VPN Explained: What It Does and When You Need One

Cut through the VPN marketing hype — understand what a VPN actually does, what it doesn't do, and specifically when you should (and shouldn't) use one.

Passwordly Team

What a VPN Actually Does

A Virtual Private Network (VPN) creates an encrypted tunnel between your device and a server operated by the VPN provider. All your internet traffic travels through this tunnel before reaching its destination. This has two main effects:

1. Encrypts your traffic between your device and the VPN server. Anyone monitoring the network between you and the VPN server — your internet service provider (ISP), a hacker on the same Wi-Fi, or a government surveillance program — sees only encrypted gibberish instead of your actual traffic. They can tell you're connected to a VPN, but not what you're doing through it.

2. Masks your real IP address. Websites and services you connect to see the VPN server's IP address instead of yours. This hides your approximate geographic location and makes it harder (though not impossible) to trace your activity back to you.

That's it. Those two functions — traffic encryption and IP masking — are what a VPN does. Everything else in VPN marketing is either a consequence of these two features or an exaggeration.

What a VPN Does NOT Do

VPN marketing has created widespread misconceptions about what VPNs actually accomplish. Let's clear them up:

A VPN does not make you anonymous. Your VPN provider can see all the traffic that your ISP would otherwise see. You're shifting trust from your ISP to your VPN provider, not eliminating the need for trust. If you log into Google, Facebook, or Amazon while using a VPN, those services still know exactly who you are — your login credentials identify you regardless of your IP address.

A VPN does not protect you from malware. If you download a malicious file or click a phishing link, the VPN doesn't intercept it. Some VPN providers include basic malware blocking (essentially a DNS-level blocklist), but this is not a substitute for proper antivirus and safe browsing habits.

A VPN does not make you immune to tracking. Modern web tracking uses cookies, browser fingerprinting, login tracking, and device IDs — none of which a VPN affects. A VPN prevents your ISP from seeing your browsing history, but it doesn't stop Google or Facebook from tracking you across the web.

A VPN does not guarantee privacy. If your VPN provider keeps logs of your activity, your privacy is only as good as their policies and their ability to resist legal demands. Some VPN providers have been caught lying about no-logs policies.

A VPN doesn't always improve security. For most modern websites (those using HTTPS, which is the vast majority in 2026), your connection is already encrypted end-to-end between your browser and the website. A VPN adds another layer of encryption, but the critical encryption is already there.

When You Genuinely Need a VPN

Despite the limitations, there are real scenarios where a VPN provides meaningful protection:

Public Wi-Fi networks. Coffee shops, airports, hotels, and other public Wi-Fi networks are inherently less secure. While HTTPS protects the content of your communications, a VPN adds protection against more sophisticated attacks like SSL stripping, rogue access points, and DNS hijacking that can occur on compromised networks.

ISP monitoring. Your ISP can see every website you visit (by domain, even with HTTPS), when you visit them, and how long you spend there. In many countries, ISPs are legally required to retain this data. In the US, ISPs can sell your browsing data. A VPN prevents this monitoring.

Avoiding geographic restrictions. Accessing content that's restricted to specific countries — whether streaming services, news sources, or services not available in your area. This is probably the most common consumer use of VPNs.

Censorship circumvention. In countries with internet censorship (China, Iran, Russia, and others), a VPN can bypass government-imposed content blocks and provide access to the open internet. This can be a genuine safety concern for journalists, activists, and ordinary citizens.

Remote work. Many organizations require VPN connections to access internal resources. This ensures that corporate traffic is encrypted even when employees work from home or travel.

Hiding your IP from specific services. If you want to prevent certain services or peer-to-peer connections from seeing your real IP address, a VPN effectively masks it.

When You Don't Need a VPN

VPN marketing would have you believe you need a VPN every second you're online. In practice:

On your home network for general browsing: If you trust your ISP not to sell your data (or you're in a jurisdiction where they can't), and you're using HTTPS-enabled websites, a VPN adds minimal security. The convenience trade-offs (slightly slower speeds, occasional CAPTCHA challenges, some services blocking VPN IPs) may outweigh the benefits.

For "online security" in general. Strong passwords, 2FA, updated software, and safe browsing habits provide far more security than a VPN. If you have to choose between a VPN subscription and a password manager, choose the password manager every time.

When logging into personal accounts. If you're logged into Google, Facebook, or any service that identifies you by account, the VPN doesn't meaningfully improve your privacy on those services.

As a replacement for other privacy tools. A VPN doesn't replace an ad blocker, a privacy-focused browser, or encrypted messaging. It's one tool in a toolbox, not a complete solution.

Choosing a VPN Provider

If you've determined a VPN fits your needs, choosing the right provider matters enormously. The wrong VPN can make your privacy worse, not better.

Non-negotiable criteria:

  • Independently verified no-logs policy. The provider should have undergone a third-party audit (by firms like Cure53, PricewaterhouseCoopers, or Deloitte) confirming they don't log your activity. Claims alone aren't enough — several providers who claimed "no logs" were caught retaining user data.
  • Jurisdiction matters. Some countries have data retention laws that force VPN providers to log. Others participate in intelligence-sharing agreements (Five Eyes, Nine Eyes, Fourteen Eyes). Switzerland, Panama, and the British Virgin Islands are generally considered favorable VPN jurisdictions.
  • Open-source clients. If the VPN app's code is open-source, independent researchers can verify it works as claimed and doesn't contain backdoors or tracking.
  • Modern protocols. The VPN should support WireGuard or OpenVPN (see next section). Avoid providers that only offer outdated protocols.

Recommended providers:

  • Mullvad ($5/month, no account needed): Based in Sweden. Accepts cash payment by mail. Independently audited. Open-source. Minimal data collection — they don't even require an email address.
  • ProtonVPN (free tier available, paid from $5/month): Based in Switzerland. Part of the Proton ecosystem. Open-source. Audited by Securitum. The free tier is genuinely usable (no data caps, 5 countries).
  • IVPN ($6/month): Based in Gibraltar. Independently audited. Open-source. Strong transparency practices.

VPN Protocols Explained

A VPN protocol determines how the encrypted tunnel is established and maintained. The protocol affects speed, security, and reliability.

WireGuard — The modern standard. Extremely fast (significantly faster than OpenVPN in most conditions), uses state-of-the-art cryptography (ChaCha20, Curve25519), and has a minimal codebase (~4,000 lines vs. OpenVPN's ~70,000). Its simplicity means fewer potential vulnerabilities and easier auditing. It's the best choice for most users in 2026.

OpenVPN — The established workhorse. Highly configurable, extensively audited, and battle-tested over two decades. Slightly slower than WireGuard but still performant. Uses OpenSSL for encryption, supporting a wide range of cipher suites. Available on virtually every platform.

IKEv2/IPsec — Built into most operating systems, making it convenient for mobile devices. Fast reconnection after network changes (switching from Wi-Fi to cellular). Secure when properly configured. Often used by corporate VPNs.

L2TP/IPsec — Older protocol, now considered less secure than alternatives. Avoid if other options are available.

PPTP — Obsolete and insecure. Has known vulnerabilities that allow traffic to be decrypted. Never use PPTP for any purpose.

The recommendation: Use WireGuard when available. Fall back to OpenVPN when WireGuard isn't supported. Avoid L2TP and PPTP entirely.

Free vs Paid VPNs

The VPN market is flooded with free options, and the old adage applies: if you're not paying for the product, you are the product.

Problems with most free VPNs:

  • Data selling. Many free VPNs monetize by collecting and selling your browsing data — the exact activity you're trying to prevent. Studies have found free VPN apps that inject ads, install tracking cookies, and transmit unencrypted user data to third parties.
  • Malware. Security researchers have identified numerous free VPN apps on Google Play and the App Store that contain malware, request excessive permissions, or function as part of botnets.
  • Inadequate security. Some free VPNs use outdated encryption protocols, have DNS leaks that expose your real IP address, or don't actually encrypt traffic at all.
  • Bandwidth and data caps. Free tiers that work legitimately typically impose severe limitations — 500 MB/month, restricted server locations, slow speeds.

Legitimate free options:

  • ProtonVPN Free — No data cap, servers in 5 countries, no ads, no data selling. Limited to 1 device and medium speeds, but genuinely usable and trustworthy.
  • Cloudflare WARP — Free, fast, and privacy-respecting. More properly a secure DNS/networking tool than a full VPN, but it encrypts your traffic and hides your DNS queries from your ISP.

When paying makes sense: If you need a VPN regularly — for public Wi-Fi, ISP privacy, or geographic content access — $5/month for a reputable provider is a worthwhile investment. It's less than a single coffee and protects the entirety of your internet activity.

Setting Up a VPN

Modern VPN setup is straightforward:

Desktop (Windows/macOS/Linux):

  1. Choose and sign up for a VPN provider
  2. Download their official app from the provider's website
  3. Install and log in
  4. Select a server location (nearest for best speed, specific country for content access)
  5. Click connect
  6. Verify it's working: visit whatismyipaddress.com — it should show the VPN server's location, not yours

Mobile (iOS/Android):

  1. Download the VPN provider's app from the App Store or Google Play
  2. Log in and grant the VPN configuration permission when prompted
  3. Tap connect

Router-level VPN (advanced): For whole-network protection, some routers support VPN client configuration. This protects every device on your network — including smart home devices that can't run VPN software themselves. Check if your router supports OpenVPN or WireGuard client mode.

Configuration tips:

  • Enable the kill switch feature (disconnects internet if VPN drops, preventing unprotected traffic)
  • Enable DNS leak protection to ensure DNS queries go through the VPN
  • Use WireGuard protocol when available for best speed
  • Set the VPN to auto-connect on untrusted Wi-Fi networks
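
When a provider gives you a raw WireGuard (wg-quick) config, for example for router client mode, the tips above can be checked against the file itself. The Python script below is an added example, not code from this article's authors or from any VPN provider; the sample config, its placeholder keys and `vpn.example.net` are constructed, and the kill-switch check is a heuristic that only looks for a REJECT/DROP firewall rule in the PreUp/PostUp hooks.

```python
import ipaddress

# Constructed sample wg-quick client config; keys and endpoint are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.64.0.2/32
DNS = 10.64.0.1
[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0
"""

def parse_conf(text):
    """Return {section: [(key, value), ...]}; repeated keys such as PostUp are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def values(sections, section, key):
    """Flatten comma-separated values of one key (e.g. AllowedIPs, DNS)."""
    return [p.strip() for k, v in sections.get(section, []) if k == key
            for p in v.split(",") if p.strip()]

def audit(text):
    """Return a list of findings; an empty list means all three checks passed."""
    s = parse_conf(text)
    nets = [ipaddress.ip_network(n, strict=False) for n in values(s, "peer", "allowedips")]
    findings = []
    for version, label in ((4, "IPv4"), (6, "IPv6")):
        # Full tunnel needs a /0 route per address family, or that family bypasses the VPN.
        if not any(n.version == version and n.prefixlen == 0 for n in nets):
            findings.append(f"{label} default route not tunneled")
    if not values(s, "interface", "dns"):
        findings.append("no DNS set: queries may use the local resolver")
    hooks = [v for k, v in s.get("interface", []) if k in ("postup", "preup")]
    if not any("REJECT" in h or "DROP" in h for h in hooks):  # heuristic only
        findings.append("no firewall kill-switch rule in PreUp/PostUp")
    return findings
```

Configs that split the default route into halves (such as `0.0.0.0/1, 128.0.0.0/1`) are also full-tunnel but will be flagged by this check, and provider apps that implement the kill switch in the client itself will not show a rule in the config.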

A VPN is a useful privacy tool when understood correctly — and a false sense of security when misunderstood. Use it for public Wi-Fi, ISP privacy, and content access, but don't mistake it for a complete privacy solution. Combine it with a privacy-focused browser, ad blocker, strong passwords, and careful data sharing for genuine online privacy.
