A VPN is an important part of a secure online existence. It serves both security and privacy: it hides where your traffic is going from your ISP and hides its contents from anyone snooping on the network between you and the VPN server.
In theory, all VPNs should operate this way, but that’s not the case. We’re here to give you a guide to VPN security and what you should look out for when picking a provider. By the end, our hope is that you’ll know why we recommend providers like CyberGhost (read our CyberGhost review) over ZenMate (read our ZenMate review).
If you want to go easy mode, you can always read our guide to the best VPN providers. The services we recommend all have a track record of secure, private browsing, so you don’t need to worry about how secure the VPNs are. You could bypass this knowledge altogether and just go with an option there. For the more curious among you, let’s start at the top.
What Is a VPN?
VPN stands for virtual private network, and the concept isn’t hard to grasp. Your home network is a physical one. If, for example, you have three computers connected through a network switch and not to the internet, that’s a private network.
The internet, on the other hand, is a public network where files can be transferred from one private machine to another.
A VPN restores the “private” part of that for use over the internet. You’re creating a private network virtually, hence the name. It’s a network because it connects machines, it’s virtual because there’s no physical link to the remote server, and it’s private because the connection is authenticated and encrypted.
Originally, VPNs were created so businesses could let remote workers reach internal machines. The remote machine is essentially tricked into thinking it’s on the same physical network. Now that VPNs have moved into the consumer market, they’re used for other purposes as well.
You connect to a remote server that sends data out on your behalf, much as a proxy would. The difference is that a VPN encrypts everything between you and that server, not just browser traffic, and the server’s shared IP address replaces yours on every packet it forwards, so the sites you visit see the server rather than you.
With your IP address and location hidden, you can browse with far more privacy. VPNs are most commonly used today to reclaim online privacy and to bypass geoblocks, the distribution hurdle that restricts TV shows, movies and streaming services to a certain part of the world.
They’re also used to get around the internet in countries with strict censorship laws, such as bypassing the Great Firewall of China (read our do VPNs really work? guide).
How a VPN Protects You
Before understanding the advantages of using a VPN, you need to understand what happens when you connect to a website. Whenever you open a browser and enter a URL, your machine looks up the site’s name in DNS and then sends a request to the web server at that address. The server sends back the page, which loads in your browser.
This happens in milliseconds, so it’s not surprising that a normal user doesn’t give it a second thought. Along the way, though, your internet service provider (ISP) carries the DNS lookup and every packet you exchange with the server, so it can log which sites you visit and when, tied to your IP address. With HTTPS it doesn’t see the full URL or the page contents, but the domain name and the destination address are enough to build a profile.
In the event you’re doing something that you shouldn’t be, such as copyright piracy or other pursuits, the ISP has a record of it. If that’s your game, make sure to check out our best VPN for torrenting.
Outside of trying to download a couple of movies, the fact that your ISP can record all of your browsing data is a major privacy concern. In the U.S., there are worries about those records being shared with the NSA as part of the PRISM project (read our best VPN for Comcast piece), and there are even more major concerns abroad (just take a look at China).
There are two layers of protection a VPN uses against this sort of snooping: tunneling and encryption.
Tunneling
A tunnel is a virtual path your data travels through so your ISP, or any other eyes, can’t see where it’s really going. All data running to and from your machine is sent in packets. A packet carries the request you’re sending, the protocol in use and the sender’s and receiver’s IP addresses.
A VPN puts each data packet inside another packet addressed to the VPN server. The process is known as encapsulation, and it’s the first layer a VPN uses to keep you private. Encapsulation alone hides nothing, though: without the encryption described below, anyone on the path could open the outer packet and read the inner one, including where it’s going.
An easy and widely used metaphor for encapsulation is mail. The data packet is a letter which, we’d hope, you wouldn’t send by itself. You’d put it in an envelope to hide the contents from the mail carrier. The envelope, in this case, is the outer packet a VPN wraps around your original one.
The VPN provider runs remote access servers that your computer connects to. Client software on your machine presents your credentials, establishes the tunnel and then routes all of your traffic through it, not just the browser’s. Once it’s up, everything you do online appears to come from the remote server rather than your machine.
Tunneling is the first layer of security and the basic function of a VPN. However, there are further protection measures.
Encryption
VPNs encrypt the data packets you send through the tunnel, and this is what actually gives you confidentiality. Your data is encrypted locally, carried through the tunnel to the remote server and decrypted there before being sent on.
The best VPN providers, such as ExpressVPN (read our ExpressVPN review), use 256-bit AES encryption. It’s the industry-standard cipher, and brute-forcing a 256-bit key is out of reach: there are 2^256, about 1.16 x 10^77, possible keys. In practice the weak point is never the cipher itself but how keys are negotiated, how the server is authenticated and whether the client leaks traffic around the tunnel.
The VPN’s encryption covers only the leg between you and the server, because only the server has the key. Once the server forwards your traffic to the website, the VPN’s layer is gone and what remains is whatever the application itself did: an HTTPS connection is still encrypted end to end with the website, while plain HTTP is readable by the provider and by anyone between it and the site.
By that point, though, the packets carry the VPN server’s IP address rather than yours, which is what hides your location. It doesn’t make you invisible: cookies, accounts you log into and browser fingerprints can still identify you.
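To make the envelope metaphor concrete, here is an added example (our own illustration, not code from any VPN client) that builds a packet to a website, wraps it in an outer packet addressed to a VPN server, and shows what an observer on the path can read with and without encryption. It is standard-library Python; the cipher is a counter-mode keystream from HMAC-SHA256 with an HMAC tag, standing in for AES-256-GCM because the standard library has no AES, and every address and the HTTP request are constructed for the example.

```python
"""Added example (not from the article): how a tunnel wraps one packet in another,
and why the wrapping alone hides nothing until the inner packet is encrypted.
Stdlib only; the cipher is a counter-mode keystream from HMAC-SHA256 plus an
HMAC tag (encrypt-then-MAC) standing in for AES-256-GCM. All addresses are
constructed (RFC 5737 test networks), as is the HTTP request."""
import hashlib
import hmac
import os
import socket
import struct

CLIENT_IP = "192.168.1.10"     # constructed: the user's machine on the home LAN
VPN_SERVER_IP = "203.0.113.5"  # constructed: the provider's remote access server
WEBSITE_IP = "198.51.100.20"   # constructed: the site the user is actually visiting
TUNNEL_PORT = 1194             # OpenVPN's default UDP port


def ipv4_checksum(header):
    """RFC 791 one's-complement sum; a header with a correct checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet):
    """What anyone holding the packet can read from its header; raises on junk."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if f[0] != 0x45 or ipv4_checksum(packet[:20]) != 0:
        raise ValueError("not a well-formed IPv4 header")
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "payload": packet[20:f[2]]}


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + struct.pack("!Q", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """nonce || ciphertext || tag, with separate encryption and MAC keys."""
    enc_key, mac_key = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag first, then decrypt; a tampered packet is rejected."""
    enc_key, mac_key = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: packet was tampered with or key is wrong")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encapsulate(inner, key=None):
    """The envelope: an outer IPv4/UDP packet addressed to the VPN server whose
    payload is the inner packet, sealed when a key is given."""
    body = seal(key, inner) if key else inner
    udp = struct.pack("!HHHH", 49152, TUNNEL_PORT, 8 + len(body), 0) + body  # UDP checksum 0 = none
    return build_ipv4(CLIENT_IP, VPN_SERVER_IP, 17, udp)


def decapsulate(outer, key=None):
    """What the VPN server does before forwarding the inner packet to the website."""
    body = parse_ipv4(outer)["payload"][8:]
    return unseal(key, body) if key else body


def observer_view(outer):
    """An ISP or on-path snooper: the outer header is always readable; the inner
    one is too unless the tunnel payload is ciphertext."""
    o = parse_ipv4(outer)
    try:
        i = parse_ipv4(o["payload"][8:])
        inner = (i["src"], i["dst"])
    except (ValueError, struct.error):
        inner = None
    return {"outer": (o["src"], o["dst"]), "inner": inner}


def demo():
    """Returns (observer view of an unencrypted tunnel, of an encrypted one, round-trip ok)."""
    inner = build_ipv4(CLIENT_IP, WEBSITE_IP, 6, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    key = os.urandom(32)
    plain, sealed = encapsulate(inner), encapsulate(inner, key)
    return observer_view(plain), observer_view(sealed), decapsulate(sealed, key) == inner


if __name__ == "__main__":
    for label, view in zip(("unencrypted tunnel", "encrypted tunnel"), demo()[:2]):
        print(label, view)
```

Run it and the unencrypted tunnel shows the observer both the outer pair (client to VPN server) and the inner pair (client to website); the encrypted tunnel shows only the outer pair, which is exactly the ISP’s view of a properly configured VPN: it knows you talk to the provider, not to whom the provider talks on your behalf.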
AES-256 is the data-channel cipher the OpenVPN protocol uses when ExpressVPN recommends it on install; it’s a cipher, not an authentication method, and the cipher is only one part of a protocol’s security. There are a variety of VPN protocols, some faster and some more secure.
A key part of understanding VPN security is learning the common protocols VPNs use and the differences between them. An automatic connection should keep you private, but some providers default to a more secure protocol than others.
We’ve listed the protocols below, but there’s a new kid on the block called WireGuard. Read our what is Wireguard piece to find out more. ExpressVPN has also built its own lightweight protocol, Lightway, with its own privacy design; you can find out more in our ExpressVPN Lightway piece.
OpenVPN
OpenVPN is an open-source VPN protocol known for being quick and having excellent security. It uses TLS to authenticate the server and negotiate keys, the same machinery your browser uses to verify a website’s certificate, and then carries your packets over a separately keyed data channel.
It’s a go-to choice for many VPN providers because it supports nearly any operating system, has decent speeds out of the gate and supports top-notch encryption. It may not be the best protocol for every task, but it’s rarely a bad one.
OpenVPN is a great protocol for bypassing geoblocks. It’s highly configurable and can run over UDP or TCP on any port; on TCP port 443 it blends in with ordinary HTTPS, so you can get through most network restrictions and firewalls without a hitch.
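Because OpenVPN is so configurable, a weak profile is as easy to write as a strong one. As an added example (ours, not a profile from ExpressVPN or any other provider), here is what a hardened OpenVPN 2.5 client profile looks like; the hostname, certificate name and file names are placeholders, and the comments note the legacy settings each line replaces.

```conf
# Added example: hardened OpenVPN 2.5+ client profile. vpn.example.com, the
# certificate name and the file names are placeholders, not any provider's values.
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

# Trust only the provider's CA, and insist the peer presents a server certificate
# with the name we expect. Without these two lines any certificate signed by the
# same CA (for instance another customer's client cert) could impersonate the server.
ca ca.crt
remote-cert-tls server
verify-x509-name vpn.example.com name

# Client identity. tls-crypt encrypts and authenticates the control channel too,
# so the handshake itself is not readable or replayable by an on-path observer.
cert client.crt
key client.key
tls-crypt ta.key

# Data channel: AEAD ciphers only. Profiles that still say "cipher BF-CBC" or
# "cipher AES-256-CBC" with "auth SHA1" should be replaced by these lines.
data-ciphers AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA256

# Control channel: refuse TLS 1.0/1.1 and non-forward-secret suites.
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

# Windows only (other platforms ignore it): stop the OS sending DNS queries to
# resolvers outside the tunnel, i.e. the DNS leak discussed later on this page.
block-outside-dns
verb 3
```

The two lines most often missing from provider-supplied profiles are remote-cert-tls and verify-x509-name; without them the client checks that the server’s certificate chains to the CA but not that it is actually a server certificate for the host you meant to reach.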
SSTP
SSTP, or Secure Socket Tunneling Protocol, was developed by Microsoft and is built into Windows; third-party clients exist for other systems, but it’s primarily a Windows protocol. Even so, it’s one of the more secure VPN protocols available, sitting alongside OpenVPN.
The two are similar. SSTP transfers data through an SSL/TLS channel, hence the name, over TCP port 443, so it’s unlikely to be blocked by a firewall.
The downside, compared to OpenVPN, is that it’s proprietary and not open source, so it hasn’t had the same independent scrutiny. If you’re a Windows user there’s no harm in trying it; you should get a similar level of protection to OpenVPN.
PPTP
The Point-to-Point Tunneling Protocol is the oldest VPN protocol still in use. It was developed by Microsoft and has major, well-documented security vulnerabilities, yet it still shows up in provider apps.
PPTP is old and, like most older technology, simple by today’s standards. That makes it very fast and cheap to run, which is why it lingers for high-throughput tasks and on older machines with underpowered hardware. The speed is bought with the security, though.
Authentication is usually MS-CHAPv2, which has been thoroughly broken: the challenge-response can be reduced to a single DES key search, and because PPTP’s MPPE encryption keys are derived from the same credentials, anyone who captures the session can recover them and decrypt the traffic. Treat PPTP as no more private than an unencrypted connection. It’s only acceptable for tasks where security is irrelevant, such as streaming Netflix (depending on the country you live in, of course).
With how Netflix handles VPNs, though, we wouldn’t hold our breath that you can actually access it using PPTP (read our best VPN for Netflix piece for help getting access).
L2TP/IPsec
This “protocol” is actually two protocols commonly used together. L2TP, or Layer 2 Tunneling Protocol, was introduced in 1999 as the successor to L2F and PPTP. It provides tunneling but no encryption of its own, so it’s paired with IPsec for a secure connection.
IPsec is a network-layer security suite that authenticates and encrypts each packet individually between the two tunnel endpoints. Used together, L2TP/IPsec is much more secure than PPTP while keeping some of its speed advantage. Because every packet is encapsulated twice (L2TP inside IPsec), it’s still slower than OpenVPN.
The pair also has trouble with firewalls. It needs UDP port 500 (and UDP 4500 behind NAT) for the IPsec key exchange and then the ESP protocol for the data, and plenty of firewalls block those; unlike OpenVPN or SSTP, it can’t retreat to TCP port 443.
IKEv2/IPsec
Internet Key Exchange version 2 isn’t a tunneling protocol by itself, but many VPN applications list it as one. IKEv2 is the protocol that authenticates the peers and negotiates keys for IPsec, which then carries the traffic directly; there’s no L2TP layer involved, so the combination is leaner than L2TP/IPsec and uses modern ciphers throughout.
It supports AES-256, and clients are built into most operating systems, including iOS and Windows. It has a long track record of reliable connections and, thanks to its MOBIKE extension, reconnects very quickly when you change networks or drop from the server.
It’s a close second to OpenVPN and you can use either if one is causing issues. It’s faster and more secure than PPTP, building on IPsec for a “protocol” that’s close to, but not as good as, OpenVPN.
VPN Log Handling
All of the effort a VPN provider goes through would be in vain if there were still logs of your activity. You’d simply be moving them from one company to another. Good VPN providers put you behind shared IP addresses at their servers and don’t log what you do through them.
NordVPN is the most secure option we’ve found in our VPN testing. It keeps a strict no-logs policy, meaning that even if a government agency asked, NordVPN would have nothing to hand over (much like ExpressVPN’s no-logs policy). A no-logs claim is only as good as the independent audits and court cases that have tested it, so look for both before taking a provider’s word for it.
NordVPN also uses best-in-class security with AES-256 encryption on all connections and support for OpenVPN, PPTP, L2TP/IPsec and IKEv2/IPsec. NordVPN uses a few double-hop servers for an extra layer of protection. These servers are a big reason why it’s a pick on our best VPN for China list. You can read more about it in our NordVPN review.
Kill Switches & DNS Leaks
There are two other important parts of VPN security that wouldn’t fit neatly into any other sections: leaks and kill switches.
Starting with the simpler of the two, a kill switch is a feature that automatically blocks all internet traffic the moment your connection to the remote server drops, so nothing slips out over your ordinary connection while the client reconnects. That way, you won’t get caught with your pants down.
A lot of VPN providers offer a kill switch, but some of the more mediocre options on the market do not. PIA, AirVPN, IPVanish and ExpressVPN are just a few of the many providers that offer a kill switch. Read our PIA, AirVPN and IPVanish reviews to learn more about these providers.
Leaks are a serious problem when using a VPN. The two main leaks you’ll encounter are IP leaks and DNS leaks. An IP leak is when you’re connected to the VPN but websites can still see your real IP address, and therefore your location.
In most cases, IP leaks in the browser are caused by WebRTC, which can discover your real addresses and hand them to a website outside the tunnel. VPN browser extensions should disable WebRTC when you enable them, but you can also disable it yourself through browser settings or another extension.
DNS leaks are when your traffic goes through the tunnel but your DNS lookups don’t. DNS, the domain name system, is what turns the name you type into the IP address your machine connects to, so whoever answers your DNS queries sees every site you visit.
When you connect to a VPN, those lookups should go through the tunnel to the provider’s resolver. In some cases, though, the operating system or browser sends them straight to your ISP’s resolver over your regular connection. That’s a DNS leak, and it undoes much of the privacy the tunnel gives you.
We test for IP and DNS leaks in each of our VPN reviews, so you can read through those to see which providers make the cut and which fall behind. There are a few ways to check yourself, though. You can spot an IP leak by looking up your public IP address before and after connecting and seeing whether it’s changed, and check your DNS by using dnsleaktest.com or ipleak.org.
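The kill switch and the leak checks above come down to one rule: nothing leaves the machine except through the tunnel or to the VPN server itself. Here is an added example (ours, not any provider’s client code) that writes that rule as an explicit egress policy, runs it over a handful of constructed flows including the DNS and WebRTC leaks just described, and renders the same policy as an nftables ruleset you could load with nft -f. The interface names, server address, port and resolver address are placeholders.

```python
"""Added example (not from the article): a kill switch as an explicit egress
policy, checked against constructed flows and rendered as the equivalent
nftables ruleset. Interface names, the VPN endpoint and the resolver are
placeholders, not any provider's real values."""
from dataclasses import dataclass
import ipaddress

TUN_IFACE = "tun0"                                # the VPN client's tunnel interface
PHYS_IFACE = "eth0"                               # the physical uplink to the ISP
VPN_SERVER = ipaddress.ip_address("203.0.113.5")  # constructed remote access server
VPN_PORT = 1194                                   # OpenVPN default UDP port
VPN_DNS = ipaddress.ip_address("10.8.0.1")        # constructed resolver reachable only inside the tunnel


@dataclass(frozen=True)
class Flow:
    iface: str    # interface the packet would leave on
    dst: str      # destination address
    proto: str    # "udp" or "tcp"
    dport: int


def allowed(flow):
    """Default-deny egress: nothing may leave except loopback, traffic inside
    the tunnel, and the tunnel's own outer packets to the VPN server."""
    dst = ipaddress.ip_address(flow.dst)
    if flow.iface == "lo":
        return True
    if flow.iface == TUN_IFACE:
        # Inside the tunnel anything goes, except DNS to a resolver other than
        # the VPN's own, which would reveal every domain you look up.
        return flow.dport != 53 or dst == VPN_DNS
    return (flow.iface == PHYS_IFACE and flow.proto == "udp"
            and dst == VPN_SERVER and flow.dport == VPN_PORT)


def classify(flow):
    """Verdict plus, for drops, which kind of leak the kill switch just prevented."""
    if allowed(flow):
        return "allow"
    return "drop: DNS leak" if flow.dport == 53 else "drop: IP leak"


# Constructed flows: the first three are what a working tunnel looks like; the
# rest are the leaks the text describes and what a kill switch must stop.
SAMPLE_FLOWS = [
    Flow("tun0", "198.51.100.20", "tcp", 443),   # HTTPS to a website through the tunnel
    Flow("tun0", "10.8.0.1", "udp", 53),         # DNS to the VPN's resolver
    Flow("eth0", "203.0.113.5", "udp", 1194),    # the tunnel's own encrypted outer packets
    Flow("eth0", "192.0.2.53", "udp", 53),       # DNS query to the ISP resolver, outside the tunnel
    Flow("eth0", "198.51.100.20", "tcp", 443),   # tunnel dropped, the app reconnects over the raw link
    Flow("eth0", "192.0.2.100", "udp", 3478),    # STUN request bypassing the tunnel (WebRTC IP leak)
]


def audit(flows=SAMPLE_FLOWS):
    """Map each flow to its verdict."""
    return {f: classify(f) for f in flows}


def nft_ruleset():
    """The same policy as allowed(), as a ruleset for `nft -f`."""
    return f"""table inet killswitch {{
  chain output {{
    type filter hook output priority 0; policy drop;
    oifname "lo" accept
    oifname "{TUN_IFACE}" udp dport 53 ip daddr != {VPN_DNS} drop
    oifname "{TUN_IFACE}" tcp dport 53 ip daddr != {VPN_DNS} drop
    oifname "{TUN_IFACE}" accept
    oifname "{PHYS_IFACE}" udp dport {VPN_PORT} ip daddr {VPN_SERVER} accept
  }}
}}
"""


if __name__ == "__main__":
    for flow, verdict in audit().items():
        print(f"{flow.iface:5} {flow.dst:15} {flow.proto}/{flow.dport:<5} {verdict}")
    print(nft_ruleset())
```

Two practical caveats when you load a ruleset like this for real: the VPN profile must name the server by IP address (or you must add a rule allowing DNS to one specific bootstrap resolver), because with the switch up the client can no longer resolve the server’s hostname; and if the machine gets its address by DHCP you need an extra accept for UDP port 67 on the physical interface, or the lease will eventually expire. Also note that the ruleset stops the leak at the firewall but doesn’t fix its cause; the WebRTC and resolver settings described above still need attention.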
The foremost concern when using a VPN is trust. The provider can see everything your ISP (or a government entity) normally would, so you’re moving that trust from one company to another and should be confident in the provider before you check out.
Beyond trust, industry-standard protocols and encryption are what keep anyone lurking outside your virtual tunnel from reading what’s inside it.
Are you using a VPN? If so, which one? Let us know in the comments below and, as always, thanks for reading.