I like using my virtual private network, or VPN, for casual activities like staying private while browsing the internet or unblocking streaming content from around the world, just like anyone else. But when I really need to lock down and make sure my privacy protections are optimal, I adjust a few of my VPN’s default settings.
Most VPN apps default to optimal speed and usability to help people get started with as little friction as possible and ensure the VPN runs smoothly out of the box. But while your VPN’s default settings will typically deliver enough protection, there are usually settings you can adjust to get a privacy boost.
There are many situations in which you’d need to optimize your VPN’s privacy settings. If you’re a lawyer, doctor, activist, whistleblower, journalist or anyone else engaging in an activity that requires critical privacy, you’ll want the most you can get out of your VPN at all times. If you’re in a region where VPN use is outlawed or restricted, you need to be extra careful to stay private, on top of taking steps to hide your VPN usage altogether.
Even if you’re mostly a casual VPN user who doesn’t fit into any of those categories, you’d want to take additional precautions if you’re torrenting or want to hide your activity from network administrators on public Wi-Fi — activities that often carry added risk.
These are the VPN settings I enable when I need optimal privacy
Some of these settings will likely be enabled by your VPN by default, but it’s still important to double-check the settings to make sure before using your VPN for any privacy-critical activities. Also, bear in mind that setting availability and functionality may differ slightly from one VPN provider to the next, but generally speaking, most of our top picks incorporate the following features in one way or another into their settings menus.
Kill switch
This one is usually enabled by default, and some VPNs (like Mullvad) don’t even let you disable it. And for good reason: The kill switch is arguably the most critical VPN privacy feature. It automatically kills your internet connection if the VPN unexpectedly disconnects, helping ensure that your online activity isn’t inadvertently leaked to your internet provider or network administrator. Having your kill switch enabled is important at any time, but especially when the privacy of your online activity is paramount. If your VPN doesn’t include a kill switch, you should start looking for a different VPN immediately.
DNS leak protection
Not every service does, but if your VPN has a separate setting for DNS leak protection, make sure it’s enabled at all times. DNS leak protection helps ensure that your DNS requests — attempts to access a website — are resolved through the VPN provider’s encrypted DNS servers rather than through your internet provider’s. If your device bypasses the VPN tunnel and sends your DNS requests to your internet provider, a DNS leak occurs and your internet activity can be exposed. You can easily check for DNS leaks by connecting to a VPN server and checking a site like ipleak.net or dnsleaktest.com.
Secure VPN protocol like OpenVPN, WireGuard or equivalent
Not all VPN protocols are equal. For optimal privacy, I recommend using either OpenVPN, WireGuard or an equivalent proprietary VPN protocol, if available. OpenVPN is a secure, time- and battle-tested VPN protocol that delivers decent speeds coupled with air-tight privacy. WireGuard is a newer protocol that typically gives you faster speeds while offering comparable privacy protections. Some VPNs like ExpressVPN and NordVPN have developed their own proprietary protocols that also offer fast speeds and top-notch privacy. NordVPN and others like Proton VPN and Windscribe also offer dedicated obfuscation protocols that aim to disguise your VPN traffic as regular internet traffic to help you evade firewalls. Outdated VPN protocols like PPTP or L2TP/IPSec should be avoided.
Obfuscation
If you’re in a region that restricts or outlaws VPN use (or if you’re on a restricted network at school or work), you’ll want to hide the fact that you’re using a VPN in the first place. Obfuscation is a tool many VPNs provide that can help you do that. Some VPN providers, like Windscribe, NordVPN and Proton VPN, have dedicated obfuscation-focused protocols you can use to try and hide your VPN use. Surfshark has obfuscation baked into its OpenVPN implementation, and ExpressVPN automatically activates its obfuscation technology when it detects network interference. Other VPNs have specialty servers specifically dedicated to obfuscating VPN traffic. Obfuscation is key for getting around restrictive firewalls and bypassing censorship efforts, but if you’re living in a country where VPNs are illegal, keep in mind that obfuscation may not have a 100% success rate.
Post-quantum encryption
More and more of the top VPNs are beginning to roll out post-quantum encryption, which is designed to protect users against potential future threats from quantum computers. Depending on your VPN provider, post-quantum encryption may be a separate setting you can toggle on or off, or it might automatically be enabled when using a specific VPN protocol. Even though we’re still years away from quantum computing being a threat to modern encryption, post-quantum encryption is still important to have now to protect against attackers who may attempt to intercept encrypted traffic now in hopes of decrypting it later with quantum computers.
Multi-hop
Multihop, sometimes called double-hop or double VPN, routes your connection through two VPN servers instead of just one. This common feature gives you an extra layer of encryption and can make it even harder to track you online. While multi-hop might be overkill for most VPN users, it can add a bit of extra peace of mind for someone with critical privacy needs who needs to take extra precautions. In addition to multi-hop, some VPN providers like NordVPN and Proton VPN also include a Tor over VPN feature, which routes your VPN connection through the Tor network and is another way to add a layer of encryption and boost your privacy.
IPv6 leak protection
IPv6 leaks can happen when your device or a website you’re visiting uses IPv6 and your VPN isn’t configured to handle IPv6 traffic, causing that traffic to route outside the encrypted VPN tunnel. This can expose your online activity to your internet provider. Although some VPN providers are rolling out full IPv6 support, many still do not support IPv6 traffic and instead are either configured to block IPv6 traffic altogether or have an IPv6 leak protection setting you can toggle on or off.
Auto-connect
Especially if you’re traveling and connecting to different public Wi-Fi networks, a VPN auto-connect feature can come in handy. This way, you can have your VPN automatically connect when you boot up your computer or launch your VPN app so you don’t risk forgetting to connect to the VPN on certain networks. Depending on the VPN, you can configure the auto-connect feature to automatically connect when on all networks, unknown networks or specific networks that you designate.
Threat protection features and other extras
Many VPNs offer extras like threat protection features that can help block ads and trackers from following you around the web and building a profile on you. Threat protection can also help block you from connecting to known malicious sites, protecting you from potentially handing over sensitive information to cybercriminals. Other extras like Mullvad’s DAITA, which can protect against AI-driven attacks, and Windscribe’s anti-fingerprinting feature can help boost your privacy even further. Check with your VPN provider’s settings to uncover bonus features that can enhance your online privacy in novel ways.
Bottom line
While using a VPN to unblock streaming content from around the world is a common use case, VPNs are primarily designed for privacy. Your VPN app might not optimize for privacy right out of the box, so make sure you take a bit of time to go through the settings and enable those that give you the level of privacy you require. Keep in mind that enabling certain settings (like multihop or obfuscation) can slow your connection speeds, but if your ultimate goal is optimal privacy, a slower connection is a worthwhile trade-off.
It’s also important to remember that VPNs are only part of the equation. On top of your VPN, I recommend adding a password manager and antivirus software to your toolbelt to truly optimize your online privacy and security.