How to get the maximum protection from your VPN


Some people use VPNs for only a few very specific tasks - unblocking Netflix, anonymous torrenting and enhanced gaming, for example - but what if privacy is absolutely your top priority?

Are you one of those VPN users who want to protect just about all of your traffic, all of the time, and with all your privacy settings turned up to the max?

Most VPN apps have all kinds of features you can use to ramp up protection, but they're not always obvious and many are turned off by default. In this article we'll look at how you can best configure your setup for the maximum possible privacy.

Automatically connect

VPN apps typically don't connect until you ask, but if you're slow off the mark, that could leave a lot of system and app traffic unprotected.

If you'd like to avoid this entirely, then set the app to launch when your system starts. NordVPN's Windows app has a 'Launch at Windows startup' setting, for instance, and most services have something similar.

Next, look for an option to automatically connect when the app starts. ExpressVPN's desktop app has a 'Connect to the last used location when ExpressVPN is launched' setting which gets the job done, and ProtonVPN has an equivalent 'Auto Connect' option on its Connection menu.

If having the VPN on all the time is a step too far, look for any other auto-connect options your app might have. Many providers have a setting to automatically connect whenever you access a new Wi-Fi network, for instance. Turn this on and the app will protect you right away, whenever you access a hotspot. So there's no need for you to connect manually and no chance that you'll forget and leave your traffic exposed.


Block unprotected internet access

Automatic connections are a good start, but what if the VPN drops? Chances are your device will immediately switch to its regular unencrypted connection.

Turn on the kill switch and the app blocks your internet access if the VPN drops, reducing the chance that any data will be exposed.

But there could be a catch. By default, most kill switches only kick in if the VPN drops during a session. They won't protect you when your device boots, say, or if you accidentally hit the Disconnect button or close the app.

If that's a problem, and you don't want any traffic allowed unless the VPN is active, then look for an additional setting which turns the kill switch on all the time. ProtonVPN's sensibly-named 'Permanent Kill Switch' does exactly that, only allowing access to the internet when you're connected to the VPN.

Losing your internet is annoying, of course, and this could be a hassle if your VPN drops regularly - if that keeps happening, it might be a sign that you really need to be using another provider. But in the meantime, if your app has an 'auto-redial if the connection drops' option, make sure it's enabled to speed up reconnections.

It's a good idea to have the app raise an alert when it connects or the connection drops, too, so you're always aware of what's going on. If your app doesn't keep you informed, look for an option to 'Show notifications' or similar and check it's turned on.

Tighten up your VPN settings

VPNs often include all kinds of privacy-oriented settings and options, especially with their desktop apps. The defaults don't always offer the best protection, though, so it's a good idea to review them occasionally and make sure they're delivering what you need.

Does your app have specific options for DNS leak or IPv6 protection, for instance? Check they're enabled.
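If you'd rather verify than trust a checkbox, the sketch below shows one way to do it on Linux. It is an added example, not code from this article or from any VPN provider: it parses the text printed by `ip route show` and `ip -6 route show` plus the contents of `/etc/resolv.conf`, and reports any traffic or DNS server that would bypass the tunnel. The interface name `tun0`, the addresses and the sample data are constructed assumptions, and only the main routing table is considered (policy-routing setups and local stub resolvers such as 127.0.0.53 are not covered).

```python
import ipaddress

def parse_routes(text, v6=False):
    """Turn `ip route show` / `ip -6 route show` text into (network, device) pairs."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        dest = ("::/0" if v6 else "0.0.0.0/0") if fields[0] == "default" else fields[0]
        routes.append((ipaddress.ip_network(dest, strict=False), fields[fields.index("dev") + 1]))
    return routes

def egress_dev(addr, routes):
    """Longest-prefix match: the interface the main routing table selects for addr."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, dev) for net, dev in routes if net.version == ip.version and ip in net]
    return max(hits)[1] if hits else None  # None: no route, so nothing can leave

def audit(v4_text, v6_text, resolv_text, tunnel):
    """Return a list of leak descriptions; an empty list means nothing bypasses the tunnel."""
    routes = parse_routes(v4_text) + parse_routes(v6_text, v6=True)
    findings = []
    # One probe in each half of the IPv4 space (VPNs often install 0.0.0.0/1 and
    # 128.0.0.0/1 instead of replacing the default route) plus one IPv6 address.
    for probe in ("1.1.1.1", "198.51.100.7", "2001:db8::1"):
        dev = egress_dev(probe, routes)
        if dev not in (None, tunnel):
            findings.append(f"traffic to {probe} leaves via {dev}, not {tunnel}")
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            dev = egress_dev(fields[1], routes)
            if dev != tunnel:
                findings.append(f"DNS server {fields[1]} is reached via {dev}, not {tunnel}")
    return findings

# Constructed sample data (not captured from a real system).
V4 = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0"""
V6_LEAKY = """fe80::/64 dev wlan0 proto kernel metric 256 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium"""

if __name__ == "__main__":
    for msg in audit(V4, V6_LEAKY, "nameserver 192.168.1.1\nnameserver 10.8.0.1", "tun0"):
        print("LEAK:", msg)
```

With the sample data, IPv4 traffic is covered by the tunnel, but the IPv6 default route and the router's DNS server at 192.168.1.1 both still use the Wi-Fi interface, which is exactly what the IPv6 and DNS leak protection settings are meant to prevent.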

Some VPNs have a Custom DNS feature which lets you use your preferred DNS server when connected to the VPN. That can be a plus in some situations, such as using a server which blocks malicious websites (OpenDNS is a good example). But it also means that server gets to see every domain you visit. Turn Custom DNS off unless you're confident that you trust the server, and you really need whatever extra features it offers.

Many apps include a crash reporting or similar feature which sends data back to the provider. Every VPN that does this says it's all anonymous and includes nothing that could identify you, and probably they're right. But even if the odds are it's entirely safe, there's no benefit for you in taking the gamble. Just turn it off.

NordVPN, Surfshark and others have two-factor authentication (2FA) systems, where you're asked to verify your identity via a mobile (or some other route) whenever you access your account. It takes a few extra seconds, but goes a very long way to prevent your account from being hijacked.

If you don't have 2FA, at least make sure you're using a secure and unique password for your VPN, and change it every few months, to reduce your exposure if the account is hacked.

Take a look at your app's preferred VPN protocol, too. Are you using the most secure option? As a general rule, modern is better (say yes to WireGuard, but ignore PPTP if you care about security), but if you're unsure, then you can use our guide to the best VPN protocol to work out which is best for you.


VPN troubleshooting

Having your VPN active all the time increases privacy, but might introduce new problems, for example if the VPN conflicts with other apps. Fortunately, you can often address these with some quick settings tweaks.

Suppose a streaming app no longer works, for instance, because it detects the VPN and locks you out of the service. You might think that as you need to use that app, you'll have to give up on the idea of leaving the VPN connected.

But wait: maybe there's another way. If your VPN supports split tunneling, turn this on and you can set particular apps to bypass the VPN and use your regular internet connection instead. This isn't ideal, because you're removing the VPN's protection for those apps. But if they're not handling sensitive information, you may feel it's a step worth taking.

Connection times can be another annoying issue. If the VPN drops, it might take a few seconds before the app notices and redials, and then maybe another 20 seconds before it connects and your internet is available again.

If that's a problem for you, take a look at the protocol you're using. OpenVPN is secure, but we've seen it take 10-20 seconds (sometimes even more) to connect with some providers. If your app has WireGuard or an equivalent modern protocol (NordLynx, Lightway), switching can reduce connection times to a couple of seconds, maybe less, making a huge difference to your experience of the service.

Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.