When you look up VPN-related topics, you mostly just find articles on how these services can help you bypass geo-blocks, save money, and secure your data. But there's not a lot of info about VPN history itself.
So, I decided to put together this 10-minute but in-depth article that discusses the most important things about it - how VPNs got their start, how they changed over the years with new developments, and what the future has in store for them.
VPN History - From Government & Corporate to Commercial
VPN technology had its start in government projects and corporations. Initially, they were just meant to offer government officials and corporate employees a secure way to remotely access files from home, downtown, or while on a trip abroad.
But over the years, VPNs went from that to large, successful commercial services.
More and more people got access to the Internet - 300+ million after 2000, and nearly 900 million by 2005. Suddenly, it wasn't just engineers, programmers, project managers, and C-level staff that was using the Internet regularly for work and to communicate with other people.
So, demand started to grow for commercial VPN services among regular online users too.
4 Things That Encouraged the Transition
In my opinion, these are the factors that made commercial VPNs so successful:
1. Privacy Scandals
WikiLeaks started showing the world just how much shady stuff goes on behind the scenes, and how much governments loved to censor the web back in 2006.
Besides that, a lot of privacy scandals happened over the years that convinced people that the Internet isn't as private and safe as we all liked to think.
And it all culminated with Edward Snowden's leaks between 2013 and 2014. That's when people found out just how much governments spy on online users.
Because of that, VPNs became a popular way for Internet users to stop government agencies, hackers, and ISPs from spying on them.
2. Internet Censorship
China is one of the most notable examples. The country started censoring the Internet in 1997, and its government immediately started work on the Great Firewall of China the very next year.
Besides that, Southeast Asian countries, Middle Eastern countries, and also Russia started heavily censoring the Internet as it became available in their regions.
Obviously, people in those areas and tourists visiting those countries started using VPNs to get around government censorship.
3. Streaming Platforms
Video-on-demand services started showing up around 2006. Amazon Video, Netflix, Hulu - you had quite a lot of options.
Unfortunately, those services used geo-restrictions. So people who were living or traveling outside a specific country (usually the US), didn't get access to all that entertainment - that is until they started using VPNs to bypass geo-blocks.
4. Vulnerable WiFi
WiFi might be useful, but its risks are pretty serious. What started out with flaws that could jam networks and hacking threats eventually culminated with the KRACK attack - a cyber attack that can break WPA2 encryption (the current WiFi security standard).
Plus, not even WPA2's successor (WPA3) is 100% without flaws.
All in all, WiFi proved time and time again how unreliable it is over the years. So, online users just started running VPN connections whenever they used WiFi to secure their traffic.
VPN History Timeline - Development Over the Years
To make things as simple as possible, I think it's best to focus mainly on VPN protocols when talking about technological achievements. After all, they're responsible for establishing the encrypted VPN tunnel.
Also, keep in mind that VPN providers aren't the ones who came up with the idea of VPN protocols. Some of them are government-funded projects, while others are the work of independent teams that use open-source code.
If you'd like to learn more about VPN protocols, and see a more in-depth comparison of the most popular ones, check out our guide on that topic.
1995 - PPTP & IPSec
VPN history starts when these protocols officially saw the light of day in 1995. But they were in development years before that date.
PPTP (Point-to-Point Tunneling Protocol) was the brainchild of a consortium of various companies - Microsoft being the most notable. Its main purpose was to secure remote connections to work and home computers.
Nowadays, PPTP is no longer so widely used by VPN providers. While it's very fast, it's also very risky. The NSA can actually decrypt it, and it's vulnerable to bit-flipping attacks and dictionary attacks. Plus, firewalls can block PPTP traffic quite easily.
IPSec (Internet Protocol Security) started out as a DARPA project in the early 1970s and grew into an NSA-backed project between 1986 and 1991 whose goal was to create security protocols for the Internet.
After many name changes and different companies working on it, the protocol was eventually called IPSec. Like PPTP, its goal was to allow computers to communicate safely over the web.
Overall, IPSec is pretty secure, but we did recently find out the protocol has a pretty serious flaw. The good news is that IPSec VPN connections are only vulnerable if they use IKEv1 instead of IKEv2.
Still, not many providers offer standalone IPSec connections. Usually, they pair it up with L2TP and IKEv2.
1998 - IKE
IKE (Internet Key Exchange, also called IKEv1) is a protocol used in IPSec to set up a security association - basically exchanging encryption keys to make sure there is secure communication between two devices.
I haven't really seen any VPN providers offer standalone IKEv1 connections - not even IKEv1/IPSec connections, in fact. That's likely because IKEv1 isn't as secure as its successor.
2000 - L2TP
L2TP (Layer 2 Tunneling Protocol) is a protocol that supports VPN connections, and which also helps ISPs deliver their services. It has its origin in two different protocols - Cisco's L2F (Layer 2 Forwarding) protocol, and Microsoft's PPTP protocol.
The protocol attempted to solve the TCP meltdown issue by also using a UDP port. While that offered better stability, there was still one big problem - the L2TP tunnel provided zero encryption.
Because of that, L2TP was always (and continues to be) paired up with IPSec. So, you'll only see VPN providers offering L2TP/IPSec connections, not L2TP connections. The security is pretty decent since you get double encapsulation - first like a PPTP connection, and then like an IPSec connection.
2001 - OpenVPN
James Yonan developed OpenVPN and used GPL (GNU General Public License) to publish it.
We can easily say this was a turning point in VPN history since this was the first open-source VPN protocol. Also, OpenVPN made it possible for peers to authenticate each other with:
- Pre-shared keys;
- Usernames and passwords;
- And digital certificates.
OpenVPN offered great security, and it achieved that by mixing TLS and SSL. It also underwent security audits, and the results were good. I mean, one audit found two vulnerabilities, but they got fixed quickly.
Pretty much all VPN providers offer OpenVPN connections nowadays, but you can also set up your own server.
If you'd like to learn more about the OpenVPN protocol, follow this link.
2005 - IKEv2
2005 is when IKEv1 got officially updated to IKEv2. That fixed IKEv1's security vulnerabilities, and also added more useful functionality - particularly MOBIKE (IKEv2 Mobility and Multihoming Protocol), which helped the VPN connection resist network changes.
Basically, that meant your VPN connection wouldn't go down if you switched from a WiFi network to mobile data on the spot.
Furthermore, IKEv2 brought along better DoS protection. And even though it was closed-source, there are open-source implementations of it like OpenIKEv2 and Openswan.
2008 - SSTP
Microsoft developed SSTP (Secure Socket Tunneling Protocol), and introduced it with Windows Server 2008 and Vista SP1. While it still encrypted data packets with PPTP, it made sure they stay safe by following that up with the SSTP header which uses SSL encryption.
While SSTP is secure, stable, and flexible, some people doubt its efficiency because it's closed-source. Also, only Microsoft owns it, and the company is part of the PRISM surveillance program.
Of course, when SSTP came out, that wasn't such an issue since that kind of info wasn't public knowledge.
2014 - SoftEther & Chameleon
SoftEther started out as research for Daiyuu Nobori's master's thesis at the University of Tsukuba. But it didn't take long for it to become a successful VPN protocol implementation. It quickly grew popular thanks to it:
- Being open-source;
- Offering high-end security;
- Providing better speeds than OpenVPN and PPTP.
And SoftEther wasn't just a protocol. It was also a server that was able to support other protocols (SSTP, L2TP/IPSec, IPSec, and OpenVPN).
As for Chameleon, it's pretty unique since it's the only protocol on this list that was actually developed by a VPN provider (VyprVPN) and only belongs to them. Because of that, though, it's not open for inspection.
Despite that, I still consider Chameleon a noteworthy part of VPN history because it's the only protocol (to my knowledge) that uses a form of obfuscation, meaning it also hides your VPN traffic, not just your regular traffic. So, your ISP or government won't know you're using a VPN.
That is really useful in places where using a VPN can result in legal issues or countries where VPN connections are normally throttled or blocked.
2019 - WireGuard
Written by Jason A. Donefield, WireGuard is the newest VPN protocol so far. According to its documentation, it aims to surpass the OpenVPN and IPSec protocols in terms of performance. Just like OpenVPN, WireGuard was published under GPL.
Even though it runs inside the Linux kernel, WireGuard is cross-platform compatible. What's more, it's also simpler to use than OpenVPN or SoftEther since its code isn't too complex (it only has around 3,700 lines).
As for security, WireGuard aims to offer only the best and latest measures:
- ChaCha20 encryption;
- Poly1305 message authentication;
- Curve25519 for ECDH (elliptic curve Diffie-Hellman) key agreement;
- 1.5-RTT (1.5 Round Trip Time) handshake that offers PFS;
- BLAKE2s hashing (much faster than the regular SHA-3 most protocols use).
But for now, WireGuard is still a work in progress. So, we might see new features and more improvements in the near future (like it being able to use TCP port 443).
Other Noteworthy Developments
This is gonna be a quick rundown of other important developments that took place over the course of more recent VPN history. I can't really organize them chronologically since it's near impossible to tell exactly who was responsible for each development, and when VPNs started using it.
With that out of the way, here they are:
- Split Tunneling - Split tunneling allows you to only route some of your traffic through the VPN tunnel. Pretty useful if you want to access both foreign and local content, for example.
- Kill Switch - A great feature that automatically cuts off your Internet access if your VPN connection goes down. You can go online once the connection is up and running again. Some Kill Switches work at an application level - meaning they let you choose which apps shut down when your connection goes down.
- Obfuscation - Like I mentioned when discussing the Chameleon protocol, obfuscation is a way for VPNs to hide their own traffic. They don't change it, though. Instead, obfuscation just masks it. It's a great way to prevent bandwidth throttling from ISPs, bypass VPN censorship, and stay safe in countries that legally punish VPN usage.
- Double VPN/VPN Chains - A double VPN is when you use two VPN servers simultaneously. A VPN chain is when you connect to more than two VPN servers at the same time. Some providers (like NordVPN) even started offering double VPN features that automatically send your traffic through multiple servers.
- Enhanced Encryption - VPN services started using more and more powerful encryption over the past years, like AES, Camellia, ChaCha20, and RSA, alongside larger encryption keys (128-bit and 256-bit).
- DNS Leak Protection - A DNS leak is when your ISP can still see your DNS requests (what websites you access) even if you're using a VPN. So, some VPN providers have recently started adding built-in DNS leak protection in their clients.
- Tor Over VPN - "Tor over VPN" just means a VPN provider supports Tor traffic on their servers. While I don't really consider Tor safe or private, using it together with a VPN can offer a decent level of privacy.
What Was the First VPN App?
As far as I can tell, the first official commercial VPN app to hit the market was StrongVPN. The company behind it dates back to 1994, and it was in the business of selling computer parts. They officially made VPN history by launching StrongVPN in 2005.
According to some old reviews I managed to dig up, StrongVPN had 440 servers (give or take a few), a 7-day money-back guarantee, and unlimited bandwidth around the time it launched. They also offered pre-configured routers, 24/7 support, and pretty fast speeds.
Unfortunately, it was lacking in terms of security. You mainly had the PPTP protocol (some reviewers mentioned L2TP and IPSec too), and limited access to OpenVPN (it really depended on the plan you chose, and the server availability). StrongVPN also used static IP addresses - not exactly the best choice for privacy.
Plus, the pricing was pretty steep, and you needed to sign up for a three-month minimum period. Oh, and some reviewers noted concerns about StrongVPN keeping "records."
It wasn't much, but it was the best you got in terms of commercial VPNs back then.
Nowadays, the service is obviously more different. It has more servers, a 30-day money-back guarantee, keeps zero logs, and offers way better protocol support - OpenVPN (widely available now on their servers), IKEv2, L2TP/IPSec, IPSec, WireGuard, and SSTP.
In case you'd like to read a more recent review of StrongVPN, check out our take on it.
After StrongVPN, these were the next apps to hit the market:
- PureVPN (2007)
- VyprVPN (2009)
- ExpressVPN (2009)
How Many VPN Services Are There on the Market Now?
The simple truth is that there's no exact number I can give you. New VPN services constantly pop up on the market or change their branding.
So, keeping track of them all is near impossible.
But I can give you an estimate - it's likely that there are currently hundreds of VPN providers on the market.
Decentralized VPNs - A Reality?
The idea of a decentralized Internet and online services became very popular over the past years. Regular users having power over how things work instead of a central authority sounds appealing, after all.
So, it's not very surprising that we might or might not see decentralized VPNs in the near future.
In fact, there already is a work in progress, and it's called the Tachyon Protocol.
I didn't mention it in the "VPN History Timeline - Development Over the Years" section because it's not exactly just a VPN protocol. Instead, it's a whole Internet protocol that will allegedly support all sorts of technologies - VPNs, IoT, storage, DNS, etc.
From the get-go, it's obvious why a decentralized VPN sounds good:
- It would ensure that there is absolutely no way a VPN service could go behind your back, and log your traffic.
- It would also eliminate the risk of data breaches and leaks, or rogue employees.
- Censorship wouldn't be a problem either - like VPNs blocking torrent traffic, for example.
What's more, Tachyon also promises to deliver faster and more stable connections. And it claims to achieve this level of decentralization by combining PPTP with blockchain technology.
That sounds a bit bad since PPTP is not secure at all, but the Tachyon protocol allegedly uses end-to-end ECDHE-ECDSA encryption to provide security.
The protocol is linked to IPX, cryptocurrency which acts as tokens for the network, and helps with stuff like incentives and identity verification.
My issue with that is pretty simple - market manipulation. It happens often with Bitcoin, and even more often with other cryptocurrencies - especially new ones like IPX.
And usually, the way the price fluctuates influences the development of the backed product or service.
Also, Tachyon VPN isn't really in a finished state right now. It's in its Alpha phase, and only has two public servers you can use.
For now, it's hard to say whether we really will get a real, reliable decentralized VPN in the next years. According to the roadmap, a GA (General Availability) VPN release should happen somewhere in 2020, likely between July and October.
At the moment, I'd say that a decentralized VPN isn't really feasible. If people will stop seeing cryptocurrencies as a get-rich-quick scheme in the future, it might become a reality.
Though, I would be more than happy for Tachyon to follow through on their promises and prove me wrong.
What Does the Future Have in Store for VPNs?
According to the statistics I managed to find - quite a lot.
The market will grow significantly by 2022 - roughly $35.73 billion. And large companies are noticing that since they started buying VPN services in bulk.
What's more, VPN usage will likely continue to grow primarily in Asia and the Pacific, Latin America, and the Middle East. Those regions currently have the highest VPN usage rates.
Actually, speaking of usage - it's grown quite a lot over the past years. 2017 saw an increase of 185% compared to 2016, and the usage continued to grow by 165% in 2018. At this rate, I think it's safe to say that more and more people will start using VPNs regularly in the near future.
Also, it seems VPNs grew to the point where providers form their own organizations. That's what happened in December 2019 - NordVPN, VyprVPN, ExpressVPN, NetProtect, and Surfshark formed the VTI (VPN Trust Initiative) led by i2Coalition.
The goal of the VTI is to promote online safety, improve and reinforce industry standards, and promote industry-led regulations. Whether that's gonna be good for users' online privacy and freedom, or is just gonna help those providers monopolize the VPN market remains to be seen.
Overall, VPN history is definitely gonna get more interesting in the following years.
What About You, Though?
What's your opinion on how the VPN industry is going to change in the future? Or what other parts of VPN history do you think deserve some attention?
Let us know in the comments below.