How to Choose the Right VPN: 7 Things to Check
Not all VPNs are equal, and the wrong choice can actually be worse than using no VPN at all. Here is what to look for — and what to avoid — when selecting a VPN service.
The VPN market is crowded with options ranging from completely free services that monetize your data to premium providers with rigorous no-log policies and military-grade encryption. Somewhere in between are dozens of mediocre VPNs that offer a false sense of security without actually protecting your privacy.
This guide gives you the framework we use to evaluate VPNs. These seven criteria cut through the marketing claims and identify what actually matters when your privacy is on the line.
1. Logging Policy: The Most Important Factor
A VPN's logging policy determines what data they collect about you and your activity. This is the single most important factor in choosing a VPN because it determines what the provider could theoretically hand over to authorities or expose in a breach.
What to Look For
No-log policy (also called zero-log or logless) means the VPN does not retain any records of your browsing activity, connection times, IP addresses, or bandwidth usage. Ideally, this should be verified by an independent third-party audit — a growing standard in the industry. Providers like NordVPN, ExpressVPN, and Mullvad have all undergone independent security audits of their no-log claims.
Some VPNs claim no-log policies but retain minimal connection logs (such as timestamps of when you connected, which server you used, or how much bandwidth you consumed). This data can sometimes be used to correlate activity even without recording what you did. The distinction between "no logs" and "minimal logs" matters — read the privacy policy carefully.
Red Flags
- VPNs based in countries with mandatory data retention laws (the US, UK, Australia, and EU countries often require ISPs to retain data — VPN providers in these jurisdictions may face pressure)
- VPNs that have handed over user data to authorities in the past
- Vague or evasive privacy policies that do not clearly state what is collected
- VPNs with a history of breach or data exposure
2. Jurisdiction: Where Is the VPN Based?
The country where a VPN is legally incorporated matters because it determines which laws govern the provider and what authorities can compel them to disclose. This is closely related to logging policy but distinct — a VPN can have an excellent no-log policy but still be subject to legal jurisdiction that could affect you.
What to Look For
Ideally, choose a VPN based in a country with strong privacy laws and outside the 5 Eyes, 9 Eyes, and 14 Eyes intelligence-sharing alliances. These alliances mean that even if a VPN provider itself does not log data, they could potentially be compelled to share information with partner countries.
Privacy-friendly jurisdictions include Switzerland, the British Virgin Islands, Panama, and Romania (though Romania's EU membership creates some complexity). NordVPN is based in Panama, Mullvad in Sweden, and ExpressVPN in the British Virgin Islands — all generally considered favorable for privacy.
Red Flags
- VPNs based in countries with invasive surveillance programs or mandatory data retention
- VPNs owned by companies based in privacy-unfriendly countries that could be subject to extraterritorial pressure
- Lack of transparency about corporate ownership structure
3. Encryption Standards: What Protocol and Encryption Do They Use?
Encryption is what makes your VPN traffic unreadable to anyone who intercepts it. The quality of encryption depends on two things: the VPN protocol used and the encryption ciphers employed.
What to Look For
WireGuard is the current gold standard for VPN protocols — it is open-source, uses state-of-the-art cryptography (ChaCha20), and is significantly faster than older protocols. OpenVPN is also excellent (open-source, widely audited, uses AES-256) but is slower. IKEv2 is secure and fast but less transparent as a protocol.
For encryption ciphers, AES-256 is the industry standard and is considered unbreakable with current technology. ChaCha20 (used by WireGuard) is considered equivalent in security. Avoid VPNs that use weaker standards like PPTP or older Blowfish ciphers.
Additionally, check for perfect forward secrecy, a property of protocols that generate fresh, short-lived encryption keys for every session and discard them afterwards, so that a later compromise of the provider's long-term key (or of one session's key) does not retroactively expose traffic from past sessions.
Red Flags
- VPNs that use PPTP protocol (obsolete, easily cracked)
- VPNs that do not specify what encryption they use
- VPNs that use self-signed certificates or outdated cipher suites
- Lack of perfect forward secrecy
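The protocol and cipher red flags above can be checked mechanically in the client profile a provider hands out. The linter below is an added example written for this guide, not code from the article or from any VPN provider; the directive names are real OpenVPN directives, while the two profiles it checks are constructed samples. It ignores inline PEM blocks, then flags obsolete or null ciphers (Blowfish, DES, "none"), weak HMAC digests, a missing server-certificate check, a missing TLS version floor, and a missing control-channel key.

```python
"""Lint an OpenVPN client profile (.ovpn) for the weak-crypto red flags above.

Added example, not from the original article or any VPN provider's software.
Directive names are real OpenVPN directives; both profiles are constructed.
"""
import re

# Data-channel ciphers OpenVPN still accepts but that are obsolete or give no
# confidentiality at all ("none").
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}
# HMAC digests that should not authenticate a data channel.
WEAK_DIGESTS = {"MD5", "NONE"}
# Inline PEM blocks such as <ca>...</ca>; their contents are not directives.
INLINE_TAG = re.compile(r"^<(/?)([a-z0-9-]+)>$")


def parse_directives(profile: str):
    """Yield (name, args) per directive; an inline block yields (name, ['inline'])."""
    in_block = False
    for raw in profile.splitlines():
        line = raw.strip()
        tag = INLINE_TAG.match(line)
        if tag:
            closing, name = tag.groups()
            in_block = not closing
            if not closing:
                yield name.lower(), ["inline"]
            continue
        if in_block or not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]


def lint_profile(profile: str) -> list:
    """Return human-readable findings; an empty list means no red flag was found."""
    seen = {}
    for name, args in parse_directives(profile):
        seen.setdefault(name, []).append(args)
    findings = []

    # 1. Obsolete or null data-channel ciphers ('cipher' is the legacy/fallback
    #    directive, 'data-ciphers' the 2.5+ negotiation list).
    for directive in ("cipher", "data-ciphers", "data-ciphers-fallback"):
        for args in seen.get(directive, []):
            for cipher in ":".join(args).split(":"):
                if cipher.upper() in WEAK_CIPHERS:
                    findings.append(f"{directive} {cipher}: obsolete or null cipher")

    # 2. Weak packet authentication on the data channel.
    for args in seen.get("auth", []):
        if args and args[0].upper() in WEAK_DIGESTS:
            findings.append(f"auth {args[0]}: weak or missing data-channel HMAC")

    # 3. Server identity: without remote-cert-tls / verify-x509-name the client
    #    accepts any certificate issued by the CA, including another client's.
    if not seen.keys() & {"remote-cert-tls", "verify-x509-name"}:
        findings.append("remote-cert-tls server missing: server certificate is "
                        "not distinguished from client certificates")

    # 4. TLS version floor for the control channel.
    floors = seen.get("tls-version-min", [])
    if not floors or not floors[-1]:
        findings.append("tls-version-min missing: legacy TLS versions may be negotiated")
    else:
        version = tuple(int(p) for p in floors[-1][0].split("."))
        if version < (1, 2):
            findings.append(f"tls-version-min {floors[-1][0]}: below 1.2")

    # 5. Control-channel wrapping key (recommended hardening).
    if not seen.keys() & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no tls-auth/tls-crypt: control channel is exposed to "
                        "unauthenticated peers")
    return findings


# Constructed sample: a legacy profile showing several of the red flags above.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher BF-CBC
auth MD5
<ca>
(PEM certificate omitted in this constructed sample)
</ca>
"""

# Constructed sample: the same profile with the settings corrected.
HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA256
<tls-crypt>
(PEM key omitted in this constructed sample)
</tls-crypt>
<ca>
(PEM certificate omitted in this constructed sample)
</ca>
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {lint_profile(profile) or 'no findings'}")
```

Run it against the profile a provider supplies (or that its app writes to disk) before trusting the "AES-256" claim on the marketing page; a clean result means only that the profile does not pin weak settings, since the server can still influence what is negotiated.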
4. Kill Switch: Do They Have One?
A kill switch is a critical safety feature that blocks all internet traffic the moment your VPN connection drops unexpectedly. Without a kill switch, your real IP address is exposed in the interval between the tunnel failing and the VPN reconnecting, because your device silently falls back to its regular internet connection.
What to Look For
VPN kill switches come in two types: system-level (which blocks all internet traffic) and app-level (which only stops specific applications). Both are useful, but system-level is more comprehensive. The best VPN providers have kill switches enabled by default.
Some providers call their kill switch by a different name: ExpressVPN calls it "Network Lock," while NordVPN simply calls it a "kill switch." The name does not matter; what matters is that it works reliably.
Red Flags
- VPNs that do not offer a kill switch at all
- VPNs where the kill switch is not enabled by default and users must manually activate it
- Reports of kill switch failures or bugs from users
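A system-level kill switch is, underneath, a default-deny egress firewall policy. The model below is an added example written for this guide, not code from the article or from any provider's client; the interface names, addresses and port are constructed. It encodes the minimal allow-list (loopback, the tunnel interface, and the encrypted transport to the VPN server so the client can reconnect), renders the equivalent nftables ruleset, and walks constructed packets through the routing fallback that happens when the tunnel goes down. An app-level kill switch would restrict the same rules to particular processes.

```python
"""Model of a system-level kill switch as an egress firewall policy.

Added example; not from the article or any provider's client. Interface
names, addresses and the port are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    out_iface: str  # interface the routing table picked for this packet
    dst: str        # destination IPv4 address
    proto: str      # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class KillSwitch:
    tunnel_iface: str   # e.g. "wg0" (constructed)
    vpn_endpoint: str   # VPN server's public address (constructed)
    vpn_proto: str
    vpn_port: int

    def allows(self, pkt: Packet) -> bool:
        """Default-deny egress: only loopback, the tunnel, and the VPN transport pass."""
        if pkt.out_iface == "lo":
            return True
        if pkt.out_iface == self.tunnel_iface:
            return True
        # The encrypted transport to the VPN server itself has to leave via the
        # physical interface, otherwise the client could never (re)connect.
        if (pkt.dst, pkt.proto, pkt.dport) == (self.vpn_endpoint, self.vpn_proto, self.vpn_port):
            return True
        return False

    def nftables(self) -> str:
        """The same policy as an nftables ruleset (assumed layout). An 'inet'
        table covers IPv4 and IPv6, so IPv6 egress is dropped as well."""
        return "\n".join([
            "table inet killswitch {",
            "    chain output {",
            "        type filter hook output priority 0; policy drop;",
            '        oifname "lo" accept',
            f'        oifname "{self.tunnel_iface}" accept',
            f"        ip daddr {self.vpn_endpoint} {self.vpn_proto} dport {self.vpn_port} accept",
            "    }",
            "}",
        ])


def egress(ks: KillSwitch, tunnel_up: bool, dst: str, proto: str, dport: int) -> str:
    """Simulate the routing decision, then the kill switch verdict ('accept'/'drop')."""
    # With the tunnel up, everything except the VPN endpoint is routed into it;
    # when it drops, the OS falls back to the physical default route (eth0 here).
    iface = ks.tunnel_iface if tunnel_up and dst != ks.vpn_endpoint else "eth0"
    return "accept" if ks.allows(Packet(iface, dst, proto, dport)) else "drop"


# Constructed configuration: WireGuard on wg0 to a server at 203.0.113.10:51820.
KS = KillSwitch(tunnel_iface="wg0", vpn_endpoint="203.0.113.10", vpn_proto="udp", vpn_port=51820)

if __name__ == "__main__":
    scenarios = [
        (True, "198.51.100.7", "tcp", 443, "HTTPS while tunnel is up"),
        (False, "198.51.100.7", "tcp", 443, "same HTTPS after tunnel drops"),
        (False, "192.0.2.1", "udp", 53, "DNS to ISP resolver after tunnel drops"),
        (False, "203.0.113.10", "udp", 51820, "VPN transport, needed to reconnect"),
    ]
    for up, dst, proto, port, what in scenarios:
        print(f"{what:40s} -> {egress(KS, up, dst, proto, port)}")
    print(KS.nftables())
```

Without the policy, the second and third scenarios would leave through eth0 with your real address; with it, only the packet that lets the VPN reconnect does. A provider's "kill switch" is worth the name only if it behaves like the `policy drop` line here rather than merely closing the app.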
5. DNS and Leak Protection
Even when using a VPN, DNS queries can leak to your ISP's servers, and WebRTC can expose your real IP address in browsers. Quality VPN providers build in protection against both of these leaks.
What to Look For
Look for VPNs that run their own DNS servers (rather than relying on third-party DNS) and have DNS leak protection built into their applications. This ensures DNS queries are always resolved through the VPN tunnel, not through your ISP.
For WebRTC leaks, check if the VPN provider offers browser extensions with WebRTC leak prevention, or if they document how to configure your browser to prevent leaks. Some providers (like Mullvad) are particularly transparent about WebRTC risks.
Red Flags
- VPNs that do not address DNS leaks in their feature set
- VPNs without any guidance or protection regarding WebRTC leaks
- User reports of DNS leaks after connecting to the VPN
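The DNS leak described above is a routing problem: a resolver address that the system reaches via the physical interface instead of the tunnel. The checker below is an added example written for this guide, not code from the article or from any provider. It reads a routing table in the format of `ip route show` and a resolv.conf (both constructed samples here), does a longest-prefix route lookup for each nameserver, and reports the ones whose queries would leave outside the tunnel interface. WebRTC leaks are a browser-side issue and are not covered by it.

```python
"""Report DNS resolvers that would be reached outside the VPN tunnel.

Added example; not from the article or any provider. Both inputs are
constructed samples in the format of `ip route show` and /etc/resolv.conf.
"""
import ipaddress

# Constructed sample: an OpenVPN-style full tunnel that overrides the default
# route with two /1 routes via tun0; the LAN (192.0.2.0/24) stays directly
# reachable, and the VPN server (203.0.113.10) is pinned to the physical path.
ROUTING_TABLE = """\
default via 192.0.2.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.42
203.0.113.10 via 192.0.2.1 dev eth0
"""

# Constructed sample: the VPN app added its resolver (10.8.0.1) but left the
# DHCP-supplied router/ISP resolver (192.0.2.1) in place.
RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
nameserver 10.8.0.1
nameserver 192.0.2.1
options edns0
"""


def parse_routes(text: str):
    """Return [(network, interface)] from `ip route show` style lines."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        net = ipaddress.ip_network(prefix, strict=False)   # host entries become /32
        dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
        routes.append((net, dev))
    return routes


def route_lookup(routes, dst: str):
    """Longest-prefix match; returns the egress interface or None if unroutable.
    Metrics are ignored in this model, so equal-length prefixes tie on order."""
    addr = ipaddress.ip_address(dst)
    candidates = [(net, dev) for net, dev in routes if addr in net]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def parse_nameservers(text: str):
    """Collect the `nameserver` entries of a resolv.conf."""
    servers = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "nameserver":
            servers.append(tokens[1])
    return servers


def leaking_resolvers(routing_table: str, resolv_conf: str, tunnel_iface: str):
    """Resolvers whose queries would leave via an interface other than the tunnel."""
    routes = parse_routes(routing_table)
    return [ns for ns in parse_nameservers(resolv_conf)
            if route_lookup(routes, ns) != tunnel_iface]


if __name__ == "__main__":
    leaks = leaking_resolvers(ROUTING_TABLE, RESOLV_CONF, "tun0")
    print("leaking resolvers:", leaks or "none")
```

On a real Linux host feed it the output of `ip route show` and the contents of `/etc/resolv.conf`. Any flagged entry is a leak even if it is listed second, because the stub resolver tries the servers in order and moves on to the next one after a timeout. Setups made by `wg-quick` use policy routing (fwmark rules) rather than the /1 routes in the sample, so for those the lookup has to take `ip rule` and the extra table into account.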
6. Server Network: Location and Capacity Matter
The number of servers and their geographic distribution affect both the speed and the versatility of a VPN. More servers mean less congestion, and more server locations mean more options for bypassing geographic restrictions.
What to Look For
Look for VPNs with servers in the countries you need to access. If you want to watch Netflix content available in the UK, you need a VPN with UK servers. If you need to access streaming services from multiple countries, broader server coverage is better.
Server count matters less than server quality — 500 servers in 30 countries from a well-maintained network can outperform 3,000 servers in 60 countries from an overcrowded or poorly managed one. Look for providers that invest in server infrastructure rather than just accumulating server counts.
Red Flags
- VPNs with server counts that seem implausibly high (some free VPNs claim millions of servers)
- VPNs with very few server locations, limiting your options
- Reports of slow speeds, server overload, or frequent disconnections
- VPNs that use virtual server locations (where the IP address appears to be in one country but the server is physically in another)
7. Transparency and Reputation
In the VPN industry, trust is everything. Providers make privacy claims that are difficult to verify independently, so a company's reputation, history, and transparency become important signals.
What to Look For
Look for providers that have undergone independent security audits of their infrastructure and no-log policies. These audits (conducted by firms like Cure53, PwC, or Leviathan Security) provide third-party verification of privacy claims. NordVPN, ExpressVPN, Mullvad, and Surfshark have all published audit results.
Open-source VPN clients (where the code is publicly available for security review) are another positive indicator. Mullvad's client is open-source, as is the WireGuard protocol implementation. Additionally, look for providers that run bug bounty programs, as this indicates ongoing security scrutiny.
Red Flags
- VPNs with no information available about who owns or operates the company
- VPNs that have been involved in privacy scandals or data breaches
- VPNs with opaque ownership structures (some VPN review sites are actually owned by VPN companies)
- VPNs that make absolute claims like "complete anonymity" or "100% private"
- Lack of a public bug bounty program or security contact
Bonus: Speed and Streaming Access
While privacy and security are the primary concerns, practical factors like speed and streaming access matter too — a VPN that protects your privacy but is too slow to use is not very useful.
Speed
VPN speed depends on dozens of factors including your base internet speed, server distance, server load, and the protocol used. WireGuard VPNs are generally fastest, followed by IKEv2. OpenVPN tends to be slower but more widely compatible. Expect a 10-30% speed reduction on average with a premium VPN; anything more than 50% reduction suggests a problem.
Streaming Access
If accessing streaming services is important to you, note that Netflix, BBC iPlayer, Disney+, and other services actively block VPN connections. Premium providers like ExpressVPN and NordVPN invest significantly in maintaining access to these services, while smaller providers often cannot keep up with the blocking efforts.
FAQ: Choosing the Right VPN
Is a free VPN ever safe to use?
Generally, no. Free VPNs must monetize somehow, and many do so by logging your activity and selling data to advertisers, injecting tracking cookies into your browser, or using insecure infrastructure. The one exception is ProtonVPN, which offers a genuinely free tier with no data limits and a no-log policy — though it is limited in servers and features compared to paid tiers. For anything beyond basic usage, a reputable paid VPN is worth the investment.
How much should I expect to pay for a quality VPN?
Quality VPN subscriptions typically range from $3-12 per month depending on the provider and subscription length. Most VPNs offer significant discounts for longer commitments (2-year plans are usually the cheapest). Be wary of VPNs that charge extremely high prices without clear justification — and of VPNs that are suspiciously cheap given their infrastructure costs.
Should I use my VPN provider's browser extension or the dedicated app?
The dedicated app is always more secure because it encrypts all traffic at the system level. Browser extensions only protect browser traffic and may not include all the features (like kill switches or DNS leak protection) of the full application. Use the browser extension only as a secondary option when you cannot use the full app.
How many devices can I connect simultaneously?
Most premium VPNs allow 5-10 simultaneous connections, with some offering unlimited connections (Surfshark, IPVanish). If you need to protect many devices, this matters. Note that some VPNs count router connections as a single device — installing a VPN on your router protects all devices on your network.
Does it matter if my VPN is owned by a larger company?
It can. Several VPN providers have been acquired by larger tech or cybersecurity companies, which may have different privacy practices or data-sharing policies. ExpressVPN was acquired by Kape Technologies (which also owns CyberGhost and Private Internet Access), and there have been concerns about what data these companies share. Transparency about corporate ownership matters — look into who ultimately owns the VPN you are considering.
The Bottom Line
Choosing the right VPN comes down to seven key criteria: logging policy, jurisdiction, encryption standards, kill switch availability, DNS/leak protection, server network, and transparency. These factors cut through the marketing language to identify what actually matters for privacy and security.
Our top recommendations based on these criteria include NordVPN, ExpressVPN, Mullvad, and Surfshark, all of which score well across all seven categories. For specific use cases, browse our comparison guides.