How VPN Security Works – The Definitive Guide

VPNs are a great way to improve computer security and online privacy. The concept of how a VPN (Virtual Private Network) works is pretty simple.

How VPN Works

VPNs are basically third-party computer servers that keep your online activities hidden from businesses and governments by acting as an intermediary between your computer and the sites you visit. They also encrypt your data to add an additional layer of anonymity.

VPNs can be used to:

  • Trick geolocation and beat geoblocks
  • Browse the Internet without prying eyes
  • Unblock censored websites
  • Protect your devices on public wifi
  • Transfer sensitive information securely

Although the idea of a VPN is easy to understand, how VPN security works is a more complex topic.

In this comprehensive VPN Security Guide (just over 9,000 words), we’ll do our best to make VPN security simple.

In the process, we’ll answer all of your VPN security questions.


  • How Do VPNs Secure My Data Online?
  • Which VPN Protocol Is the Most Secure?
  • What Level of Encryption Do I Need?
  • Will a VPN Make Me Anonymous Online?
  • Can I Trust a VPN to Keep my Data Private?
  • What Should I Know About VPN Companies?
  • What Security Features Do I Need?
  • Which VPN Provides the Highest Security?

But before we get to all of that, let’s sort through some of the jargon.

VPN Security Basics

You don’t have to understand precisely how a VPN works to secure your online activity.

However, a baseline understanding of the concepts involved is essential to choose the right options for you. You first need to be able to identify VPNs that meet your security needs. But you also need to avoid some common mistakes. If you do the wrong things, a VPN may not protect you.

VPNs secure your data in two main ways:

  1. Tunneling: Creates a connection to a VPN server.
  2. Encryption: Scrambles the data that passes through that connection.

Some online snoops may be able to see the connection between your IP and that of your VPN, but they will not be able to see what passes through it.

How Does a VPN Work? (Made Easy)

A simple analogy:

Imagine data sent between your device and other places online to be mail. Your Internet service provider is the mailman, and he doesn’t use envelopes. He likes to read your mail and watch where it goes. He allows others to see, too.

VPN tunneling is like an envelope addressed to a mail forwarding center. Snoops can see mail traveling between you and the mail forwarding center. But it is harder to see inside. VPN encryption is like upgrading the envelope to a locked box that only you and the VPN provider have a key to.

In order to see inside, snoops must break the box, obtain the key, or infiltrate the mail forwarding center. The best VPN companies use unbreakable boxes, keep your keys safe, and don’t keep records of who you trade mail with.

How to Choose a Secure VPN

Understanding the terms used by VPN companies is an important first step.

But there is a lot more you should know if security is the main reason you need a VPN. Not all VPNs are created equal. Some take the strength of their locks to an extreme. Others might do a better job disposing of your records.

“VPN security” can mean several things.

As such, educated VPN shoppers look at several things:

  • Encryption
  • Anonymity & Privacy
  • Company Values
  • Security-Specific Features
  • Other Security Concerns

If security is your number one priority, these criteria provide a good starting point.

Let’s dive deeper into them now.


Strong encryption is probably the most critical factor in VPN security.

In case you didn’t know: Encryption turns information into code in an attempt to prevent unauthorized access. VPN encryption is performed by complex cryptographic algorithms, called ciphers.

These algorithms are basically just complex formulas containing variables. Your original data is transformed based on one of these ciphers. To read that data, it must be transformed back to its original form.

Ciphers contain a mystery variable, called a key. These unique keys adjust the final output of the cipher.

Therefore, you need this unique key to accurately decrypt data previously encrypted with that algorithm. Without the correct key, a hacker must try to “crack” the cipher. Keys come in different lengths, expressed in bits.

Generally, increasing key length makes ciphers harder to crack.

There are a variety of ciphers used in VPN technology. Probably the most important to understand is AES-256. AES represents the Advanced Encryption Standard cipher with a key 256 bits in length.

From here on, this section gets somewhat technical. If you’d prefer to just take our word for it, ExpressVPN clients currently offer the strongest encryption available.

“Military Grade” AES-256

256-bit AES encryption is currently considered the “gold standard” in the VPN industry.

There is a good reason for that. It’s touted as “military-grade” by VPN marketing departments. That’s because it’s used by the U.S. government to protect “secure” data. It’s also used by financial institutions for the same purpose.

Unfortunately, the promise of 256-bit AES isn’t enough to guarantee that your data is safe. All too often, VPN companies don’t maintain this high encryption standard everywhere they should. This may be in part to increase connection speeds, but it means less security. Plus, AES-256 encryption is only one piece of the puzzle.

Control Channel vs. Data Channel

Control channel encryption protects your connection to the VPN server. Data channel encryption protects your data.

The complexity of VPN technology leaves several potential points of failure. Your connection and your data are encrypted separately. Maximum security means AES-256 on both channels. Some companies only include it on the control channel, with a much weaker cipher on the data channel.

To a degree, control channel encryption must be broken to access the data channel. At least, control channel breaches and data channel breaches give snoops access to different things. But any network security chain is only as strong as its weakest link. The best hackers only need one loose thread to unravel your whole setup.

HMAC SHA Authentication

Cryptographic authentication is a way to verify the identities of connected parties.

A cryptographic hash function is used to create a unique fingerprint corresponding to your VPN server. Your VPN client uses this fingerprint to validate that you are connected to that server.

This is the same process used by your browser to make sure it is connected to the right site via HTTPS. In fact, OpenVPN uses parts of the same TLS/SSL authentication suite that HTTPS websites do. Other VPN protocols use different suites, but they all provide HMAC Secure Hash Algorithm (SHA) support. You might see HMAC SHA-1, HMAC SHA-2 (SHA-256, SHA-384, or SHA-512), or HMAC SHA-3. This list is ordered from weakest to strongest, but they are all currently considered secure.

Handshakes & Perfect Forward Secrecy

Control channel encryption requires an extra step to establish the keys needed to encrypt your data.

The most secure keys are created through a TLS “handshake.” During this interaction, your device and the VPN decide on the key that will be used for that session.

For VPNs, perfect forward secrecy is also essential. This means that a new key is established for every session.

Some VPNs even switch keys every 60 minutes of continuous use as well. This limits the time hackers have to crack your private key.

The handshake itself must also be secured. Otherwise, hackers may be able to see the key being created or impersonate your VPN server.

The most secure handshakes use RSA-4096 keys, though RSA-2048 is still considered safe. A DH key exchange provides perfect forward secrecy. Alternatively, both the handshake and perfect forward secrecy may be provided by an ECDH-384 key or higher.


OpenVPN is an open-source VPN protocol made up of a variety of other technologies, including OpenSSL and TLS.

OpenVPN is currently considered the most secure VPN technology in the industry. Also called TLS OpenVPN, it relies on the OpenSSL library, which provides the best VPN encryption options available.

It also has a lot of configuration options and provides stable connections. Most VPN clients allow you to switch quickly between UDP and TCP OpenVPN connections.

UDP is faster. TCP is more stable.

TCP also runs over port 443, making it easier to beat censorship and evade VPN blocks. Unlike other tunneling protocols that have native support on various operating systems, OpenVPN requires third-party software.

Considering most users access VPNs through apps, that’s not a problem. Today, all of the top VPN companies offer OpenVPN applications—though not necessarily for all devices. This is an important point to consider. We will return to it later.
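The settings from the encryption, HMAC and handshake sections above map onto directives in an OpenVPN client profile. The audit below is an added example, not code from the original guide or from any VPN provider; both profiles and the hostname `vpn.example.net` are constructed, and the thresholds are this guide's recommendations.

```python
MAX_RENEG_SECONDS = 3600  # key rotation every 60 minutes, as described above

# Constructed sample profiles (not taken from any real provider).
WEAK_PROFILE = """
client
dev tun
proto udp
remote vpn.example.net 1194
cipher AES-128-CBC
auth SHA1
tls-cipher TLS-RSA-WITH-AES-256-CBC-SHA
reneg-sec 0
"""

HARDENED_PROFILE = """
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
data-ciphers AES-256-GCM
auth SHA256
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
reneg-sec 3600
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""


def parse_profile(text):
    """Return {directive: [args]}; comments and inline <ca>/<key> blocks are skipped."""
    directives, in_inline_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("</"):        # end of an inline block
            in_inline_block = False
            continue
        if line.startswith("<"):         # start of an inline block
            in_inline_block = True
            continue
        if in_inline_block or not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def audit(text):
    """Return a list of (severity, directive, message) findings for a client profile."""
    d = parse_profile(text)
    findings = []

    # Data channel: every cipher the client will accept should be AES-256.
    source = "data-ciphers" if "data-ciphers" in d else "cipher"
    if source in d:
        for c in ":".join(d[source]).split(":"):
            if not c.upper().startswith("AES-256-"):
                findings.append(("FAIL", source, f"data channel accepts '{c}', not AES-256"))
    else:
        findings.append(("WARN", "cipher", "no data-channel cipher pinned; the negotiated default applies"))

    # Packet authentication: OpenVPN's --auth digest defaults to SHA1 when unset.
    digest = (d.get("auth") or ["SHA1"])[0].upper()
    if digest in ("NONE", "MD5"):
        findings.append(("FAIL", "auth", f"HMAC digest {digest} is below the SHA family listed above"))
    elif digest == "SHA1":
        findings.append(("WARN", "auth", "HMAC SHA-1 is the weakest digest listed; prefer SHA256 or better"))

    # Control channel: AES-256 plus an ephemeral (EC)DHE exchange for forward secrecy.
    for suite in ":".join(d.get("tls-cipher", [])).split(":"):
        s = suite.upper()
        if s and "AES-256" not in s:
            findings.append(("FAIL", "tls-cipher", f"{suite}: control channel is not AES-256"))
        if s and "DHE" not in s:         # matches both DHE and ECDHE
            findings.append(("FAIL", "tls-cipher", f"{suite}: no ephemeral key exchange, so no forward secrecy"))

    # Session key lifetime: 0 disables renegotiation entirely.
    reneg = int((d.get("reneg-sec") or [str(MAX_RENEG_SECONDS)])[0])
    if reneg == 0 or reneg > MAX_RENEG_SECONDS:
        findings.append(("WARN", "reneg-sec", f"session keys are rotated every {reneg}s (0 = never)"))

    # Server impersonation: require the peer certificate to be a server certificate.
    if d.get("remote-cert-tls") != ["server"]:
        findings.append(("FAIL", "remote-cert-tls", "peer certificate is not required to be a server certificate"))
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit(profile) or "no findings")
```

With an AEAD cipher such as AES-256-GCM the data channel is authenticated by the cipher itself, so the `auth` digest then matters mainly for `tls-auth` protection of the control channel.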


Internet Key Exchange version 2 and the IPSec authentication suite are a popular tunnel/encryption pair.

IKEv2 is natively supported on Windows 7 and up, iOS, and Blackberry.

It has several advantages for mobile users who regularly switch between wifi hotspots. It is highly resistant to changing networks and automatically reconnects when Internet connections return.

It is often used for iOS VPN apps especially because Apple has additional requirements to develop with OpenVPN. Even as more of the industry makes the extra investment to do so, IKEv2/IPsec will continue to have its place.

Less security-focused users will enjoy a better mobile experience. Still, IPsec provides a robust encryption suite. Therefore, open-source versions of IKEv2/IPSec using AES can be considered secure.


Layer 2 Tunneling Protocol is supported on most major operating systems. It is also paired with IPsec for authentication.

L2TP/IPsec may be faster than OpenVPN in some circumstances. And there are no significant public vulnerabilities for L2TP/IPsec using AES.

However, there is some evidence that it may have been deliberately weakened during the design phase or compromised by the NSA. It also uses a limited number of ports.

This means that blocks can happen easily—whether purposely or not.

On top of that, many VPN companies offer insecure L2TP/IPsec implementations by using pre-shared keys that may be available from their websites. If not for this, and for the nefarious speculations, L2TP/IPsec might be an excellent option for many.


Secure Socket Tunneling Protocol (SSTP) offers similar advantages to OpenVPN but is a proprietary standard owned by Microsoft.

It is available on a few other operating systems but is integrated into Windows platforms. This makes it more stable and easy to use.

Like OpenVPN, it can also utilize TCP port 443 to evade censorship. But unlike OpenVPN, it is not open source.

Open source projects open their code up to public scrutiny. This allows the community to find vulnerabilities. Keeping the code behind closed doors should lower confidence in the security of SSTP, especially considering Microsoft’s reputation for cooperation with the NSA.


Point-to-Point Tunneling Protocol is a tunneling protocol with built-in support on nearly every operating system.

It has various security flaws. MS-CHAP v2 is usually used for authentication and MPPE for encryption. The total combination is inherently insecure.

Microsoft itself recommends the use of other protocols. Still, PPTP isn’t going anywhere.

Unfortunately, it is still the standard for many enterprise VPN setups. It is fast and doesn’t require any additional hardware. But it should never be used when security is a priority. The NSA cracks PPTP at will. It is also easy to block, by firewalling the GRE protocol or blocking port 1723.

Anonymity and Privacy

In theory, you can use a VPN to make your online activity private and anonymous.

In practice, VPNs must be set up a certain way to remain private and anonymous. Your identity can be revealed by logs, leaks, or even payment methods. So choose a VPN that addresses all three of these issues. Otherwise, you might forfeit your anonymity, your privacy, or both.

Anonymity is the condition of being unidentifiable. While an anonymous action can be observed, the responsible party cannot be identified. VPNs offer this out of the box, by lumping your traffic with that of the other users you share a server with. Third parties may be able to see the activity on a server, but they cannot assign any of the activity to specific people.

Privacy is the condition of being free from observation. Things done in private are generally not seen, heard, or acknowledged. VPNs boost your privacy by encrypting your data. Ideally, you would have control over all your online data. However, we unknowingly relinquish our rights to privacy every day. As a result, true online privacy can be difficult to achieve, even with the help of a VPN.

VPNs that genuinely value your anonymity and privacy emphasize all of the following areas.

Logs Policy

Data logs can endanger both anonymity and privacy.

A VPN’s logging policy is the part of their user agreement that outlines how they handle user data. You want a VPN with a strict “no logs policy.”

All VPNs need to track server stats and usability information. But their collection methods should anonymize the data. And they should generally discard it quickly. Overall, they should record as little information as possible.

Avoid VPNs that store:

  • Username Activity
  • Your IP Address
  • Places You Visit Online
  • Timestamps

Why are VPN log policies so important?

“No logs” policies ensure your activity is anonymous and private. Even if a hacker breaks in or a governmental agency pressures your VPN company, there is no information to be retrieved. Some countries require businesses to retain data on their users.

VPN companies located in such places have undesirable logs policies.

Leak Protection

Even with a VPN enabled, there are several ways your activity can be tied back to your real location.

While some of the responsibility lies with you, many VPN companies go out of their way to reduce the risk of DNS, IP, and WebRTC leaks. You can test for all kinds of leaks for free at

Such leaks are always a threat due to the ever-changing nature of online technologies. They can ultimately defeat the purpose of using a VPN, by allowing your ISP or DNS provider to see all of your online activity.

The best leak protection is perhaps a correctly configured firewall. Done right, this can block channels that may reveal your real IP address.

Some VPN clients try to address this with their own “leak protection” features. These can address some issues, but could never guarantee protection against all scenarios. If absolute privacy and anonymity are important to you, learn how to prevent leaks yourself.
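One way to check for the DNS and routing leaks described above on a Linux host, as an added example that is not from the original guide. It takes the text of `ip route` and `/etc/resolv.conf`; the sample inputs are constructed, and the `tun0` interface name and all addresses are assumptions.

```python
import ipaddress

# Documentation-range address standing in for "any site on the Internet".
PROBE = ipaddress.ip_address("198.51.100.7")

# Constructed samples. VPN up uses the two /1 routes OpenVPN's redirect-gateway def1 installs.
ROUTES_VPN_UP = """
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""
ROUTES_VPN_DOWN = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""
RESOLV_DHCP = "nameserver 192.168.1.1\nnameserver 10.8.0.1\n"   # router + VPN resolver
RESOLV_PUSHED = "nameserver 10.8.0.1\n"                         # VPN resolver only
RESOLV_STUB = "nameserver 127.0.0.53\n"                         # local caching stub


def parse_routes(ip_route_output):
    """Parse `ip route` text into (network, interface, metric) tuples."""
    routes = []
    for line in ip_route_output.strip().splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue                      # blackhole/unreachable entries have no device
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue
        dev = tok[tok.index("dev") + 1]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, dev, metric))
    return routes


def egress_interface(addr, routes):
    """Longest-prefix match, lowest metric on ties: the interface a packet to addr uses."""
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]


def nameservers(resolv_conf):
    """Return the resolver addresses listed in resolv.conf text."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(ipaddress.ip_address(parts[1]))
    return found


def check_leaks(ip_route_output, resolv_conf, tunnel="tun0"):
    """Report whether general traffic and each DNS resolver leave through the tunnel."""
    routes = parse_routes(ip_route_output)
    report = {
        "traffic_in_tunnel": egress_interface(PROBE, routes) == tunnel,
        "leaking_resolvers": [],   # queries to these bypass the tunnel
        "unverified_stubs": [],    # local stubs: their upstream must be checked separately
    }
    for ns in nameservers(resolv_conf):
        if ns.is_loopback:
            report["unverified_stubs"].append(str(ns))
        elif egress_interface(ns, routes) != tunnel:
            report["leaking_resolvers"].append(str(ns))
    return report


if __name__ == "__main__":
    print("VPN up, DHCP resolvers:", check_leaks(ROUTES_VPN_UP, RESOLV_DHCP))
    print("VPN up, pushed resolver:", check_leaks(ROUTES_VPN_UP, RESOLV_PUSHED))
    print("VPN down:", check_leaks(ROUTES_VPN_DOWN, RESOLV_PUSHED))
```

The first case shows why a connected VPN can still leak: the home router at 192.168.1.1 sits on a more specific route than the tunnel, so DNS queries sent to it never enter the tunnel.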

ExpressVPN does the best job of any provider at educating users on how to stop IP, DNS, and WebRTC leaks.


Anonymous payment options are vital for those users who don’t even want records tying themselves to a VPN company.

Debit cards, credit cards, checks, and Paypal are all out of the question for these users. Cash, gift cards, and cryptocurrency are the only three real options here.

And for these to provide true anonymity, a few extra conditions must be met. Don’t be seen making cash purchases. Don’t purchase gift cards or crypto with credit cards. And if you pay in cash, make sure you aren’t required to record any personal details.

Company Values

Company values are much more important in the VPN industry than the average user might expect.

After all, you’re trusting them to help secure your online activity. Your VPN needs to value security, anonymity, and privacy. Otherwise, don’t trust them to protect these principles.

The VPN industry has a fundamentally rebellious philosophy. Many in the space are willing to fight for your online rights. They like to make marketers and governments seem like the bad guys. But they also play on the ethical side of hacker culture.

If you’re looking for a VPN to stay ahead of government censorship and VPN bans, they better have a sturdy foundation.


Jurisdiction is the official right to take legal action. Who has authority over a VPN can make a big difference.

All companies have legal parameters. Even well-intentioned companies may crumble under intense legal pressure.

Unfortunately, VPNs operate around a lot of legal “grey area.” This makes it hard to know what the future may hold.

Many of the top VPN providers operate out of countries with little (or no) data retention laws. But that’s not true for all of them.

No one would trust VPN companies subject to a totalitarian regime like China or Syria. But many might expect U.S. or U.K.-based VPNs to be the biggest defenders of freedom.

They would be wrong.

These are the very countries most likely to require businesses to keep user data. Such western powers are also among the most likely to spy on their citizens and keep track of VPN use.

Hide My Ass!, a U.K. VPN company, has had multiple incidents where their data was used to prosecute criminals. The United Kingdom may have the harshest data retention laws in the world.

This forces Hide My Ass! to have an unfavorable logs policy. It may also force them to take action against illegal activity performed through their service.

The very fact that they have to monitor for such activity would imply that they have some knowledge of what you’re doing online. In contrast, NordVPN and ExpressVPN operate out of Panama and the British Virgin Islands, respectively. These nations have no data retention laws, meaning these companies have strict no-logs policies you can have faith in.


Perhaps trivial in any other industry, you want a VPN company with a mission.

Different VPN providers have different goals when it comes to their role in cybersecurity. Some VPNs have made it their mission to fight for truly free internet.

Some are only in it for the money. There may be some overlap between the two.

But you can learn a lot from how VPN companies market themselves. While this may not give an entirely accurate picture of their internal goals as a company, it can give you an idea of how they think.

For example, let’s look at two VPN providers: CyberGhost and HideMyAss!.

CyberGhost is “a major supporter and promoter of civil rights, a free society, and an uncensored Internet culture.” This is an outspoken and out-in-the-open company advocating for the people. You can find plenty of proof on their blog.

For years they offered a free VPN, and they haven’t ruled out the possibility of it coming back. Today, CyberGhost provides some of the best encryption on the market with a full set of security features. They’ve always emphasized privacy and anonymity. And we expect that to continue in the future.

Hide My Ass! is one of the oldest VPNs on the market. Jack Cator created the original version to get around Internet restrictions at his school when he was 16 years old. Still today, they advertise streaming Netflix and sporting events much more seriously than security.

When you take a look at their service specs, you can see why. Finally, HMA’s history of turning over data and their lackluster logs policy are quite telling.


Principles are one thing, but companies need the right people to act them out.

Unfortunately, anonymous VPN companies are common. This includes two of the most secure VPNs in 2019, NordVPN and ExpressVPN.

Anonymous companies make people nervous—and for a good reason. But in the VPN industry, this can hardly be seen as a negative. Clearly, their company leaders value their own privacy and anonymity.

Such anonymity may protect the company itself from prying eyes, which can translate to security for its users. Still, it could be challenging for users to hold anyone responsible should something go wrong.

For VPNs that remain anonymous, all you have to go on are the “context clues” you can gain from their marketing, history, and support.

On the other hand, let’s return to CyberGhost and Hide My Ass!. CyberGhost CEO, Robert Knapp, is one of the few executives in the space who seems to know about cybersecurity. You can find him giving public speeches, doing interviews, or on his social media accounts.

CyberGhost as a company has a strong team page that features lots of engineers. They seem like a company poised to stay on the cutting edge.

While Hide My Ass! doesn’t have nearly as impressive a company culture, it does pass the “legitimate business test.” This makes them much more attractive to large potential investors. In fact, Hide My Ass! was acquired in 2015 by security giant AVG.

They sold for around $40 million, with an extra $20 million growth incentive. If that’s not enough motivation to make sure your company remains a leader, nothing will. And it makes you wonder: can an anonymous VPN company compete with this sort of investment?

Whether public or private, it’s almost impossible to know exactly how capable the people behind any company are. When it comes to VPNs, this is a question you must consider carefully. But ultimately, you’re taking a leap of faith with any service you choose.

Additional Security Features

In addition to encryption and essential privacy features, VPN companies offer users various security options.

Most users use VPN clients. So the best VPN companies invest in securing their applications. Sometimes, security measures are implemented as unchangeable defaults. Other times, you’re given full customization options. And several of the top platforms have unique features.

We’ll go over all the most important ones and a few interesting extras.

Kill Switch & Run on Startup

Every VPN should have a kill switch and a “run on startup” feature. Consider them requirements.

VPN kill switches sever your Internet connection when you lose connection to the VPN server.

Run on startup engages your VPN as soon as your operating system boots. We recommend enabling both at all times.

This dramatically reduces the number-one way VPNs fail—user error. With both enabled, you literally can’t go online without connecting to a protected server.

Most decent VPNs offer a kill switch. You usually have the option to turn it off. We like CyberGhost’s approach better for newbies.

You cannot turn their kill switch off. Instead, you create “Exceptions” for applications you want to run outside of the VPN tunnel.

Run on startup isn’t quite as common as a kill switch, but most of the leaders have it. It can often be set to simply open or immediately connect to a server on startup.

Router Support

Protecting your router connection with a VPN is one of the best ways to improve network security.

First, it maximizes ease of use and adoption rate. No one has to open an additional app or worry about configurations. Set it up, and all devices connected through that router receive protection. This is especially useful for protecting wifi, at the office or home.

All VPN leaders offer router support. But the kind of support varies to a high degree.

ExpressVPN and Hide My Ass! lead the pack here. You can buy routers with their VPN firmware already installed.

This lowers barriers to setup significantly. It may also yield increased performance.

ExpressVPN also has a router app that you can download to compatible routers. But for most VPNs, router setup requires manual configuration.

If that’s all you have available, you should definitely use it. But we anticipate more VPN companies will up their game in this department.

Automatic Wifi Protection

Some form of automatic wifi protection should be offered with every VPN. Unfortunately, it is not very common.

Public wifi is one of the most dangerous online security risks of the modern world. If it’s unsecured, you should never connect without a VPN.

There are so many ways for snoops to target public wifi networks. Some of the best VPNs have settings that protect you against such characters. They may allow you to connect automatically or provide a connection prompt.

Advanced users can probably find a way to set this up, even if their VPN client doesn’t support it. If necessary, we recommend this.

You can find this feature built-in to Hide My Ass! and CyberGhost clients.

But once again, CyberGhost sets itself apart in terms of customizability. You can choose different options for secured and unsecured networks. And you can also utilize their “Profiles” feature to automatically connect with specific settings.

Split Tunneling

Another standard feature offered by VPNs is split tunneling.

Split tunneling is very useful for certain types of users. This feature allows you to force some traffic through the VPN provider while other activity runs freely through your ISP. This is highly sought after by torrenters and businesses.

But more users should know about it. Only securing certain activities but not other ones could make your IP address appear less suspicious. It also ensures non-sensitive data uses your maximum internet speeds (by skipping encryption and authentication).

This feature is most common among the leading VPN providers. When offered, it is usually quite easy to find.

Again, CyberGhost shines here. Some online reviews state that CyberGhost does not offer split tunneling, when in fact they provide the best on the market. They call it “App Protection,” and it allows you to set specific apps to only connect through a VPN server.

This effectively acts as “run on startup” at the app level. You can also pair their App Protection with Exceptions for unparalleled customizability.

Additional Protection Layers

Beyond these, different VPNs develop additional solutions.

Users request a variety of different features to help secure their data. And VPN companies often comply. The leaders also innovate quickly. Plus, the current “copy culture” in the tech industry means that popular options spread quickly.

It is debatable whether any of these features are necessary. And you can expect all of them to slow down your connection even further.

But if security is essential to you, make sure to look for:

Double VPN – This is exactly as the name implies. Your traffic is encrypted twice. Your traffic is also tunneled twice. It goes through two different VPN servers before moving on to the Internet at-large. Offered by NordVPN and Hide My Ass! (called “doublehop”).

Proxy Support – If you believe in the proxy/VPN combination, some VPNs integrate the two. NordVPN and CyberGhost offer built-in HTTPS and SOCKS5 proxy support. CyberGhost provides a free proxy to the public. But NordVPN includes SOCKS5 proxies with membership.

TOR Support – .Onion users will find value in TOR integrations from several VPN leaders. NordVPN is the only one of the leaders currently offering true TOR support, with specific “Onion over VPN” servers. ExpressVPN does, however, have a .onion version of their website.

Other Things That Affect VPN Security

One fatal flaw and the best encryption technology, privacy policy, company culture, and security features become irrelevant.

It can’t be easy to run a top-tier VPN company. New threats emerge every day. And you might have millions of users depending on you to keep them safe online.

It can be easy to cut corners in areas that don’t seem to matter. Plus, it takes a consistent investment to keep your platforms up to date. It’s no surprise, then, that VPN infrastructure can also present security concerns.

Virtual vs Dedicated Physical Servers

Virtual servers make some VPN users nervous.

VPNs often use server virtualization to provide server locations outside the range of their physical network. For example, this could allow you to spoof your location to an African country while connecting to a server near your location in Europe.

This also means a faster connection than if you connected to an authentic African server. But it may increase the chance of IP leaks, as confused operating systems often choose defaults. It may also lead to other vulnerabilities based on any shared resources.

Hide My Ass! uses a large number of virtual servers to provide access to nearly 300 locations across the globe. This gives them over twice as many locations as the other leaders.

However, only 60 of those locations have dedicated physical servers. That means over 200 of those locations are “fakes.”

In contrast, NordVPN has the largest network, with over 4,400 servers around the globe. They may only offer about 60 different countries, but they only use physical servers. CyberGhost also has an interesting offering, with their “NoSpy” servers. These servers are maintained at a location CyberGhost owns and controls; the selection is limited but provides additional peace of mind.

App Device Compatibility

Modern device upgrades come at an alarming rate.

This is part of what makes cybersecurity such a demanding field. It also directly contributes to inconsistencies between VPN apps from the same company. Very often, crucial security features are left off of neglected app versions.

This could even include the kill switch or run on startup. In other cases, apps for various operating systems offer different functionality. This greatly increases the chances of user error.

And as we alluded to earlier, OpenVPN is not always available across all devices. Almost never is there any mention of this. VPN companies are quick to advertise their OpenVPN 256-bit AES but hate to confess when they don’t offer it.

You often have to dive deep into their outdated support posts to find exactly what they offer on which operating systems. Apple devices, especially those running iOS, receive limited OpenVPN support to date.

That’s because they hold developers to additional criteria to develop with OpenVPN. This is in favor of user security. So we appreciate VPNs who are willing to make that investment even more.

Service & Support

It’s crucial that VPN companies offer solid security-related support.

Unfortunately, that is seldom the case. VPNs are way too complicated for this to be the industry standard. Plus, there is a lot on the line—especially for certain types of users.

All too often, VPN support staffs are little more than glorified sales teams. Some of them even outsource their support solutions. So don’t be surprised when you have difficulty obtaining the answer to technical questions.

At least the leaders are moving things in the right direction. In addition to standard e-mail support tickets, 24/7 chat support is becoming more and more frequent.

Ironically, the anonymous giants, NordVPN and ExpressVPN, offer the best help at the moment. NordVPN is especially reliable. They even encourage users to contact them for assistance with specific settings based on their needs.

This is a tremendous step in the right direction. And it helps build the case that NordVPN is an excellent option for security-focused VPN beginners and experts alike.

VPN Security TakeAways

If you’ve made it this far, you clearly take VPN security seriously.

This is a complex topic. But it’s one that can significantly improve your online safety, and maybe even your quality of life. There are so many technical details to consider. As if that weren’t enough, you have to consider some philosophy too.

Hopefully, you’ve learned a lot. Let’s make sure you digest it.

Top Ten Things to Remember About VPN Security

  1. By default, your ISP and others can see everything you do online.
  2. VPN tunneling creates a connection between your device and the VPN server.
  3. VPN encryption secures data that passes through the VPN tunnel.
  4. Look for a VPN with OpenVPN AES-256 encryption on the devices you use.
  5. Choose a VPN with a strict “no logs policy” to ensure data privacy.
  6. If you genuinely want to prevent IP, DNS, and WebRTC leaks, do it yourself.
  7. Anonymous payment options are only available at certain VPNs.
  8. Look for a kill switch, run on startup, router support, and wifi protection.
  9. Strong VPN support is both scarce and extremely valuable.
  10. If you want our top pick for most secure VPN, try ExpressVPN risk-free.

Hiding Your IP Address with VPN

Even if you choose the most secure VPN, your IP address and online identity may still be at risk. IP leaks can occur in several ways. There are also various security mistakes that can undermine your VPN.

If you want to hide your IP address with a VPN, you need to follow the right steps.

You cannot simply download a free VPN and expect protection from your ISP, the NSA, or hackers. A VPN with outstanding security helps, but technology evolves fast. If you want to stay ahead of online spies, you have to take some of the responsibility yourself.

Online security is always a worthwhile goal. We’re here to help.

In Part II of our VPN Security Guide, we’ll focus on FAQs from VPN users.

  • How Does a VPN Protect My IP Address?
  • What Causes VPNs to Fail?
  • What Are IP Leaks?
  • How Can I Tell If I Have An IP Leak?
  • Are There Different Types of IP Leaks?
  • What Are DNS Leaks?
  • Who Is Interested In Finding My True IP?

We’ll address each of these concerns.

Let’s start with perhaps the most important one of all:

Is total privacy possible with a VPN?

Unfortunately, the very foundations of the Internet are not secure.

In its original form, the Web was built to be open. Before the technology caught up, networks needed as few barriers to connectivity as possible.

After all, the Internet isn’t “in the Cloud.” In truth, the Net is comprised of massive WAN networks connecting data centers and ISPs around the world. Data on these networks travels primarily through underground cables.

There are multiple players with authorized access to data transported across these networks. Furthermore, there are multiple access points where unauthorized parties can attempt to “hack” their way in.

With the rapid evolution of online technology, there may not be any true way to remain completely anonymous online. New threats emerge every day. Developments in machine learning and quantum computing will only accelerate the pace of innovation over the next few decades.

However, for the average individual or small business, virtual private networks offer excellent online security benefits. When implemented properly, VPNs hide your IP address and encrypt your data. This is about as close to total privacy online as most people need.

How VPNs hide your IP

VPNs act as a “man in the middle” between you and what you interact with online.

You connect to the VPN company’s server. That server connects to the websites or apps you use. You access online sources through the VPN server’s IP instead of your own.

As long as you eliminate IP leaks, VPNs disguise your IP.

They do this by:

Tunneling and Encapsulation: VPN protocols place data packets inside each other. This is called encapsulation. From there, a tunneling protocol is used to create a secure connection to the VPN server.

Anonymizing Your Web Traffic: Sharing servers with other users makes it much more difficult to trace your online activity. Therefore, VPN servers with more users may increase anonymization.

They also provide the further benefit of encrypting your online activity. Even if it is intercepted, it is indecipherable. Beyond that, security-conscious VPNs also delete all user traffic data. The very best VPN companies consistently develop new security features to stay ahead of emerging threats online.

That is why it is crucial to choose a company that takes security seriously.

VPN security standards

Finding a trustworthy VPN company takes a bit of research.

That’s because there are a lot of VPN security factors to consider.

Some of the most important ones include:

Encryption – The best VPN companies boast 256-bit AES encryption through OpenVPN. OpenVPN is open-source and widely considered the most secure VPN protocol. All the most competitive VPNs brag about “military grade” encryption. However, encryption technology evolves at a rapid pace. There are levels to AES-256. Plus, new encryption technologies are emerging all the time.

Logs Policy – If you want to be truly anonymous, you need a VPN that keeps no record of your activities. Otherwise, third parties may be able to access your online history. This could happen through legal action. It could also be the result of hacking. But without data logs, there’s no information for governments to demand or for hackers to steal. We highly recommend reading VPN terms of service.

Device Support – A VPN subscription does you no good if it doesn’t support your device. Most VPNs allow you to set up manual connections to their servers for a wide range of devices. However, the vast majority of VPN users connect through web clients or apps. All the top VPNs offer apps for Windows, MacOS, Android, and iOS. Router and Linux setup is usually more technical, though some VPNs offer apps for those operating systems as well.

Note that some VPNs do not offer OpenVPN support for Apple devices. Apple holds developers to higher standards. Currently, only the best VPNs are willing to jump through those hoops, although it is becoming more common.

Security Features – There are various security features that are now standard among market leaders. For example, most VPNs offer “run on startup” and “killswitch” functionality. Others offer proxy support, TOR-enhanced servers, “double VPN” servers, split tunneling, WiFi protection, and other unique features. Most of the top VPN companies have their own unique spin on security.

We go into much more depth on these features in Part I of our VPN Security Guide. If you haven’t chosen a VPN yet or aren’t sure whether yours is secure, you should start there.

Choosing the right VPN strengthens your online security foundation. But VPNs aren’t a “magic bullet” solution – nothing is. Again, the Internet is not secure by default. As new technologies emerge on top of it, new risks emerge along with them.

When it comes to IP leaks, we see three root causes.

What causes VPNs to fail

Technologically, VPNs are subject to a wide range of errors.

We will discuss the most common types of IP leaks soon.

First, we want to point out three fundamental reasons why any given VPN may be doomed to fail.

Technology Evolution – Computing and networking technologies are constantly evolving, and we constantly add new layers on top of them. This means that any given update may introduce new security vulnerabilities.

War on Your Privacy – Your data is valuable. There are more interested parties than you may realize. Not only that, but some of the best minds in the world work for these companies with a mission to uncover your secrets.

VPN User Error – Even with the most secure VPN, it is easy to broadcast your information unwittingly. Your IP is especially prone to leaks due to the nature of the Internet. If you miss the necessary steps, you render your VPN ineffective.

Maintaining your anonymity online has been difficult from the beginning, and it is only getting harder. VPN companies are on the front lines, working to defend your privacy. But this battle will continue to rage on until the Internet is no more.

The truth is, if you truly want to guarantee your IP remains hidden at all times, you might need to lose some functionality.

What is an IP leak?

An IP leak is when your IP address is visible to other parties despite being connected to a VPN. Your IP may be leaking to a single party or multiple parties. IP leaks may occur for several reasons due to errors on the VPN’s side or the user’s side.

IP leaks defeat one of the main purposes of using a VPN.

When you’re connected to a VPN, it should appear that all of your online activity comes from the VPN company’s servers. If anyone can see where your activity is truly coming from, you have a leak.

How to check if your IP is leaking

Checking for IP leaks is easy.

The fastest way to check for IP leaks:

  1. Visit
  2. Search: “What is my ip address?”
  3. Connect to your VPN server.
  4. Search again: “What is my ip address?”

If you see the same IP address both times, you have an IP leak.

However, Google’s simplified version doesn’t necessarily tell you everything you need to know. It currently only helps you find one type of IP leak.

There are various free tools out there that can provide more info.

Our favorite is Just visit the site, and it will automatically generate all types of information about your current connection to the Internet. You can repeat the same process as above and discover much more about your connection.

Through this, you can also double-check the location of your VPN server. That is, if you connect to your VPN’s server in New York, and similar tools should detect that location. If you see a different IP but can still see your real-life location, your IP can probably be traced by certain parties. All they have to do is match the location with the IP. From there, they may be able to match your online activity with you.

Your traffic should still be encrypted. However, such leaks could prevent you from beating Netflix’s VPN ban or accessing your local sports while traveling.

Types of IP leaks

Your true IP is vulnerable from multiple angles.

Most VPNs don’t talk much about IP or related leaks. Some provide technical walkthroughs on reducing the chance of a leak. A few offer IP or DNS “leak protection” features, but even those cannot prevent user error or inaction, which is where IP leaks often stem from.

In some cases, there may be vulnerabilities unique to your network. And again, new threats emerge all the time. We could never hope to capture every possible threat to your true IP. However, the types in our list should cover 99%+ of IP leaks that most users may face.

We’ll address them from most common to more obscure.

IP resolution leaks

Few know this, but:

The Internet is currently in a transition from one protocol to another. Until now, the entire Internet has been based on the IPv4 protocol. Unfortunately, there are not enough possible addresses in this protocol to meet demand.

In our guide to web hosting, we mentioned that IPv4 only supports around 4.3 billion IP addresses. The new protocol, IPv6, supports around 340 billion billion billion billion IP addresses. This should have us covered for the foreseeable future, although we’ve thought this before.

As one of the Internet’s underlying technologies, this IP upgrade presents several problems to VPN users. The issues are exacerbated by the relatively slow adoption rate of IPv6. Around 80% of the internet is still on IPv4 – due in part to the expense of upgrading.

As IP providers slowly switch over, this issue should become less common. However, IP resolution leaks are still fairly prevalent at this time.

Both IPv4 and IPv6 leaks are possible.

IPv4 Leaks

IPv4 leaks typically occur due to operating system errors.

IPv4 can confuse modern operating systems and trigger DNS leaks (to be discussed soon). When this happens, DNS lookup requests default to your ISP in most cases. Your ISP is one of the main parties many VPN users are looking for protection against.

Most IPv4 errors should be prevented by taking action against DNS leaks.

IPv6 Leaks

Almost all modern operating systems support IPv6.

ISPs, webmasters, and other parties on the internet are slower to upgrade. This forces websites that support IPv6 to serve IPv4 addresses as well. Over time, this should become less and less necessary. For now, it’s important that you choose a VPN that also supports IPv6. If your VPN does not support IPv6, then IPv6 traffic will be routed outside the tunnel.

DNS leak protection features provide partial protection against IP leaks that may arise due to IPv6 compatibility.

DNS leaks

DNS can refer to a domain name server, domain name service, or domain name system.

In essence, DNS is how domain names are translated into IP addresses that computers can read. Traditionally, DNS lookup requests are handled by your internet service provider. Anyone with access to your DNS request records has access to your online activity. Your DNS records also give away your IP address.

So what is a DNS leak?

DNS leaks occur any time your domain name server lookup requests occur outside your VPN tunnel. This reveals your original IP address as well as some details about your activity. Whoever carries the request for you may gain access to your complete browsing history.

It’s crucial that your DNS requests are handled by someone other than your ISP.

The best VPNs have their own domain name servers. This means they are the only ones with access to your DNS history. And if they don’t keep logs, you essentially have no DNS history.

Other VPNs choose to integrate with third-party DNS services instead. This is fine as long as they proxy those requests first and send them through their tunnel. Otherwise, that third-party service has knowledge of the true origin of those requests – your IP.

Even with DNS protection features, DNS requests are not always resolved properly. Again, this happens at the operating system level and is somewhat difficult to defend against. If you have some technical knowledge, though, OpenVPN v2.3.9 and higher offers an option to block outside DNS.

WebRTC bug leak

Web browsers are quite aggressive when it comes to acquiring IP addresses, especially with the new WebRTC standard.

WebRTC allows web browsers to incorporate features like voice calling, chat, and peer-to-peer file sharing. This is a great feature that increases usability. However, WebRTC allows your browser to bypass your VPN and access your IP directly. Only browsers such as Chrome, Firefox, and Opera have WebRTC capabilities.

Until recently, the only way to prevent WebRTC leaks was to use a non-compatible browser or disable WebRTC completely. Now, WebRTC Leak protection support is built into the OpenVPN GUI. Therefore, some VPN clients have it built in from the get-go. However, this is not yet the standard – other VPN protocols do not provide WebRTC protection.
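The before-and-after comparison from “How to check if your IP is leaking”, extended to the IPv6, DNS and WebRTC leak types described above. This is an added example, not code from the original guide: the `Snapshot` fields and `find_leaks` are hypothetical names, the values stand in for what a leak-test page would report, and all addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional


@dataclass
class Snapshot:
    """What a leak-test page reports for one connection (field names are assumptions)."""
    public_ipv4: Optional[str] = None
    public_ipv6: Optional[str] = None
    dns_resolvers: list = field(default_factory=list)      # resolvers seen by the test site
    webrtc_candidates: list = field(default_factory=list)  # addresses exposed via WebRTC


def _norm(value):
    """Parse an address so '2001:DB8::1' and '2001:db8:0:0:0:0:0:1' compare equal.

    Returns None for empty values and for non-addresses such as mDNS '*.local'
    names that browsers may hand out in place of local IPs.
    """
    if not value:
        return None
    try:
        return ip_address(value.strip())
    except ValueError:
        return None


def find_leaks(baseline, vpn_on):
    """Compare a VPN-off snapshot with a VPN-on snapshot; return leaks by type."""
    real = {a for a in (_norm(baseline.public_ipv4), _norm(baseline.public_ipv6)) if a}
    isp_dns = {a for a in map(_norm, baseline.dns_resolvers) if a}
    leaks = {}

    # Same public address with the VPN on as with it off: the tunnel is not hiding it.
    v4 = _norm(vpn_on.public_ipv4)
    if v4 in real:
        leaks["ipv4"] = [str(v4)]

    # IPv6 traffic routed outside the tunnel still shows the real IPv6 address.
    v6 = _norm(vpn_on.public_ipv6)
    if v6 in real:
        leaks["ipv6"] = [str(v6)]

    # A resolver that answered with the VPN off and still answers with it on
    # means lookups are leaving the tunnel.
    dns = {a for a in map(_norm, vpn_on.dns_resolvers) if a} & isp_dns
    if dns:
        leaks["dns"] = sorted(str(a) for a in dns)

    # WebRTC candidates that match the real public address bypass the VPN.
    # Private addresses (tunnel or LAN) never match and are ignored.
    rtc = {a for a in map(_norm, vpn_on.webrtc_candidates) if a} & real
    if rtc:
        leaks["webrtc"] = sorted(str(a) for a in rtc)

    return leaks


# Constructed sample data (documentation address ranges, not real hosts).
BASELINE = Snapshot(
    public_ipv4="203.0.113.24",
    public_ipv6="2001:db8:10::5",
    dns_resolvers=["203.0.113.1", "203.0.113.2"],
    webrtc_candidates=["192.168.1.20", "203.0.113.24"],
)
VPN_ON = Snapshot(
    public_ipv4="198.51.100.77",             # changed: the basic check passes
    public_ipv6="2001:DB8:10:0:0:0:0:5",     # same address, written differently
    dns_resolvers=["198.51.100.53", "203.0.113.1"],
    webrtc_candidates=["10.8.0.2", "f3a1c2d4.local", "203.0.113.24"],
)

if __name__ == "__main__":
    for kind, addresses in find_leaks(BASELINE, VPN_ON).items():
        print(f"{kind} leak: {', '.join(addresses)}")
```

In the sample, the IPv4 address changes once the VPN is on, so the basic search-engine check would pass while the IPv6, DNS and WebRTC leaks remain.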

Smart Multi-Homed Name Resolution

Smart Multi-Homed Name Resolution is a Windows-only problem.

Starting with Windows 8, the Windows operating system began sending out DNS requests to all available servers. If the preferred server failed to respond, another server was selected. This is intended to improve browsing performance.

Starting with Windows 10, Microsoft changed this to automatically choose whichever server responds the fastest. This may happen even if your VPN offers its own DNS resolution.

Like WebRTC, the best way to prevent this type of leak is by disabling the feature completely.

Port fail vulnerability

In November 2015, Perfect Privacy announced that they found a vulnerability that made VPN user IP addresses discoverable.

They labeled it the “port fail” vulnerability. It requires some advanced hacking or network admin privileges. From there, an online snoop could use a port listening application to identify your true IP. There are several steps they would need to pull off. And while this doesn’t broadcast your IP for the Internet at large, it may be important for some users.

Like other IP vulnerabilities, firewall rules are the most assured way to prevent your traffic from escaping the VPN tunnel. There have also been some patches within the VPN industry.

This is a perfect example of a more obscure – but no less dangerous – form of client-side IP leak. In addition, it would most likely be used to target a specific person.

Who wants to know?

You may be wondering:

Who even cares about my IP?

Believe it or not, there are many players who are interested in what you’re doing online.

They all have different motives and may use different means, but they are united by their interest in your personal data.

This begs the question:

Why hide your IP Address?

We can think of several reasons:

  1. Hide Location
  2. Avoid IP-based Restrictions
  3. Avoid IP Bans
  4. Avoid Targeted Attacks
  5. Remain Anonymous Online
  6. Enhance Your Online Experience

You might look at it this way:

There are various powerful organizations willing to invest millions of dollars to look at what you do online. If they believe it to be valuable, maybe you should too.

Let’s talk about a few of them and why each one is interested in what you do online.

ISP: Primary offender

Internet service providers are often the most invasive online spies.

This comes as a surprise to many. Most consumers expect the company providing their internet to keep their data secure. In truth, they’re usually the entity with the easiest – and most profitable – access to your data.

As the Internet continues to expand, ISPs are likely to intrude even more.

Can my ISP see my web traffic?

Your Internet service provider can see just about everything you do online by default.

After all, they are largely responsible for carrying your requests back and forth to other IPs on the internet. Those IP addresses typically correspond to websites or web applications you use. Beyond that, they can also see what actions you perform on those sites and apps.

Their business models give them plenty of reason to monitor your activity.

Bandwidth throttling

Some Internet service providers slow down your connection based on what you’re trying to do online.

Video and online streaming are the most commonly throttled types of traffic. That is especially unfortunate considering they often require some of the highest bandwidth speeds – not to mention their exponentially rising popularity. There are several reasons ISPs slow user Internet connections.

Due to lack of competition, it’s pretty easy for them to get away with it.

Selling your data

Internet service providers also sell user information.

Online activity can be paired with demographic data to provide an excellent source of market research. Private companies can use this information to a variety of ends. These companies are willing to pay a lot of money because that data can make them even more money.

Governments and other institutions also have plenty of motivation to uncover your browsing history.

In fact, that is one of the reasons why ISP traffic snooping is so hard to stop.

Home court advantage

ISPs who want your browsing history have several major factors working in their favor.

Some of the biggest:

ISP is the Default – Developers of mainstream applications assume you’re going to use a basic connection from an Internet service provider. That’s why Windows added Smart Multi-Homed Name Resolution as a default. From an engineering perspective, ISPs also offer the framework on which the Internet runs. Maintaining the WANs that make up the global network gives them a myriad of access points.

Government Support – Nations such as the United States allow ISPs to sell user information without their knowledge. Interestingly enough, this gives Internet service providers more incentive to track user activity. The more data they obtain, the more data they can sell. This also means the government may be able to force more information out of them down the road. After all, ISPs don’t have “no logs” policies.

Industry Monopolization – Most Internet service providers are responsible for massive domains. The range of their networks continues to expand as the big fish rush to buy up the small fish. In developed countries, customers often only have one or two options for hundreds of miles. In less developed countries, they may be lucky to have one for thousands. Without competition, ISPs are left to do as they please.

Massive Budgets – Even with millions of users, no VPN could outspend an ISP. The VPN space has some great developers – but so do Internet service providers, and they have a lot more money than VPN companies. For example, some ISPs use technologies like DNS proxy transparency to intercept all DNS lookup requests. Undoubtedly, they are also developing other such strategies all the time.

No VPN alone can prevent an ISP from accessing your data. However, they provide crucial pieces to the puzzle that knowledgeable users can take advantage of.

Still, the threats to your privacy don’t end with your ISP.

Other online snoops

While the company supplying your Internet may have the most robust access, they aren’t the only ones who might like to get ahold of your data.

Even leaving out parties that might be interested in purchasing from ISPs, there is a multitude of institutions who might want to monitor (and restrict) your online activity.

Let’s touch on a few of the biggest ones:


The Digital Millennium Copyright Act is a United States copyright law designed to protect content producers.

It is in place to protect intellectual property rights for music, movies, and other digital media. It does not require copyright holders to press charges. Instead, other agencies work to enforce the policy. This keeps those producers from having to spend lots of money to protect their property rights. Still, DMCA provides a framework for them to do so if they choose.

Some people use VPNs specifically to download content illegally. Agencies who make their money finding copyright violators must trace those violations back to the offender. If they encounter a VPN that doesn’t cooperate, they are likely to attempt to exploit a vulnerability to access the specific user’s info to take action against the individual.

You might be able to imagine how aggressive these agencies might be, considering some requests might earn them six- or seven-figure contracts.

Netflix, BBC iPlayer, Amazon Prime, and other streaming services

Netflix and other streaming services actively block VPNs to help protect licensing agreements.

Online streaming is transforming how we consume movies, sports, and other forms of digital media. Traditional movie and television companies are scrambling to keep up. Netflix, Hulu, YouTube Red, and other streaming services are eating into their licensing agreements. But as long as they take that money, they’re forced to restrict content by location or other factors.

For example, Netflix offers different libraries to different countries. A VPN can help you gain access to libraries outside your own country. To combat this, Netflix enforces one of the most sophisticated VPN bans. BBC iPlayer is another example.

Only the best VPN companies can consistently maintain servers that allow you to access these services unfettered by your real-world location.

The NSA, intelligence agencies, and totalitarian regimes

National security organizations are some of the most blatant online privacy invaders.

Edward Snowden has revealed some shocking truths over the last half-decade. He’s given us a glimpse into just how invasive the NSA’s spying programs truly are. We can be sure the United States isn’t the only country engaging in this sort of surveillance.

Truth be told, citizens of “14 eyes” countries and beyond should be wary of their governments.

Oppressive governments around the world also monitor the activity of their citizens for censorship purposes.

Many people in countries like China, Russia, Iran, and Saudi Arabia can use VPNs to evade these blocks. Preventing IP leaks is especially important for such users. Whether you’re a political activist or an everyday citizen, protecting your IP could be a matter of life and death.

For such cases, we highly recommend intense technical study and utmost caution. Remember how powerful the forces acting against you really are.
