VPN service

Commercial service for proxied Internet access. From Wikipedia, the free encyclopedia.

A virtual private network (VPN) service is a proxy server marketed to users who want to bypass Internet censorship such as geo-blocking, and to users who want to protect their communications against data profiling or MitM attacks on hostile networks.

A wide variety of entities provide VPN services for several purposes. But depending on the provider and the application, they do not always create a true private network. Instead, many providers simply provide an Internet proxy that uses VPN technologies such as OpenVPN or WireGuard. Commercial VPN services are often used by those wishing to disguise or obfuscate their physical location or IP address, typically as a means to evade Internet censorship or geo-blocking.

Providers often market VPN services as privacy-enhancing, citing security features, such as encryption, from the underlying VPN technology. However, users must consider that when the transmitted content is not encrypted before entering the proxy, that content is visible at the receiving endpoint (usually the VPN service provider's site) regardless of whether the VPN tunnel itself is encrypted for the inter-node transport. A VPN is secure only where the participants have oversight at both ends of the entire data path or when the content is encrypted before it enters the tunnel.

On the client side, configurations intended to use VPN services as proxies are not conventional VPN configurations. However, they do typically utilize the operating system's VPN interfaces to capture the user's data to send to the proxy. This includes virtual network adapters on computer OSes and specialized "VPN" interfaces on mobile operating systems. A less common alternative is to provide a SOCKS proxy interface.

In computer magazines, VPN services are typically judged on connection speeds, privacy protection including privacy at signup and grade of encryption, server count and locations, interface usability, and cost.[1][2][3][4] In order to determine the degree of privacy and anonymity, various computer magazines, such as PC World and PC Magazine, also take the provider's own guarantees and its reputation among news items into consideration.[1][2] Recommendation websites for VPNs tend to be affiliated with or even owned by VPN service providers.[5]

VPN use cases

  • Accessing Geo-Restricted Content. VPNs allow users to bypass regional restrictions by hiding their IP address from the destination server and simulating a connection from another country. For example, users in regions with limited streaming libraries can use VPNs to access content available in other locations, such as accessing Netflix US from abroad.[6][7]
  • Protecting Data on Public Wi-Fi. Public Wi-Fi networks, such as those in cafes or airports, are often not encrypted and susceptible to eavesdropping by other users of the same network. VPNs encrypt users' internet traffic, protecting sensitive data like login credentials, financial information, and personal communications from potential interception.[8][9]
  • Ensuring Privacy for Activists and Journalists. Activists and journalists working in restrictive or authoritarian regions often use VPNs to maintain anonymity and protect sensitive communications. VPNs mask IP addresses and encrypt data, ensuring safe access to information and secure communication channels.[10]

Criticism and limitations

Users are commonly exposed to misinformation on the VPN services market, which makes it difficult for them to discern fact from false claims in advertisements.[11] According to Consumer Reports, VPN service providers have poor privacy and security practices and also make hyperbolic claims.[12] The New York Times has advised users to reconsider whether a VPN service is worth their money.[13] VPN services are not sufficient for protection against browser fingerprinting.[14]

Common misconceptions

  • A VPN service does not make one's Internet use private. Users can still be tracked through tracking cookies and device fingerprinting, even if the user's IP address is hidden.[15]
  • A VPN service can log the user's traffic, although this depends on the VPN provider.[15]
  • A VPN service does not make the user immune to cyberattacks.[15]
  • A VPN service is not in itself a means for good Internet privacy. The burden of trust is simply transferred from the ISP to the VPN service provider.[16][17]
  • A VPN service is not a VPN. VPNs allow you to access a private network from a remote location as if you were in the same place. VPN services do not grant access to private networks.

Legality

In March 2018, the use of unapproved VPN services was banned in China, as they can be used to circumvent the Great Firewall.[18] Operators received prison sentences and were penalized with fines.[19][20][21][22] Russia banned various VPN service providers in 2021.[23]

Comparison of commercial virtual private network services


Privacy

PC Magazine recommends that users consider choosing a provider based in a country with no data retention laws because that makes it easier for the service to keep a promise of no logging.[24] PC Magazine and TechRadar also suggest that users read the provider's logging policy before signing up for the service,[24][3] because some providers collect information about their customers' VPN usage.[25][26] PC World recommends that users avoid free services as a rule of thumb and said free services either sell their users' browsing data in aggregated form to researchers and marketers, or only offer a minimal amount of data transfer per month.[25]

| Service | Based in | Logging[a]: Traffic | Logging: DNS requests | Logging: Timestamps | Logging: Bandwidth | Logging: IP address | Anonymous payment and communication |
|---|---|---|---|---|---|---|---|
| Atlas VPN | United States | No | No | No | No (Premium), Yes (Free) | No | Some |
| ExpressVPN | British Virgin Islands[27][28][29] | No[30] | No[30] | Yes[31] | Yes[32] | No[30] | Some[29][33][28][34] |
| Hotspot Shield | United States | Yes[b] | Yes[36] | Yes[36] | Yes[36] | Yes[36][37] | No |
| IPVanish | United States | No[38] | No[38] | No[38] | No[38] | No[38] | No[39] |
| IVPN | Gibraltar | No[40] | No[40] | No[40] | No[40] | No[40] | Some[41][42] |
| Mullvad | Sweden | No[43] | No[43] | No[43] | No[43] | No[43] | Yes[44][45] |
| NordVPN | Panama | No[46] | No[46] | No[46] | No[46] | No[46] | Some[47][48] |
| PrivadoVPN | Switzerland | No[49] | No | No | No (Premium), Yes (Free) | No | Some |
| Private Internet Access | United States | No[50] | No[50] | No[50] | No[50][51] | No[50] | Yes[52][53][54] |
| ProtonVPN | Switzerland | No[55] | No | No[55] | No | No | Some |
| PureVPN | Hong Kong | No[56] | No[57] | No[58] | Yes[59] | No[c] | Some[d][63] |
| Surfshark | Netherlands | No[64] | No | Yes | No | No | Some |
| TunnelBear | Canada[65][66][67] | No[68] | No[68][69] | No[70] | Yes[67][70] | No[68] | Some[65][71][66] |
| Windscribe | Canada | No[72] | No | No | Yes | No | Yes |

Notes

  a. As claimed by provider unless otherwise noted.
  b. Hotspot Shield claims to collect "anonymous, aggregate data about which websites you visit and which apps you use."[35]
  c. "We DO NOT keep any record of your browsing activities, connection logs, records of the VPN IPs assigned to you, your original IPs, your connection time, the history of your browsing, the sites you visited, your outgoing traffic, the content or data you accessed, or the DNS queries generated by you."[60] However, in 2017, PureVPN provided connection logs including IP addresses to the FBI for use in a criminal investigation.[61]
  d. Name and e-mail is required for every payment method.[62]

Technical features

Service Leak Protection Protocols Obfuscation / Censorship Avoidance Network Neutrality Server
First-party DNS servers IPv6 supported / blocked Offers kill switch Offers OpenVPN Offers WireGuard Supports multihop Supports TCP port 443 Supports Obfsproxy Offers SOCKS Linux support Supports SSL tunnel Supports SSH tunnel Blocks SMTP (authent.) Blocks P2P Dedicated or virtual Diskless
Atlas VPN Yes Yes Yes No Yes Yes No No No Yes Some No Dedicated No
Avast SecureLine Yes Yes Yes Yes No No No No Some[73] Dedicated[74] No
ExpressVPN Yes[27] Yes Yes Yes[27] No No Yes[27] Yes[75] No[28] Both[76][77] Yes
Hotspot Shield No No Yes No No No No ?
IPVanish Yes[78] Yes[79] Yes Yes[39] Yes[80] No Yes[81] Yes[82] Yes[39] Yes[83] No No No[39] No[39] Dedicated No
IVPN Yes[84] No[85] Yes Yes Beta[86] Yes; OpenVPN Yes Yes Yes[87] Yes[88] No[89] No[90] Dedicated[91]
Mullvad Yes[92] Yes[92] Yes Yes[92] Yes[93] Yes; WireGuard[94] and SOCKS5 Yes[92] No[95] Yes[96][92] Yes[97] Yes Yes[92] No[92] No[92] Dedicated[98] Yes[99]
NordVPN Yes[100] No[101] Yes Yes[102] Yes; NordLynx based on WireGuard[103] Yes; OpenVPN[104] and SOCKS5 Yes[105] Yes[106] Yes[107] Yes No[108] Dedicated Yes
PrivadoVPN Yes Yes Yes Yes Yes[109] Yes Yes No
Private Internet Access Yes[110] Yes[111] Yes Yes[112] Yes[113] Yes[114] Yes[115] No Yes[116] Yes[117] Some[a] No[119] Dedicated[120] Yes[121]
ProtonVPN Yes No Yes Yes Yes[122] Yes Yes No No Yes[123] Yes Yes Some[b] Dedicated
PureVPN Yes Yes Yes Yes[125] No No Only through SSTP[126] No No Yes[127] No Some[128] Both[129][77] No
Surfshark Yes No Yes Yes Yes Yes (WG, OVPN, IKEv2) Yes No No Yes Some No Both Yes
TunnelBear Yes[69] Yes Yes Yes[130][66] No No No Yes[131][67] Yes Yes No[132] Some[133]
Windscribe Yes Yes Yes Yes Yes[134] Yes Yes No No[135] Yes (via Stealth protocol) No No No Dedicated[c] Yes[137] Yes

Notes

  a. The support team may be willing to whitelist your email provider's SMTP server upon request.[118]
  b. Only on free plan.[124]
  c. With the exception of one virtual server located in Antarctica.[136]

Encryption

Service Data encryption Handshake encryption Data authentication
Default provided Strongest provided Weakest provided Strongest provided Weakest provided Strongest provided
Atlas VPN ChaCha20-Poly1305 / AES-256[a] ChaCha20-Poly1305 2048-bit Diffie–Hellman ECP521 SHA-384
Avast SecureLine AES-256
ExpressVPN AES-256 CA-4096
Hotspot Shield AES-128[138] TLS 1.2 ECDHE PFS[138] HMAC[139]
IPVanish AES-256[140] RSA-2048[140] SHA-256[140]
IVPN AES-256[84] RSA-4096[84]
Mullvad AES-256 (GCM)[92] AES-256[92] RSA-4096[92] SHA-512[92]
NordVPN AES-256[141] AES-256 (CBC)[141] 2048-bit Diffie-Hellman[141]
Private Internet Access AES-128 (CBC)[142] AES-256[142] ECC-256k1[142] RSA-4096[142] SHA-1[142] SHA-256[142]
PrivadoVPN AES-256
ProtonVPN AES-256 RSA-4096 HMAC with SHA-384
PureVPN AES-256
SaferVPN AES-256[143] 2048bit SSL/TLS[143] SHA-256[143]
TunnelBear AES-128 (CBC)[b] AES-256 (CBC)[130] 1548 bit Diffie–Hellman[c] 4096 bit Diffie–Hellman[130] SHA-1[d] SHA-256[130]
Surfshark AES-256 AES-256 (CBC) 2048-bit Diffie–Hellman
Windscribe AES-256[144] RSA-4096[144] SHA-512

Notes

  a. ChaCha20-Poly1305 for all devices except for Windows, which does not support it and therefore uses AES-256
  b. Only on iOS 8 and earlier. All other supported devices and operating systems use AES-256 (CBC).[130]
  c. iOS 9 and later use 2048 bit. iOS 8 and earlier use 1548 bit. All other supported devices and operating systems use 4096 bit.[130]
  d. iOS 8 and earlier use SHA-1. All other supported devices and operating systems use SHA-256.[130]

Definitions

The following definitions clarify the meaning of some of the column headers in the comparison tables above.

Anonymous payment method
Whether the service offers at least one payment method that does not require personal information. Even if a service accepts a cryptocurrency like bitcoin, it might still require that the customer hands over personally identifiable information (PII) like their full name and address.
Bandwidth
Whether the users' bandwidth is logged while using the service, according to the service's privacy policy.
Diskless
Whether the service's server hardware is connected to hard drives, according to the service provider. If the servers are diskless, the service provider should be unable to log any usage data.
First-party DNS servers
Whether the service provides its own domain name system (DNS) servers.
Kill switch
Whether the service has the ability to immediately sever your connection to the Internet in the event that the VPN connection fails. This prevents a user IP address leak.[145]
Logging
Whether the service stores information about their users' connection or activity on the network, according to the service's privacy policy or terms of service. If logging isn't mentioned in those sections but denied somewhere else on the website, the particular table cell will be marked as "No" in yellow and include an explanatory note.
Privacy Impact Score
An indicator of a website's usage of potentially privacy intrusive technologies such as third-party or permanent cookies, canvas trackers etc.[146] The score can be in the range from 0 to 100, where 0 is minimal privacy impact (best) and 100 is the biggest privacy impact (worst) relative to other web sites.[146] The score also has a simplified letter and colour presentation from A to F where A is "No cookies" and F is "Score above three standard deviations from the average".[146] The metric is developed by WebCookies.org.[146]
Obfuscation
Whether the service provides a method of obfuscating the VPN traffic so that it's not as easily detected and blocked by national governments or corporations.[147][148]
Offers WireGuard
Whether the service provider offers the WireGuard tunneling protocol.
SSL rating
The service's website's overall SSL server rating according to Qualys SSL Labs' SSL Server Test tool.
Supports Obfsproxy
Whether the service has an implementation of the Tor subproject Obfsproxy.[147][148]
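
The "Kill switch" definition above describes failing closed when the tunnel drops. The following added example (not from the article or from any provider) checks a Linux routing table for the fallback route that would expose the user's IP address in that event. The interface names, addresses and route listings are constructed, and it assumes a routing-only view, so a kill switch enforced by firewall rules is not visible to it.

```python
import ipaddress

BLOCKING = {"unreachable", "blackhole", "prohibit"}  # route types that drop traffic

# Constructed `ip -4 route show` output: tunnel routes layered over the normal default.
FALLBACK_PRESENT = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
198.51.100.7 via 192.168.1.1 dev wlan0
"""

# Constructed fail-closed table: only the VPN server is reachable outside the tunnel.
FAIL_CLOSED = """\
default dev tun0 scope link
unreachable default metric 4000
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
198.51.100.7 via 192.168.1.1 dev wlan0
"""

def parse_routes(text):
    """Turn route lines into (network, device, metric, blocking) tuples."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        blocking = tok[0] in BLOCKING
        if blocking:
            tok = tok[1:]
        net = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, dev, metric, blocking))
    return routes

def egress(routes, dst):
    """Longest-prefix match (lowest metric on ties); None means the packet is dropped."""
    hits = [r for r in routes if ipaddress.ip_address(dst) in r[0]]
    if not hits:
        return None
    net, dev, metric, blocking = max(hits, key=lambda r: (r[0].prefixlen, -r[2]))
    return None if blocking else dev

def fallback_device(text, tunnel_if, dst="203.0.113.10"):
    """Simulate the tunnel interface disappearing; return the device that takes over."""
    survivors = [r for r in parse_routes(text) if r[1] != tunnel_if]
    return egress(survivors, dst)
```

A non-None result from `fallback_device` names the interface that would carry traffic in the clear once the tunnel is gone; `None` means the table itself fails closed.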
