Best VPN services

Have recently changed over to SurfShark VPN . Very impressed with their customer service and the features they offer .

Mozilla have started rolling out their VPN globally, currently only available in the US, the UK, Canada, New Zealand, Singapore and Malaysia. Under the hood its Mullvad using the WireGuard

Malwarebytes is now offering a VPN service . I use Malwarebytes but I am more than happy with Surfshark VPN in all respects .

I’m currently using Oeck. But I don’t think I will continue with it, its really expensive. That said, its probably the best of the VPNs I’ve had.

This is a self serving blog but aspects may be inforative if this is how ‘it’ works, and there is little reason to believe otherwise. Some test/rank sites may be above board, but.

@SteveDuncombe, any comment, especially on the pay to play for ranking aspect for some ‘expert sites’?

https://blog.windscribe.com/were-not-paying-for-1-25b4e55ca10f

If one is solely for a secure connection when using public internet access (locally or internationally), one can save significant monthly/annual fees by setting up a vpn on their NBN router, if the router supports Open/PPTP VPN.

Check the manual for your router to see if VPN is supported, and if it is, if you are reasonably confident, you can create your own personal VPN knowing its security and that your data won’t be potentially watched by a free or paid VPN service.

I thought that PPTP along with L2TP was just not as secure as OpenVPN? My router does the former, but not the latter which is why I just have apps or OpenVPN on devices.

Yes you are right @SueW

OpenVPN is underneath it all a SSL based VPN system. It can use TLS (my preferred security), it can use either UDP or TCP as it’s transport.

PPTP has many known security issues and is largely obsolete as a VPN method. It was developed by MS. It’s benefit was it was simple to set up.

L2TP is more secure than PPTP but still has flaws and for encryption mostly relies on IPSec as it doesn’t really encrypt very strongly on it’s own so sometimes you will see it referred to as L2TP/IPSec. L2 (Layer 2) is a network layer to transfer data and supports Unicast, Multicast and VLANs among other things. As a VPN it is much more about anonymisation than being secure.

Wanting to purchase ESET VPN which was not covered in the previous review of VPN systems. Interested in your advice on Ease of Cancellation and whether Stealth mode is available? Thanks Tye

Hi @fourantz and welcome to the Community

I have moved your post into the existing topic on the VPN reviews.

Hopefully there will be someone who has or is using this product and will be able to give you their impressions of the service. I do not and have not in the past used the ESET VPN service so cannot give you any feedback about the service questions you have raised.

Is there any feedback on the Web that may help you?

Contact with ESET about their VPN service should be able to clarify their cancellation policy and whether or not they provide a “Stealth” mode. I am not quite sure what you mean by a stealth mode though, do you mean that they don’t keep logs of your use or do you mean something else. VPN traffic is encrypted and your RSP/ISP, the Government, or any public user will not be able to see where you have connected to on the Web nor read your traffic. Obviously the VPN provider will be able to see details of your usage, this is why you have to have trust in their service and trust that they do not keep logs of that usage.

On a searching about their product and reading their advertising about it I can see that they do use what they term Stealth. This is where the traffic is sent so it looks like just everyday standard HTTPS traffic rather than you surfing using a VPN (it will be sent using port 443 which is the port used for HTTPS traffic).

In regards to cancellation, it seems that the VPN service is tied to their ESET Home Security Ultimate package and is not a standalone product, so if using that package purely for the VPN would mean that if you no longer wanted it, it would be a cancellation of the entire service. If you already are using ESET for their AV then it would either be an upgrade to obtain the ability to use the VPN or is an already included option as part of the Ultimate package if that is already installed. If already included in the package from ESET, you could just cease using the VPN if unsatisfied with it. If not already available as part of a current service you are using you will need to contact ESET to check their terms, and if they do provide a refund if downgrading to a lower package or on cancellation of a service.

Thank you very much grahroll. Yes, I wondered as CHOICE didn’t review ESET VPN in Jul/Aug 22 but compared ESAT security in Sept/Oct 2023 (I guess because it was a combined package?). The questions that I raised in regards to Stealth and subscription cancellation were from your Jul/Aug 22 to check it out before committing. Thanks for doing the research and yes, will check web feedback and hopefully there maybe be some user advice from the community. Thanks again. Tye

I am a volunteer Myself and a few others help CHOICE, and Community visitors and members, by moderating the Community. I do have an interest in VPNs, encryption, security, and similar IT areas. It was no problem to look into the product for you, the Community is here to help each other find the information we need to be well educated consumers.

And anyone who desires to get the benefit of a VPN service should be aware of a current, significant long-standing weakness in the use of a VPN when you use it on a hostile local network such as a hotel’s WiFi or a cafe’s WiFi i.e. anywhere where you don’t have particular reason to trust the provider of the network (the attack has been nicknamed “TunnelVision”): Novel attack against virtually all VPN apps neuters their entire purpose | Ars Technica

This is the really important part. If you’re using a VPN at home, then unless someone else is on your home network you’re fine. Using a VPN to avoid workplace monitoring? This particular flaw can be used by the workplace to see into your VPN. Same with WiFi networks you do not control, such as the hotel/restaurant WiFi mentioned previously.

The problem is not a newly discovered bug - it is a flaw in the way one of the basic Internet protocols works. VPN providers can probably update their applications to advise users if it is being applied to their Internet connection, but for the moment VPN users are probably best off assuming that anything they connect to over someone else’s WiFi or other network is visible to the network owner. It does not appear to mean that already encrypted data can be read by the interceptor, but tells the interceptor where you are going online. As long as your connection is via HTTPS, your actual data should (to my understanding) be safe.

Actually, on third thought you should assume that your data is not safe. Because the person is able to affect how your Internet traffic is handled, while this specific problem does not give access to your data an attacker could presumably use their access to intercept your standard secure connection with a website (sitting between you and that website). Unlikely in most circumstances, but so is use of the underlying flaw.

Oh, and if you are using Android the problem does not affect you as Android never implemented this particular part of the relevant Internet specification.

It is surprising that Android is the only operating system that’s immune to this type of attack.

From the Ars Technica article,

Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn’t implement option 121. For all other OSes, there are no complete fixes.

This is also stated in a number of other articles I’ve seen about Tunnelvision. For example,

However, in order to successfully decloak the VPN traffic, the targeted host’s DHCP client must implement DHCP option 121 and accept a DHCP lease from the attacker-controlled server.
…
The problem affects all major operating systems like Windows, Linux, macOS, and iOS with the exception of Android as it does not have support for DHCP option 121.

Android failed to fully apply the standard. That is, everyone who did apply the standard in toto is vulnerable.

It’s a wonderful world.

And “in toto” for DHCP is pretty much lacking any kind of security measures anyway.

When not on the home network I use a portable broadband device to connect directly to my preferred Telco. OS I might use the hotspot option on my mobile with a roaming pack. Preferably I arrange to not need to log into banking etc.

It’s difficult though to travel for any length of time without needing to access one’s FF account/flights or accommodation booking services. Https + VPN + personal internet connection + smart password choices + … There are limits to what one can do.

If a VPN cannot be relied on, it makes me look back to when all I had was a bunch or travellers cheques, some cash and a list of local phone numbers of any pre-booked services. Even flying used paper ticketing. There were no mobile phones or internet. Security relied on not loosing any of required bits of paper. To note we have not eliminated risk. It’s that we have replaced the ones past with new ones and novel ways to loose them.

Yes. If there is any software to be installed at all in order to get the VPN working, then an update to that software may be able to monitor for this issue and warn. (Far better though just to avoid the issue.) Note that it may be preferable that a VPN does not require any software to be installed, in which case the monitoring and warning may need to come from the underlying operating system (which natively supports the VPN).

Note also that split-tunneling and other similar scenarios can be completely legitimate. So there would need to be a way to turn off the warning if such a warning is ever added.

As I think you realised, the VPN cannot itself detect this issue, even at the client end. It just sees no traffic or reduced traffic.

Of course, if you are using a VPN to bypass geoblocking then you probably don’t need a separate warning. You probably got the “warning” anyway because your bypass stopped working.

Correct. If your traffic is doubly encrypted (once first by the S in HTTPS and then by the VPN - and likewise for any other encrypted protocols, such as SSH), the bypassing of the VPN still doesn’t directly expose the content of the communication. It does however expose the destination of the communication, which in some circumstances could be a significant problem but in many circumstances isn’t a problem (do I care if the hotel where I am staying knows which bank I use? as long as I am connecting securely to said bank).

It is unclear to me whether this was an intentional (sensible) decision on the part of Android or just slackness.

DHCP option 33 could be similarly troublesome. Did anyone check Android for that one?

That assumption needs care. Since most people use their router as DHCP server, and the router may be supplied by the ISP, even pre-configured, maybe even allowing remote access by the ISP … it isn’t impossible for this attack to be mounted against your home (potentially remotely).

But, as I emphasised in my post, this attack is most directly used when you use someone else’s network that is operated intentionally maliciously.

FWIW, DHCP option 121 was added 5 years after the original specification of the first set of valid options. So it could be that Android simply implemented the original specification and the implementation was not updated for later additions.

Or, as I wrote above, it could be that the Android implementers actually bothered to read the security warnings in the documentation for DHCP option 121 and made the judicious decision to omit support.

It is newly published. When it was discovered and by whom is anyone’s guess. One could imagine, for example, that the Chinese government knew about this 20 years ago and routinely uses it to unmask dissidents (China being a country where the Great Firewall of China means that many people have a reason to use a VPN, but Australia is catching up with the badness).

If you are saying it is not a “bug”, I can see your point, but the practical effect is the same.