VPN services are thriving as fewer and fewer internet users want to readily expose themselves and their data to the world's governments and big corporations. We show how a VPN works, what you need and where the limits are. [...]
VPN stands for Virtual Private Network. Put simply, the VPN acts as a kind of middleman or trustee between users and the web services they wish to visit. Instead of calling up a website directly, users establish an encrypted connection to a VPN server. The server receives the website request from the user and then forwards it to the desired web service.
Without a VPN, both the internet provider and the web service you are visiting see your IP address and other information such as your (approximate) location and the software used for the connection (e.g. web browser and operating system). With a VPN, the ISP only sees that you are connected to a VPN server. The visited web service receives your request from the VPN server and does not receive any data from you.
To offer this service, three basic things are necessary: a client, a server and a protocol, as is common with Internet services. The client usually comes in the form of an app from the VPN service. It handles administrative tasks such as creating connections to specific servers or triggering a kill switch that breaks the connection. Usually this is packaged in a polished app that is easy to use. Most operating systems can also use a VPN connection without a client. However, the process is rather cumbersome and impractical for everyday use. Since you often have to pay for the service anyway, you may as well use the app right away and save yourself the trouble.
The protocol ensures the encrypted connection to the server. Currently, three protocols are particularly common:
OpenVPN is the most popular protocol. It offers the best security and is comparatively flexible. As a bonus, the project is open source and uses OpenSSL for encryption in addition to TLS (Figure 2).
IKEv2 is comparable in performance to OpenVPN, but it is not open source. The protocol, developed by Cisco and Microsoft, is already built into many operating systems. This makes it easier to use on Windows, macOS and iOS.
WireGuard has the potential to dominate the near future of VPN services. The protocol is significantly faster than OpenVPN or IKEv2. By default, however, WireGuard still has a few security problems that a VPN provider has to address in its offering. That should be the case with good VPN providers. However, one cannot know for sure.
As far as encryption is concerned, the Advanced Encryption Standard (AES) is mainly used. AES-128 should be sufficient. While AES-256 is theoretically more secure, it offers little added value in everyday use and consumes more system resources in return, which can slow down the connection.
Finally, a VPN connection needs a server. This manages the requests you send over the VPN connection and forwards them to the web service. As a user, you are primarily interested in two things: How fast is the connection to the server, and where is the server located? Unfortunately, the connection speed may vary depending on how busy the server is, how far away it is from you and how good the connection between you and the server is at the moment. Servers in distant locations are naturally slower than servers close to you.
If you use VPN primarily for privacy, it is best to connect to a Swiss server (or another country near you). If you want to bypass a geo-restriction via VPN (for example, to watch certain content from another country), choose a server in a suitable country. Ideally still one close to your location and with good privacy laws.
Why a VPN?
The reasons for a VPN connection vary. However, the most common arguments revolve around security, privacy and geo-blocking. A VPN connection encrypts data streams and anonymizes users online, preventing third parties from spying on a user. This is particularly relevant in countries with weak data protection laws, for example in the UK or the USA, where the government or companies can use private data almost freely. Fortunately, data protection in Switzerland and the EU is still on a more stable footing. Here, a VPN tends to protect against legal but potentially unwanted tracking methods or illegal data collection.
The second major use of a VPN is to bypass geo-blocking. While the Internet was still an almost utopian space outside political borders when it was first created, the world's nations have long since intervened and brought their rules, laws and, of course, politics with them. Accordingly, messages such as "This content is not available in your country" are being encountered more and more frequently online, mostly due to complicated legal situations (Figure 3). These geographical blocks can often be circumvented with a VPN connection. All you have to do is find out in which countries the desired content is available. Then connect to a VPN server in that country and voilà: the website thinks you're in the "right" country and unblocks the content.
If you want a VPN service solely for this purpose, you should consider two things in particular:
Firstly, a proxy server (see the tip "VPN vs. proxy") is sufficient to bypass geo-blocking. If you already have a reliable set of proxy servers in the necessary countries, a VPN service is not absolutely necessary for you.
Second, circumventing geo-blocking doesn't always work reliably. Although websites cannot determine your real location, many services detect when someone is using a VPN connection and block all traffic from VPN servers. This can in turn be tricked with various VPN apps, but you end up in an endless arms race between web service providers and VPN operators. In addition, many online services now require more than just a suitable IP address. Payment services in particular often require a valid residential address or payment method from the relevant country.
Lastly, VPNs are good tools to bypass censorship. This is an issue especially in countries with bigger censorship problems than Switzerland. In addition to geographic blocks, DNS blockades and other forms of Internet censorship can also be bypassed via VPN. Together with encryption and improved anonymity, VPNs are absolutely essential, especially for journalists in crisis areas or whistleblowers.
TIP: VPN VS. PROXY
VPNs and proxy servers may seem very similar at first: they both act as a middleman between the user and a web service, preventing the web service from getting to your IP address. That is also where the proxy server's job ends. Apart from the IP change, the proxy does nothing. That can be enough for simple things like bypassing an IP block or a geoblock.
But if privacy is important, you need a VPN. It also encrypts the data traffic between you and the server and thus protects against eavesdropping. Another difference is in the scope. Proxy servers are typically used at the application level. For example, a browser connects to a proxy server while other network traffic is routed as usual. The majority of VPN services, on the other hand, act at the operating system level and affect the entire traffic of the device.
As nice as it would be, VPN is not a panacea. The technology is far from perfect and comes with everyday problems that can be quite annoying.
An encrypted connection is always slower than an unencrypted connection (Figures 4 and 5). After all, encryption means an additional work step that takes time and resources.
In addition, all your network traffic runs through a server, the distance and quality of which also have an impact on the connection as a whole. Modern VPN services keep the loss of speed comparatively low. So VPNs are no longer nostalgia triggers for 90s kids who grew up with slow internet, but now offer absolutely usable speeds, even for gamers and other demanding users.
With the fast WireGuard protocol, VPNs are getting even closer to normal line speeds, making the presence of a VPN less and less noticeable. Speed is no longer the biggest annoyance today.
VPN services cost money. Free services are available but not recommended (see the tip "Free VPN"). Accordingly, you should reckon with 50 to 100 francs per year in subscription costs for a good service. That may not be a fortune, but it is one of a long list of subscriptions that will add up at some point.
TIP: FREE VPN
Free VPN services are as plentiful as sand on the beach. And just like sand, these services are only nice at first glance. Upon closer inspection, the sand is too hot to walk barefoot on, gets in your eyes with every gust of wind, and you can still find the stuff everywhere months after your beach vacation. It can get just as uncomfortable with free VPN services. Because as with other services, if it costs nothing, you are the product. Or rather, your data.
This is particularly tricky with a VPN app because the app knows a tremendous amount about you. If you use it at the system level, it knows all your network connections to the outside world, every website you visit, every connection to a game server, every software update you download. What the provider does with this data is up to them, and if you don't pay money for the service, you can figure out how the provider pays its bills. With this in mind: Stay away from free VPN services.
Setup and maintenance
Operating a VPN not only costs money, but also involves a certain amount of effort. The VPN needs to be set up and maintained regularly (Figure 6). There are updates, upgrades, bills to be paid, server changes and other little things. In addition, VPNs are a bit like other privacy tools in everyday life: They do not work equally well with all web services and have to be deactivated from time to time for everything to run smoothly.
More insidious is the comfortable feeling of security that a VPN gives. One tends to flip the VPN switch and just assume everything is fine. However, appearances are deceptive. No VPN is perfect, nor does it protect against everything. VPN services without a kill switch are particularly tricky. This is a function that cuts the entire network connection immediately if the VPN connection is interrupted. Otherwise, even a brief loss of connection can expose your data. Also, don't forget that while a VPN anonymizes you, it doesn't protect against other threats like phishing or malware.
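Why a dropped tunnel exposes traffic, as an added example that is not part of the original article: it models a constructed routing table of the kind OpenVPN's `redirect-gateway def1` option produces, and a simplified kill switch as a single firewall rule. The interface names and addresses are assumptions (documentation address ranges).

```python
import ipaddress

TUNNEL = "tun0"               # assumed name of the VPN tunnel interface
VPN_SERVER = "203.0.113.10"   # placeholder VPN endpoint (documentation range)

# Constructed routing table: two /1 routes via the tunnel take precedence
# over the original default route, which stays in place underneath them.
ROUTES = [
    ("0.0.0.0/0", "eth0"),          # original default route via the ISP
    ("0.0.0.0/1", TUNNEL),          # lower half of the address space
    ("128.0.0.0/1", TUNNEL),        # upper half of the address space
    (VPN_SERVER + "/32", "eth0"),   # encrypted packets must reach the server
]

def egress(dest, tunnel_up):
    """Longest-prefix match; tunnel routes vanish when the tunnel is down."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, dev in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr not in net or (dev == TUNNEL and not tunnel_up):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, dev)
    return best[1] if best else None

def fate(dest, tunnel_up, kill_switch):
    """Return the interface a packet leaves on, or 'blocked'."""
    dev = egress(dest, tunnel_up)
    if dev is None:
        return "blocked"
    # Simplified kill switch: outside the tunnel, only the VPN server
    # itself may be contacted; everything else is dropped.
    if kill_switch and dev != TUNNEL and dest != VPN_SERVER:
        return "blocked"
    return dev

if __name__ == "__main__":
    site = "198.51.100.7"  # constructed web server address
    for up in (True, False):
        for ks in (False, True):
            print(f"tunnel_up={up!s:5} kill_switch={ks!s:5} -> {fate(site, up, ks)}")
```

Without the kill switch, the request silently falls back to `eth0` the moment the tunnel drops, so the ISP and the web service see the real IP address again.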
Not everything works
Web services have long noticed the VPN trend and sometimes block all traffic from VPN servers. VPN providers counter this by disguising traffic as HTTPS. An endless competition ensues, similar to the one between malware and antivirus makers. As a user, you are dependent to a certain extent on the VPN service you are using staying up to date and continuing to work with popular services. As a user, you sometimes barely notice that this is happening. For example, baseball streaming service MLB.tv refuses to work over VPN. There is no error message; videos are simply not played. Users have to find out for themselves why this is the case (Figure 7).
Help with choosing
The first thing to check with a VPN provider is the log policy. This tells you how much data the provider collects about its users. Zero is the ideal value here, preferably tested independently (Figure 8). A Google search will help here. Depending on how demanding you are, even a provider with minimal data collection, for example to improve their service, may still be fine. A VPN provider that keeps detailed logs of its users is pointless for privacy purposes. Unless you simply want to give your VPN provider a monopoly on selling your data.
You should also check which operating systems and protocols the provider supports. After all, the service must also work as desired on all your devices. Also worth considering is the kill switch. As already mentioned, this cuts your entire internet connection as soon as the VPN connection is lost. This prevents data from being exposed unintentionally.
Recommending VPN services is a bit tricky. The market is ultra-competitive and the user data business extremely tempting for a service that could read virtually your entire web history. It is clear that free services sell their user data, but paid services with a previously good reputation have also been caught doing so. And as with software in general, all it takes is an unfavorable change of ownership to lose the trust factor.
As of June 2021, NordVPN and ExpressVPN are among the best options (Figure 9). Both offer fast speeds, solid apps, and a wide range of servers. Perhaps even more important: NordVPN and ExpressVPN do not create any logs and have had this confirmed by an external test center in Switzerland (Figure 10).
The two services Perfect Privacy and ProtonVPN may also be of interest to users in this country (Figure 11). The two Swiss providers may not be able to keep up with NordVPN and ExpressVPN in terms of speed, but they also offer interesting approaches.
Perfect Privacy, for example, focuses entirely on privacy and security. For the everyday user this is probably overkill, but it is just right for sensitive people.
The Swiss service ProtonVPN is also a bit slower, but has an interesting bundle in store: the service is available in combination with the popular ProtonMail at a much lower price. The offer is particularly interesting for users who already use ProtonMail or have an eye on encrypted mail services in addition to VPN.