The links in this post contain affiliate links and I will receive a small commission if you make a purchase after clicking on my link.
This is a comprehensive article on everything I've learned about VPNs. Skip around to different sections that you're interested in. I'll continue to update this article as I learn more about VPNs.
Also note that in this article, I use ProtonVPN as an example (which I'm also an affiliate for... meaning I get a small commission if you join). I was drawn to ProtonVPN because they already have a stellar product called ProtonMail which encrypts your messages between two different ProtonMail accounts (not even ProtonMail can read it). Additional benefits of ProtonVPN Free:
- Free 7 Day Premium Trial
- Unlimited data bandwidth on free account
- No tracking advertisements
- No logging
- Trusted company based in Geneva, Switzerland
- Proven track record of security with ProtonMail (encrypted email) service
- Available for Windows, Mac, Android, iPhone, Linux
A Simple VPN Definition
VPN (virtual private network) is a secure method to connect to an organizations internal network infrastructure from a connection outside of the organization. It achieves this by encrypting data sent from your device to another device (one likely owned by the VPN organization).
VPN was originally created for companies and their employees. But with the growth of the internet and the popularity for businesses such as coffee shops, airports, and hotels to provide free and convenient internet as a benefit for their customers, the importance of securing the internet has brought VPN connections into the spotlight for not only travelers, but almost anyone.
In the most common setup, the VPN software is installed your device and only affects traffic originating from that device. Other devices on the same network (whether public or private) are not affected. If you install VPN on the router, then every device connected to the router will be affected.
Another reason to subscribe to VPN service is to bypass restrictions to online services that may have placed certain restrictions in place based on region of the world:
- Netflix restricts content based on location. Not all content available in the US is available in other countries around the world. But with a worldwide and fast VPN (capable of streaming content and selecting country), you can access content not available in your region.
Mask your identity on the internet. If you're concerned about the internet connecting your online activities with tracking such as Google Analytics, one way to make yourself a bit more anonymous (assuming you're not signed into major services like Google, Facebook, or Microsoft is to use a VPN service that allows you location to be changed with each session.
Real World VPN Analogy
In simple words, I like to think of VPN like taking your web request, lets call it a letter. To send the request, you put the letter in an envelop and print your address on the envelop. If the request is secure (https), then the envelop is opaque. But if it's not secure (http), then the envelop is transparent. The envelop is then delivered.
Now with a VPN, regardless of if your envelop is opaque or transparent, the VPN takes your envelop and places it into another VPN that is always opaque with a VPN address. The letter is then delivered first to your VPN address. At that VPN service, their job is to open the VPN envelop, and deliver it to it's originally intended address.
That being said, there are delays, but with the speed of the internet and a quality VPN service, the delay should not be noticeable.
Simple VPN Example
Let's go through a simple example:
- Connect to free public Wifi: Public Wifi is defined as one that does not require a password when you connect to the network from your operating system such as iPhone, Windows, Mac, or Android. A network should be considered unsecure even if you login from a website, common with hotels.
- Browsing the internet at this point in not secure: With the help of easily obtainable software, attackers can sniff out data as it is sent over the internet. Site you visit that start with HTTP is not encrypted, but data sent with HTTPS is encrypted and provide a layer of protection. This is bad!
- Start up your VPN Client: During startup, the VPN client will create an encrypted connection that acts like a tunnel from your VPN Client to the VPN Server.
- Browse with your VPN Client: Now data, whether sent over HTTP or HTTPS, are all encrypted. The data is unecrypted at the VPN server and continues on its way. This is good!
Because that data is encrypted by the VPN Client, you are guaranteed that data sent from your VPN Client is safe from prying eyes on the same Wifi network. Note that sniffers can still intercept your web traffic, but since the data is encrypted by the VPN client, the data looks garbled. Sniffers would need to decrypt the data, which without high powered hardware would take a lot of time. This is good, assuming you chose a reputable and secure VPN service.
Selecting a Secure VPN service?
Aside from cost, which vary from different VPN services, there are several other aspects. But if free is what you're looking for, ProtonVPN offers unlimited data with no ads. Many other free VPN services force you to watch a video ad before the VPN connection is established.
There are many important points to consider when selecting a secure VPN service. But the two major categories are the technical configurations of the VPN service and the social trust of the VPN service provider.
Technical Configuration of VPN
There are many details of how a VPN is configured by the service provider. If mistakes in configuration or older protocols are used, the encryption established when you setup the VPN will be weak.
- IPv6 Leakage: VPN services all manipulate the IPv4, the original internet standard, as part of the VPN service. As IPv6 adoption grow with time, not all VPN services are applying the same rule as done on IPv4 tables.
- DNS Hijacking: The understand this, note that when you first type google.com into your browser, the internet routes your request to a DNS server to determine which server around the world will handle your request. DNS hijacking means that DNS server is compromised and returns a different server, which may display a page that looks similar to what you're expecting, hoping to gather information or username and passwords.
There are four main types of DNS Hijacking, but the a VPN connection can help prevent is man-in-the-middle DNS Hijacking. That is if someone can intercept your public unencrypted request, they can send you to their private DNS server and send you a compromised site.
- VPN Tunneling Protocol: Recall in the above VPN example that on a public network with VPN active, attackers will still sniff out VPN traffic, except that it will look garbled. If the VPN tunneling protocol is weak our outdated, a sophisticated attacker can translate that garbled message into readable text. This is bad for VPN security!
There's PPTP (point-to-point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol) with IPSec, SSTP (Secure Socket Tunneling Protocol), IKEv2 (Internet Key Exchange version 2) with IPSec, and OpenVPN. There's a great YouTube video explaining VPN Protocols.
- Locations: If you want to change your geo-location, consider a VPN with server locations throughout many countries. Also consider the speed at each of these countries, as farther locations may result in slower speeds.
Social Trust of VPN Service Provider
Social trust is how belief you put in the honesty and integrity of an individual or company. In a world where many question their trust in Facebook after 50 million accounts were exposed (Cambridge Analytica) in 2018, everyone has a personal scale of trust with the companies.
- Government Monitoring - If you believe that China is becoming more aggressive in the world order, what steps will China take to overtake the US? Note that China operates different from the US, where many China owned companies are actually owned by the state. Or would Russia have an interest in knowing what American's are browsing? Do these governments have access to the VPN servers you thought were secure? Would you be okay with a foreign nation manipulating news to affect politics? If this is of concern, consider country of origin of the parent company of the VPN service.
Problems with using VPN
At home, having a VPN on my smartphone has mostly been okay. There are a few fringe cases I've noticed which I've noted below:
- Issues connecting to Chromecast: The only way I can imagine fixing this is to not use a VPN. My VPN client allows traffic going to certain apps to not run through the VPN, but I haven't quite figured out the right settings yet.
- Problems with Play Store downloads: In this case, the apps will constantly say "Pending download". Slightly annoying, but a simply toggling the VPN service solves this problem.
- Troubles Establishing a Connection: I don't know why exactly, but sometimes the connection doesn't connect. I have to toggle a few times to resolve, but now I always check for the VPN icon in the notification bar.
How About VPN Android?
A VPN service can also be used on your smartphone. I have a Google Pixel 2 and a quick search of Android VPN apps on Google Play Store reveals a handful of VPN apps. But be careful downloading VPN because the simplicity means you may overlook the security concerns. And finding the best VPN app from a whole list of VPN apps takes research.
I randomly came across ProtonVPN and immediately gained some trust because I'm familiar with ProtonMail (secure email). So I decided to download ProtonVPN VPN app to understand how it integrates with Android. Here is my personal experience with it on Pixel 2, so it's a vanilla-Android experience. I'm testing with a free version of ProtonVPN + seven days of premium free. Here are my opinions:
ProtonVPN Free Services
- Free service allows unlimited data to select countries, but at reduced speeds. It's great in a bind.
- Integrates nicely with Android, as VPN service can be turned on/off from Android Notification bar via "Quick connect"
- When ProtonVPN is running, there's a notification icon. However, like all Android notifications, ProtonVPN's notification can be hidden by long holding the notification and clicking "Stop Notifications".
- Ability to Split Tunnel, meaning traffic from some Apps won't go thru the VPN. That being said, I still struggle getting Google Home to work at home while ProtonVPN is enabled.
ProtonVPN Premium Services
- "Secure Core" is ProtonVPN's way of protecting traffic from government with restrictive internet regulations like China, United States, Russia, and many more. In these countries, Secure Core allows traffic to flow through secure VPN servers before reaching their final destination, thereby disrupting attempts to monitor VPN Servers.
- With Premium, VPN speeds are fast. Even though I don't realize a speed difference, my battery life still takes a hit (~10-15% for the day), even with limited browsing.
Best Free Unlimited VPN without Ads, try ProtonVPN
How About VPN at Work?
If you sit behind a desk and work at a large company, there's a big chance that your traffic through you work laptop is being monitored. Your traffic may flow through a proxy server which may be monitoring keystrokes and mouse clicks. Additionally, sites like YouTube or Google Drive may be blocked. The primary goal of the company is to reduce time wasted on personal browsing while at work.
- Using a VPN service at work will hide the site and the data, but if the company can still theoretically monitor there is garbled traffic flowing through their server. And a lot of garbled traffic is suspicious and may imply use of a VPN server.
- If you install a VPN service on a computer owned by the company, it's possible that the company has pre-installed software (think of it as spyware or bloatware) directly on your machine that can be searching your local machine for VPN software. They may even block installation of VPN software.
- If your company is invasive and periodically taking screenshots, having VPN installed won't hide what is displayed on your screen.
You will have much finer control if you install a VPN app on your personal laptop or smartphone, connected to your work's Guest Wifi. Without VPN, it's possible the Guest Wifi is being monitored. With VPN on your personal device, you can protect your internet data. By owning the hardware, you'll know your company has not pre-installed any of their software on your device. Again, because the company owns the network, they will see garbled (encrypted) data flowing through their network, can probably tie it back to a specific device ID (MAC Address), but unless your register with identifying information, the network can't tie it back to you.
Configure VPN on a Router
Configuring a VPN on a router (assuming in a home environment) enables all devices connected to the router to flow through the VPN. There are certainly pros and cons of having such a setup.
Pros of VPN on a Router
- No need to connect each time you connect to the network.
Cons of VPN on a Router
- You must always use the VPN, there's no turning it off.
- Every device will be browsing from the same VPN location.
- The VPN sevice needs to be reliable. Now you need to worry about downtime with your ISP and your VPN provider.
- You'll need to configure or flash your VPN, and every router is different. You may be better off with a router designed to handle VPN.
I personally see the benefit of configuring the VPN at the router, but also see the many issues it may cause. At the end, I decided not to configure my router, as it may cause many downstream problems that isn't worth configuring. Generally, I trust my ISP provider more than public WiFi, so unless Comcast makes drastic changes to their terms, I'll keep VPN on the router on the backburner.
Will a VPN Prevent Fingerprinting?
Fingerprinting (also known as browser fingerprinting or canvas fingerprinting) are ways the server can identify you. Examples of data that can be pulled include:
- Operating System
- Installed Browser Plugin
- Time Zone
- Touch Screen
- IP Address
If you want to know how your browser is passing this information, try visiting https://panopticlick.eff.org. Make test the site on different browsers such as Google Chrome and Brave Browser, which may product different results. Your results on the site (how unique you are) also depends on how many people with your same configuration visited the site, so it may be inaccurate.
Ironic as it seems, the more you change configurations to reduce the amount of identifying data you are sending, the more unique you make your browser. Additionally, if you have 70 installed plugins, you are also unique because what are the chances someone else has those exact 70 plugins installed?
To make yourself unique, you want to blend in with the crowd, so that you're identifying data is the same as many other people. Additionally, there are plugins that may send false information on a rotating basis, which will also obfuscate your identity. The moral is no matter what you do, you can be fingerprinted
But what about VPN and browser fingerprinting? Since a VPN only encrypts the data that you send, it does nothing to change the data your browser sends along. Therefore on it's own, a VPN does NOT prevent fingerprinting. However, what it does do is change one of the many parameters of used in browser fingerprinting... the IP Address. If your VPN can rotate IP addresses, it changes your browser fingerprint. But at a minimum, by browsing with many other users out of the same VPN geo-location, you're joining many others and sharing the same IP, which may help to mitigate browser fingerprinting.