Best VPN

Soldato
Joined
18 Aug 2007
Posts
9,710
Location
Liverpool
Virgin, which is notorious for throttling and blocking VPN connections, and also general speed issues during peak times due to over-utilization of their network

Ah yes, the infamous "throttling" and speed issues... I read a lot about VM throttling VPN connections, and even wondered myself at one point. Then I spent a couple of grand on a decent PC, and completely overhauled my local network with all copper Ethernet, a decent managed switch, OpenBSD x86 router, and Ruckus R710 enterprise WiFi.

Strangely, VM seemed to stop 'throttling' my connection after that. ;) Or rather, they just don't. They actively confirm on their website that there's no protocol throttling, shaping or 'traffic management'/slow downs any more. They got rid of that a few years ago. You won't get what you want out of your network unless it's built and running properly. Pick a time of day, all over WireGuard to (variously) Mullvad, PIA and Nord.

[Images: Nord-VPN-Wire-Guard-Threadripper-Linux.png, mullvad-wireguard-vm1gig.png, nordvpn-gigabit-wireguard-threadripper-linux.png, wireguard-mullvad-fedora.png, wireguard-pia-london-threadripper-qemu.png, vm-mullvad-gigabit-newsgroups.png]


...Throttling... :D

The 19.2% figure only shows availability, the number of people that actually have full gigabit is going to be much lower than that.

That's by the by though, isn't it? And a nice little straw man. You can't say that WireGuard is pointless and unsafe, and that OpenVPN is fast enough because only 12% of the population have FTTP... But then, faced with evidence that all of those arguments are false, say 'Well yes it's much more than that, but not that many people subscribe to it though'... LOL.

The only point I made, which you seem to be at pains to dispute, is that OpenVPN can't and won't saturate an average gigabit WAN - certainly not efficiently, repeatably and for everyone. WireGuard will. Pick whichever suits, and whichever you prefer; but there's no need to repeat FUD on the back of it.
 
Soldato
Joined
29 Dec 2002
Posts
7,252
My figure was slightly out of date, but it really doesn't change anything. The only cable provider in the UK is Virgin, which is notorious for throttling and blocking VPN connections, and also general speed issues during peak times due to over-utilization of their network. The 19.2% figure only shows availability, the number of people that actually have full gigabit is going to be much lower than that.

For your earlier point about price, I wouldn't buy a VPN based on price either, but I'm also not keen on throwing money away. I've used Mullvad for several months in the past, I simply wasn't getting any benefit from the extra money compared to AirVPN. There was also the fact that they didn't accept Monero. If someone was buying a VPN right now I'd actually recommend getting 2 months of Mullvad until AirVPN have their usual birthday sale, since 1 month of AirVPN is more expensive.

I keep meaning to reply to this, but life gets in the way, then I come back and it’s already been said.

So being out by over 50% of what you stated doesn’t change anything... and we just ignore all gigabit cable because of imaginary issues? Tell that to the thousands of people that represents who can now get FTTP or gigabit cable. As to your claims about VM, some of them are even more out of date than the coverage figure or Wg claims, VM changed its policy years ago when it changed ownership, no throttling and they never blocked VPNs, I can’t even think where that came from. The VM network is far from perfect, but the issues are usually localised due to the way the network works (or doesn’t), a lot of standardisation took place when Telewest purchased NTL, but that was mainly the telco side and back end with the finalisation of the digital migration, but in some cases it wasn’t possible due to the way the individual franchises were constructed. Some people have a horrible experience, but the silent majority have no significant issues and get exactly what they pay for (technically more due to over provisioning), I am thankfully one of them, but still waiting on my area being upgraded for gigabit.

VPN wise your previous post read as though you were suggesting it was reasonable to pay for a fast connection and then accept non line speed VPN because you could save £2 odd a month, obviously that’s pretty silly. Air do a number of things that puzzle me, like apparently quoting ingress and egress combined for load and running a network with 20% utilisation, knowing what it costs me and others for colo or server rental monthly, that strikes me as a low figure, also who runs a commercial enterprise from a .org? Anecdotal testing shows Wg speeds best OVPN, even with AES-NI and using UDP, randomly TorrentFreak found the same, circa 30% faster across a range of providers from memory. If op is after a cheap provider and doesn’t care about anything other than OK app support and reasonable track record of privacy, then both Nord and PIA are effectively free, and faster in my testing than Air, if privacy is actually the top priority, then better options exist.
 
Associate
Joined
29 Oct 2019
Posts
1,002
That's by the by though, isn't it? And a nice little straw man. You can't say that WireGuard is pointless and unsafe, and that OpenVPN is fast enough because only 12% of the population have FTTP... But then, faced with evidence that all of those arguments are false, say 'Well yes it's much more than that, but not that many people subscribe to it though'... LOL.
What on earth? You can't just make stuff up lmao, where did I say that WireGuard is pointless and unsafe? I said WireGuard might be worth it if you have Gigabit internet, but there are potential privacy concerns and it is new/experimental. The Windows version is still in beta which I'd guess the majority of people will be using.

The point I was making about 12% availability is that the vast majority of people won't have any speed advantages from WireGuard, and that point still stands. You're acting as though the figure being slightly outdated somehow invalidates that point with no logical reasoning as to why. The average UK broadband speed is less than 70mbps, which OpenVPN won't get anywhere close to being a bottleneck.
 
Soldato
Joined
18 Aug 2007
Posts
9,710
Location
Liverpool
I also said immediately that if you're speed constrained, then AirVPN are a rather nice provider for what they are. Even then, though, you'll still max your line with way less overhead, faster (re)connection speeds, better/seamless roaming and other advantages by sticking with WireGuard. Your spurious addition of (incorrect) FTTP coverage, non-existent VM throttling, irrelevant 'concerns' about WireGuard and arguments about price (which you simultaneously don't care about) are what I took issue with.

I'll repeat: Pick what works for you. Unless you have a compelling reason not to, though, WireGuard is the de facto better option in most situations. @Avalon covered the rest of my thoughts quite nicely.
 
Associate
Joined
29 Oct 2019
Posts
1,002
I also said immediately that if you're speed constrained, then AirVPN are a rather nice provider for what they are. Even then, though, you'll still max your line with way less overhead, faster (re)connection speeds, better/seamless roaming and other advantages by sticking with WireGuard. Your spurious addition of (incorrect) FTTP coverage, non-existent VM throttling, irrelevant 'concerns' about WireGuard and arguments about price (which you simultaneously don't care about) are what I took issue with.

I'll repeat: Pick what works for you. Unless you have a compelling reason not to, though, WireGuard is the de facto better option in most situations. @Avalon covered the rest of my thoughts quite nicely.
Issues with Virgin Media are real and well documented. You may have swapped out the router to fix those issues and live in a non congested area, it doesn't make the problems non existent in the real world.

WireGuard may well be the de facto option in the future, but for now OpenVPN still has several non trivial advantages over it, and in my opinion you can't call beta software the de facto better option when it comes to privacy.
 
Soldato
Joined
18 Aug 2007
Posts
9,710
Location
Liverpool
Issues with Virgin Media are real and well documented. You may have swapped out the router to fix those issues and live in a non congested area, it doesn't make the problems non existent in the real world.

WireGuard may well be the de facto option in the future, but for now OpenVPN still has several non trivial advantages over it, and in my opinion you can't call beta software the de facto better option when it comes to privacy.

With respect, you clearly don't wish to evaluate the information before you, and your arguments keep changing (and make no sense to the topic at hand). To be clear, again - WireGuard is not beta. It is production quality code in full mainline release. The underlying protocol is now well battle tested, independently audited, and has been at stable release for some time. Just because the Windows userspace application is labelled beta, doesn't make the underlying protocol beta.

Why do you seem to conflate the GUI on one OS with the underlying resilience and privacy credentials of the underlying protocol? WireGuard the app on Windows does not equal WireGuard the VPN protocol running underneath. Two entirely different things. You can just as easily run TunSafe (app) on Windows and still run WireGuard underneath - your argument is flawed.

The Noise Framework and Cha Poly are well established and secure, and they are de facto standards (ask Signal, WhatsApp, the EU, NATO, or any of the other bodies relying on them). With respect it seems like you don't know much about how it all works. Have you read the whitepaper? Read the code? The audits? Actually tested as I suggested? Jason, like many cryptographers, is exquisitely painstaking in his methodology and he is very slow to label things 'complete'. The Windows app is fine, and if you're worried, run it on Linux or OpenBSD (where it works much better anyway as it's native).

The VM issues are not 'real' they're imaginary. You were just a couple of posts ago beating the drum about their 'well documented' throttling of VPNs... When that was shown (like your other arguments) to hold no water, you ignore those parts of the reply, say nothing of the evidence and move on to another nit to pick. Whether VM - like most ISPs - has some local congestion or peering issues, is absolutely irrelevant to the topic at hand, which is VPNs. The fact one can replace an ISP router and get better features, more stable performance or whatever is hardly news, and certainly not VM specific. One thing it doesn't do, as you alluded, is increase the speed. I don't get 900Mbps over WireGuard because I run my own router, I get it because the gigabit service from VM is good and WireGuard is excellent.

If you have slow Internet, a low to mid tier home network, you have a specific need or choice for OpenVPN, or you just don't care, then pick what you like. That's fine and I've said that all along. Just please don't sling FUD when you have an apparent lack of understanding of the underlying code, principles and protocols at play. It'd be interesting to know which of the features of OpenVPN that you laud over WireGuard you actually use in your daily life? What's it offering that you need, that WireGuard isn't able to provide you personally?
 
Associate
Joined
29 Oct 2019
Posts
1,002
With respect, you clearly don't wish to evaluate the information before you, and your arguments keep changing (and make no sense to the topic at hand). To be clear, again - WireGuard is not beta. It is production quality code in full mainline release. The underlying protocol is now well battle tested, independently audited, and has been at stable release for some time. Just because the Windows userspace application is labelled beta, doesn't make the underlying protocol beta.

Why do you seem to conflate the GUI on one OS with the underlying resilience and privacy credentials of the underlying protocol? WireGuard the app on Windows does not equal WireGuard the VPN protocol running underneath. Two entirely different things. You can just as easily run TunSafe (app) on Windows and still run WireGuard underneath - your argument is flawed.

The Noise Framework and Cha Poly are well established and secure, and they are de facto standards (ask Signal, WhatsApp, the EU, NATO, or any of the other bodies relying on them). With respect it seems like you don't know much about how it all works. Have you read the whitepaper? Read the code? The audits? Actually tested as I suggested? Jason, like many cryptographers, is exquisitely painstaking in his methodology and he is very slow to label things 'complete'. The Windows app is fine, and if you're worried, run it on Linux or OpenBSD (where it works much better anyway as it's native).

The VM issues are not 'real' they're imaginary. You were just a couple of posts ago beating the drum about their 'well documented' throttling of VPNs... When that was shown (like your other arguments) to hold no water, you ignore those parts of the reply, say nothing of the evidence and move on to another nit to pick. Whether VM - like most ISPs - has some local congestion or peering issues, is absolutely irrelevant to the topic at hand, which is VPNs. The fact one can replace an ISP router and get better features, more stable performance or whatever is hardly news, and certainly not VM specific. One thing it doesn't do, as you alluded, is increase the speed. I don't get 900Mbps over WireGuard because I run my own router, I get it because the gigabit service from VM is good and WireGuard is excellent.

If you have slow Internet, a low to mid tier home network, you have a specific need or choice for OpenVPN, or you just don't care, then pick what you like. That's fine and I've said that all along. Just please don't sling FUD when you have an apparent lack of understanding of the underlying code, principles and protocols at play. It'd be interesting to know which of the features of OpenVPN that you laud over WireGuard you actually use in your daily life? What's it offering that you need, that WireGuard isn't able to provide you personally?
Since you were so insistent on how superior WireGuard is I decided to buy a month of Mullvad and test it myself. It was tested in a virtual machine as this is my typical use case. I used VirtualBox and set up a clean install of Windows 10 Pro with all updates installed, 6 cores and 8GB RAM were allocated. I was expecting WireGuard to be a tiny fraction faster from lower overheads but the result was surprising. I tested several servers in the same location for both the VPN and the speed test, then took the best results.

Results Down/Up
Mullvad OpenVPN: 51.21mbps/15.19mbps
Mullvad WireGuard: 46.52mbps/14.23mbps

OpenVPN was objectively and consistently faster than WireGuard for my use case. I don't know if there is some issue specific to Mullvad, or if for some reason WireGuard doesn't work well on virtual machines, but so much for it being the de facto option. Speed is only one criterion, for a VPN the privacy aspects are arguably more important. WireGuard was not designed with privacy in mind, and the convoluted workarounds various VPN providers have implemented to address the many privacy issues seem imperfect.
 
Soldato
Joined
27 Feb 2015
Posts
12,621
Currently using NordVPN, not cheap, I primarily use it for F1 TV, paid for by my European friend, but performance-wise I see it can comfortably hit my line speed (74/20 syncing VDSL2).
 
Soldato
Joined
29 Dec 2002
Posts
7,252
Currently using NordVPN, not cheap, I primarily use it for F1 TV, paid for by my European friend, but performance-wise I see it can comfortably hit my line speed (74/20 syncing VDSL2).

As already mentioned, use Quidco, Nord ranges from cheap (70% off the discounted price) to free depending on the offer.
 
Soldato
Joined
27 Feb 2015
Posts
12,621
As already mentioned, use Quidco, Nord ranges from cheap (70% off the discounted price) to free depending on the offer.

Don't need to as my friend paid for it, but that's a nice hefty discount, makes you wonder how much companies overcharge if they can afford that kind of discount.
 
Soldato
Joined
18 Aug 2007
Posts
9,710
Location
Liverpool
OpenVPN was objectively and consistently faster than WireGuard for my use case. I don't know if there is some issue specific to Mullvad, or if for some reason WireGuard doesn't work well on virtual machines, but so much for it being the de facto option. Speed is only one criterion, for a VPN the privacy aspects are arguably more important. WireGuard was not designed with privacy in mind, and the convoluted workarounds various VPN providers have implemented to address the many privacy issues seem imperfect.

I would have happily loaned you a Mullvad key for a week had you taken up my mention of testing yesterday. Alas, Oracle VirtualBox has horrific networking, and especially on a Windows host. On Windows 10 bare metal I do see slower speeds, as one would expect from a userspace implementation. I tend to cap out around 800 to 850Mbps to Mullvad on the rare occasion I have to use Windows, whereas Linux or OpenBSD will give the fuller >900Mbps. Six cores is ample for WireGuard - my Pentium G4560 router (2 cores, no HT enabled) will max gigabit to Mullvad under Linux or OpenBSD. No matter what CPU your 6 cores emanate from (excepting, perhaps, early Phenom or Bulldozer?) it should be much faster outside of Oracle's dreadful and ponderous NAT implementation. Try again in native Linux, or even under KVM if Windows is a must. There's little joy in driving a Ferrari down a 20mph road outside a school.

Why are you using VMs for your VPN connection? Are you tying together VMs with (for example) a VPN tunnel in one and a torrent app or similar passing through it, perhaps? This was an 'idea' a decade or so ago to keep the host OS on the ISP WAN (for streaming etc) and have downloads contained behind the VPN separately. Woefully slow and old fashioned implementation if so. Depending on your use-case, you'd be perhaps much better off running a *nix base, with either policy based routing or, better, a Docker/Podman/LXC/KVM container setup with a dedicated local network for the download containers routing out through a WG container. That would allow much closer to wirespeed. Of course, if you're running a decade old CPU on spinning rust, you're going to have much worse results than on a fast modern CPU, Intel dedicated NICs and NVMe scratch drives.

Again, pick whatever works for you. Neither Mullvad nor WireGuard are slow on appropriate hardware, as evidenced by the many speedtests I posted for you in an earlier reply (which IBB seem to have since removed, probably because I stripped their ads lol). The repetitious statements about privacy issues are shown to be nonsensical, and the 'convoluted workarounds' you talk about are much the same for OpenVPN. They primarily involve locking out unauthorised users and disabling logging; but again, as you don't seem to understand much about the inner workings it's forgivable to find them obtuse. You have a month of Mullvad, so have fun experimenting with it. It's physically impossible to have a userspace, single-threaded daemon run faster than a multi-threaded, kernel space implementation provided you run them both appropriately.
 
Man of Honour
Joined
20 Sep 2006
Posts
34,022
I've just signed up to NordVPN for two years with cash back. I run a headless Linux VM that manages all of my Usenet downloads and IPTV streams. I'll soon be on 900 Mbps with Zen, any reason I should look at an alternate?
 
Soldato
Joined
18 Aug 2007
Posts
9,710
Location
Liverpool
I've just signed up to NordVPN for two years with cash back. I run a headless Linux VM that manages all of my Usenet downloads and IPTV streams. I'll soon be on 900 Mbps with Zen, any reason I should look at an alternate?

You won't have many issues with them mate. The current cashback isn't too bad (though it's not as good as it was a short time ago - basically free!). I grabbed the deal also, to add to my little collection of VPNs lol. I like that they have Icelandic servers, and iPlayer etc work on Nord so why not?

The only two caveats (small as they are) that I notice are (1) no port forwarding, though I still basically max my gigabit line over torrents - you just can't seed and (2) WireGuard is implemented in their own proprietary 'wrapper' as NordLynx. It means you can't just generate a .conf and throw it in /etc/wireguard - but that said, their Linux app works OK and has an old Cisco type syntax which is nice. For example:

Code:
sudo nordvpn set technology nordlynx
sudo nordvpn set dns 10.100.0.5
sudo nordvpn whitelist add subnet 10.100.0.0/16
sudo nordvpn connect #or sudo nordvpn connect 'country'/'city'

You only need to set your options once, they get stored. When whitelisting your subnet, go one bigger. My LAN is actually still on a /24 but a bug (the implementation, really) of Nord's app means if you whitelist the /24 you can't access your LAN. If you whitelist it to /16 everything works. If you're on Windows their app takes care of it for you.

I just switched from Mullvad to NordVPN (London) to reply to your post:

[Image: nordvpn-wireguard-linux.png]


The latency is a little 'high' at 30ms but bear in mind I'm on VM. That means DOCSIS overhead, plus the traffic is being routed from Liverpool > London (VPN) > Manchester (speedtest server) > London (VPN) > Liverpool (back to me). :p Actual real life latency is in line with my VM connection, often actually better due to VM's poor routing.

Code:
ping -c 4 9.9.9.9
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
64 bytes from 9.9.9.9: icmp_seq=1 ttl=60 time=22.7 ms
64 bytes from 9.9.9.9: icmp_seq=2 ttl=60 time=23.3 ms
64 bytes from 9.9.9.9: icmp_seq=3 ttl=60 time=23.4 ms
64 bytes from 9.9.9.9: icmp_seq=4 ttl=60 time=23.4 ms

--- 9.9.9.9 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 22.662/23.181/23.411/0.304 ms
 
Man of Honour
Joined
20 Sep 2006
Posts
34,022
Thanks @Rainmaker. It's working fine now and I have a /24 in my exceptions list. It's running using OpenVPN but I will check out WG once I've moved if OpenVPN is too much for the faster connection.
 
Man of Honour
Joined
20 Sep 2006
Posts
34,022
Well, I think I'm going to get a refund with NordVPN, mainly due to the lack of port forwarding support. I just have to find a provider now which will allow it and allow it to be configured via terminal only as I don't run a desktop on my VM.
 
Soldato
Joined
18 Aug 2007
Posts
9,710
Location
Liverpool
Well, I think I'm going to get a refund with NordVPN, mainly due to the lack of port forwarding support. I just have to find a provider now which will allow it and allow it to be configured via terminal only as I don't run a desktop on my VM.

Mullvad allow you to set and manage your forwards via their web dashboard (i.e. log into your account, set forwards per WireGuard key). You can then set your configs locally (i.e. in the VM) as you wish, including said forwarded port. OVPN have a similar arrangement. I know that PIA allow you to obtain a forward via CLI/API but it's messy at best, and the port expires and changes regularly.
 
Man of Honour
Joined
20 Sep 2006
Posts
34,022
Mullvad allow you to set and manage your forwards via their web dashboard (i.e. log into your account, set forwards per WireGuard key). You can then set your configs locally (i.e. in the VM) as you wish, including said forwarded port. OVPN have a similar arrangement. I know that PIA allow you to obtain a forward via CLI/API but it's messy at best, and the port expires and changes regularly.
Thanks, I tried out PIA and as you say it's a bit messy so I may cancel it and try out Mullvad today and see how I get on.
 
Man of Honour
Joined
20 Sep 2006
Posts
34,022
I've just managed to set up Mullvad and port forwarded to Plex just fine, they also allow BTC payments which is nice. Now to work out how to set a kill switch and allow local access still.
 
Soldato
Joined
18 Aug 2007
Posts
9,710
Location
Liverpool
I've just managed to set up Mullvad and port forwarded to Plex just fine, they also allow BTC payments which is nice. Now to work out how to set a kill switch and allow local access still.

Glad you got sorted mate. Yeah them taking BTC is handy. Wish they (and more others) would accept Monero, it's much more private and in line with VPN ethos. The only one I know who does is OVPN. I have my hand in both (and a few others), but I mostly concentrate on Monero. Mullvad do have a couple of resellers who accept Monero for a six month / annual pass code, which is fair enough. At any rate, I'm happy you got sorted and you shouldn't have any bother. Mullvad are very good.
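
One way to get the kill switch with local access asked about above, shown as an added example that is not part of any post in this thread: a wg-quick config using the kill-switch rule documented in the wg-quick(8) man page, extended with a LAN exception. The interface name wg0, the 10.100.0.0/24 LAN (borrowed from the subnet mentioned earlier in the thread) and every value in angle brackets are assumptions or placeholders.

```ini
# /etc/wireguard/wg0.conf (constructed example; fill in values from your provider's config)
[Interface]
PrivateKey = <your-private-key>
Address = <tunnel-address-from-provider>
DNS = <provider-dns-server>

# Kill switch. Reject any outgoing IPv4 packet that
#   - is not leaving through the tunnel interface (%i expands to wg0),
#   - is not addressed to the LAN (assumed here to be 10.100.0.0/24),
#   - is not WireGuard's own encrypted traffic (identified by its fwmark),
#   - is not addressed to this host itself.
# All four conditions must hold for the REJECT to apply, so LAN traffic and
# the encrypted tunnel packets still pass over the physical interface.
PostUp = iptables -I OUTPUT ! -o %i ! -d 10.100.0.0/24 -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i ! -d 10.100.0.0/24 -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

# Same rule for IPv6, without a LAN exception, so no IPv6 traffic can bypass the tunnel.
PostUp = ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <server-public-key>
Endpoint = <server-address>:<port>
# Routing everything through the peer is what makes wg-quick set the fwmark used above.
AllowedIPs = 0.0.0.0/0, ::/0
```

The rules are inserted by `wg-quick up wg0` and deleted by `wg-quick down wg0`, so they stop leaks while the tunnel is configured but do not block traffic after the tunnel has been taken down deliberately. A port forwarded by the provider arrives through wg0 and its replies leave through wg0, so it is unaffected by the rule.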
 

maj


Soldato
Joined
19 Jul 2010
Posts
2,600
Location
Durham
@ChrisD. I've also just got a refund from Nord although in my case it was due to the cashback not tracking. How easy was it to configure it on a headless VM? As it's something I'd be looking at doing too.
 