Reviewing a VPN can be tricky. There's a lot to consider, an array of factors and features to weigh up, and everyone has their own view on what's important, and what really isn't.
As a result, definitive verdicts are hard to find. It doesn't matter how often or how carefully anyone measures connection speeds from the UK to Germany on a Windows laptop – this won't tell you very much if you're interested in connecting from Australia to New York on your Android mobile.
What we can do is check out a lot of different aspects of the service, and tell you more about them. You may not be interested in all of these – perhaps you only ever use the same location, for instance, so couldn't care less about how the server list is organized, or whether there's a favorites system – but hopefully we'll cover enough ground to give you a feel for what a provider is like.
In this feature we're going to explain the key issues we consider, how we go about evaluating and testing them, and how we ultimately decide that a service like ExpressVPN comes out on top. Although do bear in mind that while full reviews of the top VPN providers will cover everything we're going to discuss here, shorter reviews will simply focus on the major points.
But it's equally worth noting that what we've laid out here is just a fraction of what might potentially happen in a real review. If we're curious about exactly what a VPN app is doing – maybe we're wondering if it might be malicious, for instance – we might run its executable past a security scanner (try Ostorlab), examine the code of a browser extension or use something like dnSpy to decompile and browse a .NET client. But then, going into that sort of detail would require an entire book to cover properly!
The process of evaluating a VPN begins at its website, by collecting details on the service and its features.
Network size matters, though not as much as providers sometimes claim (as long as a VPN has the locations you need, it doesn't matter whether there are 20 or 2,000 more). As well as the numbers, we check to see how widely dispersed the locations are, whether they include countries you won't always get with the competition, or if they leave gaps in coverage elsewhere.
It's equally important to understand the services supported by each server. Do they all support P2P, streaming, OpenVPN, and everything else offered by the provider? This isn't always easy to find out, but it's worth making the effort (that list of 300 locations may look much less impressive if you realize you can only use P2P with three of them).
A good VPN should offer custom desktop and mobile VPN apps, as they'll be the easiest way to use the service. Be careful when you're checking this on a website, though. Providers will sometimes give you a long list of platforms, but although some of these will lead to downloads, others might just point you to a tutorial explaining how you can set up the service manually. Follow each link to find out for sure.
Identifying supported VPN protocols tells you a lot about the service. If it covers the key standards – OpenVPN, L2TP/IPSec, IKEv2 – there's a good chance you'll be able to use it on most devices and platforms (routers, game consoles and so on), even if they're not directly supported by provider apps.
We pay close attention to any details of how each protocol is implemented, too, including the specifics of any encryption and authentication methods which might be employed. These aren't always visible upfront, but there's usually some information tucked away in the support site.
Does the VPN have any interesting bonus features? Common examples are ad, tracker and malicious URL blocking; the provider's own DNS system; Onion support; split tunneling, allowing you to choose which applications use the VPN, and which don't; and maybe Bitcoin support for payments, improving your anonymity when you sign up.
Checking out the price helps us to understand whether the service is good value, but there's more to that than looking at a single headline figure. Some cheap VPNs don't offer their lowest price unless you sign up for several years, so it's important to look at the range of plans and prices on offer.
If collecting all this data sounds like it could be a lengthy and tedious process, you're right; it is indeed. But it's not just about finding figures and feature lists. Just the experience of looking for the relevant information will give you a good feel for what a VPN is like.
A dubious provider might be short on detail, for instance, with a poorly organized website making it hard to find what you need. Information might be inconsistent or outdated, and you'll sometimes see a little marketing trickery, such as making unrealistic speed or website unblocking promises which you suspect the company can't deliver.
But a professional provider will have a well-designed website which makes all the most important information visible upfront, with plenty of technical detail tucked away if you want it. Overselling will be kept to a minimum, and honesty and transparency are likely to be the order of the day.
Assessing the level of privacy offered by any VPN is difficult, as you're relying on the provider to honestly tell you what they're doing and how the service works. Still, there's often enough information to point you in the right direction.
This starts with the technical data you collected earlier on the protocols supported, the encryption and authentication. OpenVPN support is best, IKEv2 not far behind, L2TP/IPSec is acceptable, but the outdated and insecure PPTP is best avoided entirely.
We might look for AES-256 data encryption, RSA-2048 or 4096 to cover handshaking, and Perfect Forward Secrecy to generate new keys for each session – but the truth is that VPNs don't always fully spell out what they're doing.
It's sometimes necessary to browse the support site for clues, or you can download sample OpenVPN configuration files to give you some idea of how the service works. If the service has live chat, try asking someone; the agents can usually answer pre-sales queries.
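One way to turn those downloaded configuration files into a quick check, as an added example that is not the article's own tooling: it parses a constructed .ovpn profile (the hostname, key block and the cipher lists are assumptions for illustration) and flags the settings a reviewer would want to query with the provider.

```python
# Constructed sample profile: the hostname and key material are placeholders, not a real provider's.
SAMPLE_OVPN = """\
client
proto udp
remote vpn.example-provider.invalid 1194
cipher BF-CBC
auth SHA1
<tls-auth>
(constructed placeholder for the static key)
</tls-auth>
"""
STRONG_CIPHERS = {"AES-256-GCM", "AES-256-CBC", "CHACHA20-POLY1305"}  # assumed acceptable set
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}

def parse_directives(text):
    """Map each top-level directive to its arguments; inline <blocks> are noted but not parsed."""
    directives, in_block = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if in_block:
            in_block = not line.startswith("</")
            continue
        if line.startswith("<"):
            directives[line.strip("<>")] = ["<inline>"]
            in_block = True
            continue
        key, *args = line.split()
        directives[key] = args
    return directives

def audit_profile(text):
    """Return a list of findings about the profile's crypto settings; [] means nothing flagged."""
    d = parse_directives(text)
    findings = []
    # OpenVPN 2.4+ negotiates the data cipher from data-ciphers/ncp-ciphers when present, so that list wins.
    negotiated = d.get("data-ciphers") or d.get("ncp-ciphers")
    ciphers = negotiated[0].split(":") if negotiated else d.get("cipher", ["(unspecified)"])
    weak = [c for c in ciphers if c.upper() not in STRONG_CIPHERS]
    if weak:
        findings.append("data cipher not in the AES-256/ChaCha20 set: " + ", ".join(weak))
    if d.get("auth", ["SHA1"])[0].upper() in WEAK_DIGESTS:  # SHA1 is OpenVPN's default HMAC digest
        findings.append("weak HMAC digest: " + d.get("auth", ["SHA1"])[0])
    if "tls-crypt" not in d and "tls-auth" not in d:
        findings.append("no tls-auth/tls-crypt: control channel is not authenticated before the TLS handshake")
    if "remote-cert-tls" not in d:
        findings.append("no remote-cert-tls server: client will not check the server certificate's role")
    return findings
```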
App features are key. Quality VPNs will use their own DNS servers and implement DNS leak protection (IPv4 and IPv6) to reduce the chance of your internet activities becoming visible to others. You'll also want to have a kill switch to automatically block internet access if the VPN connection drops.
Beware: just because a service has 'kill switch' on a website feature list doesn't mean that this capability will be available on every platform. Mobile apps often have fewer features and functions than their desktop siblings, for instance, so we check each one to fully understand what it does.
To confirm that a VPN is properly hiding your IP address, connect to any VPN location and point your browser at ipleak.net. If you see your real IP address, or an address owned by your ISP, there's a problem which you need to investigate further. Results can vary according to browser setup, so repeat this in every browser and on every device you use.
We test kill switches on Windows VPN clients by using a custom tool to forcibly close our VPN connection, then we check to see how long the internet remains accessible, and whether our regular external IP is visible to the outside world.
To do something similar manually, use Task Manager to close the process OpenVPN.exe and check whether your internet access goes down immediately or only after a delay of a few seconds, and whether the client automatically reconnects.
If the kill switch doesn't appear to work, check Settings to make sure it's turned on (sometimes it's disabled by default). Look for alternative settings which might help, too. Some clients include a 'redial if the connection drops' feature which isn't quite as effective, but will still offer some anonymity protection.
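The timing measurement described above, as an added Python script rather than the article's custom tool: it assumes the tunnel process is named openvpn.exe, that taskkill is available (Windows), and that api.ipify.org returns the caller's public address as plain text; the real ISP address is passed on the command line, and the assessment logic is separated so it can be checked on constructed samples.

```python
import subprocess
import sys
import time
import urllib.request

def observed_ip(url="https://api.ipify.org", timeout=2.0):
    """External IP as reported by an IP-lookup service (assumed endpoint), or None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode().strip()
    except Exception:  # any failure means the probe could not reach the internet
        return None

def kill_vpn_process(name="openvpn.exe"):
    """Forcibly end the tunnel process, the scripted equivalent of closing it in Task Manager."""
    subprocess.run(["taskkill", "/F", "/IM", name], check=False)

def poll_samples(probe, duration=20.0, interval=0.5, clock=time.monotonic, sleep=time.sleep):
    """Collect (seconds_since_start, ip_or_None) pairs from `probe` for `duration` seconds."""
    start, samples = clock(), []
    while clock() - start < duration:
        samples.append((round(clock() - start, 2), probe()))
        sleep(interval)
    return samples

def assess(samples, real_ip):
    """Summarise a series: did the ISP address leak, when, for how long, and did the tunnel come back?"""
    leaked = [t for t, ip in samples if ip == real_ip]
    dropped, reconnected_at = False, None
    for t, ip in samples:
        if ip in (None, real_ip):
            dropped = True
        elif dropped and reconnected_at is None:
            reconnected_at = t  # a VPN exit address is visible again after the drop
    return {
        "leaked": bool(leaked),
        "first_leak_at": leaked[0] if leaked else None,
        "leak_window": round(leaked[-1] - leaked[0], 2) if leaked else 0.0,
        "blocked": any(ip is None for _, ip in samples),
        "reconnected_at": reconnected_at,
    }

if __name__ == "__main__":
    # usage: python killswitch_test.py <your-real-ISP-IP>, run while the VPN is connected
    print("exit IP before kill:", observed_ip())
    kill_vpn_process()
    print(assess(poll_samples(observed_ip), sys.argv[1]))
```

A working kill switch shows "blocked" with no "leaked"; a "leak_window" of several seconds before the block, or a "reconnected_at" with a leak in between, is what the 'redial' style of protection typically looks like.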
VPN providers, particularly free services, are regularly accused of selling their users' browsing history. Most will try to fight back, typically by yelling 'No logging!' on the front page of their website, but years of review experience have told us this isn't always true. That's why we always look a little deeper.
The logging details in a privacy policy should be explicit and cover all logging possibilities. A single line saying 'we never under any circumstances log what you're doing online', for instance, doesn't rule out the possibility that the service might record session data: the date and time you log in, your incoming IP address, the VPN IP address you're assigned, the date and time you disconnect and the bandwidth you use. That level of detail could be enough to allow others to link an internet action to your account.
A better policy will rule out this possibility by explaining that it doesn't log connect or disconnect times, incoming and outgoing IP addresses, and so on.
The best policies will also tell you what they do record, why they do so, and what happens to that data. For example, a provider might say that it logs the last connection time and the bandwidth used in that session, but doesn't record incoming or outgoing IP addresses. It could explain that this data is useful to help the company monitor service use and identify inactive accounts (makes sense), but doesn't allow anyone to find out what you're doing online (quite true). And it might tell you that if you no longer use the service, you can email support and they'll delete your old account data entirely.
Checking out the small print can sometimes highlight logging that a VPN is admitting takes place, though. And if nothing else, it can give you clues about how honest and open a provider might be.
VPN providers know there's a lack of trust in the business, but some are trying to counter this by putting themselves through independent security audits.
The idea is that a provider invites an expert team to look in-depth at security or privacy issues with its systems, and report back with their findings.
Any VPN which puts itself through this process deserves some credit for having the courage to expose its inner workings to the world. But not all audits are the same, and their true value depends on a range of factors.
What is the scope of the audit, for instance – what did the auditors try to look at? If it's some tiny aspect of the service, like the browser extensions, that's not going to mean very much. Inspecting the full range of apps is more useful, and the best audits will go even further: TunnelBear's security audit includes its infrastructure and even the website, while NordVPN now calls in PricewaterhouseCoopers to complete an independent audit of its no-logs policy.
What level of access did the auditors have to the service? Being able to test an app is good, but having access to the source code, and real VPN servers, is much, much better.
Is the final report available, in full, to the public? Ideally anyone should be able to look at it. Some reports are only available to paying customers – not so convenient, but we can live with that. A few aren't publicly available at all, though, which leaves you having to trust the VPN's own summary of the verdict. (Which is ironic, considering audits are supposed to be about reducing this need for trust.)
Finally, how long ago did the audit take place? A quality VPN is always extending and improving its systems, so a report from two years ago won't have nearly as much value today. We look for providers that not only put all their services up for inspection, but firms that commit to do it next year, too.
Test server selection
To properly understand how a VPN performs, we use automated tools to connect to multiple servers and test key aspects of the service: server availability, location, connection time, latency and download speeds.
Our tools connect to each server via OpenVPN, and so the testing process starts by downloading the VPN provider's configuration files. (If a service asks us to generate them ourselves, we specify UDP-based connections).
These files are separated into four location-based groups (the UK, Europe, North America and the rest of the world), which we then break down further to choose the servers which will be included in our tests.
Some VPN tests use largely fixed locations: one in London, one in Amsterdam, another in New York, and so on. This is good for maintaining consistency between VPN providers, but it won't necessarily make for a fair comparison.
For example, if SmallVPN.com has a single New York location, and BigVPN.com has 10, then testing one server from each provider keeps life simple. But there's no way to know whether BigVPN.com's single server will accurately represent the good or the bad points of the service.
To try and get a more realistic idea of how a VPN performs, we test up to 30 locations within a group, even if this means they're all within a relatively small area (10 servers in London, say). In real-world use you might occasionally be allocated any one of these servers, so we need to try them all ourselves, if only to see how (or if) they vary.
If there are significantly more than 30 locations, we choose a subset which best represents the group's geographical area. The North America group will include east coast, mid-American, west coast and Canadian locations where possible, for instance.
Of course, this means we may also miss some of the best (or the slowest) servers, but we think it's enough to give us a representative view of the performance in that group.
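The grouping and capped, region-spread selection described above, as an added example that is not the article's own tooling: the country-to-group sets and the sub-region label attached to each downloaded profile are assumptions, and the inventory is constructed.

```python
from collections import defaultdict

# Assumed country-to-group mapping; a real inventory would carry the provider's own location labels.
EU_COUNTRIES = {"DE", "FR", "NL", "SE", "ES", "IT", "PL", "CH"}
NA_COUNTRIES = {"US", "CA", "MX"}

def group_for(country):
    """Assign a profile to one of the four location groups used in the test plan."""
    if country == "GB":
        return "UK"
    if country in EU_COUNTRIES:
        return "Europe"
    if country in NA_COUNTRIES:
        return "North America"
    return "Rest of world"

def select_servers(profiles, cap=30):
    """Pick up to `cap` profiles per group, rotating across sub-regions so that a group with
    40 US-East servers and 5 Canadian ones still yields every Canadian pick.
    Each profile is a dict with 'file', 'country' and 'subregion' keys (constructed format)."""
    by_group = defaultdict(lambda: defaultdict(list))
    for p in profiles:
        by_group[group_for(p["country"])][p["subregion"]].append(p["file"])
    chosen = {}
    for group, subregions in by_group.items():
        # Deterministic order: sub-regions alphabetically, files alphabetically within each
        queues = [sorted(files) for _, files in sorted(subregions.items())]
        picks = []
        while len(picks) < cap and any(queues):
            for q in queues:
                if q and len(picks) < cap:
                    picks.append(q.pop(0))  # one from each sub-region per round
        chosen[group] = picks
    return chosen
```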