The Best VPN Service

I am a senior staff writer for Wirecutter, and I’ve been covering privacy and security for 12 years, spending much of that time focused on testing and evaluating VPNs.

For this guide:

• I looked over VPN reviews from PCMag, Tom’s Guide, and other outlets. I also read criticism of the VPN industry from Consumer Reports and Ars Technica, as well as the Electronic Frontier Foundation’s guide to VPNs.
• I spent several weeks researching 77 VPNs before settling on seven for testing.
• I compiled data from 55 VPN companies about their pricing and features to determine industry trends.
• I interviewed privacy experts from the EFF and the Freedom of the Press Foundation.
• During testing, I read through all the companies’ available policy documents and third-party audits.

Previous versions of this guide were written by Yael Grauer and David Huerta.

When you use a VPN, all of your web traffic is protected by an encrypted connection between your computer and a server operated by the VPN company. Such companies have long claimed that this encryption keeps your internet service provider from peeking at your activities and stops snoops on public Wi-Fi networks from intercepting your private information or rerouting you to phishing sites. VPN companies also play up how their services hide your IP address, making it harder for advertisers to track you across the web.

A VPN does do all of that—but whether a VPN is actually necessary for most people to use every day is no longer clear. The widespread adoption of HTTPS in the United States, for secure web browsing, limits what ISPs and anyone running a Wi-Fi network can see, even without a VPN. “Since it’s encrypted, they can’t see your credit card information or things like that,” Rory Mir, the Electronic Frontier Foundation’s associate director of community organizing, told us. ISPs and Wi-Fi operators may still see what sites you visit, but not the specific pages. “They can just see you going to Reddit or Wirecutter,” Mir added.

On top of that, some of the Wi-Fi attacks that VPNs were designed to protect against aren’t even feasible today. David Huerta, senior digital security trainer at Freedom of the Press Foundation, told us that if a Wi-Fi operator were to attempt to redirect you to a malicious page, it would set off numerous alerts in your browser.

Other threats that people encounter can’t be addressed with a VPN alone. VPNs can hide your IP address, but advertisers have numerous sophisticated options for tracking and identifying you online. A VPN also can’t protect against attackers who use information from data breaches to hijack your accounts, and it can’t shield you from scammers who trick you into entering your password on a phishing site.

The experts we spoke with told us that most people probably don’t need a VPN all the time. “It’s a largely redundant and unnecessary thing for most people,” Huerta said. But VPNs are still useful if you have specific goals in mind. A VPN prevents your ISP from seeing anything you do online, more so than HTTPS alone. And there’s good reason to distrust ISPs and their handling of your data, so if that’s a concern for you, a VPN can help. You may also want to use a VPN while traveling, because HTTPS is less widely used outside the US.

VPNs can be especially useful for marginalized people in dangerous environments, Mir told us. Activists or anyone living under a government that censors the internet can use a VPN to try to circumvent those restrictions. And journalists can use a VPN’s IP-address-hiding abilities to avoid tipping off subjects to an investigation.

When evaluating VPNs, we consider the following elements to be the most important.

Trustworthiness: An unscrupulous VPN company could monitor all your traffic, sell your information, or worse. We look for several signals that a VPN takes its customers’ privacy seriously.

• Recent third-party audits: Ideally, the audits cover backend infrastructure and privacy-policy compliance. We prefer services with a track record for releasing audits annually. Audits represent only a snapshot in time, but we consider them extremely valuable.
• Strong privacy policy: The policy should outline what information the company does and does not gather, as well as the efforts the company makes to protect its customers.
• Listing of public leadership: A VPN company should be clear about who owns it and what humans are responsible for the service.
• Bug bounty or disclosure program: Trustworthy VPNs have a system in place for researchers to report potential vulnerabilities so that the company can address them.
• Transparency report: Ideally, a VPN company should outline the requests for information it receives from law enforcement, and how it responded.
• Fair, reasonable marketing copy: The best VPNs don’t resort to misleading scare tactics to drive sign-ups.

Affordability: Looking across 55 VPN services, we found an average monthly price of $10 and an average annual price of $66. VPNs that cost more than the average aren’t necessarily overpriced, but they should offer compelling features to justify their cost.

Most VPNs cost less if you buy a subscription for a year or longer. We recommend that you hold off on committing at first and instead buy the shortest subscription so that you can test the VPN yourself.

Excellent underlying technology: We decided to limit our testing to services that support the open-source OpenVPN protocol, but we gave preference to VPNs that also support the WireGuard protocol, which is a new, lightweight, open-source VPN protocol.

Support for basic controls and security features: A VPN must allow you to use at least five different devices with its service at the same time. The VPN should include a kill switch, which ensures that your machine doesn’t transmit unencrypted data if the VPN is disconnected. The VPN should also let you select a server location manually.

The best VPNs include additional privacy features. Obfuscation makes VPN traffic appear as if it’s HTTPS traffic and thus makes it less likely to be blocked. Multi-hop connections route your traffic through at least two VPN servers, ensuring that your connection is secure even if one VPN server is compromised. Split tunneling lets you designate which apps send their data through the VPN connection, routing low-risk but high-bandwidth tasks such as video streaming outside the VPN. Some VPNs route all your web traffic through a VPN and the Tor network; this provides greater privacy but also slows your connection enormously.

Some VPNs have expanded their portfolio of services to include password managers, secure file storage, and even antivirus. We didn’t evaluate these features closely, but purchasing a bundle of services can result in a cost savings if you’re also in need of other privacy tools.

Ease of use: A good VPN should be available on all the major mobile and desktop platforms, with similar features across all its apps. The best services offer polished interfaces that connect quickly and make it obvious when the VPN is in use and when it is not.

To assemble a list of VPN services for consideration, we checked other reviews from Consumer Reports, PCMag, and other outlets. We also looked at the most popular search results, and which services’ ads we saw the most. Out of the 77 that we evaluated, we tested seven VPN services that met our criteria: ExpressVPN, IVPN, Mullvad, NordVPN, Proton VPN, Surfshark, and TunnelBear.

We read the privacy policies and available audits for all of these services, and we examined their apps and documentation for information about their underlying technology. After purchasing accounts from all of these companies, we evaluated the user experience on an Android phone, an iPhone, an Apple MacBook Pro laptop, and a Windows laptop. We used an online DNS leak test tool to confirm that the VPN was not leaking DNS requests and that our visible IP address changed on every device. All of the VPNs we tested passed both tests on every platform.

We contacted customer support for all seven of the VPNs we tested, asking a simple question about the service.

Speed testing

When you use a VPN, your internet connection slows down because the VPN adds physical distance and additional stops along your internet traffic’s path. Even the best, fastest VPN slows things down a bit.

Price and privacy features are better criteria for judging a VPN, especially because there’s only so much that a company can do to improve its service’s speed. How a VPN performs for you also depends on where you are, when you connect, what VPN server you select, the time you connect, and so on.

We performed speed tests on the seven VPNs we evaluated using the Ookla Speedtest browser tool. Ookla provides three results:

• Latency: This refers to the time it takes for your computer to communicate with Ookla’s test server. The result is measured in milliseconds. For these tests, we used “idle latency,” which is measured when the test tool isn’t testing upload or download speed.
• Download: This is the amount of data that can be downloaded from the internet to your computer, measured in megabits per second (Mbps).
• Upload: This is the amount of data that can be uploaded from your computer to the internet, also measured in megabits per second.

We used a Windows 11 Lenovo laptop connected by Ethernet to a residential FiOS internet connection in Manhattan. We ran several tests with and without the VPN, took the median of each set, and then found the percentage change between the two.

Note: You may occasionally see better performance with a VPN turned on than without, but that is usually not the case. In general, we do not think you should rely on a VPN to provide a better, faster internet experience.

VPN speed-impact testing results

Our testing showed that NordVPN had the least impact in all three categories. Keep in mind that your results are likely to vary greatly from ours. Although our picks didn’t perform the best in our speed testing, their ease of use, value, and dedication to privacy outweigh any impact on performance.

To demonstrate how variable VPN performance can be, we asked four Wirecutter staff members to test our top VPN picks in their own homes. Testers used a mixture of macOS and Windows computers, Wi-Fi and Ethernet connections, and the ISP they had at home. We chose the testers based on their geographic locations across the continental US, including urban and rural environments.

National VPN speed-impact testing comparison

In most of these comparisons, Mullvad performed better than TunnelBear in nearly every category. That trend was consistent, but the results varied greatly. If you’re concerned about the impact on speed, try out a VPN service in your own home and see if it performs well and doesn’t interfere with your day-to-day tasks.

Mullvad puts customer privacy front and center, with features designed to protect users that few other services offer. It also costs significantly less than other VPNs. Some features—such as the lack of usernames and passwords—might take some getting used to, but the benefits outweigh the quirks. Mullvad has been our top VPN pick for four years running.

It’s affordable. At a cost of €5 per month or €60 per year (about $5 and $65, respectively, at this writing), Mullvad is the only VPN we’ve seen that doesn’t incentivize long-term subscriptions with lower prices. Despite that, it’s still one of the most affordable VPNs available, costing about half the average price per month and a dollar or so less than the average for annual plans. The company accepts credit cards, PayPal, and numerous other options. Paying for subscriptions with cryptocurrency gets you a 10% discount. The company does not offer a free trial of its VPN, but it does have a 30-day money-back guarantee.

It’s designed for privacy. You don’t need to provide any personal information to Mullvad in order to use it. When you create an account, Mullvad generates a random account number that serves as your sole identifier. You also use this account number to log in, no password or username required. The idea is that by retaining as little information about customers as possible, Mullvad cannot be compelled to hand over information about them to law enforcement. Even a successful attack on its infrastructure would yield little about its customers.

That dedication to privacy extends to payments as well. The company also accepts cash sent directly to its offices, allowing customers to avoid leaving a digital paper trail. Using a wire transaction, however, makes your account number visible to Mullvad in bank records, although the company does not store that information; we advise against using wire transfers if you’re concerned about anonymity. Mullvad does not offer automatic subscription renewal, because doing so would require the company to track subscription information about its customers.

Mullvad is known for its transparency and trustworthiness. The company’s website lists its leadership and ownership structure, as well as a system for researchers to report potential vulnerabilities. Mullvad has also released third-party audits steadily for the past few years, including evaluations of its infrastructure. The company’s privacy policy is clear and fairly easy to read, and Mullvad provides numerous other documents that go in-depth on important issues, such as what laws apply to the Sweden-based company. To its credit, Mullvad has also been open about security issues, like when Swedish authorities unsuccessfully attempted to search its offices.

Unlike other companies that simply list countries where they offer servers, Mullvad has an interactive site showing all of its servers, their features, and even who owns them. It’s a rarely seen degree of transparency.

Its apps are easy to use and built on good technology. Mullvad’s apps are consistent across platforms and straightforward to use. Getting online is easy, as is switching servers. We liked that the app’s map interface offers one way to start a VPN connection, giving folks who aren’t so great at geography a leg up.

All of Mullvad’s apps support the WireGuard VPN protocol, and its desktop apps also support OpenVPN. Not all of its apps support additional features, however: Only its desktop apps can use multi-hop connections, which route your traffic through a second VPN server, and only its Android and Windows apps provide split tunneling, which lets you route some traffic outside the VPN connection. Most people don’t need those features, though.

Obfuscation, which disguises VPN traffic to avoid being blocked, is available in all of its apps, but like other tools it’s tucked into the settings. The company says that its kill switch, which blocks your device from sending data when the VPN is disconnected, is always on and cannot be disabled; the optional lockdown mode continues blocking internet access even if you quit the app.

It has some features that go beyond what a traditional VPN offers. The company’s app includes the option to block certain kinds of content, such as adult websites, ads, trackers, and more. We prefer to use browser extensions for tracker blocking, but Mullvad’s offering is welcome. We also appreciate that it makes clear that its malware-blocking feature is not the same as full-fledged antivirus protection.

Mullvad doesn’t offer access to the Tor network via VPN, but it did collaborate with the Tor Project to design the Mullvad Browser. This browser includes several anti-tracking and privacy features but does not connect to the Tor network.

Flaws but not dealbreakers

Some of the privacy-preserving features are confusing. Because Mullvad doesn’t offer automatic renewal for subscriptions, you have to keep a close eye on your account to make sure it stays active. We like Mullvad’s use of account numbers instead of usernames and passwords, but that practice might confuse some people.

The privacy and transparency information isn’t centralized. Mullvad has a solid track record of safeguarding its customers’ privacy, but we’d like to see it make that information easier to find. The company should have a readily accessible transparency report that’s updated frequently, and it should commit to annual third-party audits.

It allows only five simultaneous connections. This restriction is especially frustrating, as an increasing number of VPNs have raised or removed limitations on the number of simultaneous connections. If you try to log in to a sixth device, you’re prompted to remotely log out from another. That’s easily done, but it’s still annoying.

It offers servers in only 41 countries. That’s a little below the average we’ve seen of 49 countries, and it’s far less than the selection you get from services such as NordVPN or Proton VPN. Although small, Mullvad’s selection of servers includes regions that other VPNs ignore, but you might have trouble finding a server if you’re traveling or looking to spoof your location.

Whereas other companies lean on businesslike language and flashy graphics to assure and entice customers, TunnelBear uses deadpan cartoon bears and a silly sense of humor. It’s a refreshingly friendly experience, and the service backs that up with a demonstrated track record of privacy and transparency. It’s a VPN you might actually want to use, and you can use it for free (kind of).

It has a long-running commitment to privacy. TunnelBear was one of the first VPN companies to commit to annual third-party audits, and it has stuck to that policy for seven years. It also releases transparency reports, though at a less regular cadence than its audits. Its privacy policy is thorough and includes plain-language breakout sections that explain some portions in greater detail. The Canadian company is owned by McAfee, and McAfee Secure VPN uses TunnelBear’s technology and server network.

It covers the basics well. TunnelBear supports the WireGuard and OpenVPN protocols across all its apps, and it supports IKEv2 on all its apps except the Android version. Its service includes a kill switch (called VigilantBear) and obfuscation (GhostBear), the latter of which is intended to get around attempts to block VPN traffic. Split tunneling (the two-headed SplitBear) is available in all its apps, but the macOS version can route only websites, not app traffic. One standout feature: TunnelBear places no limits on the number of devices you can use at the same time, so it’s a great choice if you want to have a VPN on all your smart devices.

What you won’t find with TunnelBear are additional privacy features. It lacks multi-hop connections, something that Mullvad offers, and it does not provide access to Tor via VPN, as Proton VPN does. Most people are unlikely to miss those tools. You also won’t find a server in every location: TunnelBear has servers across a diverse cross-section of the globe, but only 47 countries total.

It’s a pleasure to use. Although nearly all the VPNs we tested are easy to use, few could be described as enjoyable—and none have the personality of TunnelBear. When you connect, a bear digs a hole before emerging out of a green pipe à la Mario. Most important, these flourishes don’t get in the way of using TunnelBear. If anything, they might encourage customers to explore what it can do. How else will people discover that enabling split tunneling causes an on-screen bear to grow a second head?

When we’ve given friends and loved ones a choice between what we consider to be the best VPN options, nearly all of them have picked TunnelBear.

It offers a limited free subscription. Most VPNs that offer free subscriptions are too shady to recommend, but TunnelBear is a trustworthy company. Free subscribers are limited to only 2 GB of data per month, however. That’s probably enough for some specific activities, but it won’t work if you want to leave your VPN on all the time, especially with multiple devices. You can, however, access any of TunnelBear’s servers and use as many devices as you wish.

Proton VPN has a better free subscription, but TunnelBear’s free plan is worth a test at home.

Security experts caution most people to be wary of free software and services, and that warning especially holds true for VPNs. At best, most free VPNs are painfully limited previews of better products. At worst, they’re outright malicious or at least lacking a serious commitment to customer privacy. Proton VPN is the exception: It offers one of the very few free subscription options that place no restrictions on data usage, and it’s backed by a reliable company.

Proton has a track record for trustworthiness. The company lists its leadership publicly, issues transparency reports, and offers a bug-bounty program. Its most recent third-party audits are from 2023 and cover its no-log policy and apps. We’d like to see Proton commit to regular audits, especially those that include its server infrastructure.

The company came under scrutiny in 2021 when it was revealed that Swiss authorities had compelled the company to record and provide the IP address of a suspect who used its encrypted email service, Proton Mail. The company clarified that its VPN customers could not be subject to a similar order.

Its free subscription is the best we’ve seen. Free subscribers of Proton VPN can use only one device at a time, unlike the typical five or more, and are limited to a subset of the company’s servers. Free subscribers also can’t use some advanced features, such as multi-hop connections. However, Proton VPN does not limit how much data free customers can use or how long they can use the service.

Other free VPNs are more restrictive. TunnelBear’s free VPN limits you to just 2 GB of data per month, which is doable but restricts when and how you use that service. Other services either limit access or attempt to monetize free-user accounts through advertising, ostensibly to control the costs of running a free VPN service. Proton’s free subscription is the only trustworthy free VPN that we could see working well in regular use, without serious issues.

Performance with a free subscription is fine—mostly. By limiting the servers that free subscribers can access, Proton corrals many people into a small number of servers. This practice divides each server’s bandwidth among more people, potentially impacting performance.

In our speed testing, we were at first surprised to see little impact at all from Proton VPN. Then, during the last few tests, the upload and download speeds plummeted from a brisk 90-some megabits per second to just 1.6 Mbps. So while poor performance isn’t guaranteed, we think it’s fair to say that the experience is unpredictable.

It’s an all-around good VPN. Proton VPN supports the WireGuard VPN protocol across all its apps, along with multi-hop connections (called SecureCore) and access to Tor via VPN. It also supports split tunneling in every app except the iOS version. Proton VPN’s collection of server locations is also quite large, covering 91 countries.

If anything, Proton has a little too much going on. Its apps are cluttered and not as consistent as those of Mullvad or TunnelBear. We like its collection of features and how customizable the apps are, but most people aren’t likely to take advantage of those options. An annual subscription costs $72 a year, which is quite a bit more than what you pay for our favorites. Paying for Proton VPN allows access to all of its servers, raises the device limit to 10, and grants access to advanced features such as multi-hop connections and split tunneling.

If you need a VPN just for traveling: Like Mullvad, IVPN uses a password-free account-number system that protects customer privacy. IVPN also accepts cash payments sent by mail. The company has established a good track record with third-party audits and transparency reports. Where Mullvad and IVPN differ is in their pricing, as IVPN is significantly more expensive at $10 a month or $100 per year for IVPN Pro. But it’s also much more flexible in that regard: If you can live with a two-device limit and fewer features, the price drops to $6 per month or $60 per year for its IVPN Standard plan. If you can’t afford that, or if you need a VPN for just a little while, weekly subscriptions cost $2 for the Standard tier or $4 for Pro. That flexibility and the company’s commitment to privacy make IVPN a great choice for travelers who want a VPN only for the duration of their trip.

You can do a few things to better protect yourself online that can have a bigger impact than using a VPN.

Use a password manager. Using a weak password is an invitation for an attacker to take control of your account, and reusing passwords across multiple accounts is an invitation to do the same to more accounts. A password manager can generate unique and complex passwords for every site and service you use and then automatically fill in those passwords for you. We recommend 1Password or Bitwarden. Most web browsers also have serviceable password managers built in.

Enable two-factor authentication wherever it’s available. When you log in with 2FA, you take an additional action along with entering your password, such as entering a code generated in a 2FA mobile app or plugging in a security key. With 2FA enabled, even if a bad actor has your password, they can’t take control of your protected accounts.

Use a tracker or ad blocker in your browser. Using an ad or tracker blocker such as the EFF’s Privacy Badger, or even the tools built into some web browsers, makes it harder for trackers to follow you online, and you may see fewer ads too. Ads can be a way for malware to spread (via a practice called malvertising), so limiting your exposure can improve your security as well. Many VPNs offer ad and tracker blocking, but using a browser plugin allows you to choose what to block.

Check URLs and pay attention to your browser’s warnings. Most browsers have built-in tools for identifying dangerous phishing sites. When your browser alerts you, pay attention to it. Phishing sites are hard to spot, and some don’t last long enough to be blocked, so be sure to examine the URL in the address bar; if it seems unusual, don’t proceed.

Ensure that your software and operating systems are up-to-date. Keeping your software current ensures that you’re not exposed to any recently patched vulnerabilities.

Consider antivirus protection. Antivirus software can serve as a useful safety net if you fail to spot a malicious link, or if a new security threat emerges that OS makers have yet to patch. Windows Defender, which is free and included with all modern Windows computers, does a good job of protecting against threats.

To understand whether you need a VPN or in what circumstances you may use one, it’s important to understand what a VPN can’t do.

Using a VPN can expose you to other risks. Every expert we spoke with stressed that when you use a VPN, you move the risk of having your data surveilled from your ISP to the VPN company itself. For this guide, we looked only at VPNs that made some effort to prove that they would not surveil or sell customer data.

A VPN can’t protect you from hackers. Online thieves use the most direct route they can: phishing sites, phone scams, and email spam. VPNs can mitigate some of those risks, but they cannot guard against all of them entirely.

A work-issued VPN doesn’t hide your activities from your boss. Many companies provide corporate VPNs so that employees can access corporate resources remotely. When you’re connected to a work-issued VPN, your employer can see all of your internet activity.

A VPN cannot make you invisible or completely anonymous online. A VPN can prevent your ISP and others from closely monitoring your web traffic, and it can change your visible IP address, but various parties have many ways to track you online, such as digital fingerprinting.

A VPN encrypts your information only as the data moves around the web. Separately, encryption in other programs can protect the files on your computer and the messages you send from your phone.

Every device you own and every site you visit has an IP address to send and receive information. When you’re using a VPN, your computer’s true IP address is hidden behind the VPN server’s address. That’s handy for obscuring your identity, but because IP addresses are distributed geographically, changing your IP address makes it appear as if you are browsing the web from somewhere else.

Some people take advantage of a VPN's location-spoofing abilities to try to access content that’s accessible only in certain countries, such as from streaming services. If that’s your goal, be aware that doing so can be against the streaming company’s terms of service. There’s also no guarantee that a VPN that lets you access, say, UK Netflix from Chicago will keep working into the future. We view VPNs as a privacy tool first, so we don’t test to see how they perform in unlocking region-restricted content.

Also, there are limitations to how well a VPN can spoof your location. For example, a mobile app may find your location by using your phone’s GPS function or comparing nearby Wi-Fi networks against a list of known networks. A VPN is usually good enough for location spoofing, but don’t be surprised if it doesn’t always work as you may intend.

HTTPS uses encryption to secure some of your web browsing. You can tell when you’re connected to a site with HTTPS because you’ll see those letters in the URL of the website, and a padlock icon will appear in most browsers.

Because HTTPS connections are encrypted, the content of your activities isn’t visible to outside observers. The information you send—emails, credit card numbers, and so on—remains secure from prying eyes.

HTTPS also limits what your ISP can discern about your online activities. Your ISP will know, for instance, that you’re browsing the New York Times website, but not the specific pages that you view.

What a snooper sees when you’re browsing

HTTPS is far more common today than it was a few years ago. Let’s Encrypt, an organization that has helped spread the technology, reports that 94% of websites visited by Firefox users in the US use HTTPS. In fact, Firefox doesn’t load sites without HTTPS by default. That said, HTTPS is still comparatively rare in different parts of the world, making VPNs potentially more valuable to travelers.

Using a VPN does hide more than using HTTPS. Online observers and your ISP can’t even see the sites that you’re visiting, since your connection is encrypted by the VPN.

Instead of routing your connection through a single server, as a VPN does, or even two servers, as a VPN with multi-hop does, Tor routes your connection through several intermediary nodes, making it much harder for online snoops to track you online.

Tor is designed to limit what each node can see. For example, Node A knows that your data came from your machine and is heading to Node B but doesn’t know where your data will exit or where it goes after that.

Using Tor can also grant you access to special sites that are normally inaccessible. Whenever you hear about the dark web, the discussion is usually referring to one of these Tor-only sites. Some of these sites have a deservedly bad reputation, serving as online black markets for weapons and child sexual abuse material. But others are simply designed to be accessed securely and anonymously. The New York Times, for example, has maintained a Tor-accessible site since 2017.

Using Tor has major drawbacks. Because your online traffic takes such a circuitous trip, you browse the web far more slowly than on most VPNs. Also, Tor is far from perfect; exotic attacks can correlate online activities to Tor users, and people have long brought up concerns about Tor nodes being secretly taken over by nefarious entities for surveillance purposes. You still need to be mindful when using Tor and to take precautions such as sticking to HTTPS websites.

For most day-to-day activities, using Tor does not make sense. But if you’re greatly concerned about any kind of internet surveillance, it’s a useful and free tool to have at your disposal.

The underlying technology that VPN companies use is open-source, so anyone can build their own VPN service from scratch. A few projects, such as Outline and Algo, aim to make building a VPN more accessible to the average person, and they do an admirable job.

Creating your own VPN solves some of the problems that commercial VPNs present. (Hopefully, you can trust yourself not to spy on your own activities or sell your own data.) However, running your own VPN creates other problems. Even the most accessible tools have a learning curve, and running a secure VPN requires maintenance to ensure that it hasn’t broken down or become compromised. When you buy a VPN subscription, you effectively hire someone else to solve those problems for you.

Notably, NordVPN’s Meshnet feature lets you route traffic between your own devices (or the devices of trusted friends) for free. Using Meshnet is much easier than rolling your own VPN, but people who are most concerned about trusting VPN companies will not find it adequate.

Private Internet Access, a VPN we previously dismissed, and ExpressVPN announced new third-party audits, and we’ll be taking a look at them soon. DuckDuckGo added a VPN to its Privacy Pro subscription service, which costs $10 per month or $100 per year; we’ll be taking it into consideration once the company releases a third-party audit.

In early May 2024, security researchers announced that they had discovered a new attack that could affect VPNs. Using this attack, named TunnelVision, a malicious Wi-Fi operator, or an attacker able to modify the Wi-Fi network, could route traffic outside VPN connections. Doing so would allow the attacker to see the traffic’s destination but would not make the traffic’s contents visible as long as it was encrypted with HTTPS—which is the case for many sites and services. This attack is not effective if you’re using an Android device, connected through a cellular connection, or connected via an Ethernet cable.

Because of its limitations, TunnelVision is probably not a major concern for most people. However, if you’re using a VPN for more security on a public Wi-Fi network, if you’re connecting to Wi-Fi outside the US, where HTTPS is less common, or if you’re at risk for targeted attacks—particularly from oppressive regimes—TunnelVision is a potential threat. People in these groups are also the ones who benefit the most from what VPNs provide.

Several VPN companies have said that their services have features designed to mitigate or prevent TunnelVision, but it depends on the device you’re using. Mullvad says that it has not yet integrated TunnelVision mitigations into its iOS app. TunnelBear says that it’s working to mitigate TunnelVision in its macOS app and recommends that users enable its kill switch on iOS. Proton VPN says that enabling its kill switch prevents the attack on all platforms. IVPN told us that its iOS app is potentially vulnerable, and that desktop apps may be vulnerable depending on their configuration.

We started with a list of 77 VPN services and eliminated most of them for failing to meet our criteria. Ultimately, we tested seven VPNs.

Mozilla VPN is from the nonprofit behind the Firefox browser but uses Mullvad’s infrastructure. Those are both points in its favor, but it’s hard to recommend because it costs $10 per month—nearly double Mullvad’s price. However, it’s a good app, and it offers an opportunity to support a company with a deep history of promoting a free internet.

NordVPN is perhaps the most well-known VPN service, and it has grown enormously to now include a password manager, secure file storage, and numerous other services. It has a large network of VPN servers, and it includes advanced features such as multi-hop connections and access to Tor via VPN. It recently introduced Meshnet, a unique tool that lets you route your traffic between your own devices (or a trusted friend’s devices) and send files securely. Notably, NordVPN posted the best scores in our speed-impact tests. But NordVPN is expensive at $13 per month, and the average person probably doesn’t need NordVPN’s slew of advanced features. The company belatedly acknowledged a 2018 security incident and has made public commitments toward better security and transparency.

Surfshark is owned by the same company as NordVPN but operates independently. It offers servers in 93 countries, allows unlimited simultaneous connections, and has a highly polished family of apps. It’s also one of the most expensive VPNs, at over $15 per month, and it’s increasingly leaning on upselling a collection of other privacy features that go beyond what most people need in a VPN.

ExpressVPN boasts servers in 105 countries, frequent audits, and colorful, retro apps. It also ranks among the most expensive VPNs we looked at, costing $13 per month and $100 per year. ExpressVPN—along with Private Internet Access and CyberGhost—are owned by Kape, which used to be called Crossrider and previously supplied technology that was used in adware. A representative for ExpressVPN told us, “Crossrider was a cross-platform development platform for browser extensions, that was unfortunately abused by third-party developers and misattributed to Crossrider (even though there’s no direct involvement on Crossrider’s part in the creation of adware/malware).” Reports of major layoffs also made us concerned about Kape’s ability to effectively manage its VPNs.

We also eliminated many other VPNs for not meeting our criteria or not meeting the standard of quality and value represented in our picks. This group included: 1.1.1.1 +WARP, AirVPN, Apple iCloud Private Relay, Astrill VPN, Atlas VPN, Avast SecureLine VPN, AVG Secure VPN, Avira Phantom VPN, AzireVPN, Bitdefender Premium VPN, BTGuard, CactusVPN, Cryptostorm, CyberGhost, F-Secure VPN, Faceless.me, FastestVPN, FrootVPN, Goose VPN, Hide.me, HideIPVPN, HMA VPN, Hook VPN, Hotspot Shield, InvinciBull, IPVanish, Ivacy VPN, Kaspersky VPN Secure Connection, KeepSolid VPN Unlimited, Malwarebytes Privacy VPN, Njalla, Norton Secure VPN, nVpn, Nym, Opera VPN Pro, OVPN, Perfect Privacy, PersonalVPN, PrivadoVPN, Private Internet Access, PrivateVPN, PureVPN, Steganos VPN Online Shield, StrongVPN, SurfEasy, TorGuard, Trust.Zone, Turbo VPN, UrbanVPN, VPN.AC, VPN.ht, VPNArea, VPNTunnel, VyprVPN, Webroot WiFi Security, Windscribe, ZenGuard/ZenMate, ZenVPN, and ZorroVPN.

This article was edited by Caitlin McGarry and Signe Brewster.