China) do sometimes try to prevent the use of VPN because of this, but even for China such attempts are only partially effective, and VPN technologies exist to circumvent such restrictions. It should also be noted that even in countries where VPN is banned (which are very few, as VPN remains essential to many businesses) users rarely get into trouble for attempting to use it.

• Watching geo-restricted content

Thanks to complex licencing restrictions imposed by greedy content creators, many media streaming services such as Netflix, Hulu, BBC iPlayer and Pandora are only available in a limited number of countries (typically only their country of origin), or offer more limited catalogues to subscribers in some counties.

Because VPN servers act as proxies, and because providers often operate servers located in many different countries (usually favoring countries whose geo-restricted content is popular, such as the USA and UK), VPN is an excellent way to bypass such restrictions. It should be noted, however, that if accessing geo-restricted content is the only concern, then Smart DNS services are usually cheaper and offer slightly better performance. It is also worth noting that the distance electrons have to travel to carry a data signal means that the further away a streaming service is located, the greater buffering issues will become

• P2P downloading

VPN evades website blocking, hides a user’s real IP address (other P2P users will only see the VPN server’s IP address), and prevents an ISP knowing what is being downloaded, making it the perfect tool for BitTorrenters. Not all VPN providers allow P2P, and many will pass on DMCA-style notifications they receive to customers, but many also make a good business out P2P customers, and will shield them from DMCA and other legal threats.

These providers are usually located in counties that do not require logging and/or where P2P is not illegal (or at least only permit P2P on servers located in such jurisdictions). Users wishing to use VPN for torrenting should ensure that their chosen VPN service is happy to allow this before proceeding.

Commercial VPN services typically cost between $5 to $10 per month.

Chapter 04

What Is VPN Not Good For?

VPN does have a number of limitations which users should be aware of:

• VPN provides privacy not anonymity (usually)

A VPN user connects to a provider’s VPN server, and all internet traffic passes through that server, so by default the provider knows what a user gets up to, and can link that information to a user’s IP address (and payment details if they have them). Privacy-minded VPN providers (and readers should beware that not all VPN providers give a fig about users privacy)use a variety of methods  to minimize this risk, but these methods all have their limitations, and even then we have to trust that the provider is doing as it says it is.

Only by connecting to a VPN through Tor can real anonymity be achieved with VPN. We will discuss all this in more detail in the next section, but for now it should be stressed that if a provider holds any information on its users, it can and will be compelled to divulge it if pushed hard enough, no matter what promises it makes (no VPN employee will be willing to go to jail to protect customers). Users looking for real anonymity should instead consider Tor or I2P.

• VPN slows down your internet

Encrypting and decrypting VPN traffic takes processing power, and even connecting to a nearby server involves an extra leg to the traffic’s journey, so even under ideal conditions using a VPN will slow down internet traffic. Slow or busy VPN servers will slow down a connection even more (and speeds on some providers can dip sharply at leak times), which is why all our reviews include speed performance tests. Using a good provider with fast servers located geographically nearby, users can expect this performance hit to be as little as 10 percent or so, but in less ideal conditions it can be much more

• VPN is not a total privacy solution

Although a powerful tool in the privacy-seeker’s toolkit, VPN does not prevent tracking by websites, virus infections, tracking by search engines, email providers scouring personal correspondence for clues that can be used to deliver targeted advertising, government agencies listening in on VoIP calls, specifically targeted attacks by hackers or the NSA, and host of other privacy threats. However, although countering all privacy threats is well-nigh impossible in this day and age, combining VPN with other privacy technologies such as ant-tracking browser extensions, anti-malware software, full disk encryption, etc., can provide a meaningful degree of privacy against most day-to-day threats.

So how do we know if a provider can be trusted? Well… at the most basic level we can’t, but as their business model relies on customers’ trust, and if someone got busted while using their service then it would quickly scandalize the internet security community (and they would have a strong legal case against the provider), we can have a fair degree of confidence in VPN companies that are respected for their dedication to protecting customers’ privacy.

That said, although for most people using a VPN is plenty private enough, we do not ever recommend that users trust their life or liberty to a VPN provider, and should instead consider using Tor (see below)…

No logs

Keeping no records of customers’ internet activity is the single most important thing that a VPN provider can do to protect its users privacy, as no matter how strong the coercion it cannot be compelled to hand over that which it does not have. If privacy is important, then when choosing a provider it is vital to ascertain whether the country in which it is based has mandatory data retention laws (as most EU countries do, despite the Data Retention Directive being stuck down last year by the European Court of Justice , although these are not always applied to VPN services.) No matter what a provider says, if it is required by law to keep logs then it will keep logs.

Another issue with “no logs” providers is that the term is used unevenly. Some providers claim to keep literally no logs at all, while some use it to mean they keep no logs what of users get up to on the internet, but do keep metadata logs for troubleshooting purposes (such time connected, how long connected, which VPN server connected to etc.) This does not by-and large present a major threat to privacy, but is clearly not as private as ‘no logs at all’, and could potentially be used to perform an end-to timing attack to de-anonymize users.

That said, some argue that all VPN providers must keep some logs ion order to manage their systems, and therefore those that claim to keep none must be being disingenuous. As always with VPN providers, it comes down to a matter of trust…

One final thing to consider in relation to keeping logs is that even if a provider does not (and does not have to) keep logs in general, just about every government in the world can issue a court order/subpoena to force it to start keeping logs on a named individual (usually backed up by a “gag order” to prevent it alerting the customer to this.) It is worth noting, however, that if a government has gone to this much time and effort to spy on a known target then (at least privacy wise), they are probably already screwed anyway.

Shared IPs

If many users share the same IP address to connect to the internet with, it is very difficult for anyone (including the VPN provider) to determine which of those users is responsible for which action on the internet. In this way, VPN providers can very effectively distance themselves from what they know about their customers, while at the same time providing them with a high degree of privacy and deniability. It is possible, however, that with enough time and effort, a shared IP user might be de-anonymised, and if the IP is shared by only a few users this task will be much easier than if it is shared by dozens or even hundreds.

Bitcoin payment

A VPN provider will usually know exactly who its customers are because this information is provided to them by VISA, PayPal etc. when a payment is made (although good providers will discard any such records, or at least devise ways to not tie such them to specific user accounts.)

Because all Bitcoin transactions are recorded on a blockchain, using Bitcoins is not an inherently anonymous way to pay for things, but through methods such as person-to-person trading and Bitcoin mixing, a high degree of anonymity can be achieved.

Paying for VPN by Bitcoin therefore improves privacy by introducing further distance between the provider and the customer, as the provider does not know who the customer is. It will, however, still know the IP address the customer accesses its network from (unless they connect via Tor – see later).

Gift cards 

Some providers accept store gift cards as payment. These can be purchased with a high degree of anonymity over the counter in stores, and cannot trace back to an individual by a provider. As with paying by Bitcoin, however, the provider will know the IP address its service is accessed from.

We will discuss using VPN and Tor together for improved privacy in the next chapter of this guide.

Tor Pros:

• Tor allows true anonymity, as no-one knows the full path between a user an their internet activity (at least is used properly)
• It is free
• Tor is run by hundreds of volunteers as a distributed network, which makes it very resilient to being shut down or any feasible form of attack

Tor cons:

• Tor is very slow – data is bounced off at least three different ‘nodes’, which can be located anywhere in the world
• Tor is often blocked – running an exit node (which connects the chain of nodes to the internet) is a commitment and potentially carries risks, so only a limited number of volunteers are willing to do it. Combined with the fact that Tor public exit nodes are openly published, this makes it easy for governments and websites to blacklist their IP addresses. New node open and close all the time, however, so with patience it is usually possible to find an unblocked node (in situations where they are being blocked), and tools such as obfspoxy can be used to hide the fact that Tor is being used
• Traffic can be monitored by malicious Tor exit nodes (as anyone can volunteer to run an exit node, including crooks and the NSA). Although all traffic is encrypted, the metadata gained could be used to perform an end-to-end timing attack
• Tor is no good for P2P – not only would this be painfully slow, but it puts the Tor exit node volunteers at risk from copyright enforcers and slows down an already very slow system for everyone else. Using P2P on the Tor network is therefore considered not only impractical, but also very rude
• Tor is not good at geo-spoofing – as there is no way to choose where the exit node will be located. Furthermore, because the network is so slow, the idea of streaming content across it is pretty much a joke

VPN pros

• Despite the small performance hit discussed earlier, VPN is much faster than Tor
• Geo-spoofing is very easy with VPN
• VPN is ideal for P2P downloading (as long as the provider permits it)

VPN cons

• VPN provides privacy (with a good no-logs provider this can be considerable), but not the true anonymity that Tor can afford (if used carefully)
• While free VPN services do exist, it would generally be foolish to trust one’s privacy to one. A decent trustworthy VPN service generally costs up to $10 per month.

Chapter 08

Using VPN & Tor Together

It is possible to combine the two technologies for even greater privacy or anonymity, although the implications of this vary greatly depending on whether a connection is Tor through VPN (user -> VPN -> Tor -> internet) or VPN through Tor (user -> Tor ->VPN -> internet).

Tor through VPN

This is the easier of the two configurations, and can be done over any VPN connection by simply opening the Tor Browser while connected to a VPN. Doing this will mean that observers on the internet will not know that a VPN is being used, and will see only the Tor IP, providing an extra layer of privacy and protecting against potential end-to-end timing attacks by malicious Tor exit nodes.

The VPN provider will still be able to monitor the users internet traffic (should they chose to do so), and trace it back to their real IP address.

VPN through Tor

If a user connects to a VPN provider only via Tor (and pays for the service over Tor using Bitcoins etc.), the VPN cannot know who they are, or trace their real IP address. This method therefore provides all the protection of using a VPN plus all the anonymity of using Tor, with the side-benefits that it will bypass any blocks on Tor exit node IPs (outside observers will see the VPN server IP instead), and allows easy geo-spoofing.

Unfortunately, for VPN through Tor to work a VPN provider must specifically support it, and of all the providers out there, AirVPN or BolehVPN are the only ones we know of to do this.

Users should be aware that whichever method is chosen, they will suffer the combined performance hit of both VPN and Tor.

PPTP

This is the oldest and least secure VPN protocol still in general use. Developed by Microsoft back in the 1990s, it has itself issued a recommendation that VPN users should use more secure protocols. The reason that it is still in use is that it was installed on a vast range of devices, and for many legacy devices remains the only VPN protocol supported. Because it is so insecure, PPTP should be avoided except whenever possible (although even PPTP should foil petty criminals and hackers.)

L2TP/IPSec

The Layer 2 Tunnel Protocol, when combined with the IPsec encryption suite, provides a secure VPN connection against most adversaries, and has the advantage that support for it is built-in to almost as many devices as PPTP. However, as John Gilmore (security specialist and founding member of the Electronic Frontier Foundation) explains in this post, it is likely that it has been deliberately weakened during its design phase, and it has been cracked by the NSA.

OpenVPN

This open source VPN protocol is the current industry standard, and when combined with a strong encryption cipher such as AES is believed be secure against even the NSA (it is fact the only protocol generally considered 100 percent secure). OpenVPN is not built into any platform, but open source clients are now available for all major Operating Systems. Setting these up (which also involves downloading configuration files from a VPN provider) is a little more fiddly than with the other protocols, but given its security advantages, we recommend using it whenever possible (and many VPN providers also offer custom VPN clients that are pre-configured for OpenVPN.)

OpenVPN also has the advantage that it can be run over any port, including TCP port 443. This is the same port used by SSL to secure websites which makes it very difficult to block, as OpenVPN traffic using this port looks exactly like regular secure SSL traffic, and to block it would effectively ‘break’ the internet (not that this stops countries such as China from trying!) Using OpenVPN on TCP port 443 is therefore an effective way of evading attempts to censor VPN use.

SSTP

This Microsoft designed protocol is only rarely supported by VPN providers. It comes built-in to recent versions of Windows, and is theoretically as secure as OpenVPN (and runs over TCP port 443 by default). However, the fact that it is closed source, and designed by Microsoft to boot, means that most security conscious VPN users give it a wide birth.

IKEv2

This rarely seen standard (dubbed VPN Connect by Microsoft) is an IPSec based tunneling protocol rather than a real VPN protocol in its own right, but can to all intents and purposes can be treated as one.  It is particularly good at reconnecting when  switching networks (such as between a WiFi and a 3/4G connection, and is considered at least as good as, if not superior to, L2TP/IPsec in terms of security, performance (speed), and stability. For Blackberry users it is the only VPN protocol supported by their devices, and is easier to implement in iOS than OpenVPN, so occasionally turns up in custom iOS VPN apps.

OpenVPN can use a number of ciphers, but the only two commonly used by VPN providers are Blowfish and AES. Blowfish is the default cipher built into the OpenVPN standard, but while it is probably strong enough for most purposes, it does have known weaknesses, and even its creator, the eminent cryptographer Bruce Schneier has recommended against its use. If a provider does not state that it uses the AES cipher, then it is probably using the default 128-bit Blowfish, which is generally not regarded as strong enough in this post-Snowden age.

Despite some concern that Advanced Encryption Standard (AES) was ratified by the US National Institute of Standards and Technology (NIST), which is known to cooperate the NSA, AES is considered the ’gold standard’ of encryption, largely because it is the standard chosen by the US government to secure its sensitive communications (and rather worryingly, which companies have to conform to if they want contracts from the US government.) AES is nevertheless considered much more secure than Blowfish, and until the OpenVPN standard is expanded to allow the use of ciphers such as Twofish or Threefish, it remains the best cipher available.

AES is also sometimes used to secure data on L2TP/IPSec connections.

Encryption key length

This is the number of raw ones and zeros used in a cipher, and determines how long a cipher will take to “crack” using a brute force attack (trying every possible combination until the correct one is found). As a measure of how strong a cipher is, encryption key length is quite crude, as it is usually weaknesses in the cipher rather than an ability to brute-force it that allows cryptographers to crack it. Despite modern computing power, even low key lengths would take at least hundreds of years to compromise.

Nevertheless, as alarm grows over the NSA ceaseless quest (backed by who knows what resources) to compromise all known encryption standards, it is increasing considered better to ere on the safe when it comes to key length, and a 256-bits is now considered the minimum required for good security (hence AES-256 is “gold standard” OpenVPN encryption).

Data authentication and handshake

We will not go into detail about these here (as this is a very technical subject), but in addition to cipher and key length, the data authentication hash used to verify that the VPN client is connecting to the server it thinks it is connecting to, and the cryptographic key encryption handshake used also affect how strong the VPN security is. By default, OpenVPN uses SHA(1) data authentication and an RSA-2048 handshake, so any numbers higher than this mean better than average care is being taken to ensure users’ privacy.

Occasionally we see providers advertising “2048-bit OpenVPN”. This refers to the RSA handshake rather than the OpenVPN encryption key length, as is in our view a deliberately misleading…