What makes a VPN secure? How can a user ensure that a VPN provider will safeguard their browsing activities?
Many VPN providers advertise their services as a way to access geo-restricted content, especially in the case of streaming platforms like Netflix and Hulu.
But at its core, a VPN is about encrypting connections — preventing unauthorized entities from accessing your data and identifying personal details. It’s a cybersecurity measure simple enough for anyone to use. Likewise, it’s crucial for anyone living in countries with governments that repress internet freedom.
So how can people distinguish genuinely secure VPN services from mere cash-grab offerings with glaring vulnerabilities? After extensive research and testing, we now know the key elements that reinforce VPN security.
We’ve come up with a definitive list of the most secure VPN providers on the market. We scoured every region of the globe for what it had to offer — and the results are in.
Our picks for the most secure VPN:
Below is our definitive ranking of the top VPN services for privacy and security. These have met our high expectations, thanks to their industry-leading features and sound policies that prioritize user safety.
ExpressVPN Pros
- Military-grade AES-256 encryption
- Not part of any surveillance alliance
- DNS and WebRTC leak protection
- Genuine no-logs policy
- Highly secure OpenVPN protocol
- Undergoes independent auditing
- Kill Switch
- Split tunneling
ExpressVPN Cons
- No introductory rates
ExpressVPN takes no shortcuts in developing and maintaining user privacy and security. Its location alone is a crucial aspect: the British Virgin Islands (BVI) are outside the jurisdiction of the 14 Eyes alliance, so the territory’s intelligence agency isn’t legally required to share surveillance information with foreign agencies.
In 2017, ExpressVPN made headlines when Turkish authorities seized its physical servers in connection with the investigation into the murder of Andrei Karlov, the Russian ambassador to Turkey at the time.
But they were unable to find any details about the person in question. Why? True to its call for digital freedom, ExpressVPN kept no connection or activity logs whatsoever. ExpressVPN stated that it doesn’t store data that can be associated with any particular person or online behavior (including torrenting).
Users may choose among three VPN protocols: PPTP, L2TP/IPsec, or OpenVPN. The first two are older and more vulnerable than OpenVPN, the default protocol.
OpenVPN is open-source software, so anyone can look for vulnerabilities and report them to be fixed. Its certificate-based authentication defends against man-in-the-middle (MITM) attacks, in which an unauthorized party eavesdrops on a conversation — or even impersonates one of the involved parties.
ExpressVPN uses AES-256 encryption, which even the world’s top supercomputers couldn’t crack if they ran for a billion years. Likewise, AES-256-GCM (Galois/Counter Mode) avoids connection issues and allows multiple data packets to be encrypted in parallel.
ExpressVPN also employs perfect forward secrecy, which limits how much data an attacker can decrypt if a key is compromised. It works by generating a new key every 60 minutes, so at most 60 minutes of traffic is exposed; the data of the previous and following 60-minute periods stays safe.
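To make the forward-secrecy argument concrete, here is an added example (not ExpressVPN’s code) that rotates an ephemeral Diffie-Hellman key once per 60-minute interval and erases the private value as soon as the session key is derived. The group parameters are a constructed toy chosen for readability, not for security; real VPNs use 2048-bit or larger MODP groups or elliptic curves. The point it shows is that leaking one interval’s session key exposes exactly that interval and nothing else.

```python
"""Perfect forward secrecy via periodic ephemeral Diffie-Hellman key rotation.

Added example; not ExpressVPN's code. The group parameters are a toy
(constructed for readability, NOT secure). The 60-minute rotation matches
the interval described in the text.
"""
import hashlib
import secrets

P = 2 ** 127 - 1          # toy modulus (a Mersenne prime), constructed for illustration
G = 2                     # toy generator
ROTATION_SECONDS = 3600   # a new key every 60 minutes


def interval_for(timestamp):
    """Map a Unix timestamp to its 60-minute key interval number."""
    return timestamp // ROTATION_SECONDS


class Peer:
    """One side of the tunnel (client or server)."""

    def __init__(self, name):
        self.name = name
        self._priv = None        # ephemeral private value, erased after use
        self.pub = None
        self.session_key = None

    def new_ephemeral(self):
        """Pick a fresh random private value and publish g^priv mod p."""
        self._priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._priv, P)
        return self.pub

    def derive(self, peer_pub, interval):
        """Compute the shared secret, hash it into a session key, wipe the private value."""
        shared = pow(peer_pub, self._priv, P)
        material = shared.to_bytes(16, "big") + interval.to_bytes(8, "big")
        self.session_key = hashlib.sha256(material).digest()
        self._priv = None        # forward secrecy: nothing is left to recover this key from
        return self.session_key


def rekey(client, server, interval):
    """Run one ephemeral exchange for the given interval; return the agreed key."""
    c_pub = client.new_ephemeral()
    s_pub = server.new_ephemeral()
    k_client = client.derive(s_pub, interval)
    k_server = server.derive(c_pub, interval)
    assert k_client == k_server, "both sides must agree on the key"
    return k_client


def simulate(start_ts, hours):
    """Rotate keys once per hour for `hours` hours; return the list of session keys."""
    client, server = Peer("client"), Peer("server")
    keys = []
    for h in range(hours):
        keys.append(rekey(client, server, interval_for(start_ts + h * ROTATION_SECONDS)))
    return keys


def exposed_intervals(compromised_key, keys):
    """Given one leaked session key, list the intervals whose traffic it unlocks.
    With per-interval ephemeral keys that is only the interval it belongs to."""
    return [i for i, k in enumerate(keys) if k == compromised_key]


if __name__ == "__main__":
    keys = simulate(start_ts=1_700_000_000, hours=4)
    print("distinct keys:", len(set(keys)))                                 # 4
    print("intervals exposed by leaking key 1:", exposed_intervals(keys[1], keys))  # [1]
```

An attacker who recorded every public value on the wire and later obtained one session key still holds nothing that derives the neighbouring keys, because the private exponents that produced them were discarded the moment each key was computed.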
VPN providers always boast that they keep users safe, but few companies walk the talk like ExpressVPN. If anything, it does more than what’s expected of even the best VPN providers. Apart from all the features above, the company supports organizations such as the Electronic Frontier Foundation and OpenMedia.
Starting at $12.95 a month, ExpressVPN is available on Windows, macOS, iOS, Android, and Linux. Users can also try the service on their routers, or use the Chrome and Firefox browser extensions.
ExpressVPN features 24/7 live chat, over 3,000 servers in 94 countries (along with virtual servers to maintain connection standards in some countries), email support, and a 30-day money-back guarantee.
Private Internet Access
Private Internet Access Pros
- DNS and IPv6 leak protection
- Industry-standard OpenVPN protocol
- Up to RSA-4096 handshake encryption
- Up to AES-256 encryption with SHA-256 data authentication
- Malware, ads, and tracking protection
- Updated no-logs transparency reports
Private Internet Access Cons
- Default encryption settings choose the fastest instead of the most secure option
Private Internet Access offers the industry-standard AES-256 encryption, but the service uses AES-128 by default because it is faster. To defend against active attacks, users can enable the Data Authentication feature, which uses HMAC-SHA1 (the fastest option) or HMAC-SHA256.
Moreover, the VPN provider uses RSA 2048-, 3072-, and 4096-bit keys for handshake encryption. This ensures that users connect to a genuine Private Internet Access server and not to a cybercriminal’s.
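The data-authentication setting above is easier to appreciate with a worked example. The block below is added here and is not Private Internet Access’s code: it tags each tunnel record with an HMAC (SHA-256 by default, SHA-1 selectable, mirroring the two options the page names), verifies tags in constant time, and rejects replayed sequence numbers. The record layout, key and sample payload are constructed for illustration.

```python
"""Data authentication of tunnel records with HMAC plus replay protection.

Added example, not the provider's code. Record layout, key and payload are
constructed for illustration; "sha1" and "sha256" match the two options the
page describes.
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct("!I")   # 4-byte big-endian sequence number


def protect(key, seq, payload, alg="sha256"):
    """Build header || payload || HMAC(key, header || payload)."""
    body = HEADER.pack(seq) + payload
    return body + hmac.new(key, body, alg).digest()


def verify(key, record, alg="sha256"):
    """Return (seq, payload) if the tag is valid, else None.

    hmac.compare_digest avoids leaking where the first mismatching byte is."""
    tag_len = hashlib.new(alg).digest_size
    if len(record) < HEADER.size + tag_len:
        return None
    body, tag = record[:-tag_len], record[-tag_len:]
    if not hmac.compare_digest(tag, hmac.new(key, body, alg).digest()):
        return None
    (seq,) = HEADER.unpack(body[:HEADER.size])
    return seq, body[HEADER.size:]


class Receiver:
    """Verifies tags and rejects replayed sequence numbers with a sliding window."""

    def __init__(self, key, alg="sha256", window=64):
        self.key, self.alg, self.window = key, alg, window
        self.highest = -1
        self.seen = set()

    def accept(self, record):
        parsed = verify(self.key, record, self.alg)
        if parsed is None:
            return None                     # forged or corrupted record
        seq, payload = parsed
        if seq in self.seen or seq <= self.highest - self.window:
            return None                     # replayed or too old
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return payload


def flip_bit(record, byte_index):
    """Simulate on-path tampering by flipping one bit of the record."""
    b = bytearray(record)
    b[byte_index] ^= 0x01
    return bytes(b)


def demo():
    """Genuine, tampered and replayed records seen by one receiver (constructed data)."""
    key = hashlib.sha256(b"constructed demo key, not a real one").digest()
    rx = Receiver(key)
    rec = protect(key, 1, b"GET /status")
    return {
        "genuine": rx.accept(rec),                  # b"GET /status"
        "tampered": rx.accept(flip_bit(rec, 6)),    # None: tag no longer matches
        "replayed": rx.accept(rec),                 # None: seq 1 already seen
        "sha1_tag_len": len(protect(key, 2, b"x", "sha1")) - HEADER.size - 1,  # 20
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The SHA-1 variant produces a 20-byte tag versus 32 bytes for SHA-256, which is where its speed advantage comes from; both detect the single flipped bit, because the security of an HMAC does not rest on collision resistance of the underlying hash.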
The company doesn’t store logs and doesn’t hand out any crucial information to any entity — even to the government. Every six months, Private Internet Access publicly shares the number of government demands received, and no logs have ever been produced from these.
If any programmer or researcher spots vulnerabilities in the VPN service, Private Internet Access may pay them monetary rewards under the Whitehat Alert Security Program.
Private Internet Access has more than 3,000 VPN servers, like ExpressVPN, but they’re in only 45 countries so far, a little less than half of what ExpressVPN offers.
Official apps are available for Windows, Linux, Android, iOS, and macOS. Users can also get extensions for Chrome, Firefox, and Opera.
The anonymous VPN service costs $9.95/mo, with significant savings for six-month and annual plans.
Users who want to remain completely anonymous can pay Private Internet Access with gift cards; a $50 Walmart card is equivalent to 366 days of service.
Mullvad VPN Pros
- Built-in kill switch
- OpenVPN and WireGuard protocols
- Always-on DNS leak protection
- Open-source software
- Not under the EU Data Retention Directive
- Very active in the privacy community
Mullvad VPN Cons
- Has to comply with the EU GDPR laws
- Google app still in beta
The Sweden-based Mullvad VPN is under EU jurisdiction, but that doesn’t mean sensitive user details are compromised. The GDPR (General Data Protection Regulation) governs data processing, but it only obliges Mullvad to hand over what little user data it has, and only to the user it belongs to.
Foreign authorities hold no power to request information, and even Swedish court orders still undergo an examination before possible compliance. Even if the request goes through, authorities won’t see any activity logs because Mullvad VPN doesn’t store such data in the first place.
Mullvad VPN’s encryption applies to all online traffic, not just browsing. By default, it uses top-grade AES-256 encryption but can fall back to 128-bit Blowfish if AES-256 isn’t available.
For anyone who torrents, the VPN service provides recommended configurations for qBittorrent. It doesn’t recommend other BitTorrent clients because of their security issues.
Instead of asking for an email address and/or username, Mullvad VPN generates account numbers — and a person can have as many account numbers as they wish. Sticking to simplicity, only one monthly rate applies, which is €5 or roughly $5.50.
Understandably, the VPN provider can’t control the information companies like Stripe and PayPal keep, which is why Mullvad VPN recommends anonymous payment options like Bitcoin and even cash. So far, it has 669 servers in 36 countries.
BolehVPN Pros
- Decentralized VPN servers
- 4096-bit key PKI
- Outside Five Eyes jurisdiction
- AES-256 encryption
- Supports P2P activities
BolehVPN Cons
- Temporary logging of more data than necessary on some occasions
- Limited server locations
BolehVPN has proven that a Malaysia-based VPN provider can also be a contender for most secure VPN. Thanks to its offshore location, BolehVPN is well beyond the jurisdiction of surveillance alliances like Five Eyes and Fourteen Eyes.
Its server count is much lower than that of the other top picks, but BolehVPN chooses its countries (such as Japan and Luxembourg) carefully given its resources. Moreover, these servers are in no way connected to the central user database, which improves user privacy.
BolehVPN didn’t skimp on security either: rather than settling for 128-bit or 192-bit keys, it uses AES-256 encryption.
Furthermore, the privacy-focused VPN doesn’t ban P2P activity, nor does it monitor what users do online. BolehVPN doesn’t collect any sensitive logs; it only gathers the system logs its VPN servers need to work as intended.
However, the provider states that it may temporarily collect other logs while troubleshooting or when investigating users who abuse the service. Outside these cases, BolehVPN will not collect more data than it needs.
BolehVPN runs a PKI (public key infrastructure) with 4096-bit keys, which is much more secure than one with just 2048 bits and better resists interference. Plus, the company offers traffic obfuscation to hide the fact that users are on a VPN in the first place.
No real names are required — people can access BolehVPN as long as they have a working email address. It works on Windows, macOS, Android, Linux, and routers compatible with OpenVPN.
Unlike most top VPN services, BolehVPN lets people pay for just seven days of access for $3.70. The monthly rate is $9.99, and an annual plan costs $79.99. Users may pay with Bitcoin or other cryptocurrencies to maintain anonymity.
blackVPN Pros
- Dedicated, bare-metal VPN servers
- Zero-knowledge DNS
- No-logs policy
- OpenVPN with AES-256 encryption
- Offshore jurisdiction outside 5 Eyes and 14 Eyes
blackVPN Cons
- Limited server count
- US and UK servers prohibit certain downloads
Like BolehVPN, the Hong Kong-based blackVPN has no legal duty to share information with members of the 5 Eyes and 14 Eyes alliances — and Hong Kong itself has no mandatory data retention law.
Founded in 2009, blackVPN acknowledges privacy as a human right. Instead of merely renting or sharing servers with other companies to increase its server location count, blackVPN has its own set of physical servers. Known as bare-metal servers, these are located in high-security data centers in 18 countries.
Users on the OpenVPN protocol get top-tier AES-256 encryption and RSA-4096 handshakes. The VPN also uses a NAT (Network Address Translation) firewall to block unsolicited inbound traffic.
blackVPN is available on Windows, macOS, Android, iOS, Linux, and routers. It has a 14-day money-back guarantee, and three packages are available: Privacy, Global, and TV. All packages can be paid for with PayPal or Paymentwall, or anonymously with Bitcoin and other cryptocurrencies.
What makes a VPN secure?
It’s practically impossible for a VPN provider to handle no data at all, but that isn’t what a no-logs policy means. In reality, it means the company minimizes what it logs, collecting only what it needs for VPN connections and servers to work as intended. This is one of the most important factors when looking for a secure VPN.
The best VPN providers, like ExpressVPN and Private Internet Access, don’t collect activity or connection logs whatsoever.
With no “useful” data logs, user privacy and security aren’t threatened even if data centers or servers are compromised — even successful government requests won’t reveal anything that points to a specific person or activity.
Customers deserve to know which types of data are collected, how they’re secured, and how companies will respond to government requests. A VPN that touts a “no-logs policy” but fails to be transparent with its processes isn’t worth checking out.
Connection drops don’t happen often, but even the best anonymous VPN services aren’t immune. When one occurs, user privacy and security are compromised because the device falls back to its regular internet connection, which doesn’t hide the real IP address and location.
Secure VPN providers like BolehVPN and blackVPN have a built-in kill switch. A VPN kill switch immediately cuts other apps off from the internet the moment the VPN connection drops. Only once the device has reconnected to a VPN server does the internet connection return to the browser and other programs.
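A kill switch is, underneath, a default-deny egress policy: while the tunnel is down, the only packet allowed to leave on the physical uplink is the one that re-establishes the tunnel. The following is an added example, not any provider’s implementation. It models that decision in Python so it can be checked against constructed traffic, and renders the same policy as an nftables ruleset. The interface names (wlan0, tun0) and the VPN endpoint address are assumed placeholders.

```python
"""A VPN kill switch as a default-deny egress policy.

Added example, not any provider's code. Interface names and the VPN endpoint
address are assumed placeholders (documentation address ranges).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    phys_if: str      # physical uplink, assumed name
    tun_if: str       # VPN tunnel interface, assumed name
    vpn_server: str   # VPN endpoint address (placeholder)
    vpn_port: int
    proto: str = "udp"


def permits(policy, iface, dst, dport, proto):
    """Allow loopback, anything inside the tunnel, and only the VPN handshake on the uplink."""
    if iface == "lo":
        return True
    if iface == policy.tun_if:
        return True
    if (iface == policy.phys_if and dst == policy.vpn_server
            and dport == policy.vpn_port and proto == policy.proto):
        return True
    return False     # everything else is dropped, including while the tunnel is down


def nft_ruleset(policy):
    """Render the policy in nftables syntax (the inet family covers IPv4 and IPv6)."""
    return "\n".join([
        "table inet killswitch {",
        "    chain output {",
        "        type filter hook output priority 0; policy drop;",
        '        oifname "lo" accept',
        f'        oifname "{policy.tun_if}" accept',
        f'        oifname "{policy.phys_if}" ip daddr {policy.vpn_server} '
        f'{policy.proto} dport {policy.vpn_port} accept',
        "    }",
        "}",
    ])


# Constructed outbound attempts while the tunnel is down: (iface, dst, dport, proto)
ATTEMPTS = [
    ("wlan0", "203.0.113.10", 1194, "udp"),   # VPN handshake: must be allowed
    ("wlan0", "198.51.100.7", 443, "tcp"),    # web traffic on the bare uplink: blocked
    ("wlan0", "192.168.1.1", 53, "udp"),      # DNS to the ISP/router: blocked
    ("tun0", "198.51.100.7", 443, "tcp"),     # the same web traffic inside the tunnel: allowed
]


def evaluate(policy, attempts=ATTEMPTS):
    """Map each attempt to the kill switch's allow/drop decision."""
    return {a: permits(policy, *a) for a in attempts}


if __name__ == "__main__":
    pol = Policy("wlan0", "tun0", "203.0.113.10", 1194)
    for attempt, allowed in evaluate(pol).items():
        print(f"{attempt}: {'allow' if allowed else 'drop'}")
    print(nft_ruleset(pol))
```

A production ruleset would add narrow exceptions this sketch omits, such as DHCP on the uplink, but the shape is the same: drop by default, accept the tunnel interface, and accept exactly one destination on the physical interface.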
Just because a VPN provider states that it has over 50 server locations doesn’t mean its physical servers are in those areas. If a user chooses a server location and doesn’t actually get an IP address from that country, they may wonder why they’re experiencing censorship or can’t access geo-restricted content.
If a VPN company states that it has physical servers in North Korea, for example, that’s a huge red flag. Some countries are too restrictive when it comes to foreign businesses. Not to mention, they likely have repressive stances on online freedom.
The VPN server location isn’t just about viewing geo-restricted content. Countries like Switzerland, Spain, and Iceland are ideal locations because of their laws on net neutrality, data collection, and user privacy.
Of course, there’s nothing necessarily wrong with a privacy VPN offering virtual locations, where a server location in one country is provided by physical servers in another.
A good reason for this is to ensure that strict standards for VPN connections and security are met, which is the case with ExpressVPN. The most secure VPN providers all own their servers, while many others rent them.
Less than 3% of ExpressVPN servers make use of virtual server locations to ensure the utmost reliability and security. For example, users can change their VPN location to Macau, Laos, or Nepal with the help of physical VPN servers in Singapore.
Encryption is the process of concealing information by turning it into ciphertext. This adds a security layer against hackers, since the data isn’t readily available as readable text. The best encryption method is AES-256, and the best anonymous VPN services use it by default or offer it as an option.
AES (Advanced Encryption Standard) is also available with 128-bit and 192-bit keys, and AES itself is the industry standard, having been approved by the US Secretary of Commerce and the National Security Agency (NSA).
The total number of possible AES-256 keys is a 78-digit number. That’s an astronomical figure, larger than the total number of atoms in the known universe. No existing computer can brute-force AES-256 in a day; it would require billions of years of computation. How’s that for security!
Simply put, VPN protocols are the ways a device connects to a VPN server. The protocol itself affects how secure a VPN connection is because it determines the encryption type and authentication procedure.
A VPN protocol can tell a computer to conduct all online activities through the VPN connection, or only use the encrypted tunnel for web browsing.
The following are the most popular VPN protocols:
PPTP (Point-to-Point Tunneling Protocol) was released in 1995. Thus, it’s understandably the worst pick for security. But many people still prefer the old VPN protocol because it provides speedy connections, which means they can stream content with ease.
Cisco and Microsoft developed Internet Key Exchange version 2 (IKEv2), a favorite protocol for mobile VPN use. IKEv2 reconnects quickly, which helps when a device switches from Wi-Fi to mobile data. It’s also relatively secure.
The Secure Socket Tunneling Protocol (SSTP) is fully integrated into Windows, and has been since Windows Vista Service Pack 1.
SSTP is quite speedy and secure, but the fact that it’s owned by Microsoft makes it a bit questionable since no independent entity can conduct a full review of the code. But while it’s a Microsoft product, it works on other platforms like Linux, Android, iOS, and macOS.
Layer 2 Tunneling Protocol (L2TP) sometimes has trouble getting past firewalls, and it provides no encryption of its own. This is where the IPsec protocol comes in: the L2TP/IPsec combination is secure thanks to its industry-standard AES-256 encryption.
Like L2TP/IPsec, OpenVPN uses top-grade AES-256 encryption. It offers the best combination of speed, security, and reliability. Likewise, OpenVPN has no issues with platform and device compatibility.
VPN providers like Mullvad VPN and Private Internet Access offer OpenVPN. And since it’s open-source, independent auditors have had no problems auditing the protocol. Plus, people can access the code to check vulnerabilities. Thus, the cybersecurity community holds it in high regard.
Some countries, ISPs, and network administrators forbid VPNs. Even if a user successfully connects to a VPN server, they may not get to use it for long once it’s detected. To address this, secure VPN providers like ExpressVPN and BolehVPN offer connection obfuscation.
Simply put, this conceals the fact that a VPN connection exists at all: with obfuscation turned on, traffic passing through the encrypted tunnel still looks like regular internet traffic. The feature is a must for users in countries that actively limit citizens’ access to VPN services; anyone in such a country should choose a VPN that offers connection obfuscation.
DNS Leak Protection
The DNS (domain name system) is responsible for turning domain names into IP addresses. Without it, nothing would happen when someone typed a URL into the address bar and pressed Enter, because computers don’t understand URLs — they must first be resolved to IP addresses.
Without DNS, people would also have to remember the IP addresses of all their favorite sites. However, outdated software or incorrect network configuration can cause DNS leaks, in which DNS queries bypass the VPN tunnel and reveal one’s browsing activity to the ISP.
With DNS leak protection, a VPN provider answers DNS requests from its own network of fast DNS servers before they ever reach the ISP.
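The leak described above is visible on the host itself: a resolver is "leaking" when the route to it leaves via the physical uplink rather than the tunnel. The check below is an added example, not a provider’s tool. It parses resolv.conf-style text and a simplified route table (destination prefix, outgoing interface), performs longest-prefix matching with the standard ipaddress module, and reports every resolver that is reached outside the tunnel. All sample data is constructed; 10.8.0.1 stands in for a VPN-provided DNS server, and the routes mimic OpenVPN’s usual 0.0.0.0/1 and 128.0.0.0/1 override of the default route with no IPv6 route through the tunnel at all.

```python
"""Spot DNS leaks by checking which interface each configured resolver is routed out of.

Added example, not a provider's tool. All sample data is constructed; interface
names and addresses are placeholders.
"""
import ipaddress

# Constructed /etc/resolv.conf contents
RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search lan
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 2001:db8::53
"""

# Constructed route table: (destination prefix, outgoing interface)
ROUTES = [
    ("0.0.0.0/0", "wlan0"),
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    ("10.8.0.0/24", "tun0"),
    ("192.168.1.0/24", "wlan0"),
    ("203.0.113.10/32", "wlan0"),   # the VPN endpoint itself (placeholder address)
    ("::/0", "wlan0"),              # IPv6 default route is NOT tunnelled
]


def parse_nameservers(text):
    """Return valid resolver addresses (as strings) from resolv.conf text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass     # malformed entry; the system resolver ignores it too
    return servers


def egress_interface(addr, routes):
    """Longest-prefix match: the interface the kernel would send `addr` out of."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        # `in` is False across address families, so v4 and v6 routes never mix
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def find_dns_leaks(resolv_text, routes, tun_if):
    """Resolvers that are reached outside the tunnel interface."""
    return [ns for ns in parse_nameservers(resolv_text)
            if egress_interface(ns, routes) != tun_if]


if __name__ == "__main__":
    leaks = find_dns_leaks(RESOLV_CONF, ROUTES, "tun0")
    print("leaking resolvers:", leaks)   # ['192.168.1.1', '2001:db8::53']
```

The IPv6 case is the one that catches people out: a client that tunnels IPv4 but leaves the IPv6 default route untouched will hand every IPv6-capable resolver to the ISP, which is why the page’s "always-on" leak protection has to cover both address families.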