How to buy the best VPN
Should you be using a VPN and, with so many to choose from, which should you trust?
There are a range of reasons why someone might want to use a VPN. It could be because you want to keep some parts of your online web activity private, you want to access content blocked in the region you’re in, or you want an extra layer of security when working on public wi-fi.
We've put more than a dozen popular brands through our test lab to assess features such as security and privacy, speed and performance, and ease of use. Find out why you'll want to factor all of this in, and what else you need to know before you sign up.
What is a VPN for and how does it work?
A virtual private network (VPN, also known as a proxy) means different things to different people, depending on what they’re trying to do online. But whether you’re unlocking overseas TV shows or trying to protect your privacy, a VPN does the same thing.
To explain how they work, we first have to look at how your internet connection works without a VPN.
If you want to visit a website, you type in the web address, requesting to visit the website. This request is sent from your device via your router to your internet service provider (ISP, such as BT, Sky, Virgin, Plusnet, etc), which sends your request on to the website.
The data from the website is sent back to your ISP, then to your router, and then to your device, and you can load the webpage.
With a VPN installed, all internet traffic is first diverted through the software and encrypted (scrambled) in a way that is only understandable by the VPN company’s own systems. The scrambled request is sent via your ISP, but all the ISP knows is that you’ve sent a request to a website (or a server) operated by the VPN. The VPN server then receives the scrambled data, unscrambles it and sends it on to the website you were asking for.
Then the same happens in reverse. The data is sent from the website to the VPN, which scrambles it, sends the scrambled data via your ISP, then to your computer’s VPN software which is able to unscramble the data and display the website.
Some websites like to use the metaphor of a tunnel or a locked envelope to which only your VPN provider has the key. These aren’t wholly inaccurate but don’t provide a full picture of where your data goes. The diagrams above should help clarify how your data is transmitted. Keep in mind that your ISP still knows when you’re online and how much data you are sending and receiving, even if you’re using a VPN.
In principle, this means everything you do while connected to the internet can’t be seen by anyone aside from the VPN company, and even then all VPN companies claim to have systems in place that make it impossible to trace who is doing what on its VPNs. More on that later.
It also means the requests you send and receive can be diverted to anywhere in the world where the VPN has a presence, which can be useful in certain circumstances.
Does a VPN protect my privacy?
It depends on what you mean by privacy.
If you’re a regular home user who just wants to encrypt their connections when using public wi-fi, a VPN is a handy tool and should prevent you getting caught out by a badly secured wi-fi network and an opportunist hacker.
But it’s not a panacea and is only one tool of many you would need to completely protect your identity online. Any VPN marketing fluff that tells you otherwise isn’t giving you the whole story.
There is an awful lot a VPN doesn’t do. It doesn’t stop websites using trackers and cookies to serve you ads and build advertising profiles about you. It doesn’t stop you getting viruses, and already-running malware on your computer will continue to be a problem. It won’t protect you from phishing scams, either.
If you use a VPN but are logged into your Facebook and Google accounts, chances are Facebook and Google will know what you’re up to anyway.
And keep in mind that by sending your data via a VPN, you are simply changing who has control over your data and so you have to trust them to be able to look after it in a responsible way. The encryption needs to be strong, and their own systems need to be robust enough to stand up to hacking attempts or even staff members having a root around. All the VPN companies make big claims about security and privacy, but it is ultimately down to trust.
No reviewer, no matter how in-depth, can see what goes on inside a VPN company’s systems.
Another point to make is that most apps and services use what are known as software development kits (SDKs) to allow extra functions in their apps that allow developers to see, at a broad scale, how their apps are being used. This is standard practice with almost any app you’ll download for your smartphone.
But Which? tests reveal that most VPN services also log such data from within their apps and send it to third-parties for analysis. All the VPN companies that replied to our queries about this said the data was anonymously gathered and that users can turn off such data collection from within the apps. However, we still mark them down in our tests because we believe the user of a privacy-focused VPN app should expect zero data sharing, whatever form it takes. We also found at least two VPNs that don’t do this, showing it is possible to run a VPN app without sharing data to third-parties.
Are VPNs secure?
VPNs make big claims about the security they provide to their subscribers. They will tell you that by using them you will protect your internet traffic behind a layer of security impenetrable to all. This is true, but as with privacy, all you have done with the security of your connection is entrust it to someone aside from your ISP, and given a piece of software on your computer or smartphone cart blanche access to your internet use.
In doing so, you are adding software to your life that could have security holes, bugs and as-yet undiscovered flaws. For example, Which?’s testing in 2020 uncovered two security issues that could, in extreme circumstances, allow your device to fall victim to a ‘man-in-the-middle’ attack where a hacker pretends to be your VPN and intercepts all your internet use. At the time of writing, one of these problems has been fixed.
Using a VPN for Netflix, iPlayer and other streaming services
Video streaming is one of the most common reasons why someone might subscribe to a VPN. Since television and film rights differ from country to country, it can be hard to access some content in certain countries.
For example, you may want to access UK television catch-up services while on holiday, or in the UK a film may only be available via a pay-per-view service such as Apple TV, but in the United States it’s available on Netflix. If you already have a Netflix subscription you might begrudge paying for the Apple TV edition of a show when you’re already paying for Netflix.
With a VPN, you can ask for your location to appear as if you are in the United States (or any other country the VPN offers). This means, to Netflix, it can appear as if you and your computer are physically located in the United States, so it can show you the content it has licences for in that country.
Is it legal to use a VPN?
VPNs are not illegal in the UK, but the legality of their use in other countries varies, so you should check your own country’s local laws if you are not in the UK.
However, this is not a guaranteed ticket to US TV heaven, because streaming services have an obligation to the companies they license content from to prevent access to content that certain users shouldn’t be able to see. As a result, Netflix and Amazon Video in particular often detect a person using a VPN and will block them viewing anything until they disconnect the VPN.
Netflix, and other streaming services, also reserve the right to terminate your account if you attempt to access content in this way, although we haven’t heard of this happening in practice. Still, the risk is very much there.
Free vs paid VPNs
Free VPNs typically only offer you a limited number of servers to use, and a very tight data limit. They also lack most of the features below. So, if you’re paying for a VPN, you should hope to get some or all of these features.
Apps for all your devices: The majority of VPNs we’ve tested have apps for Windows, Mac iOS and Android, with some also providing software to allow the VPN to run on your router, thereby encrypting your entire household’s internet traffic in one fell swoop. Before you buy, make sure the operating system you want to use it on has an app.
DNS leak protection: It’s possible that some programs on your computer or handheld device might sneak past the VPN installed on your computer. This isn’t normally malicious, but is a result of bad programming (either from the app or the VPN). Leak protection should stop software being able to do this. Our lab tests also check to see whether there are leaks so you maintain maximum privacy.
Kill switch: If your connection to your VPN server drops because of a technical fault, a kill switch will disable your device’s internet connection to ensure no unencrypted data leaves the device.
Split tunneling: This lets you set which apps on your device are encrypted via your VPN and which go to your ISP. This is helpful when perhaps you only want one app to be fully protected, or disguised, but you want the rest to behave as normal.
Simultaneous connections: This lets you use your VPN software on more than one device at the same time. If you have multiple gadgets you use, or want your household to use, too, you won’t be kicked off for having more than one connection.
Unlimited data and bandwidth: Make sure the VPN you’re subscribing to has no limits on the amount of data you can use. Most have unlimited subscriptions but some may have speed limits. Check the terms and conditions before you pay. Our tests check the average speed of each VPN in half a dozen countries over seven days, so check our reviews to see which ones performed the best.
Rock-solid privacy: As mentioned above, most VPN services claim to protect your privacy in ways that mean that nothing about you or your browsing habits are stored in any way. Some companies go as far as to get themselves audited by external companies. Ultimately, though, it is always down to trust, both whether you trust what a VPN company is telling you, but also that their systems really work well enough to avoid your data leaking online. This is something that can’t be tested by reviews, although we do check all the incoming and outgoing connections from VPN apps. If a VPN app connects to anything that isn’t what you asked it to do, we’ll let you know.