Disclaimer: The below review is my opinion, which I will try to provide as many examples for and as much evidence as possible to support. Readers can learn more about how I conduct my reviews, my methodology, etc – here. More information on review badges here.

This review’s roll was #19 (at the time of the roll, CactusVPN).

Last Updated Jul 21, 2016

CactusVPN, like another service I’ve recently reviewed, relies heavily on an “affiliate referral” aka “native advertising” marketing strategy. I’ve talked about this subject at length in past posts and such, so I won’t go on too much about it here. Some VPN and web service companies use this model in moderation – against their better judgment. Others embrace it wholeheartedly. CactusVPN appears to fall into the latter category – as one affiliate in particular has in the past stolen my work and posted it on their site. When affiliates are allowed to run around unchecked like this, it tells a lot about the company that pays them. Someone on the internet comes with a dissenting opinion of your business dealings? Just steal their work, make fake websites to take their web traffic and troll forum posts to discredit them, it’s all good!

It strikes me as incredibly irresponsible when those they partner with are given free rein to steal copyrighted and trademarked work of others with no expectation or standard to live up to. And as a side note: I did contact CactusVPN at the time the aforementioned offense occurred. They acknowledged that they would contact the third party regarding my complaint, but I never heard back, nor was the stolen material taken down. Now that we’ve established this, to the review!

Signing up for the service: The first thing CactusVPN asks you for is your full name. A privacy no-no. There’s a little note at the bottom of the sign up page that says, “Please, use your real IP address if it’s possible as we do not accept orders from Proxy or VPN IP.” Just the fact that they even ask for that makes me cringe. Is this, or is this NOT a service that those concerned with privacy should consider? Based on what’s mentioned above, I would say it is not.



Once more, and it’s a minor complaint, but it always seems like these companies rarely think out the customer experience. After registration, I was greeted with a hodgepodge of 5+ welcome emails/receipts. Just seems sloppy to me, and many services fall prey to this.

Configuring the service: Mercifully, the config files and the CA cert for OpenVPN manual connection are easily found on the user portal and in no time, I had them downloaded and set up. The user portal provides a user name and password which are automatically generated. The default password is quite short (8 characters) and contained no uppercase letters or special characters, which is a fairly weak scheme. But all in all, everything was relatively easy to set up.

As we saw early on in my reviews, some companies forget to enable a certificate verification method in their server configs. This was the case with CactusVPN as this message appeared in the logs:

“WARNING: No server certificate verification method has been enabled”.

Basically, this creates an attack vector in which the server can be spoofed by a third party because it’s not being verified with the proper certificate. This is not a professional way to configure a VPN for security.
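As an added example (not from the original review and not CactusVPN's own files), the check below audits an OpenVPN client profile for the directives whose absence makes the client print that warning. The directive sets are an assumption based on common OpenVPN 2.x releases, and the sample profiles and the hostname `vpn.example.net` are constructed.

```python
import re

# Constructed sample profiles (not CactusVPN's files; hostname is a placeholder).
WEAK_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher AES-128-CBC
# remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
"""
HARDENED_OVPN = WEAK_OVPN + "remote-cert-tls server\nverify-x509-name vpn.example.net name\n"

# Assumed directive sets (check the manual for the OpenVPN version in use).
NEEDS_SERVER_ARG = {"remote-cert-tls", "ns-cert-type"}
NEEDS_ANY_ARG = {"verify-x509-name", "remote-cert-ku", "remote-cert-eku", "tls-verify"}

def directives(text):
    """Yield (name, args) per active directive, skipping comments and inline <tag> blocks."""
    inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                       # inside <ca>...</ca> and similar: not directives
            if line == f"</{inline}>":
                inline = None
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:
            inline = tag.group(1)
            continue
        # '#' or ';' at the start of a token begins a comment (quoting is ignored here)
        parts = re.split(r"\s[#;]", " " + line, maxsplit=1)[0].split()
        if parts:
            yield parts[0].lstrip("-"), parts[1:]

def server_verification(text):
    """Return the active directives that make the client verify the server certificate."""
    found = []
    for name, args in directives(text):
        if name in NEEDS_SERVER_ARG and args[:1] == ["server"]:
            found.append(name)
        elif name in NEEDS_ANY_ARG and args:
            found.append(name)
    return found

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_OVPN), ("hardened", HARDENED_OVPN)):
        hits = server_verification(profile)
        print(label, "->", hits or "no server certificate verification method")
```

An empty result means the profile relies on CA trust alone, so any certificate issued by the same CA, including another client's, would be accepted as the server.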

Speed & Stability tests: All tests performed at non-peak times using beta.speedtest.net (html5) or the speedtest.net app. Connected using UDP; default encryption was AES-128.



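Speed Tests – CactusVPN – Desktop

| Location | Trial | Latency | Download | Upload |
|---|---|---|---|---|
| No VPN | Trial 1 | 17 ms | 97.14 mbps | 11.99 mbps |
| No VPN | Trial 2 | 10 ms | 95.92 mbps | 12.32 mbps |
| No VPN | Trial 3 | 10 ms | 95.03 mbps | 12.37 mbps |
| No VPN | Average | 12 ms | 96.03 mbps | 12.23 mbps |
| Los Angeles | Trial 1 | 31 ms | 91.21 mbps | 11.09 mbps |
| Los Angeles | Trial 2 | 33 ms | 91.68 mbps | 11.70 mbps |
| Los Angeles | Trial 3 | 32 ms | 91.45 mbps | 11.13 mbps |
| Los Angeles | Average | 32 ms | 91.45 mbps | 11.31 mbps |
| Los Angeles | Comp to Bench | +20 ms | 95.23% | 92.48% |
| London | Trial 1 | 274 ms | 7.12 mbps | 4.67 mbps |
| London | Trial 2 | 275 ms | 7.04 mbps | 3.13 mbps |
| London | Trial 3 | 277 ms | 9.10 mbps | 4.52 mbps |
| London | Average | 275 ms | 7.75 mbps | 4.11 mbps |
| London | Comp to Bench | +263 ms | 8.07% | 33.59% |
| Bucharest | Trial 1 | 383 ms | 13.94 mbps | 3.83 mbps |
| Bucharest | Trial 2 | 386 ms | 13.93 mbps | 1.90 mbps |
| Bucharest | Trial 3 | 382 ms | 13.43 mbps | 0.00 mbps |
| Bucharest | Average | 384 ms | 13.77 mbps | 1.91 mbps |
| Bucharest | Comp to Bench | +371 ms | 14.34% | 15.62% |
| Amsterdam | Trial 1 | 295 ms | 18.07 mbps | 4.03 mbps |
| Amsterdam | Trial 2 | 292 ms | 18.12 mbps | 2.92 mbps |
| Amsterdam | Trial 3 | 291 ms | 18.21 mbps | 2.78 mbps |
| Amsterdam | Average | 293 ms | 18.13 mbps | 3.24 mbps |
| Amsterdam | Comp to Bench | +280 ms | 18.88% | 26.53% |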

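Speed Tests – CactusVPN – Mobile

| Location | Trial | Latency | Download | Upload |
|---|---|---|---|---|
| No VPN | Trial 1 | 26 ms | 74.74 mbps | 14.49 mbps |
| No VPN | Trial 2 | 11 ms | 74.76 mbps | 14.44 mbps |
| No VPN | Trial 3 | 11 ms | 74.90 mbps | 14.23 mbps |
| No VPN | Average | 16 ms | 74.80 mbps | 14.39 mbps |
| Los Angeles | Trial 1 | 35 ms | 23.01 mbps | 13.62 mbps |
| Los Angeles | Trial 2 | 35 ms | 21.21 mbps | 13.44 mbps |
| Los Angeles | Trial 3 | 36 ms | 32.45 mbps | 13.69 mbps |
| Los Angeles | Average | 35 ms | 25.56 mbps | 13.58 mbps |
| Los Angeles | Comp to Bench | +19 ms | 34.17% | 94.42% |
| London | Trial 1 | 277 ms | 2.69 mbps | 6.86 mbps |
| London | Trial 2 | 276 ms | 3.83 mbps | 10.29 mbps |
| London | Trial 3 | 274 ms | 3.94 mbps | 10.65 mbps |
| London | Average | 276 ms | 3.49 mbps | 9.27 mbps |
| London | Comp to Bench | +260 ms | 4.66% | 64.41% |
| Bucharest | Trial 1 | 382 ms | 2.30 mbps | 5.97 mbps |
| Bucharest | Trial 2 | 388 ms | 3.09 mbps | 7.07 mbps |
| Bucharest | Trial 3 | 407 ms | 2.65 mbps | 4.41 mbps |
| Bucharest | Average | 392 ms | 2.68 mbps | 5.82 mbps |
| Bucharest | Comp to Bench | +376 ms | 3.58% | 40.43% |
| Amsterdam | Trial 1 | 300 ms | 2.75 mbps | 8.21 mbps |
| Amsterdam | Trial 2 | 407 ms | 2.90 mbps | 10.26 mbps |
| Amsterdam | Trial 3 | 406 ms | 2.91 mbps | 5.54 mbps |
| Amsterdam | Average | 371 ms | 2.85 mbps | 8.00 mbps |
| Amsterdam | Comp to Bench | +355 ms | 3.81% | 55.63% |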

AES-128 is faster than AES-256, but not as strong. It’s considered okay for most uses, although it’s speculated that resourceful and determined government actors could break it if they wish. Note that for Desktop – Bucharest – Trial 3 – the upload test failed, so the 0.00 mbps figure is intentional. Domestic speeds were quite fast and international speeds were so-so.

Getting support: It seems like it’s become a little more common lately, but I’m a big fan of the low, medium, and high priority drop down selection on the support ticket form (assuming it gets used as it’s implied). Opening a ticket was very easy and the interface was simple. I asked a question about their logging policy as it related to bandwidth logging, which I don’t mention in the terms section, but they do have a “no excessive bandwidth consumption” policy. They replied about a day and a half later telling me that they monitor (as opposed to log) to see which accounts are consuming “excessive” bandwidth in real time, which is fairly normal and necessary from a server admin standpoint. I wanted to make sure first and foremost they weren’t contradicting themselves.



Getting a refund: I replied to my support request from above with a refund request and without too much hassle it was granted.



Concerns in Terms & Conditions / Privacy Policy:

Terms and conditions were a bit longer than I’d have liked, but just shy of what would have earned CactusVPN the “Obtuse” stamp of shame.

CactusVPN respects the fact that the Internet provides a forum for free and open discussion and dissemination of information. However, when there are competing interests at issue, CactusVPN reserves the right to take certain preventative or corrective actions. In order to protect these competing interests…

Remember last review, how I said I’d made an observation in many of these companies’ conditions pages? The trend appears to be 1) Say you’re concerned with and highly respect your users’ privacy, then 2) Immediately contradict yourself with a statement about something you do that potentially abuses it.

CactusVPN software and proxy filtering are bonus services and you can not consider them as they are part of service you’ve paid for. We reserve the right to stop providing this bonuses whenever we consider it necessary.

“Bonus services”. That’s a new one on me…

CactusVPN clients violate CactusVPN policy and the service agreement when the clients, their customers, affiliates, or subsidiaries engage in the following prohibited activities: Intellectual Property Violations

Client affiliates aren’t allowed to violate intellectual property – but CactusVPN’s affiliates are good to go! Utter hypocrisy.

Background Running Programs.

Background Running Programs are prohibited? So, no Email clients are to be used with this service? No chat applications? No Bitcoin wallets? It’s unlikely this is what this really means, but this is how it reads to me and there is no further explanation given.

We may send personally identifiable information about You to third parties when: We respond to subpoenas, court orders or legal processes which require us to disclose Registration Data or any information about You to law enforcement or other government officials as CactusVPN, in its sole discretion, believes necessary or appropriate.

“Just a heads up, we’re all ready to sell you out if someone comes a-knockin'”

Final thoughts: Ethics have become one of the biggest hot-buttons for me when looking at VPN services and I can spot a shady operation from a mile away. CactusVPN’s affiliate program encourages third parties to act irresponsibly and seemingly without control or enforcement of any ethical standard. Their lack of control over their reselling partners has affected me firsthand, as mentioned in my disclaimer at the start, and I’m intimately aware of the damage this kind of irresponsible lack of expectation brings. The service’s configuration had some issues as well with the misconfiguration of the servers. It’s confusing that CactusVPN, like many others, states they are serious about privacy when they require names, IP addresses, etc. on sign-up, and not all of their terms and policies seem to reinforce this assertion. The service itself performed decently, although without a properly configured server, I would be wary of trusting the connection with my privacy. It isn’t the worst I’ve used, but CactusVPN achieves the bare minimum to qualify as “a functional VPN that someone could use”.

Update (7-21-2016): CactusVPN has reached out and informed me that the server certificate validation issue mentioned above (now with a strikethrough) has been fixed. I have not personally confirmed this, however.

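FROM THE VPN COMPARISON CHART

| CATEGORY | VPN SERVICE | CactusVPN |
|---|---|---|
| JURISDICTION | Based In (Country) | Moldova |
| JURISDICTION | Fourteen Eyes? | No |
| JURISDICTION | Freedom Status | Partly Free |
| LOGGING | Logs Traffic | No |
| LOGGING | Logs DNS Requests | No |
| LOGGING | Logs Timestamps | No |
| LOGGING | Logs Bandwidth | No |
| LOGGING | Logs IP Address | No |
| ACTIVISM | Anonymous Payment Method | No |
| ACTIVISM | Accepts Bitcoin | Yes |
| ACTIVISM | PGP Key Available | No |
| ACTIVISM | Meets PrivacyTools IO Criteria | No |
| LEAK PROTECTION | 1st Party DNS Servers | No |
| LEAK PROTECTION | IPv6 Supported / Blocked | No |
| LEAK PROTECTION | Offers OpenVPN | Yes |
| OBFUSCATION | Supports Multihop | |
| OBFUSCATION | Supports TCP Port 443 | |
| OBFUSCATION | Supports Obfsproxy | |
| OBFUSCATION | Supports SOCKS | |
| OBFUSCATION | Supports SSL Tunnel | |
| OBFUSCATION | Supports SSH Tunnel | |
| OBFUSCATION | Other Proprietary Protocols | |
| PORT BLOCKING | Auth SMTP | No |
| PORT BLOCKING | P2P | Some |
| SPEEDS | US Server Average % | 95.23 |
| SPEEDS | Int’l Server Average % | 13.76 |
| SERVERS | Dedicated or Virtual | |
| SECURITY | Default Data Encryption | AES-128 |
| SECURITY | Strongest Data Encryption | AES-256 |
| SECURITY | Weakest Handshake Encryption | RSA-2048 |
| SECURITY | Strongest Handshake Encryption | RSA-4096 |
| AVAILABILITY | # of Connections | 3 |
| AVAILABILITY | # of Countries | 4 |
| AVAILABILITY | # of Servers | 16 |
| AVAILABILITY | Linux Support (Manual) | Yes |
| WEBSITE | # of Persistent Cookies | 2 |
| WEBSITE | # of External Trackers | 1 |
| WEBSITE | # of Proprietary APIs | 6 |
| WEBSITE | Server SSL Rating | A+ |
| WEBSITE | SSL Cert issued to | Self |
| PRICING | $ / Month (Annual Pricing) | 4.59 |
| PRICING | $ / Connection / Month | 1.53 |
| PRICING | Free Trial | Yes |
| PRICING | Refund Period (Days) | 30 |
| ETHICS | Contradictory Logging Policies | |
| ETHICS | Falsely Claims 100% Effective | |
| ETHICS | Incentivizes Social Media Spam | |
| POLICIES | Forbids Spam | No |
| POLICIES | Requires Ethical Copy | No |
| POLICIES | Requires Full Disclosure | No |
| AFFILIATES | Practice Ethical Copy | No |
| AFFILIATES | Give Full Disclosure | No |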
