Few consumer privacy products are as oversold as the VPN. The advertising, much of it on YouTube and podcasts, promises that turning on a VPN protects you from hackers, makes your traffic anonymous, hides you from the government, and unlocks streaming. Some of these claims are technically true in narrow cases. Most are misleading. Cutting through the marketing matters because the legitimate use cases for a VPN are real and worth understanding clearly.
What a VPN actually is
A Virtual Private Network is a tunnel that encrypts traffic between your device and a server operated by the VPN provider. From your local network’s perspective, the only traffic visible is encrypted communication with the VPN provider. From the perspective of websites and services you connect to, your apparent IP address is the VPN server’s, not yours.
That is essentially the entire technology. The protocols (OpenVPN, IPsec/IKEv2, WireGuard) differ in performance and implementation detail, but the threat model is the same in each case.
WireGuard, designed by Jason Donenfeld and merged into the Linux kernel in 2020, has become the dominant modern protocol because of its simplicity (under 4,000 lines of code), strong cryptography (Curve25519, ChaCha20-Poly1305, BLAKE2s), and high performance. The specification is at wireguard.com.
What a VPN actually hides
The IP address you appear to connect from. Websites and services see the VPN server’s IP, not yours.
The fact and content of your specific destinations from your local network. Your ISP, your employer’s network, and the airport Wi-Fi see only that you are talking to the VPN provider; they do not see the websites you visit. With traffic analysis they do still see when you are online and how much data you transfer.
Some forms of geographic restriction. Streaming services and websites that geofence by IP can be bypassed by connecting through a VPN server in the desired country, though major services (Netflix, BBC iPlayer, etc.) actively detect and block known VPN IP ranges.
What a VPN does not hide
Your traffic from the VPN provider itself. The VPN sees everything you do; it has merely replaced your ISP as the entity in a position to observe. Whether this is an upgrade depends entirely on whether the VPN provider is more trustworthy than your ISP.
Identity revealed by your activity. Logging into Google, Facebook, or any account immediately tells those services who you are regardless of IP address. The VPN does not anonymise the application layer.
Browser fingerprinting. The fingerprint travels with you regardless of IP. See the separate post on browser fingerprinting for the full picture.
Tracking by trackers and analytics. Cookies, pixel-based tracking, and identity-graph matching all operate independently of network-level IP.
DNS leaks if not configured properly. Operating systems sometimes route DNS queries outside the VPN tunnel. The DNS leak test at dnsleaktest.com is the standard quick check.
WebRTC leakage. As mentioned in the fingerprinting post, WebRTC can disclose local IP addresses to JavaScript, bypassing the VPN. Browser settings and extensions handle this.
Government investigation. A subpoena to the VPN provider in a cooperating jurisdiction can compel disclosure of connection logs. "No-logs" claims are central to provider marketing and inconsistent in practice.
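The DNS-leak item above is easier to reason about against a concrete WireGuard configuration. The following is an added example, not code from the original post or from any provider: it embeds a constructed wg-quick client config (placeholder keys, hypothetical endpoint vpn.example.net) and a constructed resolv.conf, then flags each resolver whose queries would bypass the tunnel. It assumes plain wg-quick routing on Linux: destinations outside AllowedIPs never enter the tunnel, and a directly connected LAN prefix keeps its more specific route even when AllowedIPs is 0.0.0.0/0.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample wg-quick client config (placeholder keys, not any provider's file).
WG_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.64.0.2/32
DNS = 10.64.0.1
[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""
# Constructed /etc/resolv.conf as it can look when the LAN resolver handed out by DHCP
# survives tunnel bring-up and is still listed ahead of the tunnel's own resolver.
RESOLV_CONF = "nameserver 192.168.1.1\nnameserver 10.64.0.1\n"
# Directly connected LAN prefix; its route is more specific than the tunnel's catch-all.
LAN_PREFIXES = ["192.168.1.0/24"]


def allowed_ips(wg_conf: str) -> list:
    """Collect every AllowedIPs prefix from all [Peer] sections."""
    nets = []
    for m in re.finditer(r"^\s*AllowedIPs\s*=\s*(.+)$", wg_conf, re.M):
        nets += [ipaddress.ip_network(p.strip()) for p in m.group(1).split(",")]
    return nets


def nameservers(resolv_conf: str) -> list:
    """Resolvers the OS will actually query, in listed order."""
    return [ipaddress.ip_address(m.group(1)) for m in re.finditer(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)]


def leaking_resolvers(wg_conf: str, resolv_conf: str, lan_prefixes: List[str]) -> List[Tuple[str, str]]:
    """(resolver, reason) for each resolver whose queries bypass the tunnel under the
    plain wg-quick routing assumption stated above."""
    tunnel = allowed_ips(wg_conf)
    lans = [ipaddress.ip_network(p) for p in lan_prefixes]
    leaks = []
    for ns in nameservers(resolv_conf):
        if not any(ns in net for net in tunnel):
            leaks.append((str(ns), "outside AllowedIPs (split tunnel)"))
        elif any(ns in lan for lan in lans):
            leaks.append((str(ns), "on the local LAN, reached outside the tunnel"))
    return leaks


if __name__ == "__main__":
    for resolver, why in leaking_resolvers(WG_CONF, RESOLV_CONF, LAN_PREFIXES):
        print(f"DNS leak: {resolver}: {why}")
```

On the constructed input this reports 192.168.1.1 as a leak and accepts 10.64.0.1; a provider client that also installs firewall rules for the tunnel may block the LAN case, which this check does not model.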
Real use cases for a VPN
Three categories where a VPN delivers genuine value:
Untrusted networks. Coffee shops, hotels, conferences. The VPN protects against Wi-Fi-level adversaries who might be sniffing or injecting into traffic. The need is reduced by HTTPS being almost universal in 2026, but DNS lookups, TLS server-name indication, and traffic patterns still leak useful information without a VPN.
Geographic content restrictions. Mostly for streaming and for accessing services that geofence. Whether this is legal varies by jurisdiction; the answer under the content provider’s terms of service is consistently no.
Bypassing local network surveillance. Workplace networks, country-level filtering (Iran, Russia, Turkey, China to a partial degree). Tor is a stronger answer for the most adversarial cases; commercial VPNs are easier and adequate for moderate ones.
What a VPN does not solve
Identity privacy on the modern web. The fingerprint and identity-graph layer means that "anonymous browsing" requires Tor Browser plus discipline, not a VPN.
Protection against malware. The VPN routes traffic; it does not inspect content for threats. Some commercial VPNs include malware-domain blocking, which is useful but is a separate feature.
Hiding from your service providers. If you log into Gmail, Gmail knows it is you regardless of VPN. The changed IP address makes no difference to most of the adversary models that matter.
Evaluating VPN providers
Provider trust is the entire question. Independent considerations:
Audit history. Has the provider’s no-logs policy been audited by reputable third parties? Mullvad, Proton VPN, IVPN, ExpressVPN, NordVPN, and Surfshark have all published audits in recent years. Audit quality varies; the existence of an audit is necessary but not sufficient.
Jurisdiction. Operating from a "Five Eyes" or "Fourteen Eyes" country (US, UK, Canada, Australia, New Zealand, plus the broader European intelligence-sharing partners) may or may not matter to your threat model. Switzerland, Panama, and the British Virgin Islands are common provider jurisdictions chosen partly for legal reasons.
Diskless / RAM-only servers. Some providers run their server fleet entirely in memory, with no persistent storage. This makes log retention technically more difficult and is a useful structural commitment.
Anonymous payment options. Cash, Monero, and Bitcoin via mixing all preserve privacy at payment time. The credible providers offer these.
Open-source clients. Mullvad and Proton VPN have open-source clients on multiple platforms. Closed-source clients can do anything; open-source clients can be inspected.
History. Has the provider been involved in past incidents? IPVanish handed user logs to the FBI in 2016 despite advertising no-logs. The provider’s track record matters more than its current marketing.
Specific provider notes
Without endorsing any particular provider, the ones that consistently rate well in independent technical analysis include Mullvad, Proton VPN, IVPN, and (less unanimously) NordVPN, ExpressVPN, and Private Internet Access. The ones to avoid are typically free or very cheap providers, the ones with aggressive YouTuber sponsorships and weak audit histories, and any provider whose business model is unclear.
Mullvad in particular operates a flat-rate, anonymous-account model (no email required, the account number is the sole credential, cash accepted) that has set the floor for what a privacy-respecting commercial VPN looks like. They are at mullvad.net.
Self-hosted alternatives give more control at the cost of more configuration: Tailscale (peer-to-peer, identity-based, not strictly a VPN but solves overlapping problems), Algo VPN, and Outline (VPN over Shadowsocks for censorship circumvention).
The simple framing
Use a VPN when you do not trust the local network and would benefit from your ISP / coffee shop / hotel not seeing your traffic.
Use a VPN when you need to appear to come from a different country.
Do not use a VPN expecting it to make you anonymous on the modern web. It will not.
Pick a provider that has been audited, has a credible jurisdictional structure, accepts anonymous payment, and has not been caught lying. Recognise that you are trusting them with the visibility your ISP would otherwise have.
The VPN is a useful, narrow tool. The decade of inflated marketing is finally beginning to be balanced by clearer journalism about what the technology does. Buying one with realistic expectations is the right move; buying one expecting privacy magic is not.
