VPNs are often sold as a “privacy silver bullet,” but that framing causes more confusion.
A VPN does not make you anonymous.
It does not stop cookies, logins, browser fingerprinting, or payment-based identification.
What a VPN actually does is much narrower and more technical:
- It encrypts your internet traffic in transit
- It prevents your ISP or local network from seeing which destinations you connect to
- It makes websites see the VPN server’s IP instead of your real one
That’s privacy at the network level, not identity hiding.
I wrote a detailed blogpost. Check it out.
Your internet traffic is already encrypted in transit; that’s what the “s” in https means.
A VPN does exactly two things: Hides your traffic from your ISP (but shows it to the VPN provider instead) and masks your IP and physical location.
Everything else is advertising and marketing gimmicks.
It does, however, make a certain level of anonymity at least possible as long as you scrub your cookies regularly, never log into the same accounts over the VPN that you were using without it, and never buy anything over the VPN.
In the end, you have to sit down and ask yourself what information you’re trying to protect from whom, and how much trouble protecting it is worth. You don’t want your nosy cousin who works at your ISP to know you look at furry porn, well, a VPN should be good enough for that (provided you don’t use the ISP’s DNS). If you’re trying to conceal your actions from a nation-state-level observer, you’ve got a lot more work to do.
As far as I understand, a certain level of data hygiene will do wonders for even a basic setup.
For example, on our server, we have a container that maintains a kill-switched connection to a subscription VPN. Several other containers, including one with a browser, can only route their traffic through that container, and we don’t use any of them for anything personal or outside their intended purpose. We basically act as if there are completely different people on that connection, like we have a secret second family. Remote activity is done through a self-hosted VPN to the home network, then VNC to the containers.
If we want to use the subscription VPN on other devices, we connect to a different location and possibly use Tor browser for extra anonymity. No activity or information overlap, ever.
I often VPN to my home network while on the go. The overall web experience is so much worse without DNS level ad blocking.
- It means you’re letting a different company (VPN provider instead of ISP) see everything you do. In countries with sane privacy laws (i.e. not the US) this is very often a net negative for your privacy, as your ISP will be bound by your country’s privacy laws and most VPN providers are foreign (and often based in the US).
Good blog. You touch on this point in the blog but IMHO it should be one of your main talking points.
Not all VPNs are fraud. Purchasing a good VPN plan should be done after a lot of research. Because the most popular or cheaper could be the worst one.
Agreed, hence the “very often” and not “always”. You are always trusting the VPN provider to not fuck you over, and there probably are a few who don’t.
That’s just about all I need. VPN + privacy browser is as much effort as I’m willing to put in. Beyond that it gets really frustrating.
True… Using Tor is a big pain.
- It encrypts your internet traffic in transit
It encrypts it in part of the transit, the part between the VPN server and the target is the same as it would have been without a VPN
- It prevents your ISP or local network from seeing which destinations you connect to
True but now your VPN provider can see everything your ISP would have. Depending on the jurisdiction of your ISP and VPN, that could make it better or worse
I’ll always use a VPN as there’s no other way to stop advertisers seeing your local host IP.
It’s not sufficient to stop them tracking, by miles, but it’s necessary.
Yes VPNs are necessary. At least when using a public network.
Even your home network can be compromised,
Practically speaking, not really. And at that point the state has a warrant and been in your home or someone highly technical in your home is there and there isn’t really shit you can do except block physical access to everything.
The odds that someone is intercepting and mitm your TLS/SSL behind your edge is absurdly low.
Yeah, no, you are extremely mistaken: Home routers are routinely compromised.
I’m not even talking about your government snooping on you but that’s not unheard of either.
- It encrypts your internet traffic in transit
Note that most sites use TLS these days, so your data is already encrypted in transit.
Yeah, but app DNS requests and background services are sometimes not TLS. When using a VPN, all traffic is encrypted. Thus safer.
True, however TLS does not encrypt the hostname/IP address of the servers that you are connecting to, so your ISP can monitor the servers you visit. A VPN provides an encrypted tunnel for your traffic, so your ISP can only see that you are communicating with the VPN server. However, the VPN provider can see the hostname/IP of the servers in order to forward the traffic to its destination.
Ideally the VPN provider does not monitor or keep logs of the connections, but this is not always the case. A VPN offers privacy from the ISP or from other clients connected to the local network when using public WiFi.
It can also provide some level of anonymity, because the server that you are connecting to will only be able to see the VPN IP address connecting to them, instead of your home IP address. It is possible to still be identified by other means besides your IP address, like using cookies or browser fingerprinting.
The hostname will be encrypted eventually (ESNI) but you’re right that the IP address is visible.
Destination IP is starting to mean less and less these days, given there’s a large amount of sites that use shared IPs rather than dedicated ones (for example, if they use Cloudflare, Vercel, Netlify, AWS CloudFront, etc.)
ESNI has largely been dropped in favor of ECH
Most web data. “Who you’re talking to” isn’t.
Not everything is good about VPNs, you should check your DNS configuration also.
Yes you are right. You should run DNS leak tests.







