Why You Need a VPN
Cybercriminals, spies, overeager retailers and even internet service providers can watch your internet traffic to find out what you do online — but only if you let them.
To stop them, consider using a virtual private network, or VPN, which creates a secure tunnel through the internet for your data. Everything you do will be unreadable by the rest of the internet until it reaches the VPN servers at the other end of the tunnel.
Credit: Adobe StockWith hundreds of VPN services and clients available, it can be difficult to decide which to use. We extensively tested several popular VPN services that met three requirements: They had desktop and mobile client software, they had servers in many countries, and they offered unlimited data use, at least in their paid versions.
Based on our performance tests and a comparison of features and pricing, Private Internet Access is the best overall VPN service. Of the services we tested, it's the best overall performer, has the most servers and is the cheapest full-fledged VPN service we reviewed, at $39.95 per year.
Both Private Internet Access and one of our two runners-up, IPVanish, are based in the United States, which may deter some customers who are trying to evade Uncle Sam. Our other runner-up, CyberGhost, is based in Romania, which has strong privacy laws.
News & Updates
AmpliFi announced Teleport, a piece of hardware that lets you create a secure tunnel back to your home network when you're traveling. You'll need an AmpliFi HD router on the home end. The connection from the home router out into the internet won't be protected, however, unless you have a regular VPN as well. (You could create a similar system with an old computer and free OpenVPN software.) AmpliFi is taking pre-orders of $199 and up via Kickstarter.
PureVPN may have shared customer logs with the FBI in a Massachusetts cyberstalking case, according to an affidavit filed by an FBI special agent. We've reached out to PureVPN and will update this note when we receive a reply.
How We Test VPNs
One basic test for a VPN service is to see how long a VPN client takes to connect to a VPN server and get online. We installed each vendor's VPN client software on a Lenovo ThinkPad X1 Yoga notebook, an Apple MacBook Air, an iPad mini and an Android-based Samsung Galaxy S6 phone. We used all four devices with all VPN services.
- Using Wi-Fi on the X1 Yoga, we timed how long it took to connect to websites, measured latency times (how long it took a server to respond), and recorded upload and download speeds with Ookla's Speedtest meter, both with and without the VPN activated. We also saw how long it took to download a 428MB file of a 4K video shot by NASA about the International Space Station, both with and without VPN activation.
- We measured how quickly a VPN service connected after we clicked the activation button. These readings, and those of the data speed and latency — how long it took to get a response from a destination server — were repeated three times and averaged.
- During each test run, we noted how many times (if any) we needed to re-establish the VPN link.
- We also used each VPN for a variety of more mundane things, such as receiving and sending email; retrieving, updating and saving Google Docs files; and playing a few online games.
|Avast SecureLine||Avira Phantom VPN (Pro)||CyberGhost (Premium Plus)||Express|
|IPVanish||NordVPN||Opera VPN||Private Internet Access||PureVPN|
|Client software||Windows, Mac, Android, iOS||Windows, Mac, Android, iOS||Windows, Mac, Android, iOS||Windows, Mac, Android, iOS, Linux, BlackBerry, Kindle Fire, Nook, routers||Windows, Mac, Android, iOS, Amazon Fire||Windows, Mac, Android, iOS||Windows, Mac, Linux, Android, iOS||Windows, Mac, Android, iOS, Linux, Chrome extension||Windows, Mac, Android, iOS, Chrome, Firefox extensions|
|Max. devices at once||Depends on plan||Unlimited||5||3||5||6||Unlimited||5||5|
|Number of servers||27||40||875||145||850||1,044||500 max desktop; 586 mobile||3,251||750|
|Countries with servers||19||20||29||94||60||57||5||25||141|
|Ad blocker||No||No||Yes||No||No||Yes||Yes||Yes||Desktop only|
|Payment options||Credit card, PayPal||Credit card, PayPal||Credit card, PayPal, Bitcoin||Credit card, PayPal, Bitcoin||Credit card, PayPal, Bitcoin, more||Credit card, PayPal, Bitcoin, more||n/a||Credit card, PayPal, Bitcoin, gift cards, more||Credit card, PayPal, Bitcoin, gift cards, more|
|ID required||Real name, street address||Real name, street address||Valid email address||Valid email address||Valid email address||Valid email address||None||Valid email address||Real name, email address|
|Country of registration||Czech Republic||Germany||Romania||British Virgin Islands||United States||Panama||Canada||United States||Hong Kong|
|Kill switch||No||Yes||Yes||Yes||Yes (Mac & Win)||Yes (Win, Mac, iOS)||No||Yes||Yes|
|Supported protocols||OpenVPN, L2TP/IPsec||OpenVPN, L2TP/IPsec||OpenVPN, L2TP/IPsec, PPTP||OpenVPN, L2TP/IPsec, SSTP, PPTP||OpenVPN, L2TP/IPsec, IKEv2,|
|OpenVPN, L2TP/IPsec, SSTP, IKEv2,|
|OpenVPN, L2TP/IPsec, SSL proxy||OpenVPN, L2TP/IPsec, PPTP||OpenVPN, L2TP/IPsec, SSTP, IKEv2, PPTP|
Our Top Picks
Private Internet Access was our top overall performer and the cheapest full-fledged VPN service we tried out, and it has more than 3,000 connection servers. The only downside is that you can't select your own username. Making Private Internet Access our VPN service of choice was almost a no-brainer, but anyone wary of the U.S. government may want to consider another service.
CyberGhost was one of the best and most reliable performers in our tests. Unlike most other full-fledged VPN services, it's transparent about its company structure, with online profiles of all staffers, including the office cleaning lady. Privacy fanatics will like its Romanian location, and there's a decent free option. But CyberGhost's full-service subscription is expensive.
IPVanish wasn't the top performer in our tests, but it was one of the most reliable, connecting smoothly and staying connected every time we used it. It has a decent array of connection points and reasonable pricing, but its U.S. base may be a negative for some potential customers.
Avast SecureLine VPN offers good overall performance and steady connections, and was the best of the limited-feature services we tested. But whereas most VPN services have a single license for all of a user's devices, Avast SecureLine VPN charges you for each Windows computer, plus extra for Mac software or an iOS or Android app. Fortunately, Avast recently introduced a package deal of $80 per year for up to 5 devices of any platform, making SecureLine VPN a little less expensive than it previously had been.
Opera VPN is really two different services. The free desktop version works only through the Opera web browser, and while it's very fast, it shouldn't be used for sensitive communications. But the mobile apps, also free to use, are full-fledged VPN services that perform decently and are perfect for occasional travelers who are seeking to avoid the risks of hotel and airport Wi-Fi networks.
Like Avast, Avira got into the VPN business to complement its antivirus offerings. Phantom VPN is easy to use and gives you up to 1GB of data per month for free, making it ideal for vacation travelers who just need to check email. Its unlimited paid plans are reasonably priced, but it had slow downloads and dropped connections in our tests.
ExpressVPN has the largest range of client software available, a dedicated proxy service for streaming media and its own DNS service. But it dropped many connections, its overall performance was in the middle of the pack, it allows only three devices to be connected simultaneously per account and it's one of the most expensive services we evaluated.
NordVPN is easy to set up and use, has more than 1,000 servers across the world, encrypts your data twice, has an easy-to-use Chrome extension to provide a quick proxy service, and is reasonably priced. But its performance was only so-so.
PureVPN has servers in more than 140 countries and can be very inexpensive if you pay for two years up front. It also lets you "split-tunnel" your service so that some data is encrypted and other data isn't. But PureVPN was at or near the back of the pack in almost all of our performance tests. In October 2017, the U.S. Department of Justice disclosed in a criminal complaint that PureVPN had given the FBI customer logs in reference to a cyberstalking case.
What VPNs Do and Don't Do
Using a VPN can make it look like you're someplace else. It's a well-worn practice to evade online censorship, as in China, or to tap into U.S. streaming services while in Europe or Asia. We've used VPNs to read the New York morning paper in Beijing and watch American TV in England.
But there are some caveats. A VPN will give you more privacy, but not more security. If you end up on a website harboring malware, the VPN can't prevent you from being infected. (A couple of the full-fledged VPN services have started blocking known malicious sites.)
Credit: Opera VPNAlso, although your data is encrypted as it travels between you and the far-off VPN server, it won't necessarily be encrypted once it leaves the VPN server to get to its final destination. If it isn't encrypted — and whether it is depends on the website you're connecting to — then the traffic might be intercepted and read. (One well-known VPN provider that we haven't yet reviewed was recently accused of inserting ads in users' web browsers, which would violate users' security and privacy.)
If you just want to evade geographical restrictions on streaming content, such as BBC iPlayer or Hulu, you don't need a VPN to do so. You just need a proxy service that will make it look like you're in the right country. There are many free proxy services available, but do your homework before choosing one — some of them are a bit dodgy.
Finally, Netflix is cracking down on both VPNs and proxy services. There's no guarantee that a particular service will evade Netflix's geographical restrictions on a particular day.
Know Your VPN Types
All of the VPN services we reviewed use the AES-256 encryption standard, which would take a well-equipped hacker with a powerful computer many years to crack. Anyone eavesdropping on your Wi-Fi traffic in a café would see gibberish without the encryption key.
Six of the VPN services we tested — CyberGhost, ExpressVPN, IPVanish, NordVPN, Private Internet Access and PureVPN — are what we call "full featured." If you plan on running all your home internet traffic through a VPN, or you travel frequently, these are the services you should consider.
These services offer many ways to connect; support operating systems and devices beyond just the "big four" operating systems (Windows, Mac, Android and iOS); have hundreds, or even thousands, of servers in dozens of countries; and generally let the user sign up and pay anonymously.
Credit: IPVanish VPNThe flip side is that a few of these full-featured services are pretty anonymous themselves, operating behind shell companies in offshore tax havens. If you're trying to avoid government scrutiny, that's great, but you might have a hard time getting your money (or bitcoin) back in the event of a dispute with the VPN provider.
Two other services — Avast SecureLine and Avira Phantom VPN — are run by antivirus companies as complements to their primary business. These VPN services offer fewer features; are limited to Windows, Mac, iOS and Android; don't work without client software; have a couple of dozen servers at most; and don't let you pay anonymously. But the companies are known quantities, and the services are handy for occasional travelers.
Finally, there's Opera VPN, which is completely free. The desktop version works only within the Opera web browser. But the mobile apps, which are made by a different company, encrypt all the internet traffic to and from an iOS or Android device. However, both the desktop and mobile versions of Opera VPN have servers in only five countries.
There are several different VPN protocols, not all of which are used by all of the VPN services we reviewed. Most operating systems have built-in support for at least one of these protocols, which means you can use it — and a VPN service that supports it — without client software. Most of the full-fledged VPN services have online instructions for how to do this, as well as how to set up routers to connect directly to the services.
OpenVPN: OpenVPN is very secure, open-source and widely used. Most VPN services support it, but except for Chrome OS, few operating systems do. It can be used in either TCP (web) or UDP (streaming) mode; the latter is sloppier but faster. You'll need either the VPN service's client software or one of the many free alternatives. (Either way, you'll still need to pay for the VPN service.)
Credit: ShutterstockL2TP/IPsec (Layer 2 Tunneling Protocol with Internet Protocol Security): L2TP is not secure itself, so it's generally paired with the IPsec secure-networking standard. If properly implemented, the combination of the two is very secure. It has native support in Windows, OS X/macOS, Android, Chrome OS and iOS. Most VPN services support it.
IKEv2 (Internet Key Exchange version 2, generally with IPsec): This is a newish standard that is very secure when properly implemented. It has native support in Windows, iOS and recent versions of OS X/macOS.
SSTP (Secure Socket Tunneling Protocol): SSTP is a Microsoft protocol with native support on Windows Vista and later versions. It's thought to be quite secure, but only Microsoft knows for sure.
PPTP (Point-to-Point Tunneling Protocol):This standard is largely obsolete, with many known security flaws, but it's fast. It has native support built into Windows, Android and older versions of Mac OS X and iOS; Apple dropped support with macOS Sierra and iOS 10. Use PPTP only for streaming content, as it won't protect your data.