VPNs have become popular and are often touted as a tool to improve privacy. While this is sometimes true, it is important to tread carefully when choosing an VPN. A good place to start is looking at which VPN providers meet the requirements for running a trustworthy VPN service. A trustworthy VPNs must be free software, that is non-negotiable. First, inspection is required in order trust software. Having the source is the only way to see all the things the software is doing. F-Droid reviews the apps that we ship on this website, which lets us spot potential issues and anti-features. And we are happy to hear that reputable VPN providers make the effort to get their apps on f-droid.org to build trust with their users. From there, Reproducible Builds provides a strong link between the source code and the actual app binaries that run on the device.

The best VPNs are the ones that use free software both for the client app, and for running the services. Indeed all OpenVPN, Shadowsocks, and WireGuard VPNs are based on free software since those standards are defined by free software projects. F-Droid looks into this as part of the reviews, and marks apps with relevant Anti-Features, like the Non-Free Network Services mark if the server side is not free software. And there are a number of free software projects that make it a lot easier to setup and run a VPN or proxy services. Here are some that are on f-droid.org:

• Bitmask is a generic client for the LEAP VPN setup which powers Calyx VPN, Riseup VPN, and more.
• eduVPN is a VPN client for Let’s Connect VPN setup which powers eduVPN.
• OpenVPN for Android is a generic OpenVPN client for any VPN provider that offers it.
• Outline is an offering designed to let anyone run their own VPN based on Shadowsocks.
• WireGuard is a generic WireGuard client for any provider that offers it.

So far, none of the VPN providers have taken the plunge into fully supporting reproducible builds. There is some progress: some of the releases of WireGuard, Tailscale, and Mysterium VPN have been reproduced on our verification server. But these apps are not setup for the full reproducible publishing setup, which confirms that the f-droid.org version matches the upstream developer’s version exactly, then publishes with the upstream signature. The F-Droid community is helping more and more apps achieve reproducible builds, which VPN app will be the first?

There are also a number of apps that are dedicated to a given provider. Although there are generic clients available, there are good reasons for a free software provider to ship a custom app. First, it can make configuration dead simple. Calyx VPN and Riseup VPN have no accounts at all, so just install the app, and turn on the VPN. Second, it allows the provider to include multiple methods of connecting and automatically switch between them, depending on what works best. We decide which apps to include based on what is best for the users. A VPN client that offers no additional functionality and just serves as a rebrand of an existing client does not serve users well. In order for an app from a specific provider to be included, it must provide real value to our users. Here is a list of some related examples:

• IVPN
• Lavabit Encrypted Proxy
• Mullvad VPN
• Mysterium VPN
• ProtonVPN
• Purism Librem Tunnel

We also get lots of direct messages asking us to include various proprietary VPN apps, or promote various VPN services for a fee. That is of course a non-starter. The first step is free software.