ExpressVPN Review 2018 | Is This The Best Fast and Secure VPN?

Today we’re going to review one of the VPN industry’s top dogs…ExpresVPN, and pick it apart piece by piece to see if it stands up to all the hype.

ExpressVPN is often touted as being one of the ‘fastest’ VPNs, which is a rather overused claim I’ve seen the vast majority of VPN services make.

 

However, ExpressVPN consistently gets good reviews and delivers a reliable service. But is ExpressVPN worth it, or are there some drawbacks making this provider unfit to secure your most personal and priceless data?

Let’s take a closer look, starting with a little background information regarding the company.

ExpressVPN – The Background

ExpressVPN is based out of the British Virgin Islands, which is advantageous for several key reasons.

It is generally undesirable to use a VPN service located in a country known for wiretapping scandals on the domestic population, coercing domestic businesses to forfeit sensitive customer records to governmental agencies, and sharing information international intelligence programs, such as the FiveEyes program.

As such, many users try to avoid VPN services based in the US, UK, Canada, Australia and New Zealand. It seems that of these five countries, people generally fear companies originating from the US the most due to the scandalous information leaked by Edward Snowden.

Fortunately, ExpressVPN is based outside the jurisdiction and subjugation of these countries and is headquartered in the British Virgin Islands.

At first glance, I was worried that the UK would have some manner of control over ExpressVPN since the British Virgin Islands are a British overseas territory.

However, it seems that there is a lot of gray area regarding the power of outside influences since the BVI tends to maintain some degree of autonomy by creating its own laws and regulations.

In fact, the BVI doesn’t have mandatory data retention laws, which is one reason why ExpressVPN can get away without logging users’ data (we’ll talk about this in much greater detail in a later section), which is great for privacy.

The key takeaway here is that ExpressVPN is headquartered in an extremely favorable location with lax data regulations with a very little governmental meddling.

Pricing

Next up, we’re going to take a look at the pricing model of ExpressVPN, including payment methods and money back guarantees. But first, let’s look at monthly costs. ExpressVPN offers three different payment options, as follows:

  1. Monthly subscription – $12.95
  2. Six-month subscription – $9.99
  3. Annual subscription – $8.32

expressvpn-pricing

ExpressVPN review

I’d also like to take a moment to offer my opinion on ExpressVPN’s pricing model. Compared to the rest of the market, ExpressVPN is, admittedly, more highly priced than its competition.

Consider that some providers, such as Private Internet Access VPN, only cost a mere $3.33 per month with an annual subscription.

I really think that $12.95 per month is a bit too high for a VPN tunnel, especially when there are cost savings with longer-term subscriptions.

Honestly, I think that $9.99 a month is still a little high, and greater than the majority of other services cost. $8.32 per month isn’t terrible, but it’s still in the middle and high end of the spectrum.

Furthermore, there isn’t a free version or a free trial of ExpressVPN. A few competitors do offer free trials or completely free versions. ExpressVPN, however, makes do with a 30-day money back guarantee, which is better than nothing.

I suppose you could view it as a free trial, but instead of consciously subscribing at the end of the free trial, you simply need to contact customer support to get your money back if you disliked the service before its too late.

Still, this 30-day guarantee is longer than others. I’ve seen many that only lasted for a week or two, so 30 days feels pretty generous.

At the very least, it’s a great way to remove risk for new subscribers and to give them a chance to test out the application and server speeds. Next, I wanted to talk about payment options as well.

Bitcoin has become a semi-standard payment option over the last few years and is frequently accepted as a valid means of payment, especially with digital services. ExpressVPN does accept anonymous Bitcoin payments, which might be a necessity in countries that track citizens’ online purchases of VPNs and security tools.

There are, however, all of the normal payment options as well, including Visa, MasterCard, American Express, Discover, JCB, PayPal, and several other less common alternatives.

To sum it up, ExpressVPN accepts all the normal payment options you would expect, as well as several unlikely payment methods.

ExpressVPN Key Features

The first feature I wanted to discuss was the relative size of ExpressVPN’s network of servers, which is more expansive than most other alternatives. In fact, I think I’ve only seen two or three other providers who had servers in more countries around the world.

HideMyAss VPN is the leader, with servers in approximately 200 countries around the world, though it varies from month to month as servers are decommissioned and new servers are brought online.

It’s more typical for the average service to have somewhere around 30 or 40 countries in which servers are hosted, so ExpressVPN definitely surpasses standard services with regards to global connection options.

In fact, unless you’re from a remote corner of the Internet, I’d wager that ExpressVPN hosts a server in every location users who simply want to unblock websites would want to connect.

In addition, I adore the fact that the software comes with a built-in kill-switch. A kill-switch will halt Internet traffic and downloads in the case of a VPN failure.

After all, if a VPN tunnel crashed and your traffic and downloads resumed shortly thereafter, all of your data would be sent through your local ISP in an unencrypted format. Such an occurrence is potentially disastrous if you’re downloading files via BitTorrent in an unforgiving region.

I was also moderately pleased to see users are afforded up to three simultaneous connections per account. This feature would allow an individual user to secure a laptop, smartphone, and tablet at the same time.

Or a user could share the simultaneous connections with family members. However, be aware ExpressVPN lags behind the rest of the market in terms of simultaneous connections.

Although it didn’t use to be so, these days providers are frequently offering five simultaneous connections per account.

I’ve even seen a small handful offer six simultaneous connections or more. Still, having said that, I do genuinely think that three connections are more than adequate for most people.

In summary, the following outlines ExpressVPN’s list of general features:

  • Servers in over 148 locations in 94 countries
  • Kill-switch included in the client
  • Up to three simultaneous connections per account
  • Split tunneling features
  • Zero-knowledge DNS
  • Fast and reliable servers
  • Available on Windows, Mac, Android, iOS, Routers (i.e. DD-WRT), and Linux

ExpressVPN Connections: OpenVPN – TCP vs. UDP

ExpressVPN offers a variety of connection protocols; in fact, I think ExpressVPN offers more connection protocol options than the average competitor. It’s fairly typical to see competitors use between one and three different protocols, but ExpressVPN technically has five. The greatest of which, and the one I would recommend using, is OpenVPN.

However, there are two different types of OpenVPN: UDP and TCP. On ExpressVPN’s website, it recommends trying UDP connections before TCP connections. Why is that? Well, UDP connections are typically faster than TCP connections because the underlying protocol has less overhead.

When data is sent via UDP, if a unit of data is lost along the way, it’s lost for good. The UDP protocol will not retransmit that data.

That’s great if the data was inconsequential anyway. For instance, if the data in question was a sliver of voice data, it wouldn’t do too much good to retransmit the datagram and have it arrive at the receiver out of order; otherwise, the voice quality would suffer and the call would sound garbled and unintelligible.

On the other hand, some types of data are incapable of tolerating packet loss, such as a file download. Unless each and every iota of data is successfully transmitted to the receiver, the file download would become corrupt.

Do note, however, that a VPN tunnel encapsulates other protocols like a wrapper. Even if you use OpenVPN with UDP, the VPN tunnel may be encapsulating a TCP session, in which the encapsulated protocol would retransmit data if there was packet loss.

The key takeaway here is that OpenVPN over UDP is generally faster than OpenVPN over TCP, which is why it’s recommended as the default option.

ExpressVPN Connections: PPTP

The next protocol offered by ExpressVPN I wanted to discuss is PPTP (Point-to-Point Tunneling Protocol), which is a rather archaic and antiquated protocol. PPTP was originally designed by a Microsoft consortium way back in 1999 (in computer-years, that’s about as old as a velociraptor fossil).

And even though PPTP still has its uses (though they are few and far between), I would advise to just avoid this protocol altogether.

The problem with PPTP is that it currently only offers weak security. Hackers and researchers found holes and flaws in this protocol’s security algorithms and found ways to break it. True enough, this protocol does encrypt data, but it isn’t the strongest form of encryption in use today.

In fact, using fairly inexpensive software, PPTP can be cracked, and all of the data sent through the PPTP tunnel could potentially be seen by a malicious third party.

How is PPTP useful, then? Well, PPTP has less overhead than other protocols, like OpenVPN. PPTP is actually a very lightweight protocol, so some folks prefer to use it on account of reduced overhead and a faster connection.

The catch is that the data sent through the tunnel cannot (or at least should not) be sensitive personal information. So, for instance, if all a user wants to do is unblock a foreign on-demand streaming site to watch the documentary Planet Earth, PPTP is likely an acceptable option.

After all, who really cares if a hacker gets their hands on your streaming video data and breaks the PPTP protocol, only to reconstruct the data and see an image of a fish or a bear?

The problem, however, is that users may inadvertently send other types of personal data through the PPTP tunnel while streaming their favorite shows. Besides, OpenVPN over UDP is more than adequate for streaming, so I’d caution you from ever using PPTP.

ExpressVPN Connections: SSTP

Unlike PPTP, SSTP (Secure Socket Tunneling Protocol) is a perfectly suitable and viable option to use in favor of OpenVPN. Yet again, since OpenVPN is open source software and platform independent, chances are just about any system you use will have OpenVPN available. But if you wanted to try another protocol just to see if you could get a superior connection, then SSTP isn’t a bad choice.

This protocol employs a type of encryption based on the SSL (Secure Sockets Layer) 3.0 protocol, which is standard and very secure. In fact, whether you knew it or not, you’ve already used an SSL-based protocol before, namely HTTPS.

Believe it or not, one of the great advantages of SSTP is the fact that it’s well suited for evading censorship imposed by firewalls and other networking devices.

For instance, it's possible to run a VPN connection over port 443 with SSTP, which would look like any other plain and boring HTTPS connection to a firewall. And also note that it’s highly impractical for any given network to block port 443 because just about everyone uses HTTPS these days.

Blocking port 443 would cause all sorts of web pages to stop functioning, from online banking sites to social media.

However, SSTP is very different from OpenVPN in one key regard: SSTP is not an open standard. Rather, it is a closed-source protocol developed by Microsoft. For some folks, that’s a huge red flag for a couple reasons.

Because OpenVPN is open source, any old average Joe or third party can view the source code. As such, OpenVPN lends itself well to security audits by independent third-party organizations.

In contrast, SSTP does not, and Microsoft has a dark and dismal history of complying with Federal US agencies like the NSA.

Microsoft was infamously included in a long list of domestic corporations who enabled the NSA to spy on US citizens, as evidenced by Edward Snowden. For that matter, Skype – which is under Microsoft ownership now – even allowed the NSA to spy on conversations.

For these reasons, people are still a little wary of SSTP encryption. Yet again, I would recommend sticking with OpenVPN, but I would prefer SSTP over PPTP.

ExpressVPN Connections: L2TP/IPsec

The last ExpressVPN protocol bearing consideration is L2TP/IPsec. This protocol, like PPTP, is readily available by default on most operating systems and is widely used. It is worth noting, however, that L2TP/IPsec is really two technology combined like Russian nesting dolls.

L2TP encapsulates IPsec; though on it’s own, L2TP offers no encryption. Instead, the IPsec protocol provides encryption.

Furthermore, note that IPsec encryption can utilize AES encryption, which can be 128, 256, 512-bits or longer in length. In reality, it’s fairly common to see AES-128 or AES-256 encryption used, which is strong enough encryption that the cipher cannot be broken – at least, not with modern technology. But, this protocol does have some drawbacks.

The first of which is the fact that it is fairly simple to block. While SSTP and OpenVPN are a little more malleable and configurable, L2TP/IPsec is not. Plus, it carries extra overhead with it since the data has to be encapsulated twice.

But the most glaring issue is yet another suspicion of governmental tampering. In fact, it is thought that the IPsec protocol was intentionally designed with some flaws due to governmental influence, though the details of cryptography are pretty heavy reading for the average user.

There does seem to be a lot of gray areas and lacks a definitive conclusion, so at best I’d call it reasonable speculation.

Nevertheless, I do think that L2TP/IPsec is a reasonable alternative for OpenVPN. In fact, if OpenVPN isn’t available, I’d say that L2TP/IPsec is your next best option, over SSTP and PPTP. In my experience, however, I haven’t run into a situation where OpenVPN failed or encountered significant problems.

In summary, the following outlines the types of connections offered by ExpressVPN:

  • OpenVPN, using both TCP and UDP (preferred)
  • SSTP (preferred when OpenVPN and L2TP/IPsec are unavailable)
  • L2TP/IPsec (preferred when OpenVPN is unavailable)
  • PPTP (avoid using if possible)

Logging Policy and Privacy Features

I did want to take a moment talk about logging as well, as it is one of the most important features of any VPN service. Most people think that VPN service providers have a 100% zero logging policy, and sometimes VPN providers make extravagant claims regarding a strict stance against logging.

But the reality is that any service is going to have to log some data – that’s just the nature of IT. Syslog data is often kept on servers for troubleshooting purposes, and even mainstream services commonly log metadata.

If you’re starting to feel paranoid, don’t worry – ExpressVPN, like most other providers, doesn’t log any user activities. In fact, you can feel reassured with the peace of mind you aren’t being spied upon by reading the following line from ExpressVPN’s privacy policy:

“We do not collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of your IP address, your outgoing VPN IP address, connection timestamp, or session duration.”

So, if ExpressVPN doesn’t log users’ activities or connection data, what does it log? The following list summarizes the information that ExpressVPN does record about its users:

  • Name, email address and payment information – required to set up an account
  • VPN connection summary statistics, such as the number of active connections on a server and the amount of data being sent through a server to measure its capacity
  • VPN connection diagnostics and crash reports, but users can opt out of this monitoring anytime if they so choose
  • Which build version of the app a user has active, for the purpose of aiding troubleshooting scenarios with the support department
  • Whether or not VPN connections are successfully established, but not your source IP address or what time of the day a user tries to connect
  • A quantity recording the total amount of traffic sent, yet not the contents of that traffic (basically a meter to see the volume of data users are sending through the tunnels)

And before moving on to the next section, I did want to describe in great detail the data which ExpressVPN does not record about its users:

  • Which websites you visit
  • The user’s true IP addresses
  • Which individual users connect to which specific VPN server locations, or at which time a user was connected

As you can see, even though ExpressVPN logs data (like every other provider), the data that does get logged isn’t really consequential. I would love to have a VPN service with a pure no-logging policy, but it just isn’t possible because the service needs to record some data for account management and billing purposes.

Still, rest assured that ExpressVPN won’t be able to see what you’re doing online and that it won’t share your email address with third parties either.

Doing so would be an invasion of privacy and betrayal of trust that would diminish the trust users have in ExpressVPN. That said, ExpressVPN does have to comply with the authorities, as would any other company in any other country. ExpressVPN’s Privacy Policy clearly states the following:

The BVI has no data retention laws, and any legal order requiring a BVI company to disclose customer records must come from the BVI High Court. Under BVI law, information requests from foreign courts or law enforcement are subject to a ‘dual criminality’ provision, meaning that the request is upheld by the BVI High Court only if the same crime is punishable by at least a one-year prison sentence under BVI law, had it taken place in the BVI. Should we receive a valid legal order from the BVI High Court, it is important to note that ExpressVPN does not collect any IP addresses, browsing history, traffic data, or DNS queries that could be used to identify any specific user.

ExpressVPN Speed Test

I did also want to take the time to run a speed test, too. However, do note that your mileage may vary, and the ultimate speed of any connection depends on a great many factors.

Some of the factors include which country you’re connecting to, how far away the VPN server from your current location, your personal Internet connection bandwidth, which protocol you’re using, whether or not your data travels through networks that impose rate limiting, and a whole variety of other factors.

More often than not, however, with the exception of countries imposing harsh Internet censorship and restrictions, connections are pretty darn fast. I’m personally using Google Fibre, although it’s not the full Gigabit connection, but rather the 5Mbps connection.

I tested several servers and found that I more or less had a speed consistent with my connection when not using a VPN tunnel.

I’m curious to see what the upper threshold for these VPN servers is on faster connections. At any rate, the following two results show my speed tests for Hong Kong and London:

  • Hong Kong – Download: 5.05Mbps; Upload: 0.98Mbps; Ping: 202ms;
  • London – Download: 5.07Mbps; Upload: 0.99Mbps; Ping: 100ms;

Customer Support

The last component of ExpressVPN’s service left to be addressed is customer support. Customer support is 24/7 and can be initiated via a live chat system (my favorite) or by email, but email is almost always the slowest option.

These days, I do feel a little strange using live chat because more often than not, some portion of the conversation (and in some cases all of it), is handled by a bot.

Still, I was able to ping the support department via live chat and get a response within 15 seconds. The support staff (or bot) seemed to be pretty knowledgeable, too.

I asked several questions regarding the strength of different security protocols and got detailed answers, as well as answers to general knowledge questions regarding the features of the service.

But there’s also more to the support department. I was impressed with the number of articles, how-to’s, and troubleshooting guides detailing steps to solving the most common problems.

I’m certain that the knowledge base can’t account for every eventuality and error, but ExpressVPN sure did do a great job of providing solutions to the majority of common issues.

Final Thoughts – Is ExpressVPN Worth It?

Overall, ExpressVPN is a fantastic provider with a well-rounded set of features. It’s no wonder this service a clear industry leader. In particular, I was pleased with the scope of server locations and the choice between UDP/TCP when using OpenVPN. I also thought the support was great, and that the online knowledgeable was more than adequate.

I also admired the integrity of the privacy policy and the no-logs policy, and couldn’t be happier that ExpressVPN is based in the British Virgin Islands.

There is no such thing as a perfect provider, however, and there was one thing that I really didn’t care for: the price. I think this service is too expensive unless you opt for the annual subscription plan.

Sure, paying $12.95 per month when you could get another ‘similar' service for $5.00 or $6.00 per month may seem expensive, but when considering that you are trusting your entire online privacy to one of these companies…you really do get what you pay for.

In the case of ExpressVPN, that is 24/7 customer support AND the piece of mind that your data is secure. This is a quality service, so the slightly increased costs are justified by the “you get what you pay for” mentality.

Sources and References