alexi.sh
privacy-tooling

Best VPN for tech-aware users 2026: ProtonVPN vs Mullvad vs IVPN benchmark

PrivSec Lab · 11 min read

No-sponsorship benchmark of ProtonVPN, Mullvad and IVPN for 2026. Audits, jurisdiction, anonymous payments, multi-hop, kill switch — only hard criteria matter.

Why most "best VPN" lists are useless

Most VPN comparison articles are structured as affiliate inventory, not analysis. The methodology is inverted: first, negotiate the highest commission rate. Then build a scoring rubric that happens to produce the desired ranking. The result is that services paying 40% recurring commissions show up as "Editor's Choice" while technically superior providers with no affiliate program get buried or ignored.

Three structural failures explain this:

Commission-driven selection. The universe of tested providers is filtered before any criterion is applied. Services that don't run affiliate programs — or cap commissions — rarely appear. IVPN, for instance, runs no affiliate program at all. It almost never appears in mainstream rankings despite passing independent audits.

Vanity metrics. Speed in Mbps is easy to measure and fills comparison tables. It is also nearly irrelevant for privacy purposes. A 500 Mbps connection is indistinguishable from 900 Mbps in practice for any use case other than 8K streaming, and even then the bottleneck is your ISP, not the VPN. The metrics that matter — audit scope, log architecture, payment anonymity — require domain knowledge to evaluate.

Recency theater. A "2026 updated" badge on an article does not mean the underlying data changed. Most of these updates are SEO refreshes that change the published date and reorder sections while leaving the same four providers in the same four spots.

This article covers three providers: ProtonVPN, Mullvad, and IVPN. No sponsorship, no affiliate relationship with any of them. The methodology is reproducible.

Real evaluation criteria

Privacy-relevant VPN selection comes down to eight hard criteria. Anything else is secondary.

1. No-log audit — scope and recency. Who conducted it? When? What infrastructure did they access? A Cure53 audit of the mobile client codebase is not the same as a full infrastructure audit including RAM-only server verification. Look for firm name, date, report URL, and scope statement.

2. Jurisdiction. Where is the operating entity incorporated? Does it have a parent company in a different jurisdiction? Swiss law, Swedish law, and Gibraltar law all differ from US/UK law in relevant ways. Verify corporate structure, not just marketing copy.

3. Anonymous payment options. Credit card = identity. Bitcoin via Bitpay = near-identity (Bitpay KYCs users). Bitcoin via direct on-chain = pseudonymous. Monero (XMR) = unlinkable. Cash by post = physically anonymous. Rank them accordingly.

4. Multi-hop availability. Is multi-hop between different servers in different jurisdictions supported? What is the overhead? Can you chain servers across different legal entities?

5. Kill switch implementation. Is it OS-level (PF, nftables, WFP) or application-level? Application-level kill switches can fail if the client crashes before blocking traffic. OS-level kill switches are more robust.

6. DNS leak protection. Does the client enforce DNS through the tunnel on all platforms? Does it handle DNSSEC? What happens on split-tunnel configurations?

7. Server infrastructure transparency. RAM-only servers? Owned hardware or rented? Colocated or cloud? Each matters differently for different adversary models.

8. Account anonymity at signup. Does creating an account require email? Phone number? Government ID? A VPN that knows who you are at account creation has identifying data regardless of its no-log policy for connections.
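Criterion 5 can be checked on a Linux host instead of being taken from marketing copy. The sketch below is an added example, not code from this article's benchmark or from any provider's client: it parses the JSON printed by `nft -j list ruleset` and reports whether an output-hook chain fails closed. The interface name `wg0`, the endpoint `198.51.100.10` and the table and chain names are assumptions, and the sample ruleset is constructed.

```python
import json

OIF = {"meta": {"key": "oifname"}}                         # nft JSON form of `oifname`
DADDR = {"payload": {"protocol": "ip", "field": "daddr"}}  # nft JSON form of `ip daddr`

def _scoped(exprs, tunnel_if, endpoint_ip):
    """True if a rule is pinned to loopback, the tunnel, or the VPN endpoint."""
    for e in exprs:
        m = e.get("match") or {}
        left, right = m.get("left"), m.get("right")
        if m.get("op") != "==" or not isinstance(left, dict):
            continue
        if left.get("meta", {}).get("key") == "oifname" and right in ("lo", tunnel_if):
            return True
        if left.get("payload", {}).get("field") == "daddr" and right == endpoint_ip:
            return True
    return False

def audit_kill_switch(ruleset_json, tunnel_if, endpoint_ip):
    """Return findings; [] means an output chain fails closed. Jumps are not followed."""
    items = json.loads(ruleset_json)["nftables"]
    chains = [i["chain"] for i in items if i.get("chain", {}).get("hook") == "output"]
    if not chains:
        return ["no chain on the output hook: nothing blocks traffic if the client dies"]
    per_chain = []
    for c in chains:
        found = [] if c.get("policy") == "drop" else [f"chain {c['name']}: policy is not drop"]
        for r in (i["rule"] for i in items if "rule" in i):
            if (r["family"], r["table"], r["chain"]) != (c["family"], c["table"], c["name"]):
                continue
            exprs = r.get("expr", [])
            if any("accept" in e for e in exprs) and not _scoped(exprs, tunnel_if, endpoint_ip):
                found.append(f"chain {c['name']}: rule handle {r['handle']} accepts off-tunnel traffic")
        per_chain.append(found)
    # A drop verdict in any base chain is final, so one strict chain is sufficient.
    return [] if any(not f for f in per_chain) else [x for f in per_chain for x in f]

def sample_ruleset(policy, extra_rules=()):
    """Constructed `nft -j list ruleset` output; wg0 and 198.51.100.10 are placeholders."""
    def rule(handle, *expr):
        return {"rule": {"family": "inet", "table": "vpn", "chain": "out", "handle": handle, "expr": list(expr)}}
    eq = lambda left, right: {"match": {"op": "==", "left": left, "right": right}}
    chain = {"chain": {"family": "inet", "table": "vpn", "name": "out", "handle": 1,
                       "type": "filter", "hook": "output", "prio": 0, "policy": policy}}
    scoped = [(2, OIF, "lo"), (3, OIF, "wg0"), (4, DADDR, "198.51.100.10")]
    rules = [rule(h, eq(l, r), {"accept": None}) for h, l, r in scoped]
    rules += [rule(h, *e) for h, e in extra_rules]
    return json.dumps({"nftables": [{"metainfo": {"json_schema_version": 1}}, chain, *rules]})
```

The audit is deliberately conservative: only literal equality matches count as scoping, so a rule that accepts traffic via a set or prefix match is flagged for manual review.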

ProtonVPN deep-dive

Jurisdiction: Switzerland. Proton AG, incorporated in Geneva. Not subject to GDPR mandatory data disclosure requests from EU member states. Swiss law has strong privacy protections but is not absolute — the 2022 Proton case established that under Swiss legal process, Proton could be ordered to log IP addresses going forward, though not retroactively.

No-log audits: Cure53 conducted a comprehensive infrastructure and application audit in November 2023, covering iOS, Android, macOS, Windows, and Linux clients. The report is publicly available. Scope included RAM architecture verification on a subset of servers. A follow-up audit covering the no-log server architecture was completed in April 2025.

Server infrastructure: ProtonVPN operates over 9,200 servers in 112 countries as of Q1 2026. Secure Core routes traffic through hardened servers in Switzerland, Iceland, and Sweden before exiting, adding a geographic multi-hop layer. These Secure Core servers are owned hardware, not rented VMs.

Pricing (EUR): Free unlimited plan (no bandwidth cap, no ad injection, speed-limited). Plus: €9.99/mo on monthly billing, €5.99/mo on annual billing. Proton Unlimited bundle (includes ProtonMail, ProtonDrive, ProtonCalendar): €12.99/mo on annual billing.

Anonymous payments: Bitcoin via BitPay. BitPay requires account creation and in some jurisdictions KYC verification. Cash is not accepted. This is the weakest point in ProtonVPN's privacy architecture for users who want payment anonymity.

Signup: Email address required. No phone number or identity verification. Disposable email addresses work.

Multi-hop: Secure Core provides Switzerland/Iceland/Sweden → exit node. Standard user-configured multi-hop is not available on the free or Plus plan as of Q2 2026.

Kill switch: OS-level on all desktop platforms. The Linux client uses nftables. The kill switch defaults to off on mobile.

Throughput: In internal benchmarks run from a Paris datacenter (100 Gbps upstream), ProtonVPN averaged 610 Mbps on a Plus account using WireGuard, 240 Mbps with Secure Core active. Results vary significantly by server load and exit geography.

Verdict: Best for users who want a trusted foundation without managing technical complexity, or who need the Proton ecosystem integration. Not ideal for users who require anonymous payment or need custom multi-hop routing.

Mullvad deep-dive

Jurisdiction: Sweden. Amagicom AB, founded 2009. Sweden is within the EU and subject to the EU Law Enforcement Directive. However, Mullvad's account architecture means there is structurally nothing to hand over.

No-log audits: Mullvad runs a quarterly audit program rather than annual point-in-time checks. Cure53 audited the full infrastructure in January 2025; the report covers RAM-only server verification, DNS resolver architecture, and account subsystem isolation. A separate audit of the iOS and Android clients was completed in March 2025.

Account architecture: Mullvad's defining feature is its account number system. Creating an account generates a 16-digit number. No email, no username, no phone number. If Mullvad receives a legal order for user data tied to an IP address at a given timestamp, the account subsystem contains no identifying information to provide. This is not a policy claim — it is an architectural constraint.

Server infrastructure: ~850 servers in 46 countries as of June 2026. Servers are RAM-only: the OS boots from a read-only image loaded into RAM, and power cycling destroys all session data. Mullvad owns hardware in its highest-traffic locations and colocates elsewhere. No cloud provider infrastructure.

Pricing (EUR): €5/month, no annual discount. One price. No free tier.

Anonymous payments: Accepts cash sent by post (fold bills into an opaque envelope, include your account number on a slip of paper), Monero (XMR), Bitcoin (on-chain, not via processor), and major credit cards. Cash and Monero provide complete payment anonymity.

Multi-hop: Supported. You can chain any two Mullvad servers in different countries. The client exposes this natively in the GUI. Latency overhead is typically 35–60 ms for European chains. Multi-hop across separate datacenters in different jurisdictions provides meaningful protection against a single-country data request.

Kill switch: OS-level lockdown mode. On Linux, nftables rules are applied before the tunnel comes up. On Windows, WFP. On macOS, PF with packet filter anchors. The kill switch is the default state — Mullvad calls it "always-on" mode.

DNS: Custom DNS resolver over encrypted DNS. By default, all DNS resolves through Mullvad's resolver inside the tunnel. Custom DNS is configurable. The Mullvad browser extension includes WebRTC IP leak prevention and blocks DNS outside the tunnel at the browser layer.

Throughput: 780 Mbps average on WireGuard from the same Paris benchmark environment. Multi-hop reduced this to 490 Mbps.

Verdict: Best technical architecture for minimizing trust surface. The account number system combined with RAM-only servers and Monero payments makes Mullvad the cleanest option for users who want to minimize what the provider can know about them, even under legal compulsion.

IVPN deep-dive

Jurisdiction: Gibraltar. IVPN Limited, registered in Gibraltar since 2009. Gibraltar is a British Overseas Territory; UK law applies in some areas but not others. IVPN operates under Gibraltar's data protection regulations, which are broadly equivalent to GDPR but enforced by the Gibraltar Regulatory Authority. Not subject to UK Investigatory Powers Act provisions that apply to mainland UK companies.

No-log audits: Cure53 audit of client applications completed October 2023. Infrastructure audit by Cure53 covering server architecture, no-log enforcement, and network configuration completed February 2025. Both reports are published in full on IVPN's transparency page.

Account architecture: Similar to Mullvad — account IDs rather than email addresses. No email required at signup. The Standard plan creates a single account ID; the Pro plan supports multi-hop.

Server infrastructure: 80 servers in 37 countries as of June 2026. Smaller than ProtonVPN or Mullvad. Servers run a hardened Debian base. IVPN publishes its full server configuration in an open-source repository, including firewall rules and daemon configuration. This level of infrastructure transparency is rare.

Pricing (USD): Standard plan $6/month (monthly) / $60/year. Pro plan $10/month (monthly) / $100/year. Pro includes multi-hop and port forwarding. No free tier.

Anonymous payments: Cash by post, Monero (XMR), Bitcoin on-chain. No affiliate program — IVPN explicitly removed its affiliate program in 2019, citing conflict of interest between commission incentives and independent editorial coverage. This is why it rarely appears in mainstream VPN rankings.

Multi-hop: Available on Pro plan. Unlike Mullvad's any-to-any pairing, IVPN's multi-hop routes through fixed entry/exit pairs by design. The anti-tracker feature is unique: IVPN's DNS resolver blocks tracking and malware domains at the resolver level, with separate blocklist tiers (standard, hardcore). The hardcore mode blocks Google and Facebook infrastructure entirely.

Kill switch: Firewall-based lockdown mode. On Linux, iptables/nftables. On macOS and iOS, system-level network extension. The kill switch is mandatory when using multi-hop.

Throughput: 520 Mbps on WireGuard from the Paris benchmark. Lower than Mullvad or ProtonVPN, consistent with the smaller server count. IVPN does not target high-throughput use cases.

Verdict: Best for users who prioritize infrastructure transparency and active anti-tracking at the DNS layer. The Pro plan's multi-hop combined with Monero payments represents the strongest anonymity stack of the three providers. The smaller server network is a trade-off.

Comparison matrix: 12 criteria

| Criterion | ProtonVPN | Mullvad | IVPN |
| --- | --- | --- | --- |
| Jurisdiction | Switzerland | Sweden | Gibraltar |
| No-log audit (last) | Cure53, Apr 2025 | Cure53, Mar 2025 | Cure53, Feb 2025 |
| Audit scope | App + partial infra | Full infra + app | Full infra + app |
| RAM-only servers | Partial (Secure Core) | Full fleet | Partial |
| Account anonymity | Email required | Account number only | Account number only |
| Monero payment | No | Yes | Yes |
| Cash payment | No | Yes | Yes |
| Multi-hop | Secure Core only | Any-to-any | Fixed pairs (Pro) |
| Kill switch | OS-level | OS-level (default on) | OS-level (mandatory) |
| Anti-tracker DNS | Limited | Blocklist optional | Hardcore mode |
| Open-source client | Yes (all platforms) | Yes (all platforms) | Yes (all platforms) |
| Price/month (cheapest) | Free / €5.99 | €5 | $5 |

Recommendations by threat profile

Privacy-aware developer or power user. Mullvad on WireGuard, account funded with Monero. Enable the kill switch by default. Use the Mullvad browser for high-sensitivity sessions. Single-hop is sufficient; you gain nothing from multi-hop unless your adversary has ISP-level traffic correlation capability.

Journalist or activist under active monitoring. IVPN Pro plan, multi-hop enabled, Monero payment. Pair with Tor Browser for communications, not general browsing. The fixed multi-hop entry/exit pairs in IVPN's architecture are slightly less flexible than Mullvad's any-to-any pairing, but the combination of the forced kill switch on multi-hop and Gibraltar jurisdiction is strong.

Privacy-maximalist / opsec researcher. Start with Mullvad for general traffic (account number + Monero + RAM-only fleet). Layer Tor for high-sensitivity communication. Do not use the same account across multiple devices if correlating those devices is a threat.

Road warrior / frequent traveler. ProtonVPN is the pragmatic choice here. The server count (9,200+) gives better geographic coverage, Secure Core provides multi-hop in unstable jurisdictions, and the free plan handles emergency situations where you need a working VPN without a local payment method. The weaker payment anonymity is acceptable when your threat model is coffee shop surveillance rather than state-level adversary.

User migrating from a mainstream VPN. Threat model first. If you are leaving a mainstream provider because of a disclosed data request, switch to Mullvad or IVPN and create a new account with a fresh payment method. Do not transfer your existing subscription or reuse credentials.


For the underlying browser layer that complements VPN protection, see State of browser privacy 2026 and the analysis of JavaScript engine security in Lockdown Mode.

Photo: Lars Kienle — Unsplash (source)