In a world overcrowded by hackers, malware, ransomware and other malicious software or parties trying to steal your personal data without you even knowing it, increasing your online security and protecting your connection as much as you can while using the internet is quickly becoming one of the most important security concerns for every user.
As you'll most likely already know, there are a number of essential protection tools that you should already have installed and properly configured, such as:
- Antivirus, which will help you against ransomware, malware, viruses and so on, either preventing them before they can hit you or (hopefully) removing them when it's too late for that, avoiding the worst-case scenario. If you need additional info regarding these topics, take a look at this post.
- Firewall, either as a dedicated, stand-alone appliance or (if you can't afford that) as a software-based application: the firewall will protect you against malicious or compromised websites, shield you against the most common forms of scams and cripple most man-in-the-middle attacks. Needless to say, you must take your time to set it up properly to avoid being hit by some typical firewall configuration mistakes, like those we highlighted in this other post.
- Data Encryption Software, whether for data in transit, at rest or end-to-end, which we covered in this post.
In this post we're not going to talk about antivirus and firewall software, since you'll most likely already know what they are and the utmost importance of having them installed and configured: instead, we're going to introduce a fundamental IT security concept that you definitely need to know, for a number of reasons including:
- Surfing the web securely and anonymously by hiding your IP address and masking your connection details.
- Encrypting data transfers using strong in-transit encryption algorithms.
- Accessing blocked websites, including those blocked by governments and/or banned in your country or by your ISP.
Definition of VPN
Let's start with a brief definition: VPN is an acronym for Virtual Private Network, a connection method that extends a private network across a public network and enables the connecting users to send and receive data as if their computing devices were directly connected to the private network itself.
There are basically two types of VPN services nowadays:
- Those used to grant their users a secure way to remotely access a Local Area Network (LAN), for example their work network (such as explained in this Wikipedia article).
- Those used to grant their users a secure and anonymous way to access the World Wide Web, circumventing geo-restrictions, avoiding censorship and/or masking their connection endpoints (such as explained in this VPN guide).
Both scenarios are actually using the same technology to achieve different goals. For the sake of simplicity, to better distinguish them, we'll call the former ones VPN Services to Secure Remote Access, and the latter ones VPN Services for Secure Internet Browsing.
VPN Services for Secure Remote Access
VPN technology was originally developed to allow remote users and branch offices to access corporate applications and resources: in order to ensure a good security level, the private network connection is established using an encrypted layered tunneling protocol and VPN users use authentication methods (username + password, certificates, OTPs and/or tokens) to gain access to the VPN itself.
In such a scenario, the VPN basically acts as a secure way to remotely access a Local Area Network (LAN), with the VPN server appliance being physically installed on the LAN itself (on-premise). A good example of a VPN server appliance that performs such a task is Kerio Control, which is basically an on-premise firewall appliance that can also host/allow secure VPN connections for its users. To know more about the authentication methods of these kinds of VPN services, check out this other post.
VPN Services for Secure Internet Browsing
The same technology adopted by on-premise VPN services can also be used to secure HTTP connections and transactions between an end user and the World Wide Web. As a matter of fact, there are a number of VPN services that do just that, offering their cloud-based VPN servers and proprietary security algorithms either for free or (most likely) in exchange for a monthly or annual fee.
Using one of these VPNs allows any end user to circumvent geo-restrictions and censorship, and/or to protect their personal identity and location and stay anonymous on the Internet.
How does a VPN work
Here’s how a VPN works for you, the user. You start the VPN client (software) from your VPN service. This client software will basically do two things:
- Encrypt your data, even before your Internet Service Provider or WiFi hotspot sees it.
- Connect to a VPN server, which will "proxy" your requests to your online destination - whatever it is, from your bank website to a video sharing website to a search engine.
It goes without saying that such connection is performed in a way that will make your online destination see your data as coming from the VPN server and its location, and not from your computer and your location: in other words, your end-user client - as well as your IP address and ISP - will be fully masked.
VPN Data Encryption
In a standard client-to-server connection over the internet, all of our data is out there in the open, and any interested party can peek at what we're sending. As you might know, web connections pass through a number of servers responsible for storing and serving data to anyone who wants to view it: proxy servers, CDN servers, relay servers, and so on. Those servers talk with each other all the time and share our data with each other so that we can send our HTTP request (ask for the page we want to view), receive the HTTP response and view the page in our browser: needless to say, that's not ideal for privacy, since these third parties could be able to access our unencrypted data.
Conversely, when using a VPN service, our data is encrypted using a proprietary algorithm (since we're using a proprietary VPN client app) before being sent to our ISP and to the VPN server itself: the VPN server will act as a third party, connecting to the destination on our behalf. Here are the advantages of such a scenario:
- The destination site sees the VPN server as the traffic origin instead of us/our IP address.
- No one can (easily) identify us, our computer and/or our IP address as the source of the data, and/or see our browsing behaviour (which page we do visit, what do we click, and so on).
- Our data is encrypted, so even if someone does look at what we're sending, they only see encrypted information and not raw data.
Needless to say, such a scenario is much safer than connecting to the web in the standard, unencrypted way.
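To make the two steps described above concrete (the client encrypts and encapsulates, the VPN server unwraps and forwards with its own address as the source), here is an added toy model in Python; it is not part of the original post and not any provider's code. It stands in for a real protocol such as OpenVPN with a constructed HMAC-based stream cipher in encrypt-then-MAC form, and uses constructed addresses from the RFC 5737 documentation ranges.

```python
import hashlib, hmac, json, os

# Constructed addresses from the RFC 5737 documentation ranges (not real hosts).
CLIENT_IP, VPN_IP, SITE_IP = "203.0.113.7", "198.51.100.1", "192.0.2.10"

def subkeys(tunnel_key: bytes):
    """Derive separate encryption and MAC keys from the shared tunnel key."""
    enc = hmac.new(tunnel_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(tunnel_key, b"mac", hashlib.sha256).digest()
    return enc, mac

def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256 (illustration only, not a real VPN cipher)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(tunnel_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || 16-byte tag."""
    enc, mac = subkeys(tunnel_key)
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unseal(tunnel_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, so anything modified on the path (or sealed with another key) is rejected."""
    enc, mac = subkeys(tunnel_key)
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("tunnel packet failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc, nonce, len(ct))))

def client_send(tunnel_key: bytes, request: str) -> dict:
    """The VPN client wraps the real packet (client -> site) inside a packet addressed to the VPN server."""
    inner = json.dumps({"src": CLIENT_IP, "dst": SITE_IP, "data": request}).encode()
    return {"src": CLIENT_IP, "dst": VPN_IP, "data": seal(tunnel_key, inner)}

def on_path_view(outer: dict, guess: bytes) -> dict:
    """What the ISP or hotspot sees: the outer header, a length, and opaque bytes."""
    return {"src": outer["src"], "dst": outer["dst"], "bytes": len(outer["data"]),
            "sees_request": guess in outer["data"]}

def vpn_forward(tunnel_key: bytes, outer: dict) -> dict:
    """The VPN server unwraps the packet and sends it on with its own address as the source."""
    inner = json.loads(unseal(tunnel_key, outer["data"]))
    return {"src": VPN_IP, "dst": inner["dst"], "data": inner["data"]}
```

The on-path observer still learns that the client talks to the VPN server and how much it sends, which is why the logging and jurisdiction questions later in this post matter as much as the cipher.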
VPN security strictly depends on these factors:
- The type of encryption technology used by the VPN service provider (protocols).
- Legal and policy limitations affecting what can be done with that technology: the laws of the country where the server and the company providing the VPN are located and the company’s own policies will most likely affect how the company implements this technology in their service.
We'll address these two aspects in the following paragraphs: VPN Protocols and VPN Anonymity.
VPN Protocols
VPN protocols define how the service handles data transmission over a VPN. The most common protocols are PPTP, L2TP, SSTP, IKEv2, and OpenVPN.
Here’s a brief overview of them all, with their pros and cons:
- PPTP (Point-to-Point Tunneling Protocol): one of the oldest protocols in use, originally designed by Microsoft. Pros: works on old computers, is part of the Windows operating system, and it's easy to set up. Cons: by today's standards, it's barely secure. Generally speaking, this isn't a good choice nowadays and you should avoid it, as well as VPN providers who only support this protocol... even though you won't find any.
- L2TP/IPsec (Layer 2 Tunneling Protocol): a combination of PPTP and Cisco’s L2F protocol. The concept of this protocol is sound — it uses keys to establish a secure connection on each end of your data tunnel — but the execution isn’t very safe. The addition of the IPsec protocol improves security a bit, but there are reports of NSA’s alleged ability to break this protocol and see what’s being transmitted. No matter if those are actually true, the fact that there’s a debate at all is perhaps enough to avoid this as well.
- SSTP (Secure Socket Tunneling Protocol): another Microsoft-built protocol. The connection is established with SSL/TLS encryption (the de facto standard for web encryption these days). SSL's and TLS's strength is built on symmetric-key cryptography, a setup in which only the two parties involved in the transfer can decode the data within. Overall, SSTP is a very secure solution.
- IKEv2 (Internet Key Exchange, Version 2): yet another Microsoft-built protocol. It's an iteration of Microsoft's previous protocols and a much more secure one at that. It provides you with some of the best security available.
- OpenVPN: probably the best you can find nowadays: it basically combines the pros of the above protocols, without most of their flaws. It’s based on SSL/TLS and it’s an open source project, which means that it’s constantly being improved by hundreds of developers. It secures the connection by using keys that are known only by the two participating parties on either end of the transmission. Overall, it’s the most versatile and secure protocol out there.
Most VPNs allow you to select the protocol you use: the more secure the protocol you connect through (OpenVPN, IKEv2), the more secure your whole session will be.
VPN Anonymity
Will a VPN alone be enough to provide full web anonymity? Well, as a matter of fact... no, it won't. Using a VPN will overcome most of our privacy issues while surfing the web, but we will still leave traces of what we're doing, for example in the VPN server's local data. If our VPN service keeps connection/transfer logs and/or has a monitoring policy for its users, we can still be traced without significant effort by police officers, government agencies, and the like.
For this very reason, we need to carefully choose the right VPN service provider, taking the following factors into account:
- Where is the VPN service established? Where are its VPN servers? Are service providers legally forced to keep records in those countries?
- Does the service keep logs? What does its EULA say about logging? What happens when a government officer or agency comes asking questions?
- Does the service keep payment records? Do those records include identifying information?
- Is the encryption protocol secure enough? (see VPN Protocols above)
It's worth noting that not every VPN service will protect you the same: if you choose your VPN provider wisely, you can address the concerns described above.
Best VPN services available
Here are some VPN providers we tested during 2018/2019 and that we can recommend. Notice that we didn't give "votes", as each one of them has different pros and cons that could be important or trivial depending on your specific scenario: for this very reason you should pick wisely, depending on your actual needs.
ExpressVPN is one of the world's largest VPN service providers, with 2,000+ servers in 148 VPN server locations in 94 countries. The network is optimized (and strongly suggested) for most online streaming websites and services.
FastestVPN is a cost-effective VPN & IP Anonymization Service: the special offer for Ryadel readers features a 71% discount for a 1-year subscription and an 83% discount for a 2-year subscription. The service is strongly suggested if you’re looking for high network connection speed and value for money.
NordVPN is a VPN service based in Panama (which means no data-retention laws) with advanced security features, such as: Military-grade Encryption, CyberSec, Double VPN and more. The network is strongly suggested for BitTorrent enthusiasts and for those who make a great use of P2P Download Networks.
Ivacy is a VPN service based in Singapore founded in 2007. In 2010, Ivacy was the first VPN Company to introduce a unique feature called “Split Tunneling.” This feature allows users to enjoy complete control over which data to send through their ISP and which data to send through their VPN service. Since then, they have integrated many additional features, allowing their users to benefit from them in the long run.
SurfShark is a company active since 2017, based in the British Virgin Islands and therefore outside the European Union: this means SurfShark is not obliged to record or archive user activities, which are therefore not stored in any way. Despite its young age, the company already has a rapidly expanding VPN network of over 800 servers distributed worldwide (over 50 different geographic areas).
Useful Resources and Links
If you want to get additional info on these topics, or if you want to increase your overall knowledge of VPN services and web security, we strongly suggest you take a look at VPNVanguard, an advisory and review website that strives to provide the latest news on virtual private networks and security software: their team of experts in the field of Internet security will definitely help you to better understand the current environment and the threats that individuals and businesses face on a daily basis.
- List of the best VPN services available (updated monthly)
- Interview with Steve Ongaro, IT security and VPN expert
That's basically it: we sincerely hope that our VPN tutorial will shed some light for those who are looking for a way to increase their security when connecting to their LAN and/or surfing the web.