A Macintosh Resource Site
for the Milwaukee Metro Area


My Personal Choice for a VPN

First published: May 2019. Latest revision: March 2023.

Introduction

A couple of articles ago, in “Summary of How to Choose a VPN,” I elaborated on the criteria that influence my choice of a VPN, discussing the most important factors first but including pretty much all of the qualities I want to see in the VPN service that I use.

In this final article, I’ll revisit those criteria and briefly note how the VPN service that I’ve chosen measures up to each criterion.

My “working” list

Please note that the following narrative is written as if I very recently went through the process of creating my “working” list and investigating the VPNs on it. In reality, I went through this process in 2019. However, since I want to present to you what the process of choosing a VPN would be like at present, using currently available resources, I'm presenting the narrative as if it recently occurred.

At the end of my previous article, “Lists of VPNs for Your Consideration,” I presented a list of several VPNs that had no severely problematic (i.e. no red-flagged) parameters on the “Simple VPN Comparison Chart” by “That One Privacy Guy.” (Please refer to my previous article for the reasons I consider the information on the VPN Comparison Charts by “That One Privacy Guy” to be unbiased and eminently useful.)

Starting with that final list of seven VPNs in my last article, I removed the three VPNs that had more than two yellow-flagged “cautionary” grades. However, I then added ProtonVPN back onto my “working” list. I did this in deference to the inclusion of ProtonVPN on the unbiased PrivacyGuides Recommended VPN Services list. (I did not think it was wise to eliminate from consideration a VPN that was recommended by PrivacyGuides, an organization for which I have great respect.)

Hence, I was left with five VPNs on my “working” list. The five VPNs are listed below with their corresponding “grades” as per the “Simple Comparison Chart”:

VPN          Red   Yellow   Green
BolehVPN     0     2        7
IVPN         0     2        7
Mullvad      0     1        8
ProtonVPN    0     3        6
Trust.Zone   0     2        7

Legend:
Red = “something major of concern” or a severely problematic parameter
Yellow = “something of concern” or a cautionary parameter
Green = “generally good” or a positive and desirable parameter.

Next, I perused all of the parameters on the “Simple + Detailed VPN Comparison Chart” web page for each of the five VPNs and thoroughly checked the website of each VPN.

I also reviewed the findings of the unbiased and comprehensive testing of the security and privacy of VPNs performed by Consumer Reports, which I hold in high regard. (See more about this thorough VPN study by a well-respected organization in the “Consumer Reports security and privacy testing of VPNs” section of the “VPN Series Appendices” page.)

During these further investigations, I dropped BolehVPN from consideration because it only allows three simultaneous connections (I wanted to be allowed a minimum of four simultaneous connections), its logging policy states that “we may turn on logs temporarily” (my preference is for a strict non-logging VPN), and BolehVPN does not support the new state-of-the-art WireGuard protocol.

I also dismissed Trust.Zone VPN from further consideration. Trust.Zone does not provide its own iOS or Macintosh applications. One must install and manually configure a third-party OpenVPN or WireGuard application to use the Trust.Zone service on a Mac. I also saw that the Consumer Reports VPN White Paper testing report noted that, on a Windows computer, when a tunnel failure occurred, “Trust.Zone leaked DNS traffic, which should have been protected using the VPN kill switch feature.” (This is a very concerning failure for a VPN service to have.)

Of note, the list of 16 VPNs that survived the winnowing process in the Consumer Reports VPN testing procedure and underwent exhaustive testing did not include BolehVPN or Trust.Zone VPN. This fact validated my decision to drop these VPN services from my further review.

This left three VPNs remaining on my “working” list: IVPN, Mullvad and ProtonVPN. All three seem to be trustworthy VPN services and would be expected to provide a high level of security and privacy to their users. Interestingly, these three VPNs on my final list happen to exactly match the three recommended VPNs on the unbiased PrivacyGuides Recommended VPN Services list.

I imagine I would be a satisfied user of any of these three VPN services, and I recommend them to you. However, my further investigations seemed to reveal that Mullvad best met all of my own criteria for a trustworthy VPN. Therefore, I conducted an even more in-depth online appraisal of Mullvad. I liked what I saw…

Indeed, after completing my final thorough analysis, the VPN that I chose for my own use was Mullvad.

A brief introduction to Mullvad

Mullvad (“mullvad” is Swedish for “mole” in English) was founded in 2009 and is a subsidiary of Amagicom AB, a company in Sweden. On the Mullvad home page, you’ll see something like this:

Privacy is a universal right

Privacy is fundamental to a well-functioning society because it allows norms, ethics, and laws to be safely discussed and challenged. Without privacy, a free and open society can neither flourish nor exist.

The next quote is from a 2019 Mullvad blog post titled “Our reason for being.”

“The ability to control and manage our individual privacy has become crucially dependent upon security. Without security, you have no guarantee that your information will remain private. That’s why we exist.”

These statements mesh very well with my thoughts on privacy and security.

My threat model

The goals of my implementation of privacy and security measures for my Internet use include:


  • protection against hackers on public WiFi hotspots.
  • protecting against monitoring and logging by ISPs.
  • hiding my location and identity from websites.
  • hiding my true name from a correspondent.
  • being anonymous online and hiding my online activity.

These goals do not mean I am trying to hide illegal activity or conceal government dissidence. Rather, I have these goals because:

  • I value my privacy.
  • When I want to withhold and protect my private information, I have the right to do so.

An important aid to protecting my privacy is a VPN, hence my desire to find a top-notch VPN service.

My VPN requirements, based on my threat model

I’ve developed a list of requirements that a VPN must fulfill for me. These criteria upon which I evaluate VPNs for my personal use include:


  • Trustworthiness
  • Privacy
  • Jurisdiction
  • Access to Services
  • Customer Support
  • Proactive Planning for the Future
  • Cost

I’ll elaborate on each of these points and explain how Mullvad satisfies my requirements.

Trustworthiness

I consider it of the utmost importance that the VPN service that I use embodies trustworthiness. The quality of trustworthiness is at least moderately subjective — it’s my overall “gut feeling” about how honorable, truthful, and reliable someone or something is to me.

Starting with my first exposure to Mullvad and continuing through the present time, Mullvad has always felt trustworthy to me. The Mullvad website is clean, uncluttered, and devoid of “hard-sell” tactics and pop-up windows. There are no overzealous or misleading claims of absolute 100% guaranteed perfect anonymity, security, and privacy. The website utilizes no “trackers” at all and no persistent browser “cookies” (unless you pay for Mullvad via credit card using the Stripe payment system).

The company name, owners, and principal employees are listed prominently on the Mullvad website instead of being hard-to-find or completely undeclared as with some other VPNs. Mullvad isn’t trying to hide the foundations of its business.

The majority of VPN services have “affiliate” programs, whereas Mullvad does not. An affiliate is a third party that receives a commission from the VPN when a customer purchases the VPN service after having been referred by the third party. (The referral is generally via a “VPN Review” website.)

As I’ve noted in earlier articles, this VPN <—> affiliate relationship is commonly derided for being fraught with deception: VPN affiliates and their review sites have been called “teeming cesspools of greed and lies” and only the very rarest of VPNs actually bother to “police” their affiliates. This situation is so problematic that the potential trust that I might have in a VPN is immediately impaired by the mere fact that the VPN has an affiliate program.

As noted on their “Policy on reviews, advertising, and affiliates” web page, Mullvad has no affiliate program. Thus, in my opinion, as compared to so many other VPN services, Mullvad has chosen the more ethical path of foregoing the revenue-enhancing potential of paid reviews and affiliates. Mullvad states, “Of equal or perhaps even greater importance are the word-of-mouth recommendations from our satisfied customers who share our values. We strongly believe this will pay off in the long run.”

Another sign of trustworthiness is the length of time a VPN has been providing services. Mullvad has been doing so since 2009, which makes it an “old hand” in this relatively young consumer VPN business.

Privacy

If a VPN is to provide me with privacy, the less it knows about me, the better.

Privacy is a category in which Mullvad excels. This is from the “No-logging of user activity policy” page on their website:

Our anonymous, numbered accounts
We want you to remain anonymous. When you sign up for Mullvad, we do not ask for any personal information – no username, no password, no email address. Instead, a random account number is generated, a so-called numbered account. This number is the only identifier a person needs in order to use a Mullvad account. This is a fundamental difference that sets us apart from most other services.

(from https://mullvad.net/en/guides/no-logging-data-policy/)

Not surprisingly, this anonymous account creation system reminds me of the super-secrecy of one of those legendary “Swiss numbered bank accounts.” No name, no email, no street address, no IP address, no mother’s maiden name, “no nothin’” is required to register and activate an account with Mullvad!

The 16-digit account number that you are given when you register on Mullvad’s website serves as your sole identifier to Mullvad from that point on. After registering for an account, Mullvad knows nothing about you. Pay them via an anonymous method and they will still know nothing about you. It doesn’t get any more anonymous and private than that.

Mullvad has a strict no-logging data policy

Policy overview
The underlying policy of Mullvad is that we never store any activity logs of any kind. We strongly believe in having a minimal data retention policy because we want you to remain anonymous.

What we don't log
We log nothing whatsoever that can be connected to a numbered account’s activity.

(from https://mullvad.net/en/guides/no-logging-data-policy/)

A strict no-logging policy is absolutely critical to maintaining the privacy of VPN users. Mullvad meets this challenge.

Other important technical privacy features

Mullvad also fulfills the following technical “bullet points” that I consider desirable, many of which I noted in previous articles:

  • maintains its own public non-logging DNS servers
  • supports DNS leak protection
  • supports IPv6 tunneling as well as IPv6 blocking and leak protection
  • supports OpenVPN on a range of custom ports
  • provides a “kill switch” that disables your Internet access if you lose your VPN connection
  • offers only highly secure tunneling and encryption protocols
  • offers port forwarding, SOCKS5 proxy, multi-hopping and split tunneling
  • all OpenVPN servers use DHE for perfect forward secrecy (PFS)
  • etc., etc. (See more info on Mullvad’s “Why Mullvad VPN?” page.)

I’ve performed extensive testing for DNS leaks and IPv6 leaks/support when using Mullvad, and all tests passed with flying colors. The Mullvad “kill switch” works reliably. Also, I have used the SOCKS5 proxy servers successfully and find them useful for certain circumstances.

Other characteristics that assure security

Mullvad’s VPN application is open-source software. Thus, the programming code is publicly posted and available for anyone to examine and critique. This provides a very valuable method of verifying the robustness of the programming, the validity of the security protocols that are used, and the identification and resolution of software issues.

Mullvad only offers the OpenVPN and WireGuard security protocols. The older and insecure Point-to-Point Tunneling Protocol (PPTP) that some other VPNs offer is, admirably, not even available to Mullvad users. OpenVPN, on the other hand, is the “tried and true” protocol for secure connections. It is open-source and its security has been very well tested. WireGuard is also an open-source protocol that is considered by many to be the most promising VPN security protocol yet developed. Although relatively new, WireGuard is coming to be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

I am currently using Mullvad with WireGuard on my Macs and on my iPhone and iPad and have found that the WireGuard claims of near-instantaneous establishment of secure tunneling and low battery consumption are indeed true. (This is a significant improvement as compared to using the OpenVPN protocol on my mobile devices.)

Mullvad regularly has third-party security audits performed. All VPNs claim to provide security to their users, but only a few VPNs have tested that security by opening their systems to auditing by third parties. Beginning with the first audit of their VPN app, Mullvad has undergone eight security-oriented audits (as of February 2023) of their VPN service. The occasional issues raised by those audits have been addressed by Mullvad.

Jurisdiction

This is one parameter of Mullvad that, at first glance, is not quite optimal. Mullvad is based in Sweden, which is a member of the 14-eyes coalition of countries that share “signals intelligence” with one another. (“Signals intelligence,” to put it bluntly, is governmental spying on its own citizens.) Thus, Mullvad is under the jurisdiction of a government that may share covertly obtained information with the other 13 countries in the 14-eyes coalition.

On the other hand, Sweden does not have a “key disclosure law” that, in other countries, can be used to require individuals or companies to surrender cryptographic keys to law enforcement.

More importantly, with its strict no-logging policy, Mullvad retains no sensitive user information on its servers. Thus, even if Mullvad’s servers were to be “raided” by Swedish authorities, no private user information would be found on them.

Furthermore, keep in mind that, as stated in the “Choosing a VPN” section on the VPN Comparison by That One Privacy Guy web page, “The location of the servers you connect to and the people who operate them is far more important than where a company is incorporated if you’re trying to protect yourself from governmental overreach.”

Thus, although it may be preferable to use a VPN service that is not based in a 14-eyes country, I feel that Mullvad’s strict no-logging policy substantially negates jurisdiction-based risks. If I’m feeling paranoid, I can always connect to one of Mullvad’s servers that is located in a non-14-eyes country to further enhance my privacy.

Access to services

Acceptable speeds, the number and location of servers, and the number of simultaneous connections are moderately important to me.

Mullvad allows five simultaneous connections to its servers. The median number for all the VPNs (nearly 200) listed on the “Detailed VPN Comparison Chart” is three connections. Given Mullvad’s five simultaneous connections, I need not worry that my iMac and iPhone are using the VPN connection in the background while I am actively connected to Mullvad on my iPad. So, I can just leave all of my devices connected all the time (and even add a device or two) and not bother signing in and out of the VPN connection on the various devices.

Historically, in late 2019, Mullvad offered servers in 39 countries, including 284 regular OpenVPN servers, 105 WireGuard servers, and 17 special “bridge” servers (which can help if one is behind a very restrictive firewall). This server count total of 406 was well above the median for other VPNs of 54 servers and 18 countries in the “Detailed Comparison Chart” of late 2019, and is more than adequate for my purposes. (As of this writing, the Mullvad server statistics include 476 WireGuard servers. This is over a 450% increase in the number of Mullvad’s WireGuard servers since late 2019 and is strong evidence for Mullvad’s commitment to the state-of-the-art WireGuard protocol.)

As compared to not using a VPN, connecting to the Internet through a VPN will always result in at least some slowdown in speed. I’ve found that the speed and responsiveness of using the Internet via Mullvad VPN is perhaps slightly slower than using no VPN. It’s a little hard to objectively judge this, however, without laborious back and forth testing. At any rate, my data transfer speeds are quite satisfactory when using Mullvad.

There is a listing of some ongoing VPN speed test results which may be useful at https://www.top10vpn.com/best-vpn/fastest-vpn/#full-vpn-speed-test-results. (Be aware that this site is an affiliate of many VPN companies, and hence its review results may be biased.) Mullvad has been consistently ranked within the top 10% of VPNs in the speed tests done by this site.

Customer Support

The Mullvad website provides a great deal of information about set-up, troubleshooting, features, options, policies, etc. I’ve learned quite a bit by browsing these Mullvad support resources. I’ve found that several questions that I had in mind had been anticipated by Mullvad and the answers were already there on the website.

Some VPNs offer “online chat” support for customers. Mullvad does not do so. In light of my positive experiences with Mullvad’s email support, I don’t consider this to be a major drawback. I have sent a few email support questions to Mullvad and all of them were answered quickly and to my satisfaction. Not surprisingly, given Mullvad’s commitment to privacy and security, they offer (and recommend) the option of using encrypted email when dealing with support issues.

Proactive Planning for the Future

I am impressed that Mullvad is active in preparing for future trends and issues that may affect VPN services. Mullvad has been at the forefront of VPNs with their adoption of the WireGuard protocol, which implements very promising VPN technology.

Looking even further into the future, Mullvad is working to mitigate the threat of quantum computing to privacy. They already have a “post-quantum strategy” in mind and are testing an open-source post-quantum secure VPN tunnel.

Cost

In 2019, the average cost of VPN service for the 185 VPNs listed on the “Detailed VPN Comparison Chart” of “That One Privacy Guy” was about $6.00 per month (based on a one-year subscription). Mullvad offers a flat monthly rate of €5 (5 euros), which is equivalent to about $5-6 per month (depending on exchange rates). Thus, the cost of the Mullvad service is quite reasonable and is comparable to the average cost of all VPNs.

Many VPN services quote an artificially high price for one month of service and then offer a “discount” for an extended contract of one, two or three years. Mullvad does not use this deceptive selling tactic. Mullvad quotes a monthly rate and its customers can choose to purchase from one month to 12 months of service at a time. Hence, there is no need to commit to a year-long (or longer) contract in order to obtain a reasonable price. Mullvad offers a 30-day money-back guarantee (except for cash payments).

Mullvad accepts payment in cash, Bitcoin, Bitcoin cash, Monero, bank wire, credit card, PayPal and pre-paid voucher. (Some additional methods are available to European customers.) With a bit of effort, several of these payment methods can be used with complete anonymity.

I would recommend that you consider the cost of a VPN but not let the fee be an overriding factor when entrusting a VPN with your Internet security and privacy. Even if another VPN costs only half as much as Mullvad, you’re only saving $3 a month. Is that savings worth using a less trustworthy VPN?

Corroboration of my choice of Mullvad

PrivacyGuides.org

PrivacyGuides.org is a website that I have found to be independent and unbiased in providing services, tools, and knowledge to protect one’s privacy against global mass surveillance. (I have referred to information on the PrivacyGuides website a few times in my series of VPN articles.)

The PrivacyGuides VPN criteria mesh very well with the VPN requirements that I had formulated. I strongly recommend that you peruse their current “VPN Provider Criteria.” It reiterates many of the points that I have raised relative to choosing a trustworthy VPN.

The PrivacyGuides “VPN Services” web page recommends just three VPN services that meet their requirements: Mullvad is one of those three VPNs.

Given that the criteria that I have developed for choosing a VPN service and the “VPN Provider Criteria” that PrivacyGuides has advanced are so similar, one would expect that our choices of “worthy” VPNs would also be similar. This is indeed the case…

In my article “Lists of VPNs for Your Consideration,” I presented a final list of seven VPNs that I felt were worthy of further consideration. That list contains not only Mullvad but also the two other VPNs (Proton VPN and IVPN) that PrivacyGuides currently recommends.

Wirecutter.com

Another website that provides reviews that are seemingly less-biased than most other websites is Wirecutter.com. Wirecutter’s “The Best VPN Service” review includes well-delineated and stringent criteria similar to the criteria of PrivacyGuides.

The introductory paragraph to the Wirecutter VPN review article echoes some of the themes that I have noted in my VPN articles:

As more people’s work and personal lives go digital, online privacy and security become increasingly important. Although a virtual private network, or VPN, is not a complete answer for protecting your online privacy, it can be a useful part of your security toolkit. However, the VPN industry is riddled with false promises and shady businesses. After sorting through dozens of VPNs and reviewing four security audits, we think the best option for most people is Mullvad, an open-source VPN that is not only trustworthy and transparent but also fast and reliable.

(from https://www.nytimes.com/wirecutter/reviews/best-vpn-service/)

I strongly recommend that you thoroughly read Wirecutter’s “Best VPN Service” review. It provides very useful information on the process of evaluation of a VPN service for your own use.

ConsumerReports.org

Consumer Reports has been testing products since 1936. They are an independent, nonprofit member organization with a mission to empower and inform consumers.

In late 2021, Consumer Reports conducted an “in-depth test of 16 well-known VPNs.” They reported:

… three VPNs came out ahead: Mullvad, IVPN, and Mozilla VPN. All three had characteristics that many security experts look for in nearly any technology platform, such as open-source code, public third-party security audits, and ways for outside researchers to report vulnerabilities. That’s all described below. And these VPNs all accurately described their products and services to consumers—something you can’t count on with many VPNs.

(from https://www.consumerreports.org/vpn-services/mullvad-ivpn-mozilla-vpn-top-consumer-reports-vpn-testing-a9588707317/)

Once again, Mullvad is a top choice. (Mozilla VPN, one of the other top choices, actually runs on Mullvad’s VPN servers.) The “VPN White Paper” report that includes the full technical details of the Consumer Reports testing states that “Mullvad, IVPN, and Mozilla VPN—in that order—rose to the top…”

The Consumer Reports technical white paper is very thorough and informative, and I strongly recommend that you read it. As of this writing, the Consumer Reports “VPN White Paper” is the best recent source for unbiased, comprehensive and trustworthy information comparing VPN services that I have been able to find.

Additional sources

If you would like to pursue further reading about Mullvad, here are a few reviews and mentions of Mullvad from some more relatively unbiased sources:

More info about Mullvad


Summary

In this article, I’ve noted how Mullvad fulfills the characteristics of a VPN service that I noted to be most desirable in my previous article, “Summary of How to Choose a VPN.”

I’d like to add this more personal note: I’m sure there are a few other good VPN providers that might also fulfill my basic privacy and security requirements. Yet Mullvad goes beyond that — Mullvad just gives me a warm and cozy feeling in my gut!

The more I read about and use Mullvad, the more I like them. Somehow, Mullvad feels to me like they are the “good guys.” That sentiment is very appealing to me.

Mullvad has earned my trust.

I hope that this series of articles has at least opened your eyes a bit relative to privacy and security on the Internet.

For more in-depth information about the original research that I have done regarding VPN services and about the reliable sources of information about VPNs that I have found to be useful, see the “VPN Series Appendices” page.

Keep safe out there!