A VPN is simply an encrypted connection between two computers, each side running VPN software. The two sides, however, are not equal.
The software that you, as the user of a VPN service deal with, is known as the VPN client. The software run by a VPN company is a VPN server. The encrypted connection always starts with a VPN client making a request to a VPN server.
There are many different flavors of VPN connections, each with its own corresponding client and server software. The most popular flavors are probably L2TP/IPsec, OpenVPN, IKEv2 and PPTP.
Some VPN providers support only one flavor, others are much more flexible. Astrill, for example, supports OpenWeb, OpenVPN, PPTP, L2TP, Cisco IPSec, IKEv2, SSTP, StealthVPN and RouterPro VPN. At the other extreme, OVPN, as their name implies, only supports OpenVPN.
I mention this to counter some mis-leading information from normally trustworthy sources.
When Brian Krebs recently wrote about whether you should use a VPN, he said "... VPNs rely on specialized software that you download and install on your computer."
Likewise, Lily Hay Newman, in Wired, recently wrote " ... the set-up process is fairly straightforward: You pay for access from the VPN of your choice, create an account, and then download the VPN’s portal program onto your computer and mobile devices."
The fact is, VPNs can be used without installing software. And, a case can be made, that this is the safer way to go.
BUILT-IN VPN SOFTWARE
To avoid installing software, the operating system on the computer/device that is the VPN client has to natively support the same VPN flavor(s) offered by a VPN provider.
As my recent blog, Triple your privacy with a Chromebook and two VPNs, showed, Chrome OS, the operating system on a Chromebook, natively supports L2TP/IPsec and OpenVPN.
iOS version 10 supports IKEv2, IPsec and L2TP. You can see this with Settings -> VPN -> Add VPN Configuration -> Type. iOS 9 supported these three plus PPTP, but support for PPTP was removed in version 10.
Android version 6 supports PPTP, L2TP/IPSec PSK, L2TP/IPSec RSA, IPSec Xauth PSK, IPSec Xauth RSA and IPSec Hybrid RSA. You can see this with Settings -> More -> VPN -> Plus sign -> Type.
Configuring a VPN on Sierra does not have to be hard. These instructions from Apple, macOS Sierra: Set up a connection to a virtual private network, talk about using a VPN settings file to automatically import VPN settings that configure the built-in VPN client software.
Windows 7 and Windows 10 support PPTP, L2TP/IPSec, SSTP and IKEv2.
Both ExpressVPN and NordVPN give their customers a Windows phonebook file (.pbk) for use with the VPN client software built into Windows. The file is pre-configured to work with the multiple VPN servers each company supports.
NordVPN describes this in their Windows 7 setup instructions. ExpressVPN refers to the file as a Windows Dialer file and describes its use here.
And, there's another option.
Open source client software is available for OpenVPN and IKEv2 based VPNs (not sure about other VPN flavors). With this option, you can use software that has, hopefully, been audited or vetted. OpenVPN provider Mullvad is flexible, they let their customers use either Mullvad-provided software or an open source alternative.
The NordVPN tutorials page (above) shows that they support all three types of VPN software on Windows. With Windows 7, 8 and 10, they offer six ways to connect to their VPN service.
"Application" uses software provided by NordVPN, "OpenVPN" uses software downloaded from openvpn.org. The other four options (L2TP/IPSec, PPTP, IKEv2/IPSec and SSTP) use no external software, they merely configure Windows to use VPN client software that is built into the system. To a Windows VPN user, this total flexibility is as good at it gets.
CHOOSING A TYPE
Which of these three types of VPN client software is the safest is debatable.
Software from a VPN provider, while tempting, is probably the least secure option.
It's tempting for non-techies because it can paper over the complexity of making the VPN connection. It can also be tempting for nerds because of extra bells and whistles such as a kill switch, IPv6 blocking and easy access to multiple VPN servers.
Tempting or not, software from a VPN provider is a black box (Note: Mullvad is an exception, their software is open source). There is no practical way to fully know what it's doing. There is also no way to test the quality of the software. There have been multiple reports over the years about VPN client software not doing what it should be doing. There is no way to know if it is actively maintained with bug fixes or if has been abandoned.
Running a VPN service requires expertise in networking, server software and encryption. To also expect an organization to employ good programmers for their macOS, Windows, iOS and Android software is a lot to ask.
I have no first hand knowledge, but it's likely that some VPN providers outsource the programming of their apps. It's bad enough that you have to trust the VPN provider not to spy on you, you may also have to trust whoever wrote their VPN client software on the operating system you use.
Anyone running Windows, may not trust Microsoft. Fair enough. But at least if you use the VPN client software built into Windows you know who wrote it.
If you trust Apple to protect your privacy, then you are probably safest using their VPN client software built into iOS and macOS.
And, speaking as a long time Windows user, I have seen too many instances where installing software creates a problem. None of the older operating systems (Windows, OS X, macOS, Linux) are as good as the newer systems (iOS, Android, Chrome OS) at isolating application software, so any software installation on these "desktop" systems carries some risk.
Amul Kalia of the EFF recently suggested we "look for services that you can use with an open source client. There are many clients that support the above-mentioned OpenVPN or IPSec protocols." The article, however, offered no links or suggestions for finding such software.
And, while open source software may be an open book, that doesn't make it perfect or bug free.
Personally, I find a specific VPN feature important enough that, on my cellphone, I consider it a must have.
My phone spends most of its time disconnected. That is, both the Wi-Fi and the LTE/4G are disabled. When I connect to the Internet, I want the VPN software to kick in immediately. If I had to manually enable the VPN, I would surely forget every now and then. Even when I did remember, data transmitted before the VPN kicks in, can leak information, so I want that interval as short as possible.
Thus, I look for VPN client software that runs all the time and immediately detects when the phone goes on-line and protects that connection, be it Wi-Fi or LTE/4G.
BROWSER BASED VPNS
The three options described so far all work at the operating system level. Any VPN connection made this way should (if all is working correctly) send everything to/from your computing device to the VPN server.
But VPNs can also exist at the web browser level. These are not nearly as secure because they only protect data coming/going from the browser.
Presently, the desktop (Windows, Mac, Linux) version of the Opera browser stands alone - it is the only browser to include VPN client software. Opera is hard wired into a VPN provider called SurfEasy that they purchased in 2015. The VPN access is disabled by default, but turning it on is a simple matter. Its also free and there is no bandwidth limitation.
On the downside, SurfEasy is based in Canada, a Five Eyes country. Also, Opera is owned by a consortium of Chinese companies, including Qihoo 360. And, as of September 2016 at least, many of the technical details of the VPN were unknown.
Other browsers can gain VPN functionality via add-ons/extensions. Many VPN providers, such as Mullvad, TunnelBear, PureVPN, Private Internet Access and ZenMate offer Chrome extensions. Some of these can also be installed in Opera and at least one works with Firefox.
The first five types of VPN client software are designed to work on a single computing device, be it a laptop, desktop, tablet or phone. Anyone wanting to use a VPN to protect multiple devices has a sixth option, a router with VPN client software.
This is a somewhat rare feature, but there are, nonetheless, many choices. Some of the router operating systems (the official term being "firmware") that support VPN clients are DD-WRT, Tomato, OpenWRT, MikroTik, Sabai and DrayTek.
Among consumer routers, Asus has been offering a VPN client for a long time. Many Asus routers can function as clients for OpenVPN, L2TP and PPTP VPNs. ExpressVPN offers instructions for configuring an Asus router to work with their service.
For anyone that does not want to configure a router, there are at least three companies that sell modified routers pre-configured to act as VPN clients. Many VPN providers, such as ExpressVPN, BlackVPN, StrongVPN, WiTopia and VyprVPN will sell you a router customized to work with their service. I keep a list of routers that can act as VPN clients on my Router Security site.
Some articles about VPN client routers assume it will be the only router. This is a mistake. A VPN client router is best installed behind an existing router. When you need privacy connect to the VPN client router, when not, connect to the normal router.
Get in touch with me privately by email at my full name at Gmail. Public comments can be directed to me on twitter at @defensivecomput