A Defensive Computing Checklist    by Michael Horowitz

NOTE: I gave a presentation on Defensive Computing at the HOPE conference in July 2022

HOME | Full Site Index | Domain Names | VPNs | iOS | Android | About | Rules of the Road | DC Presentation |

VPNs

Topics below: Introduction   Is the VPN working?,   Choosing a VPN - Software Features,   Choosing a VPN - Other Criteria,   Blocking Ads and Tracking while using a VPN,   An FYI on Location Hiding,   Double VPNs,   My User Experience with some VPN client programs

 INTRO

VPNs fall into many categories, the biggest is Consumer vs. business. Business VPNs are run by large companies for their employees. Typically they connect remote employees to the head office, and they may also be used to connect different buildings in different cities to form one big company-wide network. This page is about consumer VPNs, employees of a large company have their own tech support and don't need anything from me.

The two halves of a Consumer VPN are the VPN client and the VPN server. Both terms refer to software, but oftentimes a computer is dedicated to function as a VPN server, so the hardware and software can be thought of as one and the same. The VPN client software connects to a computer running VPN server software. Typically, the VPN client software runs on your devices: phone, tablet, laptop, desktop computer, etc.

With Consumer VPNs, the servers are provided by a VPN company such as Mullvad, ProtonVPN, NordVPN, IVPN and hundreds more.

The connection between VPN client software on your device and a VPN server, somewhere on the Internet, is referred to as a "tunnel". When it is working as designed, all data entering and leaving your computing device travels through the tunnel and is encrypted/decrypted by the VPN software at each end. The term tunnel is quite good, as it illustrates that only the two devices at each end of the tunnel can see the data. To anyone/anything outside the tunnel, all they see is encrypted useless junky bits.

Who is outside the tunnel? The router you are connected to and the ISP connecting it to the Internet. If you are in a public coffee shop, your fellow coffee drinkers are outside the VPN tunnel. Blocking spying by an ISP is especially important in the US, where ISPs are allowed to spy on their customers and sell that data. For details on this see, Internet Service Providers Collect, Sell Horrifying Amount of Sensitive Data, Government Study Concludes by Karl Bode (Oct. 2021).

That a VPN hides everything from the router and the ISP is how people in China can interact with the rest of the world. It is also how students in a school can bypass restrictions and see websites that teachers try to block.

Routers are computers and some routers can function as VPN client, some can function as a VPN server, some can do both and some can do neither. Most likely the router provided by an ISP can not do either function. The advantage to using VPN client software in a router is that all the devices connected to the router are protected by the VPN tunnel created by the router. This can protect devices, such as a Smart TV that are not able to run VPN client software on their own. There are two reasons to use a VPN server in a router. The first is to provide a secure way to access the devices in your home when you are away from home. The other reason is to use your home router as a free replacement for paid VPN providers. Again, when away from home, you can connect to the VPN server software in your home router and use that secure, encrypted tunnel to hide your activities from the devices near you. Note however, that this does let your home ISP spy on you.

Some people have argued that since a "secure" website (using HTTPS) prevents others from reading the content of web pages, there is little need for a VPN. However, others can still tell which websites you visited. In some cases, just the website name gives away too much information. And, websites are not the only thing on the Internet. With mobile apps, for example, you can not tell if data is being transmitted securely or not.

In addition, a VPN will change your public IP address, so you can pretend to be in a different physical location.

• On a trivial level, this can be used to see stuff that is normally restricted by country. For example, Canadians might connect to a VPN server in the US to access American Netflix if our Netflix offers shows that are not available in Canada.
• On a more serious level, this can be used to hide your physical location, just as Tor does. However, Tor only attempts to hide activity inside the Tor web browser, whereas a VPN typically functions at the operating system level and thus controls all the bits coming and going. However, by the time a VPN client program on any computing device connects to a VPN server and creates a VPN tunnel, the public IP address of the device has already leaked. Thus, people who really want to hide their physical location should not use a VPN on their computing device. Instead they should connect to a router with an existing VPN connection.
• And, see the topic below: An FYI on Location Hiding

Picking a VPN provider is mind bogglingly difficult. See one attempt and another and another and another and another and another and another and another. Even agreeing on the criteria to judge them with is impossible. I have my opinions on good/trustworthy VPN providers, email me for my suggestions. The big danger in picking a VPN provider that is not trustworthy is that they can spy on you, in the exact same way that an ISP can spy on you when you are not using a VPN.

If you are using a VPN on a device capable of both Wi-Fi and 4G/LTE/5G (pretty much every smartphone) it is best to disable the network connection that is not connected to the VPN. There is always a chance, especially on iOS, that data can leave the device on the network without the VPN.

New to VPNs? See my article An introduction to six types of VPN software from 2017. I also wrote A Defensive Computing term paper on privacy: VPNs, Tor and VPN routers in 2016 which offers an introduction to VPNs and Tor.

DOWNSIDES TO VPN

On rare occasions a website will refuse to load when you are using a VPN. This screen shot is an example. It says "Access Denied", but the actual problem was the VPN. The error message is very likely not to say that the VPN is the problem. Note that while a website can detect a VPN, this is not always perfect. It may well be that one VPN server is blacklisted but another, from the same VPN provider, is not. Trial and error is needed. Instead of being completely blocked, some websites may just require extra identification when using a VPN.

A VPN will slow down your Internet connection, but it should be quite rare that the slowdown is noticeable. If the speed is noticeably slower, try connecting to a different VPN server, one that is physically close to you. Some VPN software handles this automatically, that is, it tries to find the fastest available server for you automatically. If you prefer manually picking a city or country that you would like to connect to, some VPN software will show you how busy each available VPN server is, in that city/country.

I suppose just having to turn the VPN on and off is a downside for some people. There are some VPNs that can be configured to start automatically when the computing device boots up, but I am not a big fan of the concept. For devices, like all of mine, that are frequently off-line, the VPN client software should be able to wait patiently until the device goes on-line again and then automatically re-connect. Sometimes this works, sometimes not.

VPN tunnels can break, even when the Internet connection is alive and well. So, if you are doing something sensitive, you need to watch the icon that indicates that the VPN is currently connected.

If you are using an iOS device (iPhone, iPad) then it is fairly certain that the VPN is not working. This is a long story that boils down to not trusting any VPN on iOS because they all leak data outside the VPN tunnel. This was first reported by ProtonVPN in March 2020 for iOS version 13. See VPN bypass vulnerability in Apple iOS. I blogged about this in May 2022: VPNs on iOS are a scam and kept updating my blog through August 2022. Security company Disconnect wrote about the problem in March 2022. See Leak advisory: Apple and *All* iOS App Developers Are Able to Unmask VPN Users.

Things to test before and after connecting to a VPN:

• Public IP address: this should change after connecting to a VPN. Many websites will display your public IP address, among them ipchicken.com, checkip.dyndns.com, www.ivpn.net and checkip.synology.com.
• It is one thing for your public IP address to change, it is another to actually be connected to a server run by your VPN provider. Some VPN companies have a tester page that reports whether you are connected to their service or not. Three companies that provide this information on the home page of their website, are OVPN, IVPN and Mullvad (see screen shot). ExpressVPN offers this service on their IP Address Checker page. TunnelBear has it on their Whats My IP page. When they say your IP address is exposed or public, it simply means you are not connected to their service. ProtonVPN and Windscribe do not offer this service at all.
• DNS SERVERS: DNS is a critical foundational technology on the Internet. DNS servers translate the name of a computer into an IP address. It is very dangerous to use unknown DNS servers. Malicious DNS servers can take victims to scam copies of websites and trick them into entering passwords. Every VPN provider offers their own DNS servers so you should see a change after connecting. Your VPN provider should be able to tell you what DNS servers they use, so you know exactly what to look for.
• Detecting a change in DNS servers: The hard part about verifying a change in DNS is that a computing device can get its DNS configuration from many different places. The VPN has an opinion, the Operating System has an opinion, the router has one, each WiFi network can have its own opinion and so can each web browser. If you have a web browser that is not configured to use Secure DNS (a.k.a. Private DNS), then there are assorted online testers that display the currently in-effect DNS servers. My Router Security website has a page devoted to DNS that links to many of these tester sites. If a web browser is using Secure DNS that seems to over-ride everything and you will see the same DNS servers whether connected to a VPN or not. If you like using Secure DNS, then maybe keep one web browser on hand that does not use it, just for this testing. On Windows and macOS, the nslookup command (for ex: nslookup cnn.com) reports on the DNS servers and runs outside a browser. You should definitely see a change in DNS servers when using nslookup before and after connecting to the VPN. Whew.
• WEBSITE LOCATIONS: As described in more detail at the bottom of this page, your public IP address is not the only way that a website learns where you are physically located. Still, we can do a bit of verification that the VPN server is being used for location information by websites. Go to weather.com, which displays the weather for your location at the top of the page. You want the location to be that of the VPN server, not your actual location. Also, search for "weather" at google.com. Google wants to show you the weather for your location, so it may ask for permission to learn your location. Give it permission (Allow) and hopefully you will, again, see the weather for the location of the VPN server. Obviously, the VPN server has to be far from you for these to be useful tests.
• WebRTC: One of the big reasons to use a VPN is to hide your true public IP address. This conflicts with the WebRTC software in most web browsers. After connecting to a VPN, you want to test that WebRTC is disabled in your web browser. Many VPN providers offer a WebRTC tester page, for example, Mullvad has a Connection check and OVPN has a WebRTC leak test. More WebRTC tester pages are on the Test your Router page of my RouterSecurity.org site. Last I checked, both Safari and Chrome do not support WebRTC on iOS. If you use more than one browser, test each one. See also How to disable WebRTC in Firefox? from PrivacyTools.io.
• IPv6: Personally, I have no use for IP version 6. To me, it is a potential avenue for data to leak out of your computer without going through the VPN tunnel. Some VPN client software lets you disable IPv6, some does not. You can test if IPV6 is alive and well at test-ipv6.com. Good results on this test are "No IPv6 address detected" and "You appear to be able to browse the IPv4 Internet only. You will not be able to reach IPv6-only sites.". The Microsoft tester at ipv6.msftconnecttest.com does not produce error messages, it simply fails to load. To me, this is a good result. The DNS leak testing site, ipleak.net, also reports on IPv6 connectivity.
• How to check that your VPN kill switch is working a pcWRT blog (June 2022). I really like the cute trick used to test VPNs that are configured to run at system start-up.
• SOCKETS:

  A deeper audit of the VPN requires a router that can display the details of individual sockets/connections. Very few do. My preferred router, the Pepwave Surf SOHO does, as do all Peplink routers.

  • After making a connection to a VPN server, all communication from your computing device is unlikely to immediately use the VPN. It is best to wait a minute or two to let existing sockets/connections time out. If you have a router that shows every live socket/connection, then you can monitor this for yourself. When all is well, the only socket you should see is the one for the VPN. Anything else is trouble.
  • I ounce found a bug in VPN software by watching the sockets/connections. This screen shot shows a single device with 10 different UDP connections, from port 4500 to port 4500. The screen shot was taken with the VPN software not only not connected, but not running at all. These were old VPN tunnels that had never been closed. I have blocked out the public IP addresses of the VPN servers to hide the identity of the VPN company, so i don't have to engage a lawyer.
  • As per the above, when the VPN connection is closed, you can watch the live sockets/connections to insure the VPN connection is actually terminated.
• THE ULTIMATE TEST: The problem with monitoring the current connections/sockets via a router (above) is that it is a manual process. No one wants to sit and watch this for hours on end. The ultimate test requires a router that offers outbound firewall rules. This is, really, the only way to verify that all data leaving a VPN-connected device is, in fact, going through the VPN tunnel. As it is commonly used, the term "VPN leak" only refers to DNS requests. That is childs play compared to the full audit that a pair of firewall rules can provide.
  
  Doing this requires two firewall rules. The first allows all data to the currently connected VPN server. The second logs anything else leaving the VPN-connected device. It is assumed that the firewall rules are evaluated top to bottom. In the example shown below, the VPN-connected device (computer, tablet, phone, whatever) is at IP address 192.168.1.2. It is connected to a VPN server at IP address 1.2.3.4 on port number 456. The connection uses UDP rather than TCP. The example is from a Peplink router and the green circle with a check means the outgoing traffic is allowed. The second rule catches anything else leaving the device at IP address 192.168.1.2. The red circle with a line through it in the Action column means that the outbound request is blocked. The piece of paper around the circle means that the outbound request is logged. In a perfect world, the second rule should catch/log nothing.
  
  
  Until you have run this type of audit, you have no idea if there is leakage outside the VPN tunnel.
  
  Another way to do the same thing is with one firewall rule that logs everything from the target device's IP address. Start the firewall rule, then connect to the VPN server. You should see the outbound request(s) that establish the VPN connection. This provides a timestamp for the start of the VPN tunnel. Anything else logged by the firewall rule is trouble.

• CUSTOM DNS
  Most VPN companies insist that you use their DNS services. A few let you choose your own DNS provider, if you have one that does the type of blocking you desire.
  
  
  1. IVPN offers custom DNS
  2. Mullvad introduced their custom DNS feature in April 2021. Note that it only allows you to enter an IP address and thus is not a good fit for NextDNS which lets you enter a DoH or DoT server name.
     Aug 22, 2022: I have just been told of a cute trick to link Mullvad Custom DNS with NextDNS profiles using IPv6 addresses. The Setup tab on the NextDNS control panel shows two IPv6 addresses for each of your profiles. It turns out that the ending bits of these IPv6 addresses match the Endpoint ID associated with your profile. One possible downside is that this requires you to enable IPv6 support for the VPN. On the upside, it avoids having to worry about your public IP v4 address changing.
  3. The August 2021 ExpressVPN writeup on this makes no sense at all
  4. Windscribe on Windows gives you a choice of DNS. The default is their R.O.B.E.R.T system which does ad blocking, tracker blocking and has customizable block and allow lists. If you do not want to use R.O.B.E.R.T DNS, you can enter the IP address of another DNS server.
  5. ProtonVPN supports customized DNS on Windows, but only old DNS via an IP address, not Secure DNS (DoH or DoT) via a host name. The feature is not supported at all on iOS.
  6. On Android, there is no need for a custom DNS feature. The Private DNS feature over-rides a VPN and gives you total control.
• ANONYMITY
  One downside of a VPN, compared to Tor, is that the VPN company normally knows who you are. Even Mullvad, and IVPN which take no personal information at all when creating an account, know who you are when you pay with a credit card.
  
  
  • Look for a VPN provider that takes cash or gift cards. Many do.
  • If possible, have someone else pay for the service with their credit card.
  • In July 2022, Mullvad introduced a new wrinkle on anonymous payments. Their blog, Mullvad is now available on Amazon (US & SE) does a poor job of explaining this. On Amazon you can buy a physical card with a scratch off number on it. The number is worth either a year or 6 months of service, depending on how much you pay for the card. The great thing here is that number on the card can be applied to any Mullvad account. There is no way for Amazon to link the purchase of a card to a specific Mullvad account. When the card is purchased, the account it will be used with, does not even have to exist. Still, I suggest using a non-Mullvad VPN when purchasing the card from Amazon. And, do not use an Eero router. Or, maybe have your sister buy the card for you :-)
  • NordVPN has partnered with some retail stores so that you can purchase their VPN with cash. You buy a box which contains a "product key card" What is a product key card? They don't say. Some of the stores are Staples, BestBuy, Walmart, Office Depot, Micro Center and Target.
  • All that said, if you connect to the service from your home, the public IP address of your home can be used to identify you, if the VPN company is either malicious or forced to do so by their government.
• CLIENT SOFTWARE
  This is the software, provided by the VPN company, that you use to control and configure the VPN.
  
  
  • It is likely that a VPN provider will offer very different software on the different operating systems they support. Too many reviews evaluate only one operating system. Even on a single operating system, a VPN provider may offer three different software options (their own software, an open source alternative or the native VPN client in the operating system).
  • Some VPN client software has lots of bells and whistles, great for techies. Others have little more than a simple ON/OFF button, great for non-technical people.
  • The available features vary drastically, with each VPN client app.
  • It is easy to suggest looking for Open Source VPN client software. Open Source means that anyone can review it. However, open source does not, in and of itself, make the software good or trustworthy. The infamous Log4J software, that made headlines in December 2021 and may have the worst software bug of all time, was open source. That said, ProtonVPN, Mullvad and IVPN created their own software and made it open source. Some VPN companies will let you use open source software for the OpenVPN flavor of VPNs. I have done this often, using both of the popular apps, and did not like either one.
• Sometimes using a VPN you may want as much privacy as possible. Other times, you may care more about speed. If so, look for VPN client software that shows you how busy a VPN server is before you connect to it. If you want privacy, pick a busy server where its easier to get lost in the crowd. On Windows, the ProtonVPN client software does this, Mullvad does not. Freedome is designed to be as simple as possible, it hides all server information. Perfect Privacy provides this information on a web page rather than their client software.
• Many VPN companies rent their servers. It is more secure if the VPN provider owns their servers. Many VPN companies use a VPS (Virtual Private Server). It is more secure to not use virtualization (called a bare-metal server or a dedicated server). It is also more secure if a VPN server runs totally in RAM and never writes to the hard disk (called RAM-disk mode). Most VPN companies are mum on these points. A good survey on these two points is at Restore Privacy. It says: ProtonVPN and VPN.ac use dedicated bare-metal servers, all ExpressVPN servers use RAM-disk mode, Perfect Privacy uses bare-metal servers running in RAM-disk mode, OVPN uses dedicated bare-metal servers running in RAM disk mode, that they own. Mullvad owns some of their servers but most are rented.
• As noted in the Android topic, Exodus reports on trackers and permissions of Android apps. VPNs with no trackers: ProtonVPN, Freedome, Mullvad, OVPN and IVPN (note that the number of permissions each app requests vary quite a bit). ExpressVPN has 2 trackers, Tunnelbear and Windscribe have 1 and NordVPN has 4. Last Checked October 2021.
• We can make some judgments about a VPN company (not the service) from the tracking, or lack of it, on their website. In August 2019, Yegor of Windscribe discussed this: Shattering the Grand Illusion of Cookie Flavored Lies. I expanded on the topic in Nov 2019: Judging a VPN by its website. Then, in August 2021, Alfred Ng of The Markup covered this: How Private Is My VPN?. None of these articles looked at a large number of websites. That said, the winners were ProtonVPN, Mullvad, IVPN, Windscribe and AirVPN.
• Kill switch. This is a feature in some VPN client software that looks for a failed VPN tunnel connection and blocks all data leaving the computer until the VPN tunnel is restored. This exists to insure your public IP address is not made available to the Internet. At home, its important, at a coffee shop, not as much. But, what if the VPN client software itself fails? Most likely, this kills the kill switch software too. Few VPN providers will go into the techie details of their kill switch. IVPN does here. The article is poorly written, however, its not clear if it only applies to Windows or not. As of May 2021, ProtonVPN on Windows has two different types of kill switches.
• Split Tunneling: Normally when you create a VPN connection/tunnel you want everything leaving your device to pass through the VPN. But, there are, sometimes, exceptions and that is what split tunneling allows for. For example, some websites block access when using a VPN. Rather than stop the VPN connection, use such a site and then start the VPN, split tunneling lets you specify the websites (really domains) that should not go through the VPN tunnel. When VPN client software is used on a router, the split tunneling feature may let you specify which devices should not pass through the VPN tunnel created by the router.
• Automatic re-connect: Some (many?) people leave the 4G and WiFi on all the time on their phones and tablets. I do not. I only connect to the Internet as needed. If you are like me, you may prefer VPN software that will hang around, twiddle its thumbs while the phone/tablet is offline, and then immediately reconnect when the device goes back online. All by itself. If you expect to manually connect the VPN every time, there surely will be times where you forget.
• ACCESS TO THE LAN
  
  The focus of any VPN is on Internet access, but the LAN side is also dangerous. If the router allows it, your computing device can be attacked by other users of the same network. Local bad guys might target open TCP/IP ports on your device or take advantage of bugs in the operating system. I blogged about this in August 2021: Hiding on a Wi-Fi network. The rare feature is an option in the VPN client software that will cut you off from other devices on the Local Area Network (LAN). Bad guys can not attack a computer they can't see. Sadly, no review of any VPN ever considers this feature. To test this, after connecting to a VPN, run a LAN scanning app such as Fing. In the best case, you will only see your device and the router.
  1. Mullvad on Windows calls this "Local Network Sharing". I tested it and found that it worked.
  2. In their Android app, IPVN calls it Bypass VPN for local networks. In their Windows, macOS and Linux software IVPN calls it Allow LAN traffic when IVPN firewall is enabled. I tested it on Windows 10 and it worked. See a screen shot from v3.4.5 of their Windows software (Dec 2021).
  3. Windscribe on Android calls it "Allow LAN traffic". In my tests this feature did not work.
  4. OVPN on Android has a toggle option called "Communicate with LAN devices". I did not test it.
  5. On iOS, ProtonVPN calls this "Allow LAN connections"
  6. Like many VPN clients, the software from ProtonVPN contains a kill switch. In their writeup, What is a kill switch? they say "Because of the way iOS works, it is not possible to access devices on your local network when the kill switch is enabled." However, this writeup has no creation date, no last review date and it says nothing about the applicable release of their software or iOS. So, it may be ancient.
  7. In October 2021, Sean Gallagher, writing in Ars Technica said: "I use VPNs for very specific purposes - namely, to keep the virtual machines I use for malware hunting segmented from the rest of my network ..."
  8. In September 2021 we learned of a bug in the ARRIS TG2492 router that could leak the public IP address of a computer that was connected to a VPN. The only defense (Virgin Media has not fixed the bug for 2 years) was to block LAN side access while the VPN is active.
• WIREGUARD FROM A ROUTER
  
  If you want to run VPN client software on a router, many VPN providers support OpenVPN. However, OpenVPN requires a level of computing horsepower that many routers do not have. Thus, the VPN connection may be much slower from a router, compared to a laptop or desktop computer. WireGuard is far more efficient than OpenVPN but access to a WireGuard server from a router is not widely supported. I have been testing this with the pcWRT router and found that WireGuard works with OVPN and Windscribe. The company says it also works with IVPN, Mullvad and StrongVPN. pcWRT is based on OpenWRT so it will probably work with any router running a version of OpenWRT. The process was simple, you first generate and download a configuration file on the website of the VPN company and then import that file into the router. In my trivially small testing, I found WireGuard to be 7 times faster than OpenVPN on the pcWRT router.
  
  Another thing to look for when using a router as the VPN client, is a VPN company that has a web page with the current status of their servers. I say this because VPN software on a router does not have the bells and whistles that software for a mobile or desktop OS has. A missing feature is how busy the servers are which is a nice thing to know when choosing which server to connect to. IVPN has just such a server status page. At the time I wrote this, one of their Canadian servers was 100% busy while another one was only 17% busy. Good to know. ProtonVPN also has a server status page. Mullvad has a page listing all their servers, but it does not show busy each one is.
• EXTRA SECURITY
  Some VPN providers have extra security features.
  
  
  1. Hiding the fact that a VPN is being used at all. I am not familiar with the technical details of how this is done.
  2. Two VPN servers (aka multi-hop connections). ProtonVPN calls this Secure Core. You first connect to one of their extra special super secure VPN servers, then your Internet connection is shuttled to one of their normal servers. Needless to say, this will be slower, but it is done so that if the normal server gets hacked or is spied on, your public IP address is still hidden, you will appear to have come from the super secure server. What they don't tell you is that when using this feature, you are limited to only choosing the exit country, you can not choose an individual server/city in your desired exit country. OVPN also supports multi-hop and is now on the second version of the feature. They have a good explanation of the feature here: How Dynamic Multihop works. IVPN also offers a multi hop option and they let you pick any two VPN servers, with the only restriction being that the first/entry and second/exit servers must be in different countries. They support multi-hop with WireGuard and OpenVPN. If you want to use WireGuard from a router, they have nifty way of modifying the WireGuard config file to specify the two different multi-hop servers.
  3. Combine a VPN with Tor. ProtonVPN is one company that offers a combination of Tor and their VPN. The documentation is poor, but you first connect to a VPN server using their app and that server then automatically shuttles your data over to the Tor network. Some of their servers offer this service, most do not. Expect it to be quite slow. This scheme hides the fact that Tor is being used from your ISP. It also allows access to Tor with your regular web browser(s), there is no need to install the Tor web browser. Note that the Brave browser also can connect to Tor and you can use Brave with any regular VPN connection to get the same effect.
• Marketing honesty: Many VPN companies make vague promises of security, privacy and anonymity. This is stretching things. Look for a VPN company that is very clear about exactly what a VPN can and can not do.
• Public IP addresses (for techies only): If remote access is being used to control a router, it can be made much more secure by limiting the source IP address. While businesses often have a fixed public IP addresses, consumers do not, but we can use a VPN to provide one. One approach is to buy a permanent IP address from the VPN provider. Some offer this service, some do not. Another approach is to use a small VPN provider that has only one (or a very small number) server in a given city. Other publicly available services on the network (perhaps remote control of computers) can also be made more secure by limiting the acceptable source IP addresses. On a related note, some websites block access when using a VPN. Another advantage to a fixed IP address from a VPN company is that it may not be blacklisted the same way that their other servers are.
• Installation instructions: Most of the time, you have to install software to use a VPN. The instructions provided by the VPN companies differ greatly. I have seen companies that document every step of the install and others just say run the file you downloaded. You should be able to find the installation instructions on the website of the VPN company.
• FYI: Consider paying for a VPN monthly, at first. Once you are happy with it, then you can then change over to paying on a yearly basis. I say this because many VPN companies charge less per month when you pay for an entire year (or two).
• Wrong criteria: Judging a VPN provider by the number of servers they have is wrong. Its like saying a Toyota is better than a Rolls Royce because there are more of them on the road. More is not better. As noted above, all VPN servers are not the same. And, companies that own their own servers will have fewer than those that just rent a VPS.
• WRONG CRITERIA
  
  
  • Judging a VPN by speed tests is wrong. The purpose of a VPN is privacy, and for this, we give up some speed. Judging privacy is hard, running speed tests is easy. And, speeds vary all the time, you have to live with a VPN provider for a while before you can form an opinion on their speed. Finally, we all have different speed requirements.
  • Logging. Pretty much all VPN companies claim not to log and it is close to impossible to prove. That said, in Jan. 2020, Rae Hodge of CNet wrote: "... EarthVPN, Hide My Ass VPN and PureVPN have all been clocked by privacy advocates for handing over logs to authorities, as has IPVanish ... My beef isn't with any VPN company helping cops catch a child abuser via usage logs; it's with any VPN company that lies to its customers about doing so. The lie that helps law enforcement in the US catch a legitimate criminal is the same lie that helps law enforcement in China arrest a person watching footage of the 1989 Tiananmen Square protests."
  • In December 2021, Consumer Reports tested 16 VPN providers and published a large report: Mullvad, IVPN, and Mozilla VPN Top Consumer Reports' VPN Testing. Their recommendations are not bad but they are not the best either as, again, they used the wrong criteria. For example, they gave too much weight to open source software and marketing. And, they only evaluated on Windows.
• Not a criteria: Every paid VPN provider, that I have run across, offers unlimited bandwidth. Only a free VPN has a monthly or daily cap on data usage. Avoid the free services.
• Not a criteria: You can install the software from a VPN provider on an unlimited number of devices. I can recall only one VPN company where this was not true.
• That said, most VPN providers limit the number of concurrent connections to their service. A typical limit is 5 or 6.

There is more to choosing a VPN provider than just software features.

WHO OWNS THE VPN COMPANY?

1. Kape: In September 2021, Kape Technologies purchased ExpressVPN. They already owned CyberGhost, ZenMate and Private Internet Access (PIA). See Former Malware Distributor Kape Technologies Now Owns ExpressVPN by Sven Taylor. Kape also owns VPN review websites vpnmentor.com and wizcase.com. Speaking of ExpressVPN, there is also this: Edward Snowden urges users to stop using ExpressVPN (Sept. 2021).
2. J2Global owns IPVanish, StrongVPN and PC Magazine and Mashable, both of which, review VPNs. They also own Ziff Davis which, in turn, owns the encrypt.me and Internet Shield VPNs.
3. Some VPN companies are very clear about their ownership:
   IVPN: Who owns your VPN? You should find out (March 2021)
   Mullvad: The ownership and future of Mullvad VPN (September 2021)
   ProtonVPN: Who owns ProtonVPN (undated)
   OVPN: Who are the people behind OVPN? (undated)
   Windscribe: Can a commercial VPN still offer true privacy? (Feb. 2022)
4. Clearly, security company F-Secure runs the Freedome VPN.
5. The About Us page for Surfshark avoids the issue of ownership.
6. The About us page for Astrill says "We are a registered Seychelles company". It does not mention anything else about the company and it says nothing about any of the people involved.
7. The About Us page for TunnelBear has just cartoon pictures of bears. As of March 2018, TunnelBear was owned by McAfee. This despite McAfee offering their own VPN. In November 2021, McAfee agreed to sell itself to a group of Private-Equity investors (Advent International, Permira Advisers, Crosspoint Capital Partners, Canada Pension Plan Investment Board, GIC Private Limited and a subsidiary of the Abu Dhabi Investment Authority).
8. NordVPN and SurfShark are both private companies. In February 2022 it was announced that they are merging, as per this article in PC Magazine: NordVPN's Parent Company Is Merging With VPN Provider Surfshark. Why are they merging? They said "...the merger will open new technical knowledge-sharing opportunities and enable more focused market diversification." Is that what you want in a VPN provider? It was unclear who will run the combined company which will be called Cyberspace. It was registered in The Netherlands.
9. 3 companies control many big-name VPNs: What you need to know by Attila Tomaschek of CNet (Feb 2022)
10. Hidden VPN owners unveiled: 104 VPN products run by just 24 companies by Jan Youngren of VPN review website VPNpro (Oct 2021).

WARNINGS

• Avoid free VPNs. More specifically, avoid VPNs that are always free. Some commercial VPN providers offer limited accounts for free. If you can't pay, use the free service from ProtonVPN, TunnelBear or Windscribe. On iOS, there is also a free version of the Guardian Firewall + VPN app.
• A VPN based in the United States would be my last choice. After all, it the was the US that let ISPs spy on us in the first place. And, Snowden. Granted, this is a matter of opinion, but see too: Are US-based VPNs trustworthy? Here's why I don't recommend them by Rae Hodge for CNet (Feb. 10, 2022)
• 8 Bad VPNs You Must Avoid to Protect Your Privacy by Georgina Torbet for MakeUseOf (Dec 2021). The eight are: Hola, HotSpot Shield, HideMyAss, Facebook Onavo, Opera Free, PureVPN, VPNSecure and Zenmate.
• NordVPN Review: Feature-Rich and Speedy, But Privacy and Transparency Issues Need Attention by Attila Tomaschek and Rae Hodge of CNET (August 29, 2022). Quoting: "From a distance, NordVPN almost looks like the perfect VPN. But with a little digging, we uncovered some pretty major cracks in the facade ... Most notably, we found that NordVPN routes some user traffic through residential IP addresses supplied by a company with a questionable history. The company's overall efforts at transparency also leave quite a lot to be desired ... the company offers nothing in the way of an annual transparency report and [it] is cagey about its partnerships and corporate structure ... Nord operates its main offices physically out of Lithuania, processes payments through the US, maintains legal entities in the UK and Germany, and is owned by a holding company based in the Netherlands." I suggest also reading the section on the Threat Protection feature.
• Windscribe VPN Security Breach: Servers and Private Key Seized by Sven Taylor for Restore Privacy (July 19, 2021). Quoting: "Windscribe, a popular VPN based in Canada, has suffered a major security breach. Ukrainian authorities seized Windscribe servers and also obtained Windscribe's private key, which allows them to decrypt traffic from Windscribe users. Windscribe staff has admitted they failed to properly encrypt their servers ... " See also the two blogs that Windscribe published on the topic: OpenVPN Security Improvements and Changes by Yegor Sak (July 8, 2021) and Ukrainian server seizure - a commentary and state of the industry by Yegor Sak (Aug 24, 2021). This was a bad thing, but does not strike me as a huge big deal. Exploiting the issue to spy on a Windscribe customer would have been very difficult. Also, they were very public about the problem, and what they are doing to fix it, which is all we can hope for from any company with a security problem. Mr. Taylor makes money from the VPN companies he recommends, which does not include Windscribe. Why not? Probably because Windscribe has no affiliates program, no one makes money by recommending them as the best VPN for left handed people with curly hair.
• One of the articles above, Ukrainian server seizure - a commentary and state of the industry by Yegor Sak of Windscribe (Aug 2021) is two things. First, it is an admission of a mistake they made and an explanation of the fixes they implemented. It also, has very technical details on similar mistakes that other VPN providers continue to make, when it comes to OpenVPN. Anyone considering using NordVPN should read the section on the NordVPN 2019 Hack. Likewise, anyone considering or using TorGuard, PIA (Private Internet Access), Surfshark, ExpressVPN and Perfect-Privacy should read the sections devoted to their OpenVPN configurations. The only company that gets a good grade is IVPN.
• From the Wirecutter: "We ruled out some VPNs for trust issues. EarthVPN appears to have lied about its logging practices, while ProxySH confessed to spying on customer traffic in 2013. HideMyAss has handed customer information over to police. The Center for Democracy & Technology filed a 14-page complaint about Hotspot Shield with the FTC, alleging unfair and deceptive trade practices." (Last update Jan 2022)

UNIVERSITY of MICHIGAN RESEARCH

This paper, VPNalyzer: Systematic Investigation of the VPN Ecosystem by researchers at the University of Michigan is long and dense and looks at a number of criteria never found in the tech press. They wrote their own software to perform assorted technical evaluations of VPNs. Their software ran on Windows, macOS and Linux, so nothing in the paper applies to iOS or Android. They studied 80 different VPN providers. Some findings (there is much more) are below.

• IPV6: Only 11 providers out of the 80 tested supported IPv6 connectivity. I have no need for IPv6 specifically for what this research found: four VPN providers leaked IPv6 traffic. Put another way, these four VPNs do not block the user's IPv6 traffic and thus leak IPv6 data to the ISP. The four offenders: Astrill VPN, Norton Secure VPN, Turbo VPN and SurfEasy VPN.
• They looked at the behavior when the VPN tunnel dies and they found 18 VPN providers leaking all user traffic during tunnel failure. Yikes. This is why there are kill switches. Of the 18, four are free VPN providers which no one should opt for anyway. One was their own University. The remaining 13 are: Encrypt.me, Hide My Ass!, IPVanish, Ivacy VPN, Pure VPN, Speedify, Trust.Zone, Strong VPN, Astrill VPN, Norton Secure VPN, SurfEasy and Turbo VPN.
• They looked for malicious behavior such as TLS interception and found evidence of manipulation in Betternet (on both MacOS and Windows) and Turbo VPN (Windows)

Finally: You don't see this every day. In April 2022, the Windscribe blog featured a puff piece on the founder of the company: Who is Yegor Sak? The Man Behind The Meme by Catt Garrod. The article included this: "I started using VPNs in 2009 for my daily Internet activity ... This led me to learn all about what VPNs can and cannot do ... The one that stood out as different and I personally used for years was IVPN. Windscribe was very much inspired by how that company was operated: solid apps, no marketing speak, brutally honest information on capabilities and limitations.".

As a rule, the job of blocking ads and/or trackers falls to your web browser and its extensions. But some VPNs can do this too. One advantage of VPN blocking is that it applies to the entire operating system, not just one web browser. If you connect to one of these VPNs from a router, it can block ads/tracking on any device connected to the router. The downside of any such blocking (in a browser or a VPN) is carving out exceptions to the rules.

These VPNs do blocking:

1. IVPN calls their tracker blocking feature AntiTracker.
2. ProtonVPN calls their ad/tracker blocking feature NetShield. It uses DNS filtering to protect you from malware, blocks ads, and prevent website trackers from following you around the web. It is only available to paid customers.
3. Mullvad added support for custom DNS server configuration on macOS, Windows, Linux and Android in April of 2021. This can be used with an assortment of DNS providers that block ads/trackers. In May 2021, they introduced ad blocking How to set up ad blocking in our app. In June 2021, ad and tracker blocking was a new feature in their iOS app (How we’re knocking down ads and tracking). In March of 2022, they added malware blocking. See Adding another layer: Malware DNS blocking. Their customers can enable or disable each type of blocking individually. They also offer ad blocking for free to anyone, not just their customers, via their secure DNS service. DNS over HTTPS and DNS over TLS (last updated November 2021).
4. OVPN added ad/tracker blocking to their Android and iOS apps in November 2021.
5. At Perfect Privacy, their TrackStop feature blocks ad-tracking and phishing.
6. The Disconnect Privacy Pro SmartVPN blocks trackers on iOS. Their Premium VPN blocks trackers on iOS, Android and macOS.
7. Windscribe VPN offers what they call a "One-of-a-kind customizable server-side domain blocking tool" that blocks ads and trackers. And, you can customize it. They call the feature R.O.B.E.R.T. Their big advantage is that you can easily customize the blocking with your own block list and allow list - much like NextDNS.
8. The Freedome VPN from F-Secure blocks trackers on iOS, Android, Windows and macOS.
9. The Guardian Firewall + VPN app on iOS "blocks digital trackers from secretly collecting your information." It is from the Sudo Security Group. For free, their VPN service alerts about tracking but does not block. I wrote about it in August 2019.
10. On Android, there are three versions of the Blokada ad-blocker. The free version that blocks ads is not allowed in the Play Store. It installs a VPN, but only to block ads by intercepting DNS requests. There was a trivial version in the Play Store that also installed a VPN but all it did was modify the DNS servers. Currently (Feb.2020) the version in the Play Store is called Blokada Slim and it combines the older DNS changer with a fairly new, real, VPN called Blokada Tunnel which costs 5 Euros/month (roughly $5.50 in US dollars). Great feature: customized white and black lists.
11. Coming: AdGuard VPN (Jan 2020). They are writing a new VPN protocol, which is not a good sign.
12. Android 9, 10, 11 and 12: There is an interesting conflict between a VPN and the Android Private DNS feature. Each wants to be in charge of the system-wide DNS. In a test of Android 10 with three VPN providers, Private DNS won out every time. This was not a DNS leak, the DNS requests went through the VPN tunnel and the Private DNS resolver sees requests coming from the VPN server, not from the VPN client. However, in a test with Android 9, the VPN DNS won out. Beats me why. If Private DNS wins, and you use NextDNS, then any VPN can be used alongside the ad and tracker blocking from NextDNS. The best of both worlds. I tested with multiple DNS testers on my RouterSecurity.org site.

All VPNs claim to hide your physical location and/or let you appear to be somewhere else. This stems from the fact that, with a live VPN connection, all data going to/from the Internet passes through the VPN server. Your pubic IP address is that of the VPN server not your home or office. In the old days this was sold for the anonymity it offered. Later, it was sold so that people in the US could listen to the BBC.

But the claim predates smartphones, spy machines that they are. A smartphone can locate itself using GPS, Wi-Fi, cell tower location and probably even Bluetooth (not sure). I have tested Wi-Fi based locating and found it extremely accurate. So, if the phone knows where you are, who is to say whether it leaks this information to the outside world. And the outside world, on a phone or a desktop computer, is not just websites. Modifying your public IP address is not the be-all and end-all that it used to be. It is still a good thing, but it may no longer be sufficient.

The June 2022 issue of Unredacted Magazine had a story about this. The anonymous author is a privacy enthusiast. He uses a router with VPN client software, and the router makes a VPN connection that all LAN side devices pass through. One of the LAN side devices is an Xbox that is Ethernet connected to the router. You might think that the outside world only knows about the physical location of the VPN server. That's what the author of the article thought ... until he checked his Xbox Account Settings page and found a picture of the apartment complex where he lives with a pin in it indicating his apartment. It turns out that the Xbox uses Wi-Fi and that it can not be disabled. The Xbox was spying on him. It listened to all the SSIDs and MAC addresses being broadcast by the routers of his neighbors and calculated his location. VPN be damned.

If hiding your location is really important, it is best to use a device without Wi-Fi or GPS or Bluetooth. On a smartphone or tablet, disable them and hope the phone operating system honors your request. On a cellphone, airplane mode should prevent it from contacting cell towers. I say "should" because I don't know how to verify this. Even if you can not make or receive a phone call, that does not insure that the phone is not communicating with a cell tower. After disabling Wi-Fi, GPS and Bluetooth, re-boot the device to insure that it is not still using a recently detected location.

Clearly, Ethernet is your friend here. iPhones and iPads can use Ethernet with an appropriate adapter. Likewise there are USB type A and USB type C adapters for Ethernet that can be used with any computing device with a USB port.

To put this in perspective, the strongest option is preventing the operating system from knowing where it is. If this is not possible, then you need to try and prevent the operating system from giving the location to applications and to web browsers. In the case of browsers, there are probably configuration options in both the browser and the operating system for this. For more on this, see the Location Tracking topic on the main page.

Windows 10, for example, offers OS level configuration options for Location in System Settings -> Privacy -> Location. In the resulting panel, insure that everything is off. On a lower level, Windows users should probably disable the Windows Geolocation service (a.k.a. lfsvc). The description says that it "...monitors the current location of the system and manages geofences (a geographical location with associated events). If you turn off this service, applications will be unable to use or receive notifications for geolocation or geofences." There may be a down side to disabling this service, I have not tested this extensively. But, I doubt it.

As an example of browser location settings, consider the Location settings for the Chrome browser (the screen shot is from Chrome 93 on Windows). You can access the location settings directly at chrome://settings/content/location. Here is where you control whether the Chrome browser is allowed to tell websites the location of the computer/phone/tablet. This assumes that the operating system and the browser already know the location. One slip-up in configuring this and a VPN can no longer hide your location from a website.

An article on this: How does my browser know my real location when I'm on a VPN? by pcwrt (January 2021).

I have yet to see any VPN provider mention that location blocking should be configured in both the operating system and the web browser that you use. That would burst their marketing bubble.

Fighting with the operating system and the browser is complicated, error prone and, even if done right, involves some trust that the software is doing what its told. The safer approach is to insure the operating system can not learn its location in the first place. Ethernet is your friend.

You can increase your anonymity by using a VPN inside a VPN. Start with a normal Operating System level VPN. Then, while it is connected, use a web browser that has a VPN extension for a different VPN provider.

How does this protect you? The OS level VPN company will only know that you connected to the Browser VPN company. They can not see anything that you do in the browser. The Browser VPN company can see what you do (like any VPN provider) but they do not know where you are. They see you as a customer of the OS level VPN provider. They may, however, know who you are.

If you can be anonymous to the Browser VPN company, all the better. Perhaps the Browser VPN has a limited free tier or a free trial that can be used without providing personal information. Or, you can pay for some VPNs with cash or a gift card. I would avoid any VPN provider that only offers a free service.

Not all VPN companies offer a web browser extension.

NordVPN calls theirs a VPN proxy extension and it works with Chrome, Edge, and Firefox.

Microsoft's Edge browser will soon have a free VPN called the Edge Secure Network. The free tier limits data to 1 gigabyte per month. Worse, however, is that Microsoft requires users to be signed in to a Microsoft account to use the VPN. So, no anonymity there.

TunnelBear has extensions for Chrome and Firefox. It is a paid service with a limited free tier.

Windscribe has extensions for Firefox and Chrome. It too, is a paid service with a limited free tier.

The Opera browser has its own free VPN as part of the browser itself, no extension needed.

The Epic browser includes a free VPN and it can be installed on Android, iOS, Windows and macOS. That said, I am not familiar with it at all.

Not all browser VPN extensions are limited to just the browser, some work at the Operating System level and thus can not provide a VPN inside a VPN. This is true for the ExpressVPN browser extension and the Mozilla VPN. On Android and iOS, Brave includes a VPN (powered by Guardian) that also works at the operating system level.

Another option for double protection is offered by the desktop (Windows, macOS, Linux) versions of the Brave browser which includes access to the Tor network, no need to install an extension. The option is called "New private window with Tor".

A third approach is to run a normal Operating System level VPN on your computing device, while it is connected to a router that has its own VPN connection. This is most secure when each VPN connection is to a different VPN company.

The experience of using a VPN varies drastically, not only from company to company, but even from operating system to operating system with the same company. With that in mind, this haphazard section offers some insight into the user experience on a particular operating system with a particular VPN provider.

ProtonVPN on Windows 10
Software version 1.26.0 March 2022
--The software update process is excellent. You are notified that a new version is available but you are not forced to update. You are told about the new features before doing the update. The update process is painless, just click on a link and, if running as a restricted user, enter the password for an admin user.
--There is a quick connect button that connects you to a fast server that is chosen for you. You can also configure profiles to connect to specific servers. You can not have a profile connect to a specific US state, only to an individual server in the state. That is, you have to pick server TX#34 or TX#35 rather than Texas. The profile also lets you chose the type of VPN: WireGuard, OpenVPN with TCP, OpenVPN with UDP or Smart, which lets them chose for you. Smart is what they suggest. Before you connect, there is a list of your profiles. For each profile, it shows you how busy that specific server is, both as a graph and as a percent. A percent of what? It does not say. Maybe CPU usage, maybe bandwidth, maybe both. Dunno.
--While connected, you can see the pubic IP address of the VPN server you are connected to, the data transmission rate, the total amount of data sent/received (referred to as "Volume"), how long you have been connected and the type of VPN. Some of this information is only shown on the map which makes no sense. What is really nifty is that it shows the current load on the server (again, load of what?). So, the server you are connected to may have been lightly used when you first connected, but now it could be very heavily used so you may want to connect elsewhere. It is very rare to see current server load information in real time.
--Navigation within the app is annoyingly inconsistent. There are two tabs, Countries and Profiles. Fine. But all the other stuff is scattered. Some of the other options exist as small buttons in the Countries tab. The rest are accessed with the three horizontal lines in the top left corner, then clicking on Settings. It is as if one group created the app, then it was turned over to a different group to maintain it and they had different ideas on navigation. One small button in the Countries tab is an on/off for the Secure Core feature. Another is for NetShield which can be set to block nothing, block only malware or block everything: ads, trackers and malware. The last button configures the Kill Switch which can be On, Off, or Permanently On.
--There is a custom DNS option but it only takes an IPv4 address for input. It claims to support Private DNS but all private DNS providers give you a host/server name, no one uses IP addresses This seems half baked.
--A big part of the user interface is a map of the world that struck me as useless and lame. While I was connected to the West coast of the US, the map showed me in Kansas. You can get rid of it (look for a tiny arrow pointing to the left).

ProtonVPN on iOS version 15.5
Software version 3.1.3 May 2022
--User Interface: There are five buttons along the bottom. The easiest is Quick Connect which connects to whatever VPN server the software thinks is best. Countries is self-explanatory, which you click on a country you see the list of all their servers in that country. For each server you see the city it is in and a percentage, which I have to assume is how busy the server is. Click on a server to connect to it. The Map button strikes me as useless.
--Profiles: The Profiles button presents a list of profiles. You are not shown the type of VPN used by any of the profiles. Profiles that connect to a specific server, only show the country and the server number. They do not show the city where the server is. Even when editing the profile, the city is not shown. You can make up for some of this missing information in the name of the profile. Instead of one specific server, a profile can also connect to the Fastest server in a country or a random one. After not using the app for a while, I could not figure out how to edit a profile. There is an edit button tucked away in the corner of the screen.
--Features: The app supports WireGuard, IKEv2, OpenVPN with UDP and OpenVPN with TCP. The default is "Smart", which means the app chooses the protocol for you. The NetShield feature can block either malware alone or malware, ads and trackers (great). There is a Kill Switch and an option to Allow LAN connections (I did not test it). Debugging is built into the app. In the Settings section, it can show three different logs: Application, OpenVPN and WireGuard.
--While connected: a green stripe (good color choice) confirms the VPN is connected. You see the public IP address of the server, the city it is in, its number, the protocl being used and how long the VPN has been connected in what seems to be HH:MM:SS format. Again, nothing is explained. The Quick Connect button changes to a Disconnect button while the VPN is connected.
--Problems: The Always-on VPN option is not an option. Its always on. I don't like this on a conceptual level. Also, I suspect it may not interact well with the Airplane Mode feature. Worse is that in testing I did in May 2022, the VPN seems to have leaked. In fairness, I suspect this is an iOS problem not a ProtonVPN problem. However, their tech support has been less than ideal. The details are here.

OVPN on Windows
Software version 2.0.0 and 2.1.0 April/May 2022
--Installation: There is a huge installation problem. Now that their software includes WireGuard, it MUST be installed while logged on to Windows as an administrator. It can not be installed if the currently logged on Windows user is restricted/standard. In and of itself, this is not a huge big deal, but two decisions by OVPN make it much worse. The first is that they don't tell you this. You have to complain to tech support that the installation failed, provide them with debugging information (which you have to do on your own, unlike when the app is running) only to find out later the real cause of the problem. Both the software and their website should warn people about this, neither does. Adding insult to injury, when the software detects a new version, it will not let you continue to use the old version. This is no way to run things.
--Features: The interface for picking servers manually is great, it shows both how busy each server is and the ping time to the server (screen shot). On the other hand, the scrollbar for scrolling through the list of servers is much too narrow. It can also chose the best server in a country of your choice, or just chose the best server, period. Once connected, there is no indication of how busy the server is. Usually you can pick individual servers to connect to, but on one computer, it only let me connect to the best server in a specified country, not sure why. There is a question mark next to every configuration option that takes you to a dedicated web page with an explanation of what that option is. Great. (screen shot). There is a Support feature that lets you describe a problem and report it to them, optionally with logs and diagnostic data. Nice touch. There is also a button to show the log files. The software keeps two different types of logs on your computer. The Kill Switch is on by default (good). IPV6 is off by default (good). Launch on boot is on by default (not my preference). The software supports OpenVPN and WireGuard. OpenVPN is the default and it can run with either UDP or TCP which is pretty standard. Only a single port is supported for OpenVPN (but they are different for UDP and TCP). While connected, the app has two different graphs of bandwidth usage. There is an icon in the system tray. When connected, it is green, when disconnected it is yellow. Good choice of colors. When connected with OpenVPN, you can not access devices on your LAN. Tech support was great when I asked about this, they said that with the WireGuard software from WireGuard, you can connect with LAN devices. I did not try it.
--Wireguard: Wireguard is a constant problem with OVPN. Very often it fails to connect due to key management. Other VPN providers do not seem to have this problem and I do not fully understand it. To fix it, you have to logon to the OVPN website and expire old keys. The error handling for this is not the best. For example, the first time I tried to connect with Wireguard on a Windows machine, it just ignored me. There was no error message and no VPN connection either.

OVPN on Android version 12
App software version 0.8.0 released Feb. 10, 2022. Observations from May 2022.
Originally OVPN relied on open source OpenVPN software on Android. Now, they now have their own app (it was first released in 2020). The app only supports WireGuard and has relatively few features. That said, it does have two features that I consider important: it can block ads and trackers (always does both) and it can hide you on the LAN. On the other hand, I did not like how it handles WireGuard keys. While you can install the OVPN software on an unlimited number of devices, there can only be six active WireGuard keys and I often maxed out. When this happened, the app failed to connect and the error message was useless. More than once I had to logon to their website and delete one of the active WireGuard keys before I could connect.
--Connecting: VPN servers can be chosen for you automatically, or you can pick your own manually. The automatic approach requires you to first choose a country, then the software will pick a server in the country for you. Each country is identified with a "ms" number. What the number is, they don't say. It is probably the ping time to a server in the country. To pick a favorite server (it does not keep a list of your favorites) manually you first select a country, then it shows all the cities in the country with, again, a ms number. When you select a city, it shows all the servers in that city along with a percentage, which I assume is the server load. Based on using their Windows software, their servers are never very busy, which is great.
--While connected: it shows the city, country and IP address of the VPN server (screen shot). It also shows how many minutes you have been connected. Nothing else. There is no speed or bandwidth information. It is annoying that the blue circle rotates all the time. On Windows, a similar blue circle only rotates when making a connection, then it stops once connected.
--Configuration: There is a toggle option to Block ads and trackers. There is another toggle option to "Communicate with LAN devices". i did not test this.

OVPN on iOS version 15.5
App software version 0.5.0 dated Feb. 2022. Observations from May 2022.
The user interface on iOS is, by and large, a duplicate of the user interface on Android (see above). Here too, only WireGuard is supported. As on Android, there is an option to block ads and trackers (only does both). However, it does not have the an option for blocking LAN side communication. Maybe this is unnecessary as a recent addition to iOS was the ability to block LAN side communication? I am not sure.

Windscribe on Windows 10
Software version 2.3.16 April 2022
It does not display workload information for individual VPN servers (their Android app does). There is a link to download the software at windscribe.com/download but there is no link to any installation instructions. That said, the installation process is painless. On Windows 7, there is no way to get an icon for the software in the system tray. You either see the software on the task bar or you see nothing at all. And, while the taskbar entry does change to indicate the connected status, the change is very subtle and easily missed. On Windows 10, there is a system tray icon. Some setup options are in the section with the list of servers, other options are in different sections you find in the hamburger menu. So, inconsistent. The index of sections in the hamburger menu is icons rather than words which I find a constant annoyance. The list of countries to connect to seems haphazard and is a lot to scroll through. The software can be installed by a restricted/standard user and yet it includes Wireguard. This is different and much better than OVPN (above). The app is ugly. The app does not have a standard Windows title bar which makes it hard to move it around the screen. It is hard to scroll in the app because the scrollbar is far too narrow. Tip: make the app window taller to avoid vertical scrolling.
--Features: There is a MAC spoofing option, which is unusual and might be a good thing, but there is no explanation of it in the app. There are five different VPN protocols to chose from. It is confusing however that OpenVPN with UDP is called UDP (same for TCP) in the app, so unless you do some homework, no idea it is OpenVPN. Dumb design. Two off-the-beaten-path types of VPN it supports are WStunnel and Stealth. WireGuard and OpenVPN are supported on five different (fixed) ports, which is great. IKEv2 has to use port 500, such is the protocol. Before connecting it does not tell you how busy each server is, but it does show the ping time. This is not all that helpful in finding a city/server close to you. There are no profiles. There is an option to Kill TCP sockets after connection. This is rare and a very good thing. It insures that existing connections between Windows and the Internet are terminated when the VPN is activated, so that everything is forced to use the VPN tunnel when communicating with the Internet.
--DNS: You can use a custom DNS while connected to the VPN which is nice. Their normal DNS service, ROBERT, blocks many ads and trackers. When I need to do something that ROBERT blocks, there is no need to update the ROBERT rules (but you can). Instead, I specify another DNS service in the "DNS While Connected" field. This requires disconnecting and re-connecting before it takes effect, which you are not told.
--While connected: The software tells you very little about the current connection. It does not tell you how long you have been connected, the total data uploaded/downloaded, the current speed or how busy the server is. It does tell you the public IP of the VPN server, the type of VPN (IKEv2 seems to be the default) and the port number. When you disconnect, it tells you how long you were connected and some other bandwidth number. Not sure about what that number is because it is displayed for only a second, literally. Update: By accident, I discovered that if you hover the mouse over the type of VPN or the port number, there is a pop-up telling you how long you have been connected (with no label as to hours or minutes, just a string of numbers) and the amount of data transferred. In which direction(s) was this data transferred? Don't say.
--Firewall: The kill switch is called a firewall, a constant annoyance. There is a toggle for it in the main part of the app. One way the indicator is white/black, the other way it is white/blue. Which is on and which is off is not obvious at all. Elsewhere in the app, ON is indicated by green/black, so inconsistent.
--There is a toggle option to Allow LAN traffic but there is no documentation on it. I searched their Knowledge Base for the option and came up empty. Seems to not work. With it set to OFF, I was able to get to the web interface of my router. I was also able to run a LAN scanning program and see other devices on my LAN. Worse, a LAN scanning program on another device was still able to see my VPN connected PC. This is bad. Tech support at Windscribe said "The logs ... show that you did disable the Allow LAN Traffic option but, the firewall was turned off ... Therefore, despite having the Allow LAN traffic option disabled, when the firewall is deactivated, you will still be able to access your LAN resources" Again, when they say "firewall", they mean Kill Switch. So, somehow the Kill Switch needs to be on for LAN traffic to be blocked. Again, there is no documentation on this which is disgraceful. With the Kill Switch on, some things were blocked, others were not. Ongoing....
--Un-install: An un-install of the app leaves information behind. I used it for a bit, uninstalled it for a while, then when I re-installed the software, there was no need to provide my Windscribe userid/password. It was still on the computer.

Windscribe on iOS version 15
App software version 3.0.0 (262) April 2022
The lack of explanation is a huge issue. Before connecting, some servers have a number next to their name which I assume is the ping time. I have to assume because there is no column heading in the display. Some servers have no number, what that means is a mystery. When I connect to a VPN there is a huge warning "This network is unsecured". What that means, I have no idea. It is not even clear if the message refers to the local Wi-Fi network or the VPN server it is about to connect to. The expanded explanation under this message is: "Unknown is unsecured, meaning you don't wish to use Windscribe while on this network" WTF? After a few times, the "unknown" was replaced with the SSID in my home, so its not complaining about the VPN server. What does it think is wrong with my home network? No idea. Its WPA2 Personal and, trust me, quite secure. While connected to the VPN, the app provides no information at all. For assorted toggle switches, the app uses black/white to indicate OFF and green/black to indicate ON.
--Features: The option to "Show Location Load" is off by default. When enabled, the app shows a green line of varying length under each section of a country (i.e. Canada West) and a green line under each server. What is the green line? Is a longer line better than a shorter one? None of our business, there is no explanation. The app supports three types of VPN: IKEv2, WireGuard and OpenVPN (on either UDP or TCP). With both WireGuard and OpenVPN, six different connection ports are available, a nice defense from blocking.

Windscribe on Android version 12
App software version 3.1.887 May 2022
See a screen shot of the app. When you first login, there is an option to display the password as you enter it. This is helpful for those of us with long passwords. It takes some tweaking, but the app can show both the load and the ping time for each VPN server. The big down side is that there is no easy-to-find documentation on the configuration options. There is a Help section in the app but that links to general help that is not focused on the options in the Android app. OVPN was much better at documenting each configuration option. You can configure R.O.B.E.R.T (their DNS system that blocks ads/trackers and more) in the app, which is great. Compared to their Windows software, the Android app has a better user interface. That said, the version number of the software is in the General section rather than the fairly standard About section. Also, it does not do landscape mode.
--Configuration General options: I always change the "Display Latency" from Bars (the default) to Ms. This takes effect immediately if you are currently connected to a VPN server. One one Android device the Ms did not display at all. Another device was fine. I did not investigate. The "Show Location Load" option is OFF by default. Turn it on. It adds a green line underneath each displayed VPN server. The problem, however, is exactly what does the green line indicate? Is a long line (more green) better or worse than a short green line? If green is good, then more green is better? Or, is it showing the load on the server, in which case a shorter line is better and they should not have chosen a bright green color. This change also takes effect immediately, even if the VPN is active. The option for Haptic feedback is ON by default, I always turn it off. There is a toggle option for "Notification stats" that does not seem to do anything. Speaking of toggle options, they are too hard to toggle. The slider is much too small. The list of servers is presented in geographic sequence by default, which I find sub-optimal. I suggest changing the sort order to Latency so that countries near you sort to the top. That said, this sequencing is far from perfect. Eventually the sorting sequence won't matter to you as you can set Favorite VPN servers that display in their own section of the app. That said, I have lost my favorite VPN servers many times, the last time a password reset wiped them out.
--Configuration Connection options: Connection Mode is perhaps the most important option in this section. It defaults to Auto which uses IKEv2 and port 500. If you opt for Manual, you can chose other types of VPN connections (such as WireGuard) and also pick from a small list of allowable port numbers. The option to "Allow LAN traffic" is OFF by default. This is the more secure default.
--While connected: It says "ON" which is good. It also shows the type of VPN connection (such as WireGuard or IKEv2), the port number and the public IP address of the VPN server. There is no bandwidth information while connected.
--Location Load: Windscribe has a comprehensive status page at windscribe.com/status. I mention it because it too has green lines underneath each VPN server. It also shows the load on the server as a number which makes it obvious that shorter green lines mean a lesser load.

Copyright 2019 - 2022