What a VPN actually does
A user showed me a VPN ad on her phone last month and asked if she should buy it. The ad had a hooded figure at a coffee shop. Ominous music. A scrolling list of things hackers were apparently doing to her bank account while she ordered a latte. Fifteen dollars a month and you’ll be safe.
I explained why it would be overkill.
The pitch she'd seen is selling a problem that was real over ten years ago and has mostly been engineered out of the modern web. That doesn't mean VPNs are useless. It means almost nobody in the VPN industry is selling them for the reasons they're actually useful. Once you know what one really does, you can decide whether you need one.
What a VPN actually is
A VPN creates an encrypted tunnel from your device to a server somewhere else. From that server, your traffic continues on to whatever site you're visiting. To the website, the traffic looks like it came from the VPN server, not from you. To the network you're physically connected to (the coffee shop wifi, your home router, your hotel), the traffic looks like an unreadable stream of data going to one specific place. The local network can't see anything past that.
That's the entire idea behind a VPN.
A VPN does not block malware or stop phishing. It does not make you anonymous, and it does not protect you against the website you're connecting to. It moves the place your traffic appears to start, and it encrypts the first leg of the trip.
Selling fear
Back when the VPN industry built its marketing playbook, lots of websites still ran over plain HTTP. The lock icon in your address bar was new and not the default. An attacker on the same wifi could plausibly grab passwords out of the air or hijack your session. Wifi sniffing was a real thing.
Then HTTPS happened. Now almost every site you'd care about encrypts your traffic by default. Browsers warn you before letting you visit a non-encrypted site. Banking apps add their own encryption on top of HTTPS. The router at the coffee shop sees that you're connecting to your bank. It cannot see what you type into the login page.
So the sales pitch is selling protection against an attack that mostly doesn't work anymore. The remaining genuine public-wifi risk is the captive portal, the "agree to the terms" page that loads when you join a hotel or airport network. Attackers run fake versions of those to harvest credentials or push malicious downloads. A VPN does not help with that at all. If the page convinces you to type a password or accept a fake update, you're done either way.
When to use a VPN
Privacy from the network you're on. Even with HTTPS, the router and your internet service provider can still see which sites you connect to. Not what you type on them, but the names and how long you spend there. A VPN hides that pattern from whoever runs the network. The ISP sees you connecting to a VPN server and stops seeing anything past it. If you don't want your apartment building's wifi or Comcast building a record of every site you visit, that's a real reason to use one.
Remote access to your office. This is what gave VPNs their name. Your office has files, printers, or systems that only work when you're on the office network, and you need to use them from somewhere else. A business VPN lets your laptop pretend it's plugged in at the office. This is the version your IT person sets up for you, and it's the only kind that's actually solving the problem people in offices used to solve with VPNs. There are even cheap and free options for small businesses. Tailscale is one of them. The personal plan is free for up to six users. Business plans start around $6 to $8 per user per month. There's no server in the office to maintain.
Appearing to be in a different country. Streaming content locked to a different region, services that don't work where you are, sites blocked in the country you're traveling in. This works because the website sees the VPN server's address, not yours. Legitimate use, but also against the terms of service of every streaming platform on the planet, so factor that in.
What the pitch leaves out
A VPN does not make you anonymous. It moves your apparent location from your home to wherever the VPN server is. Your browser fingerprint, your logged-in accounts, the cookies your devices carry, the way Google recognizes you across sessions, all of that is unchanged. Real anonymity requires Tor, careful habits, and a different relationship with the internet than most people want. A consumer VPN gives you privacy from your network and your ISP.
A VPN does not protect you from hackers. It encrypts the first leg of your traffic. Phishing emails still phish. Malware still installs. Your password can still be stolen if you type it into a dummy site. Don’t feel a false sense of security just because you have a VPN turned on.
Need a VPN?
For personal use, the two I trust are Proton VPN and Mullvad. Both have been independently audited. Both have business models that don't depend on selling your traffic.
Proton VPN has a free tier (one device, limited servers, unlimited time). Paid plans run about $10 a month if you go monthly, around $5 if you pay annually. It’s even less on a two-year commitment. Same company makes Proton Mail and Proton Drive, and the bundle is reasonable if you want all three.
Mullvad charges a flat €5 a month (about $6 US), no tiers, no sales, no first-year discount that doubles at renewal. The price has not changed since 2009. You can pay with cash mailed to Sweden if that's the kind of thing you'd want to do.
For small-business remote access, Tailscale (mentioned above) is the easy answer.
What to skip
The free VPN apps in your phone's app store, almost without exception. The business model is selling your traffic to advertisers, and several of them have been caught doing worse. The thing you were hoping a VPN would prevent (someone reading what you do online) is what they're doing for a living. Free, in this category, is a warning label.
The VPN bundled with your antivirus subscription. Norton, McAfee, and the rest sell these as upsell justification. They tend to be slow, they expire when the antivirus expires, and the company isn't really in the VPN business. If you're picking from scratch, pick something else.
So?
If you've got HTTPS in your browser, MFA on the accounts that matter, and a healthy suspicion of links in email, you do not need a consumer VPN for safety. You might want one for ISP privacy, office access, or to get around a geographic lock. Don’t give in to the fear.
Joel

