
VPN: 95% of the marketing is false

What a VPN really protects, what it doesn't, and how to choose the right one for the right use.


This version was translated with AI assistance and reviewed by a human.


A journalist proudly shows me the green icon in his menu bar: “I’m protected, I’ve got NordVPN.” I ask him against what. Silence. He has a £3.50-a-month subscription and the conviction that he’s invisible. While we talk, his phone is logged into his Google account, into WhatsApp, into his work Gmail. The VPN changes none of those things. He bought a feeling, not a protection.

Reading angle

The usual trap

VPN marketing has pulled off a feat few industries can match: convincing tens of millions of people that a very specific technical object is a universal shield against every danger on the internet. “Protect your privacy. Become anonymous. Secure your data.” These slogans paper over YouTube banners, podcast sponsorships, in-app ads. They’re repeated so often that they’ve replaced understanding with a reflex: a security problem, therefore a VPN.

The problem isn’t the product. A VPN is a perfectly honest tool once you know what it does. The problem is the gap between what you were sold and what the object actually performs. A VPN is an encrypted tunnel between your device and a server. Full stop. It moves your point of trust: instead of your internet provider seeing your traffic, it’s your VPN provider who sees it. Sometimes that move is useful. Often, it doesn’t touch the problem you think you’re solving.

The real danger isn’t using a VPN. It’s believing it covers you on terrain it doesn’t even graze — and therefore lowering your guard precisely where it doesn’t protect you. The journalist in my epigraph is more exposed with his VPN than he’d be without it, because he substituted a monthly purchase for operational hygiene. That’s the worst-case scenario: false confidence. The rest of this article exists to rebuild the exact boundary between what the thing does and what it doesn’t, so you stop paying for an illusion and start using it where it has real value.

Let’s break down the mechanics, because that’s the only way to kill the myth. When the tunnel is active, three things happen, and three only. One: the traffic between your device and the exit server is encrypted, therefore invisible to any observer sitting between the two — local Wi-Fi network, internet provider, mobile carrier. Two: your real IP address is replaced, in the eyes of destination servers, by that of the VPN’s exit point. Three: if the configuration is clean, your DNS requests also travel inside the tunnel, which prevents the local network from inferring the domains you visit. That’s the entire technical contract. Everything marketing piles on top of it is abusive extrapolation.

And what the VPN never does deserves to be stated just as bluntly. It does not encrypt the content of your communications end-to-end: that’s the role of HTTPS (secure HTTP, encrypting browser-server communication via TLS), already present on the vast majority of the web, and the VPN adds nothing to that content. It doesn’t erase your cookies, your session, your browser fingerprint. It protects you neither from malware downloaded through the tunnel, nor from a phishing email, nor from a booby-trapped attachment — a malicious file stays malicious whether it arrives encrypted or not. And it doesn’t make you anonymous to the services you’re logged into: if you’re signed in to Google, Google knows who you are, whatever the exit IP. The VPN acts on a single layer, transport. It is blind to everything else.

The real threat model: who sees what

The only question that matters before switching on a VPN: against whom? A serious threat model (a mapping of actors, motivations, capabilities and potential impacts against a target) isn’t built with adjectives (“safer”, “private”) but with named actors and precise capabilities. Let’s walk back up the chain of your traffic, link by link, and look at who sees what with and without a tunnel.

Without a VPN, on a Wi-Fi network you don’t control (café, hotel, airport, conference room), the threat actor is someone on the same network. With HTTPS now ubiquitous, they can no longer read the content of your pages. But they see the domain names you resolve if your DNS (the system resolving domain names to IP addresses, and a vastly underestimated surveillance vector) isn’t encrypted, they can attempt a MITM (an attack where an actor interposes between two parties who believe they’re communicating directly) on a captive portal, and they know the destination IP addresses. The VPN cleanly closes this vector: everything leaves encrypted toward the VPN server, the local observer sees only an opaque stream. It’s the most solid use case, and it’s also the only one where the benefit is clear and measurable.

Without a VPN, facing the sites you visit, the site sees your real IP. With a VPN, it sees the exit server’s IP. That’s the second real function: masking your IP from a one-off third party. Useful for OSINT (intelligence from open, public sources: social media, registries, archives) research where you don’t want the target to log your address, useful for getting around a geo-restriction. But this is pseudonymization, not anonymity — and the nuance will decide everything else.

Now the actor the marketing conjures away: your VPN provider itself. When you activate the tunnel, you don’t remove the observer, you replace it. The provider sees your real IP at the moment of connection, your timing, your volumes, and the destinations toward which it routes your traffic. Its policy says “no-log”? That’s a contractual promise, not a law of physics. It’s worth exactly what the independent audit that verified it is worth, and what the jurisdiction able to compel it is worth. If its infrastructure is seized or compromised, that data can exist despite the promise. You’ve moved your trust from a regulated ISP to a company you often know nothing about.

And the actors the VPN never touches: the services you’re logged into (Google, Facebook, your bank identify you by your session, not by your IP), the ad networks (which use fingerprinting, that is, identifying a device by unique browser and system characteristics, as well as cookies and mobile identifiers — the IP is secondary), and everything that touches your machine itself (malware, phishing, booby-trapped files pass through the tunnel without any obstacle). The VPN protects one segment of transport. It protects neither the content encrypted elsewhere, nor your application-level identity, nor your endpoint.

Since switching on a VPN amounts to replacing one observer with another, the only criterion that matters for privacy is neither speed, nor number of countries, nor price: it’s how much you can trust the one who sees everything pass through. Three variables let you assess that coldly.

First, the logging policy and its audit. “No-log” has value only when verified by an independent third party, ideally repeatedly, and tested against reality: has it ever been served by an authority, and what was it able to hand over? A provider that structurally has nothing to give — because it keeps no data linking a session to an identity — resists a legal demand that a “no-log on its word” provider won’t withstand. Next, jurisdiction: the country where the company is incorporated, mutual legal assistance treaties, legal retention obligations. A good policy in a bad jurisdiction stays fragile. Finally, the business model, which tells you everything: a free VPN has to fund itself, and it almost always funds itself by reselling your browsing data or injecting advertising into your traffic — that is, by doing exactly what you thought you were protecting yourself against. Hola VPN even resold its users’ bandwidth to make an exit botnet of it. For sensitive use, the free VPN is the worst option, not the cheapest.

The provider landscape then sorts itself quickly. Mullvad and IVPN represent the serious end: repeated audits, payment in cash or Monero, no email required, open code. Proton VPN follows, in Switzerland, audited, integrated into a coherent ecosystem. At the other end, the heavily-advertised brands — the ones whose names you know because they sponsor half of YouTube — have almost all been bought up by investment groups, with audits of limited scope and conflicts of interest over data. They’ll do in a pinch to unblock a geo-restricted catalogue. They are not a privacy choice.

WireGuard, OpenVPN, and self-hosting

On the protocol side, the matter is settled for everyday use. WireGuard (a modern, simple, high-performance VPN protocol integrated into the Linux kernel) fits in roughly 4,000 lines of code, where OpenVPN lines up nearly 100,000: an attack surface reduced by an order of magnitude, therefore far easier to audit, markedly higher performance, low latency, near-instant reconnection when you change networks. It’s the reasonable default today. OpenVPN keeps its relevance in specific cases: compatibility with certain restrictive enterprise firewalls, configuration flexibility, a longer audit history. If you administer corporate remote access with particular network constraints, OpenVPN can still be the right choice — but for personal use, WireGuard first.

That leaves the option of self-hosted WireGuard on a VPS, tempting for anyone who wants to control everything. It’s excellent for one thing: encrypting your transit over a hostile network toward infrastructure you control. It’s bad for privacy, and that needs saying clearly: if you’re the only client of that server, your outbound traffic is trivially attributable to you — you have no crowd to blend into, unlike a provider pooling thousands of users behind each exit IP. Self-hosting gives you control, not anonymity.

Censorship contexts change the rules

In a country that practices active network filtering — China, Russia, Iran — the calculation shifts. Your local internet provider is, in effect, a state surveillance apparatus: it sees the entirety of your DNS and HTTP traffic, and it blocks IP ranges and whole protocols. A VPN to a foreign server gets around that, provided the protocol isn’t detected and cut. China’s Great Firewall knows how to recognize and block classic VPN handshakes; you then need WireGuard on a non-standard port, or outright obfuscation protocols designed to look like ordinary traffic (Shadowsocks, V2Ray). And the operational rule allows no exception: the VPN must be installed, configured, and tested before departure. Once on the ground, app stores and provider websites are often inaccessible. Trying to download the client from the destination airport means arriving too late.

The right approach: one tool, one use, a clear boundary

The pragmatic shift fits in one sentence: a VPN is not a security posture, it’s a transport function you activate for a precise use and assess on that use. Stop asking “what’s the best VPN” and start with “what exactly do I want to prevent”. The answer dictates the choice — or the absence of one.

If your goal is to encrypt your transit over an uncontrolled network, any serious VPN will do, and the criterion becomes technical reliability: WireGuard protocol by default (roughly 4,000 lines of code against ~100,000 for OpenVPN — reduced attack surface, instant reconnection, low latency), a kill switch that cuts everything if the tunnel drops, and DNS forced inside the tunnel so it doesn’t leak. If your goal is privacy from your provider, the criterion becomes trust in the provider: Mullvad is the reference — no-log audited repeatedly by third parties, payment in cash or crypto possible, no email required (just a random account number), open source. Proton VPN (part of the Swiss privacy-focused Proton suite: Mail, VPN, Drive, Pass, Calendar) is the other serious choice, Swiss, audited, open source. IVPN in the same spirit. Everything else — the heavily-advertised brands, bought up by funds, with audits of limited scope — is fine for unblocking Netflix and nothing else.

If your goal is real anonymity — journalistic sources, whistleblowers, contexts where your identity must be impossible to link to your activity — then no commercial VPN is enough. You need Tor (an anonymizing network routing traffic through 3 successive relays to hide its origin), designed so that no single node knows both who you are and what you’re doing. The VPN never replaces Tor; at best it precedes it. Confusing the two is the kind of mistake that costs a source, not a subscription.

And if your goal is none of the three — you want “fewer ads” or “to stop being tracked” — then the VPN simply isn’t the tool. The measure that changes something is a serious blocker (uBlock Origin), a hardened browser, and encrypted DNS. Buying a VPN for that is putting a padlock on the wrong door.

Once the use and the provider are chosen, three settings separate a VPN that actually protects from a decorative one. The kill switch first: it cuts all network connection if the tunnel drops, which avoids the most common leak — the instant the VPN reconnects after a network change and your traffic goes in the clear for a few seconds. Without a kill switch, those seconds are enough to expose your real IP to the site you were browsing. DNS inside the tunnel next: many configurations let DNS requests exit via the system resolver, therefore visible to the local network and the ISP even with the VPN active. A test on dnsleaktest.com after connecting tells you in thirty seconds whether you’re leaking. Split tunneling finally, which routes only part of the traffic through the VPN: handy for keeping access to a local printer or a banking service that blocks VPN IPs, but a trap for a sensitive session — everything outside the tunnel is exposed. For a session that matters, you turn off split tunneling and run everything through the tunnel.
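The three settings above can be checked mechanically on a wg-quick configuration file. The following checker is an added example, not code from the article or from the WireGuard project; the two configs it embeds are constructed, the keys and endpoint are placeholders, and the kill-switch rule in the hardened one is the iptables form documented in the wg-quick man page.

```python
"""Lint a wg-quick config for the three settings that separate a protecting VPN
from a decorative one: full-tunnel routing (split tunneling off), DNS forced
into the tunnel, and a kill switch. Added example; constructed sample configs."""
import ipaddress
import re

# Constructed "decorative" config: split tunnel, system resolver, no kill switch.
WEAK_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.net:51820
AllowedIPs = 10.8.0.0/24
"""

# Constructed hardened config: everything routed, DNS inside the tunnel,
# wg-quick kill switch (outbound traffic not leaving via the tunnel is rejected).
HARDENED_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/32
DNS = 10.8.0.1
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

def parse_wg(text):
    """Return (interface_dict, [peer_dict, ...]); repeated keys become lists."""
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line == "[Interface]":
            current = iface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return iface, peers

def is_full_tunnel(peers):
    """Split tunneling is off only if a peer routes both 0.0.0.0/0 and ::/0."""
    v4 = v6 = False
    for peer in peers:
        for entry in peer.get("AllowedIPs", []):
            for cidr in entry.split(","):
                net = ipaddress.ip_network(cidr.strip(), strict=False)
                if net.prefixlen == 0:
                    v4, v6 = v4 or net.version == 4, v6 or net.version == 6
    return v4 and v6

# A kill switch is any PostUp/PreUp hook that installs a reject/drop rule.
KILL_SWITCH_RE = re.compile(r"(iptables|nft).*(REJECT|DROP|reject|drop)")

def lint(text):
    """Return the list of findings; an empty list means all three settings hold."""
    iface, peers = parse_wg(text)
    findings = []
    if not is_full_tunnel(peers):
        findings.append("split tunneling: AllowedIPs does not cover 0.0.0.0/0 and ::/0")
    if not iface.get("DNS"):
        findings.append("DNS leak risk: no DNS= line, resolver stays on the system default")
    hooks = " ".join(iface.get("PostUp", []) + iface.get("PreUp", []))
    if not KILL_SWITCH_RE.search(hooks):
        findings.append("no kill switch: no PostUp/PreUp rule rejecting non-tunnel traffic")
    return findings
```

Run `lint()` on your own client config: the weak sample yields all three findings, the hardened one none.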

The last reflex is a matter of order: you activate the VPN before connecting, never after. If you open a site, then switch on the tunnel, the site has already logged your real IP and your device may already have resolved domains in the clear. The late gesture is cosmetic. The discipline fits in one sentence: tunnel first, browsing second.

What this means concretely

For you, as an individual

A VPN is useful on untrusted public Wi-Fi and for masking your IP from a one-off third-party site. It is not anonymity, it is not identity protection, and it replaces neither your antivirus nor your vigilance against phishing. Three actions, this week, all under £200 — most at £0:

  1. Decide whether you actually need one — Ask yourself a single question: do I regularly connect to Wi-Fi networks I don’t control, or do I need to mask my IP from sites? If yes, get Mullvad (£5 a month, no commitment, payable in cash, no-log audited). If no — if you’re at home on your own line or on 4G/5G — you don’t need a VPN. Save the subscription.

  2. Configure it correctly, once and for all — Enable the WireGuard protocol, enable the kill switch, and check for the absence of a DNS leak on dnsleaktest.com after connecting. Cost: £0, ten minutes. A poorly configured VPN that leaks DNS protects only your peace of mind.

  3. Don’t count on it for what it doesn’t do — To escape advertising tracking: install uBlock Origin (free). To avoid being identified on the services you use: sign out of accounts when you want to browse “separately”, or use a dedicated browser profile. The VPN does neither.

For you, CISO / CIO / executive

The central point of attention: consumer VPN ≠ enterprise VPN. These are two objects with nothing in common but the name, and confusing them in your awareness communications creates false security among your staff.

1. The enterprise VPN is an access building block, not a privacy tool. Zscaler, Cloudflare Access, Tailscale, self-hosted OpenVPN: these products exist to give your staff controlled access to internal infrastructure and to apply centralized policies. They don’t “make anonymous”, they don’t “protect privacy” — that’s not their job. Direct consequence: never carry over consumer marketing vocabulary into your internal guides. A staff member who believes the corporate VPN makes them “private” will lower their guard on phishing and identity leakage, which are your real risks.

2. The “tunnel into the internal network” model is on its way to obsolescence. The traditional access VPN places the authenticated user on the network, with broad implicit trust — a compromised endpoint behind the VPN moves laterally. The market is shifting toward ZTNA (an access model verifying each request rather than trusting the source network) and Zero Trust (the principle of never trusting by default and verifying each request): access by application, not by network, continuously verified. Direct consequence: if your architecture still rests on a single VPN concentrator exposing the whole LAN, put migration toward per-resource access on your roadmap. The VPN remains a building block, not the boundary.

3. The consumer VPN on work devices is a blind spot. Staff install NordVPN or a free VPN on their work machine “to protect themselves”, routing the company’s traffic through an unknown third party, sometimes outside the EU, sometimes a data reseller. Direct consequence: your policy must explicitly prohibit unapproved consumer VPNs on managed endpoints, and your fleet management solution (MDM) must be able to detect it. A free VPN on a machine that touches your data is an exfiltration you pay for yourself in user comfort.

Mistakes we see all the time

  • Believing that turning on the VPN makes you anonymous. As long as you’re logged into your Google, Apple, Meta accounts, you’re identified, IP masked or not. Anonymity goes through Tor and identity discipline, never through a simple tunnel.
  • Using a free VPN for sensitive use. The business model of a free VPN is you: reselling browsing data, injecting advertising, or worse. It’s exactly the opposite of what you’re looking for.
  • Not checking for a DNS leak. Many configurations let DNS requests exit the tunnel. Your ISP then sees all the domains you visit, VPN active or not. A test on dnsleaktest.com takes thirty seconds.
  • Activating the VPN after starting to browse. If you connect to a site before switching on the tunnel, your real IP is already logged. The VPN first, browsing second — otherwise the gesture is cosmetic.
  • Confusing enterprise VPN and privacy VPN. The first is an access control, the second a personal tool. Mixing them in a communication produces falsely reassured staff.
  • Downloading it on the ground in censored countries. In China, Russia, Iran, app stores and VPN sites are often blocked. Trying to install the client from the destination airport is generally too late: it must be installed, configured, and tested before departure.

Actionable checklist

  • N1 Define the use before the tool: uncontrolled Wi-Fi? one-off IP masking? access to the corporate network? real anonymity? — each answer dictates a different solution
  • N1 If consumer privacy: choose Mullvad, Proton VPN, or IVPN, never a heavily-advertised provider or a free VPN
  • N2 Enable WireGuard as the default protocol and the kill switch
  • N2 Check for the absence of a DNS leak on dnsleaktest.com after connecting
  • N2 Activate the VPN BEFORE connecting to a network or a site, never after
  • N2 For advertising tracking and fingerprinting: uBlock Origin + hardened browser, not a VPN
  • N3 For real anonymity (source, whistleblower): Tor, never a commercial VPN alone
  • N3 Mission in a censored country: install, configure, and test the VPN before departure
  • N3 On the organization side: prohibit consumer VPNs on managed endpoints and detect them via MDM
  • N3 On the organization side: plan the shift from full-tunnel network VPN to per-resource access (ZTNA / Zero Trust)

Going further

The references that hold up are in the frontmatter. Read first ProtonVPN’s threat model: it’s one of the rare provider documents that honestly states what its product protects against and what it doesn’t. Mullvad’s no-log audits, repeated and public, show what a verifiable promise looks like rather than a marketing slogan. And WireGuard’s whitepaper explains why a 4,000-line protocol replaced a 100,000-line behemoth — a good reminder that security is won by reducing the attack surface, not by stacking up features. For the logical next step, see Public Wi-Fi, DNS hardening, and eSIM for travel.
