Cybercriminals, spies, overeager retailers and even internet service providers can watch what you do online — but only if you let them.
Based on our performance tests and a comparison of features and pricing, Private Internet Access is the best overall virtual private network (VPN) service. Of the services we tested, it's the best overall performer and the cheapest full-fledged service we've reviewed, at $39.95 per year.
If you're looking for free VPN service, look into Windscribe, which has a very generous plan that gives you 10GB of VPN data per month, more than most people would need outside their homes or offices. At $49 per year, its unlimited paid service costs a bit more than Private Internet Access, but is just as fast and flexible.
Hotspot Shield gives you even more free data at 500MB per day, although it runs ads, but its paid service is also fast. We can't recommend any totally free full-fledged VPN services, but we can recommend several free limited options.
VPN News and Updates
— TunnelBear now supports Siri Shortcuts on iOS 12.
— Windscribe has added support for custom OpenVPN configurations in its Windows and Mac client software.
— Mullvad recommends all users update to client software version 2018.3, following changes made as the result of a security audit.
Why You Need a VPN
A VPN creates a secure tunnel through the internet for your data. Nothing you do will be readable by others until it reaches the VPN servers at the other end of the tunnel.
With hundreds of VPN services and clients available, it can be difficult to decide which one to use. We've extensively tested several popular VPN services that met three requirements: They had both desktop and mobile client software (with one exception), they had VPN servers in many countries, and they offered unlimited data use, at least in their paid versions.
Our Top Picks
For two years running, Private Internet Access has performed the best in our network tests and remained the cheapest full-fledged VPN service we've tried. It has more than 3,000 servers worldwide, supports platforms ranging from Windows and Mac to open-source routers, and lets you customize your tunneling and encryption protocols. You can pay in bitcoin, and you don't have to provide your real name.
Private Internet Access' client interfaces aren't as flashy or cutesy as some other services' software, but they're clear and simple enough for newbies to start right away. A toggle switch reveals all the settings a VPN expert would ever want to play with. You can also skip Private Internet Access' software and connect directly to the servers, or use a third-party OpenVPN client.
The only downsides to Private Internet Access are that you can't select your own username — you've got to stick with an assigned random ID — and that you've occasionally got to reinstall a balky driver in Windows. (There's a button to do this.) Selecting Private Internet Access as our VPN service of choice was almost a no-brainer, but because it's based in the U.S., anyone wary of the FBI may want to consider another service.
Windscribe's standout features are a very generous free service that gives you up to 10GB per month and a moderately priced paid service that lets you connect as many devices at once as you like. (Most other VPN services permit only five at a time.)
Windscribe's network performance was once about average in our tests, but a recent switch in VPN protocols put it on par with Private Internet Access in head-to-head tests. Windscribe is compatible with many platforms (including routers and Amazon Fire and Kodi TV set-top boxes), offers a wide variety of connection options, has a wide geographic reach with hundreds of servers, and presents an appealing, if minimal, user interface.
You can pay for a Windscribe subscription with bitcoin, and you don't even have to provide an email address. The service is based in Canada, which may appeal to users wary of U.S. authorities. The only feature lacking is a kill switch to stop all internet activity if the VPN connection is lost while in use, but Windscribe argues that its built-in firewall prevents data leakage.
We've knocked CyberGhost down a peg from last year's standings because the service's network performance wasn't as great this time around in our tests. Yet it has a feature-loaded, user-friendly interface, with convenient buttons in the Windows client software for streaming media, torrenting files, protecting your Wi-Fi transmissions and evading censorship. (The Mac desktop software has fewer features.)
There are about 3,000 CyberGhost connection points in about 60 countries worldwide. You don't need to provide your real name, just a working email address, and you can pay in Bitcoin to remain nearly anonymous. As with most full-fledged VPN services, you can connect directly from your operating system's network settings or use third-party OpenVPN software to do so. You can also select from among VPN protocols and set up a home Wi-Fi router to use CyberGhost all the time.
CyberGhost is transparent about its company structure, posting photos and bios on its website of everyone from the CEO to the cleaning lady, and privacy fanatics will like that the company is based in Romania rather than the U.S. But CyberGhost's full-service subscription price is among the most expensive month by month — it's far better to just pay for a year at a time.
Goldilocks would love TunnelBear, as it's just right for VPN newcomers. It has a friendly, easy-to-use interface; offers a limited free plan that's ideal for casual use in airports and cafes; is uncomplicated yet offers a fair number of options; has about 1,500 servers in 20 countries; and doles out a large helping of security and privacy.
Even TunnelBear's network performance and pricing are just about average compared to other services we've reviewed, except that you can pay anonymously with cash. The company takes security and privacy seriously, explaining its policies and protocols in plain English, and you can read the results of a third-party security audit on the company website.
However, you've got no choice but to run TunnelBear's client software (unless you use Linux), which may concern some privacy-minded users, and there's no option to set up TunnelBear connections on routers or other devices. Last but not least, this tiny Canadian firm is now owned by U.S. antivirus giant McAfee, which may mean TunnelBear is subject to U.S. search warrants.
Hotspot Shield downloaded files rapidly in our performance tests and has 2,000 servers around the world (including in China and Russia, rare for a VPN service). It offers an easy-to-use, attractive interface, and the Android client app scans your device for malware.
Hotspot Shield also offers an entirely free, ad-supported VPN service, as well as an affordable lifetime subscription. The monthly and yearly costs are rather pricey — confusingly, there's no longer an option to pay for a single year at a time — but you can pay with store gift cards to remain relatively anonymous.
But whether you pay or not, you have to use Hotspot Shield's client software, which is limited to Windows, Mac, Android and iOS. Many VPN services let you connect to their servers in other ways, and privacy advocates say that's the better way to do it.
Hotspot Shield depends on a custom VPN protocol that's not been publicly analyzed by independent experts. We don't know how private or secure it really is. The company has been accused of spying on users (it denies the allegations), and complaints abound online about Hotspot Shield software installing on PCs without users' permission. All this, and the company's U.S. location, may scare away customers who want to protect their privacy.
Mullvad is not that easy to use, with a bare-bones desktop interface and, unlike every other VPN service we've reviewed, no mobile client apps. (You do get instructions on how to manually set up OpenVPN apps.) This service's network speeds were far from great in our tests, and it's fairly expensive, with no discount for paying yearly instead of monthly.
Yet Mullvad is worth a look because it's extremely private and secure. It asks nothing about you when you sign up. Instead, it assigns you a random number that will be your combined username and password. You don't have to provide an email address, and you can pay by mailing cash to the company's headquarters in Sweden. (Mullvad also takes credit cards, PayPal, bitcoin and wire transfers.)
Like many other services, Mullvad permits manual setup of PCs, smartphones and routers, and Linux users can test out a new open-source VPN protocol called WireGuard. Mullvad isn't for everyone, but it's the perfect choice for privacy fanatics.
|Avast SecureLine||Avira Phantom VPN (Pro)||CyberGhost||Express|
|Hotspot Shield||IPVanish||Mullvad||NordVPN||Opera VPN||Private Internet Access||PureVPN||TunnelBear||VPN Unlimited||Windscribe|
|Client software||Windows, Mac, Android, iOS||Windows, Mac, Android, iOS; Chrome extension||Windows, Mac, Android, iOS; Chrome, Opera extensions||Windows, Mac, Android, iOS, Linux, Kindle Fire, Nook, some routers; Chrome, Firefox, Opera extensions||Windows, Mac, Android, iOS; Chrome, Firefox extensions||Windows, Mac, Android, iOS, Ubuntu Linux, Amazon Fire TV||Windows, Mac, Linux||Windows, Mac, Android, iOS; Chrome, Firefox extensions||Windows, Mac, Linux, Android, iOS||Windows, Mac, Android, iOS, Linux; Chrome, Firefox, Opera extensions||Windows, Mac, Android, iOS, Android TV, Amazon FireStick, Kodi; Chrome, Firefox extensions||Windows, Mac, Android, iOS; Chrome, Firefox, Opera extensions||Windows, Mac, iOS, Android, Linux, Windows Phone; Chrome, Firefox extensions||Windows, Mac, Linux, iOS, Android, Amazon Fire TV, Nvidia Shield; Chrome, Firefox, Opera extensions|
|Manual/3rd-party connection||None||None||Above, plus Linux, ChromeOS, Windows Phone, open-source routers||Above, plus ChromeOS, Windows Phone, NAS drives, other routers||None||Above, plus routers, ChromeOS, Windows Phone||Above, plus Android, iOS, routers||Above, plus Linux, ChromeOS, Windows Phone, BlackBerry, routers, ||None||Above, plus routers||Above, plus routers, Linux, ChromeOS, Kindle Fire, NAS drives ||Linux only||Above, plus Roku, Amazon Fire TV, Android TV, routers||Above, plus Windows Phone, Kodi, routers|
|Max. devices connected at once||5||Unlimited||7||3||5||5||5||6||Unlimited||5||5||5||5||Unlimited|
|Number of servers||54||82||3,000+||2,000+||2,000+||1,000+||170||4,000+||500 max desktop; 586 mobile||3,100+||750||1,700||400||500|
|Countries with servers||34||25||60||94||24||60||29||62||3||28||140+||20||52||52|
|Ad blocker||No||No||Yes||No||Only on Chrome extension||No||No||Yes||Yes||Yes||Desktop only||Chrome extension only||No||Browser extensions only|
|Payment options||Credit card, PayPal||Credit card, PayPal||Credit card, PayPal, Bitcoin. more||Credit card, PayPal, Bitcoin||Credit card, PayPal, gift cards||Credit card, PayPal, Visa-branded gift cards||Credit card, PayPal, cash, Bitcoin, more||Credit card, PayPal, Bitcoin, more||n/a||Credit card, PayPal, Bitcoin, gift cards, more||Credit card, PayPal, Bitcoin, gift cards, more||Credit card, PayPal, Bitcoin, cash, more||Credit card, PayPal, Bitcoin, gift cards||Credit card, PayPal, Bitcoin|
|ID required||Real name, street address||Real name, street address||Valid email address||Valid email address||Valid email address||Valid email address||None||Valid email address||None||Valid email address||Real name, email address||Valid email address||Valid email address||None|
|Country of registration||Czech Republic||Germany||Romania||British Virgin Islands||United States||United States||Sweden||Panama||Norway||United States||Hong Kong||Canada/United States||United States/Ukraine||Canada|
|Kill switch||No||Yes||Yes||Yes||Yes||Mac & Windows||Yes||Windows, Mac, iOS||No||Yes||Windows, Mac, Android||Yes||Yes||No|
|Supported protocols||IKEv2/IPsec, OpenVPN, L2TP/IPsec||OpenVPN, L2TP/IPsec||IKEv2, OpenVPN, L2TP/IPsec, PPTP||OpenVPN, L2TP/IPsec, SSTP, PPTP||Catapult Hydra VPN||OpenVPN, L2TP/IPsec, IKEv2,|
|OpenVPN, WireGuard||IKEv2, OpenVPN, L2TP/IPsec, |
|OpenVPN, L2TP/IPsec, SSL proxy||OpenVPN, L2TP/IPsec, PPTP||IKEv2, OpenVPN, L2TP/IPsec, SSTP, PPTP||IKEv2, OpenVPN||IKEv2, OpenVPN, IKEv1, LT2P/IPSec, PPTP, KeepSolid Wise||IKEv2/IPsec, OpenVPN|
How We Test VPNs
One basic test for a VPN service is to check how long a VPN client takes to connect to a VPN server and get online. For our 2018 reviews, we installed each vendor's VPN client software on an HP EliteBook x360 1020 G2 laptop running Windows 10, an iPad mini and a Samsung Galaxy S8 Android phone. (In 2017, we used a Lenovo ThinkPad X1 Yoga notebook, an Apple MacBook Air, a Samsung Galaxy S6 phone and the iPad mini.) We used each device with each VPN service we tested.
Using Wi-Fi on the Windows laptops, we timed how long it took to connect to websites, measured latency times (how long it took a server to respond), and recorded upload and download speeds with Ookla's Speedtest meter, both with and without the VPN activated. We also timed how long it took to download a large video file, both with and without VPN activation.
We measured how quickly a VPN service connected after we clicked the activation button. These readings, and those of the data speed and latency — how long it took to get a response from a destination server — were repeated three times and averaged.
During each test run, we noted how many times (if any) we needed to re-establish the VPN link.
We also used each VPN for a variety of more mundane things, such as receiving and sending email; retrieving, updating and saving Google Docs files; and playing a few online games.
Other VPN Services Reviewed
IPVanish wasn't the top performer in our 2017 round of testing, falling in about the middle of the pack. But it was one of the most reliable VPN services, connecting smoothly and staying connected every time we used it. IPVanish has excellent client software, although you can connect to the company's servers manually, and a decent array of about 850 connection points in 50 countries. However, its subscription price is kind of high, and its U.S. base may be a negative for some potential customers.
Avast SecureLine VPN offers good overall performance and steady connections, and it was the best of the limited-feature services we tested in 2017. But at $80 per year for software installation on five devices, it's more expensive than any full-fledged VPN service that doesn't limit installations. A single Mac or PC license is $60, while iOS or Android licenses are $20 each.
VPN Unlimited has great software that works with many platforms and devices, and the company has servers around the world. But its network performance was among the worst we've seen, and it has a U.S. address despite basing most of its operations in Ukraine.
Opera VPN works only through the Opera web browser, and it shouldn't be used for sensitive communications. Once very fast, Opera's VPN connections were painfully slow in our most recent tests. The Opera VPN mobile apps, which were full-fledged VPN services that performed decently in our 2017 tests, unfortunately closed up shop at the end of April 2018. There's one good feature, though: Opera VPN streamed Netflix successfully from all of its server locations (there are only three of them), which is more than many paid VPN services can do.
Like Avast, Avira got into the VPN business to complement its antivirus offerings. Phantom VPN is easy to use and gives you up to 1GB of data per month for free, making this service ideal for vacation travelers who just need to check email. Its unlimited paid plans are reasonably priced, but it had slow downloads and dropped connections in our 2017 tests.
ExpressVPN has a wide range of client software, a dedicated proxy service for streaming media and its own DNS service. But in our 2017 tests, it dropped many connections and its overall performance was in the middle of the pack. It also allows only three devices to be connected simultaneously per account, and it's one of the most expensive services we evaluated.
NordVPN is easy to set up and use, has more than 1,000 servers across the world, encrypts your data twice, has an easy-to-use Chrome extension to provide a quick proxy service, and is reasonably priced. But its performance in our 2017 tests was only so-so.
PureVPN has servers in more than 140 countries and can be very inexpensive if you pay for two years up front. It also lets you "split-tunnel" your service so that some data is encrypted and other data isn't. But PureVPN was at or near the back of the pack in almost all of our 2017 performance tests. In October 2017, the U.S. Department of Justice disclosed in a criminal complaint that PureVPN had given the FBI customer logs in reference to a cyberstalking case, which kind of negates the entire point of using a VPN.
What VPNs Do and Don't Do
Using a VPN can make it look like you're someplace else. It's a well-worn practice to evade online censorship, as is done in some countries, or to tap into U.S. streaming services while in Europe or Asia. We've used VPNs to read the New York morning paper in Beijing and watch U.S. TV in England.
But there are some caveats. A VPN will give you more privacy but not more security. If you end up on a website harboring malware, the VPN can't prevent you from being infected. (Some of the full-fledged VPN services block known malicious websites.)
Credit: Opera VPNAlso, although your data is encrypted as it travels between you and the far-off VPN server, it won't necessarily be encrypted once it leaves the VPN server to get to its final destination. If the data isn't encrypted — and that depends on the website you're connecting to — then the traffic might be intercepted and read. (One well-known VPN provider was recently accused of inserting ads in users' web browsers, which would violate users' security and privacy.)
If you just want to evade geographical restrictions on streaming content, such as BBC iPlayer or Hulu, you don't need a VPN to do so. You just need a proxy service that will make it look like you're in the right country. There are many free proxy services available, but do your homework before choosing one — some are a bit dodgy.
Finally, Netflix and the BBC are cracking down on VPNs and proxy services. There's no guarantee that a particular service will evade geographical restrictions on a particular day.
Know Your VPN Types
All of the VPN services we've reviewed use the AES-256 encryption standard, which would take a well-equipped hacker with a powerful computer many years to crack. Anyone eavesdropping on your Wi-Fi traffic in a café would see gibberish without the encryption key.
Nine of the VPN services we've tested — CyberGhost, ExpressVPN, IPVanish, Mullvad, NordVPN, Private Internet Access, PureVPN, VPN Unlimited and Windscribe — are what we call "full-featured." If you plan on running all your home internet traffic through a VPN, or you travel frequently, these are the services you should consider.
These services offer many ways to connect, including without the service's client software; support operating systems and devices, such as routers or set-top boxes, beyond just the "big four" operating systems (Windows, Mac, Android and iOS); have hundreds, or even thousands, of servers in dozens of countries; and generally let the user sign up and pay anonymously.
Credit: IPVanish VPNThe flip side is that a few of these full-featured services are pretty anonymous themselves, operating behind shell companies in offshore tax havens. If you're trying to avoid government scrutiny, that's great, but you might have a hard time getting your money (or bitcoin) back in a dispute with the VPN provider.
Two more services, Hotspot Shield and TunnelBear, make you use their client software, which is limited to the big four OSes. You can't connect your home router or other nonstandard devices directly to these service's VPNs. (TunnelBear makes an exception for Linux boxes.)
Avast SecureLine and Avira Phantom VPN are run by antivirus companies as complements to their primary businesses. These services are also limited to Windows, Mac, iOS and Android and don't work without client software. But they offer few features, have a couple of dozen servers at most and don't let you pay anonymously. However, the companies are known quantities, and the services are handy for occasional travelers.
Finally, there's Opera VPN, which is completely free. The desktop version works only within the Opera web browser. But the mobile apps, which are made by a different company, encrypt all the internet traffic to and from an iOS or Android device. However, both the desktop and mobile versions of Opera VPN have servers in only five countries.
There are several different VPN protocols, not all of which are used by all of the VPN services we reviewed. Most operating systems have built-in support for at least one of these protocols, which means you can use that protocol — and a willing VPN service — without client software. The full-fledged VPN services have online instructions for how to do this, as well as how to set up routers to connect directly to the services.
OpenVPN: OpenVPN is very secure, open-source and widely used. Most VPN services support it, but except for Chrome OS and Linux, few operating systems do. This protocol can be used in either TCP (web) or UDP (streaming) mode; the latter is sloppier but faster. You'll need either the VPN service's client software or one of the many free alternatives. Either way, you'll still need to pay for the VPN service.
L2TP/IPsec (Layer 2 Tunneling Protocol with Internet Protocol Security): L2TP is not secure itself, so it's generally paired with the IPsec secure-networking standard. The combination of the two was once thought to be very secure when properly implemented, but some VPN services suggest that you use OpenVPN instead. L2TP/IPsec has native support in Windows, OS X/macOS, Android, Chrome OS and iOS. Most VPN services support it.
IKEv2 (Internet Key Exchange version 2, generally with IPsec): This is a newish standard that is very secure when properly implemented. It has native support in Windows, iOS, and recent versions of OS X/macOS.
SSTP (Secure Socket Tunneling Protocol): SSTP is a Microsoft protocol with native support on Windows Vista and later versions. It's thought to be quite secure, but only Microsoft knows for sure.
PPTP (Point-to-Point Tunneling Protocol): This standard is largely obsolete, with many known security flaws, but it's fast. It has native support built into Windows, Android, and older versions of Mac OS X and iOS; Apple dropped support with macOS Sierra and iOS 10. Use PPTP only for streaming content, as it won't protect your data.