
VPNs: What They Do (and What They Don't)

A VPN encrypts your traffic and hides your IP address from the sites you visit, shifting trust to your VPN provider rather than eliminating it. Let's talk about what VPNs actually provide, without typical VPN puffing.

📖 The Basics

What It Is

A Virtual Private Network (VPN) creates an encrypted tunnel between your device and a server operated by the VPN provider. All your internet traffic travels through that tunnel before reaching its destination. From your ISP's perspective, they see that you're connected to a VPN server and nothing else. From the perspective of the website you're visiting, they see the VPN server's IP address, not yours.

That's it. That's the mechanism. The marketing around VPNs routinely inflates this into something much broader: "total online anonymity," "military-grade protection," "complete privacy." The reality is far simpler: a VPN is a specific tool for a specific job, and understanding exactly what that job is determines whether it's actually useful for your situation.

How It Works

graph LR
    A["💻 Your Device<br/>─────<br/>VPN On"] --> B["📡 Your ISP<br/>─────<br/>Sees: encrypted VPN tunnel only"] --> C["🔒 VPN Server<br/>─────<br/>Sees: your IP<br/>and destination"] --> D["🌐 Destination Site<br/>─────<br/>Sees: VPN IP, not your real IP"]

Diagram: A VPN encrypts traffic between your device and the VPN server. Your ISP sees only an encrypted tunnel; the destination site sees the VPN's IP address, not yours.


What a VPN Does

When you connect to a VPN, your device encrypts all outgoing traffic before it leaves. That encrypted traffic travels to the VPN provider's server, which decrypts it and forwards it to its destination. The practical effects:

  • Your ISP can't see your traffic content. They can see that you've connected to a VPN server. They cannot see which sites you're visiting or what you're doing there. For people whose ISP actively monitors, throttles, or logs their activity, this is a meaningful privacy improvement.
  • Websites see the VPN server's IP, not yours. Sites that track IP addresses for targeting, geo-restriction, or identification see the VPN's address. Your real IP isn't logged by the destination. This is also a meaningful privacy improvement.
  • Traffic on untrusted networks is encrypted. On a coffee shop Wi-Fi, hotel network, or airport hotspot, your traffic passes through infrastructure you don't control and whose operator you don't know. A VPN encrypts everything before it hits that network, which protects against passive interception on the local network. This can be a real security benefit, but it matters less than it used to: most websites now use HTTPS, which already protects the content of those connections.

What a VPN Does Not Do

  • It does not make you anonymous. The VPN provider itself sees your real IP address. While many privacy-focused VPN providers implement safeguards like no-logging policies, your VPN is always a shift of trust from your ISP to your VPN provider.
  • It does not protect you from all tracking mechanisms. Cookies, browser fingerprinting, login sessions, tracking pixels...none of these are affected by a VPN. Hiding your IP address is one of many ways you can be tracked online.
  • It does not encrypt traffic that wasn't already encrypted. HTTPS protects the content of web connections; a VPN adds a layer around the outside. If a site doesn't use HTTPS (rare now but not extinct), a VPN doesn't fix it.
  • It does not protect against malware, phishing, or on-device threats. Some VPNs offer DNS-level blocking of known malicious domains, which catches some threats, but this is a secondary feature.

The VPN Tunnel Explained

Modern VPNs run on WireGuard, which has become the new VPN standard. WireGuard has a small, auditable codebase, performs faster than older protocols like OpenVPN, and has a strong security track record. As of 2026, leading providers are adding post-quantum encryption (PQE) to WireGuard implementations to protect against future quantum computing threats.

Key VPN Features Explained

  • Kill switch: automatically blocks all internet traffic if the VPN connection drops, preventing your real IP from leaking during disconnects. Non-negotiable for mission-critical tasks.
  • DNS leak protection: ensures your DNS queries route through the VPN tunnel rather than directly to your ISP's DNS servers. Without this, your ISP still sees the domains you're visiting even while your other traffic is tunneled.
  • No-logs policy, independently audited: VPN providers routinely claim they don't log user activity. Claims without third-party verification from named auditors reviewing actual server infrastructure are marketing, not evidence. Look for published audit reports and regular re-audits. These are meaningful trust signals.
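The first two features above are concrete settings, not just checkboxes in a provider's app. The following wg-quick client configuration, added here as an illustration (it is not from the wiki or from any provider's app), shows what a full tunnel, in-tunnel DNS, and a kill switch look like on Linux. The keys, tunnel addresses and hostname are placeholders; the two firewall lines are the kill-switch recipe published in the wg-quick(8) man page.

```ini
# Added example, not code from the wiki or a VPN provider. All keys, addresses and
# the endpoint hostname are placeholders you would replace with your provider's values.
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
# Tunnel address assigned by the provider (placeholder)
Address = 10.64.0.2/32
# DNS leak protection: the system resolver is pointed at the provider's in-tunnel
# resolver for as long as the tunnel is up, so queries never go to the ISP's DNS.
DNS = 10.64.0.1
# Kill switch: reject any outgoing packet that is not leaving via the WireGuard
# interface (%i). Exceptions are packets carrying WireGuard's own fwmark (the
# encrypted tunnel traffic itself) and packets to local addresses. If the tunnel
# drops, nothing falls back to the bare ISP connection; it is simply rejected.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
# Provider's server (placeholder hostname and the default WireGuard port)
Endpoint = vpn.example.net:51820
# Full tunnel: every IPv4 and IPv6 destination is routed through the tunnel.
# A narrower AllowedIPs list (split tunnelling) lets some traffic, potentially
# including DNS, bypass the tunnel, which is how leaks happen.
AllowedIPs = 0.0.0.0/0, ::/0
```

Two things are worth noticing. The `DNS =` line only helps because `AllowedIPs` routes everything, including the resolver's address, into the tunnel. And the kill switch is implemented on the device, which is why it keeps working when the provider's server goes away; a "kill switch" that lives only in the provider's app logic does not have that property.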

A Note On Free VPNs

Operating a VPN requires real infrastructure. If there's no subscription revenue, something else is paying the bills. The documented patterns with standalone free VPNs include logging and selling user traffic, injecting ads into browsing sessions, and using your device as an exit node for other people's traffic.

There are exceptions: free tiers of reputable paid providers are meaningfully different. These exist as limited versions of verified products, not as revenue schemes built around user data.

The point isn't that all free VPNs are a problem, but they almost always deserve closer inspection.

On Ownership and Consolidation

The VPN industry has significant consolidation. Kape Technologies acquired CyberGhost in 2017, Private Internet Access in 2019, and ExpressVPN in 2021. The reality is a large chunk of the VPN industry is controlled by a few companies, with independent providers becoming harder to find. It's always worth knowing who ultimately owns a VPN provider as part of your trust evaluation. Users who prefer independent, single-purpose providers with no corporate lineage concerns have legitimate reasons to consider that.

Jurisdiction, the 5/9/14 Eyes, and What Actually Matters

The Five Eyes (US, UK, Canada, Australia, New Zealand), Nine Eyes (adds France, Netherlands, Norway, Denmark), and Fourteen Eyes (adds Germany, Belgium, Italy, Spain, Sweden) are intelligence-sharing alliances that can compel companies in member countries to produce user data. This is real, but often overstated in VPN marketing.

The nuance that matters: a no-logs VPN in a Five Eyes country has nothing to hand over. A dishonest provider outside the Fourteen Eyes can still log and produce your data if compelled or motivated.

What matters a lot more:

  • Provider jurisdiction: where the company is legally based, and which laws govern compelled disclosure.
  • Server location: where the physical server you connect through actually sits. A provider based in Iceland can run servers in the US. Legal obligations apply to the company, not to every country it operates servers in.

For most threat models, a verified no-logs policy from a reputable independent provider matters far more than whether their HQ is inside or outside an Eyes country. If your threat model involves a well-resourced state adversary, Tor is a more appropriate tool anyway.

Multi-Hop VPNs and Two-Party Relays

A multi-hop VPN routes your traffic through two or more servers instead of one. Your ISP sees you connect to server A, the destination sees server B's IP, and neither end can see the full picture. Most major providers offer this as a feature. The tradeoff is speed: double routing adds latency.

There's an important distinction that most multi-hop marketing glosses over: same-company multi-hop and two-party relays are not the same thing. If both hops are operated by the same company, that company still has access to both ends of your connection. So the privacy improvement over single-hop is modest.

A true two-party relay uses two independent organizations...one sees who you are but not where you're going, the other sees where you're going but not who you are. Neither alone can link your identity to your destination. Two services worth knowing about that use this model:

  • Apple iCloud Private Relay: Apple operates the first hop (knows your IP, not your destination) and a third-party CDN (Akamai, Fastly, or Cloudflare) operates the second (knows the destination, not your IP). Significant caveat: it only covers Safari on Apple devices and doesn't route all system traffic.
  • Obscura VPN: a full-system VPN using Obscura as the first hop and Mullvad as the second. Designed so that Obscura knows who you are but not where you're going, and Mullvad knows the destination but not who you are. Unlike Private Relay, it covers all traffic on the device, not just the browser.
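To make the two-party relay concrete, and to show why the same-company multi-hop discussed above gives much less, here is a small Python walkthrough of the layered encryption a relay uses. It is an added example, not code from the wiki, Apple, Obscura or Mullvad. The hop names (`hop_a`, `hop_b`), the client IP `203.0.113.7`, the destination and the toy SHA-256 counter-mode cipher are all constructed for the demonstration; real relays use proper authenticated encryption.

```python
"""Two-party relay walkthrough: what each hop can and cannot see.

Added example for this article; not code from the wiki, Apple, Obscura or Mullvad.
Hop names, the client IP 203.0.113.7, the destination and the toy cipher are constructed.
"""
import hashlib
import json
import os

NONCE_LEN = 12


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode XORed onto data). It stands in for
    the real per-hop encryption; illustration only, never a substitute for a real AEAD."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def _tag(blob: bytes) -> str:
    """Short fingerprint of a ciphertext: the kind of value an operator could log."""
    return hashlib.sha256(blob).hexdigest()[:16]


class Hop:
    """One relay operator. It can strip only the layer encrypted to its own key and
    records everything that is visible to it at that point."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self.key = key
        self.log: list[dict] = []

    def handle(self, source: str, blob: bytes) -> tuple[str, bytes]:
        layer = json.loads(unseal(self.key, blob))
        payload = bytes.fromhex(layer["payload"])
        self.log.append({"from": source, "next": layer["next"],
                         "received": _tag(blob), "forwarded": _tag(payload)})
        return layer["next"], payload


def build_layers(key_a: bytes, key_b: bytes, hop_b_name: str,
                 destination: str, request: bytes) -> bytes:
    """Client side: wrap the request in two layers, innermost first. Hop B's layer
    carries the destination; hop A's layer only says 'next is hop B'."""
    inner = seal(key_b, json.dumps({"next": destination, "payload": request.hex()}).encode())
    return seal(key_a, json.dumps({"next": hop_b_name, "payload": inner.hex()}).encode())


def run_two_party_relay(client_ip: str, destination: str, request: bytes) -> dict:
    """Push one request through hop A then hop B and return both operators' logs."""
    key_a, key_b = os.urandom(32), os.urandom(32)
    hop_a, hop_b = Hop("hop_a", key_a), Hop("hop_b", key_b)
    packet = build_layers(key_a, key_b, hop_b.name, destination, request)
    next_hop, inner = hop_a.handle(client_ip, packet)       # A sees client IP, not destination
    if next_hop != hop_b.name:
        raise RuntimeError("outer layer must route to hop B")
    final_hop, plaintext = hop_b.handle(hop_a.name, inner)  # B sees destination, not client IP
    return {"hop_a": hop_a.log, "hop_b": hop_b.log, "delivered": (final_hop, plaintext)}


def link_client_to_destination(hop_a_log: list, hop_b_log: list) -> list:
    """Join the two logs on the ciphertext each hop forwarded/received. This yields
    (client_ip, destination) pairs only for whoever holds BOTH logs, which is why a
    same-company multi-hop gives far less than two independent operators."""
    received_at_b = {entry["received"]: entry["next"] for entry in hop_b_log}
    return [(entry["from"], received_at_b[entry["forwarded"]])
            for entry in hop_a_log if entry["forwarded"] in received_at_b]


if __name__ == "__main__":
    result = run_two_party_relay("203.0.113.7", "example.com", b"GET / HTTP/1.1")
    print("hop A saw:", result["hop_a"])
    print("hop B saw:", result["hop_b"])
    print("independent operators, A's log alone:", link_client_to_destination(result["hop_a"], []))
    print("one company holding both logs:",
          link_client_to_destination(result["hop_a"], result["hop_b"]))
```

Running it shows hop A's log containing the client IP and "next: hop_b" but never the destination, and hop B's log containing the destination but only "from: hop_a". `link_client_to_destination` is the attacker-free way to see the distinction from the section above: handed one operator's log it returns nothing, handed both it joins them on the forwarded ciphertext and recovers the full (who, where) pair. Same-company multi-hop is the second case by construction.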

Decentralized VPNs (dVPNs)

Decentralized VPNs use peer-to-peer networks of independent nodes, often incentivized through cryptocurrency tokens rather than servers operated by a single company. The promise is that with no central entity, there's no central point to compel or subpoena.

The theory is sound, but the current reality is more complicated. Most dVPN implementations default to a single-hop connection through one node, which means you're trusting whoever runs that node not to log your activity, essentially the same trust problem as a centralized VPN but with a less accountable operator. Exit node operators in peer-to-peer networks can observe unencrypted traffic, and vetting individual node operators isn't practical for most users.

dVPNs are worth watching as the space matures, but aren't a clear upgrade over reputable centralized providers for most threat models right now, especially when Tor is a more reputable option for higher threat models.


🎯 Why It Matters

In March 2018, an attacker breached a NordVPN server at a third-party data center in Finland through an insecure remote management system the data center had installed without NordVPN's knowledge. TLS keys were obtained, potentially usable for a man-in-the-middle attack against users on that specific server. NordVPN learned about the breach in April 2019. They disclosed it publicly in October 2019, a full eighteen months after the breach, six months after they found out.

The technical damage was limited: the server held no user logs, and the stolen keys had expired. But the timeline is the real story. A company whose entire value proposition is "trust us with your internet traffic" chose to sit on a known security incident for a year and a half. NordVPN has taken a lot of steps to try to rectify this incident, but this is the central difficulty with VPNs as a category.

Unlike a password manager or an encrypted messaging app, where the security properties are to some degree verifiable through code audits and architecture reviews, a VPN's most important property depends almost entirely on trusting a company. You can read their privacy policy. You can read their audit reports. But at the end of it, you're handing over a lot of trust.

This is also why the threat model question matters more for VPNs than for almost any other tool in this wiki.

A VPN is the right tool for ISP visibility, untrusted networks, hiding your IP online, and geo-restricted content. It's not the right tool for completely solving website tracking (cookies and fingerprinting are unaffected), genuine anonymity (that's Tor), or threats involving your VPN provider's own data. Knowing the difference makes it a useful layer rather than a false ceiling on what you think you're protected from.

For current provider comparisons across objective criteria like audit status, jurisdiction, ownership, open-source status, and protocol support, see vpn.techlore.tech, Techlore's dedicated VPN comparison tool.


💡 Common Misconceptions

"A VPN makes you anonymous."

A VPN shifts trust from your ISP to your VPN provider. The provider sees your real IP and where you're going. Strong providers don't log, and independent audits exist to back that up, but anonymity isn't what a VPN sells. If genuine anonymity is what you need, Tor is the right tool.

"VPNs are useless."

This is the opposite misconception that's gained ground in the last few years, often as pushback against overblown VPN marketing. It's also wrong. VPNs solve specific problems: ISP-level visibility, public-network exposure, IP-address linkage to your activity, geographic restriction. There isn't a convenient alternative for getting any of those benefits since Tor is too slow for everyday browsing, and "just trust HTTPS" doesn't cover the metadata or the IP question.

"Free VPNs are just paid VPNs without the price tag."

Operating a VPN costs real money. Standalone free VPNs that don't charge users typically pay the bills by selling user data, injecting ads, or even turning your devices into exit nodes for other people's traffic. The legitimate exception is the free tier of a reputable paid provider, which is a limited version of a verified product, not a separate revenue model built on your activity.

"A VPN will tank my internet speed."

It used to be a real complaint. In 2026, with modern protocols like WireGuard and well-provisioned servers, the speed cost on a reputable VPN can be quite small on a good connection. Picking a server geographically close to you helps. For ordinary browsing and most everyday use, the speed difference is rarely something you'd notice without measuring it.


πŸ—£οΈ Henry's Take

There are two common misconceptions about VPNs that pull in opposite directions. One is the "VPNs are anonymous" story most VPN marketing sells. The other is a counter-reaction that's emerged in some technical circles: that VPNs are essentially useless because HTTPS exists and most people don't need one.

Like many things, the truth is somewhere in the middle. VPNs solve specific, real problems. They hide site visits from your ISP. They mask your IP from the sites you're visiting. They protect traffic on networks you don't control. They route around region locks. My position is that a VPN is a useful tool for the right job...not a security blanket and not snake oil.

My actual personal setup is on the more elaborate end. I run Tailscale for access to my home network and NAS from anywhere, and I use the Mullvad exit-node feature inside Tailscale so a single connection covers both remote access and my privacy needs. If I didn't have a NAS, I would just use a single, standard VPN connection.

One genuinely underrated free option worth mentioning: Orbot. It's technically a Tor proxy rather than a VPN, but on Android and iOS it can route all app traffic through the Tor network system-wide, which functions as a free, decentralized alternative to a commercial VPN for situations where you don't have one set up. It's slower than a VPN, but there's no subscription, no provider to trust, and the traffic is distributed across Tor relays rather than a single company's infrastructure. It's covered in more depth in the Understanding Tor article.

For most people, the most underused entry point is a browser-based VPN. System-wide VPN is more thorough, but it also breaks specific sites in ways that are hard to undo cleanly. A browser-based VPN lets you whitelist sites with one toggle when something doesn't work. If you're on Apple's ecosystem, iCloud Private Relay is right there for the cost of iCloud+; it's genuinely good, and I wish Apple would ship it system-wide. If you're on Firefox, the new built-in VPN (free, 50 GB per month) is one of the cleanest entry points I've seen. For paid providers, vpn.techlore.tech is where I update data on various VPN providers.


✅ Henry's Picks

For provider-by-provider comparisons across audit status, jurisdiction, ownership, and open-source status, vpn.techlore.tech is Techlore's VPN comparison tool.

Reputable paid providers:

  • Mullvad: Open-source apps, no email required (account is a generated number), accepts cash and Monero, regular independent audits. The benchmark for "collects as little about you as the technology allows." What I use.
  • Proton VPN: Open-source apps across platforms, audited, with a usable free tier.
  • IVPN: Open-source apps, anonymous signup, regularly audited. Similar profile to Mullvad with a slightly different feature set.
  • AzireVPN: Swedish-based, no-logs, WireGuard-first, and one of the few providers that runs its own bare-metal servers with RAM-only infrastructure. Smaller footprint than Mullvad but similar ethos.
  • Obscura VPN: A two-party relay VPN using Obscura and Mullvad as independent hops so no single entity can see both who you are and where you're going. Full-system coverage unlike Private Relay.

Browser-based options:


🔗 Go Deeper

Related wiki articles:

Techlore content:

  • Go Incognito v2, Lesson 4.9—Proxies & VPNs

External sources:

