VPNs & Tunnels#
Reference of consumer VPN providers, enterprise / cloud VPN products, and the underlying tunnel protocols. Also covers WireGuard / OpenVPN / IPsec basics and overlay-network products that compete with traditional VPN.
For Tor / I2P / Lokinet anonymity overlays, see OSINT Sources (privacy / circumvention) and Secure Messaging (Session). For identity / SSO that gates VPN access, see Identity Providers (IdPs).
Consumer / privacy VPN#
Provider |
Country |
Notes |
|---|---|---|
Mullvad |
SE |
Anonymous account-numbers; cash/crypto pay; no email; audited; SE jurisdiction. |
IVPN |
GI |
No-email; multi-hop; audited. |
ProtonVPN |
CH |
Free + paid; bundle with Proton Mail/Drive/Pass; audited; CH jurisdiction. |
NordVPN |
PA |
Large network; NordLynx (WireGuard); Meshnet (P2P). |
ExpressVPN |
BVI / KYBI |
Owned by Kape; Lightway protocol. |
Surfshark |
NL |
Owned by Nord (2022). |
Private Internet Acce |
ss (PIA) US |
Owned by Kape; large legacy. |
CyberGhost |
RO / Kape |
Owned by Kape. |
Windscribe |
CA |
Free tier; ROBERT DNS-blocking. |
TunnelBear |
CA |
Owned by McAfee; consumer-friendly UI. |
Hide.me |
MY |
Free tier; multi-protocol. |
Perfect Privacy |
CH |
Multi-hop; pricey. |
AirVPN |
IT |
Privacy-focused; OpenVPN-only historically. |
TorGuard |
US |
Multi-product. |
Astrill |
SY |
Popular in CN circumvention scene. |
PandaPow |
n/a |
CN circumvention. |
Cloud / enterprise VPN#
Product |
Notes |
|---|---|
AWS Client VPN |
Managed OpenVPN. |
AWS Site-to-Site |
Managed IPsec. |
AWS VPN CloudHub |
Hub-and-spoke aggregator. |
Azure VPN Gateway |
Site-to-site / point-to-site; OpenVPN / IKEv2 / SSTP. |
GCP Cloud VPN |
IPsec / IKEv2; site-to-site. |
GCP Cloud Interconnec |
t / Partner Interconnect Dedicated peering, not VPN. |
AWS Direct Connect |
Dedicated peering, not VPN. |
Azure ExpressRoute |
Dedicated peering, not VPN. |
Cisco AnyConnect |
Enterprise SSL/IPsec; renamed Secure Client. |
Palo Alto GlobalProte ct |
SSL VPN + Prisma Access. |
FortiClient + FortiGa te |
SSL/IPsec VPN. |
Pulse Secure / Ivanti |
SSL VPN; major target of nation-state activity. |
Citrix Gateway |
SSL VPN; major target. |
Check Point VPN-1 |
IPsec. |
SonicWall NetExtender |
SSL VPN. |
WatchGuard SSL VPN |
SSL VPN. |
OpenVPN Access Server |
Self-hostable commercial. |
Mesh / overlay / Zero-Trust#
Product |
Notes |
|---|---|
Tailscale |
WireGuard-based mesh; MagicDNS; SSH; identity-aware. |
Headscale |
Self-hosted Tailscale control plane. |
Netmaker |
Self-hosted WireGuard mesh. |
Netbird |
Open-source mesh. |
ZeroTier |
Layer-2 overlay; self-hostable; encrypted. |
Twingate |
ZTNA mesh. |
Cloudflare Zero Trust |
Cloudflare Tunnel + WARP + Access; the broad ZT play. |
Zscaler ZIA / ZPA |
Cloud SASE. |
Netskope |
SASE. |
Cato Networks |
SASE. |
Perimeter 81 |
SASE. |
Banyan Security |
ZTNA (acquired by SonicWall 2023). |
HashiCorp Boundary |
Identity-aware proxy. |
Teleport |
SSH / K8s / DB / app access proxy. |
Pomerium |
ZT identity-aware proxy. |
Okta Advanced Server |
Server access via Okta. |
StrongDM |
Access proxy. |
Smallstep step-ssh |
SSH cert-based access. |
Tunnel protocols#
Protocol |
Notes |
|---|---|
WireGuard |
RFC 8784-derived; small kernel module / userspace; UDP; X25519 + ChaCha20-Poly1305; mature default. |
OpenVPN |
TLS-based; UDP / TCP; mature, slower than WG. |
IPsec / IKEv2 |
RFC 7296; the enterprise + interop default; UDP 500 / 4500. |
L2TP / IPsec |
Legacy; L2TP for tunnel + IPsec for crypto. |
PPTP |
Legacy; broken (MS-CHAPv2); avoid. |
SSTP |
Microsoft TLS-based; AzureVPN. |
SoftEther |
OSS multi-protocol VPN server. |
Outline (Shadowsocks) |
Censorship-circumvention; Jigsaw (Google). |
Lightway |
ExpressVPN proprietary. |
NordLynx |
Nord WireGuard wrapper. |
Trojan / V2Ray / VMes |
s / VLESS / Reality Censorship-circumvention; CN-focused. |
Hysteria 2 |
QUIC-based circumvention. |
Tuic |
QUIC-based circumvention. |
Outline |
Shadowsocks-based. |
Snowflake |
Tor pluggable transport (WebRTC). |
obfs4 |
Tor pluggable transport. |
meek |
Tor pluggable transport (legacy). |
Self-hostable software#
Tool |
Notes |
|---|---|
WireGuard |
Linux kernel + userspace impls. |
wg-easy / wg-portal |
Web UI. |
PiVPN |
Pi-friendly OpenVPN / WG installer. |
StrongSwan |
IPsec daemon. |
LibreSWAN |
IPsec fork. |
OpenVPN |
OSS. |
SoftEther |
OSS multi-protocol. |
Algo |
Trail of Bits IPsec / WG installer. |
Outline VPN |
Self-host Shadowsocks-based. |
Pritunl |
OpenVPN-based commercial. |
ZeroTier-One |
OSS daemon. |
Tailscale CLI |
OSS client; control plane is SaaS (or Headscale). |
Operator / OPSEC notes#
Single-hop VPN ≠ anonymity. It moves trust from your ISP to the VPN; the provider can still log + correlate. For real anonymity, use Tor (or multi-hop + cash-paid VPN in series).
Audits + jurisdictions, Mullvad / IVPN / ProtonVPN / ExpressVPN have third-party audits; Mullvad served the most-tested no-logs warrant in SE; jurisdiction matters (FVEY vs neutral).
WireGuard is the default, ChaCha20 + X25519 + small attack surface; OpenVPN is fine but slower; IPsec is fine but interop-prone.
Kill switch + DNS leaks, always enable kill switch; test for DNS / WebRTC / IPv6 leaks (ipleak.net).
Static IP from VPN, some providers offer; useful for geo-locked services but a fingerprint.
TLS-in-TLS detection, Russia / Iran / China actively block obvious VPN protocols; obfuscation (obfs4, Reality, Hysteria) is required in those markets.
Enterprise VPN appliances (Pulse Secure / Ivanti, Citrix, Fortinet, SonicWall, Cisco ASA) are repeat targets of nation-state campaigns; patch + EDR + WAF + monitor.
Split-tunnel vs full-tunnel, split for performance, full for inspection; never split a privileged-access VPN.
Mesh / ZT replaces VPN for SaaS-heavy orgs; Tailscale + identity-aware proxies + per-app SSO covers most use cases without a tunnel.