The Most Secure VPN Services in 2019

A VPN's ability to provide users with a secure connection is fundamental, but some services do a much better job of this than others. In this guide we take a look at the most secure VPNs available, so you can be sure your provider takes your privacy as seriously as you do.

The most secure VPN comparison

  1. ExpressVPN
  2. NordVPN
  3. PrivateInternetAccess
  4. CyberGhost
  5. AirVPN

The mark of a secure VPN is that it uses strong technical security to keep you safe on the internet. This means that it uses strong encryption, does not leak your real IP address to websites that you visit, and provides a kill switch to prevent accidental exposure of your details.

Before looking in detail at these aspects of VPN security, let’s first check out which VPNs our experts agree are best for technical security, and why…

Top 5 Fully Encrypted VPN Services

1. ExpressVPN

ExpressVPN’s focus on providing a great customer-focused experience has always impressed me. Central to this is 24/7 live chat support, a genuinely no-quibbles 30-day money-back guarantee, and easy-to-use apps for all major platforms.

ExpressVPN matches this with truly outstanding technical security that just pips other secure VPNs at the post. It implements an AES-256 cipher for OpenVPN, with an RSA-4096 handshake and SHA-512 keyed-hash message authentication code (HMAC). Perfect forward secrecy is provided courtesy of Elliptic Curve Diffie–Hellman (ECDH) key exchanges for data channel encryption.

This is great. In addition, unlike most iOS apps, the ExpressVPN iOS app uses OpenVPN. Add in full Domain Name System (DNS) leak and Web Real-Time Communication (WebRTC) leak protection, along with a firewall-based kill switch, and it is clear that ExpressVPN offers exceptional VPN security.

Additional features: three simultaneous connections, “stealth” servers in Hong Kong, free Smart DNS, .onion web address.

2. NordVPN

NordVPN is a secure service with a zero logs policy, which makes it perfect for people who demand high levels of privacy from their VPN provider. When it comes to encryption, NordVPN implements OpenVPN by default on Android and Windows. In addition, outdated protocols such as PPTP are completely unavailable (which is a blessing).

OpenVPN is implemented well above our minimum standards for security (AES-256-CBC cipher with an RSA-2048 handshake and HMAC SHA256 data authentication). Perfect Forward Secrecy (PFS) is provided by a DHE-4096 key exchange. This means the VPN's encryption can be considered "military grade."

On the iOS app, Nord is also secure. However, it does not implement OpenVPN. Instead, it uses IKEv2 implemented with robust AES-256-GCM cipher and HMAC SHA2-384 data authentication. PFS is provided by a DHE-3072 exchange.

NordVPN is based in Panama, which means that it falls outside of snooping jurisdictions like the UK and the US. In addition, the VPN implements a full suite of security features such as a kill switch, DNS leak protection, Tor through VPN, obfuscated servers (XOR), and double hop encryption.

3. PrivateInternetAccess

PIA is based in the US, so is not a provider for the more NSA-phobic out there. However, it keeps no logs, which is a claim that it has proven in court! And although optional, its security can be first rate.

At maximum settings, OpenVPN encryption uses an AES-256 cipher with HMAC SHA256 for authorization and an RSA 4096 handshake for the data channel, and an AES-256 cipher with HMAC SHA384 authentication for the control channel. Perfect Forward Secrecy is delivered with a Diffie Hellman exchange (DHE) for RSA handshakes (or ECDHE+ECDSA for ECC handshakes).

PIA’s desktop software supports multiple security options, a VPN kill switch, DNS leak protection, and port forwarding. Up to 5 simultaneous connections are permitted. Its Android client is almost as good, and PIA boasts excellent connection speeds.

4. CyberGhost

CyberGhost’s software is easy-to-use while also being very fully featured. It uses very strong encryption, and 5 simultaneous connections is generous. Being based in Romania and keeping no meaningful logs is also a big draw.

CyberGhost’s great logging policy, decent local (burst) speeds, and fully featured software are a winning combination. And with a 7-day free premium trial plus 30-day no-quibble money back guarantee, there is zero reason not to give it a whirl.

The OpenVPN encryption used by CyberGhost is as strong as it gets. The data channel uses an AES-256-CBC cipher with SHA256 hash authentication, and the control channel uses an AES-256 cipher, RSA-4096 key encryption and SHA384 hash authentication. Perfect forward secrecy is provided by an ECDH-4096 key exchange.

CyberGhost’s software is easy-to-use while also being very fully featured. It uses very strong encryption, and 7 simultaneous connections is generous. Being based in Romania and keeping no meaningful logs is also a big draw. Like ExpressVPN, some minimal statistics are kept, but with no time stamp or IPs recorded, these present no threat to users’ privacy.

CyberGhost’s superb logging policy, decent local (burst) speeds, and fully featured software are a winning combination. And with a 30-day no-quibble money back guarantee, there is zero reason not to give it a test run.

5. AirVPN

AirVPN is at the top of the game when it comes to fast, secure VPN technology, but its tech-heavy focus and rather brusque support manner alienate many would-be users.

OpenVPN uses AES-256 with RSA-4096 handshake, HMAC SHA1 data channel authentication, HMAC SHA384 control authentication, and DHE-4096 for perfect forward secrecy. It allows users to connect completely anonymously to its servers via the Tor network, and can hide OpenVPN communications inside a Secure Shell (SSH) and Secure Sockets Layer (SSL) tunnel.

The open source desktop client disables IPv6, and its “network lock” feature acts as a kill switch and prevents DNS leaks. WebRTC leaks are blocked by both the network lock function and at the server level. This protects users from WebRTC leaks, even when using the generic OpenVPN app. Furthermore, AirVPN runs its own bare metal servers.

Additional features: real-time user and server statistics, three-day free trial, three simultaneous connections.

Note that this article is aimed at more advanced VPN users and assumes that you have some understanding of what VPNs are and what they can do. If you don’t, then worry not! Please check out our excellent VPNs for Beginners guide for a comprehensive introduction to this subject.

Encryption and VPN protocols

Below is a summary, but for a much more detailed (but accessible) look at this subject, please check out VPN Encryption: The Complete Guide.

In order to connect securely, VPN software on your device negotiates an encrypted connection with the VPN server. The mechanism used to do this is called the VPN protocol, which uses a suite of authentication and encryption algorithms to ensure the connection is secure.

The only VPN protocols you are likely to encounter are:

PPTP

A widely supported VPN protocol that is no longer considered secure. There is very little reason to use it these days, and it should, therefore, be avoided.

L2TP/IPsec

A widely supported protocol. It’s not secure against the NSA but is suitable for general use. That said, why bother when IKEv2 and OpenVPN are available?

IKEv2

A new standard that is fast and is widely considered very secure. Because of this, it is quickly gaining popularity with VPN services, but it is not mature and has not been battle-tested in the way that OpenVPN has.

Mobile users, in particular, may prefer IKEv2 thanks to its improved ability to reconnect when an internet connection is interrupted (such as when switching between networks or between WiFi and mobile connections).

OpenVPN

An open-source protocol that is widely regarded as the most secure and versatile VPN protocol available. We generally always recommend using OpenVPN whenever possible (although IKEv2 is also a good option).

Our OpenVPN encryption tables

When assessing the encryption used by VPN providers we focus on OpenVPN encryption. This is because:

  1. OpenVPN is the only VPN protocol we know to be fully secure. IKEv2 is also considered secure, but this is largely theoretical.
  2. Just about every VPN service offers OpenVPN. This allows us to compare like for like across VPNs.
  3. The care a provider takes over the details of its OpenVPN encryption is a strong indicator of the care it takes over security in general. And with OpenVPN, the devil is in the detail!

The table breaks up all elements that make up the OpenVPN protocol into their component parts and then rates them on how cryptographically secure they are. A red light means the element is not secure, a green light means the element is secure, and a star means the element is more secure than is strictly necessary.

If all lights are at least green, the OpenVPN encryption is good. Stars mean the encryption is future-proofed.

IP leaks

The second key element to a VPN’s technical security is ensuring that no IP leaks occur. When using a VPN, no website you visit should be able to see your real IP address, or one belonging to your ISP that can be traced back to you.

But it happens. And when it does, we call it an IP leak. When you first sign up for a VPN service you should visit before and after connecting to the VPN. You should also do this every now and again when using the service.

If you see any of the same IP addresses before and after then you have an IP leak (you can ignore Private Use RFC IPs, as these are local IPs only. They cannot be used to identify an individual, and so do not constitute an IP leak).

Ip Leak Example 2

The example above shows a bad case of IPv6 leaks. The IPv4 DNS result correctly shows that I am connected to a VPN server in the US, but the website can see my real UK IPv6 address via both a regular DNS leak and WebRTC. Fail!
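The before/after comparison described in this section can be written as a short Python check. This is an added example, not part of the original article: the addresses are constructed from documentation ranges, and the test names (ip, dns, webrtc) and function names are assumptions of this sketch.

```python
import ipaddress

# Private-use, link-local and loopback ranges: local only, so never a leak.
# Listed explicitly instead of using ipaddress's is_private, which also
# covers the documentation ranges the constructed sample data below uses
# as stand-ins for public addresses.
LOCAL_ONLY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8",                  # IPv4 link-local, loopback
    "fc00::/7", "fe80::/10", "::1/128",               # IPv6 ULA, link-local, loopback
)]

def normalise(text):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr

def is_local_only(addr):
    return any(addr.version == net.version and addr in net for net in LOCAL_ONLY)

def find_leaks(before, after):
    """Return {test name: [addresses]} seen both before and after connecting.

    `before` and `after` map a test name to the address strings it reported.
    Any address that was visible without the VPN and is still visible with it
    counts as a leak, whichever test exposed it.
    """
    seen_before = {normalise(a) for addrs in before.values() for a in addrs}
    seen_before = {a for a in seen_before if not is_local_only(a)}
    leaks = {}
    for test, addrs in after.items():
        hits = {normalise(a) for a in addrs} & seen_before
        if hits:
            ordered = sorted(hits, key=lambda a: (a.version, int(a)))
            leaks[test] = [str(a) for a in ordered]
    return leaks

# Constructed sample results: IPv4 is tunnelled correctly, but the ISP's IPv6
# resolver and the real IPv6 address are still visible after connecting.
BEFORE = {
    "ip": ["198.51.100.23", "2001:db8:1234::5"],
    "dns": ["198.51.100.53", "2001:db8:1234::53"],
    "webrtc": ["192.168.1.20", "198.51.100.23", "2001:db8:1234::5"],
}
AFTER = {
    "ip": ["203.0.113.80"],
    "dns": ["203.0.113.53", "2001:DB8:1234::53"],
    "webrtc": ["192.168.1.20", "10.8.0.2", "2001:db8:1234:0::5"],
}

if __name__ == "__main__":
    print(find_leaks(BEFORE, AFTER))
```

Addresses are compared as parsed values rather than strings, so the same IPv6 address written in a different case or with different zero compression is still matched.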

Kill switches

For various reasons, VPN connections sometimes drop, and this can happen to even the best VPN. A good VPN provider, however, ensures that if and when this happens you will not continue connecting to the internet and exposing your real IP address for all the world to see.

Kill switches shut down your internet connection when your VPN is not connected. They can be either reactive or firewall based. Reactive kill switches detect that the connection to the VPN server has dropped, then shut down your internet connection to prevent leaks.

There is a danger, however, that an IP leak could occur during the microseconds it takes to detect the VPN dropout and to shut down your internet connection.

Firewall-based kill switches solve this problem by simply routing all internet connections through the VPN interface. If the VPN is not running then no traffic can enter or leave your device. Firewall-based kill-switches are therefore better than reactive ones, but any kill switch is better than none!

Now… firewall-based kill switches themselves come in two types. The first kind is implemented in the client, and will therefore not work if the client crashes. The second kind modifies the Windows or macOS firewall rules so that even if the VPN software crashes, traffic will not be able to enter or exit your device.

The only problem with this method is that it could, at least in theory, cause conflicts if you use a third-party firewall.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.


  1. hmmmmm

    on April 27, 2017

    Hi Douglas & notsosafe, ExpressVPN is more secure (with better encryption?) than AirVPN? Do they offer unique OpenVPN certs/keys as well? Should I cancel/ditch AirVPN for ExpressVPN? notsosafe what VPN do you use? Thanks.

    1. Douglas Crawford replied to hmmmmm

      on April 27, 2017

      Hi hmmmmm, ExpressVPN now offers slightly stronger encryption than AirVPN (stronger SHA hash authentication), although both are so strong that it really makes little difference. Be aware that ExpressVPN does keep some very minimal connection logs. With regard to shared OpenVPN certificates, I have changed my mind since I wrote these comments last September. A lengthy discussion with the guys at IVPN has convinced me that use of shared certs is not a problem, and is, in fact, better for privacy than unique certs. A summary of IVPN's argument can be found here. Please note, however, that pre-shared keys _are_ a problem when it comes to L2TP/IPsec.

  2. notsosafe

    on September 30, 2016

    The user id is irrelevant, these companies will give one to anybody on this planet that throws money at them. It merely grants one access to the backbone, it's what happens on that backbone, after they gain access. We came here to make people aware that these networks are not as secure as the public is led to believe. Their network designs are inferior and they know it. If a key is shared, the tunnels have glass walls to an experienced user/organization. We will point you in the direction of a secure (real) vpn provider and invite you to do your own research. Have a nice day!

  3. notsosafe

    on September 28, 2016

    People are deluded into a false sense of security with these vpn providers. If the certificates are shared, that means all users have the same key to unlock each others' sessions. They can eavesdrop on each other, they are on the same backbone. IP packets can be disassembled. Traffic can be monitored. There are many levels of intrusion. Their VPN tunnels have glass walls, it's not secure, anybody can see inside. Does one not fathom, that unscrupulous individuals/organizations will set up vpn accounts with these providers knowing this? You wouldn't give a stranger a key to your house, so why would you give them a copy of your certificate. It defeats the entire purpose of encryption. A properly encrypted VPN has encrypted certificates at each end of the tunnel and those certificates are unique to only those two interfaces. Allowing anybody else a copy of that certificate, grants them access to that tunnel. The VPN providers all know this. Ask them, they'll try to avoid your question. The more secure providers will issue your own unique certificate, those are the companies you want to deal with. People need to be aware of this!

    1. Douglas Crawford replied to notsosafe

      on September 29, 2016

      Hi notsosafe, So... let's say that you and I are both customers of a VPN service that uses shared OpenVPN certs. I have my own login details for that service, and we are using the same cert to connect to it. How could I use this to compromise your account or internet connection (assuming that you use a strong password that I do not have access to)? I do agree that unique certs are preferable, but do not see how shared certs are the security nightmare that you describe.

  4. notsosafe

    on September 27, 2016

    @Douglas Crawford, your site won't allow me to reply to the original comment posted. I commend you for not burying the truth and letting the public be informed about the false sense of security when using VPNs. It's not the fact that your own individual account is compromised, it can be anybody's account. Because it's a shared certificate, that means you are compromised if another user is. Can you rely on what others do with their login credentials? Also, https/ssl are compromised, so it wouldn't be too difficult to get those credentials in the first place. It's the reality of the systems they set up, many vpn providers are hiding this. You want to make sure the VPN provider you deal with, issues your OWN UNIQUE cert/keys right from the moment you login, then NOBODY else has it but you. Otherwise it defeats the purpose, it's like leaving the key in the deadbolt of your house, anybody can get in, because you've shared it.

    1. Douglas Crawford replied to notsosafe

      on September 28, 2016

      Hi notsosafe, - I apologize for your problems using our website. I will pass on your issue to our tech team. - If unique certs are not used, then individual accounts are secured with a username and password. If an adversary does not have your username and password then your account cannot be compromised just because the certificates are shared. In other words, use of shared certs does not compromise your login credentials or compromise HTTPS. It simply means that everyone connects to the VPN servers in the same way. - I agree that unique certificates and keys are more secure, but do not think that using shared certs compromises accounts in the way you describe. If someone steals one user's login details then sure, they can connect to the service using the stolen account. I do not see how this gives them access to other users' accounts, however.
