What Does a VPN Do?
The Short Version
A VPN (Virtual Private Network) creates an encrypted tunnel between your device and a server somewhere else on the internet. Instead of your traffic going directly from your home to the websites you visit, it travels through that tunnel first. The website sees the VPN server’s IP address instead of yours, and your internet provider sees encrypted data instead of your browsing activity.
That’s it. That’s the whole concept.
What Happens Without a VPN
Every time you visit a website, your internet service provider (ISP) can see exactly where you’re going. They know what sites you visit, when you visit them, and how often. In the US, ISPs are legally allowed to collect and sell this browsing data to advertisers and data brokers.
Here’s the path your traffic takes:
Your device --> Your ISP --> Website
In this setup, two parties can see what you’re doing. Your ISP sees everything because all your traffic passes through their network. The website sees your home IP address, which can be used to identify your general location and track you across visits.
What Happens With a VPN
A VPN inserts an encrypted tunnel between you and the internet:
Your device --> Encrypted tunnel --> VPN server --> Website
Now your ISP can see that you’re connected to a VPN server, but they cannot see what you’re doing inside that tunnel. The websites you visit see the VPN server’s IP address instead of your home IP. Your browsing activity is hidden from your ISP, and your home IP address is hidden from the websites you visit.
What a VPN Actually Protects
Your browsing privacy from your ISP. This is the big one. Your ISP handles every packet of data that leaves your home. Without a VPN, they can see all of it. With a VPN, they see encrypted noise.
Your IP address from websites. Websites normally see your home IP address, which reveals your general location and can be used to track you across the internet. A VPN replaces that with the VPN server’s IP.
Your data on public WiFi. If you connect to WiFi at a coffee shop or hotel, anyone on that network could potentially see your traffic. A VPN encrypts everything before it leaves your device, so whoever runs or sniffs that network sees only the encrypted tunnel.
What a VPN Does NOT Protect
This is where the VPN industry gets dishonest.
A VPN does not make you anonymous. You’re still logged into your Google account, your Facebook, your email. Those companies know exactly who you are regardless of your IP address.
A VPN does not protect you from malware. If you click a malicious link or download infected software, a VPN won’t stop it. That’s what firewalls, IDS/IPS, and DNS filtering are for.
A VPN does not protect you from yourself. If you type your credit card number into a phishing site, the VPN faithfully encrypts that data and sends it to the attacker.
A VPN does not hide you from your VPN provider. This is the part most VPN companies don’t want you to think about. When you use a VPN, you’re not eliminating the middleman. You’re replacing your ISP with your VPN provider. Instead of trusting Comcast with your traffic, you’re trusting NordVPN or ExpressVPN or whoever.
The question isn’t “should I use a VPN?” The question is “do I trust my VPN provider more than my ISP?”
The Trust Problem
Most commercial VPN providers ask you to trust them. They claim “no logs” policies and run slick ad campaigns. But here’s the thing: you have no way to verify any of it. Their servers are closed. Their code is proprietary. Their infrastructure is invisible to you.
You’re replacing one black box (your ISP) with another black box (your VPN provider). Maybe the new box is better. Maybe it’s worse. You literally cannot know.
This is the fundamental problem with the entire consumer VPN industry. Trust without verification is just faith.
How VPN Protocols Work
A VPN protocol is the set of rules that determines how your data gets encrypted and transmitted through the tunnel. There are several, but two matter:
OpenVPN has been the standard for years. It works, but it’s slow. The codebase is around 100,000 lines of code, which makes it hard to audit for security vulnerabilities. It runs in userspace, which means every packet has to bounce between the operating system kernel and the application, adding overhead. Typical throughput is around 600 Mbps regardless of how fast your internet connection is.
WireGuard is the modern replacement. The entire codebase is about 4,000 lines. It runs in the kernel, so packets don’t bounce around. It uses modern cryptography (ChaCha20 for encryption, Curve25519 for key exchange) that’s faster and more secure than what OpenVPN uses. Typical overhead is 5-15%, meaning on a 1 Gbps connection you’ll still get 800-900 Mbps.
WireGuard is simpler, faster, and easier to audit. There’s really no reason to use OpenVPN anymore unless you have a specific legacy requirement.
Network-Level vs Device-Level VPN
Most consumer VPN services work at the device level. You install an app on your phone, another on your laptop, another on your tablet. Each device runs its own VPN connection. This approach has problems:
- You have to install and manage apps on every single device
- IoT devices (smart TVs, cameras, thermostats) can’t run VPN apps at all
- If you forget to turn it on, you’re unprotected
- Each app is another piece of software you’re trusting with your data
A network-level VPN works differently. Instead of each device running its own VPN, the VPN runs on your firewall. Every device that connects to a specific network automatically routes through the VPN. No apps to install, nothing to forget to turn on, and even devices that can’t run apps (like your smart TV) get VPN protection.
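As an added example (not from the original article, and not any VPN provider’s own configuration), here is what the network-level setup described above looks like when the firewall is a Linux box running WireGuard through wg-quick. Every name, address and key below is an assumed placeholder: the firewall’s LAN interface `lan0` carries a dedicated VPN-only subnet 10.20.0.0/24, the tunnel interface is `wg0`, the tunnel address handed out by the VPN server is 10.66.0.2/32, and the server endpoint is `vpn.example.net:51820`. Only traffic from that subnet is policy-routed into the tunnel, the firewall’s own traffic keeps its normal WAN route so the tunnel endpoint stays reachable, and an nftables forward rule acts as a kill switch so the subnet is dropped rather than leaked if the tunnel is down.

```ini
# /etc/wireguard/wg0.conf on the firewall (added example; all values are placeholders)
# Assumes IPv4 forwarding is enabled (net.ipv4.ip_forward = 1) and that
# DHCP on lan0 points clients at a resolver reachable only through the tunnel.

[Interface]
# The firewall's own private key (generated with `wg genkey`); the server never sees it
PrivateKey = <FIREWALL_PRIVATE_KEY>
# Tunnel address assigned to this peer by the VPN server
Address = 10.66.0.2/32

# Install the tunnel's default route in a dedicated table instead of the main one.
# wg-quick then leaves the firewall's main routing table alone, so the box itself
# still reaches vpn.example.net over the WAN; only sources we select get tunneled.
Table = 51820

# 1. Steer the VPN-only subnet into table 51820 (priority 100 beats main at 32766)
PostUp = ip rule add from 10.20.0.0/24 lookup 51820 priority 100

# 2. Masquerade that subnet behind the tunnel address on the way out of wg0
PostUp = nft add table ip wgnat
PostUp = nft add chain ip wgnat postrouting '{ type nat hook postrouting priority srcnat; }'
PostUp = nft add rule ip wgnat postrouting oifname "wg0" masquerade

# 3. Kill switch: the VPN subnet may only be forwarded out of wg0, never to the WAN.
#    `add table` + `flush table` keep this idempotent across restarts.
PostUp = nft add table inet wgkill
PostUp = nft flush table inet wgkill
PostUp = nft add chain inet wgkill forward '{ type filter hook forward priority filter; }'
PostUp = nft add rule inet wgkill forward ip saddr 10.20.0.0/24 oifname != "wg0" drop

# Undo the routing rule and NAT when the tunnel comes down. The wgkill table is
# deliberately left in place so the subnet stays blocked while wg0 is absent;
# for the same reason it also belongs in the persistent ruleset loaded at boot.
PostDown = ip rule del from 10.20.0.0/24 lookup 51820 priority 100
PostDown = nft delete table ip wgnat

[Peer]
# Public key of the VPN server (from the provider or your own server)
PublicKey = <VPN_SERVER_PUBLIC_KEY>
Endpoint = vpn.example.net:51820
# Full tunnel: every destination is routed to this peer (into table 51820)
AllowedIPs = 0.0.0.0/0, ::/0
# Keeps NAT state alive when the firewall sits behind another NAT
PersistentKeepalive = 25
```

Bring it up with `wg-quick up wg0`. Devices on 10.20.0.0/24 (a smart TV, a camera) get the tunnel with nothing installed on them, while devices on other LAN subnets are untouched. The example only handles IPv4; if the VPN subnet also carries IPv6, it needs a matching `ip -6 rule` and an `ip6 saddr` drop rule, otherwise IPv6 traffic from those devices bypasses the tunnel.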
What to Look For in a VPN
If you’re evaluating VPN services, here’s what actually matters:
Can you verify their claims? If a VPN provider says “no logs,” can you actually confirm that? Can you inspect their server configuration? Can you see what software is running? If the answer is no, their “no logs” claim is just marketing.
What protocol do they use? WireGuard is the answer you want to hear. If they’re still pushing OpenVPN as their primary protocol, they’re behind.
Where are their servers? Jurisdiction matters. A US-based VPN is subject to US law. A Swiss-based VPN is subject to Swiss law. Neither is inherently better or worse, but you should know what legal framework applies to your data.
What’s their business model? If a VPN is free, you are the product. If a VPN costs $2/month and runs thousands of servers worldwide, the math doesn’t work unless they’re cutting corners somewhere. Quality infrastructure costs real money.
Do they own their servers? Many VPN providers rent servers from cloud providers. That means a third party has physical access to the hardware your traffic passes through. Providers that own or directly control their hardware have fewer points of failure.
Summary
A VPN is a privacy tool, not a security tool. It hides your browsing from your ISP and your IP address from websites. It does not make you anonymous, protect you from malware, or guarantee your safety online.
The biggest risk with any VPN is trading one unverifiable trust relationship (your ISP) for another (your VPN provider). The best VPN is one where you don’t have to take anyone’s word for anything because you can see exactly how it works.