Does your VPN have open-source apps? Here's why you should care


What's the most important factor when you're judging the best VPN? Speed, reliability, that it unblocks every streaming platform in the world? Maybe, but don't forget the apps. 

However it scores elsewhere, if the apps are short on features or difficult to use, that'll still trash your experience.

VPN providers understand this very well, and that's why most of them guard their apps closely. They keep them in-house, they're not used by other providers, and they're closed source - you can't see the source code.

This isn't a universal approach, though. Private Internet Access, ProtonVPN, Mullvad, AirVPN and others all have open-source VPN clients. Not only can developers look at the code to see how the apps work, other VPNs could even reuse it in their own apps.

While that sounds great, does it really matter to regular VPN users? Well, yes, we think it does. After all, almost all apps these days are built using open source software.

Although it’s not a magic bullet in itself, VPN providers who use open source software are a lot easier to trust, as their code is publicly available for experts to review. This makes it much more likely that any security bugs can be spotted and fixed quickly. You can also check exactly what kind of personal data of yours is sent to the VPN server.

Here, we'll explore further the benefits of open-source apps and why it might be worth considering when picking a provider.

Transparency

Have you ever looked at a VPN provider's feature list and wondered how you can tell whether they're really delivering what they say?

Many VPNs promise they'll block malicious websites, for instance, or ads, or trackers. But how good are they at doing this? How can you test the feature? If this is some no-name free VPN app you've just found online, can you even be sure the feature exists at all, and that the provider hasn't just made it up?

Choose a VPN which supports open source and it's a different story. Mullvad doesn't just claim to have ad and tracker blocking; its GitHub site shows how this works and even includes the lists of blocked domains for anyone to view.

Making a feature open source doesn't guarantee it's any good, of course. Still, just seeing Mullvad make the details available tells you it has some ad-blocking experience, and that the company has enough confidence in its solution to share it with the world.


Trust

We've peeked under the hood of a lot of VPNs, but it still surprises us to see just how really, really bad some VPN apps can be. Some bad actors even deliberately infect VPN apps with spyware in order to monitor what users are doing. 

If a provider is willing to open up its software to scrutiny, though, that deserves a lot of credit. Regular users won't even think of looking at the code, but a few experts will take an interest, and a company must be very sure of its quality to take that risk.

This confidence might not be justified, of course. Maybe the code isn't so great after all. Perhaps other developers will check it out and find some major bugs. Although that's not ideal, there's a positive side: going open source helps a VPN identify issues it's missed, giving it the chance to fix them more quickly.

VPN providers in some countries can also be subjected to secret court orders where they’re obliged to record data about VPN users. One way to do this would be to include a “backdoor” in the software which the provider can activate to start monitoring your connection.

Worse still, they can be required by law not to inform you they’re doing this, as happened to Ross Ulbricht, a.k.a. Dread Pirate Roberts, the head of the underground drugs website “The Silk Road”.

Using open source means experts can check the code to make sure this hasn’t happened. You should also consider choosing a VPN service that employs a “warrant canary”. This is where a provider regularly chooses to confirm that they have not been subjected to any secret warrants or subpoenas e.g. through a video address on the 1st of every month. If they ever fail to do this, you’ll know your data isn’t safe.  

Extensibility 

Software released under an open source license can be ‘forked’ or modified by anyone. This means a skilled programmer who feels a particular feature could be better, or who wants to add an extra feature, is free to make that change.

For example, AirVPN's Eddie is a free and open source OpenVPN app. It's packed with features, has built-in Tor support and runs almost everywhere (Windows, Mac, Android, Linux and more). And, best of all, you can easily use it with any other providers who support OpenVPN.

Just by taking a look at Eddie’s GitHub page, it’s easy to see the code has been ‘forked’ over 70 times. This may be simply to make the code more efficient or to include add-ons like automatic connection to another VPN service. Some developers might even modify it to support other VPN protocols like WireGuard.

However Eddie, or indeed any other open source tool, gets chopped and changed, the code can be made publicly available on sites like GitHub so others can benefit from these changes.

Valve’s work on the Steam Deck is another great example of this in action: the company’s currently paying over 100 developers to maintain and improve the open source tools necessary to keep their product working, such as graphics drivers. You may feel that they’re acting selfishly but actually this benefits the open source community too, as all improvements are made publicly available for others to use in their own software.

How active is your VPN?

We think a quality VPN should regularly update its apps, optimizing the code, adding new features and fixing bugs. It's tricky to tell if a service lives up to these standards, though, because most give you no real details on what's changed in an update.

The open-source world is different because development happens in public, at sites like GitHub, and anyone can see what's going on.

You don't need any technical experience or knowledge to get some value from this. For an example, take a look at ProtonVPN on GitHub.

This lists the various project names (android-app, win-app, ios-app and so on), and when they were last updated. If a VPN hasn't updated anything in months, that looks like a problem. But as we write, ProtonVPN has updated every project within the past 9 days - a great performance.

If you're the type of person who normally reads down 'What's New' lists and are curious to see exactly what's changed, click 'win-app' and the Commits link for an in-depth list of every recent addition.

Even if an update has been released recently, take a look at the time between commits to check that this is being done regularly, otherwise your software may fall behind. 
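The commit-regularity check described above, automated as an added example (not code from this article or from any VPN project): it reads committer dates in the format printed by `git log --format=%cI` and reports the time since the last commit and the longest gap between commits. The sample dates and the 90-day and 60-day thresholds are constructed assumptions.

```python
from datetime import datetime, timezone
from statistics import median

# Constructed sample: committer dates, newest first, in the strict
# ISO 8601 format printed by `git log --format=%cI`.
SAMPLE_LOG = """\
2024-03-18T09:12:44+01:00
2024-03-15T16:40:02+01:00
2024-03-01T11:05:19+01:00
2023-11-20T08:30:00+01:00
2023-11-17T14:22:51+01:00
"""


def commit_cadence(log_text, now, stale_days=90, gap_days=60):
    """Summarise how regularly a repository receives commits.

    stale_days and gap_days are illustrative thresholds, not a standard.
    """
    stamps = sorted(
        datetime.fromisoformat(line.strip()).astimezone(timezone.utc)
        for line in log_text.splitlines()
        if line.strip()
    )
    if not stamps:
        raise ValueError("no commit timestamps found")
    # Days between each pair of consecutive commits, oldest to newest.
    gaps = [(b - a).total_seconds() / 86400 for a, b in zip(stamps, stamps[1:])]
    since_last = (now - stamps[-1]).total_seconds() / 86400
    longest = max(gaps, default=0.0)
    return {
        "commits": len(stamps),
        "days_since_last": round(since_last, 1),
        "longest_gap_days": round(longest, 1),
        "median_gap_days": round(median(gaps), 1) if gaps else 0.0,
        "stale": since_last > stale_days,    # nothing committed recently
        "irregular": longest > gap_days,     # recent, but with a long silence
    }


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives reproducible output.
    now = datetime(2024, 3, 20, tzinfo=timezone.utc)
    for key, value in commit_cadence(SAMPLE_LOG, now).items():
        print(f"{key}: {value}")
```

On the sample, the repository is not stale (the last commit is under two days old) but is flagged irregular because of a gap of more than 100 days, which is the case a "last updated" date alone would hide.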


Shelf life

Another beauty of switching to open source software is that if a particular company or service stops being offered, the program is still available for others to ‘fork’. This can give you great peace of mind, as there’s nothing worse than using a proprietary program then being stuck because the developer no longer supports it.

The UK government found this out the hard way in 2014: when Microsoft dropped support for its elderly operating system Windows XP, the government hastily paid the company over £5.5 million (around $9 million) to continue support, as it was still running on so many of their machines. Microsoft also offered an “end-of-life” program to legacy users offering security updates but the British government decided not to pay for it, leaving their machines vulnerable.

Compare and contrast this approach with France’s police force, the “Gendarmerie Nationale”. When XP started to reach its end of life, they instead chose to install their own derivative of the FOSS (Free and Open Source) Linux operating system Ubuntu, called “GendBuntu”, on almost all their machines. The police had to hire an army of developers to make this change but now using open source software also saves them around 2 million euros ($2.17 million) every year.

As Ubuntu’s original source code is freely available to modify, there’s no danger that the police’s version of it, GendBuntu, will reach end of life until they choose to stop hiring developers to work on it.  

Having learnt their lesson, the UK government has now adopted the Open Document Format, and even managed to get Microsoft to support it in their Office 365 software. Microsoft’s reluctance to do this proves how powerful open source standards and software are, as “open document” files are supported in turn by open source software, so will never reach an “End of Life” as long as users still need them.  

Free tools

We've been focusing on the value of choosing a VPN with open-source technology, but that's not the whole story. Some providers make useful open-source tools which anyone can try, whatever service they're using.

Although you'll mostly get the best results from using your own VPN's apps, open source tools like Eddie could come in useful if, say, your VPN doesn't have an app for a particular platform, or you're trying to run it on old hardware (Eddie works on everything from Windows XP up, although using XP probably isn't a good idea for other security reasons, as you’ve seen).

Another Eddie plus is that there's a portable edition. You could save Eddie to a folder on a USB key, then plug it into another PC, and connect to your VPN without having to install the full app. Interested? It's open source, so you're free to download it and check it out for yourself.

If your VPN provider supports the OpenVPN protocol, we also can’t recommend OpenVPN Connect enough. 

As the program is free and open source, it’s available for Windows, macOS, Linux, Android and iOS. Setup is incredibly simple using .ovpn configuration files supplied by your VPN provider.

OpenVPN Connect also supports similar features to regular ‘client’ apps offered by VPNs. There’s an option to “auto connect” when you switch on your device. The latest versions also have a built-in “kill switch”, which will block all network activity if your VPN connection fails for any reason. 

Both Eddie and OpenVPN Connect are all well and fine if your provider supports OpenVPN, but what if they use a different VPN protocol?

The FOSS VPN tool Openswan supports connections via IPsec/IKEv2, which if set up properly using strong AES encryption is very safe. The tool is another ‘fork’, being based on the (now non-existent) FreeS/WAN project. Unlike its predecessor, Openswan supports only Linux at the time of writing but the developers encourage others to create their own ‘fork’ via GitHub. Again, as the software is open source, there’s no restriction on anyone doing so.

Windows and Mac users can use alternative open source VPN tool SoftEther, which supports a number of different VPN protocols. This is also the favorite program of VPN Gate users.

Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.
