1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Best VPN

Discussion in 'Networks & Internet Connectivity' started by mrochester, 9 Apr 2021.

  1. mrochester

    Soldato

    Joined: 29 Sep 2003

    Posts: 5,631

    Location: Newcastle upon Tyne

    Hi all.

    My 3 year nord vpn deal is coming to an end soon so I am shopping around for a VPN.

    I’ve heard a lot about express VPN but they seem to be considerably more expensive than other VPN services (it costs more for a year of express VPN vs 2 years of nord vpn).

    is the cost increase warranted or should I just stick with NordVPN? I’d be interested to hear the experience of those who have tried both.

    many thanks.

    m.
     
  2. SixTwoSix

    Capodecina

    Joined: 14 Sep 2007

    Posts: 11,974

    Location: Limbo

    I jumped ship to Mullvad from NordVPN last year and won't go back. It's more expensive but it maxes out 95%+ of my 900Mb line speed, whereas Nord topped out around 600Mb. I'd also been on Nord for 3 years prior.

    Also Mullvad is a numbered account and I can pay via BTC, a touch closer to anonymity.
     
  3. mrochester

    Soldato

    Joined: 29 Sep 2003

    Posts: 5,631

    Location: Newcastle upon Tyne

    Thanks for the recommendation, I will investigate that.
     
  4. Avalon

    Soldato

    Joined: 29 Dec 2002

    Posts: 6,606

    If you want cheap, Nord/PIA are regularly free via Quidco (PIA was paying 104% cash back a week or two back). I don’t like Nord/PIA for a variety of reasons, but thus far they haven’t been able to provide logs of anything when ordered to do so by court order. Mullvad are slightly more expensive and I would suggest are in better standing for a variety of reasons, but it depends how strongly you feel about privacy and who you trust with it.
     
  5. Rainmaker

    Sgarrista

    Joined: 18 Aug 2007

    Posts: 8,795

    Location: Liverpool

    What are you expecting from it? What's your setup? It's impossible to give a reasonable answer to 'What's the best VPN', and the automatic answer has to be 'For what?'. You wouldn't go far wrong with Mullvad for most things, but they're not perfect. For privacy, speed and features then they're pretty up there, but they won't work with streaming services, for example.

    Express are junk ime. They're heavily marketed, but I could never get more than a couple of hundred Mbps out of them, whether on their proprietary LightWay protocol or other. Mullvad, Nord, PIA, Azire and OVPN all give me 900Mbps all day every day. Some of them will work with streaming services, some are better on Linux, others have better mobile app support... So again, what do you need?

    @Avalon - talk about timing. We have to stop meeting like this. :p
     
  6. mrochester

    Soldato

    Joined: 29 Sep 2003

    Posts: 5,631

    Location: Newcastle upon Tyne

    I am expecting it to simply keep my browsing private. I use the VPN software on all on my devices. I don’t use it as a means to access geofenced content. Speed and reliability are the key factors.
     
  7. Rainmaker

    Sgarrista

    Joined: 18 Aug 2007

    Posts: 8,795

    Location: Liverpool

    I'd stick to Mullvad then, just keeping in mind that iPlayer, Netflix and Prime Video etc won't work. If those are deal breakers you'll have to look elsewhere, but not many of the services can keep VoD streaming working these days (streamers work hard to block VPNs).
     
  8. mrochester

    Soldato

    Joined: 29 Sep 2003

    Posts: 5,631

    Location: Newcastle upon Tyne

    Why don’t they work?
     
  9. DIABLO

    Soldato

    Joined: 18 Oct 2002

    Posts: 5,495

    Location: N.Devon

    Because the streaming services have black listed the IP addresses of the VPN servers.
     
  10. mrochester

    Soldato

    Joined: 29 Sep 2003

    Posts: 5,631

    Location: Newcastle upon Tyne

    But just Mullvad’s ?
     
  11. Rainmaker

    Sgarrista

    Joined: 18 Aug 2007

    Posts: 8,795

    Location: Liverpool

    No, most of them. The streaming services block all non-residential IPs basically, including VPNs. Some providers have found ways around this using DNS or routing hackery (eg NordVPN, ProtonVPN, PIA's streaming server) but mostly not.
     
  12. Lmg80

    Hitman

    Joined: 20 Nov 2016

    Posts: 537

    Netflix would be a deal-breaker for me. Never used to work with PIA, hence swapped for NordVpn.
     
  13. DeliciousStorage

    Gangster

    Joined: 29 Oct 2019

    Posts: 430

    AirVPN, just as good as Mullvad IMO but they have a cheaper long term plan. 3 years works out at £2.38/month. They accept multiple cryptocurrencies including Monero, and you don't need a real email when registering.
     
  14. Rainmaker

    Sgarrista

    Joined: 18 Aug 2007

    Posts: 8,795

    Location: Liverpool

    AirVPN are decent provided you don't have high speed Internet. Their rigidity in sticking to OpenVPN means they're not able to give more than a couple of hundred Mbps usually.

    Edit: I actually just popped over to AirVPN and did some reading. I used them for *years* before my WAN outpaced their available bandwidth. On their forum they are saying 500Mbps is considered record throughput on their service, and because of the way their infrastructure is set up they can't get much better using WireGuard (God knows why). A user or two posted to say they'd hit 700Mbps occasionally, but their servers are quite contended and that's not going to happen regularly.

    Meanwhile, ProtonVPN and PIA (and Nord?) use 10Gbps uplinks, and Mullvad/OVPN/Azire use 2Gbps. You pays your money...
     
    Last edited: 10 Apr 2021
  15. DeliciousStorage

    Gangster

    Joined: 29 Oct 2019

    Posts: 430

    If you're one of the 12% of households that has access to FTTP and you absolutely must have the extra speed then a WireGuard VPN like Mullvad might be worth it. Even if I had Gigabit internet I think I'd still stick with OpenVPN for now since WireGuard is still new/experimental. It has potential privacy issues which is why AirVPN haven't implemented it yet and OpenVPN is still the default option on Mullvad. Not sure where you're getting "servers are quite contended" because I'm looking at the UK servers right now and the average load is around 20% which leaves 800Mbps available bandwidth. They do have a couple of 10Gbps servers, not that they are really needed yet.

    In my case I got 3 years in the Black Friday sale so it's around £1.59/month, which compares to £3.90 a month for Mullvad for a very similar quality of service. There is the caveat that it locks me in for 3 years, but that's not much of a concern because they are one of the longest running VPN's (11 years), and it was so much cheaper that I would have paid the same with Mullvad after 14 and a half months anyway.
     
  16. Rainmaker

    Sgarrista

    Joined: 18 Aug 2007

    Posts: 8,795

    Location: Liverpool

    I do indeed have gigabit, and Air can't come close. Tell me more about the privacy issues in WireGuard... Or is this just repetition of something written on Air's website? Genuine question, as I see that a lot on various VPN sites (when they don't happen to have the support for it). WireGuard is stable as a protocol, audited and well tested. It's also well past mainline release and full kernel integration in Linux, and hasn't been considered experimental for around six Linux kernel versions now.

    The 'privacy issues' basically amount to endpoint storage on the 'server' (WG doesn't actually have a 'server', it's a P2P model) and static key issues. Since the keys are public/private and you can generate your own, it's as secure as SSH. That is to say, very. Especially since it uses 256 bit keys by default and the encryption is modern, lean and has no known vulnerabilities. The endpoint issue is a 'possible' concern, if you don't wish an adversary (i.e. nation state) to know you were connected to the VPN at some point.

    Any decent provider, including Mullvad, Azire and OVPN have mitigations for these potential privacy concerns. They run encrypted PXE boot on diskless servers (i.e. RAM only), with the daemons set to log to /dev/null (or disabled completely where technically possible), and they wipe the last connection/endpoint within 3 minutes of a handshake expiring. Azire go one step further, and had Jason Donenfeld (WireGuard's creator) write a 'rootkit' to lock out all access to the daemon. Even the owners can't see into the WireGuard instance, and no tools or manual checking will reveal who - if anyone - is connected to the service, let alone what they're doing. They call this 'blind operator mode'. [1]

    I mentioned the 'contended' servers because many are at around 50% or more usage. Even those that aren't don't give you a lot of bandwidth to play with. Even in your own example, 800Mbps is still over 100Mbps less than I get from Mullvad/OVPN/Azire/PIA/Nord using Wireguard... and even then, good luck getting 800Mbps reliably over OpenVPN.

    This is not an assault on Air. They're a nice provider, mostly, and as I said I used them for years. Their refusal to move with the times and migrate to - or at least offer contemporaneously - WireGuard was a foolhardy one imo. Even with OpenVPN v2.5 or v3, and the new wintun adapter (to replace the old, slow TAP) doesn't come close to matching WireGuard for speed or simplicity. Ironically, the (relatively large) improvements in speed brought by wintun are still thanks to WireGuard, as it was created by... Jason Donenfeld, WG's creator, to bring a faster virtual interface to Windows for WireGuard's Win userspace application.[2]

    As I said, you pay your money and you make your choice. For me, when it was a choice between 200Mbps to 400Mbps up and down, on a single core, at the whim of a single gigabit server; or >900Mbps all day every day connected to a multi-gigabit server, using all cores, with a simple and tested native networking protocol (wg) it was a no brainer. Your choices can, of course, differ. Your allusion to cost is a non sequitir, as plenty of decent wg based VPNs offer similar or even cheaper pricing. I just happen to like Mullvad and OVPN.

    [1] https://www.azirevpn.com/docs/security#blind-operator-mode
    [2] https://www.wintun.net/
     
    Last edited: 11 Apr 2021
  17. DeliciousStorage

    Gangster

    Joined: 29 Oct 2019

    Posts: 430

    This was AirVPN Staff's comment on their forums as to why they believe OpenVPN is in many ways superior to WireGuard:
    • it's faster than Wireguard in AES-NI supporting systems when it uses AES. Have a look here!
    • it can be connected over stunnel, SSH, SOCKS5 and HTTP proxies, and Tor swiftly
    • even for the above reason, for an ISP it's not so easy to block OpenVPN, while it's trivial to block Wireguard
    • it supports TCP
    • it supports dynamic IP address assignment
    • it supports DNS push
    • it does not hold in a file your real IP address when a connection is closed
    • a significant part of our customers will not be able to use Wireguard effectively, simply because UDP is totally blocked in their countries or by their ISPs
    • UDP blocking and heavy shaping are becoming more and more widespread among mobile ISPs, making Wireguard slower than OpenVPN in TCP even in mobile devices, or not working at all in mobility
    If you're in one of the 88% of households that don't have FTTP availability then it seems like a no brainer to use OpenVPN. If you do have FTTP then WireGuard might be worth considering. Out of curiosity, which WireGuard VPN's offer cheaper pricing than £1.59/month?
     
  18. Rainmaker

    Sgarrista

    Joined: 18 Aug 2007

    Posts: 8,795

    Location: Liverpool

    As I said, many VPN providers who can't/don't/won't offer WireGuard muse similar misgivings. The privacy issues are a non-issue, as I explained. The 'Have a look here!' link shows a 600-700Mbps throughput on OpenVPN, with wintun. That's laudible but still nowhere near WG performance. WireGuard will saturate your gigabit NIC and, on suitable hardware, your 10Gb NIC too.

    It's also completely false to say that OpenVPN on an AES-NI CPU will outpace WG. I've tested on everything from a G4560 to a 3770 to a 8700K to a Threadripper 3960X to an Epyc Rome CPU. All are AES-NI and none come close to matching WireGuard, which will push full gigabit at single digit CPU usage, while OpenVPN is chugging 100% of a single core and doing a fraction of the speed throughput. You simply can't compare userspace (OpenVPN) to in-kernel (WireGuard) networking in this context.

    Note on the link you provided (which I'd already read), that Air say WireGuard isn't faster than OpenVPN *on their setup*, but they don't/won't say what that setup is. Windows (userspace) on spinning rust with a dual core from 2010? Or 3990X on NVMe running Linux or OpenBSD with in-kernel wg and a 10Gbps uplink?...

    I don't know what they're running these days, but it must be pretty funky to be unable to beat OpenVPN using UDP, all available cores and on a 10Gb NIC. Instead of relying on what Air (or I, or anyone else) tells you, why not do some testing yourself? Try out Mullvad for a month, or rent a Digital Ocean/Linode/whatever node for an hour for all of 3p and run some side-by-side tests with proper Epyc/Xenon CPUs, NVMe drives and multi-gigabit uplinks.

    The rest of the concerns, bar UDP blocking in some countries, are again either irrelevant or have solutions.

    Providers offering cheap deals (especially around Black Friday) include Surfshark, StrongVPN, PIA, NordVPN and so on. Until recently, NordVPN was actually paying YOU to take the service, via cashback. As it happens, VPNs are one of the items (alongside cigars, Cognac, cars, shoes and food) that I don't buy on price. I'd happily pay £20 a month for a decent provider with 10Gbps servers, WG, port forwarding, streaming support and audited, trustworthy privacy.

    As I said, it's down to user circumstances and choice. The whole anti-WireGuard drum only seems to be beaten by commercial suppliers who don't already offer it. OpenVPN can and does offer a nice niche, and has some flexibility not afforded by WireGuard (by design). IPSEC/IKEv2 can also give good throughput (though not as high as WireGuard on very high end NICs), and mitigates some of the 'issues' with WG. Define your parameters and pick what fits.
     
  19. Rainmaker

    Sgarrista

    Joined: 18 Aug 2007

    Posts: 8,795

    Location: Liverpool

    To add to last night's post, I did some reading up after you kept repeating the 'only 12% of homes have FTTP' figure. As of H2 2020, it was 19.2% for actual FTTP. That's not the only means of reaching gigabit, however. For example there's also cable (DOCSIS), and the reach of gigabit services overall was 37.4%, which is fully more than a third of properties. With VM's Project Lightning and OpenReach's similar endeavours, I'm sure that figure has since crept up again.
     
  20. DeliciousStorage

    Gangster

    Joined: 29 Oct 2019

    Posts: 430

    My figure was slightly out of date, but it really doesn't change anything. The only cable provider in the UK is Virgin, which is notorious for throttling and blocking VPN connections, and also general speed issues during peak times due to over-utilization of their network. The 19.2% figure only shows availability, the number of people that actually have full gigabit is going to be much lower than that.

    For your earlier point about price, I wouldn't buy a VPN based on price either, but I'm also not keen on throwing money away. I've used Mullvad for several months in the past, I simply wasn't getting any benefit from the extra money compared to AirVPN. There was also the fact that they didn't accept Monero. If someone was buying a VPN right now I'd actually recommend getting 2 months of Mullvad until AirVPN have their usual birthday sale, since 1 month of AirVPN is more expensive.
     
    Last edited: 11 Apr 2021