A VPN (Virtual Private Network) is a network created by private companies to shield their customers against external surveillance while they surf the web, stream videos or download torrents. Commonly used by businesses to facilitate remote working and data protection, they are just as useful for everyday web users and are becoming even more popular in a world where online threats are mounting by the month.
How does a VPN work?
Using a consumer-focused VPN is extremely simple. The first step is to download and install a VPN client. Using the client software, you can establish a connection with the VPN network, and your browsing will instantly be shielded.
VPN services typically have lots of servers around the globe and handle thousands of simultaneous connections. When connected to a VPN, instead of data being routed via your Internet Service Provider (ISP) to the target destination, it is transferred via a network of servers maintained by the VPN provider. When it reaches the target, it seems that the data has originated from these servers, instead of your own computer. Additionally, your ISP can only see you connecting to a VPN server IP, rather than the final destination.
The process involves creating what is known as a VPN tunnel. This uses special tunneling protocols to “wrap” packets of data in a layer of encryption, so that any interceptor would be unable to make any sense of it.
Should I use a VPN?
There are many excellent reasons to use a VPN, whether you are running a business or browsing the web from home. Here are some of the benefits of using a VPN connection:
- Masking your identity from outsiders. This has obvious benefits for privacy, but it can also be handy for getting around the geo-blocking of streaming services, like Netflix and others.
- Getting around government censorship. By obscuring your online destination, VPNs can trick censors.
- Encrypting data. VPNs encrypt any data that you send via the network, providing a much deeper level of security than standard browsing.
- Saving money. Thanks to the way they work around geoblocking, users of VPNs can get better deals by switching their virtual location.
- Expanding choice. Services like Netflix don’t offer the same portfolio of TV shows or movies in every country or region, so your favorite movie could be unavailable. Unless you use a VPN, that is, because the VPN can make it seem as if you are anywhere in the world.
- Protecting work data. Businesses use VPNs to facilitate secure, simple remote working, giving their staff the kind of flexibility and agility the modern economy demands.
- Secure torrenting. Many countries, particularly in the West, have been clamping down on copyright violations, many of which occur over P2P (such as torrents). A VPN will protect you from the prying eyes of the copyright police.
- Improved connection speed. This may sound counter-intuitive, but VPNs can actually improve your connection if your ISP is throttling your speed (particularly for certain activities, such as P2P).
- Protection on unsecured wifi hotspots. Cafes and airports are notorious hunting grounds for hackers, who can place themselves between you and the router, intercepting all your data. Well, there’s not much use doing that if your data is encrypted.
Any of the above applications is a good reason to use a VPN service. However, one overarching theme ties all these disparate bullet points together: anonymity and privacy in a digital world, where much of life happens out of sight and takes the form of binary data. From talking to loved ones, to voting, to entertainment, all of it is just data, and all of it travels through entities that don’t necessarily have your best interests at heart.
VPN services let you take charge of your data, hiding you behind a veil and minimizing your exposure.
VPNs come in two major forms: software VPNs and hardware VPNs.
Software VPNs are based on installable clients that run inside your OS. These clients run the encryption and authentication processes required to guard your privacy. VPN services use tunneling protocols to create an encrypted “tunnel,” which protects your traffic as it flows from your device to the VPN server.
Software VPN solutions are a convenient option for people who aren’t well-versed in working with router firmware and flashing apps onto external hardware. The best clients are both extremely easy to set up and highly effective.
Instead of buying a separate piece (or even pieces) of hardware, the users of a software VPN can just install an application and be up and running within moments.
We can further divide Software VPNs by the sort of device or platform they were created for. In that sense, they can be Mobile VPNs, Desktop VPNs, or various types of VPN addons/extensions.
Mobile VPNs are simply VPN apps for iOS, Android, Windows Phone, Blackberry, and other mobile operating systems. Like computer-based VPNs, they work by creating a “tunnel” between your phone and the VPN server you use to access the internet.
The differences between these clients and their Desktop brethren are dictated by the device: their interfaces are adapted for touchscreens, their features are tailored for the types of activities people normally engage in on their mobile devices, etc.
Because of the way cell phones work, mobile VPNs need to be a bit more sophisticated than other forms. For instance, they may need to deal with transitions from mobile data to wifi as you move around town. This is why tunneling protocols such as IKEv2 are often favored over OpenVPN.
Smartphone resources tend to be more limited than computer resources, so VPN tools have to be efficiently coded and have the smallest possible memory footprint.
For all of these reasons, it makes sense to take care when choosing a VPN on mobile devices. We’ll look a little more at how to make your decision in a moment, but first let’s run through a few very good reasons to install a VPN on your mobile device.
Desktop VPNs
These are software VPNs for desktop operating systems, such as Windows, macOS, Linux, Chromebooks, and other, rarer OS types. There are significant differences between these clients because different operating systems have different needs. For example, as an inherently less-secure OS, Windows requires VPN apps to include DNS leak protection.
When we talk about VPN hardware, what do we mean? Hardware VPN usually refers to a VPN service that runs on a network router.
With a hardware VPN, everything the VPN needs to do is handled by a standalone piece of tech. This device will deal with the authentication procedures and encryption processes which lie at the heart of any VPN and may also provide a special firewall for extra safety. VPNs require a lot of computational power and, depending on the load, some routers may require an additional processor to run smoothly.
This is very different from a software VPN, where the authentication and encryption processes are carried out by a client on the user’s computer. However, hardware VPNs do tend to require a hardware VPN client to operate, so they aren’t purely separate from computers and other digital devices.
Hardware VPN for home use
While it’s certainly possible to set up VPN hardware in your own home, this requires both more effort and more money.
Why would you want to make the effort to set up a hardware VPN in your home? Actually, there are quite a few advantages:
- With VPN hardware, device management is easier. All of your devices can be protected via a central router, allowing users to add Amazon Fire Sticks, PlayStation 4 consoles, computers, and tablets onto a single VPN-protected network. That definitely beats installing clients on all devices that require protection.
- A hardware VPN client will always be active, or at least for as long as your router is turned on. So there’s no need to remember to activate your client: it just slips into gear and protects you automatically – a neat fail-safe for some users.
- VPN hardware for home use makes it easier to add new devices without worrying about security. This can be a big help for people who like the idea of the Internet of Things, but have some reservations about privacy and security.
Hardware VPN for business
If anything, hardware VPN solutions are more popular among professional users. Due to their adaptability and reliability, they often represent the most efficient and effective enterprise-wide solution for network security.
Of these two considerations, adaptability is probably the more important one. When you manage a business network, the composition of that network can change daily. New users might bring in laptops, workstations might come on or offline – it’s a recipe for confusion.
Implementing VPN hardware for business makes sense because it (largely) takes human error out of the equation, and makes life easier for the staff.
Moreover, there are significant cost considerations for businesses to think about. Implementing VPN hardware can work out much cheaper than installing a reliable VPN solution on every computer.
Estimates vary, but one expert has calculated the cost of setting up a VPN hardware device for a workforce of 1,000 people at around $8,000 per year. That includes initial setup costs, and also factors in ongoing maintenance. So it’s not a huge outlay for larger companies.
A site-to-site VPN is a direct VPN connection between two endpoints. For us to understand how site-to-site VPN works, we need to consider two offices (office A and B) located in different towns. The employee in office A needs to access a database, which is stored on a server that is in office B. Both offices are connected with peer VPNs. The two peers are connected via the internet.
VPN A must initiate a connection request to VPN B. If the security configuration and policy permit, VPN A authenticates VPN B. VPN A then uses a tunneling protocol to establish a secure tunnel. The employee can now access the database in office B as if they were physically present. The firewall strictly monitors the flow of data within the tunnel.
Site-to-site VPNs can be sorted into either extranet-based or intranet-based VPNs. An intranet-based VPN is used when an organization has more than one branch office and wishes to establish a secure intranet connection via a WAN. An extranet-based VPN enables a company to extend its LAN to another company it trusts (for example a supplier). In this case, they share resources without getting into each other’s separate intranets.
Paid vs Free – which is better?
There are two general types of free VPN services. The first is the type that’s free and has no paid version. The second lets you have a limited free version with the hopes of upselling (getting you to buy the paid version). About the former there is a good saying that goes “If it’s free, you are the product.” Usually, this means the VPN service is tracking your online activity and selling that data to those who use it for strategic marketing. Some might say “so what?” but for many that’s defeating the entire purpose of using a VPN.
The other category is a lot safer to use, but there’s a different issue. Because the business model of these VPN services is to sell subscriptions, the free version is usually very limited. The most common limitations are:
- How much data you can download/upload.
- Server switches.
When you subscribe to some of these “free” VPNs, you actually have to enter your payment details. It’s not unheard of for them to charge you for a month if you use up all your data allowance. There are other ways some of these VPNs try to trick the user, so be wary.
Paid VPNs are not ideal, but they are a lot more powerful and trustworthy.
Why VPN security matters
When analyzing and using VPNs, security should be your number one priority. Why is this the case? Using insecure VPNs is almost as bad as having no VPN at all. In fact, it could be far worse. If users feel protected when they actually are not, they might let their guard down and share information or data which puts them at risk. VPNs can give a false sense of security, so it’s vital to choose wisely.
Badly run VPNs can leak DNS data or sell data on your online activity to marketers. They might use out of date (and easy to hack) encryption. Despite people knowing about the risks for years, many VPNs remain vulnerable to IPv6 leaks, connection drop leaks, WebRTC leaks – you name it. All of these VPN security vulnerabilities leave users wide open to hacking attempts or government surveillance.
Then there’s the integrity of the VPN service providers themselves. Even though they protect individuals against outside actors, VPNs have privileged access to the data and identity of their customers, which can be used for nefarious purposes.
A significant proportion of VPN users rely on them for protection in rather sensitive situations. Perhaps they’re journalists or political activists, hiding from the malicious gaze of government agencies. Or perhaps they’re simply torrenting and would rather not get hit with fines. Whatever the case may be, using a faulty VPN can cause a nasty surprise.
The protection granted by VPN services is in great measure the product of encryption, which is applied to all data within the VPN tunnel. The stronger the encryption – the more secure the user will be. When we talk about encryption within the context of VPNs, we usually mean three separate variables:
- Data encryption. This is the most-commonly mentioned aspect of encryption. The most common cipher at the top of the VPN market is AES-256, which is often referred to as “military-grade” encryption by VPN service providers. However, there are other popular ciphers in use as well. One of these is AES-128, another is ChaCha20 – both are very secure alternatives. Less secure data encryption ciphers are variants of Blowfish or DES, which are sometimes also seen.
- Handshake encryption. The handshake is basically the algorithm for initiating encrypted communication between devices. Common examples include RSA-2048 or RSA-4096, Diffie-Hellman key exchange, and others.
- Hash authentication. This refers to the hash algorithms used to authenticate encrypted messages. Common examples include SHA-1, SHA-2 and SHA-3 (SHA-1 is considered insecure) and MD5.
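To make the three variables concrete, and to show the packet “wrapping” described under “How does a VPN work?”, here is a toy tunnel in Python. It is an added illustration, not code from the article or from any VPN product: the handshake is plain Diffie-Hellman over a deliberately tiny constructed group (the Mersenne prime 2^127 - 1), the data cipher is a keystream built from HMAC-SHA256 standing in for AES-256 or ChaCha20, and hash authentication is HMAC-SHA256 over each wrapped packet. The IP addresses are constructed from the RFC 5737 documentation ranges. The point it demonstrates is structural: the inner packet, with the real destination, is only readable after the tag verifies and the payload decrypts, while an on-path observer such as your ISP sees just the outer header to the VPN server and an opaque blob.

```python
"""Toy VPN tunnel: handshake, data encryption and hash authentication.

Added illustration, not the article's code. The cipher is a keystream
derived from HMAC-SHA256 (standing in for AES-256/ChaCha20) and the DH
group is tiny; none of this is secure enough for real use.
"""
import hashlib
import hmac
import secrets
import struct

# Constructed demo group: Mersenne prime 2^127 - 1, generator 2. Real VPNs use
# 2048-bit+ MODP groups or elliptic curves; this one just keeps numbers short.
DH_P = (1 << 127) - 1
DH_G = 2


def dh_keypair():
    """Handshake: ephemeral Diffie-Hellman key pair (private, public)."""
    private = secrets.randbelow(DH_P - 2) + 1
    return private, pow(DH_G, private, DH_P)


def dh_shared_secret(private, peer_public):
    """Handshake: both sides compute the same secret from the other's public value.
    A real VPN also signs the server's value (e.g. with an RSA-2048 certificate)
    so an active attacker cannot swap it out; that step is omitted here."""
    return pow(peer_public, private, DH_P).to_bytes(16, "big")


def derive_keys(shared_secret):
    """Derive independent encryption and authentication keys from the secret."""
    enc_key = hmac.new(shared_secret, b"demo enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"demo mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream_xor(enc_key, nonce, data):
    """Data encryption: XOR with a keystream of HMAC(enc_key, nonce||counter)
    blocks. Symmetric, so the same call decrypts. Toy cipher, demo only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encapsulate(enc_key, mac_key, inner_packet):
    """Wrap an inner packet for the tunnel: encrypt, then append an HMAC-SHA256
    tag (hash authentication) over nonce||ciphertext."""
    nonce = secrets.token_bytes(12)
    ciphertext = keystream_xor(enc_key, nonce, inner_packet)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decapsulate(enc_key, mac_key, tunnel_payload):
    """Check the tag in constant time before decrypting; None means tampered."""
    nonce, ciphertext, tag = tunnel_payload[:12], tunnel_payload[12:-32], tunnel_payload[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return keystream_xor(enc_key, nonce, ciphertext)


def observer_view(outer_src, outer_dst, tunnel_payload):
    """All an ISP or hotspot owner sees: outer addresses and an opaque blob."""
    return {"src": outer_src, "dst": outer_dst, "length": len(tunnel_payload)}


def run_demo():
    # Constructed addresses (RFC 5737 documentation ranges).
    client_ip, vpn_server_ip, web_server_ip = "203.0.113.10", "198.51.100.5", "192.0.2.80"
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    client_secret = dh_shared_secret(c_priv, s_pub)
    server_secret = dh_shared_secret(s_priv, c_pub)
    enc_key, mac_key = derive_keys(client_secret)
    # The inner packet carries the real destination; the outer header only
    # names the VPN server.
    inner = f"{client_ip}>{web_server_ip}|".encode() + b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tunnel = encapsulate(enc_key, mac_key, inner)
    seen = observer_view(client_ip, vpn_server_ip, tunnel)
    tampered = bytearray(tunnel)
    tampered[20] ^= 0x01  # flip one ciphertext bit: the tag check must fail
    return {
        "secrets_match": client_secret == server_secret,
        "recovered": decapsulate(*derive_keys(server_secret), tunnel),
        "observer_dst": seen["dst"],
        "destination_visible": web_server_ip in repr(seen),
        "tamper_rejected": decapsulate(enc_key, mac_key, bytes(tampered)) is None,
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design choices carry over to real protocols: the encryption and authentication keys are derived separately rather than reusing one key for both jobs, and the receiver verifies the tag (with a constant-time compare) before it decrypts anything, so a modified packet is dropped rather than partially processed.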
The importance of strong encryption cannot be overstated, particularly if your data is very valuable/sensitive.
Security features of VPNs
Now let’s move onto the features that make VPN apps secure. Outside of the tunneling protocols and encryption standards, we are looking at additional things like the kill switch, leak protection measures, and other goodies. Here is a comprehensive list of security features offered by various VPN services:
- Kill switch. This feature deals with one type of situation: what happens when your VPN connection breaks? Normally, your computer would carry on with whatever it was doing over your regular connection, revealing whatever you were trying to hide by using a VPN. A kill switch stops all traffic when your VPN connection is disrupted. There are two general kill switch categories – network kill switches and app kill switches. The first stops all traffic; the second stops all traffic from certain apps (from a list you define). This is a very important feature which any respectable VPN must have.
- DNS leak protection. When you enter a URL into your browser address bar, your browser has to look up the IP address of the host (e.g. amazon.com). It does this by sending a request to a Domain Name System (DNS) server, which acts as a sort of internet phonebook. Normally your computer uses the DNS server supplied by your Internet Service Provider (ISP) to resolve such requests. When you use a VPN, all traffic, including DNS requests, should go through the VPN tunnel, so the ISP’s DNS server never sees who sent the request and thus doesn’t know who is visiting amazon.com. Unfortunately, for various reasons (especially on Windows), DNS requests can go outside the VPN tunnel, which means your ISP will know what websites you are visiting. VPN providers usually build some sort of DNS leak protection feature into their apps to prevent this from happening. Also, the better VPN providers run their own DNS servers.
- IPv6 leak protection. If your IP address is IPv6, but your VPN can’t handle IPv6 requests, your IPv6 address may leak. To protect against such situations, VPNs either block IPv6 or support the standard.
- Multi-hop. VPN providers like to brand this feature – Double VPN (NordVPN), Secure Core (ProtonVPN), etc. It is quite rare, but not unheard of. Multi-hop is basically the function that allows you to string together several (usually 2) VPN connections – the client connects to one VPN server, and instead of going straight to the host the traffic first goes to another VPN server. This makes it even more difficult to trace where the request came from, although it’s probably not entirely impervious. A common misunderstanding is that multi-hop encrypts your data twice – this is wrong, because it gets decrypted at the VPN server and then re-encrypted. Either way, multi-hop is the sign of a security-centric VPN. One thing to mention: it places a heavy burden on the user’s connection, so speeds will suffer.
- Tor over VPN. Combining the Tor network with VPN for a higher level of security/privacy. Tor, short for “The Onion Router”, is a browser and free online network, whose purpose is to preserve the user’s anonymity. The network consists of volunteer routers or relays – anyone can become one. Instead of your computer contacting a server, the traffic is sent on a journey through several (or several hundred) of these relays. The traffic is encrypted – levels of encryption are added or removed at each relay (depending on which way the traffic is going). This makes it very difficult for observers to know what you are doing online. Tor is not ideal in terms of security, but combining it with VPN makes it more or less ideal. The speed of this will likely be worse even than multi-hop.
- Malware protection. Some VPN services have an integrated web browser safety feature, usually combining malware protection and an ad blocker. Like most malware protection tools, this will check the websites you’re visiting against a blacklist of known malicious websites. It will also block third-party trackers. Unfortunately, these features are usually a lot less effective than browser extensions like Ghostery.
- Stealth mode/protocol. Countries intent on censoring what people can see online may employ advanced measures to prevent VPN use. For example, it is a well-documented fact that China uses Deep Packet Inspection (DPI) to seek out OpenVPN traffic on a network and then proceeds to block it. Because of this, many of the top VPN services have begun using various methods to lessen the effectiveness of DPI. The basic idea behind these is to make VPN traffic “look like” HTTPS traffic or something entirely unrecognizable. The usual tools to achieve this are XOR-patched OpenVPN, Stunnel, and Obfsproxy.
- Split tunneling. Not strictly a security feature, but it determines which traffic the other features protect. Split tunneling allows the user to create lists of domains or apps (or devices, if you’ve set the VPN up on your router) which should only be accessed through the VPN, and others which should not.
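The kill switch, DNS leak and IPv6 leak bullets above all describe the same underlying failure: traffic leaving over the physical interface when it should have gone through the tunnel. Split tunneling is the one case where that is deliberate. The audit below, written in Python as an added example rather than anything from the article or from a VPN vendor, runs those checks over a constructed log of outbound flows (the `key=value` line format, interface names, app names and RFC 5737 addresses are all constructed for the example). It treats the VPN client’s own connection to the server as legitimate, skips apps on the split-tunnel exemption list, flags anything that escaped while the VPN was down as a kill-switch failure, and otherwise reports DNS queries and IPv6 traffic that bypassed the tunnel.

```python
"""Leak audit over a constructed device flow log.

Added illustration, not the article's code. Checks outbound flows for traffic
escaping while the VPN is down (kill switch), DNS queries outside the tunnel,
IPv6 traffic outside the tunnel, and honours a split-tunneling exemption list.
Log format, interface names, app names and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

VPN_SERVER = ipaddress.ip_address("198.51.100.5")  # constructed tunnel endpoint
TUNNEL_IFACE = "tun0"
SPLIT_TUNNEL_EXEMPT = {"printer-app"}  # constructed: apps the user chose to keep outside the tunnel


@dataclass
class Flow:
    ts: str
    vpn_up: bool
    iface: str
    app: str
    dst_ip: "ipaddress.IPv4Address | ipaddress.IPv6Address"
    dst_port: int
    proto: str


def parse_flow(line):
    """Parse one 'key=value' log line; IPv6 destinations are written as [addr]:port."""
    fields = dict(token.split("=", 1) for token in line.split())
    host, _, port = fields["dst"].rpartition(":")
    return Flow(fields["ts"], fields["vpn"] == "up", fields["iface"], fields["app"],
                ipaddress.ip_address(host.strip("[]")), int(port), fields["proto"])


def audit(flow):
    """Return the findings for one flow; an empty list means it behaved."""
    if flow.iface == TUNNEL_IFACE:
        return []                              # inside the tunnel: as intended
    if flow.dst_ip == VPN_SERVER:
        return []                              # the tunnel's own outer connection
    if flow.app in SPLIT_TUNNEL_EXEMPT:
        return []                              # split tunneling: deliberately bypasses
    if not flow.vpn_up:
        return ["kill-switch-failure"]         # anything escaping while down is a failure
    findings = []
    if flow.dst_port == 53:
        findings.append("dns-leak")            # resolver asked outside the tunnel
    if flow.dst_ip.version == 6:
        findings.append("ipv6-leak")           # v6 traffic the VPN did not capture
    return findings or ["tunnel-bypass"]


# Constructed sample log: one healthy tunnel flow, one DNS leak, one IPv6
# leak, one split-tunnel exemption, one flow that escaped while the VPN was
# down, and the client reconnecting to the VPN server.
SAMPLE_LOG = """\
ts=2024-01-01T10:00:00 vpn=up iface=wlan0 app=vpn-client dst=198.51.100.5:1194 proto=udp
ts=2024-01-01T10:00:01 vpn=up iface=tun0 app=browser dst=192.0.2.80:443 proto=tcp
ts=2024-01-01T10:00:02 vpn=up iface=wlan0 app=browser dst=203.0.113.53:53 proto=udp
ts=2024-01-01T10:00:03 vpn=up iface=wlan0 app=browser dst=[2001:db8::80]:443 proto=tcp
ts=2024-01-01T10:00:04 vpn=up iface=wlan0 app=printer-app dst=192.168.1.20:631 proto=tcp
ts=2024-01-01T10:00:05 vpn=down iface=wlan0 app=browser dst=192.0.2.80:443 proto=tcp
ts=2024-01-01T10:00:06 vpn=down iface=wlan0 app=vpn-client dst=198.51.100.5:1194 proto=udp
"""


def audit_log(text):
    """Map each finding type to the timestamps at which it occurred."""
    report = {}
    for line in text.splitlines():
        if line.strip():
            flow = parse_flow(line)
            for finding in audit(flow):
                report.setdefault(finding, []).append(flow.ts)
    return report


if __name__ == "__main__":
    for finding, when in audit_log(SAMPLE_LOG).items():
        print(f"{finding}: {', '.join(when)}")
```

The order of the checks matters: the exemptions (tunnel interface, VPN server, split-tunnel list) come first so that legitimate bypasses are never reported, and the kill-switch check comes before the DNS and IPv6 checks because a DNS query that escaped while the VPN was down is a kill-switch problem, not a resolver-configuration one.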
The service provider’s location is important due to the legal and institutional context in which the company must function. For example, some countries have draconian data retention laws, requiring telecommunications companies (sometimes including VPNs) to collect and store data about their user base. This is the case with a country like the UK and is reflected in the Privacy Policies of VPN services such as Hide My Ass.
Alternatively, there are countries like the United States of America, which don’t have data retention laws, but do have other privacy-damaging realities. For example, US intelligence agencies like the NSA are carrying out wide-ranging surveillance operations on all citizens and beyond the country’s borders. Furthermore, law enforcement has extensive legal powers to obtain information in the name of national security.
Then there is the ubiquitous point about countries belonging to the 5 Eyes, 9 Eyes, and 14 Eyes groups. These intelligence-sharing alliances are infamous (thanks to the Edward Snowden revelations) for, among other things, spying on each other’s citizens and sharing the resulting information.
Finally, there’s arguably the worst group of countries to run a VPN service out of – repressive, censorious regimes. If a VPN service is run out of a country like China, Russia, Iran, Saudi Arabia, the United Arab Emirates, North Korea, Zimbabwe, Venezuela, Belarus, and so on – you can be almost sure that the government of that country knows all there is to know about the VPN’s users.
On the other end of the equation are countries that have rigorous privacy protection in place. These are countries like Switzerland or Iceland, as well as off-shore havens like the British Virgin Islands or Panama.
It’s certainly tough to interpret the legalese in privacy policies and terms of service, but reading them is advisable for those who intend to engage in sensitive activities.
Other privacy aspects
It is worth mentioning two more angles to consider: the website and the sign-up process.
Like most contemporary websites, VPN websites rely on third-party services to improve efficiency. This always constitutes a more or less significant breach of privacy, because third-party services require information about site visitors to function properly. Therefore, users should expect to be exposed to as few third-parties through VPN websites as possible. Furthermore, they should demand that VPNs expose them only to third-parties with sound privacy policies.
Users may also be giving up too much of their privacy during the sign-up process. Some services require personal data for sign-up, including names and addresses. Meanwhile, others will only ask for an email address or not even that. Additionally, there are also differences in terms of available payment methods. Users who desire to remain anonymous should go for VPNs that allow Bitcoin or gift card payments.
Good and bad examples
To give users an idea of what good and bad VPN services look like, here are a few examples.
Good: ExpressVPN
Operating out of the British Virgin Islands and boasting a server list containing 3,000+ entries in 94 countries, this VPN has demonstrated its integrity more than once. It has a full suite of security features and has custom apps for all the important platforms (as well as a few of the less important ones) and offers 24/7 live chat support. ExpressVPN has proven time and again that it’s a leak-free, privacy-friendly product.
Bad: Hola VPN
A free P2P VPN service run out of the US, Hola VPN uses your idle bandwidth instead of regular VPN servers. The service has been involved in several scandals, including one where Hola VPN’s sister company, Luminati, sold user bandwidth to scammers, as a consequence of which it was used in a cyberattack. Hola VPN has also had DNS and WebRTC leaks, and little is known about its security features – what encryption (if any) it offers, what tunneling protocols are used, etc.
Bad: Turbo VPN
Turbo VPN is owned by a Chinese company, which already disqualifies it from being called secure or privacy-friendly. In addition, it has no kill switch and no customer support to speak of. Unlike the “good” example in this section, Turbo VPN will significantly hamper your connection speed. There are also only apps for Android and iOS available – tough luck if you are using a desktop computer.
How to start using a VPN today
VPNs used to be a thing for large corporations with dedicated IT teams that could set it all up for you. Since then, VPNs have entered the mainstream. They’re easy to use and require very little setup. In fact, all you need to do is pay, sign up for the service, install the app, and start using it.
The rising popularity of VPNs has meant growth in the number of tools, and also in the gap in quality between the top and the bottom of the market. Research is now more important than ever!
Before you jump right in and buy a subscription, read a few reviews to get some idea on the possibilities and prices. If you know what it is you need a VPN service for, then perhaps looking through some of our top 10 VPN list will put you on the right track.
What else can I do to protect myself?
Using a VPN is just one of the steps towards security and anonymity online. Here are some of the other tools you should consider adding to your arsenal:
- Password manager. You probably have dozens of user accounts and keeping track of passwords can be a chore. Yet using the same few passwords everywhere is very dangerous – a data breach in one place can lead to your accounts getting hacked elsewhere. There are also very good reasons for using long and difficult passwords, which makes the issue even worse. Enter password managers – these tools will store all your passwords in an encrypted database, so you only have to remember one password.
- Secure email provider. Mainstream email providers like Google have all sorts of privacy issues, from exposure to various third-parties to the lack of end-to-end encryption. Thankfully the market doesn’t lack for secure alternatives, such as Protonmail or Tutanota.
- Firewall. Firewalls and VPNs don’t always go together, but they should. Most of the time, conflicts with firewalls can be easily worked around, and it’s worth taking the time to do so. For instance, this could be as simple as adding an exception to Windows Defender, but you may need to toggle the “Do not use HTTPS protocol checking” option on the Windows Control Panel.
- Anti-virus software. As usual, it’s essential to add a layer of anti-virus protection because VPNs don’t do much for protection against malware.
- Browser extensions: HTTPS Everywhere, anti-tracker tool (Ghostery, uBlock Origin, DuckDuckGo, etc.).
Finally, be sure to keep your software up to date. Hackers work hard to find ever new vulnerabilities and software developers toil to patch them – don’t make them work in vain!