Free VPN apps are everywhere. Most are not safe. A few are. This piece distinguishes the two and explains why.
Why most free VPNs are not safe
Operating a VPN is genuinely expensive. Server infrastructure, bandwidth, customer support, security operations all cost real money. A VPN provider operating at meaningful scale typically pays $5-20 per active customer per month in infrastructure cost.
A free VPN provider has the same costs without the corresponding revenue. The money has to come from somewhere. The common funding models are:
- Selling user data to advertisers or data brokers
- Injecting advertisements or affiliate links into user traffic
- Selling user bandwidth as part of a botnet (HolaVPN was caught doing this in 2015; the practice continues at smaller free VPN providers)
- Limited free tier as upsell to paid product (legitimate, but the “free” tier is essentially a sales funnel)
- Operating as an intelligence collection front (rare but documented; some “free VPNs” have been linked to state-sponsored data collection)
The first four are common business models that generally make the free service unsafe to use. The fifth is rare but exists.
The free VPNs that are safe
Three categories of legitimately-safe free VPNs:
Limited free tier from established providers
ProtonVPN Free: limited to 3 server locations (US, NL, JP), no bandwidth cap, no ads. The free tier is an upsell to paid. Mozilla VPN, Surfshark VPN, NordVPN do not offer comparable free tiers; ProtonVPN is unique among major providers in offering an unlimited-bandwidth free tier.
Windscribe Free: 10 GB per month bandwidth, multiple server locations. Funded by paid tier upsell.
Atlas VPN Free: similar limited free tier. Less established company; somewhat less trustworthy than the above.
Open-source self-hosted VPNs
These are free in the sense that the software is free; you provide the server. Examples:
OpenVPN: classic VPN protocol, runs on any Linux server with proper configuration. You set it up, you maintain it.
WireGuard: modern VPN protocol, simpler setup than OpenVPN, runs on any Linux server.
Outline (by Jigsaw, Google’s research subsidiary): managed self-hosted Shadowsocks setup. You provide cloud server credentials; Outline handles the setup. Designed for journalists and activists in censored countries.
Algo VPN: scripted setup of a personal VPN on cloud providers (DigitalOcean, AWS, etc.). Sets up WireGuard or IKEv2 on a fresh cloud server in 10 minutes.
These are genuinely free if you have a small VPS. The VPS itself costs $4-7/month at Hetzner or DigitalOcean, but the VPN software is free.
For users who want a VPN they fully control: self-hosted is the answer. The trade-off is operational responsibility.
The unusual case of Mullvad
Mullvad does not have a free tier in the traditional sense. They offer a free trial via the standard signup process; you get an account number and can use it for whatever short period you choose without payment, then start paying €5/month after.
This is not really “free” but is meaningfully different from the typical “free 7-day trial” model in that there is no automatic charge after a period; you actively decide when to start paying.
For users who want to evaluate Mullvad before committing: this is essentially free.
Free VPNs that should be avoided
Hola VPN: documented history of using user devices as exit nodes for paying customers. Treats free users as botnet infrastructure.
Hotspot Shield Free: extensive history of advertising injection and tracker bundling.
VPN Master, VPN Free, Free VPN Proxy by SuperVPN, and the long tail of generic-named free VPN apps in the App Store: most have undisclosed funding sources and frequently include trackers and ads, and some have been documented selling user data.
Most VPN apps in the iOS App Store charging “$10 lifetime” or similar deeply-discounted prices: usually not legitimate VPN providers; frequently malware-adjacent or outright scams.
Free VPN apps that require excessive permissions on your phone (access to contacts, messages, photos): the permissions are not for VPN functionality; they are for data collection.
How to identify whether a free VPN is safe
Several practical heuristics:
Established company with a paid tier. ProtonVPN, Windscribe, etc. The free tier is upsell, not the primary product.
Transparency about funding. The provider clearly explains where money comes from.
No ads or affiliate injection in the free tier. If the app shows ads or modifies your traffic, the free tier is funded by selling your traffic.
No requirement for excessive permissions. The app should only need network configuration permission.
No requirement to install custom CA certificates. Some sketchy VPNs install root certificates that let them intercept HTTPS traffic.
Open privacy policy that you can read. If it is vague or hides who collects what, treat the provider as untrustworthy.
Audited or open source. Not all safe VPNs are audited or open source, but if a free VPN is, that is a positive signal.
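The permission heuristic can be checked mechanically on Android. The following is an added example, not code from any VPN provider: it reads an already-decoded AndroidManifest.xml (for instance the output of apktool) and separates personal-data permissions from anything else a tunnel does not need. The EXPECTED allow-list, the function name and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: permissions a VPN client plausibly needs to run a tunnel.
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.POST_NOTIFICATIONS",
}
# Personal-data permissions of the kind the article names.
DATA_COLLECTION = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "messages",
    "android.permission.RECEIVE_SMS": "messages",
    "android.permission.READ_EXTERNAL_STORAGE": "photos/files",
    "android.permission.READ_MEDIA_IMAGES": "photos",
}

def audit_manifest(manifest_xml):
    """Classify the permissions requested in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NS + "name") for el in root.iter("uses-permission")}
    requested.discard(None)
    # A genuine VPN app declares a service guarded by BIND_VPN_SERVICE.
    has_vpn_service = any(
        svc.get(NS + "permission") == "android.permission.BIND_VPN_SERVICE"
        for svc in root.iter("service")
    )
    return {
        "data_collection": sorted(
            (p, DATA_COLLECTION[p]) for p in requested if p in DATA_COLLECTION),
        "unexplained": sorted(requested - EXPECTED - set(DATA_COLLECTION)),
        "has_vpn_service": has_vpn_service,
    }

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".Tunnel"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""
```

Anything reported under data_collection matches the contacts, messages and photos case described above; entries under unexplained are not proof of abuse but are what to look for an explanation of in the privacy policy.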
A specific recommendation
For users wanting a legitimately free VPN: ProtonVPN Free. Unlimited bandwidth, no ads, established company, audited.
For users wanting a free VPN with broader features: Windscribe Free at 10 GB/month or Mullvad’s no-time-limit signup.
For users wanting to self-host: Algo VPN setup on Hetzner CX11 at €3.79/month. The VPS costs more than zero but the setup is straightforward and you fully control the infrastructure.
For users who absolutely cannot pay anything: ProtonVPN Free is the right answer. The 3-location limit is annoying but the service is genuinely safe.
For users in countries with restrictive networks: do not use random free VPNs you find in app stores. The risk of malicious or compromised apps is too high. ProtonVPN Free, Windscribe Free, or paid services are the safe options.