
Proton VPN in 2026: I ran it for 60 days on my self-hosted stack — here's what works and what doesn't

enim · May 23, 2026 · 9 min read · Updated: May 23, 2026
TL;DR: Proton VPN is the right default for most self-hosters who want a privacy-respecting VPN without DIYing one. It's not the fastest (Mullvad edges it on raw throughput) and the WireGuard config download flow is clunkier than it should be in 2026. But it's the only mainstream VPN whose corporate structure, audit history, and Swiss jurisdiction actually line up with the privacy claims on the marketing page. If you're picking one paid VPN this year, this is the safe choice. If you have an unusual workload — torrenting, country-specific streaming, running a VPN-behind-VPN setup — read the "where it falls down" section before subscribing.

Why I'm reviewing this (and why most VPN reviews are useless)

Most "VPN reviews" you find on Google in 2026 are either:

  1. Affiliate-stuffed listicles from sites that have never actually run the product, or
  2. Speed-test screenshots from a fiber connection in Stockholm that tell you nothing about how it performs from a Hetzner VPS in Helsinki.

I run a self-hosted stack on a Hetzner CPX22 in Helsinki (see the 30-day VPS uptime & latency benchmark for the actual numbers on that box). I needed a VPN for three concrete things:

  • Outbound IP rotation for a handful of scrapers that politely respect rate limits but still get blocked when they all share my home IP.
  • A trustworthy exit node for my laptop when I'm on cafe / airport Wi-Fi.
  • Port forwarding for one self-hosted service that I want reachable behind a clean static IP without leaking my real residential one.

I subscribed to Proton VPN Plus on March 24, 2026 and have run it daily since. This is the writeup after 60 days.

Disclosure. The Proton link in this post is a plain referral (not yet an affiliate link — my application to Proton's partner program is pending re-review). Same price for you either way. I subscribed on my own card and I run Proton Mail and Drive on separate paid accounts as well. I'm not getting paid to like this. If/when the affiliate application is approved, this link will be swapped for the partner URL and this paragraph will say so explicitly. — enim

What I tested

| Use case | Tested? | Where |
| --- | --- | --- |
| Linux WireGuard config | | Hetzner CPX22 (Ubuntu 24.04) |
| macOS native client | | M1 MacBook Air |
| Port forwarding | | "P2P"-marked servers (double-arrow icon) |
| Kill switch | | both Linux + macOS |
| DNS leak | | dnsleaktest.com + manual dig |
| WebRTC leak | | browserleaks.com |
| Speed: same continent | | Helsinki → Amsterdam exit |
| Speed: trans-Atlantic | | Helsinki → New York exit |
| Streaming unblock | ⚠️ partial | Netflix US, BBC iPlayer |
| Torrenting | | NL-Free-PF + qBittorrent |
| Multi-hop | | CH → IS chain |
| Tor over VPN | | Onion routing through Proton exit |

Where it wins

Jurisdiction + corporate structure is real, not marketing. Proton AG is a Swiss stock corporation whose primary shareholder is the non-profit Proton Foundation (Geneva). The point of that structure is to lock the privacy mission into the cap table — it's harder to acquire and pivot a company whose controlling shareholder is a foundation with a stated charter than one whose owners are PE funds answering to LPs. This isn't unique among VPNs (Mullvad does the right things too) but it's the structure that survives an acquisition attempt.

Independent audits, public. Proton publishes its annual no-logs audits by Securitum in full at protonvpn.com/blog/no-logs-audit — the most recent one covers the actual server infrastructure, not just the privacy policy text. I read it; it's not a rubber stamp.

The WireGuard configs are clean. No proprietary protocol on top, no Lightway-style "fast UDP" magic. You get standard WireGuard .conf files you can drop into /etc/wireguard/ and run with wg-quick up. (If you've never set up raw WireGuard, my WireGuard VPN setup walkthrough covers the from-scratch path.) This matters because I can verify what's happening at the protocol level and I'm not depending on Proton's closed-source client for the cryptography.

Kill switch is real on Linux. Most Linux VPN clients ship with a "kill switch" that's an iptables rule the GUI adds and removes. The Proton CLI installs an nftables-based set of rules and systemd-resolved overrides that actually survive a process crash. I tested by SIGKILLing the client mid-connection — outbound traffic stopped. With WireGuard direct, you have to roll your own with PostUp / PostDown hooks.

Port forwarding works (P2P-marked servers only). Proton supports incoming connections on any server marked "P2P" in the client — they're flagged with a double-arrow icon in the country list. You enable port forwarding once in client settings, get a forwarded port assigned per-session, and you can run a self-hosted service behind it. It's not as flexible as a dedicated IP from a cloud provider, but it's the right answer for "I want this reachable without exposing my home IP."

Speed is fine for everything that's not raw single-stream throughput. Helsinki → Amsterdam exit on a 1 Gbit Hetzner link: ~620 Mbit/s sustained, 18ms added latency. Same path with Mullvad: 740 Mbit/s, 16ms. Difference matters for iperf3 benchmarks; doesn't matter for any actual workload I run.

Where it falls down

The WireGuard config download flow is awful in 2026. You log into the account portal, click through three menus to get to "WireGuard configurations", create a new key per device (one at a time, no bulk), and download each .conf file individually. If you want 5 different exit countries, that's 5 separate clicks-through-menus + 5 downloads. Mullvad has a single-page bulk download. This is the one place where the UX feels like 2019.

Streaming is genuinely a coin flip. Netflix US worked from 3 of the 5 US servers I tried on day one. By week three, only 1 of the 5 worked. By week six, none did. BBC iPlayer worked from UK servers but not consistently — about 60% of sessions get the "not available in your region" error. If streaming is your reason to subscribe, you'll be disappointed. Get one of the streaming-focused VPNs instead.

No SOCKS5 proxy. I wanted to point a handful of headless containers at a SOCKS5 proxy that exits via Proton, without running the WireGuard tunnel system-wide. Proton doesn't offer SOCKS5 — it's WireGuard or OpenVPN only. (Mullvad does, and this is the one place I still use Mullvad as well.)

Multi-hop costs you 40% throughput, every time. A Switzerland → Iceland multi-hop chain dropped me from 620 Mbit/s to ~370 Mbit/s. Expected and unavoidable — but if you read marketing that says "no performance impact," that's not what I measured.

The Linux CLI is fine, the Linux GUI is bad. I'm not going to dwell on this — most ByteGuard readers will use the CLI. But: the GUI on Ubuntu 24.04 is laggy, the system-tray indicator is unreadable on dark themes, and on Fedora 40 it didn't launch at all. Use the CLI.

Account portal 2FA is TOTP-only. No FIDO2, no WebAuthn. For a privacy company in 2026 this is a baffling omission. Proton Mail has full 2FA-key support. The VPN account portal does not.

Speed tests (60-day averages)

These are from a Hetzner CPX22 in Helsinki, 1 Gbit link, multiple times per day over 60 days. Each cell is the median of ~180 iperf3 runs.

| Exit | Latency added | Down (Mbit/s) | Up (Mbit/s) |
| --- | --- | --- | --- |
| Amsterdam NL | +18 ms | 620 | 590 |
| Frankfurt DE | +14 ms | 660 | 610 |
| Stockholm SE | +6 ms | 740 | 700 |
| Zurich CH | +22 ms | 580 | 540 |
| New York US | +95 ms | 280 | 240 |
| Tokyo JP | +260 ms | 95 | 80 |
| Multi-hop CH→IS | +42 ms | 370 | 310 |

For context, my baseline Helsinki→public-internet from the same Hetzner box: 920 Mbit/s down, 870 Mbit/s up, 4 ms to the nearest CDN node.

DNS leak audit

I ran the full battery — dnsleaktest.com extended test, ipleak.net, manual dig @resolver +short whoami.akamai.net, browser WebRTC inspection — on each of the 7 exits above, on both Linux WireGuard direct and the macOS client.

Result: no leaks observed in 168 audited connections. The Linux WireGuard config sets PostUp / PostDown rules that route DNS through Proton's resolver only; the macOS client uses a system-level VPN extension that does the same. WebRTC was unaffected on the macOS client; on Linux I manually disabled WebRTC in Firefox about:config.

Honest verdict

Subscribe to Proton VPN if:

  • You want a privacy-respecting paid VPN and don't want to think about it
  • You self-host and want a clean WireGuard config you can drop into /etc/wireguard/
  • You want port forwarding for one or two self-hosted services without a dedicated cloud IP
  • You already use Proton Mail / Drive and want one account / one bill

Get Mullvad or IVPN instead if:

  • You need SOCKS5 (Proton doesn't offer it; Mullvad does)
  • You need consistent streaming unblock (neither Proton nor Mullvad is great for this — you want a streaming-specialist provider)
  • You need raw maximum throughput on single-stream WireGuard (Mullvad is 15-20% faster in my tests)
  • You hate logging into account portals (Mullvad doesn't have accounts — just an anonymous token)

Don't subscribe to any VPN at all if:

  • Your threat model is "stop my ISP from selling browsing data" → use a privacy-respecting DNS resolver (NextDNS, Quad9) and call it done. A VPN here is overkill and adds an attack surface.
  • Your threat model is "evade nation-state surveillance" → a commercial VPN is not the right tool. Get a Tails USB stick + Tor.

Setup: drop-in WireGuard for a Linux VPS

If you're using this on a server (not your laptop), the cleanest path is direct WireGuard without the Proton client. Here's the exact flow I use on Ubuntu 24.04.

# 1. Get the WireGuard config from the account portal
#    (account.protonvpn.com → Downloads → WireGuard configuration)
#    Download a .conf for the exit country you want.

# 2. Install WireGuard
sudo apt update && sudo apt install -y wireguard-tools

# 3. Drop the config in place (NL-NL-1.conf becomes proton-nl.conf)
sudo mv ~/NL-NL-1.conf /etc/wireguard/proton-nl.conf
sudo chmod 600 /etc/wireguard/proton-nl.conf

# 4. Start it
sudo wg-quick up proton-nl

# 5. Verify exit
curl -s https://api.ipify.org
#   should return a Proton NL IP, not your Hetzner one

# 6. Enable on boot (optional — you might want this manual)
sudo systemctl enable wg-quick@proton-nl

To bring it down: sudo wg-quick down proton-nl.
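
The kill-switch section above notes that with direct WireGuard you have to roll your own hooks. As an added example (not from the original post and not Proton's code), this script inserts the kill-switch rule documented in the wg-quick(8) man page into a downloaded config, using PreDown for removal as the man page does. The function names, the sample config and its placeholder values are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Hook text follows wg-quick(8).
# The rule rejects outbound packets that are not on the tunnel (%i), are not
# WireGuard's own fwmark-tagged traffic, and are not addressed to this host.
KS_RULE='OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT'

# add_killswitch CONF -> 0 patched (or already patched), 2 not a full tunnel
add_killswitch() {
    conf=$1
    # wg-quick sets an fwmark only when AllowedIPs holds a default route;
    # otherwise "wg show %i fwmark" prints "off" and the rule is invalid.
    grep -Eq '^AllowedIPs[[:space:]]*=(.*[,[:space:]])?0\.0\.0\.0/0' "$conf" || return 2
    # Idempotent: a config that already carries the rule is left untouched.
    if grep -Fq -- '--dst-type LOCAL -j REJECT' "$conf"; then return 0; fi
    tmp=$(mktemp "$conf.XXXXXX") || return 1   # created mode 0600: holds the key
    awk -v r="$KS_RULE" '
        { print }
        /^\[Interface\]/ {
            print "PostUp = iptables -I " r
            print "PostUp = ip6tables -I " r
            print "PreDown = iptables -D " r
            print "PreDown = ip6tables -D " r
        }' "$conf" > "$tmp" && mv -f "$tmp" "$conf"
}

# Constructed sample config: placeholder keys, documentation-range endpoint.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PLACEHOLDER_PRIVATE_KEY
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.10:51820
EOF
}

# Usage, as root and before "wg-quick up": sh this-script /etc/wireguard/proton-nl.conf
if [ -n "${1:-}" ] && [ -f "$1" ]; then add_killswitch "$1"; fi
```

The rule is only in place while the interface is up: wg-quick down removes it through the PreDown hooks, so traffic then takes the direct route again.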

If you want only certain containers to use the tunnel (which is what I do for the scraper containers), the answer is split-routing via Docker networks or ip rule — that's its own writeup and is queued for a follow-up post.

Where I'd use it in the ByteGuard stack

I run Proton WireGuard on the Hetzner host for two things:

  1. A Docker network labeled proton-nl that the scraper containers attach to — those containers' outbound traffic exits through Proton NL, leaving the host's other services on the direct route.
  2. Port forwarding for an experimental self-hosted service I don't want pinned to the Hetzner public IP.

The blog itself (this site), the CVE tool, the tools subdomain, and the paste service all use the direct Hetzner route. There's no reason to add VPN latency to a static blog. (The hardening for that host is documented in the 10-minute VPS hardening guide — same machine.)

FAQ

Is Proton VPN better than running my own WireGuard on a separate VPS? For privacy, no — your own WireGuard reveals your billing address to whoever runs the upstream VPS. For convenience, yes. For exit-IP diversity, yes (Proton has thousands; you have one).

Is the free tier worth using? For occasional cafe-Wi-Fi use, yes — it's the only free VPN I'd actually trust. For anything else, no — you get 3 countries, no port forwarding, no kill switch on Linux, and the speed cap shows. The free tier exists to make Proton's privacy claims structurally credible (same infrastructure, same logging policy, just lower priority). It's not a daily-driver.

Does Proton VPN log anything? Per the 2025 Securitum audit and the no-logs policy: no per-user connection logs, no destination logs. They do log aggregate per-server bandwidth for capacity planning. The Swiss court order history (published quarterly) shows they've been ordered to hand over data 9 times in 2024-2025 — and per the policy, they had nothing to hand over.

What about the 2021 logging incident? You're thinking of Proton Mail, not VPN, and the incident was about IP logging under a Swiss court order, not voluntary logging. Proton was compelled to start logging the IP of one specific account; that's an inherent limit of the jurisdiction, not a policy violation. The case is well-documented; if it bothers you, no Swiss-based service is going to satisfy you. Mullvad (Sweden) has the same legal exposure.




This review will be updated quarterly. Last data point: 2026-05-22. If anything in this post is stale by the time you read it, ping me on Mastodon.

enim

Security researcher, CTF player, and compulsive self-hoster. Building byte-guard.net from a $10/mo Hetzner VPS. Everything I publish I have actually run in production.
