What is a VPN? A VPN (Virtual Private Network) is a technology that creates an encrypted tunnel between a device and a network over an untrusted intermediate network like the public internet. The tunnel makes the device’s traffic look (from the outside) like ordinary encrypted traffic between two endpoints; what’s inside the tunnel is private and protected from inspection by anyone watching along the route. VPNs were originally a business technology for connecting remote employees to corporate networks; they’ve since become a mainstream consumer product for privacy, geo-restriction circumvention, and security on untrusted networks like coffee-shop WiFi.
This post walks through what a VPN actually does, the two major use cases (corporate remote access and consumer privacy/security), what VPNs protect against and what they don’t, the difference between common VPN protocols, and how to think about choosing a VPN for the right reason.
What a VPN actually does
A VPN does three things technically:
- Encrypts the traffic between the device and the VPN endpoint, so anyone watching the network in between (the WiFi access point, the internet service provider, anyone monitoring at intermediate hops) sees only encrypted data.
- Tunnels the traffic through the encrypted connection, so the traffic appears (from the outside) to be a single encrypted stream between the device and the VPN endpoint, regardless of what’s actually being sent.
- Reassigns the apparent source of the traffic to the VPN endpoint. Websites and services receiving the traffic see the VPN endpoint’s IP address, not the device’s original IP address.
The combination is what gives VPNs their characteristic properties. The encryption protects the content. The tunneling hides the specific destinations and protocols being used. The source reassignment changes how the traffic appears to its eventual destination, which is useful for both privacy (hiding the user’s location from the destination) and for accessing resources that are restricted by network location (corporate networks, region-locked content).
The two major use cases
Corporate VPN: remote access to internal resources
The original VPN use case is connecting remote employees to a corporate network as if they were physically in the office. A traveling salesperson, a work-from-home employee, or a contractor establishes a VPN connection from their laptop to the company’s VPN endpoint. Through that tunnel, they can access internal file servers, internal applications, internal databases, and other resources that aren’t published to the public internet.
The corporate VPN model assumes a hard perimeter: trusted internal network, untrusted external internet, VPN as the controlled gateway between them. For decades this was the standard remote-work architecture. Modern enterprise security is moving toward zero-trust models that don’t rely on the network perimeter (where every access request is evaluated regardless of network location), but corporate VPNs remain widely deployed and will be for years.
Common corporate VPN products include traditional IPSec/SSL VPN appliances from vendors like Cisco, Palo Alto, Fortinet, Check Point, and SonicWall, as well as cloud-delivered options that overlap with the broader zero-trust networking category.
Consumer VPN: privacy, security on untrusted networks, geo-restriction
The consumer VPN market is a different beast. Consumer VPN services (NordVPN, ExpressVPN, Surfshark, Mullvad, Proton VPN, and many others) sell subscriptions that let users route their internet traffic through the VPN provider’s servers in various countries. The use cases:
- Security on untrusted networks: when connecting from coffee-shop WiFi, hotel WiFi, or other networks that might be monitored or compromised, a VPN encrypts the traffic so a network-level attacker can’t see what the user is doing.
- Privacy from ISPs: in jurisdictions where ISPs can monitor or sell browsing data, a VPN hides the actual traffic from the ISP (the ISP sees only encrypted traffic to the VPN endpoint).
- Geo-restriction circumvention: streaming services and other geographically-restricted content can be accessed from regions other than the user’s actual location by connecting to a VPN endpoint in the allowed region.
- Avoiding surveillance and censorship: in countries where the government monitors or restricts internet use, VPNs (sometimes combined with specialized obfuscation tools) provide a layer of protection.
The consumer VPN market has grown substantially over the past decade. The marketing for these products often overstates the privacy benefits; the actual benefits are real but more nuanced than the advertising suggests.
What VPNs protect against (and what they don’t)
VPNs are useful for specific threats and not useful for others. Knowing the difference avoids both false confidence and unnecessary cost.
What VPNs protect against:
- Network-level eavesdropping on untrusted WiFi (coffee shops, airports, hotels). A network-level attacker can’t read your traffic if it’s encrypted.
- ISP-level monitoring of browsing destinations and content. The ISP sees encrypted traffic to the VPN endpoint, not the actual destinations.
- Exposure of your real IP address to destination websites and services. The VPN endpoint’s IP is what they see.
- Geographic restrictions enforced by IP address.
- Casual tracking that relies on IP-address persistence.
What VPNs do NOT protect against:
- Malware on the device. A VPN encrypts traffic in transit; it doesn’t scan for or block malicious software.
- Phishing. A VPN doesn’t change the content of the websites you visit; if you enter your password on a phishing site, the VPN doesn’t help.
- Browser fingerprinting. Modern web tracking uses many signals besides IP address (browser characteristics, screen size, fonts, behavior patterns). A VPN changes the IP but not the rest.
- Logged-in account tracking. If you’re signed into Google or Facebook through a VPN, those services know it’s you regardless of your IP address.
- Cookies and persistent identifiers. Cookies set before you connected via VPN continue to identify you afterward.
- Surveillance by the VPN provider itself. The VPN provider can see all your traffic (since it’s the endpoint that decrypts and forwards it). The provider’s logging and privacy practices matter a lot.
- Strong adversaries who can observe traffic at both ends of the VPN (entry point and exit point). For threats at the level of nation-state intelligence services, basic VPNs are not sufficient defense.
The consumer VPN marketing pitch of "complete online privacy" overstates what the technology actually delivers. VPNs are useful tools for specific threat models; they’re not a complete privacy solution.
VPN protocols (in plain English)
A few protocol names show up consistently in VPN documentation:
OpenVPN is a long-standing open-source VPN protocol. Mature, widely supported, configurable. Used by many commercial VPN services and most corporate VPN deployments. Performance is good but not the fastest available.
WireGuard is a newer protocol (designed in the late 2010s, mainstream by the early 2020s) that focuses on simplicity, security, and performance. The codebase is much smaller than OpenVPN’s (often cited as easier to audit), and the performance is typically faster. Most modern consumer VPN services have moved to WireGuard or a proprietary protocol derived from it.
IPSec is the underlying protocol for many corporate VPN deployments (often combined with IKEv2 for the key exchange). Mature, widely supported by network hardware vendors, but more complex to configure than newer alternatives.
SSL/TLS-based VPNs (often called SSL VPN or clientless VPN) tunnel traffic through standard TLS connections. The advantage is that they work through firewalls that allow HTTPS traffic, which is more or less everywhere. Common in corporate remote-access scenarios.
For most consumer use, the protocol choice is invisible (the VPN provider picks defaults that work). For corporate deployments, the protocol is a design decision driven by compatibility, performance, and security requirements.
Choosing a VPN for the right reason
Before subscribing to a consumer VPN service, the useful question is: what specific threat or use case are you trying to address?
- If the answer is “security on coffee-shop WiFi,” a VPN is a reasonable tool, though modern HTTPS adoption means much of this risk has already been addressed by the browser; the marginal protection from a VPN is smaller than it was a decade ago.
- If the answer is “accessing region-restricted content,” a VPN is the right tool. Be aware that some streaming services actively block known VPN endpoints, and the cat-and-mouse game between VPN providers and content providers is ongoing.
- If the answer is “privacy from my ISP,” a VPN helps with that specific threat, with the caveat that you’re now trusting the VPN provider instead of the ISP. The trust transfer is meaningful; pick a VPN provider with a strong, audited privacy posture.
- If the answer is “complete online privacy,” a VPN alone won’t deliver that. Browser hardening, search engine choice, account hygiene, and other practices matter more than the VPN for many privacy goals.
- If the answer is “remote access to my employer’s resources,” use the corporate VPN your employer provides. Don’t substitute a consumer VPN; it won’t give you access to internal resources, and it may violate corporate security policy.
The mismatch between what consumer VPN marketing promises and what VPNs actually deliver is significant. Used for the right reason, VPNs are useful. Used as a generic privacy panacea, they overpromise.
Frequently Asked Questions
Is a VPN the same as a proxy?
Both route your traffic through an intermediate server, but they’re not the same. A proxy typically handles a single protocol (often HTTP/HTTPS) and may not encrypt the traffic between your device and the proxy. A VPN typically handles all your network traffic (every application, every protocol) and always encrypts the tunnel. VPNs are more comprehensive; proxies are simpler and often faster for their narrower use case.
Will a VPN slow down my internet connection?
Yes, modestly. The encryption and the additional hop to the VPN endpoint add latency and reduce throughput compared to a direct connection. The slowdown is often 10–30% on a modern VPN with WireGuard or a good OpenVPN configuration, more if the VPN endpoint is geographically distant or the provider’s infrastructure is under-resourced. For most browsing, video streaming, and routine work, the slowdown is barely noticeable. For latency-sensitive work like gaming or video calls, the difference is more apparent.
Are free VPNs safe to use?
Generally not, with some exceptions. The fundamental issue is that operating a VPN service has real costs (servers, bandwidth, support), and free services usually monetize through ads, data collection, or worse. Some free VPNs have been shown to log user traffic, inject ads, sell user data, or contain malware. The exceptions are reputable services that offer limited free tiers as a path to paid subscriptions (Proton VPN, Windscribe, and a handful of others). The principle: if you’re not paying for the product, understand how the provider is monetizing.
Do I need a VPN if I’m using HTTPS everywhere?
HTTPS encrypts the content of your web traffic, so an eavesdropper on the network can’t see the page content or the data you send. HTTPS does NOT hide which websites you’re connecting to (the DNS lookups and TLS handshake reveal the hostnames) and does NOT hide your IP address from the websites you visit. A VPN adds those layers. For many users, the value of a VPN beyond HTTPS is modest in normal use and larger in specific contexts (untrusted networks, privacy-sensitive browsing, geo-restriction needs).
Is using a VPN legal?
In most countries, yes. A handful of jurisdictions (China, Russia, Iran, North Korea, a few others) restrict or ban VPN use, and using a VPN there can carry legal risk. In Western countries and most of the world, VPN use for legitimate purposes is unambiguously legal. Using a VPN to commit a crime is still a crime; the VPN doesn’t change the underlying legality of the activity it carries.
