Another trip around the Sun, and another year of massive development in the world of the best VPNs. 2025 has been a journey, and with age verification at the center of the news, even more internet restrictions, and Australia's controversial social media ban for under-16s coming into force, VPNs have never been more popular.
"What were the biggest VPNs stories this year?" I hear you cry. Well, you've come to the right place. There are plenty to choose from, so I'll split this up into two sections – World News, and Software Innovations.
World News
You might not expect VPNs to have featured all that prominently in the news at large this year, but they have been directly linked to some of the biggest stories of the last 12 months.
UK and US adoption of age verification
In July, we saw the UK introduce the Online Safety Act (OSA), which demands that websites hosting content that is inappropriate for children enforce robust age-verification checks before allowing access. Methods used include using banking data, submitting government-issued ID, and even facial scanning.
Understandably, many people baulked at the thought of submitting such highly personal information to essentially unknown companies, and instead decided to use VPNs to evade the checks. Due to this, we saw a massive spike in VPN sign-ups in the wake of OSA, and adult site traffic from the UK dropped a massive 77%.
Similar laws have been put in place in the US, with 25 states – including Michigan, Missouri, and Arizona – requiring comprehensive age verification before accessing adult sites. Check out our complete US age-verification timeline for more details.
Opponents of these laws claim that they are a severe privacy concern that puts both children and adults at risk. Some have gone so far as to say that they are cynical plans to normalize mass surveillance under the guise of protecting children, and a preparation for even stricter identity verification procedures in the future.
Australia's social media ban
In a similar vein, in December, Australia enforced its social media ban for under-16s. This saw the accounts of children under 16 deleted, with recovery possible in the future. Controversially, rather than verifying an individual's age through the app store, the Australian Government mandated that each age-restricted app enforce the age verification itself.
This meant that if you were wrongly blocked from all 10 apps that came under the ban, you could realistically expect to submit your ID to six or more different age-verification companies. This opens up far more scope for hackers, and one bad move by any of these companies could result in hundreds of thousands of compromised identities.
Again, people flocked to VPNs to try to evade the ban – although we've seen that VPNs are not quite as effective, compared to evading the website-based age verification we've seen in the UK and US.
Attacks on VPNs from the West
The situations above all occurred against a wider background of hostility towards VPNs as a whole. As tools which allow individuals to avoid surveillance, VPNs have begun to elicit behavior we might generally associate with regimes such as Russia and China from Western countries like France and the UK.
Earlier this year, French broadcaster Canal+ won a landmark anti-piracy case in which a number of top VPNs were made to block 203 domain names associated with piracy. Much like the age-verification stories above, on the surface this appears to be fairly noble. However, commentators like the i2 Coalition claim that this "fundamentally threatens the privacy and security of millions of users in France and beyond," and may pave the way for more lawsuits against VPNs to ban more politically charged domains.
Something similar is happening in the UK. In December, Members of Parliament debated a petition to revoke the Online Safety Act. However, the discussion quickly turned from the stated topic towards whether VPNs should also require age verification, and any possible action that might be taken against them. Little movement is expected for several years, but the wheels appear to be in motion.
Software Innovations
VPNs themselves also came a long way in 2025, and we've covered a huge number of product updates in the last year. I can't feature every single update patch here – nor would you want me to – so I'll focus on the trends we're seeing overall, and the biggest breakout tech.
A new generation of VPNs
A number of new VPNs launched or came to the forefront this year, and three names stand out in particular: NymVPN, Obscura VPN, and VP.NET. Each one of these challenges the "traditional" VPN model, by purporting to offer greater privacy, reducing the amount of data that it is possible for the VPN to collect, or increasing anonymity alongside privacy.
NymVPN is the most established. Backed by Chelsea Manning, NymVPN operates a "mixnet," which combines your traffic with other traffic, and then routes it through five different "nodes" before sending it on its way. It's a little like Tor, but operated privately, rather than using publicly hosted nodes. This all helps to both hide your traffic from your internet provider, and obscure your metadata, too. As with many privacy-focused VPN innovations, it's probably overkill for the everyday user – but it's a very interesting approach for those who need ultimate privacy.
Obscura VPN operates on a slightly simpler principle. It has partnered with Mullvad, and acts like a double-hop VPN – Obscura does the initial encryption and hides your traffic from your internet provider, and then passes it on to Mullvad, which sends it on to your destination. Doing this means that neither Obscura nor Mullvad can see both your real IP address and the website you're visiting. In theory, this ensures that it is impossible to make a connection between your identity and your activity.
Finally, VP.NET is a little more unorthodox. It claims to be "the only VPN that can't spy on you," says it "physically cannot monitor, log, or reveal your activity," and has released its source code to back up these statements. It separates your identity from your activity by using SGX-based secure memory "enclaves." In layman's terms, VP.NET inserts a step between encrypting data on your device and sending it on to its destination, which means it can't see what you're browsing. Although quality traditional VPNs do not log your activity, there's generally nothing stopping them from doing that if it wanted to.
Big names on the front foot
To keep up with these young upstarts, established VPNs have grown enormously, and there has been a huge amount of refinement of existing features alongside growing suites of products.
This year we saw ExpressVPN improve hugely – and also drop its pricing in the process. From completely remaking its Lightway protocol in Rust and launching the ultra-fast Lightway Turbo for Windows, to redefining Dedicated IP and being one of the only VPNs to offer split tunneling on Mac, there's clearly been a lot of investment behind the scenes.
It has also been a big year for audits, and while they're not an absolute seal of approval – make sure to check the results yourself – audits go a long way to proving that VPNs really do what they claim.
So, deep breath… Proton VPN passed its fourth no-logs audit and its first SOC 2 Type II audit – the latter verifying its business security credentials – NordVPN passed an infrastructure audit and a security audit, Norton VPN passed a second no-logs audit, ExpressVPN passed a third no-logs audit, and the previously mentioned Obscura VPN passed its first audit of any kind. Windscribe also proved its no-logs policy in court, which in reality is even better proof.
Finally, it's clear that as the market grows more congested, price becomes an ever-more important differentiator. This Black Friday, we saw Proton VPN go cheaper than it has ever been, ExpressVPN launched its first ever Black Friday deal, while elsewhere we saw Surfshark discount its excellent One plan for the first time. As times become tighter, people are voting with their wallets, and it's clear that VPNs need to be affordable to get ahead.
Post-quantum encryption
While post-quantum encryption (PQE) has been on the horizon for a while now, 2025 saw a few big VPNs really invest in the future-proofing tech.
Early on in the year, ExpressVPN announced that its Lightway protocol had been upgraded to support ML-KEM post-quantum encryption. This meant that anyone connecting with Lightway was using post-quantum encryption, and that their data was safe from any "store now, decrypt later" attacks.
Big rival NordVPN responded a few months later by introducing PQE in all of its apps. It was first available in 2024 in its Linux app, but this update saw it made available on all mainstream platforms when using the NordLynx protocol. Finally, Windscribe announced in October that connections made with WireGuard would be protected by PQE.
Expect to see more and more VPNs adopt PQE in 2026. For example, Proton VPN has told us that it is "monitoring" the situation, and is waiting for industry standards to be set before developing its own version of PQE.
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
