Find a no-logging VPN operator who isn't out to sell or read your web traffic.
Using a VPN will not keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
If you are looking for anonymity, you should use the Tor Browser instead of a VPN.
If you're looking for additional privacy from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved.Download Tor Tor Myths & FAQ More Info
Mullvad EUR €60/Year
Mullvad is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since 2009. It is the only VPN provider that currently meets our criteria for recommendation. Mullvad is based in Sweden and does not have a free trial. Visit mullvad.net to create an account.
Mullvad has 409 servers in 39 countries at the time of writing this page. Typically the more servers a provider offers, the better: With hundreds of servers in operation, you are far more likely to find a fast connection and a server geographically closest to you.
In addition to standard OpenVPN connections, Mullvad supports WireGuard. WireGuard is an experimental protocol with theoretically better security and higher reliability, although it is not currently recommended for production use.
Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report published at cure53.de. The security researchers concluded:
...Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint.
Remote port forwarding
Mullvad in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, and cash/local currency as anonymous forms of payment. They also accept Swish and bank wire transfers.
No Mobile Clients
While iOS and Android clients are reportedly in the works, mobile users will need to use a traditional OpenVPN client and configuration files, which are a bit more difficult to configure.
The Mullvad VPN clients have a built-in killswitch to block internet connections outside of the VPN. They also are able to automatically start on boot. The Mullvad website is also accessible via Tor at xcln5hkbriyklr6n.onion.
ProtonVPN Free USD $96/year
ProtonVPN is a strong contender in the VPN space, and they have been in operation since 2016. ProtonVPN is based in Switzerland and offers a limited free pricing tier, as well as premium options. Unfortunately due to its lack of an independent security audit it does not meet the complete criteria for recommendation, see our notes below.
ProtonVPN has not undergone a security audit by an independent third party, and therefore cannot be strongly recommended at this time. We have still chosen to list it on this page with the assumption that an audit will be published soon:
We are currently undergoing a complete security audit of our VPN applications by a reputable Swiss security company. The results of the audit will be summarized in a public report for cases like this.
We will reevaluate this listing at the end of Q1 2020 or when the aforementioned report has been published, whichever is sooner.
ProtonVPN has 526 servers in 42 countries at the time of writing this page. Typically the more servers a provider offers, the better: With hundreds of servers in operation, you are far more likely to find a fast connection and a server geographically closest to you.
ProtonVPN does technically accept Bitcoin payments; however, you either need to have an existing account, or contact their support team in advance to register with Bitcoin.
In addition to providing standard OpenVPN configuration files, ProtonVPN has mobile clients for iOS or Android allowing for easy connections to their servers.
The ProtonVPN clients have a built-in killswitch to block internet connections outside of the VPN. They also are able to automatically start on boot. ProtonVPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using the official Tor Browser for this purpose.
IVPN Standard USD $60/Year Pro USD $100/Year
IVPN is another strong premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar and offers a 3 day free trial. Unfortunately, due to its lack of an independent security audit, it does not meet the complete criteria for recommendation, see our notes below.
No Security Audit
IVPN has undergone a no-logging audit from Cure53 which concluded in agreement with IVPN's no-logging claim. However, IVPN has not undergone a more comprehensive security audit by an independent third party, and therefore cannot be strongly recommended at this time.
We have still chosen to list it on this page with the assumption that an audit will be published soon. IVPN has hired Cure53 to undertake a comprehensive audit covering the IVPN website, public and internal server infrastucture. They expect the audit to begin in November 2019 and be completed by the 6 auditors in January 2020.
IVPN has 77 servers in 31 countries at the time of writing this page. Typically the more servers a provider offers, the better. IVPN has a decent (but not exceptional) server count that will most likely provide adequate coverage to most users.
Remote port forwarding
In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin and cash/local currency (on annual plans) as anonymous forms of payment.
In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for iOS or Android allowing for easy connections to their servers.
The IVPN clients have a built-in killswitch to block internet connections outside of the VPN. They also are able to automatically start on boot. IVPN also provides "AntiTracker" functionality, which blocks advertising networks and trackers from the network level.
Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations. We have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible.
Operating outside the five/nine/fourteen-eyes countries is not a guarantee of privacy necessarily, and there are other factors to consider. However, we believe that avoiding these countries is important if you wish to avoid mass government dragnet surveillance, especially from the United States. Read our page on global mass surveillance and avoiding the US and UK to learn more about why we feel this is important.
Minimum to Qualify:
- Operating outside the USA or other Five Eyes countries.
- Operating outside the USA or other Fourteen Eyes countries.
- Operating inside a country with strong consumer protection laws.
We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. If a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected.
Minimum to Qualify:
- OpenVPN support.
- Killswitch built in to clients.
- OpenVPN and WireGuard support.
- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
- Easy-to-use VPN clients, especially open-source. Even better if the Android version is also available in F-Droid.
- Supports IPv6. We expect that servers will allow incoming connections via IPv6 and allow users to access services hosted on IPv6 addresses.
- Capability of remote port forwarding assists in creating connections when using P2P (Peer-to-Peer) filesharing software, Freenet, or hosting a server (e.g., Mumble).
We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required.
Minimum to Qualify:
- Bitcoin or cash payment option.
- No personal information required to register: Only username, password, and email at most.
- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
- No personal information accepted (autogenerated username, no email required, etc.)
A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis.
Minimum to Qualify:
- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
- Perfect Forward Secrecy (PFS).
- Published security audits from a reputable third-party firm.
- Strongest Encryption: RSA-4096.
- Perfect Forward Secrecy (PFS).
- Comprehensive published security audits from a reputable third-party firm.
- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
Minimum to Qualify:
- Public-facing leadership or ownership.
- Public-facing leadership.
- Frequent transparency reports.
With the VPN providers we recommend we like to see responsible marketing.
Minimum to Qualify:
- Must self host analytics (no Google Analytics etc). The provider's site must also comply with DNT (Do Not Track) for those users who want to opt-out.
Must not have any marketing which is irresponsible:
- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know users can quite easily deanonymize themselves in a number of ways, eg:
- Reusing personal information eg. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
- Browser fingerprinting
- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of 3 or more hops that regularly changes.
- Use responsible language, eg it is okay to say that a VPN is "disconnected" or "not connected", however claiming that a user is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example the visiting user might be on another VPN provider's service or using Tor.
Responsible marketing that is both educational and useful to the consumer could include:
While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc.
Should I use a VPN?
The answer to this question is not a particularly helpful one: It depends. It depends on what you're expecting a VPN to do for you, who you're trying to hide your traffic from, and what applications you're using.
In most cases, VPNs do little to protect your privacy or enhance your security, unless paired with other changes.
VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.
What if I need encryption?
In most cases, most of your traffic is already encrypted! Over 98% of the top 3000 websites offer HTTPS, meaning your non-DNS traffic is safe regardless of using a VPN. It is incredibly rare for applications that handle personal data to not support HTTPS in 2019, especially with services like Let's Encrypt offering free HTTPS certificates to any website operator.
Even if a site you visit doesn't support HTTPS, a VPN will not protect you, because a VPN cannot magically encrypt the traffic between the VPN's servers and the website's servers. Installing an extension like HTTPS Everywhere and making sure every site you visit uses HTTPS is far more helpful than using a VPN.
Should I use encrypted DNS with a VPN?
The answer to this question is also not very helpful: it depends. Your VPN provider may have their own DNS servers, but if they don't, the traffic between your VPN provider and the DNS server isn't encrypted. You need to trust the encrypted DNS provider in addition to the VPN provider and unless your client and target server support encrypted SNI, the VPN provider can still see which domains you are visiting.
However you shouldn't use encrypted DNS with Tor. This would direct all of your DNS requests through a single circuit, and would allow the encrypted DNS provider to deanonymize you.
What if I need anonymity?
VPNs cannot provide strong anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data.
Shouldn't I hide my IP address?
The idea that your IP address is sensitive information, or that your location is given away with all your internet traffic is fearmongering on the part of VPN providers and their marketing. Your IP address is an insignificant amount of personal data tracking companies use to identify you, because many users' IP addresses change very frequently (Dynamic IP addresses, switching networks, switching devices, etc.). Your IP address also does not give away more than the very generalized location of your Internet Service Provider. It does not give away your home address, for example, despite common perception.
Should I use Tor and a VPN?
By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides 0 additional benefit to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. Read more about Tor bridges and why using a VPN is not necessary.
Are VPNs ever useful?
A VPN may still be useful to you in a variety of scenarios, such as:
- Hiding your traffic from only your Internet Service Provider.
- Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
For use cases like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're trusting the provider. In pretty much any other scenario you should be using a secure-by-design tool such as Tor.
Sources and Further Reading:
- VPN - a Very Precarious Narrative by Dennis Schubert
- Don't use VPN services by Sven Slootweg
- The self-contained networks recommended by PrivacyTools are able to replace a VPN that allows access to services on local area network
- Slicing Onions: Part 1 – Myth-busting Tor by blacklight447
- Slicing Onions: Part 2 – Onion recipes; VPN not required by blacklight447
More VPN Providers
Related VPN information
- Beware of False Reviews - VPN Marketing and Affiliate Programs
- I am Anonymous When I Use a VPN - 7 Myths Debunked
(Note: While this is a good read, they also use the article for self-promotion)
- Proxy.sh VPN Provider Sniffed Server Traffic to Catch Hacker
- Ethical policy - All of the reasons why Proxy.sh might enable logging
- IVPN.net will collect your email and IP address after sign up
Read the Email statement from IVPN.
- blackVPN announced to delete connection logs after disconnection
- Don't use LT2P IPSec, use other protocols.