SoftwareLab.org is an independent software testing company. To keep our information free to access, we may earn a referral commission when you make a purchase using one of the links below. In doing so, you are supporting independent testing, for which we are grateful.
Top 5 – The Best VPN for your Windows PC
What is a VPN? A VPN allows you to browse the web securely and anonymously, without being tracked. You can download torrents safely, unblock Netflix, avoid censorship in China, and use public WiFi networks without risk. A VPN does this by masking your IP address and encrypting your internet connection. In short, by using a VPN, you’ll be safe online.
What is the best VPN? CyberGhost and NordVPN are the best options all-round. They are fast, secure, fairly priced, and each have millions of users. CyberGhost allows you to protect 7 devices, where NordVPN allows you to protect 6. If you need to protect even more devices, have a look at ZenMate or Surfshark. Both allow you to install the VPN on an unlimited number of gadgets. Finally, if you want excellent antivirus software and a VPN in one, Norton is your best bet.
Why do we not recommend ExpressVPN? ExpressVPN is great. It’s fast, secure and beautifully designed. But frankly, it’s too expensive and only allows you to install it on 3 devices. CyberGhost and NordVPN are just as fast, secure and beautiful. But they are better priced, and allow you to protect more devices.
All VPN below work with Windows, Mac, Android and iOS
How we test: Privacy & security
Below, we briefly explain why privacy is the most crucial factor for a VPN, how you’re being tracked, and how a VPN changes this.
If you’re already familiar with what a VPN is and how it works, skip on to the part “Is a VPN 100% secure?”.
It’s all about privacy
If you’re like most people, the primary reason why you get a VPN is to protect your privacy. And you have more than enough reasons to do so:
- Internet Service Providers (ISP) are spying on you and selling your data.
- Governmental agencies are conducting mass surveillance.
- Hackers are stealing your data on public WiFi hotspots and networks.
- Advertisers are tracking and selling your identity and location.
In the end, it all boils down to privacy. So you want your VPN to have this part covered perfectly. No exceptions or compromises allowed.
To understand which VPN do their job well, it helps to understand the basics of how you’re being tracked and how a VPN stops this.
How are you tracked?
When you visit a website or use an online service, you actually connect to a network owned by an ISP, which in turn connects you to the website or service.
This is true at home, where you connect through your own ISP, as well as in a cafe or other public place, where you connect through the ISP of the cafe.
If you are not using a VPN, everything you do online can easily be analyzed, stored, and sold by the ISP that owns the network you are using, or by any hacker able to get into the data stream through a man-in-the-middle attack.
How does a VPN change this?
When you connect to a VPN, your data is sent through an encrypted tunnel, often referred to as a VPN tunnel. This means that your data is encrypted as it passes through the ISP’s network on its way to the VPN server. The VPN server then connects to the website or online service on your behalf.
This solves a few security and privacy issues:
- The ISP only sees gibberish. As the data that arrives at your ISP is encrypted, it has no idea what you’re doing online. It doesn’t see what websites you’re visiting, the services you’re using, or data you’re transferring.
- The same goes for any hacker that was able to hack the data stream between you and the website. The hacker now also only sees an encrypted and unusable data stream.
- The website or online service you are using sees the VPN as the origin of the traffic, not you. This makes it more difficult for them to create a consumer profile and send you targeted advertisements that follow you around the internet.
Is a VPN 100% secure?
That is possible, but not always the case. It depends on the policy of the VPN provider, the technology it uses, and the jurisdiction it is incorporated in. And these are exactly the elements which we test.
What part of the VPN provider do we test?
We test 7 different elements in our Privacy and Security test:
1. Logging Policy
What do we test for:
We analyze the logging policy of every VPN provider and check exactly what data they collect on you. The less data collected, the better the score.
So what is a logging policy and why does it matter?
Remember why you got a VPN in the first place? Privacy.
Well, logs are data VPN providers could store about you and your online activity. Some VPN providers have a zero-log policy and collect (almost) no data, and some collect enough data to create complete user profiles. And the latter is, of course, exactly what we don’t want.
The range of logs a VPN provider could store include:
- User data
- Device and browser used
- Originating IP Address
- Payment information
- User activity data
- Bandwidth data
- Connection dates, times and durations
- Browsing history
- Server performance data
As you can see, in the worst case, this can be pretty much the same data an ISP collects. Combining, for instance, your credit card data with your browsing history allows a VPN provider to create a very accurate profile on you.
Luckily, none of the top VPN providers in our comparison do that. In fact, the very best, such as ExpressVPN and NordVPN, only collect data to optimize their service to you. They don’t collect any sensitive data such as browsing history or originating IP address.
In a recent interview with the CDT (Center for Democracy and Technology), ExpressVPN explained the data they collect and closed with the comment: “None of the data enable ExpressVPN or anyone else to match an individual to specific network activity or behavior.” In other words: It doesn’t collect any sensitive information on you.
2. Jurisdiction
What do we test for:
We check in what country the VPN provider, or its parent company, is incorporated, and how invasive that government’s policy is on consumer data collection and net neutrality. The less invasive the government’s policy, the better the score.
So what is a jurisdiction and why does it matter?
In this context, a jurisdiction is a country.
Like every other company, a VPN provider is bound to the rules and regulations of the country it is incorporated in. And this can have serious consequences.
Depending on the country, a VPN provider can be forced by the court to hand over data logs or entire servers. For instance, in the United States, a governmental agency can use a National Security Letter to demand that companies hand over customer data, like phone, internet, and banking records.
And to make matters worse, the reach of a government can extend beyond its own borders through international agreements.
A good example of this international reach is the UKUSA agreement. This agreement, between the USA, UK, Australia, New Zealand, and Canada, was created to share intelligence between the security services of the countries. This group is also known as the Five Eyes.
The agreement between these countries states that they will not spy on each other. However, leaks exposed by Snowden show that this simply isn’t true. Both the British spy agency GCHQ and their American counterpart the NSA collect and share large amounts of intelligence on each other’s citizens.
For privacy-sensitive users, it is therefore not recommended to use a VPN provider incorporated in the US, UK or a partner country. A safer bet is either ExpressVPN or NordVPN, which are incorporated in the British Virgin Islands and Panama.
3. VPN Protocols
What do we test for:
We analyze which protocols are offered by the VPN provider, which protocol is the default, and how easy it is to switch between protocols. The more secure the default protocol, the better the score.
So what is a VPN protocol and why does it matter?
A VPN protocol determines how data is transmitted over a VPN connection. There are several protocols out there, and all have different specifications. Some might prioritize speed, where others emphasize security.
Perhaps obvious, but worth mentioning, is that VPN protocols don’t play well together. When the VPN app on your device, called a VPN client, connects to a VPN server, the two must use the same protocol. Otherwise, the connection won’t work.
The short story about VPN protocols is that OpenVPN is the most used and highly secure, but that SSTP is very solid too. Best to avoid the old PPTP, and IKEv2 and L2TP/IPsec, which are potentially hackable by the NSA.
If you’d like more detail on each protocol read on. Otherwise, skip ahead to encryption.
OpenVPN. Overall the best and most used protocol available. It’s open source, highly secure, supports the practically unbreakable AES-256 encryption, and can be used by just about everything: Windows, MacOS, Linux, iOS, Android, routers and more. Read more on Wikipedia.
SSTP. A protocol developed by Microsoft, and fully integrated with every Windows operating system since Vista Service Pack 1. This allows SSTP to be used with Winlogon, a smart chip, which provides additional security. It uses 256-bit SSL key for
L2TP / IPSec. L2TP, which stands for Layer 2 Tunnel Protocol, is the successor to the PPTP protocol by Microsoft and the L2F protocol by Cisco. As it doesn’t provide any encryption itself, it is bundled with security protocol IPSec. Combined, they form a very secure protocol using AES-256 encryption. There are leaks, however, that suggest the NSA might be able to crack IPSec. Perhaps best to avoid this protocol. Read more on Wikipedia.
IKEv2 (Internet Key Exchange, Version 2). Also developed by Cisco and Microsoft. IKEv2 is a tunneling protocol, and often paired with IPSec for encryption. It is frequently used in mobile VPN, due to its capability of reconnecting after a temporary loss in connection or a network switch. The Snowden documents suggest the NSA is capable of cracking IKEv2 as well. Might be best to avoid this one too. Read more on Wikipedia.
PPTP. PPTP, which stands for Point-to-Point Tunneling Protocol is the oldest one of the bunch. Although still used sometimes, most VPN have switched to more modern solutions. Overall it is considered
4. Encryption
What do we test for:
We analyze the encryption standard used by the VPN provider. The more secure the encryption, the better the score.
So what is encryption and why does it matter?
The basic concept of encryption is the following: You take regular data and transform it using a secret code (called a key) into unreadable gibberish. Then you send this gibberish to a receiver who has the key to transform it back into regular data.
In today’s digital world, we use the AES algorithm (Advanced Encryption Standard) to encrypt and decrypt data. This algorithm can use different key lengths to encrypt the data; the most commonly used within the VPN industry are AES-128 and AES-256. Although AES-256 is the more secure of the two, it is generally accepted that AES-128 is already unbreakable.
And the AES technology is not unique to VPN technology. Compression tools such as Winzip use it, encryption software like BitLocker uses it, password managers like LastPass use it, and, of course, messenger apps such as Whatsapp use it. It is everywhere.
If you would like to learn more about AES, we recommend this article or YouTube video.
5. Own DNS Servers
What do we test for:
We analyze whether the VPN provider uses its own DNS servers, or uses third parties’ DNS servers. If it uses its own, the score is better.
So what is a DNS server and why does it matter?
To understand why this matters, we’ll guide you through the basics. We’ll explain what a domain name is, what a DNS is, and why it’s important that a VPN provider uses its own DNS servers.
What is a domain name?
When we humans browse the internet, we visit websites by typing in their domain name in our browser. For instance google.com or facebook.com.
Browsers, however, don’t visit domain names. They visit Internet Protocol (IP) addresses, which are long strings of numbers used to identify websites. Numbers too long for us to remember.
So we need a system to translate domain names into IP addresses. This is where the DNS comes in.
What is DNS?
DNS stands for domain name system. It can be seen as the phonebook of the internet. Just as a phone book provides the phone number for a person, the DNS provides the computer-friendly IP address for a domain name.
Your browser then knows which resource you want to load and sends you to the right website.
What is a DNS server?
A DNS server, also known as a name server, is the server that contains a huge database with domain names and IP addresses. Its job is to look up the correct IP address belonging to the domain name you just typed into the browser.
So why should a VPN have its own DNS servers?
By handling your DNS request the VPN provider makes sure it is handled by the same tunneling protocol and encryption as your internet traffic. Your DNS request can therefore:
- Not be censored by governments or organizations through the interception of your DNS request.
- Not be hacked or manipulated to redirect you to phishing or scam websites.
- Not be logged by a third party which could store the websites you visit, when you do so and from where you do so.
In short: Exposed DNS requests can put your security and privacy at risk.
6. Kill Switch Test
What do we test for:
We analyze whether the VPN provider has a kill switch and we test whether it works properly. If available and functioning, the score is better.
So what is a kill switch and why does it matter?
A kill switch is a safety feature on a VPN that automatically stops your internet connection when the encrypted VPN connection fails. It will block all incoming and outgoing data streams until the VPN connection returns.
It is an important feature for a VPN, as your device will likely try to reconnect when the encrypted VPN connection fails, and expose your online activity.
Of the VPN we tested, ExpressVPN, CyberGhost, NordVPN, Hotspot Shield Elite, and Private Internet Access had a kill switch. Norton Secure VPN and Panda Dome did not.
We simulated a sudden loss in the encrypted connection by unplugging the network cable, and plugging it back in after 60 seconds. As expected, only the VPN with a kill switch did not leak the originating IP address. The VPN without kill switch re-connected on an unencrypted connection and leaked the originating IP address while the VPN connection was being reestablished.
It is also worth mentioning that ExpressVPN was the only VPN where the kill switch was turned on by default. In the other VPN with kill switch, the user had to turn it on manually. This is more important than most people appreciate. As most VPN users don’t know the value of a kill switch, turning it on is easily forgotten.
7. Leak Test
What do we test for:
We tested each VPN for potential leaks of data and information, such as DNS requests and originating IP address. The fewer leaks, the better the score.
So what is a leak and why does it matter?
A leak is when a VPN allows some of your personal data, that should be invisible, to be visible. And that can be a big deal.
The 4 potential leaks we tested are:
- DNS leak. A DNS is responsible for sending you to the right website when you type in its domain name, like google.com. When a VPN fails to hide your DNS requests, even when the rest of your data is encrypted by the VPN, we speak of a DNS leak. This can be a problem, as your ISP or DNS provider can now read the websites you’re visiting.
- IP leak. As described in more detail in the previous part, we tested each VPN for its proper use of the kill switch function. This is important, as the kill switch is responsible for making sure your real IP address is not leaked when the encrypted VPN connection suddenly gets interrupted.
- WebRTC leak. WebRTC, which stands for Web Real-Time Communication, is a group of technologies that browsers use to talk to each other. As WebRTC uses advanced IP detection methods, not all VPN protect from these leaks. Especially Google Chrome and Mozilla Firefox are vulnerable to this type of leak. Luckily, however, there are also fixes available.
- Windows Credential leak. This is a fairly old and unpatched leak, yet a very dangerous one. Using the Edge or Internet Explorer browser, it is possible for the Windows username and password to leak. As the username and password are often re-used, not just for Microsoft products, this can be a serious security hazard.
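The kill switch test and the DNS and IP leak checks described above can be scored from samples recorded during the cable-pull test. This is an added example, not SoftwareLab's own tooling: it assumes you note, at each sample time, the public IP an external echo service reports and the resolver addresses a DNS leak test page reports. The `Sample` type, the `find_leaks` function and every address (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple


class Sample(NamedTuple):
    t: int                      # seconds since the test started
    public_ip: Optional[str]    # address seen by an external service, None = offline
    resolvers: Tuple[str, ...]  # DNS resolvers that answered during this sample


def _inside(addr, networks):
    """True if addr falls in any of the given CIDR networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def find_leaks(samples, vpn_networks, isp_networks):
    """Return (time, kind, address) findings for a recorded test run.

    ip_leak         - traffic left the machine from a non-VPN address
    dns_leak        - a lookup was answered by the ISP's resolver
    third_party_dns - a lookup went to a resolver that belongs to neither
                      the VPN provider nor the ISP (not the provider's own DNS)
    """
    findings = []
    for s in samples:
        # No connectivity at all is the expected kill switch behaviour.
        if s.public_ip is not None and not _inside(s.public_ip, vpn_networks):
            findings.append((s.t, "ip_leak", s.public_ip))
        for resolver in s.resolvers:
            if _inside(resolver, vpn_networks):
                continue
            kind = "dns_leak" if _inside(resolver, isp_networks) else "third_party_dns"
            findings.append((s.t, kind, resolver))
    return findings


# Constructed address plan (documentation ranges, not real providers).
VPN_NETS = ["198.51.100.0/24"]   # VPN exit servers and the provider's own DNS
ISP_NETS = ["203.0.113.0/24"]    # the tester's ISP, including the originating IP

# Constructed timeline: cable unplugged at t=10, plugged back in at t=70,
# tunnel re-established at t=75.
NO_KILL_SWITCH = [
    Sample(0, "198.51.100.20", ("198.51.100.53",)),
    Sample(10, None, ()),
    Sample(70, "203.0.113.45", ("203.0.113.1",)),   # reconnect outside the tunnel
    Sample(75, "198.51.100.20", ("198.51.100.53",)),
]
WITH_KILL_SWITCH = [
    Sample(0, "198.51.100.20", ("198.51.100.53",)),
    Sample(10, None, ()),
    Sample(70, None, ()),                           # traffic blocked until tunnel is back
    Sample(75, "198.51.100.20", ("198.51.100.53",)),
]
# Tunnel is up, but lookups go to a resolver the VPN provider does not run.
THIRD_PARTY_DNS = [Sample(0, "198.51.100.20", ("192.0.2.53",))]

if __name__ == "__main__":
    for name, run in [("no kill switch", NO_KILL_SWITCH),
                      ("kill switch", WITH_KILL_SWITCH),
                      ("third-party DNS", THIRD_PARTY_DNS)]:
        print(name, find_leaks(run, VPN_NETS, ISP_NETS))
```

The shorter the sampling interval around the reconnect, the less likely a brief exposure window goes unrecorded.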
How we test: Speed
Let’s get the painful part out of the way first: a VPN slows you down. This is simply a part of encrypting and decrypting data, and routing it through an additional server.
But if you select a fast server close to you, it shouldn’t be too dramatic. A 14% reduction in download speed seems to be the average in Western Europe. We imagine that number will be similar in other developed parts of the world.
We’ll show you how we get to this 14%:
In one of our first VPN tests, we analyzed 16 VPN on a 100 Mbps connection in Antwerp (Belgium). The most optimal server location across all those VPN was Frankfurt (Germany). This is a central hub with very fast connections and servers, where nearly every VPN seems to have at least one server.
When we routed our traffic through there, the average download speed across those 16 VPN was 86 Mbps, which is a 14% speed penalty from the base connection speed of 100 Mbps.
Do keep in mind that this is an average and that results vary. The slowest VPN, Tunnelbear, had a download speed of 74 Mbps, which is a 26% speed penalty. Whereas the fastest VPN, NordVPN, had a download speed of 92 Mbps, which is only an 8% speed penalty.
Important here is to test a few servers on your VPN to figure out where you have the fastest connection. Don’t just accept the automatic location assigned to you by your VPN. We found that this one, more often than not, was not the fastest connection. You can test your connection speed here.
What was the test setup?
- Location: Antwerp, Belgium
- Base download speed: 100 Mbps
- Operating system: MacOS High Sierra
- Hardware: Intel Core i5 CPU 2.6 GHz / 8 GB RAM
- Test software: The MacOS app from Speedtest by Ookla
How we test: Features
There are 5 features a VPN should have:
- It should have servers in many locations around the world
- It should support the most common platforms and devices
- It should allow you to connect several devices on one subscription
- It should be able to work with streaming and torrenting services
- It should be able to bypass censorship in specific countries
Below we will explain each of these features in brief, and show you how the VPN providers rank for each feature.
1. Server locations
What did we test for?
We analyzed the countries around the world where each VPN provider has at least one server. The more countries, the better the score.
So what is a server location and why does it matter?
When you open up your VPN app and establish a connection, you create an encrypted connection between your device and a VPN server. Where that VPN server is located is called the server location, for instance, New York.
Some VPN providers allow you to select servers on a city level, for instance, London or Melbourne, whereas others only allow you to select servers on a country level, for instance, Germany or Brazil. In the second case, the VPN then automatically selects a server in a city for you.
In most countries, VPN providers only have one server location. These countries aren’t very big geographically speaking, don’t have many users, or both. It then makes little sense to invest in many server locations.
Not surprisingly, most VPN providers have servers in many locations in the United States, which is a big country with many users. Whereas most VPN providers have no servers at all in Luxembourg. And if they do, only in one city.
In our analysis, we focused on countries rather than cities.
So why do server locations matter?
For two reasons.
The closer you are to a VPN server the faster your download speed. After all, sending encrypted data back and forth between your device and the VPN server takes time. So you want to select a VPN provider with a server relatively close by. This can be a country on your continent, your country or even your city, depending on where you live.
As most VPN providers focus their servers on locations where most of their customers are (North-America, Western-Europe, South-East Asia, East-Asia, and Australia), it is extra important for users outside of these regions to check the locations as they have fewer servers close by at most VPN providers.
2. Unlocking content
Some online services are limited to specific regions. A good example is Netflix that features certain shows in the United States that users from other regions cannot watch. Using a VPN, you will be able to unlock these shows.
How this works is that you log into a VPN server within the United States, for instance, Los Angeles. Netflix will then see the IP address of that server, rather than your own. It, therefore, thinks you are in the United States and will show you the local shows.
This works for many other geo-restricted services as well.
2. Platforms & Devices
What did we test for?
We analyzed the supported operating systems, streaming devices, game consoles, and routers per VPN provider. We also checked whether the VPN offers dedicated browser extensions. We checked the following:
- OS: Windows, Mac, Android, iOS, and Linux.
- Streaming Devices: Apple TV, Android TV, Chromecast, and Roku.
- Game consoles: PlayStation, Xbox, and Nintendo.
- Other: Routers.
- Browser Extensions: Chrome, Firefox, and Safari.
So what are platforms and devices and why does it matter?
When we speak about platforms, we mean operating systems.
The operating system is the interface through which you interact with your device. It also manages all other software, such as the VPN client, on your device. There are 5 main operating systems: Windows, Mac, Android, iOS, and Linux. Above all else, VPN providers should support as many operating systems as possible as it allows them to serve the most users.
When we speak about devices, we mean game consoles and streaming devices.
Game consoles and streaming devices are used to play games and stream media content. The most commonly used are Playstation, Xbox, and Nintendo when it comes to gaming consoles. On the streaming side Apple TV, Amazon Fire TV, Chromecast, and Roku are the most important devices. Having a dedicated app, or workaround, for these devices, isn’t mandatory for a VPN but definitely a nice bonus for specific users.
VPN browser extensions for Chrome, Firefox, and Safari, are lightweight versions of the VPN app installed on your device. Some, such as the extension by ExpressVPN, allow you to control your VPN app remotely from your browser. Most, however, are only proxies rather than full VPN. And it’s very important to know the difference:
The full VPN app works at the operating system level. This means that it encrypts all your internet activities across all your apps. Most VPN browser extensions provide far less protection:
- In the most basic form, they work as a proxy server but do not encrypt your data. This means that they route your traffic through a VPN server, for instance, a server in New York. By doing this, they make websites believe that you are in New York. Although your real IP and location are now hidden, your traffic is not encrypted.
- In a more advanced form, they work as a proxy server and encrypt your traffic. Now they resemble an actual VPN. However, keep in mind that only your browser traffic is now protected. All other internet activities on your device, that are not running through your browser, are not protected.
3. Number of Connections
What did we test for?
We checked the number of connections you are allowed to make simultaneously on a single subscription. In other words, the number of devices (laptop, phone, TV) you are allowed to connect on one payment.
We also calculated how much a single connection costs. We calculated this by dividing the annual subscription cost for US-based customers by the number of connections.
So what is the number of connections and why does it matter?
The number of connections tells you how many devices you are allowed to connect on a single subscription. If you are using a VPN just by yourself, 3 devices usually are enough. After all, you can then protect your laptop, phone and optionally your streaming device or gaming console.
However, if you plan to share your VPN with a friend or within a family, it becomes a different story. Being able to connect 7 devices simultaneously all of a sudden allows you to protect your own phone and laptop, as well as those of two friends. Now you can split the cost of the VPN and the value for money is much higher.
4. Streaming and Torrenting
What did we test for?
We tested whether the VPN worked on Netflix US and whether torrenting (P2P) was allowed on its servers.
So what is streaming and torrenting and why does it matter?
Most people will be familiar with streaming services like Netflix, Hulu, BBC iPlayer, Sling TV, HBO Now, Amazon Prime Video, and more. But not all know that these shows are often geographically limited. This means that you will not be able to access all shows for all locations in the world. And from some locations, like China, you won’t be able to access Netflix at all.
It has, therefore, become a popular practice to log in to a US-based VPN server before watching Netflix. As Netflix will now think that you are watching from a US-based computer, it will show you all US-shows.
Although Netflix is cracking down on the use of VPN on their service, many VPN have at least one server that still works.
Torrenting is a little bit more complex. By its essence, torrenting is nothing more than file sharing. However, it’s done in a clever way.
Imagine you are downloading a movie (without a copyright) using torrents.
Instead of downloading that movie directly, you download a torrent, which is also called a tracker. Using this file, you can download the movie through a dedicated app such as BitTorrent or uTorrent.
The movie is split up into smaller pieces, known as packets. These packets are stored on a server, known as the seeder, as well as on a wide range of other computers that are downloading that same movie as well. These computers are called peers.
In this system each peer functions as a mini-server. This is because everyone that is downloading the movie, is also uploading the parts of the movie they have already downloaded. That’s why it’s called peer-to-peer (P2P).
It’s a very smart system designed to lighten the load on the network. And there is nothing illegal about that system. The problem arises when you are downloading a movie that has a copyright.
Some countries have, therefore, shut down torrent websites and some people in the US have been sued for downloading copyrighted material. Although these lawsuits usually lead to nothing, the lawsuit could have been avoided entirely if the downloader had been hiding its internet use with a VPN.
Do keep in mind that you are always personally responsible for the way you use your VPN. Neither SoftwareLab, nor any of the VPN providers, advises that you download or upload copyrighted material.
5. Bypassing Censorship
What did we test for?
We tested which VPN works reliably in China, one of the most censored regions in the world.
So what is censorship and why does it matter?
A surprisingly large number of countries censor the internet. According to a report by Freedom House, there are 19 countries which severely limit people’s access to the internet by blocking a large number of websites and services, which is a big deal.
After all, we don’t just use the internet to communicate, work, and travel. But just as important, we use it to learn about politics, religion and other topics that should not be censored by a powerful few. It is, therefore, essential that the internet remains a free and open internet.
Using a VPN allows you to encrypt your internet use, making sure the government cannot see what you’re doing. On top of that, it allows you to log in to servers in other locations in the world, and view websites as if you were a local, bypassing censorship.
Of course, governments are aware that VPN are capable of avoiding censorship. Some of them are therefore taking steps to block the use of VPN.
In a continuous game of cat and mouse, some VPN providers are developing technologies to mask VPN traffic and make it look like regular HTTPS traffic. This makes it more difficult for a government to uncover the use of a VPN. A good example of such a technology is the Chameleon protocol developed by VyprVPN.
As China, using the Great Firewall of China, not only has one of the most extensive censorship systems in the world but also affects the greatest number of people, it forms the basis of our test.