Key Takeaways

  • A VPN encrypts your traffic between your device and the VPN server — the VPN provider can see what your ISP previously saw.
  • VPNs do not provide anonymity, do not protect against malware, and do not prevent websites from tracking logged-in accounts.
  • Genuine use cases: untrusted public WiFi, ISP traffic logging concerns, geo-restricted content.
  • WireGuard is now the protocol to look for — faster and more modern than OpenVPN.
  • Almost all free VPN services monetize through your data; ProtonVPN is the main exception.

VPN companies collectively spend hundreds of millions per year on advertising. YouTube sponsorships, podcast mid-rolls, influencer deals — the category is among the most aggressively marketed in consumer tech. That spending budget should itself tell you something: the margins are very good, and the product is easier to sell on fear than on technical merit.

This guide explains what a VPN actually does mechanically, where it genuinely helps, where it doesn't, and how to choose one if you decide you need it.

How a VPN Works

When you connect to the internet normally, your device sends requests through your ISP. Your ISP can see which domains you're visiting, when, and how often. The websites you visit can see your IP address, which roughly reveals your location and, by extension, your ISP.

A VPN creates an encrypted tunnel between your device and a server operated by the VPN provider. All your traffic travels through that tunnel — scrambled so that anyone monitoring the connection between you and the VPN server sees only encrypted noise. When your traffic exits the VPN server and reaches the open internet, it carries the VPN server's IP address, not yours. The destination website sees the VPN's IP, not your home IP.

That is the complete mechanism. Everything else in a VPN marketing pitch is either a consequence of this, an exaggeration of it, or unrelated to it.

What a VPN Actually Protects

Traffic from your ISP. Your ISP can no longer see which sites you're visiting or the contents of unencrypted traffic. In the United States, ISPs are legally permitted to sell browsing data to advertisers. A VPN moves that visibility from your ISP to the VPN provider.

Traffic on public networks. On an airport or hotel WiFi, the network operator — or anyone running a packet-sniffing attack on the same network — cannot read your traffic. HTTPS already encrypts the content of most web traffic, but a VPN additionally hides which domains you're connecting to, and protects any traffic that still travels unencrypted.

Your IP address from websites. Sites you visit see the VPN server's IP rather than yours. This is why VPNs can unlock geo-restricted streaming libraries — the Netflix server in the US sees a US IP address regardless of where you actually are.

What a VPN Does Not Protect

This is where the marketing diverges sharply from reality.

Browser fingerprinting. Your browser exposes a detailed fingerprint — screen resolution, installed fonts, timezone, canvas rendering behaviour, installed plugins — that can identify you across sessions regardless of your IP address. A VPN does nothing about this.

Logged-in account tracking. When you are signed into Google, Facebook, or any other account, those services track your activity through your login session, not your IP. Connecting through a VPN while signed into your Google account does not make you anonymous to Google.

Malware and phishing. Some VPN providers claim to offer malware or phishing protection. A handful have rudimentary DNS-based blocking that catches known malicious domains. None of this replaces a proper endpoint security setup. If you click a credential-phishing link, a VPN will not help you.

Anonymity. You have not become anonymous. You have shifted trust from your ISP to your VPN provider. If a VPN provider keeps logs — and some do despite claiming otherwise — those logs can be subpoenaed, hacked, or sold. For genuine anonymity, Tor is the appropriate tool, accepting that it is significantly slower.

When a VPN Is Genuinely Useful

Untrusted networks. Hotels, airports, coffee shops — any network where you don't control the router. The risk of passive traffic interception on these networks is real, even if HTTPS has reduced it. A VPN adds a meaningful layer here.

ISP traffic monitoring. If you're in a jurisdiction where ISPs sell browsing data, or you simply object to your ISP having that visibility, a VPN is a practical response — with the caveat that you are choosing to trust a VPN provider instead.

Geo-restricted content. Accessing streaming libraries tied to a different country, reaching research databases that restrict by region, or reading news sites that geoblock certain countries. This works reliably when the platform hasn't blocked the VPN's IP range.

Journalists and activists in restrictive regimes. VPNs provide meaningful protection for people operating under surveillance states, where hiding the fact that you're visiting certain sites matters. For extreme cases — people facing state-level adversaries — Tor plus careful operational security is more appropriate than a commercial VPN.

When a VPN Adds Little Value

General home browsing. On your own network, the main entity that could monitor your traffic is your ISP. If you're not concerned about ISP data collection and you're already using HTTPS-everywhere, a VPN adds friction with minimal security benefit.

Malware prevention. If this is your primary reason for wanting a VPN, address it with proper endpoint security software instead.

Anonymity from websites. If you are logged into your accounts, the sites you use already know who you are. A VPN changes your apparent IP; it does not change your identity to services that already have it.

How to Choose One

Jurisdiction. Where the company is incorporated determines which legal orders it must comply with. Providers in Switzerland, Iceland, and Panama operate under privacy-friendly legal frameworks with limited data-sharing treaties. Providers headquartered in the US, UK, or EU member states with heavy surveillance cooperation are subject to broader legal demands.

Audits. A no-logs claim is worthless without independent verification. Look for providers that have commissioned audits of their server infrastructure and logging practices from reputable third-party security firms — and published the results. Mullvad and ProtonVPN both do this. Most others either don't or publish only partial results.

Protocol. WireGuard is now the standard. It is faster than OpenVPN, uses less battery on mobile devices, and has a codebase small enough that security researchers can actually audit it end to end. Most major providers now offer WireGuard connections. If a provider only offers OpenVPN or IKEv2, they are behind the current standard.

Providers worth considering for most users: Mullvad (flat €5/month, no accounts, cash accepted, strong audit record), ProtonVPN (Switzerland-based, audited, free tier available), and IVPN (similar philosophy to Mullvad). NordVPN and ExpressVPN are adequate but carry the marketing-heavy baggage of the category.

Free VPNs

Operating a VPN network has real costs: server infrastructure, bandwidth, maintenance, support. A free service has to cover those costs somehow. The answer is almost always your data — sold to advertisers, harvested for analytics, or bundled into datasets that get sold to third parties. This is the opposite of the product's stated purpose.

Hotspot Shield, Hola, and a long list of lesser-known free VPN apps have been documented selling user data or injecting ads into traffic. The FTC and various consumer protection bodies have taken action against several of them.

ProtonVPN is the main exception: its free tier is funded by paying customers and is genuinely no-logs. Speed and server selection are limited on the free plan, but it is a legitimate option if you need a VPN occasionally and don't want to pay. Every other free VPN should be treated with considerable suspicion until proven otherwise.

A VPN is a narrow, specific tool: it encrypts traffic between your device and a server, and substitutes the server's IP for yours. It does that well. It does not make you anonymous, it does not stop malware, and it does not protect accounts you're already logged into. If those limitations match the problem you're trying to solve, a paid, audited VPN from a provider in a privacy-friendly jurisdiction is a reasonable €5–$10 per month purchase. If they don't, save the money.