ExpressVPN Features
Rating:5/5
Price:$8.32 – $12.95 per month
Refund period: 30 days
Based in which country: British Virgin Islands (BVI)
# devices per license: 5
# servers: 130 locations in 94 countries
Server locations:Include USA, Canada, UK, Australia, New Zealand, India, Japan, France, and Germany
Streaming sites unblocked: Netflix, Hulu, Disney+, BBC iPlayer, ABC, NBC, ESPN
Supports torrenting: Yes
Does VPN keep logs:Yes
24/7 customer support: Yes
Website: https://www.expressvpn.com

ExpressVPN has been in operation for 13 years and has 3 million subscribers. This business is owned by Kape Technologies and is one of the leading user-friendly VPN providers that took the private virtual network concept from an obscure technology that few understood into a standard feature on many desktops.

If you just want a good ease-of-use app for a secure VPN to get into US Netflix from anywhere in the world, access gaming sites safely, or download movies without the fear of being arrested, this is the VPN to choose.

The biggest issue to confront about ExpressVPN is its price – it isn’t cheap. However, the company would argue that Prada, Ferrari, and Rolex don’t compete on price either. If you want the best, you need to be prepared to pay for it.

Any VPN buyer has to play off requirements against budget. There are many cheaper VPNs available, and there are hundreds that are free. So, why pay for ExpressVPN? Unsurprisingly, just about all of the free VPNs are useless. They won’t provide effective privacy, and many have even been found to contain spyware and website highjacking routines. Astonishingly, many of the paid VPN services are no good either.

You might not need a VPN service that ticks all boxes of speed, strong security, and the ability to avoid geoblocking, in which case, you can explore other options. If you don’t want to compromise on the quality of service, ExpressVPN is the VPN provider to go for.

This section is where we get into the scientific and legal issues surrounding the ExpressVPN service, which will get very technical. However, the digestible version of this category of the review is:

  • Good legal protection
  • Strong encryption
  • Sufficient anonymity

The rest of this section is written for those who want detailed evidence before they make a purchase decision. If you don’t want to get bogged down in science, you can skip on to the next section. Now let’s crack open the ExpressVPN service and expose its anatomy.

Legal protection

The company’s location that provides your VPN can help you avoid legal issues. The entertainment industry in the USA has a lot of content that everyone wants to get without paying the asking price, so that sector has developed very aggressive legal tactics to defeat VPNs.

There are several examples of US entertainment lawyers forcing VPN services to divulge their client lists. They can do this without the targets of investigations being notified. One way to avoid prosecution in the USA for illegal downloading is to get a VPN service based somewhere obscure.

ExpressVPN has its head office in the British Virgin Islands (BVI). This is an overseas territory of the UK, and it is a few small islands to the east of Puerto Rico.  So, if US lawyers want to pummel the VPN service, they will need to fly to the BVI.   

If you have seen the movie The Laundromat or read about the Panama Papers, you might have heard of the BVI. The judges and legislators there are not quite up to speed on international technology … and don’t want to be. The same sunny negligence that gives tax avoiders legal protection in the BVI also benefits VPN users. US corporations don’t waste their money fighting legal cases in the British Virgin Islands.

A note on internet privacy

Data moves around networks and the internet in packets. A data packet’s header includes its source and destination addresses; this is how services like Netflix know which requests to block. This is also how your internet service provider (ISP) can block access to sites such as The Pirate Bay.

Data security is provided by encrypting the payload of a packet; connection privacy is provided by encrypting the entire packet, including its header. VPNs work through a system that is called “encapsulation.” This places a packet inside another packet. Routers need to be able to read a packet’s destination address; if the header is encrypted, it is impossible to know where to send the packet. So the carrier packet has a plain-text destination address on it, but this is the VPN address and not the address of the banned site that you want to access, which is buried in the encrypted header of the inner packet.

ExpressVPN privacy protection

The ExpressVPN app offers two VPN protocol options: OpenVPN and Lightway protocol. Both are open source and operate in a similar fashion. You can choose whether to run these protocols over TCP or UDP.

If you install the ExpressVPN app on macOS or iOS devices, you get the option to use IKEv2/IPSec. In the past, ExpressVPN offered PPTP, L2TP, and SSTP, but these are no longer supported. You can turn on the ExpressVPN service and connect to the Tor network. However, a specific Tor option is not built into the ExpressVPN app. WireGuard is not offered by ExpressVPN.

Whichever VPN protocol you choose, the VPN app encrypts all packets and places each into an outer packet with a plain-text header addressed to the VPN server you chose in the app. When the ExpressVPN server receives each packet, it removes the outer packet, decrypts the inner packet, and sends it on its way.

When your protected internet traffic passes through the gateway of your internet service provider, government-mandated activity logging procedures can’t see where that packet is really going – it just sees the ExpressVPN server address. Lawyers can force ISPs to hand over activity logs and trace an IP address to ExpressVPN, but then they are up against the legal system of the BVI.

ExpressVPN session encryption

The best way to undo the work of a VPN is to crack its encryption.  The privacy protection in ExpressVPN comes from a symmetric encryption cipher called AES-256. This is the Advanced Encryption Standard, which was commissioned by the US government to protect its own internet transmissions. That includes all of the communications of the US military.

The strength of an encryption cipher increases with the length of its key. ExpressVPN uses a 256-bit key for its AES encryption, which is the longest key available and provides uncrackable protection.  

There is no point in trying to crack AES-256 encryption. However, the system has a weak point: both sides in the connection need to share the key. The same key is used to encrypt and decrypt a message.

ExpressVPN session establishment

All a snooper needs to do to crack AES encryption is to get the key. So, there needs to be protection for the transmission of the AES key, and in VPN protocols, this is provided by asymmetric key encryption, also known as public-key encryption.

ExpressVPN uses RSA encryption to protect the transmission of the AES key. This is the same encryption system used for Transport Layer Security (TLS), which protects HTTPS secure Web page transactions.

The effective security of public-key ciphers is much weaker than symmetric key encryption systems. This is why ExpressVPN, like other VPN services, switches to a symmetric key system as soon as possible. While symmetric-key systems have key lengths in the order of hundreds, keys for public-key systems are measured in the thousands.

Most VPN systems in the world – particularly the free ones – use an RSA key 1024 bits in length. Most paid VPNs use an RSA key length of 2048 bits. ExpressVPN uses an RSA key that is 4096 bits in length. This is the strongest encryption that you will find in any VPN.

Don’t bother with a VPN that uses 1024-bit RSA encryption for session establishment because even the RSA organization now declares it unsafe.

DNS protection

Routers on the internet don’t understand the website addresses (known as URLs) that you type into the address bar of your browser; they only understand IP addresses. Before a browser can send a request for a Web page, it needs to discover the IP address of the server that hosts that site. That IP address goes in the packet header for the page request.

The mechanism that holds the cross-reference between website names and Web host IP addresses is called the Domain Name System (DNS). By default, your browser uses a DNS server specified by your ISP.

Almost every ISP blocks access to a large number of websites by sink holing the IP address for that website. For example, if you try to access ThePirateBay.org, your browser will display a message that tells you that the website doesn’t exist or that the site can’t provide a proper security certificate. This shows that you are being manipulated by your ISP.

ExpressVPN has its own private DNS system that evades ISP site blocking tricks. Cheaper VPNs don’t offer a private DNS service. This not only leaves those VPN clients, victims, to sink holing blocks but also exposes that user’s activity to the ISP logging system. This is known as a DNS leak; you don’t have that problem with ExpressVPN.

Another DNS service built into ExpressVPN is a smart DNS that operates in the browser extension. this gets around access blocks for streaming but doesn’t offer security.

IP leak protection

A lot of VPNs don’t offer protection from snooping and interference all of the time. Sometimes, traffic gets exposed, and the real destination of your connections gets revealed – this is called an IP leak. You don’t get IP leaks with ExpressVPN.

There are three main reasons that IP leaks occur:

  • The user forgets to turn the VPN on
  • The user turns the VPN off
  • The connection drops, breaking the VPN, then reconnects without the VPN

Although ExpressVPN can’t force its subscribers to keep the VPN turned on, there are features in the ExpressVPN app functionality that make keeping protection constantly active a lot easier. ExpressVPN provides unmetered charging and unlimited bandwidth, so there is no cost benefit to turning the VPN off from time to time.

Another reason that a VPN subscriber would turn the service off is that it slows the connection down to the point where the activity is impaired. This is particularly the case with video streaming or online games. One of the main reasons that your game suddenly slowed is because the internet connection performed badly.

Almost all VPNs slow down connections. The very cheap and free VPN service will slow down your connection to the point where you can’t do anything within a reasonable space of time. Just checking your email with some VPN services turned on can take forever.

ExpressVPN is very fast. Not only does it have almost no impact on connections, but its superior carrier agreements with trunking services mean that, for international connections, turning the ExpressVPN app on can increase your internet connection speed.

A setting that you will be asked about when the ExpressVPN system installs itself is whether to turn on the VPN at the system start up. It is a good idea to say yes to this offer because it removes the need for you to remember to turn the VPN on.

ExpressVPN Network Lock

One security feature that is available to you in the ExpressVPN app sounds frightening, but it is actually a good thing: the kill switch. ExpressVPN calls this the Network Lock.

The kill switch places a permanent block on your network card so that it will only receive traffic from your VPN. Don’t worry – the kill switch doesn’t permanently break your network card; you can turn the service off whenever you want. If you decide to stop subscribing to ExpressVPN and remove all of its software, the kill switch procedure also gets removed.

If your computer loses an internet connection, it will work quickly to re-establish the link. This means that an action that was being carried out at the time, such as opening a Web page, will take longer than usual, but it will go through eventually, so you won’t realize that your connection was dropped.

Although connections can be re-established quickly, the break will end the VPN session, and the reconnection processes will carry on in the normal way, ignoring the VPN. Thus, you turned the VPN on and then surfed to a website that you don’t want your ISP to know about. Sometime later, you notice that the VPN is not on, so the ISP has been logging your access to that no-longer-secret site. Thus, you need the Network Lock.

Internet anonymity

Anonymity and privacy are almost synonymous. Privacy is key to blocking internet controls – if your ISP doesn’t know what you are doing, it can’t stop you from doing it. However, there is still the danger that you could be traced.

The governments of most advanced economies have placed legal obligations on ISPs to log all the connections that it puts through from their clients to the wider world. Ordinarily, this is not a problem.

These logging requirements provide a paper trail. ISP logs allow government agencies and copyright lawyers to check what you were doing on the internet. This is why connection privacy is not enough. You also need anonymity.

A VPN can offer two types of anonymity: account anonymity and activity anonymity. Account anonymity requires a methodology that blocks the trail to a payment source, such as a bank account.

Examples of anonymous payment systems include voucher programs and gift cards. PayPal and also Bitcoin and other cryptocurrencies used to be considered completely anonymous. However, it now emerges that authorities have ways to trace the true owners of cryptocurrency wallets, so this method is not completely without risk.

Activity anonymity relates to the existence of logs. VPNs offer shared servers that forward all traffic out onto the internet for all clients from the same IP address. Anyone tracking connection to a specific target backward will reach the VPN server you are using. However, that won’t let them identify you as the specific VPN user connecting to that banned system.

Clients are referenced by a port number tacked onto the address, and the VPN system needs to keep track of the mapping between these two addresses. This is called Port Address Translation (PAT). It is important that these records are not retained once the session is closed.

ExpressVPN anonymity measures

ExpressVPN accepts payment by Bitcoin. As explained above, this doesn’t provide total anonymity anymore because Bitcoin can be traced. There isn’t a gift card payment option. The main payment options are credit cards and PayPal, which do not offer anonymity.

ExpressVPN operates shared servers with port address translation (PAT). Many other customers will have their internet traffic passing through the same VPN server as yours.

All of the traffic for all of the clients logged into one ExpressVPN server has the same source IP address on it. Unusually, the ExpressVPN system retains its address translation table in memory (RAM) and never writes it out to the hard drive. So, in theory, your activity can be traced if the police raid the data center when your session is active and prevent technicians from turning off the computer. However, such raids never happen. Once you end your connection, the PAT table entry for you is wiped.

ExpressVPN keeps long-term records of its customers’ activity. These record connections to a location with the date and data throughput of each session. It doesn’t log which server was connected to, which sites were visited, or the time of day.

It isn’t clear why ExpressVPN keeps those connection summary details. There are VPNs available that don’t do that, providing a complete no-logs policy. However, ExpressVPN doesn’t keep logs on which clients accessed which sites through the service.

ExpressVPN provides apps for desktops, laptops, and mobile devices. The list of operating systems that has an ExpressVPN app written for it is:

  • Windows
  • macOS
  • Linux
  • Chromebook
  • Android
  • iOS
  • Fire TV

You can install a browser extension for ExpressVPN in:

  • Chrome
  • Firefox
  • Edge

The ExpressVPN app can also be loaded onto Chromecast, Samsung smart TVs, Apple TV, and Roku. It is also available for Nintendo, Switch, Xbox, and PlayStation game consoles.

You can install apps on as many devices as you like. However, only five can be connected to the service simultaneously. Account sharing is not allowed except when all account users are members of the same family.

An advantage that ExpressVPN has over other VPN services is that it produces an app for routers. A router install counts as only one of the five-device allowance. You can get all of the devices in your home covered by the router VPN and then use your other four device allowances outside of the home.

The browser add-on is great, but it will only cover the browser, so if you have other internet-connected apps running, such as a torrent downloader, they won’t be protected. If the browser version is active, it counts as one device in your simultaneous connection allowance.

ExpressVPN is one of the few VPN systems that really cracks split tunneling. This is a method that you can use to exclude some applications from the VPN. The split tunneling features are available in the apps for Windows, macOS, Android, and routers.

ExpressVPN doesn’t publish the exact number of servers that it operates, but it must be assumed that it has at least one server in each listed location, and it has 130 locations. These are spread across 94 countries, with one location each in most nations.

In the USA, ExpressVPN operates servers in 16 cities. These are:

  • Atlanta
  • Chicago
  • Dallas
  • Denver
  • Lincoln Park
  • Los Angeles
  • Miami
  • New Jersey
  • New York
  • Phoenix
  • Salt Lake City
  • San Francisco
  • Santa Monica
  • Seattle
  • Tampa
  • Washington DC

One surprising absence from the list of countries in which ExpressVPN operates is India. The provider used to have servers there but withdrew in April 2022. This was in response to data retention laws from the Indian Computer Emergency Response Team that VPNs collect activity records and store them for five years. The company can provide access to websites in India via a proxy in London or another located in Singapore.

ExpressVPN is one of the leading VPNs for unblocking location locks. These blocks are particularly prevalent in video streaming services because entertainment companies pay for licensing rights for shows and movies based on territories.

For example, one company might have the right to show a particular movie in France, so if Netflix wants to buy it for all other territories, it would have to ensure that viewers in France can’t see that movie. Netflix is unusual because it is global. There are few other streaming services that have the same international reach.

For example, Hulu only streams in the USA, so its account creation checks take care of blocking out most attempts at cross-border access.

ExpressVPN can unblock all of the major streaming services for entertainment and sport. The key services that the provider claims that it can get into across borders are listed below, together with an indication of whether we tested the service.

ServiceTest
NetflixTests confirmed for access to the USA and France from the UK
Disney+Tests confirmed, accessing the USA from the UK
HuluSubscriptions to this service can only be made within the USA
BBC iPlayerTests confirmed, accessing the UK from the USA
ITV HubTests confirmed, accessing the UK from the USA
Channel 4Tests confirmed, accessing the UK from the USA
ABCTests confirmed, accessing from the UK
NBCTests confirmed, but access from the UK was possible without a VPN

ExpressVPN can also unblock ESPN, Amazon Prime, HBO, and YouTube TV.

ExpressVPN offers one service, but there are three payment plans, and the single variation in them is the payment cycle. Choosing a longer payment cycle provides a cheaper price per month. However, you have to pay for the entire ExpressVPN subscription period upfront.

    • One-Year Plan: $99.84 ($8.32 per month)
    • Six-Month Plan: $59.94 ($9.99 per month)
    • Monthly Plan: $12.95 per month

All new subscriptions, even on the One Month Plan, are entitled to a 30-day money-back guarantee. All you have to do is cancel your subscription before you have had the package for 30 days and get all your money back, no questions asked.

We examined the performance of the ExpressVPN service to identify whether it would slow down connections (latency). These tests were carried out in the UK on public Wi-Fi hotspots provided by Sky UK’s The Cloud. This service is owned by Comcast, which operates the same technology in the USA as the Xfinity Hub network. Tests on ExpressVPN speed were carried out using the Ookla system at speedtest.net.

Download and upload speeds

First, to establish an internet speed baseline, we tested a connection to a nearby server:

 The download speed shown was 11.61 Mbps, and the Upload speed was 0.93 Mbps. As seen below, turning on the VPN set within the UK didn’t make much difference to performance.

A big performance issue arose when testing the unprotected connection to a remote destination – this test went to Sydney, Australia:

As can be seen, a connection to the other side of the globe was slow, providing a download speed of just 1.48 Mbps, but the upload speed of 0.83 Mbps was very similar to the speed of a local connection without the VPN.

Turning on the ExpressVPN service with the server set to East London, it can be seen that the VPN dramatically improved the transfer speed on the connection:

The download speed improved to 11.02 Mbps, similar to the speed shown without a VPN on a local connection.

This pattern of performance continued no matter where the selected VPN server was. For example, channeling a connection to Sydney through a VPN server in New York, USA, gave a download speed of 11.69 Mbps and an upload speed of 0.92 Mbps. Connecting to Sydney while channeling traffic through the ExpressVPN server in Hong Kong gave a download speed of 10.46 Mbps and an upload speed of 0.85 Mbps.

This experiment shows how the trunking agreements signed by a VPN service for long-distance connections can actually improve the speeds offered by an unprotected connection.

IP, DNS, and WebRTC leaks

IP leak tests on the IPLeak.net website showed that there were no IP leaks in the ExpressVPN service.

The results for DNS performance were a little more complicated. The testing system detected the presence of 44 DNS servers. However, none of these was the DNS server used by the underlying service provider for the unprotected connection. So, there were no DNS leaks.

The fact that the testing system could not detect the Sky Cloud IP address shows that there were no WebRTC leaks.

  1. Sign up for a subscription at the ExpressVPN website after you have decided what payment plan to go for. You will see the subscription price advertised in your local currency, but you will actually be charged in US dollars no matter which country you are in.
  2. The system will generate a password for your account – your account name is the email address that you entered. After noting down the password and clicking on the next screen, you will be presented with a download page.
  3. This screen has links to download all of the desktop versions of the app; for the mobile versions, you need to go to the app store for your device’s operating system.
  4. The download screen also shows an activation code, which you will need to enter into the app. The page detects your operating system and displays a quick download button for the app that matches it.
  5. Click on the downloaded app to run the installer. You won’t be asked any questions during the installation process. Once it finishes, the app appears.
  6. Click on the Sign In button. You don’t need to enter your username and password to open the app, just the Activation Code.
  7. Click on the Continue button to proceed.
  8. You will then be asked whether you want ExpressVPN to launch on startup. It is important to click OK here to avoid IP leaks.
  9. The next screen asks you to allow the app to upload crash reports when things go wrong. You then get into the app.
  10. Click on the displayed location if you want to change it. Once you are happy with your choice of VPN server. Click on the big button to connect.
  11. Click on the same button to disconnect.
  12. The installation process creates a shortcut icon on your desktop. Click on this to open the app. After your first visit, the app does not require the Activation Code to run, and you don’t have to enter any login credentials either.
  13. You can see your account details by clicking on the My Account link at the top of any screen on the ExpressVPN website. You need to enter your username and password to get to this screen.

The mobile app must be downloaded from the Store for the mobile operating system. For example, you get the Android app from Google Play. Once the app has been downloaded and installed, you need to enter the Activation Code to get it to operate. You don’t need to enter that code on subsequent visits.

The display for the mobile app is almost identical to that of the desktop app. However, it has a few more features on the main screen, showing time spent on the VPN service. The image below shows the desktop app for Windows on the left and the mobile app for Android on the right.

The connection speed influence of the mobile app showed similar performance to the desktop system. That is, local VPN connections showed similar speeds to the unprotected connection, and international VPN connection speeds were close to those of the local connection, considerably faster than an unprotected connection to Sydney.

Will ExpressVPN let me watch Chinese TV from abroad?

ExpressVPN doesn’t have servers in China, but you can access the streaming services of the big Chinese free-to-air broadcasters in Hong Kong, and ExpressVPN does have servers there.

Can I use ExpressVPN for torrenting?

ExpressVPN does not forbid file sharing activities, and it doesn’t specify specific servers for the activity. You can use any of the ExpressVPN servers for torrenting.

Is ExpressVPN a fast VPN?

ExpressVPN is one of the fastest VPN services available. This means it is a very good choice for people who want to transfer large files, play live online games, or access video streaming services. There are no broadband capacity caps or data throughput limits.

Is ExpressVPN a firewall?

ExpressVPN acts as a firewall because the service makes it impossible for outsiders to work out your real IP address, and the VPN client on your computer will only accept traffic from the ExpressVPN server. That blocks any traffic a hacker might try to inject into the stream. Traffic between your device and ExpressVPN is fully encrypted.

Does ExpressVPN block infected files?

ExpressVPN doesn’t scan the contents of your internet traffic, so if you download a virus, the system won’t be able to block it. You should ensure you have a malware protection package and the ExpressVPN service.

To sum it up

ExpressVPN is very successful because it strives to be the best in every category. It has strong encryption, can evade detection in China, and has a wide distribution of servers in many countries. The service is fast and so it won’t ruin your video streaming or seize up your online game.

This is an excellent VPN but whether or not it offers good value for you depends on your own activities. Make a list of the services that you really need from a VPN, and then look for VPN providers that match those requirements. ExpressVPN will certainly be on that list, but it won’t be the only one. Make sure you also check out NordVPN, CyberGhost, Private Internet Access, Surfshark, and IPVanish.