What a VPN Actually Does
A Virtual Private Network creates an encrypted tunnel between your device and a VPN server. All your network traffic — HTTP requests, DNS lookups, everything — goes through this tunnel instead of directly to the internet.
- Your IP address appears to be the VPN server's IP address, not yours
- Your geographic location appears to be wherever the VPN server is
- Your ISP cannot see which sites you're visiting (they only see encrypted traffic to the VPN server)
- Your ISP can see that you're connected to a VPN server
- It cannot see what you're doing through the tunnel
- It can see how much data you're transferring
The Technical Mechanism
Modern VPNs use one of several protocols:
**WireGuard** — the current standard. A lean protocol (~4,000 lines of code vs OpenVPN's ~70,000) using ChaCha20 for encryption and Curve25519 for key exchange. Fast, secure, and auditable.
**OpenVPN** — mature, widely supported, uses TLS. Slower than WireGuard but battle-tested.
**IKEv2/IPSec** — fast and good for mobile (handles network switching well). Often built into operating systems.
The tunnel itself uses a combination of asymmetric cryptography (to establish the connection and exchange keys) and symmetric encryption (to encrypt the actual traffic stream — typically AES-256 or ChaCha20).
What a VPN Actually Protects Against
**Your ISP monitoring your browsing.** Without a VPN, your ISP can see every domain you visit (they can read unencrypted DNS requests and see the server name in the TLS SNI field). With a VPN, they only see the VPN server.
**Surveillance on untrusted networks.** On a public WiFi network, someone performing a man-in-the-middle attack can intercept unencrypted traffic. A VPN prevents this by encrypting everything between your device and the VPN server.
**IP-based geolocation and region locking.** Services that serve different content based on IP (streaming libraries, pricing) see the VPN server's location.
**Basic IP address logging by websites.** Your residential IP address isn't logged by the sites you visit.
What a VPN Does NOT Protect Against
**Browser fingerprinting.** Your browser fingerprint (screen size, fonts, installed plugins, canvas/WebGL output) uniquely identifies you regardless of IP address. A VPN changes your IP; it doesn't change your fingerprint.
**Logged-in account tracking.** If you're logged into Google, Facebook, or any account while using a VPN, those services know it's you. Your IP is one signal among many.
**Tracking cookies and supercookies.** Cookies persist across VPN connections. A tracker that placed a cookie before you connected to the VPN still recognises you.
**DNS leaks.** Some VPN configurations allow DNS requests to bypass the tunnel, leaking the domains you visit to your ISP's DNS resolver. Check for DNS leaks after connecting.
**The VPN provider itself.** You're shifting trust from your ISP to the VPN provider. A VPN that logs your activity and hands it to law enforcement provides limited privacy. "No-logs" policies are hard to verify — prefer providers that have been independently audited or had their infrastructure seized without useful data being recovered.
**HTTPS content.** HTTPS already encrypts your traffic. A VPN doesn't add meaningful protection to HTTPS content beyond hiding which domains you're visiting.
Threat Modelling VPN Use
A VPN is a good fit for:
- Hiding browsing from your ISP (streaming, politics, healthcare searches)
- Using untrusted networks (hotels, airports, cafes)
- Bypassing geographic restrictions
- Preventing basic IP-based tracking
A VPN alone is not enough for:
- Hiding activity from a government (traffic analysis, correlation attacks)
- Preventing tracking by major platforms you're logged into
- Fingerprinting resistance
For stronger anonymity, Tor routes traffic through multiple hops run by different operators, so no single party can correlate your source IP with your destination. The trade-off is significantly lower speed.
NoxaKit's IP Address Privacy Checker shows what information is visible from your IP address.