Ask HN: Which VPN?
102 points by blohs on May 17, 2018 | 63 comments
Which VPN do you recommend?

This is a great resource for comparing VPN options, with a focus on privacy and security: https://thatoneprivacysite.net/vpn-section/

Be wary of folks recommending individual services... the VPN market has been hot in the last few years, and most recommendations should be treated with a fair bit of skepticism.

That was a great site. I liked the option for a colorblind readable chart, I have a few colleagues that have to use plugins and other weird gadgets to differentiate red and green. Also bonus point for the CC license.

IVPN (Gibraltar), Mullvad (Sweden) or PIA (U.S.) are the best bet for most users IMO. They are all fast, no logging, and have good apps.

IVPN, Mullvad are not in U.S. jurisdiction if you are concerned about that. Most people are not and just want a VPN to hide shit from ISP, etc...

Although PIA is U.S. based, they keep no logs and then they have their famous "FBI" case which they did not provide anything to them.

I myself personally use IVPN, but I have used Mullvad as well.


This is the best resource for vpn reviews, ignore everything else.

Also https://www.privacytools.io/ is great overall and they do have a vpn section

https://www.reddit.com/r/VPN/ has a bunch of more info as well.

Cannot agree with this enough. When I first started looking for a VPN, the only source of information I found were these disingenuous websites that based their reviews off how much VPNs were paying them, with every off-site link being a referral. thatoneprivacysite is by a landslide the most unbiased source of information I found on VPNs.

If you actually care about privacy, touching the US in any way, shape or form is very, very dumb.

If you're a US citizen, perhaps not. NSA has open season for anything that isn't in the U.S. They can bring their full offensive capability to bear on foreign targets and largely do whatever the hell they want.

Domestic? Not as much. It becomes more of a legal/NSL game then. Granted, I'm sure GCHQ can (and does) compromise U.S. VPN providers.

Obviously it's far more complex than that, but if you're a U.S. citizen using a US-based service, there are some protections afforded.

On the other hand, I tend to believe Russ Tice when he says NSA conducts full-take domestic collection, so the aforementioned protections are largely data minimization practices, and thus they already have all your data.

Of course, Obama significantly weakened those protections prior to leaving office, as well as increasing the scope of NSA's sharing to include a disturbing amount of federal law enforcement agencies.

I can also rep Mullvad, they also allow people to pay in Bitcoin or even mail them money (with your account number attached) and they'll add time to your account. I've been using them for a few years now and never had any issues.

I tried Mullvad, Melbourne/Sydney servers, my adsl speed dropped from 14 Mbps to 10 Mbps

> Although PIA is U.S. based, they keep no logs and then they have their famous "FBI" case which they did not provide anything to them.

You know the NSA just puts a gag order and connects directly to the target's infrastructure. Doesn't matter that PIA doesn't keep logs, NSA's PRISM is logging everything.

Yup I know about gag orders, etc... I completely agree with the statement that if you care about privacy better go with something else not in U.S. or anywhere in the 14 eyes countries if you are really paranoid.

I do not know this and many others probably do not. Would be great to see a source with proof that this has happened with PIA.

Just stay away from USA. They can do anything they like with their dumb laws.

I have a Streisand[1] server running at DO, it's been good. People also like Algo[2] but I haven't tried it.

1: https://github.com/StreisandEffect/streisand

2: https://github.com/trailofbits/algo

Algo all day every day, good stuff, use it.

Yep, this.

Streisand at DO using Wireguard.

I use a self-hosted OpenVPN install on a Digital Ocean droplet to simply encrypt traffic (UDP/443) from my ISP. One plus is that I have a clean US IP address that isn't blocked by most services. This is just for security and geolocation, not anonymity.

For anonymity I use Private Internet Access as they have a fast network, lots of locations, and no logs. They're also very affordable.

I also use IPredator sometimes since they're the same folks that run Njalla and I simply like to support them.

I haven't used it extensively, but so far MullvadVPN has worked well for me and they are one of thatoneprivacysite's top recommendations

I'm using Mullvad. On the plus side, their servers are the most reliable I have seen, and they provide IPv6 addresses (behind NAT, which is reasonable for privacy). On the minus side, since November 2017 they intercept DNS queries and answer them themselves (hence you can not use DNS service of your choice), unless you connect to a specific undocumented OpenVPN port (1400 or 1401) available on a small but diverse subset of their servers.

Interesting. Good info to know. Have they specified a reason for intercepting DNS?

I believe I can quote the response to my support request:

«We added iptables rules to hijack all DNS requests on port 53 going via the VPN tunnel, this is to protect users having set a DNS server unknowingly (or by malware). We are aware that not all users want this behaviour, and we intend to add an extra port that OpenVPN listens on, where DNS hijacking will not happen.»

Some VPN providers (including Mullvad) have a client-side feature called DNS leak protection that configures the system to use the provider's DNS server. I don't know how Mullvad decided that this was not enough, and they are justified to intercept DNS. (Note that for the server-side intervention to work, the client side must be configured not to use ISP DNS, hence the client-side DNS leak protection is a prerequisite.)
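
A way to check for the server-side port 53 interception discussed above, added here as an example and not part of the thread or of Mullvad's software: it sends a DNS query to an address where no resolver exists, so any well-formed reply means the query was redirected on the way. The probe address (192.0.2.1, RFC 5737 documentation range), the function names and the sample reply are assumptions of this example.

```python
import secrets
import socket
import struct

# Assumption of this example: 192.0.2.1 is in TEST-NET-1 (RFC 5737), a
# documentation range where no DNS server exists, so nothing should answer.
PROBE_ADDR = "192.0.2.1"

def build_query(name: str, txid: int) -> bytes:
    """Encode a minimal DNS A/IN query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def is_dns_reply(data: bytes, txid: int) -> bool:
    """True if data is a DNS response (QR bit set) matching our transaction ID."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)

def port53_intercepted(addr: str = PROBE_ADDR, port: int = 53,
                       name: str = "example.com", timeout: float = 3.0) -> bool:
    """Send a query to an address with no resolver; a reply means redirection."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (addr, port))
            data, _ = s.recvfrom(512)
        except OSError:  # includes timeouts and ICMP unreachable
            return False
    return is_dns_reply(data, txid)

# Constructed sample: the 12-byte header an intercepting resolver would send
# back for transaction ID 0x1234 (flags 0x8180 = response, RD, RA, NOERROR).
CONSTRUCTED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    verdict = "intercepted" if port53_intercepted() else "not intercepted"
    print(f"UDP/53 through the current route: {verdict}")
```

A negative result only shows that nothing answered within the timeout; the probe may simply have been dropped.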

I use Mullvad when traveling, with wireguard app just to avoid public wifi security issue. It's cheaper than rolling your own Digital Ocean droplet

I've used Mullvad on and off for years. Still my go to when I need it.

NordVPN -- it's one of the best IMO for security/company location. I also made my decision via the spreadsheets and analysis from the already-mentioned https://thatoneprivacysite.net/vpn-section/

It's $79 for two years, but they also have per-month subscriptions.

I got turned off by their tv commercials. They are really marketing towards the "clean your PC" crowd

Their tv commercials are so bad I got turned off by vpn.

There's no reason for anyone even moderately savvy to use a commercial private VPN. It's really insecure and expensive. Just use Streisand on a DigitalOcean droplet, AWS, etc.


Can't echo this enough. Without a VPN, your ISP can see some of your traffic (unencrypted + who you talk to). When you use a commercial VPN, the ability to snoop like your ISP just transfers to them. As much as we love to hate our ISPs, some of those services seem pretty shady by my estimation, and have very little oversight / no barriers to being unscrupulous.

Streisand is just a couple commands + whatever steps your cloud provider requires to get API keys. Take advantage of different regions to place your VPN(s) wherever you want in the world. Each installation comes with detailed instructions to configure VPN clients on your desktop or phone. Works great once you've got it running, and probably ends up being cheaper than most of those other shady services.

Tunnelling through a hosting provider doesn't provide any additional privacy. It just moves your exposure.

Perhaps I am unusual, but I trust my ISP with my privacy more than I trust the typical hosting provider.

I understand that this doesn't apply to most of the US because of your monopolistic ISP problem. In other places though, I don't think a blanket "just tunnel through a hosting provider" recommendation is appropriate.

>Perhaps I am unusual, but I trust my ISP with my privacy more than I trust the typical hosting provider.

You're lucky in this regard. Having no choice but Comcast, the number one threat to my privacy is my ISP. So that makes tunneling to an outside VPN very useful. I trust DigitalOcean far more. Although in a different situation I think you're absolutely right.

If you care about privacy, don't host it on US infrastructure. There has been so much exposure about this, that should have been enough to teach you not to burn yourself.

What if the VPS provider logs? My guess would be that DO keep logs of assigned IP to account which is arguably worse than what is done by the private VPNs.

Depends what is more important to you.

If it's for anonymity I've been told PIA is a good option.

If it's to bypass georestriction and protect your traffic from being snooped by your ISP or any clients that could attempt to sniff your traffic, hosting your own on a VPS is a good option. OpenVPN, OCserv or Outline (based on shadowsocks) are some options.








To answer "Which VPN?" you first need to answer "Why VPN?" because there are a lot of different reasons for using a VPN.

If it's just privacy from snooping, you'll be fine with setting up your own VPS with OpenVPN. It's simple enough that any technical person can do it in a few minutes (or hours).

Azirevpn[1] (Swedish based) Always been very fast for me. One of the first to implement wireguard I think, which they offer for free at the moment, tho I pay anyway for the service...

1: https://www.azirevpn.com

Any VPN is better than no VPN. But I use Private Internet Access. The interface has gotten really slick in the last year - very nice to use. You can pay using random anonymous gift cards (essentially cash). And they are the only VPN that has been tested in the court of law (they were ordered to turn over all the records they had on a customer, and they did - nothing).

PIA also donates to FOSS projects/organizations[1] and has open-sourced some of their own projects[2]

1: https://sfconservancy.org/news/2016/mar/02/PIA-LCA-matched/

2: https://pia-foss.github.io/

PIA is also US-based, which makes it a no-go for some folks since they fall under US jurisdiction.

What's the purpose of the VPN? If travelling to China or other strictly censored countries, I'd recommend https://foxshadowsocks.com

ProtonVPN is super good

And there's the free tier which has served me well too.

If you sign up you get a native Mac client (beta)! Really good piece of software, much more reliable than Tunnelblick.

Express VPN if you don’t want to bother with setting up your own server.

If you want to set up your own server, then Streisand.

I used both and they work well. Using ExpressVPN right now in China.

Proton VPN is rock solid. I recently made the full switch off gmail to Proton email, and signed up for the VPN as well. It's worked great so far.

Don’t use strongVPN. They shared my info. Got a letter from some Hollywood lawyers after someone had been running a torrent download over my VPN (would share my WiFi on and off from my phone with visiting colleagues, if they had trouble with our corporate VPN and someone probably had a movie torrent download or seed running in the background by mistake).

Vague question can only lead to a vague answer, but I've been happy with AirVPN.org for my particular use case and needs.

TorrentFreak writes up a comprehensive review and interview with all the popular vpns, https://torrentfreak.com/vpn-services-keep-anonymous-2018/

Other than that one privacy site already mentioned, Wirecutter did a good analysis recently:


I have WireGuard set up on a DO instance of <wherever region I need>. It is very fast and easy to set up for the technically inclined: https://www.wireguard.com/

I used Astrill while in China and it worked good and the cost wasn't bad. Works on most all OS's.


I currently use IPVanish. I'm pleased with the uptime and service. Every now and then I get disconnected and everything reverts to using my normal connection, which isn't very secure.

I created a subjective guide based on my experiences which might be useful to you:


I used to pay for IPVanish but now I'm using Algo with much better speed. Some websites also block requests from commercial VPNs.

Your own hosted VPN, run one from home for free using a $5-10 raspberry pi zero.

Or $60 on DigitalOcean or Linode a year at $5/month.

Have been using windscribe - I use it sparingly.

But any vpn should be treated with skepticism as many have noted here.

Specific use case thread: which VPNs have worked for you in mainland China?

ExpressVPN works fine. Using it right now in China.

SomaVPN - currently in beta. Based on Algo and WireGuard.


I use bahnhof VPN (Swedish) and they are well known for standing up to pressure from government.
