A Macintosh Resource Site
for the Milwaukee Metro Area


My Personal Choice for a VPN

First published: May 2019. Latest revision: April 2021.

Introduction

A couple of articles ago in “Summary of How to Choose a VPN,” I elaborated on the criteria that are factors influencing my choice of a VPN, discussing the most important factors first but including pretty much all of the qualities I want to see in the VPN service that I use.

In this final article I’ll revisit those criteria and briefly note how the VPN service that I’ve chosen measures up to each criterion.

My “working” list

At the end of my previous article, “Lists of VPNs for Your Consideration,” I presented a list of several VPNs that had no severely problematic (i.e. no red-flagged) parameters on the “Simple VPN Comparison Chart” available as part of the downloadable “Detailed VPN Comparison Chart ” on the VPN Comparison by That One Privacy Guy web page. (Please refer to my previous article for the reasons I consider the information on the VPN Comparison by That One Privacy Guy and privacytools.io websites to be unbiased and eminently useful.)

From that final list in my last article I removed VPNs that had more than two yellow-flagged “cautionary” grades. However, I then added ProtonVPN back onto my “working” list. I did this in deference to the inclusion of ProtonVPN on the PrivacyTools Recommended VPN Services list. I did not think it was wise to eliminate from consideration a VPN that was recommended by PrivacyTools, an organization for which I have great respect. Hence, that leaves five VPNs on my “working” list:

VPN Red Yellow Green R, Y, G bar graph
BolehVPN 0 2 7
IVPN 0 2 7
Mullvad 0 1 8
ProtonVPN 0 3 6
Trust.Zone 0 2 7

Legend:
Red = “something major of concern” or a severely problematic parameter
Yellow = “something of concern” or a cautionary parameter
Green = “generally good” or a positive and desirable parameter.

Next I perused all of the parameters on the “Detailed Comparison Chart” for each of the five VPNs and thoroughly checked the website of each VPN. Of these five VPNs, Mullvad seemed to best meet my own criteria for a trustworthy VPN, so I began a more thorough online investigation of Mullvad. I liked what I saw…

Indeed, after my thorough analysis, the VPN that I chose for my own use is Mullvad.

A brief introduction to Mullvad

Mullvad, founded in 2009, is a subsidiary of Amagicom AB, a company in Sweden. On the Mullvad home page, you’ll see something like this:

picture of Mullvad logo Privacy is a universal right

Privacy is fundamental to a well-functioning society because it allows norms, ethics, and laws to be safely discussed and challenged. Without privacy, a free and open society can neither flourish nor exist.

The next quote is from a 2019 Mullvad blog post titled “Our reason for being ”:

The ability to control and manage our individual privacy has become crucially dependent upon security. Without security, you have no guarantee that your information will remain private. That’s why we exist.”

These statements mesh very well with my thoughts on privacy and security.

My threat model

The goals of my implementation of privacy and security measures for my Internet use include:

  • protection against hackers on public WiFi hotspots.
  • protecting against monitoring and logging by ISPs.
  • hiding my location and identity from websites.
  • hiding my true name from a correspondent.
  • being anonymous online and hiding my online activity

These goals do not mean I am trying to hide illegal activity or conceal government dissidence. Rather the goals mean that:

I value my privacy.
When I want to withhold and protect my private information, I have the right to do so.

An important aid to protecting my privacy is a VPN, hence my desire to find a top-notch VPN service.

My VPN requirements as based on my threat model

I’ve developed a list of requirements that a VPN must fulfill for me. These criteria upon which I evaluate VPNs for my personal use include:

  • Trustworthiness
  • Privacy
  • Jurisdiction
  • Access to Services
  • Customer Support
  • Proactive Planning for the Future
  • Cost

I’ll elaborate on each of these points and explain how Mullvad satisfies my requirements.

Trustworthiness

I consider it to be of the utmost importance that the VPN service that I use embodies trustworthiness. The quality of trustworthiness is at least moderately subjective — it’s my overall “gut-feeling” about how honorable, truthful and reliable someone or something is to me.

Starting with my first exposure to Mullvad and continuing through the present time, Mullvad has always felt trustworthy to me. The Mullvad website is clean, uncluttered, and is devoid of “hard-sell” tactics and pop-up windows. There are no overzealous or misleading claims of absolute 100% guaranteed perfect anonymity, security and privacy. The website utilizes no “trackers” at all and no persistent browser “cookies” (unless you pay for Mullvad via credit card using the Stripe payment system).

The company name, owners and principal employees are listed prominently on the Mullvad website instead of being hard-to-find or completely undeclared as with some other VPNs. Mullvad isn’t trying to hide the foundations of their business.

The majority of VPN services have “affiliate” programs, whereas Mullvad does not. An affiliate is a third party that receives a commission from the VPN when a customer purchases the VPN service after having been referred by the third party. (The referral is generally via a “VPN Review” website.)

As I’ve noted in earlier articles, this VPN <—> affiliate relationship is commonly derided for being fraught with deception: VPN affiliates and their review sites have been called “teeming cesspools of greed and lies” and only the very rarest of VPNs actually bother to “police” their affiliates. In my mind, this situation is so problematic that the potential trust that I might have in a VPN is immediately impaired by the mere fact that the VPN has an affiliate program.

As noted on their “Policy on reviews, advertising, and affiliates ” web page, Mullvad has no affiliate program. Thus, in my opinion, as compared to so many other VPN services, Mullvad has chosen the more ethical path of foregoing the revenue-enhancing potential of paid reviews and affiliates. Mullvad states, “Of equal or perhaps even greater importance are the word-of-mouth recommendations from our satisfied customers who share our values. We strongly believe this will pay off in the long run.”

Another sign of trustworthiness is the length of time a VPN has been providing services. Mullvad has been doing so since 2009, which makes it an “old-hand” at this relatively young consumer VPN business.

Privacy

If a VPN is to provide me privacy, the less it knows about me the better.

Privacy is a category at which Mullvad excels. This is from the “No-logging of user activity policy” page on their website:

Our anonymous, numbered accounts
We want you to remain anonymous. When you sign up for Mullvad, we do not ask for any personal information – no username, no password, no email address. Instead, a random account number is generated, a so-called numbered account. This number is the only identifier a person needs in order to use a Mullvad account. This is a fundamental difference that sets us apart from most other services.

(from https://mullvad.net/en/guides/no-logging-data-policy/)

Not surprisingly, this anonymous account creation system reminds me of the super-secrecy of one of those legendary “Swiss numbered bank accounts.” No name, no email, no street address, no IP address, no mother’s maiden name, “no nothin’” is required to register and activate an account with Mullvad!

The 16-digit account number that you are given when you register on Mullvad’s website serves as your sole identifier to Mullvad from then on. After registering for an account, Mullvad knows nothing about you. Pay them via an anonymous method and they will still know nothing about you. It doesn’t get any more anonymous and private than that.

Mullvad has a strict no-logging data policy

Policy overview
The underlying policy of Mullvad is that we never store any activity logs of any kind. We strongly believe in having a minimal data retention policy because we want you to remain anonymous.

What we don't log
We log nothing whatsoever that can be connected to a numbered account’s activity.

(from https://mullvad.net/en/guides/no-logging-data-policy/)

A strict no-logging policy is absolutely critical to maintain the privacy of VPN users. Mullvad meets this challenge.

Other important technical privacy features

Mullvad also fulfills the following technical “bullet points” that I consider desirable, many of which I noted in previous articles:

  • maintains its own public non-logging DNS servers
  • supports DNS leak protection
  • supports IPv6 tunneling as well as IPv6 blocking and leak protection
  • supports OpenVPN on a range of custom ports
  • provides a “kill switch” that disables your Internet access if you lose your VPN connection
  • offers only highly secure tunneling and encryption protocols
  • offers port forwarding, SOCKS5 proxy, multi-hopping and split tunneling
  • all OpenVPN servers use DHE for perfect forward secrecy (PFS)
  • etc., etc. (See more info on Mullvad’s “Why Mullvad VPN? ” page.)

I’ve performed extensive testing for DNS leaks and IPv6 leaks/support when using Mullvad and all tests passed with flying colors. The Mullvad “kill switch” works reliably. Also, I have used the SOCKS5 proxy servers successfully and find them useful for certain circumstances.

Other characteristics that assure security

Mullvad’s VPN application is open-source software. Thus, the programming code is publicly posted and available for anyone to examine and critique. This provides a very valuable method of verifying the robustness of the programming, the validity of the security protocols that are used and the identification and resolution of software issues.

Mullvad only offers the OpenVPN and WireGuard security protocols. The older and insecure Point-to-Point Tunneling Protocol (PPTP) that some other VPNs offer is, admirably, not even available to Mullvad users. OpenVPN, on the other hand, is the currently accepted standard for secure connections. It is open-source and its security has been very well tested. WireGuard is also an open-source protocol that is considered by many to be the most promising VPN security protocol in development. (As of late March 2020, WireGuard was released in a “stable” version for Linux, having gone through an extensive review process.)

I am currently using Mullvad with WireGuard on my Macs and on my iPhone and iPad and have found that the WireGuard claims of near-instantaneous establishment of secure tunneling and low battery consumption are indeed true. (This is a significant improvement as compared to using the OpenVPN protocol on my mobile devices.)

Jurisdiction

This is one parameter of Mullvad that, at first glance, is not quite optimal. Mullvad is based in Sweden, which is a member of the 14-eyes coalition of countries that share “signals intelligence” with one another. (“Signals intelligence,” to put it bluntly, is governmental spying on its own citizens.) Thus, Mullvad is under the jurisdiction of a government that may share covertly obtained information with the other 13 countries in the 14-eyes coalition.

On the other hand, Sweden does not have a “key disclosure law” that, in other countries, can be used to require individuals or companies to surrender cryptographic keys to law enforcement.

More importantly, with its strict no-logging policy, Mullvad retains no sensitive user information on its servers. Thus, even if Mullvad’s servers were to be “raided” by Swedish authorities, no private user information would be found on them.

Furthermore, keep in mind, as stated in the “Choosing a VPN” section on the VPN Comparison by That One Privacy Guy web page,, “The location of the servers you connect to and the people who operate them is far more important than where a company is incorporated if you’re trying to protect yourself from governmental overreach.”

Thus, although it may be preferable to use a VPN service that is not based in a 14-eyes country, I feel that Mullvad’s strict no-logging policy substantially negates jurisdiction-based risks. If I’m feeling paranoid, I can always connect to one of Mullvad’s servers that is located in a non-14-eyes country to further enhance my privacy.

Access to services

Acceptable speeds, number and location of servers and number of simultaneous concurrent connections are moderately important to me.

picture of Mullvad logo Mullvad allows five simultaneous connections to its servers. The median number for the all the VPNs (nearly 200) listed on the “Detailed VPN Comparison Chart” at VPN Comparison by That One Privacy Guy is three connections. Given Mullvad’s five simultaneous connections, I need not worry that my iMac and iPhone are using the VPN connection in the background while I am actively connected to Mullvad on my iPad. So I can just leave all of my devices connected all the time (and even add a device or two) and not bother signing in/signing out of the VPN connection on the various devices.

As of March 2021, Mullvad offered servers in 35 countries, including 331 regular OpenVPN servers, 400 WireGuard servers and 39 special “bridge” servers (which can help if one is behind a very restrictive firewall). This server count total of 770 is well above the median for other VPNs of 54 servers and 18 countries in the “Detailed Comparison Chart” of late 2019, and is more than adequate for my purposes. (A 670% increase in the number of Mullvad’s WireGuard servers during the two-year period ending in March 2021 is evidence of their commitment to the state-of-the-art WireGuard protocol.)

Compared to not using a VPN, connecting to the Internet through a VPN will always result in at least some slowdown in speed. I’ve found that the speed and responsiveness of using the Internet via Mullvad VPN is perhaps slightly slower vs. using no VPN. It’s a little hard to objectively judge this, however, without laborious back and forth testing. At any rate, my data transfer speeds are quite satisfactory when using Mullvad.

I was able to perform a few “quick” speed tests comparing NordVPN vs. Mullvad vs. using no VPN on a very fast network at a local university. Download speed tests revealed the Mullvad connection achieved 94% of the speed of the full-bore non-VPN connection whereas the NordVPN connection speed was 47% of the non-VPN speed.

There is a listing of some ongoing VPN speed test results which may be useful at https://www.top10vpn.com/best-vpn/fastest-vpn/. (Be aware that this site is an affiliate of many VPN companies and hence its review results may be biased.) Mullvad has been consistently ranked within the top 10% of the VPNs in the speed tests done by this site.

Customer Support

The Mullvad website provides a great deal of information about set-up, troubleshooting, features, options, policies, etc. I’ve learned quite a bit by browsing these Mullvad support resources and have found that several questions that I had in mind had been anticipated by Mullvad and the answers were already there on the website.

Some VPNs offer “online chat” support for customers. Mullvad does not do so. I don’t consider this to be a major drawback because of my positive experience with Mullvad’s email support. I have sent a few email support questions to Mullvad and all of them were answered quickly and to my satisfaction. (Not surprisingly, given Mullvad’s commitment to privacy and security, they offer (and recommend) the option of using encrypted email when dealing with support issues.)

Proactive Planning for the Future

I am impressed that Mullvad is active in preparing for future trends and issues that may affect VPN services. Mullvad has been at the forefront of VPNs in adopting the WireGuard protocol, which implements very promising VPN technology.

Looking even further into the future, Mullvad is working to mitigate the threat of quantum computing against privacy. They already have a “post-quantum strategy” in mind and are testing an open-source post-quantum secure VPN tunnel.

Cost

In early 2019 the average cost of VPN service for the 185 VPNs listed on the ““Detailed VPN Comparison Chart” at VPN Comparison by That One Privacy Guy was about $6.00 per month (based on a one-year subscription). Mullvad offers a flat monthly rate of €5 (5 euros) which is equivalent to about $6 per month (depending on exchange rates). Thus, the cost of Mullvad service is quite reasonable and is comparable to the average cost of all VPNs.

Many VPN services quote an artificially high price for one month of service and then offer a “discount” for an extended contract of one, two or three years. Mullvad does not use this selling tactic. Mullvad quotes a monthly rate and its customers can choose to purchase from one month to 12 months of service at a time. Hence, there is no need to commit to a year-long contract in order to obtain a reasonable price. Mullvad offers a 30-day money-back guarantee (except for cash payments).

Mullvad accepts payment in cash, Bitcoin, Bitcoin cash, credit card, bank wire, and PayPal. (Some additional methods are available to European customers.) With a bit of effort, the first three payment methods can be used with complete anonymity.

I would recommend that you consider the cost of a VPN but not let the fee be an overriding factor when entrusting a VPN with your Internet security and privacy. Even if another VPN costs only half as much as Mullvad, you’re only saving $3 a month. Is that savings worth using a less trustworthy VPN?

Corroboration of my choice of Mullvad

PrivacyTools.io

PrivacyTools.io is a website that I have found to be independent and unbiased in providing services, tools and knowledge to protect one’s privacy against global mass surveillance. (I have referred to information on the privacytools.io website a few times in my series of VPN articles.)

Several months after writing the original version of this final article, I noted that the web page about VPN providers on the privacytools.io site had undergone substantial revision. The “VPN Provider Criteria” that they compiled had been considerably enhanced and expanded.

PrivacyTools updated VPN criteria mesh very well with the VPN requirements that I had formulated. I strongly recommend that you peruse their current“VPN Provider Criteria.” It reiterates many points that I have raised relative to choosing a trustworthy VPN.

Also changed on that web page was the previously published list of 18 “VPN providers with extra layers of privacy.” That list has been replaced by a “Recommended VPN Service” section. The only VPN that was recommended by privacytools.io in the initial version of that section was Mullvad. (In late January 2020, ProtonVPN and IVPN joined Mullvad as the only VPN services recommended by privacytools.io.)

Given that the criteria that I have developed for choosing a VPN service and the “VPN Provider Criteria” that privacytools.io has advanced are so similar, one would expect that our choices of “worthy” VPNs would also be similar. This is indeed the case…

In my article “Lists of VPNs for Your Consideration” I presented a final list of seven VPNs that I felt were worthy of further consideration. That list contains not only Mullvad but also the two other VPNs that privacytools.io currently recommends.

Wirecutter.com

Another website that provides reviews that are seemingly less-biased than most other websites is Wirecutter.com. In July 2020 the updated Wirecutter’s “Best VPN Service” review included well-delineated and stringent criteria similar to the criteria of PrivacyTools.io.

The introductory paragraph to the Wirecutter VPN review article echoes some of the themes that I have noted in my VPN articles:

As more people’s work and personal lives go digital, online privacy and security become increasingly important. A virtual private network, or VPN, can be a useful part of your security toolkit. But the industry is riddled with false promises and shady businesses. After sorting through dozens of VPNs and reviewing six security audits, we think the best option for most people is Mullvad, an open-source VPN that is not only trustworthy and transparent but also fast and reliable.

(from https://www.nytimes.com/wirecutter/reviews/best-vpn-service/)

I strongly recommend that you thoroughly read Wirecutter’s “Best VPN Service” review. It provides very useful information on the process of evaluation of a VPN service for your own use.

Summary

In this article I’ve noted how the Mullvad service fulfills the characteristics of a VPN that I suggested should be evaluated in my previous article, “Summary of How to Choose a VPN.”

I’d like to add this more personal note: I’m sure there are a few other good VPN providers that might also fulfill my basic privacy and security requirements. Yet Mullvad goes beyond that — Mullvad just gives me a warm and cozy feeling in my gut! The more I read about and use Mullvad the more I like them. Somehow, Mullvad feels to me like they are the “good guys.” That sentiment is very appealing to me.

Mullvad has earned my trust.

I hope that this series of articles has at least opened your eyes a bit relative to privacy and security on the Internet. Keep safe out there!