VPN companies spend more on YouTube sponsorships than some countries spend on infrastructure. Every podcast, every tech channel, every gaming streamer — someone’s reading a script about how a VPN will make you invisible online and protect you from hackers. Most of it is misleading. Some of it is outright false. VPNs are useful tools, but the gap between what they actually do and what their marketing implies is enormous.
Let’s close that gap.
Key Takeaways
- A VPN encrypts your traffic between your device and the VPN server — it does not make you anonymous, invisible, or unhackable
- VPNs are genuinely useful on public WiFi, for bypassing geo-restrictions, and for hiding traffic from your ISP — beyond that, the benefits are overstated
- Most people don’t need a VPN for daily browsing — HTTPS already encrypts the content of your web traffic
- If you do want one, Mullvad and Proton VPN are the most trustworthy options — both have been independently audited and have strong no-logs track records
- Free VPNs are almost always a bad deal — you’re paying with your data instead of your wallet
How VPNs Actually Work (Technically)
When you connect to a VPN, your device establishes an encrypted tunnel to a VPN server. All your internet traffic routes through this tunnel before reaching its destination. Here’s what that means in practice.
Without a VPN, your traffic flows like this: Your device sends a request to your router, which sends it to your ISP, which routes it across the internet to the destination server. Your ISP can see every domain you visit (even with HTTPS — they can see you visited reddit.com, just not which specific page). The destination server sees your real IP address.
With a VPN, your traffic flows like this: Your device encrypts the data using a protocol like WireGuard or OpenVPN, sends it to the VPN server, which decrypts it and forwards it to the destination. Your ISP sees only encrypted traffic going to the VPN server’s IP address — they can’t see what you’re accessing. The destination server sees the VPN server’s IP address, not yours.
The Encryption Part
Modern VPN protocols use strong encryption. WireGuard uses ChaCha20 for symmetric encryption and Curve25519 for key exchange. OpenVPN typically uses AES-256-GCM. Both are considered cryptographically secure against any known attack, including quantum computing threats in the near term.
This encryption protects the traffic between your device and the VPN server. That’s it. Once the traffic leaves the VPN server, it’s subject to the same rules as any other internet traffic. If you visit an HTTP site (increasingly rare), the data between the VPN server and that site is unencrypted. If you visit an HTTPS site (the vast majority now), the content is encrypted regardless of whether you use a VPN.
This is the critical nuance that VPN ads skip over. HTTPS already encrypts the content of your communications. A VPN adds a layer of metadata protection — hiding which sites you visit from your ISP and hiding your IP address from the sites you visit. That’s valuable in certain situations, but it’s not the impenetrable force field the marketing suggests.
What VPNs Actually Protect
Your Traffic From Your ISP
Your ISP can see every domain you connect to via DNS queries and SNI (Server Name Indication) headers in TLS handshakes. In many countries, ISPs log this data and can sell it to advertisers or hand it to law enforcement. In the US, ISPs have been allowed to sell browsing data since 2017. A VPN prevents your ISP from seeing your DNS queries and the domains you visit.
Your IP Address From Websites
Every website you visit sees your IP address. This can be used to roughly geolocate you (usually to city level), and tracking networks use it as one signal for building advertising profiles. A VPN replaces your real IP with the VPN server’s IP, shared among potentially thousands of users.
Your Data on Untrusted Networks
This is the classic use case, and it’s legitimate. On public WiFi — coffee shops, airports, hotels — a malicious actor on the same network could potentially intercept unencrypted traffic or perform DNS hijacking. A VPN encrypts everything leaving your device, neutralizing these attacks. That said, with HTTPS everywhere and modern DNS security (DNS over HTTPS, DNS over TLS), the risk on public WiFi is lower than it was five years ago.
Bypassing Geo-Restrictions
Connecting to a VPN server in another country makes it appear as though you’re browsing from that country. This lets you access streaming content, news sites, or services that are geo-blocked in your location. Netflix, BBC iPlayer, and others actively block VPN IP addresses, so this is a constant cat-and-mouse game. Some VPNs are better at it than others.
What VPNs Do NOT Protect
This section matters more than the previous one. Here’s what a VPN won’t do for you, despite what the ads imply.
A VPN does not make you anonymous. You’re shifting trust from your ISP to the VPN provider. The VPN company can see everything your ISP used to see. If they log your traffic (some claim they don’t — more on that later), you’ve just moved the surveillance from one entity to another. Your browser fingerprint, cookies, and login sessions still identify you to websites. If you’re signed into Google with a VPN on, Google still knows it’s you.
A VPN does not protect you from malware. If you download a malicious file or click a phishing link, the VPN does nothing. The encrypted tunnel carries malware just as happily as it carries legitimate traffic. Some VPN providers bundle DNS-based ad/malware blocking, which is mildly useful, but it’s not a substitute for proper endpoint security.
A VPN does not protect you from yourself. If you post personal information on social media, reuse passwords, or fall for social engineering, a VPN is irrelevant. Most security breaches involve human behavior, not network interception. If you want to actually improve your security posture, start with a password manager — it’ll do more for you than a VPN ever will.
A VPN does not guarantee privacy from governments. Intelligence agencies have capabilities that go far beyond monitoring ISP traffic. If a three-letter agency is specifically interested in you, a commercial VPN is not going to save you. For the average person worried about mass surveillance, a VPN helps at the margins, but it’s one small piece of a much larger puzzle.
VPN Providers Worth Considering
The VPN market is flooded with providers, most of which are unremarkable. A few stand out for the right reasons.
Mullvad — The Privacy Purist’s Choice
Mullvad costs EUR 5/month. No discounts, no plans, no accounts. You get an account number — no email required. You can pay with cash mailed in an envelope. They’ve been independently audited multiple times, their infrastructure has been raided by police (who found nothing because there were no logs to find), and they’ve open-sourced their client apps.
Mullvad doesn’t have the flashiest apps or the largest server network. What they have is credibility. Their business model is aligned with privacy — they don’t want your data because they’ve structured their entire company to avoid having it.
The downside: Mullvad isn’t great for streaming geo-unblocking. They don’t play the cat-and-mouse game with Netflix as aggressively as others. If that’s your primary use case, look elsewhere.
Proton VPN — Best All-Rounder
Proton VPN is from the same Swiss company behind ProtonMail and Proton Pass. The free tier is genuinely usable — no data caps, no ads, reasonable speeds on servers in five countries. The paid plan ($10/month or $48/year on the two-year plan) adds servers in 110+ countries, P2P support, Secure Core (multi-hop routing through privacy-friendly countries), and NetShield ad/tracker blocking.
Proton VPN has been audited by Securitum, and all apps are open-source. Swiss jurisdiction means strong legal privacy protections. For someone who wants a VPN that does everything reasonably well — privacy, streaming, speed — Proton VPN is the most balanced choice.
IVPN — The Quiet Contender
IVPN is similar to Mullvad in philosophy: privacy-first, no gimmicks. They offer a Standard plan ($6/month) and a Pro plan ($10/month) with multi-hop and port forwarding. They’ve been audited, they publish transparency reports, and they accept various anonymous payment methods.
IVPN’s apps are clean and functional. They don’t have the brand recognition of NordVPN or ExpressVPN, but they have something more valuable: a consistent, verifiable commitment to not logging user activity.
What About NordVPN and ExpressVPN?
They’re fine. Both are competent VPN services with large server networks and good speeds. NordVPN ($3.39/month on the 2-year plan) offers Threat Protection (DNS-level blocking) and meshnet features. ExpressVPN has the Lightway protocol which is fast and efficient.
The reason I don’t rank them higher: both are owned by the same parent company (Kape Technologies, since renamed Nord Security after its merger with NordVPN’s parent company). Kape’s history includes a company previously known as Crossrider, which was involved in adware distribution. They’ve cleaned up significantly, and current audits are favorable, but the history gives some privacy advocates pause. For most users, NordVPN and ExpressVPN are perfectly adequate. For privacy maximalists, Mullvad and Proton VPN have cleaner pedigrees.
Free VPNs: The Hidden Cost
There’s a saying in tech: if you’re not paying for the product, you are the product. This applies to free VPNs with almost no exceptions.
Research from CSIRO and other institutions has repeatedly found that free VPN apps — particularly on mobile — frequently contain tracking libraries, inject ads, and in some cases actively log and sell browsing data. Hola VPN famously turned its users’ devices into exit nodes for a botnet. SuperVPN, with millions of downloads on the Play Store, leaked 360 million user records in 2023.
The exceptions: Proton VPN’s free tier is legitimately good and funded by paying subscribers. Windscribe’s free plan (10GB/month) is reasonable. WARP by Cloudflare is a free privacy layer that improves DNS security, though it’s more of a privacy tool than a traditional VPN and Cloudflare does log some metadata.
As a general rule: if a VPN is free and you haven’t specifically verified its business model, assume your data is the revenue source.
When You Actually Need a VPN
Let me be specific about scenarios where a VPN genuinely adds value.
Public WiFi regularly. If you work from coffee shops, airports, or coworking spaces with shared networks, a VPN is cheap insurance. Yes, HTTPS protects most traffic, but DNS leaks and rogue hotspots are still real risks.
Your ISP is known to sell data or throttle traffic. In the US especially, ISPs have both the legal ability and financial incentive to monetize your browsing habits. A VPN prevents this.
Accessing geo-restricted content. Watching BBC iPlayer from outside the UK, accessing your home country’s streaming library while traveling, or using services blocked in certain regions.
Avoiding network-level censorship. In countries with aggressive internet censorship (China, Iran, Russia), VPNs are essential tools for accessing the open internet. Some configurations (such as WireGuard wrapped in an obfuscation layer) are specifically designed to get past deep packet inspection.
Torrenting. Regardless of what you’re downloading, using a VPN for P2P traffic prevents your ISP from seeing your torrent activity and protects your IP from being logged by monitoring firms in the swarm.
Working remotely for a company. Corporate VPNs exist for a reason — they create a secure tunnel to the company’s internal network. This is a different use case from consumer VPNs but it’s worth mentioning.
When You Probably Don’t Need a VPN
General browsing at home on a trustworthy ISP. If you’re in a country with strong privacy laws and an ISP that doesn’t sell data, a VPN adds minimal practical benefit for casual browsing. HTTPS covers the content; your ISP sees domain names but likely isn’t doing anything harmful with that information.
“Protecting” yourself from hackers. If your threat model is “random hackers,” a VPN is near the bottom of the list of useful defenses. Strong passwords, two-factor authentication, keeping software updated, and not clicking phishing links will protect you orders of magnitude more effectively. Check out our AI tools guide — modern security tools with AI capabilities are far more relevant to everyday threat protection than VPNs alone.
Achieving true anonymity. If you need actual anonymity (whistleblowing, journalism in hostile states), a consumer VPN is insufficient. You need Tor, TAILS, and operational security practices that go far beyond just hiding your IP.
Setting Up a VPN Properly
If you’ve decided a VPN makes sense for your situation, here’s how to avoid common mistakes.
Enable the kill switch. Every reputable VPN has a kill switch that blocks all internet traffic if the VPN connection drops. Without it, a momentary disconnection exposes your real IP. Enable it and leave it on.
Use WireGuard when available. It’s faster, more efficient, and has a smaller attack surface than OpenVPN (about 4,000 lines of code vs. 100,000+). Most modern VPN apps default to WireGuard or their own variant of it.
Check for DNS leaks. After connecting, visit dnsleaktest.com or ipleak.net to verify your DNS queries are going through the VPN and not leaking to your ISP’s DNS servers. This is especially important on Windows, which has a habit of sending DNS queries outside the tunnel.
Don’t use the VPN’s browser extension alone. Browser extensions only protect traffic from that browser. A full VPN app protects all traffic from your device — other browsers, apps, background services, everything.
Frequently Asked Questions
Is a VPN worth paying for?
It depends on your specific situation. If you regularly use public WiFi, live in a country where ISPs sell browsing data, or need to bypass geo-restrictions, yes — $3-5/month is reasonable for the protection and utility you get. If you mostly browse at home on a trusted network and don’t care about geo-restrictions, you can probably skip it. A password manager and two-factor authentication will do more for your security.
Can my employer see what I do on a corporate VPN?
Yes. A corporate VPN routes your traffic through your company’s network. They can log domains visited, monitor traffic patterns, and potentially inspect content depending on their setup. Never use a work VPN for personal browsing you wouldn’t want IT to see. Use your personal device and network for personal activity.
Do VPNs slow down your internet?
Yes, always, but the degree varies. Modern protocols like WireGuard add minimal overhead — typically 5-15% speed reduction on a good server. Connecting to a server far from your location or using an overloaded server makes it worse. For general browsing and streaming, the slowdown is usually imperceptible. For competitive online gaming, any added latency matters and you probably shouldn’t route game traffic through a VPN.
Are VPNs legal?
In most countries, yes. VPNs are legal in the US, EU, UK, Canada, Australia, Japan, and most of the world. They’re restricted or banned in China, Russia, North Korea, Iraq, Belarus, Turkmenistan, and a few others. Even in countries where VPNs are legal, using one to commit crimes is still illegal — the VPN doesn’t create a legal shield around your activity.
Can Netflix detect and block VPNs?
Yes, and they actively do. Netflix identifies VPN traffic through IP address databases, DNS analysis, and traffic pattern recognition. Large VPN providers constantly rotate IP addresses to stay ahead. Proton VPN and NordVPN are generally the most reliable for Netflix access, but no provider guarantees uninterrupted streaming access — it’s an ongoing arms race.