ExpressVPN offers a simple ‘one size fits all’ plan, starting at $12.95 per month and dropping to $9.99 per month if purchased on a 6 monthly basis.
This is somewhat on the pricey side, especially when the rather limited number of features offered by ExpressVPN is considered, but is somewhat offset by the generous 30-day “no-hassle” money back guarantee, which will provide users with more than enough time to decide if the service meets their needs.
In addition to this, Android users get a 1-day free trial when they download the app, and iOS users usually receive a 7-day free trial courtesy of iTunes (although this depends on whether the download is available in a given region).
It should be noted, however, that the free mobile trials do not appear to entitle users to a simultaneous free desktop trial (although we were unable to test this due to having used up our free Android trial in the past).
For such a high-profile service (matched by a high-profile price), ExpressVPN offers a very stripped-down VPN experience:
- No browsing logs (but keeps extensive metadata logs)
- PPTP, L2TP/IPSec, OpenVPN and SSTP protocols (Windows only) – we generally recommend using OpenVPN whenever possible as it is very secure, although SSTP is also highly secure
- Android and iOS apps
- 2 simultaneous connections (1 computer, 1 mobile device)
- 97+ servers in 78 countries
- Shared IPs
- Permits P2P (we think)
- SmartDNS service
The devil, however, is in the detail. In our view, a basic service is fine if it is done well…
ExpressVPN states that,
“We may collect the following information: times when connected to our service, choice of server location, and the total amount of data transferred per day. We store this to be able to deliver the best possible network experience to you. We analyze this information generically and keep the data secure.”
We were fairly sure that ExpressVPN is a US-based company, although the ToS states that,
“This Agreement shall be governed by and construed in accordance with the laws of the British Virgin Islands, excluding its conflicts of law rules.”
We asked support about this, who responded that,
“The corporation is set up under the British Virgin Islands at the moment. The owners of the company are in the U.S.”
As a US-owned company, ExpressVPN is subject to government surveillance via FISA and the Patriot Act (even when data is stored overseas). Even if it does abide by British Virgin Islands laws, the British Virgin Islands are a British overseas territory, and therefore no safer from NSA spying (thanks to UK data retention laws and the NSA’s best buddy – GCHQ).
On the plus side, ExpressVPN does accept payment via Bitcoin. This means that if the correct measures are taken, then users can add an additional layer of privacy by paying anonymously. However, the fact that ExpressVPN keeps metadata logs does mean that it may be able to tie internet behaviour to a real IP address.
Similarly, we like the fact that the only personal information asked during sign-up is an email address (and there is nothing to prevent the use of a disposable email account for this), but the problem remains that users’ IP addresses are logged. That said, the use of shared IPs (see below) does considerably reduce the impact of this issue.
As far as P2P downloading is concerned, our understanding is (and we could be wrong here, but there is no easy way to verify the situation), ExpressVPN is tacitly ok with it, but prefers not to discuss the subject (for obvious reasons).
ExpressVPN uses 256-bit AES OpenVPN encryption, which is good, although the SHA256 hash authentication is less impressive. Support declined to mention the key encryption/handshake used, so we presume it is the rather average OpenVPN standard RSA-2048. L2TP and SSTP encryption is also described as being 256 (more on SSTP later).
We stress that there is nothing wrong with this, and it should be secure against almost any form of attack, but we nevertheless find it uninspiring in these post-Snowden days where we know the lengths to which the NSA has gone to undermine international encryption standards. Having said that, given the amount of metadata it logs, together with it basically being a US company, ExpressVPN is not a provider for the more NSA-paranoid anyway.
Instead of relying on the usual username/password to authenticate users, ExpressVPN uses certificate-based authentication for OpenVPN connections (generated at sign-up). This removes the problem of users choosing weak passwords, but as it is used instead of username/password authentication rather than in addition to it, it provides no additional security through 2-factor authentication.
ExpressVPN uses shared IP addresses, which makes it difficult to determine which one of many users of an IP address is responsible for any given internet activity, and goes some way towards addressing the problem of keeping detailed metadata logs.
We do note that ExpressVPN declined to take part in TorrentFreak’s Which VPN Services Take Your Anonymity Seriously? survey, but leave readers to make of that what they may.
Something that is not very well advertised (in fact it only became clear once we had signed up for an account) is that ExpressVPN offers a Smart DNS service. This means that instead of relying on your ISP’s servers to convert long-form web addresses (e.g. www.cloudwards.net) into the numerical IP addresses that computers use (e.g. 220.127.116.11), ExpressVPN can do it instead.
Because this process is carried out by a US-based server, users’ apparent geolocation is in the US, making Smart DNS ideal for streaming geo-restricted media content. Because there are no encryption overheads involved, Smart DNS is much faster than VPN, which means fewer buffering issues when watching US TV shows.
It also means that many devices such as the Apple TV and PS4, which cannot run VPN software, can be configured to evade geo-restriction barriers.
A custom VPN client is available for Windows and Mac OSX desktop machines, while mobile apps are available for Android (4+) and iOS devices. The desktop and Android apps support OpenVPN, while the iOS app relies on L2TP/IPSec.
OpenVPN setup files are provided for Linux and routers, while PPTP and L2TP/IPSec instructions are provided for legacy devices. In addition to summary guides, detailed setup guides, complete with screenshots, are available for all platforms.
Smart DNS setup guides are available for Apple TV and PlayStation 4 (it should be easy to use these guides to set up other devices such as Smart TVs).
The client offers the following features:
- DNS leak protection – a VPN provider should resolve DNS requests when connected, but sometimes computers revert to their default settings, which can reveal a user’s true IP address. DNS leak protection prevents this
- Switch between VPN protocols – UDP and TCP are variants of the OpenVPN protocol. To cut a long story short, TCP is faster, while UDP is more stable. Unless users experience connection problems, it is usually recommended they stick with TCP
- SSTP – a (mainly) Windows-only VPN protocol, SSTP provides a similar level of security to OpenVPN. The main advantage of this proprietary Microsoft standard is that it uses TCP port 443 by default, which is the same port used by regular HTTPS traffic. Because HTTPS is a major backbone of security on the internet (it is the protocol used by every https:// website), blocking it effectively ‘breaks’ the internet, and so very rarely happens. This makes SSTP ideal for evading censorship, such as that practiced in China or Iran. It should be noted that OpenVPN can also be configured to use TCP port 443, although this must be done manually, and ExpressVPN provides no support for doing so
- Built-in speed test – this can help when choosing the best server to connect to
The built-in latency (ping), download speed, and “speed index” tests to find the fastest servers would be a great feature, except that they consistently failed when we ran them…
DNS leak protection is nice, but the client is otherwise fairly plain vanilla. It does, however, do its job just fine.
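Readers who use the OpenVPN setup files rather than the custom client can read the settings discussed in this review (cipher, hash authentication, certificate versus username/password login, TCP port 443, DNS leak protection) straight out of a .ovpn profile. The Python sketch below is an added example, not code from ExpressVPN or from the original review; the sample profile and its hostname are constructed placeholders.

```python
import shlex
# Constructed sample profile (not an ExpressVPN file); hostname is a placeholder.
SAMPLE_OVPN = """\
client
proto udp
remote vpn.example.net 1195
cipher AES-256-CBC
auth SHA256
<cert>
(constructed placeholder, PEM omitted)
</cert>
"""

def parse_ovpn(text):
    """Return ({directive: [argument lists]}, set of inline block names)."""
    directives, inline, in_block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # skip inline key/cert material
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":   # blank lines and comments
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]         # e.g. <cert>, <key>, <ca>
            inline.add(in_block)
            continue
        name, *args = shlex.split(line, comments=True)
        directives.setdefault(name, []).append(args)
    return directives, inline

def audit(text):
    """Summarise the security-relevant settings of an OpenVPN client profile."""
    d, inline = parse_ovpn(text)
    first = lambda k, default=None: d[k][0][0] if d.get(k) and d[k][0] else default
    proto = first("proto", "udp")         # OpenVPN uses UDP when proto is unset
    remotes = []
    for args in d.get("remote", []):      # remote <host> [port] [proto]
        port = args[1] if len(args) > 1 else first("port", "1194")
        remotes.append((args[0], int(port), args[2] if len(args) > 2 else proto))
    return {
        "cipher": first("cipher"), "auth": first("auth"),
        "remotes": remotes,
        "tcp_443": any(p == 443 and pr.startswith("tcp") for _, p, pr in remotes),
        "client_cert": "cert" in inline or "cert" in d,    # certificate login
        "password_login": "auth-user-pass" in d,           # username/password
        "block_outside_dns": "block-outside-dns" in d,     # Windows DNS leak guard
    }
```

A profile that reports `client_cert` without `password_login` matches the certificate-only login described above, and `tcp_443` shows whether the manual port change has been made.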
As with the desktop client, the Android app is a fairly simple affair, but it gets the job done without any fuss.
The ExpressVPN website looks smart, and information is easy to find. However, this information (such as that contained in the FAQ) is aimed very much at the VPN novice, and to get any kind of technical details we had to contact support…
Fortunately, this was very easy to do through the Live Chat app, and we were pleased to find the responses friendly and informative. Support is also available via direct email or a ticket system.
One thing to note is that when paying via PayPal (and possibly other means), billing is automated each month, so users planning on stopping their subscription will need to cancel this payment manually.
We tested speed performance using the HTML5-based Testmy.net tests, using its UK server on our 20MB/s download – 1MB/s upload UK connection.
These results are OK, but do not exactly set our world on fire. We also checked for DNS leaks, but did not find any problems.
There is nothing majorly wrong with ExpressVPN. As long as the NSA is not a major concern, its privacy policies and technical security are absolutely fine for most users, and its performance, while not amazing, is average or better for a VPN service. As such, and despite being on the decidedly pricier end of the spectrum, we can quite happily recommend the service, while at the same time noting that better services are available for less outlay.