VPN (virtual private network)

A VPN (Virtual Private Network) is a service that routes your internet traffic through a server operated by a provider, encrypting the connection between your device and that server. To the rest of the internet, your traffic appears to originate from the VPN server, not from your home or office network. The VPN provider sees what you do; your local ISP sees only that you connected to the VPN server.

What it means in practice

A VPN solves three specific problems and creates one new one. Problem 1: your local ISP no longer sees which sites you visit. Problem 2: the sites you visit no longer see your real IP address (they see the VPN server’s). Problem 3: open Wi-Fi networks (cafes, hotels, airports) cannot easily intercept your traffic. The new problem: the VPN provider becomes a single point of trust. Choosing the wrong provider trades local-ISP visibility for VPN-provider visibility, which is worse if the VPN logs traffic, sells data, or sits in a jurisdiction that complies with broad subpoenas. The audit and ownership questions matter more than the marketing claims. Mullvad, Proton VPN, and IVPN have published independent audits and have transparency reports that align with their no-log claims. Most other consumer VPNs (NordVPN, ExpressVPN, Surfshark, CyberGhost, Private Internet Access) sit under conflicted ownership structures or have weaker audit histories.

Who uses it, and against whom

Use cases scale by threat tier. Tier 1 (most users): hide browsing from local ISP, bypass geo-blocking, get a clean IP on hostile networks. Tier 2 (privacy-conscious): defeat advertising-network IP correlation, route around censorship in restricted countries, maintain consistent identity across changing networks. Tier 3 (high-target): combine VPN with Tor for traffic-correlation defense, use multi-hop configurations to break single-jurisdiction subpoena reach, route specific identities through dedicated VPN profiles to maintain compartmentation. Adversaries the VPN does not defeat: account-level identification (logging into your real-name Gmail through a VPN is still your real-name Gmail), browser fingerprinting (the VPN changes your IP, not your browser identity), endpoint malware (the implant captures everything before encryption).

What you can change today

Pick a no-log VPN with audited claims: Mullvad ($5/month, anonymous billing, Swedish jurisdiction), Proton VPN (free tier viable for occasional use, paid tier $5-10/month, Swiss jurisdiction), or IVPN (privacy-focused, more expensive, no affiliate program). Install on every device including the work laptop. Enable kill switch so traffic stops if the VPN drops rather than leaking. Enable DNS leak protection. For the first month, run always-on and audit which apps break under VPN (banking apps and streaming services often do); add narrow split-tunnel exclusions only where necessary. Avoid free VPNs, ad-supported VPNs, and VPNs from companies whose primary business is advertising or VPN-review websites.

Related articles