Avoid The Hack: 3 Best VPN Picks for Privacy and Security
Virtual Private Networks (VPNs) weren’t initially designed to be privacy tools. Rather, they were primarily designed to securely connect two physically separate networks.
However, in some cases and assuming a number of criteria is met, VPNs can be used as tools to benefit user privacy. Here, you will find avoidthehack’s top recommendations for privacy-friendly and no-logs VPN services.
VPNs are not drop-in replacements for basic security hygiene and privacy-friendly best practices.
Prior to considering recommendations outlined here, users are highly encouraged to:
At a glance...
All VPN providers listed here follow the avoidthehack VPN provider criteria.
| Service Logo | Name | Jurisdiction | Server Locations | Free tier | Remote Port Forwarding | MFA on client | IPv6 Support | Censorship resistant protocol | Infrastructure | Go to service |
|---|---|---|---|---|---|---|---|---|---|---|
 |
IVPN | Gibraltar | 35 countries | Partially | Obfsproxy | Rented | Visit Service | |||
 |
Mullvad | Sweden | 39 countries | Shadow Socks | In-house + rented | Visit Service | ||||
 |
Proton | Switzerland | 66 countries | Partially | Stealth | In-house + rented | avoidthehack affiliate |
iVPN
Highlights
- Anonymous registration possible
- Firewall feature protects against DNS, IPv6, and WebRTC leaks
- Accepts Monero for payments
- Support for IPSec protocol
iVPN is a no-logs VPN service provider operating out of Gibraltar. iVPN regularly (yearly) undergoes security audits from reputable third-parties; their no-logs policy is also audited regularly.
iVPN permits truly anonymous registration - an email is not required to register. An automated generator is used to create user accounts; the generated account number is used to connect to the VPN service; users can then "add time" to their accounts. iVPN accepts anonymous forms of payment such as Monero and Cash. They also allow payment via pseudonymous Bitcoin and traditional forms of payment like a credit card.
However, if users prefer an email and password, then they can register that way as well. Account-related data is stored on a separate, offline, and hardened server not connected to iVPN's VPN servers.
Terminated VPN accounts (due to any number of reasons, such as subscription ending) are automatically deleted after 90 days.
iVPN’s clients are open-source and support most common devices. Mulfifactor authentication (MFA) is supported on iVPN's clients.
Users can choose from WireGuard, OpenVPN, or IPSec protocols via iVPN’s clients. Assuming users sign up for the "Pro" plan, port forwarding is available for WireGuard and OpenVPN protocols.
iVPN’s Killswitch/Firewall feature provides protection against DNS, IPv6, and WebRTC leaks in addition to disabling the device’s network connection when the VPN connection is unstable.
AntiTracker blocks ads, trackers, and malicious domains/hosts via DNS, providing ad and tracker blocking while connected to the VPN and browsing. For users requiring (or simply desiring it), Obfsproxy is iVPN’s answer to circumventing censorship on desktop clients.
For WebRTC leaks, users are still highly encouraged to address the leak from inside their browsers in the case they are not connected to the VPN.
iVPN has servers in 35 countries. Although iVPN does not traditionally own any of its servers, they vet their suppliers and infrastructure partners. For reference, iVPN publicly lists names of its hosting providers on their server Status page.
Specifically, iVPN rents bare-metal servers from these vetted hosting providers; hosting providers must enable secure access to the Intelligent Platform Management Interface (IPMI). iVPN reinstalls the server from scratch, encrypting server disks with Linux Unified Key Setup (LUKS) to ensure the security and integrity of data at rest.
iVPN is currently planning, in the not-so-distant future, to roll out physical activation codes. Users will be able to purchase time for their accounts at retailers.
Mullvad
Highlights
- Anonymous registration possible
- Accepts Monero for payments
- Post-quantum resistant VPN tunnels
- Diskless servers (depending on choice)
Mullvad is a no-logs VPN service provider operating out of Sweden and owned by Swedish parent company Amagicom AB. Mullvad’s VPN service undergoes regular security audits.
Mullvad permits truly anonymous account registration. Users create their accounts via generating an account number and then funding (“adding time”) to their accounts. Mullvad accepts Monero cryptocurrency and cash payments. As of December 2022, Mullvad no longer permits refunds via cryptocurrency payments.
Mullvad’s clients are available for most platforms and are open-source - as of writing, Mullvad does not support MFA on its clients. Mullvad’s clients have a built in killswitch enabled by default that cannot be disabled; likewise, DNS leak protection is always on and cannot be disabled. Mullvad’s clients support the OpenVPN and WireGuard VPN protocols.
As of November 2022, Mullvad rolled out post-quantum safe VPN tunnels on its WireGuard servers.
For reference, the rise of quantum computers and their predicted capabilities threatens the security provided by strong public key cryptography across the world, including critical infrastructure.
For users requiring (or wanting) it, Mullvad’s Shadow Socks protocol provides censorship circumvention on desktop clients; v2ray is an obfuscation method supported on some of Mullvad’s bridges and can be deployed by using a plugin to Shadow Socks.
To help protect user privacy, some of Mullvad’s servers are diskless in operation - the servers run from random access memory (RAM), which is ephemeral and does not store data like a hard disk (whether a hard drive or solid state drive). Once the server is turned off, whatever data was "stored" in RAM is gone.
Mullvad has VPN servers in 39 countries. Mullvad both owns and rents its VPN servers - which servers are owned and rented are clearly represented on their server status page.
In 2021, Mullvad released an audited and public DNS service (presumably, the same DNS servers used by their VPN service) offering DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), QNAME minimization and easylists for adblocking. It is possible to use this service without using their VPN service.
Mullvad’s DNS service also meets avoidthehack criteria for recommended DNS providers.
ProtonVPN
Highlights
- Proton account grants access to Proton ecosystem
- Free tier available
- 1900+ servers in 60+ countries
- Secure core servers directly owned and operated by Proton VPN
Proton VPN is a no-logs VPN service provider operating out of Switzerland and part of the Proton family of privacy-respecting products and services, like Proton Mail.
To create an account with Proton VPN, users will need to provide an email address, which is the only information required for account creation. Creation of a Proton account also grants users access to the free tiers of Proton Mail, Proton Calendar, and Proton Drive.
Proton Mail is an avoidthehack recommended encrypted email provider.
Proton VPN’s clients are widely available and are open-source; the clients directly support MFA, if enabled on a user’s Proton account. The service supports the OpenVPN, WireGuard, and IKEv2 VPN protocols.
Proton VPN’s servers feature the VPN Accelerator, which is enabled by default for all protocols. According to Proton VPN, VPN accelerator improves VPN connection stability and can increase VPN speeds up to 400 percent.
Proton VPN’s killswitch terminates users’ connection to the internet in the event the VPN connection is unstable; the killswitch is optional. NetShield, if enabled, provides ad, tracker, and malware domain/host blocking via DNS. Tor servers enable users to access .onion sites and hidden services from any browse and bypass censorship.
To gain the maximum privacy benefits from the Tor network, users are still encouraged to use the Tor browser.
In October 2022, Proton VPN launched its censorship resistant protocol, Stealth. Stealth is designed to help users evade censorship and obfuscate their use of a VPN to entities actively enforcing the censorship.
Proton VPN has servers in 66 countries. Proton VPN both owns and rents its VPN servers. All Proton VPN’s servers protect data at rest with full-disk encryption. “Secure Core” servers are all owned by Proton VPN and located in hardened data centers in Switzerland, Iceland, and Sweden.
While Proton VPN does not accept Monero cryptocurrency, the service does allow anonymous payment via cash. Proton VPN also accepts pseudonymous payment via Bitcoin.
For those interested, Proton does offer a free tier, which is subsidized by the paying users. The free tier is entitled to the same privacy policy as paid tiers and extends across all of Proton's offerings - VPN service, encrypted email, and encrypted calendar.
Criteria for VPN providers
At a minimum, to be listed on avoidthehack, VPN service providers must:
No-logs policy
Any VPN provider’s no-logs policy must have been audited by a third party.
Please note that despite a service having a no-logs policy, it is often impossible to 100% verify the claim.
OpenVPN and Wireguard Support
VPN providers listed here should have support for both OpenVPN and Wireguard protocols. These protocols have proven secure when implemented appropriately for most users.
Open-source clients
If clients are provided, they must be open-source. Open-source software promotes transparency and leverages the global security/privacy community for matters like adding features and addressing weaknesses in the source code.
Additionally, along with being open-source, VPN clients must not have any tracking technologies embedded in the source code or request unnecessary permissions (such as location and bluetooth information.)
Support mobile clients
Clients should also have support for mobile platforms, like iOS and Android. Despite the VPN “flaws” associated with mobile operating systems, mobile clients enable easy use of VPNs for most users.
Tracker-free clients
Any clients developed and maintained by the VPN provider must be free of tracking technologies including, but not limited to:
- Invasive app analytics
- Ads (and ad trackers)
- Unwarranted phoning home (outside the VPN connection)
Independently audited
VPN providers listed here should have publicly available audit results conducted by reputable third parties. Ideally, audits would be conducted on a regularly schedule.
It’s worth noting independent audits absolutely do not guarantee a VPN provider’s no-logs claims, but it does show an effort to be transparent.
The audit should also probe for an encryption or protocol implementation weaknesses in addition to “verifying no logs” claims.
Strong encryption
VPN providers should use strong cryptographic libraries and implementations, such as:
- OpenVPN paired with SHA-256 authentication
- RSA 2048 handshake or better
- AES-256 for data encryption
Perfect forward secrecy (PFS)
PFS removes reliance on a single server’s private key that rarely changes. PFC generates a new session key for each transaction. This alleviates (but does not eradicate) risk in the event an attacker gains access to a session key.
Anonymous payments
VPN providers listed here should take some form of anonymous payment. This can include accepting cash and/or Monero payments. Ideally, the VPN provider would take more than one form of anonymous payment.
Minimal PII or Anonymous registration
At most, VPN providers listed here collect email addresses. Email addresses from owned domains and privacy-friendly encrypted email providers should be accepted. Email addresses must not be shared with third parties.
Ideally, VPN providers listed here should permit anonymous account registration - no PII should be collected at the time of account creation.
Supplying any additional PII should not be a requirement for VPN services to be rendered.
Multihop support
Multihop support borrows from the Tor Relay model. In the event a VPN server node is compromised, Multihop alleviates risk of user data leakage (such as browsing data) to a compromised node.
Reliable killswitches
Killswitches prevent traffic from leaking in the event the device connection to the VPN servers becomes unstable for any reason.
Support ad and malware blocking
The DNS resolvers used by the VPN should support ad and malware blocking. This helps alleviate privacy and security issues potentially stemming from targeted ads or accidental/unwanted connections to hosts known to serve malware.
Nice to haves
These are features that would be nice to have in a VPN provider but aren’t requirements for recommendation here on avoidthehack.
Remote port forwarding support
Remote port forwarding assists in maintaining the benefits of a VPN when engaging in peer-to-peer (P2P) activities.
IPV6 Support
IPv6 is said to (one day) replace the IPv4 standard. IPv6 support should allow users to access servers (and services) hosted only on IPv6 addresses.
Supports privacy-related projects
Privacy is not a single entity’s; VPN services lending support to other privacy-promoting projects is a show of solidarity.
Supported/sponsored projects do not have to be avoidthehack.
Final thoughts
VPNs can be useful tools for improving security, and in some cases, privacy posture. However, they should thought of like a supplement on top of an already healthy meal; generally, it’s difficult to be healthy on a bad diet but good supplements.
Users are encouraged to ensure they are following online privacy and personal cybersecurity best practices to get the most out of VPN usage, such as:
- Forcing HTTPS on all connections.
- Using a privacy-oriented browser.
- Fixing WebRTC leaks inside the browser.
- Consider using an encrypted DNS provider (so DNS queries are not sent unencrypted in the event connection to the VPN is unstable/disconnected.)
- Use strong passwords - better yet, a password manager.
With that said, stay safe out there!