
What is a VPN? How it works and what it does (in plain English)

11 min read

TL;DR

  • A VPN encrypts your connection between your device and a VPN server, hiding your IP address from many websites
  • It helps reduce exposure on public Wi-Fi and keeps your ISP from seeing which sites you visit, but doesn't make you anonymous
  • VPNs can't stop website tracking through cookies, fingerprints, or logged-in accounts
  • Key features to look for: no-logs policy (audited), kill switch, modern protocols (WireGuard/OpenVPN), and private DNS
  • Best for: protecting sensitive data on untrusted networks, preventing ISP monitoring, and basic privacy protection

What a VPN Does (and Doesn't)

✅ A VPN does:

  • Encrypts your connection between your device and the VPN server
  • Helps reduce exposure on public networks
  • Hides your IP from many websites and services
  • Routes traffic through a server you choose (changes apparent location)

❌ A VPN doesn't:

  • Make you anonymous
  • Stop all tracking (cookies and fingerprinting still exist)
  • Encrypt data end-to-end across the entire internet
  • Protect you from phishing, malware, or human error

You've heard VPNs protect your privacy. But what does that actually mean?

If you're browsing from a coffee shop, streaming from a hotel, or trying to keep your ISP from tracking your browsing data—does a VPN fix that? And what about all the tracking that happens after you land on a website?

This guide strips away the marketing speak and explains what VPNs actually do, how the technology works, and—just as importantly—what they can't protect you from. No hype. No absolute claims. Just the technical reality, explained clearly.

How VPNs Work: The Technical Basics

Encryption: Your Private Tunnel

A VPN creates an encrypted tunnel between your device and a VPN server. This means your internet traffic is scrambled so that ISPs, network administrators, and potential attackers can't see what you're doing.

Modern VPNs use two widely supported protocols:

  • WireGuard is designed for high performance and modern cryptography. It's lean, fast, and built with current security standards.
  • OpenVPN is a mature, widely supported protocol. It's been battle-tested for years and remains a reliable choice.

Both use strong encryption algorithms like AES-256 (Advanced Encryption Standard) or ChaCha20 to protect your data. What does that mean for you? Your traffic is encrypted between your device and the VPN server, making it unreadable to anyone trying to intercept it.

IP Address Masking

When you connect to a VPN, websites see the IP address of the VPN server—not your real one. This helps reduce exposure in a few ways:

  • Privacy: Your ISP and network admin can't see which sites you visit
  • Location: Websites see the server's location instead of yours
  • Restrictions: You can route through servers in different regions to access region-specific content

Important caveat: Your VPN provider sees your real IP address. This is why an audited no-logs policy is critical: an independent audit is the main evidence you have that your provider isn't collecting or storing connection data.

Learn more: No-logs explained: what it means, what to look for, and how we design for it

The VPN Tunnel: Step-by-Step

Here's what happens when you use a VPN:

  1. You connect to a VPN server (chosen location)
  2. Your device encrypts all outbound internet traffic
  3. Data travels through the encrypted "tunnel" to the VPN server
  4. The VPN server decrypts your request and forwards it to the internet
  5. Responses return through the same encrypted path back to your device

Think of it as a secure pipe: your ISP, public Wi-Fi operators, and network snoopers can see data flowing through the pipe, but they can't see what's inside.

Common VPN Use Cases (When They Actually Help)

Public Wi-Fi Protection

Open networks at airports, coffee shops, and hotels are convenient—but dangerous. Without encryption, attackers on the same network can intercept your traffic (a technique called packet sniffing) or even impersonate trusted services (man-in-the-middle attacks).

A VPN encrypts your connection before data leaves your device, protecting login credentials, messages, and browsing activity from local threats.

Learn more: VPN on public Wi-Fi: the real risks and a simple protection checklist

Hiding Activity from Your ISP

Your internet service provider can see every site you visit and every DNS query your device makes—and they often log this data. In many countries, ISPs sell anonymized browsing histories to advertisers or hand data over to government agencies.

A VPN encrypts your web traffic and DNS queries inside the tunnel, so your ISP only sees encrypted traffic going to the VPN server. They know you're using a VPN, but not what you're doing.

Learn more: Private DNS: why DNS leaks happen and how Private DNS helps

Avoiding Location-Based Restrictions

By routing traffic through a server in a different location, you can access content that's restricted to specific regions. This works for some services—but it's not guaranteed.

Many streaming platforms, financial services, and regional websites actively detect and block VPN traffic. Your mileage will vary.

Preventing Bandwidth Throttling

Some ISPs slow your connection when they detect certain activities: streaming, torrenting, or gaming during peak hours. Because a VPN hides what you're doing online, ISPs can't selectively throttle specific types of traffic.

Trade-off: VPNs can also introduce overhead (encryption + routing distance) that may slow your connection. Modern protocols like WireGuard minimize this, but it's still a factor.

What VPNs Can't Protect You From

Website-Level Tracking

A VPN hides your IP address from websites, but it doesn't stop tracking that happens after you visit a site:

  • Cookies follow you across websites, building behavioral profiles
  • Browser fingerprinting identifies you based on device specs, fonts, and settings
  • Logged-in sessions let platforms like Google and Facebook track you across the web

If you're signed into an account, the platform knows who you are—VPN or not. Privacy is a stack: you need a VPN plus privacy-focused browser settings and tracker blockers.

Learn more:

  • Browser fingerprinting: what it is and how to reduce it
  • Tracking 101: cookies, pixels, device IDs — and where a VPN fits

Malware, Phishing, and Human Error

VPNs don't scan files, block malicious sites, or prevent you from clicking phishing links. Those threats require different tools: antivirus software, browser security features, and user awareness.

A VPN encrypts your connection—it doesn't replace common-sense security practices.

The VPN Provider Itself

Your VPN provider technically sees:

  • Your real IP address
  • Which VPN server you connect to
  • When you connect and for how long
  • (If they choose to log) which sites you visit

This is why no-logs policies matter. If a provider doesn't log browsing activity and has been audited by a third party, they can't hand over data they don't have.

Choosing a VPN: What Actually Matters

Key Factors

  1. No-logs policy (audited) – The provider shouldn't keep records of your browsing activity. Look for independent audits, not just claims.
  2. Kill switch – Blocks internet traffic if the VPN connection drops, preventing accidental IP exposure.
  3. Modern protocols – WireGuard or OpenVPN. Avoid outdated protocols like PPTP or L2TP.
  4. Private DNS / DNS leak protection – DNS requests stay inside the encrypted tunnel instead of leaking to your ISP.
  5. Jurisdiction – Where the company is based affects what data can be legally demanded.
  6. Transparency – Public audits, open-source code, and clear privacy policies build trust.

Red Flags

  • Free VPNs – If you're not paying, how does the service make money? Often: selling data or injecting ads.
  • Absolute claims – "Total anonymity," "100% untraceable," "guaranteed privacy" are marketing myths.
  • Vague logging policies – If the privacy policy is unclear or missing, assume the worst.
  • No kill switch – This is a standard feature. If it's missing, skip the provider.

Learn more: Free vs paid VPNs: privacy, security, and the hidden tradeoffs

The PrivateByRight Approach

We design systems to minimize data collection and focus on clear privacy practices. Here's what that looks like:

No-logs (audited)

We don't log what you do online. No browsing history, no connection logs, no IP addresses stored. Our no-logs policy is designed to be audited and verified by third parties.

Kill switch

Blocks internet traffic if the VPN disconnects. Helps prevent accidental IP exposure on disconnect.

WireGuard + OpenVPN

Two protocols with different tradeoffs. WireGuard is designed for high performance and modern cryptography. OpenVPN is a mature, widely supported protocol. You choose based on your needs.

Private DNS

DNS requests stay inside the encrypted tunnel. Helps reduce DNS leak risk and keeps queries away from your ISP.

Split tunneling

Route selected apps through the VPN while others use your normal connection. This is useful for accessing local network devices or services that block VPNs.

Transparency + Impact

Part of every subscription supports privacy, press freedom, and human-rights initiatives. We publish updates and reporting in our Transparency Hub, and all impact reporting is aggregated and anonymized.

RAM-only servers

Where possible, we use RAM-only servers. When a server reboots, all data is wiped. There's no persistent storage of session data.

We aim to be clear about what we do—and what we don't do. Privacy is a stack: VPN + browser settings + device hygiene.

FAQs

Does a VPN make me anonymous?

No. A VPN helps reduce exposure on public networks and hides your IP from many websites, but it doesn't make you anonymous. Websites can still track you through cookies, fingerprinting, and logged-in sessions.

For stronger anonymity, layer a VPN with other tools like Tor, privacy-focused browsers, and tracker blockers.

Learn more: Do VPNs make you anonymous? What a VPN can and can't hide

Will a VPN slow my internet?

Possibly. Your traffic is encrypted between your device and the VPN server, which adds overhead. Routing through a remote server also introduces latency. Modern protocols like WireGuard minimize this, but distance and server load still matter.

Poor server choice or provider infrastructure can make it worse.

Can my VPN provider see what I'm doing?

Technically, yes—unless they have a strict no-logs policy and don't store connection data. That's why provider trust is critical. Look for providers with audited no-logs policies and transparent reporting.

Do I need a VPN at home?

It depends on your threat model. If you want to hide browsing from your ISP, avoid throttling, or reduce exposure to network-level surveillance, a VPN helps. If you're mainly worried about website tracking, focus on browser privacy tools and ad blockers instead.

Privacy is a stack. A VPN is one layer.

Are free VPNs safe?

Usually no. Most free VPNs make money by logging and selling your data, injecting ads, or limiting speeds to push paid upgrades. Running a secure VPN network is expensive. If you aren't paying for the product, you are the product.

What is a kill switch?

A kill switch is a security feature that blocks your internet connection if the VPN drops unexpectedly. This prevents your real IP address and unencrypted data from leaking to your ISP or the local network.

Learn more: Kill switch: what it is, why it matters, and how to test it

What is a VPN leak?

A VPN leak happens when your VPN fails to route all traffic through the encrypted tunnel. The most common types are DNS leaks (where your ISP sees your DNS requests), IPv6 leaks, and WebRTC leaks (which can expose your real IP address).

Learn more: VPN leaks explained: DNS, IPv6, and WebRTC, and how to check yours
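
One way to check a Linux client for the DNS and IPv6 leaks described above, as an added example that is not PrivateByRight's code: it asks the kernel (`ip route get`) which interface each configured resolver and each probe address would leave through. The interface name `wg0`, the probe addresses and the sample outputs are constructed assumptions; WebRTC leaks happen inside the browser and are not covered.

```python
import ipaddress
import re
import subprocess

def ip_route_get(dest):
    """Ask the Linux kernel which route it would pick (honours policy routing)."""
    return subprocess.run(["ip", "route", "get", dest],
                          capture_output=True, text=True).stdout

def egress_device(route_output):
    """Interface named after 'dev' in `ip route get` output, or None if no route."""
    match = re.search(r"\bdev\s+(\S+)", route_output)
    return match.group(1) if match else None

def resolvers(resolv_conf):
    """Nameserver addresses listed in resolv.conf text, comments ignored."""
    found = []
    for line in resolv_conf.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1].split("%")[0])  # drop any IPv6 zone id
    return found

def find_leaks(tunnel_if, probes, resolv_conf, route_get=ip_route_get):
    """List each resolver or probe address that would bypass tunnel_if."""
    findings = []
    for ns in resolvers(resolv_conf):
        dev = egress_device(route_get(ns))
        if ipaddress.ip_address(ns).is_loopback:
            # A local stub resolver hides which upstream server is really used.
            findings.append(f"DNS unverified: {ns} is a local stub, check its upstream")
        elif dev not in (None, tunnel_if):
            findings.append(f"DNS leak: resolver {ns} is reached via {dev}")
    for dest in probes:  # use one IPv4 and one IPv6 address outside the LAN
        dev = egress_device(route_get(dest))
        if dev not in (None, tunnel_if):  # None: no route, nothing leaves
            version = ipaddress.ip_address(dest).version
            findings.append(f"IPv{version} leak: {dest} is routed via {dev}")
    return findings

# Constructed sample: tunnel wg0 is up, but DNS and IPv6 still leave via wlan0.
SAMPLE_ROUTES = {
    "192.168.1.1": "192.168.1.1 dev wlan0 src 192.168.1.23 uid 1000",
    "198.51.100.7": "198.51.100.7 dev wg0 table 51820 src 10.8.0.2 uid 1000",
    "2001:db8::1": "2001:db8::1 from :: via fe80::1 dev wlan0 proto ra metric 600",
}
SAMPLE_RESOLV = "# constructed resolv.conf\nnameserver 192.168.1.1\n"
print("\n".join(find_leaks("wg0", ["198.51.100.7", "2001:db8::1"], SAMPLE_RESOLV,
                           lambda dest: SAMPLE_ROUTES.get(dest, ""))))
```

On a real machine, call `find_leaks` without the last argument and pass the contents of `/etc/resolv.conf`; an empty list means every checked path goes through the tunnel interface.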
