SHIELD FR


VPN: 95% of the marketing is false

Threat model breakdown. What a VPN actually protects, what it doesn't touch. NordVPN, ExpressVPN, Mullvad, AirVPN, self-hosted: which serves what purpose.

7 min read. Threat level: General public

This version was translated with AI assistance and reviewed by a human.

A journalist tells me he’s “protected” because he uses NordVPN. I ask him: protected against what? Silence. The VPN is there because a YouTube ad told him he needed one.

The common trap

VPN marketing has pulled off a remarkable feat: convincing millions of people that a VPN is a universal shield against every danger on the internet. “Protect your privacy. Stay anonymous. Secure your data.” These formulas plaster banners, YouTube sponsorships, and tech podcasts.

The reality is more prosaic. A VPN is a pipe. It shifts your trust: instead of your ISP seeing your traffic, your VPN provider sees it. That’s sometimes useful. Often, it’s not the answer to your actual problem.

The danger isn’t using a VPN. It’s believing it solves problems it doesn’t touch.

What a VPN actually does

Let’s be precise about the mechanics. When you activate a VPN:

Traffic between your device and the VPN server is encrypted. Someone eavesdropping on the café Wi-Fi or the hotel network sees an opaque stream toward a VPN IP address. They see neither which domains you’re visiting nor the content. This is the most concrete protection a VPN provides.

Your real IP is hidden from the sites you visit. The site sees the VPN server’s IP, not yours. This is pseudonymization, not anonymity — a critical distinction I cover in the next section.

Censorship and geo-restriction bypass. In China, Russia, Iran: the GFW (Great Firewall) blocks domains and IP ranges. A VPN with a server abroad lets you route around these blocks — depending on the protocol used and the sophistication of local detection.

Unified outbound traffic for enterprises. This is actually the original VPN use case: forcing remote employees’ traffic through the company’s infrastructure to enforce centralized security and access policies.

What a VPN does NOT do

This is where the marketing lies by omission.

A VPN does not make you anonymous. Your VPN provider knows your real IP, your connection times, your traffic volume. If you paid by credit card, they know your identity. If their infrastructure is seized or compromised, that data may still exist even if their policy says “no logs.” Real anonymity requires Tor, not a VPN.

A VPN does not protect your cookies, browser fingerprint, or logged-in accounts. You activate NordVPN and then log into Facebook. Facebook knows exactly who you are. Your browser fingerprint (screen size, installed fonts, plugins, typing patterns) is often sufficient to identify you regardless of IP.

A VPN does not encrypt the content of your communications. HTTPS already handles that. Any communication over an HTTPS site is end-to-end encrypted between your browser and the site’s server — the VPN adds nothing to the content layer.

A VPN does not protect against malware. A malicious file downloaded through a VPN tunnel is still malicious. A VPN is not an antivirus, not a sandbox, not an EDR.

A VPN does not hide your identity from services you’re logged into. If you’re signed into Google, Google identifies you. The exit IP is irrelevant.

When a VPN is genuinely useful

Untrusted public Wi-Fi. Cafés, hotels, airports, conferences: you don’t control the network. A VPN encrypts the transit between you and the VPN server. No attacker on that network can read your traffic or spoof your DNS answers, provided your DNS queries go through the tunnel as well (see the DNS leak point under common mistakes). This is the most solid use case.

Countries with active network surveillance. In China, your local ISP (which is effectively the state) sees all your DNS and HTTP traffic. A VPN to a foreign server routes around this — provided the protocol isn’t detected and blocked. WireGuard on a non-standard port, or obfuscation protocols (Shadowsocks, V2Ray), are preferable in these contexts.

Masking your IP for sensitive OSINT research. You’re researching an entity that might detect your IP (corporate site, adversary infrastructure). A VPN shifts the visible IP. Not perfect, but useful.

Secure remote access to corporate infrastructure. The classic use case: remote employees connect via VPN to reach internal resources. Self-hosted WireGuard on a VPS or company server is the cleanest option.

When a VPN is NOT the solution

Against advertising tracking. Ad networks use fingerprints, persistent cookies, mobile advertising identifiers, tracking pixels — not your IP. Changing your IP doesn’t alter your advertising profile. For that: uBlock Origin, Privacy Badger, Firefox with the arkenfox user.js, or Brave.

Against data breaches. When LinkedIn or a service you use gets hacked, it’s your email and password that leak — not your IP. A VPN doesn’t protect against this.

Against malware and phishing. Opening a malicious attachment through a VPN tunnel changes nothing about what happens on your machine afterward.

Provider breakdown

Mullvad: the sector reference for privacy. No-logs policy independently and repeatedly audited. Cash payments accepted, as well as crypto. WireGuard and OpenVPN. No email required — just a randomly generated account number. Open source. Swedish jurisdiction (not ideal politically, but the transparency policy compensates). If your use case centers on privacy, start here.

ProtonVPN: Swiss, open source, audited, integrated with the Proton ecosystem (mail, calendar). High trust level. Slower than Mullvad on some servers. Strong option for those already in the Proton ecosystem.

IVPN: similar to Mullvad in approach, less known, equally serious. Accepts cash and Monero payments. Worth considering.

AirVPN: technical community, solid log policy, good documentation. Fewer points of presence. For technical profiles who want fine-grained control.

NordVPN, ExpressVPN, Surfshark: massive marketing, acquisitions by investment groups (Kape Technologies for ExpressVPN and CyberGhost, Nord Security for NordVPN). Limited audit scope. Not recommended for sensitive uses. Adequate for unblocking geo-restricted content if that’s all you need.

Free VPNs: near-universally problematic. The business model of a free VPN is either selling your browsing data, injecting advertising into your traffic, or worse. Hola VPN notoriously resold its users’ bandwidth. Avoid categorically.

Self-hosted WireGuard on a VPS: you control the infrastructure. Excellent for corporate network access. Problem for privacy: you’re the sole client of that VPS — your outbound traffic is trivially identifiable. Good for encrypting transit, not for anonymization.

WireGuard vs OpenVPN

WireGuard is the modern protocol. Approximately 4,000 lines of code (OpenVPN has ~100,000) — drastically reduced attack surface, easier to audit. Significantly better performance, lower latency, instant reconnection. It’s the recommended default today.

OpenVPN remains relevant in specific cases: better compatibility with some corporate firewalls, more configuration flexibility, longer audit history. If you’re managing a corporate VPN with particular network constraints, OpenVPN may still be the right choice.

Common mistakes

Believing that activating a VPN means anonymity. See above. As long as you’re logged into your accounts, you’re identifiable.

Using a free VPN for sensitive use cases. The free VPN is the worst option for someone who genuinely needs protection.

Not verifying that DNS is in the tunnel. Some VPN configurations let DNS queries pass outside the tunnel (DNS leak). The site dnsleaktest.com lets you verify. If your DNS leaks, your ISP still sees which domains you visit.

Split tunneling for sensitive uses. Split tunneling (only some traffic goes through the VPN) is convenient but risky: traffic outside the tunnel is exposed. For truly sensitive sessions, all traffic must go through the tunnel.

Configuring the VPN after browsing. If you visited a site before activating the VPN, that site already has your real IP. Activate the VPN first.
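As an added example (not code from the article, and not part of the WireGuard project), here is a small Python audit that checks a WireGuard client config for two of the mistakes just described: DNS queries that can leave the tunnel, and split tunneling. It also fits the self-hosted WireGuard setups mentioned in the provider breakdown, since those are exactly the configs you write by hand. The two sample configs are constructed; the key strings, the `vpn.example.invalid` endpoint and the 10.8.0.0/24 addresses are placeholders.

```python
"""Static audit of a WireGuard client config for split tunneling and DNS that
can escape the tunnel. Added example; the configs below are constructed and
the keys, endpoint and addresses are placeholders."""
import ipaddress

# Constructed: full tunnel, resolver reachable only through the tunnel.
FULL_TUNNEL = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/32
DNS = 10.8.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

# Constructed: split tunnel (two internal ranges only) and no DNS directive.
SPLIT_TUNNEL = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/32

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.8.0.0/24, 192.168.100.0/24
"""


def parse_wg(text):
    """Minimal INI-style parser: returns (interface_dict, [peer_dict, ...]).
    Keys are lowercased; a key repeated within one section is joined with ', '."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            current = interface if section == "interface" else {}
            if section == "peer":
                peers.append(current)
            continue
        if "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            current[key] = f"{current[key]}, {value}" if key in current else value
    return interface, peers


def networks_from(csv):
    """Parse a comma-separated AllowedIPs value into ip_network objects."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in csv.split(",") if s.strip()]


def covers_everything(networks, version):
    """True if the networks of one IP version (4 or 6) cover its whole address
    space. wg-quick installs one route per AllowedIPs entry, so this is the
    full-tunnel test; it also accepts the 0.0.0.0/1 + 128.0.0.0/1 idiom."""
    remaining = [ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")]
    for net in (n for n in networks if n.version == version):
        still_uncovered = []
        for block in remaining:
            if net.supernet_of(block):          # block lies inside net: covered
                continue
            if net.subnet_of(block):            # carve net out of the block
                still_uncovered.extend(block.address_exclude(net))
            else:
                still_uncovered.append(block)   # CIDR blocks are disjoint here
        remaining = still_uncovered
    return not remaining


def audit(config_text):
    """Return tunnel-shape flags plus human-readable findings for one config."""
    iface, peers = parse_wg(config_text)
    allowed = [n for p in peers for n in networks_from(p.get("allowedips", ""))]
    report = {"full_tunnel_v4": covers_everything(allowed, 4),
              "full_tunnel_v6": covers_everything(allowed, 6),
              "dns_in_tunnel": None, "findings": []}
    if not (report["full_tunnel_v4"] and report["full_tunnel_v6"]):
        report["findings"].append(
            "split tunnel: AllowedIPs do not cover every IPv4 and IPv6 "
            "destination; traffic to anything else bypasses the tunnel")
    resolvers = []
    for item in iface.get("dns", "").split(","):
        try:
            resolvers.append(ipaddress.ip_address(item.strip()))
        except ValueError:
            pass  # empty, or a search domain (wg-quick accepts those here)
    if not resolvers:
        report["findings"].append(
            "no DNS directive: the LAN/ISP resolver stays in use and its "
            "queries leave the tunnel unless its address is inside AllowedIPs")
    else:
        outside = [str(r) for r in resolvers if not any(r in n for n in allowed)]
        report["dns_in_tunnel"] = not outside
        if outside:
            report["findings"].append(
                f"DNS leak: resolver(s) {', '.join(outside)} are outside "
                "AllowedIPs, so queries to them are sent outside the tunnel")
    return report


if __name__ == "__main__":
    for name, cfg in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        result = audit(cfg)
        print(f"{name}: {'; '.join(result['findings']) or 'no findings'}")
```

This is a static check of the config, not a runtime one. Two caveats worth knowing: `0.0.0.0/0` without `::/0` leaves IPv6 outside the tunnel on any network that hands out IPv6, which the audit flags; and wg-quick's full-tunnel policy routing keeps the more specific routes of your LAN in the main table, so a resolver sitting on the local LAN is still reached directly even though `0.0.0.0/0` formally contains its address. The dnsleaktest.com check the article recommends remains the confirmation that counts.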

  • N1 Identify whether your use case actually justifies a VPN (untrusted public Wi-Fi? Censored country? Corporate network access?)
  • N1 Choose Mullvad, ProtonVPN, or IVPN over consumer-grade providers
  • N2 Verify no DNS leak with dnsleaktest.com after activation
  • N2 Disable split tunneling for all sensitive sessions
  • N2 For missions in censored countries: install and test the VPN BEFORE departure
  • N2 Use WireGuard as the default protocol (faster, reduced attack surface)
  • N3 For corporate network access: self-hosted WireGuard on a VPS or dedicated server
  • N3 For high-sensitivity use cases: Tor instead of a commercial VPN (real anonymity)
