Choosing the best VPN provider

How does a VPN protect online privacy?

A VPN is a third party service that encrypts and reroutes your internet traffic through their server(s) before accessing the public web. As your data passes through the VPN server, your IP address is replaced with the VPN’s.

This adds some privacy protections to whatever you’re doing online.

As we will see, the degree of your privacy and the security of your data ultimately depends on the VPN service being used. This article will answer some of the big questions users should have about VPNs and privacy:

• What is the business model of a VPN?
• How is your data encrypted?
• How many servers does the VPN use?
• How is your traffic data and metadata stored by the VPN?
• Are their servers secured against attacks and breaches?
• Will the VPN hand your traffic data over to third parties?

Different VPN architectures

Not all VPNs are built the same: they have different architectures, or physical infrastructures facilitating the way user data is routed. Here are the main things to consider.

Single or multi-hop routing?

Most VPNs use a single server to route traffic through before reaching the web. Multi-hop VPNs provide more privacy by routing traffic through multiple servers, making tracking harder. However, traditional VPNs offering multi-hop often control both servers, reducing privacy benefits.

Centralized servers

Centralization concerns how your data is handled once in the hands of the VPN provider. Most VPN services own and operate their own servers, or they rent them from third-party services. Logs or records of your online activities can be stored in a single physical space, as will the financial records linking your payment to their VPN service. Note that all single-server VPNs are by definition centralized regardless of their logging policies.

Why is this a problem? Because the centralized data storage of millions of users’ IP addresses, traffic data, and payment records is a prime target for cyber criminals, censoring authorities, data brokers, and government agencies looking to acquire mass amounts of user data for their own purposes.

Decentralized VPNs (dVPNs)

To address this risk of data centralization, new types of VPNs have been designed to use decentralized networks of independent relay servers. dVPNs are multi-hop by default (usually only 2 hop). But there are no centralized servers where user data is logged. This bypasses the risks of central points of attack and failure, significantly increasing the security of user data.

It’s also worth learning about hardware vs. software VPNs, as the architecture of the VPN—whether physical or virtual—can affect not only performance and scalability but also the level of control and transparency users have.

DNS leak protection

A DNS leak happens when traffic goes through your ISP instead of the VPN, exposing your activity. DNS translates web addresses (e.g., "nymvpn.com") into numerical IPs, typically handled by your ISP.

A misconfigured VPN may let DNS requests bypass encryption, risking exposure to hackers. To prevent this, use VPNs with their own DNS servers.

Multi-server network

As we saw, mainstream VPNs are single-server routing systems. If you’re looking for increased privacy, look for VPNs that provide multi-server options. Even better, choose a dVPN service that is multi-hop by default and without additional charges. Also check where in the world a VPN’s servers are located, as this can be important for avoiding censorship restrictions or for accessing location-based content (e.g., while streaming).

Foreign-based servers

Ultimately, data that is routed through one or more foreign-based servers will be more difficult to track than a single-server based in one’s own country. This is because VPN providers are more easily subject to regulations in their own state jurisdictions. However, with political systems of mass surveillance, many government agencies are now internationally cooperting.

Split tunneling

Split tunneling is a specialized VPN feature that allows users to configure what traffic passes through the VPN and what bypasses it. This is an important tool to deal with the latency issues that VPN multi-hop routing might cause. Users can configure what traffic (like web browsing or email) use the more secure VPN route and which activities (like gaming) bypass the VPN altogether.

Kill switch

A kill switch is a crucial modern VPN feature. If your VPN connection drops, even for a second, your data in transit might be at risk. A kill switch disables your internet connection immediately if the VPN connection is interrupted. However, not all VPNs have kill switches.

Ad/malware blocking

Some VPNs provide additional ad or malware blocking tools, such as prohibiting attempts from known advertisers and malicious IPs from connecting with your device while the VPN is activated.

Performance considerations in choosing a VPN

At Nym, we know that maximizing privacy features is crucial, but that this is sometimes at the cost of performance. So here are the key performance issues to keep in mind when choosing a VPN provider.

Internet speed

Since VPNs require an additional hop (or more) for your internet traffic, you should consider how fast you need your connection or particular traffic to be. Users can sometimes experience latency while using a VPN. For example, for gaming or streaming, users might choose a single-hop over a multi-hop VPN, or choose a decentralized VPN like NymVPN with WireGuard to optimize connections.

Users can also test the speed of a VPN provider by using one of the available speed test tools online. We advise to first connect without the VPN to establish a baseline before testing the connection with the VPN to see the difference in speed.

Device support

It’s important to check whether a VPN is compatible with the device(s) you need it for. Some VPNs might provide only desktop support, but not have a mobile app to protect the data on your smartphone, or be compatible with router installation to protect all the devices using your home network.

Cost

Like all products, VPN services range in price depending on the security and privacy features they provide. These can range from many “free” VPN services (again, a huge privacy risk) to VPNs providing international multi-hop server networks and advanced features. Not all users will need these advanced features, but if you are concerned with your privacy in general, choosing a decentralized VPN is currently the best VPN architecture on the market.

Location-based services

VPNs can be useful in gaining access to location-based content, such as a country’s particular streaming services. However, some VPNs might be blocked by certain web services, preventing you from accessing their contents while using the VPN. Some countries might even block the use of certain VPNs altogether. So if you’re looking to bypass censorship restrictions, choosing certain VPN providers not currently on national ISP blacklists is another factor.

How to verify a VPN’s privacy record

With advancements in encryption on the public web, traffic and metadata logging and analysis is really the biggest privacy risk we face. But this can be avoided by choosing a VPN provider whose decentralized design takes data logging out of the equation and which makes traffic analysis exceedingly difficult.

What is their privacy policy?

Look for and read the VPN provider’s privacy policy on their logging practices. If they do not commit to not keep logs of user traffic, turn the other way. If they do promise no- or zero-logs, check whether they mention metadata, since many VPN providers will likely keep metadata logs for operational purposes. The best option is choosing a VPN that is structurally incapable, as NymVPN was designed, of keeping centralized logs at all.

Where is the company based?

VPN providers must follow the laws of their host country, which can impact privacy, censorship, and surveillance. Some countries blacklist VPNs, while others grant broad surveillance powers, forcing VPNs to comply with data requests. Nationally-based VPNs have little recourse if authorities demand server access or user data. Even if a VPN claims no logs, trusting this can be risky. Decentralized VPNs offer a more secure alternative, free from government control.

Have they leaked data before?

Data breaches are regular occurrences across the whole web, wherever valuable digital data is centralized. VPN providers are no exception, with their potential logs of mass user traffic logs and financial records. Knowing whether a VPN provider has a history of data leaks requires some research. You can start by simply searching the VPN service provider’s name with “data leaks” and “data breaches.”

Have they been involved in court cases?

Many VPN services can be compelled by court order to hand over traffic logs (though they may not reveal anything about users if no logs, or minimal logs, are kept). Some VPNs have been or are being sued by privacy groups for violating the privacy of their users in making available or selling user data to third parties. Researching the legal history behind a company can give you a good picture of their true privacy commitments beyond their promotional guarantees.

Do they use third-party security audit reports and transparency reports?

To provide clients with increased confidence regarding their no-logs policies, some companies have their databases audited by third-party security firms. This can provide some public confirmation that the privacy commitments of the company are followed through on, and that there is no user traffic data on drives that would be at risk. Companies can also employ pin testers to audit the security of their databases against cyber attacks and data breaches.

Are they using outdated and vulnerable VPN protocols like PPTP?

Point-to-Point Tunneling Protocol (PPTP) is an early and outdated encryption protocol which is no longer used by most reputable VPN providers, and which can pose security risks for users. Check whether the VPN provider is using state-of-the art protocols like WireGuard and industry standard ones like OpenVPN or IKEv2/IPsec.

Do they have a diskless, RAM-only server infrastructure?

Most traditional VPN run their servers on hard drives or solid state drives. This means that user data is recorded and retained on disk. Privacy focused VPN providers can use diskless (or RAM-only) servers. This means that when the server is powered off, all data on the Random Access Memory (RAM) server is erased without the possibility of recovery. This can greatly diminish the risks posed by data breaches, and can even increase performance speeds for user traffic.

Need the best VPN provider for privacy? Go Nym

All things considered, if genuine online privacy is your concern, then paying for a decentralized VPN is the way to go. There are simply too many risks with traditional VPNs and their centralization of user data.

But multi-hop routing can cause latency issues. For this reason, NymVPN has been designed to give users a choice for how much protection they need online, when, and for what kinds of traffic:

• You can select between a 2-hop mode for faster connection with more robust privacy than any traditional single-server VPN on the market can provide
• Or an unparalleled 5-hop mixnet mode for highly sensitive traffic (like private email apps or crypto transactions).

Whatever VPN provider or type of VPN you’re considering, don’t choose blindly. Not all services with the same name provide the same quality of privacy protection, and some provide the complete opposite. If you truly need online anonymity, sincerely consider how decentralized networks can help.