ProtonVPN Review (2023)
Proton is a Swiss privacy services creator that began with a secure email service called Proton Mail. The company now offers a secure cloud file server called Proton Drive, an appointment scheduler called Proton Calendar, and a VPN service called Proton VPN. All of these services have a free plan, and it is also possible to get a bundle that includes all of these four services.
What we like
- The free plan is great
- Simultaneous connection allowance of ten devices
- Bundle plans offer secure file storage, email and calendar as well
- Private mini-Tor
- Connects to Tor network
- App for Ubuntu, Debian, Fedora, Manjaro, and Arch Linux
What we don't like
- Connection profiles and threat models are complicated
- The free version only gets three server locations
- No browser extensions
|Price:||$0 – $11.99 per month|
|Refund period:||30 days|
|Based in which country:||Switzerland|
|# devices per license:||10|
|Server locations:||89 locations in 64 countries, including the USA, Canada, the UK, Australia, New Zealand, India, Japan, France, and Germany|
|Streaming sites unblocked:||Netflix, BBC iPlayer, and Amazon Prime Video|
|Does VPN keep logs:||No|
|24/7 customer support:||No|
Proton Technologies AG is based in Switzerland and started up business in 2014. The company’s founders are some of the cleverest technicians on earth, they met while working at CERN, where some of them contributed towards the creation of the Hadron Collider. One of the company’s board members is Sir Tim Berners-Lee – the guy who invented the World Wide Web.
The business’s first product was Proton Mail, a secure email service. Proton VPN followed in 2017. The VPN service, like Proton Mail, is packed with security features. The system is open source, which means that its source code is published. However, the operational security measures in the VPN service mean that this transparency isn’t a security threat – no one can break into the system even though they know how it works.
A major feature of the Proton VPN system is its ability to connect to the Tor network. Proton also presents a mini Tor system of its own, which routes traffic through multiple VPN servers. This is called Secure Core, and it is similar to the double-hop VPN connections that are possible with rivals NordVPN and Windscribe.
The Proton VPN double hop system is offered with the first stretch passing through a location that has tight national privacy laws. There are in Switzerland, Iceland, and Sweden. This adds extra privacy controls to connections that pass through countries that have weak protection for consumers.
To strengthen the protection offered by Secure Core servers, Proton Technologies AG runs them in their own data centers. Proton VPN servers operate at high speed, and each has a 10 Gbps throughput rate.
The free plan of Proton VPN only gets access to servers in the USA, the Netherlands, and Japan. This VPN server network doesn’t have the same high speeds offered by the paid plan.
Privacy and security
The layers of security offered by Proton VPN and other Proton products simultaneously offer privacy. Security systems protect data from theft or damage; privacy systems block snoopers from tracking the activities of an individual. The steps that Proton VPN takes to protect both security and privacy are very effective.
The founders of Proton Technologies AG were based in Switzerland when they met each other – they all worked at the European Nuclear Research facility, CERN. This location is very fortunate for the VPN provider, and the exceptional privacy protection offered by the Swiss legal system must have been an influence on the founder’s decision to create their secure system where they already lived.
Switzerland has three laws that specifically relate to data protection and the individual’s right to privacy. The result of these laws is that it illegal to track the online activities of individuals or businesses in the country. Another advantage is that the IP address is classified as personal information in Switzerland even though, technically, in most cases, the IP address used by an individual’s computer belongs to its Internet service provider.
The Proton team researched the privacy and internet-related laws in other European countries and discovered that both Iceland and Sweden had equally excellent conditions for a VPN service.
Internet activity tracking
In many countries, not only is it legal for internet service providers (ISPs) to track the activities of their customers, it is demanded by the law. Not only are ISPs required to track online activities, but they are ordered to write those records to disk and store them for between six months and two years.
The purpose of these records is to provide source information for copyright lawyers and law enforcement agencies. This function is a particularly big threat to people who use P2P networks for file sharing.
Proton VPN logging policy
One of the reasons people subscribe to VPN services is to provide protection when torrenting. You can be traced in two directions. Copyright lawyers sometimes manage to sue the owners of torrent tracker websites, shut them down and get their connection logs. These records list the IP addresses of all of the connections made to the site’s server. They trace the IP address to the ISP that manages it and get a court order for their logs. With this information, they can see which customer was using that address at the time shown in the banned site’s connection logs. Then they get to you.
The other direction is to get the ISP’s activity records and see which users have connected to file sharing systems. This avenue is difficult in most countries because the lawyers need specific reasons to suspect individuals in order to get a court order for those ISP logs. However, in some countries, the process is not too difficult.
The VPN blocks the trail in both directions. A VPN user has an app on the protected device, which connects to a VPN server through an encrypted session, which is called a VPN tunnel. All communications over the internet from that device get diverted through the VPN server. This masks the real destination IP address of all traffic and confounds ISP logging.
All of the outgoing data packets that VPN services process for their customers get the source address replaced by an IP address that points to the VPN. So, if a lawyer is tracking back from a website, the path leads to the VPN server.
Receiving responses, the VPN server looks at its cross reference table to see which client is represented by the substituted IP address and sends the response on to that real IP address. That cross-reference system is officially called Network Address Translation (NAT). Proton VPN uses a double NAT process for extra security.
If a VPN stores that cross-reference long term, it creates an activity log that can be seized. Therefore, VPNs only provide real privacy if they don’t store those logs. Proton VPN has a no-logs policy, which is verified by audits carried out by an external organization.
The business maintains a Transparency Report on the Proton VPN website that details the implementation of its no-logs policy.
Proton VPN protocols
Network and Internet systems need to be organized along common guidelines. There is no point in one business creating its own rules on how to internet connections because the systems that are contacted won’t be compatible. Therefore, there are many freely available guidelines that Internet-active systems have to follow. These are called protocols.
Proton VPN offers four VPN protocols. These are:
- OpenVPN – This is the most widely-used VPN protocol in use in the VPN industry. It is provided by a freely available open-source library of functions.
- WireGuard – This is also a free, open-source system. It is new and is rapidly catching up with OpenVPN in popularity because it performs the same processes with greater efficiency.
- IPsec – This protocol operates right down at the network level, which makes it very efficient, and so it is widely used for mobile devices, which need to save on battery power.
- IKEv2 – The IPsec system is so low-level that it isn’t able to negotiate session parameters, such as encryption cipher and keys. So, the system has to be paired with a higher-level encryption key management system, and this is the function that the IKEv2 protocol performs.
The availability of these protocols in the Proton VPN app for each operating system is:
- Windows app: OpenVPN and WireGuard
- macOS app: OpenVPN, IKEv2/IPsec, and WireGuard
- Android app: OpenVPN, IKEv2/IPsec, and WireGuard
- iOS app: OpenVPN, IKEv2/IPsec, and WireGuard
- Linux app: OpenVPN
Session management is handled by a group of guidelines that are called Transport Layer protocols. These systems don’t all have to be used at the same time. In fact, the two main protocols were designed to be alternatives to each other. These are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
TCP is called a connection-oriented system because it performs functions that verify that the other end in a link received all of the packets that were sent and will retransmit one if it got lost. The protocol also buffers packets as they arrive to make sure that they arrive in order – it will put them back in the right sequence if they don’t.
TCP slows down a connection, and that is a big problem for interactive applications, such as internet telephony or video chat. In these cases, the loss of a millisecond of data is less of an issue than holding up a data stream for buffering.
Therefore, there is an alternative Transport Layer system, which is lightweight. This is UDP. The User Datagram Protocol is called a connectionless system because it does almost nothing. It doesn’t maintain a connection or provide any guarantees over packet arrival, and that makes it a good choice for interactive processes.
OpenVPN can be run on TCP or UDP. WireGuard only operates with UDP. IPsec functions below the Transport Layer, so whether it uses UDP or TCP is not an issue. IKEv2 works with UDP.
VPN protocols procedures
Data travels around the internet in segments. Each segment has a header put on the front of it, and this has administrative data in it, such as the source and destination addresses. This structure with the payload and the header together is called a packet.
The VPN app that you install on your device is the VPN client. It manages VPN connections. Before turning the VPN on, you choose a server from a list. The VPN app then contacts that server and agrees on an encryption formula. The internet connection then becomes a VPN connection.
All packets passed between the VPN app and the VPN server are encrypted, including the packet headers. Routers on the internet need to be able to read packet headers so that they can know where to send the packets, and that isn’t possible when the headers are encrypted. So, the VPN client places the entire encrypted packet in the payload of another packet and addresses that to the VPN server.
The inner, encrypted packet is the real packet, and its header has the destination of the Web server that your browser is trying to contact. On receiving these packets, the VPN server extracts that inner packet and decrypts it. It then places its own address in the source address field of the header and sends the packet to its destination.
Every computer connected to the internet has to have a unique address, called an IP address. Because of the way that this series of addresses is distributed, to ensure that they are not duplicated, each IP address can be linked to a physical location. The benefit of using a proxy service is that it is a way to change your IP address.
When you connect to a VPN server, all of your internet traffic travels out of that server to its final destination, with the VPN server’s address on it as the origin of the request. Thus, though you might be in Japan, you can appear to be in the USA by connecting to a VPN server in the USA.
The contacted Web server only has the VPN server’s address to reply to. The VPN server receives the replies and passes them back to your computer with the same encryption method that the VPN app used.
Thus, your ISP cannot know what Web servers your computer is contacting.
Proton VPN encryption
Proton VPN uses a 256-bit key for its AES implementation, this is expressed as AES-256. A key is a variable in the encryption formula. Changing the value for the key completely alters the transformation of the original text. Hackers can guess the key by trial and error. However, the longer the key is, the longer it takes to guess. AES-256 would take more than a lifetime to guess, so it is very secure.
The Advanced Encryption Standard (AES is very secure, but it is a symmetric key system, which means that the same key is used to encrypt and decrypt data. This means that one side needs to send the key to the other side, which is a security system.
Proton VPN uses a public key encryption system called RSA to protect the transmission of the key. A public key system uses a pair of keys that are related but different. One encrypts, and the other decrypts. You can’t decrypt text with the encryption key, and you can’t guess the decryption key by looking at the encryption key. So, as long as the decryption key is kept private, it is safe to make the encryption key public.
During session establishment, the VPN app uses the VPN server’s public key to encrypt a message, and only the server can decrypt it. Similarly, the VPN server uses the VPN app’s public key to send messages, which includes the transmission of the AES key. Proton VPN uses a 4096-bit key for its RSA implementation. This seems very long compared to the 256 bits for the AES key. However, public key ciphers need much longer keys than symmetric key systems in order to be secure.
For a comparison of rival VPN systems, ExpressVPN, NordVPN, IPVanish, and CyberGhost use AES-256 with RSA-4096, Surfshark, and VyprVPN use AES-256 and RSA with a 2048-bit key.
The WireGuard system uses ChaCha20, another symmetric key cipher, instead of AES, and it uses a 256-bit key for that.
Proton VPN DNS leak protection
Web browsers use an addressing system called URLs that are based around domain names, such as nestvpn.org or google.com. These addresses are meaningless to routers on the internet because they work with IP addresses. Every domain name is mapped to the IP address of the Web server that hosts the site.
This mapping between domain names and IP addresses is held on a globally distributed database called the Domain Name System (DNS) to save your computer time, your ISP runs a DNS resolver, which delivers the IP address to your browser.
ISPs can use DNS queries to block access to banned websites by returning a dead-end fake IP address for the sites that it doesn’t like. The ISP can also use DNS queries to log your internet activity.
Proton VPN runs its own DNS resolver, and while you have the VPN service turned on, all DNS queries go down the VPN tunnel to that private DNS server. Thus, your ISP cannot block your activities or log the sites you visit as long as you keep the VPN turned on.
Proton VPN IP leak protection
An IP leak is an unintentional disclosure of an actual packet header containing its real destination address. The VPN app ensures that all internet traffic can only go to the VPN server before being forwarded to its real destination, and all traffic is thoroughly encrypted. The VPN server sends all of the incoming packets that it receives back to the VPN app in an encrypted format. Therefore, an IP leak just can’t happen when the VPN is turned on.
The only event that a user of Proton VPN needs to be aware of is if the VPN turns itself off. This can happen with any VPN service. If the VPN session ends without the user realizing it, regular use of the internet will continue unprotected.
The reason for this behavior is that VPN connections are sensitive, particularly protocols that run over UDP. While your internet connection is kept alive by TCP, the connectionless nature of UDP means that the VPN will easily assume that the session has ended if no activity is being transacted.
So, the VPN session will end while the internet connection continues. In this case, the user needs to be aware of the situation. Proton VPN has a mechanism called a kill switch that helps with this issue. If the kill switch is turned on, nothing gets onto the internet unless it is processed through the VPN app. If the VPN app does not have an open VPN connection, no traffic can get onto the internet.
VPN users soon notice when they no longer have internet access, and after a few occurrences of this, they realize that they need to turn the VPN back on. The kill switch can only work if the VPN app is open.
You can set up a condition in the Proton VPN app that permanently leaves communication from specific packages or to specific websites outside of the tunnel. This concept is called split tunneling. Having that designated traffic travel without protection isn’t regarded as an IP leak because its unprotected state is intentional.
Split tunneling can be implemented as either a split-include or a split-exclude. With the split-include mode, only named traffic goes through the tunnel, and everything else is left unprotected. With split-exclude, traffic to the named apps and sites stays out of the tunnel, and everything else travels in an encrypted state to the VPN server.
The split tunneling utility is only available in the Proton VPN apps for Windows and Android.
One of the main purposes of VPNs for private individuals is to get around regional restrictions of websites and streaming services. You might want to watch the main TV channels of another country, such as the USA or the UK. These channels usually show their programming live on the Web and also provide a catchup library of entertainment. However, they are only intended for viewing from within their home country, and they can tell when people from abroad try to get access.
If you are traveling, it can be annoying to have to miss out on TV from home. However, connecting to a VPN server in your home country gets you into the TV station websites for your favorite channels.
If you have a subscription to Netflix, Disney+, and Amazon Prime Video, you can still access the service when you are abroad. However, you get the video library for the country that you are in rather than the country that you are from. You can unblock these restrictions with a VPN.
We tested the Proton VPN system using the WireGuard protocol with a number of well-known streaming services, and here are the results:
|Netflix||Tests confirmed for access to the USA, the UK, France, and Japan|
|Disney+||Tests confirmed for access to the USA, the UK, France, and Japan|
|BBC iPlayer||Tests confirmed access|
|ITV Hub||Tests confirmed access|
|Channel 4||Tests confirmed access|
|ABC||Tests confirmed access|
|NBC||Tests confirmed access, but the video took a very long time to load|
Some of the servers don’t work as well as expected, although we only accessed the servers that were flagged for streaming, we couldn’t get streaming access into Netflix in the UK until the third server that we tried.
Proton VPN pricing
Proton VPN has two packages: Proton Free and Proton Plus. The Proton Plus package is the paid version. You can pay The Proton Plus plan can be paid on three subscription cycles: one month, one year, and two years. The two longer packages are discounted for the first payment period.
- One month: $9.99 per year
- One year: $119.88 ($9.99 per month) discounted to $71.88 ($5.99 per month) for the first year
- Two years: $239.76 ($9.99 per month) discounted to $119.76 ($4.99 per month) for the first year
These packages are available on the Proton VPN website, and all subscribers get a 30-day money-back guarantee.
You should also take a look at the service packages that are available on the main Proton site. These bundle together the four services of Proton – VPN, Mail, Drive, and Calendar, for little more than the VPN-only package.
The options are:
- Proton Free: $0 per month
- Mail Plus: $4.99 per month or $47.88 per year ($3.99 per month)
- Proton Unlimited: $11.99 per month or $119.88 per year ($9.99 per month)
You can pay for any Proton or Proton VPN subscription with a credit card, Bitcoin, PayPal, or cash. For cash payment, you need to email Proton for instructions.
We examined the performance of the Proton VPN service to record its influence on connection speed. The paid Proton Plus service, used for these tests, has no bandwidth restrictions, the basic plan, which is free, does have limited bandwidth and so might slow down connections more. These tests were carried out in the UK on The Three network with the Proton VPN app protocol set to WireGuard. Tests were carried out using the Ookla system at speedtest.net. In each test condition, five test runs were carried out, and the mean of these was taken for the result.
First, to establish a performance baseline, we tested a connection to a nearby server without the VPN turned on:
The mean download speed was 8.16 Mbps, and the mean upload speed was 6.37 Mbps, connecting to a test server in London.
Using Proton VPN through a VPN server in London and connecting to the same test server in London, the mean results were:
The download speed increased significantly to 13.80 Mbps, and the upload speed was 4.82 Mbps. Without the VPN, the tests did achieve these speeds briefly but could not sustain them. The VPN kept the connection at a consistently higher speed than offered without the Proton system being turned on.
Long-distance connections across the internet are slower because packets pass through more routers and have further to travel – this test without the VPN went to Sydney, Australia:
As can be seen, a connection to the other side of the globe wasn’t much slower than a local connection. The connection had a download speed of 7.77 Mbps and an upload speed of 5.97 Mbps, so the performance of the ISP dropped slightly due to distance.
Turning on the Proton VPN service, using the London VPN server, we connected to the same test server in Sydney.
The mean download speed improved to 12.95 Mbps and was at a similar level for all five test runs.
Running a test to Sydney through a Proton VPN server in New York, USA, creates a more complicated route. However, the connection speed was still better than that of the unprotected connection. The mean download speed for five test runs was 11.68 Mbps, and the mean upload speed was 6.00 Mbps.
How to install
- Choose a plan at the Proton VPN website. Create a username and password, enter your email address, and then press the Create Account button.
- After verifying you are human, you will be taken through to your account dashboard. Here you will be offered a choice of continuing with the Proton Plus account or switching to the Proton Unlimited bundle.
- Click on the button for whichever of these options you prefer. Choose your subscription button and then press the Pay button.
- Enter your payment details and press the Pay button again.
- Once the payment has cleared, you will be shown your account dashboard. Click on Downloads in the left menu panel.
- On the next page, clock on the Download Proton VPN button, wait for the transfer to complete, and then click on the downloaded file to run the installer. Click through the installer. Click the Finish button, and the app will open.
- For mobile devices, get the Android app from Google Play, and for the app for iPads and iPhones, go to the Apple App Store.
- Log into the app. The first time you open the desktop app, it will offer you a tour. Skip it or watch it to get to the main screen.
- You can just press the Quick Connect button to access the fastest server available. In the bottom left of the screen, you will see a list of countries. Just click on a country name to connect to a server or press the down arrow on that country line to see a list of servers. The circle symbol at the beginning of each server name shows its current load. Choosing the server with the lowest load will get you a faster service. The line also shows what city the server is in. A server with two circular arrows next to it is good for P2P traffic, and an onion symbol means this is a good server for a connection to the Tor network. A play symbol means that the server is optimized for streaming.
- Click on the hamburger menu to get to more functions. Click on Settings in this list.
- In the Settings screen, click on the Connections tab to see which protocol your app is set up with. The default is Smart, which chooses the most appropriate protocol for the connection. Click on the down arrow at the end of the Protocols line to see more options.
- Back on the main screen, hover, over one of the triangles on the map, to see that location’s name. Zoom in with the plus button above the map and press the minus button to zoom out. You can connect to a server in a country by hovering on its triangle and then moving the pointer up into the country name. This changes the name into a Connect button.
- Once the session is established, you will see a data throughput graph at the bottom of the map. Your new IP address and the active VPN protocol are shown in the top left of the app.
- Press the Disconnect button to close the session.
Does Proton VPN work in China?
Proton admits that the Chinese authorities block its traffic, so the VPN is no use for people in China who want to get access to websites outside the country.
What is the Proton VPN Visionary plan?
Proton VPN created the Visionary plan back in 2014 when it started up. The service raised money through crowdfunding and created a special VIP service for those people who contributed funds – this was the Visionary plan. The plan is no longer available.
What is Proton VPN NetShield?
NetShield is a security package that is built into the Proton VPN app. It is disabled for users of Proton Free. This group of services blocks malware from downloading from infected sites, and it is also an ad blocker and a tracker blocker.
Is Proton VPN a firewall?
Proton VPN is a proxy server, and it operates a system called Network Address Translation, which changes the IP addresses of its customers. This is what is sometimes referred to as a NAT firewall. The system won’t block viruses because it doesn’t examine the contents of the packets that it processes. However, it will prevent hackers from getting to your computer, and it will also absorb DDoS attacks.
Does Proton VPN get me Netflix for free?
Proton VPN can’t get you into Netflix if you haven’t got an account there. However, if you have a Netflix account and you are traveling, it can get you into the Netflix library for your home country by making it look like you are still there.
To sum it up
Proton VPN is reasonably priced, and it can actually improve the connection speeds over the unprotected connections offered by your ISP. This is a very good result because a VPN places a lot of extra work on managing each packet transfer and so should slow the connection down considerably.
Proton VPN has excellent privacy and security measures and has strong capabilities for dodging location restrictions at streaming services. The only downside of this VPN service is that it doesn’t work in China. It would also be nice to see some browser extensions from the Proton team.
The Proton Plus plan also gets you one secure email address and 1 GB of secure cloud file server storage space. It might be worth upgrading to the Proton Unlimited plan to extend the capacity of these two extra services.