Infrastructure

VPNs Explained: What They Actually Hide (and What They Don't)

Every YouTube channel and podcast you listen to has a VPN sponsor. The marketing makes it sound like a VPN is a digital invisibility cloak. It isn't. It's a useful tool for specific threat models, and a placebo for others. Here's the engineer's view.

What a VPN actually is

A VPN (Virtual Private Network) routes your internet traffic through an encrypted tunnel to a server somewhere else, which then sends the traffic on to its destination on your behalf. Your ISP sees encrypted blobs going to the VPN; the website sees a request coming from the VPN.

That's it. Everything else is marketing on top.

What they hide (genuinely)

  • Your IP address from the websites you visit. Useful for accessing geo-restricted content, avoiding being targeted by IP.
  • Your DNS lookups and HTTP requests from your ISP. Useful if you don't trust your ISP, which in 2026 is most people.
  • Your traffic from local network observers. Coffee shop WiFi, hotel networks, corporate guest WiFi.
  • Your real IP from torrent peers (relevant if you torrent — your peers see your IP otherwise).

What they don't hide

  • Your identity from the sites you log into. If you log into Facebook over a VPN, Facebook still knows it's you.
  • Browser fingerprints. Canvas fingerprint, fonts, screen resolution, audio fingerprint — VPN doesn't help.
  • Tracking cookies. Those persist regardless of IP.
  • Account activity correlation. If you check your Gmail and then visit other sites, Google can correlate.
  • Your activity from the VPN provider. They see everything your ISP would have. You're just moving trust.

Threat models where VPN matters

Different concerns, different answers:

  • Hostile public WiFi: VPN helps. Use it.
  • ISP data selling / DNS sniffing: VPN helps. Encrypted DNS (DoH/DoT) also helps.
  • Bypassing geo-restrictions: Primary use case for most VPN customers.
  • Hiding from Google/Facebook/Meta: Useless. They identify you by login, cookies, behavior.
  • Hiding from nation-state actors: Use Tor, not commercial VPN.
  • Avoiding banking fraud detection: Will likely get your account flagged.
  • Stopping malware: VPN doesn't filter content. Use EDR for that — see our cybersecurity fundamentals post.

Picking a commercial provider

The market is largely consolidated. Reasonable picks in 2026:

  • Mullvad — pay in cash, no email required, anonymous account numbers. Most privacy-focused of the major options.
  • Proton VPN — Switzerland-based, audited, has a free tier.
  • IVPN — similar privacy posture to Mullvad, smaller server network.

Avoid: any "lifetime VPN" deal on AppSumo, any VPN that won't tell you who owns it, anything advertising on Spotify, anything that says "military grade encryption" (that's not a real thing). The marketing-heavy providers are usually owned by Kape Technologies, a holding company with mixed reputation.

Free VPN warning
Free commercial VPNs almost always make money by selling your data, injecting ads, or being scams. If you need a free option, use the Proton VPN free tier (legitimately limited but honest) or Tor (different threat model, slower).

Self-hosted alternative

If you trust yourself more than VPN providers, run your own. Options:

  • Tailscale — WireGuard-based mesh VPN, free for personal use, devices connect peer-to-peer. Best for accessing your own services remotely, not for hiding from websites.
  • WireGuard on a VPS — spin up a $5/mo VPS in any country, run WireGuard. Cheaper than commercial VPN, but doesn't help if you need to rotate IPs frequently.
  • Algo VPN — automates the above. Open source, well-maintained.

Myths to retire

  • "VPNs hide you from hackers." → Mostly meaningless. Real attacks don't depend on your IP.
  • "VPNs make you anonymous on the internet." → No. See above.
  • "VPNs stop your ISP from throttling Netflix." → Sometimes, but Netflix actively blocks many VPN IPs.
  • "VPNs are illegal in some countries." → Some restrict, few outright ban. Always check local law before relying on one.
  • "VPNs slow down your connection." → Always, by 10–30%. Pick a server close to you to minimize.

For deeper personal/business security guidance, see our cybersecurity fundamentals and ransomware defense posts.

Sources & References
  1. Mullvad — No-logging policy
  2. Proton VPN — Transparency reports
  3. EFF — Online privacy guidance
  4. WireGuard — WireGuard protocol
  5. Tailscale — Tailscale documentation