How we tested
We put the VPNs we review through a series of hands-on stress tests for a few weeks at a time. For my latest round of testing, I had ExpressVPN running for two weeks while I browsed, participated in video calls, shopped, and streamed (both domestic and international content). I performed several DNS leak tests to determine whether the VPN was actually concealing my public IP address. I also ran Ookla Speedtests to get a feel for how it affected my connection. I performed all of my testing on a Mac but will try ExpressVPN on other platforms for future updates.
The main purpose of this testing is to give potential users a general sense of how a VPN works as part of an everyday workflow (not in a lab). That said, our overall scores also hinge heavily on guidance from cybersecurity experts about the things consumers should look for in VPNs. Much of what separates the good from the bad, they told us in interviews, can be gleaned before anything is installed.
When you surf the internet freely without a VPN, you’re being tracked online constantly by multiple third parties, including your Internet Service Provider (ISP), search engines like Google, and possibly even your employer or school. Connecting to a VPN means taking your traffic away from them and putting it in the hands of one lone entity instead, conceding exclusive, unfettered access to all of your browsing data. It’s a privilege that needs to be earned, and the true caliber of a VPN ultimately comes down to whether you can wholly trust it to keep you safe.
The big issue is that the VPN industry is notorious for hyperbolic marketing, especially when it comes to privacy practices. This can “give VPN users a false sense of security if they don’t realize that the protections offered are not comprehensive,” according to a Consumer Reports investigation into 16 providers. (Many popular VPNs shout about offering “military-grade” encryption, for example, which isn’t a thing.) It’s unwise to take a provider’s claims at face value.
So how do you know for sure if a VPN is trustworthy? A single Google search can be enlightening; a good provider won’t have a long rap sheet for mishandling users’ personal data or succumbing to server breaches, and bad headlines should raise a red flag — including those about a VPN’s ownership or parent company. A swift, effective response to crises and a healthy dose of corporate accountability can offset these concerns in some cases, but we tend to place a high value on a pristine reputation.
After trustworthiness, we base our VPN reviews on a combination of the following factors (listed in no particular order):
DNS leak tests
A DNS (Domain Name System) leak test is basically a lookup of your active IP (internet protocol) address. That’s the unique number assigned to your device when it’s connected to the internet, and it identifies your general location and the name of your internet service provider. By running several DNS tests with a VPN off and on, we can determine whether it’s actually concealing our IP address. Some VPN apps have built-in DNS leak tests; otherwise, you can perform them via DNSleaktest.com.
Most premium VPNs come with similar sets of privacy tools, so we don’t encounter major provider-to-provider discrepancies in this regard. Still, it’s worth noting some of the important ones we look out for:
A kill switch will immediately disconnect your device from the internet if your VPN drops. (This one’s non-negotiable.)
Support for multi-hop connections that route your traffic through two or more of the VPN’s servers adds an extra layer of protection.
Split tunneling, a tool that sends some of your traffic through the VPN and some outside it to conserve bandwidth, can be useful for streaming and gaming.
Oftentimes, providers will also bundle their VPN with additional security features like malware/adware blockers, data breach detectors, and cloud storage. These won’t make the VPN itself any better or more successful, but they’re good to have alongside your go-to antivirus software and password manager. (If you have to choose between a reputable VPN and one that comes with a bunch of add-ons, always go with the former.)
A VPN’s protocol is the set of instructions that determines how data gets communicated between its servers and your device(s). Many VPN providers have developed proprietary protocols within the past few years, but OpenVPN remains the most popular and widely respected option: It’s stable, secure, and open-source, meaning anyone can inspect its code for vulnerabilities. WireGuard is another good pick: It’s newer than OpenVPN and similar, but supposedly faster.
A VPN protects your data by encrypting it, or scrambling it up into unreadable “ciphertext” that can only be decoded by authorized parties with access to a secret key or password. Virtually all premium VPNs use Advanced Encryption Standard (AES) 256-bit encryption, which is pretty much uncrackable to third parties.
Different use cases
The No. 1 purpose of VPNs is to make it difficult for anyone other than the provider to identify and track your online activity, but they’re also widely used as location-spoofing tools to skirt geo-restrictions on streaming services. (Platforms like Netflix limit their libraries abroad because of region-specific distribution rights.) While we don’t put a ton of weight on their ability to succeed in this secondary use case, it’s great if they do and we still test them for it.
Server network size and distribution
Picking a VPN with a large server network means there’s a lower likelihood of you sharing one with a bunch of other users, which is especially valuable for streaming (since there’s more bandwidth to go around).
Relatedly, a VPN with a geographically diverse network of servers in many different parts of the world will make it easier for you to spoof specific locations and find one close to you to optimize speeds. (More on that below.) Most premium VPNs maintain servers throughout the Americas, Europe, Asia, and Australia; few have a big presence in Africa.
Number of simultaneous connections
Most VPNs can be used on five to 10 devices per account (depending on the provider), which should be plenty for individual users. A handful of them support unlimited simultaneous connections to better serve bigger households.
Every premium provider we’ve encountered offers VPN clients for Windows, Mac, Android, and iOS at minimum, though some restrict certain features to certain platforms. Some VPNs also work on Linux, Chrome, smart TVs, and even gaming consoles (via router or hotspot).
The speed of a VPN depends on a lot of different variables, but it will almost always be slower than your regular internet connection, so it’s not a huge factor in our final ratings. That said, we try to get an idea of how well a VPN performs by using it for a lengthy period of time and running it through some quick Ookla Speedtests. If a VPN is noticeably sluggish to the point where it affects usability, we’ll call it out.
A general rule of thumb for any given VPN is that your speeds will be fastest when you’re connected to a server geographically close to your actual location.
Customer support options
Users should have access to some kind of help around the clock in case an issue arises with their VPN connection or account, whether it’s by phone, email, or live chat. (Online help forums and tutorials are nice, but not enough on their own.) We also give preference to VPNs that offer some kind of money-back guarantee; in most cases, it’s 30 days long.
Premium VPN providers typically charge anywhere from $2 to $12 per month for access to their clients, depending on the subscription length. It’s easier to justify the higher end of that spectrum if it gets you a reliable and responsible VPN with some useful extra security features.
Overall ease of use
Some VPNs are more intuitive and beginner-friendly than others.
It’s important to note that many popular VPN providers posit their jurisdiction, or the location of their headquarters, as something that can have serious privacy implications based on local surveillance laws (such as the Five, Nine, and 14 Eyes alliances). Without getting too far into the weeds, the experts we spoke to said the average consumer shouldn’t put much stock in these claims, and that authorities will get access to user data one way or another if the need is great enough. What’s more concerning, they added — to bring things full circle — is whether any data is being retained by a VPN provider in the first place.
Finally, we generally don’t recommend using any free VPNs. Such providers often sneakily log and sell user data, and sometimes even bundle their clients with malware. (If they’re not making money off subscriptions, they have to get paid somehow — it’s a classic “no free lunch” situation.) The best way to get a VPN “for free” without putting yourself at risk is by signing up for a paid plan through a reputable provider, then making use of its money-back guarantee.
Note: Ookla is owned by Mashable’s publisher, Ziff Davis.