18 Essential Questions to Ask Your VPN Provider

Welcome, readers! This is Pavluu, and today I’m joined by my editor, Vergil. We’ve adapted a timely guide on VPN services just for you.

Choosing a VPN service can be tricky. Maybe you don’t trust your internet provider to protect your privacy (and, as the US FTC recently concluded, you probably shouldn’t). Maybe you don’t trust your government—or any government or corporation, for that matter. If you’re the type who likes to research before using a service, this guide is for you.

If privacy is a top concern, you may not want your VPN research to become public knowledge. While many people use VPNs, deep research can make you look like someone with something to hide. To reduce this risk, consider using free VPNs (like Calyx VPN) and webmail (like VFEmail) during your research. For even more privacy, use VFEmail via the Tor network.

There’s a lack of reliable, trustworthy information about VPN services online. We recommend ignoring sites with headlines like “Best VPNs” or “VPN Reviews.” Most are paid reviews, and some post negative reviews of VPNs that refuse to buy positive coverage. Even honest sites often just list popular services without considering quality. If you must use a VPN review site, look for those that don’t use affiliate links.

When searching, focus on VPN providers that meet your specific privacy goals. Carefully review their websites, terms of service, and privacy policies. Look for clear, unambiguous language and be wary of legal boilerplate.

For example, if you plan to share copyrighted media via BitTorrent, avoid providers that explicitly prohibit this. If you need access to many locations, choose accordingly, but remember there’s a trade-off between variety and security. Providers with many IPs in different countries are more likely to use virtual private servers (VPS) rather than dedicated physical servers.

How potential VPN providers answer your questions can be as telling as the answers themselves. Look for quick, complete, clear, and accurate responses. Vague or incorrect answers to technical questions suggest dishonesty or incompetence. Slow replies don’t bode well for future customer support.

Below are some questions to ask a VPN provider before purchasing, along with expected answers and explanations. For technical details, check out the OpenVPN How-to Guide and the official WireGuard page.

Questions

  1. Is there a monthly bandwidth usage limit?
  2. Do you throttle connections that exceed bandwidth limits?
  3. How many simultaneous connections are allowed per account?
  4. How many hops are in your VPN connections?
  5. What type(s) of VPN encryption do you use, and why?
  6. Do you support perfect forward secrecy? If so, how?
  7. Do you provide users with Diffie-Hellman key files?
  8. How do you authenticate clients—certificates and keys, or usernames and passwords?
  9. Do you use HMAC-based TLS authentication? If so, why?
  10. Do you ever send usernames and passwords to clients via email?
  11. Does each client have a unique certificate and key?
  12. Where are your VPN gateway servers located—on hosting, in one place, or in-house?
  13. Do any of your VPN gateway servers run on VPS or cloud servers?
  14. How are your servers secured?
  15. Where is user account information stored?
  16. How is communication between servers secured?
  17. Is port forwarding allowed for users?
  18. Are all client ports forwarded by default? If so, on which servers?

Answers and Explanations

  • Is there a monthly bandwidth usage limit?
    In recent years, this has become less common, but some providers use it on free tiers to let users try the service before upgrading. Paid plans with usage limits are more typical of VPN resellers—best to avoid providers that impose them.
  • Do you throttle connections that exceed bandwidth limits?
    The best answer depends on your goals. Naturally, you want the fastest connection. However, if your connection is much faster than others using the same VPN exit, you’ll stand out, reducing your anonymity.
  • How many simultaneous connections are allowed per account?
    Multiple addresses can be convenient for using several aliases or devices at once. However, this can also lead to account sharing abuse, overloading servers and slowing connections.
  • How many hops are in your VPN connections?
    Most VPNs offer single-hop connections: you connect to a gateway server, and your traffic exits to the internet from that server (or another in the same local network). Single-hop makes it easier for attackers to correlate incoming and outgoing traffic.
  • What type(s) of VPN encryption do you use, and why?
    OpenVPN can operate in two modes. One uses a shared static key for authentication and encryption—easy to set up, but if the key is compromised, all past traffic can be decrypted. No reputable provider should use this. If you receive only one key file, open it in a text editor: if the last line says ‘CERTIFICATE’, you’re fine; if it says ‘KEY’, ask for a refund.
    The other mode uses SSL/TLS for the control channel and periodically renegotiated session keys for the data channel. If a data-channel key is compromised, only that session’s traffic is at risk, not past or future sessions. This property is called “perfect forward secrecy.”
    By default, OpenVPN uses 1024-bit RSA for certificates and BF-CBC (128-bit) for data. This is usually sufficient, but providers using 2048-bit RSA and AES-256-CBC (256-bit) are more security-conscious. Both BF-CBC and AES-256-CBC use Cipher Block Chaining (CBC) mode. If your provider uses something else (CFB, OFB, etc.), ask why.
    The newer WireGuard protocol is spreading quickly among VPN providers. It wasn’t designed with commercial VPN privacy in mind. Competent providers should address these issues:

    1. Peer public IPs are stored in memory (should implement key management to remove/restore configs).
    2. Tunnel IP address assignment/rotation (should use callbacks to generate new IPs for all servers).
    3. Lack of perfect forward secrecy (should use automatic key pair regeneration at regular intervals).
  • Do you support perfect forward secrecy? If so, how?
    Any provider using OpenVPN in SSL/TLS mode provides perfect forward secrecy. Extra claims beyond this should be viewed skeptically. WireGuard requires special measures to support forward secrecy.
  • Do you provide users with Diffie-Hellman key files?
    This is a trick question. OpenVPN’s SSL/TLS mode uses a static Diffie-Hellman key (parameter) file for its forward-secret key exchange, but this file is only needed on the server. Any provider giving it to users is incompetent.
  • How do you authenticate clients—certificates/keys or usernames/passwords?
    In SSL/TLS mode, OpenVPN clients authenticate servers by checking for a certificate signed by a CA provided by the VPN. OpenVPN supports two client authentication methods: certificates/keys or usernames/passwords. Servers can use both, but that’s overkill. For p2p connections, certificate/key authentication is crucial. For VPN services, unique client certificates can be a privacy risk.
  • Do you use HMAC-based TLS authentication? If so, why?
    With TLS authentication (tls-auth), servers ignore SSL/TLS handshake packets from clients without the correct HMAC signature. This protects against DoS attacks, port scans, and more. If implemented, providers may give you a key (usually ‘ta.key’) or negotiate it on the fly. Any provider claiming this is needed for perfect forward secrecy is either dishonest or incompetent.
  • Do you ever send usernames and passwords to clients via email?
    This is risky, mainly for the provider. Attackers intercepting credentials during delivery can gain access or lock out paying users. There’s also a risk of users being drawn into criminal activity. If you change your password immediately after receiving it, you’re safe. If you can’t log in to change it, complain and demand a new account. For otherwise good providers, this isn’t a dealbreaker.
  • Does each client have a unique certificate and key?
    Another trick question. Providers may give all clients the same certificate or rely solely on username/password authentication. Unique certificates/keys are good for enterprises, but for VPN services, they can link user accounts to logged traffic. Some providers claim unique certificates help neutralize malicious users, but usernames can do the same and are easier to invalidate. If this matters to you, test it by buying two short-term subscriptions with Bitcoin via Tor and using temporary email addresses.
  • Where are your VPN gateway servers located—on hosting, in one place, or in-house?
    Another trick question. Be wary of any provider claiming to run all servers in-house—ask how they afford high-speed infrastructure in multiple countries. The most plausible answer is they build their own servers and colocate them. Bonus points for physical security measures like embedding RAM in epoxy and disabling USB ports. The most likely acceptable answer is dedicated servers, with extra points for full-disk encryption and storing short-term logs in RAM (tmpfs).
  • Do any of your VPN gateway servers run on VPS or cloud servers?
    Providers should never run VPN gateways on VPS or cloud servers. As virtual machines, they’re fully controlled by the host OS, making all actions and data accessible. Providers should always use dedicated physical servers, properly secured against unauthorized access.
  • How are your servers secured?
    VPN services typically use three types of servers: gateway servers (establish VPN connections and route traffic), web servers (host the website), and authentication/account servers. All client traffic passes through gateway servers. If these aren’t properly secured, attackers can compromise user privacy by logging traffic. Gateways should be hardened to industry standards (e.g., CIS Benchmarks or NSA guidelines). Most importantly, VPN gateways shouldn’t run other network services like web hosting or user authentication, as this increases risk. You can check open ports/services with a port scanner like nmap, but note that many providers run the VPN service itself on ports normally used by other services (like 80 or 443) to get through restrictive firewalls, so an open 443 is not necessarily a web server.
  • Where is user account information stored?
    Ideally, providers should store this data on their own encrypted, well-secured servers. They should also separate authentication data (needed by gateway servers) from account data (which may include logs, emails, and payment records).
  • How is communication between servers secured?
    Well-designed VPNs use networks of specialized servers that securely communicate. For example, gateway servers must contact authentication servers to verify users. Internal systems may use sales data to create/update accounts and update authentication servers. Given the sensitivity of this data, all inter-server communication should be strongly encrypted, usually via persistent OpenVPN or IPSec tunnels.
  • Is port forwarding allowed for users?
    When connected to a VPN, the gateway server shields your device from potentially hostile incoming connections, much as a router or firewall would. However, allowing incoming connections on specific ports is necessary for running servers or participating in p2p networks. This is called port forwarding. When enabled, your device is directly exposed to the internet on those ports, without VPN protection. Attackers can exploit vulnerabilities in services listening on forwarded ports, compromising your device and potentially your privacy and anonymity.
  • Are all client ports forwarded by default? If so, on which servers?
    Some VPNs forward all client ports by default, some only on certain servers, and some vary without clear documentation. You can check with a port scan, but note that different clients sharing the same exit IP may have the same ports forwarded.
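Several of the answers above (the encryption question, the Diffie-Hellman trick question, the client-authentication question and the tls-auth question) come down to what is in the profile the provider hands you. The following checker is an added example, not code from the guide or from any provider: it parses the inline one-file .ovpn format, reports static-key versus SSL/TLS mode, the data-channel cipher (flagging the legacy BF-CBC default), tls-auth/tls-crypt, a Diffie-Hellman file shipped to the client, and the authentication method, and applies the “what does the last line say” check to every inline block. The two profiles at the bottom are constructed samples. It goes slightly beyond the guide in accepting AEAD ciphers (GCM, ChaCha20-Poly1305) as fine; the guide only discusses CBC modes.

```python
"""Assess an OpenVPN client profile against the guide's questions 5, 7, 8, 9 and 11.

Added example, not part of the original guide. Reads the inline (.ovpn) profile
format; the two profiles at the bottom are constructed samples, not real ones.
"""
import re

# <tag> ... </tag> inline blocks carry PEM-style key material in one-file profiles.
INLINE_BLOCK = re.compile(r"<([\w-]+)>\n(.*?)\n</\1>", re.DOTALL)

# BF-CBC was OpenVPN's historical default; the guide prefers AES-256-CBC.
# AEAD ciphers are accepted here as well (an addition beyond the guide's text).
LEGACY_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC"}
PREFERRED_CIPHERS = {"AES-256-CBC", "AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}


def parse_profile(text):
    """Split a profile into {directive: [args, ...]} and {tag: inline body}."""
    blocks = {m.group(1): m.group(2).strip() for m in INLINE_BLOCK.finditer(text)}
    directives = {}
    for line in INLINE_BLOCK.sub("", text).splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line:
            parts = line.split()
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives, blocks


def classify_key_material(pem_text):
    """The guide's text-editor check: what does the last line of the material say?"""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if not lines:
        return "empty"
    last = lines[-1]
    if "CERTIFICATE" in last:
        return "certificate"
    if "OpenVPN Static key" in last:
        return "static-key"
    if "DH PARAMETERS" in last:
        return "dh-parameters"
    if "KEY" in last:
        return "private-key"
    return "unknown"


def assess_profile(text):
    """Return (mode, findings); findings are 'OK:/WARN:/FAIL:/INFO:' strings."""
    d, blocks = parse_profile(text)

    def present(name):  # directive with a file path, or an inline block
        return name in d or name in blocks

    findings = []
    # Question 5: shared static-key mode has no forward secrecy at all.
    if present("secret"):
        mode = "static-key"
        findings.append("FAIL: static-key mode; one key decrypts all past traffic")
    elif present("ca"):
        mode = "tls"
        findings.append("OK: SSL/TLS mode with renegotiated data-channel keys")
    else:
        mode = "unknown"
        findings.append("WARN: neither 'secret' nor 'ca' present; mode unclear")

    # Question 5: data-channel cipher ('cipher' or newer 'data-ciphers' list).
    ciphers = [c.upper() for args in d.get("cipher", []) + d.get("data-ciphers", [])
               for a in args for c in a.split(":")]
    if not ciphers:
        findings.append("WARN: no cipher set; old OpenVPN releases default to BF-CBC")
    for c in ciphers:
        if c in LEGACY_CIPHERS:
            findings.append(f"WARN: legacy cipher {c}")
        elif c in PREFERRED_CIPHERS:
            findings.append(f"OK: cipher {c}")
        else:
            findings.append(f"INFO: cipher {c}; ask the provider why")

    # Question 9: an HMAC on the control channel drops handshakes lacking the key.
    if present("tls-crypt"):
        findings.append("OK: tls-crypt protects the control channel")
    elif present("tls-auth"):
        findings.append("OK: tls-auth (ta.key) protects the control channel")
    else:
        findings.append("INFO: no tls-auth/tls-crypt; handshakes are not HMAC-filtered")

    # Question 7: Diffie-Hellman parameters belong on the server only.
    if present("dh"):
        findings.append("FAIL: Diffie-Hellman file shipped to the client")

    # Questions 8 and 11: how is the client identified?
    if "auth-user-pass" in d:
        findings.append("INFO: username/password client authentication")
    if present("cert") and present("key"):
        findings.append("INFO: client certificate/key present; ask whether it is unique")

    for tag, body in blocks.items():
        findings.append(f"INFO: <{tag}> ends with a {classify_key_material(body)} line")
    return mode, findings


# Constructed sample: SSL/TLS mode, AES-256-CBC, tls-auth, username/password.
GOOD_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 443
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
auth-user-pass
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedSampleNotARealCertificate=
-----END CERTIFICATE-----
</ca>
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
0123456789abcdefconstructed
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Constructed sample: static-key mode, legacy cipher, DH file handed to the client.
BAD_PROFILE = """\
dev tun
proto udp
remote vpn.example.invalid 1194
ifconfig 10.8.0.2 10.8.0.1
cipher BF-CBC
<secret>
-----BEGIN OpenVPN Static key V1-----
deadbeefconstructed
-----END OpenVPN Static key V1-----
</secret>
<dh>
-----BEGIN DH PARAMETERS-----
MIGHconstructed=
-----END DH PARAMETERS-----
</dh>
"""

if __name__ == "__main__":
    for name, profile in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        mode, findings = assess_profile(profile)
        print(f"{name}: mode={mode}")
        for finding in findings:
            print("  " + finding)
```

Run it against the profile a provider sends you; any FAIL line corresponds to a question above whose answer the guide calls a dealbreaker, while INFO lines are the points to raise in your email to support.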
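The last two questions concern what port forwarding exposes on your own device. The following device-side check is an added example, not from the guide: it parses the Linux socket tables in /proc/net/tcp and /proc/net/tcp6 (real format: little-endian hex address:port, state 0A = LISTEN), decodes the addresses, and intersects non-loopback listeners with the ports the provider would forward, with `None` standing for a provider that forwards everything by default. The table contents embedded below are constructed sample data so the check runs anywhere; on a live Linux host you would read the two files instead.

```python
"""List the services on this device that VPN port forwarding would expose.

Added example, not part of the original guide. The socket tables below are
constructed samples in the real /proc/net/tcp and /proc/net/tcp6 format.
"""
import ipaddress
import socket

LISTEN_STATE = "0A"  # st column value for a listening socket


def hex_to_ip(addr_hex):
    """Decode a /proc/net/tcp address: IPv4 is one little-endian 32-bit word,
    IPv6 is four little-endian 32-bit words."""
    raw = bytes.fromhex(addr_hex)
    if len(raw) == 4:
        return socket.inet_ntoa(raw[::-1])
    words = b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4))
    return socket.inet_ntop(socket.AF_INET6, words)


def listening_ports(table_text):
    """Return {port: bound_ip} for every LISTEN entry in one socket table."""
    ports = {}
    for line in table_text.strip().splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN_STATE:
            continue
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        ports[int(port_hex, 16)] = hex_to_ip(addr_hex)
    return ports


def exposed_services(tables, forwarded_ports=None):
    """Ports that are forwarded by the VPN (None = all) and bound to a
    non-loopback address, i.e. reachable once forwarding is on."""
    listening = {}
    for table in tables:
        listening.update(listening_ports(table))
    exposed = {}
    for port, ip in listening.items():
        if ipaddress.ip_address(ip).is_loopback:
            continue  # only reachable from the device itself
        if forwarded_ports is None or port in forwarded_ports:
            exposed[port] = ip
    return exposed


# Constructed sample: sshd on all interfaces (22), CUPS on loopback (631),
# a BitTorrent client on all interfaces (51413), plus one established connection.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0 100 0 0 10 0
   2: 00000000:C8D5 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0 100 0 0 10 0
   3: 0200000A:D5E7 0100000A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 10004 1 0 100 0 0 10 0
"""

# Constructed sample: a dev web server bound to ::1 only (port 80).
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10005 1 0 100 0 0 10 0
"""

if __name__ == "__main__":
    provider_forwards = {22, 80, 631, 51413}  # what the provider says it forwards
    for port, ip in sorted(exposed_services([SAMPLE_TCP, SAMPLE_TCP6], provider_forwards).items()):
        print(f"port {port} on {ip} would be reachable from the internet")
```

Anything the script lists is a service whose security you are now responsible for, since the gateway no longer filters it; close it or bind it to a loopback or VPN-internal address before enabling forwarding.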

Authors: Vergil & Pavluu
