What Is a VPN?
A VPN (Virtual Private Network) is a way of adding an extra level of privacy to your online activity. VPNs encrypt your device’s internet connection, allowing you to surf the web privately and free of snooping or hackers. Much like a home security system, a VPN keeps your valuables safe and everything else outside.
Benefits of a VPN
A VPN allows you to connect to the internet via a server run by a VPN provider. All data traveling between your computer, phone or tablet, and this "VPN server" is securely encrypted. As a result of this setup, VPNs:
- Provide privacy by hiding your internet activity from your ISP (and government).
- Allow you to evade censorship (by school, work, your ISP, or government).
- Allow you to “geo-spoof” your location in order to access services unfairly denied to you based on your geographical location (or when you are on holiday).
- Protect you against hackers when using a public WiFi hotspot.
- Allow you to P2P download in safety.
In order to use a VPN you must first sign up for a VPN service, which typically costs between $5 and $10 a month (with reductions for buying six months or a year at a time). A contract with a VPN service is required to use a VPN.
Note: using a VPN service does not replace the need for an internet service provider (ISP). It is your ISP that provides your internet connection in the first place.
Commercial Vs. Corporate VPN
VPN technology was originally developed to allow remote workers to securely connect to corporate networks in order to access corporate resources when away from the office. Although VPN is still used in this way, the term now usually refers to commercial VPN services that allow customers to access the internet privately through their servers.
This article (and the BestVPN website) deals exclusively with these commercial VPN services. Use of the term VPN here should not be confused with private corporate networks. Those are an entirely different kettle of fish (despite similarities and crossovers in the underlying technology).
How Does it Work?
Normally, when you connect to the internet, you first connect to your internet service provider, which then connects you to any websites (or other internet resources) that you wish to visit. All your internet traffic passes through your ISP’s servers, and can be viewed by your ISP.
When using a VPN you connect to a server run by your VPN provider (a “VPN server”) via an encrypted connection (sometimes referred to as a “VPN tunnel”). This means that all data traveling between your computer and the VPN server is encrypted so that only you and the VPN server can “see” it.
This setup has a number of important consequences:
1. Your ISP cannot know what you get up to on the internet
- It cannot see your data because it is encrypted
- It cannot know which websites (and so forth) you visit because all internet activity is routed through the VPN server. Your ISP can only see that you are connected to the VPN server.
2. You appear to access the internet from the IP address of the VPN server
- If the VPN server is located in a different country to you, then as far as the internet is concerned you are located in that country too (most VPN services run servers located in many different countries).
- Anyone monitoring your internet activity will only be able to trace it back to the VPN server, so unless the VPN provider hands over your details (more on this later), your real IP address is hidden. This means that websites and so forth cannot see your true IP address (just that of the server).
3. It is safe to use public WiFi hotspots
This is because the internet connection between your device and the VPN server is encrypted. Even if a hacker somehow manages to intercept your data, for example by tricking you into connecting to an “evil twin” hotspot or packet-sniffing your WiFi data, the data is safe because it is encrypted.
4. Your VPN provider can know what you get up to on the internet
- You are therefore shifting trust away from your ISP (which has no interest in, or commitment to, protecting your privacy) to your VPN provider, who usually promises to protect your privacy.
- More privacy-minded VPN services mitigate this issue by employing various technical measures to know as little as they can about you. More on this later.
5. Your internet will slow down
This is because encrypting and decrypting data requires processing power. This also means that, technically, the stronger the encryption used, the slower your internet access.
However, given the power of modern computers, this issue is relatively minor compared to the extra distance traveled by your data. Using a VPN always introduces another leg to the journey that your data has to travel (i.e. to the VPN server), and thanks to the laws of physics, the further your data has to travel, the longer it takes.
If you connect to a VPN server located geographically nearby in order to access a website also located nearby, then you can expect around a 10% hit to the internet speed you get without using VPN. If you connect to a server half way across the planet, you should expect a much greater hit.
Some VPN providers do better than others when it comes to speed performance. This is why every review we publish includes detailed speed tests. Server processing power, available bandwidth, and load (how many others are using the server at the same time) all impact on speed.
All other things being equal, for best performance when using a VPN you should connect to the VPN server closest to the website or service you wish to use, and then as close as possible to your own location.
For example, if I want to access US Netflix from the UK I would connect to a server located in the US, but as close as possible to the UK (somewhere on the northern East Coast, such as New York, would be ideal).
Are VPNs legal?
Yes. In most countries citizens have a legal right to privacy. As far as I know simply using a VPN service is illegal pretty much nowhere.
More repressive countries such as China and Iran, which understandably do not like the unrestricted and largely unaccountable access to the internet that VPN allows, do ban VPN services from operating in their countries. They also attempt to block users from accessing overseas VPN services.
Even in China, however, which has the most sophisticated internet censorship system in the world, such blocks are only partially successful. We have also yet to hear of anybody getting into trouble just for using VPN.
In Europe, the threat of terrorism has been used by a number of governments to introduce wide-ranging surveillance laws. In many countries (such as France and the UK) VPN providers are required to keep logs of users’ activity. VPN users looking for privacy should avoid any services based in such countries. They should instead opt for servers located in countries where logs are not legally required.
There are a huge number of VPN services vying for your attention. Unfortunately not all VPN providers are created equal (far from it!). The first thing you should do, therefore, is to check out reviews and recommendations on sites such as BestVPN (it’s what we’re here for!).
Probably the first thing to consider is what you want a VPN for. Is it mainly for privacy while surfing the internet? To download without looking over your shoulder? To evade the Great Firewall of China? Or just to access geo-blocked TV streaming services from abroad?
Although pretty near all VPN services cover the main bases to some extent, there is no such thing as a perfect VPN service.
Things to Consider
- Speed – VPN always entails some internet speed loss, as discussed earlier
- Privacy – all VPN providers promise privacy, but what does this actually mean? See “Does a VPN make me anonymous?” below for a discussion on this
- Security – how good are the technical measures used to prevent an adversary (hackers, the NSA, etc.) forcing access to your data? Again, see below for more details
- Number of servers/countries – if you need to connect to servers located all over the place, then the more the better. That way it is more likely that you will find a server where you need it
- Number of simultaneous connections – some providers will only let you connect one device to their service at a time, while others allow you to connect your PC, laptop, phone, Xbox and girl/boyfriend’s tablet all at once. The more the merrier!
- Customer support – many VPN users are still learning the ropes, so customer support that a) actually answers your questions in a reasonable timeframe, and b) knows what it is talking about, can be invaluable
- Free trials and money back guarantees – perhaps the best way to decide if a service is for you is to try before you buy
- Software – VPN clients should not only look good and be easy to use, but add lots of funky features. The most useful of these are VPN kill switches and DNS leak protection
- Cross-platform support – a service is no use if it can’t run on your device/OS. Support can include detailed setup guides for different platforms, or dedicated apps (as is increasingly common for iOS and Android devices)
- Other bells and whistles – some providers offer “stealth servers” for evading the Great Firewall of China, free SmartDNS or cloud storage, fancy security options (such as VPN through Tor), and more
VPN is available for almost all computer-type devices, including desktops, laptops, smart phones, and tablets.
Just about every provider fully supports Windows, Mac OSX, Android and iOS platforms. Many also support Linux and Chrome OS (if only indirectly). Support for Blackberry OS and Windows Mobile devices, however, is much patchier.
To sign up for a VPN service, simply visit its website and follow the links. Your provider will give you instructions on what to do next. Our full reviews also all have a process section that runs through the whole process for each provider.
Interestingly, there does not appear to be much correlation between what you pay for the VPN and the service you receive. Therefore it's advisable to read our reviews (including readers' comments sections). You can also take advantage of any free trials and money-back guarantees to help you decide.
Free VPN services do exist, but these are mostly severely limited in some way. They also cannot be trusted not to sell your data. Running VPN services isn't cheap, so you have to consider how a free service can afford to operate. As the saying goes, if you don’t pay for a product, then you are the product!
That said, some reputable free VPN services do exist, most notably CyberGhost’s free offering. While limited, it is enough for many casual users, and is transparently funded through its premium offerings. VPN Gate is another option, and is run by volunteers.
Remember: no free VPN will give you anywhere near the performance or privacy benefits of a good commercial service.
Does a VPN Make Me Anonymous?
No. A VPN does not make you anonymous. The VPN provider can always* know who you are, and can see what you get up to on the internet. Privacy-oriented VPN services go to great lengths, however, to protect their customers’ privacy. This is why we say that VPN provides privacy (rather than anonymity).
While many providers promise to protect users’ privacy, such promises are not worth the digital ink they are printed on if the provider keeps logs. Remember: no VPN provider staff will go to jail (or ruin their business) to protect a customer. If the data exists, any VPN provider can be compelled to hand it over. Period.
If you want to use a VPN to gain privacy, then only a “no logs” provider will do. Unfortunately, when a provider claims to keep no logs, we just have to take its word for it. This is why the Edward Snowdens of this world prefer to use Tor.
Thus choosing a VPN provider comes down to a matter of trust. So how do you know a provider can be trusted? Well… privacy orientated VPN providers have built their business model on promising privacy. If it becomes known that they failed to do this (for example by keeping logs when they promised not to, then being compelled to hand these over to the authorities), their businesses would be worthless. They might also find themselves liable for legal action by the compromised individual.
Even when a provider keeps no logs, it can and will be able to monitor users’ internet activity in real-time. This is essential for troubleshooting and so forth – all the more so when no logs are kept.
Most no logs providers promise not to monitor users’ activity in real-time (unless necessary for technical reasons). However, most countries can legally demand that a provider start to keep logs on an individual. They can also issue a gag order to prevent the company alerting their customer of this.
This is, however, a specifically targeted demand or request (most providers will happily cooperate when it comes to catching pedophiles, for example). Thus only specific individuals already identified by the authorities need be too concerned.
Any company that cares about protecting their users’ privacy uses shared IPs. This means that many users are assigned the same IP address. Thus matching identified internet behavior with a specific individual is very difficult to do, even if a provider should wish (or is compelled) to do so. This goes a long way towards addressing the privacy issue outlined above.
What Does ‘No Logs’ Actually Mean? Usage Logs Vs. Connection Logs
Many providers claim to keep no logs. What they really mean is that they keep no ‘usage logs.’ They do however keep ‘connection logs.’
- Usage logs – this means details of what you get up to on the internet, such as which websites you visit. These are the most important (and potentially damaging) logs.
- Connection logs – this means metadata about users’ connections is logged, but not their usage. Exactly what is logged varies by provider. Typically this includes things like when you connected, how long for, how often, and so forth. Providers usually justify this as necessary for dealing with technical issues and instances of abuse. In general, we are not too bothered by this level of log keeping, but the truly paranoid should be aware that, at least in theory, such logs could be used to identify an individual with known internet behavior through an end-to-end timing attack.
Some providers claim to keep no logs of any kind (“no logs providers”). These are generally best for protecting privacy. Note: some critics argue it is impossible to run a VPN service without keeping logs. They believe those who claim to do so are being disingenuous.
However, as mentioned above, with a VPN provider everything comes down to trust. If a provider claims to keep no logs at all, we have to trust its ability to run the service without doing so.
Mandatory Data Retention
Something to be aware of when choosing a privacy-friendly VPN provider is where it is based (that is, under which country’s laws it operates). Many countries (including many European countries) require communications companies to keep logs for a certain amount of time. Whether these laws apply to VPN providers can vary somewhat. For example, in Europe, the Netherlands, Luxembourg, Romania, and Sweden are popular places to base a VPN service. This is because VPN providers in these countries are not required to keep logs.
If a VPN provider is based in a country that requires it to keep logs then it will do so, no matter what other impression it tries to give.
Paying for VPN Anonymously
More privacy-minded VPN companies allow you to pay for their services anonymously. The most common method is using Bitcoins*. Companies such as Private Internet Access will accept anonymously purchased store cards, and Mullvad will even take cash sent by post!
This adds an extra layer of privacy, as the VPN company does not know your real name, address, or banking details. It will, however, still know your real IP address**.
Accepting anonymous payment is often a good indicator that a VPN takes privacy seriously. This is hardly a guarantee, but not accepting anonymous payment is definitely poor show!
* Paying by Bitcoin is not inherently anonymous. However, if the correct steps are taken then a high degree of anonymity can be achieved. Please see my guide to Buying Bitcoins to pay for VPN anonymously for more details.
**An Exception to the Rule
An exception to the rule that VPN providers always know who you are is if you use a VPN through Tor. This means that you connect to the VPN service via the Tor anonymity network. Thus your VPN provider cannot see your true IP address.
If you sign up using Tor, and use an anonymous payment method, you can achieve a very high level of true anonymity. Be aware, however, that doing this combines the speed hit of both the VPN and Tor, making internet connections very slow.
So… Am I “Safe” if I Use a VPN?
Using a good no logs VPN service does provide a high degree of privacy. It will protect you from blanket government surveillance, prevent your ISP knowing what you get up to on the internet, prevent you being tracked by copyright owners when pirating stuff, and even provide a fair bit of protection when engaged in low level criminal activity.
It will not, however, protect you if the police, your government, or the NSA are specifically interested in you, and are willing to commit time and resources to investigating what you do online.
How Secure Am I?
VPN protects your data using encryption. I have two core articles discussing VPN encryption and the various terms used to describe it. They are rather technical for this beginners guide, but if the subject interests you then please do check them out:
The short version is that you should use OpenVPN (or maybe IKEv2) wherever possible. L2TP/IPsec is fine, but PPTP should be avoided at all costs. In my view it is irresponsible for a provider to even offer customers PPTP as an option!
As a point of reference, the minimum default settings for the OpenVPN protocol are:
Hash authentication: SHA-1
This is more than sufficient for most users. However, if you are the sort of person who worries about the NSA, then my minimum recommendation for a “secure” VPN connection that should be resistant against any known form of attack for the foreseeable future is:
VPN Protocol: OpenVPN with Perfect Forward Secrecy enabled
Hash authentication: SHA256
IP Leaks and Kill Switches
If your VPN is working properly then it should completely hide your IP address from any website you visit. Unfortunately, for a variety of reasons, this is not always the case. When a website can detect your true IP address when using a VPN, it means you have an IP leak.
To determine if you have an IP leak, visit ipleak.net. If you are connected to a VPN and you can see your true IP address (or even just your ISP’s name) anywhere on this page, then you have an IP leak. Note that ipleak.net does not detect IPv6 leaks. To test for these you should visit test-ipv6.com.
If you detect a leak please consult A Complete Guide to IP Leaks in order to find out why it is happening, and how to fix it.
A related issue is VPN dropouts. Every VPN connection will occasionally fail. With a good VPN provider this should not happen often, but it occasionally happens even to the best. If your computer remains connected to the internet after a dropout, your real IP will be exposed.
The solution is a VPN kill switch. This either monitors your internet connection and shuts it down when it detects a VPN dropout, or uses firewall rules to prevent any internet traffic leaving your computer outside of your VPN connection.
Many VPN providers include a kill switch as part of their VPN software. Third party options are also available. Alternatively, if you are feeling brave you can configure your own using firewall rules. Please see here for more discussion on kill switches, including how to configure OpenVPN for Android as a kill switch.
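As an added illustration of the firewall-rule approach described above (this is not code from this guide or from any VPN provider), the script below prints, without applying, the iptables rules for a Linux kill switch. The server address 203.0.113.10, UDP port 1194, the interface name tun0 and the LAN range are placeholder assumptions.

```shell
#!/bin/sh
# Added example: prints (does not apply) firewall rules for a VPN kill switch.
# All addresses, ports and interface names used here are placeholders.

# Usage: killswitch_rules SERVER_IPV4 PROTO PORT TUN_IF [LAN_CIDR]
killswitch_rules() {
    ks_server=${1:-}; ks_proto=${2:-}; ks_port=${3:-}; ks_tun=${4:-}; ks_lan=${5:-}

    # Reject bad input rather than emit rules that do not do what is expected.
    case $ks_server in
        ''|*[!0-9.]*)
            # A hostname cannot be used: once the default policy is DROP,
            # the DNS lookup needed to resolve it would itself be blocked.
            echo "server must be a literal IPv4 address" >&2; return 2 ;;
    esac
    case $ks_proto in
        udp|tcp) ;;
        *) echo "proto must be udp or tcp" >&2; return 2 ;;
    esac
    case $ks_port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;;
    esac
    case $ks_tun in
        ''|*[!A-Za-z0-9_.-]*) echo "bad tunnel interface name" >&2; return 2 ;;
    esac
    case $ks_lan in
        *[!0-9./]*) echo "LAN range must be IPv4 CIDR" >&2; return 2 ;;
    esac

    # Default-deny outbound traffic. If the tunnel interface disappears
    # during a dropout, ordinary traffic matches no ACCEPT rule and is
    # dropped instead of leaving through the physical interface.
    echo "iptables -F OUTPUT"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Anything routed into the tunnel is allowed.
    echo "iptables -A OUTPUT -o $ks_tun -j ACCEPT"
    # The only flow allowed outside the tunnel is the encrypted
    # connection to the VPN server, so the client can (re)connect.
    echo "iptables -A OUTPUT -d $ks_server -p $ks_proto --dport $ks_port -j ACCEPT"
    # Optional: keep local devices (printer, router admin page) reachable.
    if [ -n "$ks_lan" ]; then
        echo "iptables -A OUTPUT -d $ks_lan -j ACCEPT"
    fi

    # IPv6 is filtered separately; without these rules IPv6 traffic
    # could still leave outside the tunnel (an IPv6 leak).
    echo "ip6tables -F OUTPUT"
    echo "ip6tables -P OUTPUT DROP"
    echo "ip6tables -A OUTPUT -o lo -j ACCEPT"
    echo "ip6tables -A OUTPUT -o $ks_tun -j ACCEPT"
}

# Constructed sample invocation: review the output before running it as root.
killswitch_rules 203.0.113.10 udp 1194 tun0 192.168.1.0/24
```

The rules replace the existing OUTPUT chain and do not survive a reboot unless saved with your distribution's firewall persistence mechanism.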
Can I Torrent Safely Using a VPN?
Yes, as long as you use a provider that permits it. Not all do, so check! With a VPN, your data is encrypted so that your ISP cannot see what you are doing online. Your IP is also shielded by your VPN provider.
When P2P downloading via BitTorrent (or streaming using Popcorn Time) everyone who is downloading the same file can easily see the IP address of everyone else who is downloading that file (hence the names P2P and filesharing!). When using a VPN, someone tracking that file will only see the IP of your VPN server, not your real IP address.
VPN companies get bombarded with DMCA-style copyright infringement notices due to users’ activities all the time. Some prefer to cooperate with copyright holders. This means they might hand over the names of infringing customers for further legal action. Others simply try to keep copyright holders happy by issuing warnings, and ultimately disconnecting repeat offenders.
Some providers, however, are happy to let customers P2P download, and make a good business out of protecting their identities. Keeping no logs is always a good start here! If your VPN provider allows P2P then you can download in safety.
When SmartDNS is Better
Many people use VPN primarily to evade geo-restrictions in order to watch TV streaming services that are blocked to international users (or which offer better catalogs to users in certain countries).
If this is the only reason you want a VPN, and you are not interested in the privacy and security advantages that a VPN brings, then you may be better off using a SmartDNS service instead.
SmartDNS uses much simpler technology and does not encrypt your connection, which makes it faster than a VPN (so there are fewer buffering issues, though distance remains an issue). It can be configured on many internet devices that cannot run a VPN client, such as Smart TVs, media streaming devices, and games consoles (as every internet capable device has DNS settings that can be changed).
SmartDNS services are also usually cheaper than VPN ones. For more information please visit our sister-site SmartDNS.com.
Do VPNs Work on Mobile Devices?
VPNs are well-supported on the iOS and Android platforms. As with desktop computers, a VPN will encrypt your data and hide your IP address for all internet connections. When accessing websites through your browser or P2P downloading, therefore, you are fully protected when using a VPN.
However… mobile apps have many ways other than your IP address to determine your identity, and know what you are doing online. Apps often have access to GPS data, contact lists, Google Play/Apple Store ID, and more. Many apps send this and all sorts of other personal data directly to their parent companies (thereby bypassing your VPN).
As if this wasn’t bad enough, the ads used in many apps as a way for developers to monetize their product are a whole privacy nightmare just by themselves!
To gain the full benefits of a VPN on a mobile device you should therefore access websites and services via their web page or web interface using your browser (preferably the open source and privacy-friendly Firefox), rather than through dedicated apps.
The usual way to run a VPN is via a software app running on each device you wish to connect to a VPN service. Another option is to setup your router so that it connects to a VPN service. Many modern routers have a VPN client built-in, which can usually be configured via the router’s admin page.
It is also possible to flash routers with third party firmware such as DD-WRT and Tomato, which include a VPN client. Indeed, some providers offer pre-flashed routers that have been pre-configured for their service.
The main advantages of using a VPN router are:
- Every device that connects to the router is protected by the VPN
- This includes devices that cannot run VPN software themselves, such as smart TVs, games consoles, and Roku boxes. This is very useful for geo-spoofing.
- The router counts as just one VPN connection as far as your provider is concerned. This means you can connect an unlimited number of devices to the VPN at once via the router.
All of which is great! Except that encrypting and decrypting VPN data is very processor-intensive (especially when using OpenVPN). And most routers are simply not up to the job. Beefy hardware, such as that found in the ExpressVPN Router, is required in order to prevent the router from slowing down your internet connection.
This is particularly true of the slew of mini VPN boxes that have hit the market recently, such as the Anonabox or PandaPow WiFi. The hardware in such devices is so underpowered for the job at hand that you can expect to lose 90 percent or more of your internet connection speed when using them.
What a VPN Does Not Do
Using a VPN does meaningfully improve your privacy and security, but it is important to understand that it will not help with some things.
- A VPN does not provide anonymity – as already discussed. If the NSA is after you, a VPN will not help, and we consider any VPN provider that says a VPN will make you “anonymous” (as many do) to be highly irresponsible.
- A VPN does not prevent tracking by websites. Hiding your IP address with a VPN helps a bit, but most tracking performed by websites and by marketing and analytics companies is performed using tracking technologies such as cookies and worse (including browser fingerprinting), which a VPN will not help with. The best defense against this form of tracking is to use various browser add-ons and tweaks.
Beginners VPN Guide: Conclusion
A VPN is a very versatile tool, and one that for a few bucks a month will greatly enhance your internet experience, decrease your chances of being hacked, and prevent your government from watching everything you do online (this last point is why I personally use a VPN religiously).
My hope with this guide is that you will now be able to make informed choices about which VPN service is right for you. If any terms here still confuse you, we have a Glossary designed to help.