A VPN, or virtual private network, encrypts all of your web traffic and routes it through a remote server, making it harder for anyone to intercept and monitor your communications. It’s a great tool when you’re on public Wi-Fi, using a personal computer or mobile device at the office or otherwise using an untrusted network.
We evaluated 11 different VPN providers, assessing their ease of use, performance, privacy policies and device support, and found two services that are affordable, serious about their security and your privacy and packed with convenient-enough connectivity features and device support that you’ll actually use them to protect yourself online.
The best VPN overall: Mullvad
5€/month at Mullvad
If you’re looking for privacy — and that’s the most important thing to think about when you’re looking for a VPN in the first place — Mullvad goes the extra mile. The company has an interesting method of ensuring your privacy: They don’t ask you for your email address when you subscribe to their service. Instead, you obtain a random code that you use to identify yourself. That means no password is required once you have entered your code, it is unlikely that anyone can guess this code or find it on the dark web (unless you reuse it, which you shouldn’t) and there is little chance anyone could connect it back to you even if they did manage to get a hold of the code in a breach.
Their pricing is a simple 5€ per month (payable via a dizzying array of options, from cash to credit cards to cryptocurrencies) that is automatically renewed, with a 30-day cancellation policy. You can connect up to five concurrent devices per subscriber, and software is available for Windows, MacOS, Linux, iOS, Android, an extension for the Firefox browser, and for network routers too.
Mullvad has a dirt-simple user interface. There are toggle switches to block malware, ads and tracking. You specify which country you want to connect to, and it finds the closest server quickly and automatically. It also has an automatic kill switch: If it crashes, it will disconnect you from the internet entirely so you don’t end up communicating over an insecure connection without noticing it. And it has automatic software updates and also doesn’t gather third-party data.
Sweden-based Mullvad gets high marks for transparency: the company has released their code to open source, and uses open-source development tools as well. Mullvad had their code audited by Cure53 back in 2020, and while they are due for another look, we liked how transparent they were with their audit, addressing the issues found and how they were resolved. They take your privacy seriously enough that they don’t even know your encryption keys — you generate them yourself when you initially bring up the software.
Mullvad is well-regarded enough that Mozilla nowadays runs their pricier MozillaVPN service on Mullvad’s servers.
Mullvad’s major downside is that they don’t have servers in as many countries as their competitors. Their biggest advantage is performance; there was little degradation of the connection, with almost no loss of latency and download speed.
A runner-up VPN: IVPN
Starting at $6/month at IVPN
Like Mullvad, IVPN uses a random code assignment scheme for login, so it keeps no record of a password and an attacker would have no way to tie your email address — and thus your personal data — to their systems in the event of a breach. They have a very impressive ethical guidelines page that other vendors should emulate. IPVN offers apps for the five major OSs as well as routers and network storage units. IVPN is a little more expensive than Mullvad, though their higher-tier service offers a bit more flexibility than Mullvad’s. IVPN offers support for two concurrent devices for $6/month, or seven for $10/month., with annual discounts available. IVPN doesn’t automatically renew your subscription unless you explicitly tell it to do so, which is a nice touch.
In our testing, we saw great performance from IVPN, getting 88% or more of the speeds we saw without any VPN on our test systems. IVPN’s configuration controls are all grouped together to make it easy to adjust things, such as to switch between the OpenVPN and WireGuard protocols, and whether to invoke additional protections to prevent tracking and what it calls “hardcore mode,” which blocks all Google and Facebook domain interactions, the ability to use a custom DNS server and to enable usage of LAN-connected devices (such as printers and file shares).
Another feature we liked is that IVPN offers a kill switch in the form of an always-on firewall option. IVPN (and TunnelBear) are the two VPNs to have regular publicly available audits each year without any misses. It also doesn’t gather third-party data, or have any significant DNS leakage.
What to know about VPNs
There are lots of reasons to use a VPN — encrypting your internet activity and private data while you are using public Wi-Fi or other untrusted networks, streaming videos that are blocked because you are in a foreign country, segregating your work-from-home traffic from your family’s personal traffic or just getting internet access from within a country (or a place of business) that censors content. (In Russia, VPN app downloads and demand for VPN services have reportedly climbed since the Russian government limited internet access after their war on Ukraine began earlier this year.) Under certain circumstances (let’s say your ISP throttles some types of traffic) a VPN can even improve your internet access speeds,
But a VPN isn’t a cure-all — it isn’t meant to be a complete security solution. If someone is determined to obtain your data, there is always a way. A government could obtain a court order, or a criminal could use malware to infect your computer or phone and then copy your data outside of a VPN’s operation, or your computer may accidentally leak data because of a software misconfiguration. Or someone could slowly gather bits of data about you and your equipment (in the process is called “digital fingerprinting”), eventually getting the ability to track your movements across cyberspace — basically the way advertising companies make use of social media data to serve you those ads that always pop up under creepy circumstances.
VPN vendors, however, obscure things in their marketing materials by using language in their materials such as “military-grade encryption” and “total or 100% anonymous access.” While there are a variety of encryption standards that are better at protecting data streams than others, there is no generally accepted “military” standard, and there’s no way to guarantee anonymity. Some VPN vendors also make claims about “multi-hop” methods or double-encrypting your traffic; we don’t think this is much of a benefit because it can slow down your performance and doesn’t really buy much in terms of privacy.
Yes, using a VPN can make you more anonymous, but you can still leave some digital tracks. IVPN, to its credit, explicitly says it doesn’t promise either anonymity or military encryption and has clearer language with information on its marketing practices and commitments..
VPN vendors often make claims that they protect your identity by virtue of where their headquarters are located. While getting a court order to obtain your data from a Swiss- or Panama-based vendor (such as ProtonVPN or NordVPN, respectively) may be more effort than a US-based one, it isn’t impossible. Many countries’ courts under very limited circumstances can compel vendors to give up account information, and share that information through mutual legal assistance treaties. Given these caveats, we have provided their HQ location for your reference in each review, but we don’t think you need to give it much consideration.
Take vendor transparency claims with a grain of salt, and look for open-source software. Some VPNs (such as Mullvad, MozillaVPN, IVPN, ProtonVPN and PIA) have published their entire software code openly for anyone to review. We prefer this because open-source projects are subject to public scrutiny, and thus tend to fix vulnerabilities and issue patches more regularly, protecting you better. Others (such as Surfshark and ExpressVPN) have taken a more limited approach and support the OpenVPN protocol standard or just publish a specific piece of their software. Other vendors who have products not built on open-source code will claim that their products have been audited by third parties (Surfshark, for example, has had audits in 2018 and 2021); these audits may not be easily accessible or not happen frequently enough, or only make their audits available to customers (NordVPN). RestorePrivacy goes into details about the audit specifics for a few vendors. Also, not every part of a product’s code base is necessarily subject to an audit (this was at the root of the problem described in this 2017 report on Android VPN apps containing malware).
Finally, as you’re doing more research, be aware of the specialist VPN review sites themselves. Many are owned by the VPN vendors themselves (for example, VPN-Mentors.com is owned by Kape, which sells a variety of VPNs including ExpressVPN and PIA), so you’ll want to look for independent sources of information as well.
How we tested each VPN
We tested 11 popular VPNs, looking at those that were best-reviewed, provided the most servers and speed and had a documented history of providing good privacy. With each VPN, we downloaded installers and set up accounts. We then ran each VPN and tested it under various conditions, including running speed and DNS leak tests for more objective measurements.
• Ease of setup/installation: For every program, there’s a setup. As we installed each VPN and created our accounts, we noted the duration and ease of each setup process, as well as how easy it is to switch from one server to another.
• Ease of use: There are many factors that make one VPN easier to use than another. We looked not just at how friendly software interfaces were, but how simple vendors made security features. Some VPNs (CyberGhost, ExpressVPN, Surfshark) do not support any multi-factor authentication whatsoever, some offer all sorts of privacy controls but make them difficult to use or configure, some have kill switches (which can terminate your connections immediately if the VPN software fails, preventing accidental exposure of your data), and some will tell you if you are using an outdated version or automatically prompt you to upgrade.
• Device support: We examined which platforms each VPN supported (ideally, each should offer support for Windows, MacOS, Linux, Android and iOS devices), how many concurrent streams the service would support and the number of servers and locations under each VPN’s command. We took router support into consideration, though setting up a VPN server on your router isn’t for everyone, and will require some technical knowledge.
• Throughput test: Using Ookla’s Speedtest, as we described above.
• DNS leak test: Using DNSLeakTest.com.
• Warranty, trial period and subscription services: We looked closely at how VPN vendors handle subscriptions. Why? Many of the VPN vendors offer free 30- or 45-day trials to check out their products, and some vendors also offer free plans (with reduced functionality). That sounds great until you decide to terminate your trial and seek another solution. Some vendors make it hard to leave, while others store your private data even after you close your account. Several vendors offer discounts via ads and affiliate deals; if you keep an eye on YouTube, you probably can get a subscription initially at high discounts
Some notes on measuring VPN performance
If you want to protect your privacy and security, you will have to accept that your browsing and network latency will suffer. The VPN vendors try to mitigate this by supporting different communications protocols, and there are three principal choices:
- OpenVPN, a time-tested open-source protocol that almost every VPN now supports.
- WireGuard, a newer protocol that appears to be faster in more circumstances.
- Custom protocols unique to a particular vendor (NordVPN, ExpressVPN and Hotspot Shield).
Opinions (and they are just that) differ on which approach is best in terms of the trade-off between security and performance. Check out what ProtonVPN has to say here and what IVPN has to say here. Some vendors support more than one protocol, either letting you choose or automatically finding the fastest connection. A few vendors, including CyberGhost, NordVPN and IPVanish, publish server locations, which can be helpful.
We measured the reduction in speed using the Ookla’s Speedtest.net from our offices in St. Louis. But that calculation can vary depending on other traffic and which Ookla endpoint you choose to measure speeds. Keep all these factors in mind when you look at our performance numbers.
Other VPNs we tested
$13/month at ExpressVPN
ExpressVPN is owned by Kape Technologies and is based in the British Virgin Islands. It supports the five major OSs along with browser extensions for Chrome, Edge and Firefox and also smart TVs, game consoles, routers and Chromebooks. It has a server network in 94 different countries and its plan covers five concurrent streams. It has its own protocol, similar to WireGuard, called Lightway that is documented here, along with supporting IPSec and OpenVPN protocols. ExpressVPN offers a 30-day money back guarantee, though some reviewers have reported obtaining the refund was a time-consuming process. Bitpay and the Paymentwall gateways are supported.
A big issue is that Kape, in a previous incarnation when the company was known as Crossrider, marketed a plugin development platform that was used to distribute ad injection software; its CIO was fined by the US Department of Justice for hacking, and that gives us pause when considering a product meant to protect your privacy. Kape also maintains a VPN review site, VPN-Mentors.com.
$13/month at CyberGhost
CyberGhost is also owned by Kape Technologies, which shares the same issues as PIA and ExpressVPN in terms of corporate responsibility. The company is based in Romania, and has 7,800 servers spread across 91 locations. The monthly plan comes with a 14-day money-back guarantee and the longer periods offer 45-day guarantees. The plan includes support for up to seven concurrent devices and covers all five OS’s along with various smart TVs, gaming consoles, Chrome and Firefox browsers, and routers. Transparency reports are published every three months, which isn’t quite the same as a third-party review, but still they insist that they have no data to share and don’t monitor or store any user data. The software lacks a kill switch and doesn’t offer any MFA support, and uses WireGuard exclusively. They sell a series of security add-ons, including password manager, anti-virus and private browser. When using the Windows app, you’ll need to install Microsoft’s .Net Framework before you run the main Windows app.
$13/month at Hotspot Shield
Hotspot Shield covers 80 countries and has apps for all five OSs plus Chrome browsers and routers. It has three different plans: a forever free plan, a premium plan (covering five concurrent devices) for $13/mo and a family plan (supporting up to 25 connections) for $20/month. The free plan is limited in connection speeds and one location, with 500 MB of daily traffic. The paid plans can support streaming video. You can try the paid plans for up to 45 days, and there are big discounts if you have an annual subscription. Hotspot Shield advertises “military-grade encryption,” which is not a meaningful description, and the company has had complaints from the Federal Trade Commission in the past and has not done any code audits. They are based in the US and have developed their own protocol called Catapult Hydra that has been patented and is used by a few other security vendors.
$11/month at IPVanish
IPVanish, now owned by Ziff-Davis, offers a single plan with a 30-day money back guarantee if you sign up annually. It supports an unlimited number of devices on all five OSs along with Amazon Fire sticks, routers and Chrome browsers. It has a large network of its own servers in more than 75 locations (with one Africa location and just a few in South America) and supports the OpenVPN, IPSec and WireGuard protocols. The company is based in the US. It has not had a code audit, doesn’t block ads and only supports split tunnels (which let you route only some of your traffic through a VPN, useful if you depend on some services — like maps — that do need to know your location) on Android devices. IPVanish does log origin IP addresses and usernames unencrypted on the local device.
Private Internet Access (PIA)
$10/month at Private Internet Access
Private Internet Access (PIA) is based in the US (they are another Kape-owned vendor) and has a large server network in 78 countries. They have apps for the five major OSs, gaming consoles, routers and smart TVs, along with browser extensions for Chrome, Opera and Firefox. They support up to 10 concurrent device streams using both OpenVPN and WireGuard and have published their apps on open source. They have also published a series of transparency reports, although haven’t been independently audited. They have some data leak issues. Their service is discounted for longer time periods, with a 30-day refund, though as with most services customers have reported that getting the refund can be difficult.
Plus plan, $8/month at ProtonVPN
ProtonVPN is a venerable company with a solid reputation, and is serious about their security and your privacy. It offers three paid plans: Basic for $4/month, Plus for $8/month and Visionary for $24/month, all with annual discounts. Our recommendation is that you go with the Plus plan, which offers better speeds and streaming support and also supports ten concurrent devices. That plan also passes your traffic through multiple servers but optimizes performance, and allows you to choose specific servers across its wide collection of locations. The Basic plan has servers in 40+ countries, while the Plus and Visionary plans have the full network of 63 countries, and support routing your VPN traffic through its “secure core” servers in Sweden, Iceland or Switzerland. This is a way to ensure more protection, but comes, of course, at a performance hit.
There is also an adware blocker called NetShield that you can engage to block just malware, or also include ads and trackers, and a simple kill switch. All of these are available from the main configuration panel. ProtonVPN also has its “smart protocol” which automatically chooses the best performing connection for your circumstances. You can also switch between WireGuard and OpenVPN through another configuration menu.
The service uses its own DNS servers to prevent DNS leaks. Other reviewers found some PII in its logs, despite its claim to a “strict no-logs policy,” which could be another reason to use Mullvad or IVPN if this is a concern. The company is based in Switzerland and makes available open-source code for its Windows, MacOS, iOS and Android apps along with its 2019 audits (though it is time to refresh these reports). If you want to terminate or change your subscription, you are charged for the portion of the month that you have used the service.
$13/month at SurfShark
SurfShark supports all five major OSs and has extensions for Chrome, Firefox and Edge browsers. It has servers in 65 countries, and its third-party server infrastructure has been audited here. It also offers unlimited concurrent devices and supports both the OpenVPN or WireGuard protocols. It is based in the British Virgin Islands. Plans are available at significant discounts for longer periods, eligible for a refund up to 30 days, although some reviewers have mentioned difficulties in obtaining refunds. SurfShark will accept cryptocurrency payments through CoinGate or CoinPayments. There have been reports of leaks with some private data in its logs.
$10/month at TunnelBear
TunnelBear is now owned by McAfee and supports Windows, MacOS, iOS and Android (though not Linux), and has Chrome and Firefox browser extensions. The company is based in Canada and has servers in 50 countries, and they are adding countries in the Southern Hemisphere where other vendors haven’t had much coverage. It has three plans: a forever free plan, a paid plan and a business plan for multiple users at $5.75/month per seat, with discounts for annual purchases. The free plan includes 500 MB of monthly traffic and the paid plans provide for up to five concurrent devices. They don’t log any activity, although they do have some private data that researchers have found but they have regular code audits. They support OpenVPN but not the WireGuard protocol and don’t offer any refunds.
$12/month at NordVPN
NordVPN is based in Panama. It has applications for the five OSs along with support for smart TVs, Chromebooks and gaming consoles plus extensions for Chrome, Edge and Firefox browsers. It has servers in 60 countries, and a series of plans that support up to six concurrent device streams. It developed its own version of the WireGuard protocol called NordLynx, and also supports OpenVPN and IPSec too. It has done third-party audits, but they are only available to existing customers. It has a free 30-day trial and a monthly plan with annual discounts, though as usual with VPN services, reviewers have mentioned difficulties in obtaining refunds. NordVPN will accept cryptocurrency payments through CoinPayments. It has an optional obfuscated server security that will hide your VPN traffic. The company also sells NordPass, a password manager, and NordLocker, a secure cloud storage service.