HateEternal 1779217406 [Technology] 3 comments
There's a question that surfaces every single day across half a dozen different communities: *"which VPN should I use?"* The honest answer is that it depends on your threat model, but there's a surprisingly solid consensus in technical circles about what works, what fails, and what's pure advertising dressed up as a product. This article is not sponsored by any VPN. It's a distillation of what experienced users say in spaces where nobody has a financial incentive to lie.

## The trio the community actually defends

If you dig through [r/privacy](https://www.reddit.com/r/privacy), [Privacy Guides Community](https://discuss.privacyguides.net), and [Hacker News](https://news.ycombinator.com) threads, you'll notice three names appearing with almost irritating consistency: **Mullvad**, **ProtonVPN**, and **IVPN**. Not because they're perfect, but because they share something most others frequently don't: an audited, verifiable track record.

> *"Mullvad, IVPN, and Proton are the top tier for privacy-respecting VPNs. Windscribe and AirVPN are decent options but don't have the audit history to be in the same tier as the other three. Most other VPNs people mention either have a dubious history or no real proof of their privacy claims."*
>
> — anonymous user on [Lemmy.world](https://old.lemmy.world/comment/12231005), thread on Surfshark alternatives

What unites these three options isn't price or server count. It's their structural approach to privacy: published independent audits, partially or fully open-source code, and in Mullvad's case, a no-logs policy stress-tested in practice when Swedish police raided their offices in 2023 and found no user data to seize.

## Mullvad: the favourite of people who take privacy seriously

No email, no account, no registration. You pay €5/month and you can mail them cash in an envelope. Servers run exclusively on RAM and store nothing.
Audited by Cure53 in June 2024, focusing on VPN server setup, backend systems and network configuration, with no critical issues found; and previously by Radically Open Security in 2023, confirming the strict RAM-only, no-logs policy.

**What the community says:** In a [mid-2025 Lemmy thread](https://phtn.lemmy.blahaj.zone/post/lemmy.blahaj.zone/27985931) on VPN recommendations, one user laid out the logic cleanly: *"$5 is a low price for a service I trust way more than the others. You should wonder why the alternatives are so cheap."* The lack of port forwarding came up as a downside, but several users work around it with Headscale and Tailscale.

On [Hacker News](https://news.ycombinator.com/item?id=38221332), the most cited technical argument is blunt: *"Everything runs on RAM and disappears the second a server is shut down. They really don't store anything. And you can buy a Mullvad account by mailing cash to them or with crypto, no need to create an account with an email address or anything."*

On the [GrapheneOS forum](https://discuss.grapheneos.org/d/5050-opinion-on-riseup-vpn/40), one well-regarded contributor put it this way: *"From my experience and research I only recommend Mullvad and IVPN if privacy is your main goal. For me Mullvad had the additional benefit of being the most stable compared to IVPN and ProtonVPN, so I use it as my main and have an IVPN account as backup."*

Strengths: no-logs proven in a police raid, RAM-only servers, anonymous payment, WireGuard with multi-hop. The main weakness is no port forwarding and a smaller server network of roughly 700 servers across 49 countries.

## ProtonVPN: the balance between usability and privacy

Based in Switzerland, under Swiss law VPN providers are not required to store connection logs, and ProtonVPN consistently applies this principle, not recording user activity or connection histories.
The free tier has no data limits, which makes it the most recommended starting point for people who have never used a VPN before.

**What the community says:** On [Lemmy.world](https://old.lemmy.world/comment/12232693), users noted that Proton recently moved to a not-for-profit structure specifically to better protect user interests, and also lowered prices when their infrastructure costs went down. There was controversy in 2024 around the CEO's public comments, but as one user observed in a 2025 thread: *"the founder said some weird stuff last year, but so far the company itself hasn't demonstrated any questionable behaviour in regards to data, so it's still considered safe."*

Between 2024 and 2025, Reversemode performed a comprehensive security audit of Proton VPN's apps and core infrastructure, with results published in January 2025 showing no critical issues.

Strengths: legitimate free tier, Secure Core double-hop servers, Swiss jurisdiction, open source apps, large network with 17,400+ servers across 127 countries. The main consideration is that it requires an email to register, making it slightly less anonymous than Mullvad by design.

## What you definitely should not use

### HolaVPN: the most popular trap on the internet

The security issues with HolaVPN begin with its software, which does not use encryption and leaks IP addresses. Each device with the free version is effectively turned into an exit node monetised by a commercial proxy service called Luminati, both owned by the same parent company, Hola Networks Ltd. Trend Micro found concrete evidence of massive scraping of online content through the Luminati network, including subscription-based scientific databases, private contact details of physicians and attorneys, and credit information. The firm also found that hackers had gained access to the network. Trend Micro's antivirus now classifies HolaVPN as unwanted software.
In 2021, hackers breached Hola VPN's Chrome extension, targeting cryptocurrency users by redirecting them to phishing sites. The mechanism is elegantly perverse: while you think you're protecting your privacy, your device is serving as an exit node for third parties, and any illegal activity leaving through your IP address is tied to your identity. 175 million users are currently running this on their machines.

> *"This is the least secure VPN I've ever seen. If you're doing anything that involves even a shred of privacy, look elsewhere."*
>
> — John Mason, TheBestVPN, [quoted in Newsweek](https://www.newsweek.com/hola-holavpn-luminati-cybersecurity-trend-micro-virtual-private-network-1264639)

The same logic applies to any free VPN with no clear business model. If you're not paying for the product, you are the product.

## The technical stuff forums actually care about: kill switch and DNS leaks

One of the most recurring discussions in communities like [SNBForums](https://www.snbforums.com), [GL.iNet forum](https://forum.gl-inet.com), and [OPNsense forum](https://forum.opnsense.org) revolves around a subtle but critical problem: the kill switch alone is often not enough.

The failure scenario is this: you have WireGuard configured with split tunneling on Windows, the tunnel drops for a fraction of a second during a network change, and your OS immediately starts sending DNS queries through the unencrypted path. Result: your ISP sees exactly which domains you're visiting, even if the rest of your traffic is encrypted.

From [SNBForums](https://www.snbforums.com/threads/rt-be88u-kill-switch-issue-with-wireguard-wan-ip-leak.95334/), a user debugging a router kill switch issue: *"The native kill switch seems ineffective — it blocks DNS requests, but the WAN IP address remains exposed as soon as the VPN tunnel drops."*

The community-tested solution involves three iptables or nftables rules that completely block all outbound traffic whenever the VPN interface is inactive.
On Windows, you create firewall rules that only permit UDP port 53 traffic destined for the DNS server inside the WireGuard tunnel, then block everything else. The detailed walkthrough lives at [engineerworkshop.com](https://engineerworkshop.com/blog/dont-let-wireguard-dns-leaks-on-windows-compromise-your-security-learn-how-to-fix-it/).

The principle, as the forums state it plainly: if the tunnel isn't up, nothing leaves. Not almost nothing. Not just DNS. Nothing.

On protocols, WireGuard is the community consensus for speed and auditability, with a smaller codebase, already integrated into the Linux kernel. OpenVPN remains the mature fallback for routers where WireGuard kill switch support is still inconsistent. For advanced setups, the [Privacy Guides discussion on VPNs on routers](https://discuss.privacyguides.net/t/ivpn-mullvad-or-protonvpn-on-a-router/28931) is worth reading in full.

Test tools the community uses regularly: [ipleak.net](https://ipleak.net) and [dnsleaktest.com](https://dnsleaktest.com). Run these immediately after any configuration change.

## The elephant in the room: mass-market VPNs

It would be dishonest not to mention the most heavily marketed VPN on the planet. NordVPN is technically competent, has good speeds, and its proprietary NordLynx protocol built on WireGuard is genuinely fast. Reddit users praise good speeds, a friendly user interface, and heavily discounted long-term subscription plans, and the no-logs policy is a big plus among privacy-conscious users.

The concern raised by more technical communities is different: in 2018, a NordVPN server was compromised by an attacker who exploited credentials left open by a third-party datacenter. NordVPN only disclosed this in 2019. For users with an elevated threat model, that's enough to prefer alternatives that own and control their infrastructure directly.
The unwritten rule in technical forums is this: the more a VPN spends on YouTube sponsorships and podcast ads, the more you should ask yourself where that money is coming from and whether the servers are actually run by the company whose name is on the product.

## Quick reference: community consensus

For most people dealing with public Wi-Fi, geo-restrictions, or basic privacy, ProtonVPN's free tier is the answer. Zero cost, no data limits, Swiss jurisdiction, legitimate company with no excuse not to use it.

For people who take privacy seriously, whether journalists, activists, or anyone with a persistent threat model, Mullvad at €5/month is the community answer when someone asks the serious version of the question. WireGuard, no account creation, RAM-only servers, anonymous payment, police-raid-proven no-logs.

For advanced router setups, IVPN or Mullvad with WireGuard plus manual iptables kill switch rules. See SNBForums and OPNsense forum for implementation details.

For everyone without exception: test your DNS after setup. A leaking VPN is worse than no VPN, because it gives you false confidence.

---

*Sources*:

* [r/privacy](https://www.reddit.com/r/privacy)
* [Hacker News](https://news.ycombinator.com/item?id=38221332)
* [Privacy Guides Community](https://discuss.privacyguides.net/t/ivpn-mullvad-or-protonvpn-on-a-router/28931)
* [GrapheneOS Forum](https://discuss.grapheneos.org/d/5050-opinion-on-riseup-vpn/40)
* [SNBForums](https://www.snbforums.com/threads/rt-be88u-kill-switch-issue-with-wireguard-wan-ip-leak.95334/)
* [Lemmy 2025](https://phtn.lemmy.blahaj.zone/post/lemmy.blahaj.zone/27985931)
* [Cyware/Trend Micro](https://social.cyware.com/news/researchers-warn-hola-vpn-users-of-weak-encryption-and-ip-address-leaks-ca9daa39)
* [EngineerWorkshop](https://engineerworkshop.com/blog/dont-let-wireguard-dns-leaks-on-windows-compromise-your-security-learn-how-to-fix-it/)
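
Added example, not part of the original post or of any thread it cites: a small Python audit of `iptables -S OUTPUT` text that checks the fail-closed principle stated in the post (if the tunnel isn't up, nothing leaves) and flags the "DNS blocked, WAN still open" pattern. The interface `wg0`, endpoint `203.0.113.10`, port 51820 and both rulesets are constructed assumptions; the check is deliberately conservative, covers IPv4 only and does not follow user-defined chains.

```python
import shlex

def _scoped(match, tunnel_if, endpoint):
    """True if the rule only matches loopback, the tunnel, or the VPN endpoint."""
    opts = {}
    for i, tok in enumerate(match):
        if tok == "!":
            return False  # negated matches are not analysed: treat as unscoped
        if tok in ("-o", "-d") and i + 1 < len(match):
            opts[tok] = match[i + 1]
    if opts.get("-o") in ("lo", tunnel_if):
        return True
    return opts.get("-d", "").split("/")[0] == endpoint

def audit_output_chain(rules_text, tunnel_if, endpoint):
    """Audit `iptables -S OUTPUT` text; an empty result means fail-closed."""
    findings, policy, closed = [], None, False
    for line in rules_text.strip().splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "OUTPUT"]:
            policy = tok[2]
            continue
        if tok[:2] != ["-A", "OUTPUT"] or "-j" not in tok or closed:
            continue  # rules after an unconditional DROP/REJECT never match
        cut = tok.index("-j")
        match, target = tok[2:cut], tok[cut + 1]
        if target in ("DROP", "REJECT") and not match:
            closed = True
        elif target == "ACCEPT" and not _scoped(match, tunnel_if, endpoint):
            findings.append("ACCEPT reaches the WAN path: " + line)
    if policy != "DROP" and not closed:
        findings.append(f"default policy is {policy}: unmatched traffic leaves")
    return findings

# Constructed samples (not taken from any forum thread). 203.0.113.10 is a
# documentation address standing in for the VPN endpoint.
LEAKY = """
-P OUTPUT ACCEPT
-A OUTPUT -o wg0 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j DROP
"""
FAIL_CLOSED = """
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p udp -m udp --dport 51820 -j ACCEPT
"""

if __name__ == "__main__":
    for name, rules in (("leaky", LEAKY), ("fail-closed", FAIL_CLOSED)):
        print(name, audit_output_chain(rules, "wg0", "203.0.113.10") or "OK")
```

Run the same audit against `ip6tables -S OUTPUT`, since an IPv4-only kill switch leaves IPv6 traffic unfiltered.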
daniel 1779219488
Honestly tired of these "community consensus" pieces that just end up pushing the same three names. Mullvad got raided and found clean once — congratulations, that's one data point. ProtonVPN is a Swiss company that still cooperates with foreign legal requests when a Swiss court approves it, which happens more than the privacy crowd admits. And "no logs" is a marketing claim every single provider makes. You cannot verify what happens on their servers. You are trusting a company you've never met with your traffic. A self-hosted WireGuard instance on a cheap VPS you control, paid with Monero, is the only setup where your threat model doesn't include "hope the VPN company isn't lying." Everything else is just picking which corporation to trust.
moniq 1779218686
The DNS leak section is the most underrated part of this. I've done pentest work where the target was running a paid VPN and we still reconstructed their browsing patterns entirely through DNS. The tunnel was up the whole time. Split tunneling is genuinely dangerous if you don't know exactly what you're doing, and most consumer VPN apps make it feel like a feature rather than a footgun. The iptables approach described here is correct. On Linux I'd add: set `DefaultDNS=` in `/etc/systemd/resolved.conf` to your VPN's resolver and set `DNSOverTLS=yes`. That way even if something slips past the tunnel, it hits an encrypted wall instead of your ISP's resolver in plaintext.
pierre44 1779218470
Solid writeup. One thing worth adding on the Mullvad side: their decision to drop port forwarding in 2023 was actually a privacy move, not a cost cut. Port forwarding made it easier to correlate users over time. Most people complained about torrenting, but the tradeoff makes sense if your threat model is anything above "I just want Netflix from another country." Also worth mentioning that Mullvad Browser, built with the Tor Project, ships with fingerprinting resistance baked in. Pair it with the VPN and you're covering two attack surfaces most people completely ignore.
