What a VPN actually is
VPN stands for virtual private network. The name comes from its original corporate use: giving a remote worker a secure connection into an office network as if their laptop were plugged in there. Consumer VPNs repurpose that same technology for privacy and to change the apparent origin of your traffic.
Mechanically, a VPN does two things at once. First, it builds an encrypted tunnel between an app on your device (the VPN client) and a server operated by the VPN provider. Second, that server acts as a relay: it takes your traffic out of the tunnel, forwards it to whatever service you asked for, and sends the reply back through the tunnel to you. Because the request comes from the VPN server, the destination sees the server's IP address, not the one your ISP gave you.
How the tunnel works, step by step
Walk a single web request through the system:
- Your client encrypts the packet. Before anything leaves your device, the VPN client wraps your outgoing packet — destination address, data, and all — inside an encrypted envelope. The only readable part is the outer header, which is addressed to the VPN server's IP.
- Your ISP forwards an opaque blob. The encrypted packet travels across your local network and through your ISP exactly like any other traffic. But your ISP can no longer see where you are ultimately going or what you are sending. All it sees is a stream of encrypted packets flowing to one address: the VPN endpoint. It can tell you are using a VPN and how much data you move, but not the contents.
- The VPN server decrypts and forwards. The packet arrives at the VPN server, which unwraps the envelope, reads the real destination, and sends the request out to the internet under its own IP address. The reply comes back to the server first.
- The reply is re-encrypted and returned. The server wraps the response in the tunnel again and sends it back to your client, which decrypts it and hands the data to your browser. From the browser's point of view, nothing unusual happened.
The upshot: the leg your ISP and local network can watch is fully encrypted, and the leg the destination can watch appears to originate from the VPN server. You haven't made your traffic invisible — you've relocated who can see what.
The common protocols, and how they honestly differ
The tunnel needs a set of rules for how to negotiate keys, encrypt data, and keep the connection alive. That rule set is the protocol. A handful dominate, and they are not interchangeable.
WireGuard — modern, fast, lean
The newest mainstream option and, for most people, the best default. WireGuard runs on a small codebase (a few thousand lines, versus hundreds of thousands for older stacks), which makes it easier to audit and generally faster, with lower latency and quicker reconnects. Its one wrinkle is that it was designed around fixed device addresses, so providers add their own layer to rotate addresses for privacy. If your app offers it, WireGuard is usually the pick.
OpenVPN — mature and flexible
For years the de facto standard for consumer VPNs: battle-tested, extensively audited, and highly configurable. It can run over TCP on port 443, which makes its traffic resemble ordinary HTTPS and helps it slip through restrictive firewalls that block other protocols. It is heavier and typically a bit slower than WireGuard, but its flexibility keeps it relevant.
IKEv2/IPsec — great on mobile and roaming
IKEv2 (paired with the IPsec suite) is the quiet workhorse on phones. Its standout feature is how gracefully it handles a changing network: walk out of Wi-Fi range and your phone switches to cellular, and IKEv2 re-establishes the tunnel almost instantly instead of dropping. It is fast, stable, and natively supported on iOS, Android, and Windows.
PPTP and L2TP — legacy, and one to avoid
PPTP is insecure and should not be used. Its encryption has been broken for many years and is considered trivial to defeat; treat any “free VPN” that only offers PPTP as offering no meaningful protection at all. L2TP is a tunneling protocol with no encryption of its own, so it is paired with IPsec (L2TP/IPsec); it works but is slower and has largely been superseded by the three options above. If you have a real choice, reach for WireGuard, OpenVPN, or IKEv2.
What a VPN genuinely protects
- It hides your IP from the destination. Websites and services see the VPN server's address instead of your real one, which breaks the direct link between your connection and your location or ISP-assigned identity. You can see the difference for yourself on the What is my IP page — it will show the VPN server's address while you are connected.
- It encrypts you on hostile or public Wi-Fi. On an airport, café, or hotel network you don't control, anyone else on that network — or whoever runs it — can attempt to snoop on unencrypted traffic. The VPN tunnel means they see only ciphertext headed to the VPN endpoint, which is the single most concrete everyday benefit.
- It defeats local-network and ISP snooping. Your ISP can normally log the domains you visit even when the page contents are HTTPS-encrypted. With a VPN, that visibility moves off the ISP. It also stops nosy network administrators on shared or campus networks from profiling your browsing.
What a VPN does not do
This is where marketing tends to overpromise. A VPN is a narrow tool, and understanding its limits is the whole point.
- You now trust the VPN provider instead of the ISP. The server has to decrypt your traffic to forward it, so it sits in exactly the position your ISP used to. It can see the destinations you connect to. You have not eliminated the trusted middleman — you have swapped one for another, and you should choose that one deliberately.
- It does nothing against browser fingerprinting, cookies, or logged-in accounts. Changing your IP does not change the fingerprint your browser broadcasts, the cookies already on your machine, or the fact that you are signed into your accounts. If you log into an account, that service knows exactly who you are regardless of what IP you arrive on. See what websites can see about you for the full picture of non-IP identifiers.
- It is not anonymity. A VPN is a privacy and relocation tool, not an anonymity system. For that, the design goals are different — this is where Tor and its multi-hop routing come in. If anonymity is your actual goal, read the VPN vs proxy vs Tor comparison to see why a single VPN hop is the wrong tool for it.
The logging and trust question
Because the provider can see your destinations, everything hinges on what it does with that visibility. Many services advertise a “no-logs” policy, meaning they claim not to record which sites you visit or which IPs you were assigned. The honest framing is that this is a promise, not a technical guarantee you can verify from the outside. Independent audits or claims tested in court are stronger signals than a marketing badge, but they still require you to trust the operator and its jurisdiction. The right question is never “is the encryption strong?” — it almost always is — but “do I trust this company with the visibility my ISP used to have?”
Leaks: the ways your real IP escapes the tunnel
A VPN only protects you if all your traffic actually goes through the tunnel. Several common failure modes let your real IP slip out even while the VPN shows as connected. These are worth testing rather than assuming.
- DNS leaks. DNS is the lookup that turns a domain name into an IP address. If those lookups go to your ISP's resolver instead of through the tunnel, your ISP still sees every domain you visit — defeating much of the point. Confirm your lookups are tunneled with the DNS leak test.
- WebRTC leaks. WebRTC is a browser feature for real-time audio and video that can, as a side effect, reveal your real local and public IP addresses directly to a web page, bypassing the VPN entirely. Check whether your browser is exposing you with the WebRTC leak test.
- IPv6 leaks. Many VPNs were built around IPv4 and mishandle IPv6. If your connection has working IPv6 but the tunnel only carries IPv4, requests can escape over the uncovered IPv6 path and expose your real address. A VPN that does not explicitly route or block IPv6 is a common source of silent leaks.
If you want to change your apparent IP as an end in itself rather than build an encrypted tunnel, the broader menu of options — including proxies and Tor — is covered in how to hide your IP address.
The short version
A VPN encrypts everything between your device and a server you've chosen, then relays your traffic so the outside world sees the server. That protects you from your ISP and from snoops on the local network, and it hides your IP from the sites you visit. It does not make you anonymous, it does not stop fingerprinting or cookies, and it hands the visibility your ISP had to the VPN provider. Seen clearly as a tool that moves trust rather than erasing it, a VPN is useful — sold as an anonymity cloak, it will let you down.
Related reading
- VPN vs proxy vs Tor — when a single VPN hop is the wrong tool and something else fits better.
- How to hide your IP address — the full menu of ways to change your apparent origin.
- DNS leak test — confirm your domain lookups actually go through the tunnel.
- WebRTC leak test — catch the browser feature that can expose your real IP.
- What websites see — the non-IP identifiers a VPN does nothing about.
- What is my IP? — watch your apparent address change when the tunnel is up.
- Networking glossary — plain-English definitions for the terms in this guide.
Frequently asked questions
Does a VPN make you anonymous?
No. A VPN hides your IP address from the websites you visit and encrypts your traffic against your local network and ISP, but it does not make you anonymous. Websites can still identify you through cookies, logged-in accounts, and browser fingerprinting, and your VPN provider can see the traffic your ISP used to. A VPN moves trust from your ISP to the VPN operator — it does not remove the need to trust someone.
Which VPN protocol should I use?
For most people WireGuard is the best default: it is fast, has a small modern codebase, and reconnects quickly. OpenVPN is a mature, flexible alternative that is good at getting through restrictive networks. IKEv2/IPsec is excellent on phones because it survives switching between Wi-Fi and cellular. Avoid PPTP entirely — its encryption has been broken for years and it should be considered insecure.
Can my VPN provider see my traffic?
Yes. The VPN server decrypts your traffic in order to forward it, so the provider is in the same position your ISP was: it can see which sites you connect to, and for unencrypted (plain HTTP) connections it can see the contents. HTTPS still protects the contents of most traffic, but the provider can always see the destinations. This is why the provider's logging policy and trustworthiness matter more than any marketing claim about encryption strength.
