All VPN providers claim to be experts in privacy, but there’s not usually much evidence to back that up. Swiss-based ProtonVPN is different though, because the company has a track record in security – it’s also behind ProtonMail, the popular end-to-end encrypted email service.
ProtonVPN’s network has grown by more than a third since our last review, and now provides a fair-sized 1,061 servers across 54 countries. Most servers are in Europe and North America, as with most of the competition, but there are also locations in Australia, Brazil, Colombia, Hong Kong, India, Japan, Malaysia, New Zealand, South Africa, South Korea and more.
ProtonVPN owns and manages its own servers, too, and they’re connected to the internet using the company’s own network. Apart from giving ProtonVPN great control over how the service is set up and managed, it also shows us that this isn’t just some shell company making profits from reselling other people’s kit: there are real resources and expertise here.
You can see benefits from that control in ProtonVPN’s Secure Core, a smart technology which routes traffic through multiple servers before it leaves the network (meaning that even high-tech snoopers monitoring an exit server won’t be able to trace individual users).
Most customers don’t really need that level of protection, but ProtonVPN has plenty more familiar features. The service is P2P-friendly, supports up to 10 devices (the industry average is just five), has a kill switch, DNS leak protection and built-in Tor support for accessing Onion sites. A versatile split tunneling system routes all internet traffic through the VPN, apart from the apps and destination IPs you define. And there are now native apps for Windows, Android, Mac and iOS to enable using ProtonVPN on almost anything.
Recent app-related improvements since our last review include OpenVPN support for the Android app, while the Linux client now features a kill switch. Improved localization sees the apps now available in French, Italian, Spanish, Polish, and Brazilian Portuguese.
ProtonVPN’s Android app now includes a feature called Smart Protocol, which the company says, ‘helps you to stay connected to ProtonVPN, even when someone is trying to block your access.’ Is this some kind of clever real-time obfuscation tech, we wondered? No: it just means that if the app can’t connect using one protocol, it’ll try another, similar to the Automatic option already used by some VPN apps.
We were impressed to see that all ProtonVPN apps are now open source and audited, though, a level of transparency you’ll rarely see elsewhere. That’s an improvement on ExpressVPN, which only open sourced its browser extensions, but IVPN, Private Internet Access and ProtonVPN all have open source clients.
The ProtonVPN Plus plan delivers all the features we’ve described here, covers five devices, and can be yours for 10 Euros billed monthly, 8 Euros on the annual plan, 6.63 Euros over two years. That looks a little on the high side to us, and you can get capable VPNs for much less (Private Internet Access is just $3.33 a month on its annual plan, Surfshark charges just $1.99 a month over two years).
The company has some cheaper options. The Basic plan doesn’t give you access to the premium servers, won’t stream Netflix, can’t route traffic through multiple servers, and only supports two devices, but it’s just 4 Euros a month on an annual subscription, 3.29 over two years. That’s better, but some of the competition give you an unrestricted service for a very similar amount (and sometimes less.)
Any payments are sort-of protected by a 30-day money-back guarantee, though with a potential catch: you’ll only get a refund for any unused subscription time. If you sign up for a month and ask for a refund after 15 days, for instance, the company will only return 50% of your subscription fees.
While that sounds a little mean, ProtonVPN has a great defense; it already gives users an unlimited amount of time to sample its service with a free plan.
Okay, this has some significant limits. It covers just one device, supports ‘medium speeds’ only, and gives you access to just three countries (US, Netherlands, Japan).
However, the service performed well for us, with our nearest Netherlands server averaging 65-70Mbps, and, crucially, it has no bandwidth limits. No more bumping up against tiny data allowances: you can use ProtonVPN Free as much as you like. That’s a big deal, and makes ProtonVPN interesting all on its own.
ProtonVPN’s Swiss home gives it an immediate privacy advantage over most of the competition. The country has very strong privacy laws, is outside of US and EU jurisdiction, and isn’t a member of the 14 Eyes surveillance network.
The company states its logging policy very clearly on the website: “ProtonVPN is a no logs VPN service. We do not track or record your internet activity, and therefore, we are unable to disclose this information to third parties.”
Session logging is almost non-existent. The company stores the timestamp of the last successful login attempt, but that’s it. This is overwritten when you next log in, so it only ever reflects the last session.
ProtonVPN associates your account with an email address when you sign up, but this address can be whatever you like. The company suggests using ProtonMail if you’d prefer to remain completely anonymous.
Sign up for the free plan and you won’t have to provide any payment details. Choose something else and you can opt to pay by Bitcoin. If you use PayPal or a credit card, the payments are processed by a third-party, and ProtonVPN won’t see your billing details.
A Transparency Report or ‘Warrant Canary’ page in theory reports on ‘notable legal requests’ and what happened. Sounds useful, but it seems to have only ever listed a single request (no data was handed over), and that was dated January 2019.
Another privacy plus arrived in January 2020 when ProtonVPN announced that its apps were now open source, and released independent audit reports on them all from security experts SEC Consult.
The results were good, with only 11 vulnerabilities found across the desktop and mobile apps, and those only in the low or medium category.
Eleven may sound a lot, but it really isn’t. The whole point of this kind of audit is that it’s extremely thorough, identifying even the smallest issues, and none of ProtonVPN’s vulnerabilities were showstoppers.
For example, in one item, SEC Consult identified that the Windows client temporarily stored data about the current session for processing. That’s hardly surprising, and the data disappears when the app is closed. Unless an attacker has access to your system, manages to dump a copy of your RAM, take it away, identify the VPN process and figure out its data structures, it’s not going to be a problem.
Put it all together and ProtonVPN deserves huge credit for exposing itself to this level of scrutiny. There’s scope to go a little further: for example, TunnelBear’s audits don’t just cover its apps; they look at its infrastructure, back end and front-end systems, even the website. But ProtonVPN still tramples all over most of the competition, who don’t have the courage to put themselves through any audit at all.
Signing up for ProtonVPN is straightforward. The company supports paying by card, Bitcoin or even cash if you’re looking for extreme anonymity, but we chose PayPal. The process was completed within a few seconds, and ProtonVPN directed us to our account dashboard, a handy web portal with login credentials, an OpenVPN configuration file generator, a download link for the Windows client, and links to instructions for setting up Mac, Linux, iOS and Android devices.
We grabbed a copy of the Windows client. It downloaded and installed in seconds with no technical hassles. We logged in with the user credentials we specified while signing up, and the main console appeared.
The client looks great, with a professional and polished interface. It opens with a large world map which, for once, works mostly as you’d expect: spin the mouse wheel to zoom in and out, left click and drag to move around, hover the mouse cursor over a server icon to see its location, and click to get connected.
If you don’t like map interfaces, no problem, you can collapse the client down to a standard list of locations. Icons highlight servers which support P2P (five, at the time of writing) or Tor (just three: United States, Switzerland and Hong Kong.) Expanding any location lists all its available servers, with a color indicator of load (green being low, red high), and you can connect with a click.
A Profiles feature works as an unusually powerful Favorites system. This could be as simple as creating a profile which connects to a New York server, but there are many more options. You could connect to the fastest server in a country or a location, maybe choose a random server to reduce the opportunity for tracking, select the best P2P or Tor-friendly server, and optionally choose to connect via OpenVPN TCP or UDP.
The client gives you an unusual amount of feedback on the current session. You don’t just get to see your new IP: there’s also the time connected so far, data downloaded and uploaded, the current server load, download and upload speeds.
There’s some real value here. If speeds appear slow, for instance, you can check the server load as it is right now, and if it’s high, reconnect to something else. A simple idea, but not one we’ve seen with other apps.
The Settings dialog allows you to enable or disable key features (kill switch, DNS leak protection), configure what the Quick Connect action does (connect to the fastest location, a random server, a specific server of your choice) and set up the split tunneling system. These all worked for us, but there are some options you don’t get, including the ability to change protocol (it’s OpenVPN-only, although you can manually set up an IKEv2 connection) or automatically connect when you access an insecure network.
Checking the logs, we found the client was connecting via industrial-strength AES-256-GCM encryption with HMAC-384 for authentication. Works for us, but if you’re not a crypto-geek, ProtonVPN has some useful starter articles on its website.
We finished our look at the Windows client with some in-depth kill switch tests, and found it performed very well. The client didn’t leave us exposed during normal operations, such as switching to a new server while connected to another. And if we simulated a major problem by manually closing a TCP connection or terminating a VPN process, the client instantly displayed an alert and blocked all traffic until we reconnected.
The ProtonVPN Android app looks and feels much like the desktop build, with a very similar map view, country list and Favorites-like Profile system. Even the Settings panel has almost identical options and controls, including the OpenVPN support which arrived within the last year.
ProtonVPN’s iOS app follows the same pattern, even down to its updates: it also now uses OpenVPN as its default protocol, although IKEv2 is still available if you need it (which puts the app a step ahead of the OpenVPN-only Windows edition).
Although that doesn’t leave a lot to discuss, it’s good news for users. VPN apps should have as close to the same interface and feature set as possible across all platforms, ensuring that once you’ve mastered one version, you know exactly what to do on all the others.
If you’d prefer to use another OpenVPN-compatible app or device, there is good news: ProtonVPN offers better support for this than anyone we’ve seen. Instead of forcing you to work with a single set of generic configuration files, or generate custom files individually, ProtonVPN’s web console gives you the best of all worlds.
You’re able to customize your OpenVPN files according to the platform and protocol you need, then view files by country or individual server, and download them individually, or grab the full set in a ZIP file. If you’ve ever had to grab 120 OpenVPN configuration files individually, by clicking Download for each one, you’ll appreciate how thoughtful this is.
Our speed testing began by connecting to the fastest server from two locations (one UK, one US), then checking performance with the benchmarking sites Speedtest.net and TestMy.net.
Download speeds from our UK data center averaged 120Mbps. That’s better than some, and enough for most tasks, but there are much better performers around. Our last ExpressVPN OpenVPN results averaged 130Mbps, for instance, but its Lightway protocol got us 165Mbps, Hotspot Shield reached 200Mbps, and NordVPN’s NordLynx reached 330Mbps and more.
US performance was better at 160-200Mbps, a huge recovery from the terrible results we saw in the last review, where ProtonVPN peaked at 12Mbps. You can still get significantly higher speeds elsewhere – Hotspot Shield median speeds ranged from 328Mbps to 415Mbps during our last tests – but, again, ProtonVPN is probably good enough for most users, devices and tasks.
Long distance connections delivered more mixed results, from a decent 25-35Mbps when connecting from the UK to Australia, to a snail-like 2Mbps on the UK to South Korea route. We can’t draw any big conclusions from that, because speeds over this kind of distance can be affected by many factors beyond the VPN, but it still raises some questions. If you’re aiming to connect to locations around the world, be sure to speed test the service carefully while you’re within the 30-day money-back guarantee.
ProtonVPN sells itself mostly on privacy and security, but it has some unblocking abilities, too.
It got us into US YouTube content, for instance. That’s relatively easy, but it also breezed past the defenses of the much trickier BBC iPlayer, and allowed us to stream whatever we liked.
We successfully accessed UK and US Netflix with ProtonVPN’s Plus plan, although as we’ve seen before, the player sometimes took a very long time to play anything, and occasionally timed out, forcing us to try again.
ProtonVPN also succeeded with Disney+. We saw similar performance issues, but these appeared related to accessing the site and launching the player; once streaming, we saw no playback issues.
The service got us access to Amazon Prime Video, too, this time with no speed problems at all.
ProtonVPN’s unblocking performance had some odd quirks, then, but it still managed to unblock every service we tried, and that’s what really matters.
(Remember, though, you need at least a ProtonVPN Plus account to get this level of performance. The free and Basic accounts won’t do.)
With ExpressVPN and some other providers, you can turn to live chat support and get an update on the situation, maybe a recommendation of which server to use, in under five minutes. ProtonVPN doesn’t have live chat support, though, and while you can send an email, the company says the response time is ‘usually within 1-2 days.’ Most providers reply within hours, not days.
We posted a test question on Saturday evening, and received a reply on Monday morning, so right in the middle of ProtonVPN’s estimate. The reply was clear and helpful, too, offering multiple suggestions and asking well-chosen questions, just in case our issues weren’t resolved.
The good news continued up to the end of the review, when we ran our usual set of privacy tests. All ProtonVPN servers were in the locations promised, and they all returned the same IP and DNS address, with no DNS or WebRTC leaks to give our real identity away.
ProtonVPN unblocks almost everything, and its well-designed apps are now open source and independently audited. We’ve had speed issues with the service and the lack of live chat means it can take a while to get support, but this is a decent service, and we have to applaud any VPN which offers a free, unlimited bandwidth plan. Give it a try.