How we compare

Sham VPN vs NordVPN, ExpressVPN, ProtonVPN, Mullvad

An honest, source-by-source look at where Sham VPN beats the big global VPNs — and where they still beat us. Updated as the market changes.

Censorship-grade obfuscation

VLESS+Reality, Shadowsocks-obfs

  • Sham VPN
    Native — first-class protocol
  • NordVPN
    Only via dedicated Obfuscated Servers, OpenVPN-XOR, limited regions
  • ExpressVPN
    Lightway-UDP with built-in obfuscation
  • ProtonVPN
    Stealth protocol (WireGuard-based)
  • Mullvad
    Not native — bridge over WireGuard/TCP manually

WireGuard

Modern, fast, audited protocol

  • Sham VPN
    Yes
  • NordVPN
    Yes
  • ExpressVPN
    Yes
  • ProtonVPN
    Yes
  • Mullvad
    Yes

Syria / MENA regional nodes

Low-latency for the region we serve

  • Sham VPN
    Built for the region — Syria-adjacent egress
  • NordVPN
    Turkey + UAE, no Syria
  • ExpressVPN
    Turkey + UAE, no Syria
  • ProtonVPN
    Israel / Turkey only, sparse
  • Mullvad
    No native MENA presence

Local payment (ShamCash)

Pay in SYP without a card

  • Sham VPN
    Yes — direct transfer with reference code
  • NordVPN
    No
  • ExpressVPN
    No
  • ProtonVPN
    No
  • Mullvad
    No

Crypto accepted

BTC, USDT, ETH

  • Sham VPN
    BTC, USDT (TRC-20 / ERC-20), ETH — direct
  • NordVPN
    BTC only, via third-party processor
  • ExpressVPN
    BTC via BitPay
  • ProtonVPN
    BTC + other coins
  • Mullvad
    BTC + 10+ coins + cash by mail

No activity logs

What goes through the tunnel stays unrecorded

  • Sham VPN
    Yes
  • NordVPN
    Yes
  • ExpressVPN
    Yes
  • ProtonVPN
    Yes
  • Mullvad
    Yes

Independent no-logs audit

Third-party verification of the no-logs claim

  • Sham VPN
    Not yet — independent audit on the roadmap
  • NordVPN
    Deloitte (multiple)
  • ExpressVPN
    PwC, KPMG (multiple)
  • ProtonVPN
    Securitum
  • Mullvad
    Cure53 (multiple)

Open-source client apps

We recommend FOSS apps — no closed black box on your device

  • Sham VPN
    Hiddify, Streisand, v2rayNG — all FOSS, source on GitHub
  • NordVPN
    Proprietary, closed-source app
  • ExpressVPN
    Proprietary, closed-source app
  • ProtonVPN
    Own client is open source
  • Mullvad
    Own client is open source

Sign up without an email

How much of you we have to know to let you connect

  • Sham VPN
    Email + Telegram required (trial flow)
  • NordVPN
    Email required
  • ExpressVPN
    Email required
  • ProtonVPN
    Email required
  • Mullvad
    Random account number, no email

Competitor data from each provider's own public marketing pages and audit reports, summarised. We checked these and link out where claims are non-obvious. If a row looks out of date, write to [email protected].

Peace of mind

What we know about you — and what we never will

The table shows where we sit against other VPNs. This section shows the actual data flow: what passes through your tunnel never gets recorded, what we ask for is the minimum we need to bill you, and the apps you install on your phone are FOSS so you can verify there's no spyware on top.

We don't log your activity

Your VPN session is a tunnel — that's it. We do not record the sites or apps you connect to, the DNS queries inside the tunnel, the IP addresses you reach, or how long you spent on each. The Marzneshin panel that runs the VPN side keeps only the bandwidth counters we need for usage display; no per-connection log, no traffic capture.

Minimum-data billing account

We collect what's needed to ship you a working subscription and to reach you about it: email (receipts, magic-link sign-in), Telegram (instant order updates without spam-folder roulette), and the payment reference you choose. We don't ask for your name, address, ID number, phone number, or social media. Email and Telegram are required only because a VPN without a way to recover your subscription URL is unusable; we keep both at the contact layer only.

FOSS apps you install — not our black box

The VPN clients we recommend (Hiddify, Streisand, v2rayNG, OpenVPN, sing-box) are all open-source and published on GitHub. Their code is auditable by anyone in the world; thousands of developers and security researchers already do. We deliberately don't ship a closed-box Sham VPN app because that single binary would become the place anyone could quietly add tracking or telemetry. The FOSS app on your device only talks the protocol — there's nowhere to hide a tracker.

Operational transparency

Our nodes live across multiple operators and jurisdictions. The subscription URL on your device rotates if you suspect it has leaked — one click in your account. We publish our privacy policy in plain language (no legal-team mumbo) and the email contact for security reports leads to a human, not a ticket queue.

How the technology works

Why the protocol mix — not just "we have a VPN" — is what keeps you connected

Blocking a VPN is no longer as simple as banning its server IP. ISPs and state firewalls now use Deep Packet Inspection (DPI) — pattern-matching on packet size, handshake signature and port behaviour — to recognise that a connection is a VPN even when it's encrypted. So "I have WireGuard" is not the whole answer. What disguises that WireGuard traffic, and which fallback you have when one disguise is fingerprinted, decides whether you stay online during a crackdown. Sham VPN runs three modern protocols side by side and your client picks the one that's currently invisible on your network.

WireGuard — modern, fast, small surface

What it fixes
Older protocols (OpenVPN, IKEv2/IPsec) have decades of accumulated complexity — and bugs. WireGuard's entire kernel module fits in 4,000 lines of code, audited multiple times, with crypto primitives chosen by Trevor Perrin (Signal Protocol author).
What it does for you
3-5× the throughput of OpenVPN, near-zero battery cost on mobile, instant roaming between WiFi and 4G without dropping the tunnel. Default protocol when nothing is actively blocking VPN traffic.
When it isn't enough
WireGuard's handshake has a recognisable shape — DPI systems can fingerprint it and drop the packets before they reach our server. That's where Reality and Shadowsocks-obfs come in.

VLESS + Reality — today's gold standard for censorship resistance

What it fixes
DPI systems used in Iran, China, and other tightly-filtered networks were trained to spot the original Shadowsocks and VMess handshakes. They block them within seconds. Reality was designed specifically to defeat this.
What it does for you
Reality forwards the first packets of your connection through an actual, popular TLS website (e.g. apple.com, microsoft.com) before the real VPN handshake happens. From the DPI's point of view your traffic IS an Apple connection — there's no "this looks like a VPN" signature to match against. Active probing (the attacker poking the server to see if it responds like a VPN) also fails because Reality serves the real Apple TLS certificate from a real Apple server.
When we deploy it
Recommended for users in actively-censored networks (Syria, Iran, parts of Turkey when filtering tightens). Your client auto-falls-back to it when WireGuard handshakes are dropped.

Shadowsocks + obfs — battle-tested fallback

What it fixes
Reality is the newest disguise; not every old phone or low-spec device supports it yet. Shadowsocks with the obfs plugin has been carrying traffic out of restricted networks since 2012 — older clients still rely on it.
What it does for you
The obfs layer wraps Shadowsocks traffic as plain HTTP, WebSocket, or a TLS handshake — whichever your network is least likely to inspect. Even legacy DPI hardware that pre-dates Reality has trouble distinguishing it from regular web browsing.
When we deploy it
Default fallback when the client is running on hardware Reality doesn't support, or when a specific network is dropping Reality packets faster than Shadowsocks ones.

Multi-protocol fallback — no single point of failure

What it fixes
Censorship engineering is adversarial: every protocol that works today gets fingerprinted tomorrow. A single-protocol VPN has one bad day when its handshake gets a CVE-style signature added to the country-wide DPI list.
What it does for you
Your subscription URL carries credentials for all three protocols. The recommended clients (Hiddify, Streisand, v2rayNG) automatically detect when the current protocol is being blocked and switch to a working one — usually within seconds, often without you noticing the interruption.
Why this matters
When a government rolls out new DPI rules at 09:00, single-protocol VPNs lose their entire user base for hours or days. Multi-protocol setups lose maybe one connection before the client retries with a different disguise.

Under the hood — the boring crypto details

WireGuard uses ChaCha20-Poly1305 for symmetric encryption, Curve25519 for key exchange, BLAKE2s for hashing — modern primitives, no legacy AES-CBC. Shadowsocks ciphers default to AES-256-GCM or ChaCha20-IETF-Poly1305 depending on the platform. DNS queries are routed inside the tunnel by default in the client configs we ship ("DNS leak protection" is on by default, not an opt-in toggle), so your ISP and the network in front of you never see what domain you're resolving. The recommended FOSS clients also include kill-switches that drop traffic if the tunnel goes down — enable them in the app's settings if you need leak resistance under any failure mode.

What you actually get

Every plan, every feature — no tier-locked surprises

Other VPNs split features across "Standard / Plus / Premium" tiers and pay-walls (multi-hop, dedicated IP, ad-blocker, password manager). We don't. Every Sham VPN plan includes everything on this list. The plan you pick decides only how long it runs and how many devices.

Unlimited bandwidth — no throttling, no caps

Stream, download, video-call, gaming, software updates — no per-month quota, no slow-down after X GB. The bandwidth counter on your account page is for your information; we don't act on it.

3-5 simultaneous devices

3 on monthly / quarterly plans, 5 on yearly. Use the same subscription URL on phone, laptop, AndroidTV, partner's device — whichever combination of three (or five) you like. Switch devices any time; we don't lock you out.

Works on every major platform

iOS, Android, Windows, macOS, Linux, AndroidTV via the FOSS clients we recommend (Hiddify, Streisand, v2rayNG, OpenVPN, sing-box). Set it up once per device with the subscription URL; no per-platform separate purchase.

All three protocols on every plan

WireGuard + VLESS+Reality + Shadowsocks-obfs all live on the same subscription URL. Your client picks the one that works on your current network. No "upgrade to Premium for obfuscated servers".

15-day full trial — no card, no auto-charge

Verify your email and link Telegram and the 15-day trial activates instantly. Full plan, no bandwidth limit, no feature limit, no device limit. There is no card on file, so there's no auto-charge to forget about. If you don't pay at the end of day 15, your subscription stops; no surprise debits.

Native English + Arabic support

Support tickets and Telegram messages are answered by humans who speak both English and Arabic natively — no machine-translation, no "please write in English only". Same humans, no offshore tier-1 queue.

No refund policy because there's nothing to refund — you only pay after spending 15 full days on the actual product. If something stops working post-payment, support will fix it or your subscription gets extended at no charge; we don't take money for a broken service.

Where we are

Syria-based — and that's why we built this

Most VPNs treat "censorship" as a slide in a deck. We built Sham VPN because we live under the conditions the comparison table describes — blocked sites, throttled traffic, ISPs that recognise VPN handshakes and cut them. We're not theorising the problem; we're solving it for ourselves first.

  1. We design for adversarial networks because we use the result

    Every protocol decision (Reality first, multi-protocol fallback, FOSS clients with no telemetry) was made by people who watched their own previous VPN setups get fingerprinted and blocked. We're the first customer of every change we ship.

  2. There is no log to subpoena

    The privacy-first concern operators hear about Syria-based infrastructure is "what if a government compels you to log". The honest answer: we don't log activity, period. There's no activity table to hand over because the data isn't being collected. The architecture is the policy.

  3. Arabic isn't a translation, it's a co-language

    Every page on this site exists in both English and Arabic, written by the same team — not run through translation software. The support inbox is answered by humans who think in Arabic. Service for the region, by people from the region.

Why FOSS apps

Why the apps we recommend are categorically safer than a closed-box VPN app

The VPN itself is a tunnel — bytes in, bytes out. The real risk surface in a consumer VPN setup is the *app on your device*, because that's where login screens, ad SDKs, crash reporters, and (in worst-case examples) flat-out telemetry have all been found. "It's open source" is shorthand for a stack of concrete, testable security properties — here's what they actually mean.

  1. Anyone can read every line of source

    Hiddify, Streisand, v2rayNG, OpenVPN client, sing-box — the full source for each is on GitHub. Anyone in the world (you, your security-paranoid friend, a journalist, a CSIRT) can search the codebase for things like "contact our server", "phone home", "analytics". Closed VPN apps make this impossible: you're trusting marketing copy about what's inside the binary you just installed.

  2. Independent researchers actively audit them

    These clients are used by millions of people in censored networks — Iran, China, Russia, Belarus. Civic-tech orgs (OONI, Citizen Lab, Tor Project) and university security labs publish audits on a rolling basis. Real CVEs get filed, real fixes ship, real release notes link to real bugs. Closed VPNs publish audits only when their marketing budget allows; the rest of the time you have no visibility into what changes.

  3. Reproducible builds — verify the binary matches the source

    Hiddify, sing-box, and most modern FOSS VPN clients ship reproducible builds: take the source from GitHub, run the documented build command, get a binary with the same SHA-256 hash as the one on the Play Store / App Store. If the published binary ever stops matching the source, the security community notices within hours and shouts. With a closed-source app there's no source to compare against — you can't tell if the version on your phone is the version you think it is.

  4. No hidden ad SDKs or analytics frameworks

    A common pattern in free closed-source VPN apps: bundle Firebase Analytics, AppsFlyer, Adjust, Facebook SDK. Each of those reports your device ID, IP, install source, and session timing to a third party — defeating the entire point of using a VPN. The FOSS clients we recommend ship with zero ad/analytics SDKs by policy; their maintainers reject those PRs, and forks that try to add them lose users immediately.

  5. We deliberately don't ship our own "Sham VPN" app

    A custom Sham VPN-branded app would be one closed binary that you install on your phone, on which we could quietly push any update. Even if we promised never to add tracking, you'd have no way to verify the promise — you'd be back in trust-our-marketing territory. By directing users to existing FOSS clients we remove ourselves from the trust chain at exactly the place where trust is hardest to verify. Your VPN config (which is just text — a URL + credentials) is the only thing of ours that touches your device.
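
Items 3 and 4 above can be checked mechanically. The following is an added example (not code from Sham VPN or from any of the clients named): it compares a store APK with a local rebuild entry by entry, skipping signature files because the store's signature changes the whole-file hash, and searches the dex files for class prefixes of the SDKs named in item 4. The function names, prefix list and sample archives are assumptions constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signature files live under META-INF; v2/v3 signatures sit in the APK
# Signing Block outside the zip entries, so an entry-level diff skips them too.
SIGNATURE_ENTRY = re.compile(r"META-INF/([^/]+\.(SF|RSA|DSA|EC)|MANIFEST\.MF)")

# Dex type-descriptor prefixes for the SDKs named in item 4 (illustrative list).
TRACKER_PREFIXES = {
    "Firebase Analytics": b"Lcom/google/firebase/analytics/",
    "AppsFlyer": b"Lcom/appsflyer/",
    "Adjust": b"Lcom/adjust/sdk/",
    "Facebook SDK": b"Lcom/facebook/",
}


def entry_digests(apk):
    """Map each non-signature entry to the SHA-256 of its uncompressed bytes."""
    with zipfile.ZipFile(apk) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir() and not SIGNATURE_ENTRY.fullmatch(info.filename)
        }


def compare_builds(store_apk, local_apk):
    """Report entries that differ between the store APK and a local rebuild."""
    store, local = entry_digests(store_apk), entry_digests(local_apk)
    shared = store.keys() & local.keys()
    return {
        "only_in_store": sorted(store.keys() - local.keys()),
        "only_in_local": sorted(local.keys() - store.keys()),
        "changed": sorted(n for n in shared if store[n] != local[n]),
    }


def find_tracker_sdks(apk):
    """Names of listed SDKs whose class prefix occurs in any classes*.dex."""
    found = set()
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                data = zf.read(name)
                found.update(s for s, p in TRACKER_PREFIXES.items() if p in data)
    return sorted(found)


def make_sample_apk(entries):
    """Constructed stand-in for an APK: an in-memory zip of name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf


if __name__ == "__main__":
    # Constructed sample archives, not real application packages.
    clean = {"classes.dex": b"dex\n035\x00Lorg/example/Main;", "res/layout.xml": b"<x/>"}
    signed = {**clean, "META-INF/CERT.RSA": b"sig", "META-INF/MANIFEST.MF": b"m"}
    bundled = {**signed, "classes2.dex": b"dex\n035\x00Lcom/appsflyer/AppsFlyerLib;"}
    local = make_sample_apk(clean)
    print(compare_builds(make_sample_apk(signed), local))
    print(compare_builds(make_sample_apk(bundled), local))
    print(find_tracker_sdks(make_sample_apk(bundled)))
```

The entry-level comparison ignores zip ordering, compression and alignment, so it is looser than a byte-identical match; any non-empty result is a difference that needs an explanation.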

Bottom line: when a closed-source VPN app promises "no logs", you're trusting a promise. When a FOSS app does the same thing, you're trusting math — the protocol that's running, the source you (or thousands of others) can read, and the build that you can reproduce. The first relies on the company staying honest forever. The second works even if we don't.

Honest answers

Questions people ask before they trust a VPN

What does the 15-day free trial actually include?
The full plan. Unlimited bandwidth, all three protocols (WireGuard / VLESS+Reality / Shadowsocks), three simultaneous devices, every server location, every client app. No bandwidth slowdown after X GB, no feature gating, no "upgrade to Premium for obfuscation". Verify your email and link Telegram, and the trial activates instantly. No card is on file so there's no auto-charge at the end — if you don't choose to pay on or before day 15, the subscription simply stops.
Do you offer a refund?
We don't, and here's the honest reason: the 15-day trial is the refund — you spend 15 days on the actual full product, with no card on file and no auto-charge, before you decide to pay anything. That's a longer and more honest evaluation period than the 30-day money-back of the big international VPNs, because there's no "we have to wire it back, expect 5-10 business days" friction. If something breaks post-payment, support fixes it or extends your subscription at no charge.
Do you log my browsing activity?
No. We do not record the websites or apps you visit, the DNS lookups inside the tunnel, or the IPs you reach. The only operational counter we keep is the total bandwidth used in the current billing period, used to display "X GB this month" on your account page. There is no per-connection log, no traffic capture, and no profile being built from your usage.
Why do you need my email and Telegram?
Two reasons: (1) to deliver the subscription URL and recovery link — without an email or Telegram contact you'd have no way to get your VPN config back if you lose your device; (2) to confirm you're a real human for the 15-day free trial, which would otherwise be abused. After payment, email + Telegram remain at the contact layer only — they are not joined to your traffic, and we never share them with third parties.
Sham VPN is Syria-based. Doesn't that worry me about privacy?
Fair question, and we answer it directly: yes, the organisation is based in Syria. The reason that doesn't compromise your privacy is the architecture, not the paperwork. We don't collect activity logs — there's no per-connection record, no DNS query log, no traffic capture. So the worst case (a legal request for "this customer's browsing history") returns no data because the data was never stored. Operating from inside the region we serve also means we know what the threat model actually looks like, which is why we run Reality + Shadowsocks-obfs by default rather than as an upgrade.
Why isn't your no-logs policy independently audited yet?
Honest answer: independent audits (Cure53, Securitum, Deloitte, PwC) cost tens of thousands of euros and require legal/operational maturity that's still being put in place. It's on our roadmap. Meanwhile our claims are testable: the panel source (Marzneshin) is open-source upstream, the client apps we recommend are open-source, and if you suspect we're misbehaving you can verify directly that no app on your device is reporting back to us.
What happens if a government subpoenas you for my data?
We can only hand over what we have. Because we don't log activity, the answer to "what sites did this customer visit" is "we don't know, the data does not exist in our systems". We do have your contact details (email, Telegram) and payment records — those would be subject to lawful requests like any company. If we receive a subpoena, we publish a notice in our security report channel and reach out to affected users where legally permitted.
How do I know your recommended apps aren't spying on me?
Read the source. Every app we link in our install guides (Hiddify, Streisand, v2rayNG, sing-box, OpenVPN) is open-source, published on GitHub, and has thousands of public contributors. You can build the binary yourself from source. The lack of a closed-box "Sham VPN app" is deliberate — we don't want to be in a position where one update can quietly add a tracker.
Can I pay without revealing my identity?
Yes — pay in cryptocurrency (Bitcoin, USDT on TRC-20 or ERC-20, or ETH). We accept direct on-chain transfers, no third-party processor that would forward your wallet to a card network. ShamCash works the same way: a peer-to-peer wallet transfer with no card on file. Your payment record is the transfer reference you choose, not a real-name account.
Where are your servers? Do they store anything?
Servers are distributed across multiple operators in regions optimised for low-latency MENA access. Each node runs only the routing software (xray + marznode), with no per-user log files on disk. The bandwidth counter syncs back to the central panel; nothing else does. If you'd like the live node list, /servers shows the public regions; the exact provider mix changes as we add capacity.
Do you offer Arabic-speaking customer support?
Yes — native, not machine-translated. Every page on this site exists in Arabic and English. Support over email or Telegram is answered by the same humans in whichever language you write in. There's no offshore tier-1 queue and no "please translate to English first" gate.
Do you protect against DNS / IP / WebRTC leaks?
The Sham VPN protocols (WireGuard, VLESS+Reality, Shadowsocks) all route DNS inside the tunnel by default in our recommended client configs, so your ISP cannot see your queries. The recommended FOSS clients also support kill-switches that drop traffic if the tunnel goes down — enable this in the app settings if leak resistance is critical for you.
Can I rotate my subscription URL if it leaks?
Yes — one click in your /account page. The old URL stops resolving immediately; the new one updates instantly across our edge. Useful if you shared a screenshot of your config or want to revoke access from a lost device. We don't charge for rotations and there's no limit.
About the free ones

If a VPN is free, where's the money coming from?

Free VPN apps still pay for servers, bandwidth, app-store distribution, support teams. Someone is paying. Audit reports over the past decade have documented free VPNs selling user traffic to analytics brokers (Hola), bundling ad-injecting frameworks (HotspotShield), embedding Facebook + Google analytics SDKs that report device IDs back to a marketing pipeline, or shipping outright malware (a 2020 study found that 18 of the top 20 free Android VPN apps contained DNS leaks, embedded trackers, or required intrusive permissions). The business model is "you are the product" — your browsing data, your device fingerprint, or your idle bandwidth resold as a residential proxy. A paid VPN whose only revenue is your subscription does not have that incentive.

Ready to try the differences yourself?

15-day free trial, no card. Pay with ShamCash, crypto or anything in between when you're ready.
