VPN services are really good security tools, but do all VPNs protect your data the same way?
Not exactly – some VPNs are safer than others. It all comes down to the security features they offer.
What kinds of security features, you’re wondering?
We’ll tell you all about them in this article – which must-have security features to look for. We’ll also answer some questions.
Must-Have VPN Security Features to Look for
Based on our research, these are the kinds of security features all good VPNs should offer:
1. No-Logs Policy
A secure VPN should never log your data – what sites you visit, what files you download, and your IP address.
It should have a clear no-logs policy that says the VPN doesn’t log anything. Ideally, the VPN should also be audited to confirm it truly doesn’t keep any logs.
2. Bank-Grade Encryption
To protect your data on unsecured networks, a VPN should use 256-bit AES encryption (AES-256) – the kind of security military institutions and banks use.
Modern encryption ciphers like ChaCha20 are also a good sign.
3. Secure Protocols
You should have access to highly secure protocols like OpenVPN and WireGuard. They’re our preferred options because they’re open-source. Also, WireGuard is very fast.
IKEv2/IPSec is a good protocol too – it’s secure and fast, plus it resists network changes (the VPN doesn’t disconnect when you switch from WiFi to mobile data, for example).
A secure VPN won’t use PPTP – it’s a protocol that’s very fast but also dangerous (its encryption can be cracked).
4. Good Leak Protection
VPNs can sometimes suffer WebRTC, IPv6, and DNS leaks. When that happens, your IP address and DNS data leak outside the VPN tunnel (so the VPN isn’t doing its job anymore).
A really good VPN will offer full leak protection against those issues. It will prevent WebRTC leaks, support or block IPv6 traffic to avoid leaks, and use its own encrypted DNS servers to avoid DNS leaks.
If you want to test a VPN for leaks, just use this tool while connected to it. See if your original IP or DNS addresses show up. If they do, the VPN is leaking.
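A local version of the same check, as an added example that is not part of the original article: it reads an `ip route`-style routing table and reports any DNS resolver or IPv6 traffic that would leave outside the VPN tunnel. The interface names (`tun0`, `wlan0`), addresses and routing tables are constructed sample data.

```python
import ipaddress

def parse_routes(text):
    """Parse `ip route` / `ip -6 route` style lines into (network, interface) pairs."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        dest = fields[0]
        if dest == "default":
            # A default route's address family is taken from its gateway.
            gw = fields[fields.index("via") + 1] if "via" in fields else "0.0.0.0"
            dest = "::/0" if ":" in gw else "0.0.0.0/0"
        routes.append((ipaddress.ip_network(dest), fields[fields.index("dev") + 1]))
    return routes

def egress_interface(routes, address):
    """Longest-prefix match: the interface a packet to `address` would leave on."""
    ip = ipaddress.ip_address(address)
    matches = [(net.prefixlen, dev) for net, dev in routes
               if net.version == ip.version and ip in net]
    return max(matches)[1] if matches else None

def find_leaks(routes, resolvers, tunnel_if, v6_probe="2001:db8::1"):
    """Report resolvers and IPv6 traffic that would bypass the tunnel interface."""
    findings = []
    for resolver in resolvers:
        dev = egress_interface(routes, resolver)
        if dev not in (None, tunnel_if):
            findings.append(f"DNS leak: resolver {resolver} leaves via {dev}")
    dev6 = egress_interface(routes, v6_probe)
    if dev6 not in (None, tunnel_if):  # None means IPv6 has no route, so it is blocked
        findings.append(f"IPv6 leak: IPv6 traffic leaves via {dev6}")
    return findings

# Constructed sample: IPv4 goes through tun0, but the router is still the DNS
# resolver and an IPv6 default route points at the Wi-Fi interface.
LEAKY_ROUTES = parse_routes("""
default via 192.168.1.1 dev wlan0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0
192.168.1.0/24 dev wlan0
default via fe80::1 dev wlan0
""")
# Constructed sample: same table with the IPv6 default route removed.
FIXED_ROUTES = [r for r in LEAKY_ROUTES if r[0].version == 4]
```

With the leaky table, `find_leaks(LEAKY_ROUTES, ["192.168.1.1", "10.8.0.1"], "tun0")` flags the router resolver and the IPv6 route; with the VPN's own resolver and no IPv6 route it returns an empty list.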
5. A Kill Switch
A kill switch is a built-in feature that stops all Internet traffic when the VPN disconnects. While extreme, this security feature protects you from traffic leaks (your data isn’t exposed while the VPN is disconnected).
Some VPN providers even let you assign the kill switch to specific apps. You can configure it to prevent specific apps from going online if the VPN isn’t connected. This is very useful when you download torrents – you can make the VPN client prevent torrent apps from going online when the VPN disconnects.
6. Perfect Forward Secrecy
This security feature changes the encryption key at regular intervals (like every 15 minutes) throughout the VPN session. If cybercriminals were to compromise an encryption key somehow (an unlikely scenario), they wouldn’t be able to get their hands on your data. They’d only be able to crack a very small part of the traffic and they wouldn’t be able to steal any useful data.
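The effect of rekeying, as an added example that is not part of the original article: each interval's traffic is encrypted under a key negotiated from fresh ephemeral secrets, so one compromised key opens only that interval. The Diffie-Hellman parameters and the SHAKE-based cipher are toy stand-ins chosen so the block runs with the standard library only; they are assumptions, not what a VPN protocol uses.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (assumption, for illustration): far too small
# for real use. Real VPN protocols use standard groups or curves.
P, G = 2**127 - 1, 3

def rekey():
    """One rekey: both peers draw fresh ephemeral secrets and derive a new key."""
    a = secrets.randbelow(P - 3) + 2          # client's ephemeral secret
    b = secrets.randbelow(P - 3) + 2          # server's ephemeral secret
    shared = pow(pow(G, b, P), a, P)          # client side: (g^b)^a
    assert shared == pow(pow(G, a, P), b, P)  # server side reaches the same value
    # a and b are discarded on return, so this key cannot be re-derived later.
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def _keystream(key, n):
    # Stand-in stream cipher built from SHAKE-256 (not AES-256 or ChaCha20).
    return hashlib.shake_256(b"stream" + key).digest(n)

def seal(key, plaintext):
    """Encrypt and append an HMAC tag so a wrong key is detected on opening."""
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, record):
    ct, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None                           # wrong key: record stays unreadable
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, len(ct))))

def run_session(messages):
    """Encrypt each interval's traffic under its own freshly negotiated key."""
    keys = [rekey() for _ in messages]
    return keys, [seal(k, m) for k, m in zip(keys, messages)]

def readable_with(stolen_key, records):
    """Indexes of the recorded intervals that a single compromised key opens."""
    return [i for i, r in enumerate(records) if unseal(stolen_key, r) is not None]

# Constructed traffic: one message per rekey interval.
MESSAGES = [b"interval 0 traffic", b"interval 1 traffic", b"interval 2 traffic"]
```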
Bonus Security Features That Aren’t Mandatory
We don’t consider these security features “mandatory” – they’re more like bonus features. It’s nice to get them (for free, obviously) because they provide a little more security (and convenience).
Ad Blockers
The name says it all – these features block ads on popular sites. That way, your browser will load faster. But VPN ad blockers normally can’t block YouTube ads, so be sure to use uBlock Origin (an open-source ad and script blocker) alongside the ad blocker.
But besides blocking ads, these features can also block traffic to and from malicious sites. Basically, VPNs have an up-to-date blocklist of fake and shady sites. So VPN ad blockers can protect you from phishing and MITM attacks.
Double VPN Connections
A double VPN is a VPN connection that goes through two VPN servers instead of one. Instead of this:
You → VPN Server → Internet
Your connection looks like this:
You → VPN Server 1 → VPN Server 2 → Internet
Your speeds will be slower (50-60% on average), but you’ll get more security. Basically, your data will be encrypted twice. Double VPN connections are usually recommended for people living in restrictive countries, journalists, or whistleblowers.
Some VPNs even let you set up multiple hops – so you can route your connection through three or four servers instead of two.
Tor over VPN
This just means the VPN allows Tor traffic on its servers. So you can use the Tor browser while connected to a VPN server.
Why do that?
Because Tor isn’t 100% safe to use. It’s a good privacy tool, don’t get us wrong, but it’s not without its flaws. It can leak your IP address, for example. If that happened while you were using a Tor over VPN connection, you would still be safe – Tor would only leak the VPN’s IP.
Obfuscation
This is a feature that hides your VPN traffic by adding an extra layer of encryption (called an obfuscation layer) to your VPN connection. It hides VPN metadata and makes your VPN traffic look like normal Internet traffic.
Obfuscation is useful if you want to hide your VPN traffic from your ISP. It’s also useful if your government blocks VPN traffic with DPI – a network traffic analysis method that’s very good at spotting OpenVPN traffic (a popular VPN protocol).
We don’t consider obfuscation a must-have because a VPN doesn’t always need it to work in restrictive countries. Many oppressive governments only block VPN server IP addresses and don’t use DPI. In that case, it’s enough for the VPN to refresh its IPs very often to avoid getting blocked.
How Do You Pick a Secure VPN?
What kinds of security features do you keep an eye out for? Please let us know in the comments below. Also, if you can, please tell us – what are the most secure VPNs in your opinion?