Every YouTube channel and podcast you listen to has a VPN sponsor. The marketing makes it sound like a VPN is a digital invisibility cloak. It isn't. It's a useful tool for specific threat models, and a placebo for others. Here's the engineer's view.
What a VPN actually is
A VPN (Virtual Private Network) routes your internet traffic through an encrypted tunnel to a server somewhere else, which then sends the traffic on to its destination on your behalf. Your ISP sees encrypted blobs going to the VPN; the website sees a request coming from the VPN.
That's it. Everything else is marketing on top.
What they hide (genuinely)
- Your IP address from the websites you visit. Useful for accessing geo-restricted content and for avoiding IP-based targeting.
- Your DNS lookups and HTTP requests from your ISP. Useful if you don't trust your ISP, which in 2026 is most people.
- Your traffic from local network observers. Coffee shop WiFi, hotel networks, corporate guest WiFi.
- Your real IP from torrent peers (relevant if you torrent — your peers see your IP otherwise).
What they don't hide
- Your identity from the sites you log into. If you log into Facebook over a VPN, Facebook still knows it's you.
- Browser fingerprints. Canvas fingerprint, fonts, screen resolution, audio fingerprint — a VPN doesn't help.
- Tracking cookies. Those persist regardless of IP.
- Account activity correlation. If you check your Gmail and then visit other sites, Google can correlate the two.
- Your activity from the VPN provider. They see everything your ISP would have. You're just moving trust.
Threat models where VPN matters
Different concerns, different answers:
- Hostile public WiFi: ✅ VPN helps. Use it.
- ISP data selling / DNS sniffing: ✅ VPN helps. Encrypted DNS (DoH/DoT) also helps.
- Bypassing geo-restrictions: ✅ Primary use case for most VPN customers.
- Hiding from Google/Facebook/Meta: ❌ Useless. They identify you by login, cookies, behavior.
- Hiding from nation-state actors: ❌ Use Tor, not a commercial VPN.
- Avoiding banking fraud detection: ❌ Will likely get your account flagged.
- Stopping malware: ❌ A VPN doesn't filter content. Use EDR for that — see our cybersecurity fundamentals post.
Picking a commercial provider
The market is largely consolidated. Reasonable picks in 2026:
- Mullvad — pay in cash, no email required, anonymous account numbers. Most privacy-focused of the major options.
- Proton VPN — Switzerland-based, audited, has a free tier.
- IVPN — similar privacy posture to Mullvad, smaller server network.
Avoid: any "lifetime VPN" deal on AppSumo, any VPN that won't tell you who owns it, anything advertising on Spotify, anything that says "military grade encryption" (that's not a real thing). The marketing-heavy providers are usually owned by Kape Technologies, a holding company with a mixed reputation.
Self-hosted alternative
If you trust yourself more than VPN providers, run your own. Options:
- Tailscale — WireGuard-based mesh VPN, free for personal use, devices connect peer-to-peer. Best for accessing your own services remotely, not for hiding from websites.
- WireGuard on a VPS — spin up a $5/mo VPS in any country, run WireGuard. Cheaper than a commercial VPN, but doesn't help if you need to rotate IPs frequently.
- Algo VPN — automates the above. Open source, well-maintained.
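A self-hosted WireGuard client only delivers the "what they hide" items above if its config routes everything through the tunnel. The following is an added example, not part of the original post: a small audit of a wg-quick-style client config that flags missing IPv4/IPv6 default routes in `AllowedIPs` and a missing `DNS` line. The function names `parse` and `audit`, the placeholder keys, the 10.8.0.x addresses and the documentation endpoint 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress

# Constructed sample configs: keys are placeholders, endpoint is a documentation address.
SPLIT_TUNNEL = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32
[Peer]
PublicKey = <server-public-key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.8.0.0/24
"""
FULL_TUNNEL = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32, fd00:8::2/128
DNS = 10.8.0.1
[Peer]
PublicKey = <server-public-key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/0
"""

def parse(conf):
    """Collect comma-separated values per (section, key), names lowercased."""
    section, values = None, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section:
            key, _, val = line.partition("=")
            values.setdefault((section, key.strip().lower()), []).extend(
                v.strip() for v in val.split(",") if v.strip())
    return values

def audit(conf):
    """Return findings for traffic that would stay visible outside the tunnel."""
    values = parse(conf)
    nets = [ipaddress.ip_network(n, strict=False)
            for n in values.get(("peer", "allowedips"), [])]
    findings = []
    for version, default in ((4, "0.0.0.0/0"), (6, "::/0")):
        # Collapsing catches the 0.0.0.0/1 + 128.0.0.0/1 spelling of a default route.
        merged = ipaddress.collapse_addresses(n for n in nets if n.version == version)
        if ipaddress.ip_network(default) not in merged:
            findings.append(f"IPv{version} default route not in AllowedIPs")
    if not values.get(("interface", "dns")):
        findings.append("no DNS set in [Interface]")
    return findings
```

A config like `SPLIT_TUNNEL` is fine for reaching your own services, but it leaves ordinary browsing and DNS lookups on the local network and ISP path.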
Myths to retire
- "VPNs hide you from hackers." → Mostly meaningless. Real attacks don't depend on your IP.
- "VPNs make you anonymous on the internet." → No. See above.
- "VPNs stop your ISP from throttling Netflix." → Sometimes, but Netflix actively blocks many VPN IPs.
- "VPNs are illegal in some countries." → Some restrict, few outright ban. Always check local law before relying on one.
- "VPNs slow down your connection." → Always, by 10–30%. Pick a server close to you to minimize the slowdown.
For deeper personal/business security guidance, see our cybersecurity fundamentals and ransomware defense posts.