
Complete VPN Guide

How VPNs work, what they actually protect, what they don't — and how to verify yours is working correctly.

15 min read · Privacy and security · Updated 2026

What is a VPN?

A VPN — Virtual Private Network — is a technology that creates a private, encrypted connection between your device and a server operated by the VPN provider. All your internet traffic is routed through this server before reaching the open internet.

The result: websites and services you visit see the VPN server's IP address, not yours. Your Internet Service Provider (ISP) can see that you're connected to a VPN, but cannot see what you're doing. Anyone monitoring the network between you and the VPN server — on a public WiFi hotspot, for example — sees only encrypted data that's meaningless without the decryption key.

VPNs were originally developed for corporate use — allowing employees to securely access company resources from remote locations. Consumer VPNs grew significantly over the past decade as awareness of online privacy issues increased and the technology became much simpler to use.

What happens to your traffic without a VPN

Understanding what a VPN protects requires understanding what your traffic looks like without one. Every connection you make passes through multiple parties — and each one can observe certain aspects of your traffic.

Your ISP can see

  • Every DNS lookup you make (all domains you visit)
  • Destination IP addresses and connection times
  • Volume of data transferred
  • Unencrypted HTTP traffic content
  • Connection metadata even for HTTPS traffic

Websites can see

  • Your real IP address and approximate location
  • Your browser fingerprint
  • Device type and operating system
  • Referral source and browsing behavior
  • Time on site and interaction patterns

On public WiFi, attackers can see

  • Unencrypted HTTP traffic (forms, cookies)
  • DNS lookups (which sites you're visiting)
  • Connection metadata for HTTPS traffic
  • Patterns that reveal what apps you're using

With a VPN, the picture changes

  • ISP sees only: VPN connection, encrypted data volume
  • Websites see: VPN server IP, not yours
  • Public WiFi attackers see: encrypted tunnel only
  • The VPN provider sees everything (trust is shifted)

How VPNs actually work — technically

A VPN connection involves several cryptographic operations working together to secure your data. Understanding the basics helps you evaluate VPN providers' claims and spot weaknesses.

  1. Handshake and key exchange — When you connect to a VPN server, your client and the server perform a cryptographic handshake. This typically uses asymmetric cryptography (such as RSA or Elliptic Curve Diffie-Hellman) to securely agree on a shared session key without that key ever being transmitted over the network. This is the same principle used by HTTPS.
  2. Authentication — Both sides verify each other's identity. Your client authenticates to the server using credentials (username/password, certificate, or pre-shared key). The server presents a certificate proving it is who it claims to be, preventing man-in-the-middle attacks.
  3. Encrypted tunnel creation — Once authenticated, the VPN establishes an encrypted tunnel using a symmetric cipher like AES-256. Your device sends all traffic through a virtual network interface, where it's encrypted before leaving your device.
  4. Encapsulation — Your original internet packets (with their original destination IP addresses) are wrapped inside new packets addressed to the VPN server. The VPN server receives these, decrypts them, and forwards the original requests to the internet on your behalf.
  5. Return path — Responses from websites arrive at the VPN server, which encrypts them and sends them back through the tunnel to your device. Your device decrypts the response and displays it — all in milliseconds.
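The five steps above, as an added Node.js sketch that is not taken from any VPN product: an ephemeral X25519 exchange signed by a server identity key, a session key derived with HKDF, and ChaCha20-Poly1305 encapsulation of an inner packet. The function names, the "demo-tunnel" label, the Ed25519 key standing in for the server certificate, and all addresses (documentation ranges) are assumptions made for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Public keys travel as DER bytes so they can be sent and signed.
const pubBytes = (key) => key.export({ type: "spki", format: "der" });

// Step 2: the server signs its ephemeral public key with a long-term Ed25519
// identity key (assumed stand-in for the certificate described above).
function serverHello(identityPrivateKey, eph) {
  const ephPub = pubBytes(eph.publicKey);
  return { ephPub, sig: nodeCrypto.sign(null, ephPub, identityPrivateKey) };
}

// The client checks the signature first, so a substituted key is rejected.
function verifyHello(hello, pinnedIdentityPublicKey) {
  if (!nodeCrypto.verify(null, hello.ephPub, pinnedIdentityPublicKey, hello.sig))
    throw new Error("server authentication failed");
  return nodeCrypto.createPublicKey({ key: hello.ephPub, type: "spki", format: "der" });
}

// Step 1: both sides compute the same secret locally; it never crosses the network.
function sessionKey(myPrivateKey, peerPublicKey) {
  const shared = nodeCrypto.diffieHellman({ privateKey: myPrivateKey, publicKey: peerPublicKey });
  return Buffer.from(nodeCrypto.hkdfSync("sha256", shared, Buffer.alloc(0), "demo-tunnel", 32));
}

// Steps 3-4: encrypt the inner packet, wrap it for the VPN server (nonce must never repeat per key).
function encapsulate(key, counter, innerPacket, vpnServerIp) {
  const nonce = Buffer.alloc(12);
  nonce.writeBigUInt64BE(BigInt(counter), 4);
  const c = nodeCrypto.createCipheriv("chacha20-poly1305", key, nonce, { authTagLength: 16 });
  const body = Buffer.concat([c.update(innerPacket), c.final()]);
  return { dst: vpnServerIp, nonce, body, tag: c.getAuthTag() };
}

// Steps 4-5: the receiver decrypts; final() throws if the packet was altered.
function decapsulate(key, outer) {
  const d = nodeCrypto.createDecipheriv("chacha20-poly1305", key, outer.nonce, { authTagLength: 16 });
  d.setAuthTag(outer.tag);
  return Buffer.concat([d.update(outer.body), d.final()]);
}

// Constructed demo: fresh keys per session, one inner packet through the tunnel.
function demo() {
  const id = nodeCrypto.generateKeyPairSync("ed25519");
  const srv = nodeCrypto.generateKeyPairSync("x25519"), cli = nodeCrypto.generateKeyPairSync("x25519");
  const kClient = sessionKey(cli.privateKey, verifyHello(serverHello(id.privateKey, srv), id.publicKey));
  const outer = encapsulate(kClient, 1, Buffer.from("dst=203.0.113.10 GET /"), "198.51.100.7");
  return decapsulate(sessionKey(srv.privateKey, cli.publicKey), outer).toString();
}
```

An observer on the path sees only the outer `dst` and ciphertext; the inner destination is recoverable only with the session key.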

VPN encryption explained

Encryption is what makes VPN traffic unreadable to eavesdroppers. Here are the key terms you'll encounter when evaluating a VPN.

AES-256

The gold standard for symmetric encryption. Used by governments, militaries, and financial institutions worldwide. A 256-bit key means 2²⁵⁶ possible combinations — computationally infeasible to brute-force. AES-256-GCM is preferred as it also provides data integrity verification.

Perfect Forward Secrecy (PFS)

A critical feature that generates new encryption keys for each session. If one session key is ever compromised, past sessions remain protected. Look for VPNs that use ephemeral key exchanges (ECDHE, DHE) to ensure PFS.

ChaCha20-Poly1305

An alternative to AES that performs better on devices without hardware AES acceleration (older phones, some embedded devices). Used by WireGuard and some configurations of OpenVPN. Considered as secure as AES-256-GCM.

HMAC Authentication

Ensures that VPN packets haven't been tampered with in transit. Uses a hash function (typically SHA-256 or SHA-512) to compute a message authentication code. If the HMAC doesn't match, the packet is discarded — protecting against replay and injection attacks.

VPN protocols compared

The protocol determines how the encrypted tunnel is created and maintained. Different protocols make different tradeoffs between speed, security, and compatibility.

Protocol      Security    Speed       Best for
WireGuard     Excellent   Very fast   Modern devices — recommended default
OpenVPN       Excellent   Medium      Maximum compatibility and auditability
IKEv2/IPsec   Excellent   Fast        Mobile — great reconnection on network changes
SSTP          Good        Medium      Windows environments, firewall traversal
L2TP/IPsec    Fair        Medium      Legacy support only
PPTP          Broken      Fast        Do not use — cryptographically compromised

WireGuard in depth

WireGuard is the newest major VPN protocol, released in 2019. Its codebase is just ~4,000 lines — compared to OpenVPN's ~100,000 — making it much easier to audit for security vulnerabilities. It uses modern cryptographic primitives (ChaCha20, Curve25519, BLAKE2s) and typically outperforms OpenVPN by 2–4x in throughput. Most major VPN providers now support it.

OpenVPN in depth

OpenVPN has been the industry standard for over a decade. It runs over TCP or UDP on any port — making it effective at bypassing firewalls that block VPN traffic. Being open-source and widely audited makes it a trusted choice for high-security use cases. The main downside is overhead: it's slower than WireGuard and uses more battery on mobile devices.

Types of VPNs

The term "VPN" covers different use cases. Understanding the distinctions helps you choose the right solution for your needs.

Consumer privacy VPN

Services like Mullvad, ProtonVPN, or ExpressVPN are designed for individuals who want to protect their privacy, mask their IP address, or access geo-restricted content. They operate servers in many countries and offer simple apps. This is what most people mean when they say "a VPN."

Corporate remote access VPN

Allows employees to connect to their company's internal network from anywhere. Common solutions include Cisco AnyConnect, Palo Alto GlobalProtect, and Pulse Secure. Traffic is routed through the company's data center, where corporate security policies are applied. This VPN is for work, not personal privacy.

Site-to-site VPN

Connects two or more networks permanently — for example, a company's main office and a branch office. Devices on either side can communicate as if they were on the same local network. Managed at the router or firewall level, not individual devices. Common in enterprise environments.

Self-hosted VPN

Advanced users can run their own VPN server using tools like WireGuard, OpenVPN Access Server, or Tailscale. This eliminates the need to trust a third-party VPN provider — useful if you trust your own server environment more than a commercial service. Best for accessing your home network remotely.

What VPNs don't protect you from

VPN marketing often overstates protections. Understanding what a VPN actually does and doesn't do prevents dangerous overconfidence in your security posture.

Browser fingerprinting

Websites can identify you using your browser's configuration — screen resolution, installed fonts, time zone, language settings, and more — without using your IP address at all. A VPN does nothing to prevent this.

Logged-in accounts

When you're signed into Google, Facebook, or any other service, they know who you are regardless of your IP address. A VPN doesn't prevent these platforms from tracking your activity when you're authenticated.

Malware and phishing

A VPN does not protect your device from malicious software you download, or from phishing sites that trick you into entering your credentials. These threats operate at the application layer, above the network layer where VPNs work.

The VPN provider itself

All your traffic passes through the VPN provider's servers. If they log and share data, or if they're compelled by law enforcement, your privacy is compromised. You're shifting trust from your ISP to your VPN provider — not eliminating trust entirely.

How to choose a VPN

The VPN market is crowded with hundreds of providers, many making identical claims. Here's how to separate trustworthy services from marketing noise.

Must-have features

  • Independently audited no-logs policy
  • Strong encryption (AES-256 or ChaCha20)
  • WireGuard or OpenVPN protocol support
  • Kill switch (blocks internet if VPN drops)
  • DNS leak protection
  • IPv6 leak protection
  • Transparent ownership and jurisdiction

Red flags to avoid

  • Claims of "100% anonymous" or "military-grade" without specifics
  • No independent security audits
  • Free VPNs with no clear business model
  • Headquartered in high data-retention jurisdictions
  • History of logging despite claims otherwise
  • Owned by data brokers or adtech companies
  • Only supports PPTP or L2TP protocols

The no-logs question

"No logs" is the most important claim in VPN marketing and the hardest to verify. Look for providers that have submitted to independent third-party audits of their infrastructure and policies — not just their client app. Real-world tests also matter: providers that have received government requests and couldn't hand over user data (because they had none) provide much stronger evidence than any marketing claim.

How to verify your VPN is actually protecting you

Connecting to a VPN is not enough — you need to verify that it's working correctly and not leaking your real information. Three types of leaks can expose you even when connected to a VPN.

IP leak test

Verify that websites see the VPN server's IP address, not your real one. Check our IP lookup tool while connected to your VPN.


DNS leak test

Verify that DNS lookups are routed through the VPN, not your ISP's servers. DNS leaks reveal your browsing activity even when your IP is hidden.


WebRTC leak test

WebRTC — used for video calls and P2P — can bypass VPNs and reveal your real IP via JavaScript. This is a browser-level issue that VPN clients often can't prevent.


Testing procedure

  1. Note your real IP address without the VPN connected.
  2. Connect to your VPN and choose a server in a different country.
  3. Run each leak test above and confirm the displayed IP matches the VPN server, not your real IP.
  4. Disconnect and reconnect to test the kill switch — internet traffic should stop entirely while the VPN reconnects.
  5. Repeat periodically, as provider updates can sometimes introduce regressions.
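The comparison in steps 1 to 3, as an added example that is not part of the original guide: it takes the baseline recorded without the VPN and the values observed with it connected, then reports IP, DNS and WebRTC leaks, parsing the ICE candidate lines a browser's RTCPeerConnection reports. The function names and all sample values (documentation address ranges) are constructed for illustration.

```javascript
// Parse one ICE candidate line: foundation component transport priority
// address port "typ" type [raddr <address> rport <port>] ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").replace(/^candidate:/, "").split(/\s+/);
  if (f.length < 8 || f[6] !== "typ") return null;
  const r = f.indexOf("raddr");
  return { address: f[4], type: f[7], related: r > 0 ? f[r + 1] : null };
}

// baseline: measured without the VPN (step 1). observed: measured with it (step 3).
function findLeaks(baseline, observed) {
  const real = new Set(baseline.addresses.map((a) => a.toLowerCase()));
  const ispDns = new Set(baseline.dnsResolvers);
  const leaks = [];
  for (const ip of observed.addresses)
    if (real.has(ip.toLowerCase())) leaks.push({ kind: "ip", value: ip });
  for (const resolver of observed.dnsResolvers)
    if (ispDns.has(resolver)) leaks.push({ kind: "dns", value: resolver });
  for (const line of observed.iceCandidates) {
    const c = parseCandidate(line);
    if (!c) continue;
    // Both the candidate address and its related address can expose the real IP.
    for (const addr of [c.address, c.related])
      if (addr && real.has(addr.toLowerCase()))
        leaks.push({ kind: "webrtc", value: addr, type: c.type });
  }
  return leaks;
}

// Constructed sample: the public IP is masked, but one ISP resolver is still
// in use and WebRTC exposes the real IPv4 and IPv6 addresses.
const SAMPLE_BASELINE = {
  addresses: ["203.0.113.45", "2001:db8::1234"],
  dnsResolvers: ["192.0.2.53"],
};
const SAMPLE_OBSERVED = {
  addresses: ["198.51.100.7"],
  dnsResolvers: ["198.51.100.53", "192.0.2.53"],
  iceCandidates: [
    "candidate:1 1 udp 2113937151 6f1c2e0a-demo.local 54321 typ host",
    "candidate:2 1 udp 1677729535 203.0.113.45 54321 typ srflx raddr 0.0.0.0 rport 0",
    "candidate:3 1 udp 2122262783 2001:DB8::1234 54321 typ host",
  ],
};
```

An empty result from `findLeaks` means none of the baseline values reappeared; any entry names the leak type to fix before relying on the VPN.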

Advanced VPN features worth knowing

Split tunneling

Allows you to choose which apps or destinations go through the VPN and which use your regular connection. Useful for accessing local network resources (printers, home storage) while routing sensitive browsing through the VPN. Available in most premium VPN clients.

Kill switch

Blocks all internet traffic if the VPN connection drops unexpectedly. Without a kill switch, your device reverts to your real IP the moment the VPN disconnects — potentially exposing you during the reconnection window. This feature should always be enabled.

Multi-hop (Double VPN)

Routes traffic through two VPN servers in different countries. The first server knows your real IP but not your destination; the second knows the destination but not your real IP. Significantly slower, but useful for very high-risk scenarios.

Obfuscation

Some VPNs can disguise their traffic to look like regular HTTPS. This helps bypass deep packet inspection (DPI) used by ISPs or governments to block VPN usage. Important in countries with restrictive internet policies, or networks that actively block VPN protocols.

Common VPN myths debunked

"A VPN makes me completely anonymous."

A VPN hides your IP address and encrypts your traffic, but it doesn't make you anonymous. Browser fingerprinting, logged-in accounts, cookies, and tracking pixels can still identify you. Anonymity requires layered techniques — a VPN is one piece, not the whole solution.

"Free VPNs are just as good as paid ones."

Running VPN infrastructure is expensive. Free VPNs sustain themselves somehow — typically by logging and selling your browsing data to advertisers, showing ads, or imposing bandwidth limits that make them impractical. Studies have found some free VPNs contain malware. The cost of a quality paid VPN ($3–8/month) is much less than the value of your browsing data.

"VPNs are illegal."

VPNs are legal in most countries and are used daily by businesses, remote workers, and security professionals. They are restricted or banned in some authoritarian countries (China, Russia, Iran), but legal use of VPNs for privacy and security is widely accepted internationally.

"A VPN protects me from viruses and hackers."

A VPN is a network privacy tool, not a security product. It cannot detect malware, block phishing sites, or stop you from being hacked through application vulnerabilities. You still need an updated operating system, good security practices, and potentially antivirus software.

Key takeaways

  • A VPN creates an encrypted tunnel that hides your IP and traffic from your ISP and local networks.
  • WireGuard is the recommended modern protocol — fast, secure, and easy to audit.
  • A kill switch and DNS leak protection are essential features — verify they work.
  • VPNs shift trust from your ISP to your VPN provider — choose one with audited no-logs claims.
  • VPNs don't prevent fingerprinting, protect logged-in accounts, or stop malware.
  • Always test your VPN for IP, DNS, and WebRTC leaks after setup.