Disclaimer: The below review is my opinion, which I will try to provide as many examples for and as much evidence as possible to support. Readers can learn more about how I conduct my reviews, my methodology, etc – here. More information on review badges here.
This review’s roll was #153 (at the time of the roll, VPNArea)
Updated Jan 4, 2017
Signing up for the service: After studying dozens of VPN storefronts, you get a feel for what a company believes about its own product and its customers. The ways that some companies present their product say a lot about what they think they’re selling. Some companies clearly understand the weight of their product and the severity of the situations many of their customers face. In response to these solemn realities, such VPN services will provide detailed guides and information about VPNs in general and what to look for when purchasing them. They will stay involved with the community and regularly communicate ideas about security and privacy, beyond the obvious and superficial. They will do this with little to no desire for recognition and for no other reason than to educate. This says a lot about a company that is willing to dedicate resources in order to provide some foundational knowledge – to edify those that might just be starting out on their journey for privacy. As a natural consequence, those companies gain credibility by demonstrating ability and savvy about the industry and their product.
Then there are others that dress up their site with wacky cartoons, peppered with quotes from their own advertisers about how great their service is.
Sadly, the latter is true for a good 75-90% of the services I review and it is also the case for VPNArea.
A few things about the sign-up process struck me with VPNArea. First off, when comparing the plans available, WebRTC/DNS Leak was absent for the monthly plan, whereas it was apparently included in the 6 months and 1 year plans. Properly configuring their service to the extent they can prevent leaks is a no-brainer. Trying to tout such a feature as an add-on and not a core component is not okay. Imagine making the decision about which car to purchase, and a salesman pushing one on you that didn’t have a windshield. Ludicrous, right? Next, the sign-up process requires providing your full name. From a privacy standpoint, this is also obviously not okay.
Configuring the service: After downloading my config files, I noticed that they were oddly named, apparently with the purpose of the server (P2P, etc), but some of them were not so obvious. There also appeared to be a differently-named, redundant ca cert file, which made me nervous about how the configuration might go. Thankfully I was able to get the config right (on my end at least, see below). Inconsistent server configs were certainly a concern, see below.
Disappointingly, the members area of the website was not even secure and still used HTTP. This is a huge letdown considering forum posts, contact forms, AND DOWNLOADS are all insecure.
Speed & Stability tests: Note that, on Desktop, the USA server tested refused to connect. Settings were double-checked and everything was set up correctly. The other servers connected using the same login credentials and settings. Desktop tests were run using AES-256 over UDP; UK’s mobile config was set to use TCP instead of UDP for a lukewarm reason discussed below. The US server tested on Desktop was also not among the config files for mobile.
| Speed Tests – VPNArea – Desktop |
| No VPN | Trial 1 | 20 ms | 96.78 mbps | 12.41 mbps |
| Comp to Bench | | -20 ms | 0.00% | 0.00% |
| Comp to Bench | | +253 ms | 35.27% | 38.28% |
| Hong Kong | Trial 1 | 402 ms | 20.75 mbps | 3.41 mbps |
| Comp to Bench | | +383 ms | 23.12% | 21.27% |
| Comp to Bench | | +345 ms | 9.81% | 25.19% |

| Speed Tests – VPNArea – Mobile |
| No VPN | Trial 1 | 23 ms | 74.17 mbps | 14.34 mbps |
| Comp to Bench | | -22 ms | 0.00% | 0.00% |
| Comp to Bench | | +266 ms | 18.81% | 69.72% |
| Hong Kong | Trial 1 | 408 ms | 13.32 mbps | 5.72 mbps |
| Comp to Bench | | +387 ms | 16.23% | 39.81% |
| Comp to Bench | | +345 ms | 14.53% | 56.34% |
The US server not connecting was a bit of a letdown, but the international server speeds were respectable with an average of over 20% of the original Desktop speeds. I later learned (see below) that the US server I tested was officially offline for some reason. I was given their apologies and told, “we’re working on reinstating it”. Either way, it was down.
Getting support: I sent an email to support asking about the server config discrepancy above, including the connection protocol differences. Support replied within 24 hours and had a simple and concise explanation for the US server I had tested being down, so I should note that the US test is probably not typical; however, I will leave the results, as it looks like this particular server is still down. That’s just how the chips fall with spot checks sometimes. The TCP/UDP server config difference still bothers me, but supposedly it is a result of their own testing that they’ve chosen to do it this way. This is one more reason I strongly prefer a config file generator, so I know what I’m getting because I specify it before it’s even downloaded. The support rep seemed to be generally helpful, so they don’t get dinged here.
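An added example, not part of the original review and not VPNArea's code: a short Python audit of a downloaded OpenVPN config bundle that groups files by transport protocol and cipher and checks whether differently-named CA files are actually the same certificate, which are the discrepancies described above. The file names, hosts, `AES-256-CBC` cipher string and certificate bytes are constructed placeholders.

```python
import hashlib
from collections import defaultdict

# Constructed sample bundle: file names, hosts and certificate bytes are
# placeholders, not VPNArea's real files.
PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_CERTS = {"ca.crt": PEM, "ca2.crt": PEM.replace(b"\n", b"\r\n")}
SAMPLE_CONFIGS = {
    "UK-London.ovpn": "client\nproto tcp\nremote uk.vpn.example 443\ncipher AES-256-CBC\nca ca.crt\n",
    "HongKong.ovpn": "client\nproto udp\nremote hk.vpn.example 1194\ncipher AES-256-CBC\nca ca2.crt\n",
    "Germany-P2P.ovpn": "client\n; no proto line\nremote de.vpn.example 1194 udp\ncipher AES-256-CBC\nca ca.crt\n",
}

def parse_ovpn(text):
    """Extract proto, remotes, cipher and ca from one OpenVPN client config."""
    cfg = {"proto": None, "remotes": [], "cipher": None, "ca": None}
    in_block = False  # inside an inline <ca>...</ca> style block
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):
            in_block = not line.startswith("</")
            continue
        if in_block or not line or line[0] in "#;":
            continue
        key, *args = line.split()
        if key == "remote" and args:
            cfg["remotes"].append(args)
        elif key in ("proto", "cipher", "ca") and args:
            cfg[key] = args[0]
    return cfg

def fingerprint(pem):
    """SHA-256 of the PEM with all whitespace removed, so re-wrapped copies match."""
    return hashlib.sha256(b"".join(pem.split())).hexdigest()

def audit(configs, certs):
    """Group config files by transport protocol, cipher and referenced CA."""
    protos, ciphers, cas = defaultdict(set), defaultdict(set), defaultdict(set)
    for name, text in configs.items():
        cfg = parse_ovpn(text)
        for remote in cfg["remotes"]:
            # "remote host [port] [proto]" overrides the global proto; udp is the default
            protos[remote[2] if len(remote) > 2 else cfg["proto"] or "udp"].add(name)
        ciphers[cfg["cipher"]].add(name)
        if cfg["ca"] in certs:
            cas[fingerprint(certs[cfg["ca"]])].add(cfg["ca"])
    return {
        "protocols": {k: sorted(v) for k, v in protos.items()},
        "ciphers": {k: sorted(v) for k, v in ciphers.items()},
        "distinct_cas": len(cas),
        "redundant_ca_files": sorted(sorted(v) for v in cas.values() if len(v) > 1),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIGS, SAMPLE_CERTS))
```

A cipher key of `None` in the result means the file sets no `cipher` line, so whatever the client defaults to applies; more than one entry under `protocols` is the TCP/UDP split the review describes.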
Getting a refund: I requested a refund and support responded within 24 hours granting it without question or hassle.
And here we go…
“We may add to, change or remove any part of these Terms, at any time without prior notice to you other than listing of a later effective date than the one set forth at the top of this policy. Such modification shall be effective immediately upon posting at the Site. As your next visit to a Site or use of the Services may be governed by different Terms, we encourage you to look for a new effective date on these Terms when you visit the Site or use the Services. It is your responsibility to check these Terms periodically for changes. If we make any material changes to these Terms, we will endeavor to provide registered users with additional notice of any changes, such as at your e-mail address of record, when you log-in to your account, or when you log-in to the Services.”
Cause who doesn’t want to dig through their VPN company’s terms of service on a regular basis? “Endeavor to” in this case is the cop out clause in this paragraph.
“Accounts are for single user, but can be shared among friends/family”
Pointing this out, simply because it’s unusual for a company to allow multiple people to use connections to their service. More interesting than anything.
“Offshore Security EOOD (VPN Area) may, with prior notice, change the fees it charges you for accessing the Services at any time.”
“All prices are quoted for one user on one device. You agree that all fees charged by Offshore Security EOOD (VPN Area) for accessing the Services will be automatically charged to your payment account on file with Offshore Security EOOD (VPN Area), at the time of any automatic renewal of your subscription for Services.”
It’s absurd and very anti-consumer to change the fees you are being charged automatically and without notice. Beware!
“Offshore Security EOOD (VPN Area) may also at any time modify or discontinue, temporarily or permanently, all or any part of the Services or your account, with or without notice, and you agree that Offshore Security EOOD (VPN Area) will not be liable to you or any third party for any such modification, suspension or discontinuance.”
Making the above even worse, now you’re agreeing that they are allowed to terminate your service for no reason and without notice. I don’t know this for certain, but this may actually be illegal in some countries…
“The trnsmission or posting of chain letters or pyramid schemes”
Typo.
“Account sharing (e.g. allowing others to use your account information to access the Services) is not permitted.”
Reinforcing the contradiction from above.
“Actual service coverage, speeds, locations and quality may vary.”
No kidding.
“Actual service coverage, speeds, locations and quality may vary. Offshore Security EOOD (VPN Area) will attempt to provide the Services at all times, except for limited periods for maintenance and repair. However, the Services may be subject to unavailability for a variety of factors beyond our control including emergencies, third party service failures, transmission, equipment or network problems or limitations, interference, signal strength, and may be interrupted, limited or curtailed. Delays or omissions may occur.”
“We are not responsible for data, messages or pages lost, not delivered, delayed or misdirected because of interruptions or performance issues with the Services or communications services or networks.”
Also a condor may die mid-flight and crash through a window, hitting one of our workers in the eye, causing them to spill coffee on his computer and the service might crap out for a week or two. Take some friggin’ responsibility for your service, good grief.
“Offshore Security EOOD (VPN Area) DOES NOT WARRANT THAT THE SITE OR SERVICES WILL BE AVAILABLE, WILL MEET YOUR REQUIREMENTS OR WILL OPERATE IN AN UNINTERRUPTED, ERROR-FREE OR COMPLETELY SECURE MANNER OR THAT ERRORS OR DEFECTS WILL BE CORRECTED. Offshore Security EOOD (VPN Area) DOES NOT MAKE ANY REPRESENTATIONS, WARRANTIES, OR CONDITIONS REGARDING THE USE OR THE RESULTS OF THE USE OF THE SITE OR SERVICE, IN TERMS OF THEIR ACCURACY, RELIABILITY, TIMELINESS, COMPLETENESS, OR OTHERWISE.”
Everything from above beautifully summed up in one paragraph.
“To create an account, you will need to provide certain personal information, such as your name, your country,city and e-mail.”
Perhaps one of the unannounced policy changes will be a DNA sample and first born child to go along with this.
“If you choose to pay with a credit card, the only information collected will be collected by PayPal.”
Anybody else see what’s wrong with this statement? Why does PayPal need to collect anything if I’m not using them to pay?
“We may also use personal information for the following reasons: To verify your identity when you login to the Site or Service… So that we may periodically send you promotional information that we think may interest you, about products, services, and offers made available by us”
Oh, well if my info is only being used to identify me and fill my inbox with spam…
“We may engage third parties, such as Google Analytics, to track and analyze non-personally identifiable Site data.”
They use Google Analytics.
“We use security measures that are consistent with industry standards to protect your personal information from loss, theft, misuse or unauthorized access or disclosure or destruction,. All employees are kept up-to-date on our security and privacy practices.”
Assuming they look them up on their own from time to time, as our terms and privacy practices may change at any given moment without notice.
“Where appropriate, we use encryption, access controls, passwords, and/or physical security measures to protect the personal information we collect and maintain about you against unauthorized access and disclosure.”
I could have sworn it’d be “appropriate” to use encryption to protect the ovpn configs and cert files that I download – as well as my communication with the company, but maybe that’s just me.
VPNArea is by no means set up to be a privacy centered company. From their terms to their website, the whole outfit screams, “canned web service”. Their terms of service are hostile, their website is insecure where it counts most, and to top it all off, they use native advertising as a crutch to offset the need for a commercial VPN company to survive on a quality, well executed service.
The only good things about my experience were relatively fast international servers and a snappy refund. I honestly wonder if the many affiliate “reviewers” (i.e. resellers) that bestow high praise with their quotes about VPNArea aren’t destroying their own credibility in the process – because, for all of the reasons I cite in this review, VPNArea is, in my estimation, a Pile of Junk.
Update (1-4-2017): VPNArea has reached out to me with several corrections and updates. The relevant bits have either been removed or struck out. I will address them here:
The comparison chart showing WebRTC and DNS leak protection being a feature of 6 and 12 month plans, but not 1 month ones was a mistake made by VPNArea which has since been corrected on the website. This has been struck out above and the “broken” stamp has been removed.
Member’s Area security has now been configured to force HTTPS, the above section has been struck through and the “website” stamp has been removed.
Sign up no longer requires a full name or country. Terms of Service have also been updated to reflect this. The “exposed” stamp has been removed.
Terms have also been updated to negate typos and contradictions mentioned above. Generally the changes were very positive and have become much more friendly to the user; however, they’re still not perfect. They have changed enough so that the “obtuse” stamp has been removed.
They have added a PGP key to their contact forms, which has been updated on the chart.
Overall, I’m immensely impressed with the response by VPNArea and the sheer number of changes made in such a short amount of time. While I still don’t think VPNArea is a perfect VPN solution, they should be commended for their efforts. As such, I no longer believe their service to be a “Pile of Junk”; therefore, this stamp has also been removed.
| FROM THE VPN COMPARISON CHART |
| JURISDICTION | Based In (Country) | Bulgaria |
| | Enemy of the Internet | No |
| | Logs DNS Requests | |
| | Logs IP Address | |
| ACTIVISM | Anonymous Payment Method | |
| | PGP Key Available | Yes |
| | Gives back to Privacy Causes | Yes |
| | Meets PrivacyTools IO Criteria | Yes |
| LEAK PROTECTION | 1st Party DNS Servers | No |
| | IPv6 Supported / Blocked | Yes |
| | Supports TCP Port 443 | |
| | Supports SSL Tunnel | |
| | Supports SSH Tunnel | |
| | Other Proprietary Protocols | |
| PORT BLOCKING | Auth SMTP | |
| SPEEDS | US Server Average % | 0 |
| | Int’l Server Average % | 22.73 |
| SERVERS | Dedicated or Virtual | |
| SECURITY | Default Data Encryption | AES-256 |
| | Strongest Data Encryption | AES-256 |
| | Weakest Handshake Encryption | |
| | Strongest Handshake Encryption | |
| AVAILABILITY | # of Connections | 5 |
| | # of Countries | 56 |
| | # of Servers | 186 |
| | Linux Support (Manual) | Yes |
| WEBSITE | # of Persistent Cookies | 5 |
| | # of External Trackers | 1 |
| | # of Proprietary APIs | 5 |
| | Server SSL Rating | B |
| | SSL Cert issued to | Self |
| PRICING | $ / Month (Annual Pricing) | 4.92 |
| | $ / Connection / Month | 0.98 |
| | Refund Period (Days) | 7 |
| ETHICS | Contradictory Logging Policies | |
| | Falsely Claims 100% Effective | Yes |
| | Incentivizes Social Media Spam | |
| | Requires Ethical Copy | Yes |
| | Requires Full Disclosure | No |
| AFFILIATES | Practice Ethical Copy | |
| | Give Full Disclosure | No |