VPN Advice (November 2021 Edition)

By Michael Gebis, Tue 16 November 2021, in category Vpn

I had a short discussion with a friend about his VPN needs; here's a summary of that discussion.

Executive summary:

  1. Most users don't need a VPN for privacy anymore; the majority of your web traffic is encrypted by default.
  2. If you need a VPN so you can access servers at your home: Tailscale.
  3. If leaking metadata is a concern, first check if you already are paying for a VPN like "VPN by Google One" or "iCloud Plus".
  4. If you want a free VPN: ProtonVPN (with some caveats)
  5. If you need a more serious VPN: Mullvad or NordVPN.
  6. If you need overkill: Tor

Beware of all VPN advice

Some VPN providers are a little sketchy. Especially for the "free" VPNs, you should ask yourself "How are they making money?" The answer might be that they make money selling your metadata to advertisers. Ugh.

Don't trust search engines, either: the "top 10 VPNs of 2021" lists search engines show to you all feel like astroturf campaigns. Shady VPN companies are pretty good at SEO.

Don't even believe me. I swear I'm not a shill, but that's exactly what a shill would say. Double-check everything anyone tells you about VPNs, even me.

Your VPN provider becomes your ISP (kinda).

Without a VPN, your ISP (Comcast, T-Mobile, Starbucks, the WiFi at your work) can see the data "going over the wire"--but most of that data is encrypted nowadays, so they don't get that much. The metadata that is viewable to them is the destination server. In other words, your ISP can tell you're going to Facebook, but not which page on Facebook, nor the contents of that page. Still, this metadata is valuable, so some ISPs make money selling it.

But remember: When you turn on your VPN, your data is encrypted to the VPN who then sends it over the internet... thus the VPN provider can see which websites you're going to. So you're swapping one trusted entity for another. Choose wisely.

Advice for specific VPN use cases:

Use Case: I want to connect to servers at my house (to download my private music, video, etc.)

The easiest answer on this page: just use Tailscale. It's amazing--every computer you install it on gets a new 100.64/10 address. Any of your computers running Tailscale can get to any other computer running Tailscale using this address. All NAT traversal and key management are handled by their software (that's the magic!). It's so easy that if you had started setting it up when you started reading this paragraph, you would already be done.

An alternate workable option is to see if your router (Netgear, TP-Link, whatever) has a VPN server you can enable. But this is a pain to configure, is error prone, and if your router firmware isn't patched, you might be enabling a VPN service that has serious bugs. VPN bugs have affected Netgear, TP-Link, Linksys... really, everybody's had a problem at some point. It's embarrassing. If your router gives you a choice, WireGuard is easier to set up than OpenVPN.

Use Case: I would like to protect my internet traffic at an internet cafe

If you're worried about someone sniffing your traffic: This once was a concern, but in 2021 you probably don't need a VPN at all. All the big websites have turned on TLS (in web browsers, look for HTTPS), which encrypts the contents of your traffic. Google (including Gmail, YouTube, Drive, everything), Facebook, Twitter, Yahoo, etc., everybody uses TLS. What HTTPS does NOT do is hide the metadata of exactly where your traffic is going... read on:

Use Case: I would like to keep my phone browsing habits from my employer while on their WiFi

While TLS encrypts the content, it does not hide the destination. If you are going to OnlyFarmers dot com, the ISP doesn't know which pages or the contents, but they still know it's OnlyFarmers. This is true of apps you may have on your phone as well--the OnlyFarmers app probably phones home without you knowing it multiple times a day. This may be something you would like your employer to not know.

You might unknowingly have a VPN with your phone plan that you're already paying for; both Google (VPN by Google One) and Apple (iCloud Plus) have a VPN that you can use. Double check.

If you don't have one of these, and want a cheap solution: try the free ProtonVPN plan.

If you prefer a more robust paid VPN, right now the VPN subreddit rates both Mullvad and NordVPN pretty highly. But check it out for yourself, things may have changed since I published this article.

Use Case: I want to circumvent regional content restrictions

A lot of VPNs advertise that they can bypass regional content restrictions. Good luck with that. The reality is it's a cat-and-mouse game. Content providers are constantly blocking known VPN servers, VPN providers are constantly moving their IP addresses. I think "intermittent" is the best you're gonna do. The NetflixViaVPN subreddit can probably let you know what's working best at the moment.

Use Case: I want to torrent

Find a provider that doesn't keep logs. It's also a good idea to have a VPN client with an automatic kill switch: if the VPN goes down, all internet traffic should stop, rather than reverting to a non-encrypted connection.

Most free VPNs block all P2P traffic, so you'll almost certainly have to use a paid solution. The VPNTorrents subreddit has good advice about how to choose a paid VPN. I'm currently on a multiyear Private Internet Access plan, but when that expires I'll probably switch to Mullvad. (Why will I switch? Because PIA was purchased by a company that has a checkered past.)

Use Case: I want to hide from the NSA/CIA/FSB/MSS/Unit 8200

This is above my pay grade. In general, the Tor browser is your best bet, either standalone or as part of Tails OS. But Tor traffic can be slow and is blocked by a lot of websites, so using Tor for everything is not a good daily driver. Good luck.