What is a VPN? In this guide, you’ll get some quickfire answers to common VPN 101 questions.
Frequently Asked Questions
A VPN (virtual private network) establishes a secure internet connection between you (the user) and the internet service provider (ISP). Essentially, VPNs perform two important functions. Firstly, they allow you to change your IP address and web location by diverting your traffic via an anonymous VPN server, before it can reach your ISP. Secondly, as your traffic is re-routed via the new location, the VPN server encrypts that data, making it virtually impossible for anyone to decipher which websites you’ve visited or what you have downloaded. These functions make VPN an ideal solution for unblocking geographically restricted content, bypassing internet censorship and for regaining a safe and private browsing experience.
- Enhanced security: your data is encrypted meaning that it is kept private and confidential from the prying eyes of hackers, surveillance programs, ISPs and other third parties.
- Online anonymity: having a VPN allows you to browse the internet in complete anonymity. In comparison to DNS or web proxies, VPNs grant user anonymity for web applications as well as websites.
- Masked IP address: a VPN masks your IP address, which dupes websites and applications into thinking that you are located in a different country or location. This allows you to access regionally blocked services and content, as well as allowing you to bypass network filters.
- Remote control: VPNs are especially useful for businesses since employees can securely access their network from a distance.
- Share files: VPNs are a great way to share private and confidential files.
Yes, an internet connection is always required in order to establish a VPN connection.
Nowadays, many VPN providers offer servers with gigabit port speeds, meaning if your original bandwidth is fast, for instance 50Mb+, the subsequent decrease in speed will hardly be noticeable during browsing or streaming.
This depends on your VPN provider, though most do not have limits on bandwidth usage. Check the service terms and conditions before beginning your subscription.
Platforms that support VPNs are Windows, Mac OS X, iOS, Android, Linux (Ubuntu) and Chromebook. VPNs work on any compatible internet-enabled device, including smartphones and tablets (Android, iPhone, iPad, iPod, and Kindle Fire).
Yes, but it depends on the make and model of your router. Routers must be equipped with either DD-WRT or Tomato firmware. To check if your router is DD-WRT compatible, search the DD-WRT database. Note that the original Tomato firmware is no longer being developed; however, numerous modified open-source versions are available.
VPN companies commonly offer their own bespoke clients and apps for Windows, Mac OS X, Android and iOS operating systems.
A TAP driver, or network tap, is a virtual network kernel device that is required to connect via the OpenVPN protocol on Windows. Normally, you don’t need to install the TAP driver separately as it will be included in the OpenVPN installation files.
PPTP and SSTP are proprietary protocols, while L2TP/IPsec and OpenVPN are open source protocols. PPTP is known for being fast, though it is very insecure and easy to block. Technically, L2TP/IPSec is secure, though it was allegedly compromised by the NSA and is often blocked by robust firewalls. OpenVPN is regarded as the most secure and is the most widely implemented protocol; it is often modified/enhanced by providers and can be very fast depending on encryption level and server response. What’s more, OpenVPN uses multiple ports and is capable of avoiding port blocking, though it may be slow due to opposing factors. SSTP is also very secure and is difficult to block, though usually it is fairly slow.
Open protocols are subject to peer review by the greater public. This public review process has proven to create a more secure product. On the other hand, proprietary protocols are often supported well by their corporations, but because of their confidential nature they may be vulnerable to unforeseen security flaws.
For a more in-depth comparison, have a read of our guide to VPN protocols.
Historically, it has been common for VPN providers to keep basic connection logs (user’s IP address and VPN connection timestamps) for a period ranging from 2 days to 6 months or more. This also depends on the company’s local jurisdiction. If the provider is based in the European Union, it is likely that they must keep some logs to operate in accordance with the law. Surprisingly, companies in the United States are not obligated to keep logs; however, they may well be subject to backdoor surveillance.
There are a few VPN services today that have phased out even connection logs, making the user’s experience that bit more anonymous.
For more information, take a look at our guide to VPNs without logs.
Data authentication is part of the encryption process and refers to the message authentication algorithm with which user data is authenticated. This is used to protect users from active security attacks. If you are not concerned about active attacks you can disable data authentication.
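What data authentication protects against, shown as an added example (not from the original guide or from any VPN product): a packet that is only encrypted can be altered in transit and still decrypts without error, while an HMAC-SHA256 tag over the ciphertext makes the receiver reject it. The SHA-256 keystream is a toy stand-in for a real VPN cipher, and the keys, nonce and payload are constructed.

```python
import hashlib
import hmac

TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes


def keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode); stand-in for a real VPN cipher."""
    out = bytearray()
    for start in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + start.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], pad))
    return bytes(out)


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt, then append a tag computed over nonce and ciphertext."""
    ct = keystream_xor(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(enc_key, mac_key, nonce, packet):
    """Check the tag in constant time before decrypting; raise if it does not match."""
    if len(packet) < TAG_LEN:
        raise ValueError("packet too short to carry a tag")
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: packet was modified in transit")
    return keystream_xor(enc_key, nonce, ct)


def modify_in_transit(data, offset, old, new):
    """Model an active modification: XOR (old ^ new) into the bytes at offset."""
    patched = bytearray(data)
    for i, (a, b) in enumerate(zip(old, new)):
        patched[offset + i] ^= a ^ b
    return bytes(patched)


def demo():
    enc_key, mac_key = b"E" * 32, b"M" * 32  # constructed keys
    nonce = (1).to_bytes(8, "big")            # constructed per-packet nonce
    msg = b"quota=0100;user=a"                # constructed payload

    # Encryption only: the altered packet decrypts without any error.
    ct = keystream_xor(enc_key, nonce, msg)
    unauthenticated = keystream_xor(
        enc_key, nonce, modify_in_transit(ct, 6, b"0100", b"9900"))

    # Encryption plus authentication: the same alteration is rejected.
    packet = seal(enc_key, mac_key, nonce, msg)
    try:
        open_sealed(enc_key, mac_key, nonce,
                    modify_in_transit(packet, 6, b"0100", b"9900"))
        rejected = False
    except ValueError:
        rejected = True
    return unauthenticated, rejected, open_sealed(enc_key, mac_key, nonce, packet)


if __name__ == "__main__":
    print(demo())
```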
An encryption key tells your computer how to decrypt or encrypt data. The most common forms of encryption are symmetric-key encryption or public-key encryption. For symmetric-key encryption, all users share the same key, enabling everyone with the key to encrypt and decrypt data. For public-key encryption, each user has a public-private key pair. One user has a private key to encrypt data while another user has the corresponding public key to decrypt that data. One kind of symmetric-key encryption that is used by VPNs is called handshake encryption, which establishes a secure connection and verifies that your computer is communicating with a legitimate VPN server, rather than an insecure or harmful server. With handshake encryption there are different levels of security, including RSA-2048, RSA-3072, RSA-4096, ECC-256k1, ECC-256r1, and ECC-521.
Encryption is an integral component of VPNs because it ensures that data is only accessible to intended users, though VPNs rely on more than just a pair of encryption keys to encode data. This is why protocols are important. Protocols allow computers to determine what kind of data is being transferred and how secure the connection is between users. For example, a site-to-site VPN could use either internet protocol security protocol (IPSec) or generic routing encapsulation (GRE). GRE provides the framework for how to package the passenger protocol for transport over the Internet protocol (IP). Additionally, VPNs may be secured through obfuscation, which is a programming technique that deliberately obscures code, making it difficult to infiltrate for anyone other than the intended user. Obfuscation is used with the OpenVPN protocol and may be useful if your VPN is being blocked by your ISP.
Your ISP will be able to see that encrypted data is being sent to an endpoint, but they won’t be able to determine the nature of that data. Your ISP will also be able to see how much bandwidth you’re using, and if they are suspicious of your activity they can request access logs, though usually this requires a court order. And if your VPN provider truly does not keep logs, then a court order won’t have much use.
In order to identify the best VPN, it’s important to know what you need the service for. We recommend checking out our detailed guide to recommended VPN services for a wide range of user-specific features and purposes to help you find the right provider for you.
VPNGate (vpngate.net) is a free service described on their website as “an academic experiment”. Since it is run by Japanese university students it is unlikely to be a permanent service and bandwidth is likely to be slow. Also, according to their privacy policy, your source IP address will be logged on the destination web server.
A legitimate and reliable paid VPN service offers several advantages, including a much more private environment, authentic guarantees, faster speeds, more servers, more extra features and add-on services, as well as being less likely to log traffic or connection logs.
There are pros and cons to both shared and dedicated IPs. Shared IPs provide greater anonymity for public wifi hotspots since they automatically implement NAT, as well as offering a much wider range of shared IPs than dedicated IPs. On the downside, shared IPs can get abused by other users on the network, through activity such as spamming and hacking. The former can lead to certain websites banning this IP altogether, meaning you won’t be able to access the site via that particular server. The latter depends more on your VPN provider’s commitment to safeguarding your privacy, but if that isn’t the case, illegal hacking and similar malicious activity by one individual can attract the attention of the authorities, who ultimately can force your provider to discreetly provide access for monitoring traffic on your favourite server, or the entire network for that matter. To avoid this, be sure to use a service that does not keep traffic logs and that demonstrates its devotion to customers by being headquartered in an advantageous location.
Dedicated IPs are a better choice for users who prefer not to share any network with other users and only wish to use dedicated servers with a static IP. This unique IP will not be applied to anyone else’s device but theirs. Likewise, this option bears an element of exclusivity and is almost always more expensive than a standard, shared VPN plan. Unlike their dynamic counterparts, static IPs are capable of accessing ports that may initially be blocked by the ISP or local network administrator. Dedicated IP addresses use their own ports, aiding users in countries where port blocking is a common occurrence, like in China. With dedicated IPs, it is down to your own activity as to whether or not the IP gets blacklisted, so you don’t have to worry about the behavior of other users on the server. That said, the range of dedicated IPs is more limited than shared IPs and if the provider turns out to be untrustworthy, your own traffic will be easily identifiable. For more information on the difference between dynamic and static IP addresses, take a look here.
Essentially, DNS is a navigation system that your computer or mobile device uses to reach the right destinations online. The process can be fully referred to as DNS name resolution and it applies when attempting to reach a website as well as when sending an email. It is in fact possible to reach a website by inputting its IP address in the URL bar, however, you will probably feel overwhelmed if you try to save all of the different IP addresses of your favourite sites. Moreover, some websites can change their IPs while others have multiple IPs assigned to a single domain; this is why unique website domains are much more memorable and easier to use.
One of the best resources for testing your device for DNS leaks is dnsleaktest.com. Simply go to the website and run either the ‘Simple’ or ‘Extended’ test (for our example, we chose ‘Extended’). The test will complete itself within a few seconds, and if the results display the IP and location of your VPN, as our own result shows below, your computer and VPN are functioning properly.
By far the quickest and easiest way to prevent a DNS leak is by using a VPN client with built-in DNS protection. Not many providers offer this; however, services like Private Internet Access, VyprVPN and PureVPN have long featured this function in their apps. For more information on how to detect and prevent this, have a read of our guide on how to fix and prevent DNS leaks.
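A local complement to the online DNS leak test, as an added example that is not part of the original guide: it reads a resolv.conf-style resolver list and reports which nameservers sit outside the VPN's DNS range. The sample file and the 10.8.0.0/24 tunnel range are constructed assumptions; substitute the range your provider actually pushes.

```python
import ipaddress

# Constructed sample: resolver configuration on a host connected to a VPN.
SAMPLE_RESOLV_CONF = """\
# constructed sample
search lan
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 2001:db8:53::1
nameserver 127.0.0.53
options edns0
"""

# Assumption: the VPN hands out resolvers inside its tunnel subnet.
VPN_DNS_NETWORKS = ["10.8.0.0/24"]


def parse_nameservers(text):
    """Return the addresses on 'nameserver' lines, skipping comments and bad entries."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            addr = fields[1].split("%", 1)[0]  # drop an IPv6 zone id (fe80::1%eth0)
            try:
                servers.append(ipaddress.ip_address(addr))
            except ValueError:
                continue  # not a valid IP address
    return servers


def classify_resolvers(servers, vpn_networks):
    """Sort resolvers into 'vpn', 'leak' (outside the VPN range) and 'unknown'."""
    nets = [ipaddress.ip_network(n) for n in vpn_networks]
    report = {"vpn": [], "leak": [], "unknown": []}
    for ip in servers:
        if ip.is_loopback:
            # A local stub resolver hides the real upstream; check its own config.
            report["unknown"].append(str(ip))
        elif any(ip.version == n.version and ip in n for n in nets):
            report["vpn"].append(str(ip))
        else:
            # Includes IPv6 resolvers when the VPN only covers IPv4.
            report["leak"].append(str(ip))
    return report


def check(text=SAMPLE_RESOLV_CONF, vpn_networks=VPN_DNS_NETWORKS):
    return classify_resolvers(parse_nameservers(text), vpn_networks)


if __name__ == "__main__":
    for verdict, addrs in check().items():
        print(f"{verdict:8s} {', '.join(addrs) or '-'}")
```

On a real host, pass the contents of /etc/resolv.conf to check(); an "unknown" loopback entry means the upstream servers are configured in the local stub resolver rather than in that file.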
In a nutshell, NAT acts as an extra security layer that filters unwanted, malicious inbound data packets; the kind of data often used by harmful botnets, which can discreetly exploit your computer or device. Many modern routers already have NAT configured. Likewise, all VPN providers who offer shared IP (as opposed to dedicated), already implement NAT on their network. In other words, NAT is running by default with all shared IP connections, translating many users’ own IPs into one shared address that becomes associated with your device after having connected to a standard VPN.
No, though some providers like PureVPN and VyprVPN offer additional protection.
Typically, local firewalls don’t block VPN services and no configuration is required. Certain firewalls may block VPNs (Avast, for example). If your VPN is blocked by a firewall, you’ll need to create the relevant exceptions in your firewall settings for VPN ports.
Monthly VPN subscriptions typically cost from $7-10. Longer billing cycles (i.e. 6 months and 1 year) are usually discounted.
Multiple device usage varies depending on your provider. Some services permit just one active connection at a time, while others allow up to 5. It’s often difficult to identify exactly how many multiple connections a provider permits, as this information is often buried in their FAQ and knowledgebase sections. This is why we’ve created a list of VPN services that allow the most simultaneous device connections under one subscription plan.
Some countries, like Iran, have officially outlawed the use of VPNs. In China, VPNs are not technically illegal, but are actively blocked by the government-enforced firewall.
Nowadays, VPN providers offer many payment alternatives, including options for anonymous transactions. The most common methods for anonymous payment include Bitcoin, Altcoins, Alipay, CashU, PaySafeCard, Gift Cards, as well as the traditional credit card options. TorGuard, for example, has 120 payment options.
This is a common problem in China. To resolve the issue, some providers offer mirror URLs for customers to be able to access their websites from restrictive locations. Another option is to look for a provider whose website is not currently blocked. Because of the vast range of VPN providers, there are often many alternatives from which to choose. We recommend taking a look at our in-depth guide to choosing a VPN for China.
Deep packet inspection (DPI) is used by authorities in countries such as China and Iran to sniff out and block VPN traffic at HTTP level. To help customers bypass this, VPN providers are actively implementing modified OpenVPN protocols with added obfuscation layers, which mask VPN traffic from the view of DPI crawls.
Another option is to change your DNS servers. By default, you are likely to be using Chinese DNS servers, provided by your ISP. These will definitely be worth changing as your location could still be exposed on Windows operating systems, even if you are connected to a VPN. First, check your DNS server location by running a very quick test on dnsleaktest.com. If the results point to China-based servers, you can switch them to public DNS servers like OpenDNS.
You can check your connection, as well as your IP location, at ip-api.com.
Each VPN provider is different so make sure you read the terms and privacy policy before connecting as certain unexpected restrictions may apply. In your service terms you will find criteria about misuse/prohibited use (or something similar). Typically, these criteria cover abuse, hacking, illegal behavior, and other prohibited activities.
In a nutshell, proxies will only change your virtual locations within the browser, while VPNs will change your virtual location on the entire device (or connection, if configured through a router), and will likewise encrypt your traffic in the process.
Like a VPN, Smart DNS, also known as DNS Proxy, SmartVPN and Smart DNS Proxy, allows users to access geo-restricted content by changing a user’s IP address. There are, however, important differences between VPNs and Smart DNS. While VPNs offer high levels of security and encryption to keep your activity private, Smart DNS offers no protection whatsoever, leaving your data exposed to monitoring from ISPs and others. Smart DNS does not implement encryption and uses little processing power; it is therefore faster than VPN and is nowadays the best choice of unblocking content and streaming purposes. See our guide to the best Smart DNS providers for more information.
Open source VPN software
OpenVPN
OpenVPN is an open-source software application that implements VPN techniques to establish point-to-point or site-to-site connections in routed or bridged configurations, as well as for remote access facilities. It uses a bespoke security protocol that utilizes SSL/TLS for key exchange. OpenVPN is capable of traversing network address translators (NATs) and firewalls.
OpenVPN clients are a good alternative to using a provider’s bespoke VPN client. OpenVPN clients are available for Windows, Mac OS X, Ubuntu/Linux, iOS and Android.
RetroShare
RetroShare is a private and secure communication and sharing platform that provides file sharing, instant chat, private messaging, forums, and channels. Retroshare is completely decentralized, meaning there are no central servers. It is entirely open-source and free and there are no ads or terms of service.
Router Firmware
pfSense
pfSense is free open-source software that provides FreeBSD for use as a firewall and router. The software is managed entirely via a web interface and includes numerous additional features and a package system, which allows further expandability without risking security vulnerabilities.
OpenWrt
OpenWrt is an embedded operating system based on the Linux kernel. Primarily, it is used on embedded devices to route network traffic. OpenWrt provides users with a fully writable filesystem and includes package management. This allows you to avoid the application selection and configuration provided by the vendor, meaning that you can customize your device using packages fit for any application.
DD-WRT
DD-WRT is a Linux-based open-source firmware suitable for various WLAN routers and embedded systems. DD-WRT is compatible with many routers, including the Linksys WRT54G series (which includes the WRT54GL and WRT54GS).
Tomato
Tomato is a partially free HyperWRT-based, Linux core firmware for a range of Broadcom chipset-based wireless routers, most notably the Linksys WRT54G (including the WRT54GL and WRT54GS), Buffalo AirStation, Asus Routers, and Netgear’s WNR3500L. Among its features the user interface makes use of Ajax as well as an SVG-based graphical bandwidth monitor.
Tomato VPN
Tomato VPN is based on the Tomato firmware mentioned above and includes a web GUI interface for creating VPN tunnels.
Advanced Tomato
AdvancedTomato is for users who want more interface features than the basic customizable options offered by Tomato. With AdvancedTomato, users can upgrade their router’s GUI to a clean and contemporary flat design.
EasyTomato
EasyTomato firmware was created by relief lab team members in post-earthquake Haiti to tackle excessive, uncontrolled use of low-bandwidth connections, which impeded operations at disaster relief sites and hospitals. It uses a drag-and-drop interface so network managers can quickly set up internet access rules to govern bandwidth consumption at specific times of day. EasyTomato is easy for anyone to set up and use and requires virtually no training.
Tomato Speed Mod
The Tomato Speed Mod is a modified version of Tomato 1.19, which aims to improve the router’s performance under high load (for multiple connections over 2000 or so).
Tomato by Shibby
Tomato by Shibby brings together the latest modifications of the original Tomato system. Modifications include torrent client integration with user-friendly GUI for configuration, NFS server integration, a new sd-idle tool to K26, support for USB 3G modems, SNMP protocol integration, APCUPSD integration, DNScrypt-proxy integration, and the possibility to change paths for system logs.
* There are many more Tomato forks available, including Toastman, Victek, and other forks that remain unconfirmed because their authors have not contributed their mod’s source code to the community. This is considered a violation of Tomato’s GPL and more restrictive GUI licenses. Some of these projects have enticing features, including dual-wan, but without being able to review their source code, it is not certain that their firmware does not contain anything malicious. Tomato advises users to avoid such firmware.
My Open Router
My Open Router is an online community for open source firmware, particularly NETGEAR routers, including the R6300, R6300v2, R7000, R8000, and support for firmware such as DD-WRT, Tomato, and OpenWRT. Their website includes forums, articles, downloads, a blog, and an online store.
ZRouter
ZRouter is a free BSD-based firmware for embedded devices.
There are always new firmware modifications being released and new forks that might be right for you. Keep an eye on the forums on the My Open Router platform for current details.
Should you have any further questions that aren’t addressed in our 101 guide, feel free to ask us using the comment section below.