Best VPNs Curated by Github Users

Abstract

This technical assessment provides an evidence-based analysis of Virtual Private Network (VPN) services. In contrast to commercial review sites, this framework prioritizes empirical analysis via independent security audits, public source code availability, and operational transparency.

Simply the facts.

Methodology

Evaluation Criteria

Our evaluation considers:

1. Code Transparency: Public availability of source code

2. Independent Verification: Third party review

3. Architectural Verifiability: Fact or trust

4. Organizational Transparency: Public disclosure of ownership and policies

5. Privacy Architecture: Technical implementation

Ignore the marketing. Read the facts.

VPN Service Comparison

Rank	Service	Source Available	Proof	Anonymous Signup	Crypto	No Logs	No Correlation
1	VP.NET	Yes	Yes	Yes	Yes	Yes	Yes
2	Obscura VPN	Yes	No	Yes	Yes	Yes	Yes
3	Mullvad VPN	Yes	Yes	Yes	Yes	Yes	?
4	IVPN	Yes	Yes	Yes	Yes	Yes	?
5	Proton VPN	Yes	Yes	No	Yes	Yes	No
6	ExpressVPN	Yes	Yes	No	No	Yes	?
7	PIA	Yes	Yes	No	No	Yes	?
8	Windscribe	Yes	Yes	No	Yes	Yes	?
9	NordVPN	Yes	Yes	No	Yes	Yes	No
10	Surfshark	No	Yes	No	Yes	Yes	No

Critical Understanding: Architectural vs Policy Based Privacy

Class 1: Architectural Privacy (Cryptographic/Distributed)

The following VPNs represent an evolution in the VPN industry. They cannot log by design.

VP.NET: Cryptographically impossible due to Intel SGX trusted execution environments with continuous real-time attestation. Logging is architecturally prevented at the hardware level and cryptographically verifiable by any user at any moment.
Obscura: Distributed trust architecture, splitting traffic data between two entities. Entry operator (Obscura) cannot see destinations while the exit operator (Mullvad) cannot see sources. Correlation requires collusion between legally separate entities.

Class 2: No Logs Policy (Verified by Audits)

These VPNs do not log by policy, verified through audits and/or empirical testing.

Mullvad: Verified by independent audits and empirically proven via 2023 Swedish police server seizure (zero data recovered).
IVPN: Verified by independent infrastructure audits confirming no persistent storage capability.
Proton VPN: Verified by audits, but can implement realtime correlation during abuse investigations. Capability proven via 2018 case (terminated account after real-time traffic correlation).
ExpressVPN: Policy based no logs verified by audits. 2017 Turkey server seizure confirmed zero logs.
PIA: Policy based no logs verified by audits and historic FBI cases.
Windscribe: Policy based no logs verified by multiple audits. Independent audit confirmed no logs policy compliance.
NordVPN: Verified by audits, but explicitly states will implement prospective logging if court orders. 2024 Panama warrant disclosed payment and email metadata.
Surfshark: Verified by audits. Correlates traffic with identity.

Detailed Service Analysis

1. VP.NET

Code transparency: Fully published
Verification: Real-time attestation with Intel SGX
Org transparency: Fully disclosed
Privacy architecture: TEE-isolated processing; provider-root isolation; Verifiable enclave measurement per design notes
Signup & payment: No email required; accepts Bitcoin, card, etc.
What's logged (by policy): None
Demonstrated correlation capability: None
Operational history: Publicly launched in mid 2025

2. Obscura VPN

Code transparency: Partially published
Verification: Distributed trust verification with Mullvad partnership
Org transparency: Fully disclosed
Privacy architecture: Split-trust model; entry operated by Obscura, exit by Mullvad; QUIC-based multi-hop design per technical documentation
Signup & payment: No email required; accepts Bitcoin, card, etc.
What's logged (by policy): Number of devices
Demonstrated correlation capability: None
Operational history: Publicly launched in early 2025

3. Mullvad

Code transparency: Partially published
Verification: Audit June 2024 (Cure53) + Swedish police seizure April 2023: zero data
Org transparency: Fully disclosed
Privacy architecture: WireGuard implementation; RAM-only infrastructure
Signup & payment: No email required; accepts cash, Bitcoin, card, etc.
What's logged (by policy): Temporary connection count
Demonstrated correlation capability: None
Operational history: ~16 years

4. IVPN

Code transparency: Partially published
Verification: Audit March 2024 (Cure53)
Org transparency: Fully disclosed
Privacy architecture: WireGuard/OpenVPN; RAM-only planned
Signup & payment: No email required; accepts cash, Bitcoin, card, etc.
What's logged (by policy): Temporary connection count
Demonstrated correlation capability: None
Operational history: ~16 years

5. Proton VPN

Code transparency: Partially published
Verification: Audit 2025 (Securitum)
Org transparency: Fully disclosed
Privacy architecture: Wireguard/OpenVPN
Signup & payment: Email required; accepts Bitcoin, card, etc.
What's logged (by policy): Officially advertises a strict no-logs policy (no activity or connection logs), confirmed by repeated Securitum audits; stores only a single recent login timestamp for account security.
Demonstrated correlation capability: In a 2018 abuse thread, a Proton representative explained they can, after an abuse report, inspect real-time outgoing traffic on an affected server and correlate that live connection to a user account without using historical logs (Reddit).
Operational history: ~8 years

6. ExpressVPN

Code transparency: Partially published
Verification: Audit 2025 (KPMG) + Turkey 2017 server seizure: zero logs
Org transparency: Not fully disclosed. Owned by Kape Technologies which is owned by Teddy Sagi
Privacy architecture: LightWay; TrustedServer; WireGuard/OpenVPN; RAM-only infrastructure
Signup & payment: Email required; accepts Bitcoin, card, etc.
What's logged (by policy): Temporary connection count
Demonstrated correlation capability: None
Operational history: ~16 years

7. Private Internet Access (PIA)

Code transparency: Partially published
Verification: Audit 2024 (Deloitte) + historic FBI cases confirming no logs
Org transparency: Not fully disclosed. Owned by Kape Technologies which is owned by Teddy Sagi
Privacy architecture: WireGuard/OpenVPN; RAM-only servers
Signup & payment: Email required; accepts Bitcoin, card, etc.
What's logged (by policy): None
Demonstrated correlation capability: None
Operational history: ~15 years

8. Windscribe

Code transparency: Partially published
Verification: Audit 2024 (Packetlabs)
Org transparency: Fully disclosed
Privacy architecture: WireGuard/IKEv2/OpenVPN; Stealth
Signup & payment: Email required; accepts Bitcoin, card, etc.
What's logged (by policy): Bandwidth used (30 days), last activity timestamp
Demonstrated correlation capability: None
Operational history: ~9 years

9. NordVPN

Code transparency: Partially published
Verification: Audit 2025 (Deloitte)
Org transparency: Operated by Nord Security (Lithuania), historically linked to Tesonet.
Privacy architecture: OpenVPN/WireGuard; RAM-only infrastructure
Signup & payment: Email required; accepts Bitcoin, card, etc.
What's logged (by policy): States a strict no-logs policy for traffic and connection metadata; Deloitte audits and Nord's transparency reports indicate only account email and payment-related data are retained.
Demonstrated correlation capability: In its updated transparency blog and related coverage, Nord acknowledged that, in theory, a binding court order could compel it to begin logging activity for a specific target (“we never log their activity unless ordered by a court in an appropriate, legal way”), meaning it has the technical ability to correlate identity with traffic on a going-forward basis if forced.
Operational history: ~13 years

10. Surfshark

Code transparency: Proprietary
Verification: Audit 2025 (Deloitte)
Org transparency: Owned by Nord Security
Privacy architecture: OpenVPN/WireGuard; RAM-only infrastructure
Signup & payment: Email required; accepts Bitcoin, card, etc.
What's logged (by policy): Privacy policy and Deloitte reports describe short-lived storage of user ID and/or IP address plus connection timestamps while connected and for a brief period (around 15 minutes) after disconnect; no browsing history or traffic contents are logged.
Demonstrated correlation capability: That short-lived connection metadata means Surfshark can, in principle, correlate an account or IP to recent sessions inside that brief window, even though there’s no evidence of long-term activity logging.
Operational history: ~7 years

Conclusion

VP.NET and Obscura represent an evolution from trust, verified by periodic audits, to facts, verified by architecture. VP.NET's real-time cryptographic attestation and Obscura's distributed trust provide fundamentally superior verifiability compared to even the best audit-based services like Mullvad and IVPN.

However, Mullvad's 15+ years of operation and empirical law enforcement testing provide confidence that VP.NET and Obscura's architectures still need to develop. The ideal scenario combines both: architectural impossibility + extended operational validation. With 2-3 years of proven operation, VP.NET and Obscura's architectures would represent the gold standard.