A Macintosh Resource Site
for the Milwaukee Metro Area


My Personal Choice for a VPN

First published: May 2019. Latest revision: November 2019.

Introduction

A couple of articles ago in “Summary of How to Choose a VPN,” I elaborated on the criteria that are factors influencing my choice of a VPN, discussing the most important factors first but including pretty much all of the qualities I want to see in the VPN service that I use.

In this final article I’ll revisit those criteria and briefly note how the VPN service that I’ve chosen measures up to each criterion.

My “working” list

At the end of my previous article, “Lists of VPNs for Your Consideration,” I presented a list of several VPNs that had no severely problematic (i.e. no Red or failing) parameters on the “Simple VPN Comparison Chart” available as part of the downloadable “Detailed VPN Comparison Chart” at thatoneprivacysite.net. (Please refer to my previous article for the reasons I consider the information on the thatoneprivacysite.net website to be unbiased and eminently useful.)

From that final list in my last article I have now removed VPNs that had more than two Yellow “cautionary” grades. That leaves four VPNs on the list:

VPN          Red   Yellow   Green
BolehVPN     0     2        7
IVPN         0     2        7
Mullvad      0     1        8
Trust.Zone   0     2        7

Legend:
Red = “something major of concern” or a severely problematic parameter
Yellow = “something of concern” or a cautionary parameter
Green = “generally good” or a positive and desirable parameter.

Next I perused all of the parameters on the “Detailed Comparison Chart” for each of the four VPNs and checked the websites of the four VPNs. Of these VPNs, Mullvad seemed to best meet my own criteria for a trustworthy VPN, so I began a more thorough online investigation of Mullvad. I liked what I saw…

Indeed, after my thorough analysis, the VPN that I chose for my own use is Mullvad.

A brief introduction to Mullvad

Mullvad, founded in 2009, is wholly owned by Amagicom AB, a company in Sweden. On the Mullvad home page, you’ll see something like this:

Privacy is a universal right

It is fundamental to a well-functioning society. It allows norms, ethics, and laws to be safely discussed and challenged. Without privacy, a free and open society can neither flourish nor exist.

The next quote is from a recent Mullvad blog post titled “Our reason for being”:

“The ability to control and manage our individual privacy has become crucially dependent upon security. Without security, you have no guarantee that your information will remain private. That’s why we exist.”

These statements mesh very well with my thoughts on privacy and security.

My threat model

The goals of my implementation of privacy and security measures for my Internet use include:

  • protecting against hackers on public WiFi hotspots.
  • protecting against monitoring and logging by ISPs.
  • hiding my location and identity from websites.
  • hiding my true name from a correspondent.
  • being anonymous online and hiding my online activity.

These goals do not mean I am trying to hide illegal activity or conceal government dissidence. Rather the goals mean that:

I value my privacy.
When I want to withhold and protect my private information I have the right to do so.

An important aid to protecting my privacy is a VPN, hence my desire to find a top-notch VPN service.

My VPN requirements as based on my threat model

I’ve developed a list of requirements that a VPN must fulfill for me. These criteria upon which I evaluate VPNs for my personal use include:

  • Trustworthiness
  • Privacy
  • Jurisdiction
  • Access to Services
  • Customer Support
  • Proactive Planning for the Future
  • Cost

I’ll elaborate on each of these points and explain how Mullvad satisfies my requirements.

Trustworthiness

I consider it to be of utmost importance that the VPN service that I use embodies trustworthiness. The quality of trustworthiness is at least moderately subjective — it’s my overall “gut-feeling” about how honorable, truthful and reliable someone or something is to me.

Starting with my first exposure to Mullvad and continuing through the present time, Mullvad has always felt trustworthy to me. The Mullvad website is clean, uncluttered, and is devoid of “hard-sell” tactics and pop-up windows. There are no overzealous or misleading claims of absolute 100% guaranteed perfect anonymity, security and privacy. The website utilizes no “trackers” at all and no persistent “cookies” (unless you pay for Mullvad via credit card using the Stripe payment system).

The company name, owners and principal employees are listed prominently on the Mullvad website instead of being hard-to-find or completely undeclared as with some other VPNs. Mullvad isn’t trying to hide the foundations of their business.

The majority of VPN services have “affiliate” programs, whereas Mullvad does not. An affiliate is a third party that receives a commission from the VPN when a customer purchases the VPN service after having been referred by the third party. (The referral is generally via a “VPN Review” website.)

As I’ve noted in earlier articles, this VPN <—> affiliate relationship is commonly derided for being fraught with deception: VPN affiliates and their review sites have been called “teeming cesspools of greed and lies” and only the very rarest of VPNs actually bother to “police” their affiliates. In my mind, this situation is so problematic that the potential trust that I might have in a VPN is immediately impaired by the mere fact that the VPN has an affiliate program.

As noted on their “Policy on reviews, advertising, and affiliates” web page, Mullvad has no affiliate program. Thus, in my opinion, as compared to so many other VPN services, Mullvad has chosen the more ethical path of foregoing the revenue-enhancing potential of paid reviews and affiliates. Mullvad states, “Of equal or perhaps even greater importance are the word-of-mouth recommendations from our satisfied customers who share our values. We strongly believe this will pay off in the long run.”

Another sign of trustworthiness is the length of time a VPN has been providing services. Mullvad has been doing so since 2009, which makes it an “old-hand” at this relatively young consumer VPN business.

Privacy

If a VPN is to provide me privacy, the less it knows about me the better.

Privacy is a category at which Mullvad excels. This is from the “No-logging of user activity policy” page on their website:

Our anonymous, numbered accounts
We want you to remain anonymous. When you sign up for Mullvad, we do not ask for any personal information – no username, no password, no email address. Instead, a random account number is generated, a so-called numbered account. This number is the only identifier a person needs in order to use a Mullvad account. This is a fundamental difference that sets us apart from most other services.

(from https://mullvad.net/en/guides/no-logging-data-policy/)

Not surprisingly, this anonymous account creation system reminds me of the super-secrecy of one of those legendary “Swiss numbered bank accounts.” No name, no email, no street address, no IP address, no mother’s maiden name, no nothing is required to register and activate an account with Mullvad!

The 16-digit account number that you are given when you register on Mullvad’s website serves as your sole identifier to Mullvad from then on. Mullvad knows nothing about you. Pay them via an anonymous method and they will still know nothing about you. It doesn’t get any more anonymous and private than that.

Mullvad has a strict no-logging data policy

Policy overview
The underlying policy of Mullvad is that we never store any activity logs of any kind. We strongly believe in having a minimal data retention policy because we want you to remain anonymous.

What we don't log
We log nothing whatsoever that can be connected to a numbered account’s activity.

(from https://mullvad.net/en/guides/no-logging-data-policy/)

A strict no-logging policy is absolutely critical to maintain the privacy of VPN users. Mullvad meets this challenge.

Other important technical privacy features

Mullvad also fulfills the following technical “bullet points” that I consider desirable, many of which I noted in previous articles:

  • maintains its own public non-logging DNS servers
  • supports DNS leak protection
  • supports IPv6 tunneling as well as IPv6 blocking and leak protection
  • supports OpenVPN on a range of custom ports
  • provides a “kill switch” that disables your Internet access if you lose your VPN connection
  • offers only highly secure tunneling and encryption protocols
  • offers port forwarding, SOCKS5 proxy, multi-hopping and split tunneling
  • all OpenVPN servers use DHE for perfect forward secrecy (PFS)
  • etc., etc. (See more info on Mullvad’s “What is a VPN?” page.)

I’ve performed extensive testing for DNS leaks and IPv6 leaks/support when using Mullvad and all tests passed with flying colors. The Mullvad “kill switch” works reliably. Also, I have used the SOCKS5 proxy servers successfully and find them useful for certain circumstances.

Other characteristics that assure security

Mullvad’s VPN application is open-source software. Thus, the programming code is publicly posted and available for anyone to examine and critique. This provides a very valuable method of verifying the robustness of the programming, the validity of the security protocols that are used and the identification and resolution of software issues.

Mullvad only offers the OpenVPN and WireGuard security protocols. The older and insecure Point-to-Point Tunneling Protocol (PPTP) that some other VPNs offer is, admirably, not even available to Mullvad users. OpenVPN, on the other hand, is the currently accepted standard for secure connections. It is open-source and its security has been very well tested. WireGuard is also an open-source protocol that is considered by many to be the most promising VPN security protocol in development. Although WireGuard has not yet achieved full release status, it seems to have no major issues.

I am currently using Mullvad with WireGuard on my iPhone and iPad and have found that the WireGuard claims of near-instantaneous establishment of secure tunneling and low battery consumption are indeed true. (This is a significant improvement as compared to using the OpenVPN protocol on my mobile devices.)

Jurisdiction

This is one parameter of Mullvad that, at first glance, is not quite optimal. Mullvad is based in Sweden, which is a member of the 14-eyes coalition of countries that share “signals intelligence” with one another. (“Signals intelligence,” to put it bluntly, is governmental spying on its own citizens.) Thus, Mullvad is under the jurisdiction of a government that may share covertly obtained information with the other 13 countries in the 14-eyes coalition.

On the other hand, Sweden does not have a “key disclosure law” that, in other countries, can be used to require individuals or companies to surrender cryptographic keys to law enforcement.

More importantly, with its strict no-logging policy, Mullvad retains no sensitive user information on its servers. Thus, even if Mullvad’s servers were to be “raided” by Swedish authorities, no private user information would be found on them.

Furthermore, keep in mind, as stated in the “Choosing a VPN” article on the thatoneprivacysite.net website, “Where the servers you’re connecting to and the people who operate / have control of them are located are more important than where a company is incorporated, to protect yourself from government overreach.”

Thus, although it may be preferable to use a VPN service that is not based in a 14-eyes country, I feel that Mullvad’s strict no-logging policy substantially negates jurisdiction-based risks. If I’m feeling paranoid, I can always connect to one of Mullvad’s servers that is located in a non-14-eyes country to further enhance my privacy.

Access to services

Acceptable speeds, the number and location of servers, and the number of simultaneous connections are moderately important to me.

Mullvad allows five simultaneous connections to its servers. The median number for all the VPNs (nearly 200) listed on the “Detailed VPN Comparison Chart” at thatoneprivacysite.net is three connections. Given Mullvad’s five simultaneous connections, I need not worry that my iMac and iPhone are using the VPN connection in the background while I am actively connected to Mullvad on my iPad. So I can just leave all of my devices connected all the time (and even add a device or two) and not bother signing in/signing out of the VPN connection on the various devices.

As of late 2019, Mullvad offered 282 regular OpenVPN servers (in 38 countries), 103 WireGuard servers and 17 special “bridge” servers (which can help if one is behind a very restrictive firewall). This server count is well above the median for other VPNs of 54 servers and 18 countries in the “Detailed Comparison Chart,” and is more than adequate for my purposes.

Compared to not using a VPN, connecting to the Internet through a VPN will always result in at least some slowdown in speed. I’ve found that the speed and responsiveness of using the Internet via Mullvad VPN is perhaps slightly slower vs. using no VPN. It’s a little hard to objectively judge this, however, without laborious back and forth testing. At any rate, my data transfer speeds are quite satisfactory when using Mullvad.

I was able to perform a few “quick” speed tests comparing NordVPN vs. Mullvad vs. using no VPN on a very fast network at a local university. Download speed tests revealed the Mullvad connection achieved 94% of the speed of the full-bore non-VPN connection whereas the NordVPN connection speed was 47% of the non-VPN speed.

I found some ongoing VPN speed test results (of nearly 20 VPN services) which may be useful at https://www.bestvpn.com/guides/vpn-speed-tests/. (Just be aware that this site is an affiliate of many VPN companies and hence its review results may be biased.) In early 2019, Mullvad was consistently among the top 4 or 5 VPNs in the speed tests done by this site.

Customer Support

The Mullvad website provides a great deal of information about set-up, troubleshooting, features, options, policies, etc. I’ve learned quite a bit by browsing these Mullvad support resources and have found that several questions that I had in mind had been anticipated by Mullvad in that the answers were already there on the website.

Some VPNs offer “online chat” support for customers. Mullvad does not do so. I don’t consider this to be a major drawback because of my positive experience with Mullvad’s email support. I have sent a few email support questions to Mullvad and all of them were answered quickly and to my satisfaction. (Not surprisingly, given Mullvad’s commitment to privacy and security, they offer (and recommend) the option of using encrypted email when dealing with support issues.)

Proactive Planning for the Future

I am impressed that Mullvad is active in preparing for future trends and issues that may affect VPN services. Mullvad has been at the forefront of VPNs in adopting the WireGuard protocol, which implements very promising VPN technology.

Looking even further into the future, Mullvad is working to mitigate the threat of quantum computing against privacy. They already have a “post-quantum strategy” in mind and are testing an open-source post-quantum secure VPN tunnel.

Cost

In early 2019 the average cost of VPN service for the 185 VPNs listed on the “Detailed VPN Comparison Chart” at thatoneprivacysite.net was about $6.00 per month (based on a one year subscription). Mullvad offers a flat monthly rate of €5 (5 euros) which is equivalent to about $5.75 per month, or about $69 per year. Thus, the cost of Mullvad service is quite reasonable and is just a bit less costly than average.

Many VPN services quote an artificially high price for one month of service and then offer a “discount” for an extended contract of one, two or three years. Mullvad does not use this selling tactic. A monthly rate is quoted and customers can choose to purchase from one month to 12 months of service at a time. Hence, there is no need to commit to a year-long contract in order to obtain a reasonable price. Mullvad offers a 30-day money back guarantee (except for cash payments).

Mullvad accepts payment in cash, Bitcoin, Bitcoin Cash, credit card, bank wire, and PayPal. (Two additional methods are available to European customers.) With a little bit of effort, the first three payment methods can be used with complete anonymity.

I would recommend that you consider the cost of a VPN but not let the fee be an overriding factor when entrusting a VPN with your Internet security and privacy. Even if another VPN costs only half as much as Mullvad, you’re only saving $3 a month. Is that savings worth using a less trustworthy VPN?

Corroboration of my choice of Mullvad

PrivacyTools.io is a website that I have found to be independent and unbiased in providing services, tools and knowledge to protect one’s privacy against global mass surveillance. (I have referred to information on the privacytools.io website a few times in my series of VPN articles.)

Several months after writing this final article, I noted that the web page about VPN providers on the privacytools.io site had undergone substantial revision. The “VPN Provider Criteria” that they compiled had been considerably enhanced and expanded. Their updated VPN criteria mesh very well with the VPN requirements that I had formulated. I strongly recommend that you peruse their “VPN Provider Criteria.” It reiterates many points that I have raised relative to choosing a trustworthy VPN.

Also changed on that web page was the previously published list of 18 “VPN providers with extra layers of privacy.” In fact, that list has been replaced by a “Recommended VPN Service” section. In that section, the only VPN recommended by privacytools.io is Mullvad.

Another new section on that page, “Other Providers Worth Mentioning,” lists two other VPNs: ProtonVPN and IVPN. Although these two VPNs are felt to not quite merit a recommendation from privacytools.io, they are rated as being “strong” contenders in the VPN space vs. scores of other VPNs.

Given that the criteria that I have developed for choosing a VPN service and the “VPN Provider Criteria” that privacytools.io has advanced are so similar, one would expect that our choices of “worthy” VPNs would also be similar. This is indeed the case…

Mullvad is my first choice VPN and is also the only VPN that is recommended by privacytools.io.

Furthermore, in my article “Lists of VPNs for Your Consideration,” I presented a final list of seven VPNs that I felt were worthy of further consideration. That list contains not only Mullvad but also the two VPNs that privacytools.io considers to be strong contenders.

Summary

In this article I’ve noted how the Mullvad service fulfills the characteristics of a VPN that I suggested should be evaluated in my previous article, “Summary of How to Choose a VPN.”

I’d like to add this more personal note: I’m sure there are a few other good VPN providers that might also fulfill my basic privacy and security requirements. Yet Mullvad goes beyond that — Mullvad just gives me a warm and cozy feeling in my gut! The more I read about and use Mullvad the more I like them. Somehow, Mullvad feels to me like they are the “good guys.” That sentiment is very appealing to me.

Mullvad has earned my trust.

I hope that this series of articles has at least opened your eyes a bit relative to privacy and security on the Internet. Keep safe out there!