What a VPN Actually Does

A Virtual Private Network (VPN) creates an encrypted tunnel between your device and a VPN server. All your internet traffic travels through this tunnel before reaching its destination. This accomplishes two things:

1. Encryption of your traffic. Your internet service provider (ISP), network operator, and anyone monitoring the local network cannot see what websites you visit or what data you transmit. They see only encrypted traffic going to the VPN server.

2. IP address masking. Websites you visit see the VPN server's IP address instead of your real one. This makes it harder to correlate your browsing activity with your real identity or location.

In technical terms: your device establishes an encrypted connection to the VPN server using a protocol like WireGuard or OpenVPN. Your DNS queries and all internet traffic are routed through this tunnel. The VPN server then forwards your traffic to its intended destination, acting as an intermediary.

What this means in practice:

• Your ISP cannot see which websites you visit — they see only that you're connected to a VPN server
• The coffee shop's WiFi network cannot read your traffic — it's encrypted
• Websites see the VPN server's IP address and geographic location, not yours
• Your traffic appears to originate from wherever the VPN server is located

What a VPN Does NOT Do

VPN marketing is notorious for overclaiming. Here's what a VPN does not provide:

A VPN does not make you anonymous. Websites track you through cookies, browser fingerprinting, login accounts, and behavioral analytics. Connecting to Google or Facebook through a VPN while logged in still allows those companies to track everything you do. A VPN changes your IP address — it doesn't change your identity.

A VPN does not protect you from malware. If you download a malicious file or click a phishing link, the VPN won't help. The malicious content travels through the encrypted tunnel just as safely as legitimate content.

A VPN does not make public WiFi completely safe. While it encrypts your traffic from local eavesdropping, the vast majority of web traffic is already encrypted by HTTPS. A VPN adds a useful layer on public networks but isn't the magic shield marketers claim.

A VPN does not hide your activity from the VPN provider. You're shifting trust from your ISP to the VPN company. Instead of your ISP seeing your traffic, the VPN provider can see it. If the VPN provider logs your activity (or is compelled to by their government), your privacy may be no better or even worse.

A VPN does not prevent all tracking. Your browser fingerprint (screen resolution, installed fonts, browser plugins, timezone, language settings) creates a unique identifier regardless of your IP address. Sophisticated trackers can identify you even when your IP changes.

A VPN does not protect data you voluntarily share. Posting on social media, filling out forms, or providing information to websites exposes that data regardless of your VPN status.

When You Actually Need a VPN

Despite the marketing hype, there are legitimate scenarios where a VPN provides real value:

Public WiFi networks. While HTTPS provides encryption for individual connections, a VPN encrypts everything — including DNS queries, non-HTTPS traffic, and metadata. On public WiFi (airports, cafes, hotels), this is a worthwhile precaution against network-level attacks.

ISP tracking and data selling. In the US, ISPs are legally permitted to collect and sell your browsing data. A VPN prevents your ISP from seeing which sites you visit. If you object to ISP surveillance and data monetization, a VPN is the most practical countermeasure.

Accessing content while traveling. VPNs let you appear to be in a different geographic location. This is useful for accessing your home country's services while abroad — streaming services, banking websites, or news sites that may be geo-restricted.

Circumventing censorship. In countries with internet censorship (China, Iran, Russia, etc.), VPNs can bypass government-imposed blocks on websites and services. This is a critical tool for journalists, activists, and citizens in restrictive regimes.

Privacy from local network monitoring. In corporate environments, university networks, or shared networks where the network operator monitors traffic, a VPN prevents them from seeing your browsing activity.

Torrenting. If you use BitTorrent (for legitimate purposes like downloading Linux distributions or open-source software), a VPN prevents your ISP from monitoring your P2P activity and your real IP from being visible to other peers.

When You Don't Need a VPN

Home browsing with a trusted ISP. If you're on your own network, your ISP already knows your identity, and most sites use HTTPS, the VPN's benefit is limited to preventing ISP logging. If that's not a concern for you, the VPN adds latency without meaningful security benefit.

When you're already using encrypted services. If you're using HTTPS websites, end-to-end encrypted messaging (Signal, WhatsApp), and encrypted email (Proton Mail), your data is already encrypted. A VPN adds another encryption layer, but the data was already protected.

For "anonymous" browsing while logged into accounts. If you're logging into Google, Facebook, or Amazon while using a VPN, those companies know exactly who you are. The VPN hides your IP from them but doesn't prevent account-based tracking.

As a replacement for real security practices. A VPN doesn't substitute for strong passwords, two-factor authentication, keeping software updated, and safe browsing habits. It's one tool among many, not a comprehensive security solution.

Choosing a Trustworthy VPN

Since a VPN shifts trust from your ISP to the VPN provider, choosing a trustworthy provider is crucial:

No-logs policy (verified). The provider should not log your browsing activity, connection timestamps, or traffic data. Look for providers whose no-logs claims have been independently audited by reputable firms (Deloitte, PricewaterhouseCoopers, Cure53).

Jurisdiction matters. The provider's legal jurisdiction determines what government access laws apply. Providers in Switzerland, Panama, the British Virgin Islands, and Iceland operate under stronger privacy protections. Providers in Five Eyes countries (US, UK, Canada, Australia, New Zealand) face greater surveillance pressure.

Open-source and audited. Providers whose clients are open-source allow independent verification that the software does what it claims. Regular security audits by third parties provide additional confidence.

Revenue model. The provider should make money from subscriptions, not from your data. Be skeptical of free VPNs (see below).

Recommended providers (as of 2026):

• Mullvad: Swedish, no-logs, accepts anonymous payment (cash), open-source clients, independently audited. Arguably the most privacy-focused commercial VPN.
• Proton VPN: Swiss, no-logs (audited), open-source, free tier available, operated by the Proton Mail team. Strong privacy jurisdiction and transparent operations.
• IVPN: Gibraltar-based, no-logs (audited), open-source, transparent about limitations.
• WireGuard-based providers generally offer better performance due to the modern protocol.

VPN Protocols Explained

The protocol determines how the VPN tunnel is established and secured:

WireGuard:

• Modern, fast, and lightweight (~4,000 lines of code vs OpenVPN's ~100,000+)
• Excellent performance with minimal overhead
• Strong cryptography (ChaCha20, Curve25519, BLAKE2s)
• Built into the Linux kernel for native performance
• Recommended for most users. The default choice for modern VPN providers.

OpenVPN:

• Mature, proven protocol with decades of use
• Open-source and extensively audited
• Flexible configuration options
• Slightly more overhead and slower than WireGuard
• Still widely used and trusted

IKEv2/IPsec:

• Good for mobile devices — handles network changes (WiFi to cellular) smoothly
• Fast reconnection after temporary connection drops
• Built into many operating systems natively
• Strong security when properly configured

Protocols to avoid:

• PPTP: Obsolete and insecure. Broken encryption. Should never be used.
• L2TP/IPsec: Not inherently insecure but has been weakened by NSA capabilities. WireGuard and OpenVPN are better choices.
• Proprietary protocols: Unless independently audited, avoid "custom" protocols that providers create. Stick with established, open-source protocols.

Free vs Paid VPNs

The case against most free VPNs:

Running VPN infrastructure costs money — servers, bandwidth, development, and maintenance. If a VPN is free, the provider is making money somehow. Common monetization strategies for free VPNs:

• Selling your browsing data to advertisers and data brokers. This directly contradicts the privacy purpose of using a VPN.
• Injecting ads into your browsing sessions.
• Selling your bandwidth — using your device as an exit node for other users' traffic (this happened with Hola VPN, turning users' devices into a botnet).
• Bundling malware or tracking software with the VPN client.

A 2024 investigation found that the majority of the most popular free VPN apps on Google Play and the Apple App Store had serious privacy issues, including data sharing with Chinese companies, embedded tracking libraries, and missing encryption.

Exceptions — free VPNs worth considering:

• Proton VPN Free: Genuinely free tier from a reputable company. No ads, no data selling. Limited to slower servers in three countries, but the privacy protections are identical to the paid version.
• Cloudflare WARP: Free, built into the 1.1.1.1 app. Not a full privacy VPN (Cloudflare can see your traffic), but provides encrypted DNS and routing that improves security on untrusted networks.

The recommendation: If you need a VPN for privacy, pay for one from a reputable provider. The cost ($3-10/month) is trivial compared to the value of your browsing data and privacy.

VPN Alternatives Worth Considering

Depending on your specific needs, other tools may be more appropriate:

Tor Browser (for anonymity):

• Routes traffic through three random relay nodes
• Provides much stronger anonymity than any VPN
• Significantly slower than a VPN
• Not suitable for streaming or large downloads
• Best for: accessing the web anonymously, circumventing censorship in high-risk environments

DNS-over-HTTPS (DoH) and encrypted DNS:

• Encrypts your DNS queries (which sites you visit) from your ISP
• Built into Firefox (Cloudflare DoH), Chrome, and OS-level settings
• Doesn't encrypt the actual traffic — just DNS queries
• Free and easy to enable
• Best for: preventing ISP from logging which domains you visit

Browser-based privacy:

• Firefox with Enhanced Tracking Protection and Privacy Containers
• Brave browser with built-in ad/tracker blocking
• Browser extensions like uBlock Origin
• Private/incognito browsing (prevents local history but doesn't hide traffic from networks)
• Best for: reducing tracking without the overhead of a VPN

Tailscale/ZeroTier (for secure remote access):

• Create encrypted networks between your own devices
• Useful for accessing your home network while traveling
• Not a privacy VPN — doesn't mask your IP from websites
• Best for: secure access to personal resources

Use a VPN as one layer of a broader security strategy that includes strong, unique passwords (generate them with our password generator), two-factor authentication, and privacy-focused browser settings.

---

A VPN is a useful tool, but it's not the security silver bullet its marketing suggests. Use it when the threat model justifies it — on public WiFi, to prevent ISP tracking, to bypass geo-restrictions, or to circumvent censorship. But don't treat it as a substitute for fundamental security practices. The best security is layered, and a VPN is one valuable but limited layer.