VPN 101: Everything You Need to Know About Virtual Private Networks

Frequently Asked Questions

What is VPN and how does it work?

A VPN (virtual private network) establishes a secure internet connection between you (the user) and the internet service provider (ISP). Essentially, VPNs perform two important functions. Firstly, they allow you to change your IP address and web location by diverting your traffic via an anonymous VPN server, before it can reach your ISP. Secondly, as your traffic is re-routed via the new location, the VPN server encrypts that data, making it virtually impossible for anyone to decipher which websites you’ve visited or what you have downloaded. These functions make VPN an ideal solution for unblocking geographically restricted content, bypassing internet censorship and for regaining a safe and private browsing experience.

What are the main advantages to using a VPN?
  • Enhanced security: your data is encrypted meaning that it is kept private and confidential from the prying eyes of hackers, surveillance programs, ISPs and other third parties.
  • Online anonymity: having a VPN allows you to browse the internet in complete anonymity. In comparison to DNS or web proxies, VPNs grant user anonymity for web applications as well as websites.
  • Masked IP address: a VPN masks your IP address, which dupes websites and applications into thinking that you are located in a different country or location. This allows you to access regionally blocked services and content, as well as allowing you to bypass network filters.
  • Remote control: VPNs are especially useful for businesses since employees can securely access their network from a distance.
  • Share files: VPNs are a great way to share private and confidential files.
Do I need an internet connection to use VPN?

Yes, an internet connection is always required in order to establish a VPN connection.

Will VPN slow down my internet connection?
Technically yes, but how much depends on different factors, including what kind of encryption protocol is used, how fast the actual VPN server is, and how far the user is from the server. Sometimes, PPTP, L2TP/IPSec and OpenVPN protocols with 128-bit encryption on a well-performing server can give back near identical speeds to your ISP’s original bandwidth. However, when using 256-bit encryption keys on supporting protocols L2TP/IPSec or OpenVPN, speeds may decrease from anywhere between 5% to 50%. Again, reduction in speed depends on the server as well as its distance from the user’s location.

Nowadays, many VPN providers offer servers with gigabit port speeds, meaning if your original bandwidth is fast, for instance 50Mb+, the subsequent decrease in speed will hardly be noticeable during browsing or streaming.

How much bandwidth can I use when connected to a VPN?

This depends on your VPN provider, though most do not have limits on bandwidth usage. Check the service terms and conditions before beginning your subscription.

Which platforms and devices support VPN connections?

Platforms that support VPNs are Windows, Mac OS X, iOS, Android, and Linux (Ubuntu) and Chromebook. VPNs work on any compatible internet-enabled device, including smartphones and tablets (Android, iPhone, iPad, iPod, and Kindle Fire).

Can I run the VPN through my router?

Yes, but it depends on the make and model of your router. Routers must be equipped with either DD-WRT or Tomato firmware. To check if your router is DD-WRT compatible, search the DD-WRT database. Note that the original Tomato firmware is no longer being developed, however numerous, modified, open source versions are available.

Do VPN providers offer their own software?

VPN companies commonly offer their own bespoke clients and apps for Windows, Mac OS X, Android and iOS operating systems.

What is a TAP driver?

A TAP driver, or network tap, is a virtual network kernel device that is required to connect via the OpenVPN protocol on Windows. Normally, you don’t need to install the TAP driver separately as it will be included in the OpenVPN installation files.

What is the difference between VPN protocols?
Choosing a protocol depends on what you would like from your VPN. The main facets to consider are; reliability, security, performance, and ease of use. Currently, there are several protocols in use today, including the most popular OpenVPN, along with PPTP, L2TP/IPsec, SSTP and IKEv2. Bear in mind that not all VPN providers support all of these protocols, SSTP and IKEv2 being the notable exceptions, but most will support the other three.

PPTP and SSTP are proprietary protocols, while L2TP/IPsec and OpenVPN are open source protocols. PPTP is known for being fast, though it is very insecure and easy to block. Technically, L2TP/IPSec is secure, though it was allegedly compromised by the NSA and is often blocked by robust firewalls. OpenVPN is regarded as the most secure and is the most widely implemented protocol; it is often modified/enhanced by providers and can be very fast depending on encryption level and server response. What’s more, OpenVPN uses multiple ports and is capable of avoiding port blocking, though it may be slow due to opposing factors. SSTP is also very secure and is difficult to block, though usually it is fairly slow.

Open protocols are subject to peer review by the greater public. This public review process has proven to create a more secure product. On the other hand, proprietary protocols are often supported well by their corporations, but because of their confidential nature they may be vulnerable to unforeseen security flaws.

For a more in-depth comparison, have a read of our guide to VPN protocols.

Do VPN providers keep logs?
Most VPN providers officially claim that they do not keep traffic logs, however it’s always important to check the company’s privacy policy and location of their headquarters (in terms of jurisdiction). Genuine VPN providers should never keep traffic logs, however it is possible that when their service is misused, certain technologies may and do occasionally get used to identify the most malicious users.

Historically, it is common for VPN providers to keep basic connection logs (user’s IP address and VPN connection timestamps) for a period ranging from 2 days to 6 months or more. This also depends on the company’s local jurisdiction. If the provider is based in the European Union, it is likely that they must keep some logs to operate in accordance with the law. Surprisingly, companies in the United States are not obligated to keep logs, however may well be subject to backdoor surveillance.

There are a few VPN services today that have phased out even connection logs, making the user’s experience that bit more anonymous.

For more information, take a look at our guide to VPNs without logs.

What is VPN encryption and how does it work?
Encryption is the process by which data is encoded so that only a computer with the correct decoder can access that data. Data is encrypted and decrypted using a symmetric cipher algorithm. Essentially, data encryption provides users with a secure VPN tunnel whereby data is protected. There are, however, varying levels of encryption available depending on your needs. Default encryption for OpenVPN includes AES-128, SHA1, and RSA-2048, while maximum encryption includes AES-256, SHA256, and RSA-4096. Both OpenVPN and SSTP use SSL key libraries.

Data authentication is part of the encryption process and refers to the message authentication algorithm with which user data is authenticated. This is used to protect users from active security attacks. If you are not concerned about active attacks you can turn disable data authentication.

An encryption key tells your computer how to decrypt or encrypt data. The most common forms of encryption are symmetric-key encryption or public-key encryption. For symmetric-key encryption, all users share the same key, enabling everyone with the key to encrypt and decrypt data. For public-key encryption, each user has a public-private key pair. One user has a private key to encrypt data while another user has the corresponding public key to decrypt that data. One kind of symmetric-key encryption that is used by VPNs is called handshake encryption, which establishes a secure connection and verifies that your computer is communicating with a legitimate VPN server, rather than an insecure or harmful server. With handshake encryption there are different levels of security, including RSA-2048, RSA-3072, RSA-4096, ECC-256k1, ECC-256r1, and ECC-521.

Encryption is an integral component of VPNs because it ensures that data is only accessible to intended users, though VPNs rely on more than just a pair of encryption keys to encode data. This is why protocols are important. Protocols allow computers to determine what kind of data is being transfered and how secure the connection is between users. For example, a site-to-site VPN could use either internet protocol security protocol (IPSec) or generic routing encapsulation (GRE). GRE provides the framework for how to package the passenger protocol for transport over the Internet protocol (IP). For additional VPNs may be secured through obfuscation, which is a programming technique that deliberately obscures code, making it difficult to infiltrate for anyone other than the intended user. Ofuscation is used with the OpenVPN protocol and may be useful if your VPN is being blocked by your ISP.

What will my ISP see when I am connected to the VPN?
How much your ISP knows about your activity while connected to a VPN depends on the strength of your VPN encryption. Typically, ISPs would have to pay special attention to your activity to determine that you are using a VPN. If your data is obfuscated (more on this below) it will be more difficult for your ISP to monitor your activity.

Your ISP will be able to see that encrypted data is being sent to an endpoint, but they won’t be able to determine the nature of that data. Your ISP will also be able to see how much bandwidth you’re using, and if they are suspicious of your activity they can request access logs, though usually this requires a court order. And if your VPN provider truly does not keep logs, then a court order won’t have much use.

Which are the best VPN providers?

In order to identify the “best” VPN service, it’s important to know what you need the service for. We recommend checking out our detailed guide to recommended VPN services for a wide range of user-specific features and purposes to help you find the right provider for you.

What are the key differences between free and paid VPN services?
Free services are likely to offer slow bandwidth and limited server range. Also, it’s highly likely that free services make their money through other means, which may compromise their users’ confidentiality, as was the case with Hola, which began selling its users bandwidth without clear consent.

VPNGate (vpngate.net) is a free service described on their website as “an academic experiment”. Since it is run by Japanese university students it is unlikely to be a permanent service and bandwidth is likely to be slow. Also, according to their privacy policy, your source IP address will be logged on the destination web server.

A legitimate and reliable paid VPN service offers several advantages, including a much more private environment, authentic guarantees, faster speeds, more servers, more extra features and add-on services, as well as being less likely to log traffic or connection logs.

What is the difference between Dynamic and Static IP VPNs?
When a VPN switches an IP address to a new location, users are either assigned a dynamic (or shared) IP or a static (dedicated) IP. The large majority of VPN customers use shared IP addresses, as this is by far the most common variant of the two. Nearly all personal VPN providers primarily offer subscriptions with access to dynamic IPs.

There are pros and cons to both shared and dedicated IPs. Shared IPs provide greater anonymity for public wifi hotspots since they automatically implement NAT, as well as offering a much wider range of shared IPs than dedicated IPs. On the down side, shared IPs can get abused by other users on the network, through activity such as spamming and hacking. The first can lead to certain websites banning this IP altogether, meaning you won’t be able to access the site via that particular server. The latter depends more on your VPN provider’s commitment to safeguarding your privacy, but if that isn’t the case, illegal hacking and similar malicious activity by one individual can attract the attention of the authorities, who ultimately can force your provider to discreetly provide access for monitoring traffic on your favourite server, or the entire network for that matter. To avoid this, ensure to use a service that does not keep traffic logs, and demonstrates their devotion to customers by being headquartered in an advantageous location.

Dedicated IPs are a better choice for users who prefer not to share any network with other users and only wish to use dedicated servers with a static IP. This unique IP will not be applied to anyone else’s device but theirs. Likewise, this option bears an element of exclusivity and is almost always more expensive than a standard, shared VPN plan. Unlike their dynamic counterparts, static IPs are capable of accessing ports that may initially be blocked by the ISP or local network administrator. Dedicated IP addresses use their own ports, aiding users in countries where block blocking is a common occurrence, like in China. With dedicated IPs, it is down to your own activity as to whether or not the IP gets blacklisted so you don’t have to worry about the behavior of others users on the server. That said, the range of dedicated IPs is more limited than shared IPs and if the provider turns out to be untrustworthy, your own traffic will be easily identifiable. For more information on the difference between dynamic and static IP addresses, take a look here.

What is a DNS server?
Domain Name System (or DNS) servers allow computers to exchange internet data when moving between websites. Its primary responsibility is to turn domain names such as bestvpnz.com into an IP address like “192.168.1.1” in order for computers to correctly identify a website’s location.

Essentially, DNS is a navigation system that your computer or mobile device uses to reach the right destinations online. The process can be fully referred to as DNS name resolution and it applies when attempting to reach a website as well as when sending an email. It is in fact possible to reach a website by inputting its IP address in the URL bar, however, you will probably feel overwhelmed if you try to save all of the different IP addresses of your favourite sites. Moreover, some websites can change their IPs while others have multiple IPs assigned to a single domain; this is why unique website domains are much more memorable and easier to use.

What are DNS leaks and how to prevent them?
DNS leaks occur because of a fundamental flaw in the Windows operating system (and occasionally Mac and Linux). A standard VPN connection is configured to mask your default IP address, based on the virtual server’s location, but despite having routed your traffic via a different server, Windows operating systems have a tendency to continue contacting websites using your original DNS server and IP address. Unquestionably, this poses a serious risk to your online security, anonymity and, of course, voids much of the usefulness behind your VPN.

One of the best resources for testing your device for DNS leaks is dnsleaktest.com. Simply go to the website and run either the ‘Simple’ or ‘Extended’ test (for our example, we chose ‘Extended’). The test will complete itself within a few seconds, and if the results display the IP and location of your VPN, as our own result shows below, your computer and VPN are functioning properly.

By far the quickest and easiest way to prevent DNS leak is by using a VPN client with built-in DNS protection. Not many providers offer this, however services like Private Internet Access, VyprVPN and PureVPN have long featured this function in their apps. For more information opn how to detect and prevent this, have a read of our guide on how to fix and prevent DNS leaks.

What is a NAT Firewall?
NAT stands for Network Address Translation, and by definition is an internet standard that allows local area networks (LAN) to use one or more IP addresses for internal traffic, while using a set of different IPs for external traffic. In the process, a bridge is created in the middle, essentially converting the original internal IP addresses. Quite often, NAT is mistakenly referred to as a “firewall“, however it technically isn’t one. A firewall is designed to block connections, whereas NAT works by mapping (or translating) IP addresses.

In a nutshell, NAT acts as an extra security layer that filters unwanted, malicious inbound data packets; the kind of data often used by harmful botnets, which can discreetly exploit your computer or device. Many modern routers already have NAT configured. Likewise, all VPN providers who offer shared IP (as opposed to dedicated), already implement NAT on their network. In other words, NAT is running by default with all shared IP connections, translating many users’ own IPs into one shared address that becomes associated with your device after having connected to a standard VPN.

Does using a VPN protect me against viruses, malware and spyware?

No, though some providers like PureVPN and VyprVPN offer additional protection.

Do I need to configure my firewall for the VPN to work?

Typically, local firewalls don’t block VPN services and no configuration is required. Certain firewalls may block VPNs (Avast, for example). If your VPN is blocked by a firewall, you’ll need to create the relevant exceptions in your firewall settings for VPN ports.

How much does a good VPN service typically cost?

Monthly VPN subscriptions typically cost from $7-10. Longer billing cycles (i.e. 6 months and 1 year) are usually discounted.

Can I use my VPN account on multiple devices simultaneously?

Multiple device usage varies depending on your provider. Some services permit just one active connection at a time, while others allow up to 5. It’s often difficult to identify exactly how many multiple connections a provider permits, as this information is often buried in their FAQ and knowledgebase sections. This is why we’ve created a list of VPN services that allow the most simultaneous device connections under one subscription plan.

Are VPN services legal to use?
Legitimate VPN providers, including all services reviewed on our website, are registered businesses in their respective jurisdictions. It is not illegal to use VPNs. However, abusing a VPN service with illegal online activity is likely to result in suspension of your account, while more serious cases could even prompt police investigations and monitoring of VPN traffic to identify the perpetrator. Traffic logging is rare, but can happen in individual cases, depending on the provider in question.

Some countries, like Iran, have officially outlawed the use of VPNs. In China, VPNs are not technically illegal, but are actively blocked by the government-enforced firewall.

Can I pay for VPN anonymously?

Nowadays, VPN providers offer many payment alternatives, including options for anonymous transactions. he most common methods for anonymous payment include Bitcoin, Altcoins, Alipay, CashU, PaySafeCard, Gift Cards, as well as the traditional credit card options. TorGuard, for example, has 120 payment options.

What can I do if a VPN provider's website is blocked from my location?

This is a common problem in China. To resolve the issue, some providers offer mirror URLs for customers to be able to access their websites from restrictive locations. Another option is to look for a provider whose website is not currently blocked. Because of the vast range of VPN providers, there are often many alternatives from which to choose. We recommend taking a look at our in-depth guide to choosing a VPN for China.

What is Deep Packet Inspection?
Deep Packet Inspection (DPI), also called complete packet inspection, information extraction or IX, is a process of filtering that inspects data for viruses, malware, spam, or intrusions, though it is used by ISPs, government agencies, and hackers to monitor and retain all of the data transmitted to and from your computer, including confidential and private information.

DPI is used by authorities in countries such as China and Iran to sniff out and block VPN traffic at HTTP level. To help customers bypass this, VPN providers are actively implementing modified OpenVPN protocols with added obfuscation layers, which masks VPN traffic away from view of DPI crawls.

What to do if the VPN connection keeps getting blocked?
If a connection is getting blocked repeatedly, try configuring the connection using the OpenVPN TCP protocol (primary) or SSTP, or you can use different VPN ports. If you are regularly using the internet in China, your VPN provider must absolutely offer the OpenVPN TCP and SSTP protocols as part of your account package. These protocols are by far the most reliable and involve the highest grade of data encryption. OpenVPN is the overall better choice for speed and is capable on listening on numerous ports (e.g. TCP port 443). On the other hand, SSTP is traditionally more stable, though performance will have to be sacrificed.

Another option is to change your DNS servers. By default, you are likely to be using Chinese DNS servers, provided by your ISP. These will definitely be worth changing as your location could still be exposed on Windows operating systems, even if you are connected to a VPN. First, check your DNS server location by running a very quick test on dnsleaktest.com. If the results point to China-based servers, you can switch them to public DNS servers like OpenDNS.

How to check if my VPN connection is working?

You can check your connection, as well as your IP location, at ip-api.com.

Can I use VPN to hide torrent/P2P traffic?
This is a bit of a grey area. Each VPN provider is different when it comes to carrying torrent traffic. Most services have designated servers specifically for torrenting, while others officially allow torrent transfers on all endpoints, though it is likely that they themselves use IP spoofing to redirect traffic via another country so they are less likely to receive DMCA requests from content owners. Note that some services strictly forbid BitTorrent activity.

What are common Dos and Don'ts when using a VPN?
For each VPN first check your terms of service and privacy policy, which govern your usage of a specific plan. Most VPN contracts prohibit any non-individual use or multiple-party use, including sharing a login between people and simultaneous logins from multiple IP addresses, often with the exception that an individual can have up to two (in some cases, up to five) active connections to the network per account, mostly, to allow for mobile device use, but the connections are prohibited to be used by anyone but the account holder. Any agreement you take out is personal to you, and you may not resell VPN services or permit other users access to these services through your account.

Each VPN provider is different so make sure you read the terms and privacy policy before connecting as certain unexpected restrictions may apply. In your service terms you will find criteria about misuse/prohibited use (or something similar). Typically, these criteria cover abuse, hacking, illegal behavior, and other prohibited activities.

VPN vs Proxies
Both proxies and VPNs re-route your internet traffic and mask your IP address, though there are key differences between the two. A proxy is more of a web filter in that it only applies the proxy server settings to your activity while using a browser. By contrast, a VPN encrypts all inbound and outbound traffic, including browsing activity, programs, and applications. What’s more, proxies are not compatible with certain web pages that use non-browser technology, including Comedy Central, Zatoo, Fox OD, and Sky Player. VPNs, however, operate with all internet-based services.

In a nutshell, proxies will only change your virtual locations within the browser, while VPNs will change your virtual location on the entire device (or connection, if configured through a router), and will likewise encrypt your traffic in the process.

VPN vs Smart DNS

Like a VPN, Smart DNS, also known as DNS Proxy, SmartVPN and Smart DNS Proxy, allows users to access geo-restricted content by changing a user’s IP address. There are, however, important differences between VPNs and Smart DNS. While VPNs offer high levels of security and encryption to keep your activity private, Smart DNS offers no protection whatsoever, leaving your data exposed to monitoring from ISPs and others. Smart DNS does not implement encryption and uses little processing power; it is therefore faster than VPN and is nowadays the best choice of unblocking content and streaming purposes. See our guide to the best Smart DNS providers for more information.


Open source VPN software

OpenVPN

OpenVPN is an open-source software application that implements VPN techniques to establish point-to-point or site-to-site connections in routed or bridged configurations, as well as for remote access facilities. It uses a bespoke security protocol that utilizes SSL/TLS for key exchange. OpenVPN is capable of traversing network address translators (NATs) and firewalls.

OpenVPN clients are a good alternative to using a provider’s bespoke VPN client. OpenVPN clients available for Windows, Mac OS X, Ubuntu/Linux, iOS and Android.

RetroShare

RetroShare is a private and secure communication and sharing platform that provides file sharing, instant chat, private messaging, forums, and channels. Retroshare is completely decentralized, meaning there are no central servers. It is entirely open-source and free and there are no ads or terms of service.

Router Firmware

pfSense

pfSense is free open-source software that provides FreeBSD for use as a firewall and router. The software is managed entirely via a web interface and includes numerous additional features and a package system, which allows further expandability without risking security vulnerabilities.

OpenWrt

OpenWrt is an embedded operating system based on the Linux kernel. Primarily, it is used on embedded devices to route network traffic. OpenWrt provides users with a fully writable filesystem and includes packet management. This allows you to avoid the application selection and configuration provided by the vendor, meaning that you can customize your device using packages fit for any application.

DD-WRT

DD-WRT is a Linux-based open-source firmware suitable for various WLAN routers and embedded systems. DD-WRT is compatible with many routers, including the Linksys WRT54G series (which includes the WRT54GL and WRT54GS).

Tomato

Tomato is a partially free HyperWRT-based, Linux core firmware for a range of Broadcom chipset-based wireless routers, most notably the Linksys WRT54G (including the WRT54GL and WRT54GS), Buffalo AirStation, Asus Routers, and Netgear’s WNR3500L. Among its features the user interface makes use of Ajax as well as an SVG-based graphical bandwidth monitor.

Tomato VPN

Tomato VPN is based on the Tomato firmware mentioned above and includes a web GUI interface for creating VPN tunnels.

Advanced Tomato

AdvancedTomato is for users who want more interface features than the basic customizable options offered by Tomato. With AdvancedTomato, users can upgrade their router’s GUI to a clean and contemporary flat design.

EasyTomato

EasyTomato firmware was created by relief lab team members in post-earthquake Haiti to tackle excessive, uncontrolled use of low-bandwidth connections, which impeded operations at disaster relief sites and hospitals. It uses a drag-and-drop interface so network managers can quickly set up internet access rules to govern bandwidth consumption at specific times of day. EasyTomato is easy for anyone set up and use and requires virtually no training.

Tomato Speed Mod

The Tomato Speed Mod is a modified version of Tomato 1.19, which aims to improve the router’s performance under high load (for multiple connections over 2000 or so).

Tomato by Shibby

Tomato by Shibby brings together the latest modifications of the original Tomato system. Modifications include torrent client integration with user-friendly GUI for configuration, NFS server integration, a new sd-idle tool to K26, support for USB 3G modems, SNMP protocol integration, APCUPSD integration, DNScrypt-proxy integration, and the possibility to change paths for system logs.

* There are many more Tomato forks available, including Toastman, Victek, and other unconfirmed forks because authors have not contributed their mod’s source code to the community. This is considered a violation of Tomato’s GPL and more restrictive GUI licenses. Some of these projects have enticing features, including dual-wan, but without being able to review their source code, it is not certain that their firmware does not contain anything malicious. Tomato advises users to avoid such firmware.

My Open Router

My Open Router is an online community for open source firmware, particularly NETGEAR routers, including the R6300, R6300v2, R7000, R8000, and support for firmware such as DD-WRT, Tomato, and OpenWRT. Their website includes forums, articles, downloads, a blog, and an online store.

ZRouter

ZRouter is a free BSD-based firmware for embedded devices.

There are always new firmware modifications being released and new forks that might be right for you. Keep an eye on the forums on the My Open Router platform for current details.


Should you have any further questions that aren’t addressed in our 101 guide, feel free to ask us using the comment section below.

Leave a Comment