What Does a VPN Actually Protect?
What a VPN Actually Does
VPN marketing has done a remarkable job convincing people that flipping a switch makes you invisible online. The truth is far less dramatic, and understanding the gap between marketing and reality is essential for anyone who cares about their privacy.
A Virtual Private Network creates an encrypted tunnel between your device and a server operated by the VPN provider. All your internet traffic travels through this tunnel before reaching its final destination. That is fundamentally all it does. The implications of this simple mechanism are significant, but they are also limited in specific and important ways.
When you connect to a VPN, your device establishes an encrypted session with the VPN server. From that point forward, anyone sitting between you and that server (your ISP, your network administrator, someone on the same coffee shop WiFi) sees only encrypted gibberish. They can tell you are connected to a VPN server, but they cannot read the contents of your traffic or determine which websites you are visiting.
The Encryption Tunnel
sequenceDiagram
participant Device as Your Device
participant VPN as VPN Server
participant ISP as Your ISP
participant Site as Website
Device->>ISP: Encrypted VPN traffic
Note over ISP: Can see VPN connection<br/>Cannot read contents
ISP->>VPN: Encrypted VPN traffic
VPN->>VPN: Decrypts your traffic
VPN->>Site: Normal HTTPS request
Note over Site: Sees VPN server IP<br/>Not your real IP
Site->>VPN: Response
VPN->>ISP: Encrypted response
ISP->>Device: Encrypted response
How traffic flows through a VPN tunnel - your ISP sees encrypted data, the website sees the VPN server's IP address
The encryption used by modern VPN protocols is strong. WireGuard uses ChaCha20-Poly1305 for authenticated encryption and Curve25519 for key exchange, with no cipher negotiation at all. OpenVPN is typically configured with AES-256-GCM. None of this is getting broken by your ISP or by someone sniffing WiFi packets at the airport. The encryption itself is not the weak link in the VPN privacy model.
The real question is not whether the tunnel is secure. It is what happens at both ends of it.
What Your ISP Sees (and Stops Seeing)
Without a VPN, your Internet Service Provider has a remarkably complete picture of your online activity. Even with HTTPS encrypting the content of your connections, your ISP can see every domain you visit through DNS queries (unless you use encrypted DNS), the IP addresses you connect to, the timing and volume of your connections, and the SNI (Server Name Indication) field of the TLS handshake, which carries the hostname in the clear unless both the site and your browser support Encrypted Client Hello.
This is not theoretical. In the United States, Congress repealed the FCC's broadband privacy rules in 2017 before they took effect, removing the opt-in consent requirement that would have stopped ISPs from selling customer browsing data. In the UK, the Investigatory Powers Act requires ISPs to retain internet connection records for 12 months. In Australia, mandatory data retention laws require ISPs to store metadata for two years.
A VPN collapses all of this visibility into a single data point: you are connected to a VPN server. Your ISP can see how much data you transfer and when, but the destination information disappears into the encrypted tunnel.
This is a genuine and meaningful privacy improvement for anyone whose threat model includes ISP surveillance or data collection.
Protection on Local Networks
The other scenario where VPNs provide clear value is on untrusted local networks. Public WiFi at hotels, airports, coffee shops, and conferences presents a real attack surface. While HTTPS protects the content of most web connections, an attacker on the same network can still observe DNS queries, see which servers you connect to, and potentially exploit unencrypted services running on your device.
A VPN eliminates local network surveillance entirely. Everything leaves your device encrypted, bound for the VPN server. The local network operator and anyone else on that network sees nothing useful.
For security researchers doing work at conferences like DEF CON, where network attacks are basically a spectator sport, a VPN is not optional. It is baseline operational security.
The Trust Shift Problem
Here is the part that VPN marketing conveniently omits: a VPN does not eliminate surveillance. It moves it. Instead of your ISP seeing your traffic, your VPN provider sees your traffic. You have not removed a trusted intermediary. You have replaced one with another.
graph TD
subgraph Without_VPN["Without VPN"]
A[Your Device] -->|DNS queries visible| B[ISP]
A -->|SNI headers visible| B
A -->|Connection metadata| B
B -->|Can log/sell data| C[Destination]
end
subgraph With_VPN["With VPN"]
D[Your Device] -->|Encrypted tunnel| E[VPN Provider]
E -->|Sees all traffic| F[Destination]
G[ISP] -->|Sees only VPN connection| E
end
subgraph Trust_Question["The Question"]
H{Who do you trust more?}
H --> I[Your ISP]
H --> J[Your VPN Provider]
end
A VPN shifts trust from your ISP to your VPN provider - the surveillance capability does not disappear
The question becomes: do you trust your VPN provider more than your ISP? That is not always an easy question to answer. Your ISP is a regulated entity in a known jurisdiction with a physical address. Many VPN providers are shell companies registered in offshore jurisdictions with no meaningful oversight.
"No-logs" policies are marketing claims, not technical guarantees. Several VPN providers who advertised strict no-logs policies have been caught logging user data when compelled by law enforcement. IPVanish provided connection logs to the Department of Homeland Security in 2016 despite advertising a zero-logs policy. PureVPN provided logs to the FBI in 2017 under similar circumstances.
Some providers have undergone independent audits of their infrastructure to verify their no-logs claims. This is better than nothing, but an audit is a snapshot in time, not a continuous guarantee. Infrastructure can change the day after an audit concludes.
What a VPN Does Not Protect
The list of things a VPN does not protect against is long and important. Understanding these limitations is more valuable than understanding VPN benefits, because false confidence is worse than no confidence at all.
Website tracking and fingerprinting. When you visit a website through a VPN, the website still sees your browser fingerprint, your cookies, your login state, and everything you do on the site. Google can still track you across the web. Facebook still knows what pages you visit with their tracking pixel. A VPN changes your IP address, but modern tracking relies far less on IP addresses than most people assume.
Malware and phishing. A VPN encrypts your traffic. It does not inspect it. If you download malware or enter your credentials on a phishing site, the VPN dutifully encrypts that activity along with everything else. Some VPN providers offer DNS-based ad and malware blocking, but this is a bolt-on feature, not a core VPN function.
Application-level data collection. The apps on your phone collect and transmit data about your behavior regardless of whether you use a VPN. A VPN changes the source IP of those transmissions but does nothing about the data itself. Your phone's advertising ID, location data from GPS, and app telemetry all flow through the VPN tunnel unchanged.
Correlation attacks. A sufficiently motivated adversary who can observe traffic entering the VPN and traffic exiting it can correlate the two through timing and volume analysis, because encryption changes the bytes but not when they are sent or how many there are. This is relevant for state-level adversaries and is one reason Tor uses a three-hop model instead of a single-hop tunnel: no single relay sees both ends. Even Tor does not defeat an adversary who watches both ends directly.
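The correlation attack is easier to believe once you see how little it needs. The following is an added Python example, not part of the original article: it generates constructed packet timestamps for three users sharing one VPN server, produces what the same packets look like on the exit side (delayed, jittered, and presented in a different order, since addresses and sizes no longer help), and recovers which exit flow belongs to which user purely from packets-per-bin counts. The burst shapes, the 20 ms tunnel delay, and the 100 ms bin width are assumptions chosen for the simulation.

```python
import math
import random


def make_flow(rng, n_bursts=15, duration=60.0):
    """Constructed packet timestamps for one user's session: bursts of 3-12
    packets about 5 ms apart, starting at random points in the window."""
    times = []
    for _ in range(n_bursts):
        start = rng.uniform(0.0, duration - 1.0)
        for k in range(rng.randint(3, 12)):
            times.append(start + k * 0.005 + rng.uniform(0.0, 0.002))
    return sorted(times)


def through_vpn(times, rng, base_delay=0.020, jitter=0.005):
    """The same packets as seen leaving the VPN server: decrypted and
    re-sourced, so sizes and addresses differ, but still one packet per
    packet with a small delay. Timing is what survives the tunnel."""
    return sorted(t + base_delay + rng.uniform(0.0, jitter) for t in times)


def bin_counts(times, duration, bin_width):
    """Packets-per-bin time series; the observer needs counts, not contents."""
    counts = [0] * (int(duration / bin_width) + 1)
    for t in times:
        idx = int(t / bin_width)
        if 0 <= idx < len(counts):
            counts[idx] += 1
    return counts


def pearson(a, b):
    """Pearson correlation of two equal-length series."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    return cov / math.sqrt(var_a * var_b) if var_a and var_b else 0.0


def match_flows(ingress, egress, duration=60.0, bin_width=0.1):
    """For each ingress flow (ISP side), the index of the egress flow (exit
    side) whose volume series correlates best with it."""
    ing = [bin_counts(t, duration, bin_width) for t in ingress]
    eg = [bin_counts(t, duration, bin_width) for t in egress]
    return [max(range(len(eg)), key=lambda j: pearson(ing[i], eg[j]))
            for i in range(len(ing))]


def simulate(seed=7, order=(2, 0, 1)):
    """Three users share one VPN server. order[j] is the ingress flow that
    egress flow j really belongs to. Returns (ground truth, recovered)."""
    rng = random.Random(seed)
    ingress = [make_flow(rng) for _ in range(3)]
    egress = [through_vpn(ingress[i], rng) for i in order]
    truth = [order.index(i) for i in range(len(ingress))]
    return truth, match_flows(ingress, egress)


if __name__ == "__main__":
    truth, recovered = simulate()
    print("true mapping     :", truth)
    print("recovered mapping:", recovered)
```

The only defenses that actually work against this are ones that break the one-to-one timing relationship, such as constant-rate cover traffic or deliberate batching and delay, and they cost bandwidth and latency that commercial VPNs do not spend. Adding hops changes who has to be in a position to observe both ends; it does not change what an observer in that position can do.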
DNS Leaks and WebRTC Leaks
Even when a VPN is working correctly in principle, implementation details can undermine it. DNS leaks are the most common failure mode. If your device sends DNS queries outside the VPN tunnel (to your ISP's DNS resolver, for example), your ISP can still see which domains you are visiting even though the actual connections route through the VPN.
Good VPN clients force all DNS queries through the tunnel and use the provider's own DNS resolvers. Bad ones do not, and the user never knows the difference without actively testing.
WebRTC leaks are another common issue. WebRTC, the technology behind browser-based video calls and peer-to-peer connections, can reveal your real IP address even when a VPN is active. To set up peer connections it asks STUN servers which addresses it is reachable on and reports every candidate it finds: the LAN address of your WiFi adapter, and your real public address whenever the STUN request goes out over a path the VPN does not cover, most often IPv6 on a client that only tunnels IPv4.
Testing for these leaks is straightforward. Sites like dnsleaktest.com and browserleaks.com will show you exactly what is exposed, and the IPv6 result deserves as much attention as the IPv4 one. If you use a VPN and have never tested for leaks, you should assume you have them until proven otherwise.
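The web-based tests tell you whether a leak exists; the following shows why it exists, which is what you need in order to fix it. It is an added Python example, not part of the original article, and works from constructed samples of `/etc/resolv.conf` and `ip -4 route show` for a Linux laptop on an OpenVPN full-tunnel connection. It replays the kernel's longest-prefix-match routing decision for each configured resolver and flags any resolver whose queries would leave through an interface other than the tunnel. The interface names, addresses and the presence of a stale router resolver are all assumptions of the sample.

```python
import ipaddress

# Constructed /etc/resolv.conf. The VPN pushed 10.8.0.1, but the network
# manager kept the home router's resolver in the list, so queries sent to
# the second entry bypass the tunnel entirely.
RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 10.8.0.1
nameserver 192.168.1.1
"""

# Constructed `ip -4 route show` for the same host. OpenVPN's redirect-gateway
# installs the two /1 routes, which win over the WiFi default route by
# longest-prefix match; the /32 keeps the VPN server itself reachable directly.
IP_ROUTE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
203.0.113.7 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""


def parse_resolvers(resolv_conf):
    """Nameserver addresses listed in resolv.conf, in the order the libc tries them."""
    resolvers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            resolvers.append(ipaddress.ip_address(parts[1]))
    return resolvers


def parse_routes(ip_route_output):
    """(network, device) pairs from `ip route show` output."""
    routes = []
    for line in ip_route_output.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue                                   # blackhole/unreachable routes carry no device
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        network = ipaddress.ip_network(dest, strict=False)   # bare host address becomes a /32
        routes.append((network, parts[parts.index("dev") + 1]))
    return routes


def egress_device(address, routes):
    """Kernel-style longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(address)
    best = None
    for network, device in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, device)
    return best[1] if best else None


def find_dns_leaks(resolv_conf, ip_route_output, tunnel_device):
    """Resolvers whose queries would leave via an interface other than the tunnel."""
    routes = parse_routes(ip_route_output)
    return [str(r) for r in parse_resolvers(resolv_conf)
            if egress_device(r, routes) != tunnel_device]


if __name__ == "__main__":
    leaks = find_dns_leaks(RESOLV_CONF, IP_ROUTE, "tun0")
    print("resolvers that bypass the tunnel:", leaks or "none")
```

Two caveats when pointing this at a real machine. On systemd-resolved hosts `/etc/resolv.conf` usually lists only 127.0.0.53, and the per-interface resolvers that matter come from `resolvectl status`. And wg-quick does not install /1 routes; it uses a firewall mark and `ip rule` policy routing, so the main table alone does not tell the whole story and `ip route get <resolver>` is the authoritative answer for what the kernel will do.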
VPN Protocols Compared
The protocol your VPN uses matters more than most users realize. The three protocols worth considering in 2025 are WireGuard, OpenVPN, and IKEv2/IPsec.
WireGuard is the newest and leanest. Its codebase is roughly 4,000 lines of code compared to OpenVPN's 100,000+. Smaller codebases are easier to audit and less likely to contain undiscovered vulnerabilities. WireGuard is faster than OpenVPN in most scenarios and establishes connections almost instantly. The downside is that WireGuard has no built-in address assignment and keeps each peer's last known endpoint IP in memory on the server for as long as that peer is configured, which has privacy implications for a commercial provider. Privacy-focused providers work around this with double NAT and by rotating the per-session keys.
OpenVPN has been the industry standard for years. It is mature, well-audited, and extremely configurable. It runs over either TCP or UDP, making it harder to block than protocols that only use UDP. Performance is slower than WireGuard, but it remains a solid choice.
IKEv2/IPsec handles network switching gracefully thanks to MOBIKE (RFC 4555), making it a good choice for mobile devices that move between WiFi and cellular. It reconnects quickly after network changes, which is something OpenVPN handles poorly.
Avoid PPTP. Its MS-CHAPv2 authentication has been known to be weak since 1998 and has been practically breakable since 2012, when recovering the DES key from a captured handshake became a matter of hours. If your VPN provider still offers PPTP, that tells you something about their security priorities.
When a VPN Actually Matters
Given all these caveats, when should you actually use a VPN? The answer depends entirely on your threat model.
Use a VPN when:
- You are on an untrusted network (public WiFi, hotel networks, conference networks)
- You want to prevent your ISP from logging your browsing activity
- You need to access resources on a private network remotely (the original use case for VPNs)
- You are in a jurisdiction where certain content is blocked at the ISP level
- You are doing security research and need to separate your research traffic from your personal traffic
A VPN will not help when:
- You are trying to be anonymous online (use Tor instead)
- You are trying to prevent tracking by websites you visit
- You are trying to protect against malware or phishing
- You are trying to hide activity from a state-level adversary with access to both ends of the tunnel
For security researchers and penetration testers, a VPN is one layer in a broader operational security strategy. If you are testing wireless networks with a tool like the BLEShark Nano, a VPN protects your upstream internet traffic while you work. But the VPN is not doing the security research - it is just keeping your internet traffic private while you do it.
Practical Privacy Beyond VPNs
If you care about privacy, a VPN should be one component of a layered approach, not your entire strategy. Combine it with encrypted DNS (DNS-over-HTTPS or DNS-over-TLS), a browser configured to resist fingerprinting, an ad blocker that removes tracking scripts, and awareness of what data you share with the services you use.
Use a VPN that has been independently audited, publishes transparency reports, and operates in a jurisdiction with strong privacy laws. Pay for it with cryptocurrency or cash-purchased gift cards if you want to avoid linking your payment identity to your VPN account. And test for DNS and WebRTC leaks regularly.
The most important thing is to understand what your VPN does and does not do. A VPN is a useful tool for a specific set of problems. It is not a magic privacy force field, and treating it like one leaves you exposed in all the ways it was never designed to protect.
If you are getting started with wireless security research and want a compact, capable tool for BLE sniffing, WiFi analysis, and more, the BLEShark Nano gives you serious capability in a pocket-sized form factor.
Get the BLEShark Nano - $36.99+