The process of selecting a VPN provider should not be taken lightly. The more one is concerned with privacy or anonymity, the fewer good choices there are. VPNs are a crucial component of a Privacy-as-a-Service (PRaaS) strategy. They are excellent for concealing your identity and protecting your information as it traverses the public Internet. However, those protections come at a cost. There are trade-offs. This article is about choosing the right VPN. What is best for you might not be the best choice for someone else.
What Type of VPN Solution Do You Need?
This guide focuses on client-side VPN solutions only. That means using a VPN server set up and maintained by a third party. You'll be connecting to an existing server, and that server will forward your connection to the Internet.
You may also be interested in reading How VPNs Work - Part 1: Overview
There are circumstances where someone might want a complete VPN solution: a solution that requires managing both the client and server ends. An example would be if you have a home network and you want to be able to access it remotely via a VPN to protect your data transmissions and information about your home network from prying eyes. If that is the case, this guide is not for you.
- How VPN Providers Perceive Their Customers
- How Customers Perceive VPN Service Providers
- Selection Criteria
- Prioritizing: What's Most Important?
- Device Use Cases
- Special Features
- Evaluating VPN Service Providers
How VPN Providers Perceive Their Customers
How the cost of VPN services looks from a provider's perspective:
VPN service providers must balance the cost of running their business with the features they provide. Larger VPN providers take advantage of scale to drive down costs, spreading their infrastructure costs among many customers. VPN providers also routinely tempt customers with significantly reduced price levels in exchange for committing to longer term service agreements. By encouraging customers to pay in full up front, they are able to invest in more equipment and personnel, which helps them promote growth. Smaller providers have less leverage and must find other ways to be competitive. This does not mean larger providers are better. All providers tend to excel in certain areas regardless of size.
How Customers Perceive VPN Service Providers
Customer priorities for most people tend to be centered around certain core concepts. As you can see in the diagram below and to the right, other than legal jurisdiction, these factors are related. For example, cheaper VPN services tend to come with fewer features, such as less robust security measures or slower speed.
These aren't all going to be a concern to everyone, but it's important to understand the issues so you can make an informed decision. Is download speed more important to you than anonymity or cost? Or is data integrity more important? If you're having trouble figuring out your priorities, think about your typical use case(s). For instance, someone who wants a VPN to get around censorship will have a different priority hierarchy than someone who wants to download files of questionable legality or someone who wants to stream Netflix from another country.
Let's break down each of the factors above.
The price of VPN service varies substantially. Some providers restrict usage or limit the amount of data throughput per billing period, while others have no restrictions. It's important to understand your needs and factor them into the decision making process. You may find that cost is less important than you originally thought once you factor in capabilities that you value. Furthermore, the cost difference between providers is - for the most part - quite small.
Here are some factors to consider. Are any of these more important to you than cost?
- Number of simultaneous connections
- Average connection speed
- Robust data encryption
- Private DNS servers
- Collection of user data (logging) or not
- Shared connections (simultaneous access from multiple physical locations)
- Ability to join specific servers
- P2P, Torrent connections allowed or not
- No data cap
- Tor Browser use
Speed is relative. You may have heard that term before in physics. What seems fast (perception) depends on one's perspective. If you're used to a 100 Mbps connection and over a VPN it drops to 50 Mbps, chances are you won't notice for most activities. However, if your starting point is 5 Mbps and you drop to 2 Mbps, it's much more likely you will notice a slowdown.
I strongly suggest you establish ground rules with regard to VPNs before you begin shopping. Define your goals first. If speed is of utmost importance, don't settle for a VPN with a reputation for poor data throughput speeds.
- Comparisons between VPNs should be made with the same Internet connection
- There should be a pre-determined speed benchmark for uploads and downloads, when the VPN is not in use
- Multiple speed samples should be taken, to allow for variations in network congestion
- Average speeds are more important than maximum speeds
- There is a trade-off between speed, security (data integrity, data confidentiality), and privacy (anonymity)
Confidentiality (Data protection/Data integrity)
When you hear the term Confidentiality in the context of a VPN, it pertains to how well protected your data is while in transit between VPN peers. Just think confidentiality = data encryption.
When you read or hear terms such as "AES-256" and "ECDSA," those are cryptographic ciphers used to encrypt and decrypt what's called the payload, which is the actual underlying data you're trying to get from Point A to Point B. There are other cipher names of course, and then there are separate sets of names that refer to ciphers used for other security and privacy purposes, such as authenticating the data stream or the connection.
Encryption vs. Authentication
I'll briefly touch on the difference between encryption and authentication, because they are often mentioned in tandem in various literature, usually without explaining that there is a difference between them. First, they are different processes that accomplish different goals. And secondly, while they both utilize cryptographic algorithms, the algorithms they implement are quite different from one another.
The job of encryption is to inject noise into a set of data such that a malicious actor would be unable to decipher it even if they captured a copy of the data stream.
On the other hand, authentication is a process that allows the data recipient to verify the payload was not tampered with or altered while in transit. An authentication method calculates a checksum for a set of data, and the recipient recalculates it when the data arrives at the other end of the connection to see if it is the same. Authentication algorithms need a way to scramble their information to make it more difficult for an attacker to guess the checksum algorithm.
With both encryption and authentication methods, the peers use previously negotiated shared keys. Thus, only the peers should theoretically be capable of decoding the messages, and verifying the authenticity of the messages through the authentication checksums.
It's important to understand authentication and encryption are independent processes.
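To make that independence concrete, here is an added example (not code from the article) using only Python's standard library: a toy keystream cipher stands in for AES-256, an HMAC-SHA256 tag provides the authentication checksum, and a one-byte modification in transit shows what each mechanism does and does not catch. The cipher, the key names and the sample payload are all constructed for this illustration.

```python
"""Toy demonstration that encryption and authentication are independent.

Constructed example: the "cipher" is a SHA-256-based keystream XOR, a
stand-in for a real cipher such as AES-256; the authentication tag is an
HMAC-SHA256 over nonce||ciphertext (encrypt-then-MAC). Each mechanism uses
its own shared secret, assumed to have been negotiated by the peers already.
"""
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from (key, nonce, block counter).

    Toy stream cipher, NOT AES: the same call encrypts and decrypts.
    """
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(enc_key: bytes, auth_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt the payload, then authenticate nonce||ciphertext with an HMAC."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(auth_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_unauthenticated(enc_key: bytes, packet: bytes) -> bytes:
    """Decrypt only: ignores the tag entirely, as if no MAC were configured."""
    nonce, ciphertext = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN]
    return keystream_xor(enc_key, nonce, ciphertext)


def open_authenticated(enc_key: bytes, auth_key: bytes, packet: bytes) -> bytes:
    """Verify the HMAC (constant-time compare) first; only then decrypt."""
    nonce = packet[:NONCE_LEN]
    ciphertext, tag = packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(auth_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: packet was modified in transit")
    return keystream_xor(enc_key, nonce, ciphertext)


def flip_byte_in_transit(packet: bytes, offset: int) -> bytes:
    """Simulate an on-path modification of one ciphertext byte (bit flip)."""
    modified = bytearray(packet)
    modified[NONCE_LEN + offset] ^= 0x01
    return bytes(modified)


def demo() -> dict:
    """Encryption alone hides the data but does not detect tampering."""
    enc_key, auth_key = os.urandom(32), os.urandom(32)
    packet = seal(enc_key, auth_key, b"transfer 100 USD")
    # Flipping the low bit of the ciphertext byte under the '1' turns the
    # decrypted amount into '0' without the cipher noticing anything.
    tampered = flip_byte_in_transit(packet, len("transfer "))
    result = {
        "roundtrip": open_authenticated(enc_key, auth_key, packet),
        "tampered_unauth": open_unauthenticated(enc_key, tampered),
    }
    try:
        open_authenticated(enc_key, auth_key, tampered)
        result["tampered_auth"] = "accepted"
    except ValueError:
        result["tampered_auth"] = "rejected"
    return result
```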
Protecting your privacy means obfuscating or concealing personally identifiable information, such as your true source IP address. Privacy or anonymity features are all about concealing who is transmitting the data packets inside the VPN. This is important because it prevents tracking your activities, or at least tying them back to you. It will be possible for someone to track a transmission back to the VPN server itself, but that should be where the trace stops. However, some companies are better at this than others.
Domain Name System (DNS) lookups are a related sore point that often aren't handled in a way that protects the identity of the end user. A good VPN provider will take steps to protect your identity by ensuring their system redirects DNS queries within the bounds of the VPN network. However, this requires proper configuration to force the client device (your computer or phone) to route DNS queries across the VPN and not the open Internet. When the process fails, it's called a DNS leak. If you are manually configuring a VPN, such as setting up an OpenVPN connection on Linux, you may need to take additional precautions to ensure your connection is not "leaking," especially when it comes to DNS queries. If that sounds like something you will need to concern yourself with, you may want to take a look at some of the articles on this website pertaining to OpenVPN (found in the Virtual Private Networks section).
A Word on Privacy and Location: When using a VPN, any host you connect to on the public Internet will perceive you to be located where the VPN server is. Your IP address will appear to be coming from the VPN's IP address. Your real IP address will be obscured.
If you are planning to rely on an app provided by the VPN service provider, before you commit to a contract, ensure your chosen provider offers the ability to mask your DNS queries. Not all providers offer this feature. If you will manually configure your VPN, such as setting it up as a Split VPN, then you should be able to accomplish this task as part of your configuration.
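As an added example (not from this article), the following Python script shows one way to check the routing half of a DNS leak offline: it parses the contents of /etc/resolv.conf and of `ip route show` and reports which interface each configured resolver would be sent out of. Both inputs are constructed samples mimicking an OpenVPN client with redirect-gateway plus a leftover LAN resolver, and the interface-name prefixes used to recognise the tunnel are an assumption.

```python
"""Report whether each configured DNS resolver would egress via the VPN tunnel.

Added example, not from the original article. It parses resolv.conf and
`ip route show` text (constructed samples below) and performs longest-prefix
matching to find the interface each nameserver would be sent out of. A
resolver that routes via the physical interface while the tunnel is up is
a DNS leak at the routing layer.
"""
import ipaddress

# Constructed sample: the VPN pushed its own resolver (10.8.0.1) but the
# host kept a LAN resolver (192.168.1.1) from DHCP.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 10.8.0.1
nameserver 192.168.1.1
search lan
"""

# Constructed sample routing table after OpenVPN's redirect-gateway def1:
# two /1 routes via tun0 override the default route on eth0, but the LAN
# /24 is still reachable directly over eth0.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.7 via 192.168.1.1 dev eth0
"""

# Assumption: interface names that count as "inside the tunnel".
TUNNEL_INTERFACES = ("tun", "wg", "tap")


def parse_resolvers(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf, in order."""
    resolvers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            resolvers.append(ipaddress.ip_address(parts[1]))
    return resolvers


def parse_routes(ip_route_output: str) -> list:
    """Parse `ip route show` lines into (network, interface) pairs."""
    routes = []
    for line in ip_route_output.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        network = ipaddress.ip_network(prefix, strict=False)
        routes.append((network, parts[parts.index("dev") + 1]))
    return routes


def egress_interface(addr, routes) -> str:
    """Longest-prefix match: the most specific route containing addr wins."""
    best = None
    for network, dev in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, dev)
    return best[1] if best else "unreachable"


def egress_for(address: str, ip_route_output: str) -> str:
    """Convenience wrapper: egress interface for a textual address."""
    return egress_interface(ipaddress.ip_address(address), parse_routes(ip_route_output))


def find_dns_leaks(resolv_conf: str, ip_route_output: str) -> dict:
    """Map each resolver to its egress interface and whether it leaks."""
    routes = parse_routes(ip_route_output)
    report = {}
    for resolver in parse_resolvers(resolv_conf):
        dev = egress_interface(resolver, routes)
        report[str(resolver)] = {"dev": dev, "leak": not dev.startswith(TUNNEL_INTERFACES)}
    return report


if __name__ == "__main__":
    for ns, info in find_dns_leaks(SAMPLE_RESOLV_CONF, SAMPLE_IP_ROUTE).items():
        print(f"{ns:16} -> {info['dev']:6} {'LEAK' if info['leak'] else 'ok'}")
```

On a live Linux host, feed it the real file contents and the real `ip route show` output; note that this only checks the kernel route, not whether an application (or a browser with DNS-over-HTTPS) uses a different resolver entirely.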
This isn't particularly important to most users. However, if you are using a VPN to avoid detection by some sort of authority, it may be worth paying attention to. Are you concerned your VPN provider might be subpoenaed at some point regarding your online behavior? Trying to avoid censorship? If governmental interference is a concern of yours, then logging and legal jurisdiction of providers should be of paramount importance to you. Aside from trusting the VPN provider, you may need some faith you can trust the government where the provider is headquartered and/or where their servers are located. Some countries (e.g. China) impose extra-territorial jurisdiction on any VPN servers located within their purview, whether your company is headquartered there or not. The Chinese couldn't care less.
Jurisdiction of the VPN provider's headquarters matters for three (3) reasons:
- The legal rights the relevant government has
- The legal rights your provider has
- If the provider HQ country is known for cooperating with international intelligence agencies
Don't lose sight of the fact that if you are really concerned with privacy, you should consider signing up for a multi-hop service. A determined government entity will simply wiretap your provider's servers via their Internet Service Provider, obviating the need to involve the provider directly.
The Eyes Have It
One more concern worth mentioning is there are formal international surveillance agreements and relationships between law enforcement and government intelligence agencies around the world that facilitate information sharing. The most notorious are referred to as the "Eyes" countries, referring to three (3) groups of reciprocal operating agreements between 14 specific countries known as "5 Eyes", "9 Eyes", and "14 Eyes." The "5 Eyes" countries share information fluidly with one another. The "9 Eyes" share not quite as seamlessly, but still very readily upon request. The "14 Eyes" countries have commitments to share with one another, and generally do so relatively rapidly.
Anything discovered in one of the "Eyes" countries can and will be shared with intelligence agencies of the others on request. Israel, Japan, Singapore, and South Korea are also suspected signatories of mutual aid agreements with the National Security Agency (NSA) in the United States, and it is very likely that information gets exchanged between the NSA and the "14 Eyes" countries as well. Other similar agreements are known or rumored to exist that encompass other parts of the world, such as a purported intelligence sharing agreement between Hong Kong and China, and between China, Russia, and Turkey. However, it is unclear if those agreements pertain predominantly to military intelligence or if, like the "Eyes" agreements, they are designed to share any data vacuumed up by one party with the others.
Ironically, some countries that are a party to these agreements themselves have very strong personal privacy laws, such as Switzerland, which happens to be one of the 14 Eyes. Even so, keep in mind those protections only pertain to data collected in one way; namely within the corresponding country (e.g. Switzerland). That means if information is gathered by other countries/agencies and handed to the Swiss, there is no foul. So, while using a VPN headquartered inside Switzerland might afford you some additional privacy protections, residing in Switzerland wouldn't help protect you from data disclosed to the Swiss government that was collected from outside Switzerland. As you can see, privacy and intelligence/information sharing creates lots of gray areas and potential paths for surreptitious information sharing.
Device Use Cases
When discussing devices and use-case scenarios relative to VPNs, two (2) types of discussions typically arise: the number of simultaneously connected devices, and the type of devices (such as a multimedia player or TV).
Most VPN service providers offer an independent app for smartphones and other mobile devices to make using their service simple. Some providers also offer apps/programs for desktop and server-based platforms. Personally, I recommend using a universal platform and manual configuration. You'll get a more reliable picture of whether your connection is truly secure or not, and have the ability to switch service providers without changing your interface. For example, OpenVPN has official apps for mobile platforms. I would start there and migrate to an alternative if it doesn't work well for you.
Interested in knowing where else you can find more information to help you make an informed decision when choosing a VPN service provider? You may be interested in the related article, Reviewing the VPN Reviewers.
Every VPN account allows a specified number of simultaneous device connections to the service. The tricky part is figuring out how the provider counts a device. When accessing the VPN via a router or firewall, at times those devices will act like a proxy, and to the VPN server they may all appear to be a single device, even though they are not. The VPN servers may or may not be capable of detecting whether you are connecting multiple devices behind a router or firewall. That depends on how well they scrutinize your incoming traffic. Regardless, it's a good idea to sign up for a VPN service that permits at least as many device connections as you expect to want to use at the same time. If you attempt to exceed the maximum number of devices, all that happens is your subsequent connections will fail until you free up a slot for a new connection. Pretty straightforward.
Circumventing Geographic Restrictions
The other type of scenario relates to the type of device, and specifically if the user is attempting to circumvent some sort of barrier - such as geographic restrictions - via the VPN connection. This is an important distinction, because geo-fencing workarounds in particular rely upon a number of factors working together. If getting around geo-fenced content is your primary goal, alternatives to a VPN may be a better choice, such as a Smart DNS provider, or possibly Combining a VPN and Smart DNS.
Prioritizing: What's Most Important?
Choosing a VPN is a surprisingly complicated affair. So many choices. To arrive at a truly informed decision, you must be diligent. It is a process of elimination. The key is to focus on the features and functions most important to you. Then, verify your top-choice providers are truly offering you the best experience that fits your requirements. You must block out the noise from marketing messages and reviews, and focus on the core offering details of each provider.
1. Identify the features and functions you must have.
2. Rank the relative importance of each primary feature category*
   - Platform (What type of devices are you going to access the VPN with?)
   - Data security
   - Does legal jurisdiction matter?
   - Location (Where are servers located? How many?)
3. Use VPN provider reviews to identify the best candidates based on your highest priority feature.
4. Dismiss any providers that do not meet the criteria of #1 and #2.
5. Narrow your list to five (5) choices or less, based on your feature priorities.
6. Scrutinize the details of each remaining contender. Is there any sign of impropriety or suspicious behavior, negative reviews, etc. that could disqualify any of them?
7. Compare secondary and tertiary features and benefits. Look at server availability and flexibility (number, location). Consider how long each company has been in business.
8. Narrow your choice to a winner.
* If your highest priority is not one of these, perhaps you don't truly need a VPN. If you're unsure, consider taking a step back before proceeding further and read the article Do You Really Need (or Want) a VPN?.
Here are examples of questions you could ask yourself to arrive at your own prioritization criteria:
- Privacy/Anonymity: Is concealing your identity important? Does your data contain personally identifiable information?
- Security: How bad would it be if your data was compromised by a 3rd party (e.g. hacker)? For example, will you be transferring financial info across your VPN?
- Legal Jurisdiction: Where the VPN company is headquartered makes a big difference on how cooperative it is with government and law enforcement agencies.
- Country Hubs: In which countries does the VPN provider have Points of Presence (POPs)? This matters when it comes to speed and geo-fencing issues, or just trying to appear to be somewhere other than where you truly are.
- Censorship: Will you be streaming with services such as Torrents, Netflix, etc.? Does the VPN provider block streaming services?
- Platforms: What platforms do you need supported (e.g. Android, Windows, Mac, Linux, etc.)?
Special Features
Sometimes a special need or circumstance elevates a particular VPN feature to the top of your list. Below are some examples.
WireGuard is a new, up-and-coming VPN protocol. It should be considered experimental.
WireGuard promises these benefits:
- State-of-the-art data encryption
- Fast performance
- Streamlined code
- More resistant to hacking attempts
First, let me be clear that public WireGuard support is very inconsistent, and in fact this new protocol is still in development. It is far from ready for prime-time usage. To understand why, jump ahead to What's Wrong with WireGuard? Without significant changes to some portions of its architecture, WireGuard will remain a niche product.
Which VPN Providers Support WireGuard?
As of this writing in late 2019, very few. The following public VPN service providers offer limited support for WireGuard. This generally means being confined to specific servers. In some cases, those servers may be in a beta or test mode and access may be turned on or off randomly. Support may be limited to specific platforms.
- Mullvad - Also supported in their iOS app
- VPN.AC - Beta
- WireVPN: Supports Android (native app), Windows, macOS, Linux via config files
What's Wrong with WireGuard?
I'll give you three (3) good reasons why WireGuard - although promising - is not likely to receive widespread adoption by consumers for some time:
- New and unproven
- UDP support only
- Logs activity
Furthermore, WireGuard servers present some challenges for VPN service providers. Notably, when multiple concurrent devices are used by the same account, each device must have its own key, and all keys need to be loaded into the server's kernel memory. Also, every packet received is cross-checked against the keys. This all spells out great security measures, but the cost in server resources for a server fielding multiple simultaneous connections becomes very high, very quickly. Thus, at the moment WireGuard is not suitable on a large scale to a typical VPN service provider. The more connections you have, the more servers are needed. While that is obviously true of other VPN protocols as well, WireGuard is much more demanding on the server end than other protocols for the reasons mentioned.
Multi-hop is a practice where a VPN transmission is bounced from one server to another on the same VPN network. A multi-hop network may operate in a variety of modes. The most common implementation uses two (2) servers on the same VPN network.
Multi-Hop vs. Redirection
It's important to understand how a multi-hop VPN connection differs from a redirected VPN connection.
Of course, redirection is what VPNs do. However, there is also redirection that takes place inside the VPN server network. Whether or not that is the case and if so, how it's done depends on the architecture of the VPN system. VPNs have their own backbone. A normal connection is transmitted across the backbone of the VPN, and exits the VPN server network at a pre-determined point. Most of the time, this pre-determined exit will be near the intended destination. However, that is not always the case. The exit point will normally be determined by one of the following criteria:
- Same server as the entry
- As specified by the client
- Any server, based on balancing server load
- Physically closest to the destination IP address
It's rare for VPN providers to allow the client to specify or request a specific exit point, because this practice - if honored 100% of the time - means the VPN provider loses some control over load balancing its servers. Most providers self-manage exit points based on the payload's final destination and/or the VPN server loads at the time.
Making the exit point the same server as the entry is a common practice. This may be done to limit resources on the part of the VPN provider or it may be done because the true destination is nearby and that is the most efficient means of enabling the data transmission. For most end users, it doesn't matter. The same server can easily be configured with very different entry/exit IP addresses, which is what most people are concerned with.
Some VPN providers offer specific means for the client to advise the server that its intention is to appear as if the connection is originating from a specific location, such as a specific country. This is a common situation when the end user is attempting to circumvent geo-restricted content. In that case, the client needs to be able to inform the server which country it wants the connection to appear to come from, as seen from the final destination of the payload. The methods and processes I've just described are redirection methods.
Multi-hops Are Different
The client (end user) must indicate a particular outgoing transmission is to be a multi-hop connection. A multi-hop connection bounces a single connection through two (2) or more VPN servers for the purpose of making tracking the connection more difficult. In the redirection model, it is conceivable a VPN connection could exit the same VPN server connected to by the VPN client. That will never happen with a multi-hop connection. Just like redirection though, a multi-hop VPN process requires a schema, and it will vary from provider to provider. The VPN provider's network architecture determines how the multi-hop connection is applied. The connection could be bounced between servers in proximity to one another or between distant servers. Normally, it doesn't matter to the end user as the desired effect will be created either way. In fact, from a legal perspective it may be advantageous one way or another for a multi-hop connection to travel across country borders, or not. The details boil down to the user's needs.
Very few public VPN service providers support multi-hop and it may be difficult for an end user to ascertain the exact architecture methods utilized by any particular vendor who supports it. Ironically, even attempting to trace one's own connection to determine how the vendor's multi-hop system is designed is fruitless, as the very nature of the methodology hides the ability to verify exactly what it's doing. There is a remote possibility that timing algorithms could be employed to determine the service provider's schema, but such attempts are only viable with smaller providers using fewer servers. On large networks, the potential match combinations quickly become numerous. End users have to trust the technical prowess of their provider, and truth-in-advertising. Even auditing a VPN provider is highly unlikely to yield this type of information. For the most part, this is a non-issue for VPN clients (end users).
Who Needs Multi-Hop? Why Use It?
Multi-Hop is an obfuscation technique. It has several privacy advantages over a typical VPN connection. The process makes it virtually impossible to track the true IP source of a connection. Even if interim servers retain logs, they will not know the real source and destination IP addresses of the payload (data).
Multi-hops are very uncommon among publicly available VPN servers. They require more sophisticated implementation schemes, multiply the number of resources a provider requires to support a single user, and have limited or no use for most end users. In fact, most end users would find the trade-off in performance (speed) to far outweigh its potential benefits. For those that are interested for whatever reason, a properly orchestrated multi-hop system offers unrivaled privacy.
A significant challenge of implementing multi-hop is how to manage asymmetric key decryption. A normal VPN connection requires the host (VPN server) to have the ability to decrypt the original IP traffic, so that it may be repackaged and sent to the true destination server. However, with a multi-hop VPN configuration this creates a potential problem. The final server in the chain must be capable of decrypting the original message. There are two (2) methodologies to accomplish this.
How Multi-Hop Works
A VPN provider has basically two (2) possible methods of implementing a multi-hop service.
Method 1: Unique Key Pairs for Every Hop
This method of managing multi-hop encryption/decryption involves encrypting and decrypting the underlying payload (message) between each server hop, keeping the process simple and allowing the server to handle every connection the same way in terms of confidentiality.
Using this method, a multi-hop connection is handled in virtually the same manner as normal connections. The connection still needs to be flagged in some manner so the server knows it is a multi-hop connection, but otherwise only the header needs to be modified, which includes details on where the packet is to be sent next and may contain an authentication hash. This is a simpler process than the second method (described below), because it obviates the need to keep track of two encryption keys - the one used on the last leg versus the one used by the first server in the chain (the 2nd method). The downsides to this approach are a slower connection speed due to more encryption/decryption processes, and each server in the chain is able to view the real source IP header. Thus if any server in the chain were to be compromised by a malicious observer, that entity could ascertain the true origin of the multi-hop packet.
Method 2: Shared 1st Symmetric Key
This method requires the original symmetric key used by the first server in the chain to be shared with the final VPN server.
A notable advantage to this method is that when a server in between the first and last VPN servers is compromised during a Man-in-the-Middle (MitM) attack, the attacker will be unable to decrypt the original message. This is because this methodology only decrypts the original payload at the end of the chain. However, that is a very obscure and unlikely situation. There is a greater risk in sharing the first symmetric key with the last server in the chain. Furthermore, this method generates an additional risk in the sense that the first server must make contact with the last server and proceed with the same key exchange agreement that took place between the client and first server. Thus, the temporary connection between first and last servers will form a relationship - even if temporary - that could be observed. That observation information could be used by a clever 3rd party to ascertain the first server in the chain, obviating the purpose of the multi-hop, which is to disguise the first server origin.
This method should be discouraged as it obviates several of the protections a multi-hop server configuration seeks to create in the first place. An advantage of this method is it has a slightly less negative effect on speed (performance) versus the Unique Keys method.
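The following added Python simulation (not the article's code, and not any provider's implementation) models the two methods on a three-server chain so the difference in what a middle hop can read becomes visible. The cipher is a toy keystream XOR standing in for the real symmetric cipher, the addresses are constructed documentation values, and, as the text assumes, the "inner packet" carries the real source header.

```python
"""Who learns what under the two multi-hop key-handling methods.

Constructed example, not a real VPN implementation. Method 1 decrypts and
re-encrypts at every hop with a per-leg key; Method 2 encrypts once under
the client/first-server key and shares that key with the last hop only.
"""
import hashlib
import json
import os

NONCE_LEN = 12


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (not AES): the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key: bytes, inner: dict) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor_crypt(key, nonce, json.dumps(inner).encode())


def decrypt(key: bytes, blob: bytes) -> dict:
    return json.loads(xor_crypt(key, blob[:NONCE_LEN], blob[NONCE_LEN:]))


class Hop:
    """One VPN server in the chain. `seen` records what it could read."""

    def __init__(self, name: str):
        self.name, self.seen = name, {}

    def observe(self, **fields):
        self.seen.update(fields)


def build_chain(n: int):
    """n servers plus per-leg keys; leg_keys[0] is the client/first-server key."""
    return [Hop(f"S{i + 1}") for i in range(n)], [os.urandom(32) for _ in range(n)]


def run_method1(chain, leg_keys, client_ip: str, inner: dict) -> dict:
    """Method 1: each hop decrypts the inner packet (and so reads the real
    source header), then re-encrypts it under the key for the next leg."""
    chain[0].observe(peer=client_ip)          # transport-level knowledge
    blob = encrypt(leg_keys[0], inner)
    for idx, hop in enumerate(chain):
        packet = decrypt(leg_keys[idx], blob)
        hop.observe(src=packet["src"], dst=packet["dst"], data=packet["data"])
        if idx + 1 < len(chain):
            blob = encrypt(leg_keys[idx + 1], packet)
    return packet


def run_method2(chain, leg_keys, client_ip: str, inner: dict) -> dict:
    """Method 2: payload encrypted once under the client/first-server key,
    which is shared with the LAST server; middle hops only relay ciphertext."""
    chain[0].observe(peer=client_ip)
    key_holders = {chain[0].name, chain[-1].name}  # the key-sharing risk
    blob = encrypt(leg_keys[0], inner)
    for hop in chain:
        if hop.name in key_holders:
            packet = decrypt(leg_keys[0], blob)
            hop.observe(src=packet["src"], dst=packet["dst"], data=packet["data"])
        else:
            hop.observe(ciphertext_len=len(blob))  # only size/timing leak
    return packet


def what_middle_hop_learns(method: str) -> dict:
    """Run a 3-hop chain with constructed addresses; return hop S2's view."""
    inner = {"src": "198.51.100.23", "dst": "203.0.113.80", "data": "GET /"}
    chain, keys = build_chain(3)
    runner = run_method1 if method == "method1" else run_method2
    delivered = runner(chain, keys, inner["src"], inner)
    assert delivered == inner   # the last hop always reconstructs the packet
    return chain[1].seen
```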
Which Method is Better?
It depends on your perspective. The primary drawback to multi-hop VPN configurations is speed. Regardless of which approach is utilized, there is no way around substantial losses in performance when using a multi-hop connection. Several connection speed factors become cumulative, including:
- Network latency between each hop
- Adding additional layers of encryption with each hop
- Server load at each hop server
Every additional leg in the chain adds time, reducing overall throughput (bits per second) of the connection. The upside is substantially improved privacy.
Unfortunately, you're not likely to know which method any particular provider utilizes. If you have particular or extreme needs for privacy and are considering a multi-hop solution provider, you may be better off creating your own custom VPN, such as a site-to-site VPN creating a virtual private gateway, ideally with your own hardware, though it can be done via public cloud services providers, such as an Amazon EC2 VPN gateway.
Evaluating VPN Service Providers
The world is full of different kinds of people, with different interests, goals, agendas, and circumstances. The selection of public VPN service providers currently on the market reflects this. There are many different options. Depending on your needs and/or your constraints, which VPN is "right" for you is likely to be different from someone else. I can't stress enough that you must be diligent in choosing a VPN provider. The VPN market is filled with hundreds of them, many of which are worthless.
Perhaps the largest challenge in choosing a VPN service is the sheer number of them (350+). Coupled with a constant bombardment of marketing propaganda from organizations that do not have your best interests at heart, how can anyone hope to make an informed decision?
When it comes to VPNs, the truly objective sources don't try to tell you what to do. They explain how to figure out what you should do. For example, That One Privacy Site (TOPS) doesn't reach conclusions as to whether a VPN provider is good or bad based on a one-size-fits-all ranking system. If you want the "best" protection for yourself, you must work your way through the finer details, separating the treasure from the trash.