If you’re running a VPN on your Android phone, you’re likely doing so because you want your browsing data to be as private and secure as possible. As such you want a VPN with the best available settings. It can be difficult to know and understand which settings are really important, so we’ve rounded up a list of the best VPN settings for Android and explain what they do.
Encryption and VPN protocol
The two most important settings involved in keeping your VPN connection secure are the VPN protocol and the encryption algorithm.
The best VPN protocol you can use is OpenVPN, it is the standard VPN protocol because it supports the best available encryption and is a well-developed protocol. Two other VPN protocols that offer equivalent security levels but haven’t been as thoroughly analysed yet are Catapult Hydra and WireGuard. Where possible, you should avoid the VPN protocols PPTP and L2TP as they are both old and have weak security.
The best encryption available at the moment is the 256-bit AES-GCM cipher, although the 256-bit AES-CBC cipher offers equivalent security at a slower speed. AES is short for Advanced Encryption Standard and is the actual cipher used to encrypt data. GCM and CBC are modes of operation for the cipher, CBC can only be parallelised or multithreaded when decrypting data, GCM, however, can be parallelised when encrypting and decrypting, hence the performance advantage.
256-bit refers to the size of the encryption key and the number of possible values it can have. 256-bit can also be written as 2^256 or 2 multiplied by itself 256 times. If the total number of possible encryption keys was written out in full it would start with a 1 and have 77 zeroes after it, to put that number in perspective, scientists believe this is roughly equivalent to the number of atoms in the observable universe. Even if you had dedicated access to supercomputers for centuries, you’d still not be likely to break AES.
The WireGuard protocol uses a different cipher suite, ChaCha20 to perform its encryption. ChaCha20 is equivalent in strength to 256-bit AES while being even faster to process, however, it is also newer and less thoroughly researched.
One final encryption option is PFS or Perfect Forward Secrecy. PFS is a setting that regularly changes the encryption key being used. This means that if your encryption key was ever compromised, it would only be able to decrypt a small amount of data. There is no reason not to use PFS if it is available.
Kill switch
A VPN kill switch is used to cut the internet connection of your device if it detects that it has disconnected from the internet. This protects you from having all of your browsing data leak from your VPN if you don’t notice that it has disconnected.
A VPN kill switch can be useful for everyone but is especially useful for mobile devices that can regularly switch networks which increases the risk of VPN connection issues.
Leak prevention
A VPN kill switch prevents a general leak of data, however, there are a few protocols that have a history of leaking information that could be used to identify you or track your activity. The main culprits are IPv6, DNS, and WebRTC.
IPv6 is an update to the IPv4 address scheme used to uniquely address all devices on the internet. IPv4 has now essentially run out of available IP addresses, nearly all 4.3 billion IPv4 addresses have been assigned. As such it’s necessary to switch over to the new addressing scheme which has a much larger address space. IPv6 uptake however has been slow, and many services and even ISPs don’t support it.
Unfortunately, if a VPN provider doesn’t support IPv6, they might end up ignoring it, at which point, your device could send and receive IPv6 traffic outside of the VPN even when you’re supposedly connected and protected. The correct procedure is for the VPN provider to either block all IPv6 traffic from leaving your device or to support IPv6 and route it over the VPN too. You can test if your IPv6 address is leaking with sites like ipv6leak.com.
DNS or Domain Name System is the protocol used to translate human-readable URLs to the IP address of the server. Disappointingly, VPNs have a history of allowing DNS requests to leak out of the VPN connection. DNS is a plaintext protocol, meaning it’s not encrypted. This means that even if you change your preferred DNS server, away from your ISP provided one, your ISP can still read and track what websites you’re browsing to via your DNS traffic.
All protocols that send data to the internet, including DNS, should be routed over the VPN. This allows the encryption of the VPN tunnel to protect your DNS data from snooping. You can test if your DNS requests are leaking with websites like dnsleaktest.com.
WebRTC or Web Real-Time Communication is a browser-based API used for peer-to-peer connections. Unfortunately, it can leak your real IP address to the other party, even if you’re using a VPN. Blocking WebRTC is therefore a good idea. Some VPNs will offer the ability to block it, others will not. You can block WebRTC with other programs if needed, for example, the ad-blocking browser extension “uBlock Origin” includes a setting to block WebRTC. You can test if WebRTC is leaking your IP address on websites like browserleaks.com/webrtc.
