Personal VPNs Offer Safer Wi-Fi: Three Services Compared
It's a truth universally acknowledged that public Wi-Fi hotspots aren't secure, but they're so convenient that most of us use them anyway. That's why there was something of a panic last year when Eric Butler showed everyone how easy it is to hijack Facebook, Twitter and PayPal accounts on open Wi-Fi networks via his FireSheep Firefox add-on.
Of course, not everything you do in an open Wi-Fi environment can be picked up by digital eavesdropping. Secure HTTPS servers are great, but it's likely that your e-mail account and many social networking sites don't use HTTPS servers, or maybe just use them for logging in. Or worse, they have you submit your user name and password from an HTTP page to get to an HTTPS server. (There is at least one add-on for Firefox that offers HTTPS protection, but only for certain sites.)
In the end, online transactions are only as secure as their most open link, and the most open link of all is the gap between the laptop and the wireless access point. The technology that can really close that link is a tunneling virtual private network (VPN). VPNs establish a secure tunnel between your device and the first server you connect to.
Theoretically, if you're employed at a company that uses a VPN, you could use that corporate VPN to secure your coffee-shop connection -- but most companies frown on such use of their resources. So the obvious choice is to rent a connection from a personal VPN provider.
Personal VPN services have been marketing themselves as hotspot security measures for almost a decade. Once you get past the initial learning hump, it's a relatively simple and inexpensive way to lock down your communications. I looked at three of the more established players: HotSpotVPN, StrongVPN and WiTopia.
Choosing a VPN
The first step is to understand what these providers offer. For a fee, personal VPN providers provide an end-to-end secure connection to one of their servers, which can be located in a variety of places. Personal VPN providers offer some choice of servers, so you can pick those nearest to you for better response time, but some charge extra for wider choice. In addition to security, this can provide you with anonymous browsing and a virtual regional presence (so that if you're abroad, you can appear to be logging on in the United States and retain access to regionally restricted sites like Hulu or Netflix On Demand).
The personal VPN providers reviewed here offer two basic flavors of VPN. The most basic (and slightly cheaper) is built into the operating systems of practically every computing device: point-to-point tunneling protocol (PPTP). VPN providers give you settings for their servers to plug into your operating system. It's robust enough for most people, but is blocked in certain regions and by certain service providers. It also requires mucking around in your operating system for configuration and selection of a separate network device, which might not be feasible if you're on the road using a company laptop for some personal surfing.
A more robust and recent development is an SSL-based technology from OpenVPN, which uses client software to manage connections. This works on Windows, Mac and various Linux and Unix platforms.
Once configured, these services all work the same way: You turn on the OpenVPN client software when you're ready to connect to a public hotspot and make sure the OpenVPN software isn't showing a red (not connected) or yellow (attempting to sync up) color. If it's green, you're connected to a VPN server that's either owned or leased by your VPN provider, and can enter passwords in a public Wi-Fi hotspot with confidence.
How we tested
To evaluate the three services in this roundup, I signed up for each and used online documentation and technical support resources to configure and set up connections on three identical netbooks. The servers I picked for each were geographically as close to the test location as I could find: New York City.
All the services provided the degree of privacy required (they effectively blocked information from a nearby machine running FireSheep), and so to differentiate between them, I looked at these key factors:
Setup: Configuring PPTP sets up a new network connection, a process that's as hard or easy as your operating system makes it. The personal VPN provider gives you a user name, password and server address, and you set up the network connection accordingly.
An installation of OpenVPN requires a key and certificate files, which are copied to a configuration folder. The OpenVPN client software is off-the-shelf, but each vendor has a slightly different approach to configuration. WiTopia and HotSpotVPN include key and certificate details in a customized installer download; StrongVPN required more tinkering.
All three services I tested offer both PPTP and OpenVPN options. For the purposes of this review, I used OpenVPN because it was easier to implement, more flexible and easier to remove afterwards.
Ease of server selection: A VPN connection tunnels through the local access point to a specific VPN server: With personal VPNs, you pick the server nearest to your access point. This will, of course, vary if you travel. Each personal VPN provider has different servers. At the very least, you'll want easy access to a pick list of servers.
Pricing: It's not simply a question of what costs less. It's a question of paying for what you'll use. WiTopia provides buffet-style pricing: access to all its servers worldwide for an annual prix fixe. At the other end of the spectrum, HotSpotVPN provides day rates and weekly rates, while StrongVPN bundles servers into packages based on location.
Performance: Using a fourth netbook as a control, I timed connection and load times at various times for common sites, including Facebook, YouTube, and several news sites and e-mail providers. Several loads included long videos to test buffering time. To eliminate latency, I set up a dedicated 802.11n access point and ran identical tests serially on each netbook.
As expected, the control was more responsive in stopwatch testing than the machines using VPN services, but except for video buffering, not noticeably so. Server load responses are notoriously hard to evaluate in this kind of test, but StrongVPN's servers seemed to show the least latency when buffering and streaming videos.
Of the three providers in this roundup, HotSpotVPN provides the most options and requires the most knowledge up front. It's great that the service lets you pick conference packages for a day or three days or a week, but you do need to do your homework before you buy.
The HotSpotVPN Web site is sparse on pre-sales information, and the support site is a no-frills affair with a knowledge base, trouble ticket system and FAQ. Unlike StrongVPN and WiTopia, HotSpotVPN does not provide online chat consultation for those who don't know whether they want to connect to a 128-bit Blowfish server via PPTP or something a bit more robust using SSL-based OpenVPN. But once you've settled on what you want, the site does provide some handy configuration videos to step you through the setup process for various operating systems.
The ordering process is quick and painless. Within a minute of ordering a basic one-month OpenVPN package (I opted for the least expensive and least robust 128-bit Blowfish encryption), the company had delivered setup instructions via e-mail.
People using their operating system's PPTP capability are given configuration details that are easy enough to follow -- especially if you view the videos at the HotSpotVPN site. People choosing the OpenVPN option get a link to a download page that remains active for 48 hours. Linux and Mac users and people using Windows XP are provided with automatic installers; Windows 7 users need to jump through a few hoops -- run an installer and a separate configuration package.
The service is pretty much a set-it-and-forget-it operation. When you run the OpenVPN client software under Windows, for example, you see an icon in your system tray that's green when connected to the VPN server, red when it's not and yellow when it's attempting to sync up. Once you have a handle on that detail, you just keep paying the subscription fees and you'll keep getting secure Wi-Fi connections. Theoretically, using a VPN slows down a network connection, but in the case of HotSpotVPN, it's nothing I noticed.
If you have technical questions, you don't get as much live support as users of WiTopia or StrongVPN. You visit the company's Web site and fill out trouble tickets for questions that the FAQs and knowledge base cannot answer. There's a neat browser sidebar that is useful for some self-help steps, but in general, I felt a bit more on my own than with the other services.
At a Glance
Prices: HotSpotVPN-1 (PPTP-based): $3.88/day, $6.88/week, $8.88/month, $88.80/year. HotSpotVPN2 (OpenVPN-based, with complimentary PPTP account): $10.88/month or $108.80/year (128-bit encryption), $11.88/month or $118.80/year (192-bit encryption), $13.88/month or $138.80/year (256-bit encryption).
Pros: Simple installation and configuration, flexible duration contracts (including one-day and one-week conference rates), OpenVPN accounts include complimentary PPTP connections for handheld devices.
Cons: Complicated pricing tables with different rates for different encryption rates and services, fewer support options.
During this evaluation, I called upon the service to help during a holiday weekend and waited more than 24 hours for a response, which seemed like an excessively long wait -- although in fairness to the company, the answer to my question was lurking in the knowledge base.
HotSpotVPN does provide a handy additional service called TunnelGuardian, which as of this writing was still in beta. It's a Web proxy that uses port 80 to close the back door to visits from malware and ads. To turn on TunnelGuardian, you need to find your way around your Web browser's proxy settings -- which is not covered by the setup videos -- and point to one of two proxy servers. It's not 100% effective, and it doesn't work on HTTPS port 443, but it does add an additional layer of protection for the extra-cautious.
If you're comfortable plowing into VPN-related technology without much interactive help or guidance, HotSpotVPN delivers the goods in affordable short-term packages. Those who don't know Blowfish from AES-256 may want to opt for something with a more consumer-friendly approach.
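For readers who want to see what a provider's OpenVPN package actually sets up, here is an added example (not from this review or from any of the providers) that audits a client profile for the key and certificate files described under Setup and for the cipher tier you paid for. It goes one step beyond the article by also checking for a server-certificate directive such as remote-cert-tls; the host name, file names and function names are assumptions made for illustration.

```python
import re

# Constructed sample profile; the host name and file names are placeholders.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn-nyc.example.net 1194
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
"""

# cipher name -> (key bits, block bits); OpenVPN's BF-CBC defaults to a 128-bit key
CIPHERS = {"BF-CBC": (128, 64), "AES-128-CBC": (128, 128), "AES-192-CBC": (192, 128),
           "AES-256-CBC": (256, 128), "AES-256-GCM": (256, 128)}
SERVER_CHECKS = ("remote-cert-tls", "verify-x509-name", "ns-cert-type")


def parse_profile(text):
    """Return {directive: [args, ...]}; inline <ca>...</ca> blocks count as present."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                              # inside an embedded PEM block
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":         # blank line or comment
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:                                   # start of an inline file
            inline = m.group(1)
            directives.setdefault(inline, []).append(["[inline]"])
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit(text):
    """Return a list of findings for one client profile (empty list = nothing flagged)."""
    d, findings = parse_profile(text), []
    for needed in ("ca", "cert", "key"):
        if needed not in d:
            findings.append(f"no {needed} directive or inline block")
    if not any(name in d for name in SERVER_CHECKS):
        findings.append("no server certificate check (e.g. remote-cert-tls server)")
    args = d.get("cipher", [[]])[-1]            # last cipher line wins
    name = args[0].upper() if args else None
    key_bits, block_bits = CIPHERS.get(name, (None, None))
    if name is None:
        findings.append("no cipher line: the client uses its built-in default")
    elif key_bits is None:
        findings.append(f"cipher {name}: not in this script's table, review by hand")
    elif block_bits < 128:
        findings.append(f"cipher {name}: {key_bits}-bit key, but only a {block_bits}-bit block")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE):
        print("-", finding)
```

Run against the constructed sample, it flags the missing server-certificate check and the Blowfish cipher's 64-bit block; a profile with an AES cipher and a remote-cert-tls line comes back clean.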
When you first log on to StrongVPN's Web site, you can see at a glance that the company has a lot going for it. To begin with, it has a strong showing of servers: 146 servers around the globe, including 94 in the United States. It uses gigabit switches. It can handle VoIP traffic. And it provides 24/7 live technical support.
What's a little harder to see is which of StrongVPN's services will fit your needs. The company packages its offerings in an almost bewildering array. There are Lite, Standard and Deluxe packages -- Lite packages offer servers in San Francisco, New York and Miami; Standard adds Los Angeles, Washington D.C., Dallas, Seattle and Chicago; and Deluxe adds everywhere else in the world. There are single-city a la carte offerings if you don't travel much. And each package is available in PPTP and OpenVPN flavors.
Fortunately, the company provides excellent support for sales and technical advice. StrongVPN offers online chat support in two forums: on its own site using Zopim's off-the-shelf LiveChat application (something that WiTopia also uses) and on Skype. At several key points during the evaluation, this team proved highly responsive: I never waited more than a minute for online chat assistance and the team was never at a loss to respond to any issue.
I finally picked the Lite OpenVPN package and received a confirmation e-mail immediately after placing the order. Ten minutes later, I also got a fulfillment e-mail with links for downloading and configuring the OpenVPN client software.
Configuring the OpenVPN client to work with StrongVPN servers feels a little kludgy. After you install the software, a box pops up asking for the URL of a custom configuration Zip file. That URL is part of StrongVPN's confirmation e-mail, and it's a custom-prepared set of files for each customer. You have to copy and paste the URL from your confirmation e-mail to complete the configuration -- not a tricky step, but it's something that the other vendors in this review handle more smoothly.
From that point on, you simply run the off-the-shelf OpenVPN software and you're tunneling securely from your laptop to StrongVPN's servers.
It's impossible to say definitively that StrongVPN's servers were more responsive than anyone else's. There are too many variables to account for. However, I ran through a suite of Web pages and videos using identical machines and lab conditions for each personal VPN in this review, and found StrongVPN's servers almost as responsive as the control machine running an unsecured connection.
At a Glance
Prices: PPTP packages: $7/month (SF, NY, Miami); $12/month (SF, NY, LA, Chicago), $15/month (multiple cities worldwide). OpenVPN packages: $10/month (SF, NY, Miami); $15/month (8 cities), $20/month (multiple cities worldwide). All servers: $30/month (multiple cities worldwide). All packages have a 3-month minimum.
Pros: Strong showing of servers worldwide, fast server response times, 24/7 support via chat and Skype, static IP addresses.
Cons: Complicated pricing policy, changing servers requires logging in to StrongVPN's Web site and ordering new configuration files.
So far so good, but there are a few dings against StrongVPN. First, it's not the easiest solution if you want to change servers around. Just to make sure I had the most responsive server, I checked the company's Web site and decided to try another New York server that the site told me had five free slots. I logged in to my account, clicked the Change Server slot, and was e-mailed another link to a Zip file with configuration data.
This isn't a big deal for someone with tech smarts, but it turned out that StrongVPN limits the number of times you can do this: Lite packages allow for five server changes a month (with three trial switches during the first month); Standard and Deluxe offer two more server changes, for a total of seven per month. Any more changes and you will need to purchase a switching upgrade, which starts at an extra $5/month.
StrongVPN is a mixed bag. Its service team is very responsive and very knowledgeable. Its server selection is large and its latency seems to be minimal. But it uses the same off-the-shelf OpenVPN client software that the other personal VPN providers do, so it doesn't stand out from the pack in that respect, and it doesn't modify the configuration process as smoothly as the others. And the packages that the company offers are flexible, but can be overwhelming to an untrained customer.
Understanding off-the-shelf VPNs isn't easy, even for someone with grounding in networking. WiTopia's strength is that the company does a lot of the work for you up front.
Instead of making you research pricing tables for abstruse services, you pick from one of just three packages: one year of PPTP-based privacy, one year of OpenVPN-based privacy or a combo package of both. The annual fees range from $50 to $70, and once you've picked your poison, you don't have any significant hurdles to jump through.
Within a minute of creating an account and ordering a personal VPN SSL at WiTopia's site, I received the receipt and setup instructions, including a URL for downloading the client software. WiTopia's installation package included the personalized key the OpenVPN client software needed to configure my account, so as soon as the installation was over, I was ready to connect.
Unlike the other services in this roundup, WiTopia provides access to all its servers right in the OpenVPN client software. Where HotSpotVPN and StrongVPN make you log in at their Web sites, request a server change and reconfigure the access program, WiTopia gives you a pick list. Right-click on the Windows tray icon and you can browse 60 servers in a variety of locations across the globe; as long as you remember to disconnect from your current server first, you can connect within seconds to another.
Server hopping's not something you need to do every day, but it's definitely handy. For example, if you suddenly want to step up your security level from a standard 128-bit to a more industrial-strength 256-bit encryption, you can look for a more robust server from the list.
And if you travel, you may want to pick a server that's nearer to your current location. That's because the further you are from your VPN server, the more sluggish the response tends to be. If you're from New York and working in Chicago, you might not notice much lag. If you're from San Francisco and visiting Manchester, England, you'll definitely want to log on to a Manchester server (or even a New York one) to bump up your response time.
At a Glance
Prices: $69.99/year (OpenVPN and PPTP combo); $59.99/year (OpenVPN only); $39.99/year (PPTP only).
Pros: Simple pricing, 30-day money-back guarantee, easy installation and configuration, easy to switch servers, servers available around the world at no extra cost.
Cons: No short-term contracts for conferences or vacations, no static IP addresses.
At the time of this review, WiTopia didn't assign a static IP address, which could muddy things up if you share a server with a WiTopia customer who abuses the service (such as a spammer or torrent abuser, for example). But during the review, neither this potential drawback nor any of the other factors that might affect performance (such as overloaded switches or servers) put much of a crimp in my online experience. If there was any latency in my network connection, it wasn't noticeable, and stopwatch testing of a typical heavy-traffic network activity -- video streaming -- showed very little buffering delay compared to a control that wasn't using a VPN.
Like StrongVPN, WiTopia provides on-the-spot help via online chat. I tested this feature in several sessions during the course of this evaluation, and on each occasion WiTopia's staff proved very prompt and helpful. They handled product selection, billing and technical questions with equal speed; and when I scaled the service down to remove the PPTP option, I received a refund via PayPal in less than five minutes.
WiTopia provides services that are easy to understand and adopt. Its support proved very responsive, and although the company offers only annual subscriptions, the rates are reasonably priced.
HotSpotVPN's 1-, 3-, and 7-day conference packages are great for getting your feet wet in this class of products. And StrongVPN's sprightly servers seemed to serve up videos with a little less buffering time than the others.
That said, WiTopia provides the most customer-friendly approach to setting up and selecting servers. For the price, you get pick-list access to servers worldwide from the OpenVPN application in the Windows tray. If you don't mind committing to a year's service up-front, it's the most cost-effective and easy way to get into personal VPNs.
Matt Lake is an author, award-winning technology journalist and technical services coordinator in the field of education.