- Jurisdiction British Virgin Islands
- Simultaneous connections 1000
- Countries 60
- ProPrivacy.com SpeedTest (average) 77.26 Mbps
Alternative VPN Choices for You
|Routers Supported||DD-WRT, Tomato, AsusWRT, Netgear, TP-Link, Linksys.|
|Bare metal or virtual servers||Bare metal|
Surfshark runs more than 1000 servers in over 60 counties. Impressively, it claims all of these are physical single-occupancy bare metal servers. In addition to all the usual locations, Surfshark has a strong presence in Asia, Latin America, the Middle East, and Africa.
Even more impressively, Surfshark permits unlimited simultaneous connections. This means you can connect as many devices as you want, using the same account.
Surfshark asks that users restrict access to family members and do not share account details with others, but says that it must trust its users. It keeps no logs that can identify abuse in this respect. We're big fans of this.
Torrenting is permitted on all servers, with Surfshark automatically routing P2P traffic to its Canada or Netherlands servers, which are specially configured for the purpose.
Split tunneling (“Whitelist” and reverse whitelist)
Split tunneling is a useful feature is currently available in the Windows and Android apps. It allows you to route only selected programs/apps through the VPN, or to exempt them from a system-wide VPN connection. The Windows app also allows you to exempt selcted websites and IPs from the VPN.
Surfshark offers a Smart DNS service to all users. This is very useful for spoofing your location on devices that cannot run a VPN client. Such as smart TVs, games consoles, and Apple TV. Just be aware that it provides no privacy or security benefits.
SurfShark's static IP feature is available in the Windows and Android apps. If you connect to a list of servers based in Germany, Japan, the Netherlands, UK, or US, then whenever you connect to the same server you will be assigned the same IP address. This is very handy if you run an FTP server, games server, media server, or otherwise need to connect to a computer from the internet while the VPN is running.
Netflix and iPlayer Unblocking
Surfshark unblocks a wide selection of streaming services, including Netflix in 16 different countries. Which is quite some achievement. In our tests, it unblocked US Netflix and BBC iPlayer as advertised.
Speed and Performance
|ProPrivacy.com SpeedTest (max/burst)||202.87|
|IPv6 leak detected?|
|WebRTC leak detected?|
|IPv4 leak detected?|
|ProPrivacy.com SpeedTest (average)||77.26|
At the time of updating this review, Surfshark is the fastest VPN on our books in terms of average speeds. Which is good. Max burst speed performance is not quite so impressive but is nothing to complain about and will be more than fast enough for almost all VPN users.
IP leak tests
We detected zero IPv4, IPv6, WebRTC or DNS leaks (IPv4 or IPv6). Top marks.
It is worth noting that Surfshark only guarantees WebRTC leak protection if you use its Chrome and/or Firefox browser add-ons, although we detected no leaks without them.
For more information about the danger posed by IP leaks, please check out our complete guide to IP leaks.
As is common these days, all Surfshark customers enjoy the same features. The per-month pricing is somewhat on the high end of the scale, but steep discounts are available for 1-year and 2-year subscriptions. Also if you sign up for the service using this link an additional discount is on offer.
If you're a macOS, Android or iOS user you can take part in a 7-day free trial, although you need to sign up for an account and provide payment details to take advantage of this. No payment will actually be taken if you cancel within the 7 days.
Surfshark now offers the HackLock and BlindSearch features (which we look at later in this review) as bolt-on extras for an additional $0.99 per month for the both of them.
All users can also take advantage of a generous 30-day money-back guarantee. Surfshark assures us that there are no limitations on this, which is great, but be aware that payments auto-renew, so you do need to contact support in order to cancel them.
Supported Payment Platforms
Surfshark accepts payment via PayPal, credit/debit card, and Alipay, which are processed by Stripe. Other payment methods are supported via the Tenpay and Unionpay payment processing services.
Bitcoin, Litecoin, and Etherium payments are also supported via either Coingate or CoinPayments. Paying in Bitcoin or Litecoin can provide a certain degree of anonymity, but do remember that Surfshark will always be able to see your IP address.
Ease of use
Other than payment details, the only information asked when signing up for the service is your name and email address. If you wish to signup anonymously, you can do so by paying in anonymously purchased Bitcoin or Litecoin and using a disposable email address.
A confirmation email will be sent to you containing useful links, but everything you need is readily available on the website anyway.
The Windows Client
All Surshark's apps have recently undergone a major UI design, and now look great. The Windows VPN app uses IKEv2 by default, but also supports OpenVPN.
The client features a kill switch, split tunneling ("Whitelister"), “CleanWeb”, and multihop. It also supports Hacklock and BlindSearch if you have paid for these features.
We think the new Mini mode is quite groovy.
IPv4 and IPv6 leak protection is built-in, although Surfshark says that you should use its browser add-ons to prevent WebRTC leaks. Although we didn’t detect any leaks in testing, this is still good advice.
The kill switch is not enabled by default, but worked well in our tests. A simulated crash test showed that the kill switch modifies Windows system firewall rules, meaning that it continues to work even if the Surfshark client and OpenVPN daemon suffer an unexpected crash.
Users can switch from OpenVPN UDP to OpenVPN TCP (port 443) to make VPN traffic look like regular HTTPs traffic. This is useful for evading VPN blocks, but will not fool more sophisticated detection techniques.
The macOS client
Surfshark’s macOS VPN app is available via the Apple App Store and as a stand-alone .dmg file from the website. The app uses IKEv2. It is currently rather light on features, although Surfshark tells us these will be added as fast as they can be authorized by restrictive App Store policies.
We are pleased to see that the Mac app features a kill switch. As with the Windows client, this uses system firewall rules, and so remains effective even if the Surfshark client suffers a crash. As with all the rest of Surfshark’s apps, the Mac client offers its “CleanWeb” feature. It also features "WiFi connect."
The Android app
Surfshark's Android VPN app for Android also uses IKEv2 by default, but also supports OpenVPN (UDP and TCP). And it does what it says on the tin. A kill switch (which is not enabled by default), Whitelisting, CleanWeb, and Shaodowsocks ate all present and correct.
Custom apps are available for Windows, macOS, Android, Android TV / Amazon Fire TV, and iOS. Interestingly the iOS VPN app features a kill switch and now supports both IKEv2 and OpenVPN. All apps (including the browser add-ons) now use the same smart-looking user interface we can see above.
A command-line app for Linux is now also available. Good manual setup guides are also provided for all platforms, including macOS and Linux (Ubuntu, using NetworkManager). In addition to this, setup guides are available for DD-WRT, Tomato, and a number of popular router makes that have OpenVPN clients built-in (AsusWRT, Netgear, TP-Link and Linksys).
In addition to platform support, Surfshark offers browser add-ons for Chrome and Firefox that have been independently audited for vulnerabilities by security firm Cure53. These create secure HTTPS proxy connections in the browser to Surfshark’s servers.
They also provide WebRTC protection. Now... we really wish VPN services would do more to warn their customers about the WebRTC issue, and to warn them that they should be protecting themselves from unknowingly exposing their IP addresses online when using a VPN.
This includes Surfshark, although we can’t be too harsh as we detected no WebRTC leaks using its software anyway. That said, it is still safest to either install these add-ons or disable WebRTC in your browser manually.
The browser add-ons feature “CleanWeb” as an option (see later).
Customer service and support
|Free trial||7-days (macOS and mobile apps)|
|Money back guarantee length||30|
Live Chat support is available 24/7, or you can send in a ticket email request. We found Live Chat response times to be near-instant, and were impressed by the competency and quality of the answers.
There is also knowledgebase. It is not huge but includes a useful FAQ, setup articles, and other handy bits and bobs.
Privacy and security
|IPv4 leak protection|
|IPv6 leak protection|
|WebRTC leak protection|
Surfshark is registered in the British Virgin Islands (BVI) and its Terms of Service make it clear that all disputes will be resolved in BVI courts. The British Virgin Islands is a British overseas territory. It regulates its own internal affairs and has no mandatory data retention laws, but it remains under the jurisdiction and sovereignty of the UK government. This means it is reasonable to assume that the UK could put pressure on the BVI government and any businesses based there.
Whilst being based in the BVI is probably safer than being based in a 14-Eyes country, it is still not ideal.
Surfshark easily meets our requirements for a no logs VPN:
“We do not collect IP addresses, browsing history, session information, used bandwidth, connection time stamps, network traffic and other similar data.”
Its apps do collect some anonymous diagnostic and crash data by default, although this can be disabled. This includes aggregated performance data, how often you use its services, unsuccessful connection attempts and other similar non-personally identifiable information.
Basic account and billing information is stored, in full compliance with GDPR for European customers.
Although web activity is not tracked when using the VPN itself, the Surfshark website performs quite a lot of tracking. This includes logging IP addresses and performing browser fingerprinting on visitors.
Surfshark uses a number of third-party trackers, including Google Analytics.
Surfshark is a big fan of IKEv2, which it uses as the default VPN protocol in all its apps. IKEv2 is not as battle-tested as OpenVPN, but is regarded as being very secure, and is increasingly popular with VPN services because it is much faster than OpenVPN encryption.
As always, we look in detail at the OpenVPN settings this provider uses. Not only do they provide a good indicator of the care a service takes over encryption, but it is the best way to compare like for like across VPN services. Surfshark uses the following OpenVPN settings in apps which support it:
Data Channel: an AES-256-GCM cipher. No additional authentication is required because authentication handled by AES-GCM.
Control Channel: an AES-256-GCM cipher with the TLS key exchange secured using RSA-2048. No additional authentication is required because authentication handled by AES-GCM, and perfect forward secrecy is provided by an ECDH-(384?) key exchange.
This is a highly secure setup. See VPN Encryption: The Complete Guide for more information on this subject. As already discussed, the Surfshark Windows, macOS, and iOS apps all feature kill switches. We also detected no IP leaks of any kind on any platform,
It is worth noting that Surshark makes something of a deal about being security-audited by Cure53, but just to be clear: it is only the Chrome and Firefox browser extensions which has audited in this way.
Other security features
Great news is that we detected no IP leaks of any kind on any tested platform, although it is still safest to use one of Surfshark’s browser extensions to ensure against WebRTC leaks. The Windows, macOS, and iOS clients feature system-level kill switches.
Surfshark uses bare metal servers. Some locations are virtual locations without a physical server presence, but these are a) clearly marked in the apps, and b) are run on servers operated by Surfshark and therefore from a privacy point of view count as bare metal servers. It also resolves all DNS requests itself on the server you connect to, which is ideal.
All Surfshark’s software features the “CleanWeb” option. This is advertised as blocking ads, trackers, phishing, attacks, and malware, and is almost certainly a set of firewall rules that block connections based on a simple blocklist. Which should work well enough.
This feature is available in the Windows client. It allows you to “chain” VPN servers so that your data is routed between two VPN servers as it travels between you and the internet.
Your PC -> VPN server 1 -> VPN server 2 -> Internet
Surfshark offers several double VPN combinations, but you cannot chain any two of its servers.
Multihop VPN can provide some protection against end-to-end timing attacks against the end server, but will always result in a major loss of speed. We think the privacy/security benefits of multi-hop VPN are limited, but we know this can be more important to some users than others.
Again, this unusual anti-censorship feature is supported by Windows and Android apps. Shaowsocks "is an open-source proxy application, widely used in mainland China to circumvent Internet censorship.” Basically it’s a SOCKS5 proxy. To use it requires that you download the open-source Shadowsocks app and configure it so that you connect to Shadowsocks via a Surfshark VPN server. This process is a little fiddly but should be effective at evading VPN blocks.
This feature, available in the Windows client, allows you to decide how the VPN app works when you connect to new WiFi networks – ask, protect, or always protect.
Available with BlindSearch as a bolt-on extra, HackLock scans the web looking to see if your email address has been involved in a data breach. As such it is very similar to our own data breach tool, except that it provides regular automated scans. It is available in the Windows and Android apps.
This is a private search engine for Surshark customers which is ad-free and does not log your searches. We'd guess its a SearX instance, and it works well.
This Android app is available free to everyone from the Play Store. It sends DNS queries from your device to Surfshark instead of your ISP in order to improve privacy and help defeat censorship. These queries are protected from prying eyes using the DNS over HTTPS (DoH) (by default) or DNS over TLS (DoT) encryption protocols.
Surfshark is a great VPN service. It keeps no logs, is reasonably fast, and offers great technical security with no IP leaks. The fact that it offers a large selection of servers is good, but the fact that they are all secure bare metal servers is even better.
The extras on offer, such as multihop VPN,”Cleanweb”, and WiFi-connect, are decent additions. Although none of them are killer features, they are nice to have and the collection is growing all the time, which improves Surfshark's already great value proposition.