Is VPN Safe? An Honest Safety Assessment for Australians

Not all VPNs are created equal. Learn how to identify safe VPN services and avoid dangerous ones.

Expert Analysis by Mia Wexford, B.Sc. (IT Security), CISSP

The Complicated Answer to "Is VPN Safe?"

In my fifteen years as an IT security specialist working with Australian clients, "is VPN safe?" is one of the most frequent questions I hear. The answer frustrates people because it's not a simple yes or no: it depends entirely on which VPN service you're using and how you're using it. Some VPNs are extremely safe and provide excellent privacy protection. Others are actively dangerous and expose you to greater risks than not using a VPN at all.

Let me be direct: asking "is VPN safe?" is like asking "are cars safe?" The safety depends on the specific vehicle, its maintenance, and how it's driven. A well-engineered car with modern safety features, properly maintained and driven responsibly, is quite safe. A poorly built car with faulty brakes driven recklessly is a death trap. VPNs work the same way.

This page provides you with the knowledge to evaluate VPN safety yourself. I'll explain what makes a VPN safe or unsafe, highlight specific red flags to watch for, discuss the unique risks facing Australian VPN users, and provide concrete assessment criteria you can apply to any VPN service you're considering. By the time you finish reading, you'll be equipped to make informed decisions about VPN safety rather than blindly trusting marketing claims.

Mia's Bottom Line: Yes, VPNs can be very safe when you choose a reputable provider with proper security practices. However, unsafe VPN services (particularly free ones) can actually leave your security worse off than having no VPN at all. The key is knowing how to distinguish between safe and unsafe options, which is exactly what this page will teach you.

What Makes a VPN Service Actually Safe?

Before we discuss red flags and dangerous VPNs, let's establish what a genuinely safe VPN looks like. These are the criteria I use when evaluating VPN services for Australian clients. A safe VPN should meet all of these requirements, not just some of them.

| Safety Criterion | Why It Matters | How to Verify |
|---|---|---|
| Strong Encryption | Protects your data from interception. Minimum AES-256 encryption standard. | Check technical specifications page. Should explicitly state AES-256 or equivalent. |
| Modern Protocols | Older protocols like PPTP have known vulnerabilities. WireGuard or OpenVPN are current standards. | Review supported protocols in app settings or website specifications. |
| No-Logs Policy | Provider doesn't record your browsing activity, so there's nothing to compromise or hand over. | Read privacy policy carefully. Look for independent audits confirming no-logs claims. |
| Kill Switch Functionality | Automatically blocks internet if VPN disconnects, preventing accidental exposure of your real IP. | Check app features. Test by forcibly disconnecting VPN to ensure internet stops. |
| DNS Leak Protection | Prevents DNS requests from bypassing VPN tunnel and revealing your browsing to ISP. | Use testing tools like dnsleaktest.com while connected to VPN. |
| Transparent Ownership | You should know who operates the VPN and where they're based to assess legal obligations. | Research company registration, ownership structure, and jurisdiction on their website and independent sources. |
| Independent Security Audits | Third-party verification of security claims provides confidence beyond marketing statements. | Look for published audit reports from reputable security firms like Cure53 or similar. |
| Active Security Updates | Regular app updates addressing vulnerabilities show ongoing security commitment. | Check app update history in Apple App Store, Google Play, or desktop platforms. |

When I assess whether a VPN is safe for Australian users, these eight criteria form my baseline evaluation. A VPN service that fails on multiple points here should be avoided regardless of how attractive their marketing or pricing might be. Now, this doesn't mean every VPN that meets these criteria is perfect for every Australian user – there are other factors like performance, cost considerations for Australian budgets, and specific use cases – but these safety fundamentals are non-negotiable.

Dangerous VPN Services: Red Flags to Watch For

Now let's discuss the other side: what makes a VPN actively unsafe. I've analysed hundreds of VPN services over my career, and certain warning signs consistently appear in problematic providers. If you encounter any of these red flags, I strongly recommend finding an alternative service.

🚩 Critical Red Flags That Mean "Avoid This VPN"

  • Free Service with No Clear Revenue Model - If you're not paying for the product, you ARE the product. Free VPNs typically monetise by selling your data, injecting ads, or worse.
  • Vague or Absent Privacy Policy - Reputable VPNs have detailed, specific privacy policies. Vague language like "we may collect certain information" without specifics is a red flag.
  • Based in Surveillance-Friendly Jurisdictions - Countries with mandatory data retention and minimal privacy protections create legal obligations that undermine VPN purpose.
  • Only Offers Outdated Protocols - Any VPN still offering only PPTP or L2TP/IPsec in 2026 is dangerously outdated or deliberately compromised.
  • Excessive Permissions Requests - Mobile VPN apps should need minimal permissions. Requests for contacts, photos, microphone, etc. are suspicious.
  • No Kill Switch or Leak Protection - These are standard safety features. Their absence suggests either incompetence or indifference to user security.
  • Impossible Privacy Claims - Marketing that promises "complete anonymity" or "100% security" is lying. No security solution is perfect.
  • Unknown or Hidden Ownership - If you can't determine who owns and operates the VPN company, you can't assess their trustworthiness or legal obligations.

Let me share a real example that illustrates these risks. A few years ago, I had an Australian client who came to me worried about their online security. They'd been using a popular free VPN they'd seen advertised on social media. When I investigated, I discovered this "free VPN" was logging all user activity, injecting tracking cookies into browsing sessions, and had been caught redirecting e-commerce traffic to earn affiliate commissions without user knowledge. The client thought they were protecting their privacy but were actually giving a shadowy company comprehensive access to their internet activity.

This isn't an isolated incident. Academic research has repeatedly shown that many free VPN services engage in practices that directly undermine user privacy and security. Some inject malware, some sell user data to advertisers, some are fronts for data harvesting operations. When Australians ask me "is X VPN safe?" about free services, my response is almost always cautionary.

The Specific Risks of Popular Questionable VPN Services

While I won't name and shame every problematic VPN service (that list would be exhaustingly long), certain categories of VPNs raise consistent safety concerns among Australian users. Let me address some common questions I receive about specific types of VPN services.

Free VPN Apps

Safety: Generally Unsafe

Common Questions: "Is X VPN safe?" (referring to free mobile apps like Turbo VPN, Touch VPN, Hoxx VPN, etc.)

Mia's Assessment: The overwhelming majority of free VPN apps available in app stores are unsafe. Research has shown many log user data, inject advertisements, contain malware, or sell user information. The economics simply don't support providing quality VPN service for free.

Exception: Free tiers from reputable paid services (like Proton VPN's limited free version) can be safe but have significant limitations.

Browser-Based VPNs

Safety: Limited Protection

Common Questions: "How to use Opera VPN?" "Is the built-in browser VPN safe?"

Mia's Assessment: Browser VPNs (like Opera's built-in feature) only protect traffic from that specific browser, not your entire device. They're technically more like proxies than true VPNs. Can be safe for basic browsing but don't provide system-wide protection. Not suitable if you need genuine privacy protection.

Better Approach: Use a proper VPN client that protects all your internet traffic, not just one browser.

VPNs from Antivirus Companies

Safety: Variable Quality

Common Questions: "Is Norton VPN good?" "Is Bitdefender VPN good?" "Is Kaspersky VPN safe?"

Mia's Assessment: VPNs bundled with antivirus software vary significantly in quality. Some antivirus companies operate their own VPN infrastructure (safer), while others white-label third-party services (quality depends on that provider). Generally adequate for basic privacy but often lack features of dedicated VPN services.

Australian Consideration: Check if the VPN has Australian servers and whether data passes through countries with favourable privacy laws.

Established Premium VPNs

Safety: Generally Safe

Common Questions: "Is Nord VPN safe?" "Is Express VPN safe?" "Is Proton VPN safe?" "Is Surfshark a good VPN?"

Mia's Assessment: Established premium VPN providers with transparent operations, independent audits, and track records of protecting user privacy are generally safe choices. These services invest in security infrastructure and have reputations to protect. Still require evaluation of specific factors like jurisdiction and legal compliance.

Verification Step: Always check for recent independent security audits and review their privacy policy yourself rather than trusting marketing claims.

How to Personally Verify If Your VPN Is Working Safely

Understanding theoretical VPN safety is valuable, but nothing beats actually testing your VPN to confirm it's working properly. Here are the practical verification steps I recommend all Australian VPN users perform. These tests help answer the question "is my VPN working?" from a security perspective.

Test 1: IP Address Verification

Your VPN should hide your real IP address. Testing this is straightforward. Before connecting to your VPN, visit a site like whatismyipaddress.com and note your IP address and location (should show your actual Australian location). Now connect to your VPN and refresh the page. The IP address and location should change to match your VPN server location. If your real Australian IP address still shows, your VPN isn't working correctly.

I perform this test every time I evaluate a new VPN service or troubleshoot client issues. It's the most basic verification that your VPN is actually routing your traffic through its servers rather than leaking your connection.

Test 2: DNS Leak Detection

Even if your IP address is hidden, DNS leaks can reveal your browsing activity to your ISP. DNS (Domain Name System) is what translates website names into IP addresses. If your DNS requests bypass the VPN tunnel, your ISP can still see which websites you're visiting even though they can't see the content.

To test for DNS leaks, connect to your VPN and visit dnsleaktest.com. Click "Extended test" and wait for results. The DNS servers shown should belong to your VPN provider or be generic servers in the VPN server's country – NOT your Australian ISP's DNS servers. If you see servers belonging to Telstra, Optus, TPG, or other Australian ISPs, you have a DNS leak and your VPN is not properly protecting your privacy.

Quality VPN services include DNS leak protection that forces all DNS queries through the VPN tunnel. If your VPN is leaking DNS requests, that's a significant safety concern and potentially indicates an unsafe or poorly configured VPN service.

Test 3: WebRTC Leak Detection

WebRTC (Web Real-Time Communication) is a browser technology that enables video calling and other real-time communications. Unfortunately, it can also leak your real IP address even when connected to a VPN. This is because WebRTC can make direct peer connections that bypass the VPN tunnel.

Test for WebRTC leaks at browserleaks.com/webrtc while connected to your VPN. If you see your real Australian IP address listed under "Local IP Address" or "Public IP Address," you have a WebRTC leak. Some VPN apps include WebRTC leak protection, but you may also need to disable WebRTC in your browser settings or use browser extensions that block WebRTC requests.
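As an added example (not part of the original article), the JavaScript below parses the ICE candidate lines a browser produces and flags any that contain the real address you noted in Test 1. The STUN URL passed to `collectCandidates` is a placeholder you must supply, the function names are illustrative, and the sample candidates use constructed documentation addresses.

```javascript
// Constructed sample candidates (RFC 5737 documentation and RFC 1918 addresses).
const SAMPLE_CANDIDATES = [
  // Host candidate hidden behind an mDNS name, as browsers commonly do.
  'candidate:1 1 udp 2113937151 6c1f0a9e-2b7d-4c55-9a1e-0d4f7b3e2a10.local 54321 typ host',
  // Server-reflexive candidate seen through the VPN exit address.
  'candidate:2 1 udp 1677729535 198.51.100.23 40112 typ srflx raddr 0.0.0.0 rport 0',
  // Server-reflexive candidate that bypassed the tunnel and shows the ISP address.
  'candidate:3 1 udp 1677729535 203.0.113.45 40113 typ srflx raddr 192.168.1.20 rport 40113',
];

// Parse one ICE candidate line:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> rport <port>]
function parseIceCandidate(line) {
  const parts = line.trim().replace(/^a=/, '').split(/\s+/);
  if (parts.length < 8 || !parts[0].startsWith('candidate:') || parts[6] !== 'typ') {
    return null; // not a candidate line
  }
  const cand = {
    transport: parts[2].toLowerCase(),
    address: parts[4].toLowerCase(), // IPv4, IPv6, or an mDNS "<uuid>.local" name
    port: Number(parts[5]),
    type: parts[7],                  // host, srflx, prflx or relay
    relatedAddress: null,            // base address behind a srflx/relay candidate
  };
  const r = parts.indexOf('raddr', 8);
  if (r !== -1 && parts[r + 1]) cand.relatedAddress = parts[r + 1].toLowerCase();
  return cand;
}

// Return every place a known real address (public IP from Test 1, optionally your
// LAN address) appears in the candidates. Addresses are compared as lowercase text,
// so write IPv6 addresses in the same form the browser reports them.
function findWebRtcLeaks(candidateLines, realAddresses) {
  const real = new Set(realAddresses.map((a) => a.toLowerCase()));
  const leaks = [];
  for (const line of candidateLines) {
    const c = parseIceCandidate(line);
    if (!c) continue;
    for (const [field, addr] of [['address', c.address], ['raddr', c.relatedAddress]]) {
      if (addr && real.has(addr)) leaks.push({ address: addr, type: c.type, field });
    }
  }
  return leaks;
}

// Browser only: gather this browser's own candidates while the VPN is connected.
// stunUrl is a placeholder such as 'stun:YOUR-STUN-HOST:3478'.
function collectCandidates(stunUrl, timeoutMs = 3000) {
  return new Promise((resolve) => {
    const lines = [];
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    const finish = () => { pc.close(); resolve(lines); };
    pc.onicecandidate = (e) => {
      if (e.candidate) lines.push(e.candidate.candidate);
      else finish(); // a null candidate means gathering is complete
    };
    pc.createDataChannel('leak-test'); // gives ICE something to gather for
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
    setTimeout(finish, timeoutMs);
  });
}
```

An empty result from `findWebRtcLeaks` for the candidates gathered while connected means none of them carried the addresses you supplied.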

Test 4: Kill Switch Functionality

Does your VPN have a kill switch, and does it actually work? The kill switch is a safety feature that blocks all internet traffic if your VPN connection drops unexpectedly. This prevents your real IP address and unencrypted traffic from being exposed during connection interruptions.

To test your kill switch: connect to your VPN, start streaming a video or downloading a large file, then manually disconnect your VPN connection (close the app or disconnect through settings). If the kill switch works properly, your internet connection should immediately stop – the video should freeze and the download should halt. If your internet continues working after disconnecting the VPN, you don't have functional kill switch protection, which is a significant safety concern.
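An added example, not from the original article: a Node.js probe loop that puts a number on this test by attempting a fresh TCP connection several times a second while you disconnect the VPN, so brief exposure that a video buffer would hide still shows up. The probe target `example.org:443` and the function names are assumptions.

```javascript
// Try one fresh TCP connection. Resolves true if it completes, false on error or timeout.
// A new socket per probe matters: an already-open connection can linger after the drop.
async function probeOnce(host, port, timeoutMs) {
  const net = await import('node:net');
  return new Promise((resolve) => {
    const sock = net.connect({ host, port });
    const done = (ok) => { sock.destroy(); resolve(ok); };
    sock.setTimeout(timeoutMs, () => done(false));
    sock.once('connect', () => done(true));
    sock.once('error', () => done(false));
  });
}

// Probe repeatedly and record { t: ms since start, ok: connection succeeded }.
async function monitor(host, port, { intervalMs = 250, durationMs = 30000, timeoutMs = 1000 } = {}) {
  const samples = [];
  const start = Date.now();
  while (Date.now() - start < durationMs) {
    const t = Date.now() - start; // timestamp when the probe was started
    samples.push({ t, ok: await probeOnce(host, port, timeoutMs) });
    await new Promise((r) => setTimeout(r, intervalMs));
  }
  return samples;
}

// Judge the run: any probe that succeeded between the moment the VPN was
// disconnected and the moment it was reconnected left the machine outside the tunnel.
function killSwitchVerdict(samples, disconnectT, reconnectT = Infinity) {
  const exposed = samples.filter((s) => s.ok && s.t >= disconnectT && s.t < reconnectT);
  return {
    pass: exposed.length === 0,
    exposedProbes: exposed.length,
    // Delay between the disconnect and the first connection that got out.
    firstLeakMs: exposed.length ? exposed[0].t - disconnectT : null,
    // Span covered by leaking probes (0 when only one probe leaked).
    exposureMs: exposed.length ? exposed[exposed.length - 1].t - exposed[0].t : 0,
  };
}

// Usage (assumed target): start the monitor, disconnect the VPN about 10 s in,
// then pass the moment you disconnected as disconnectT:
//   monitor('example.org', 443).then((s) => console.log(killSwitchVerdict(s, 10000)));
```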

Mia's Testing Protocol: I run all four of these tests on any VPN service before recommending it to Australian clients. If a VPN fails any of these tests, it goes into my "not recommended" category regardless of its other features or marketing claims. These aren't optional safety features – they're fundamental to VPN security. Any VPN service that can't pass these basic tests is not safe for privacy-conscious use.

Specific Safety Concerns for Australian VPN Users

While VPN safety principles are universal, Australian users face some unique considerations that affect how we should evaluate VPN services. Having worked with Australian clients for fifteen years and having personally navigated Australia's complex legal and regulatory environment, these are the Australia-specific safety factors I always assess.

Data Retention Laws and VPN Providers

Australia's mandatory data retention laws require internet service providers to log and store metadata about user activity for two years. This is one of the primary reasons many Australians use VPNs in the first place. However, an important question arises: do these data retention obligations apply to VPN providers operating in Australia?

The legal situation is somewhat complex. VPN providers that operate as telecommunications service providers in Australia could potentially fall under data retention requirements. This is why many VPN companies either don't operate infrastructure directly in Australia or carefully structure their services to avoid being classified as telecommunications providers under Australian law.

When evaluating whether a VPN is safe for Australian privacy protection, I always investigate how the provider handles Australian operations. Do they have physical servers in Australia? If so, what data retention policies apply to those servers? Are they subject to Australian jurisdiction and legal demands? A VPN service that maintains Australian servers but is incorporated in a jurisdiction with strong privacy protections (like Switzerland or Panama) offers a different privacy profile than one that's fully Australian-owned and operated.

Five Eyes Intelligence Sharing

Australia is part of the Five Eyes intelligence alliance (along with the United States, United Kingdom, Canada, and New Zealand). These countries share signals intelligence and have been documented engaging in mass surveillance programmes. From a VPN safety perspective, this raises questions about VPN providers based in Five Eyes countries.

If a VPN company is incorporated in Australia, the US, the UK, Canada, or New Zealand, it could potentially be compelled to cooperate with intelligence agencies, possibly even under gag orders that prevent them from disclosing such cooperation. This doesn't mean all Five Eyes VPN providers are unsafe, but it does mean their legal environment creates potential vulnerabilities that don't exist for providers based in jurisdictions outside the Five Eyes (and extended Nine Eyes and Fourteen Eyes) alliance.

My assessment: for maximum privacy assurance, particularly for sensitive use cases, VPN providers based outside Five Eyes countries offer stronger legal protections. However, this must be balanced against practical factors like having Australian server locations for good performance. Many Australians use VPNs primarily for protection against ISP surveillance and data breaches rather than nation-state threats, in which case the jurisdiction question becomes less critical.

The Performance vs. Safety Trade-off

Australian users face a unique challenge: we're geographically isolated from much of the world's internet infrastructure. This distance creates latency issues that are exacerbated when routing traffic through distant VPN servers. The natural temptation is to prioritise VPN services with servers in Australia or nearby Asia-Pacific locations for better performance.

However, this creates potential safety trade-offs. VPN servers physically located in Australia are subject to Australian jurisdiction and potentially Australian legal demands. Servers in some nearby countries face even more concerning legal environments (some Asian countries have restrictive internet laws and surveillance practices).

My recommendation for Australian users: use a VPN provider that offers servers in multiple locations. Connect to Australian or nearby servers for everyday browsing where performance matters, but understand that for maximum privacy protection in sensitive situations, you may want to connect to servers in jurisdictions with stronger privacy laws (like Switzerland or Iceland) and accept the performance penalty.

Common VPN Safety Questions from Australians

Let me address some of the specific safety questions I frequently receive from Australian VPN users. These represent real concerns from real people trying to protect their online privacy.

Does VPN Protect You from Hackers?

Partially, but not completely. A VPN protects against specific types of attacks, particularly on untrusted networks. If you're on public Wi-Fi at a café and a hacker on the same network is trying to intercept traffic, your VPN encryption prevents them from reading your data or stealing login credentials. This type of "man-in-the-middle" attack is one of the primary threats VPNs defend against.

However, VPNs don't protect against all hacking threats. They won't stop malware on your device, prevent phishing attacks, or protect you if you voluntarily hand over your credentials to a fake website. VPNs secure the connection between your device and the internet, but they don't address threats that originate on your device or that trick you into taking unsafe actions. That's why I always emphasise that VPNs are one component of security, not a complete solution.

Does VPN Hide Browsing History from Wi-Fi Owner?

Yes, this is one of the things VPNs do effectively. When you're connected to someone else's Wi-Fi network (at work, in a café, at a hotel, or even at a friend's house), the network owner can typically see which websites you visit by monitoring DNS requests and unencrypted traffic. A VPN prevents this by encrypting all your traffic before it reaches their network.

When you use a VPN on someone else's Wi-Fi, all they can observe is that you're connected to a VPN server. They can't see which websites you're visiting, what services you're using, or what data you're transmitting. Everything is encrypted and appears as meaningless gibberish to any network monitoring. This is particularly valuable for Australians who frequently work from cafés or use public Wi-Fi while travelling.

Can VPN Be Tracked by Government?

This is a nuanced question that requires a realistic answer. Can government agencies with sufficient resources determine that you're using a VPN? Yes, easily – VPN traffic has identifiable characteristics, and your ISP can see that you're connected to VPN servers. Can they see what you're doing through the VPN? That's much more difficult and depends on multiple factors.

If you're using a quality VPN with strong encryption and a verified no-logs policy, the encryption protecting the content of your VPN traffic is essentially unbreakable with current technology. However, governments can potentially compel VPN providers to log information going forward, particularly if the provider is subject to their jurisdiction. This is why provider jurisdiction and trustworthiness matter so much.

For ordinary Australians using VPNs for legitimate privacy protection (avoiding ISP surveillance, securing public Wi-Fi, accessing geo-restricted content), the question of government tracking is largely theoretical. Australian authorities aren't dedicating sophisticated resources to monitoring typical VPN users. However, if you're involved in activities that might attract law enforcement or intelligence attention, you should understand that VPNs provide privacy, not perfect anonymity. True anonymity requires additional tools and techniques beyond just VPN use.

Is Using a VPN Illegal in Australia?

No, using a VPN is completely legal in Australia. This is a common concern, and I address it in detail on my page about VPN legality in Australia. VPNs are legitimate privacy and security tools used by businesses, security-conscious individuals, and anyone who wants to protect their online activity. The Australian government has not banned or restricted VPN use.

That said, while VPN use is legal, using a VPN to engage in illegal activities doesn't make those activities legal. If you use a VPN to download pirated content, that's still copyright infringement. If you use a VPN to access services in ways that violate their terms of service (like bypassing geographic restrictions on streaming services), that may breach contractual agreements even though VPN use itself is legal.

Mia's Safety Checklist: Evaluating Any VPN Service

I've compiled my evaluation criteria into a practical checklist you can use when assessing whether a VPN service is safe. Before committing to any VPN, work through this checklist. Services that fail multiple criteria should be avoided.

🔍 The Mia Wexford VPN Safety Checklist

  • Paid Service - Subscription-based revenue model means you're the customer, not the product
  • Clear Privacy Policy - Detailed, specific policy stating what they do and don't log
  • Independent Audit - Third-party security audit published and recent (within 2 years)
  • Modern Protocols - Supports WireGuard and/or OpenVPN (avoid services only offering outdated protocols)
  • AES-256 Encryption - Industry standard encryption explicitly confirmed
  • Kill Switch - Network kill switch feature available and functional
  • DNS Leak Protection - Built-in protection against DNS leaks included
  • Transparent Ownership - Company ownership and jurisdiction clearly disclosed
  • No Suspicious Permissions - Mobile apps don't request excessive device permissions
  • Regular Updates - Apps actively maintained with security updates
  • Realistic Marketing - Doesn't make impossible promises about "complete anonymity" or "100% security"
  • Positive Independent Reviews - Reviewed favourably by security experts, not just paid affiliate sites

Scoring Guide: 10-12 checks = Excellent safety profile | 7-9 checks = Good, acceptable for most uses | 4-6 checks = Questionable, investigate further | 0-3 checks = Unsafe, find alternative

I use this exact checklist when evaluating VPN services for client recommendations. It's based on fifteen years of experience and reflects both theoretical security principles and practical realities of the VPN industry. While no VPN is perfect, services that score well on this checklist represent genuinely safe choices for Australian users.

Final Thoughts on VPN Safety

After evaluating countless VPN services and helping thousands of Australians with their online security, my perspective on VPN safety comes down to this: yes, VPNs can be very safe and are essential privacy tools when you choose wisely. However, unsafe VPN services are worse than no VPN at all because they create a false sense of security while actually compromising your privacy.

The VPN industry contains both excellent privacy-protecting services and exploitative data-harvesting operations. Your safety depends entirely on your ability to distinguish between these categories. That's why I've provided you with the evaluation criteria, testing methods, and assessment checklists in this article – so you can make informed decisions rather than gambling with your privacy.

For Australian users specifically, remember that our unique legal environment (data retention laws, Five Eyes membership, geographic isolation) creates specific considerations that affect VPN selection. A VPN that's safe for an American user might not offer the same protections for an Australian user due to jurisdictional differences. Always evaluate VPNs through the lens of Australian privacy challenges.

If you're using a VPN right now, I encourage you to work through the verification tests I've described. Confirm that your VPN is actually working safely and protecting your privacy as claimed. If it fails these tests, consider switching to a provider that passes. Your online privacy is too important to trust to unverified marketing claims.

Mia's Recommendation: For most Australians, a paid VPN service from an established provider with recent independent audits, strong encryption, and transparent operations offers excellent safety and privacy protection. Avoid free VPNs, test your chosen service using the methods I've described, and remember that VPNs are one component of overall online security, not a magic solution to all privacy threats. When you understand both what VPNs can do and what they cannot, you're equipped to use them safely and effectively.

Additional Australian Privacy Resources

For more information about online privacy and VPN safety, I recommend these authoritative Australian sources: