As more people’s work and private lives go digital, online privacy and security become increasingly important. A virtual private network, or VPN, are often a useful a part of your security toolkit. But the industry is riddled with false promises and shady businesses. After sorting through dozens of VPNs and reviewing six security audits, we expect the simplest option for many people is Mullvad, an open-source VPN that’s not only trustworthy and transparent but also fast and reliable.
Mullvad collects minimal user data and engages in comprehensive and transparent privacy practices. It meets our security standards with a publicly available third-party security audit. Though anonymity guarantees are nearly impossible for any company to make, we like that Mullvad allows you to pay in cash simply by using an account number it generates (you can also pay with more common payment types, including credit card and PayPal). Mullvad offers a speedy new protocol called WireGuard, which is lightweight, quick, and easy to set up compared with IPsec and OpenVPN, the previous tunneling protocols. Mullvad’s desktop and phone apps make it simple to set the VPN upon a variety of devices even if you have little technical knowledge, and the service’s kill switch helps shield your privacy by automatically detaching your device if the VPN connection fails. Although Mullvad doesn’t offer a free trial, it does have a money-back guarantee. You can also set up many types of routers to connect with Mullvad’s servers.
Mullvad may be a secure VPN that provided a seamless experience during our testing: it had been easy to line up, and it hummed along so quietly within the background that we would often forget that it was even turned on. The company excelled in signals of transparency and trust, and in our testing, the service was easy to use and delivered some of the fastest speeds of any VPN we tested. Dedicated apps for Windows, macOS, Android, and iOS make Mullvad simple to set up on a variety of devices even if you have little technical knowledge. Mullvad’s subscription is fairly priced and costs an equivalent whether you employ the service for a month or a year, and one subscription can support up to 5 simultaneous connections at a time, so it’s easy to use on all of your devices, too.
In May and June 2020 Mullvad underwent a third-party security audit, a process that’s key for improving trust in an opaque industry. Though we wish that Mullvad, like IVPN, allowed testers to look at its servers—something only the company can authorize—the white-box audit was otherwise comprehensive and included a look at Mullvad’s phone apps, something IVPN’s audit didn’t cover. Conducted by Cure53, the audit took six testers a complete of 20 person-days to finish (IVPN’s took 21 person-days). In evaluating Mullvad, auditors spotted seven vulnerabilities, implementation issues, and other findings: two of medium severity, two of low severity, and three informational. In comparison, IVPN had three high-severity issues, two of medium severity, three of low severity, and one informational. Both companies issued updates quickly. Cure53’s record states that Mullvad “does an outstanding job protecting the end-user from common PII leaks and privacy-related risks.”
Mullvad’s clarity is another strong signal of trust. Located in Sweden, the company (Amagicom) is straight owned by founders Fredrik Strömberg—who operates on research and development in security—and Daniel Berntsson, and it lists its employees on its site. Plus, according to Mullvad’s CEO, many of the people on its 22-person team use Qubes, a security-focused operating system designed to keep sensitive work isolated and secure even if an attacker were to breach another portion of the pc.
Mullvad collects less information than many VPNs and a little less than IVPN. For example, IVPN stores email addresses, the associated IVPN ID and expiration date, and some payment information and transaction information. Mullvad collects very little data on its customers and all of the cookies that may track you on the Mullvad website expire when you close the browser window. Those cookies include one that allows you to log in, a cookie that retains your language preference, a security cookie that prevents cross-site request forgeries, and cookies for Mullvad’s payment processor for some payment types. In contrast, IVPN uses a web analytics service—Piwik/Matomo—and collects data on your browser user-agent, language, screen resolution, referring website, and IP address, though it does discard the last piece of the IP address. Piwik can also use an internet cookie to spot users who revisit the location. In addition, IVPN reserves customers’ transaction and subscription IDs to process their money-back guarantee, allow auto-renewal subscriptions, and resolve payment issues.
If you plan to use six or seven devices at once, or if your speeds with Mullvad aren’t as good as what we saw in our tests, IVPN is just as transparent and trustworthy. IVPN also gives you some extras Mullvad lacks, like the power to let it choose the fastest server for you, to dam trackers, or maybe to dam Facebook and Google altogether. Depending on what percentage devices you would like to attach, IVPN is often cheaper or costlier than Mullvad, with IVPN’s cheapest option allowing only two devices compared with Mullvad’s five but its costlier premium plan allowing seven. IVPN’s premium plan includes two features the basic plan doesn’t: port forwarding and multihop (but most people won’t need either). Though you would like to supply payment information for IVPN’s three-day trial, the corporate won’t charge you until the trial expires. Like Mullvad, IVPN offers instructions on how to set up many types of routers to connect with its servers, as well as for instructions on using it with network-attached storage.
If Mullvad doesn’t give you the same speeds we found, if you want to get faster responses to support tickets, or if you want to more easily install a VPN on network-attached storage, IVPN is a good choice. It is fast, consistent, and easy to use on Windows, Mac, Android, and iOS. Like Mullvad, on its website, it includes detailed information on its policies and readable terms of service. IVPN has a three-day trial, which is great for people who want to test speeds without paying for the service or going through a refund process as Mullvad requires. But IVPN has less server locations than Mullvad, and in our tests, IVPN was slower than Mullvad.
IVPN (Privatus Limited), which was incorporated in Gibraltar, lists its core team on its website, and founder and CEO Nick Pestell answered all of our questions about the company. IVPN has 13 full-time staffers, three of whom work specifically on infrastructure security; that’s fewer staffers than Mullvad has but still far more than many VPNs have. It seems committed to transparency, and it’s undergone a public, third-party security audit. In fact, the auditors confirmed that IVPN fixed the problems found during the audit. Although the audit did not include IVPN’s phone apps, testers did have access to IVPN’s servers, which was not the case for Mullvad’s audit.
IVPN also posts a transparency report that shows the number of valid legal requests it received from government or law enforcement agencies in a given year, going back to 2016. We like that IVPN makes some extent to mention it doesn’t advertise or guarantee complete anonymity, enable geo-blocked content on streaming services, or offer how round the Great Firewall of China. Additionally, IVPN has published ethical guidelines on its site, including clear, detailed information on its marketing methods and ethical commitments.
You can take IVPN out for a spin to see if it works for you with its three-day trial, but you’ll need to provide a valid credit card or PayPal account (which won’t be charged until the end of the trial). You can also get a full refund if you cancel your account within seven days.
Although IVPN has fewer servers and exit nodes than Mullvad, it was almost as fast, and it was the third-fastest VPN we tested during rush hour. We like that IVPN lets you choose the city of the server you want to log in to, or it can automatically select the fastest connection, an option that Mullvad does not offer. It’s worth experimenting to see if the server IVPN selects as the fastest actually is the speediest for you; in our testing, a location close to us tested faster than IVPN’s option.
Like Mullvad, IVPN is an open-source and includes an option to use WireGuard, which we recommend for improved speed and security. The two services are pretty similar once configured. IVPN offers a kill switch in the form of an always-on firewall option, which worked when we tested it.
IVPN provides two subscription tiers: a standard account, which works for up to two devices simultaneously, or a more expensive pro account, which works with as many as seven. A pro account also includes port forwarding, which most people don’t need, and multihop, which routes your connection through multiple servers in separate jurisdictions; multihop can also slow down your speed exponentially, however, and you’ll get an equivalent enjoy using Tor for free of charge. We recommend choosing an account type by the number of devices you propose to put in IVPN on. Annoyingly, IVPN limits you by what percentage devices you’re logged in to, not actively using. For example, although you can install IVPN on a tablet, computer, and phone with a standard account, you have to repeatedly log in and out if you bounce between those devices.
Like Mullvad, IVPN is available for Windows, macOS, Android, iOS, and Linux. You can install IVPN on some routers and network-attached storage devices.
Last we checked, IVPN responded quickly to our support ticket during the weekend, providing clear and informative responses. You can also get help via chat during business hours. The company has two customer service staffers providing around 18 hours of coverage per day both through ticket requests and via chat (though the chat may be offline if a staff member is working on a ticket). IVPN’s CEO said that 81% of tickets in May 2020 were answered within an hour, which a further 18.1% were answered within one to four hours. Mullvad doesn’t keep stats on its support answers but says it manages customer support during weekday office hours in Central European Time.back to menu ↑
How we picked
To narrow down the list of VPN providers, we checked out VPNs listed in reviews from sources like CNET, PCMag, and therefore the Verge, also as recommendations from the nonprofit Freedom of the Press Foundation and the security firm Bishop Fox. We also looked at VPNs that had answered questions on the Center for Democracy & Technology’s Signals of Trustworthy VPNs survey. We combined these results with research and proposals from noncommercial sources like That One Privacy Site, customer experiences and recommendations on the r/VPN subreddit, and reviews within the App Store and Google Play store. We piled this research on top of our work from previous years, which looked at sites such as vpnMentor and TorrentFreak and technology-focused websites like Lifehacker and Ars Technica, as well as those services that were simply on our staff’s personal radars.
In 2019, we settled on 52 VPNs that were repeatedly recommended or at least so highly visible that you’re likely to encounter them when shopping for a VPN provider. In 2020, we added four more. From there, we dug into the details on how each one handled issues from technology to subscriptions, as well as the steps they’ve taken to improve their transparency and security posture.back to menu ↑
How we tested
After going through the above criteria in 2019, we narrowed our initial list down to just five services that met our requirements. In 2020, we tested six services, including four we had earlier tested, and two we had originally skipped because they didn’t meet our security standards: Encrypt.me, IVPN, Mullvad, NordVPN, ProtonVPN, and TunnelBear. We signed up for each one of those services and dug deeper into their policies, technology, and performance on an Acer laptop, a MacBook Pro, an iPhone, and Pixel phone.