Using a VPN service has become essential for better online privacy. Getting a VPN is the easiest and fastest way to encrypt your connection and hide your internet traffic.
While there are multiple benefits to using a VPN service as such, it is specific added-value features that make buying a VPN subscription worthwhile these days. Understanding what these must-have VPN features are and how to use them can have a big impact on your online privacy.
- Ad Blocker & Anti-Tracker
- MAC, Time & Location Spoofing
- Diskless Servers & Zero-Knowledge DNS
- Open Sourced, Audited & Public Facing
- Anonymous Signup & Payment
- Obfuscation: Camouflaging VPN Usage
- Choice of Protocols for Every Situation
- Multi-Hop VPN & Tor over VPN
- Kill Switch/Firewall & Auto-Connect
- Split Tunneling for Apps & Websites
- Bonus: 7 VPN Myths & Misconceptions
- Extra Bonus: 5 Real Benefits of VPN Services
- Conclusion: Which VPN?
Ad Blocker & Anti-Tracker
For many users a VPN is no longer just a basic tool to quickly change their IP address or prevent third parties from viewing their online activities. A VPN is expected to be a complete suite of privacy and security tools that blocks adware, data trackers, malware, spyware, phishing sites and other cyber threats.
Unlike such browser extensions as uBlock Origin, a VPN with an ad blocking and anti-tracking feature works effectively across all apps on the connected device. And unlike installing Pi-hole or configuring a DNS server, using an ad blocking VPN is easy and conveniently managed within one service.
The ad blocker and anti-tracker feature relies on open source content-filtering software and related adware block lists. When this feature is enabled, the VPN blocks domains associated with advertising, tracking or hosting malicious code via specially configured DNS servers.
There are two common ways to activate ad blocking. The first one is as simple as toggling this feature on or off. NetShield by ProtonVPN* and CyberSec/Threat Protection by NordVPN* are good examples of such a smooth in-app control over this feature.
The second way to enable ad blocking is by configuring it within your account rather than the app. This option is less user-friendly and is usually abandoned after the initial launch. For example, R.O.B.E.R.T. by Windscribe* used to be available only within your account. Now it is built into the app. It is a tool that offers a more sophisticated level of control over ad blocking. You can create your own rules by whitelisting or blacklisting specific domains and IPs as well as activate further ‘house’ lists to block social networks, cryptominers and gambling sites.
MAC, Time & Location Spoofing
One of the basic rationales for using a VPN service is to ‘mask’ your location and thus ‘trick’ websites and online services into ‘believing’ that you are somewhere else. VPN services achieve this primarily by assigning your connection a different IP address. But in the world of advanced fingerprinting and state-of-the-art online tracking the IP address is a largely insignificant piece of your online profile.
This is why many VPN providers seek to enhance their service by offering advanced ‘spoofing’ features. Many of these cutting-edge features are experimental and not fully effective. Their relevance and availability differ from one platform to another and some critical features may never be available on either Android or iOS due to harsh restrictions.
One of the most innovative VPN features is MAC (media access control) spoofing. It works by changing your NIC’s (network interface controller) MAC address. It may be useful for example to bypass bandwidth limits or parental controls.
Windscribe has implemented this MAC spoofing feature on its Windows app. For its browser extension Windscribe has further added such features as Time Warp to make the timezone on your computer match that of your VPN connection, Cookie Monster to delete cookies when you close the tab and Split Personality to reduce fingerprinting. Many of these features may turn out quite impractical for your browsing experience, though.
To return back to ‘masking’ your location, even if you are connected to a VPN, your actual location may be revealed based on either your WiFi SSID name or GPS. Again Windscribe’s browser proxy has a feature to prevent your browser API from detecting your location. If you use an Android phone, Surfshark has an in-app feature that overrides your physical GPS location. To activate this feature, however, you will need to first enable developer mode on your phone.
Diskless Servers & Zero-Knowledge DNS
A VPN is only worth using if its infrastructure is properly secured from hacking and man-in-the-middle attacks. In remotely managing a global network of nodes, data center breaches can happen and VPN servers can be seized by governments. Which is why it matters what happens under the hood of your VPN service.
Established VPN providers are usually transparent about which data centers they use in each location. For full control over their infrastructure, they also use fully owned dedicated servers with private 1 Gbps or 10 Gbps ports.
How each server is hardened is particularly significant. Traditionally, VPN providers’ main precaution has been full disk encryption to secure server certificates, software and configurations. For example, ProtonVPN uses full disk encryption on all its servers.
A different method of server hardening is using RAM-only diskless servers. Diskless VPN servers do not store anything locally, including OS, and are part of a centrally controlled network. For example, NordVPN has created such a network of RAM-only servers.
Another crucial part of a VPN service is its DNS system. Any VPN provider that claims to not log any personally identifiable data can only do so if it uses its own – not third-party – DNS servers with encrypted DNS queries. For example, VyprVPN* has developed its own zero-knowledge VyprDNS that is free from any DNS filtering.
Open Sourced, Audited & Public Facing
Besides the technology used by a VPN provider, the key issue in choosing the right service is its trustworthiness. What makes a VPN trustworthy includes – among other things – independent audits, openly accessible source code for apps, public-facing ownership and open channels of communication with customers.
Open source code refers primarily to the platform-specific clients developed by a VPN provider. This code shows which software has been built into each client and what it actually does. Two established VPN services with open source apps are ProtonVPN and IVPN.
Yet the majority of VPN companies do not publish such codes and choose instead other ways to be transparent. The most accepted step toward trustworthiness is an independent third-party audit. What is audited differs from one contract to another but as a minimum it focuses on native clients. An extended audit involves infrastructure, server configurations and employee practices. NordVPN is known to have conducted such an extended audit, although the full report is not publicly available.
When you use a VPN it acts to a great extent as an ISP in that all your traffic is routed through their system. As you would know who owns and runs your ISP, you should be able to also know who is behind a VPN company. Some users assume that, because a VPN is a privacy service, it is better when its ownership is anonymous. This could not be further from what transparency and accountability mean. Public facing leadership is crucial in the VPN business, and their online activism and communication with customers is also a welcome signal.
Anonymous Signup & Payment
Most VPNs claim not to log any personally identifying information, so it seems reasonable that also signing up with a VPN service should be as anonymous as possible. While it is certainly good to have an extra layer of anonymity when using a VPN, this option is usually unnecessary for most users who choose a trustworthy independently audited no-logs VPN.
An anonymous signup is a logical option for a privacy service. It usually involves auto-generating a randomized account name that cannot be traced back to either a phone number or an email address. Another step is paying for the service either by cash or cryptocurrency.
VPN providers have implemented this feature in different ways. Some offer anonymous password-free accounts by default, for example IVPN. Some require that you create an account with a password but give you an option not to use an email, for example Windscribe. And others, such as ProtonVPN, require an email address for the signup but this email itself can be anonymous, for example ProtonMail*.
The way you create an account can have its disadvantages. Without an email you cannot reset your password. With no customer data and traceable payment the VPN company cannot verify the ownership of your account in case it is compromised. You cannot get a refund, either. And getting customer support may be sophisticated.
Obfuscation: Camouflaging VPN Usage
If you are on a heavily restricted network or in a high-risk location, you may benefit from a cool VPN feature that conceals the fact that you are using a VPN in the first place. Authoritarian governments and many WiFi networks do nor allow using a VPN and will block it as soon as they discover your attempts to connect via a VPN service.
Most VPN providers have developed one method or more to bypass restrictions and combat censorship. One popular way to hide your VPN connection is to use a modified OpenVPN protocol. For example, VyprVPN has created their custom Chameleon protocol that scrambles OpenVPN packet metadata making it unrecognizable via DPI (deep packet inspection).
Another way to achieve similar stealth or camouflage while using a VPN is to connect to a specialized VPN server. For example, with NordVPN you can connect to obfuscated servers that make it possible to bypass VPN-blocking firewalls. It works similarly by changing data packages.
Choice of Protocols for Every Situation
A VPN protocol is the central component of a VPN service that many casual VPN users know little about. Most VPN providers have a default protocol but also give you the choice of which protocol to use. Multiple protocols and the freedom to choose one are essential depending on what you use the VPN service for, on which device and on which network.
OpenVPN is still considered the industry standard as it offers a good balance between performance and stability. Based on two different transport protocols UDP and TCP, OpenVPN tends to be preferred for desktops and routers. For example, before implementing WireGuard, ProtonVPN used it as the default protocol on its Windows app via Smart Protocol that picked UDP or TCP automatically.
On its mobile apps, ProtonVPN uses additionally IKEv2/IPsec. IKEv2/IPsec tends to increase both speed and security compared to OpenVPN but is more easily blocked. It is ideal for everyday browsing and is the default protocol used by Windscribe.
A third protocol offered by many VPN services is WireGuard. WireGuard has a much smaller code base than OpenVPN or IKEv2 and uses state-of-the-art cryptography. WireGuard cannot however ensure complete privacy out of the box and requires additional assembly for large deployments. NordLynx is an example of how a VPN provider has implemented the WireGuard protocol. NordLynx is NordVPN’s default protocol.
Some VPN services offer additional options when it comes to protocols. For example, VyprVPN has built its Chameleon protocol around OpenVPN with the purpose of defeating VPN blocking on restricted networks. And ExpressVPN has developed its own Lightway protocol that in many ways resembles WireGuard.
Multi-Hop VPN & Tor over VPN
While VPN obfuscation is intended primarily for those on restrictive networks, rerouting your traffic through two (double-hop) or more (multi-hop) VPN servers is useful against increased surveillance and network attacks. The main idea is that your connection will be encrypted at least twice and, in case of malicious network monitoring, it will hardly be possible for the attacker to follow your connection to its final destination.
The way double- or multi-hopping is implemented differs among VPN services. For example, ProtonVPN has created its own network of Secure Core servers with all traffic routed through those in Switzerland, Sweden or Iceland. NordVPN’s double-hop connection mixes UDP and TCP protocols between servers, where the second server has no knowledge of your real IP address. Still other VPN services, such as Windscribe, make double-hopping possible through a browser extension.
If you need an extra layer of privacy that comes with routing your traffic through multiple servers, you can make use of the Tor-over-VPN feature. This handy feature gives you access to the Onion anonymity network without having to use the Tor browser. When you use the Tor over VPN servers, the entry node of the Onion network cannot see your real IP and your ISP cannot see that you are on the Onion network.
The disadvantage of routing your traffic multiple times is that the connection speed is likely to be reduced, especially on Tor over VPN servers.
Kill Switch/Firewall & Auto-Connect
A VPN service is only as good as its ability to continuously hide your traffic even when the connection drops. To prevent any kind of leaks – WebRTC, DNS, IPv6 – most VPNs include a feature called kill switch or firewall. It works by blocking all connectivity on your device if your VPN disconnects or is disabled thus making sure your privacy is never compromised.
The kill switch feature is usually available natively on desktop apps. Most VPNs will offer one or all of the following firewall options: automatic only when the VPN is on, permanent that blocks non-VPN connections at all times, and manual that lets you choose when to enable the mode.
The kill switch mode can be enabled in the phone settings on mobile device. On Android phones the feature is called Always-On. On iOS devices it is called On-Demand.
Another handy feature related to the kill switch mode involves automatically connecting to the latest, closest, fastest or unblocked VPN server. The basic auto-connect feature creates a random or customer-defined VPN connection on launch or after the connection to a previous server drops.
A more advanced type of the auto-connect feature ensures that you stay connected to the VPN service even if someone tries to block your access. For example, VyprVPN’s Chameleon with Smart IP works by periodically changing your VPN server in the background. ProtonVPN’s Smart Protocol automatically reconnects through a different VPN protocol if the default protocol is blocked. And Windscribe’s Auto Pilot is a feature of its browser extension that automatically changes location in case of geo-blocking.
Split Tunneling for Apps & Websites
There may be situations when using a VPN for every app on your device is impractical. The feature called split tunneling lets you choose which apps remain connected to your VPN and which do not.
Split tunneling is useful in many scenarios. For example, when using a VPN with split tunneling you can access both local and foreign content at the same time through different apps. You can choose to be able to have access to LAN devices such as printer without switching off the VPN service. And because some apps and websites may not work properly, especially banking services, you can route that specific traffic outside the VPN tunnel.
You can use split tunneling in two ways: you can exclude certain apps from the VPN connection or you can include only one or a few specific apps while using the device on a VPN-free connection (inverse split). Besides apps, you can exclude also specific websites: different VPN providers let you do this by configuring IPs only (e.g. ProtonVPN) while others allow excluding specific URLs (e.g. NordVPN).
The split tunneling feature can be called differently by various VPN providers: for example, VyprVPN calls it Connection per App and SurfShark refers to it as Whitelister. Split tunneling is still a relatively new feature that may not be available on every platform, such as Smart TVs and game consoles. For example, most VPN services do not offer this feature on routers, with ExpressVPN being a notable outlier.
Bonus: 7 VPN Myths & Misconceptions
Strict No Logging
Number of Servers
Many VPN services proudly advertise that they operate thousands of servers worldwide. While the number of servers matters, when you choose a VPN you just need to make sure that it has servers in those few locations that matter to you: usually in your country of residence and in those countries where you wish to unblock geo-restricted content or services. More than the number of servers, what matters is whether these servers utilize high-speed high-capacity connections (ideally 10 Gbps ports) and how reliable the server setup is (for example, VyprVPN uses server clusters for an uninterrupted experience).
VPNs that operate as offshore companies do not necessarily increase your privacy. The VPN service’s jurisdiction does not matter much, as long as it is not in an authoritarian country. While there are benefits to being located in a jurisdiction with stronger privacy and consumer protection laws, these benefits have little relevance to VPNs as such. This is so mainly because data retention laws apply to ISPs – not VPNs. Crucially, many offshore VPN providers do not disclose their ownership and may thus be operated by malicious groups.
Static IP Address
One of the biggest benefits of using a commercial VPN is that you gain a layer of privacy by having your traffic mix in with that of thousands of other VPN users who share the same IP address while connected to a VPN server. Paying for a dedicated IP address makes using a VPN in this sense useless. Some VPN providers offer instead a static IP address that differs from a dedicated IP in that it is still shared by dozens or hundreds of other users. Like a dedicated IP, a static IP is always available to you and can be used for port forwarding. If you do need a dedicated IP to access a restricted network remotely, you can do so cost-effectively by self-hosting an OpenVPN server with Cloudron*.
Many VPN providers readily claim that one of the benefits of using their service is unblocking media content in different countries via geoshifting. Yet streaming services like Netflix and Amazon Prime can easily block VPNs. Special servers optimized for streaming may work most of the time but it is unlikely to be a smooth uninterrupted experience overall.
Shopping with a VPN
Similarly, VPN services are often promoted as tools to save money while shopping online globally. While you can indeed see different prices on the same products and services in different countries, you may not be able to successfully complete a purchase while using a VPN. Depending on what software a website uses, you may be bombarded with captchas, your access to the checkout page may be blocked by a WAF or your financial transaction may be flagged as fraud and declined.
You can get a decent VPN service for less than $5/month but a VPN that costs less than $1/month is probably not worth paying for. Lifetime licenses offered by some new VPN services, for example FastestVPN*, are also quite a gamble. A reliable VPN service needs a good flow of money to pay for servers, bandwidth, development, app design and frequent updates, marketing and much more. Above all, human labor is expensive and customer support is an integral part of a good VPN service.
Extra Bonus: 5 Real Benefits of VPN Services
A VPN is typically offered as a commercial service. In a nutshell, a VPN provider implements communication protocols on a network of servers accessible to users via apps installed on their devices. An important question is whether you need to use a VPN service at all. To answer this question, here are the proven benefits of using a VPN:
- encrypting connection to prevent ISPs and mobile network providers from monitoring your online activity: when you use a VPN, your ISP cannot log IPs or domains you visit
- increasing security on public networks by preventing man-in-the-middle attacks: a VPN helps protect your data on free WiFi networks in airports, cafes, libraries etc.
- bypassing censorship: you can defeat VPN blocking in high-risk countries and on restricted networks in order to gain access to any internet resources
- masking location by changing an IP address: a VPN makes it possible to access geo-blocked news, videos, entertainment and other content regardless of your actual location
- reducing tracking by ad networks and tech companies: this works if you have enabled the anti-tracker feature on your VPN service – and the key word here is reducing, not eliminating
Conclusion: Which VPN?
Many VPN services have evolved into sophisticated suites of privacy and cybersecurity tools that go beyond just changing your IP address. They offer – among other things – multiple protocols, multi-hopping, split-tunneling, ad blocking and GPS spoofing.
The question is whether you need all the awesome VPN features there are and which VPN service is right for you. The answer will depend primarily on what you will use the service for, how important transparency is to you – and of course on your budget and payment preferences.
The safest choice is currently ProtonVPN*. It boasts open source apps and an independent audit. It will have a fast server close to wherever you are. Its features include a kill switch, ad blocking and split tunneling on apps for every platform. You can start for free and upgrade to one of the affordable paid plans. ProtonVPN also offers multiple payment methods and money back guarantees.
ProtonVPN is reliable and fast but it does not rush into implementing the latest hottest features. If you need a VPN service that is faster to implement newest protocols and numerous other innovative features, a strong alternative is NordVPN*. It is a trusted brand for busy professionals and beginners with nice deals on your first invoice. NordVPN has countless privacy features and is easily the best VPN for those who enjoy truly uncensored internet.