The Best VPN Services of 2018

Cryptokey Routing

Applying a NAT policy to a Sonicwall VPN Tunnel
However, I am no longer sure about what I wrote in Step 9. Since some organizations deploy SAML identity providers (IdP) on-premises in a way that is not publicly accessible, a secure app tunnel is required to authenticate and log in to the app. Premium VPN service, absolutely free.

HowTos & Reviews

Conceptual Overview

The automated downloading function for root and intermediate certificates has been implemented. In this version, you no longer need to install chained certificates manually. In previous versions, you had to edit the OpenVPN configuration file manually. We apologize that the previous build Build has a problem in which RSA certificate authentication doesn't work. This build fixes the problem.

Please use Build if you intend to use the RSA certificate authentication function. Thank you for waiting! Improved the behavior of the Privacy Filter Mode security policy. On or after this version, both broadcast packets and ARP packets will also be blocked by the Privacy Filter Mode policy to eliminate broadcast traffic.

Added the generating function of X. According to user reports, in some very minor Linux environments, the "vpnserver stop" shutdown operation sometimes hangs. However, we added fail-safe code to run "killall -KILL vpnserver" after the process shutdown operation times out (90 seconds).

In contrast, it more mimics the model of SSH and Mosh; both parties have each other's public keys, and then they're simply able to begin exchanging packets through the interface. WireGuard works by adding a network interface (or multiple), like eth0 or wlan0, called wg0 (or wg1, wg2, wg3, etc.). This network interface can then be configured normally using ifconfig(8) or ip-address(8), with routes for it added and removed using route(8) or ip-route(8), and so on with all the ordinary networking utilities.

The specific WireGuard aspects of the interface are configured using the wg(8) tool. This interface acts as a tunnel interface. WireGuard associates tunnel IP addresses with public keys and remote endpoints. When the interface sends a packet to a peer, it does the following:. Behind the scenes there is much happening to provide proper privacy, authenticity, and perfect forward secrecy, using state-of-the-art cryptography.

At the heart of WireGuard is a concept called Cryptokey Routing, which works by associating public keys with a list of tunnel IP addresses that are allowed inside the tunnel. Each network interface has a private key and a list of peers. Each peer has a public key. Public keys are short and simple, and are used by peers to authenticate each other.

They can be passed around for use in configuration files by any out-of-band method, similar to how one might send their SSH public key to a friend for access to a shell server. In the server configuration, each peer (a client) will be able to send packets to the network interface with a source IP matching his corresponding list of allowed IPs.

For example, when a packet is received by the server from peer gN65BkIK In the server configuration, when the network interface wants to send a packet to a peer (a client), it looks at that packet's destination IP and compares it to each peer's list of allowed IPs to see which peer to send it to.

For example, if the network interface is asked to send a packet with a destination IP of In the client configuration, its single peer (the server) will be able to send packets to the network interface with any source IP since 0. For example, when a packet is received from peer HIgo9xNz In the client configuration, when the network interface wants to send a packet to its single peer (the server), it will encrypt packets for the single peer with any destination IP address since 0.

For example, if the network interface is asked to send a packet with any destination IP, it will encrypt it using the public key of the single peer HIgo9xNz In other words, when sending packets, the list of allowed IPs behaves as a sort of routing table, and when receiving packets, the list of allowed IPs behaves as a sort of access control list. This is what we call a Cryptokey Routing Table: Any combination of IPv4 and IPv6 can be used, for any of the fields.

WireGuard is fully capable of encapsulating one inside the other if necessary. VPNs are necessary for improving individual privacy, but there are also people for whom a VPN is essential for personal and professional safety. Some journalists and political activists rely on VPN services to circumvent government censorship and safely communicate with the outside world.

Check the local laws before using a VPN in China, Russia, Turkey, or any country with repressive internet policies. Others restrict such activity to specific servers. Learn the company's terms of service—and the local laws on the subject.

That way you can't complain if you run into trouble. It is also possible (emphasis on "possible") that VPNs may be able to save net neutrality repeal.

For those who are unaware, net neutrality is the much-discussed concept that ISPs treat web services and apps equally, and not create fast lanes for companies that pay more, or require consumers to sign up for specific plans in order to access services like Netflix or Twitter.

That said, an obvious response would be to block or throttle all VPN traffic. We'll have to see how this plays out. The VPN services market has exploded in the past few years, and a small competition has turned into an all-out melee. Many providers are capitalizing on the general population's growing concerns about surveillance and cybercrime, which means it's getting hard to tell when a company is actually providing a secure service and when it's throwing out a lot of fancy words while selling snake oil.

It's important to keep a few things in mind when evaluating which VPN service is right for you: Don't just focus on price or speed, though those are important factors. In fact, not all VPN services require that you pay.

Several services we've listed here also have free VPN offerings. You tend to get what you pay for, as far as features and server locations go, but if your needs are basic, a free service can still keep you safe. Some VPN services provide a free trial, so take advantage of it. Make sure you are happy with what you signed up for, and take advantage of money-back guarantees if you're not.

This is actually why we also recommend starting out with a short-term subscription—a week or a month—to really make sure you are happy. Yes, you may get a discount by signing up for a year, but that's more money at stake should you realize the service doesn't meet your performance needs.

Most users want a full graphical user interface for managing their VPN connection and settings, though a few would rather download a configuration file and import it into the OpenVPN client. Most VPN companies we have reviewed support all levels of technological savvy, and the best have robust customer support for when things go sideways. If you're using a service to route all your internet traffic through its servers, you have to be able to trust the provider.

It's easier to trust companies that have been around a little longer, simply because their reputation is likely to be known. But companies and products can change quickly. Today's slow VPN service that won't let you cancel your subscription could be tomorrow's poster child for excellence. We're not cryptography experts, so we can't verify all of the encryption claims providers make. Instead, we focus on the features provided. Bonus features like ad blocking, firewalls, and kill switches that disconnect you from the web if your VPN connection drops, go a long way toward keeping you safe.

We also prefer providers that support OpenVPN, since it's a standard that's known for its speed and reliability. It's also, as the name implies, open source, meaning it benefits from many developers' eyes looking for potential problems.

Since we last tested VPNs, we've given special attention to the privacy practices of VPN companies and not just the technology they provide. In our testing, we read through the privacy policies and discuss company practices with VPN service representatives. What we look for is a commitment to protect user information, and to take a hands-off approach to gathering user data. As part of our research, we also make sure to find out where the company is based and under what legal framework it operates.

Some countries don't have data-retention laws, making it easier to keep a promise of "We don't keep any logs." The best VPN services have a privacy policy that clearly spells out what the service does, what information it collects, and what it does to protect that information.

Some companies explain that they collect some information, but don't inform you about how they intend to use that information. Others are more transparent. While a VPN can protect your privacy online, you might still want to take the additional step of avoiding paying for one using a credit card, for moral or security reasons.

Several VPN services now accept anonymous payment methods such as Bitcoin, and some even accept retailer gift cards. Both of these transactions are about as close as you can get to paying with cash for something online.

That Starbucks gift card may be better spent on secure web browsing than a mediocre-at-best latte. A tool is only useful when it's used correctly, after all. For that, you'll want to access the Tor network, which will almost certainly slow down your connection.

While a VPN tunnels your web traffic to a VPN server, Tor bounces your traffic around through several volunteer nodes, making it much, much harder to track. Using a VPN will prevent most kinds of DNS attacks that would redirect you to a phishing page, but a regular old page made to look like a legit one in order to trick you into entering your data can still work. Some VPNs, and most browsers, are pretty good about blocking phishing pages, but this attack still claims too many victims to be ignored.

In addition to blocking malicious sites and ads, some VPNs also claim to block malware. We don't test the efficacy of these network-based protections, but most appear to be blacklists of sites known to host malicious software.

That's great, but don't assume it's anywhere near as good as standalone antivirus. Use this feature to complement, not replace, your antivirus. Lastly, keep in mind that some security-conscious companies like banks may be confused by your VPN.

If your bank sees you logging in from what appears to be another US state or even another country, it can raise red flags. Some important things to look for when shopping for a VPN are the number of licenses for simultaneous connections that come with your fee, the number of servers available, and the number of locations in which the company has servers.

It all comes down to numbers. Most VPN services allow you to connect up to five devices with a single account.

Any service that offers fewer connections is outside the mainstream. Keep in mind that you'll need to connect every device in your home individually to the VPN service, so just two or three licenses won't be enough for the average nested pair. Note that many VPN services offer native apps for both Android and iOS, but that such devices count toward your total number of connections. Of course, there are more than just phones and computers in a home.

Game systems, tablets, and smart home devices such as light bulbs and fridges all need to connect to the internet. Many of these things can't run VPN software on their own, nor can they be configured to connect to a VPN through their individual settings. In these cases, you may be better off configuring your router to connect with the VPN of your choice. By adding VPN protection to your router, you secure the traffic of every gadget connected to that router. And the router—and everything protected by it—uses just one of your licenses.

Nearly all of the companies we have reviewed offer software for most consumer routers and even routers with preinstalled VPN software, making it even easier to add this level of protection.

When it comes to servers, more is always better. More servers mean that you're less likely to be shunted into a VPN server that is already filled to the brim with other users. But the competition is beginning to heat up. Last year, only a handful of companies offered more than servers, now it's becoming unusual to find a company offering fewer than 1, servers.

The number and distribution of those servers is also important. The more places a VPN has to offer, the more options you have to spoof your location! More importantly, having numerous servers in diverse locales means that no matter where you go on Earth you'll be able to find a nearby VPN server. The closer the VPN server, the better the speed and reliability of the connection it can offer you. Remember, you don't need to connect to a far-flung VPN server in order to gain security benefits.

For most purposes, a server down the street is as safe as one across the globe. In the most recent round of testing, we've also looked at how many virtual servers a given VPN company uses.

A virtual server is just what it sounds like—a software-defined server running on server hardware that might have several virtual servers onboard. The thing about virtual servers is that they can be configured to appear as if they are in one country when they are actually being hosted somewhere else.

That's an issue if you're especially concerned about where your web traffic is traveling. It's a bit worrisome to choose one location and discover you're actually connected somewhere else entirely. We have often said that having to choose between security and convenience is a false dichotomy, but it is at least somewhat true in the case of VPN services. When a VPN is active, your web traffic is taking a more circuitous route than usual, often resulting in sluggish download and upload speeds as well as increased latency.

The good news is that using a VPN probably isn't going to remind you of the dial-up days of yore. Most services provide perfectly adequate internet speed when in use, and can even handle streaming HD video. However, 4K video and other data-intensive tasks like gaming over a VPN are another story. And nearly every service we have tested includes a tool to connect you with the fastest available network.

Setting up OpenVPN over SSH on a PC