How to Choose a VPN in 2026: A No-BS Guide That Cuts Through the Sponsorship Haze

Let me paint you a picture you already know. You open YouTube. You want to learn about VPNs. Within thirty seconds, a creator you trust is reading a sponsor script about how NordVPN or Surfshark is “the only VPN I personally use.” They gesture at a phone screen. A little animated shield pops up. A discount code appears. You learn nothing.

I’ve been covering privacy tools for years, and I’ll be blunt: VPN advice online is fundamentally broken. The affiliate commissions are so fat — sometimes $100+ per signup — that almost nobody with a platform has an incentive to tell you the truth. The truth being: most people don’t need a VPN the way it’s marketed to them, the differences between top providers are thinner than advertised, and the entire “best VPN” listicle genre exists primarily to generate affiliate revenue.

This guide isn’t that. I’m not going to rank five VPNs and hand you a coupon code. Instead, I’m going to explain what actually matters, what doesn’t, and how to make a decision based on your actual threat model — not some YouTuber’s sponsorship deal.

What a VPN Actually Does (and Doesn’t Do)

Before you spend a dime, let’s kill some myths. VPN marketing has convinced a generation of internet users that a VPN is a magic cloak of invisibility. It isn’t. Here’s what’s actually happening when you connect to one.

What a VPN does

  • Encrypts your traffic between your device and the VPN server. This means your ISP, your coffee shop’s Wi-Fi operator, or anyone snooping on your local network sees gibberish instead of your browsing activity.
  • Masks your IP address from the websites and services you visit. They see the VPN server’s IP, not yours.
  • Lets you appear to be in a different location, which can bypass geo-restrictions on streaming content or censorship in restrictive countries.

What a VPN does NOT do

  • Make you anonymous. You’re still logging into your Google account, your browser still has fingerprinting vectors, and the VPN provider themselves can see your traffic. You’ve shifted trust from your ISP to the VPN company — that’s it.
  • Protect you from malware or phishing. A VPN is not antivirus software. If you click a malicious link, the encrypted tunnel doesn’t save you.
  • Make you immune to tracking. Cookies, browser fingerprinting, tracking pixels — none of that is stopped by a VPN. Ad networks don’t need your IP to follow you around the web.
  • Guarantee your privacy. You are now trusting the VPN provider instead of your ISP. If the VPN logs your activity and hands it to law enforcement or sells it to data brokers, you’re worse off than where you started.

That last point is the one the sponsor reads never mention. A VPN is a trust transfer, not a trust elimination. Understanding this changes the entire calculation.

The 5 Things That Actually Matter in a VPN

Forget the feature comparison charts with 47 rows. Forget “military-grade encryption” (meaningless marketing). If you’re choosing a VPN in 2026, here are the five variables that genuinely move the needle — and if you want to sharpen how you evaluate tech products generally, my guide on how to read tech specs applies the same critical thinking to hardware.

1. Jurisdiction

Where is the VPN company legally incorporated? This determines what laws govern their data retention and what government agencies can compel them to hand over logs. A VPN based in the United States is subject to NSLs (National Security Letters) and gag orders. One based in Panama or Switzerland faces different legal frameworks.

The “Fourteen Eyes” intelligence alliance (US, UK, Canada, Australia, New Zealand, and nine European nations) shares surveillance data. A VPN headquartered in a Fourteen Eyes country can be compelled to cooperate. This doesn’t mean they automatically do — but the legal mechanism exists.

Provider     | Jurisdiction            | 14-Eyes Member?
Mullvad      | Sweden                  | Yes (but strong Swedish privacy law)
ProtonVPN    | Switzerland             | No
IVPN         | Gibraltar               | No
NordVPN      | Panama                  | No
ExpressVPN   | British Virgin Islands  | No

Jurisdiction matters, but it’s not the whole story. Mullvad is based in Sweden (a Fourteen Eyes country) yet is widely regarded as one of the most privacy-respecting providers on the planet. Legal structure, corporate transparency, and technical architecture matter just as much.

2. Logging Policy (and Whether It’s Been Tested)

Every VPN on earth claims a “no-logs policy.” This phrase has become so abused it’s almost meaningless. What you want to look for:

  • Independent audits. Has the provider hired a third-party security firm (like Cure53 or PricewaterhouseCoopers) to verify their no-logs claim? Mullvad, ProtonVPN, NordVPN, and ExpressVPN have all undergone audits of varying scope.
  • Real-world court tests. Has the provider been subpoenaed or had servers seized, and were they actually unable to produce logs? Mullvad had its offices raided by Swedish police in 2023 and had no customer data to hand over. That’s the gold standard.
  • RAM-only servers. Servers that run entirely in volatile memory and wipe themselves on reboot make it physically difficult to retain logs, even if someone wanted to.

“A no-logs policy is a marketing claim. A no-logs audit is evidence. A no-logs court case is proof.” — u/throwaway_privacy on r/privacy

3. Speed and Server Infrastructure

A VPN that cuts your bandwidth in half is a VPN you’ll turn off. And a VPN you turn off protects nothing. In 2026, with WireGuard as the standard protocol, most reputable providers deliver speeds within 10-20% of your base connection on nearby servers. The days of VPNs halving your speed are mostly over — if you’re still experiencing that, you’re either using an outdated protocol (looking at you, OpenVPN TCP) or connecting to an overloaded server on the other side of the planet.

What matters more than raw speed benchmarks: server count in regions you actually care about, and whether the provider owns or rents their infrastructure. Owned (bare-metal) servers are harder to tamper with than rented virtual ones.

4. Protocol Support

WireGuard should be the default in 2026. Period. If a provider doesn’t support it, that’s a red flag. OpenVPN is still fine as a fallback, but WireGuard is faster, leaner, and has a dramatically smaller attack surface (about 4,000 lines of code vs. OpenVPN’s 600,000+). More on this in the WireGuard section below.

Some providers also offer proprietary protocols (NordVPN’s NordLynx, ExpressVPN’s Lightway). These are generally WireGuard-based or WireGuard-inspired, with modifications for things like obfuscation in censored networks. They’re fine. Just make sure the standard options are available too.

5. Kill Switch

A kill switch cuts your internet connection if the VPN tunnel drops unexpectedly. Without one, a momentary disconnection sends your traffic out over the bare connection and exposes your real IP in the middle of whatever you’re doing — torrenting, browsing, whatever. This is non-negotiable. Every serious provider has one. If yours doesn’t, switch immediately.

On Linux and macOS, you can verify kill switch behavior yourself by checking firewall rules (iptables/nftables or pf). On Windows and mobile, you’re mostly trusting the client. This is another reason open-source clients matter — you can actually verify claims.
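One way to do that check on Linux with iptables, as an added example that is not from the original article or from any provider's client: the function reads an `iptables -S OUTPUT` listing and reports whether traffic that bypasses the tunnel is blocked. The interface name wg0, the endpoint address and the three sample listings are constructed; the first sample follows the shape of the kill-switch rule shown in the wg-quick(8) man page. nftables and pf are not covered.

```shell
#!/bin/sh
# Added example: classify an `iptables -S OUTPUT` listing as kill switch
# "enforced" or "leaky". Heuristic, iptables only.
# Live use (as root): iptables -S OUTPUT | killswitch_verdict wg0

killswitch_verdict() {
    # $1 = tunnel interface name (wg0 in the samples is an assumption)
    awk -v tun="$1" '
        $1 == "-P" && $2 == "OUTPUT" { policy = $3; next }   # chain default policy
        $1 != "-A" || $2 != "OUTPUT" { next }
        decided { next }                    # the first decisive rule settles it
        {
            target = ""; out = ""; neg = 0; narrow = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                else if ($i == "-o") { out = $(i + 1); neg = ($(i - 1) == "!") }
                else if ($i == "-d" || $i == "-p" || $i == "-m") narrow = 1
            }
            # Case 1: a rule blocks everything NOT leaving through the tunnel.
            # Case 2: a broad ACCEPT that is not limited to the tunnel or loopback.
            # Narrowed ACCEPTs (e.g. the VPN endpoint) are assumed intentional.
            if ((target == "REJECT" || target == "DROP") && neg && out == tun) {
                verdict = "enforced"; decided = 1
            } else if (target == "ACCEPT" && !narrow && out != "lo" && (out != tun || neg)) {
                verdict = "leaky"; decided = 1
            }
        }
        END {
            # No decisive rule: the chain policy decides.
            if (!decided) verdict = (policy == "DROP") ? "enforced" : "leaky"
            print verdict
        }'
}

# Constructed sample listings, not captured from a real host.
WGQUICK_STYLE='-P OUTPUT ACCEPT
-A OUTPUT ! -o wg0 -m mark ! --mark 0xca6c -m addrtype ! --dst-type LOCAL -j REJECT --reject-with icmp-port-unreachable'
DEFAULT_DROP='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p udp -m udp --dport 51820 -j ACCEPT'
NO_KILLSWITCH='-P OUTPUT ACCEPT
-A OUTPUT -o wg0 -j ACCEPT'

printf 'wg-quick style: %s\n' "$(printf '%s\n' "$WGQUICK_STYLE" | killswitch_verdict wg0)"
printf 'default drop:   %s\n' "$(printf '%s\n' "$DEFAULT_DROP" | killswitch_verdict wg0)"
printf 'no kill switch: %s\n' "$(printf '%s\n' "$NO_KILLSWITCH" | killswitch_verdict wg0)"
```

A verdict of "enforced" only describes the rules as listed; pulling the tunnel down and watching whether traffic still leaves the machine is the behavioural check.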

A Quick Word on Providers (Not a Listicle, I Promise)

I’m not going to rank these. I’m going to describe the landscape honestly and let you match a provider to your priorities.

The Privacy Purists

Mullvad is the provider that privacy hardliners on Reddit recommend more than any other. No email required to sign up. You get an account number. You can pay with cash mailed in an envelope. Their client is open-source. They’ve survived a police raid with zero data to show. The downside? No frills. Limited streaming unblocking. The interface is utilitarian. It costs a flat 5 EUR/month with no discounts for longer commitments — which is honestly a sign of integrity, since it means they’re not incentivized to lock you into multi-year plans.

“Mullvad doesn’t even know who you are. That’s not a bug, it’s the entire point.” — u/neteng_throwaway on r/netsec

ProtonVPN comes from the team behind ProtonMail and benefits from Switzerland’s strong privacy laws. They offer a genuinely usable free tier (rare and legitimate), open-source apps, and Secure Core routing that bounces traffic through multiple countries. Good for people who want privacy but also want a polished app experience.

IVPN is similar in philosophy to Mullvad — transparent, audited, no-nonsense. Based in Gibraltar. Smaller server network but a fiercely loyal user base. Their website has a refreshingly honest tool that helps you decide if you even need a VPN at all.

The Mainstream Picks

NordVPN and ExpressVPN are the names you hear in every podcast ad. Here’s the thing — they’re not bad. NordVPN has undergone multiple audits, operates RAM-only servers, and has a massive server network. ExpressVPN’s Lightway protocol is solid. They both unblock streaming reliably and have polished apps on every platform. The reason privacy purists side-eye them isn’t necessarily the product — it’s the marketing machine. When a company spends hundreds of millions on influencer sponsorships, you have to ask where the incentive structure points. NordVPN is owned by Nord Security (Lithuania, previously incorporated in Panama). ExpressVPN was acquired by Kape Technologies in 2021, a company with a complicated history that includes past involvement in adware distribution.

Does that mean they’re logging your data? Not necessarily. But it means you should go in with eyes open.

“NordVPN is fine for 90% of use cases. It’s when you’re in the 10% where your freedom depends on it that you want Mullvad or IVPN.” — u/privacy_matters_2025 on r/VPN

Free VPNs: You Are the Product

I need to be absolutely clear here. The vast majority of free VPN services are surveillance tools wearing a privacy costume.

Running a VPN infrastructure costs real money — servers, bandwidth, engineering, legal. If a company is offering you that for free and they’re not ProtonVPN (funded by a paid tier and Proton’s broader ecosystem), you need to ask: how are they paying for this?

The answers, documented across years of security research, include:

  • Selling your browsing data to advertisers and data brokers. A 2024 study by Top10VPN found that 80% of the most popular free VPN apps on the Google Play Store had privacy policy clauses allowing data sharing with third parties.
  • Injecting ads into your browsing sessions.
  • Selling your bandwidth. Hola VPN infamously turned its users’ devices into exit nodes for a paid botnet service.
  • Bundling malware. Multiple free VPN apps have been caught packaging credential-stealing trojans.

The one credible exception is ProtonVPN’s free tier, which is funded by their paid subscribers and has passed independent audits. Even then, the free tier is limited to servers in five countries with no streaming support. It’s a taste, not a meal. If budget is a real concern, Mullvad at 5 EUR/month is the cheapest “real” VPN you can get — and there are no multi-year upsells to dodge.

When You Actually Need a VPN (and When You Don’t)

This is the section the affiliate marketers don’t want written. A VPN is not a universal necessity. Here’s a decision framework.

You probably need a VPN if:

  • You use public Wi-Fi regularly. Coffee shops, airports, hotels. An unsecured network is trivially easy to snoop on. A VPN closes that vector.
  • Your ISP sells your browsing data. In the US, ISPs are legally allowed to sell your browsing history. A VPN prevents them from collecting it.
  • You need to bypass geo-restrictions for streaming, news, or services blocked in your region.
  • You’re in a country with internet censorship (China, Iran, Russia, etc.) and need to access blocked sites or communicate securely.
  • You torrent files and want to avoid copyright trolls who monitor BitTorrent swarms for IP addresses.
  • You work remotely and your company requires VPN usage for accessing internal resources. If you’re building out a remote setup, my guide on remote work essentials covers the full picture.

You probably don’t need a VPN if:

  • Your primary concern is “online privacy” in a vague sense. A VPN doesn’t stop Google, Meta, or Amazon from tracking you. Browser extensions (uBlock Origin), privacy-focused browsers (Firefox with hardened settings, Brave), and good operational security do more for general privacy than a VPN ever will.
  • You’re on your own home network with a trusted ISP and you’re not doing anything that requires IP masking.
  • You think a VPN makes you “unhackable.” It doesn’t. Not even close.

“The best security investment most people can make isn’t a VPN — it’s a password manager and 2FA on every account. The VPN comes after those basics are covered.” — u/sec_eng on r/netsec

The WireGuard Revolution

If you’re even slightly technical — and if you’re reading WU120, I’ll assume you are (check out our developer tech stack guide for more on the tools driving modern development) — you should understand why WireGuard changed the VPN landscape.

For over two decades, OpenVPN was the gold standard for VPN protocols. It worked. It was battle-tested. It was also bloated: roughly 600,000 lines of code, running in userspace, with a configuration complexity that made sysadmins weep. IPSec/IKEv2 was the corporate alternative — capable but similarly heavyweight.

WireGuard, created by Jason Donenfeld and merged into the Linux kernel in 2020, took a different approach. Around 4,000 lines of code. Runs in kernel space. Uses modern cryptography (ChaCha20, Curve25519, BLAKE2s) with no cipher negotiation — there’s one suite, and it’s the right one. The result:

  • Dramatically faster connection times. WireGuard establishes a tunnel in about 100ms vs. several seconds for OpenVPN.
  • Higher throughput. Independent benchmarks consistently show WireGuard delivering 2-4x the throughput of OpenVPN on the same hardware.
  • Smaller attack surface. 4,000 lines of code can be audited by a single person in a reasonable timeframe. 600,000 cannot.
  • Better roaming. WireGuard handles network changes (switching from Wi-Fi to cellular) seamlessly, which matters enormously on mobile.

The one caveat: WireGuard by default stores the last-seen IP address of connected peers in memory. For a privacy VPN, this is a problem. That’s why providers like Mullvad and NordVPN (via NordLynx) have implemented wrappers that assign dynamic IPs and purge peer data. If a provider offers WireGuard without addressing this, ask questions.
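What that caveat looks like on a self-hosted WireGuard server, as an added example that is not from the original article or any provider's code: `wg show <interface> dump` prints each peer's stored endpoint and latest-handshake time, and the function below lists peers that have gone quiet while their address is still held. The interface name wg0, the 180-second threshold and the sample dump (placeholder keys, documentation address ranges) are assumptions.

```shell
#!/bin/sh
# Added example: list peers whose endpoint a WireGuard server still holds
# although the peer has been idle longer than a threshold.
# Live use (as root): wg show wg0 dump | stale_endpoints "$(date +%s)" 180

stale_endpoints() {
    # $1 = current time (epoch seconds), $2 = idle threshold in seconds
    awk -F '\t' -v now="$1" -v max="$2" '
        NR == 1 { next }                 # first line describes the interface
        NF < 8 { next }                  # not a peer record
        $3 == "(none)" { next }          # no endpoint stored for this peer
        {
            idle = now - $5              # $5 = latest handshake, 0 if never
            if (idle > max) printf "%s\t%s\t%d\n", $1, $3, idle
        }'
}

sample_dump() {
    # Constructed dump. Peer fields: public key, preshared key, endpoint,
    # allowed IPs, latest handshake, rx bytes, tx bytes, keepalive.
    printf 'IFACE_PRIVATE_KEY\tIFACE_PUBLIC_KEY\t51820\toff\n'
    printf 'PEER_A_KEY\t(none)\t198.51.100.7:51820\t10.0.0.2/32\t1767225950\t1024\t2048\toff\n'
    printf 'PEER_B_KEY\t(none)\t192.0.2.44:40000\t10.0.0.3/32\t1767222000\t512\t768\toff\n'
    printf 'PEER_C_KEY\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff\n'
}

# Prints public key, retained endpoint and idle seconds for each stale peer.
sample_dump | stale_endpoints 1767226000 180
```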

By 2026, WireGuard support is table stakes. Any provider still defaulting to OpenVPN without offering WireGuard is behind the curve. Not dangerously so — OpenVPN is still secure — but needlessly slow.

Frequently Asked Questions

Can my VPN provider see my traffic?

Technically, yes. Your traffic is decrypted at the VPN server before being forwarded to its destination. A VPN encrypts the path between you and the server — not between the server and the internet. This is why the trust question (logging policy, jurisdiction, audits) matters so much. HTTPS still protects the content of your communications from the VPN provider for most websites, but they can see which domains you visit.

Should I leave my VPN on all the time?

It depends on your threat model. If you’re primarily concerned about ISP surveillance, yes — leave it on. If you’re using it for occasional geo-unblocking or public Wi-Fi protection, toggling it as needed is fine. Modern WireGuard-based VPNs have low enough overhead that “always on” doesn’t meaningfully impact battery life or performance on most devices.

Is a VPN legal?

In most countries, yes. VPNs are legal and widely used for legitimate purposes in the US, EU, UK, Canada, Australia, Japan, and most of the world. They are restricted or banned in China, Russia, Belarus, Iraq, North Korea, Turkmenistan, and a few others. Using a VPN to commit a crime doesn’t make the crime legal, obviously — the VPN itself is just a tool.

Do I need a VPN if I already use HTTPS everywhere?

HTTPS encrypts the content of your connection to a website, but it doesn’t hide which websites you visit. Your ISP can still see your DNS queries and the IP addresses you connect to. A VPN hides both of these from your ISP. Whether that matters depends on how much you trust your ISP and what jurisdiction you’re in.

What about Tor? Is that better than a VPN?

Tor and VPNs solve different problems. Tor routes your traffic through three volunteer-operated nodes and provides strong anonymity, but it’s slow (not suitable for streaming or large downloads) and can draw attention from network monitors. A VPN is faster and more practical for daily use but requires trusting a single provider. For most people, a VPN is the right daily tool. For high-stakes anonymity (journalism, activism in dangerous environments), Tor is the stronger choice — ideally via Tails OS.

How much should I pay for a VPN?

Expect to pay between $4 and $10/month for a reputable service. Be wary of “lifetime” plans — they’re financially unsustainable and often signal a company that won’t be around long. Mullvad’s flat 5 EUR/month with no long-term commitment is the most honest pricing model in the industry. If a provider is pushing a 3-year plan with an 80% discount, they’re optimizing for upfront cash, not long-term service quality.

The Bottom Line

Choosing a VPN in 2026 isn’t hard if you ignore the noise. Understand what a VPN actually does (trust transfer, not magic invisibility). Evaluate providers on the five things that matter (jurisdiction, logging policy, speed, protocol support, kill switch). Skip free VPNs unless it’s ProtonVPN’s free tier. Use WireGuard. And most importantly, be honest with yourself about whether you actually need one for your specific situation.

The VPN industry has spent billions convincing you that the internet is a terrifying place and that their product is the only thing standing between you and digital oblivion. The reality is more mundane: a VPN is a useful tool for specific scenarios, and the best providers are the ones that are honest about their limitations.

Stop clicking affiliate links. Start thinking about your threat model. The rest follows from there.