Best VPN for India 2026: virtual servers and CERT-In
If you live in India and you read a "best VPN for India 2026" listicle, you are reading a category that fundamentally restructured itself four years ago and has not been the same since. The CERT-In directive of April 2022 told every VPN provider operating in India to retain user identity, IP allocations, and declared purpose for five years. The major Western brands physically removed their Indian servers within months. The honest market for Indian users in 2026 looks different than it did in 2021, and most listicles have not caught up.
The short answer for the best VPN for India 2026: VPNs are legal to use, the CERT-In rules apply to providers operating in India rather than to users, the major reputable brands now offer virtual India locations rather than physical Indian servers, and the protocols that matter for the things Indian users actually do (streaming home content abroad, accessing geo-restricted services, privacy from your ISP, Kashmir-style regional shutdown resilience) are mostly unchanged. Here is what really happened, who left, who stayed, and how to pick a VPN that fits your situation.
What CERT-In actually requires
CERT-In is the Indian Computer Emergency Response Team. The April 2022 directive applies to VPN providers, cloud providers, virtual private server operators, and data centre operators with infrastructure in India. The relevant provisions:
Five years of customer KYC retention. The required fields include name, address, phone number, email, the IP address allocated to the customer, the contract period, the payment method, and the declared purpose of use of the VPN. That last item is unusual. Most retention regimes ask for what the service was, not what the customer used it for. The directive came into force on June 27, 2022.
Six-hour incident reporting. Any cybersecurity incident has to be reported to CERT-In within six hours of identification. For comparison, the EU's GDPR allows 72 hours. Six hours is operationally tight even for well-resourced incident response teams.
Logs synchronised to Indian time, NTP-synced to NIC or NPL servers. Logs maintained for 180 days for general system and network activity, separate from the five-year customer retention.
Penalties under Section 70B(7) of the IT Act reach up to one year imprisonment for company officers, plus monetary fines.
The directive's structure is incompatible with a no-logs commitment by design. NordVPN, ExpressVPN, Surfshark, Proton, and Mullvad have all marketed extensively on no-logs commitments and most have third-party audits. CERT-In required them to maintain exactly the kinds of records they had spent years building infrastructure to not keep.
Who left India
The big brands chose physical removal over compliance.
ExpressVPN removed Indian servers on June 2, 2022, four weeks before the directive's effective date.
NordVPN removed Indian servers on June 26, 2022, the day before the deadline.
Surfshark removed Indian servers on June 27, 2022, the day the directive came into force.
ProtonVPN removed Indian servers in early 2023 after initially attempting an alternative compliance path.
Mullvad removed Indian servers and never added virtual replacements. Mullvad's position is that running virtual India servers from abroad is a workaround that does not deliver the user experience of a physical India server, so they prefer not to ship it.
IPVanish, Private Internet Access, and several smaller providers also withdrew physical infrastructure.
The shift is real but most Indian users did not lose VPN access. They lost the option of a VPN provider that operates Indian data centre infrastructure and a no-logs commitment simultaneously. After June 2022, those two properties became mutually exclusive in the Indian market.
What "virtual India server" actually means
NordVPN, ExpressVPN, and Surfshark all responded with virtual India locations. NordVPN added its first virtual India server in January 2024. The mechanism is straightforward.
A virtual India server is a server physically located somewhere else, most commonly Singapore, occasionally London or the Netherlands, that has an Indian IP address routed via a peering arrangement so traffic appears to originate from India. From the perspective of any service that geolocates by IP (Hotstar, Sony LIV, Disney+ Hotstar, Indian banking, Indian government services), the connection looks Indian.
The trade-off is latency. A virtual India server hosted from Singapore adds the Singapore-India round trip to every request. For most use cases this is not noticeable. For latency-sensitive workloads (some online games, real-time trading, certain regulated banking interactions), the difference is real. A user connecting from Mumbai to a Singapore-hosted virtual India server has a worse experience than they would have had in 2021 connecting to a physical Mumbai server.
The legal point matters. CERT-In rules apply to providers operating infrastructure in India. A virtual India server hosted from Singapore is, legally, a Singapore server with an Indian IP. The provider is not subject to CERT-In retention rules for that server because the infrastructure is not in India. NordVPN, ExpressVPN, and Surfshark can offer virtual India locations while continuing to honour their no-logs commitments because their compliance jurisdiction is the country the server actually sits in.
This is what a reasonable Indian user gets in 2026: an Indian IP for the services that need one, no-logs commitment from the provider, and a small latency penalty for the routing path. For most use cases the difference from a physical India server is unnoticeable.
Is a VPN legal in India?
Using a VPN is legal for individuals in India. The CERT-In directive does not regulate VPN use; it regulates VPN providers. There is no Indian law that criminalises connecting through a VPN, configuring a VPN client, or paying for a VPN subscription.
What India does regulate is the conduct that happens through the VPN. Section 66A of the IT Act (struck down by the Supreme Court in 2015 but with related provisions still in force), Section 67 (obscene content), and various IT Rules cover specific online conduct. Using a VPN does not protect against prosecution for those activities; it changes only the technical detectability.
Corporate VPNs are explicitly permitted. Employees connecting from home to a company network through a corporate VPN are unaffected by CERT-In rules, which target consumer-facing VPN providers operating Indian infrastructure.
The January 2025 wave of app store removals targeted specific consumer VPN apps (Cloudflare 1.1.1.1, Hide.me, PrivadoVPN, and others) under separate I4C orders, not the CERT-In directive. Those removals affected app store availability, not the legality of VPN use itself. We covered that wave in detail in the CERT-In four-years-on post.
Use cases that actually matter for Indian users
The reasons Indian users want a VPN have not changed since 2022. The technical answer for each one has.
Streaming home content from abroad. NRIs in the US, UK, or Gulf states want to access Hotstar, Sony LIV, ZEE5, Voot, and the regional cricket and IPL streams. A virtual India server with an Indian IP unlocks these. The latency penalty is small for streaming because the use case is bulk download, not low-latency interaction. NordVPN, ExpressVPN, and Surfshark all handle this well.
Streaming foreign content from inside India. Indian users wanting Netflix US, BBC iPlayer, Hulu, or Amazon Prime US connect through an exit in those countries. This is the standard global use case for VPNs and works identically to anywhere else. Fexyn's Frankfurt, Helsinki, Cyprus, and Ashburn servers cover the major Western libraries.
Privacy from your ISP. Indian ISPs (Airtel, Jio, BSNL, Vi) operate under Indian data retention requirements. A VPN provides the standard transit privacy from the local ISP. This is the baseline use case that most VPN buyers globally want.
Regional shutdown resilience. The 2019-2021 Kashmir shutdown lasted 552 days, the longest internet shutdown in any democracy. Whenever a regional shutdown happens (Manipur 2023, periodic Punjab shutdowns, occasional state-level disruptions during exam periods), users in affected regions sometimes find that VPN connections survive when general internet does not. The mechanism is that shutdowns often target specific app or service traffic rather than IP-layer connectivity to international destinations. A working VPN connection lets traffic flow through the international gateway even when domestic-app blocking is in effect.
Geo-restricted services. Some international services, including some financial and gaming platforms, restrict access from Indian IPs. Connecting through a VPN exit in your home country (for NRIs) or a third country (for general access) resolves this for legitimate cases.
Activist and journalist use. India ranks 159th on the 2024 Reporters Without Borders Press Freedom Index. Journalists, researchers, and activists who need transit privacy use VPNs as standard operational security. The threat model differs from the streaming or geo-unblock use case; protocol selection matters more.
The Kashmir question
The August 2019 to February 2021 Kashmir shutdown changed how Indian users think about internet access. For 552 days, residents of Jammu and Kashmir lived with restricted or no internet, then with 2G-only connectivity, then gradually restored 4G access. During the shutdown, VPN use surged among the people who could still get any connectivity at all. The shutdown affected almost 13 million people and produced extensive reporting on what works during a state-mandated communications restriction.
What VPNs do not do during a full IP-layer shutdown is route around the shutdown itself. If the ISP cuts physical connectivity, no software solution restores it. What VPNs can do during partial shutdowns (where international IP connectivity is intact but specific services or app traffic are blocked) is route around the application-layer blocks.
In 2026, regional shutdowns continue at smaller scale. Manipur had ongoing connectivity restrictions for much of 2023 and 2024 in response to ethnic violence. Smaller shutdowns happen during periods of communal tension, around exam dates to prevent cheating, and during specific protest events. A VPN with a censorship-resistant protocol (Reality+Vision in our case) survives application-layer blocks that catch standard WireGuard or OpenVPN.
This is not the most common Indian use case but it is the use case where protocol choice matters most. If you live in a region prone to shutdowns or you travel to one regularly, the protocol the VPN ships matters more than the brand recognition.
Which providers fit which Indian use cases
For NRIs streaming Indian content abroad, NordVPN's virtual India server, ExpressVPN's virtual India server, or Surfshark's virtual India server are the working options. All three connect cleanly from major Western markets, all three honour no-logs claims because the actual server is in Singapore or Europe, and all three have enough virtual India bandwidth to handle Hotstar and Sony LIV streaming without buffering. Pricing varies; ExpressVPN is the most expensive, Surfshark the cheapest of the three.
For Indian residents wanting Western content, any major VPN works. The choice comes down to price and protocol support. We have written extensively on protocols elsewhere.
For privacy from your ISP, any reputable VPN works. The brand-vs-brand differences matter less than the choice between any reputable VPN and no VPN at all. Avoid free VPNs because the free-VPN business model relies on monetising your traffic in ways that defeat the privacy purpose.
For regional shutdown resilience, the choice narrows. You want a VPN that ships VLESS Reality with the Vision flow because that is the protocol that survives application-layer DPI. Most major brands do not ship Reality. The smaller subset that does (Astrill, Fexyn, several self-host stacks) is the working set for shutdown scenarios.
For activists and journalists, the threat model includes legal pressure on the VPN provider. Mullvad's position of explicitly not retaining customer identity (no email required to sign up, anonymous payment options, account numbers rather than usernames) is the gold standard for this use case. ProtonVPN's Swiss jurisdiction and audit history is the other commonly recommended option. Mullvad does not ship Reality, so the trade-off for shutdown scenarios is different from the trade-off for activist scenarios; you may need both.
Fexyn's position for Indian users
We do not have a physical India server. We do not have a virtual India server in 2026 either. Our four servers are in Frankfurt, Helsinki, Cyprus, and Ashburn. For an Indian user, our value proposition is exit access to Western content libraries, transit privacy from your Indian ISP, and Reality+Vision protocol support for regional shutdown scenarios.
We are the wrong choice if your primary use case is unlocking Hotstar, Sony LIV, or ZEE5 from outside India. A user in London who wants Indian streaming should pick NordVPN or ExpressVPN, both of which offer virtual India servers that actually deliver the Indian IP your streaming services need.
We are a reasonable choice if your primary use case is exit access from inside India to Western content, ISP privacy, or shutdown resilience. Frankfurt and Ashburn are the typical exit choices for Indian users; both have strong peering with US and European libraries.
The 7-day free trial covers all three protocols and all four server locations. India falls in our middle pricing tier. Crypto billing via 0xProcessing is supported.
What this means for you
If you are an NRI streaming Indian content abroad, pick NordVPN, ExpressVPN, or Surfshark for the virtual India server. Their no-logs commitments are intact because the actual server is hosted outside India. The latency penalty is small.
If you are an Indian resident wanting Western content or general privacy, almost any reputable VPN works. Pick on price and protocol support rather than brand. Avoid free VPNs.
If you live in a region prone to internet shutdowns, pick a VPN that ships VLESS Reality with the Vision flow. The major brands' obfuscation modes (Lightway, NordLynx with stealth, Camouflage) work intermittently but are not designed for the censorship-resistance use case the way Reality+Vision is.
If you are an activist or journalist, Mullvad and Proton remain the strongest recommendations on the privacy side. Pair with a Reality-shipping service if your threat model includes regional shutdown scenarios.
If you are reading this because you are confused about whether VPNs are legal, they are. CERT-In regulates VPN providers operating in India, not users.
Try Fexyn free for 7 days. Stealth (VLESS Reality with Vision flow) is included on every plan. The India country page has the localised setup detail. The CERT-In four-years-on post covers the regulatory background in depth.