VPN marketing has gotten so bad that “military-grade encryption” and “lightning-fast speeds” have become meaningless background noise. So let’s skip that. After spending a few months actually using the major services for daily browsing, streaming, and the occasional DNS leak test, here’s what I think holds up and what doesn’t.
Short version: a VPN is probably worth it if you stream foreign content, work from coffee shops, or live somewhere your ISP resells browsing data. It is probably not worth it if you’re just hoping to become “anonymous” online — that’s a much bigger problem than a tunneled connection solves.
Quick Verdict
Best overall: NordVPN — consistently fast on WireGuard (they call it NordLynx), RAM-only server fleet, and its no-logs policy has been audited multiple times by Deloitte and PwC. Not perfect, but the least bad of the big three. For full test results, see our NordVPN review 2026.
Runner-up: ExpressVPN — expensive, but the Lightway protocol and TrustedServer architecture are genuinely well-engineered. Worth it only if you specifically need reliability in hostile networks.
Budget pick: Surfshark — cheap, unlimited devices, and the same Dutch parent company as Nord these days (worth knowing). Adequate, not exceptional.
How I Actually Tested These
I’m not going to invent a hardware lab. I used each service for roughly a week of real daily traffic from a fiber connection in Europe, a hotel Wi-Fi in the US, and a flaky LTE hotspot. Speed tests ran through speedtest.net and Cloudflare, streaming checks hit Netflix (US, UK, JP), BBC iPlayer, and Disney+, and I ran DNS and IPv6 leak checks through ipleak.net and dnsleaktest.com after each connection. I also read the privacy policies — all of them — which was more revealing than any benchmark.
Numbers below are rough impressions, not laboratory claims. Anyone quoting “89.2 Mbps retention” to you is almost certainly making it up.
The Contenders at a Glance
| VPN | Best for | Entry price | Server count (per provider) | Notes |
|---|---|---|---|---|
| NordVPN | All-round use | ~$3/month (2yr) | ~6,300 | RAM-only, WireGuard-based NordLynx |
| ExpressVPN | Reliability in restrictive networks | ~$6.67/month (1yr) | ~3,000 | Lightway protocol, TrustedServer |
| Surfshark | Households with many devices | ~$2.19/month (2yr) | ~3,200 | Unlimited connections |
| CyberGhost | Set-it-and-forget-it streaming | ~$2.03/month (3yr) | ~9,700 (claimed) | 45-day refund window |
| Proton VPN | Privacy-first users | Free, or ~$5/month | ~4,900 | Swiss jurisdiction, open-source clients |
A note on server counts: these are whatever the provider publishes. Nobody audits them, and “server” can mean a physical machine or a virtual instance. Larger numbers are not automatically better.
NordVPN — The Default Recommendation, With Caveats
NordVPN is what I’d hand to a non-technical friend who asks what to install. Its NordLynx implementation (WireGuard with a double-NAT layer to avoid WireGuard’s static IP problem) is fast enough that you stop noticing it’s on — which is the real speed test that matters. On my fiber line, the hit was small enough to be in the noise; on hotel Wi-Fi, the VPN was frequently faster than the raw connection because the hotel was deep-inspecting traffic.
Pricing (current at time of writing): around $12.99 monthly, ~$4.99 on the annual plan, ~$3.09 on the two-year plan. 30-day refund window.
What it gets right:
- NordLynx is genuinely quick, and their server fleet runs diskless (RAM-only), which matters because a seized or subpoenaed server literally cannot hand over historical logs — there’s nothing on the disk to hand over.
- Multiple no-logs audits by big-four firms. Worth noting: these audits cover a snapshot in time, not continuous behavior, and they inspect what Nord tells them to inspect. Better than nothing, not the same as proof.
- Threat Protection (their DNS-based blocklist) is competent and works even when the tunnel is down.
- Meshnet is actually useful for personal remote access without standing up a Tailscale tunnel.
What it gets wrong:
- Nord had a 2018 server breach at a third-party data center that they didn’t disclose for months. That’s a real credibility hit, and anyone pretending it never happened is lying by omission. They did overhaul infrastructure afterward, which is how we got the RAM-only fleet.
- The Linux app is still a second-class citizen — CLI only, no GUI, and the kill switch has historically been less reliable than on Windows.
- Obfuscated servers (for restrictive networks) are only available on the OpenVPN protocol, not NordLynx, so you lose the speed advantage exactly when you need it.
ExpressVPN — The Expensive One That Earns It in Specific Cases
ExpressVPN costs roughly double the competition and I think that’s defensible only for a specific user: someone who needs a VPN that reliably connects from hostile networks (China, Iran, corporate deep-packet-inspection firewalls) and who values support that answers you in English within a minute at 3am.
Pricing is around $12.95/month, $9.99 on the six-month plan, and ~$6.67 on the annual plan. No two-year discount, which is itself a data point — they’re not competing on price.
What it gets right:
- TrustedServer is the RAM-only pattern done well — every reboot wipes state, there’s no persistent filesystem, and the entire stack reloads from a read-only image. This was audited by PwC and KPMG.
- Lightway (their WireGuard alternative, built on wolfSSL) genuinely handles network changes gracefully. If you move between Wi-Fi and LTE, it reconnects before you notice.
- Obfuscation is built into every server, not a separate menu option, so the “this network blocks VPNs” experience is unusually good.
- Jurisdiction is the British Virgin Islands, which actually has no mandatory data retention laws and no MLAT with the US — a meaningful distinction from “based in Panama” marketing copy from other providers.
What it gets wrong:
- Price. At roughly $80/year it is the most expensive mainstream option, and for someone who just wants Netflix in another country that’s hard to justify.
- Kape Technologies, the parent company, also owns CyberGhost, Private Internet Access, and Zenmate — and Kape has a messy past involving an adware company called Crossrider. The current operation seems fine; the corporate history is worth knowing before you hand them ten years of subscription data.
- Only eight simultaneous devices, which is stingy given the price. Surfshark offers unlimited for a quarter of the cost.
Surfshark — Cheap, Cheerful, and Owned by Nord
Surfshark is fine. That’s meant as praise at this price. It’s the one I recommend when someone has a family of five, three smart TVs, a Switch, and no interest in learning about split tunneling. Unlimited simultaneous connections is a genuinely differentiated feature — most providers cap you at eight or ten, which adds up fast in a typical household.
Pricing is roughly $15.45 monthly, $2.99 on the annual plan, and ~$2.19 on the two-year plan.
What it gets right:
- Unlimited devices, WireGuard support, and split tunneling (“Bypasser”) on Windows and Android. macOS is still partial — a persistent annoyance.
- CleanWeb handles ad and tracker blocking at DNS level, which is sometimes more effective than a browser extension and sometimes not.
- Independent audit of their infrastructure by Deloitte in 2023, though not of their no-logs claims specifically.
What it gets wrong:
- Surfshark merged with Nord Security in 2022. They operate as separate brands but have a shared parent. If your threat model cares about avoiding provider concentration, buying “both” is really buying one. This is almost never mentioned in affiliate reviews.
- Speeds were clearly behind NordLynx and Lightway in my week with it. Fine for streaming; noticeable on large file transfers.
- The macOS app has dropped the connection on me more than once during sleep/wake cycles, and the kill switch didn’t always catch it. That’s the kind of failure that matters — a silent fallback to unencrypted traffic is worse than no VPN at all because you think you’re covered.
CyberGhost — The Weakest of the Group
I’m going to be direct: CyberGhost is the one I’d skip. The server count marketing is impressive, the 45-day refund window is genuinely the longest in the industry, and the streaming-optimized server labels are helpful for non-technical users. But the actual experience is a step below the others.
Speeds were inconsistent across servers — one Frankfurt endpoint would be fast, the next would be a third of that, with no obvious reason. The app on macOS felt dated. Most importantly, CyberGhost is also owned by Kape, and its privacy policy has historically been less tightly worded than ExpressVPN’s despite sharing the same corporate parent.
Pricing is attractive on the 3-year plan (~$2.03/month), but locking in three years with a provider whose software is already weaker than competitors is a bad trade. The refund window is long, but most people won’t actually invoke it.
Skip unless you specifically want the NoSpy servers in Romania (which are a legitimate feature — dedicated hardware on their premises, outside 14 Eyes jurisdiction) and nothing else on the list suits you.
Proton VPN — The Idealist’s Pick
Proton VPN is the only provider on this list I’d trust for something that genuinely mattered — a journalist protecting a source, an activist in a repressive country. The clients are open source, the Secure Core architecture routes your traffic through hardened entry nodes in Switzerland, Iceland, or Sweden before exiting (a real multi-hop, not marketing theater), and the company has a documented history of pushing back on legal requests rather than quietly complying.
Pricing: there’s a genuinely usable free tier with no ads, no data caps, and no dark patterns — rare to the point of being unique. Paid plans start around $4.99/month on a two-year commitment.
What it gets right:
- Swiss jurisdiction matters because Switzerland has no mandatory telecoms data retention for VPN services (as distinct from ISPs) and a judicial process that at least requires a court order. It’s not magic, but it’s more than most.
- Open-source clients on every platform. This means bugs and backdoors are at least theoretically visible.
- The free tier is the only one I’d trust. Most “free VPNs” make money by selling your browsing data; Proton’s business model is paid subscribers for the other Proton products (Mail, Drive, Pass), so the free tier is essentially marketing.
What it gets wrong:
- Streaming is a real weakness. Netflix unblocking works sometimes, fails other times, and the company is visibly not prioritizing the cat-and-mouse game. If “VPN for Netflix” is your main use case, look elsewhere.
- Speeds on non-Plus servers are throttled, which is fair but worth knowing.
- The free tier only includes three countries. That’s enough for privacy but not for geo-shifting.
What Each Use Case Actually Needs
Streaming
Pick NordVPN. Streaming unblocking is a perpetual cat-and-mouse game, the results change month to month, and the big services are clearly winning against smaller VPNs. Nord has enough scale to keep rotating IP ranges ahead of the blocklists. CyberGhost is also competent here if you want the dedicated-streaming-server handholding.
Privacy from your ISP
Any of the audited providers does this job. The bar is low: you’re preventing your ISP from selling your DNS queries to advertisers, not evading a nation-state. Proton VPN or NordVPN are both solid.
Public Wi-Fi
Here’s a controversial take: in 2026, most traffic is already HTTPS, and public Wi-Fi attacks are a much smaller problem than they were a decade ago. A VPN is still worth it for non-HTTPS metadata (DNS lookups, SNI), but “my VPN saved me from hackers at Starbucks” is mostly a marketing fantasy. Any of the options above handles this.
Gaming
If latency matters, you probably don’t want a VPN on. When you do, ExpressVPN with Lightway had the most consistent ping for me — but any VPN will add tens of milliseconds, and WireGuard-based protocols are generally better than OpenVPN here.
Torrenting
NordVPN with its kill switch enabled. Make sure split tunneling is off for your torrent client unless you’ve explicitly verified the routing. The single biggest failure mode in this use case is the tunnel dropping and your client continuing over the raw connection — a kill switch that actually works is non-negotiable, and this is where I’d rule Surfshark out.
Households and many devices
Surfshark, by default, for the unlimited-connections feature. Or any provider installed on your router — which is the actually-correct answer if you’re technical enough to flash OpenWRT.
The Real Case For a VPN
Let me be honest about what a VPN does and does not do.
It does: hide your DNS queries and destination IPs from your ISP, let you appear to browse from another country, protect you from passive surveillance on untrusted networks, and make casual tracking harder.
It does not: make you anonymous, protect you from browser fingerprinting, stop tracking when you’re logged into Google, defeat targeted surveillance by a state actor, or undo the fact that you just logged into your real bank account through the tunnel.
The “no-logs” question is more nuanced than marketing admits. There are connection logs (when you connected, from what IP), metadata logs (bandwidth totals, session duration), and activity logs (what sites you visited). A provider can truthfully say “we don’t keep activity logs” while still retaining enough metadata to de-anonymize someone under legal pressure. The only way to know is to read the privacy policy, and the only way to really know is when a provider is legally compelled to produce records and publicly can’t — which has happened to ExpressVPN and Proton, and is the strongest signal any of them have.
Warrant canaries, incidentally, are mostly theater. Their legal enforceability is untested, and a provider under a gag order can simply stop updating one without explanation. Treat them as a soft signal, not proof.
The Real Case Against a VPN
You will lose some speed. WireGuard-based protocols (NordLynx, Lightway, plain WireGuard) are close enough to native that you won’t notice on a fast connection. OpenVPN is slower. IKEv2 is fine on mobile but shows its age on throughput.
You’ll occasionally break things. Banks flag VPN traffic, some government portals refuse it, and CAPTCHAs get more aggressive when you look like traffic from a datacenter. Split tunneling (routing specific apps around the VPN) helps but isn’t available on every platform — notably, iOS makes this harder than it should be.
“Jurisdiction” isn’t where the servers are. A BVI-headquartered company can still run servers in Germany that are subject to German law. What matters is where the company is, because that’s who receives subpoenas. Claims about jurisdiction are only meaningful if you understand the distinction.
Free VPNs are, as a category, unsafe. The majority make money by logging and reselling what you do. Proton VPN is the one exception I trust, and even then, the free tier exists because paid subscribers fund it. Our free vs paid VPN analysis documents exactly how each model monetizes you.
Pricing, Honestly
| Provider | Roughly what you’ll pay per year (best plan) |
|---|---|
| CyberGhost | ~$24 (3-year) |
| Surfshark | ~$26 (2-year) |
| NordVPN | ~$37 (2-year) |
| Proton VPN Plus | ~$60 (2-year) |
| ExpressVPN | ~$80 (1-year) |
These are introductory prices. Renewal rates are higher — often meaningfully so — and this is the single sleaziest industry practice. Set a calendar reminder for one month before your renewal and either negotiate or rotate.
Hardware Worth Considering
If you want VPN protection on devices that can’t run a VPN client (smart TVs, game consoles, IoT gear), installing the VPN on a capable router is the clean solution. The ASUS AX6000 handles OpenVPN and WireGuard client mode natively, which saves you from flashing third-party firmware.
Separately, if you’re thinking carefully about privacy, a hardware security key does more for your actual threat model than any VPN. A YubiKey 5 NFC on your email account is the single biggest upgrade most people can make.
Final Answer
Is a VPN worth it in 2026? For most people, yes — but for narrower reasons than marketing suggests. Streaming access, ISP-level privacy, and confidence on untrusted networks are the real wins. “Becoming anonymous” is not.
My pick remains NordVPN for default use, with Proton VPN if you actually care about privacy as a threat model and ExpressVPN if you specifically need reliable connections from hostile networks. Surfshark for big households where per-device licensing gets painful. CyberGhost I’d skip.
Whichever you pick, actually run a DNS leak test after you connect. You’d be surprised how many installs ship with IPv6 leaking straight past the tunnel.
Related Reading
For platform-specific picks, see our streaming VPN comparison, privacy-focused VPN guide, and mobile VPN testing. The VPN myths article covers what marketing gets wrong.
FAQ
Do VPNs actually make you anonymous?
No. They give you privacy against your ISP and a different apparent IP — that’s it. Browser fingerprinting, cookies, and the fact that you’re logged into services with your real identity all defeat “anonymity” independently of the tunnel. For serious anonymity you need Tor, disciplined browsing habits, and a threat model that justifies the hassle.
Will a VPN noticeably slow me down?
On a modern WireGuard-based protocol (NordLynx, Lightway, plain WireGuard), the hit is small enough that most people don’t notice for normal browsing and streaming. OpenVPN is visibly slower. The one thing that will always hurt is connecting to a geographically distant server — physics wins.
Can I share one subscription across devices?
Yes. Nord allows 10, Express 8, Surfshark unlimited. Or install it on a capable router and cover the whole network at once — the cleanest solution for households with consoles and smart TVs.
Do VPNs work with Netflix?
Some of the time, with some providers, on some servers. Netflix aggressively blocks known VPN IP ranges, providers rotate ranges in response, and results change month to month. Nord and Express are currently the most consistent. Proton is the least. This will be different by the time you read it.
Are free VPNs safe?
As a category, no. They monetize by logging and selling. Proton VPN’s free tier is the one exception I trust, because Proton’s business model funds it through paid subscriptions to other products. Anything else advertising “100% free unlimited VPN” should be treated as spyware until proven otherwise.
What should a good VPN cost?
Roughly $25–$40 a year on a multi-year plan for a competent provider. Much less than that and you’re either looking at a short-term promo or something whose business model you should investigate. Much more than that and you’re paying for brand or specific capabilities (China reliability, premium support) that most users don’t need.
Can my employer see VPN usage on a company device?
Yes. Corporate IT can detect VPN traffic via network monitoring even when they can’t read its contents, and many corporate firewalls block VPN protocols outright. Check your acceptable use policy before installing anything on a work machine — “the tunnel is encrypted” is not the same as “my employer can’t tell I did this.”
Recommended Tools & Resources
If you’re exploring this topic further, these are the tools and products we regularly come back to:
Some of these links may earn us a commission if you sign up or make a purchase. This doesn’t affect our reviews or recommendations — see our disclosure for details.