A virtual private network (VPN) service is a proxy server marketed to help users bypass Internet censorship such as geo-blocking and users who want to protect their communications against user profiling or MitM attacks on hostile networks.
A wide variety of entities provide VPN services for several purposes. Depending on the provider and the application, they do not always create a true private network. Instead, many providers simply provide an Internet proxy that uses VPN technologies such as OpenVPN or WireGuard. Commercial VPN services are often used by those wishing to disguise or obfuscate their physical location or IP address, typically as a means to evade Internet censorship or geo-blocking.
Providers often market VPN services as privacy-enhancing, citing security features, such as encryption, from the underlying VPN technology. However, when the transmitted content is not encrypted before entering the proxy, that content is visible at the receiving endpoint regardless of whether the VPN tunnel itself is encrypted for the inter-node transport. On the client side, configurations intended to use VPN services as proxies are not conventional VPN configurations. However, they do typically utilize the operating system's VPN interfaces to capture the user's data to send to the proxy. This includes virtual network adapters on computer OSes and specialized "VPN" interfaces on mobile operating systems. A less common alternative is to provide a SOCKS proxy interface.
In 2025, 1.75 billion people used VPNs. By 2027, this market has been projected to grow to $76 billion. [1] As of 2022, recommendation websites for VPNs tended to be affiliated with or even owned by VPN service providers, and VPN service providers often make misleading claims on their products. [2]
VPNs allow users to bypass regional restrictions by hiding their IP address from the destination server and simulating a connection from another country.[ citation needed ]
Where public Wi-Fi networks do not provide isolated encryption for each connected device, VPN services can provide a certain level of protection. When in use, potential eavesdroppers on the network can only observe that a connection to the VPN server is made by a user's device. [3] As of June 2025, however, approximately 98% of human-generated internet traffic was encrypted using TLS through the HTTPS protocol; [4] when TLS is used, network eavesdropping can only point out the IP addresses or hostnames a user is connecting to. Interception of network requests by a bad actor in the form of a Man-in-the-middle attack will most likely result in a certificate warning in being displayed in the user's browser. [5]
SSL stripping, the practice of downgrading a connection to unencrypted HTTP, [6] [7] doesn't always result in a browser warning,[ citation needed ] although this has been partly mitigated by the implementation of HTTP Strict Transport Security. [8] [9]
Activists and journalists working in restrictive or authoritarian regions often use VPNs to maintain anonymity and protect sensitive communications. VPNs mask IP addresses and encrypt data, ensuring safe access to information and secure communication channels.[ citation needed ]
As of 2025, four of the top six countries of VPN adoption rates from 2020 through the first half of 2025 were in the Middle East: UAE #1, Quatar #2, Oman #5 and Saudi Arabia #6 [10] Aside from bypassing a block of content it is thought that bypassing of restriction of voice over internet protocol (VoIP) services,like WhatsApp, Skype, and FaceTime are motivating facctors. [10]
Users are commonly exposed to misinformation on the VPN services market, which makes it difficult for them to discern fact from false claims in advertisements. [11] According to Consumer Reports, VPN service providers have poor privacy and security practices and also make hyperbolic claims. [12] The New York Times has advised users to reconsider whether a VPN service is worth their money. [13] VPN services are not sufficient for protection against browser fingerprinting. [14] The provider may log the user's traffic, although this depends on the individual company.{{cn]}} Users can still be tracked through tracking cookies even if the user's IP address is hidden.[ citation needed ]
A VPN service is not in itself a means for good Internet privacy. The burden of trust is simply transferred from the Internet service provider to the VPN service provider. [15] [16]
In China, unlawful use of VPNs may result in criminal prosecution under the relatively obscure Supreme People’s Court guidelines: the Criminal Information Technology System Security Offense Adjudicative Guidelines [17] and the Damage to Telecommunications Market Integrity Adjudicative Guidelines [18] .
According to the guidelines, however, the simple use of typical VPN tunnels is not inherently unlawful because it does not achieve the elements of a computer crime, i.e. intrusion or unlawful control of a computer. [17] VPN providers themselves can be prosecuted because providing a type of VPN in a way that severely disrupts the telecommunications market constitutes the offense of unlawful business operations. [18] Additionally, if a VPN is used to commit illegal activities, then its provision could fall under aiding and abetting a crime. This was the logic applied by Chinese police in the widely publicized case involving a Chinese programmer who was penalized on grounds he used an unapproved international connection to provide internet consulting services to a Company for 1,058,000 CNY in unlawful income. [19]
Russia banned various VPN service providers in 2021. [20] Law No. 276-FZ (2017) requires VPN/anonymizer services to prevent access to sites on the government blacklist; it prohibits owners of virtual private network (VPN) services and internet anonymizers from providing access to websites banned in Russia. The obligation is codified via amendments adding Article 15.8 to the Information Law and enforced by Roskomnadzor. [21]
VPN use is subject to a blanket criminal ban protecting the North Korean internet firewall; communication through other countries’ communication networks without approval within the territory of the Republic is not allowed. The 2023 revision of the Radio Wave Control Law also provides penalties including fines and “up to three months of unpaid labor or punishment by labor education. [22]
VPNs are subject to general criminalization, but with discretion by the government to allow certain permissible uses. Use of filtering-circumvention tools (e.g., VPN services) is prohibited unless legally authorized by permit under the Supreme Council of Cyberspace’s 2024 resolution (cl. 6). [23]
In 2018 PC Magazine recommended that users consider choosing a provider based in a country with no data retention laws because that makes it easier for the service to keep a promise of no logging. [24] PC Magazine and TechRadar also suggested that users read the provider's logging policy before signing up for the service, [25] because some providers collect information about their customers' VPN usage. [26] [27]
| Service | Leak Protection | Protocols | Obfuscation / Censorship Avoidance | Network Neutrality | Server | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| First-party DNS servers | IPv6 supported / blocked | Offers kill switch | Offers OpenVPN | Offers WireGuard | Supports multihop | Supports TCP port 443 | Supports Obfsproxy | Offers SOCKS | Linux support | Supports SSL tunnel | Supports SSH tunnel | Blocks SMTP (authent.) | Blocks P2P | Dedicated or virtual | Diskless | |
| Avast SecureLine | Yes | Yes | Yes | Yes | No | No | No | No | Some [28] | Dedicated [29] | No | |||||
| ExpressVPN | Yes [30] | Yes | Yes | Yes [30] | No | No | Yes [30] | Yes [31] | No [32] | Both [33] [34] | Yes | |||||
| Hotspot Shield | No | No | Yes | No | No | No | No | ? | ||||||||
| IPVanish | Yes [35] | Yes [36] | Yes | Yes [37] | Yes [38] | No | Yes [39] | Yes [40] | Yes [37] | Yes [41] | No | No | No [37] | No [37] | Dedicated | No |
| IVPN | Yes [42] | No [43] | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes [44] | Yes [45] | No [46] | No [47] | Dedicated [48] | No | |
| Mullvad | Yes [49] | Yes [49] | Yes | Yes [49] | Yes [50] | Yes; WireGuard [51] and SOCKS5 | Yes [49] | No [52] | Yes [53] [49] | Yes [54] | Yes | Yes [49] | No [49] | Yes [55] | Dedicated [56] | Yes [57] |
| NordVPN | Yes [58] | No [59] | Yes | Yes [60] | Yes; NordLynx based on WireGuard [61] | Yes; OpenVPN [62] and SOCKS5 | Yes [63] | Yes [64] | Yes [65] | Yes | No [66] | Dedicated | Yes | |||
| Private Internet Access | Yes [67] | Yes [68] | Yes | Yes [69] | Yes [70] | Yes [71] | Yes [72] | No | Yes [73] | Yes [74] | Some [a] | No [76] | Dedicated [77] | Yes [78] | ||
| PrivadoVPN | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | ||||||||
| ProtonVPN | Yes | No | Yes | Yes | Yes [79] | Yes | Yes | No | No | Yes [80] | Yes | Yes | Some [b] | Dedicated | ||
| PureVPN | Yes | Yes | Yes | Yes [82] | No | No | Only through SSTP [83] | No | No | Yes [84] | No | Some [85] | Both [86] [34] | No | ||
| Surfshark | Yes | No | Yes | Yes | Yes | Yes (WG, OVPN, IKEv2) | Yes | No | No | Yes | Some | No | Both | Yes | ||
| TunnelBear | Yes [87] | Yes | Yes | Yes [88] [89] | No | No | No | Yes [90] [91] | Yes | Yes | No [92] | Some [93] | ||||
| Windscribe | Yes | Yes | Yes | Yes | Yes [94] | Yes | Yes | No | No [95] | Yes (via Stealth protocol) | No | No | No | Dedicated [c] | Yes [97] | Yes |
Notes
| Service | Data encryption | Handshake encryption | Data authentication | |||
|---|---|---|---|---|---|---|
| Default provided | Strongest provided | Weakest provided | Strongest provided | Weakest provided | Strongest provided | |
| Avast SecureLine | AES-256 | |||||
| ExpressVPN | AES-256 | CA-4096 | ||||
| Hotspot Shield | AES-128 [98] | TLS 1.2 ECDHE PFS [98] | HMAC [99] | |||
| IPVanish | AES-256 [100] | RSA-2048 [100] | SHA-256 [100] | |||
| IVPN | AES-256 [42] | RSA-4096 [42] | ||||
| Mullvad | AES-256 (GCM) [49] | ML-KEM [101] | RSA-4096 [49] | SHA-512 [49] | ||
| NordVPN | AES-256 [102] | AES-256 (CBC) [102] | 2048-bit Diffie-Hellman [102] | |||
| Private Internet Access | AES-128 (CBC) [103] | AES-256 [103] | ECC-256k1 [103] | RSA-4096 [103] | SHA-1 [103] | SHA-256 [103] |
| PrivadoVPN | AES-256 | |||||
| ProtonVPN | AES-256 | RSA-4096 | HMAC with SHA-384 | |||
| PureVPN | AES-256 | |||||
| SaferVPN | AES-256 [104] | 2048bit SSL/TLS [104] | SHA-256 [104] | |||
| TunnelBear | AES-128 (CBC) [a] | AES-256 (CBC) [88] | 1548 bit Diffie–Hellman [b] | 4096 bit Diffie–Hellman [88] | SHA-1 [c] | SHA-256 [88] |
| Surfshark | AES-256 | AES-256 (CBC) | 2048-bit Diffie–Hellman | |||
| Windscribe | AES-256 [105] | RSA-4096 [105] | SHA-512 | |||
Notes
The following definitions clarify the meaning of some of the column headers in the comparison tables above.
We were looking for features, value, and clear and honest pricing. Free ways to learn more about a service - free plans, trial periods, refund periods - were important, and we also looked for companies which maintained your privacy when you signed up (no email address required, trials available without credit cards, Bitcoin available as a payment option).
We support peer-2-peer (P2P) networking in some of our server locations.
All of our VPN gateways run on dedicated hardware servers.
Our network is SSL-secured
Similar to PureVPN, ExpressVPN says it uses virtual servers in certain locations due to infrastructure issues.
No, but we are planning to add the support of IPv6 in 2018.
For OpenVPN TCP connections - port 443.
Yes, we do support Socks5 proxies as well as HTTP proxies (1 HTTP and Socks5 proxy at each of our VPN server destinations).
We use our own private DNS servers for your DNS queries while on the VPN.
IPv6 leak protection disables IPv6 traffic while on the VPN. This includes 6to4 and Teredo tunneled IPv6 traffic.
This is used in conjunction with the OpenVPN protocol [...]
Although quite different from a VPN, we provide a SOCKS5 Proxy with all accounts in the event users require this feature.
Any VPN provider that does not retain logs must block outgoing SMTP traffic due to rampant spam associated with usage of VPN services. With that said, we can whitelist (allow) any outgoing email server that a) require authentication, and b) is correctly setup so as not to be an open relay.
In addition, any blocked software by your ISP including P2P and other various software applications will be unblocked and unrestricted on our systems.
10 Multi-Logins per Household
Furthermore, we have blocked P2P on some of our servers as per changing Global Web Policy. We don't allow p2p/filesharing where it's illegal by law named United Kingdom (UK), United States (US), Canada, Australia etc.
PureVPN has never denied using virtual servers. To make matters simpler, an update on our Server Location page will state which servers are virtual and which are physical.
Every time you connect to TunnelBear, your DNS requests are directed to TunnelBear DNS servers, so your ISP can no longer see what websites you're visiting. And because we don't keep any records of your DNS, you're the only one that knows your browsing history.
When you turn GhostBear on, it changes your VPN traffic signature to look like a different kind of traffic. To do this, GhostBear uses a technology called Obfsproxy.
TunnelBear does not block SMTP on our network.
Turning Hotspot Shield on encrypts all of the traffic between your device and our servers using TLS 1.2 with perfect forward secrecy (ECDHE), 128-bit AES data encryption.
We encrypt all of the traffic between your device and our servers using TLS 1.2 with perfect forward secrecy (ECDHE), 128-bit AES data encryption, and HMAC message authentication.