So at this point, we all know that free VPNs are just data stealers. But what about open-source ones, like ProtonVPN or OpenVPN? Are they safe to use?
Choosing a VPN is less about finding a solution which guarantees privacy and security, and more about finding a provider who you trust more than your ISP. Thus, it’s always going to be a subjective decision, but there are indicators of trust you can look out for.
The only tools we can say are objectively safe are tools which are secure by design, like Tor.
These are also not the same thing.
ProtonVPN is a provider of VPNs, whereas OpenVPN is a protocol (like HTTPS); many providers use OpenVPN, including ProtonVPN. Likewise, another popular protocol for making encrypted tunnels is Wireguard.
The issue is not about the software, but rather the trustworthiness of who runs it. That is because VPN companies are generally adding a single “hop” run by the same VPN provider. This means usage is “shifting” trust from your ISP by having all of your traffic routed through their network.
ISPs are bound by government laws that might require recording of metadata; that can vary depending on the country. A VPN provider isn’t required to record your address, real name or credit card, and they may not keep logs. They’re also more likely to accept payment with Monero (an anonymous cryptocurrency).
There is no way to verify that they do not log; however, third-party audits can attest that at the time of the audit no logging was occurring.
As @jonah says, Tor is different, as by design each node in the circuit (Tor circuits consist of a guard, middle and exit node) isn’t run by the same people. The last node in the chain doesn’t necessarily know who is sending it data.
“Like ProtonVPN or OpenVPN”
These are not comparable things. ProtonVPN is a VPN service; OpenVPN isn’t a service. It is an open-source VPN protocol; it and Wireguard are the two most popular open solutions, but they are not VPN services, they are VPN technologies.
So at this point, we all know that free VPNs are just data stealers
While it’s a safe default assumption, and you should always be skeptical of any service that costs money to operate but is offered free of charge, it’s not as black and white as you make it out to be. Most, but not all, free VPN services are monetizing your data; the same is true for other services in the privacy space. Reputable companies like Proton offer a free VPN for two reasons (primarily): the first is marketing, since offering a free but limited service is a way to attract potential new customers, grow your brand awareness, and hopefully eventually convert some of the free users into sustainable paying customers. The second reason is to give back / offer basic services to those who really need them but can’t afford them.
While it is important whether a service uses open-source software or not, what is most important in the context of your question (when should you trust/distrust a free service) is understanding that service’s business model and its incentives. This is important with free and paid services, but it’s usually more straightforward with paid services (the incentive is $$); with free services (and software, to a lesser degree) you need to be more cautious and skeptical, and always ask yourself: why is this being offered for free, what are the incentives of the people behind this, how is it sustainable, and how does it benefit them to offer it freely?
With a VPN service specifically, it’s important to recognize that it fundamentally involves some trust in the service provider. Using a VPN service is a matter of shifting trust from a service you have less trust in (your ISP) to a service you have more trust in (your VPN). So it’s paramount that you have some trust in the VPN provider you choose; if you don’t, you are just shifting trust from one untrusted third party to another. @dngray’s answer addresses these aspects well.