How to choose the VPN that's right for you

You'll find a lot of VPN guides out there, but how relevant are their recommendations to your personal needs? Here's a better way to think about your VPN decision, and what matters most to you, your usage, and your location.

VPN services: The basics Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet. Read more: https://zd.net/2BNF7ne

After writing about and testing VPN products on ZDNet and CNET for the past few years, I've started preparing a series of VPN product reviews that will launch sometime soon. As a result of all this work, I've had a chance to look at a lot of VPN services.

on cnet

Best VPN services

The CNET VPN Directory lists many of the most popular VPN Services available.

Read More

There are some things you should know if you're choosing a VPN for yourself. 

What does a VPN do?

First, let's recap what a VPN is, and why you might use it. A VPN service is a tool that you use to obfuscate your connection from your PC, tablet, or smartphone to the internet.

This is particularly valuable when using your device on a public Wi-Fi hotspot, where your transmissions might otherwise be open and unencrypted -- and subject to interception. By running VPN client software on your device, a secure tunnel is created between your device and a VPN server located somewhere on the internet.

Note: This protects the connection from you to that somewhere point on the internet. It does not protect your connection from that VPN server to your destination server on the internet.

Also: This giant cybersecurity blind spot will cost us dear 

Some folks also use a VPN to hide their originating location and IP address. This may be done for very justifiable reasons, such as making sure you can access the internet safely without revealing your location to, say, a stalker or other predator. But it can also be used to falsify your location so you can access something not normally available in your region, like video or sports programming. Doing this, in many locations, is illegal. Unfortunately, many VPN companies actively promote this use, some going so far as to designate some of their servers as particularly optimized for illegal streaming (although they tend to conveniently leave out the word "illegal").

How VPNs distinguish themselves

There are a number of criteria that VPN services use to distinguish themselves from each other. These include:

  • Trial periods
  • Number of unique IP addresses
  • Number of servers
  • Number of unique countries
  • Number of simultaneous connections
  • Devices and apps
  • Protocols
  • Logging and jurisdiction
  • Kill switch
  • Speed
  • Price

Each of these may factor less or more into your purchase decision, based on your own personal needs. Let's take a look a what matters most.

Free trial period

The single most important initial aspect in choosing a VPN service is going to be the length of the trial period. This is sometimes a period where you're allowed to use the service without being charged, or the period of time where you can use the service and get a refund if you request it.

In any case, it's the time period you have to get to know whether the service is right for you.

If you heed only one piece of advice in this article, heed this: Do not buy a VPN service until you've tested it completely and confirmed it meets your needs. The corollary to that tip is: Make sure you choose a VPN service with a long enough trial period to allow you to fully test the VPN you're purchasing.

Also: Why is my keyboard connected to the cloud? 

The only real way you can know if a VPN is right for you is for you to test it yourself. That's why the trial period is so critical, and also why we tend to rate VPN services with longer trial periods higher when we recommend them.

All those numbers

When you look at any list of VPN services, you'll often see numbers listed that describe the number of servers, IP addresses, locations, and countries. To some degree, you can use this information to gauge the scope of a VPN provider's network. But the raw numbers might not be as important as you think.

If all you want to do when using your VPN is make sure fellow patrons of the local coffee shop can't see your Wi-Fi traffic, the number of IP addresses a VPN provider offers doesn't really matter.

VPN services will sometimes tell you that the number of IP addresses increases your anonymity. That's because an IP address is less likely to be reused if it's part of a bigger pool. Of course, smaller services tend to have fewer customers and fewer IP addresses and larger services have more customers and more IP addresses, so the real fact is that you're just as likely to be using a recently used IP address regardless of the overall IP address pool size promoted by the service.

Also: A buyer's guide to virtual private networks (VPNs) in 2019 CNET 

Number of servers, locations, and countries describe how many exit points there are on the VPN provider's network. For example, I looked at one vendor that had only two servers in India, while another vendor had nearly 50, across a bunch of cities. If you wanted to present to the internet as though you were on an Indian server, you would probably want to go with the second service.  

Fundamentally, you should pay less attention to the number of overall servers, locations, and countries than you should to whether the VPN provider you're interested in provides a good number of servers in the countries you want to access.

This, again, is why a trial account is valuable. You might not be able to tell how many servers exist in the country you want to connect to until you've signed into that account.

My bottom-line recommendation is this: Choose a VPN provider based not on the big numbers, but based on whether you can VPN to the country you want to access. If you want to connect to a Moscow server, it doesn't matter if the VPN provider has 20,000 locations if they don't service Russia. It still won't meet your needs.

Number of simultaneous connections

This is a different kind of number, and this one is important. Bigger is actually better.

The number of simultaneous connections controls how many devices you can have connected at the same time. If you're traveling, two or three connections might be enough. When I was traveling across country, I often had my phone, my iPad, and my laptop all connected online through some hotel's (crappy) Wi-Fi, all at the same time. I needed my VPN service to allow me to do that to get my job done.

But if you use a VPN at home, and if you want to access the internet solely through your VPN service, you may want more connections. Or you might not. It depends on how you access the internet and whether you use a VPN in your router. That's next.

Device support and VPN apps

Nearly all VPN services have client software for Macs, Windows PCs, Android phones, and iOS devices. Many, but not all, have client software for Linux users. And some have client capabilities for set-top boxes and routers.

If you're at home and you want all your outgoing and incoming traffic to go through the VPN (say, for example, to hide from an ISP that might otherwise serve you customized ads now that net neutrality has been neutered), you might want a VPN service that works with your home router.

Also: 10 ways to develop cybersecurity policies and best practices 

Be aware, though, that once you move away from the main four platforms, support can be inconsistent and may require a rather high level of technical knowledge. You might need to install special software, edit settings, modify conf files, and more.

Some VPNs offer more than just basic VPN services through their apps. Some add additional security features. You'll need to look at each VPN provider's offering to tell which add-on features might meet your needs.

Protocols

If you think that Mac vs. PC or Kirk vs. Picard might spark a religious war, you ain't seen nothing yet. Get a bunch of protocol nerds arguing about which VPN protocols is best and you'll see some fur flying.

The fact is, some communications protocols provide better security and protection than others. Some are older and have been broken by hackers. Generally, VPN providers provide protocols that are reasonably secure for their customers and you can, mostly, go with the default provided protocol.

If you're a total VPN nerd or you're legitimately concerned about being tracked, then an article like this won't help. You'll need to do some deep research into the various protocols and make a decision based on your personal needs.

My advice: if you're using VPNs to protect you from a life-and-death threat, you need to dig deep to learn a lot more than one article will tell you. In fact, you probably want to build some of your own tunneling underneath anything a commercial VPN provider can offer.

In other words, if you're hiding from a nation-state kill squad, a three buck a month VPN service should not be your first line of defense.

Logging and jurisdiction

There are generally two types of information logged by VPN vendors. Detailed surfing information and basic connection and billing information.

You don't want to sign up to any VPN vendor that logs detailed surfing information. Usually people are concerned about this because the availability of logs means a government can request surfing data, but another risk is that companies that log this information might also sell it for marketing purposes.

Also: Brute force and dictionary attacks: A guide for IT leaders Tech Pro Research 

Of course, just because a vendor claims it doesn't log doesn't mean that's the truth. The fact is, I haven't found one single VPN vendor that is independently audited by any trusted verification organization. So, for every VPN vendor, you're just trusting what they say. 

One of my editors asked me, "Okay then, if you can't trust them, should this even be a criterion for selecting a VPN?" First, it's not that you can't trust VPN providers, it's that there's no independent verification of claims. Many VPN providers have a lot of satisfied users. Do some web searches on the company you're considering. If you find a lot of user bile or security rants, you know you need to consider another vendor.

As for whether jurisdiction and logging should be a selection criterion, the answer is yes. Just not the only one. Factor it into your decision, certainly, but you should probably have other factors you consider as well.

VPN vendors also log basic login and connection information. This is stuff like how to bill you, or performance data to allow them to tune their network. This is reasonable logging data and is to be expected.

Some VPN vendors operate in countries that have certain disclosure or logging requirements. VPN aficionados often recommend avoiding those companies headquartered in countries (like the US) where the government has some legal disclosure laws. Once again, that depends on, really, how serious you are about hiding your footprints.

Kill switch

The term "kill switch" refers to the capability of a VPN client app to stop sending data when the connection to the VPN provider ends. The idea is that no packets should transfer to the destination server unless encrypted.

Here's a simple rule of thumb: Don't sign up to a VPN service that doesn't offer a kill switch.

Here's a second rule of thumb: Don't trust it to always work.

Where a kill switch lives in the client OS is determined by the client VPN apps code and the OS it's running in. Generally, kill switches tend to live higher up in the app layers of the network connection, although some VPN vendors do have low-level kill switches that are quite effective. When choosing a VPN with a kill switch, look for one where the vendor says it runs at the driver or the OS level.

It's good to have a kill switch in the VPN provider's offering, but be aware that if you lose your connection, the kill switch might not be universally effective. Some packets might get through.

This, by the way, also applies when you start your device. You might make an initial connection and it might take a moment for the VPN app to kick in. During that time, packets might flow that are not protected by the VPN.

It's just a fact of life that VPN providers don't talk about all that much.

This all relates to an important philosophy of network security, the belt and suspenders approach. The idea is you use multiple kinds of security, usually in layers, so if one thing fails, another capability will be there to catch the fail. Like all aspects of VPN, the kill switch is a definite added-value. It's just not something you should count on absolutely.

VPN speed

If you look online, you'll find every VPN vendor claiming to be the world's fastest. Some cite supposedly independent lab reports. Some cite the results of running SpeedTest.net. Others are at tech websites where lab tests supposedly show better results for some VPN services than others.

In reality, none of the speed tests published -- including the ones I've done -- will matter for your needs. Here's why.

When I conduct my speed tests, it's from my office here in Oregon. Everything I do traverses through my local ISP, and that's going to be different from what goes through your ISP. Obviously, my tests are rudimentary.

In theory, we could be more accurate by staging VPN endpoints all around the world, and then running automated, regular tests. And yes, we could get a better picture of how VPNs perform. But even then, the performance is going to be fundamentally unrelated to your needs.

The reason is that your exact situation can't be reproduced in anyone's speed tests. Yes, speed tests that reviewers like me perform can give you a general idea of performance of one service compared to another, but that's just a very general idea. I can tell you, for example, that one vendor takes longer to establish a VPN connection than another, or one country seems to perform better with one VPN than another.

But here's where that trial time becomes important: You have to test for yourself. You need to run your workloads through the VPN service you're trying out, from your client machine in your various locations to the servers you need to reach -- at the times of the day you expect to be online. And you need to determine, by trying it yourself, what works best for you.

Price

Price should be the least important aspect of your decision. If a $3/month VPN service is unusable from your location to the destination server, it doesn't matter that it's cheaper than the $12/month service that performs better.

Choose a VPN based on the performance testing I've recommended. In other words, choose a VPN based on how long you have to try it; then try it.

Now here's a hint for saving some money. Almost every site that reviews VPNs has affiliate deals (including ours). When you click a link from a site and then buy the VPN service, some amount of what you spend goes back to the originating site.

Also: Top security tips revealed by industry experts for work and home TechRepublic 

These are great ways the VPN companies and you can support the sites you frequent. Unfortunately, because there are often deals underlying VPN listings, you can't always be sure that "the best" VPNs are truly the best objectively. They might be the vendors that offer the best affiliate deals to the site listing the deals. Again, this is why the trial period and doing your own testing matters so much.

Here's the way you can save money: Usually these affiliate links offer a discount above and beyond the posted price the VPN vendor offers on its own site. So if you do want to save some money and support your favorite sites, definitely look on recommending sites. Sometimes, you'll find a great deal.

Final thoughts

Remember that your circumstances determine your choice. Normally, for example, when I surf outside the house, I VPN back to my house using the operating system's own client software. I don't use a VPN service.

But when Hurricane Irma knocked Florida back to the stone age and power was out back at home, I couldn't VPN into my home servers. It was then that I chose a VPN service and relied on it while traveling.

If you're fluent in Linux and, say, AWS or Digital Ocean, you might spin up your own VPN server in the cloud and avoid all these services.

But, the fact is, all of that takes a lot of time and technical skill many folks don't have. For those who don't want to go full nerd, many of the VPN services we discuss offer good solutions to the problem of protecting Wi-Fi connections at a local coffee shop or hotel.

If you're a dissident, an activist, a spy, or someone trying to hide activity from a nation state, don't trust anyone's review. Do your own research and be sure you can stay safe.


You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.