Alternative VPN Choices for You
Allowing you to connect up to seven devices to the VPN at once is very generous. Most of CyberGhost’s servers are located in Europe or North America, but there are also some in South East Asia and Australia.
P2P torrenting is allowed on many servers, although not in the United States or Canda due to their very hostile copyright environments. North Americans can still download using European servers, however.
As is typical of larger VPN services offering many server locations, CyberGhost uses a mix of bare metal and virtual servers. For most users this makes no real difference, but it would be nice of CyberGhost labeled which of its servers are bare metal for the benefit of users who require high levels of privacy.
As we shall see later in this review, CyberGhost supports split-tunneling and website exemption via its client. Its desktop apps also offer “Extra features” which block malicious websites, ads, and online tracking, and force HTTPS connections when they are available
Does CyberGhost unblock Netflix and other streaming services?
One advantage of being a large VPN company is having the resources to overcome the VPN blocks put into place by many streaming services. CyberGhost's "Ghost streaming" feature successfully unblocks a long list such services, including the popular US Netflix and BBC iPlayer, although it does not unblock other regional Netflix libraries.
Speed and performance
Speed tests are performed using our groovy speed test system. This provides a scientific and objective way to measure and compare VPN speed performance. Please see here for more details.
CyberGhost's raw global average speeds are little... average, which is to be expected from a company whose servers are mainly based in Europe and North America. Its Max burst speeds, however, and absolutely fantastic. This greatly improves its weighted average results, and means anyone located reasonably close to one of its servers can expect blazing fast performance.
DNS lookup time is a good measure of how fast users' perceive their connection to be as it affects web page loading times. CyberGhost's results are very erratic on this metric, but are overall rather slow.
We run basic test IP leak tests by visiting ipleak.net. These include IPv4 and IPv6 DNS leak tests and Ipv4 and IPv6 WebRTC leak tests. Please see A Complete Guide to IP Leaks for a full discussion of what all this means. Basically, though, if we can see our real IP address or an IP address belonging to our real ISP when using the VPN, then that’s not good.
Please note that Private Use RFC IPs are local IPs only. They cannot be used to identify an individual, and so do not constitute an IP leak.
CyberGhost says that its software has DNS leak and IP leak protection built-in, and in my Windows tests it passed all tests with flying colors. WebRTC is not disabled as it can be useful, but WebRTC leaks are blocked by the client.
In macOS, however, I did detect an IPv6 WebRTC leak (even after a reboot). Mac users who also lucky enough to have an ISP that offers IPv6 connectivity should either disable IPv6 on their system (see the optional section for macOS in How to Change your DNS Settings) or disable WebRTC in their browser.
All CyberGhost users have access to all CyberGhost's features, but you get better value when you order a longer subscription. It also offers a 7-day free trial plus a 30-day “no questions asked” money back guarantee. Which means you can test it risk-free!
Payment is via credit/debit card, PayPal, or direct debit. Additional payment options may be available depending on your country of residence. CyberGhost also accepts payment in Bitcoin. This does allow for potentially anonymous payment, but please remember that no matter how anonymously you pay, CyberGhost will always know your real IP address.
Ease of Use
In order to sign-up for a CyberGhost account, you need to provide a valid email address and payment details. As already noted, CyberGhost accepts potentially anonymous payment in Bitcoin. Once payment is done, you will be sent a confirmation email with links to download software etc.
CyberGhost offers custom VPN apps for Windows, macOS, iPhone, and Android. It also provides guides for manually setting up OpenVPN and L2TP/IPsec connections on these platforms, plus Linux, various routers, and Chrome OS. In addition to this, CyberGhost now offers free proxy browser add-ons for Chrome and Firefox.
The CyberGhost 6 Windows Client
CyberGhost is very keen to highlight that its software is German-made. Please see this interview I did with CyberGhost CEO Robert Knapp for an explanation why CyberGhost considers this important.
CyberGhost organizes its Windows client around typical tasks you might want to perform using the VPN. This is a clear and intuitive layout.
The Ghost Downloads tab, for example, brings up various features and options you might want while torrenting.
The Ghost Streaming tab lists various streaming services that CyberGhost claims to work with. I was not able to test the subscription services, but all the free ones I tested did indeed work as advertised. CyberGhost now fully supports Netflix and BBC iPlayer streaming
You can chose between OpenVPN UDP and OpenVPN TCP. There is no port selection feature, however, so you cannot use TCP port 443 to evade censorship.
WiFi protection is a feature that I am seeing more and more in custom VPN clients. It will alert you whenever you connect to an unsecured WiFi network, and will automatically enable the VPN if it is not active. I have not had an opportunity to test this feature, but I can see its value.
CyberGhost offers an interesting feature called App Protection. A VPN usually protects your entire internet connection, but App Protection allows you to specify that only certain apps are protected by the VPN. This is also known as split-tunneling.
A kill switch is not mentioned in the client, but I was informed by staff that an automatic one is baked-in. If this is the case then it must be the kind that detects if a VPN connection has dropped before disconnecting the VPN, or which uses its own firewall rules rather than Window's. The second option is better, but does mean that when I force-closed the CyberGhost VPN client in Task manager to simulate a software crash, my internet still worked.
Overall, the Windows client looks good, sports lots of useful features, is easy to use, and works well.
The CyberGhost 6 MacOS Client
The Mac client looks different to the Windows client, and is not organized around "typical tasks." It instead uses the much more traditional format of just pick a country and/or server, then hit the "Start" button. This means there is considerably less hand-holding than with the Windows client. Whether this is a good or bad thing will be entirely subjective.
There is no dedicated streaming tab, but CyberGhost does now support Netflix streaming in macOS. WiFi protection and split tunneling options are missing from the Mac client. You can exempt websites, however.
It is a bit of a shame that the macOS client is not as fully-featured as the Windows client, but it is still more fully-featured than many custom client from other providers.
The CyberGhost Android app
The app does not ask for any special permissions during install, which is very welcome. As with the Windows client, the Android app is organized around "typical tasks." These are: Secured Streaming, Surf Anonymously (a term I hate - VPNs provide privacy not anonymity), and Choose My Server. WiFi Auto-Protect is also supported.
The app looks very professional and offers many of the features found in the desktop client.
The Android app fully supports steaming profiles - including US Netflix and BBC iPlayer. I tested Netflix, and it worked both on its mobile web page and the Netflix app.
I detected no IP leaks while using the Android app (although not IPv6 tested).
The browser add-ons
The free browser proxy add-ons appear identical for Chrome and Firefox. They allow you to connect to servers in Germany, Netherlands, Romania, and the United States.
Proxy connections are encrypted using HTTPS (that is, they are HTTPS proxies). This means they act very much a regular VPN except that they affect the browser only. Cyberghost states that these add-ons do not provide protection against WebRTC leaks, but I did not detect any such leaks anyway. I am impressed to note that add-ons unblock US Netflix!
The CyberGhost website has a friendly feel to it, helped by the company’s distinctive ghost logo. It is also available in eight languages, which is great for accessibility. There is plenty of information available on the website about the company, its features, and suchlike.
The Help section opens onto CyberGhost’s older website, which can be a little confusing when it comes to navigating around. It is very comprehensive, but most articles relate to CyberGhost’s free and legacy services. It is often far from clear whether all information presented in the Help section still applies.
In addition to how-to guides and an extensive help section, direct support is available via 27/4 Live Chat, with native support for French and German. The Live Chat staff member I talked to was quick to answer and friendly. He also answered most questions just fine.
I don’t expect front-line support staff to be technological whizz-kids, so did not mind when he referred more deeply technical questions to be answered later by via email… Which took more that a day before I received a response and which utterly failed to address my detailed questions about the OpenVPN encryption CyberGhost uses. Fail.
CyberGhost has since told me that it has hired 10 new support agents. This should improve matters, although customer service tests we performed for our last VPN Awards still produced somewhat mixed results.
CyberGhost itself is based in Romania, which is widely regarded as very privacy-friendly. Romanian courts struck down the EU Data Retention Directive on constitutional grounds long before it was declared illegal by the European Court of Justice. Romania is also not a 14-Eyes spying alliance nation, and has no known ties to the NSA. All of which is great.
CyberGhost has, however, recently been acquired by Kape Technologies PLC - a company based in the Isle of Man and headquartered in Tel Aviv. The Isle of Man is a self-governing Crown dependency. The UK government has very little direct influence on such independently administered jurisdictions, but could conceivably exert considerable diplomatic pressure.
That said, any such pressure would be very indirect, as CyberGhost itself is based in Romania. This allows it to offer a very robust no-logs policy:
“Log data: CyberGhost keeps no logs which enable interference with your IP address, the moment or content of your data traffic. We make express reference to the fact that we do not record in logs communication contents or data regarding the accessed websites or the IP addresses.
CyberGhost VPN records exclusively for statistical purposes non-personal data (such as for example, data regarding the utilization degree of the servers), which do not represent in any moment a danger for your anonymity. Such serve exclusively for the improvement of the service quality.”
This means that CyberGhost logs no information that be used to identify users. Is it 100% no logs? I think it is close enough not be worth quibbling over.
CyberGhost publishes a transparency report. This still relies on trusting CyberGhost to report all incidents, but is nevertheless a reassuring show of dedication to openness. It also provides a great insight into the kind of issues a large VPN company such as CyberGhost must routinely deal with.
VPN Protocols and Encryption
CyberGhost primarily uses the OpenVPN protocol to secure connections, but also suports L2TP/IPsec and the new IKEv2. For OpenVPN it uses the folowing encryption settings:
Data channel: an AES-256-CBC cipher with SHA256 hash authentication. Control channel: an AES-256 cipher, RSA-4096 key encryption and SHA384 hash authentication. Perfect forward secrecy is provided by an ECDH-4096 key exchange.
This is a fantastic OpenVPN setup! And unlike many providers, CyberGhost does not use publicly available pre-shared keys (PSKs) for its L2TP connections. This is also good.
For information on what all this means, please see VPN Encryption: The Complete Guide.
Privacy Badger detected a couple of potential trackers on the CyberGhost website, but these seem fairly benign. One of these trackers belongs to Google, but only relates to fonts. It is good to see an absence of Google Analytics trackers.
Other security considerations
CyberGhost last year caused concern by issuing a root certificate (now removed from the software) and logging users’ hardware ID. CyberGhost may well have acted in good faith in both these cases, as it claims, but these incidents are nevertheless rather worrying from a privacy perspective.
Of even greater concern is a paper published this year which named CyberGhost’s Android VPN app among those found to be “malicious and intrusive,” and for testing positive for malware. CyberGhost has always strenuously denied any wrongdoing, and it is indeed common for anti-virus scanners to generate “false positives." For what it's worth, I downloaded an .apk of the latest Android app and VirusTotal gave it a clean bill of health.
The fact that CyberGhost is now owned by Kape Technologies is also of some concern. Its CEO is a rather colorful character, and under its previous name if Crossrider, Kape Technologies was involved in some highly dubious behavior.
The Windows and macOS clients both feature full IPv4 and IPv6 leak protection, plus have a kill switches. As already noted, though, Mac users with IPv6 connections should take additional steps to prevent leaks via WebRTC. CyberGhost hosts its own DNS servers for maximum privacy but offers no special obfuscation tech. Most VPN users have no need of such technologies, anyway, but those looking for a VPN to access the open internet from places such as China or Egypt should look elsewhere.
The desktop client offers a number of “extra features." It is very difficult, however, to assess their effectiveness – especially as no feedback or information is available on what they are doing.
They may well be great tools, but we would much rather trust respected open source browser add-ons such uBlock Origin, Privacy Badger, and HTTPS Everywhere for this kind of functionality. It is worth noting that CyberGhost tells us "the https feature is 100% based on HTTPS Everywhere." This sounds great, although the fact that the code is closed means there is no way to verify this claim.
Data compression uses standard LZO compression (which is performed by most VPN services), and re-encodes JPEGs into lower quality images - "thus optimizing them for size".
“Extra speed” connects you to faster premium servers, and is always-on for paying customers.
CyberGhost is very proud of its no-spy servers, which are the result of a crowdfunding campaign. These are servers located in Romania on premises owned and entirely managed by CyberGhost. This means that CyberGhost has complete control over the servers, rather than having to rely on a third party server provider.
CyberGhost's bold claim that these servers are "out of NSA reach" should be taken with a pinch of salt. If the NSA wants your data badly enough, it can almost certainly get it one way or another. However... running its own server center does make the data stored in it much more secure. And as noted above, the USA has no legal purchase in Romania. Unfortunately, these No-spy servers only currently seem available to original backers of the crowdfunding campaign.
CyberGhost is a very good VPN service. Its software is easy-to-use while also being fully featured. It uses very strong encryption, and seven simultaneous connections is generous. Being based in Romania and keeping (almost) no logs is also a big draw, although concern over the past behavior of its new owners is valid.
All-in-all, CyberGhost’s great logging policy, decent local (burst) speeds, and fully featured software are a winning combination. And with a 7-day free premium trial plus 30-day no-quibble money back guarantee, there is zero reason not to give it a whirl.