VPN service

For the more general concept, see virtual private network.

This article contains dynamic lists that may never be able to satisfy particular standards for completeness. You can help by editing the page to add missing items, with references to reliable sources.

A virtual private network (VPN) service is a proxy server marketed to help users bypass Internet censorship such as geo-blocking and users who want to protect their communications against user profiling or MitM attacks on hostile networks.

A wide variety of entities provide VPN services for several purposes. Depending on the provider and the application, they do not always create a true private network. Instead, many providers simply provide an Internet proxy that uses VPN technologies such as OpenVPN or WireGuard. Commercial VPN services are often used by those wishing to disguise or obfuscate their physical location or IP address, typically as a means to evade Internet censorship or geo-blocking.

Providers often market VPN services as privacy-enhancing, citing security features, such as encryption, from the underlying VPN technology. However, when the transmitted content is not encrypted before entering the proxy, that content is visible at the receiving endpoint regardless of whether the VPN tunnel itself is encrypted for the inter-node transport. On the client side, configurations intended to use VPN services as proxies are not conventional VPN configurations. However, they do typically utilize the operating system's VPN interfaces to capture the user's data to send to the proxy. This includes virtual network adapters on computer OSes and specialized "VPN" interfaces on mobile operating systems. A less common alternative is to provide a SOCKS proxy interface.

In 2025, 1.75 billion people use VPNs. By 2027, this market is projected to grow to $76 billion.^[1] Recommendation websites for VPNs tend to be affiliated with or even owned by VPN service providers, and VPN service providers often make misleading claims on their products.^[2]

VPN use cases

Accessing geo-restricted content

VPNs allow users to bypass regional restrictions by hiding their IP address from the destination server and simulating a connection from another country.

Improving privacy on public Wi-Fi

Where public Wi-Fi networks do not provide isolated encryption for each connected device, VPN services can provide a certain level of protection. When in use, potential eavesdroppers on the network can only observe that a connection to the VPN server is made by a user's device.^[3] As of June 2025, however, approximately 98% of human-generated internet traffic was encrypted using TLS through the HTTPS protocol;^[4] when TLS is used, network eavesdropping can only point out the IP addresses or hostnames a user is connecting to. Interception of network requests by a bad actor in the form of a Man-in-the-middle attack will most likely result in a certificate warning in being displayed in the user's browser.^[5]

SSL stripping, the practice of downgrading a connection to unencrypted HTTP,^[6][7] doesn't always result in a browser warning,^{[citation needed]} although this has been partly mitigated by the implementation of HTTP Strict Transport Security.^[8][9]

Improving privacy for activists and journalists

Activists and journalists working in restrictive or authoritarian regions often use VPNs to maintain anonymity and protect sensitive communications. VPNs mask IP addresses and encrypt data, ensuring safe access to information and secure communication channels.

Criticism and limitations

Users are commonly exposed to misinformation on the VPN services market, which makes it difficult for them to discern fact from false claims in advertisements.^[10] According to Consumer Reports, VPN service providers have poor privacy and security practices and also make hyperbolic claims.^[11] The New York Times has advised users to reconsider whether a VPN service is worth their money.^[12] VPN services are not sufficient for protection against browser fingerprinting.^[13]

Security

A VPN service is not in itself a means for good Internet privacy. The burden of trust is simply transferred from the ISP to the VPN service provider.^[14][15] The provider may log the user's traffic, although this depends on the individual company. Users can still be tracked through tracking cookies and device fingerprinting, even if the user's IP address is hidden.

Legality

Further information: VPN blocking

China

In China, unlawful use of VPNs may result in criminal prosecution under the relatively obscure Supreme People’s Court guidelines: the Criminal Information Technology System Security Offense Adjudicative Guidelines ^[16] and the Damage to Telecommunications Market Integrity Adjudicative Guidelines ^[17].

According to the guidelines, however, the simple use of typical VPN tunnels is not inherently unlawful because it does not achieve the elements of a computer crime, i.e. intrusion or unlawful control of a computer.^[16] VPN providers themselves can be prosecuted because providing a type of VPN in a way that severely disrupts the telecommunications market constitutes the offense of unlawful business operations.^[17] Additionally, if a VPN is used to commit illegal activities, then its provision could fall under aiding and abetting a crime. This was the logic applied by Chinese police in the widely publicized case involving a Chinese programmer who was penalized on grounds he used an unapproved international connection to provide internet consulting services to a Company for 1,058,000 CNY in unlawful income.^[18]

Russia

Russia banned various VPN service providers in 2021.^[19] Law No. 276-FZ (2017) requires VPN/anonymizer services to prevent access to sites on the government blacklist; it prohibits owners of virtual private network (VPN) services and internet anonymizers from providing access to websites banned in Russia. The obligation is codified via amendments adding Article 15.8 to the Information Law and enforced by Roskomnadzor.^[20]

North Korea

VPN use is subject to a blanket criminal ban protecting the North Korean internet firewall; communication through other countries’ communication networks without approval within the territory of the Republic is not allowed. The 2023 revision of the Radio Wave Control Law also provides penalties including fines and “up to three months of unpaid labor or punishment by labor education.^[21]

Iran

VPNs are subject to general criminalization, but with discretion by the government to allow certain permissible uses. Use of filtering-circumvention tools (e.g., VPN services) is prohibited unless legally authorized by permit under the Supreme Council of Cyberspace’s 2024 resolution (cl. 6).^[22]

Comparison of commercial virtual private network services

Privacy

PC Magazine recommends that users consider choosing a provider based in a country with no data retention laws because that makes it easier for the service to keep a promise of no logging.^[23] PC Magazine and TechRadar also suggest that users read the provider's logging policy before signing up for the service,^[24] because some providers collect information about their customers' VPN usage.^[25][26]

Technical features

Service	Leak Protection			Protocols		Obfuscation / Censorship Avoidance							Network Neutrality		Server
	First-party DNS servers	IPv6 supported / blocked	Offers kill switch	Offers OpenVPN	Offers WireGuard	Supports multihop	Supports TCP port 443	Supports Obfsproxy	Offers SOCKS	Linux support	Supports SSL tunnel	Supports SSH tunnel	Blocks SMTP (authent.)	Blocks P2P	Dedicated or virtual	Diskless
Avast SecureLine	Yes	Yes	Yes	Yes	No	No	No			No				Some[27]	Dedicated[28]	No
ExpressVPN	Yes[29]	Yes	Yes	Yes[29]	No	No				Yes[29]	Yes[30]			No[31]	Both[32][33]	Yes
Hotspot Shield	No	No	Yes	No	No	No				No				?
IPVanish	Yes[34]	Yes[35]	Yes	Yes[36]	Yes[37]	No	Yes[38]	Yes[39]	Yes[36]	Yes[40]	No	No	No[36]	No[36]	Dedicated	No
IVPN	Yes[41]	No[42]	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes[43]		Yes[44]	No[45]	No[46]	Dedicated[47]	No
Mullvad	Yes[48]	Yes[48]	Yes	Yes[48]	Yes[49]	Yes; WireGuard[50] and SOCKS5	Yes[48]	No[51]	Yes[52][48]	Yes[53]	Yes	Yes[48]	No[48]	Yes[54]	Dedicated[55]	Yes[56]
NordVPN	Yes[57]	No[58]	Yes	Yes[59]	Yes; NordLynx based on WireGuard[60]	Yes; OpenVPN[61] and SOCKS5	Yes[62]		Yes[63]	Yes[64]			Yes	No[65]	Dedicated	Yes
Private Internet Access	Yes[66]	Yes[67]	Yes	Yes[68]	Yes[69]	Yes[70]	Yes[71]	No	Yes[72]	Yes[73]			Some[a]	No[75]	Dedicated[76]	Yes[77]
PrivadoVPN	Yes	Yes	Yes	Yes	Yes				Yes	Yes				No
ProtonVPN	Yes	No	Yes	Yes	Yes[78]	Yes	Yes	No	No	Yes[79]	Yes	Yes		Some[b]	Dedicated
PureVPN	Yes	Yes	Yes	Yes[81]	No	No	Only through SSTP[82]	No	No	Yes[83]			No	Some[84]	Both[85][33]	No
Surfshark	Yes	No	Yes	Yes	Yes	Yes (WG, OVPN, IKEv2)	Yes	No	No	Yes			Some	No	Both	Yes
TunnelBear	Yes[86]	Yes	Yes	Yes[87][88]	No	No	No	Yes[89][90]	Yes	Yes			No[91]	Some[92]
Windscribe	Yes	Yes	Yes	Yes	Yes[93]	Yes	Yes	No	No[94]	Yes (via Stealth protocol)	No	No	No	Dedicated[c]	Yes[96]	Yes

Notes

1. The support team may be willing to whitelist your email provider's SMTP server upon request.^[74]
2. Only on free plan.^[80]
3. With the exception of one virtual server located in Antartica.^[95]

Encryption

Service	Data encryption		Handshake encryption		Data authentication
	Default provided	Strongest provided	Weakest provided	Strongest provided	Weakest provided	Strongest provided
Avast SecureLine	AES-256
ExpressVPN	AES-256			CA-4096
Hotspot Shield	AES-128[97]		TLS 1.2 ECDHE PFS[97]		HMAC[98]
IPVanish	AES-256[99]		RSA-2048[99]		SHA-256[99]
IVPN	AES-256[41]			RSA-4096[41]
Mullvad	AES-256 (GCM)[48]	ML-KEM[100]	RSA-4096[48]		SHA-512[48]
NordVPN	AES-256[101]	AES-256 (CBC)[101]	2048-bit Diffie-Hellman[101]
Private Internet Access	AES-128 (CBC)[102]	AES-256[102]	ECC-256k1[102]	RSA-4096[102]	SHA-1[102]	SHA-256[102]
PrivadoVPN	AES-256
ProtonVPN	AES-256		RSA-4096		HMAC with SHA-384
PureVPN	AES-256
SaferVPN	AES-256[103]		2048bit SSL/TLS[103]		SHA-256[103]
TunnelBear	AES-128 (CBC)[a]	AES-256 (CBC)[87]	1548 bit Diffie–Hellman[b]	4096 bit Diffie–Hellman[87]	SHA-1[c]	SHA-256[87]
Surfshark	AES-256	AES-256 (CBC)	2048-bit Diffie–Hellman
Windscribe	AES-256[104]		RSA-4096[104]		SHA-512

Notes

1. Only on iOS 8 and earlier. All other supported devices and operating systems use AES-256 (CBC).^[87]
2. iOS 9 and later use 2048 bit. iOS 8 and earlier use 1548 bit. All other supported devices and operating systems use 4096 bit.^[87]
3. iOS 8 and earlier use SHA-1. All other supported devices and operating systems use SHA-256.^[87]

Definitions

The following definitions clarify the meaning of some of the column headers in the comparison tables above.

Anonymous payment method

Whether the service offers at least one payment method that does not require personal information. Even if a service accepts a cryptocurrency like bitcoin, it might still require that the customer hands over personally identifiable information (PII) like their full name and address.

Bandwidth

Whether the users' bandwidth is logged while using the service, according to the service's privacy policy.

Diskless

Whether the service's server hardware is connected to hard drives, according to the service provider. If the servers are diskless, the service provider should be unable to log any usage data.

First-party DNS servers

Whether the service provides its own domain name system (DNS) servers.

Kill switch

Whether the service has the ability to immediately sever your connection to the Internet in the event that the VPN connection fails. This prevents a user IP address leak.^[105]

Logging

Whether the service stores information about their users' connection or activity on the network, according to the service's privacy policy or terms of service. If logging isn't mentioned in those sections but denied somewhere else on the website, the particular table cell will be marked as "No" in yellow and include an explanatory note.

Privacy Impact Score

An indicator of a website's usage of potentially privacy intrusive technologies such as third-party or permanent cookies, canvas trackers etc.^[106] The score can be in the range from 0 to 100, where 0 is minimal privacy impact (best) and 100 is the biggest privacy impact (worst) relative to other web sites.^[106] The score also has a simplified letter and colour presentation from A to F where A is "No cookies" and F is "Score above three standard deviations from the average".^[106] The metric is developed by WebCookies.org.^[106]

Obfuscation

Whether the service provides a method of obfuscating the VPN traffic so that it's not as easily detected and blocked by national governments or corporations.^[107][108]

Offers WireGuard

Whether the service provider offers the WireGuard tunneling protocol.

SSL rating

The service's website's overall SSL server rating according to Qualys SSL Labs' SSL Server Test tool.

Supports Obfsproxy

Whether the service has an implementation of the Tor subproject Obfsproxy.^[107][108]