The Most Secure VPN Services in 2019

A VPNs ability to provide users with a secure connection is fundamental, but some services do a much better job of this than others. However, because the VPN is so overcrowded, it can be difficult to find a secure VPN service that offers you all the features you need. In this guide we list the five most secure VPN services, so you can be sure your provider takes your privacy as seriously as you do. We also give you some helpful tips on staying secure online with a VPN.

 

The mark of a secure VPN is that it uses strong technical security to keep you safe on the internet, for a VPN service to do this we think it should have the following features:

  1. strong encryption
  2. No leaks
  3. Provides a kill switch

We will look into each aspect of a secure VPN service in more detail further into this article, but, firstly we look at the five most secure VPN services.


Other Useful Guides

If you are new to VPN services and you want to learn more about how they can ensure your privacy and security online, check out the following guides:

  • No log VPNs - A no-logs policy is vital for your privacy, find out the five services that do not log users' data why in this in-depth article. 
  • VPN encryption - In this guide, we look into everything you need to know about VPN encryption.
  • AES Encryption - This is an in-depth guide to AES encryption, an symmetric key encryption cipher that many of the services listed in this article use.

The most secure VPN comparison

Below we have listed the five most secure VPN services below. All the services in this list provide excellent security features and implement encryption protocols to an extremely high standard. If you want to find out more information about the services listed below, scroll down to read a summary of each provider or click through to the provider's website.

  1. ExpressVPN - A super secure VPN service that doesn’t compromise on speed and is recognized as the best
  2. NordVPN - Well implemented encryption and a large choice of superb privacy features, a close second.
  3. PrivateInternetAccess - Extremely well implemented OpenVPN and a no logs policy at a low price
  4. CyberGhost - is an easy to use and robust service for anyone new to VPNs
  5. AirVPN - is a VPN for the expert VPN users with excellent security features and implementation

Most secure VPN Services  - Summaries 

Below we have summarized what makes each of the services listed below the most secure VPN services on the market. If you want to find out more information about any of the services listed below, check out the provider's website or our detailed VPN reviews.

1. ExpressVPN

ExpressVPN is the most secure VPN and it provides consistently high speeds

  • Pricing

    From $6.67 / month
  • Available on

    • Windows
    • MacOS
    • Android
    • Linux
    • iOS
  • Features

    • Netflix
    • iPlayer

ExpressVPN’s focus on providing a great customer-focused experience has always impressed me. Central to this is 24/7 live chat support, a genuinely no-quibbles 30-day money-back guarantee, and easy-to-use apps for all major platforms.

ExpressVPN matches this with truly outstanding technical security, that just pips other secure VPNs at the post. It implements AES-256 cipher for OpenVPN, with an RSA-4096 handshake and SHA-512 keyed-hash message authentication code (HMAC). Perfect forward secrecy is provided courtesy of Elliptic Curve Diffie–Hellman (ECDH) key exchanges for data channel encryption.

This is great. In addition, unlike most iOS apps, the ExpressVPN iOS app uses OpenVPN. Add in full Domain Name System (DNS) leak and Web Real-Time Communication (WebRTC) leak protection, along with a firewall-based kill switch, and it is clear that ExpressVPN offers exceptional VPN security.

Additional features: three simultaneous connections, “stealth” servers in Hong Kong, free Smart DNS, .onion web address.

2. NordVPN

NordVPN is an outstanding all rounder that is a close second for security

  • Pricing

    From $3.49 / month
  • Available on

    • Windows
    • MacOS
    • Android
    • iOS
  • Features

    • Netflix
    • iPlayer

NordVPN is a secure service with a zero logs policy, this makes it perfect for people who demand high levels of privacy from their VPN provider. When it comes to encryption, NordVPN implements OpenVPN as default on Android and Windows. In addition, outdated protocols such as PPTP are completely unavailable (which is a blessing).

OpenVPN is implemented well above our minimum standards for security (AES-256-CBC cipher with an RSA-2048 handshake and HMAC SHA256 data authentication). Perfect Forward Secrecy (PFS) is provided by a DHE-4096 key exchange. This means the VPN's encryption can be considered "military grade."

On the iOS app, Nord is also secure. However, it does not implement OpenVPN. Instead, it uses IKEv2 implemented with robust AES-256-GCM cipher and HMAC SHA2-384 data authentication. PFS is provided by a DHE-3072 exchange.

NordVPN is based in Panama, which means that it falls out of snooping jurisdictions like the UK and the US. In addition, the VPN implements a full suite of security features such as a killswitch, DNS leak protection, Tor through VPN, obfuscated servers (XOR), and double hop encryption.

3. PrivateInternetAccess

PIA is a secure VPN with a very low price tag

  • Pricing

    From $3.49 / month
  • Available on

    • Windows
    • MacOS
    • Android
    • Linux
    • iOS
  • Features

    • Netflix
    • iPlayer

PIA is based in the US, so is not a provider for the more NSA-phobic out there. However, it keeps no logs, which is a claim that it has proven in court! And although optional, its security can be first rate.

At maximum settings, OpenVPN encryption uses an AES-256 cipher with HMAC SHA256 for authorization and an RSA 4096 handshake for the data channel, and an AES-256 cipher with HMAC SHA384 authentication for the control channel. Perfect Forward Secrecy is delivered with a Diffie Hellman exchange (DHE) for RSA handshakes (or ECDHE+ECDSA for ECC handshakes).

PIA’s desktop software supports multiple security options, a VPN kill switch, DNS leak protection, and port forwarding. Up to 5 simultaneous connections are permitted. Its Android client is almost as good, and PIA boasts excellent connection speeds.

4. CyberGhost

CyberGhost VPN has easy to use software and very strong encryption

  • Pricing

    From $2.75 / month
  • Available on

    • Android
    • iOS
    • Windows
    • MacOS
    • Linux
  • Features

    • Netflix
    • iPlayer

CyberGhost‘s software is easy-to-use while also being very fully featured. It uses very strong encryption, and 5 simultaneous connections is generous. Being based in Romania and keeping no meaningful logs is also a big draw.

CyberGhost’s great logging policy, decent local (burst) speeds, and fully featured software are a winning combination. And with a 7-day free premium trial plus 30-day no-quibble money back guarantee, there is zero reason not to give it a whirl.

The OpenVPN encryption used by CyberGhost is as strong as it gets. Data channel used an AES-256-CBC cipher with SHA256 hash authentication and Control channel uses an AES-256 cipher, RSA-4096 key encryption and SHA384 hash authentication. Perfect forward secrecy is provided by an ECDH-4096 key exchange.

CyberGhost‘s software is easy-to-use while also being very fully featured. It uses very strong encryption, and 7 simultaneous connections is generous. Being based in Romania and keeping no meaningful logs is also a big draw. Like ExpressVPN, some minimal statistics are kept, but with no time stamp or IPs recorded, these present no threat to users’ privacy.

CyberGhost’s superb logging policy, decent local (burst) speeds, and fully featured software are a winning combination. And with a 30-day no-quibble money back guarantee, there is zero reason not to give it a test run.

5. AirVPN

AirVPN Allows users to connect to VPN servers via the Tor service and has an excellent reputation for security

  • Pricing

    From $4.64 / month
  • Available on

    • Windows
    • MacOS
    • Android
    • Linux
    • iOS

AirVPN is at the top of the game when it comes fast, secure VPN technology, but its tech-heavy focus and rather brusque support manner alienates many would-be users.

OpenVPN uses AES-256 with RSA-4096 handshake, HMAC SHA1 data channel authentication, HMAC SHA384 control authentication, and DHE-4096 for perfect forward secrecy. It allows users to connect completely anonymously to its servers via the Tor network, and can hide OpenVPN communications inside a Secure Shell (SSH) and Secure Sockets Layer (SSL) tunnel.

The open source desktop client disables IPv6, and its “network lock” feature acts as a kill switch and prevents DNS leaks. WebRTC leaks are blocked by both the network lock function and at the server level. This protects users from WebRTC leaks, even when using the generic OpenVPN app. Furthermore, AirVPN runs its own bare metal servers.

Additional features: real-time user and server statistics, three-day free trial, three simultaneous connections.

Encryption and VPN protocols

In order to connect securely, VPN software on your device negotiates an encrypted connection with the VPN server. The mechanism used to do this is called the VPN protocol, which uses a series of authentication and encryption algorithms to ensure the connection is secure. The only VPN protocols you are likely to encounter are:

PPTP - Not Secure

A widely supported VPN protocol that is no longer considered secure. There is very little to reason to use it these days, and it should, therefore, be avoided.

L2TP - Will Not Secure Your Data From Surveillance

A widely supported protocol. It’s not secure against the NSA but is suitable for general use. That said, why bother when IKEv2 and OpenVPN are available?

IKEV2 - Secure

A new standard that is fast and is widely considered very secure. Because of this, it is quickly gaining popularity with VPN services, but it is not mature or been battle-tested in the way that OpenVPN has.

Mobile users, in particular, may prefer IKEv2 thanks to its improved ability to reconnect when an internet connection is interrupted (such as when switching between networks or between WiFi and mobile connections).

OpenVPN - Secure

An open-source protocol that is widely regarded as the most secure and versatile VPN protocol available. We generally always recommend using OpenVPN whenever possible (although IKEv2 is also a good option).

How we assess encryption

When assessing the encryption used by VPN providers we focus on OpenVPN encryption. This is because:

  1. OpenVPN is the only VPN protocol we know to be fully secure. IKEv2 is also considered secure, but this is largely theoretical.
  2. Just about every VPN service offers OpenVPN. This allows us to compare like for like across VPNs.
  3. The care a provider takes over the details of its OpenVPN encryption is a strong indicator of the care it takes over security in general. And with OpenVPN, the devil is in the detail!

There are several elements that make up OpenVPN protocol. But with OpenVPN the devil is in the detail. It's all about how well each aspect of OpenVPN has been implemented. If OpenVPN is implemented badly, then it is no better than any other protocol. Below we list the component parts of OpenVPN protocol:

  • Cipher AES-256-CGM
  • Control hash auth HMAC SHA-1
  • Handshake RSA-4096 
  • Forward security DHE-4096
  • Connection logs 
  • Traffic logs

We recognize that implementing encryption protocols like OpenVPN to a high stand is one of the main aspects of a secure VPN. This is one of the main aspects we considered when choosing our five most secure VPN services, if a VPN can't implement encryption protocols to a high standard, we don't recommend them.

IP leaks

The second key element to a VPN’s technical security is to have IP leak protection.  An IP leak is when your VPN leaks your real IP address to a website or service that you visit. This is, of course, very dangerous if you need a VPN to keep your identity private online. When using a VPN, no website you visit should be able to see your real IP address, or one belonging to your ISP that can be traced back to you. We have tested all the services in the list above to ensure that they do not leak your real IP Address. 

How to test for IP Leaks yourself

When you first sign-up for a VPN service we recommend that you visit ipleak.net before and after connecting to the VPN. You should also do this every now and again when using the service.

If you see any of the same IP addresses before and after then you have an IP leak (you can ignore Private Use RFC IPs, as these are local IPs only. They cannot be used to identify an individual, and so do not constitute an IP leak).

Ip Leak Example 2

The example above shows a bad case of IPv6 leaks. The IPv4 DNS result correctly shows that I am connected to a VPN server in the US, but the website can see my real UK IPv6 address via both a regular DNS leak and WebRTC. Fail!

Kill switches

For various reasons, VPN connections sometimes drop, and this can happen to even the best VPN. A secure VPN provider, however, ensures that if and when this happens you will not continue connecting to the internet and exposing your real IP address for all the world to see.

Kill switches shut down your internet connection when your VPN is not connected in order to protect your privacy.

Killswitches can be either reactive or firewall-based. Reactive kill switches detect that the connection to the VPN server has dropped, then shut down your internet connection to prevent leaks.

There is a danger, however, that an IP leak could occur during the micro-seconds it takes to detect the VPN dropout and to shut down your internet connection.

Firewall-based kill switches solve this problem by simply routing all internet connections through the VPN interface. If the VPN is not running then no traffic can enter or leave your device. Firewall-based kill-switches are therefore better than reactive ones, but any kill switch is better than none!

Now… firewall-based kill switches themselves come in two types. The first kind is implemented in the client, and will therefore not work if the client crashes. The second kind modifies the Windows or macOS firewall rules so that even if the VPN software crashes, traffic will not be able to enter or exit your device.

The only problem with method this is that it could, at least in theory, cause conflicts if you use a third-party firewall.

Has your data been compromised?

Check if your data has been compromised by using our tool below. It will tell your email has ever been exposed in a data breach. Simply enter your email address above to find out.

Powered by haveibeenpwned.com

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

13 Comments

  1. hmmmmm

    on April 27, 2017
    Reply

    Hi Douglas & notsosafe, ExpressVPN is more secure(with better enryption?) than AirVPN? Do they offer unique OpenVPN certs/keys as well? Should I cancel/ditch AirVPN for ExpressVPN? notsosafe what VPN do you use? Thanks.

    1. Douglas Crawford replied to hmmmmm

      on April 27, 2017
      Reply

      Hi hmmmmm, ExpressVPN now offers slightly stronger encryption than AirVPN (stronger SHA hash authentication), although both are so strong that it really makes little difference. Be aware that ExpressVPN does keep some very connection minimal logs. With regard to shared OpenVPN certificates, I have changed my mind since I wrote these comments last September. A lengthy discussion with the guys at IVPN has convinced that use of shared certs is not a problem, and is, in fact, better for privacy than unique certs. A summary of IVPNs argument can be found here. Please note, however, that pre-shared keys _are_ a problem when it comes to L2TP/IPec.

  2. notsosafe

    on September 30, 2016
    Reply

    The user id is irrelevant, these companies will give one to anybody on this planet that throws money at them. It merely grants one access to the backbone, it's what happens on that backbone, after they gain access. We came here to make people aware that these networks are not as secure as the public is lead to believe. Their network designs are inferior and they know it. If a key is shared, the tunnels have glass walls to an experienced user/organization. We will point you in the direction of a secure (real) vpn provider and invite you to do your own research. Have a nice day!

  3. notsosafe

    on September 28, 2016
    Reply

    People are deluded into a false sense of security with these vpn providers. If the certificates are shared, that means all users have the same key to unlock each others' sessions. They can eavesdrop on each other, they are on the same backbone. IP packets can be disassembled. Traffic can be monitored. There are many levels of intrusion. Their VPN tunnels have glass walls, it's not secure, anybody can see inside. Does one not fathom, that unscrupulous individuals/organizations will setup vpn accounts with these providers knowing this? You wouldn't give a stranger a key to your house, so why would you give them a copy of your certificate. It defeats the entire purpose of encryption. A properly encrypted VPN has encrypted certificates at each end of the tunnel and those certificates are unique to only those two interfaces. Allowing anybody else a copy of that certificate, grants them access to that tunnel. The VPN providers all know this. Ask them, they'll try to avoid your question. The more secure providers will issue your own unique certificate, those are the companies you want to deal with. People need to be aware of this!

    1. Douglas Crawford replied to notsosafe

      on September 29, 2016
      Reply

      Hi notsosafe, So... let's say that you and I are both customers of a VPN service that uses shared OpenVPN certs. I have my own login details for that service, and we are using the same cert to connect to it. How could I use this to compromise your account or internet connection (assuming that you use a strong password that I do not have access to)? I do agree that unique certs are preferable, but do not see how shared certs are the security nightmare that you describe.

  4. notsosafe

    on September 27, 2016
    Reply

    @Douglas Crawford, your site won't allow me to reply to the original comment posted. I commend you for not burying the truth and letting the public be informed about the false sense of security when using vpn's. It's not the fact that your own individual account is compromised, it can be anybody's account. Because it's a shared certificate, that means you are compromised if another user is. Can you rely on what others do with their login credentials? Also, https/ssl are compromised, so it wouldn't be too difficult to get those credentials in the first place. It's the reality of the systems they setup, many vpn providers are hiding this. You want to make sure the VPN provider you deal with, issues your OWN UNIQUE cert/keys right from the moment you login, then NOBODY else has it but you. Otherwise it defeats the purpose, it's like leaving the key in the deadbolt of your house, anybody can get in, because you've shared it.

    1. Douglas Crawford replied to notsosafe

      on September 28, 2016
      Reply

      Hi notsosafe, - I apologize for your problems using our website. I will pass on your issue to our tech team. - If unique certs are not used, then individual accounts are secured with a username and password. If an adversary does not have your username and password then your account cannot be compromised just because the certificates are shared. In other words, use of shared certs does not compromise your login credentials or compromise HTTPS. It simply means that everyone connected to the VPN servers in the same way. - I agree that unique certificates and keys are more secure, but do not think that using shared certs compromises accounts in the way you describe. If someone steals one users' login details then sure, they can connect to the service using the stolen account. I do not see how this give them access to other users' accounts, however.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

Large brand with very good value, and a budget price

The fastest VPN we test, unblocks everything, with amazing service all round

Longtime top ranked VPN, with great price and speeds

One of the cheapest VPNs out there, but still a good service