How VPNs Work
A VPN creates an encrypted tunnel between your device and the internet, hiding your activity from your ISP and making it harder for anyone to track what you're doing online. But it doesn't make you invisible.
You’re at a coffee shop, connected to their free WiFi, checking your bank account. Without a VPN, everything you send across that network is visible to anyone else on the same network who knows where to look. Your passwords, your account numbers, the exact pages you’re viewing. Public WiFi networks are particularly vulnerable, which is why understanding how WiFi works helps you appreciate why encryption matters. Now imagine a tunnel of light surrounding your laptop, bending your internet traffic through a secret pathway before it emerges somewhere else. That’s what a VPN does: it wraps your internet connection in encryption and routes it through its own servers, replacing your real location with whatever server you choose.
The short answer
A VPN (Virtual Private Network) creates an encrypted connection between your device and a remote server operated by the VPN provider. All your internet traffic flows through this encrypted tunnel, meaning your internet service provider, the coffee shop network, and any casual snoopers can’t see what you’re doing online. The website you visit sees the VPN server’s IP address instead of yours, adding a layer of location privacy. However, the VPN provider itself can see your traffic, so a VPN protects you from network-level surveillance but not from the service you’re using or from a dishonest VPN provider.
The full picture
The encryption layer
The foundation of any VPN is encryption (VPNs use many of the same principles explained in how encryption works). When you connect to a VPN, your device and the VPN server perform a handshake, establishing a secure channel using cryptographic protocols. The two most common protocols today are OpenVPN (an open-source standard battle-tested since 2001) and WireGuard (a newer protocol offering faster speeds with roughly 4,000 lines of code compared to OpenVPN’s roughly 70,000, making it far easier to audit for security flaws).
Once established, this encrypted tunnel means anyone intercepting your packets sees only gibberish. Your ISP can see you’re connected to a VPN (the IP address gives it away), but they can’t see which websites you’re visiting or what data you’re transmitting.
IP addresses and what they reveal
Every device connected to the internet has an IP address, a numeric identifier that functions something like a postal address for data packets. When you visit a website, your computer sends a request from your IP address, and the website sends the response back to it. This is how websites know roughly where you are (city-level accuracy is common) and how they track repeat visitors. To understand the broader infrastructure that makes this possible, explore how the internet works.
A VPN replaces your real IP address with the IP address of its server. Connect to a VPN server in Tokyo, and websites will think you’re browsing from Tokyo. This is how Netflix geo-spoofing works (though Netflix actively fights this), and how people access content restricted to specific countries. It’s also why journalists and activists use VPNs to mask their location in restrictive regimes, though that’s a high-stakes use case where mistakes can have serious consequences.
Split tunneling: when you don’t want everything through the VPN
Not everything needs to go through the VPN tunnel. Most modern VPN apps let you configure split tunneling, choosing which apps or websites use the VPN connection and which use your normal internet path. Some providers also offer multi-hop connections, routing your traffic through two or more servers in sequence, making it significantly harder to trace your activity back to you. This comes with a speed cost, typically reducing your connection speed by 50% or more.
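Added example (not from the original article): route-based split tunneling as a WireGuard-style configuration expresses it, where the AllowedIPs list decides which destinations enter the tunnel and everything else takes the normal path. The two configs, all addresses and the helper names are constructed for illustration; the last function flags a DNS resolver that sits outside the tunnel, which is the DNS leak case.

```python
import configparser
import ipaddress

# Constructed sample configs; addresses come from documentation ranges.
FULL_TUNNEL = """
[Interface]
DNS = 10.8.0.1

[Peer]
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

SPLIT_TUNNEL = """
[Interface]
DNS = 192.0.2.53

[Peer]
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.8.0.0/24, 198.51.100.0/24
"""

def load(text):
    """Return (allowed_networks, dns_servers) from a single-peer config."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    allowed = [ipaddress.ip_network(n.strip(), strict=False)
               for n in cfg["Peer"]["AllowedIPs"].split(",")]
    dns = [ipaddress.ip_address(d.strip())
           for d in cfg["Interface"].get("DNS", "").split(",") if d.strip()]
    return allowed, dns

def path_for(dest, allowed):
    """'tunnel' if dest falls inside any AllowedIPs network, else 'direct'."""
    ip = ipaddress.ip_address(dest)
    return "tunnel" if any(ip in net for net in allowed) else "direct"

def dns_outside_tunnel(text):
    """DNS servers whose queries would bypass the tunnel (a DNS leak)."""
    allowed, dns = load(text)
    return [str(d) for d in dns if path_for(str(d), allowed) == "direct"]
```

With the split config, lookups sent to the resolver at 192.0.2.53 leave over the normal path, so the local network still sees which hostnames are being resolved even though traffic to the listed networks is encrypted.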
Kill switches: the safety net
One of the most important features of any reputable VPN is a kill switch. If your VPN connection drops unexpectedly, a kill switch immediately blocks all internet traffic from your device until the VPN is reconnected or you manually override it. Without this protection, your device would seamlessly fall back to your normal internet connection, and you’d never know you were suddenly exposed. For privacy-conscious users, a kill switch isn’t optional; it’s essential.
What a VPN doesn’t do
This is where expectations frequently exceed reality. A VPN does not make you anonymous. Websites can still track you through cookies, browser fingerprinting, and login information. Your VPN provider knows your real IP address and can see all your traffic. Trustworthy providers claim not to log this data, but you’d be taking their word for it.
A VPN also doesn’t protect you from malware or phishing. If you visit a malicious website and download something, the VPN isn’t going to stop it. Some providers bundle additional security tools, but these are separate protections, not something the VPN encryption itself provides.
Why it matters
Privacy on the internet isn’t a binary state where you’re either fully exposed or completely hidden. It’s a series of layers, and a VPN addresses one specific layer: the network between you and the first server you communicate with. It stops your ISP from selling your browsing history (which the FCC regulated in 2016 before Congress used the Congressional Review Act to repeal those protections in 2017, leaving ISPs free to sell browsing data without consent). It prevents WiFi snoopers on public networks from stealing passwords. It makes it harder for advertisers to build a complete profile of your activity.
But using a VPN also requires trust. You’re shifting trust from your ISP (who already sees everything) to your VPN provider (who now sees everything). This is why the VPN provider’s logging policy matters enormously. Services that are based in countries with strong privacy laws (Switzerland, British Virgin Islands, Panama) and have undergone independent security audits are generally more trustworthy than those operating from the US or countries with mandatory data retention laws.
The practical reality is that most people don’t need military-grade anonymity. They need protection from the immediate threats: the person next to them on Starbucks WiFi, their ISP’s data harvesting, and the general drift toward a surveillance-heavy internet. A VPN addresses those threats reasonably well, as long as you understand what it’s actually doing.
Common misconceptions
“A VPN makes you 100% private and untraceable.” This is perhaps the most persistent myth. The reality is that the VPN provider itself has complete visibility into your traffic. They promise not to log it, but unless they’ve been independently audited (and even then, you hope they’re telling the truth), you’re taking their word. Additionally, websites can still identify you through the cookies you carry, your browser fingerprint, and the accounts you log into. A VPN is one tool in a privacy toolkit, not a complete solution.
“Using a VPN is illegal in most countries.” This varies dramatically by jurisdiction. In most Western democracies, using a VPN is perfectly legal (you’re allowed to encrypt your own internet traffic). Countries like China, Russia, Iran, and North Korea restrict or ban VPN usage, but the laws target providers and circumvention, not individual users in most cases. The idea that VPNs are universally illegal is simply wrong for the majority of readers.
“All VPNs are basically the same.” The differences matter enormously. Some VPNs (typically free ones) make money by harvesting and selling your browsing data, defeating the entire purpose. Others have IP leaks, DNS leaks, or weak encryption that exposes your activity despite the VPN connection. Speed varies dramatically between providers and even between servers within the same provider. The best VPNs have been audited, maintain transparency reports, use modern protocols like WireGuard, and operate in privacy-friendly jurisdictions. For a tool that’s supposed to protect you, choosing a reputable paid service makes a real difference.