Written by: Joe Robinson
Chances are by now you already know a bit about VPNs and what they do. Perhaps you’ve heard they’re useful for unblocking content on Netflix, or getting around internet restrictions at school or work, but you may want to develop a much better understanding of how they work before parting with any cash.
Up until only a few years ago, VPNs were almost exclusively used by businesses to allow employees to connect to the company network whilst working remotely. After the Edward Snowden revelations of 2013, however, when we discovered that government bodies around the world are in fact snooping on their citizens’ internet use, people started thinking more seriously about their online privacy. This, together with the practice of content providers using geo-blocking to stop access from certain countries, has led to a meteoric rise in the popularity of consumer VPNs.
The aim of this guide is to explain the most important aspects of VPNs in theory and practice. There’s no way I can cover everything you might need to know. If you’ve never used a VPN before or would like to know a bit more about how they work, or want to be armed with some extra knowledge before signing up to a subscription, you’ll get a good deal of information right here. I won’t dumb it down so get your thinking cap on.
VPN is an acronym of Virtual Private Network. To explain fully what a VPN is and what it does, let’s first look at how you connect to the internet normally.
When you connect to the internet, your device such as a laptop or mobile connects to a router either via WiFi or an ethernet cable. The router is connected to a modem that, in turn, connects to the internet via your internet service provider (ISP). Your device sends small clusters of information, called data packets, through these connections, that contain instructions on what you want the internet to “do”, i.e. which website to visit, login details, etc. The website then responds by sending data packets back to you that show the website and any content or details required.
These data packets can give away a lot of information about you to your ISP and the websites you visit, such as:
This information can be used to track your behaviour or location, as well as restrict your access to content. Content may be restricted by your ISP: ThePirateBay, for example, a well-known torrent sharing website, is blocked by all ISPs in the UK due to government regulations. It may also be restricted by websites themselves. Netflix is one of the most commonly used examples of restrictions because each country has a different library of available titles, which we’ll take a deeper look at in just a moment.
Now, what a VPN does, on the other hand, is to create a secure tunnel between your device and the internet. This means that all those data packets I mentioned earlier are encrypted and sent through your ISP to a remote server owned by the VPN company, where they are decrypted and sent on their way to the internet. Packets coming back follow the same path. This means that even if the network you’re connected to is compromised and someone is monitoring the data packets you send and receive (known as packet sniffing), they will only see a load of jumbled up letters and numbers (known as ciphertext).
The main differences between a VPN connection and regular internet are:
One of the most popular uses of a VPN, however, is to change your apparent location. That’s because you get the IP address of the VPN server, which could be anywhere on the planet.
Say you’re on vacation in Bali and want to take an evening off partying to enjoy some downtime with Netflix, but the show you’re watching isn’t available on Netflix Indonesia. You can use a VPN to change your IP address (and thus, your apparent location) to your home country, where the show is available.
There are three main ways websites are blocked.
There are many good reasons to block access to certain websites, but this blocking is often done not to protect people, but to control them. YouTube, for example, has been blocked at one point or another in at least 25 countries, Facebook is completely blocked in China, and ThePirateBay is blocked in the UK.
Many websites themselves actually limit their content to specific countries. Netflix and HBO, for example, offer different libraries depending on your country. Most people would prefer to have access to the full Netflix catalogue rather than a watered down version. These sites do this by checking the IP address of the connected device, which reveals its location, and offering the content they’ve decided on for that region. Now, if you use a VPN to change your IP address to one in a location where there is no blocking, you get to enjoy unrestricted access to the internet.
Using a VPN is simple. Most of the top VPN service providers have created products that are simple to set up and use. Signing up to a VPN provider is typically uncomplicated and many allow payment via cryptocurrency and only require an email address, for people who want an additional level of anonymity.
The exact steps vary between providers, but usually look something like this:
As I mentioned, most of the popular VPNs have apps for Windows, macOS, Linux, Android, and iOS, so you can just download the right one and get connected within a few minutes. Many companies also either have apps or at least detailed setup guides for other devices such as smart TVs, games consoles, even tablets. Not every device that can connect to the internet can have a VPN installed on it, but it is possible to run a VPN on a router (again, not all routers), which means every connected device gets the benefits. What’s more, with a VPN router you can choose which devices connect to the VPN and which to the regular internet.
There are many reasons to go for a paid VPN rather than a free one, which I’ll discuss later. One of them is the software provided by the service. Up-to-date software is critical in the world of cybersecurity, as fixes for known vulnerabilities only reach you through updates.
There are arguments for and against leaving a VPN running in the background all the time. Some people regard their online privacy with a higher degree of concern than others, and people from countries where the internet is censored or monitored by the government, law enforcement, or ISPs, may want to keep their VPN on at all times just to enjoy the internet in the democratic and free manner in which it was conceived.
Someone might have a VPN subscription mainly to access geo-blocked content such as Netflix, or get a wider range of live sport by watching overseas TV channels. Others might feel safer carrying the protection of a VPN for Android to help keep their data secure when they need to connect to an untrusted WiFi network.
Luckily, the best VPNs can be left on at all times without any worry. If you want to do this, make sure your VPN has a killswitch so that the internet connection will be cut off in the event of VPN failure, and you won’t be left unprotected without realising it.
There are many inaccuracies floating around the internet with regard to what a VPN does and doesn’t do. Some of these are from VPN services themselves, others from review sites whose staff lack appropriate knowledge. Like I said before, don’t trust anyone who says a VPN provides 100% anonymity, but there are a couple more misconceptions it’s worth pointing out here.
Something I see way too many people who should know better saying is that you need to use a VPN to access any banking or financial website.
This is simply not true.
No reputable bank in the world allows non-secure connections. You can see that just by visiting your bank’s website and checking the address begins with https:// rather than http:// – the s stands for secure, and it is. Just like a VPN creates a tunnel between your device and the VPN server, a secure website uses an encrypted tunnel to keep your data safe from snooping and ensure that the website you’re visiting is authentic.
VPNs do not protect you from viruses or other malware. It’s just not what they do. A VPN encrypts data you send and receive through the internet and allows you to choose your IP location; it has nothing to do with malware protection.
Windows comes with malware protection preinstalled, but I’d recommend using a premium real-time anti-malware such as Bitdefender, Malwarebytes, or AVG. Additionally, you should be using a firewall. Windows and macOS have them preinstalled, but they may not be active so it’s worth checking your settings.
User tracking is massive business. Facebook ads are built on tracking, as are Google ads. The reason people think a VPN will stop them being tracked online is that someone has told them a VPN makes them anonymous, and therefore they think marketing trackers won’t work. Again, this is not true. Most web tracking is done via cookies, which you can block from your computer if you’re worried about it, but you will lose some other web functionality.
You should always use a VPN if you need to connect to an untrusted WiFi network such as at a cafe or airport. The reason for this is that you just don’t know if someone is monitoring the network. If you’re on an open WiFi with no password, anyone else connected to it could be capturing your data packets and snooping on your internet activity. Most websites nowadays do use TLS to encrypt data in transit between your device and the website, but not all, and any snooper would still be able to see which websites you visit, which could become the basis of a larger attack.
Another time you’ll want to use a VPN is when accessing content that’s blocked in your country, yet not actually illegal. Pornographic websites are actually blocked in several countries despite pornography itself being legal. At the time of writing, the UK is about to roll out a porn-block that would require adults to register for a “porn-pass” with a valid ID in order to access any pornographic site. Now, I totally agree that children should be prevented from accessing such content, but this approach is typically heavy-handed of the current government. Anyway, if you want to access those sites in the UK when the ban has been implemented, provided you’re of legal age, you can simply use a VPN to connect to the closest country with less draconian laws.
Having said that, a quality VPN will provide security all the time and can actually be left on at all times without really any need to switch it off. I haven’t yet found a VPN service that runs so perfectly that I can leave it all the time, although I have sometimes gone several days without switching it off, not noticing it’s even on.
Probably, a little bit, but it depends a lot on the particular VPN.
Some of the best services have a barely noticeable drop in speed, whereas others make internet use laborious and slow. There are two things that could cause your internet to become slower whilst using a VPN.
The first is encryption. Encrypting and decrypting all the data passing between your device and the VPN server requires calculations to be constantly made that are in addition to everything that normally happens when you connect to the internet. These calculations take time. How much time depends on the processing power of your device and the VPN server you’re connecting to, as well as the quality of the VPN app.
The other thing that can affect speeds is the quality, configuration, and distance of the server you’re connecting to, as well as the number of other people who are connected to it. The maximum speed of data transfer is limited by the weakest piece of equipment and the available bandwidth. So the quality, configuration, and number of people connecting to the server you’re connecting to will play a major role in actual VPN speed, as well as the distance between you and the server, as there will be more parts to the chain when it’s further away.
Most of the time, any loss in speed is barely noticeable provided you go with a reputable VPN provider that properly maintains its service.
To check your VPN connection speed, head over to https://testmy.net/, a free speed test website that’s very easy to use and has a good, if a little dated, graphical interface. We’ve used the service quite a bit and published a TestMy.net review here.
Yes, a VPN does use more data, but only a small amount more. It depends on the cryptographic functions applied to your data and how the packets are transmitted. As encryption gets stronger, it creates longer ciphertext, and uses more data. Some VPN providers offset this by compressing data before it’s encrypted, although that can lead to vulnerabilities.
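The risk with compressing before encrypting is that encryption hides content but not length, so the size of each packet starts to depend on what is inside it. The following is an added example, not part of the original guide and not any provider's code: the cookie value, host name and stand-in cipher are constructed for the demonstration, and it compares two requests of identical length through a tunnel with and without compression.

```python
import hashlib
import os
import zlib

KEY = bytes(range(32))                          # constructed demo key
SECRET_COOKIE = "sessionid=7f3a9c1e5b2d4a68"    # constructed secret value


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream (demo only).
    Like the stream and counter modes real tunnels use, it hides content
    but outputs exactly as many bytes as it was given."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def tunnel_packet(plaintext: bytes, compress: bool) -> bytes:
    """What goes on the wire: nonce + encrypted (optionally compressed) payload."""
    body = zlib.compress(plaintext, 9) if compress else plaintext
    nonce = os.urandom(12)
    return nonce + stream_encrypt(KEY, nonce, body)


def http_request(query: str) -> bytes:
    """A request that carries the secret cookie plus some other text."""
    return (f"GET /search?q={query} HTTP/1.1\r\n"
            f"Host: shop.example\r\n"
            f"Cookie: {SECRET_COOKIE}\r\n\r\n").encode()


def observed_lengths(compress: bool):
    """Wire lengths of two equal-length requests: one whose query text
    repeats the cookie value, one whose query text does not."""
    repeats = http_request(SECRET_COOKIE)
    differs = http_request("sessionid=QxZpLmWvRtYuKjHg")
    return (len(tunnel_packet(repeats, compress)),
            len(tunnel_packet(differs, compress)))


if __name__ == "__main__":
    for compress in (False, True):
        repeats, differs = observed_lengths(compress)
        print(f"compression={compress}: repeats={repeats} bytes, differs={differs} bytes")
    # Without compression both packets are the same size. With compression the
    # request that repeats the cookie is shorter, so packet size alone reveals
    # something about the encrypted content. Turning tunnel compression off
    # removes that signal.
```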
In most countries, yes, using a VPN is perfectly legal, but it’s certainly not a carte blanche for breaking other laws.
Using a VPN is illegal in:
And governments in the following countries are taking steps to outlaw VPN use, however the legal status is not certain:
However, what you use a VPN for is still confined by the laws of the country you’re physically in. We don’t condone illegal activity of any kind, and you should remember that even when you’re using a VPN you’re not 100% anonymous.
While there are certain countries such as Iran, Saudi Arabia, UK, Germany, UAE, Turkey, and many more whose leaders have a rather authoritarian outlook towards the internet, there is nothing inherently untoward about VPNs.
Basically – No.
There is no such thing as a truly anonymous VPN. A quality VPN will provide a degree of anonymity and a lot of privacy, but definitely not 100%.
There is a very important distinction that I want to make here, which is between anonymity and privacy. Whilst many people think of them as being the same thing, they’re quite different.
Privacy is curtains, anonymity is a mask.
You can expect that when you have your curtains drawn in your living room, no-one can look in, so your actions are private. If you wear a mask when you go out, your actions aren’t private but people won’t know who is performing them, giving you anonymity. Batman is anonymous.
A VPN provides a degree of privacy and anonymity, but should not be relied upon to provide absolute anonymity or privacy. There are ways to make your VPN account closer to being anonymous, but anyone claiming a certain VPN service is 100% anonymous or private is either lying or doesn’t hold the necessary knowledge on the subject to be worth listening to.
Masking your IP address is the main way a VPN hides your identity. By doing this, your location is unknown. There are other ways, however, to trace who you really are. Your device’s MAC address, as well as accounts you’re logged into, can reveal your true identity. Your identity can also be revealed at any time by the VPN provider. The amount of data they hold about you depends on how much they collect, which is what makes careful analysis of VPN providers’ logging policies so important.
What a VPN does better is provide privacy. Because you connect to the VPN server through a secure tunnel, often using extremely strong encryption suites, your internet usage can be considered private. If you’re logged into Chrome then Google will still be able to track everything you do. Additionally, your VPN provider could monitor your internet activity, another reason to go with a zero logs service.
This issue is compounded by the fact that practically all VPN services use proprietary closed-source software, meaning the source code of the software you use can’t be independently vetted by analysts. The implication here is that if a VPN company were forced or otherwise persuaded to add a back-door for the NSA to access traffic, we wouldn’t know about it.
For further reading on surveillance and tracking, see our internet surveillance guide. Either way, remember that you can achieve a degree of anonymity and good general privacy from a VPN, but nothing is 100%.
In almost all cases, a high-quality paid VPN will outperform a free VPN. One of the main reasons behind this is that it costs money to run VPN servers, develop secure apps, and keep them updated. So if the service is free, you should wonder who’s paying to keep it running, and what they’re getting in return.
As the famous phrase goes, “If you are not paying for it, you’re not the customer; you’re the product being sold.”
This has been shown to be true for some companies in the VPN industry. Here are a couple of notable examples:
Hola is probably the most famous free VPN service that funds its network by selling access to your computer and network to third parties by creating an exit node on your device!
From their website (as of May 1st 2019):
That really is just as sinister as it sounds, and really bad for a company that from the outside appears to be privacy-focused. But what does this mean?
So, Hola VPN is operated by a company called Luminati. By using Hola VPN you agree that they can sell the use of your internet connection, through your computer or even mobile data! Chances are your computer will be used to send bot traffic for market research, but it could potentially be used for illegal activity, and guess who would become the focus of police or even government attention – yes, you.
That’s the most insidious monetisation of a free VPN service I know about, but there are several others that place cookies in your browser as you’re browsing the internet so they can sell you as advertising targets.
Some free VPNs that store a cookie on your browser or otherwise track your behaviour so their affiliates can target you with ads:
And many more.
Now, internet tracking is nothing new. Facebook, Google, Instagram, and many others, make vast amounts of money by allowing advertisers to target you based on your behaviour and interests. What is shocking about this is that people expect privacy when using a VPN (that P stands for Private, after all) and just don’t get it, and they probably have no idea about the way these services are monetised.
They look just like totally genuine VPN services when you’re on the website unless you read the lengthy terms and privacy policies.
VPNs aren’t that expensive (check our NordVPN review to see one of the best with subscriptions from around $3/month). I recommend not choosing a free one.
There are many VPN service providers around these days and they are certainly not all equally good. Some are subsidiaries of major corporations whilst others were put together after school by a kid who wanted to watch YouTube in class, neither of which is a definitive indicator of quality.
We’ve reviewed around 40 VPN services and strive to develop more rigorous testing criteria with each review iteration. Take a look at what we consider important criteria for selecting the best VPN that will fit your needs further down this post.
The jurisdiction can be extremely important when choosing a VPN. Certain countries may require companies to log information about their users. Similarly, if you’re going to be doing any torrenting (which, of course, we don’t condone), you’ll want to make sure they’re not located in the USA where they could be subpoenaed into handing over your details because of a DMCA request.
For maintaining a private connection, you should be aware that there are various ways your VPN can encrypt your data. These are called VPN protocols, and there are usually several different ones to choose from depending on your requirements. All our reviews have a section on security that covers the specific protocols offered by the VPN.
Most VPNs offer the following protocols:
OpenVPN is usually considered the “best” option due to its high level of protection, speed, compatibility on most devices, and the fact that it’s open source and has been vetted by security researchers. IKEv2 is another excellent option for those using a VPN on their mobile whilst traveling as it can quickly reestablish a connection when it gets cut off. Other protocols can be insecure and therefore I don’t recommend them unless you know how you’re setting up your VPN connection and understand the risks.
For almost all users, OpenVPN provides the optimal level of security, compatibility, speed, and reliability.
For a more detailed look at the OpenVPN protocol, check out our guide to VPN protocols.
A VPN’s logging policy is one of the most scrutinised parts of the service, and with good reason. This is where you’ll find out about whether they store your data, including the websites you visit and services you use, and what they do with that information.
As we saw with the free VPNs, some companies really don’t care much for your privacy.
So what are we looking for in a logging policy? Ideally, no logs at all.
Whilst many VPN services claim to have zero logs policies, the truth is they wouldn’t be able to run the service at all without holding any information about you or your computer. So what seems to be the norm in the VPN industry is that zero logs means no PII (personally identifiable information). But there is a caveat.
Almost all VPN services provide their customers with software to run the VPN on their device, known as a VPN client. This client is almost always closed-source, proprietary software, so it is impossible for independent cybersecurity professionals to audit.
So we basically have to trust them. Well, not quite. We can judge VPN companies on their actions.
There have been a number of cases where VPN companies have been caught providing user data to the authorities. On the other hand, there are a number of VPN companies that have shown that they keep their users totally safe by not storing any PII.
NordVPN has been independently audited by PricewaterhouseCoopers AG and found to present no risk to users’ PII. The audit is available only to NordVPN customers.
VyprVPN has been publicly audited by Leviathan. Whilst the audit initially identified PII present in some logs, they confirmed that this has now been fixed, and VyprVPN presents no risk to users’ PII.
My favourite way for a VPN company to show that they protect their users is when they actually do so when faced with seizure or legal challenges.
ExpressVPN had its servers seized in Turkey, but the authorities were unable to obtain any user data due to ExpressVPN’s no logs policy.
Finally, Perfect Privacy had servers seized in Rotterdam in 2016, but no user data was compromised.
The speed of the VPN service ultimately relies upon the quality and number of servers. Be sure to read our VPN reviews before jumping into any subscriptions.
If one of your goals with a VPN is to access geo-restricted content (think Netflix/Hulu outside of the US), you’ll want to be sure that the company has servers in the country that these services are accessed in. If you use P2P for downloading, make sure the company has servers in a country that’s P2P-friendly (Switzerland, Spain, The Netherlands and Hong Kong are a few), which leads us nicely to our next section.
Sometimes too many features can seem gimmicky, which is especially true for VPNs. Too many features could lead to security vulnerabilities and at least more frequent updates being required. There is, however, a feature set present in several excellent VPNs that really does improve the service.
Whilst I’m not going to recommend that anyone uses P2P file sharing networks to download pirated content or software, torrenting is an incredibly efficient way of sharing files with multiple users. Whether it’s static content or live shows such as sports, if you want to use these services, make sure you go with a VPN that allows or ignores it.
Shared IPs make it almost (but not 100%) impossible to connect activity with an individual as many people can be accessing the internet from the same VPN server simultaneously.
A VPN killswitch is a safety mechanism that shuts off access to the internet in the case of failure. In the event that your VPN connection gets cut off for any reason, a killswitch will protect your real IP from being exposed and stop any unencrypted data from leaving your machine.
Many VPN clients have a killswitch, and we check whether or not one is present when we review a VPN. For more details check our VPN killswitch guide.
A multi-hop, or double-VPN, connection is when your traffic is encrypted multiple times and sent through multiple VPN servers. This makes certain vulnerabilities of VPNs (remember I said it’s not 100% private), such as timing attacks, almost impossible to exploit. For most users, a multi-hop VPN connection is unnecessary and will slow down the service. For whistleblowers facing a global adversary, multi-hop connections may be necessary.
Certain countries use a blanket firewall to block VPN traffic. In China where VPNs are outlawed and many websites are blocked, the only way to get a VPN to work is to package data so it looks like normal internet traffic. Obfuscation still provides encryption, just disguised to look like normal HTTPS traffic.
Obfuscated servers generally have quite limited capacity, so unless you actually need to disguise the fact that you’re even using a VPN, you should keep them free for those who do.
Different VPN services provide different levels of support to their users. This could be in the form of actual online chat to help you if you get stuck, or ticket systems, or just FAQs on the website. I prefer live chat as it means you get the answer immediately, but I’d rather use a ticket and get the right answer than end up chatting with someone who doesn’t know what they’re talking about. Again, this is something we test in all our reviews, so make sure you read them.
Almost all commercial VPNs these days offer their own VPN client. Whilst I mentioned earlier that this could lead to privacy concerns, it does go a long way to providing ease of use. Most clients are simple to set up and generally have a nice GUI that all makes sense.
Most people won’t really care about this, but some will. I think it’s important for privacy-focused companies to offer at least Bitcoin payment options so that journalists and whistleblowers in authoritarian states such as Russia, Saudi Arabia, UK, and USA can protect themselves from government tyranny.
There’s so much more to VPNs than I could possibly fit into this article, but I hope you’ve learnt something and have a better understanding now of what you can and can’t do with a VPN. A few key points I’d like to quickly repeat:
That’s it. If you have any comments or suggestions please feel free to drop them below. Stay safe.