Packing a privacy punch and unsurpassed speeds, the juggernaut virtual private network has battled its way back to the top after a year of brutal blows.
ExpressVPN, one of the largest commercial virtual private networks, retains our Editors’ Choice for VPNs in 2022 based on its exceptional performance during our updated independent testing. Along with features for gaming, streaming and secure torrenting, the VPN caused less than 2% of average internet speeds to be lost, and leaked no data in June privacy tests. In this review of ExpressVPN’s version 10.17.0, you can expect routine updates to price data and test results. Any editorial changes will be noted at the bottom of this article. Our review of the VPN’s previous version, ExpressVPN review: Pricey, but speedy and great for streaming, was first published Dec. 16, 2019.
- Current fastest VPN we’ve tested
- Unblocks Netflix, great for gaming and P2P
- Solid security and transparency, zero leaks
- Excellent customer support, easy refunds
- Owned by Kape Technologies
- Limited port forwarding
- No split-tunneling on MacOS Monterey
- Pricier than competitors
Since the last time I wrote about ExpressVPN, its story has taken a turn for the absurd.
Despite its undeniable improvements in speed and cost-value, its bar-raising transparency measures and relentless pursuit of enhanced security, the industry behemoth suffered a brutal two-punch combo to its reputation in 2021. First came the company’s purchase by Kape Technologies, the former ad-tech purveyor with a questionable past. A day later, the DOJ announced the cooperation of ExpressVPN’s CIO with the FBI in an unrelated DOJ investigation. The latter situation prompted a vocal thumbs-down from NSA whistleblower Edward Snowden.
When the bell rang, privacy-savvy users around the world had just one key question: Should those of us with critical privacy needs trust ExpressVPN?
For the better part of half a year I’ve been examining every nook and cranny of ExpressVPN’s operation, squinting through sweat under blinding lights, quizzing engineers while compiling test results. I’ve done everything short of manhandling its bare-metal RAM and, somehow, the thing looks clean to me.
I’m surprised to be saying that, because after the Kape acquisition, I thought ExpressVPN’s earlier consumer-friendly terms of service and privacy-centric British Virgin Islands jurisdiction were toast. I assumed they would suffer the same interference that CyberGhost suffered from Kape after the company gobbled up that VPN (and several others) in the previous decade. In fact, I was ready to preemptively wave consumers away from ExpressVPN, assuming that changes for the worse were on deck. But I ultimately decided to wait for the company to codify its post-Kape terms of service — using the time to retest how ExpressVPN’s speed and security fared in 2022. In the meantime, ExpressVPN’s new terms of service have emerged, arguably better than they were before.
Now, all of that said: Do I trust ExpressVPN? No, I don’t trust VPNs, I gamble my career on them. But in the current environment, ExpressVPN is still the safest bet I’ve seen even for the most privacy-critical users.
ExpressVPN’s peerless performance and zealous transparency in the face of our heightened scrutiny make it worthy of its continued mantle as our Editors’ Choice. And because of that, I currently recommend it even to users with privacy-critical needs. Let me show you what I mean.
Speed: Leading the pack once again
- Average speed loss: 2% speed lost in April 2022 tests
- Number of servers: 3,000-plus
- Number of server locations: 160 in 94 countries (two in Hong Kong)
- Number of IP addresses: 30,000-plus
I ran my standard speed tests for ExpressVPN over the course of three days in April, using the VPN’s clients for Windows, MacOS, Android and iOS. Internet speeds in the US vary widely by state and provider. And with any speed test, results are going to rely on your local infrastructure, with hyperfast internet service yielding higher test speed results. That’s one reason we’re more interested in the average amount of speed lost, which is typically half or more for most VPNs.
Whatever ExpressVPN’s doing, they should keep doing it. When I tallied the results of my 2021 manual speed tests, I dreaded having to write about the industry’s previous speed-leader falling to the middle of the pack with a 52% overall speed loss after seeing it surge ahead in 2019 and 2020 with an astounding 2% speed loss. I never would have imagined seeing ExpressVPN bounce back to a 2% speed loss, even with the boost provided by its new Lightway protocol. Yet, here we are. Call it the Return of the King if you like, but I was stunned.
Overall average speeds without a VPN across all countries tested: 162.01 Mbps. With ExpressVPN using OpenVPN UDP protocol? 159.62 Mbps. Wow.
There were rough spots that dragged the average down, but never by much. New York servers, a regularly crowded sector of any VPN, still showed an average speed loss of less than 12%. I got an average of 124.31 Mbps connecting to a single server in the city without a VPN from my office in Kentucky. The average with OpenVPN UDP protocol enabled on ExpressVPN was 141.21 Mbps.
In areas of Europe where we normally see the fastest speeds with any VPN, the average speed loss was even tighter. Connecting to a single Paris server, OpenVPN UDP speed loss averaged a startling 0.59%. Average speed without a VPN was 124.2 Mbps, and with OpenVPN UDP it was 123.57 Mbps. I kept 99.49% of my non-VPN speeds.
Lightway UDP somehow managed to improve on already astonishing Paris scores — with the same server, during the same testing rounds, at the same hour of the day — I retained an average 123.9 Mbps of my non-VPN 124.2 Mbps average.
OpenVPN protocol speeds, whether you’re working with UDP or TCP, are almost never as fast as what you get with more agile UDP protocols like those based on WireGuard or the lightweight IKEv2 you normally see with VPN apps for iOS. ExpressVPN, however, is threatening to break that idea to pieces.
Cost: Premium price, but a rich payoff
- Price: 5 simultaneous connections for $13 per month, $60 for six months, or $100 for a year (bonus: get an extra three months free)
- Value: Most reliable for Netflix, 24/7 live support, 30-day refund
- Gaming: Low ping, Smart DNS, router app for multi-console
- Torrenting: No bandwidth caps, split-tunneling, all servers P2P friendly
- Platforms: Mac, Windows, Android, iOS, Linux, and a slew of others
Yes, $100 for 15 months of VPN service is a lot. And that’s with the discounted price of three extra months. ExpressVPN’s normal annual cost is $100 for 12 months. By comparison, a one-year subscription to NordVPN currently runs $60, then $100 annually after the first year. Surfshark and NordVPN are officially under the same corporate parent now, but Surfshark’s one-year plan is the cheapest we’ve seen among tested providers at $48. It too jumps up to $96 annually every year afterward. In both cases, ExpressVPN’s promo price is more expensive than the promo prices of NordVPN and Surfshark, but you get three months more service, and once the promo expires, ExpressVPN costs about the same as the other two. ExpressVPN’s month-to-month plan is $13, which is also on par with NordVPN’s at $12 and Surfshark’s at $13.
All three VPNs offer a better value for the spend with their two-year plans, but I can’t recommend two-year plans for any VPN anymore. Between company consolidation threats, global shifts in VPN laws and changes to encryption tech more widely, we don’t recommend making a two-year commitment to any VPN right now.
For its premium price, though, ExpressVPN delivers premium goods that work well with your other services and gear.
Its 30-day money back guarantee is an easy process via 24/7 customer service live chat. The agents are friendly, fast and don’t leave you hanging. And if you want to check into any quirks or try something new with ExpressVPN, you won’t have to wade through random forum posts and Google’s ad-filled result pages to find answers; the VPN’s knowledge base is massive and its in-site search works better than most, quickly delivering answers with straightforward tutorials.
Streaming, gaming and torrenting
ExpressVPN’s traffic obfuscation is reliable and its war chest of IP addresses large, so it easily works with streaming sites like Netflix, and lets sports fans bypass glitchy viewing area boundaries on a range of streaming consoles and smart TVs. For same-country and non-disguised streaming, its MediaStreamer Smart DNS feature boosts stream stability and makes Xbox VPN setup easy. Meanwhile, its ping rates routinely deliver some of the lowest numbers I’ve seen in any of my tests. And, even though ExpressVPN doesn’t have PlayStation-native apps, you can still cover most modern consoles by putting ExpressVPN directly on your router.
If you’re looking for a good torrenting VPN, this is the right bet. ExpressVPN doesn’t throttle peer-to-peer or downstream traffic, all of its 3,000-plus servers are P2P friendly, and it doesn’t impose bandwidth caps. Its encryption is rock-solid with a leak-protection add-on and can be split-tunneled for reduced lag while torrenting. And its killswitch hasn’t failed me yet.
All the same, mind the gap: A VPN stops your ISP from seeing the contents of your data, but it doesn’t stop them seeing (and balking at) how much data you’re moving. And, yes, there are port forwarding controls if you’re looking to fine-tune your seeding connections — but, sadly, they’re only on the ExpressVPN router app for now.
Security and privacy: Rock-solid encryption amid public doubts
- Jurisdiction: British Virgin Islands (BVI)
- OpenVPN and IKEv2 protocols: AES-256 cipher, RSA-4096 key, SHA-512 HMAC authentication and Perfect Forward Secrecy
- Lightway protocol: AES-256-GCM and Poly1305/ChaCha20 ciphers, D/TLS 1.2 with Elliptic-Curve Diffie-Hellman authentication and Perfect Forward Secrecy
- No leaks detected
- Features: Killswitch, browser plug-in for IPv6, WebRTC and HTML5 coverage, in-app Leak Protection and Threat Manager ad-blocking features, split-tunneling (not available on MacOS Monterey)
- Perks: Free password manager
Since my last review, ExpressVPN’s security and transparency initiatives have continued to raise the industry bar, even as it has been hit with repeated blows to its reputation. NSA whistleblower Edward Snowden issued a death-sentence tweet last year, telling users to abandon ExpressVPN following an unrelated DOJ investigation into ExpressVPN’s CIO Daniel Gericke. Immediately following the DOJ news, a $936 million deal put ExpressVPN’s ownership in the hands of a London-based parent company that used to sell ad-tech and is backed by a billionaire previously convicted of bribery.
After months of scrutinizing the service since then, however, I’m still convinced that ExpressVPN’s fleet of RAM-only servers, heavily audited zero-trust deployment process, and aggressive transparency initiatives make it — for now — the VPN I’d most recommend to privacy-critical users. This closer look at the tech itself offers us a measure of cautious confidence, given that the above-average transparency of its build (or at least those portions which we can see) would very likely undermine Kape’s ability to harvest valuable, salable data from ExpressVPN users’ traffic — even if they wanted to. I no longer believe they do.
As I explain at length in this review’s companion commentary, an analysis of Kape’s public company filings from the past two years clearly shows that Kape’s business model has diverged sharply from CrossRider’s — Kape’s previous incarnation, which relied on revenue generated by shady ad-tech. But with an all-new C-suite, Kape’s year-over revenue projections now appear to hinge entirely on the success of its expansion into a booming privacy tech market where VPNs live and die by their public reputation, and competitors routinely seek out and publicize each other’s weaknesses. As the largest single VPN provider, ExpressVPN arguably has the largest target on its back — and it’s the crown jewel in Kape’s portfolio. Following its ExpressVPN purchase, Kape’s revenues surged 89% and the company projects they will more than double by the end of 2022.
An inspection of the company’s debts also inspires additional confidence that Kape’s actions toward ExpressVPN will not include risking the VPN’s reputation (and profitability) by undermining the VPN’s continued technical integrity. Kape’s ExpressVPN acquisition opened the door to Kape’s expanded debt facility, which is now large enough and spread across a diverse enough group of banks, that it may serve as a hedge against the heavy-handed financial influence of any individual Kape C-suite member. In addition to the new influence of more lenders, ExpressVPN co-founders Peter Burchhardt and Dan Pomerantz got $237 million worth of shares in the $936 million purchase, landing them a collective 13.6% share of Kape that comes with a mandatory waiting period before they can cash out. Both are staying on with Kape, managing ExpressVPN’s operations. Burchhardt also got the right to appoint a non-voting board member for the foreseeable future — or so long as ExpressVPN accounts for at least 5% of Kape’s earnings.
A key excerpt minces no words:
“Customer data is controlled by and stored under ExpressVPN, not by its ultimate holding company, Kape Technologies PLC (UK) or other related entities. Express Technologies Ltd. operates under BVI jurisdiction, in accordance with BVI laws. Consequently, any demand via legal means for ExpressVPN customer data is subject to the BVI jurisdiction and laws; we fight vigorously to defend our rights (and those of our users) if an attempt is made to bypass the privacy protections provided for by the BVI. A parent, subsidiary, or related entity cannot be compelled to, nor would it voluntarily, provide data stored by Express Technologies Ltd.”
ExpressVPN also said it would not be sharing its hardware infrastructure with Kape’s other VPN properties, eliminating yet another hypothetical avenue of data mingling.
From my first leak tests in 2019 to my latest battery in 2022, ExpressVPN has remained watertight. Its killswitch, leak protection features and privacy-boosting plug-in still perform as reliably as ever. No IP address, DNS or other potentially user-identifying pieces of information were exposed during my standard tests using tools like DNS Leak Test from Perfect Privacy, IPLeak and IPv6 Test. But I didn’t stop there.
On both mobile and Wi-Fi, including both my private home network and CNET’s sandbox testing network, I ran ExpressVPN through a series of multi-round tests using VPN leak testing tools from its competitors and independent research firms, isolating variables in each round to account for browser and OS configurations.
Are you going to see a handful of trackers on its public-facing website? Yes. But when called out for it by The Markup’s Alfred Ng, they were cut from 11 overall to just two from Google (if you’re logged in), and are houseflies compared with real security concerns, easily swatted by ExpressVPN’s own Threat Manager or by default if you’re using the Brave Browser.
A close-up of ExpressVPN’s servers
ExpressVPN owns its own fleet of RAM-only bare-metal VPN servers so theoretically you don’t have to worry about shared- or leased-hardware vulnerabilities. ExpressVPN distinguishes its RAM-only protection with its TrustedServer process, a heavily audited zero-trust deployment model that it says doesn’t allow any special admin rights to any engineers or even executives.
The company says every TrustedServer release is also built twice independently, using two different build systems on two different machines, then it’s verified with a checksum.
“This means that any (internal or external) attacker would have to compromise two different environments at the exact same time to achieve the same attack on the same code,” ExpressVPN said.
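The double-build check described above comes down to comparing the outputs of two independent builds by checksum. The following Python example is added here for illustration and is not ExpressVPN's code; the directory layout, file names and function names are assumptions, and the sample build trees are constructed. It hashes every file in two build outputs, reports files that differ or exist on only one side, and derives a single release digest from the manifest.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(build_dir):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(build_dir)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_builds(dir_a, dir_b):
    """Return (ok, findings) for two independently produced build trees."""
    a, b = manifest(dir_a), manifest(dir_b)
    findings = []
    for name in sorted(set(a) | set(b)):
        if name not in a:
            findings.append(("only_in_b", name))
        elif name not in b:
            findings.append(("only_in_a", name))
        elif a[name] != b[name]:
            findings.append(("digest_mismatch", name))
    return (not findings, findings)


def release_digest(build_dir):
    """Single checksum over the sorted manifest, suitable for logging."""
    h = hashlib.sha256()
    for name, digest in sorted(manifest(build_dir).items()):
        h.update(f"{digest}  {name}\n".encode())
    return h.hexdigest()


def _write_tree(root, files):
    for name, data in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo():
    """Constructed sample: two matching builds, then one altered copy."""
    files = {"bin/vpnd": b"constructed sample binary",
             "etc/vpnd.conf": b"constructed sample config\n"}
    with tempfile.TemporaryDirectory() as tmp:
        a, b, c = (Path(tmp) / n for n in ("builder_a", "builder_b", "builder_c"))
        _write_tree(a, files)
        _write_tree(b, files)
        # builder_c models a compromised environment: one changed file, one extra
        _write_tree(c, {**files, "bin/vpnd": files["bin/vpnd"] + b"\x90",
                        "bin/extra": b"x"})
        return (compare_builds(a, b), compare_builds(a, c),
                release_digest(a) == release_digest(b))


if __name__ == "__main__":
    clean, altered, same_digest = demo()
    print("matching builds:", clean)
    print("altered build:", altered)
    print("release digests equal:", same_digest)
```

The comparison only proves the two outputs agree; it is meaningful when the builds are deterministic and the two environments share no common point of compromise.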
There are plenty of places where clandestine logging can happen. In an interview with CNET, ExpressVPN’s engineers outlined their process for snoop-proofing seven potentially vulnerable junctures and say their system’s overall architecture design makes logging physically impossible through functions that identify, disable and redirect any logging attempts.
In places where VPNs are outlawed or its hardware is at risk, ExpressVPN’s go-to protection strategy has been to shut down hardware operations but launch virtual servers so users can keep connecting via its apps. Most recently, it did this in India to circumvent government orders for VPN companies to log user traffic. ExpressVPN’s logless server claims got their first trial by fire when a Turkish ambassador to Russia was assassinated and authorities who seized one of its servers during the investigation came up empty-handed.
The baseline encryption protocols ExpressVPN uses are themselves a bit tougher than some of its nearest competitors. Like competitors Surfshark, NordVPN and TunnelBear, ExpressVPN offers OpenVPN and IKEv2 protocol options with an AES-256 cipher (the same basic security level you expect from HTTPS websites). However, ExpressVPN uses a more dense (and better future-proofed) RSA-4096 key with its SHA-512 HMAC authentication, compared with Surfshark’s RSA-2048 and the mixed varieties used by TunnelBear.
ExpressVPN’s open-source Lightway protocol was a particularly notable moment of industry bar-raising during the protocol races of 2020, when the drive to be the fastest VPN led some companies to rush out the WireGuard protocol, which was faster but less-tested than open-source OpenVPN.
Like WireGuard, Lightway is built out of much faster building blocks, or primitives, with a smaller body of code that’s hard to attack. It uses ChaCha20/Poly1305 ciphers as a fallback to encrypt traffic, but it also uses AES-256-GCM. While WireGuard is UDP-only, Lightway has flexible TCP and UDP versions to allow for more stability in connections (and more security in many cases). On UDP connections, Lightway uses D/TLS 1.3 for authentication. For TCP, it’s TLS 1.2 (though it plans to move to 1.3 once that supports UDP).
Lightway was something of a thrown gauntlet. While it isn’t mile for mile as fast as WireGuard, it’s an extremely close second and certainly faster off the starting line in connection time. It’s also more stable. More impressive, though, is that ExpressVPN’s Lightway deployment and subsequent success have upended the notion that VPN users must choose between protocols that deliver speed and those that deliver privacy.
Leak-plugging features and featured plug-ins
Not even the best VPN — nor the toughest encryption — can fully protect you against your own software and OS settings, though. That’s why, regardless of which operating system you’re using with ExpressVPN, there are three additional steps you should take that will eliminate more geolocation privacy risks on your desktop or laptop.
First, make sure you’ve installed the ExpressVPN browser extension — which incorporates the Electronic Frontier Foundation’s HTTPS Everywhere feature — after you’ve installed the main ExpressVPN client on your device. This is going to stop most HTML5 leaks. Currently, the extension is available for Chrome, Firefox and Edge. Second, enable ExpressVPN’s IPv6 Leak Protection feature by going to the Preferences section in the main desktop app, then to the Advanced tab.
Third, take advantage of ExpressVPN’s suite of open source leak test tools to check whether your changes have been successful, or, if you’d prefer verification without the hassle of GitHub, use reputable leak test tools like those available at independent research firm Top10VPN.
Transparency track record
Recent additions to ExpressVPN’s privacy tool chest also include its ad-blocking feature, Threat Manager, released in January, and its newest user perk, a password manager called Keys, which debuted in April.
Previously, ExpressVPN was dinged by reviewers for not producing enough independent, third-party audits — the gold standard in assessing VPN safety. That complaint is now outdated. Along with the 2018 audit of its already open-source browser extension and its deep-diving 2019 server audit by PricewaterhouseCoopers, ExpressVPN released a 2021 audit of Lightway by Cure53 and a March audit of its Windows client by F-Secure. ExpressVPN’s full list of audits prior to this latest slate is still publicly available on its site.
The company isn’t stopping there, though. ExpressVPN told CNET it will release two new audits this month, including a fresh audit on its TrustedServer by Cure53.
The company’s transparency commitments extend to its in-house privacy research lab as well, and to its efforts at the forefront of the i2Coalition. The consortium of top-tier VPNs aims to raise transparency and accountability standards across the VPN industry, and to inform policymakers who often don’t fully grasp the basics of complex tech they legislate. It also upped its bug bounty this year to $100,000, a move that followed a competing bounty loudly announced in October 2021 by a company that buys zero-day hacks and called for ExpressVPN’s metaphorical head on a platter.