What Is A VPN?
A VPN, or Virtual Private Network, is a service that allows you to connect to the internet via a server run by a VPN provider. All data traveling between your computer, phone or tablet, and this “VPN server” is securely encrypted. As a result of this setup, VPNs:
- Provide privacy by hiding your internet activity from your ISP (and government)
- Allow you to evade censorship (by school, work, your ISP, or government)
- Allow you to “geo-spoof” your location in order to access services unfairly denied to you based on your geographical location (or when you are on holiday)
- Protect you against hackers when using a public WiFi hotspot
- Allow you to P2P download in safety.
In order to use VPN you must first sign up for a VPN service, which typically costs between $5 – $10 a month (with reductions for buying 6 months or a year at a time). A contract with a VPN service is required to use VPN.
Note that using a VPN service does not replace the need for an Internet Service Provider, as it is your ISP that provides your internet connection in the first place.
A note on commercial vs. corporate VPN
VPN technology was originally developed to allow remote workers to securely connect to corporate networks in order to access corporate resources when away from the office. Although VPN is still used in this way, the term now usually refers to commercial VPN services that allow customers to access the internet privately through their servers.
This article (and the BestVPN website) deals exclusively with these commercial VPN services, and use of the term VPN here should not be confused with private corporate networks, which are an entirely different kettle of fish (despite similarities, and crossovers in the underlying technology.)
How does it work?
Normally, when you connect to the internet you first connect to your Internet Service Provider (ISP), which then connects you to any websites (or other internet resources) that you wish to visit. All your internet traffic passes through your ISP’s servers, and can be viewed by your ISP.
When using VPN you connect to a server run by your VPN provider (a “VPN server”) via an encrypted connection (sometimes referred to as a “VPN tunnel”). This means that all data traveling between your computer and the VPN server is encrypted so that only you and the VPN server can “see” it.
This setup has a number of important consequences:
1. Your ISP cannot know what you get up to on the internet
- It cannot see your data because it is encrypted
- It cannot know which websites (etc.) you visit because all internet activity is routed through the VPN server. Your ISP can only see that you are connected to the VPN server.
2. You appear to access the internet from the IP address of the VPN server
- If the VPN server is located in a different country to you, then as far as the internet is concerned you are located in that country (most VPN services run servers located in many different countries).
- Anyone monitoring your internet activity from the internet will only be able to trace it back to the VPN server, so unless the VPN provider hands over your details (more on this later), your real IP address is hidden. This means that websites etc. cannot see your true IP address (just that of the server).
3. It is safe to use public WiFi hotspots
This is because the internet connection between your device and the VPN server is encrypted. Even if a hacker somehow manages to intercept your data, for example by tricking you into connecting to an “evil twin” hotspot or packet-sniffing your WiFi data, the data is safe because it is encrypted.
4. Your VPN provider can know what you get up to on the internet
- You are therefore shifting trust away from your ISP (which has no interest in, or commitment to, protecting your privacy) to your VPN provider who usually promises to protect your privacy.
- More privacy-minded VPN services mitigate this issue by employing various technical measures to know as little as they can about you. More on this later.
5. Your internet will slow down because:
- Encrypting and decrypting data requires processing power. This also means that, technically, the stronger the encryption used, the slower your internet access. However, given the power of modern computers, this issue is relatively minor compared to…
- The extra distance traveled by your data. Using VPN always introduces another leg to the journey that your data has to travel (i.e. to the VPN server), and thanks to the laws of physics, the further your data has to travel, the longer it takes.
If you connect to a VPN server located geographically nearby in order to access a website also located nearby, then you can expect around a 10 percent hit to the internet speed you get without using VPN. If you connect to a server half way across the planet, you should expect a much greater hit.
It is also the case that some VPN providers do better than others when it comes to speed performance, which is why every review we publish includes detailed speed tests. This is due to factors such as server processing power, available bandwidth, and load (how many other people are using the server at the same time as you).
All other things being equal, for best performance when using VPN you should connect to the VPN server closest to the website or service you wish to use, and then as close as possible to your own location.
For example, if I want to access US Netflix from the UK I would connect to a server located in the US, but as close as possible to the UK (somewhere on the northern East Coast, such as New York, would be ideal).
Is it legal?
Yes. In most countries citizens have a legal right to privacy, and as far as I know simply using a VPN service is illegal pretty much nowhere.
More repressive countries such as China and Iran, who understandably do not like the unrestricted and largely unaccountable access to the internet that VPN allows, do ban VPN services from operating in their country, and attempt to block users from accessing overseas VPN services.
Even in China, however, which has the most sophisticated internet censorship system in the world, such blocks are only partially successful (and we have yet to hear of anybody getting into trouble just for using VPN).
In Europe the threat of terrorism has been seized on by a number of governments to introduce wide-ranging surveillance laws, and in many countries (such as France and the UK) VPN providers are required to keep logs of users’ activity. VPN users looking for privacy should therefore avoid any services based in such countries, and use servers located in countries where logs are not legally required.
Where do I start?
There are now a huge number of VPN services vying for your attention, and unfortunately not all VPN providers are created equal (far from it!) The first thing you should do, therefore, is to check out reviews and recommendations on sites such as BestVPN (hey, it’s what we’re here for!). For example, the most comprehensive summary is this page, of the best vpn services.
Probably the first thing to consider is what you mainly want a VPN for. Is it for privacy while surfing the internet? To download without looking over your shoulder? To evade the Great Firewall of China? Or just to access geo-blocked TV streaming services from abroad?
Although pretty near all VPN services cover the main bases to some extent, there is no such thing as a perfect VPN service. Things you should be looking out for include:
- Price (of course!)
- Speed – VPN always entails some internet speed loss due to extra distances traveled and the processing demands of encryption/decryption (as discussed earlier).
- Privacy – all VPN providers promise privacy, but what does this actually mean? See “Does a VPN make me anonymous?” below for a discussion on this
- Security – how good are technical measures used to prevent an adversary (hackers, the NSA, etc.) forcing access to your data. Again, see below for more details.
- Number of servers/countries – If you need to connect to servers located all over the place, then the more the better, and the more likely it is that a server will be located where you want it to be.
- Number of simultaneous connections – Some providers will only let you connect one device to their service at a time, while others allow you to connect your PC, laptop, phone, Xbox and girl/boyfriend’s tablet all at once. The more the merrier!
- Customer support – Many VPN users are still learning the ropes, so customer support that a) actually answers your questions in a reasonable timeframe, and b) knows what it is talking about, can be invaluable.
- Free trials and money back guarantees: Perhaps the best way to decide if a service is for you is to try before you buy!
- Software – VPN clients should not only look good and be easy to use, but can add lots of funky features. The most useful of these are VPN kill switches and DNS leak protection.
- Cross-platform support – a service is no use if it can’t run on your device/OS. Support can include detailed setup guides for different platforms, or dedicated apps (as is increasingly common for iOS and Android devices).
- Other bells and whistles – Some providers offer “stealth servers” for evading the Great Firewall of China, free SmartDNS or cloud storage, fancy security options (such as VPN through Tor), and more.
VPN is available for almost all computer-type devices, including desktops, laptops, smart phones, and tablets.
Just about every provider fully supports Windows, Mac OSX, Android and iOS platforms, and many also support Linux and Chrome OS (if only indirectly). Support for Blackberry OS and Windows Mobile devices, however, is much patchier.
To sign up for a VPN service, simply visit its website and follow the links. Your provider will give you instructions on what to do next, or our full reviews all have a “The process” section that runs through the whole process for each provider.
Interestingly, there does not appear to be much correlation between what you pay for VPN and the service you receive, so I again suggest that you read our reviews (including readers’ comments sections) and take advantage of any free trials and money-back guarantees to help you decide.
Running a VPN service is not cheap, so you have to ask yourself how a free service can afford to operate. As the old saying goes, if you don’t pay for a product, then you are the product…
That said, some reputable free VPN services do exist, most notably CyberGhost’s free offering, which while limited, is enough for many casual users, and is transparently funded through its premium offerings. VPN Gate is another option, and is run by volunteers.
You should be aware, however, that no free VPN will give you anywhere near the performance or privacy benefits of a good commercial service.
Given that VPN typically costs the price of a beer or so per month, I strongly recommend splashing out on a fully featured service.
Does a VPN make me anonymous?
No. VPN does not make you anonymous because the VPN provider can always* know who you are, and can see what you get up to on the internet. Privacy-oriented VPN services go to great lengths, however, to protect their customers’ privacy, which is why we say that VPN provides privacy (rather than anonymity).
The first thing to note is that while many providers promise to protect users’ privacy, such promises are not worth the digital ink they are printed on if they keep logs. No matter what they say, no VPN provider staff will go to jail (or ruin their business) to protect a customer. If the data exists, any VPN provider can be compelled to hand it over. Period.
If you want to use VPN to provide privacy, then only a “no logs” provider will do. Unfortunately, when a provider claims to keep no logs, we just have to take its word for it (which is why the Edward Snowdens of this world prefer to use Tor).
Choosing a VPN provider therefore comes down to a matter of trust, so how do you know a provider can be trusted? Well… privacy orientated VPN providers have built their business model on promising privacy, and if it becomes known that they failed to do this (for example by keeping logs even when they promised not to, and then being compelled to hand these over to the authorities), their businesses would be worthless (and they might find themselves liable for legal action by the compromised individual).
It should be understood that even when a provider keeps no logs, it can and will be able to monitor users’ internet activity in real-time (this is essential for trouble shooting etc. – all the more so when no logs are kept).
Most no logs providers also promise not to monitor users’ activity in real-time (unless necessary for technical reasons), but most countries can legally demand that a provider start to keep logs of an individual (and provide a gag order to prevent the company alerting their customer of this).
This is, however, a specifically targeted demand or request (most providers will happily cooperate when it comes to catching pedophiles, for example), so only specific individuals already identified by the authorities need be too concerned.
In addition to keeping no logs, any company that cares about protecting their users’ privacy also uses shared IPs. This means that many users are assigned the same IP address, so matching identified internet behavior with a specific individual is very difficult to do, even if a provider should wish (or is compelled) to do so. This goes a long way towards addressing the privacy issue outlined above.
What does ‘no logs’ actually mean? Usage logs vs. connection logs
When many providers claim to keep no logs, what they really mean is that they keep no (what we term) ‘usage logs’. They do however keep ‘connection logs’:
- Usage logs – details of what you get up to on the internet, such as which web sites you visit etc. These are the most important (and potentially damaging logs)
- Connection logs – many ‘no logs’ providers keep metadata about users’ connections, but not usage logs. Exactly what is logged varies by provider, but typically includes things like when you connected, how long for, how often etc. Providers usually justify this as necessary for dealing with technical issues and instances of abuse. In general we are not too bothered by this level of log keeping, but the truly paranoid should be aware that, at least in theory, such logs could be used to identify an individual with known internet behavior through an ‘end to end timing attack’.
Some providers claim to keep no logs of any kind (“no logs providers”), and it is these that are generally considered best for protecting privacy. It should be noted that some critics argue it is impossible to run a VPN service without keeping logs, and those who claim to do so are being disingenuous.
However, as mentioned above, with a VPN provider everything comes down to trust, and if a provider claims to keep no logs at all we have to trust its ability to run the service in this way…
Mandatory data retention
Something to be aware of when choosing a privacy-friendly VPN provider is where it is based (i.e. under which country’s laws does it operate). Many countries (including many European countries) require communications companies to keep logs for a certain amount of time, although whether these laws apply to VPN providers can vary somewhat (in Europe the Netherlands, Luxembourg, Romania, and Sweden are popular places to base a VPN service because VPN providers in these countries are not required to keep logs).
If a VPN provider is based in a country which really requires it to keep logs then it will do so, no matter what other impression it tries to give.
Paying for VPN anonymously
More privacy-minded VPN companies allow you to pay for their services anonymously. The most common method is using Bitcoins**, but companies such as Private Internet Access will accept anonymously purchased store cards, and Mullvad will even take cash sent by post!
This adds an extra layer of privacy, as the VPN company does not know your real name, address, or banking details. It will, however, still know your real IP address*.
In addition to the direct privacy benefits of paying anonymously, accepting anonymous payment is often a good indicator that a VPN takes privacy seriously (this is hardly a guarantee, but not accepting anonymous payment is definitely poor show!)
** Paying by Bitcoin is not inherently anonymous, but if the correct steps are taken then a high degree of anonymity can be achieved. Please see my guide to Buying Bitcoins to pay for VPN anonymously for more details.
An exception to the rule*
An exception to the rule that VPN providers always know who you are is if you use VPN through Tor. This means that you connect to the VPN service via the Tor anonymity network, so that your VPN provider cannot see your true IP address.
If you also sign up using Tor, and use an anonymous payment method, you can achieve a very high level of true anonymity with this setup. Do be aware, however, that doing this combines the speed hit of both VPN and Tor, making internet connections very slow.
So… am I “safe” if I use VPN?
Using a good no logs VPN service does provide a high degree of privacy. It will protect you from blanket government surveillance, prevent your ISP knowing what you get up to on the internet, prevent you being tracked by copyright owners when pirating stuff, and will even provide a fair bit of protection when engaged in low level criminal activities.
It will not, however, protect you if the police, your government, or the NSA, are specifically interested in you, and are willing to spend time and resources investigating what you do on the internet.
Journalists, whistleblowers, and others who need a very high level of anonymity should therefore use Tor instead (although VPN through Tor does provide some concrete benefits).
How secure am I?
VPN protects your data using encryption. I have two core articles discussing VPN encryption and the various terms used to describe it. They are rather technical for this beginner’s guide, but if the subject interests you then please do check them out:
The TL;DR version, however, is to use OpenVPN (or maybe IKEv2) wherever possible. L2TP/IPsec is fine, but PPTP should be avoided at all costs (in my view it is irresponsible for a provider to even offer customers PPTP as an option!).
As a point of reference, the minimum default settings for the OpenVPN protocol are:
Hash authentication: SHA-1
This is more than sufficient for most users, but if you are the sort of person who worries about the NSA, then my minimum recommendation for a “secure” VPN connection that should be resistant against any known form of attack for the foreseeable future is:
VPN Protocol: OpenVPN with Perfect Forward Secrecy enabled
Hash authentication: SHA256
IP leaks & kill switches
If your VPN is working properly then it should completely hide your IP address from any website you visit. Unfortunately, for a variety of reasons, this is not always the case. If a website can somehow detect your true IP address even when using VPN, you have what is known as an IP leak.
To determine if you are suffering an IP leak, visit ipleak.net. If you are connected to a VPN and you can see your true IP address (or even just your ISP’s name) anywhere on this page then you have an IP leak. Note that ipleak.net does not detect IPv6 leaks, so to test for these you should visit test-ipv6.com.
If you detect a leak please consult A Complete Guide to IP Leaks in order to find out why it’s happening, and how to fix it.
A related issue is VPN dropouts, as every VPN connection will occasionally fail. With a good VPN provider this should not happen very often, but it occasionally happens even to the best. If your computer continues to remain connected to the internet after a dropout, then your real IP will be exposed.
The solution is a “VPN kill switch” which either monitors your internet connection and shuts it down when it detects a VPN dropout, or uses firewall rules to prevent any internet traffic leaving your computer outside of your VPN connection.
Many VPN providers include a kill switch as part of their VPN software, but third party options are available. Alternatively, if feeling brave you can configure your own using firewall rules. Please see here for more discussion on kill switches, including how to configure OpenVPN for Android as a kill switch.
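A firewall-rule kill switch of the kind described above, written here as an added example (it is not from this article's author or from any VPN provider's software). It assumes Linux with iptables, a VPN server at the constructed address 203.0.113.10 on UDP port 1194, and a tunnel interface called tun0; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: "deny by default" rules so traffic can only leave via the VPN.
# The server address, port and interface name are assumptions, not page values.

is_ipv4() {
    # Accept only dotted-quad addresses with each octet in 0..255.
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

killswitch_rules_v4() {
    # $1 VPN server IPv4, $2 port, $3 udp|tcp, $4 tunnel interface.
    # Every value is validated before it is written into a rule.
    vpn_ip=$1; vpn_port=$2; proto=$3; tun_if=$4
    is_ipv4 "$vpn_ip" || { echo "invalid VPN server address" >&2; return 2; }
    case "$vpn_port" in ''|*[!0-9]*) echo "invalid port" >&2; return 2 ;; esac
    [ "${#vpn_port}" -le 5 ] && [ "$vpn_port" -ge 1 ] && [ "$vpn_port" -le 65535 ] ||
        { echo "invalid port" >&2; return 2; }
    case "$proto" in udp|tcp) ;; *) echo "invalid protocol" >&2; return 2 ;; esac
    case "$tun_if" in ''|*[!A-Za-z0-9_.-]*) echo "invalid interface" >&2; return 2 ;; esac
    # Policy DROP everywhere; the only exits are loopback, the tunnel itself,
    # and the encrypted connection to the VPN server that carries the tunnel.
    # If the tunnel drops, nothing else matches and traffic stops.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $tun_if -j ACCEPT
-A OUTPUT -d $vpn_ip/32 -p $proto --dport $vpn_port -j ACCEPT
COMMIT
EOF
}

killswitch_rules_v6() {
    # Assumes the tunnel carries no IPv6, so all IPv6 except loopback is
    # blocked to prevent an IPv6 leak around the VPN.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

killswitch_apply() {
    # Needs root. Rules are built first so bad input never touches the firewall.
    v4=$(killswitch_rules_v4 "$@") || return 2
    printf '%s\n' "$v4" | iptables-restore &&
        killswitch_rules_v6 | ip6tables-restore
}

# Run as root, e.g.: sh killswitch.sh apply 203.0.113.10 1194 udp tun0
if [ "${1:-}" = "apply" ]; then shift; killswitch_apply "$@"; fi
```

These rules also block local network traffic and DNS lookups outside the tunnel, so the VPN client must be configured with the server's IP address rather than its hostname.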
Can I torrent safely using VPN?
Yes, as long as you use a provider that permits it (not all do, so check!) With VPN your data is encrypted so that your ISP cannot see what you are doing online, and your IP is shielded by your VPN provider.
When P2P downloading via BitTorrent (or streaming using Popcorn Time) everyone else downloading the same file can easily see the IP address of everyone else who is downloading that file (hence the names P2P and filesharing!) When using a VPN, someone tracking that file will only see the IP of your VPN server, not your real IP address.
VPN companies get bombarded with DMCA-style copyright infringement notices due to users’ activities all the time. Some prefer to cooperate with copyright holders, to the point of handing over the names of infringing customers for further legal action, while others simply try to keep copyright holders happy by issuing warnings, and ultimately disconnecting repeat offenders.
Some providers, however, are happy to let customers P2P download, and make a good business out of protecting their identities (keeping no logs is always a good start here!) If your VPN provider allows P2P then you can download safely.
Perhaps more than anyone, however, downloaders should be careful to use a VPN kill switch as they often leave torrents to download unattended for hours at a time…
When SmartDNS is better
Many people use VPN primarily to evade geo-restrictions in order to watch TV streaming services that are blocked to international users (or which offer better catalogs to users in certain countries).
If this is the only reason you want VPN for, and you are not interested in the privacy and security advantages that VPN brings, then you may be better off using a SmartDNS service instead.
SmartDNS uses much simpler technology and does not encrypt your connection, which makes it faster than VPN (so fewer buffering issues, but distance remains an issue). It can also be configured on many internet devices that cannot run a VPN client, such as Smart TVs, media streaming devices, and games consoles (as every internet capable device has DNS settings that can be changed).
SmartDNS services are also usually cheaper than VPN ones. For more information please visit SmartDNS.com.