The Most Secure VPN Services in 2018

A VPN's ability to provide users with a secure connection is a fundamental one, but some services do a much better job of this than others. In this guide we take a look at the most secure VPNs available, so you can be sure your provider takes your privacy as seriously as you do.

The most secure VPN: Summary

  1. ExpressVPN - A super secure VPN service that doesn't compromise on speed and is recognized as the best
  2. NordVPN - Well implemented encryption and a large choice of superb privacy features, a close second.
  3. PrivateInternetAccess - Extremely well implemented OpenVPN and a no logs policy at a breathtaking price
  4. CyberGhost - An easy to use and robust service for anyone new to VPNs
  5. AirVPN - Allows users to connect to VPN servers via the Tor service and has an excellent reputation for security

The mark of a secure VPN is that it uses strong technical security to keep you safe on the internet. This means that it uses strong encryption, does not leak your real IP address to websites that you visit, and provides a kill switch to prevent accidental exposure of your details.

Before looking in detail at these aspects of VPN security, let’s first check out which VPNs our experts agree are best for technical security, and why…

Top 5 Fully Encrypted VPN Services

1. ExpressVPN

BestVPN.com Score 9.7 out of 10
Editor's Choice

ExpressVPN’s focus on providing a great customer-focused experience has always impressed me. Central to this is 24/7 live chat support, a genuinely no-quibbles 30-day money-back guarantee, and easy-to-use apps for all major platforms. ExpressVPN matches this with truly outstanding technical security that just pips other secure VPNs at the post. It implements an AES-256 cipher for OpenVPN, with an RSA-4096 handshake and SHA-512 keyed-hash message authentication code (HMAC). Perfect forward secrecy is provided courtesy of Elliptic Curve Diffie–Hellman (ECDH) key exchanges for data channel encryption. This is great. In addition, unlike most iOS apps, the ExpressVPN iOS app uses OpenVPN. Add in full Domain Name System (DNS) leak and Web Real-Time Communication (WebRTC) leak protection, along with a firewall-based kill switch, and it is clear that ExpressVPN offers exceptional VPN security. Additional features: three simultaneous connections, “stealth” servers in Hong Kong, free Smart DNS, .onion web address.

VPN Stats

  • Server Locations 94
  • Average Speed 72.69 Mbit/s
  • Simultaneous Connections 3
  • Jurisdiction British Virgin Islands

Likes

  • Super fast - great for streaming!
  • Very secure 256-bit encryption
  • Unlimited downloading
  • 30-day money-back guarantee
  • 5* 24/7 customer support

Dislikes

  • IPv6 WebRTC leaks (fixed by browser extension)
  • A little pricey
  • BVI jurisdiction is not ideal

Features

Total servers 2000
Countries 94
Simultaneous connections 3
Bare metal or virtual servers A combination
Router Support
Routers Supported Asus RT-AC56R, Asus RT-AC56S, Asus RT-AC56U, Asus RT-AC68U, Asus RT-AC87U, Linksys EA6200, Linksys WRT1200AC, Linksys WRT1900AC 13J1, Linksys WRT1900AC 13J2, Linksys WRT1900ACS, Linksys WRT3200ACM, Netgear R6300v2, Netgear Nighthawk R7000
Allows torrenting
Port forwarding
Port selection

Supported platforms

Windows
MacOS
iOS
Android
Linux
Windows Phone

Protocols offered

PPTP
L2TP/IPsec
SSTP
IKEv2
OpenVPN

Privacy

Jurisdiction British Virgin Islands
Logs Traffic
Logs Connections
Logs Timestamps
Logs Bandwidth
Logs IP Address
Logs Aggregated or Anonymized Data
Website tracking? N/A

Performance

BestVPN.com SpeedTest (max/burst) 149.77
BestVPN.com SpeedTest (average) 72.69
Data limits
Bandwidth limits
IPv4 leak detected?
IPv6 leak detected?
WebRTC leak detected?

Payment

Visa/MasterCard
Amex
Cryptocurrency

Security

Kill Switch
Obfuscation (stealth)
Self-hosted/Proxied DNS Yes
IPv4 leak protection
IPv6 leak protection
WebRTC leak protection

Support

Free trial No
24-hour support
Live chat support
Money-back Guarantee
Money back guarantee length 30

Unblocks:

Netflix
iPlayer

2. NordVPN

BestVPN.com Score 9.8 out of 10

NordVPN is a secure service with a zero logs policy, which makes it perfect for people who demand high levels of privacy from their VPN provider. When it comes to encryption, NordVPN implements OpenVPN as default on Android and Windows. In addition, outdated protocols such as PPTP are completely unavailable (which is a blessing). OpenVPN is implemented well above our minimum standards for security (AES-256-CBC cipher with an RSA-2048 handshake and HMAC SHA256 data authentication). Perfect Forward Secrecy (PFS) is provided by a DHE-4096 key exchange. This means the VPN's encryption can be considered "military grade." On the iOS app, Nord is also secure. However, it does not implement OpenVPN. Instead, it uses IKEv2 implemented with a robust AES-256-GCM cipher and HMAC SHA2-384 data authentication. PFS is provided by a DHE-3072 exchange. NordVPN is based in Panama, which means that it falls outside snooping jurisdictions like the UK and the US. In addition, the VPN implements a full suite of security features such as a kill switch, DNS leak protection, Tor through VPN, obfuscated servers (XOR), and double hop encryption.

VPN Stats

  • Server Locations 62
  • Average Speed 56.37 Mbit/s
  • Simultaneous Connections 6
  • Jurisdiction Panama

Likes

  • Based in Panama (great for privacy)
  • Six simultaneous connections
  • Works with US Netflix and BBC iPlayer
  • Dedicated IPs (cost extra)

Dislikes

  • IPv6 leak in macOS IKEv2 app

Features

Total servers 4568
Countries 62
Simultaneous connections 6
Bare metal or virtual servers Combination
Router Support
Routers Supported Raspberry Pi Tomato Synology DD-WRT AsusTOR AsusWRT AsusWRT-Merlin pfsense D-Link Linksys TP-Link OpenWRT belkin DrayTek Qnap Arris TOTOLink Mikrotik Huawei Tenda WD MikroTik IPFire TRENDnet EdgeRouter GLiNet NetDuma Fortinet Sabai ubee
Allows torrenting
Port forwarding
Port selection

Supported platforms

Windows
MacOS
iOS
Android
Linux
Windows Phone

Protocols offered

PPTP
L2TP/IPsec
SSTP
IKEv2
OpenVPN

Privacy

Jurisdiction Panama
Logs Traffic
Logs Connections
Logs Timestamps
Logs Bandwidth
Logs IP Address
Logs Aggregated or Anonymized Data
Website tracking? Google Analytics

Performance

BestVPN.com SpeedTest (max/burst) 212.35
BestVPN.com SpeedTest (average) 56.37
Data limits
Bandwidth limits
IPv4 leak detected?
IPv6 leak detected?
WebRTC leak detected?

Payment

Visa/MasterCard
Amex
Cryptocurrency

Security

Kill Switch
Obfuscation (stealth)
Self-hosted/Proxied DNS Yes
IPv4 leak protection
IPv6 leak protection
WebRTC leak protection

Support

Free trial Yes - 3 Days
24-hour support
Live chat support
Money-back Guarantee
Money back guarantee length 30

Unblocks:

Netflix
iPlayer

3. PrivateInternetAccess

BestVPN.com Score 8.9 out of 10

PIA is based in the US, so is not a provider for the more NSA-phobic out there. However, it keeps no logs, which is a claim that it has proven in court! And although optional, its security can be first rate. At maximum settings, OpenVPN encryption uses an AES-256 cipher with HMAC SHA256 for authentication and an RSA 4096 handshake for the data channel, and an AES-256 cipher with HMAC SHA384 authentication for the control channel. Perfect Forward Secrecy is delivered with a Diffie–Hellman exchange (DHE) for RSA handshakes (or ECDHE+ECDSA for ECC handshakes). PIA’s desktop software supports multiple security options, a VPN kill switch, DNS leak protection, and port forwarding. Up to 5 simultaneous connections are permitted. Its Android client is almost as good, and PIA boasts excellent connection speeds.

VPN Stats

  • Server Locations 32
  • Average Speed 48.46 Mbit/s
  • Simultaneous Connections 5
  • Jurisdiction USA

Likes

  • Cheaper than most similar VPNs
  • Great for privacy and security
  • Lots of encryption options (including OpenVPN, our recommended protocol)
  • Fast connection speeds for streaming
  • Servers all over the world

Dislikes

  • Not the best VPN for beginners who need hands-on support
  • Doesn’t unblock some popular websites (Netflix US and BBC iPlayer for instance)

Features

Total servers 3500
Countries 32
Simultaneous connections 5
Bare metal or virtual servers Bare metal
Router Support
Routers Supported DD-WRT, Tomato, PfSense, LEDE, Merlin, AsusWRT
Allows torrenting
Port forwarding
Port selection

Supported platforms

Windows
MacOS
iOS
Android
Linux
Windows Phone

Protocols offered

PPTP
L2TP/IPsec
SSTP
IKEv2
OpenVPN
Other protocols Cisco iPsec

Privacy

Jurisdiction USA
Logs Traffic
Logs Connections
Logs Timestamps
Logs Bandwidth
Logs IP Address
Logs Aggregated or Anonymized Data
Website tracking? Google Analytics

Performance

BestVPN.com SpeedTest (max/burst) 200.43
BestVPN.com SpeedTest (average) 48.46
Data limits
Bandwidth limits
IPv4 leak detected?
IPv6 leak detected?
WebRTC leak detected?

Payment

Visa/MasterCard
Amex
Cryptocurrency

Security

Kill Switch
Obfuscation (stealth)
Self-hosted/Proxied DNS Proxy
IPv4 leak protection
IPv6 leak protection
WebRTC leak protection

Support

Free trial No
24-hour support
Live chat support
Money-back Guarantee
Money back guarantee length 7

Unblocks:

Netflix
iPlayer

4. CyberGhost

BestVPN.com Score 9.5 out of 10

CyberGhost's software is easy to use while also being very fully featured. It uses very strong encryption, and 5 simultaneous connections is generous. Being based in Romania and keeping no meaningful logs is also a big draw. CyberGhost’s great logging policy, decent local (burst) speeds, and fully featured software are a winning combination. And with a 7-day free premium trial plus 30-day no-quibble money back guarantee, there is zero reason not to give it a whirl. The OpenVPN encryption used by CyberGhost is as strong as it gets. The data channel uses an AES-256-CBC cipher with SHA256 hash authentication, and the control channel uses an AES-256 cipher, RSA-4096 key encryption and SHA384 hash authentication. Perfect forward secrecy is provided by an ECDH-4096 key exchange. CyberGhost's software is easy to use while also being very fully featured. It uses very strong encryption, and 7 simultaneous connections is generous. Being based in Romania and keeping no meaningful logs is also a big draw. Like ExpressVPN, some minimal statistics are kept, but with no time stamp or IPs recorded, these present no threat to users’ privacy. CyberGhost’s superb logging policy, decent local (burst) speeds, and fully featured software are a winning combination. And with a 30-day no-quibble money back guarantee, there is zero reason not to give it a test run.

VPN Stats

  • Server Locations 60
  • Average Speed 61.69 Mbit/s
  • Simultaneous Connections 7
  • Jurisdiction Romania

Likes

  • Private: Great logs policy
  • Based in Romania so no government spying!
  • Good looking and easy-to-use software: Seven simultaneous connections
  • Friendly Live Chat support
  • Peer-to-peer (P2P) torrenting allowed

Dislikes

  • Not much

Features

Total servers 2750
Countries 60
Simultaneous connections 7
Bare metal or virtual servers A combination
Router Support
Routers Supported Any router with VPN capabilities
Allows torrenting
Port forwarding
Port selection

Supported platforms

Windows
MacOS
Android
Linux
Windows Phone

Protocols offered

PPTP
L2TP/IPsec
SSTP
IKEv2
OpenVPN

Privacy

Jurisdiction Romania
Logs Traffic
Logs Connections
Logs Timestamps
Logs Bandwidth
Logs IP Address
Logs Aggregated or Anonymized Data
Website tracking? Trackers used

Performance

BestVPN.com SpeedTest (max/burst) 138.01
BestVPN.com SpeedTest (average) 61.69
Data limits
Bandwidth limits
IPv4 leak detected?
IPv6 leak detected?
WebRTC leak detected?

Payment

Visa/MasterCard
Amex
Cryptocurrency

Security

Kill Switch
Obfuscation (stealth)
Self-hosted/Proxied DNS Yes
IPv4 leak protection
IPv6 leak protection
WebRTC leak protection

Support

Free trial No
24-hour support
Live chat support
Money-back Guarantee
Money back guarantee length 30

Unblocks:

Netflix
iPlayer

5. AirVPN

BestVPN.com Score 9.5 out of 10

AirVPN is at the top of the game when it comes to fast, secure VPN technology, but its tech-heavy focus and rather brusque support manner alienate many would-be users. OpenVPN uses AES-256 with an RSA-4096 handshake, HMAC SHA1 data channel authentication, HMAC SHA384 control authentication, and DHE-4096 for perfect forward secrecy. It allows users to connect completely anonymously to its servers via the Tor network, and can hide OpenVPN communications inside a Secure Shell (SSH) and Secure Sockets Layer (SSL) tunnel. The open source desktop client disables IPv6, and its “network lock” feature acts as a kill switch and prevents DNS leaks. WebRTC leaks are blocked by both the network lock function and at the server level. This protects users from WebRTC leaks, even when using the generic OpenVPN app. Furthermore, AirVPN runs its own bare metal servers. Additional features: real-time user and server statistics, three-day free trial, three simultaneous connections.

VPN Stats

  • Server Locations 19
  • Average Speed N/A Mbit/s
  • Simultaneous Connections 5
  • Jurisdiction Italy

Likes

  • No logs
  • Strong encryption (including Perfect Forward Secrecy)
  • Port forwarding
  • Accepts Bitcoins (and other crypto-currency)
  • 3-day free trial

Dislikes

  • Not a huge number of server locations
  • Italy is not an ideal location

Features

Total servers 250
Countries 19
Simultaneous connections 5
Bare metal or virtual servers Bare metal
Router Support
Routers Supported Asus AsusWRT based routers
Allows torrenting
Port forwarding
Port selection

Supported platforms

Windows
MacOS
iOS
Android
Linux
Windows Phone

Protocols offered

PPTP
L2TP/IPsec
SSTP
IKEv2
OpenVPN

Privacy

Jurisdiction Italy
Logs Traffic
Logs Connections
Logs Timestamps
Logs Bandwidth
Logs IP Address
Logs Aggregated or Anonymized Data
Website tracking? No tracking

Performance

Data limits
Bandwidth limits
IPv4 leak detected?
IPv6 leak detected?
WebRTC leak detected?

Payment

Visa/MasterCard
Cryptocurrency

Security

Kill Switch
Obfuscation (stealth)
Self-hosted/Proxied DNS Yes
IPv4 leak protection
IPv6 leak protection
WebRTC leak protection

Support

Free trial Yes - 3 days
24-hour support
Live chat support
Money-back Guarantee

Unblocks:

Netflix
iPlayer

Note that this article is aimed at more advanced VPN users and assumes that you have some understanding of what VPNs are and what they can do. If you don’t, then worry not! Please check out our excellent VPNs for Beginners guide for a comprehensive introduction to this subject.

Encryption and VPN protocols

Below is a summary, but for a much more detailed (but accessible) look at this subject, please check out VPN Encryption: The Complete Guide.

In order to connect securely, VPN software on your device negotiates an encrypted connection with the VPN server. The mechanism used to do this is called the VPN protocol, which uses a suite of authentication and encryption algorithms to ensure the connection is secure.

The only VPN protocols you are likely to encounter are:

PPTP

A widely supported VPN protocol that is no longer considered secure. There is very little reason to use it these days, and it should, therefore, be avoided.

L2TP(/IPsec)

A widely supported protocol. It’s not secure against the NSA but is suitable for general use. That said, why bother when IKEv2 and OpenVPN are available?

IKEv2

A new standard that is fast and is widely considered very secure. Because of this, it is quickly gaining popularity with VPN services, but it is not mature and has not been battle-tested in the way that OpenVPN has.

Mobile users, in particular, may prefer IKEv2 thanks to its improved ability to reconnect when an internet connection is interrupted (such as when switching between networks or between WiFi and mobile connections).

OpenVPN

An open-source protocol that is widely regarded as the most secure and versatile VPN protocol available. We generally always recommend using OpenVPN whenever possible (although IKEv2 is also a good option).

Our OpenVPN encryption tables

When assessing the encryption used by VPN providers we focus on OpenVPN encryption. This is because:

  1. OpenVPN is the only VPN protocol we know to be fully secure. IKEv2 is also considered secure, but this is largely theoretical.
  2. Just about every VPN service offers OpenVPN. This allows us to compare like for like across VPNs.
  3. The care a provider takes over the details of its OpenVPN encryption is a strong indicator of the care it takes over security in general. And with OpenVPN, the devil is in the detail!

The table breaks up all elements that make up the OpenVPN protocol into their component parts and then rates them on how cryptographically secure they are. A red light means the element is not secure, a green light means the element is secure, and a star means the element is more secure than is strictly necessary.

If all lights are at least green, the OpenVPN encryption is good. Stars mean the encryption is future-proofed.

IP leaks

The second key element to a VPN’s technical security is ensuring that no IP leaks occur. When using a VPN, no website you visit should be able to see your real IP address, or one belonging to your ISP that can be traced back to you.

But it happens. And when it does, we call it an IP leak. When you first sign up for a VPN service you should visit ipleak.net before and after connecting to the VPN. You should also do this every now and again when using the service.

If you see any of the same IP addresses before and after then you have an IP leak (you can ignore Private Use RFC IPs, as these are local IPs only. They cannot be used to identify an individual, and so do not constitute an IP leak).

[Figure: IP leak example]

The example above shows a bad case of IPv6 leaks. The IPv4 DNS result correctly shows that I am connected to a VPN server in the US, but the website can see my real UK IPv6 address via both a regular DNS leak and WebRTC. Fail!
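The before-and-after comparison described above can be automated once the addresses reported by a leak-test page have been noted down. The following Python sketch is an added example, not part of the original article: the source labels (`http`, `dns`, `webrtc`) and all sample addresses are constructed, and the sample data mirrors the IPv6 case in the figure.

```python
import ipaddress

# Ranges that never identify a user on the public internet: RFC 1918 private use,
# loopback, link-local and IPv6 unique-local. They are listed explicitly so that
# the documentation-range sample addresses below still count as "public".
LOCAL_ONLY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def normalise(text):
    """Parse one address string; return None if it is not an IP address."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    # ::ffff:a.b.c.d is the same host as a.b.c.d, so compare it as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_local_only(ip):
    return any(ip.version == net.version and ip in net for net in LOCAL_ONLY)


def collect(results):
    """Map each public address to the set of test sources that reported it."""
    seen = {}
    for source, addresses in results.items():
        for text in addresses:
            ip = normalise(text)
            if ip is not None and not is_local_only(ip):
                seen.setdefault(ip, set()).add(source)
    return seen


def find_leaks(before, after):
    """Addresses visible without the VPN that are still visible with it."""
    seen_before, seen_after = collect(before), collect(after)
    leaked = sorted(set(seen_before) & set(seen_after),
                    key=lambda ip: (ip.version, int(ip)))
    return [(str(ip), sorted(seen_after[ip])) for ip in leaked]


# Constructed sample: results noted before connecting to the VPN ...
BEFORE = {
    "http": ["198.51.100.23", "2001:db8:1234::42"],
    "dns": ["198.51.100.53", "2001:DB8:1234::53"],
    "webrtc": ["192.168.1.20", "2001:db8:1234::42"],
}
# ... and after. IPv4 now shows only the VPN server, but IPv6 still leaks.
AFTER = {
    "http": ["203.0.113.9"],
    "dns": ["203.0.113.9", "2001:db8:1234:0:0:0:0:53"],
    "webrtc": ["192.168.1.20", "10.8.0.2", "2001:0db8:1234::42"],
}

if __name__ == "__main__":
    for address, sources in find_leaks(BEFORE, AFTER):
        print(f"LEAK {address} still visible via {', '.join(sources)}")
```

Addresses are compared as parsed values rather than as strings, so the same IPv6 address written in different forms is still matched.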

Kill switches

For various reasons, VPN connections sometimes drop, and this can happen to even the best VPN. A good VPN provider, however, ensures that if and when this happens you will not continue connecting to the internet and exposing your real IP address for all the world to see.

Kill switches shut down your internet connection when your VPN is not connected. They can be either reactive or firewall based. Reactive kill switches detect that the connection to the VPN server has dropped, then shut down your internet connection to prevent leaks.

There is a danger, however, that an IP leak could occur during the microseconds it takes to detect the VPN dropout and to shut down your internet connection.

Firewall-based kill switches solve this problem by simply routing all internet connections through the VPN interface. If the VPN is not running then no traffic can enter or leave your device. Firewall-based kill-switches are therefore better than reactive ones, but any kill switch is better than none!

Now… firewall-based kill switches themselves come in two types. The first kind is implemented in the client, and will therefore not work if the client crashes. The second kind modifies the Windows or macOS firewall rules so that even if the VPN software crashes, traffic will not be able to enter or exit your device.

The only problem with this method is that it could, at least in theory, cause conflicts if you use a third-party firewall.
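The difference between the two kill switch designs can be seen in a small model of outbound traffic around a tunnel drop. This Python sketch is an added example, not code from any VPN client: the interface names, addresses, millisecond timings and polling behaviour are assumptions chosen for illustration, and the firewall rules include an assumed exception that lets the client reach the VPN server to reconnect.

```python
import math
from dataclasses import dataclass

VPN_SERVER = "203.0.113.9"   # constructed tunnel endpoint (documentation range)
WEB_SITE = "198.51.100.80"   # constructed destination the user is browsing


@dataclass(frozen=True)
class Packet:
    t_ms: int   # time the application sends the packet
    dst: str    # destination address


def interface_for(packet, drop_ms):
    """OS routing: the tunnel while it is up, the physical NIC once it has dropped."""
    return "tun0" if packet.t_ms < drop_ms else "eth0"


def reactive_policy(poll_ms, drop_ms):
    """Client polls tunnel state every poll_ms and blocks at the first poll after the drop."""
    blocked_from = math.ceil(drop_ms / poll_ms) * poll_ms

    def allow(packet, iface):
        # Until the client notices the drop, nothing stops traffic on any interface.
        return packet.t_ms < blocked_from
    return allow


def firewall_policy(packet, iface):
    """Standing firewall rules; they do not depend on the client noticing anything."""
    if iface == "tun0":
        return True                      # traffic inside the tunnel is allowed
    # Outside the tunnel, only the VPN server itself is reachable (for reconnecting).
    return iface == "eth0" and packet.dst == VPN_SERVER


def leaked_packets(packets, drop_ms, allow):
    """Packets that leave the physical interface for a destination other than the VPN server."""
    leaks = []
    for p in packets:
        iface = interface_for(p, drop_ms)
        if iface == "eth0" and p.dst != VPN_SERVER and allow(p, iface):
            leaks.append(p)
    return leaks


# Constructed traffic: one web packet every 10 ms, plus one reconnect attempt.
TRAFFIC = [Packet(t, WEB_SITE) for t in range(0, 200, 10)] + [Packet(125, VPN_SERVER)]
DROP_MS = 101   # the tunnel fails just after the packet sent at 100 ms

if __name__ == "__main__":
    for label, policy in (
        ("reactive, 50 ms poll", reactive_policy(50, DROP_MS)),
        ("reactive, 20 ms poll", reactive_policy(20, DROP_MS)),
        ("firewall-based", firewall_policy),
    ):
        times = [p.t_ms for p in leaked_packets(TRAFFIC, DROP_MS, policy)]
        print(f"{label}: leaked packets at {times}")
```

Faster polling narrows the reactive window but does not close it, while the standing rules leak nothing because they are in force before the drop happens.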

Written by: Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

13 Comments

  1. hmmmmm
    on April 27, 2017

    Hi Douglas & notsosafe, ExpressVPN is more secure (with better encryption?) than AirVPN? Do they offer unique OpenVPN certs/keys as well? Should I cancel/ditch AirVPN for ExpressVPN? notsosafe, what VPN do you use? Thanks.

    1. Douglas Crawford replied to hmmmmm
      on April 27, 2017

      Hi hmmmmm, ExpressVPN now offers slightly stronger encryption than AirVPN (stronger SHA hash authentication), although both are so strong that it really makes little difference. Be aware that ExpressVPN does keep some very minimal connection logs. With regard to shared OpenVPN certificates, I have changed my mind since I wrote these comments last September. A lengthy discussion with the guys at IVPN has convinced me that use of shared certs is not a problem, and is, in fact, better for privacy than unique certs. A summary of IVPN's argument can be found here. Please note, however, that pre-shared keys _are_ a problem when it comes to L2TP/IPsec.

  2. notsosafe
    on September 30, 2016

    The user id is irrelevant, these companies will give one to anybody on this planet that throws money at them. It merely grants one access to the backbone, it's what happens on that backbone, after they gain access. We came here to make people aware that these networks are not as secure as the public is led to believe. Their network designs are inferior and they know it. If a key is shared, the tunnels have glass walls to an experienced user/organization. We will point you in the direction of a secure (real) VPN provider and invite you to do your own research. Have a nice day!

  3. notsosafe
    on September 28, 2016

    People are deluded into a false sense of security with these VPN providers. If the certificates are shared, that means all users have the same key to unlock each other's sessions. They can eavesdrop on each other, they are on the same backbone. IP packets can be disassembled. Traffic can be monitored. There are many levels of intrusion. Their VPN tunnels have glass walls, it's not secure, anybody can see inside. Does one not fathom that unscrupulous individuals/organizations will set up VPN accounts with these providers knowing this? You wouldn't give a stranger a key to your house, so why would you give them a copy of your certificate? It defeats the entire purpose of encryption. A properly encrypted VPN has encrypted certificates at each end of the tunnel and those certificates are unique to only those two interfaces. Allowing anybody else a copy of that certificate grants them access to that tunnel. The VPN providers all know this. Ask them, they'll try to avoid your question. The more secure providers will issue your own unique certificate, those are the companies you want to deal with. People need to be aware of this!

    1. Douglas Crawford replied to notsosafe
      on September 29, 2016

      Hi notsosafe, So... let's say that you and I are both customers of a VPN service that uses shared OpenVPN certs. I have my own login details for that service, and we are using the same cert to connect to it. How could I use this to compromise your account or internet connection (assuming that you use a strong password that I do not have access to)? I do agree that unique certs are preferable, but do not see how shared certs are the security nightmare that you describe.

  4. notsosafe
    on September 27, 2016

    @Douglas Crawford, your site won't allow me to reply to the original comment posted. I commend you for not burying the truth and letting the public be informed about the false sense of security when using VPNs. It's not the fact that your own individual account is compromised, it can be anybody's account. Because it's a shared certificate, that means you are compromised if another user is. Can you rely on what others do with their login credentials? Also, https/ssl are compromised, so it wouldn't be too difficult to get those credentials in the first place. It's the reality of the systems they set up, many VPN providers are hiding this. You want to make sure the VPN provider you deal with issues your OWN UNIQUE cert/keys right from the moment you log in, then NOBODY else has it but you. Otherwise it defeats the purpose, it's like leaving the key in the deadbolt of your house, anybody can get in, because you've shared it.

    1. Douglas Crawford replied to notsosafe
      on September 28, 2016

      Hi notsosafe,
      - I apologize for your problems using our website. I will pass on your issue to our tech team.
      - If unique certs are not used, then individual accounts are secured with a username and password. If an adversary does not have your username and password then your account cannot be compromised just because the certificates are shared. In other words, use of shared certs does not compromise your login credentials or compromise HTTPS. It simply means that everyone connects to the VPN servers in the same way.
      - I agree that unique certificates and keys are more secure, but do not think that using shared certs compromises accounts in the way you describe. If someone steals one user's login details then sure, they can connect to the service using the stolen account. I do not see how this gives them access to other users' accounts, however.
