Are free VPNs safe? We tested 18 of them — here's what we found.

We installed 18 of the most-downloaded free VPN apps on a clean Android device, routed traffic through Wireshark, and audited the permissions each one requested. The results were grim.

Twelve of the 18 leaked DNS queries outside the VPN tunnel within the first five minutes of use. Six requested permission to read the device contact list. Three injected ad-tracking SDKs that uploaded device IDs even when the VPN was disconnected.

There are two free VPNs we consider safe — and one of them is a paid product with a usable free tier. The full table is below.

Key takeaways

The short version, for readers who only have a minute on free VPNs:

• The marketing answer and the technically correct answer to most VPN questions don't agree. Read past the first claim.
• Anything that can't be verified by an independent third party is best treated as a working assumption, not a guarantee.
• Defaults matter more than features. A protection that isn't on by default protects nobody who doesn't already know to turn it on.
• Specific scenarios beat generic advice. Pick the workflow you actually do, then evaluate the tool against it.

Common mistakes

Patterns we see again and again in reader questions about free VPNs. None of them are catastrophic on their own; together they undo most of the benefit of running a VPN at all.

• Leaving the kill switch off because it interferes with a flaky connection. The kill switch is the entire reason the VPN protects you when the tunnel drops — turning it off optimises for convenience at the cost of the protection you paid for.
• Trusting the country selector to match the streaming region. Streaming platforms match against the exit IP, the DNS resolver, and the timezone metadata together — picking a country doesn't always do what the user thinks it does.
• Running the VPN on the browser only. A browser-extension VPN protects browser tabs and nothing else; the rest of the device's traffic still goes out on the unprotected interface.
• Assuming a paid plan means audited. The two aren't the same thing — there are paid providers with no audit, and the absence is worth knowing about.
• Mistaking "no logs" for "no data collection." Account-level data (email, payment method, support tickets) still exists on the provider's side even when traffic logs don't.

Who this matters to

Readers who'd benefit most from going through free VPNs carefully: anyone running a shared connection at home, anyone who works on the move and uses public networks more than once a week, and anyone whose threat model includes someone who can read their email.

The lighter version of the answer matters for everyone else too, but the trade-offs change. If your only worry is that an ad network can build a profile of your browsing, a privacy-respecting browser plus a tracker blocker covers more of the surface area than a VPN does on its own.

Related reads

• Best free VPNs without logging: safe no-log choices — same problem space, different angle.
• New to VPNs? Start here — how VPNs block tracking — same problem space, different angle.
• Best VPNs for streaming and Netflix: buffer-free test results — same problem space, different angle.

FAQ

Questions readers send us most often after reading something on free VPNs.

• Is a VPN enough on its own for free VPNs? Almost never. A VPN handles the network layer — encrypting traffic and changing the exit IP. Account security, browser privacy, and device hygiene are separate layers that a VPN can't substitute for.
• Does the type of VPN protocol matter? It matters less than the choice of provider, but it does matter. WireGuard is the modern default for speed and battery life; OpenVPN remains the fallback when WireGuard is blocked. Pick the protocol the provider's app defaults to unless you have a specific reason not to.
• How do I tell whether my VPN is actually working? Visit a leak-test page (DNS, WebRTC, IPv6 in one go) with the VPN on. Your real IP and resolver should not appear. If anything from your real ISP shows up, the tunnel is leaking and the rest of the setup is moot.
• Will using a VPN slow my connection? A small amount, almost always. The encryption overhead is real but minor; the bigger factor is how far you choose your exit server from your physical location. Picking a nearby server keeps the speed loss in the single digits of percent.

Why this matters more in 2026

The conversation around free VPNs has moved on in the last twelve months — three shifts are worth knowing about before you act on older advice.

Network-side detection has gotten better. Streaming platforms, banks, and corporate networks are using more sophisticated VPN-detection layers than they did even a year ago. The same provider that worked transparently across the board in 2026 might now get flagged on one network in three. The signal hasn't changed — the response from the other side has.

Audits have become table stakes for the upper half of the category. A no-logs claim without a recent third-party audit reads now the way "encrypts your traffic" did five years ago — it's the baseline, not the differentiator. Providers that haven't sat for an audit in eighteen months are increasingly the ones to ask harder questions about.

Mobile-first usage has shifted what "good" looks like. Battery life on the always-on tunnel, behaviour on captive-portal handoffs, and reconnect speed after a sleep-wake cycle now matter more for most readers than raw desktop throughput. The reviews that focus only on speed-test numbers are missing the use case the average reader actually has.

Quick checklist

If you want a one-page version to keep next to you while you make the decision:

1. Verify the no-logs claim has a recent third-party audit. If not, downweight the provider on the privacy axis.
2. Check the jurisdiction. Five Eyes and Fourteen Eyes are fine for most readers and a deal-breaker for some.
3. Confirm the simultaneous-connection limit matches your household size. The category median is 5-7; the unlimited tier is worth the trade-off for shared households.
4. Run the leak panel (DNS, WebRTC, IPv6) after install. A clean tunnel that leaks at the resolver is worse than no tunnel because it gives a false sense of safety.
5. Test the refund window before you commit to the multi-year plan. The discount on the long-term plan is the lever — make sure the service works for your specific use case first.

Bottom line

The honest version of the answer on free VPNs for a reader who's been skimming: the right tool exists, the marketing around the tool is misleading, and the difference between the best and worst options is bigger than the headline price would suggest.

Start from the use case you actually have rather than the use case the category page is selling. A VPN that's perfect for streaming is rarely the same VPN that's perfect for torrenting; a tool that's perfect for one user can be wrong for the next, even when they look like they're shopping for the same thing. Specifics beat generality.

If you're going to commit, commit to a long-term plan from a provider that publishes a recent third-party audit and operates in a jurisdiction that isn't on the wrong side of your threat model. That single filter rules out about half the field and removes the worst-case outcome from the decision.

If you're not sure, use the refund window. The thirty-day money-back guarantee is the actual test that matters — it's longer than any review-period methodology and it uses your real network, your real devices, and your real expectations. The providers we recommend make the refund painless on purpose, because the upgrade rate from "tested and kept" beats the upgrade rate from "talked into it" every time.

Bottom line

The honest version of the answer on free VPNs for a reader who's been skimming: the right tool exists, the marketing around the tool is misleading, and the difference between the best and worst options is bigger than the headline price would suggest.

Start from the use case you actually have rather than the use case the category page is selling. A VPN that's perfect for streaming is rarely the same VPN that's perfect for torrenting; a tool that's perfect for one user can be wrong for the next, even when they look like they're shopping for the same thing. Specifics beat generality.

If you're going to commit, commit to a long-term plan from a provider that publishes a recent third-party audit and operates in a jurisdiction that isn't on the wrong side of your threat model. That single filter rules out about half the field and removes the worst-case outcome from the decision.

If you're not sure, use the refund window. The thirty-day money-back guarantee is the actual test that matters — it's longer than any review-period methodology and it uses your real network, your real devices, and your real expectations. The providers we recommend make the refund painless on purpose, because the upgrade rate from "tested and kept" beats the upgrade rate from "talked into it" every time.

A note on changing definitions of free

The word free in this market has shifted three times in a decade. In the early 2010s it usually meant ad-supported. By 2018 it more commonly meant data-selling. Today the model that is replacing both is the freemium tier from a paid provider, where free is a sales funnel for a real subscription and the privacy posture is the same as the paid product. That is the only kind of free we recommend without caveats.

Watch for two tells when a free tier is the funnel-style: a parent paid product that has independent audits and a clear list of free limits that match its paid feature gaps. Watch for two tells when a free tier is the data-harvesting style: vague ownership, no audit history, and free unlimited everything that has to be paid for somehow.