
The Best VPN Service

By David Huerta and Yael Grauer
Our pick for best VPN, Mullvad, running on a laptop next to a smartphone and a mug.
Photo: Michael Murtaugh

As more people’s work and personal lives go digital, online privacy and security become increasingly important. Although a virtual private network, or VPN, is not the total answer to protecting your online privacy, it can be a useful part of your security toolkit. However, the VPN industry is riddled with false promises and shady businesses. After sorting through dozens of VPNs and reviewing four security audits, we think the best option for most people is Mullvad, an open-source VPN that’s not only trustworthy and transparent but also fast and reliable.

Everything we recommend

Our pick

Mullvad is transparent about its security and privacy practices. The VPN offers reliable connections and is easy to use on laptops, phones, and tablets.

Also great

TunnelBear’s consistent commitment to security, transparency, and ease of use makes it an acceptable alternative for those looking for a VPN that can be used on an unlimited number of devices, even if it’s sometimes slower.


Our pick


Mullvad collects minimal user data and engages in comprehensive and transparent privacy practices. It meets our security standards with a recent, publicly available third-party security audit of its servers. Although it’s nearly impossible for a company to make anonymity guarantees, we like that Mullvad allows you to pay in cash simply by using an account number it generates (you can also pay with more common payment types, including a credit card and PayPal). Mullvad offers the speedy WireGuard protocol, which is lightweight and quick. Mullvad’s desktop and mobile apps make setup simple on a variety of devices, even if you have little technical knowledge. And the service’s kill switch helps protect your privacy by automatically disconnecting your device if the VPN connection fails. Although Mullvad doesn’t offer a free trial, it does have a money-back guarantee. You can also set up many types of routers to connect with Mullvad’s servers, and you can use your Mullvad account on up to five devices at once.

Also great


In this year’s testing, TunnelBear’s speed tests showed a demonstrable improvement over previous results, where it lagged behind other options. Unlike Mullvad, TunnelBear doesn’t limit the number of devices per account, so it’s an ideal choice for people with more than five devices. Although the monthly rate is roughly double that of Mullvad, TunnelBear’s annual and triennial pricing can bring down the monthly cost by more than $3, if you’re willing to pay for three years upfront. Like Mullvad, TunnelBear consistently releases public audits of both its server infrastructure and apps. Also like Mullvad, TunnelBear has apps that are easy to use, and it includes a kill switch in its “VigilantBear” feature.

We scoured articles, white papers, customer reviews, security audit reports, and forums to compile the pros and cons of various VPN services, different VPN protocols and encryption technologies, and signals indicating transparency, trustworthiness, and security.

We interviewed Eva Galperin, Electronic Frontier Foundation’s director of cybersecurity, about the limitations of VPNs and tips for selecting the appropriate VPN based on individual circumstances. We spoke with Trail of Bits co-founder and CEO Dan Guido about the security challenges inherent in VPNs and the limitations of security audits and reports. We got answers from Joseph Jerome, then the policy counsel for the Center for Democracy & Technology’s privacy and data project, about how accountable VPNs were for their business models, privacy practices, security protocols, and protections, and how that related to trustworthiness. We discussed what to look for—and avoid—in VPNs with Kenneth White, security researcher and co-director of the Open Crypto Audit Project, and Matthew Green, cryptographer and Johns Hopkins University professor. We also touched base with blockchain privacy expert and Clovyr co-founder Amber Baldet, to discuss the privacy advantages and pitfalls to consider when paying for a VPN with cryptocurrency.

We interviewed the leadership of three top-performing VPN services about their operational security and internal standards, participating in phone calls with TunnelBear CEO and co-founder Ryan Dochuk and IVPN CEO Nick Pestell, and exchanging emails with Mullvad CEO Jan Jonsson.

As a digital security trainer at Freedom of the Press Foundation (FPF), David Huerta has consulted and trained media makers in hundreds of newsrooms, including The New York Times, on how to make the best use of privacy-enhancing technology in journalistic work. Since the beginning of his time at FPF, in 2017, he has shown journalists how to use encryption tools to protect the identity of their sources, how to address privacy concerns related to having a highly public presence online, and how to circumvent national firewalls when reporting from abroad. VPNs have been a recurring topic; he has helped demystify how they work, as well as how to pick a VPN based on its technology and policy features.

Yael Grauer did the initial reporting for this guide and wrote Wirecutter’s previous recommendations in summer 2020. She has written about privacy and security for Wired, Vice, BreakerMag, The Intercept, Slate/Future Tense, and Ars Technica, and she now covers the category for Consumer Reports. She collaborated with the Electronic Frontier Foundation on its Street-Level Surveillance project and wrote curricula for TrollBusters, a just-in-time rescue service for women writers and journalists who are experiencing online harassment. She has also co-organized events, taught workshops, and spoken on panels about digital security and source protection.

This guide builds on previous feedback from the information security team at The New York Times, which at the time included Runa Sandvik, Bill McKinley, David Templeton, James Pettit, and Neena Kapur. They all provided feedback on a wide range of issues, from technical concerns to provider transparency.

For this guide we focused on virtual private networks, or VPNs, as an option for people who are hoping to add a layer of privacy or security to their web browsing. Using a VPN can stop your computer or mobile device from revealing your IP address to websites, services, and the rest of the internet when you connect. One reason to protect your IP address is that it can give away your location. Anyone can plug in an IP address at various websites to find your rough location, usually your city, state, and country. Although some IP addresses are only loosely connected to a specific geographic location, those associated with Wi-Fi hotspots are much more precise. Commercial outfits such as Skyhook have used hotspot scanning and app partners to amass large databases correlating IP addresses with hotspot locations, and companies can turn to these services to determine your exact location.

VPNs work by routing your web traffic through a secure, encrypted connection to the VPN’s server. So those other parties see the VPN’s IP address, not the one connected to your home or office, or to the coffee shop, airport, or hotel you happen to be in. Using a VPN can also stop your internet service provider from recording your online activities; in 2017, President Donald Trump signed a law repealing internet privacy rules passed by the FCC, allowing ISPs to record all of your traffic, insert ads, track you in a variety of ways, and sell that data to third parties. Although the VPN provider can see what you’re doing, your traffic mixes with that of other people using the same VPN. See What Is a VPN and What Can (and Can’t) It Do? for more information on how VPNs work and whether you need one.

And it’s not just about ISP behavior: Your IP address is typically recorded by the websites you visit and is usually attached in emails you send, becoming exposed to an email’s recipient. Even loading images embedded in emails you receive can reveal your IP address to wherever the images are loading from. IP addresses can pinpoint your places of work, too. For example, a court document indicates that a New York Times reporter accidentally tipped off a company to a major investigation by visiting its website too often. You don’t have to be a journalist to sometimes want to keep your place of business private from the site you’re visiting.

An illustration of traffic between a laptop and websites with and without a VPN, demonstrating the VPN server encrypting data.
Illustration: Dana Davis

But standard VPN services may not be enough in some instances. Human-rights activists, journalists, people who are living under repressive regimes, or people who are likely to be individually targeted by nation-state actors may need to take steps beyond using a commercial VPN; in these cases, it’s worthwhile to consult a digital-security specialist, such as Access Now, before signing up for one of our picks.

Although it’s impossible for people outside a VPN provider to know the ins and outs of the company, there are certain indicators that suggest a provider is more trustworthy, which we have attempted to lay out in this guide.

Before choosing a VPN, it’s important to be clear about what you need it to do. Some of the reasons you may want to use a VPN might be better addressed through other tools or methods that are potentially more effective. Look at it this way: If you have a drafty house with paper-thin walls and halogen light bulbs, you’d get far more value out of every dollar by sealing up cracks, insulating, and switching to LEDs than you would by putting solar panels on your roof. If you’re looking to improve your privacy and security, you should address other areas of vulnerability before signing up for a VPN.

  • Use a password manager to create and manage secure, unique passwords for all of your accounts. If you reuse passwords and one of your accounts is compromised, others can be too.
  • Enable multi-factor authentication, a security feature you can find at most major sites, including Google, Facebook, and Twitter. It’s preferable to use an app or a security key, rather than SMS (plain text messages), as your second factor.
  • Encrypt your laptop, in case you lose it or someone steals it. (iOS and newer Android devices are automatically encrypted, if you have an effective passcode.)
  • If you are choosing to use a VPN to avoid being tracked online across various ad networks, some browser extensions can be helpful. We have some favorites, including the EFF’s Privacy Badger and uBlock Origin, both of which minimize tracking from websites and online ad networks as well as security vulnerabilities. Note that you can manually turn off these extensions for websites with features that work only with ad tracking allowed, a feature generally not available with VPN apps.
  • If you use Firefox, use DNS over HTTPS (DoH); this protects your privacy relating to which websites your browser is requesting from some third parties while also improving performance. Go to Preferences, scroll to the bottom of the page, select Network Settings, scroll down, and select Enable DNS over HTTPS and Use Default. Currently this function is an experimental feature in Chrome.
  • Consider using a Wi-Fi router or mesh-networking kit that does not allow administration over a web interface and that auto-updates. If that’s not possible, make sure to change the default password, keep your router up to date, and disable any remote administration features. Otherwise, your router may be remotely exploitable due to known security vulnerabilities, which would let an attacker take over your entire home network.
  • Use the Tor Browser to research, for example, medical information or other sensitive topics that you don’t want advertisers to link to your identity. (Learn more about Tor below.)
  • Be aware that although the above tools can minimize your digital footprint, they have limitations. Some other steps to increase privacy, such as turning off JavaScript, can lead to such a poor online experience that you’re unlikely to keep using them.

For further advice, see our Simple Online Security guide. We also like the Electronic Frontier Foundation’s guide to surveillance self-defense.

One of the main reasons people want to use VPNs is to geoshift—making a website or web-based service like Netflix think that you’re connecting from, say, the United States instead of Germany, in order to access videos or other content with geographic restrictions. But the biggest sites often block connections from VPNs, making geoshifting like this unpredictable. We tested each of our candidates to see whether they could access content in different countries. Based on the results, we don’t recommend that people expect these VPNs to work for that purpose.

Because VPNs see all of the traffic you are hoping to protect, a good VPN’s most important quality is trustworthiness, and the second-most-important quality is security. Unfortunately, these are also the most difficult qualities to ascertain. In recent years, some VPN providers have begun hiring independent firms to conduct security audits to back up their security or privacy claims, and they’ve been sharing the results publicly. Security vulnerabilities are constantly being discovered. You can get some idea of a provider’s ability to keep up with and address those vulnerabilities by looking at whether it does these audits on a frequent, recurring basis.

All of your internet activity will flow through the servers of the company whose VPN you use, so you’ll need to trust it more than you trust the network you’re hoping to secure, whether that’s airport Wi-Fi, a hotel internet connection, your corporate IT network, or your home ISP. “That last mile between you and your ISP is extremely treacherous,” said Dan Guido, CEO of Trail of Bits. In the past, executives traveling overseas have been attacked with malware served through unsecured hotel Wi-Fi, and ISPs have hijacked and rerouted customer search queries, injected targeted ads based on browsing history, and injected supercookies to track mobile customers. In-flight broadband providers have been caught issuing fake HTTPS certificates.

In 2021, the Federal Trade Commission released the results of an investigation on different broadband providers’ privacy practices. It stated, among other issues, “The report identified several troubling data collection practices among several of the ISPs, including that they combine data across product lines; combine personal, app usage, and web browsing data to target ads; place consumers into sensitive categories such as by race and sexual orientation; and share real-time location data with third-parties.”

According to Guido, “There is this widespread suspicion that broadband providers aren’t being forthright with how they use your data.” A look through broadband providers’ terms of service reveals that they typically include a lot of privacy opt-outs for information collected by default and being provided to third parties. So there are reasons to trust some VPN providers over some ISPs or to seek protection in the form of a VPN.

But not all VPNs are an improvement, since more than a few VPN providers have been caught lying about their policies in the past or sharing data with third parties, and many VPN services have had poor configurations that leaked the very data they were being paid to secure. “A lot of times VPNs that promise you privacy and security don’t deliver because they’re lying,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation. “A lot of VPNs that say, ‘We will protect your privacy, we won’t log, we won’t comply with a subpoena,’ that kind of thing, turn out to be full of lies. That is a very serious problem because it’s really hard to evaluate for.”

In fact, there are so many stories about VPNs not being true to their claims that we can list only a sample:

On the other side, there are some VPN providers whose no-logging cases have been proved in court:

A big factor in trusting your VPN is knowing what company is behind it. Some VPNs have great service or pricing but provide little to no insight into exactly which company is handling them. We considered feedback from security experts, including from the information security team at The New York Times, on whether you could trust even the most appealing VPN if it wasn’t willing to disclose who stood behind it. We decided we’d rather give up other positives—such as faster speed or extra convenience features—if it meant knowing who led or owned the company providing our connections. Considering the explosion of companies offering VPN services and the trivial nature of setting one up as a scam, the most concrete way a company can build trust is to have a public-facing leadership team—especially one with a long history of actively fighting for online privacy and security.

Even if a company’s leadership is transparent, there are other factors to consider when you’re evaluating that leadership’s history. In recent years, a number of VPN companies, including CyberGhost, ExpressVPN, PIA, and Zenmate VPN, have been bought by Kape Technologies, formerly known as CrossRider. The company previously created software components that were popularly used by invasive ad programs. These programs are largely considered potentially unwanted programs (PUPs), and therefore many search results for “CrossRider” are instructions on how to remove it.

Kape was co-founded by Koby Menachemi, a former developer at Israel’s Unit 8200, a rough equivalent to the US’s National Security Agency. Recent reports also revealed that ExpressVPN’s CIO, Dan Gericke, was involved with Project Raven, a group of hackers working at the behest of the United Arab Emirates to target and surveil critics, including a number of human-rights activists. We think the privacy promises of those with ties to an intelligence collection agency should be considered with some skepticism.

Another major factor we looked for: publicly available published security audits, conducted by reputable third parties, which are much more common than they have been in the past. Security audits aren’t perfect. Although independent companies evaluate a VPN provider’s technology as best they can, such audits are limited to a moment in time; there are no assurances that the VPN will have the same technology or security practices the next day. Additionally, the auditors themselves are limited by time and sometimes are contracted to look only at certain aspects of a VPN.

“They’re not going to be intimately familiar with the entire company. They’re not going to have time to look through every line of code. They’re given a set of constraints, usually a very small amount of time that they’d prefer is longer, and they don’t have any familiarity with any of the technology earlier than day one and they need to figure it all out,” said Dan Guido of Trail of Bits.

However, software companies and service providers that are willing to engage with third-party auditors to review their code and implementation—and make the results public—do send a signal of trust. For this guide, we insisted that our VPN picks had published third-party security audits of their core product—their server and back-end infrastructure—rather than just their apps and web-browser extensions. Although audits for apps and extensions are a nice supplement, apps and extensions can be independently dissected by any security researcher with a smartphone or web browser. Security researchers have no other legal way to evaluate a VPN company’s servers except by getting the company’s permission to look inside them. Infrastructure audits considering both the security of a VPN’s servers and its back-end code—not just the verification of a no-logging policy—were our baseline for third-party audits that we considered in our evaluation.

Some VPNs have had no-log audits conducted in order to show that they are living up to their privacy promises. As with security audits, there’s never a guarantee that practices in place during audits aren’t changed the next day, if compelled by a government, for example. And even if companies intend to stick to their promises, they may be inadvertently failing to secure the data they are entrusted with protecting. Although the move toward transparency with no-log audits is a positive one, competition makes it mandatory for such audits to be paired with security audits that can help find vulnerabilities, so that companies can patch or mitigate them.

Even if you know which company is behind your VPN, you shouldn’t trust a free one. A free service may make you and your data the product. So you should assume that any information it gathers on you—whether it’s an actual browsing history or demographics like age or political affiliation—is being sold to or shared with someone.

If you penny-pinch on privacy and security services, you may end up without privacy or security. As Bill McKinley, head of the information security team for The New York Times, put it: “If I can spend more on organic bananas, I can spend more for confidence in a VPN provider.”

Some VPN reviewers focus on VPNs that are offshore, believing in the privacy benefits of these localities and trying to stay away from the so-called 14 Eyes countries—the 14 countries, including the United States, that actively share intelligence data gathered from internet monitoring. But depending on the location, that same lack of regulation can leave people unprotected against fraudulent marketing, which is a major trade-off. Joseph Jerome, policy counsel for the Center for Democracy & Technology at the time of our interview, told us that companies violating their own privacy policy or claims about logging would be “a textbook example of a deceptive practice under state and federal consumer protection laws,” and that in theory “the FTC could seek an injunction barring the deceptive practice as well as potentially getting restitution or other monetary relief.”

The Center for Democracy & Technology brought just such a complaint against one VPN provider in 2017, but no investigation was ever announced. Many privacy sites suggest finding a VPN service outside the prying eyes of US intelligence agencies and their allies. However, FTC protections could be an argument for finding one in the US, so that there’s a penalty if the service deceives its customers.

VPNs are not a tool for anonymity, and we have an article with a more in-depth explanation of what a VPN can and can’t do. But anyone signing up for a VPN should know that at minimum it’s possible for providers to see your traffic; beyond that, you should know that other parties have ways of tracing your identity even if you use a VPN.

There are three common scenarios in which other parties would be able to quickly link your online habits. For one, if you sign in to a Google account from home without a VPN, Google has a log of your home IP address. Even if you turn on your browser’s private or Incognito mode and don’t log in, your “private” searches are also linked to your IP address and then back to your Google account. If you then connect your VPN and sign in to your Google account just once, your “anonymous” VPN IP address is just as trivially linked back to your secret browsing history.

In fact, government requests for data have included asking ISPs for accounts linked to other accounts—if Google knows which VPN you use and that there are multiple accounts on your computer, it knows that your accounts are linked (as does anybody else it shares that data with).

Even if you were to practice perfect separation, VPNs can’t protect against browser cookies and browser fingerprinting techniques that can track you regardless of logins and IP addresses.

Those in the US who believe that offshore VPNs will protect their identities in the case of criminal activity will be disappointed to learn that the US government actually has mutual legal assistance treaties with dozens of countries throughout the world.

To narrow down the list of VPN providers we’d consider, we looked at VPNs listed in reviews from sources such as CNET, PCMag, and The Verge, as well as at recommendations from the nonprofit Freedom of the Press Foundation (where current guide author David Huerta is a digital security trainer) and the security firm Bishop Fox. We also looked at VPNs that had answered questions on the Center for Democracy & Technology’s Signals of Trustworthy VPNs survey. We combined these results with customer experiences and tips on the r/VPN subreddit, as well as reviews in the App Store and Google Play store. We piled this research on top of our work from previous years, which looked at sites like vpnMentor and TorrentFreak, at technology-focused websites such as Lifehacker and Ars Technica, and at services that were simply on our staff’s personal radars.

In 2019, we settled on 52 VPNs that were repeatedly recommended—or at least so highly visible that you’d be likely to encounter them when shopping for a VPN provider. In 2020, we added four, and then in 2021 we considered one more. From there, we dug into the details on how each VPN handled issues from technology to subscriptions, as well as the steps they’ve taken to improve their transparency and security posture.

Trust and transparency

The minimum: recent, published back-end security audits by a reputable third-party firm; public-facing leadership

The best: comprehensive, published white-box (aka open-box) security audits by a reputable third-party firm conducted annually; transparency reports; a bug-bounty program or a coordinated vulnerability-disclosure program

We thoroughly reviewed all audits, paying close attention to how comprehensive they were and what they included. We also factored in which companies had public-facing leadership or ownership. We looked for audits by third-party firms, prioritizing those that assessed the overall security of a VPN provider.

Privacy and terms-of-service policies

The minimum: marketing copy consistent with the privacy policy and the terms of service

The best: easy-to-read policies; companies located in countries with strong consumer protections; no third-party trackers on the website

The VPNs we chose said they logged minimal information. We looked for clear and easy-to-read terms-of-service and privacy policies, and we checked to confirm that they were consistent with the site’s marketing copy. We asked companies about their internal security and privacy standards, as well as how they would respond to requests for information, in order to gauge the trustworthiness of their statements on logging. Although it’s normal for a website to have third-party trackers for ads, analytics, and social media, trackers ultimately do what they say they will: track what you’re up to on a website. For a VPN service, this can seem somewhat contradictory to the larger promises made in website copy (probably written by the same marketing team making use of these trackers).

Trial or refund policy

The minimum: a free version (or trial) or a money-back guarantee

The best: a free version (or trial) and a money-back guarantee

Despite our extensive testing, we know that VPNs work differently in different locations and on different computers and networks. A trial or a free version of a VPN can allow you to test several of them risk-free, to see whether any of them are a better fit for your specific circumstance. In lieu of a free trial or tier, we recommend that you try out a new VPN for a month before committing to buying it for a full year.

Server network

The minimum: at least 75 server locations in at least 20 countries

The best: more than 1,000 servers

The more servers a network has at each of its locations, the more likely you are to have a speedy connection. And a VPN with a wide variety of server locations can help you geoshift your location without losing connectivity or allow you to log on to a less-congested part of the world. However, even on the most robust networks, VPNs tend to be slower at peak times due to limited bandwidth in and out of an area.

Security and technology

The minimum: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption

The best: RSA-4096, Curve25519, P-256, P-384, or P-521

We built our requirements based on interviews with experts and on recommendations (PDF) put out by the National Institute of Standards and Technology. All the trust in the world won’t help a VPN provider keep your browsing information private if the technology the VPN uses is not secure. We recommend the open-source WireGuard protocol, a new lightweight protocol that is gaining prominence. It now has Windows and macOS support and is integrated into the Linux kernel, which required additional security review. If the VPN you choose doesn’t offer WireGuard, we recommend using the OpenVPN protocol, due to security flaws and disadvantages in the PPTP and IPsec protocols.

Although AES 128-bit encryption is fine for most purposes, we prefer services that default to the more-secure 256-bit encryption and still offer good performance. And while RSA-2048 is sufficient for now, we prefer the future-proof RSA-4096 as our top standard.
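The minimums above can be checked against an OpenVPN profile (.ovpn file) before you import it. The following is an added example, not code from this guide or from any VPN provider: it audits the `auth` digest and the data-channel ciphers only (the RSA key size lives in the server certificate and is not checked here), and the two profiles and the hostname `vpn.example.com` are constructed for illustration.

```python
"""Audit an OpenVPN client profile against the guide's minimum crypto criteria."""

# Minimums taken from the guide: SHA-256 authentication and
# AES-256-GCM or AES-256-CBC data encryption.
ALLOWED_CIPHERS = {"AES-256-GCM", "AES-256-CBC"}
# Assumption: larger SHA-2 digests also satisfy a SHA-256 minimum.
ALLOWED_AUTH = {"SHA256", "SHA384", "SHA512"}
CIPHER_DIRECTIVES = ("cipher", "data-ciphers", "ncp-ciphers",
                     "data-ciphers-fallback")

# Constructed sample: weak cipher, auth commented out, and a directive-like
# line inside an inline <ca> block that must NOT be parsed as a setting.
WEAK_PROFILE = """\
client
dev tun
remote vpn.example.com 1194
cipher AES-128-CBC
; auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
cipher AES-256-GCM
-----END CERTIFICATE-----
</ca>
"""

# Constructed sample that meets the guide's minimums.
STRONG_PROFILE = """\
client
dev tun
remote vpn.example.com 1194
auth SHA256
data-ciphers AES-256-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC  # for older peers
"""


def parse_directives(text):
    """Return {directive: [args, ...]}, skipping comments and inline blocks."""
    directives = {}
    inline_tag = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:  # inside <ca>...</ca>, <key>...</key>, etc.
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        tokens = []
        for tok in line.split():
            if tok[0] in "#;":  # comment runs to the end of the line
                break
            tokens.append(tok)
        if not tokens:
            continue
        first = tokens[0]
        if (len(tokens) == 1 and first.startswith("<")
                and first.endswith(">") and not first.startswith("</")):
            inline_tag = first[1:-1]
            continue
        directives.setdefault(first.lstrip("-"), []).append(tokens[1:])
    return directives


def audit(text):
    """Return a list of findings; an empty list means the minimums are met."""
    d = parse_directives(text)
    findings = []

    # OpenVPN's documented default digest is SHA1 when `auth` is absent.
    # If the directive is repeated, this example uses the last occurrence.
    auth_args = d.get("auth", [["SHA1"]])[-1]
    auth = auth_args[0].upper() if auth_args else "SHA1"
    if auth not in ALLOWED_AUTH:
        findings.append(f"auth {auth} is weaker than the SHA-256 minimum")

    # Every cipher the profile is willing to negotiate must be on the list.
    ciphers = []
    for name in CIPHER_DIRECTIVES:
        for args in d.get(name, []):
            if args:
                ciphers += [c.upper() for c in args[0].split(":")]
    if not ciphers:
        findings.append("no cipher pinned: the data cipher depends on the "
                        "client version's default")
    for c in sorted(set(ciphers) - ALLOWED_CIPHERS):
        findings.append(f"cipher {c} is not AES-256-GCM or AES-256-CBC")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("strong", STRONG_PROFILE)):
        print(label, audit(profile) or "meets the guide's minimums")
```

When an AEAD cipher such as AES-256-GCM is negotiated, OpenVPN ignores the `auth` digest for the data channel, so a missing `auth` line matters most for profiles that can fall back to a CBC cipher.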

Kill switch

The minimum: a kill switch that’s effective and that you can activate with one click

The best: customizable rules allowing you to activate a kill switch on startup or on specific networks

When a VPN “kill switch” is turned on, the VPN software is supposed to shut off all network traffic in and out of your computer or mobile device if the encrypted connection fails. Without a kill switch, if your Wi-Fi drops or another connectivity issue occurs, your VPN stops securing the connection. In some cases, VPN software doesn’t even alert you that it’s no longer protecting your traffic—thereby wiping out all of the benefits of your using it in the first place.

We considered kill switches to be mandatory, but people who find that they can’t log on to their home Wi-Fi, for example, may simply turn off their VPN out of frustration. That’s why we also looked for apps that allow you to easily set your own rules about when the kill switch should activate and when it shouldn’t, in order to customize the experience.

A computer screen capture of a desktop displaying the login pages for multiple VPN services.
Desktop VPN apps are relatively simple affairs. But the best ones quickly and easily connect to the service and find important settings.

Platforms

The minimum: native apps for Windows, Mac, Android, iPhone, and iPad

The best: additional operating systems, routers, and smart TVs

We consider native apps for Windows and Mac a necessity because they’re far easier to use than open-source or third-party VPN apps. Native apps for iOS and Android are a requirement because even though it’s possible to manually configure your phone to use a VPN, it’s not exactly a user-friendly or easy process.

Number of connections

The minimum: two simultaneous connections

The best: five or more simultaneous connections

Though the majority of VPN providers allow you to install their software on as many devices as you’d like, most of them limit simultaneous connections. A two-connection limit is likely sufficient for most individuals, but five or more connections offer flexibility for couples, families, or people with many devices.

Support

The minimum: email support, with responses sent within 24 business hours; robust help section

The best: email, chat support during business hours, quick response to weekend tickets

If you can’t set up or reliably use your VPN, you won’t use it—thereby eliminating all of the benefits. An extensive help section on the website can resolve many problems. Although we consider online-chat support to be the gold standard, quick and clear responses to emails can be equally helpful.

Extra features

Some VPNs offer additional features that can be nice to have but weren’t crucial to our decision-making:

  • Additional payment options: Some services accept cryptocurrency, cash, PayPal, Amazon Pay, bank wire, and gift card balances as payment. But since a VPN doesn’t guarantee anonymity (see the section on limitations), we don’t think such an array of options is crucial for most people.
  • Stealth modes: A stealth mode helps circumvent networks that block VPNs by making your encrypted VPN traffic look like it’s some other type of data.
  • Custom ad blockers: Although this is a nice feature for a VPN to have, you can find a number of trustworthy and free browser extensions for this purpose.
  • Multihop connections: For added encryption and obfuscation, some VPNs can route your traffic through multiple servers. This is unnecessary for most people, though, and it can reduce speeds.
  • Warrant canaries: Many companies proudly display “warrant canaries” on their websites. These are digitally signed notices that say something to the effect of “We have never been served a warrant for traffic logs or turned over customer information.” Law enforcement can prohibit a company from discussing an investigation, but in theory it can’t compel a company to actively lie. So the theory goes that when the warrant canary dies (that is, the notice disappears from the website because it’s no longer truthful), so does privacy. The EFF supports this legal position, though it stopped tracking warrant canaries in 2016; other highly regarded companies and organizations think warrant canaries are helpful only for informing you after the damage has been done. Such notices may provide a nice sense of security, and they are important to some people, but we didn’t consider them to be essential.

After reviewing the above criteria in 2022, we narrowed our initial list down to just three services that met our requirements: Mullvad, Surfshark, and TunnelBear. We also retested IVPN, a previous runner-up, despite its lacking a recent infrastructure audit. We signed up for each of those services and dug deeper into their policies, technology, and performance on a custom-built gaming PC, a MacBook Pro, an iPhone, and a Pixel phone.

Speed testing

When you’re connected to a VPN, your browsing speed and latency depend on several factors. These include the VPN server’s physical location (if a server is located far away, data takes longer to arrive) and the bandwidth of the VPN provider’s internet connection.

We tested each service using Ookla’s Speedtest on macOS for each VPN over Wi-Fi, selecting OpenVPN as the connection protocol but otherwise leaving the configuration as is. We recorded baseline download rates of nearly 285 megabits per second without a VPN active and checked our non-VPN speeds at random intervals to confirm that our local ISP wasn’t affecting the tests.

Ookla takes a “multi-threaded” approach to testing, using up to 16 streams. Multi-threaded testing, according to a 2016 white paper by Open Technology Institute, has a higher tolerance for background packet losses and can obfuscate deficiencies in the network, so it tends to be more forgiving than other tests. Though other rating options, such as M-Lab’s Speed Test, may be a better measure of real-world results, in our experience Ookla’s tests worked on every service and allowed us to get a true relative comparison. Plus, Ookla’s data has been cited by the FCC in publications including the agency’s first Consolidated Communications Marketplace Report (PDF), according to the company’s blog.

These two tests show how using a VPN, especially a distant server, will generally slow down your internet connection. We did this second speed test in Southern California with a VPN connection to a server in the United Kingdom. This screen recording has been sped up, so the connection time may be longer than depicted.

From Brooklyn, New York, we ran the VPN-enabled test using eight different server locations per service:

  • California
  • New York
  • Canada
  • England
  • Brazil
  • Australia
  • Switzerland
  • Japan

For services that offered automatic location selection—a feature designed to give you the best speed possible—we also ran the tests on whichever location the VPN software chose.

We ran the full series of tests with each location during three time periods that we chose to see whether internet rush hours drastically reduced performance:

  • Tuesday midday, between 10 a.m. and 2 p.m. Eastern
  • Tuesday evening, between 7 p.m. and 9 p.m. Eastern
  • Sunday midday, between 10 a.m. and 12 p.m. Eastern

We also tested each VPN outside of these hours, using its fastest connection on a MacBook Pro running macOS Monterey, a Pixel 2 phone running Android 11, and an iPhone SE running iOS 15.6.1. Additionally, we tested the apps over video calls to see if any service caused frozen screens, slowdowns, or dropped connections.

Efficacy checks

To verify that each service we tested effectively hid our true IP address, we used a geolocation tool as well as sites that detect DNS leaks and WebRTC leaks. We visited the websites for Yelp, Target, and Akamai—sites that sometimes block suspicious IP addresses—to make sure the VPN IP addresses did not prevent us from accessing them.
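The comparison behind these checks can be scripted once the results are written down. The Python below is an added example, not the tooling used for this guide: it assumes you noted your ISP's address ranges with the VPN off and copied what the test sites reported with the VPN on, and every address, name, and sample run in it is constructed for illustration.

```python
"""Offline leak check for results gathered with the VPN switched on.
All addresses are constructed samples from documentation ranges."""
import ipaddress

# Ranges that say nothing about your ISP: RFC 1918, loopback, link-local, ULA.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_ip(text):
    """Return an address object, or None for non-IP text such as mDNS names."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def webrtc_addresses(candidate_lines):
    """Collect routable IPs from WebRTC ICE candidate lines.

    candidate:<foundation> <component> <transport> <priority> <address> <port>
        typ <type> [raddr <address> rport <port>]
    """
    found = set()
    for line in candidate_lines:
        line = line.strip()
        if line.startswith("a="):            # SDP form: a=candidate:...
            line = line[2:]
        fields = line.split()
        if len(fields) < 8 or not fields[0].startswith("candidate:"):
            continue
        texts = [fields[4]]
        if "raddr" in fields[:-1]:
            texts.append(fields[fields.index("raddr") + 1])
        for text in texts:
            ip = parse_ip(text)
            if ip is None or ip.is_unspecified:
                continue                     # mDNS name or 0.0.0.0 placeholder
            if any(ip in net for net in LOCAL_NETS):
                continue                     # LAN address, not an ISP address
            found.add(ip)
    return found


def find_leaks(isp_prefixes, observed):
    """Return (kind, address) pairs for every value that still maps to the ISP.

    isp_prefixes: CIDR blocks recorded with the VPN off.
    observed: what the test sites reported with the VPN on.
    """
    isp_nets = [ipaddress.ip_network(p) for p in isp_prefixes]

    def on_isp(ip):
        return ip is not None and any(ip in net for net in isp_nets)

    findings = []
    for text in observed["public_ips"]:
        if on_isp(parse_ip(text)):
            findings.append(("ip", text))
    for text in observed["dns_resolvers"]:
        if on_isp(parse_ip(text)):
            findings.append(("dns", text))
    for ip in sorted(webrtc_addresses(observed["webrtc_candidates"]), key=str):
        if on_isp(ip):
            findings.append(("webrtc", str(ip)))
    return findings


# Constructed baseline: the ISP's IPv4 and IPv6 ranges seen with the VPN off.
ISP_PREFIXES = ["198.51.100.0/24", "2001:db8:1::/48"]

# Constructed run: IPv4 goes through the VPN exit (203.0.113.50), but IPv6,
# one DNS resolver and one WebRTC candidate still belong to the ISP.
LEAKY_RUN = {
    "public_ips": ["203.0.113.50", "2001:db8:1::25"],
    "dns_resolvers": ["198.51.100.53", "203.0.113.53"],
    "webrtc_candidates": [
        "candidate:1 1 udp 2113937151 9f3c1a2e-7b1d-4c55-9a10-2f6e0c1d3b44.local 54321 typ host",
        "candidate:2 1 udp 1677729535 198.51.100.23 46154 typ srflx raddr 0.0.0.0 rport 0",
        "a=candidate:3 1 udp 1677729535 203.0.113.50 46155 typ srflx raddr 10.64.0.2 rport 46155",
    ],
}

# Constructed run in which everything is attributed to the VPN exit.
CLEAN_RUN = {
    "public_ips": ["203.0.113.50"],
    "dns_resolvers": ["203.0.113.53"],
    "webrtc_candidates": [LEAKY_RUN["webrtc_candidates"][0],
                          LEAKY_RUN["webrtc_candidates"][2]],
}

if __name__ == "__main__":
    for kind, address in find_leaks(ISP_PREFIXES, LEAKY_RUN):
        print(f"{kind} leak: {address}")
```

An empty result means only that none of the recorded values fell inside the ISP ranges you supplied, so the baseline has to include both the IPv4 and IPv6 ranges.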

Desktop and mobile apps

We also evaluated the interface and experience of the desktop and mobile apps of all the top-performing services. We set up each service’s Android app on a Pixel 2 phone running Android 11. We used iOS apps, when available, on an iPhone SE with iOS 15.6.1. We looked at the payment process, how easy each app was to set up and connect, and what options were available in the settings pane.

Customer support

We contacted each of our finalists with simple questions about their service and troubleshooting. VPN companies provide technical support through email, online ticketing systems, or live chat, but some chat options are not available outside of business hours. Response times to our support inquiries ranged from a few to several hours. Self-help support sites can be useful when you can’t connect and are waiting for a reply. So we looked at both the speed of response and the robustness of troubleshooting information available in the site’s support section.

A smart phone on a lavender backdrop, with the Mullvad VPN app, our pick for best VPN, open on screen.
Photo: Michael Murtaugh

Our pick

Mullvad is transparent about its security and privacy practices. The VPN offers reliable connections and is easy to use on laptops, phones, and tablets.

Mullvad is a secure VPN that during our testing provided a seamless experience: It was easy to set up, and it hummed along so quietly in the background that we would often forget it was even turned on. The company excelled in signals of transparency and trust, and in our testing the service was easy to use and delivered some of the fastest speeds of any VPN we tried. Dedicated apps for Windows, macOS, Android, and iOS make Mullvad simple to set up on a variety of devices, even if you have little technical knowledge. Mullvad’s subscription is reasonably priced and costs the same whether you use the service for a month or a year. And one subscription can support up to five simultaneous connections, so it’s easy to use on all of your devices, too.

A screen shot of Mullvad VPN, our pick for best VPN service, showing a user their account number.
Mullvad doesn’t require your email address or a username. You just get a randomly generated account number.

Although other VPNs we’ve considered have had third-party security audits in some form, Mullvad’s audits have been among the broadest in scope. Mullvad has also been the most consistent in conducting audits regularly, about once a year. In April and May 2022, Mullvad underwent its latest server security audit, a process that is key for improving trust in an opaque industry. Conducted by cybersecurity consulting firm Assured, the most recent infrastructure audit took three testers a total of 19 person-days to complete. In evaluating Mullvad, the auditors spotted 20 vulnerabilities, implementation issues, and other findings: 11 of medium severity and nine of low severity. There were also five informational notes indicating existing defensive measures and potential room for improvements. By comparison, TunnelBear’s latest infrastructure audit (which was similar in scope) found three critical-severity issues, three of high severity, nine of medium severity, four of low severity, and 14 informational notes. Only TunnelBear’s audit found any issues of critical severity, both surfacing a vulnerability that could potentially be used in tandem with other exploits to impersonate a TunnelBear server administrator. Mullvad and TunnelBear both addressed security issues quickly.

Mullvad’s transparency is another strong signal of trust. Located in Sweden, the company behind the service (Amagicom) is directly owned by founders Fredrik Strömberg (who works on research and development in security) and Daniel Berntsson. And Amagicom lists its employees on its site. Many other VPNs have begun disclosing their ownership in recent years; it may be no coincidence that the services that still haven’t done so tend to be prone to deceptive marketing and include suspicious “free” VPNs. Plus, according to Mullvad’s CEO, many of the people on its team use Qubes, a security-focused operating system designed to keep sensitive work isolated and secure, even if an attacker were to breach another portion of the computer.

In the icon design, it’s very clear when your computer is connected to Mullvad and when it’s not.

Many VPN services put their marketing promises front and center while keeping the specifics of those promises out of sight in a cryptic privacy policy, if they mention them at all. Mullvad keeps its policies comprehensive and transparent, and those policies generally indicate that it minimizes the data it collects at every step. Although the privacy policy is a bit jargony, Mullvad’s policy page links to additional documents explaining the company’s cookie policy, its no-logging policy, and the Swedish legislation it finds relevant as a VPN provider. The privacy policy states that the company does not collect or store activity logs of any kind. Additionally, Mullvad may not even collect an email address during sign-up, depending on how you choose to pay. Mullvad typically stores only the account number and the time remaining on an account, plus a few other configuration details. The stored data includes whether customers are making payments via PayPal, Stripe, Swish, or bank wire, or if they send an email or report a problem (additional information for other types of payments is described in various policy pages on the site). Mullvad stores transaction IDs and email addresses for PayPal transactions, but it deletes them after six months.

Mullvad also collects very little data on its website visitors, and all of the cookies that may track you on the Mullvad website expire when you close the browser window. Those cookies include one that allows you to log in, a cookie that retains your language preference, a security cookie that prevents cross-site request forgeries, and cookies for Mullvad’s payment processor for some payment types. By contrast, TunnelBear embeds Google Analytics and other third-party trackers in its website. Research from The Markup shows that other VPNs have far more advertising and other third-party trackers on their sites. ProtonVPN, Windscribe, Mullvad, and IVPN were the only services The Markup tested that had no trackers on their sites.

Mullvad has fairly readable terms of service, including details about what kinds of information the company collects and how it uses that information. As we discuss in the section on trusting a VPN, using a VPN service beholden to US laws provides some level of consumer protection. But some people argue that services outside the US—like Mullvad in Sweden—are less likely to be swept up in US-government data-collection efforts. We’re unable to draw distinctions between the laws of Sweden and those of the US in this regard, but we do like that Mullvad includes details on how it handles government requests for data. It also says it retains lawyers to monitor the legal landscape and is prepared to shut down the service in the affected jurisdiction if a government somehow legally forces it to spy on its customers: “Just as where no data can be revealed if it does not first exist, the service can’t be used as a surveillance tool if it’s not in operation,” the company says.

Free trials are rare in this category, but we like that Mullvad offers a 30-day money-back guarantee so you can see whether the server speeds and connections work for you. When you sign up for an account, Mullvad offers more payment options than TunnelBear, including cryptocurrencies, cash, bank wires, and more. Mullvad offers a 10% discount for payment in cryptocurrency. Although Mullvad also accepts cash payments, most people aren’t going to mail cash to Sweden from the US, and those payments are not eligible for the money-back guarantee.

A chart displaying average download speeds for VPN services, in which our top pick, Mullvad, has the highest overall average.
Mullvad was consistently the fastest VPN we tested. Chart: Wirecutter

For a trusted VPN to be worthwhile, its network has to be useful, which generally means offering fast connection speeds and a wide variety of locations to connect through. Mullvad’s app allows you to connect to servers in 68 cities across 39 countries. That’s more locations than on most VPNs we considered, but Mullvad has fewer total servers than Surfshark (which offers more than 3,200 servers). With OpenVPN connection speeds, on average, Mullvad ranked first among the VPNs we tested during rush hour, and it did not freeze or drop video calls. Across nine locations, it averaged just about 16% faster than TunnelBear. During non-rush-hour traffic, Mullvad averaged 127.32 Mbps in the US.

Mullvad’s phone apps were sometimes—but not always—faster than connecting on a computer, even with a mix of protocols available, averaging 73 Mbps on Android and 131 Mbps on iOS over Wi-Fi during non-rush-hour times. Like TunnelBear, Mullvad didn’t disrupt basic web-browsing tasks, and neither service caused video calls to drop or freeze.

As for the security and connection standards Mullvad uses, this service is competitive with the other VPN services that we found to be trustworthy. On Windows and macOS, Mullvad allows you to choose between the OpenVPN and WireGuard standards; on its iOS and Android apps, it uses WireGuard exclusively. We recommend using WireGuard for better security and faster speed. But we recommend using OpenVPN where WireGuard isn’t available, like when someone is using TunnelBear. We like that Mullvad lays out its security standards clearly; although TunnelBear meets our standards, the company is less technical in its documentation.

Mullvad includes a kill switch, which stops all traffic if the VPN disconnects. As with other competitors we tested, with Mullvad this feature worked as promised and kept our browsing and connections offline until the VPN connection was confirmed.

Mullvad’s open-source apps are available for Windows, macOS, Android, and iOS. This flexibility makes Mullvad simple to set up on a variety of devices, even if you have little technical knowledge. You can customize whether to launch the app on startup and to automatically connect when it launches. It also has a “Local network sharing” setting to access other devices on the same network; this prevents problems with printing and file sharing, a common issue for some VPNs. And though Mullvad didn’t disconnect randomly during our testing, it clearly and visually indicates when you are disconnected by changing the closed green lock icon to an open red lock. (IVPN is the same on Windows. But on a Mac, IVPN’s icon is black when connected and gray when disconnected, which can be harder to discern at a glance.) If you think a colorful icon clashes with an otherwise clean set of single-color icons, you can set the Mullvad icon to not change color by turning on the Monochromatic tray icon setting in Mullvad’s Preferences panel.

A computer screenshot of the Mullvad VPN app, our pick for best VPN service, displaying the Preference toggles in Settings.
Mullvad’s “Local network sharing” option is great, since some other VPN apps have a tendency to block certain tasks you do on your local network, such as printing.

| Service | Monthly | Annually |
| --- | --- | --- |
| Mullvad | about $5.50 | about $60 |
| TunnelBear | $9.99 | $59.88 |
| Surfshark | $12.95 | $47.88 |

Prices are accurate as of January 20, 2023.

Whether you sign up for a month or a year, the cost of a Mullvad subscription is the same: 5 euros a month (about $5.50 at the time of publication). By contrast, TunnelBear is about $10 a month, or $120 a year. Its price is on a par with Mullvad’s only if you commit to a whole year of TunnelBear service.

Mullvad offers some features that other VPN providers don’t. Although most people won’t take advantage of these extras, their existence shows that the company puts a lot of thought into privacy and security. For instance, you can download Mullvad apps using the Tor Browser, and you can verify the signatures for new app releases as well as install them on Android from the open-source Google Play store alternative, F-Droid. We were particularly impressed with the company’s design specifications, which describe how the application should work, the connections it should be allowed to make, and how that differs on each individual platform. “That level of upfront specification means that you can test against that specification, which means that you can actually find deviations from it that indicate security issues. That’s a deeper level of knowledge about what you’re building than what I’ve seen for many other VPN providers,” said Trail of Bits CEO Dan Guido. Mullvad also supports installation on many routers, though it’s worth checking to confirm that yours is supported and what steps are required.

Flaws but not dealbreakers

It’s unfortunate that Mullvad doesn’t offer a free trial of any sort, but its 30-day money-back guarantee is a longer one than many of its competitors offer. We prefer free trials because they make the process of verifying speeds before subscribing to a service so much easier.

Although Mullvad does not have a bug-bounty program, it does have a dedicated email address and PGP key for security researchers to report vulnerabilities, and it says it has rewarded findings in the past.

If you need to contact support, you have to go through email, since Mullvad doesn’t offer chat or phone support and does not use any third-party vendors for ticketing. When we checked its customer service in 2022, the company responded within 24 hours to a support email during the weekend, and it provided clear and informative responses. Its team operates support during weekday office hours on Central European time. Mullvad provides clear setup and anonymity guides, too.

Mullvad’s ad- and ad-tracker-blocking feature is a nice extra, but it requires some hands-on manual configuration to activate it on its Android app. This stands in contrast with Mullvad’s iOS and macOS apps, which feature easy on/off switches for blocking ad tracking or blocking ads altogether.

A smartphone that is displaying the Tunnelbear app, our pick for best VPN that doesn't feature WireGuard support.
Photo: Michael Murtaugh

Also great

TunnelBear’s consistent commitment to security, transparency, and ease of use make it an acceptable alternative for those looking for a VPN that can be used on an unlimited number of devices, even if it’s sometimes slower.

Like Mullvad, TunnelBear is transparent with its practices, implementing annual security audits that also offer a detailed view into what steps it takes to protect its OpenVPN-based infrastructure. TunnelBear offers a free plan to check it out, and if it works for you, the company allows you to connect as many devices as you want (better than Mullvad’s five-device limit). TunnelBear supports OpenVPN connections only, so there’s no WireGuard support. But its speeds have kept up with those of its competitors, in spite of the slower protocol. Like Mullvad’s, TunnelBear’s apps are easy to use and available across platforms, and they offer the same set of features we look for, like a kill switch. TunnelBear also includes potentially useful additions, such as GhostBear (which allows your TunnelBear connection to disguise itself as non-VPN network traffic, circumventing internet censorship restrictions in some countries).

A screenshot of Tunnelbear's pricing options, available on their website.
If you’re looking to buy your VPN subscription in bulk, TunnelBear’s three-year subscription brings its per-month price to roughly $3.33.

In addition to publishing the results of multiple recent security audits, the company posts occasional transparency reports. TunnelBear’s transparency report updates don’t seem to be released on a fixed schedule; the latest one, published in 2020, includes a “See you in 2022” note, announcing there would be a new report in early 2022 (which didn’t happen). Mullvad doesn’t offer a transparency report at all. Mullvad’s stance is that because it has no data to hand over, a report outlining denied requests would have little utility. “Like all VPN services we get DMCA complaints, malware notices and police requests. The specific number for each request doesn’t matter,” a Mullvad representative told us.

Like Mullvad, TunnelBear has a clear, easy-to-understand privacy policy. Also like Mullvad’s, TunnelBear’s privacy policy explains in detail how its website uses cookies. Unlike Mullvad and Surfshark, TunnelBear does not allow customers to choose a specific city to connect to; instead you pick a country. On its features page, the company states it has servers in 48 countries, but it doesn’t disclose the total number of servers. Overall, Mullvad’s OpenVPN speeds edged out TunnelBear’s by roughly 16%, but in US-only tests, TunnelBear’s average was 15% faster than Mullvad’s.

TunnelBear supports OpenVPN only, and, unlike Mullvad, it doesn’t have an option to use WireGuard. Both protocols are considered secure if configured correctly, but WireGuard’s smaller codebase minimizes the number of places where vulnerabilities can be found.

A chart displaying average location speeds for four VPNs, based on 9 location options. Mullvad has the highest average speeds.
Mullvad’s and TunnelBear’s OpenVPN speeds ultimately outpaced those of their competitors. Chart: Wirecutter

TunnelBear is available for Windows, macOS, Android, and iOS, with browser extensions for Chrome and Firefox, as well as instructions for running it on Linux. Unlike Mullvad, TunnelBear doesn’t support manually configuring it on network devices such as routers or network-attached storage. TunnelBear’s kill switch, called VigilantBear, works as expected, but TunnelBear’s apps don’t have the same extra features as Mullvad’s, such as the ability to block trackers. However, most people should block trackers through free extensions like Privacy Badger and uBlock Origin, anyway. In addition, TunnelBear allows you to set specific Wi-Fi networks as trusted, so you can choose not to use your VPN on your home Wi-Fi, for example, without disabling the kill switch setting.

TunnelBear’s GhostBear feature, heavily inspired by the Tor Project’s Obfsproxy project, is useful in getting around networks where VPNs are blocked, such as in countries with regimes that engage in censorship, depending on the type of national firewall technology being used in a given country. It can also be useful for circumventing workplace networks, which may also try to block VPN traffic.

A screenshot of the Tunnelbear security menu on their desktop app, which features options Ghostbear and Vigilantbear.
TunnelBear’s apps don’t have the ad-tracking mitigation features other VPN apps do, but they do include a way to disguise your VPN traffic for places where VPNs are blocked.

TunnelBear supports unlimited devices, so if you have more than five devices you want connected at once, it’s a better option than Mullvad. One caveat, however, is that unlike Mullvad, TunnelBear doesn’t have a means of manually configuring a VPN with non-supported devices, so routers and smart TV devices may not work. TunnelBear, like Mullvad and Surfshark, responded to an in-app support question within 24 hours, well within its advertised 48-hour response window. TunnelBear’s online documentation is also comprehensive, including guides on setting up and using its apps on its supported platforms.

If HTTP browsing is a postcard that anyone can read as it travels along, HTTPS (HTTP Secure) is a sealed letter that gives away only where it’s going. For example, before Wirecutter implemented HTTPS, your browsing traffic could reveal to the owner of the Wi-Fi network, to your network administrator, or to your ISP the exact page you visited (such as http://www.nytimes.com/wirecutter/reviews/best-surge-protector/) as well as its content. But if you visit that same page today—our website now uses HTTPS—those parties would see only the domain (that is, https://www.nytimes.com). The downside is that the website operator has to implement HTTPS. Sites that deal with banking or shopping have been using these types of secure connections for a long time to protect financial data. And in the past few years, many major news and information sites, including that of The New York Times, have implemented them too. Every popular browser now supports an HTTPS-preferred mode, though some require that you enable the setting manually.

What a snooper sees when you’re browsing

| Secure HTTPS websites | Outdated HTTP websites |
| --- | --- |
| https://www.nytimes.com | http://www.nytimes.com/wirecutter/reviews/best-surge-protector/ |
| https://newyork.craigslist.org | http://newyork.craigslist.org/d/missed-connections/search/mis |
| https://www.webmd.com | http://www.webmd.com/news/breaking-news/confronting-alzheimers/default.htm |

Even without a VPN, websites that default to HTTPS give you extra privacy online. If they didn’t, a lot more information about your browsing habits would be available to prying eyes, whether they were those of Wi-Fi operators, ISPs, or independent bad actors.
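To show why the domain stays visible while the page does not, the Python below builds the first bytes each kind of connection puts on the wire and then reads them the way a Wi-Fi operator or ISP could. It is an added example, not part of the original guide; the messages are constructed rather than captured, the function names are made up for illustration, and the TLS message is reduced to the fields needed here.

```python
"""What is readable on the wire: a plaintext HTTP request versus the opening
TLS message (ClientHello) of an HTTPS connection. Constructed messages only."""
import struct
from urllib.parse import urlsplit


def http_request_bytes(url):
    """The bytes sent for a plain-HTTP GET (minimal headers)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"GET {path} HTTP/1.1\r\nHost: {parts.hostname}\r\n\r\n".encode("ascii")


def client_hello_bytes(url):
    """A minimal TLS ClientHello carrying only the server_name (SNI) extension.

    Only the host name is used: the path is sent later, inside encrypted records.
    """
    host = urlsplit(url).hostname.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # type 0 = host_name
    sni_body = struct.pack("!H", len(name_entry)) + name_entry   # server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                                # legacy_version (TLS 1.2)
        + bytes(range(32))                         # placeholder for the client random
        + b"\x00"                                  # empty session id
        + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
        + b"\x01\x00"                              # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observed_from_http(wire):
    """Plain HTTP: the host and the exact page are both readable."""
    head = wire.split(b"\r\n\r\n", 1)[0].decode("ascii").split("\r\n")
    _method, path, _version = head[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in head[1:])
    return {"host": headers.get("Host"), "path": path}


def observed_from_tls(wire):
    """HTTPS: walk the ClientHello; the SNI host name is all there is to read."""
    if len(wire) < 9 or wire[0] != 0x16 or wire[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    try:
        pos = 9                                    # record header (5) + handshake header (4)
        pos += 2 + 32                              # legacy_version + random
        pos += 1 + wire[pos]                       # session id
        pos += 2 + int.from_bytes(wire[pos:pos + 2], "big")   # cipher suites
        pos += 1 + wire[pos]                       # compression methods
        end = pos + 2 + int.from_bytes(wire[pos:pos + 2], "big")
        pos += 2
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    host = None
    while pos + 4 <= min(end, len(wire)):
        ext_type, ext_len = struct.unpack("!HH", wire[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000 and ext_len >= 5:    # server_name extension
            name_len = int.from_bytes(wire[pos + 3:pos + 5], "big")
            host = wire[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return {"host": host, "path": None}


# The page's own example URL, in its HTTP and HTTPS forms.
HTTP_URL = "http://www.nytimes.com/wirecutter/reviews/best-surge-protector/"
HTTPS_URL = "https://www.nytimes.com/wirecutter/reviews/best-surge-protector/"

if __name__ == "__main__":
    print("HTTP :", observed_from_http(http_request_bytes(HTTP_URL)))
    print("HTTPS:", observed_from_tls(client_hello_bytes(HTTPS_URL)))
```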

HTTPS is a powerful feature because it helps keep sensitive browsing private at no extra cost to the people using it. But like most security standards, it has some potential problems. That little lock icon in your browser bar, which indicates the HTTPS connection, relies on a certificate “signed” by a recognized authority. But there are hundreds of such authorities, and, as the EFF says, “the security of HTTPS is only as strong as the practices of the least trustworthy/competent CA [certificate authorities].” Some security professionals have worried about those least-competent authorities, spurring groups to improve on the certificate standards and prompting browsers to add warnings when you come across certificates and sites that don’t withstand scrutiny. So HTTPS is good, and it’s getting better. But like anything else, it isn’t perfect.

Tor is a free service that attempts to preserve anonymity—something that VPNs do not do. It is a distributed network that runs traffic through multiple relays.

If you aren’t familiar with Tor, this handy interactive graphic shows how it protects an internet connection, and these articles go into more detail about how Tor works. Runa Sandvik, a former researcher with The Tor Project who was part of the information security team at The New York Times at the time of our interview, described it as “a tool that allows users to remain anonymous and uncensored.”

Tor does not write any history to disk, allowing you to do internet research without leaving a trail back to you or leaving a forensic trace on your computer. Although it cannot protect you from, say, targeted government surveillance, Tor can be useful for looking up private information, such as medical conditions, without your activity being traced back to you or added to a marketing profile. Tor uses a different circuit from a different IP address in each tab, making it harder for other parties to link your searches and accounts across tabs. However, Tor can be blocked by some websites, and it has a reputation for slowing connections.

One way to resolve the issue of trust is to be your own VPN provider, but that’s not a feasible option for most people. Plus, it still requires trust in any company providing the hardware that your VPN would run on, such as Amazon’s cloud services. Multiple projects can help you cheaply turn any old server into a VPN, including Algo and Outline. By encrypting all of the traffic from your home or mobile device to a server you manage, you deprive your ISP and a potentially villainous VPN of all your juicy traffic logs. But most people lack the skills, patience, or energy—or some combination of the three—to do this. If you don’t manage servers or work in IT, it may be harder to manage perfect security, operation, and performance better than trustworthy professionals can. Finally, although you remove one threat from the equation by cutting out a VPN service provider, you also lose the extra layer of privacy that comes from your traffic mixing in with that of hundreds or thousands of other customers.

ExpressVPN released a mix of audits for the build verification process it used while compiling its apps. It announced audits for its server infrastructure, as well as a no-logging certification, only recently; both meet our criteria for recent audits. This announcement came too late to include ExpressVPN in our most recent speed tests. Its new ownership and staffing had raised other trust concerns in our minds, but the addition of security audits may help address some of those concerns.

NordVPN released an audit of server infrastructure and apps conducted by Cure53. It also finally made the reports available without creating an account.

Surfshark previously kept details of its leadership private, but it made them public in 2021. The company also recently conducted a white-box infrastructure audit. Although its regular pricing is less competitive than Mullvad’s, Surfshark’s price includes the ability to use Surfshark on an unlimited number of devices (something TunnelBear also offers). Surfshark’s OpenVPN speeds were markedly slower than our top pick’s average. We also don’t like that the macOS app’s UI does not indicate which protocol is presently being used after a connection is made.

Like Mullvad’s apps, Mozilla VPN’s apps were audited by Cure53, with results comparable to those of competitors that have opted to have their apps audited. Mozilla VPN connects to Mullvad’s servers rather than to its own infrastructure; this gives it an advantage in leveraging the already-existing servers of a VPN company with high marks for security, privacy, and speed. But there’s little reason to use Mozilla VPN over Mullvad, since Mullvad’s apps are just as easy to use, have also undergone security audits, and ultimately connect to the same servers.

We dismissed several other services before performance testing for a variety of reasons.

Encrypt.me (formerly Cloak) was recently bought by J2 and has been rolled into the new parent company’s existing StrongVPN product. The acquisition brought in Encrypt.me’s servers and customers but not its tradition of conducting third-party audits and making them available to prospective subscribers.

Some other VPNs—including VyprVPN and Cloudflare’s Warp—had public audits, but with a scope limited to verifying enforcement of their no-logging policies, leaving out the security of their server infrastructure; we ruled them out for that reason.

In addition to releasing its apps as open source, ProtonVPN recently had its codebases audited by SEC Consult. This latest series of audits did not include its infrastructure.

NordVPN has previously undergone a series of third-party audits for its apps, by cybersecurity consulting firm VerSprite, but this series did not include an audit of its infrastructure. Additionally, NordVPN makes these audit reports available only to existing subscribers, so prospective customers have no way to see the audit’s findings until after they’ve made their purchase.

IVPN meets almost all of the criteria we look for as a baseline when evaluating VPNs, except for recent infrastructure audits. While Mullvad and TunnelBear release infrastructure audits on a roughly annual basis, IVPN’s most recent audit of a comparable scope was concluded in 2019. As Mullvad’s and TunnelBear’s audit reports demonstrate year after year, new security issues are discovered at an unrelenting frequency. Being able to verify the status of newer-than-2019 security issues in a VPN company’s servers is an important factor in determining its present security posture.

Other VPNs we considered testing but ruled out because they had no recent public audits at all include: AirVPN, Astrill, AzireVPN, blackVPN, BTGuard, CactusVPN, Cryptostorm, CyberGhost, Disconnect, Faceless.me, FrootVPN, F-Secure Freedome VPN, Goose VPN, Hide.me, InvinciBull, IPredator, IPVanish, KeepSolid, nVpn, OVPN, Perfect Privacy, personalVPN, PrivateVPN, Private Tunnel, Private Internet Access, PureVPN, SurfEasy, TorGuard, TorrentPrivacy, Trust.Zone, VPN.AC, VPN.ht, VPNTunnel, Windscribe, ZenGuard/ZenMate, and ZorroVPN.

We ruled out some VPNs for having trust issues. PureVPN appears to have lied about its logging practices, and ProxySH confessed to spying on customer traffic in 2013. HideMyAss has handed customer information over to police. The Center for Democracy & Technology filed a 14-page complaint about Hotspot Shield with the FTC, alleging unfair and deceptive trade practices. None of these VPNs appear to have had third-party security audits, either.

This article was edited by Thorin Klosowski and Arthur Gies.

Can I change my location with a VPN?

Yes, most VPNs allow you to pick a location for your IP address, which can get around some geo-restricted websites and online censorship. However, doing so isn’t always useful for accessing international video services, despite VPN companies’ claims that it is. If that’s your main goal, a VPN isn’t a reliable option. Success at circumventing censorship in countries that block sites you’re trying to access may also vary depending on the type of blocking involved. Some VPNs have features—including TunnelBear’s GhostBear and VyprVPN’s Chameleon—specifically to disguise VPN traffic as normal web traffic.

Will a VPN see all of my web browsing?

When you connect to a VPN, all of your traffic is tunneled through the VPN provider, so the company could technically see as much of your web browsing as the ISP you’re connected to otherwise would. This is why it’s important to find a trustworthy company.

Does a VPN hide torrenting from my ISP?

Properly configured, a VPN masks all of your internet usage, including torrenting, from your ISP. However, there’s nothing to stop ISPs from throttling traffic that looks like VPN activity. BitTorrent software also sometimes requires configuration changes to work properly with a VPN, and if you don’t set them correctly, your ISP may still see what you’re up to.

Will a VPN slow down my internet?

This depends on what internet speed you’re paying for, your location, and the location of the VPN server. But even in the best-case scenario, a VPN will typically slow down your connection a little. This is why we recommend starting with a trial, if one is available, to test the speeds before making a commitment.

Does a VPN protect me from hackers?

A VPN can help secure your internet connection when you’re working in a public place, such as a coffee shop or an airport. HTTPS is common these days and protects many aspects of your traffic on an unsecured network, but it’s still not perfect, so a VPN can be useful in this regard. However, a VPN doesn’t protect your data from the most common security threats for most people: breaches and leaks. For that purpose, we think it’s best to use a password manager to create unique passwords everywhere and to use two-factor authentication whenever possible.

Will a VPN make me anonymous online?

No. A VPN can increase security and reduce some online ad tracking, but it’s not an anonymization tool. If you log in to an online account, such as your Google account, that company can trace who you are, and browser fingerprinting can collect some data about you, regardless of whether you’re using a VPN. Used in conjunction with some browser extensions, a VPN can reduce the type of invasive tracking used primarily for advertising. But if you need anonymity, you should use tools like Tor.

When you pay for a VPN with cryptocurrency, are you anonymous?

Although VPNs do not provide anonymity, some VPNs make it easier to disclose as little as possible about yourself when you’re signing up. Cryptocurrencies like Bitcoin tend to be perceived as keeping you anonymous, but ultimately they create a digital paper trail that could be linked back to you. “There are blockchain analysis tools, however, that may still deanonymize you based on your other transactions,” said Amber Baldet, CEO of Clovyr. Another layer of data collection to consider: the use of third-party cryptocurrency payment processors, if they’re not hosted by the VPN provider itself. “If you provide a third-party payments processor with your personal details, credit card information, or linked blockchain wallet, then you should have no expectation of privacy for any of those transactions,” Baldet added.

  1. Kenneth White, security researcher and co-director of the Open Crypto Audit Project, phone interview, June 10, 2019

  2. Matthew Green, cryptographer and professor at Johns Hopkins University, phone interview, May 16, 2019

  3. Matthew Prince, CEO of Cloudflare, phone interview, May 17, 2019

  4. Joseph Jerome, policy counsel for the Center for Democracy & Technology, phone interview, May 22, 2019

  5. Dan Guido, co-founder and CEO of Trail of Bits, phone interview, May 24, 2019

  6. Eva Galperin, director of cybersecurity at Electronic Frontier Foundation, phone interview, May 27, 2019

  7. Ryan Dochuk, CEO and co-founder of TunnelBear, phone interview, May 29, 2019

  8. Nick Pestell, founder and CEO of IVPN, phone interview, June 7, 2019, and email interview, June 18, 2020

  9. Jan Jonsson, CEO of Mullvad, email interview, June 4, 2019, and June 18, 2020

  10. Amber Baldet, co-founder of Clovyr and board member of Zcash Foundation, email interview, September 24, 2021

Meet your guides

David Huerta

David Huerta is a digital security trainer at Freedom of the Press Foundation, where he trains journalists in the use of privacy-enhancing technology, such as VPNs, to circumvent national firewalls and empower a free press. When he’s not writing, he’s reading security-vulnerability disclosures and not-so-silently judging the technologies affected.

Yael Grauer

Yael Grauer is an investigative tech journalist based in Phoenix. Her work has appeared in The Intercept, Wired, Ars Technica, Motherboard, Future Tense, OneZero, and more. She likes cooking, hiking, playing puzzle games, listening to bluegrass music, and spending time with her husband and their rescue chiweenie.
