How we tested
Mashable’s VPN reviews involve hands-on testing, which I’ll describe in more detail shortly, but they also hinge heavily on guidance from cybersecurity experts. When it comes to the types of things consumers should look for in VPN services, they told me in separate interviews, much of what separates the good from the bad can be gleaned before anything is installed. These experts include:
What the experts said
When you surf the internet freely without a VPN, you’re being tracked online constantly by multiple third parties, including your Internet Service Provider (ISP), search engines like Google, and possibly even your employer or school. Connecting to a VPN means taking your traffic away from them and putting it in the hands of one lone entity instead, conceding exclusive, unfettered access to all of your browsing data. It’s a privilege that needs to be earned, and the true caliber of a VPN ultimately comes down to whether you can wholly believe it’s keeping you safe.
Unfortunately, the VPN industry is notorious for hyperbolic marketing, especially when it comes to privacy practices. This can “give VPN users a false sense of security if they don’t realize that the protections offered are not comprehensive,” according to a Consumer Reports investigation into 16 providers. (Many popular VPNs shout about offering “military-grade” encryption, for example, which isn’t a thing.) It’s unwise to take a provider’s “trust me bro!” claims at face value.
So how do you know for sure if a VPN is trustworthy? A single Google search can be enlightening: A good provider won’t have a long rap sheet for mishandling users’ personal data or succumbing to server breaches, and bad headlines should raise a red flag — including those about a VPN’s ownership or parent company. A swift, effective response to crises and a healthy dose of corporate accountability can offset these concerns in some cases, but I also place a high value on a pristine reputation.
The best VPN services should also be willing to open themselves up to scrutiny. Bragging about a strong “no logs” privacy policy that specifies how users’ personal information gets protected is one thing. But subjecting that no-log policy to independent audits — and making the results public — provides a much higher level of assurance.
The most trustworthy VPNs will also issue regular transparency reports disclosing any requests for data they’ve received from government or law enforcement agencies. (These requests won’t yield anything if a provider’s privacy policy holds up.) Some go the extra mile by offering in-house bug bounty programs to researchers who comb their software and servers for vulnerabilities.
Tests we run on VPNs
After assessing their company policies, histories, and overall reliability, I test VPNs hands-on on mobile and desktop. (I’ve tested TunnelBear on an Apple MacBook Pro running macOS Monterey, an HP Elite x360 1040 G11 running Windows 11, and an iPhone 11 with iOS 16.6.1.) I keep the VPN connected for approximately four to eight hours at a time to get a general sense of the user experience as part of the average person’s everyday workflow. I also put each VPN through a handful of performance benchmarks:
DNS leak tests
Often described as “the internet’s phone book,” the DNS (Domain Name System) is basically a back-end directory that translates website domain names into computer-speak, aka internet protocol (IP) addresses. An IP address is a unique number that’s assigned to a device when it’s connected to the internet; it identifies the device’s general location and the name of the ISP.
Without making things overly complicated (bear with me): When you search for a website, your browser sends a query to one of your ISP’s DNS servers to track down its matching IP address(es) so it can send you to that page. Without the DNS, you’d have to type out a long string of numbers every time you wanted to visit a website. For example, instead of “Mashable.com,” you’d enter “104.18.33.218” or “172.64.154.38” into your search bar.
A VPN is supposed to reroute your DNS queries to its own DNS servers while you’re connected to it — that way, your ISP (and possibly other snoops) can’t see where you are or what sites you’re looking up. If the VPN is faulty, it may continue to send DNS queries to the ISP’s DNS servers, putting your security at risk. That’s the gist of a DNS leak.
Some VPN apps have built-in DNS leak tests that tell you if your connection is secure and whether your real IP address is being hidden. Otherwise, you can perform them via DNSleaktest.com. When I try a VPN, I run its standard test twice: once with the VPN off, and once with it connected.
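The two-run comparison described above can be scripted. This is an added example, not Mashable's test tooling; the result format (a public IP plus the resolver IP and owner pairs a leak-test page reports), the function names and every sample address are assumptions constructed for illustration.

```python
import ipaddress

def network_key(ip):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) block, because an
    ISP's resolver pool usually spans several addresses in one block."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def compare_runs(vpn_off, vpn_on):
    """Compare a leak test taken with the VPN off (baseline) against one taken
    with it connected. Each run: {"public_ip": str, "resolvers": [(ip, owner)]}."""
    baseline_nets = {network_key(ip) for ip, _ in vpn_off["resolvers"]}
    baseline_owners = {owner.lower() for _, owner in vpn_off["resolvers"]}
    # A resolver seen while connected leaks if it sits in a baseline block or
    # is run by the baseline owner (normally the ISP).
    leaked = [
        (ip, owner) for ip, owner in vpn_on["resolvers"]
        if network_key(ip) in baseline_nets or owner.lower() in baseline_owners
    ]
    off_ip = ipaddress.ip_address(vpn_off["public_ip"])
    on_ip = ipaddress.ip_address(vpn_on["public_ip"])
    return {
        "ip_hidden": off_ip != on_ip,   # real public IP no longer visible
        "leaked_resolvers": leaked,
        "dns_leak": bool(leaked),
    }

# Constructed sample results (documentation address ranges, not real servers).
VPN_OFF = {"public_ip": "203.0.113.45",
           "resolvers": [("203.0.113.10", "Example ISP"),
                         ("2001:db8:1::35", "Example ISP")]}
VPN_ON_CLEAN = {"public_ip": "198.51.100.7",
                "resolvers": [("198.51.100.53", "Example VPN")]}
# The IPv4 queries go through the tunnel, but IPv6 queries still reach the ISP.
VPN_ON_LEAKY = {"public_ip": "198.51.100.7",
                "resolvers": [("198.51.100.53", "Example VPN"),
                              ("2001:db8:1::53", "Example ISP")]}

if __name__ == "__main__":
    for name, run in (("clean", VPN_ON_CLEAN), ("leaky", VPN_ON_LEAKY)):
        print(name, compare_runs(VPN_OFF, run))
```

If you already use a third-party resolver with the VPN off and the VPN uses the same one, the owner match will flag it, so read the baseline run before trusting the verdict.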
Trying different use cases
The No. 1 purpose of VPNs is to make it difficult for anyone other than the provider to identify and track your online activity, so every VPN I recommend must do that well — no exceptions. However, VPNs are also widely used to spoof user locations and skirt geo-restrictions on content, especially overseas streaming libraries. (Services like Netflix limit their libraries abroad because of region-specific distribution rights.)
While a VPN will never be disqualified simply because it can’t get users access to geo-blocked content, it’s a plus if it succeeds, so I still test for it. I do so by connecting to one of the VPN’s UK servers from my home in Chicago and running a DNS leak test to see if my IP address changes accordingly, then attempting to watch Love Island UK on the UK streaming service ITVX.
Speed tests
The connection speed of a VPN depends on a lot of different variables, but it will almost always be slower than your regular internet connection, so it’s not a huge factor in my final recs. That said, I try to get an idea of how well a VPN performs by using it for a lengthy period of time and running it through some Ookla Speedtests on Google Chrome. (I do three of them back-to-back: one with the VPN off, one with the VPN connected to a local server, and one with the VPN connected to a UK server, if possible. Some providers don’t let their free users pick specific server locations, and when that’s the case, I’ll use any European server I can get on.) If a VPN is noticeably sluggish to the point where it affects usability, I’ll call it out.
A general rule of thumb for any VPN is that your connection speeds will be fastest when you’re connected to a server that’s geographically close to your actual location.
Other important details
I also take the following factors into account as I use a VPN and decide whether to recommend it, listed in no particular order:
Included features
Most premium VPNs come with similar privacy tools, so I don’t encounter major provider-to-provider discrepancies in this regard. Still, it’s worth noting some of the important ones I look out for:
- A kill switch will immediately disconnect your device from the internet if your VPN drops. (This one’s non-negotiable.)
- Support for multi-hop connections that route your traffic through two or more of the VPN’s servers. This adds an extra layer of protection.
- Split tunneling, a tool that sends some of your traffic through the VPN and some outside it to conserve bandwidth, can be useful for streaming and gaming.
Oftentimes, providers will also bundle their VPN with additional security features like malware/adware blockers, data breach detectors, and cloud storage. These won’t make the VPN itself any better, but they’re good to have alongside your go-to antivirus software and password manager. (If you have to choose between a reputable VPN or one that comes with a bunch of add-ons, always go with the former.)
Protocol type
A VPN’s protocol is the set of instructions that determines how data gets communicated between its servers and your devices. Many VPN providers have developed proprietary protocols within the past few years, but OpenVPN remains the most popular and widely respected option: It’s stable, secure, and open-source, meaning anyone can inspect its code for vulnerabilities. WireGuard is another good pick that’s newer than OpenVPN and supposedly faster.
Encryption type
A VPN protects your data by encrypting it, or scrambling it up into unreadable “ciphertext” that can only be decoded with a secret key or password. Virtually all premium VPNs use 256-bit Advanced Encryption Standard (AES) encryption, which is pretty much uncrackable to third parties.
Server network size and distribution
Picking a VPN with a large server network means there’s a lower likelihood of you sharing one with a bunch of other users, which is especially valuable for streaming (since there’s more bandwidth to go around).
Relatedly, a VPN with a geographically diverse network of servers in many different parts of the world will make it easier for you to spoof specific locations and find one close to you to optimize connection speeds. Most premium VPNs maintain servers throughout the Americas, Europe, Asia, and Australia; few have a big presence in Africa.
Number of simultaneous connections
Most VPNs can be used on five to 10 devices per account (depending on the provider), which should be plenty for individual users. A handful of them support unlimited simultaneous connections to better serve bigger households.
Customer support options
Users should have access to some kind of help around the clock in case an issue arises with their VPN connection or account, whether it’s by phone, email, or live chat. (Online help forums and tutorials are nice, but not enough on their own.) I also give preference to VPNs that offer some kind of money-back guarantee; in most cases, it’s 30 days long.
Overall value
Premium VPN providers typically charge anywhere from $2 to $12 per month for access to their clients, depending on the subscription length. It’s easier to justify the higher end of that spectrum if it gets you a reliable and responsible VPN with some useful security features.
Ease of use
Some VPNs are more intuitive and beginner-friendly than others.
It’s important to note that many popular VPN providers posit their jurisdiction, or the location of their headquarters, as something that can have serious privacy implications based on local surveillance laws (such as the Five, Nine, and 14 Eyes alliances). Without getting too in the weeds, the experts I spoke to said the average consumer shouldn’t put a big stake in these claims, and that authorities will get access to user data one way or another if the need is great enough. What’s more concerning, they added — to bring things full circle — is whether any data is being retained by a VPN provider in the first place.
If anything, users might be better off choosing a VPN headquartered in a country with strong consumer protections against deceptive marketing (like the U.S. and many countries in the European Union). These could come in handy if a provider’s privacy policy was ever questioned.
Note: Ookla is owned by Mashable’s publisher, Ziff Davis.