Your Dom Vpn Client
Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows 10
In this step, you'll learn about the ProfileXML options and schema, and configure the Windows 10 client computers to communicate with that infrastructure with a VPN connection.
You can configure the Always On VPN client through PowerShell, SCCM, or Intune. All three require an XML VPN profile to configure the appropriate VPN settings. Automating PowerShell enrollment for organizations without SCCM or Intune is possible.
Note
Group Policy does not include administrative templates to configure the Windows 10 Remote Access Always On VPN client. However, you can use logon scripts.
ProfileXML overview
ProfileXML is a URI node within the VPNv2 CSP. Rather than configuring each VPNv2 CSP node individually—such as triggers, route lists, and authentication protocols—use this node to configure a Windows 10 VPN client by delivering all the settings as a single XML block to a single CSP node. The ProfileXML schema matches the schema of the VPNv2 CSP nodes almost identically, but some terms are slightly different.
You use ProfileXML in all the delivery methods this deployment describes, including Windows PowerShell, System Center Configuration Manager, and Intune. There are two ways to configure the ProfileXML VPNv2 CSP node in this deployment:
OMA-DM. One way is to use an MDM provider using OMA-DM, as discussed earlier in the section VPNv2 CSP nodes. Using this method, you can easily insert the VPN profile configuration XML markup into the ProfileXML CSP node when using Intune.
Windows Management Instrumentation (WMI)-to-CSP bridge. The second method of configuring the ProfileXML CSP node is to use the WMI-to-CSP bridge—a WMI class called MDM_VPNv2_01—that can access the VPNv2 CSP and the ProfileXML node. When you create a new instance of that WMI class, WMI uses the CSP to create the VPN profile when using Windows PowerShell and System Center Configuration Manager.
Even though these configuration methods differ, both require a properly formatted XML VPN profile. To use the ProfileXML VPNv2 CSP setting, you construct XML by using the ProfileXML schema to configure the tags necessary for the simple deployment scenario. For more information, see ProfileXML XSD.
Below you find each of the required settings and its corresponding ProfileXML tag. You configure each setting in a specific tag within the ProfileXML schema, and not all of them are found under the native profile. For additional tag placement, see the ProfileXML schema.
Important
Any other combination of upper or lower case for 'true' in the following tags results in a partial configuration of the VPN profile:
<AlwaysOn>true</AlwaysOn>
<RememberCredentials>true</RememberCredentials>
Connection type: Native IKEv2
ProfileXML element:
Routing: Split tunneling
ProfileXML element:
Name resolution: Domain Name Information List and DNS suffix
ProfileXML elements:
Triggering: Always On and Trusted Network Detection
ProfileXML elements:
Authentication: PEAP-TLS with TPM-protected user certificates
ProfileXML elements:
You can use simple tags to configure some VPN authentication mechanisms. However, EAP and PEAP are more involved. The easiest way to create the XML markup is to configure a VPN client with its EAP settings, and then export that configuration to XML.
For more information about EAP settings, see EAP configuration.
Manually create a template connection profile
In this step, you use Protected Extensible Authentication Protocol (PEAP) to secure communication between the client and the server. Unlike a simple user name and password, this connection requires a unique EAPConfiguration section in the VPN profile to work.
Instead of describing how to create the XML markup from scratch, you use Settings in Windows to create a template VPN profile. After creating the template VPN profile, you use Windows PowerShell to consume the EAPConfiguration portion from that template to create the final ProfileXML that you deploy later in the deployment.
Record NPS certificate settings
Before creating the template, take note of the hostname or fully qualified domain name (FQDN) of the NPS server from the server’s certificate and the name of the CA that issued the certificate.
Procedure:
On your NPS server, open Network Policy Server.
In the NPS console, under Policies, click Network Policies.
Right-click Virtual Private Network (VPN) Connections, and click Properties.
Click the Constraints tab, and click Authentication Methods.
In EAP Types, click Microsoft: Protected EAP (PEAP), and click Edit.
Record the values for Certificate issued to and Issuer.
You use these values in the upcoming VPN template configuration. For example, if the server’s FQDN is nps01.corp.contoso.com and the hostname is NPS01, the certificate name is based upon the FQDN or DNS name of the server—for example, nps01.corp.contoso.com.
Cancel the Edit Protected EAP Properties dialog box.
Cancel the Virtual Private Network (VPN) Connections Properties dialog box.
Close Network Policy Server.
Note
If you have multiple NPS servers, complete these steps on each one so that the VPN profile can verify each of them should they be used.
Configure the template VPN profile on a domain-joined client computer
Now that you have the necessary information, configure the template VPN profile on a domain-joined client computer. The type of user account you use (that is, standard user or administrator) for this part of the process does not matter.
However, if you haven’t restarted the computer since configuring certificate autoenrollment, do so before configuring the template VPN connection to ensure you have a usable certificate enrolled on it.
Note
There is no way to manually add any advanced properties of VPN, such as NRPT rules, Always On, Trusted network detection, etc. In the next step, you create a test VPN connection to verify the configuration of the VPN server and that you can establish a VPN connection to the server.
Manually create a single test VPN connection
Sign in to a domain-joined client computer as a member of the VPN Users group.
On the Start menu, type VPN, and press Enter.
In the details pane, click Add a VPN connection.
In the VPN Provider list, click Windows (built-in).
In Connection Name, type Template.
In Server name or address, type the external FQDN of your VPN server (for example, vpn.contoso.com).
Click Save.
Under Related Settings, click Change adapter options.
Right-click Template, and click Properties.
On the Security tab, in Type of VPN, click IKEv2.
In Data encryption, click Maximum strength encryption.
Click Use Extensible Authentication Protocol (EAP); then, in Use Extensible Authentication Protocol (EAP), click Microsoft: Protected EAP (PEAP) (encryption enabled).
Click Properties to open the Protected EAP Properties dialog box, and complete the following steps:
a. In the Connect to these servers box, type the name of the NPS server that you retrieved from the NPS server authentication settings earlier in this section (for example, NPS01).
Note
The server name you type must match the name in the certificate. You recovered this name earlier in this section. If the name does not match, the connection will fail, stating that “The connection was prevented because of a policy configured on your RAS/VPN server.”
b. Under Trusted Root Certification Authorities, select the root CA that issued the NPS server’s certificate (for example, contoso-CA).
c. In Notifications before connecting, click Don’t ask user to authorize new servers or trusted CAs.
d. In Select Authentication Method, click Smart Card or other certificate, and click Configure. The Smart Card or other Certificate Properties dialog opens.
e. Click Use a certificate on this computer.
f. In the Connect to these servers box, enter the name of the NPS server you retrieved from the NPS server authentication settings in the previous steps.
g. Under Trusted Root Certification Authorities, select the root CA that issued the NPS server’s certificate.
h. Select the Don’t prompt user to authorize new servers or trusted certification authorities check box.
i. Click OK to close the Smart Card or other Certificate Properties dialog box.
j. Click OK to close the Protected EAP Properties dialog box.
Click OK to close the Template Properties dialog box.
Close the Network Connections window.
In Settings, test the VPN by clicking Template, and clicking Connect.
Important
Make sure that the template VPN connection to your VPN server is successful. Doing so ensures that the EAP settings are correct before you use them in the next example. You must connect at least once before continuing; otherwise, the profile will not contain all the information necessary to connect to the VPN.
Create the ProfileXML configuration files
Before completing this section, make sure you have created and tested the template VPN connection that the section Manually create a template connection profile describes. Testing the VPN connection is necessary to ensure that the profile contains all the information required to connect to the VPN.
The Windows PowerShell script in Listing 1 creates two files on the desktop, both of which contain EAPConfiguration tags based on the template connection profile you created previously:
VPN_Profile.xml. This file contains the XML markup required to configure the ProfileXML node in the VPNv2 CSP. Use this file with OMA-DM–compatible MDM services, such as Intune.
VPN_Profile.ps1. This file is a Windows PowerShell script that you can run on client computers to configure the ProfileXML node in the VPNv2 CSP. You can also configure the CSP by deploying this script through System Center Configuration Manager. You cannot run this script in a Remote Desktop session, including a Hyper-V enhanced session.
Important
The example commands below require Windows 10 Build 1607 or later.
Create VPN_Profile.xml and VPN_Profile.ps1
Sign in to the domain-joined client computer containing the template VPN profile with the same user account that the section Manually create a template connection profile described.
Paste Listing 1 into Windows PowerShell integrated scripting environment (ISE), and customize the parameters described in the comments. These are $Template, $ProfileName, $Servers, $DnsSuffix, $DomainName, $TrustedNetwork, and $DNSServers. A full description of each setting is in the comments.
Run the script to generate VPN_Profile.xml and VPN_Profile.ps1 on the desktop.
Listing 1. Understanding MakeProfile.ps1
This section explains the example code that you can use to gain an understanding of how to create a VPN Profile, specifically for configuring ProfileXML in the VPNv2 CSP.
After you assemble a script from this example code and run the script, the script generates two files: VPN_Profile.xml and VPN_Profile.ps1. Use VPN_Profile.xml to configure ProfileXML in OMA-DM compliant MDM services, such as Microsoft Intune.
Use the VPN_Profile.ps1 script in Windows PowerShell or System Center Configuration Manager to configure ProfileXML on the Windows 10 desktop.
Note
To view the full example script, see the section MakeProfile.ps1 Full Script.
Parameters
Configure the following parameters:
$Template. The name of the template from which to retrieve the EAP configuration.
$ProfileName. Unique alphanumeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
$Servers. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com.
$DnsSuffix. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection-specific DNS suffix for the VPN interface. The entire list will also be added into the SuffixSearchList.
$DomainName. Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types:
- FQDN - Fully qualified domain name
- Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a period (.) to the DNS suffix.
$DNSServers. List of comma-separated DNS Server IP addresses to use for the namespace.
$TrustedNetwork. Comma-separated string to identify the trusted network. VPN does not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
The following are example values for parameters used in the commands below. Ensure that you change these values for your environment.
Prepare and create the profile XML
The following example commands get EAP settings from the template profile:
Create the profile XML
Important
Any other combination of upper or lower case for 'true' in the following tags results in a partial configuration of the VPN profile:
<AlwaysOn>true</AlwaysOn>
<RememberCredentials>true</RememberCredentials>
Output VPN_Profile.xml for Intune
You can use the following example command to save the profile XML file:
Output VPN_Profile.ps1 for the desktop and System Center Configuration Manager
The following example code configures an AlwaysOn IKEv2 VPN Connection by using the ProfileXML node in the VPNv2 CSP.
You can use this script on the Windows 10 desktop or in System Center Configuration Manager.
Define key VPN profile parameters
Escape special characters in the profile
Define WMI-to-CSP Bridge properties
Determine user SID for VPN profile:
Define WMI session:
Detect and delete previous VPN profile:
Create the VPN profile:
Save the profile XML file
MakeProfile.ps1 Full Script
Most examples use the Set-WmiInstance Windows PowerShell cmdlet to insert ProfileXML into a new instance of the MDM_VPNv2_01 WMI class.
However, this does not work in System Center Configuration Manager because you cannot run the package in the end users’ context. Therefore, this script uses the Common Information Model to create a WMI session in the user’s context, and then it creates a new instance of the MDM_VPNv2_01 WMI class in that session. This WMI class uses the WMI-to-CSP bridge to configure the VPNv2 CSP. Therefore, by adding the class instance, you configure the CSP.
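The user-context CIM approach described above, written out as an added example (it is not the page's Listing 1 or the generated VPN_Profile.ps1). The function name Set-VpnProfileViaCsp is hypothetical; the code assumes an elevated PowerShell session on the console of the signed-in user and escapes only the three characters shown.

```powershell
# Added example: push a ProfileXML string into the VPNv2 CSP through the
# WMI-to-CSP bridge, using a CIM session that acts in the signed-in user's context.
function Set-VpnProfileViaCsp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ProfileName,
        [Parameter(Mandatory)] [string] $ProfileXml
    )

    $nodeCspUri    = './Vendor/MSFT/VPNv2'
    $namespaceName = 'root\cimv2\mdm\dmmap'
    $className     = 'MDM_VPNv2_01'
    $cimString     = [Microsoft.Management.Infrastructure.CimType]::String
    $keyFlag       = [Microsoft.Management.Infrastructure.CimFlags]::Key
    $propFlag      = [Microsoft.Management.Infrastructure.CimFlags]::Property

    # Profile name rules from the parameter list: no '/', everything else URL-encoded.
    if ($ProfileName.Contains('/')) { throw "Profile name must not contain '/'." }
    $instanceId = [uri]::EscapeDataString($ProfileName)

    # The XML travels as a string property, so its markup characters are escaped.
    $escapedXml = $ProfileXml -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

    # Resolve the SID of the console user. UserName is empty in a Remote Desktop
    # or Hyper-V enhanced session, which is why the script cannot run there.
    $userName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if (-not $userName) {
        throw 'No console user found (Remote Desktop or Hyper-V enhanced session?).'
    }
    $account = New-Object System.Security.Principal.NTAccount($userName)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Tell the bridge to apply the policy in that user's context.
    $session = New-CimSession
    $options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
    $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
    $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $sid, $false)

    try {
        # Remove a previous profile with the same name so the create does not collide.
        $existing = @($session.EnumerateInstances($namespaceName, $className, $options))
        foreach ($instance in $existing) {
            if ($instance.InstanceID -eq $instanceId) {
                $session.DeleteInstance($namespaceName, $instance, $options)
            }
        }

        # Creating the class instance is what configures the CSP.
        $new = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
        $new.CimInstanceProperties.Add(
            [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID', $nodeCspUri, $cimString, $keyFlag))
        $new.CimInstanceProperties.Add(
            [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $instanceId, $cimString, $keyFlag))
        $new.CimInstanceProperties.Add(
            [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $escapedXml, $cimString, $propFlag))
        $null = $session.CreateInstance($namespaceName, $new, $options)
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

# Usage (profile name is a constructed sample value):
# Set-VpnProfileViaCsp -ProfileName 'Contoso AlwaysOn VPN' `
#     -ProfileXml (Get-Content -Raw "$env:USERPROFILE\Desktop\VPN_Profile.xml")
```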
Important
WMI-to-CSP bridge requires local admin rights, by design. To deploy per user VPN profiles you should be using SCCM or MDM.
Note
The script VPN_Profile.ps1 uses the current user’s SID to identify the user’s context. Because no SID is available in a Remote Desktop session, the script does not work in a Remote Desktop session. Likewise, it does not work in a Hyper-V enhanced session. If you’re testing a Remote Access Always On VPN in virtual machines, disable enhanced session on your client VMs before running this script.
The following example script includes all of the code examples from previous sections. Ensure that you change example values to values that are appropriate for your environment.
Configure the VPN client by using Windows PowerShell
To configure the VPNv2 CSP on a Windows 10 client computer, run the VPN_Profile.ps1 Windows PowerShell script that you created in the Create the profile XML section. Open Windows PowerShell as an Administrator; otherwise, you’ll receive an error saying, Access denied.
After running VPN_Profile.ps1 to configure the VPN profile, you can verify at any time that it was successful by running the following command in the Windows PowerShell ISE:
Successful results from the Get-WmiObject cmdlet
The ProfileXML configuration must be correct in structure, spelling, configuration, and sometimes letter case. If you see something different in structure to Listing 1, the ProfileXML markup likely contains an error.
If you need to troubleshoot the markup, it is easier to put it in an XML editor than to troubleshoot it in the Windows PowerShell ISE. In either case, start with the simplest version of the profile, and add components back one at a time until the issue occurs again.
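A pre-deployment check for the structure and letter-case problems described above, as an added example that is not part of the original page. Test-ProfileXml is a hypothetical helper name, the sample profile is constructed, and the element names other than AlwaysOn and RememberCredentials are taken from the ProfileXML schema rather than from this page.

```powershell
# Added example: lint a ProfileXML string against the settings this deployment
# requires before handing it to Intune, SCCM, or the WMI-to-CSP bridge.
function Test-ProfileXml {
    param(
        [Parameter(Mandatory)] [string] $ProfileXml,
        [Parameter(Mandatory)] [string] $ProfileName
    )
    $findings = @()

    # $ProfileName rule from the parameter list: no forward slash.
    if ($ProfileName.Contains('/')) { $findings += "ProfileName '$ProfileName' contains '/'" }

    try { $doc = [xml]$ProfileXml }
    catch { return @("Profile is not well-formed XML: $($_.Exception.Message)") }

    if ($doc.DocumentElement.LocalName -cne 'VPNProfile') {
        $findings += "Root element is <$($doc.DocumentElement.LocalName)>, expected <VPNProfile>"
    }

    # Exact values, compared case-sensitively: 'True' or 'TRUE' yields a partial profile.
    $required = [ordered]@{
        '/VPNProfile/NativeProfile/NativeProtocolType' = 'IKEv2'        # Connection type
        '/VPNProfile/NativeProfile/RoutingPolicyType'  = 'SplitTunnel'  # Routing
        '/VPNProfile/AlwaysOn'                         = 'true'         # Triggering
    }
    foreach ($xpath in $required.Keys) {
        $node = $doc.SelectSingleNode($xpath)
        if ($null -eq $node) {
            $findings += "Missing $xpath"
        }
        elseif ($node.InnerText -cne $required[$xpath]) {
            $findings += "$xpath is '$($node.InnerText)', expected '$($required[$xpath])'"
        }
    }

    # RememberCredentials is optional here, but if present it must be lowercase.
    $remember = $doc.SelectSingleNode('/VPNProfile/RememberCredentials')
    if ($null -ne $remember -and $remember.InnerText -cnotmatch '^(true|false)$') {
        $findings += "/VPNProfile/RememberCredentials is '$($remember.InnerText)', expected lowercase true or false"
    }

    # Elements that must be present and non-empty for name resolution and triggering.
    $mustExist = '/VPNProfile/DnsSuffix',
                 '/VPNProfile/TrustedNetworkDetection',
                 '/VPNProfile/DomainNameInformation/DomainName',
                 '/VPNProfile/DomainNameInformation/DnsServers',
                 '/VPNProfile/NativeProfile/Servers'
    foreach ($xpath in $mustExist) {
        $node = $doc.SelectSingleNode($xpath)
        if ($null -eq $node -or [string]::IsNullOrWhiteSpace($node.InnerText)) {
            $findings += "Missing or empty $xpath"
        }
    }

    # PEAP needs the EAP configuration exported from the template connection.
    if ($doc.SelectNodes("//*[local-name()='EapHostConfig']").Count -eq 0) {
        $findings += 'No <EapHostConfig> block found under <Authentication>'
    }

    $findings
}

# Constructed sample profile; <AlwaysOn> deliberately uses the wrong letter case.
$sampleProfile = @'
<VPNProfile>
  <DnsSuffix>corp.contoso.com</DnsSuffix>
  <NativeProfile>
    <Servers>vpn.contoso.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap><Configuration><EapHostConfig /></Configuration></Eap>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <AlwaysOn>True</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection>
  <DomainNameInformation>
    <DomainName>.corp.contoso.com</DomainName>
    <DnsServers>10.10.0.2,10.10.0.3</DnsServers>
  </DomainNameInformation>
</VPNProfile>
'@

Test-ProfileXml -ProfileXml $sampleProfile -ProfileName 'Contoso AlwaysOn VPN'
```

An empty result means none of these checks failed; it does not prove that the profile connects.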
Configure the VPN client by using System Center Configuration Manager
In System Center Configuration Manager, you can deploy VPN profiles by using the ProfileXML CSP node, just like you did in Windows PowerShell. Here, you use the VPN_Profile.ps1 Windows PowerShell script that you created in the section Create the ProfileXML configuration files.
To use System Center Configuration Manager to deploy a Remote Access Always On VPN profile to Windows 10 client computers, you must start by creating a group of machines or users to whom you deploy the profile. In this scenario, create a user group to deploy the configuration script.
Create a user group
In the Configuration Manager console, open Assets and Compliance\User Collections.
On the Home ribbon, in the Create group, click Create User Collection.
On the General page, complete the following steps:
a. In Name, type VPN Users.
b. Click Browse, click All Users and click OK.
c. Click Next.
On the Membership Rules page, complete the following steps:
a. In Membership rules, click Add Rule, and click Direct Rule. In this example, you’re adding individual users to the user collection. However, you might use a query rule to add users to this collection dynamically for a larger-scale deployment.
b. On the Welcome page, click Next.
c. On the Search for Resources page, in Value, type the name of the user you want to add. The resource name includes the user’s domain. To include results based on a partial match, insert the % character at either end of your search criterion. For example, to find all users containing the string “lori,” type %lori%. Click Next.
d. On the Select Resources page, select the users you want to add to the group, and click Next.
e. On the Summary page, click Next.
f. On the Completion page, click Close.
Back on the Membership Rules page of the Create User Collection Wizard, click Next.
On the Summary page, click Next.
On the Completion page, click Close.
After you create the user group to receive the VPN profile, you can create a package and program to deploy the Windows PowerShell configuration script that you created in the section Create the ProfileXML configuration files.
Create a package containing the ProfileXML configuration script
Host the script VPN_Profile.ps1 on a network share that the site server computer account can access.
In the Configuration Manager console, open Software Library\Application Management\Packages.
On the Home ribbon, in the Create group, click Create Package to start the Create Package and Program Wizard.
On the Package page, complete the following steps:
a. In Name, type Windows 10 Always On VPN Profile.
b. Select the This package contains source files check box, and click Browse.
c. In the Set Source Folder dialog box, click Browse, select the file share containing VPN_Profile.ps1, and click OK. Make sure you select a network path, not a local path. In other words, the path should be something like \\fileserver\vpnscript, not c:\vpnscript.
Click Next.
On the Program Type page, click Next.
On the Standard Program page, complete the following steps:
a. In Name, type VPN Profile Script.
b. In Command line, type PowerShell.exe -ExecutionPolicy Bypass -File "VPN_Profile.ps1".
c. In Run mode, click Run with administrative rights.
d. Click Next.
On the Requirements page, complete the following steps:
a. Select This program can run only on specified platforms.
b. Select the All Windows 10 (32-bit) and All Windows 10 (64-bit) check boxes.
c. In Estimated disk space, type 1.
d. In Maximum allowed run time (minutes), type 15.
e. Click Next.
On the Summary page, click Next.
On the Completion page, click Close.
With the package and program created, you need to deploy it to the VPN Users group.
Deploy the ProfileXML configuration script
In the Configuration Manager console, open Software Library\Application Management\Packages.
In Packages, click Windows 10 Always On VPN Profile.
On the Programs tab, at the bottom of the details pane, right-click VPN Profile Script, click Properties, and complete the following steps:
a. On the Advanced tab, in When this program is assigned to a computer, click Once for every user who logs on.
b. Click OK.
Right-click VPN Profile Script and click Deploy to start the Deploy Software Wizard.
On the General page, complete the following steps:
a. Beside Collection, click Browse.
b. In the Collection Types list (top left), click User Collections.
c. Click VPN Users, and click OK.
d. Click Next.
On the Content page, complete the following steps:
a. Click Add, and click Distribution Point.
b. In Available distribution points, select the distribution points to which you want to distribute the ProfileXML configuration script, and click OK.
c. Click Next.
On the Deployment settings page, click Next.
On the Scheduling page, complete the following steps:
a. Click New to open the Assignment Schedule dialog box.
b. Click Assign immediately after this event, and click OK.
c. Click Next.
On the User Experience page, complete the following steps:
Select the Software Installation check box.
Click Summary.
On the Summary page, click Next.
On the Completion page, click Close.
With the ProfileXML configuration script deployed, sign in to a Windows 10 client computer with the user account you selected when you built the user collection. Verify the configuration of the VPN client.
Note
The script VPN_Profile.ps1 does not work in a Remote Desktop session. Likewise, it does not work in a Hyper-V enhanced session. If you’re testing a Remote Access Always On VPN in virtual machines, disable enhanced session on your client VMs before continuing.
Verify the configuration of the VPN client
In Control Panel, under System\Security, click Configuration Manager.
In the Configuration Manager Properties dialog, on the Actions tab, complete the following steps:
a. Click Machine Policy Retrieval & Evaluation Cycle, click Run Now, and click OK.
b. Click User Policy Retrieval & Evaluation Cycle, click Run Now, and click OK.
c. Click OK.
Close the Control Panel.
You should see the new VPN profile shortly.
Configure the VPN client by using Intune
To use Intune to deploy Windows 10 Remote Access Always On VPN profiles, you can configure the ProfileXML CSP node by using the VPN profile you created in the section Create the ProfileXML configuration files, or you can use the base EAP XML sample provided below.
Note
Intune now uses Azure AD groups. If Azure AD Connect synced the VPN Users group from on-premises to Azure AD, and users are assigned to the VPN Users group, you are ready to proceed.
Create the VPN device configuration policy to configure the Windows 10 client computers for all users added to the group. Since the Intune template provides VPN parameters, only copy the <EapHostConfig> </EapHostConfig> portion of the VPN_ProfileXML file.
Create the Always On VPN configuration policy
Sign into the Azure portal.
Go to Intune > Device Configuration > Profiles.
Click Create Profile to start the Create profile Wizard.
Enter a Name for the VPN profile and (optionally) a description.
Under Platform, select Windows 10 or later, and choose VPN from the Profile type drop-down.
Tip
If you are creating a custom VPN profileXML, see Apply ProfileXML using Intune for the instructions.
Under the Base VPN tab, verify or set the following settings:
Connection name: Enter the name of the VPN connection as it appears on the client computer in the VPN tab under Settings, for example, Contoso AutoVPN.
Servers: Add one or more VPN servers by clicking Add.
Description and IP Address or FQDN: Enter the description and IP Address or FQDN of the VPN server. These values must align with the Subject Name in the VPN server's authentication certificate.
Default server: If this is the default VPN server, set to True. Doing this enables this server as the default server that devices use to establish the connection.
Connection type: Set to IKEv2.
Always On: Set to Enable to connect to the VPN automatically at the sign-in and stay connected until the user manually disconnects.
Remember credentials at each logon: Boolean value (true or false) for caching credentials. If set to true, credentials are cached whenever possible.
Copy the following XML string to a text editor:
Important
Any other combination of upper or lower case for 'true' in the following tags results in a partial configuration of the VPN profile:
<AlwaysOn>true</AlwaysOn>
<RememberCredentials>true</RememberCredentials>
Replace the <TrustedRootCA>5a 89 fe cb 5b 49 a7 0b 1a 52 63 b7 35 ee d7 1c c2 68 be 4b</TrustedRootCA> in the sample with the certificate thumbprint of your on-premises root certificate authority in both places.
Important
Do not use the sample thumbprint in the <TrustedRootCA></TrustedRootCA> section below. The TrustedRootCA must be the certificate thumbprint of the on-premises root certificate authority that issued the server-authentication certificate for RRAS and NPS servers. This must not be the cloud root certificate, nor the intermediate issuing CA certificate thumbprint.
Replace the <ServerNames>NPS.contoso.com</ServerNames> in the sample XML with the FQDN of the domain-joined NPS where authentication takes place.
Copy the revised XML string and paste into the EAP Xml box under the Base VPN tab and click OK.
An Always On VPN Device Configuration policy using EAP is created in Intune.
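A check for the two replacements above (root CA thumbprint and NPS server name) before the EAP XML is pasted into Intune, as an added example that is not part of the original page. Test-EapTrustAnchors is a hypothetical helper name, the XML fragment is a trimmed, constructed sample rather than a complete EapHostConfig, and the root store path is an assumption about where the on-premises root is installed.

```powershell
# Added example: verify that every <TrustedRootCA> in an EAP XML string pins the
# on-premises root CA and that <ServerNames> no longer holds the sample value.
function Test-EapTrustAnchors {
    param(
        [Parameter(Mandatory)] [string] $EapXml,
        [string] $RootStore = 'Cert:\LocalMachine\Root'   # assumed location of the root CA
    )
    # Sample values printed on this page; neither may survive into production.
    $sampleThumbprint = '5A89FECB5B49A70B1A5263B735EED71CC268BE4B'
    $sampleServerName = 'NPS.contoso.com'

    $doc      = [xml]$EapXml
    $findings = @()

    # local-name() matches the elements whatever namespace the export uses.
    $anchors = @($doc.SelectNodes("//*[local-name()='TrustedRootCA']"))
    if ($anchors.Count -eq 0) {
        $findings += 'No <TrustedRootCA> element: the server certificate is not pinned to a root'
    }

    $seen = @()
    foreach ($node in $anchors) {
        # Thumbprints appear as spaced hex pairs; normalise to 40 uppercase hex digits.
        $thumb = ($node.InnerText -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        $seen += $thumb
        if ($thumb.Length -ne 40) {
            $findings += "TrustedRootCA '$($node.InnerText)' is not a 20-byte SHA-1 thumbprint"
            continue
        }
        if ($thumb -eq $sampleThumbprint) {
            $findings += 'TrustedRootCA still contains the sample thumbprint'
            continue
        }
        if (Test-Path -Path $RootStore) {
            $cert = Get-ChildItem -Path $RootStore | Where-Object Thumbprint -eq $thumb
            if (-not $cert) {
                $findings += "$thumb is not in $RootStore (intermediate or cloud CA?)"
            }
            elseif ($cert.Subject -ne $cert.Issuer) {
                # A root certificate is self-signed; anything else is an issuing CA.
                $findings += "$thumb is not self-signed, so it is not a root CA"
            }
        }
    }

    # The page asks for the same root thumbprint "in both places".
    if (@($seen | Select-Object -Unique).Count -gt 1) {
        $findings += 'TrustedRootCA elements do not all carry the same thumbprint'
    }

    foreach ($node in @($doc.SelectNodes("//*[local-name()='ServerNames']"))) {
        $name = $node.InnerText.Trim()
        if (-not $name) { $findings += 'Empty <ServerNames>: any server name would be accepted' }
        elseif ($name -eq $sampleServerName) { $findings += '<ServerNames> still contains the sample FQDN' }
    }

    $findings
}

# Trimmed, constructed fragment: one anchor still holds the page's sample thumbprint,
# the other a made-up one, and one ServerNames value was never replaced.
$sampleEap = @'
<EapHostConfig>
  <ServerValidation>
    <ServerNames>NPS.contoso.com</ServerNames>
    <TrustedRootCA>5a 89 fe cb 5b 49 a7 0b 1a 52 63 b7 35 ee d7 1c c2 68 be 4b</TrustedRootCA>
  </ServerValidation>
  <ServerValidation>
    <ServerNames>nps01.corp.contoso.com</ServerNames>
    <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
  </ServerValidation>
</EapHostConfig>
'@

Test-EapTrustAnchors -EapXml $sampleEap
```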
Sync the Always On VPN configuration policy with Intune
To test the configuration policy, sign in to a Windows 10 client computer as the user you added to the Always On VPN Users group, and then sync with Intune.
On the Start menu, click Settings.
In Settings, click Accounts, and click Access work or school.
Click the MDM profile, and click Info.
Click Sync to force an Intune policy evaluation and retrieval.
Close Settings. After synchronization, you see the VPN profile available on the computer.
Next steps
You are done deploying Always On VPN. For other features you can configure, see the table below:
If you want to.. | Then see.. |
---|---|
Configure Conditional Access for VPN | Step 7. (Optional) Configure conditional access for VPN connectivity using Azure AD: In this step, you can fine-tune how authorized VPN users access your resources using Azure Active Directory (Azure AD) conditional access. With Azure AD conditional access for virtual private network (VPN) connectivity, you can help protect the VPN connections. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application. |
Learn more about the advanced VPN features | Advanced VPN Features: This page provides guidance on how to enable VPN Traffic Filters, how to configure Automatic VPN connections using App-Triggers, and how to configure NPS to only allow VPN Connections from clients using certificates issued by Azure AD. |
You may know what a VPN, or Virtual Private Network, is; you probably don’t use one. You really should be using a VPN, and even if you don’t think so now, at some point in the future you may consider it as important as your internet connection.
When we took a look at your five favorite VPN service providers, we noticed a few things. First, being the “best” is big business for VPN providers, and they’ll fight dirty to be one of them. Second, there are so many VPN providers that it’s difficult to choose a really good one. VPNs are not all created equally, and in this post, we’re going to look at what a VPN is, why you want one, and how to pick the best one for you. Let’s get started.
What Is a VPN?
Put simply, a Virtual Private Network, or VPN, is a group of computers (or discrete networks) networked together over a public network—namely, the internet. Businesses use VPNs to connect remote datacenters, and individuals can use VPNs to get access to network resources when they’re not physically on the same LAN (local area network), or as a method for securing and encrypting their communications when they’re using an untrusted public network.
When you connect to a VPN, you usually launch a VPN client on your computer (or click a link on a special website), log in with your credentials, and your computer exchanges trusted keys with a far away server. Once both computers have verified each other as authentic, all of your internet communication is encrypted and secured from eavesdropping.
The most important thing you need to know about a VPN: It secures your computer’s internet connection to guarantee that all of the data you’re sending and receiving is encrypted and secured from prying eyes.
Whether the VPNs you’re familiar with are the ones offered by your school or business to help you work or stay connected when you’re traveling or the ones you pay for so you can watch your favorite shows in another country as they air, they’re all doing the same thing. For much more detail on what VPNs are, how they work, and how they’re used, check out this How Stuff Works article.
Why You Need a VPN, or How You Can Benefit from Using One
A VPN alone is just a way to bolster your security and access resources on a network you’re not physically connected to. What you choose to do with a VPN is a different story. Usually, VPN users fall into a few separate categories:
- The student/worker. This person has responsibilities to attend to, and uses a VPN provided by their school or company to access resources on their network when they’re at home or traveling. In most cases, this person already has a free VPN service provided to them, so they’re not exactly shopping around. Also, if they’re worried about security, they can always fire up their VPN when using airport or cafe Wi-Fi to ensure no one’s snooping on their connection.
- The downloader. Whether they’re downloading legally or illegally, this person doesn’t want to end up on some company’s witch-hunt list just because they have a torrenting app installed on their computer. VPNs are the only way to stay safe when using something like BitTorrent—everything else is just a false sense of security. Better safe than trying to defend yourself in court or paying a massive fine for something you may or may not have even done, right?
- The privacy minded and security advocate. Whether they’re in a strictly monitored environment or a completely free and open one, this person uses VPN services to keep their communications secure and encrypted and away from prying eyes whether they’re at home or abroad. To them, unsecured connections mean someone’s reading what you say.
- The globetrotter. This person wants to watch the Olympics live as they happen, without dealing with their crummy local networks. They want to check out their favorite TV shows as they air instead of waiting for translations or re-broadcasts (or watch the versions aired in other countries,) listen to location-restricted streaming internet radio, or want to use a new web service or application that looks great but for some reason is limited to a specific country or region.
- Some combination of the above. Odds are, even if you’re not one of these people more often than not, you’re some mix of them depending on what you’re doing. In all of these cases, a VPN service can be helpful, whether it’s just a matter of protecting yourself when you’re out and about, whether you handle sensitive data for your job and don’t want to get fired, or you’re just covering your own ass from the MPAA.
Even if none of the above really sound right to you, you can still benefit from using a VPN. You should definitely use one when you travel or work on an untrusted network (read: a network you don’t own, manage, or trust who manages.) That means opening your laptop at the coffee shop and logging in to Facebook or using your phone’s Wi-Fi to check your email at the airport can all potentially put you at risk.
We’ve shown you how to build your own VPN for remote gaming and browsing that also protects your security, shown you how to make a VPN even more secure, and shown you dozens of services that operate free and paid VPNs you can sign up for and use. We’ve even put the question to you several times to tell us which VPN service providers you think are the best. So how do you pick a solid VPN service?
What Makes for a Good VPN?
The best VPNs offer a solid balance of features, server location, connectivity protocols, and price. Some are great for occasional use, others are geared towards getting around the location restrictions companies put on their apps and services, and others are targeted at people who do heavy downloading and want a little privacy while they do it. Here’s what you should look for.
- Protocol: When you’re researching a VPN, you’ll see terms like SSL/TLS (sometimes referred to as OpenVPN support,) PPTP, IPSec, L2TP, and other VPN types. We asked Samara Lynn, Lead Analyst for Networking and Small Business at PCMag, whether or not a user shopping for a VPN should shop for one over another. “SSL is what is commonly used these days. All of these protocols will provide a secure connection,” she explained, and pointed out that most solutions are invisible to the end-user anyway. Strictly, each protocol has its benefits and drawbacks, and if you’re concerned about this (specifically, PPTP vulnerabilities,) you’re probably already aware of them. Most users don’t need to be concerned about this—corporate users on the other hand, are probably all using IPSec or SSL clients anyway.
- Corporate and Exit Locations: Depending on what you’re using a VPN for, your service’s location—and the exit locations you can choose—are important to consider. If you want to get around a location restriction and watch live TV in the UK, for example, you want to make sure your VPN service provider has servers in the UK. If you’re concerned about privacy or state-sponsored snooping, you may want to pick a service operated outside of your home country. Similarly, if the service is based in the US, they’re subject to US laws, and may be forced to turn over usage data to the authorities upon request. Many people make more of this than they should (we’ve seen overseas services turn over their data to friendly governments without any hesitation repeatedly), but it’s important to make sure a VPN has servers in multiple locations—or at least the location you’re interested in—when shopping.
- Logging: When you connect to a VPN, you’re trusting the VPN service provider with your data. Your communications may be secure from eavesdropping, but other systems on the same VPN—especially the operator—can log your data if they choose. If this bothers you (e.g., you’re the privacy/security advocate or the downloader), make absolutely sure you know your provider’s logging policies before signing up. This applies to location as well—if your company doesn’t keep logs, it may not matter as much where it’s located. (There’s a popular rumor that US-based VPN providers are required to log, in case the government wants them. This isn’t true, but the government can always request whatever data they have if they do log.) For a good list of VPN providers that don’t log your activities when connected (and many that do), check out this TorrentFreak article.
- Anti-Malware/Anti-Spyware Features: Using a VPN doesn’t mean you’re invulnerable. You should still make sure you’re using HTTPS whenever possible, and you should still be careful about what you download. Some VPN service providers—especially mobile ones—bundle their clients with anti-malware scanners to make sure you’re not downloading viruses or trojans. When you’re shopping, see if the providers you’re interested in offer anti-malware protection while you’re connected. For example, previously mentioned Hotspot Shield offers malware protection to its premium users. It may not be a dealbreaker for you, but it’s always good to have someone watching your back.
- Mobile Apps: If you’re going to spend money on a VPN service provider (or even if you use a free one, frankly), you should be able to get a consistent experience across all of your devices. Most prominent providers offer desktop and mobile solutions for individual users, and while corporate and school networks may be a bit behind the curve here, they’re catching up too. Make sure you don’t have to use two different VPNs with two different policies and agreements just because you want to secure your phone along with your laptop.
- Price: Finally, go into your user agreement with both eyes open. You should read the privacy policy for the service you’re interested in, and be very aware of the differences between free and paid services. For example:
  - Free VPN Providers are more likely to log your activities and serve contextual ads while you’re connected. They’re also more likely to use your usage habits to tailor future ads to you, have fewer exit locations, and weak commitments to privacy. They may offer great features, but if logging and privacy are important to you, you may want to avoid them. However, if you just need quick, painless security while traveling on a budget, they’re a great option.
  - Subscription VPN Providers usually take your privacy a bit more seriously, since you’re paying for the service. It’s unusual for them to show ads, although whether they do logging or store data about your usage varies from company to company. They usually offer free trials so you can give the service a shot first, but remember: just because you’re paying for a service doesn’t mean you shouldn’t do your homework.
A mix of features and price make a good VPN, but plenty of bad VPNs masquerade as good ones. Look for articles written by trustworthy sources that discuss the merits of each service based on its features, versus simple rundowns and user testimonials, which are almost always polluted by a combination of fanatical users and corporate bootstrapping in an attempt to get their names out to potential customers.
Which VPNs Are The Best?
When we ran our recent Hive Five on VPN service providers, we heard from VPN providers begging to be included, angry CEOs who claimed their company was maliciously left out, and others accusing some of the contenders of illegal or unethical behavior. We took a look at the poll and the claims, and while there’s no definitive proof the poll was gamed, we decided to come up with our own top five, based on our own research rather than reader feedback, that are great whether you’re the privacy advocate, the student, or the downloader.
Private Internet Access
Supports: Windows, OS X, Linux, iOS, Android
Protocols: SSL, PPTP, IPSec, and L2TP. You can also configure Private Internet Access to work on your DD-WRT or Tomato router (via SSL/OpenVPN) for constant security.
Home Country: United States, and has exit servers in the US, Canada, the UK, Switzerland, Romania, and the Netherlands.
Logging Policies: The service keeps no logs of your activity whatsoever (in fact, the only things they do keep are your email address and payment information,) uses shared IPs, and has committed to keeping your data private.
Price: Pricing starts at $7/mo to $40/yr, and you can read more about their plans and pricing here.
proXPN
Supports: Windows, OS X, iOS
Protocols: SSL, PPTP.
Home Country: United States, with exit servers in the US, The Netherlands, Singapore, and the UK.
Logging Policies: proXPN keeps minimal logs of your activity. proXPN collects your email address, payment information (if you’re a premium user,) bandwidth usage, connection duration, and login/logout times. They’ve committed to only keeping those logs for 14 days or less, and promise to never share their logs with anyone, period.
Price: proXPN has a free plan, which limits your transfer speeds to 300kbps and restricts you to one exit location (Miami) in the United States. Premium accounts unlock support for PPTP (if you want to connect a mobile device or a router,) remove the transfer cap, and allow you to choose from any of the company’s other exit locations. Premium plans start at $10/mo, and you can read more about their pricing and plans here.
TorVPN
Supports: Windows, OS X, Linux, iOS, Android
Protocols: SSL (they often refer to it as OpenVPN), PPTP, and full SSH tunneling.
Home Country: Hungary, with exit servers in Hungary.
Logging Policies: The service doesn’t log your connection aside from bandwidth usage to compare against your quota, and your payment details. They also are committed to your privacy, and specifically say they won’t surrender their data without a Hungarian court order.
Price: Free TorVPN users are limited to 1GB/mo downloaded before they’re cut off, and Premium accounts start at 5 EUR/mo ($7/mo) for 5GB/mo and go up to 30 EUR/mo ($38/mo) for 100GB. Keep in mind they have a no-refunds policy, and that even though you ride the Tor network, they’re a separate entity from the Tor Project. You can read more about their pricing and plans here.
TorGuard
Supports: Windows, OS X, Linux, and iOS and Android via built-in VPN
Protocols: SSL (OpenVPN), PPTP, and L2TP (with 256 bit security)
Home Country: Panama, with exit servers in The Netherlands, Romania, Ukraine and Panama.
Logging Policies: TorGuard wholeheartedly supports privacy, so you can feel a bit more secure that your connection is secure and anonymous. They purge their logs daily, and only keep payment information and registration info. They don’t even keep login/logout times.
Price: Depending on whether you’re the privacy advocate, the downloader, or a combination of the two, TorGuard offers plans specifically for anonymity (starting at $6/mo), for torrenting (starting at $5/mo), or for overall VPN services ($10/mo). You can read more about TorGuard’s pricing and plans here.
WiTopia
Supports: Windows, OS X, Linux, iOS, Android, webOS, Chromebooks.
Protocols: SSL, PPTP, IPSec, and L2TP (with 256 bit security)
Home Country: United States, with exit servers in 10 US cities, and countries in Latin and South America, Asia, Australia, Europe, Africa, and the Middle East—way too many to list here.
Logging Policies: WiTopia does not log information that can be attributable to individual users, purges logs weekly, and only saves registration information and payment details when you sign up.
Price: $50/yr to $70/yr depending on the level of encryption and protocols you need. They also sell a VPN router you can take with you when you travel. You can read more about WiTopia’s pricing and plans here.
Alternatively, Roll Your Own VPN
We’ve shown you how to roll your own VPN using Hamachi, and even how to set up Privoxy to secure your web browsing once you have your personal VPN set up. Hamachi isn’t the only option: you can also download and configure OpenVPN (a free SSL VPN) on your own home server, or if you have a router that supports it, enable OpenVPN on your home router so you can connect back to it when you’re abroad. Combined with Privoxy, you get the privacy and anonymity benefits of a VPN without spending a dime.
Both of these options put control in your hands, and while they’re not quite as anonymous as subscription methods and don’t offer international exit locations, they do give you the most important benefits of a VPN: security, privacy, and anonymity while you’re away from home.
Samara Lynn is Lead Analyst, Networking and Small Business at PCMag.com. You can follow her on Twitter at @samaralynn. She graciously volunteered her expertise for this post, and we thank her.
Title image remixed using konmesa (Shutterstock) and Toria (Shutterstock).