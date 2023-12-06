Nowadays, it's nearly impossible to be online for any period of time without being bombarded with adverts for VPNs. They're everywhere. From big-name players to small upstarts, it feels like there's a continuous roundabout of new and old VPNs desperate to advertise to us, and in turn secure their business in protecting our internet traffic. VPNs can be an essential tool online and have helped protect the security and privacy of their users everywhere, from warzones to coffee shops. VPNs are now big business, but it's become harder than ever to pick through the marketing and understand exactly what a VPN can and can't do for you.

What is a VPN?

Minus the marketing

A VPN (Virtual Private Network) is a tool that allows secure tunneling over the internet. A VPN acts between a client and a server, where the client establishes a secure, encrypted tunnel to the server before routing all or part of the client's internet traffic down this tunnel. The client in this situation is normally your phone or PC, while the server might be in a remote location anywhere else in the world. Anyone attempting to watch (or sniff) internet traffic from the client will only see a single encrypted tunnel, with all traffic being securely transmitted to one destination.

From this destination (the server), your traffic can be broadcast to the internet. To anyone receiving this traffic, it would appear as if your traffic has always come from the server. Data returned from the internet traverses the tunnel in reverse, arriving at the server before being encrypted and sent back to the client down the same tunnel.

What can I use a VPN for?

Accessing blocked content

Source: Private Internet Access

One of the key benefits a VPN offers is that all traffic reaching the internet will appear to originate from the server. This means that any attempt to geolocate the traffic will return to the location of the VPN server you're connected to, not the location of the client. This can make VPNs great for escaping geographical restrictions on TV or content. This also makes it harder for websites to track your activity based on your IP address.

Many consumer VPN providers will offer servers in a wide range of countries. You can also use a VPN to evade web filtering, whether that's from your ISP, school, or workplace. However, be aware that your ISP or workplace will normally be able to recognize VPN traffic, even if they can't read it, and identify that you're using a VPN.

Added security

Another benefit (and something that differentiates most VPNs from a proxy) is that a VPN encrypts all of your traffic, even if it's already encrypted. The VPN will re-encrypt all your traffic and decrypt it again at the server, before sending it out to the internet. This means that some of your traffic is encrypted twice, once with the encryption established between the client and server, and once with the remote server you're trying to access (for example, a HTTPS-enabled website). The benefit of this is that no internet traffic can leave your computer without being encrypted. This includes things that might not normally be encrypted, like DNS queries or SSL/TLS handshakes, but that can give away clues about what you're accessing.

There are other uses for VPNs and many different ways to set up a VPN. We're focusing on consumer VPN providers, but you could also host your own VPN in the cloud, or host one at home to access your private services remotely.

Should I always use a VPN?

There can be downsides to leaving your VPN on 24/7

There is a performance overhead to using a VPN, as all traffic will need to be encrypted and decrypted. This can also add latency, so using a VPN for gaming will cause higher ping (both because of the performance overhead and the added jump to the server before traffic hits the internet). Using a VPN server close to where you live can help with this. There's no danger to using a VPN all the time, and many corporate devices won't allow access to the internet without connecting first through a VPN. That said, it's generally not necessary. A better strategy might be to use your VPN on networks you don't trust, or when you think internet filtering or data collection might be a concern.

How do I get a VPN?

Should I just pick the first one?

There are hundreds of VPN providers out there, normally with relatively affordable prices in the range of $2-10+ a month. Some providers are even free but often come with bandwidth caps or injected advertising. Many VPN providers will run heavy discounts, whether through promo codes or seasonal promotions, so it's best to shop around. Establish what basic features you need from a VPN (i.e. servers in specific countries, clients for your devices) and look for recommendations online from trusted sources. Some VPN marketing can be misleading, so it's best to use review sites you trust with your security.

Nebulous Marketing

Claims about VPNs have been getting increasingly audacious

In recent years, the market around VPNs has muddled slightly. As the popularity of VPNs has soared in recent years, running a large provider has become an extremely profitable business. This is what has, in part, led to the overload of VPN marketing on the internet. VPN providers can be extremely profitable. A VPN provider can run a server relatively cheaply in the cloud, and most of the fundamental software tools already exist (like OpenVPN or WireGuard) to run a decently sized VPN. Providers obviously bring their own apps and clients, but these are generally boilerplate. Some providers implement their own protocols or features on top, but these are discretionary and not necessary to run a provider.

The effect of this is that success in the VPN space has become entirely about marketing, which has led to the massive marketing budgets of some common providers. Brand recognition and reputation is essential here, and influencer marketing can have a big impact in building trust and recognition around a brand. However, as this marketing race has developed over the last few years, more and more bad information has been circulating about why you might need a VPN.

Is public Wi-Fi dangerous?

Some VPN providers have been scaremongering about the dangers of public Wi-Fi. You'd not be remiss to believe, given some of the marketing, that any use of public Wi-Fi without a VPN is a security death sentence. This threat is often wildly exaggerated. It is possible that, if using HTTP (not HTTPS), an attacker on a public network could set up a man-in-the-middle attack on your traffic. However, HTTP has been phased out almost entirely for any online application with a login, and the attacker would still need to have some kind of device in the same physical space as the Wi-Fi network (although this could be small or compact). In most browsers now, you'll even get a warning if a page you're visiting is using HTTP instead of HTTPS.

The threat of using public Wi-Fi for day-to-day tasks is exaggerated

There are free options to improve your security if you're concerned more generally, an extension like HTTPS Everywhere will force all of your web browser traffic to use HTTPS, which adds more general protection. If you're concerned about DNS leakage, which would allow an attacker to see the domain (i.e. xda-developers.com) of sites you're accessing but not their full URL, you can enable DNS-over-HTTPS on Windows. This isn't to say don't use a VPN, but that for the overwhelming majority of situations, it isn't necessary. More security is always good, but consumers shouldn't feel like they need to buy a VPN out of fear.

Does a VPN make you anonymous online?

This is another big misleading one. A VPN only makes you anonymous online so much as you trust your VPN provider. If your VPN provider keeps logs or has been forced by a court to monitor your traffic, your anonymity is gone. Your IP address is still very much traceable to your VPN provider, effectively transferring responsibility for your privacy from your ISP to the VPN provider. Even more concerningly, service providers have previously been forced to hand over data while being barred from publicly disclosing that they're doing so, making it almost impossible to know for sure if your VPN provider is doing the same. Some encrypted messaging services have even elected to shut down instead of handing over user data. For serious anonymity online, decentralized tools like Tor are preferred.

Accessing blocked content online

This is another common marketing point — that a VPN can be used to access blocked content at work or school. This is true, but it comes with a big caveat. Just because VPN traffic is encrypted, doesn't mean it's hidden. Your work or school can still tell you're using a VPN, even if they can't see what you're using it for. In some cases, using a VPN inside your work or school network might immediately trigger security alerts, and you may find yourself in more trouble than you set out to avoid.

What makes a good VPN provider?

Security is paramount.

Source: NordVPN

First and foremost, a VPN is only as secure as the provider. In fact, if a VPN server is compromised, it can be far worse for your privacy and security to use a VPN than not to. If a VPN server is compromised, you've not only lost the protection a VPN offers but also intentionally funneled all of your internet traffic to an attacker to inspect, without even knowing it.

It's important to choose a VPN provider with a focus on security and user experience, even if it's more expensive than the cheapest option. This means a provider with a good reputation that is proactive about patching and maintenance. This might also include providing a VPN kill-switch, which ensures that no traffic is allowed to leave your machine if the VPN is disconnected. You might also want a provider that allows anonymous signups (i.e. without an email address) or one that accepts Bitcoin or another decentralized payment method.

Some providers publish third-party external audits of their security or verification of their no-log policies, which is also a great sign of a provider who's taking security seriously.

A VPN is not a one-stop-shop for all your privacy and security considerations online

Recognize when you're the product

Some VPN providers can also engage in more nefarious practices, like selling your user or usage data to third parties, injecting adverts into your traffic, or making use of your client as an exit node for other services. Some VPN providers make it a core tenant of their marketing that they don't keep logs of your usage. The cheapest or free VPN providers are often engaged in this type of practice in order to subsidize their low costs. It's important to research a provider properly and read reviews both from end users and from sources you trust who make security and privacy a focus. Look for clear and transparent policies on security and the retention of logs.

Other security-related 'handouts' like inbuilt password managers or browser extensions designed to stop tracking cookies might be nice to have from your VPN provider, but be wary of that as a smokescreen for fundamental security and best practice.

Source: Betternet

A Reliable Client

Depending on which devices you'll be using your VPN on, a reliable client is important. Most VPN providers will easily allow you to set up your configuration in any client, but this can take some technical know-how to get right and makes switching between different VPN servers difficult. It's important to choose a provider that offers a good, stable client, and one that receives regular security updates. Other clients might have great extra features like custom DNS support, port forwarding, or multiple protocols. Many VPNs offer a free trial, and these are a good opportunity to test out the client.

Speed

Not all VPNs are the same. Depending on the number of servers, resource contention, and configuration, VPNs can vary in connection speed wildly. The cheapest or free VPNs will often have heavy resource contention which makes them significantly slower than your normal connection, and they may even actively throttle. It's best to try out a few and find one that's fast, or take recommendations from friends or other users online. The subreddit r/vpnrecommendations is a great resource here.

The cheapest or free VPNs will often have heavy resource contention which makes them significantly slower than your normal connection,

Extra features

Bonus features are always nice, but be wary of sacrificing functionality for bonus frills. A good range of countries is important, especially if there are specific countries you think you might need to route through.

Bonus points can be awarded to VPNs that have a strong history of not logging information on user usage, not throttling certain traffic types (like torrents), or offering external audits on privacy. Another nice thing to have is the easy setup of external clients (i.e. by downloading a .ovpn file). Some providers also offer streaming-optimized servers, which can help avoid throttling if you're watching Netflix or extra features like peer-to-peer file sharing over the VPN. If you're using a VPN for torrents, shop around for a VPN that has a good reputation for it, as many VPNs will heavily throttle or outright block torrent traffic.

Choosing a VPN can be difficult

Choosing a VPN can be difficult, and can often come down to your own awareness of brands and their marketing. We recommend you take advice from trusted sources, who have tested out each VPN for you, and stick with an established provider with a good reputation. It's important to be aware of the security and privacy considerations of using a VPN and also to be aware of the limitations. A VPN should be part of your privacy arsenal but is not a one-stop-shop for all your privacy and security considerations online.