VPNs
Topics below: Introduction
Downsides to a VPN,
Operating System VPN Bugs,
Is the VPN working?,
Choosing a VPN - Software Features,
Choosing a VPN - Who Owns The Company,
Choosing a VPN - Anonymity,
Choosing a VPN - Other Criteria,
VPN Provider Warnings,
Blocking Ads and Tracking while using a VPN,
An FYI on Location Hiding,
An FYI on Device Limits,
Double VPNs,
VPN Articles,
Advanced Techie Stuff,
My User Experience with some VPN client programs
INTRODUCTION TO VPNs
At the simplest level, a VPN is an encrypted connection between two computing devices. The data that flows between the connected devices is encrypted by the software that created the connection. One of the devices is referred to as the VPN server. Like any other type of Server (web, email, etc) a VPN server sits and waits for computers to connect to it. The other device is the VPN client. It is the client that initiates the VPN connection between the two devices.
Software running on a computing device is what determines if it functions as a VPN client or a VPN server. Devices such as phones, tablets and personal computers are usually the VPN clients. Routers are interesting in that many can be either a VPN client or a VPN server. Then again, many routers can do neither. Oftentimes a computer is dedicated to function as a VPN server, so the hardware and software are thought of as one and the same.
There are different flavors of VPNs and both the client and server must be the same flavor. Popular flavors are OpenVPN, WireGuard and IKEv2.
In addition to flavors, there are also different categories of VPNs. Perhaps the biggest category is Consumer vs. Business. Business VPNs are run by large companies for their employees. Typically they connect remote employees to the head office, and they may also be used to connect different buildings in different cities to form one big company-wide network. This page is about consumer VPNs, employees of a large company have their own tech support and don't need anything from me.
With Consumer VPNs, the VPN servers are provided by a VPN company such as Mullvad, ProtonVPN, NordVPN, IVPN, ExpressVPN and hundreds more.
Google's Jigsaw division provides a free VPN called Outline. It differs from Consumer VPNs in that they provide the VPN server software that you have to install, configure and operate. They do their best to make setting up the VPN server as easy and cheap as possible. As to easy, they provide desktop software to install and configure the VPN server. As for cheap, they point out that the VPN server can be run on cloud-based Linux Virtual Machines for as little as $5 US/month. They also claim that their VPN is harder for bad governments to block. Again, this page is focused on Consumer VPNs. Maybe someday, I will get to kick the tires on Outline. Techies, as a rule, are disgraceful at explaining and documenting things, so whether a newbie to the software can actually get it to work will be interesting. In October 2022, the Washington Post said that nthLink offers a version of Outline that is easier to install and more flexible. I took a look at the nthLink website and found it totally devoid of information; a useless site chock full of buzzwords.
The connection between VPN client software on your device and a VPN server, somewhere on the Internet, is referred to as a "tunnel". When it is working as designed, all data entering and leaving the device running the VPN client software travels through the tunnel and is encrypted/decrypted by the VPN software at each end. The term tunnel is quite good, as it illustrates that only the two devices at each end of the tunnel can see the data. To anyone/anything outside the tunnel, all they see is encrypted useless junky bits.
NOTE: There are times when a device running VPN client software does not want all the data coming/going to travel through the VPN tunnel. This, however, is the exception. The official term for this is Split Tunneling. For example, there are some websites that test for the presence of a VPN connection and refuse to work with a VPN. In that case, the computing device running the VPN client software might want to make that one website an exception and let it travel outside the VPN tunnel. The alternative would be to shut down the VPN tunnel when accessing that website.
Who is outside the tunnel? Your ISP for one. Blocking spying by an ISP is especially important in the US, where ISPs are allowed to spy on their customers and sell that data. For details on this, see Internet Service Providers Collect, Sell Horrifying Amount of Sensitive Data, Government Study Concludes by Karl Bode (Oct. 2021). If you are in a public coffee shop, your fellow coffee drinkers are outside the VPN tunnel. If the VPN client software is running on your phone or tablet or computer, then the router is also outside the VPN tunnel.
That a VPN hides everything from the router and the ISP is how people in China can interact with the rest of the world. It is also how students in a school can bypass restrictions and see websites that teachers try to block.
As noted above, routers are computers and some can function as VPN client, some can function as a VPN server, some can do both and some can do neither. The advantage to using VPN client software in a router is that all the devices connected to the router are protected by the VPN tunnel created by the router. This can protect devices, such as a Smart TV that are not able to run VPN client software on their own.
There are two reasons to use a VPN server in a router. The first is to provide a secure way to access the devices in your home when you are away from home. The other is to use your home router as a free replacement for paid consumer VPN providers. Again, when away from home, you can connect to the VPN server software in your home router and use that secure, encrypted tunnel to hide your activities from the devices near you. Note however, that this does let your home ISP spy on you.
Some people have argued that since a "secure" website (using HTTPS) prevents others from reading the content of web pages, there is little need for a VPN. However, others can still tell which websites you visited. In some cases, just the website name gives away too much information. And, websites are not the only thing on the Internet. With mobile apps, for example, you can not tell if data is being transmitted securely or not.
In addition, a VPN will change your public IP address, so you can pretend to be in a different physical location.
- On a trivial level, this can be used to see stuff that is normally restricted by country. For example, Canadians might connect to a VPN server in the US to access American Netflix when it offers shows that are not available in Canada.
- On a more serious level, this can be used to hide your physical location, just as Tor does. However, Tor only attempts to hide activity inside the Tor web browser, whereas a VPN typically functions at the operating system level and thus controls all the bits coming and going. However, by the time a VPN client program on any computing device connects to a VPN server and creates a VPN tunnel, the public IP address of the device has already leaked. Thus, people who really want to hide their physical location should not use a VPN on their computing device. Instead they should connect to a router with an existing VPN connection.
- I accidentally stumbled on another aspect to having a different public IP address. I listen to podcasts that normally contain many commercials. Until I traveled a few hundred miles from home, I did not realize that the commercials were custom tailored to the geographic location of my public IP address. Then, I traveled a few thousand miles from home and there were no commercials at all. With a VPN, I can avoid the commercials by appearing to be thousands of miles from home.
- And, see the topic below: An FYI on Location Hiding
Picking a VPN provider is mind bogglingly difficult. See one attempt and another and another and another and another and another and another and another.
Even agreeing on the criteria to judge them with is impossible.
I have my opinions on good/trustworthy VPN providers, email me for my suggestions. The big danger in picking a VPN provider that is not trustworthy is that they can spy on you, in the exact same way that an ISP can spy on you when you are not using a VPN.
If you are using a VPN on a device capable of both Wi-Fi and 4G/LTE/5G (pretty much every smartphone) it is best to disable the network connection that is not connected to the VPN. There is always a chance, especially on iOS, that data can leave the device on the network without the VPN.
New to VPNs? See my article An introduction to six types of VPN software from 2017. I also wrote A Defensive Computing term paper on privacy: VPNs, Tor and VPN routers in 2016 which offers an introduction to VPNs and Tor.
This is also a good article: Can you be tracked when using a VPN? by Douglas Crawford of ProtonVPN. December 2022.
DOWNSIDES TO A VPN
An ongoing issue with VPNs is what happens to existing Internet connections/sockets/threads when the VPN tunnel is created? In a perfect world, all the existing connections, which are outside of the tunnel, will be terminated and re-created inside the tunnel. But, this does not always happen and since it is an operating system thing, not a VPN thing, there is a limit as to how much any one VPN provider can do about this. To defend against this, make a VPN connection as soon as the device starts up and before you do anything else with it. For a device that has been powered on for a while, at least close out of all web browsers, email programs, and whatever apps you can close out of, before making the VPN connection.
VPN tunnels can break, even when the Internet connection is alive and well. So, if you are doing something sensitive, you need to watch the icon that indicates that the VPN is currently connected.
Sometimes a website will refuse to load when you are using a VPN. Making this worse is that the error message almost always says nothing about a VPN. At tickets.com, for example, the error is "Access Denied". The US Postal Service tells you that you do not have permission. Delta Airlines says "We're sorry but there was a problem processing your request. Please go back and try again. #SFAS001". At ticketmaster.com, the useless error message is "Your Browsing Activity Has Been Paused". They even include solutions that say nothing about blocking access from a VPN. Paying customers at Consumer Reports are falsely told that "This service is temporarily unavailable, please try again later."
Note that while a website can detect a VPN, this is not always perfect. It may well be that rather than detecting the VPN, a website is using a list of known bad IP addresses. In that case, one VPN server can be blacklisted while another, from the same VPN provider, might not be. Trial and error is needed.
Instead of being completely blocked, some websites may just require extra identification when using a VPN. For example, there may be a CAPTCHA when using a VPN that you would not see without the VPN.
A VPN will slow down your Internet connection, but it should be quite rare that the slowdown is noticeable. If the speed is noticeably slower, try connecting to a different VPN server, one that is physically close to you. Some VPN software handles this automatically, that is, it tries to find the fastest available server for you automatically. If you prefer manually picking a city or country that you would like to connect to, some VPN software will show you how busy each available VPN server is, in that city/country. Compared to Tor, VPNs are much much faster.
I suppose just having to turn the VPN on and off is a downside for some people. To counter that, many VPNs can be configured to start automatically when the computing device boots up. Personally, I am not a big fan of this because I fear that it may prevent the device from booting at all.
For devices that are frequently off-line, the VPN client software should be able to wait patiently until the device goes on-line again and then automatically re-connect. If your VPN software can not do this, it is annoying on the one hand, and all but ensures that you will forget to enable the VPN at one time or another.
Even when using a VPN, there are many ways that a web browser can still spy on you. One way to counter this is to use the Tor browser. However, Tor is brutally slow, so in April 2023 Mullvad created a new web browser, the Mullvad Browser. Basically, this is the Tor browser but without Tor. The Mullvad Browser can be used with any OS level VPN or even without a VPN at all. Both the Tor and Mullvad browsers have many customizations that avoid fingerprinting, that is, they try to make all users of the software appear to be the same. The Mullvad browser is free and available for Windows, macOS and Linux. There is no Mobile version. It uses the Mullvad DoH DNS service that is available to everyone, not just Mullvad customers. They offer two free DNS services, the default one does not block ads, but this can be changed.
OPERATING SYSTEM VPN BUGS
iOS
Apple sends data outside of a VPN connection. They do this on purpose and they can not be shamed into doing the right thing. Their security marketing message is a fib. This is a long story that boils down to not trusting any VPN on an iPhone or an iPad because they all leak data outside the VPN tunnel.
This was first reported by ProtonVPN in March 2020 for iOS version 13. See VPN bypass vulnerability in Apple iOS. I blogged about this in May 2022: VPNs on iOS are a scam and kept updating my blog through October 2022. Security company Disconnect wrote about the problem in March 2022. See Leak advisory: Apple and *All* iOS App Developers Are Able to Unmask VPN Users.
In August 2022, VPN company IPVanish wrote an excellent article that went into three different types of leaks in iOS VPNs: iOS VPN leaks: why they happen and how to prevent exposure. In August 2023, VPN company IVPN wrote about this Removal of kill switch from our iOS app due to Apple IP leak issue.
ANDROID
There is a bug in Android, up to and including version 14 that, sometimes, sends data outside the VPN tunnel. Google seems to be taking their sweet time fixing it. But, unlike Apple, chances are that they will, eventually, fix it.
May 3, 2024: Mullvad found the bug and blogged about it: DNS traffic can leak outside the VPN tunnel on Android. They took a small step in the app to partially fix the problem, but the bug is in Android.
June 13, 2024: IVPN wrote a blog post about this: DNS traffic leak outside VPN tunnel on Android.
July 3, 2024: ProtonVPN writes: Why you should use a VPN on your mobile device by Douglas Crawford. No mention is made about either the known VPN problems in iOS or this known bug in Android. Very disappointing.
April 2024: Mullvad's initial bug report to Google: VPN leaks DNS traffic outside the tunnel. Quoting: "We’re from Mullvad VPN and after a recent user report about DNS traffic leaking in specific circumstances we immediately started investigating the issue. We were able to confirm that Android leaks DNS requests outside the VPN tunnel and that the leaks were not limited to the specific case raised by the user. We’ve done multiple tests over the last few days but all the details surrounding under which conditions the leak happens is yet not clear, what is clear though is that Android do leak DNS traffic outside the VPN tunnel in certain conditions."
The buggy Android function was eventually found, but there are no known work-arounds.
Windscribe has said nothing about this on their blog.
PREVENTION
As described in the section below, there is a way to prevent these leaks, but it is beyond the reach of most people. You need a router that supports outgoing firewall rules. After connecting to a VPN server, say at IP address 1.2.3.4, set a firewall rule that only allows the VPN-connected device to communicate with 1.2.3.4. Any outbound traffic to anywhere else gets blocked. Log the blocks too, to see where the technology has let you down.
VPN SERVER SOFTWARE BUG
July 18, 2024: A paper released in July 2024 found six attackable flaws in VPN server software. The official name for these bugs is "Port Shadow". There are some mitigations for some of the flaws. It is very technical in nature (beyond me for the most part), thus very few people can really understand it and the danger it presents.
Perhaps the most important point to these bugs is whether your VPN provider says anything about them at all. I suspect that most VPN companies will be mute on this. Hopefully a small number will brag about the mitigation steps they took. It can be a great way to judge a VPN provider.
- Problem: The bug can be experienced while using OpenVPN, WireGuard, or OpenConnect as the problems are not with these protocols. Because of the way the vulnerability works, the mitigation strategy is limited to firewall rules as opposed to a code fix.
- Problem: The flaws are in "connection tracking frameworks" which are responsible for many VPN functions. The framework is shared by all VPN clients connected to a single VPN server. Among the things the framework does are: keeping tabs on user connections, routing traffic and masking a client's real IP address. By exploiting these bugs a bad guy can force the VPN server to reroute packets in various ways.
- Problem: NordVPN, ExpressVPN and Surfshark are not vulnerable. However, the researchers only tested a few VPN providers, so they do not have a comprehensive list of known good VPN providers. Later we learned that ProtonVPN is not vulnerable. IVPN and Mullvad have said nothing on their websites.
- July 17, 2024: Port Shadow Flaw Can Exploit Some VPNs to Attack Users by Michael Kan for PC Magazine. The article goes out of its way to note that three VPN providers that the magazine gets commissions from (NordVPN, ExpressVPN, SurfShark) are not vulnerable. That may be simplistic however as there are six different types of attacks detailed in the paper. The flaw comes from the most basic aspect of a VPN server, that it is shared by multiple VPN clients. The bugs allow a malicious VPN client to spy on or sometimes impact data traffic from another VPN client that is connected to the same VPN server. The article says the flaw is not easy to exploit. The bad guy needs to know the public IP address of a victim and the IP address of the VPN server the victim is connected to.
- One mitigation is for the VPN entry IP address to be different from the VPN exit IP address. Some VPN providers work that way, some do not. I have added this as a desirable feature to look for when picking a VPN provider.
- In addition to firewall rules, the researchers made three other server OS level recommendations for mitigations. It's very technical. Same for their suggestions to VPN companies.
- Mitigations: The researchers made one suggestion for OpenVPN that makes port scan attacks more difficult and one for WireGuard that will mitigate port scanning attacks. The details are over my head but again, that is only one of six different attacks.
- Mitigation: Not an option for most people, but if you can run your own VPN server that only you can log into, you will be safe. Other suggested options are to use Shadowsocks or Tor instead of OpenVPN or WireGuard.
- Mitigation: Not said by anyone is the suggestion to change VPN servers often. To get attacked, the bad guy has to know which VPN server you are connected to. In addition, many VPN providers tell you how busy their servers are. Less busy servers have fewer, possibly bad, people using them. Again, this is from me.
- Possible mitigation: None of the articles shown here says anything about a multi-hop VPN connection which may offer a mitigation. This is when you first connect to a VPN server in one city, then you are immediately bounced to a different VPN server in another city. Some VPN companies offer this as a feature, but not all.
- July 16, 2024: Vulnerabilities in VPNs. Paper presented at the Privacy Enhancing Technologies Symposium 2024. A summary of the paper from Citizen Lab. The summary seems poor. It says nothing about in/out server IPs being different. At times it says things can be mitigated, at times it says there are no mitigations.
- July 24, 2024: A good article on the topic by David Strom: Port shadow: Yet another VPN weakness ripe for exploit. New info here is that Proton VPN is not vulnerable because they use different entry and exit IP addresses.
- The actual paper: Attacking Connection Tracking Frameworks as used by Virtual Private Networks by Benjamin Mixon-Baca (Arizona State University/Breakpointing Bad), Jeffrey Knockel (The Citizen Lab, University of Toronto), Diwen Xue (University of Michigan), Tarun Ayyagari (Arizona State University), Deepak Kapur (University of New Mexico), Roya Ensafi (University of Michigan), and Jedidiah R. Crandall (Arizona State University)
IS THE VPN WORKING?
iPhone 13 mini warning: There is no visible indication that the VPN is connected when using an iPhone 13 mini (last verified on iOS 17.4). So, if the VPN disconnects, you don't know. To see the VPN status, you have to swipe down from the upper right corner to bring up the control panel. Not good.
Things to test before and after connecting to a VPN:
- Public IP address: this should change after connecting to a VPN. Many websites will display your public IP address, among them ipchicken.com, checkip.dyndns.com, www.ivpn.net and checkip.synology.com.
- It is one thing for your public IP address to change, it is another to actually be connected to a server run by your VPN provider.
Some VPN companies have a tester page that reports whether you are connected to their service or not.
Four companies that provide this information on the home page of their website, are OVPN, IVPN, Mullvad (see screen shot) and AzireVPN (the top of every page on their site says whether you are connected to their service or not). ExpressVPN offers this service on their IP Address Checker page. TunnelBear has it on their Whats My IP page. When they say your IP address is exposed or public, it simply means you are not connected to their service. ProtonVPN and Windscribe do not offer this service at all.
- DNS SERVERS: DNS is a critical foundational technology on the Internet. DNS servers translate the name of a computer into an IP address. It is very dangerous to use unknown DNS servers. Malicious DNS servers can take victims to scam copies of websites and trick them into entering passwords. Every VPN provider offers their own DNS servers so you should see a change after connecting. Your VPN provider should be able to tell you what DNS servers they use, so you know exactly what to look for.
- Testing DNS: The hard part about verifying a change in DNS is that a computing device can get its DNS configuration from many different places. The VPN has an opinion as to what the DNS configuration should be, but so too does the Operating System, the router, the browser and maybe even the WiFi network. There are assorted online testers that display the currently in-effect DNS servers. My Router Security website has a page devoted to DNS that links to many of these tester sites.
Note however that running these tests from a web browser that is using Secure DNS (a.k.a. Private DNS) will not show any change. My experience has been that the browser DNS configuration over-rides both the OS and the VPN. Thus you will see the same DNS servers whether connected to a VPN or not. If you like using Secure DNS, then maybe keep one web browser on hand that does not use it, just for this testing. On Windows and macOS, the nslookup command (for ex: nslookup cnn.com) reports on the DNS servers and runs outside a browser. You should definitely see a change in DNS servers when using nslookup before and after connecting to the VPN.
- Advanced DNS: Some routers, such as Peplink, have their own DNS server software. In this case, put a test/dummy entry in the router, something akin to this-is-just-a-test.edu and assign it a dummy IP address such as 1.2.3.4. Then run an nslookup command before connecting to the VPN and after. Before, you should see it resolve to your dummy IP address. After, it should fail with an error about the domain not being found because DNS is being resolved by the VPN provider.
- WEBSITE LOCATIONS: As described in more detail at the bottom of this page, your public IP address is not the only way that a website learns where you are physically located. Still, we can do a bit of verification that the VPN server is being used for location information by websites. Go to weather.com, which displays the weather for your location at the top of the page. You want the location to be that of the VPN server, not your actual location. Also, search for "weather" at google.com. Google wants to show you the weather for your location, so it may ask for permission to learn your location. Give it permission (Allow) and hopefully you will, again, see the weather for the location of the VPN server. Obviously, the VPN server has to be far from you for these to be useful tests.
- WebRTC: One of the big reasons to use a VPN is to hide your true public IP address. This conflicts with the WebRTC software in many web browsers. After connecting to a VPN, you want to test that WebRTC is disabled in each web browser that you use. Last I checked, both Safari and Chrome do not support WebRTC on iOS. Many VPN providers offer a WebRTC tester page. Info on how to disable WebRTC.
- IPv6: Personally, I have no use for IP version 6. To me, it is a potential avenue for data to leak out of your computer without going through the VPN tunnel. Some VPN client software lets you disable IPv6, some does not. You can test if IPv6 is alive and well at test-ipv6.com. Good results on this test are "No IPv6 address detected" and "You appear to be able to browse the IPv4 Internet only. You will not be able to reach IPv6-only sites.". The Microsoft tester at ipv6.msftconnecttest.com does not produce error messages, it simply fails to load. To me, this is a good result.
The DNS leak testing site, ipleak.net, also reports on IPv6 connectivity.
- How to check that your VPN kill switch is working a pcWRT blog (June 2022). I really like the cute trick used to test VPNs that are configured to run at system start-up.
- SOCKETS:
When you first connect to a VPN, the situation is not black and white, but shades of gray. Every ongoing connection between your computing device and the Internet is likely not to be terminated and re-started so that it passes through the VPN tunnel. The exact behavior in this regard will vary with different operating systems and VPN client software apps. Without the deep examination described just below, it would be best to wait a minute or two before doing anything sensitive. Also, it is safer to start software, be it a web browser or a mobile app, after the VPN is connected rather than before.
A deeper audit of the VPN requires a router that can display the details of individual sockets/connections. Very few do. My preferred router, the Pepwave Surf SOHO does, as do all Peplink routers.
- After making a connection to a VPN server, all communication from your computing device is unlikely to immediately use the VPN. If you have a router that shows every live socket/connection, then you can monitor this for yourself. When all is well, the only socket you should see is the one for the VPN. Anything else is trouble. Most routers, however, do not show this level of detail. In that case, I would wait about 5 minutes to let the existing connections time out. Also, I suggest terminating all web browsers before making the VPN connection as this leaves fewer chances for something to go wrong.
- The below is from a Peplink router showing a computing device that has a single socket/connection to a VPN server. The VPN server was running WireGuard, the "Service" column is incorrect.
- I once found a bug in VPN software by watching the sockets/connections. This screen shot shows a single device with 10 different UDP connections, from port 4500 to port 4500. The screen shot was taken with the VPN software not only not connected, but not running at all. These were old VPN tunnels that had never been closed. I have blocked out the public IP addresses of the VPN servers to hide the identity of the VPN company, so I don't have to engage a lawyer.
- As per the above, when the VPN connection is closed, you can watch the live sockets/connections to ensure the VPN connection is actually terminated.
- THE ULTIMATE TEST: The problem with monitoring the current connections/sockets via a router (above) is that it is a manual process. No one wants to sit and watch this for hours on end. The ultimate test requires a router that offers outbound firewall rules. This is, really, the only way to verify that all data leaving a VPN-connected device is, in fact, going through the VPN tunnel. As it is commonly used, the term "VPN leak" only refers to DNS requests. That is child's play compared to the full audit that a pair of firewall rules can provide.
Doing this requires two firewall rules. The first allows all data to the currently connected VPN server. The second logs anything else leaving the VPN-connected device. It is assumed that the firewall rules are evaluated top to bottom. In the example shown below, the VPN-connected device (computer, tablet, phone, whatever) is at IP address 192.168.1.2. It is connected to a VPN server at IP address 1.2.3.4 on port number 456. The connection uses UDP rather than TCP. The example is from a Peplink router and the green circle with a check means the outgoing traffic is allowed. The second rule catches anything else leaving the device at IP address 192.168.1.2. The red circle with a line through it in the Action column means that the outbound request is blocked. The piece of paper around the circle means that the outbound request is logged. In a perfect world, the second rule should catch/log nothing.
Until you have run this type of audit, you have no idea if there is leakage outside the VPN tunnel.
Another way to do the same thing is with one firewall rule that logs everything from the target device's IP address. Start the firewall rule, then connect to the VPN server. You should see the outbound request(s) that establish the VPN connection. This provides a timestamp for the start of the VPN tunnel. Anything else logged by the firewall rule is trouble.
I used a similar approach to catch a VPN leak when using IVPN on Windows 10 with a WireGuard connection (this was in February 2024). In this case, my router looks for invalid IP addresses leaving out the WAN port. By "invalid" I mean an IP address that is not allowed on the Internet. The most common such group are IP addresses that start with 192.168. Another common group are IP addresses that start with 10. My routers always look for these and, when found, block them and log them. IVPN changes WireGuard keys every day and when they do, they re-start the VPN tunnel. There is a bug with re-creating the tunnel that results in the Windows 10 computer sending out requests to their DNS servers on their internal network. My router caught this and I could see that it happened at the exact same time every day. IVPN understands the issue, and opted to do nothing about it. If you use IVPN on Windows 10, then either change the WireGuard re-keying to 30 days (the maximum allowed) or use OpenVPN.
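The two-rule audit and the "invalid address leaving the WAN" check just described, replayed offline over router log lines as an added example (my own script, not anything from Peplink or any VPN provider). It uses the page's example values (device 192.168.1.2, VPN server 1.2.3.4, UDP port 456); the log line format and the log entries are constructed for this script and are not a real router's format.

```python
"""Replay the outbound firewall audit from the text over logged connections.

Rule 1: allow DEVICE_IP -> VPN_SERVER:VPN_PORT over VPN_PROTO (the tunnel).
Rule 2: block and log anything else leaving DEVICE_IP.
Anything rule 2 would have logged is a leak. On top of that, a destination
that is not a public (global) address is flagged the same way the router's
"invalid IP address leaving the WAN port" rule catches 192.168.x.x / 10.x.x.x.
"""
import ipaddress
import re
from dataclasses import dataclass

# Values from the page's example. Constructed for this script: the log line
# format below is NOT Peplink's real log format.
DEVICE_IP = "192.168.1.2"
VPN_SERVER = "1.2.3.4"
VPN_PORT = 456
VPN_PROTO = "UDP"

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    dst: str
    dport: int
    proto: str
    reason: str


def parse_line(line):
    """Return the fields of one outbound-connection log line, or None if it
    does not match the (constructed) format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec, device_ip=DEVICE_IP, vpn_server=VPN_SERVER,
             vpn_port=VPN_PORT, vpn_proto=VPN_PROTO):
    """Evaluate the rules top to bottom, the way the router does.

    Returns None (no rule matched: another device), "allowed" (rule 1), or a
    string starting with "leak:" (rule 2 would have blocked and logged it).
    """
    if rec["src"] != device_ip:
        return None
    if (rec["dst"] == vpn_server and rec["dport"] == vpn_port
            and rec["proto"].upper() == vpn_proto):
        return "allowed"
    dst = ipaddress.ip_address(rec["dst"])
    if not dst.is_global:
        # 192.168.x.x, 10.x.x.x and friends should never leave the WAN port
        return "leak: non-public destination leaving the WAN"
    if rec["dport"] == 53:
        return "leak: DNS request outside the tunnel"
    return "leak: traffic outside the tunnel"


def audit(log_text, **kw):
    """Return (number of flows allowed by rule 1, list of Finding for rule 2)."""
    allowed = 0
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec, **kw)
        if verdict == "allowed":
            allowed += 1
        elif verdict is not None:
            findings.append(Finding(rec["ts"], rec["dst"], rec["dport"],
                                    rec["proto"], verdict))
    return allowed, findings


# Constructed sample: the tunnel handshake, then three things that should not
# happen, plus one flow from a different device that the rules ignore.
SAMPLE_LOG = """\
2024-02-10 03:14:07 src=192.168.1.2 dst=1.2.3.4 proto=UDP sport=51820 dport=456
2024-02-10 03:14:08 src=192.168.1.2 dst=1.2.3.4 proto=UDP sport=51820 dport=456
2024-02-10 03:14:09 src=192.168.1.2 dst=10.0.0.53 proto=UDP sport=60001 dport=53
2024-02-10 03:14:10 src=192.168.1.2 dst=93.184.216.34 proto=TCP sport=60002 dport=443
2024-02-10 03:14:11 src=192.168.1.7 dst=93.184.216.34 proto=TCP sport=40000 dport=443
2024-02-10 03:14:12 src=192.168.1.2 dst=1.2.3.4 proto=TCP sport=60003 dport=456
"""

if __name__ == "__main__":
    ok, leaks = audit(SAMPLE_LOG)
    print(f"{ok} flow(s) to the VPN server, {len(leaks)} leak(s) logged")
    for f in leaks:
        print(f"  {f.ts} {f.proto} -> {f.dst}:{f.dport}  {f.reason}")
```

In a perfect world the findings list is empty; the third sample line is the shape of the IVPN re-keying leak above (a DNS request to a private address that left the WAN port).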
CHOOSING A VPN - SOFTWARE FEATURES
The tech press generally evaluates a VPN based on speed, price, logging and the number of servers. All of these criteria are wrong.
- CUSTOM DNS
Most VPN companies insist that you use their DNS services. A few let you choose your own DNS provider, if you have one that does the type of blocking you desire.
- IVPN offers custom DNS and they do a great job of it on desktop Operating Systems. On Windows, macOS and Linux they support both old DNS (IPv4 IP addresses) and new DNS (DNS-over-HTTPS). On iOS they support both of these and also the other flavor of new DNS (DNS-over-TLS). On Android however they only support old DNS with a single IP address. I have more on using this feature in the page on my VPN user experiences (see the link at the bottom of this page).
- Mullvad introduced their custom DNS feature in April 2021. Note that it only allows you to enter an IP address and thus is not a good fit for NextDNS which lets you enter a DoH or DoT server name.
Aug 22, 2022: I have just been told of a cute trick to link Mullvad Custom DNS with NextDNS profiles using IPv6 addresses. The Setup tab on the NextDNS control panel shows two IPv6 addresses for each of your profiles. It turns out that the ending bits of these IPv6 addresses match the Endpoint ID associated with your profile. One possible downside is that this requires you to enable IPv6 support for the VPN. On the upside, it avoids having to worry about your public IPv4 address changing.
- The August 2021 ExpressVPN writeup on this makes no sense at all.
- Windscribe on Windows gives you a choice of DNS. The default is their R.O.B.E.R.T system which does ad blocking, tracker blocking and has customizable block and allow lists. If you do not want to use R.O.B.E.R.T DNS, you can enter the IP address of another DNS server.
- ProtonVPN supports customized DNS on Windows, but only old DNS via an IP address, not Secure DNS (DoH or DoT) via a host name. The feature is not supported at all on iOS.
- On Android, there is no need for a custom DNS feature. The Private DNS feature overrides a VPN and gives you total control.
- ChromeOS may let you change the DNS server used by a VPN. In Settings, look for VPN and it reports the DNS server provided by the VPN. I have not tested this.
- CLIENT SOFTWARE
This is the software, provided by the VPN company, that you use to control and configure the VPN.
- It is likely that a VPN provider will offer very different software on the different operating systems they support. Too many reviews evaluate only one operating system. Even on a single operating system, a VPN provider may offer three different software options (their own software, an open source alternative or the native VPN client in the operating system).
- Some VPN client software has lots of bells and whistles, great for techies. Others have little more than a simple ON/OFF button, great for non-technical people.
- The available features vary drastically from one VPN client app to another.
- It is easy to suggest looking for Open Source VPN client software. Open Source means that anyone can review it. However, open source does not, in and of itself, make the software good or trustworthy. The infamous Log4J software, which made headlines in December 2021 and may have the worst software bug of all time, was open source. That said, ProtonVPN, Mullvad and IVPN created their own software and made it open source. Some VPN companies will let you use open source software for the OpenVPN flavor of VPNs. I have done this often, using both of the popular apps, and did not like either one.
- Two IP addresses: Some VPN providers have a single public IP address. The one you connect to using the VPN client software is the same one that the public sees. However, other VPN providers use different IP addresses for coming into their server and leaving their server. Using two IP addresses is a bit more secure. This came up in July 2024; see the section here on Operating System VPN bugs.
- Sometimes when using a VPN you may want as much privacy as possible. Other times, you may care more about speed. If so, look for VPN client software that shows you how busy a VPN server is before you connect to it. If you want privacy, pick a busy server where it's easier to get lost in the crowd. On Windows, the ProtonVPN client software does this; Mullvad does not. Freedome is designed to be as simple as possible; it hides all server information. Perfect Privacy provides this information on a web page rather than in their client software.
- As noted in the Android topic, Exodus reports on trackers and permissions of Android apps. VPNs with no trackers: ProtonVPN, Freedome, Mullvad, OVPN and IVPN (note that the number of permissions each app requests varies quite a bit). ExpressVPN has 2 trackers, Tunnelbear and Windscribe have 1 and NordVPN has 4. Last checked October 2021.
- We can make some judgments about a VPN company (not the service) from the tracking, or lack of it, on their website. In August 2019, Yegor of Windscribe discussed this: Shattering the Grand Illusion of Cookie Flavored Lies. I expanded on the topic in Nov 2019: Judging a VPN by its website. Then, in August 2021, Alfred Ng of The Markup covered this: How Private Is My VPN?. None of these articles looked at a large number of websites. That said, the winners were ProtonVPN, Mullvad, IVPN, Windscribe and AirVPN.
- Kill switch. This is a feature in some VPN client software that looks for a failed VPN tunnel connection and blocks all data leaving the computer until the VPN tunnel is restored. This exists to ensure your public IP address is not made available to the Internet. At home it's important; at a coffee shop, not as much. But, what if the VPN client software itself fails? Most likely, this kills the kill switch software too. Few VPN providers will go into the techie details of their kill switch. IVPN does here, though the article is poorly written; it's not clear whether it applies only to Windows. As of May 2021, ProtonVPN on Windows has two different types of kill switches.
- Split Tunneling: Normally when you create a VPN connection/tunnel you want everything leaving your device to pass through the VPN. But there are sometimes exceptions, and that is what split tunneling allows for. For example, some websites block access when using a VPN. Rather than stopping the VPN, using such a site and then re-starting the VPN, split tunneling lets you specify the websites (really domains) that should not go through the VPN tunnel. On a mobile OS, the split tunnel feature may filter by app rather than by domain. When VPN client software is used on a router, the split tunneling feature may let you specify which devices should not pass through the VPN tunnel created by the router.
- Automatic re-connect: Some (many?) people leave the 4G and WiFi on all the time on their phones and tablets. I do not. I only connect to the Internet as needed. If you are like me, you may prefer VPN software that will hang around, twiddle its thumbs while the phone/tablet is offline, and then immediately reconnect when the device goes back online. All by itself. If you expect to manually connect the VPN every time, there surely will be times where you forget.
- ACCESS TO THE LAN
The focus of any VPN is on Internet access, but the LAN side is also dangerous. If the router allows it, your computing device can be attacked by other users of the same network. Local bad guys might target open TCP/IP ports on your device or take advantage of bugs in the operating system. I blogged about this in August 2021: Hiding on a Wi-Fi network. The rare feature is an option in the VPN client software that will cut you off from other devices on the Local Area Network (LAN). Bad guys cannot attack a computer they can't see. Sadly, no review of any VPN ever considers this feature. To test this, after connecting to a VPN, run a LAN scanning app such as Fing. In the best case, you will only see your device and the router.
- Mullvad on Windows calls this "Local Network Sharing". I tested it and found that it worked.
- In their Android app, IVPN calls it Bypass VPN for local networks. It defaults to OFF, which means that LAN devices can not be accessed while the VPN is active. In their Windows, macOS and Linux software IVPN calls it Allow LAN traffic when IVPN firewall is enabled. I tested it on Windows 10 and it worked. See a screen shot from v3.4.5 of their Windows software (Dec 2021).
- Windscribe on Android calls it "Allow LAN traffic". In my tests this feature worked outbound, but not inbound.
- OVPN on Android has a toggle option called "Communicate with LAN devices". I did not test it.
- On iOS, ProtonVPN calls this "Allow LAN connections".
- Like many VPN clients, the software from ProtonVPN contains a kill switch. In their writeup, What is a kill switch? they say "Because of the way iOS works, it is not possible to access devices on your local network when the kill switch is enabled." However, this writeup has no creation date, no last review date and it says nothing about the applicable release of their software or iOS. So, it may be ancient.
- In October 2021, Sean Gallagher, writing in Ars Technica said: "I use VPNs for very specific purposes - namely, to keep the virtual machines I use for malware hunting segmented from the rest of my network ..."
- In September 2021 we learned of a bug in the ARRIS TG2492 router that could leak the public IP address of a computer that was connected to a VPN. The only defense (Virgin Media has not fixed the bug for 2 years) was to block LAN side access while the VPN is active.
- VPN CLIENT IN A ROUTER
Routers that can function as a VPN client typically support OpenVPN and/or WireGuard. To use either type of VPN from a router requires a VPN provider that lets you generate configuration files from their website. Then you copy the configuration file to a computer and use that computer to access the router and upload the configuration file to the router. There may be a small chance that the VPN client software in a router can be configured on its own, without importing any files, but that has not been my experience.
OpenVPN requires a level of computing horsepower that many routers do not have. Thus, the VPN connection may be much slower from a router, compared to a laptop or desktop computer. WireGuard is far more efficient than OpenVPN. I have been testing VPN clients with the pcWRT router and found that its WireGuard VPN client works with OVPN and Windscribe. The company says it also works with IVPN, Mullvad and StrongVPN. pcWRT is based on OpenWRT so it will probably work with any router running a version of OpenWRT. In my trivially small testing, I found WireGuard to be 7 times faster than OpenVPN on the pcWRT router.
Another thing to look for when using a router as the VPN client is a VPN company that has a web page with the current status of their servers. I say this because VPN software on a router does not have the bells and whistles that software for a mobile or desktop OS has. One typically missing feature is a report on how busy the available servers are. This is a nice thing to know when choosing which server to connect to. IVPN has just such a server status page. At the time I wrote this, one of their Canadian servers was 100% busy while another one was only 17% busy. Good to know. ProtonVPN also has a server status page. Mullvad has a page listing all their servers, but it does not show how busy each one is.
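The WireGuard configuration file that a router imports is plain text, and its AllowedIPs line is what decides whether the router sends everything through the tunnel or only some destinations, which is the configuration-file side of the split tunneling discussed under CLIENT SOFTWARE. Before uploading such a file it is worth knowing what it actually says. The following is an added example, not code from this page or from any VPN provider: a small Python script that reads a WireGuard client config and reports the server endpoint, whether it is a full tunnel for IPv4 and for IPv6, the DNS server it will push, and the keepalive. The two sample configs are constructed; the keys are placeholders, the addresses are made up, and the 1.2.3.4:456 endpoint reuses the example from the firewall discussion earlier on this page. The full-tunnel check also handles the 0.0.0.0/1 plus 128.0.0.0/1 pair that some config generators use in place of 0.0.0.0/0.

```python
import ipaddress

# Constructed sample WireGuard client config in the standard file layout; the
# keys are placeholders, the endpoint is the 1.2.3.4:456 example used earlier
# on this page, and the tunnel addresses are made up.
FULL_TUNNEL_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY=
Address = 10.64.0.2/32
DNS = 10.64.0.1

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 1.2.3.4:456
PersistentKeepalive = 25
"""

# Same config, but AllowedIPs only covers the provider's own range: a split
# tunnel, where everything else leaves the router outside the VPN.
SPLIT_TUNNEL_CONF = FULL_TUNNEL_CONF.replace(
    "AllowedIPs = 0.0.0.0/0, ::/0", "AllowedIPs = 10.64.0.0/10")


def parse_wg_conf(text):
    """Minimal INI-style parser: {'Interface': [dict], 'Peer': [dict, ...]}."""
    sections = {"Interface": [], "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1], []).append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def routes_everything(allowed_ips):
    """(all IPv4 routed?, all IPv6 routed?) for an AllowedIPs value. Adjacent
    networks are merged first, so 0.0.0.0/1 + 128.0.0.0/1 counts as 0.0.0.0/0."""
    nets = [ipaddress.ip_network(x.strip(), strict=False)
            for x in allowed_ips.split(",") if x.strip()]
    v4 = list(ipaddress.collapse_addresses([n for n in nets if n.version == 4]))
    v6 = list(ipaddress.collapse_addresses([n for n in nets if n.version == 6]))
    return (v4 == [ipaddress.ip_network("0.0.0.0/0")],
            v6 == [ipaddress.ip_network("::/0")])


def summarize(text):
    """What a router admin wants to know before uploading the file."""
    conf = parse_wg_conf(text)
    if len(conf["Interface"]) != 1 or not conf["Peer"]:
        raise ValueError("expected one [Interface] and at least one [Peer]")
    iface, peer = conf["Interface"][0], conf["Peer"][0]
    host, _, port = peer["Endpoint"].rpartition(":")   # also copes with [v6]:port
    full4, full6 = routes_everything(peer.get("AllowedIPs", ""))
    return {
        "endpoint_host": host,
        "endpoint_port": int(port),
        "full_tunnel_v4": full4,
        "full_tunnel_v6": full6,
        "dns": [d.strip() for d in iface.get("DNS", "").split(",") if d.strip()],
        "keepalive": int(peer.get("PersistentKeepalive", 0)),
    }


if __name__ == "__main__":
    for name, conf in (("full", FULL_TUNNEL_CONF), ("split", SPLIT_TUNNEL_CONF)):
        print(name, summarize(conf))
```

A config that is full tunnel for IPv4 but not for IPv6 is worth a second look on a router that has IPv6 enabled, since IPv6 traffic would then bypass the tunnel. The endpoint the script reports is also the address to use in the firewall audit rule described earlier on this page.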
- Support for a NAS box as a VPN client. A Synology NAS box supports three types of VPNs, the most popular being OpenVPN. QNAP also supports some VPNs, but I am not sure which. This is only half the story, as a VPN company also has to support connections from a NAS device. As of March 2023:
--No NAS support: Mullvad, ProtonVPN, Windscribe
--NAS supported: IVPN (both Synology and QNAP), OVPN (both Synology and QNAP)
Both Synology and QNAP devices can also be configured as a VPN server, but that's another topic.
- EXTRA SECURITY
Some VPN providers have extra security features.
- Hiding the fact that a VPN is being used at all. Personally, I have not had to fight this battle. One company offering this service is ProtonVPN. See Defeat censorship with Stealth, our new VPN protocol from Proton (published Oct 2022 and updated Aug 2024).
- Two VPN servers (aka multi-hop connections). This is a fairly common feature. Rather than connecting to a VPN server that shuttles your traffic out to the Internet, you connect to a VPN server that shuttles your data out to another VPN server. The second one sends your data out to the Internet. One way to spy on a VPN-connected user is a timing attack that watches data leaving the VPN server and times it against data leaving the target of the spying. A multi-hop connection makes this harder. If the VPN servers are in different countries, it's harder still to be de-anonymized via timing. Needless to say, this will be slower than using just one VPN server, but I have not found speed to be an issue. And, no one uses a VPN for speed anyway. ProtonVPN has some extra special super secure VPN servers that they use as the first hop when doing multi-hop. ProtonVPN calls this Secure Core. What they don't tell you is that when using this feature, you are limited to only choosing the exit country; you cannot choose an individual server/city in your desired exit country. IVPN also offers a multi-hop option and they let you pick any two VPN servers, with the only restriction being that the first/entry and second/exit servers must be in different countries. Here is a screen shot of their Windows software (v3.14 on Windows 10) with a multi-hop connection, first to Mexico, then to Denver, Colorado. They support multi-hop with WireGuard and OpenVPN. If you want to use WireGuard from a router, IVPN has a nifty way of modifying the WireGuard config file to specify the two different multi-hop servers. OVPN also supports multi-hop and is now on the second version of the feature. They have a good explanation of the feature here: How Dynamic Multihop works.
- Combine a VPN with Tor. ProtonVPN is one company that offers a combination of Tor and their VPN. The documentation is poor, but you first connect to a VPN server using their app and that server then automatically shuttles your data over to the Tor network. Some of their servers offer this service, most do not. Expect it to be quite slow. This scheme hides the fact that Tor is being used from your ISP. It also allows access to Tor with your regular web browser(s), there is no need to install the Tor web browser. Note that the Brave browser also can connect to Tor and you can use Brave with any regular VPN connection to get the same effect.
- Public IP addresses (for techies only): If remote access is being used to control a router, it can be made much more secure by limiting the source IP address. While businesses often have a fixed public IP address, consumers do not, but we can use a VPN to provide one. One approach is to buy a permanent IP address from the VPN provider. Some offer this service, some do not. Another approach is to use a small VPN provider that has only one (or a very small number) server in a given city. Other publicly available services on the network (perhaps remote control of computers) can also be made more secure by limiting the acceptable source IP addresses. On a related note, some websites block access when using a VPN. Another advantage to a fixed IP address from a VPN company is that it may not be blacklisted the same way that their other servers are.
- Error Handling: When something goes wrong, how good is the app at reporting the details of the error? There are two parts to this. For one, reporting the problem should be part of the app and easy to use. And, the app should report all the data needed for the VPN company to understand the problem. One example:
In November 2022 I was using a newly installed copy of ProtonVPN (app version 4.3.52.0) on a Chromebook and while the Internet connection was working fine, the app would not connect to any VPN server. There is an option in the app to display the log file, but the log text was too small to read and it was not possible to copy the log text anywhere. I was able to report the problem through the VPN app and the problem report included the log. However, when ProtonVPN responded, it was clear that the log did not provide nearly enough information to understand the problem. OVPN and Mullvad handle errors better, but no doubt, others handle it worse.
- FYI: Consider paying for a VPN monthly, at first. Once you are happy with it, you can then change over to paying on a yearly basis, which is likely to be cheaper than paying month to month.
- WRONG CRITERIA
- Judging a VPN by speed tests is wrong. The purpose of a VPN is privacy, and for this, we give up some speed. Judging privacy is hard, running speed tests is easy. And, speeds vary all the time; you have to live with a VPN provider for a while before you can form an opinion on their speed. Finally, we all have different speed requirements.
- Judging a VPN provider by the number of servers they have is wrong. It's like saying a Toyota is better than a Rolls Royce because there are more of them on the road. More is not better. And, as noted above, all VPN servers are not the same. Companies that own their own servers will have fewer than those that just rent a VPS or rent a server.
- Cost: Picking a VPN because of the monthly cost is a mistake. Not that the most expensive VPN is the best either. Some things are worth paying for and, in my opinion, VPN service is one of those things.
- Logging. Pretty much all VPN companies claim not to log and it is close to impossible to prove. That said, in Jan. 2020, Rae Hodge of CNet wrote: "... EarthVPN, Hide My Ass VPN and PureVPN have all been clocked by privacy advocates for handing over logs to authorities, as has IPVanish ... My beef isn't with any VPN company helping cops catch a child abuser via usage logs; it's with any VPN company that lies to its customers about doing so. The lie that helps law enforcement in the US catch a legitimate criminal is the same lie that helps law enforcement in China arrest a person watching footage of the 1989 Tiananmen Square protests."
- In December 2021, Consumer Reports tested 16 VPN providers and published a large report: Mullvad, IVPN, and Mozilla VPN Top Consumer Reports' VPN Testing. Their recommendations are not bad but they are not the best either as, again, they used the wrong criteria. For example, they gave too much weight to open source software and marketing. And, they only evaluated on Windows.
- Not a criterion: Every paid VPN provider that I have run across offers unlimited bandwidth. Only a free VPN has a monthly or daily cap on data usage. Avoid the free services.
- Not a criterion: You can install the software from a VPN provider on an unlimited number of devices. I can recall only one VPN company where this was not true.
- That said, most VPN providers limit the number of concurrent connections to their service. A typical limit is 5 or 6.
Choosing a VPN - Who Owns The Company
Many VPN providers share the same corporate ownership.
- Kape: In September 2021, Kape Technologies purchased ExpressVPN. They already owned CyberGhost, ZenMate and Private Internet Access (PIA). See Former Malware Distributor Kape Technologies Now Owns ExpressVPN by Sven Taylor. Kape also owns VPN review websites vpnmentor.com and wizcase.com. Kape is not particularly trustworthy. Then too, there is this May 2023 writeup from Pen Test Partners: Bullied by Bugcrowd over Kape CyberGhost disclosure by Ceri Coburn, in which the company had a very hard time reporting a bug in the CyberGhost software to Kape.
- J2Global owns IPVanish and StrongVPN, as well as PC Magazine and Mashable, both of which, review VPNs. They also own Ziff Davis which, in turn, owns the encrypt.me and Internet Shield VPNs.
Update Nov. 2022: In this video, The DARK side of VPNs, Naomi Brockwell says that while Ziff Davis claims to own six VPNs, they really own 13 and maybe more. Skip to 15 minutes 30 seconds.
- Some VPN companies are very clear about their ownership:
- ProtonVPN: Proton started in 2014 when some scientists at CERN created ProtonMail to make privacy accessible to everyone. ProtonVPN was released a few years later. In this undated article, Who owns ProtonVPN, they say that the company is employee-owned.
In this May 2023 Twitter thread they say the company was founded by Andy Yen who, before that, was a particle physicist at CERN, Harvard and Caltech. It is "largely subscription-funded" and there are "no venture capital investors".
- From Windscribe: Their VPN map shows the relationships between VPN companies, their corporate owners, and paid affiliates who profit from reviewing them positively. See VPN Relationship Map.
- OVPN: This undated blog, Who are the people behind OVPN?, was valid until May 2023, at which point the company was sold, as described in this blog by David Wibergh (one of the two owners): Next chapter for OVPN (May 8, 2023). OVPN is now owned by Pango, which also owns other VPNs: Hotspot Shield, Betternet, VPN 360 and Ultra VPN. Eh. I had a high opinion of OVPN and used their service before this change of ownership. Who owns Pango? They say: "We are proudly backed by some of the leading investor groups, including Warburg Pincus, WndrCo, Accel, and General Catalyst." And, more. Pango is owned by Aura.com, which also has its own VPN service. Read about Aura. According to their websites, neither Pango nor Aura has a physical location.
July 8, 2024 update: The item linked to above, about the people behind OVPN, has been revised. It was last updated January 11, 2024 and now says: "OVPN is operated by OVPN Integritet AB. Organization number: 556999-4469. The owner of OVPN is Pango." However, this page is buried/hidden on the ovpn.com website. It is in the Tech Support section, under General Information, and not even in the main index for General Information. Meanwhile, easily found pages still have the old information, which omits the Pango ownership. For example, the About page is undated and says nothing about Pango. Interested in being an OVPN Affiliate? That page says "The company is 100% owned by David Wibergh & Ruben Rehn." Their Press Resources page also says that "The company is 100% owned by David Wibergh & Ruben Rehn." It too is conveniently undated.
- Clearly, security company F-Secure runs the Freedome VPN.
- When I first wrote this (I did not save the date), the About Us page for Surfshark avoided the issue of ownership. As of January 2023, it says: "The founder of Surfshark is Vytautas Kaziukonis. In 2022, Surfshark and Nord Security merged under one holding company to form a cybersecurity powerhouse while still operating independently."
- The About us page for Astrill says "We are a registered Seychelles company". It does not mention anything else about the company and it says nothing about any of the people involved.
- The About Us page for TunnelBear has cartoon pictures of bears. As of March 2018, TunnelBear was owned by McAfee. This despite McAfee offering their own VPN. In November 2021, McAfee agreed to sell itself to a group of Private-Equity investors (Advent International, Permira Advisers, Crosspoint Capital Partners, Canada Pension Plan Investment Board, GIC Private Limited and a subsidiary of the Abu Dhabi Investment Authority). As a rule, things go downhill quickly when a company is owned by private equity investors.
February 3, 2023: the Tunnelbear About Us page has no information about who/what owns the company. It still has the cartoon bear pictures for each employee, along with their first name, last initial and a made-up joke of a job title. It is useless childish fluff.
February 9, 2025: Still no information about who/what owns the company.
- Nord Security Ltd. owns NordVPN, Surfshark and Atlas.
In February 2022 it was announced that NordVPN and Surfshark were merging, as per this article in PC Magazine: NordVPN's Parent Company Is Merging With VPN Provider Surfshark. Why are they merging? They said "...the merger will open new technical knowledge-sharing opportunities and enable more focused market diversification." Is that what you want in a VPN provider? It was unclear who would run the combined company, which would be called Cyberspace. It was registered in The Netherlands.
As of January 2023, the Atlas VPN website said: "In 2021, Atlas VPN became part of Nord Security" and "Atlas VPN is a service of Peakstart Technologies Inc, a US company registered in Delaware and a subsidiary of Nord Security Ltd. which owns NordVPN and Surfshark VPN."
- 3 companies control many big-name VPNs: What you need to know by Attila Tomaschek of CNet (Feb 2022)
- Hidden VPN owners unveiled: 104 VPN products run by just 24 companies by Jan Youngren of VPN review website VPNpro (Oct 2021).
Choosing a VPN - Anonymity
One downside of a VPN, compared to Tor, is that the VPN company normally knows who you are, if for no other reason than you paid with a credit card.
- Some VPN providers take cash. Others take gift cards as payment.
- Both Mullvad and IVPN take no personal information at all when creating an account. They do not even ask for an email address. Each generates a random account number for you and that is how they know you. Still, a credit card is involved (neither has a free tier).
- If possible, have someone else pay for the service with their credit card.
- In July 2022, Mullvad introduced a new wrinkle on anonymous payments. Their blog, Mullvad is now available on Amazon (US & SE), does a poor job of explaining this. On Amazon you can buy a physical card with a scratch-off number on it. The number is worth either a year or 6 months of service, depending on how much you pay for the card. The great thing here is that the number on the card can be applied to any Mullvad account. There is no way for Amazon to link the purchase of a card to a specific Mullvad account. When the card is purchased, the account it will be used with does not even have to exist. Still, I suggest using a non-Mullvad VPN when purchasing the card from Amazon. And, do not use an Eero router. Or, maybe have your sister buy the card for you :-)
- IVPN also sells vouchers on Amazon. According to Amazon, this started in November 2022. According to IVPN it is only available in the US. Surprisingly, the Pricing page on ivpn.net fails to mention this.
- NordVPN used to partner with some retail stores so that you could purchase their VPN with cash. You buy a box which contains a "product key card". What is a product key card? They don't say. Some of the stores are Staples, BestBuy, Walmart, Office Depot, Micro Center and Target.
As of November 2024, I am not sure if this still exists. Even if it does, read more about them on this page.
- All that said, if you connect to the service from your home, the public IP address of your home can be used to identify you, if the VPN company is either malicious or forced to do so by their government.
- See also the section here on Double VPNs for increased anonymity.
Choosing a VPN - Other Criteria
There is still more to choosing a VPN provider. Ugh.
Many VPN companies rent their servers. It is more secure if the VPN provider owns their own servers. Many VPN companies use a VPS (Virtual Private Server). It is more secure to not use virtualization (called a bare-metal server or a dedicated server). It is also more secure if a VPN server runs totally in RAM and never writes to the hard disk (called RAM-disk mode). Most VPN companies are mum on these points. A good survey on these two points is at Restore Privacy. It says: ProtonVPN and VPN.ac use dedicated bare-metal servers, all ExpressVPN servers use RAM-disk mode, Perfect Privacy uses bare-metal servers running in RAM-disk mode, OVPN uses dedicated bare-metal servers running in RAM disk mode, that they own. Mullvad owns some of their servers but most are rented. AzireVPN also uses dedicated servers running in RAM disk mode, that they own. They blogged about this in September 2022: Why we Own our Own Servers.
Diskless servers: Some VPN companies use disk-less VPN servers. These are server computers where the operating system exists only in RAM. When the computer is powered on, it downloads the operating system and starts running it. This is also referred to as a RAM-Only server. Some VPN providers offering this are: Mullvad, OVPN, NordVPN, ExpressVPN, Surfshark, Private Internet Access, CyberGhost and AzireVPN. It is claimed that this increases privacy because when a server is powered off or rebooted, everything in RAM is lost. It also makes it harder (not impossible) to create logs. If nothing else, it makes the servers more reliable as there is one less thing to break and they probably run cooler too. In my opinion, this is nice to have but not a show-stopper feature.
Marketing honesty: Many VPN companies make vague promises of security, privacy and anonymity. This is stretching things. Look for a VPN company that is very clear about exactly what a VPN can and can not do.
Installation instructions: Most of the time, you have to install software to use a VPN. The instructions provided by the VPN companies differ greatly. I have seen companies that document every step of the install and others just say run the file you downloaded. You should be able to find the installation instructions on the website of the VPN company.
Canceling: How a VPN provider handles customers canceling their accounts can tell us something about the company. I have tried to cancel two VPN accounts before the time had run out. IVPN handled it very well, ProtonVPN did not. ProtonVPN accounts auto-renew and you can not tell them not to renew when your time is up. You can only tell them to cancel now. Right now.
Technical Communication: When there is an industry-wide VPN issue, does the company explain how it affects them? This happened in August 2023 with the TunnelCrack flaw. Mullvad responded on Aug. 9th: Response to 'TunnelCrack' vulnerability disclosure. IVPN responded on Aug 10th: IVPN + TunnelCrack vulnerability information. As far as I can tell ProtonVPN, NordVPN and AirVPN said nothing.
Dedicated IP address: A normal VPN environment has multiple customers sharing a single VPN server computer. This offers some anonymity as anyone monitoring data coming and going from the VPN server machine will see data/traffic for all the customers. And, the number of customers on the machine will always vary. To me, this is a good thing. However, in some cases people want a VPN server just for themselves - a feature typically referred to as a dedicated IP address. Not all VPN providers offer this feature and those that do charge extra for it.
One reason to want a dedicated IP address is less nagging. Oftentimes VPN customers have to jump through hoops that others do not - an extra CAPTCHA for instance. Or, access to a website may be blocked when using a VPN. Still another reason is your own personal source IP blocking. For example, if you have to leave a port open on a router, a good router can limit the IP addresses that are allowed to communicate on that open port. You can get the same effect by using a small VPN provider that has only one or two servers in a given physical location. The large VPN providers have many servers in each location.
However, if you have a target on your back (say you are a high profile person) then having a dedicated IP address makes it easier to spy on you. Personally, I often change the VPN servers that I connect to.
Change Log: It is nice to see a list of changes made to the VPN client software. If bugs are fixed, you want to know if they were in features you use. The log also includes new features, ones that you might not have otherwise known about. Some software releases are major, others are minor. Standard practice is to avoid the major releases for a while until the inevitable bugs are fixed. A change log shows which releases contain many updates and which just fix one or two bugs. Perhaps most importantly, it is a sign of professionalism to publish a Change Log. I publish one for this very website.
Examples: The Windscribe Change Log is here for their Windows, macOS and Linux software. Mullvad publishes their Change Log (and source code) on GitHub. IVPN maintains a Change Log for their desktop software (Windows, Linux, macOS) and there is a link to it on the page where you download the software. They have separate Change Logs for their iOS and Android apps but, again, they link to them on the page where you download the apps.
I could not find a Change Log for ProtonVPN on their website. I also checked their iOS app and there was no Change Log there either.
Praise: Finally, you don't see this every day. In April 2022, the Windscribe blog featured a puff piece on the founder of the company: Who is Yegor Sak? The Man Behind The Meme by Catt Garrod. The article included this: "I started using VPNs in 2009 for my daily Internet activity ... This led me to learn all about what VPNs can and cannot do ... The one that stood out as different and I personally used for years was IVPN. Windscribe was very much inspired by how that company was operated: solid apps, no marketing speak, brutally honest information on capabilities and limitations.".
The website Privacy Guides recommends three VPN providers: Mullvad, IVPN and ProtonVPN. At first glance, they seem independent and not biased.
VPN PROVIDER WARNINGS
This 20 minute November 2022 video, from Naomi Brockwell, has many warnings: The DARK side of VPNs. She interviews VPN expert Jonathan Tomek. At the end he recommends Mullvad.
- bad things are said about 1clickVPN at 5 min 40 seconds into video
- bad things are said about FreeVPN at 7 min 20 seconds
- bad things are said about ZenMate at 8min 50 seconds
- bad things are said about Aza and Hula at 10 min 10 seconds
- bad things are said about NordVPN and ExpressVPN at 11 min 30 seconds, including that they ask for mobile permissions that a VPN should not need. They cite multiple reasons to avoid NordVPN.
- NordVPN, Surfshark and Atlas are owned by same company
- Ziff Davis claims to own 6 VPNs. Naomi says they really own 13 and maybe more. 15 min 30 seconds
Other VPN providers, too, have been caught doing bad things.
- Avoid free VPNs. More specifically, avoid VPNs that are always free. Some commercial VPN providers offer limited accounts for free. If you can't pay, use the free service from ProtonVPN, TunnelBear or Windscribe. On iOS, there is also a free version of the Guardian Firewall + VPN app.
- A VPN based in the United States would be my last choice. After all, it was the US that let ISPs spy on us in the first place. And, Snowden. Granted, this is a matter of opinion, but see too: Are US-based VPNs trustworthy? Here's why I don't recommend them by Rae Hodge for CNet (February 2022). Hodge also wrote "Any VPN based out of the US, UK, Canada, Australia and New Zealand -- the so-called "Five Eyes" intelligence community -- should generally be avoided if you're looking to max out your privacy. Five Eyes openly calls for what most people consider an end to online privacy ... "
- Avoid Big Mama VPN as per this article: VPN used for VR game cheat sells access to your home network by Matt Burgess for Ars Technica and Wired. December 20, 2024.
- A VPN from Google is a contradiction and thus best avoided. VPNs are about privacy and, as an advertising company, Google is all about invading privacy and tracking people. But, there's more. Like other VPN providers, Google offers installable software for Windows. But, there is a DNS issue with the software. A reasonable person would call this a bug, but Google considers it a feature. The issue: A normal VPN will change the Windows DNS settings while the VPN is active and then restore the settings when the VPN is disabled. But not Google's VPN, it changes the Windows DNS settings forever. Worse still, on a Windows laptop with both Ethernet and Wi-Fi connections the Google VPN software will change DNS settings for both network interfaces, even though it is only using one of them. The Google macOS VPN software does not do this. FYI: Google's VPN is part of their Google One subscription plan.
More: Users say Google's VPN app 'breaks' the Windows DNS settings by Ron Amadeo for Ars Technica. April 2, 2024.
April 11, 2024: Google One VPN will be discontinued, Pixel VPN remains with upgrade coming by Abner Li for 9 to 5 Google. There are no changes to the free Pixel VPN introduced with the Pixel 7 series in 2022. The VPN available with Google Fi will also remain available. Yes, Google had three different VPN products.
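A way to verify the behavior described above for any Windows VPN client, as an added example that is not from this page or from any vendor: take `ipconfig /all` snapshots before connecting, while connected and after disconnecting, then diff the DNS servers of every adapter. The adapter names, addresses and the three snapshots below are constructed; the 203.0.113.x resolvers are placeholders, not any provider's real servers.

```python
"""Check whether a VPN client put the Windows DNS settings back.

Added example, not code from this page or from any VPN vendor. It parses
the text of `ipconfig /all` (the samples below are constructed) and diffs
the DNS servers of every adapter across three snapshots: before the VPN
was connected, while it was connected, and after it was disconnected.
"""
import re

_ADDR_CHARS = re.compile(r"[0-9A-Fa-f:.%]+")


def parse_ipconfig_dns(text):
    """Return {adapter_name: [dns_server, ...]} from `ipconfig /all` output.

    Adapter headers are unindented lines ending in ':' such as
    'Ethernet adapter Ethernet:'; the words before the name are dropped.
    The 'DNS Servers' field puts the first address on its own line and
    any further addresses on indented lines that hold only an address.
    """
    adapters = {}
    current = None
    in_dns = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            in_dns = False
            continue
        header = None if line[0].isspace() else re.match(r"^(?:.+? adapter )?(.+):$", line)
        if header:
            current = header.group(1).strip()
            adapters[current] = []
            in_dns = False
            continue
        if current is None:
            continue
        field = re.match(r"\s+DNS Servers[ .]*:\s*(\S*)", line)
        if field:
            in_dns = True
            if field.group(1):
                adapters[current].append(field.group(1))
            continue
        stripped = line.strip()
        if in_dns and _ADDR_CHARS.fullmatch(stripped):
            adapters[current].append(stripped)   # continuation line with one more server
        else:
            in_dns = False
    return adapters


def dns_restore_report(before, during, after, active_adapter):
    """Diff three parse_ipconfig_dns() snapshots; return a list of findings.

    active_adapter is the physical adapter the tunnel actually rides on.
    Flags (a) adapters other than it whose DNS was changed while connected
    and (b) any adapter whose DNS differs after disconnect from before.
    """
    findings = []
    for name, original in before.items():
        connected = during.get(name, [])
        restored = after.get(name, [])
        if name != active_adapter and connected != original:
            findings.append(f"{name}: DNS changed while connected although the VPN "
                            f"uses {active_adapter}: {original} -> {connected}")
        if restored != original:
            findings.append(f"{name}: DNS not restored after disconnect: "
                            f"{original} -> {restored}")
    return findings


def sample_ipconfig(eth_dns, wifi_dns):
    """Constructed `ipconfig /all` text for a laptop with Ethernet and Wi-Fi."""
    def block(header, addr, dns):
        lines = [f"{header}:", "",
                 "   Connection-specific DNS Suffix  . : lan",
                 f"   IPv4 Address. . . . . . . . . . . : {addr}",
                 f"   DNS Servers . . . . . . . . . . . : {dns[0]}"]
        lines += [f"{'':39}{d}" for d in dns[1:]]
        lines.append("   NetBIOS over Tcpip. . . . . . . . : Enabled")
        return "\n".join(lines)
    return ("Windows IP Configuration\n\n"
            "   Host Name . . . . . . . . . . . . : LAPTOP-EXAMPLE\n\n"
            + block("Ethernet adapter Ethernet", "192.168.1.20", eth_dns) + "\n\n"
            + block("Wireless LAN adapter Wi-Fi", "192.168.1.21", wifi_dns) + "\n")


# Constructed snapshots. 203.0.113.x is documentation address space standing
# in for whatever resolvers the VPN client pushes.
BEFORE = sample_ipconfig(["192.168.1.1"], ["192.168.1.1"])
DURING = sample_ipconfig(["203.0.113.53", "203.0.113.54"], ["203.0.113.53", "203.0.113.54"])
AFTER = DURING          # the client left both adapters pointing at its resolvers


def check_sample(active_adapter="Ethernet"):
    """Run the report over the constructed snapshots (tunnel rides on Ethernet)."""
    return dns_restore_report(parse_ipconfig_dns(BEFORE), parse_ipconfig_dns(DURING),
                              parse_ipconfig_dns(AFTER), active_adapter)


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```

On a real laptop, save `ipconfig /all` output at the three moments, read the files, and pass their text to dns_restore_report() together with the name of the adapter the tunnel is using. An empty list is the result a well-behaved client produces; a client that rewrites DNS on the adapter it is not using, or leaves its settings behind after disconnect, is doing what the page says Google's client does.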
- According to this blog by Kailash Z. of Windscribe Virtual or Physical? Why Windscribe Has the Most Server Locations (May 17, 2023) many VPN providers lie about the country that their servers are located in. Let me start by saying that having the most servers in the most countries does not strike me as a big deal. That said, they caught a number of VPN providers lying and there are implications beyond just knowing that a VPN provider is a liar. Quoting:
"The inflated country counts are facilitated by virtual server locations. A virtual server location is one for which the actual physical server exists in a location that is not the claimed/advertised location. Most providers operating virtual server locations run the actual server in countries with low bandwidth costs while faking the location with false IP WHOIS data to make it appear that it is elsewhere. This results, first and foremost, in subpar performance for users .... [and] potential legal repercussions for anyone looking to connect to servers in specific countries because of privacy protections afforded by the laws of the said country."
Some of the biggest liars reported in the article: ExpressVPN claims to have servers in 94 countries, but the reality is 47. Surfshark claims to have servers in 100 countries but the reality is 57. Surprisingly, they even cite ProtonVPN which claims to be in 67 countries but is really in 50. Two other fibbers are CyberGhost and Hide.Me.
- ExpressVPN: Edward Snowden urges users to stop using ExpressVPN (Sept. 2021). They sponsor the Security Now podcast with Steve Gibson (as of January 2023). One of their ads in the podcast was full of lies. The ad promised things that no VPN is able to provide.
- Android Owners, Watch Out for These 7 Shady VPN Apps by Rae Hodge of CNET (October 2022). The article focuses on Android VPNs that require more permissions than they actually need. The list: Yoga VPN, proXPN, Hola Free VPN, oVPNSpider, SwitchVPN, Zoog VPN and Seed4.Me VPN.
- 8 Bad VPNs You Must Avoid to Protect Your Privacy by Georgina Torbet for MakeUseOf (Dec 2021). The eight are: Hola, HotSpot Shield, HideMyAss, Facebook Onavo, Opera Free, PureVPN, VPNSecure and Zenmate.
- NordVPN Review: Feature-Rich and Speedy, But Privacy and Transparency Issues Need Attention by Attila Tomaschek and Rae Hodge of CNET (August 29, 2022). Quoting: "From a distance, NordVPN almost looks like the perfect VPN. But with a little digging, we uncovered some pretty major cracks in the facade ... Most notably, we found that NordVPN routes some user traffic through residential IP addresses supplied by a company with a questionable history. The company's overall efforts at transparency also leave quite a lot to be desired ... the company offers nothing in the way of an annual transparency report and [it] is cagey about its partnerships and corporate structure ... Nord operates its main offices physically out of Lithuania, processes payments through the US, maintains legal entities in the UK and Germany, and is owned by a holding company based in the Netherlands." I suggest also reading the section on the Threat Protection feature.
- From Dong Ngo, in Virtual Private Network (VPN) Explained: Privacy, Security, and How to Get it Free. In responding to a September 2022 comment on the article, Ngo said: "NordVPN is evil ... it’s so popular because its affiliation pays well - each time you click on a link and sign up the owner of the article gets a cut."
- Windscribe VPN Security Breach: Servers and Private Key Seized by Sven Taylor for Restore Privacy (July 19, 2021). Quoting: "Windscribe, a popular VPN based in Canada, has suffered a major security breach. Ukrainian authorities seized Windscribe servers and also obtained Windscribe's private key, which allows them to decrypt traffic from Windscribe users. Windscribe staff has admitted they failed to properly encrypt their servers ... " See also the two blogs that Windscribe published on the topic: OpenVPN Security Improvements and Changes by Yegor Sak (July 8, 2021) and Ukrainian server seizure - a commentary and state of the industry by Yegor Sak (Aug 24, 2021). This was a bad thing, but does not strike me as a huge big deal. Exploiting the issue to spy on a Windscribe customer would have been very difficult. Also, they were very public about the problem, and what they are doing to fix it, which is all we can hope for from any company with a security problem. Mr. Taylor makes money from the VPN companies he recommends, which does not include Windscribe. Why not? Probably because Windscribe has no affiliates program, no one makes money by recommending them as the best VPN for left handed people with curly hair.
- One of the articles above, Ukrainian server seizure - a commentary and state of the industry by Yegor Sak of Windscribe (Aug 2021) is two things. First, it is an admission of a mistake they made and an explanation of the fixes they implemented. It also has very technical details on similar mistakes that other VPN providers continue to make, when it comes to OpenVPN. Anyone considering using NordVPN should read the section on the NordVPN 2019 Hack. Likewise, anyone considering or using TorGuard, PIA (Private Internet Access), Surfshark, ExpressVPN and Perfect-Privacy should read the sections devoted to their OpenVPN configurations. The only company that gets a good grade is IVPN.
- Windscribe: I was a customer for a couple years and dealt with their tech support somewhat often. It is pretty bad. They have ducked questions and refused to consider that there might be an issue with their software.
- Maybe avoid Swing VPN. See Swing VPN app is a DDOS botnet by an anonymous security researcher. June 4, 2023. It seems to only be malicious on Android, not iOS, but still, I would avoid it on iOS too. Quoting: "From the provided evidence I think it is undeniable that creator of the app has malicious intent in denying services to regular people by DDOS'ing those services. They use different techniques to obfuscate and hide their malicious actions in order to try to go undetected. That is main reason for why they send the request every few seconds as with the amount of install base they have it is enough to bring the services down but still not fire security alarms in appstore and playstore security teams."
- Maybe avoid iKHfaa VPN as per this article: Android spyware found hiding out in Play Store; delete these two apps now! by Alan Friedman (June 19, 2023).
- From the Wirecutter: "We ruled out some VPNs for trust issues. EarthVPN appears to have lied about its logging practices, while ProxySH confessed to spying on customer traffic in 2013. HideMyAss has handed customer information over to police. The Center for Democracy & Technology filed a 14-page complaint about Hotspot Shield with the FTC, alleging unfair and deceptive trade practices." (Last update Jan 2022)
- Also see the University of Michigan research in the Advanced Techie Stuff section for research that shows some bad practices by a few VPN providers.
Misleading pricing: From How Cheap VPNs Can Cost More Than You Bargained For by Fergus O'Sullivan for HowToGeek. February 8, 2023. Some VPN providers offer initial discounts and revert to higher fees afterwards.
- NordVPN pricing is simply misleading, according to O'Sullivan. Depending on the promotions it has running, you can get the service for as little as $40 per year, provided you sign up for two years or more. However, the fine print states that once your initial term is up, the price is $124 per year, "a generous amount considering how mediocre we've assessed the service to be."
- Surfshark does something similar. After the initial term, Surfshark costs just under $100/year.
NOTE: Shortly after this article was published, I checked the Surfshark site and did not find it deceptive. It was clear that the service cost roughly $60 for the first two years and $60/year after that. Or, roughly $48 for the first year and $60 for the next.
- AtlasVPN is more subtle, placing an asterisk next to its price of $50 for two years. The asterisk eventually says that once you renew, the service costs $40 per year.
"In the case of AtlasVPN, for example, it’s ridiculously slow and has a buggy interface that will have you tearing your hair out as it crashes yet again."
Block Ads/Tracking While Using a VPN
As a rule, the job of blocking ads and/or trackers falls to your web browser and its extensions. But some VPNs can do this too. One advantage of VPN blocking is that it applies to the entire operating system, not just one web browser. If you connect to one of these VPNs from a router, it can block ads/tracking on any device connected to the router. The downside of any such blocking (in a browser or a VPN) is carving out exceptions to the rules.
These VPNs do blocking:
- IVPN calls their tracker blocking feature AntiTracker. Initially they used a single block list. Around August 2023, this was expanded and they now offer 10 different lists and you can customize the ones you want. Despite the name, these lists block both ads and trackers. That said, they do not let you specifically block/allow a single domain or sub-domain. See Better tracker blocking controls with AntiTracker Plus by Viktor Vecsei of IVPN. Also AntiTracker Plus Lists Explained.
- ProtonVPN calls their ad/tracker blocking feature NetShield. It uses DNS filtering to protect you from malware, block ads, and prevent website trackers from following you around the web. It is only available to paid customers.
- Mullvad added support for custom DNS server configuration on macOS, Windows, Linux and Android in April of 2021. This can be used with an assortment of DNS providers that block ads/trackers.
In May 2021, they introduced ad blocking (How to set up ad blocking in our app). In June 2021, ad and tracker blocking was a new feature in their iOS app (How we're knocking down ads and tracking). In March of 2022, they added malware blocking. See Adding another layer: Malware DNS blocking. Their customers can enable or disable each type of blocking individually. They also offer ad blocking for free to anyone, not just their customers, via their secure DNS service: DNS over HTTPS and DNS over TLS (last updated November 2021).
- OVPN added ad/tracker blocking to their Android and iOS apps in November 2021.
- At Perfect Privacy, their TrackStop feature blocks ad-tracking and phishing.
- The Disconnect Privacy Pro SmartVPN blocks trackers on iOS. Their Premium VPN blocks trackers on iOS, Android and macOS.
- Windscribe VPN offers what they call a "One-of-a-kind customizable server-side domain blocking tool" that blocks ads and trackers. And, you can customize it. They call the feature R.O.B.E.R.T. Their big advantage is that you can easily customize the blocking with your own block list and allow list - much like NextDNS.
- The Freedome VPN from F-Secure blocks trackers on iOS, Android, Windows and macOS.
- The Guardian Firewall + VPN app on iOS "blocks digital trackers from secretly collecting your information." It is from the Sudo Security Group. For free, their VPN service alerts about tracking but does not block. I wrote about it in August 2019.
- On Android, there are three versions of the Blokada ad-blocker. The free version that blocks ads is not allowed in the Play Store. It installs a VPN, but only to block ads by intercepting DNS requests. There was a trivial version in the Play Store that also installed a VPN but all it did was modify the DNS servers. Currently (Feb.2020) the version in the Play Store is called Blokada Slim and it combines the older DNS changer with a fairly new, real, VPN called Blokada Tunnel which costs 5 Euros/month (roughly $5.50 in US dollars). Great feature: customized white and black lists.
- Coming: AdGuard VPN (Jan 2020). They are writing a new VPN protocol, which is not a good sign.
- Android 9, 10, 11 and 12: There is an interesting conflict between a VPN and the Android Private DNS feature. Each wants to be in charge of the system-wide DNS. In a test of Android 10 with three VPN providers, Private DNS won out every time. This was not a DNS leak, the DNS requests went through the VPN tunnel and the Private DNS resolver sees requests coming from the VPN server, not from the VPN client. However, in a test with Android 9, the VPN DNS won out. Beats me why. If Private DNS wins, and you use NextDNS, then any VPN can be used alongside the ad and tracker blocking from NextDNS. The best of both worlds. I tested with multiple DNS testers on my RouterSecurity.org site.
FYI ON LOCATION HIDING
All VPNs claim to hide your physical location and/or let you appear to be somewhere else. This stems from the fact that, with a live VPN connection, all data going to/from the Internet passes through the VPN server. Your public IP address is that of the VPN server, not your home or office. In the old days this was sold for the anonymity it offered. Later, it was sold so that people in the US could listen to the BBC.
But the claim predates smartphones, spy machines that they are. A smartphone can locate itself using GPS, Wi-Fi, cell tower location and probably even Bluetooth (not sure). I have tested Wi-Fi based locating and found it extremely accurate. So, if the phone knows where you are, who is to say whether it leaks this information to the outside world. And the outside world, on a phone or a desktop computer, is not just websites. Modifying your public IP address is not the be-all and end-all that it used to be. It is still a good thing, but it may no longer be sufficient.
The June 2022 issue of Unredacted Magazine had a story about this. The anonymous author is a privacy enthusiast. He uses a router with VPN client software, and the router makes a VPN connection that all LAN side devices pass through. One of the LAN side devices is an Xbox that is Ethernet connected to the router. You might think that the outside world only knows about the physical location of the VPN server. That's what the author of the article thought ... until he checked his Xbox Account Settings page and found a picture of the apartment complex where he lives with a pin in it indicating his apartment. It turns out that the Xbox uses Wi-Fi and that it can not be disabled. The Xbox was spying on him. It listened to all the SSIDs and MAC addresses being broadcast by the routers of his neighbors and calculated his location. VPN be damned.
In August 2023 Windows malware (dubbed "Whiffy Recon") was discovered that surveyed the nearby Wi-Fi networks and sent the resulting information to Google using their Geolocation API. While it is not known what the malicious software does with this information, it shows that even if Windows is configured not to track its location and the web browser is also configured not to tell the location to websites, it is still available to software running on the PC. For more see: Whiffy malware stinks after tracking location via Wi-FI by Brandon Vigliarolo for The Register (Aug 28, 2023) and Smoke Loader Drops Whiffy Recon Wi-Fi Scanning and Geolocation Malware by Secureworks (Aug 23, 2023).
In May 2024, Brian Krebs wrote Why Your Wi-Fi Router Doubles as an Apple AirTag. The title is a bit much, but the article describes a new research paper that shows how iOS and Android devices use nearby Wi-Fi networks to figure out where they are. This means that Apple and Google know exactly where every Wi-Fi router is located. A VPN does nothing about this, only Ethernet does.
If hiding your location is really important, it is best to use a device without Wi-Fi or GPS or Bluetooth. On a smartphone or tablet, disable them and hope the phone operating system honors your request. On a cellphone, airplane mode should prevent it from contacting cell towers. I say "should" because I don't know how to verify this. Even if you can not make or receive a phone call, that does not ensure that the phone is not communicating with a cell tower. After disabling Wi-Fi, GPS and Bluetooth, re-boot the device to ensure that it is not still using a recently detected location.
Clearly, Ethernet is your friend here. iPhones and iPads can use Ethernet with an appropriate adapter. Likewise there are USB type A and USB type C adapters for Ethernet that can be used with any computing device with a USB port.
To put this in perspective, the strongest option is preventing the operating system from knowing where it is. If this is not possible, then you need to try and prevent the operating system from giving the location to applications and to web browsers. In the case of browsers, there are probably configuration options in both the browser and the operating system for this. For more on this, see the Location Tracking topic.
Windows 10, for example, offers OS level configuration options for Location in System Settings -> Privacy -> Location. In the resulting panel, ensure that everything is off. On a lower level, Windows users should probably disable the Windows Geolocation service (a.k.a. lfsvc). The description says that it "...monitors the current location of the system and manages geofences (a geographical location with associated events). If you turn off this service, applications will be unable to use or receive notifications for geolocation or geofences." There may be a downside to disabling this service; I have not tested this extensively. But, I doubt it.
As an example of browser location settings, consider the Location settings for the Chrome browser (the screen shot is from Chrome 93 on Windows). You can access the location settings in Chrome at chrome://settings/content/location (last checked with v116 on Windows 10). Here is where you control whether the Chrome browser is allowed to tell websites the location of the computer/phone/tablet. This assumes that the operating system and the browser already know the location. One slip-up in configuring this and a VPN can no longer hide your location from a website.
An article on this: How does my browser know my real location when I'm on a VPN? by pcwrt (January 2021).
I have yet to see any VPN provider mention that location blocking should be configured in both the operating system and the web browser that you use. That would burst their marketing bubble.
Fighting with the operating system and the browser is complicated, error prone and, even if done right, involves some trust that the software is doing what it's told. The safer approach is to ensure the operating system can not learn its location in the first place. Ethernet is your friend.
FYI ON DEVICE LIMITS
NOTE: This topic was added December 10, 2023
If you use a VPN provider that has no device limits, then skip this section.
Both IVPN and Mullvad (and no doubt many others) limit the devices that can concurrently connect to the VPN. But, they both do a disgracefully miserable job explaining this, so I will attempt to here. Assume the device limit is 5, just for the sake of this example.
With both companies, you can install the software on an unlimited number of devices.
With both companies the first 5 devices work fine. Dull and boring.
The sixth device is where things get ugly. This is because the device limit is not on the number of concurrently connected devices. Even if the first 5 devices are off-line, the 6th device will fail to connect to the VPN. The limit is on something neither company explains. For lack of a better term, I will call it a limit on REGISTERED devices.
What is not explained is that each device first REGISTERS before it connects to the VPN. The 6th device fails because the maximum devices are already REGISTERED. For the 6th device to connect to the VPN, you first have to de-register one of the first 5.
Mullvad lets you de-register a single device. But, they identify REGISTERED devices using their own code names, which you have to track. REGISTERED devices do not get user-friendly names like "Susan's iPad".
IVPN does not let you de-register one device. For the 6th device to connect, all of the first 5 need to be DE-REGISTERED. The good news is that the customizations made to the settings are not lost when a device is DE-REGISTERED (only tested on Windows).
DOUBLE VPNs
You can increase your anonymity by using a VPN inside a VPN. Start with a normal Operating System level VPN. Then, while it is connected, use a web browser that has a VPN extension for a different VPN provider.
How does this protect you? The OS level VPN company will only know that you connected to the Browser VPN company. They can not see anything that you do in the browser. The Browser VPN company can see what you do (like any VPN provider) but they do not know where you are. They see you as a customer of the OS level VPN provider. They may, however, know who you are.
If you can be anonymous to the Browser VPN company, all the better. Perhaps the Browser VPN has a limited free tier or a free trial that can be used without providing personal information. Or, you can pay for some VPNs with cash or a gift card. I would avoid any VPN provider that only offers a free service.
Not all VPN companies offer a web browser extension. Some that do:
- NordVPN calls theirs a VPN proxy extension and it works with Chrome, Edge, and Firefox.
- TunnelBear has extensions for Chrome and Firefox. It is a paid service with a limited free tier.
- Windscribe has extensions for Firefox and Chrome. It too, is a paid service with a limited free tier.
- ProtonVPN has a browser extension that works with both Chromium-based browsers (Google Chrome, Brave, Microsoft Edge, Chromium, Opera, and Vivaldi) and Firefox-based browsers (Firefox itself, LibreWolf, and Waterfox). See Introducing the Proton VPN browser extension by Antonio Cesarano of Proton (last updated Sept 3, 2024) and How to use the Proton VPN browser extension by Proton (undated). Download it from the Chrome Web Store or from the Firefox Add-ons.
- The Opera browser has its own free VPN as part of the browser itself, no extension needed.
- Microsoft's Edge browser has a free VPN called the Edge Secure Network that uses services from Cloudflare. The free tier initially had a 1 gigabyte per month limit, but that was raised in July 2023 to 5 GB. Microsoft and privacy, of course, are like oil and water. Microsoft requires users to be signed in to a Microsoft account to use the VPN, so, no anonymity. According to this article (by Mayank Parmar for Bleeping Computer July 3, 2023) signing in to a Microsoft account enables the sync feature of the browser, which makes browsing data accessible across all signed-in versions of Edge. This includes browsing history, favorites, settings, form fill data, passwords, extensions, open tabs, and collections. Not a good choice.
- The Epic browser includes a free VPN and it can be installed on Android, iOS, Windows and macOS. That said, I am not familiar with it at all.
Not all browser VPN extensions are limited to just the browser, some work at the Operating System level and thus can not provide a VPN inside a VPN. This is true for the ExpressVPN browser extension and the Mozilla VPN. On Android and iOS, Brave includes a VPN (powered by Guardian) that also works at the operating system level.
Another option for double protection is offered by the desktop (Windows, macOS, Linux) versions of the Brave browser which includes access to the Tor network, no need to install an extension. The option is called "New private window with Tor".
A third approach is to run a normal Operating System level VPN on your computing device, while it is connected to a router that has its own VPN connection. This is most secure when each VPN connection is to a different VPN company.
A fourth approach is only available to Apple Safari users willing to pay for it. The system is called iCloud Private Relay and it is available on iOS, iPadOS and macOS. Users must pay for iCloud+ and it only works with the Safari browser. Like a VPN, it hides your public IP address. Unlike a VPN, Apple claims that they can not spy on you. Not that they don't, but that they can not.
As to how it works, this is from Apple iCloud Private Relay & Privacy (September 20, 2024):
"Your internet connection requests are routed through two separate relays operated by different entities. The first knows your IP address, but not the website you are visiting. The second knows the website you are visiting, but not your IP address, instead providing a generalized identity and location to the destination website. In this way, no single entity has the information to identify both you and the sites you visit."
The first relay device/server that Safari talks to is owned by Apple, the second relay device is not. Who owns/runs these secondary relay servers? Apple does not say, they only say it's not them. DNS requests are encrypted such that the ISP and the Apple-owned first relay thingy can not see them (this assumes old insecure DNS). Both Apple and the ISP do see your public IP address. The second relay thingy decrypts DNS requests and sends your data/traffic out to the Internet. To the rest of the world, your traffic is seen as coming from the second relay thingy. More: iCloud Private Relay Overview (2021).
In February 2025, a fifth double-VPN approach was introduced - Obscura VPN has a partnership with Mullvad. Mullvad announced this on Feb. 11th: Mullvad has partnered with Obscura VPN. At the time, Obscura VPN software was only available on macOS. Obscura customers connect to Obscura VPN servers, but Obscura then connects to a Mullvad server and the traffic exits onto the Internet from a Mullvad server. The claim is that "This two-party architecture ensures that neither Obscura nor Mullvad can see both your identity and your Internet traffic." It is easy to see how Mullvad does not know who you are, all they see is data coming from Obscura. Mullvad should not see your public IP address and you are not their customer. The claim that Obscura also can not see into their VPN tunnel is a stretch. If not for the involvement of Mullvad, I would not believe it. Obscura says "Your traffic is always end-to-end encrypted via WireGuard to the exit server." More from them here: Trust, 2-Party Relays, and QUIC.
Even if an Obscura server can not see into your tunnel to them, certainly their macOS software can. I write this in Feb. 2025 and it is too early yet to have a pro/con opinion.
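The split-knowledge idea behind both iCloud Private Relay and the Obscura/Mullvad arrangement (two hops, each seeing only half of the picture) is easiest to understand by wrapping one request and watching what each hop can decrypt. The following is an added example and not either company's code or protocol: Private Relay uses QUIC/MASQUE with per-session keys, whereas this script uses a toy SHA-256 keystream cipher with pre-shared keys so it runs offline, and the relay names, keys and addresses are invented.

```python
"""Who learns what in a two-hop relay.

Added example modelling the split-knowledge design Apple describes for
iCloud Private Relay and that Obscura/Mullvad describe for their
two-party setup. Not either company's protocol: a toy SHA-256 keystream
cipher with pre-shared keys stands in for real encryption, and the relay
names, keys and addresses are constructed for the illustration.
"""
import hashlib
import json


def toy_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 counter keystream. NOT for real use."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def client_wrap(client_ip, dest_host, request, key_relay1, key_relay2):
    """Encrypt destination+request for relay 2, then wrap that for relay 1."""
    inner = json.dumps({"dest": dest_host, "request": request}).encode()
    inner_ct = toy_xor(key_relay2, inner)
    outer = json.dumps({"next_hop": "relay2", "blob": inner_ct.hex()}).encode()
    return {"src_ip": client_ip, "blob": toy_xor(key_relay1, outer)}


def relay1_forward(msg, key_relay1):
    """Relay 1 learns the client's IP and the next hop, nothing about the site."""
    outer = json.loads(toy_xor(key_relay1, msg["blob"]))
    learned = {"client_ip": msg["src_ip"], "next_hop": outer["next_hop"]}
    # Forwarded with relay 1's own (constructed) address as the source.
    return learned, {"src_ip": "198.51.100.1", "blob": bytes.fromhex(outer["blob"])}


def relay2_exit(msg, key_relay2):
    """Relay 2 learns the destination but only sees relay 1 as the source."""
    inner = json.loads(toy_xor(key_relay2, msg["blob"]))
    learned = {"from_ip": msg["src_ip"], "dest": inner["dest"]}
    return learned, (inner["dest"], inner["request"])


def run_exchange(client_ip="203.0.113.7", dest_host="example.com"):
    """Walk one request through both relays; return what each relay learned."""
    key1, key2 = b"constructed-key-relay1", b"constructed-key-relay2"
    msg = client_wrap(client_ip, dest_host, "GET / HTTP/1.1", key1, key2)
    seen1, hop = relay1_forward(msg, key1)
    seen2, delivered = relay2_exit(hop, key2)
    return seen1, seen2, delivered


if __name__ == "__main__":
    seen1, seen2, delivered = run_exchange()
    print("relay 1 learned:", seen1)
    print("relay 2 learned:", seen2)
    print("delivered to site:", delivered)
```

The property the page quotes from Apple falls out of the nesting: relay 1 holds the client address but only an opaque blob it cannot open, and relay 2 opens the blob but only ever sees relay 1 as the sender. The caveat in the text still applies: the software on the client that does the wrapping sees everything, so the guarantee is about the two relay operators, not about the client software vendor.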
VPN ARTICLES
January 17, 2025: If you use a VPN for a TikTok ban, make sure it's one you can trust by Shira Ovide in the Washington Post. Recommended VPNs are: Mullvad, IVPN, Proton VPN and Mozilla VPN (which is Mullvad under the covers). That said, judging a VPN by watching British videos from the US is the wrong criterion. It does not make the conclusions wrong, just realize that the author of this article is not a techie. Fortunately "digital security and privacy experts" were consulted.
This article in Wired magazine is really bad: Protect Your Home Wi-Fi Network by Setting Up a VPN on Your Router by David Nield April 25, 2024. The purpose seems to be earning commissions, not informing readers.
To begin with, it talks about a VPN without distinguishing between VPN server and VPN client software. A huge omission. Just as big is that there is no mention of the different types of VPNs. It does mention OpenVPN but does not state that it is only one of many types. Then, it mentions a couple of VPN providers that sell routers with their software pre-installed but does not bother to mention that many VPN providers do this. And, no mention of my favorite VPN-on-a-router company, pcWRT. And, there is no discussion of the pros/cons of running VPN client software on your only router vs. using a second router plugged into the main one. And, editing sloppiness: saying that a VPN on a router protects all your Wi-Fi devices, as if Ethernet devices did not also get protected. If you had any respect for Wired, well ...
ADVANCED TECHIE STUFF
The below is very technical, scholarly research into VPNs.
UNIVERSITY of MICHIGAN
The paper, VPNalyzer: Systematic Investigation of the VPN Ecosystem by researchers at the University of Michigan is long and dense and looks at a number of criteria never found in the tech press. They wrote their own software to perform assorted technical evaluations of VPNs. Their software ran on Windows, macOS and Linux, so nothing in the paper applies to iOS or Android. They studied 80 different VPN providers. Some findings (there is much more) are below.
- IPv6: Only 11 providers out of the 80 tested supported IPv6 connectivity. I have no need for IPv6, specifically because of what this research found: four VPN providers leaked IPv6 traffic. Put another way, these four VPNs do not block the user's IPv6 traffic and thus leak IPv6 data to the ISP. The four offenders: Astrill VPN, Norton Secure VPN, Turbo VPN and SurfEasy VPN.
- They looked at the behavior when the VPN tunnel dies and they found 18 VPN providers leaking all user traffic during tunnel failure. Yikes. This is why there are kill switches. Of the 18, four are free VPN providers which no one should opt for anyway. One was their own University. The remaining 13 are: Encrypt.me, Hide My Ass!, IPVanish, Ivacy VPN, Pure VPN, Speedify, Trust.Zone, Strong VPN, Astrill VPN, Norton Secure VPN, SurfEasy and Turbo VPN.
- They looked for malicious behavior such as TLS interception and found evidence of manipulation in Betternet (on both macOS and Windows) and Turbo VPN (Windows).
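The two leak classes described above (IPv6 traffic bypassing the tunnel, and all traffic falling back to the physical network card when the tunnel dies) both show up in the routing table, so they can be checked without trusting the VPN software. Below is an added example, not code from this page or from the VPNalyzer project. It parses the text output of the Linux commands ip route show and ip -6 route show, fed here with constructed sample lines, and assumes that VPN tunnel interfaces are named with one of the prefixes tun, tap, wg, utun or ppp (an assumption; adjust for your client). It also understands the classic OpenVPN "redirect-gateway def1" trick of routing 0.0.0.0/1 and 128.0.0.0/1 into the tunnel instead of replacing the default route.

```python
"""Spot VPN leak conditions in a Linux routing table.

Added example (not from the page or the VPNalyzer paper). Paste the output
of `ip route show` and `ip -6 route show` (or `ip route show table all`)
into analyse() and it reports, per address family:
  ok             everything routed into the tunnel, no physical fallback
  fallback-leak  tunnel carries traffic now, but a default route via the
                 physical interface remains, so traffic leaks if the
                 tunnel dies (the VPNalyzer tunnel-failure finding)
  leak           this family is not routed into the tunnel at all
                 (the VPNalyzer IPv6-leak finding)
  no-route       no route at all: traffic fails closed rather than leaking
"""
import re
from dataclasses import dataclass

# Assumed tunnel interface name prefixes; not universal.
TUNNEL_PREFIXES = ("tun", "tap", "wg", "utun", "ppp")

# Destinations that cover the whole address space, either directly or as
# the two halves OpenVPN installs with "redirect-gateway def1".
FULL = {"default", "0.0.0.0/0", "::/0"}
HALVES = {4: {"0.0.0.0/1", "128.0.0.0/1"}, 6: {"::/1", "8000::/1"}}

# "<dest> [via <gw>] dev <iface> ..." ; lines such as "unreachable ..." or
# "local ..." from other tables do not match and are ignored.
ROUTE_RE = re.compile(r"^(?P<dest>\S+)(?:\s+via\s+\S+)?\s+dev\s+(?P<dev>\S+)")


@dataclass
class Route:
    dest: str
    dev: str


def parse_routes(text):
    """Turn `ip route` text into Route objects, skipping unparsable lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m.group("dest"), m.group("dev")))
    return routes


def is_tunnel(dev):
    return dev.startswith(TUNNEL_PREFIXES)


def covers_everything(routes, family):
    """True if these routes, taken together, catch every destination."""
    dests = {r.dest for r in routes}
    return bool(dests & FULL) or HALVES[family] <= dests


def analyse(v4_text, v6_text):
    report = {}
    for family, text in ((4, v4_text), (6, v6_text)):
        routes = parse_routes(text)
        via_tunnel = covers_everything([r for r in routes if is_tunnel(r.dev)], family)
        via_physical = covers_everything([r for r in routes if not is_tunnel(r.dev)], family)
        if via_tunnel and via_physical:
            status = "fallback-leak"
        elif via_tunnel:
            status = "ok"
        elif via_physical:
            status = "leak"
        else:
            status = "no-route"
        report[family] = status
    return report


# Constructed sample output, not captured from a real machine: an OpenVPN
# client using def1 routing, no kill switch, and IPv6 left untouched.
SAMPLE_V4 = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
"""
SAMPLE_V6 = """\
2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""

if __name__ == "__main__":
    for family, status in analyse(SAMPLE_V4, SAMPLE_V6).items():
        print(f"IPv{family}: {status}")
```

On the sample data the script reports IPv4 as fallback-leak and IPv6 as leak. Note that the physical default route is not a bug to delete: the VPN client needs it to reach the VPN server itself (the 203.0.113.10 host route in the sample). The fix for fallback-leak is a kill switch, that is, firewall rules that only permit outbound traffic on the tunnel interface plus the one connection to the VPN server. Also note that wg-quick installs its default route in a separate routing table selected by an ip rule, so for WireGuard feed the script ip route show table all rather than the main table alone.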
ARIZONA STATE UNIVERSITY
Researchers from a number of different universities looked into hacking VPNs. This is an introductory article about their research and findings: Are virtual private networks actually private? by Annelise Krafft of Arizona State University (October 2022).
- Blind In/On-Path Attacks and Applications to VPNs by William J. Tolley and Beau Kujath, Breakpointing Bad/Arizona State University; Mohammad Taha Khan, Washington and Lee University; Narseo Vallina-Rodriguez, IMDEA Networks Institute/ICSI; Jedidiah R. Crandall, Breakpointing Bad/Arizona State University. This was an August 2021 presentation to Usenix. The page has links to both slides and a PDF. Quoting: "... we demonstrate attacks to infer the existence of, interfere with, or inject data into TCP connections forwarded through the encrypted VPN tunnel. In the server-side threat model, we also demonstrate an attack to hijack tunneled DNS queries and completely remove the protections of the VPN tunnel ... Server-side attacks have not been addressed and are still feasible with all operating systems and VPN servers that we tested."
UNIVERSITY of MICHIGAN (again)
OpenVPN is Open to VPN Fingerprinting by Diwen Xue, Reethika Ramesh, and Arham Jain, University of Michigan; Michalis Kallitsis, Merit Network, Inc.; J. Alex Halderman, University of Michigan; Jedidiah R. Crandall, Arizona State University/Breakpointing Bad and Roya Ensafi, University of Michigan.
This was an August 2022 USENIX presentation. The page has both a PDF and slides. Quoting: "To investigate the potential for VPN blocking, we develop mechanisms for accurately fingerprinting connections using OpenVPN ... We identify three fingerprints based on protocol features such as byte pattern, packet size, and server response ... we identify over 85% of OpenVPN flows with only negligible false positives, suggesting that OpenVPN-based services can be effectively blocked with little collateral damage ... Although some commercial VPNs implement countermeasures to avoid detection, our framework successfully identified connections to 34 out of 41 'obfuscated' VPN configurations."
MY USER EXPERIENCES
The experience of using a VPN varies drastically, not only from company to company, but also from operating system to operating system with the same VPN provider. With that in mind, this haphazard section offers some insight into the user experience on a handful of operating systems with a few VPN providers (Windscribe, IVPN, OVPN, ProtonVPN, Mullvad).
See my user experiences (Note: this was moved to its own page November 12, 2023.)
This page: 37 views per day (over 1,215 days) Total views: 44,608 Created: October 17, 2021
Copyright 2019 - 2025