How to Ban a VPN (You Can't)
Parliament declined to name VPNs, then took the power to restrict them by regulation. Here is which VPNs a ban can reach, and what enforcing it would actually require.
What the law actually does
One arm of the British state publishes a guide on how to run a VPN safely, while another has just taken the power to restrict it. The National Cyber Security Centre, which is part of GCHQ, tells organisations that a virtual private network provides 'secure connectivity between devices in physically separate locations' and recommends IPsec for the purpose, advice its own page reaffirmed when it was last reviewed in May 2025.(NCSC, 2025) That the same government which explains how to build the tunnel should now legislate to close it would be no more than an irony, were it not that only one of the two departments involved appears to understand how a VPN actually works.
It is worth beginning with what the law says, because most of the coverage has misread it. On 21 January 2026 the House of Lords voted, by 207 to 159, for an amendment that would have banned the provision of VPN services to anyone under 18, a clause advanced without visible embarrassment under the title 'Action to prohibit the provision of VPN services to children in the United Kingdom'.(UK Parliament, 2026) That amendment did not survive, and what reached the statute book in its place, buried in the Children's Wellbeing and Schools Act 2026, is both quieter and considerably larger. Section 70 hands the Secretary of State a power to make regulations requiring providers of 'specified internet services' to prevent or restrict children's access, and it never once uses the word VPN, for the simple reason that it does not need to.(Legislation.gov.uk, 2026)
That distinction matters far more than the headlines allowed. A named ban is a target that can be argued with on the floor of the House, whereas a technology-neutral power is a blank space the same minister may fill in later, by regulation, under a small fraction of the scrutiny a clause in a bill would attract. No regulations have yet been laid, and the Act does little more than start a clock, requiring a progress statement within three months of Royal Assent and the first regulations within twelve months of that statement, so the honest description of the position in July 2026 is not that Britain has banned VPNs but that it has quietly built the lever and has not yet pulled it.
Which VPNs a ban can reach
Suppose that it does. The question an engineer would ask first, and that a minister apparently did not, is which VPNs a restriction could actually reach, because there are three quite different kinds of them, and they are nowhere near equal in how catchable they are.
The consumer app is the easy one. Services such as NordVPN, Proton and Surfshark reach their users through Apple's and Google's stores, so a regulator can lean on the stores, or on the companies behind the apps, to age-gate downloads or turn British minors away, which is precisely the route Michigan is now attempting in the United States, where House Bill 4938, introduced in September 2025, defines a 'circumvention tool' to include 'virtual private networks, proxy servers, and encrypted tunneling methods' and would compel internet providers to detect and block them on pain of fines reaching $500,000.(Michigan Legislature, 2025) That the bill has languished in committee ever since is a fair measure both of how easy such a clause is to write and of how hard it is to pass.
The corporate VPN is the awkward one, because every bank, hospital and law firm in the country relies on one to let staff reach internal systems from home, which is exactly the connectivity the NCSC recommends, so any rule that swept it up would break the working day for much of the economy. A serious restriction therefore has to carve the enterprise tunnel out while still catching the consumer one, which means drafting a definition that separates two things that are, at the level of the protocol, identical, and nobody has yet written that definition because it cannot be cleanly written.
The self-hosted VPN is the one that is not there to be caught at all. For roughly the price of a coffee a month, anyone can rent a virtual server and run WireGuard on it, a piece of free and open software that comes to about a dozen lines of configuration, and at that point there is no app in a shop to remove, no company on which to serve an order and no provider to fine, because the user has quietly become the provider. A restriction cannot age-gate something that a reasonably determined 15-year-old can assemble in an afternoon by following a tutorial.
None of this is speculation, because India has already run the experiment for us. In April 2022 its cyber-security agency ordered VPN providers to record their users' names, addresses and allocated IP addresses and to keep those logs for five years, which is exactly the information a no-log VPN is built never to hold, and rather than comply the major providers simply left.(CERT-In, 2022) ExpressVPN, NordVPN, Surfshark, Proton and CyberGhost withdrew their physical servers from the country and carried on serving Indian users from abroad. The directive remains in force, the VPNs still work, and the only thing the Indian state achieved was to push the servers beyond the reach of its own courts, so that a British obligation placed on providers, which is the most probable shape of any regulation made under Section 70, is pointed at precisely the same destination.
There is exactly one country in which a VPN restriction genuinely bites, and it repays a moment's attention to see why. China does not trouble itself with pulling apps from shops, choosing instead to inspect the traffic itself, its Great Firewall reading the shape of every connection as it passes and, since 2021, identifying even fully encrypted tunnels, the kind engineered to resemble nothing in particular, by measuring the statistical fingerprint of their first packet. Researchers presenting at USENIX in 2023 documented the apparatus in forensic detail, describing passive analysis carried out at national scale, suspect connections dropped for up to three minutes at a time and something like a quarter of them held under active observation.(Wu et al., 2023)
That is what enforcement actually costs. It is not a clause or an app-store policy but a system that examines what every citizen sends, for the plain reason that the only reliable way to catch a tunnel is to look inside the pipe that carries it. Even China has not closed the gap, since tools such as AmneziaWG pad WireGuard with meaningless data in order to blur the very fingerprint the firewall hunts for, at which point the firewall adapts, the tools adapt in turn, and the contest simply resumes.(Amnezia, 2025) The lesson is not that a sufficiently determined state cannot suppress VPNs, but that the price of the attempt is a permanent machine for watching everyone, and that the reward for building it is a fight without an end.
At the far extreme sits North Korea, where the ban is complete precisely because its citizens cannot reach the internet in the first place. They are given Kwangmyong, a walled national intranet with no exit, while the open web is reserved for a few thousand of the trusted, so that the only place a VPN ban ever works in full is a country that has already, in effect, banned the internet.(Recorded Future, 2024)
Even the friendliest comparison cuts against the plan. France has not banned VPNs, being a liberal democracy with a weakness for football, yet in May 2025 a Paris court ordered NordVPN, Proton and several others to block a couple of hundred pirate sports-streaming domains, treating the VPN companies as 'technical intermediaries' that could be conscripted into enforcement, an order the providers are now appealing.(franceinfo, 2025) That is the gentlest imaginable expression of the same instinct, the urge to reach past the user and lean on the tunnel instead, and even in its courteous French form it is already being resisted.
The children the ban is named for
All of which brings us back to the children in whose name the exercise is being conducted, and here the government's own evidence turns out to be the most awkward witness of all. When the age checks took effect in July 2025 it was adults who rushed to VPNs, with daily use briefly doubling to something like 1.5 million before subsiding, whereas children barely moved at all.(Ofcom, 2025) The best independent tracking, carried out by Internet Matters and echoed by a separate Childnet survey, found that roughly eight in every hundred children had used a VPN in the past year, a figure that had not moved across two years of the tracker and showed no rise attributable to children once the checks arrived.(Internet Matters, 2025)(Childnet, 2025) The measure aimed squarely at the young, in other words, is being routed around by their parents, while the young it names were largely never reaching for the tool to begin with.
There is a reason the state is turning to VPNs just now, and it is the larger restriction arriving behind them. That same Section 70 power is about to be used for its headline purpose, a ban on social media for under-16s, announced as firm policy in June 2026 and due to take effect in the spring of 2027.(DSIT, 2026) An age wall of that kind is exactly what a VPN steps around, since the moment you forbid a teenager an account you have handed them a reason to reach for the one tool that quietly relocates them to a country that does not care how old they are, which is why the logic that bars the account comes round, sooner or later, to bar the VPN. The chase has no natural end. The fear may nonetheless be overstated, because where such a ban already runs, in Australia, children are getting past it mostly by simpler means, with barely one teenager in twenty reaching for a VPN while most just keep the accounts the platforms never got round to deleting, which is why the government there this summer chose not to hunt the VPNs but to double the fines on the platforms.(Barnes et al., 2026)(Molly Rose Foundation, 2026)
Even a VPN restriction that somehow worked would leave the wall full of open doors. Harmful material, and the means of reaching it, travel by routes a VPN rule never touches, through the private messaging that the coming ban pointedly exempts, so that WhatsApp and Signal stay open, through Tor, which one professor of cyber-security calls practically impossible to prevent, through sideloaded apps and borrowed adult logins, and through the plain social workarounds, a friend's account or a faked birthday, that children reach for long before they reach for anything technical.(Open Rights Group, 2025)(Science Media Centre, 2026) Ofcom spent the spring of 2026 investigating grooming and illegal material on Telegram and a pair of chat sites, none of which a VPN law would have touched.(The Record, 2026) To treat the VPN as the gap in the defences is to mistake a single brick for the wall.
What a restriction can and cannot do
Set the account out plainly, then. A VPN restriction cannot stop a curious 15-year-old, who can stand up a private server in an afternoon or consult any of the countless guides a ban would helpfully advertise into existence. It can inconvenience the least technical users, who are seldom the people the panic is about. What it can do, if it is pursued in earnest, is furnish the justification for inspecting everyone's traffic, since that inspection is the only thing capable of making the ban real. A measure that fails at protecting children while succeeding at surveilling adults is not so much confused about its purpose as unwilling, for the moment, to say so aloud.
The right you have, and the machinery already built
Britain has never been short of ways to watch, either, and the ones it already holds reach a good deal further than any age check. Under the Investigatory Powers Act the government can require your internet provider to keep, for twelve months, a record of every service your connection reaches, so that even without a VPN the log of where you have been already sits with your ISP, available to a long list of public bodies on the right authorisation.(Investigatory Powers Act, 2016) The same Act lets a minister serve a secret technical capability notice on a company, compelling it to build a means of access and forbidding it, on pain of prosecution, from admitting the notice exists, which is, on the most credible reporting, what befell Apple in 2025 when it withdrew its strongest encryption from British users rather than comply.(SecurityWeek, 2025) These are separate laws from the one now reaching for VPNs, with separate purposes and separate overseers, and it would be wrong to fold them into a single plot. The point is narrower and rather more awkward. A state that already commands this much visibility does not need to restrict the VPN in order to watch its citizens, so the fact that it has taken the power to do so anyway tells you what the power is for.
There is also a right in the background that the whole argument turns on. People in Britain do have a legal right to private correspondence, set out in Article 8 of the European Convention and written into domestic law by the Human Rights Act, but it is a qualified right rather than an absolute one.(Human Rights Act, 1998) Article 8 permits the state to read your correspondence where it acts within the law, for a recognised aim such as the prevention of crime, and in proportion to that aim, and because the country has no written constitution the most a court can do with an Act it considers incompatible is issue a declaration that leaves the law fully in force. The European Court has held that even bulk interception is not inherently unlawful, only that the safeguards around it must be real.(European Court of Human Rights, 2021) A VPN is one of the few practical things that gives that thin right some weight, which is worth holding in mind when the same state proposes to take it in hand.
The alarm is neither new nor the property of one side, which is what makes the drift so telling. A decade ago, as shadow home secretary, Andy Burnham warned during the passage of what became the Investigatory Powers Act that a Britain bent on recording every citizen's internet use would make itself 'the envy of states such as North Korea, China and Iran'.(Open Rights Group, 2016) He is now the man most likely to be Britain's next prime minister, and the flagship of his politics is the very online-child-safety settlement whose enforcement runs through age checks and identity, and which members of his own benches are already trying to extend to VPNs.(IBTimes UK, 2026) To his credit he still resists the mandatory digital identity that would complete the picture. The point is not that any single politician is a hypocrite. It is that a good cause, pushed hard enough, manufactures the demand for the machinery, whatever the person at the top once understood.
Why 'nothing to hide' is the wrong argument
The stock reply to all of this is that the honest have nothing to hide, which is among the oldest bad arguments there is and among the most quietly corrosive. Privacy was never the concealment of wrongdoing. It is the ordinary condition of a free life, and the reasons an adult would rather the company that sells them broadband did not keep a log of their every move are dull, lawful and their own business, whether a diagnosis looked up after midnight, money moved between accounts, a new job sought behind an employer's back, a lawyer or a journalist consulted, or an abusive home quietly being left. A person's browsing is as revealing as their medical record, which is one reason the Convention protects correspondence, and not merely the correspondence of the innocent. The genuinely dangerous, in any event, are not the ones a restriction would reach, since serious crime is pursued with targeted warrants aimed at named suspects under the same Act, and the determined criminal will run his own tunnel long before the curious teenager does. Take the shop-bought VPN away and you catch no one who matters, having stripped a thin layer of privacy from the millions who were never the problem, which is the reliable signature of a measure that has mistaken looking busy for keeping people safe.
None of this arrives announced as surveillance. It comes wrapped in an emergency and a sympathetic cause, and it seldom leaves when the emergency does. Not long ago Britons were asked to show a certificate at the door of a nightclub to be let in, a temporary measure for a genuine crisis, and the certificate has gone while the habit of producing papers to enter ordinary life has not, being rebuilt now in the more durable shape of digital identity and the cameras that read faces on the high street.(UK Government, 2022) The worry here is older than Orwell. Bentham designed his panopticon so that the watched could never be certain they were not being watched, trusting the uncertainty to do the work of the guard, and Zamyatin housed the citizens of his one state behind walls of glass so that nothing needed to be hidden because nothing could be. What both men grasped, and what the nothing-to-hide argument keeps missing, is that a people who know they may always be seen are already a little less free, whatever they happen to be doing when the light is on.
The alternative that actually protects children
The genuinely frustrating thing is that protecting children online has a real solution, and this is plainly not it. If the object is to keep children out of adult spaces, or off the platforms the coming ban reserves for over-16s, the instrument is age assurance that can prove someone is over a given age without harvesting an identity, and that instrument already exists. Apple's Declared Age Range hands an application a bracket, 'over 18' or '13 to 15' and nothing more, leaving the actual birthday on the device, so that no document is uploaded, no database of faces is assembled and no VPN provider is pressed into service as a passport office.(Apple, 2025) The European Union's age-verification app goes a step further, designed around a zero-knowledge proof, so that it returns a plain yes to the single question of whether the user is over the threshold while storing neither a name nor a date of birth.(European Commission, 2026) Neither system is flawless, and both are burdensome beside the alternative of doing nothing, yet both are far less burdensome, and a great deal less dangerous, than compelling every VPN to demand papers at the door. The choice was never really one between safety and privacy. It was a choice between a design that protects children and a design that watches adults, and the government has so far reached for the second.
A VPN, in the end, cannot really be banned. It can only be turned into a reason to watch. Britain has built the lever, and the regulations that would work it are not yet written, so the question that now matters is whether anyone can make the case, in the months before they are, that pulling it will protect no child and inspect every adult, and that the instrument the state proposes to restrict is the very one its own security service still recommends.(UK Government, 2025)
Keeping your ISP out of your traffic
None of the above is advice to a minor about slipping past an age check. It is the older and duller reason people have run VPNs since well before the phrase 'online safety' was coined, which is that your internet provider can see, and record, every site you connect to, and a good many adults would simply rather it did not. If some future regulation makes the shop-bought VPN harder to buy, the same job can still be done in other ways, each with an honest trade-off attached.
- A hosted VPN remains the simplest option and stays perfectly legal for adults, with audited, no-logs providers such as NordVPN, Proton and Surfshark the usual choices; our UK guide ranks them and the methodology shows the working. It hides your browsing from your internet provider, though not from the VPN company itself.
- A self-hosted WireGuard tunnel, run on a rented server, gives you something no ban can remove, because you have become the provider, and it conceals your traffic from your home ISP while remaining visible to whoever hosts the machine.
- Tor offers the strongest anonymity of all by relaying your traffic through three separate hops, at the price of noticeable slowness and the occasional site that refuses to admit visitors arriving through it.
- Apple's Private Relay hides Safari browsing from your ISP for iCloud+ subscribers with almost no effort on your part, though it covers only Safari and only on Apple hardware.
- Encrypted DNS with ECH stops your provider from reading which sites you look up and, increasingly, which ones you open, a low-effort measure that remains partial until more of the web supports it.
- Decentralised VPNs and Shadowsocks route your traffic through volunteer or self-run nodes and are the hardest of all to block, though they are also the most fiddly to run and the most variable in quality.
One caveat runs through all of them. A VPN moves your traffic out of your internet provider's sight, but it cannot put you beyond the law, and wherever a provider is based a lawful order can reach the account records it actually keeps, whether under Britain's Investigatory Powers Act, the American CLOUD Act or the European Union's e-evidence rules. That is why a genuine, independently audited no-logs design matters more than any promise on a homepage, since none of those powers can hand over logs that were never kept.
None of these is a magic cloak, and none pretends to be. The point is only that the plumbing of a private connection is ordinary, well understood and impossible to legislate out of existence, so that a government may regulate the shops all it likes, but it cannot regulate the protocol. For the wider pattern this fits into, see our essay on the verification state.
The provider links above are affiliate links. They help fund the research; they do not change what is recommended or how it is scored.
Choosing a VPN that will not fold under pressure
Jurisdiction, an independent no-logs audit and a diskless build matter more than any marketing line, because a lawful order can only reach the records a provider actually keeps. Our UK guide ranks the providers that hold up, with the scoring shown in full.
References
- [1]Amnezia (2025) 'AmneziaWG Documentation', Amnezia. Available at: https://docs.amnezia.org/documentation/amnezia-wg/ (Accessed: 7 July 2026).
- [2]Apple (2025) 'Declared Age Range — Developer Documentation', Apple. Available at: https://developer.apple.com/documentation/declaredagerange/ (Accessed: 7 July 2026).
- [3]Barnes et al. (2026) 'Assessing early evidence of Australia's Social Media Minimum Age Act and adolescents' use', BMJ. Available at: https://doi.org/10.1136/bmj-2026-363695 (Accessed: 7 July 2026).
- [4]CERT-In (2022) 'Directions under sub-section (6) of section 70B, No. 20(3)/2022', Indian Computer Emergency Response Team. Available at: https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf (Accessed: 7 July 2026).
- [5]Childnet (2025) 'The VPN surge following age verification is not attributable to children', Childnet International. Available at: https://www.childnet.com/blog/new-research-from-childnet-shows-that-the-surge-in-vpn-use-following-the-introduction-of-age-verification-in-the-summer-is-not-attributable-to-children/ (Accessed: 7 July 2026).
- [6]DSIT (2026) 'Social media to be banned for under-16s in landmark government move', Department for Science, Innovation and Technology. Available at: https://www.gov.uk/government/news/social-media-to-be-banned-for-under-16s-in-landmark-government-move-to-give-kids-their-childhood-back (Accessed: 7 July 2026).
- [7]European Commission (2026) 'EU Age Verification Solution (FAQ)', European Commission. Available at: https://digital-strategy.ec.europa.eu/en/faqs/eu-age-verification-solution (Accessed: 7 July 2026).
- [8]European Court of Human Rights (2021) 'Big Brother Watch and Others v the United Kingdom (Grand Chamber)', ECtHR. Available at: https://hudoc.echr.coe.int/eng?i=001-210077 (Accessed: 7 July 2026).
- [9]franceinfo (2025) 'La justice francaise ordonne aux VPN de bloquer des sites illegaux de diffusion sportive', franceinfo. Available at: https://www.franceinfo.fr/sports/foot/piratage-la-justice-francaise-ordonne-pour-la-premiere-fois-aux-vpn-de-bloquer-des-sites-illegaux-de-diffusion-de-competitions-sportives_7252476.html (Accessed: 7 July 2026).
- [10]Human Rights Act (1998) 'Schedule 1 — Article 8 (right to respect for private and family life)', legislation.gov.uk. Available at: https://www.legislation.gov.uk/ukpga/1998/42/schedule/1 (Accessed: 7 July 2026).
- [11]IBTimes UK (2026) 'Burnham's under-16 social media ban plan faces push for added VPN restrictions', International Business Times UK. Available at: https://www.ibtimes.co.uk/uk-under-16-social-media-ban-vpn-challenge-1807188 (Accessed: 7 July 2026).
- [12]Internet Matters (2025) 'Data shows no rise in children's VPN use amid online age checks', Internet Matters. Available at: https://www.internetmatters.org/hub/research/data-shows-no-rise-childrens-vpn-use-amid-online-age-checks/ (Accessed: 7 July 2026).
- [13]Investigatory Powers Act (2016) 'Sections 87, 253 and 255 (retention notices, technical capability notices)', legislation.gov.uk. Available at: https://www.legislation.gov.uk/ukpga/2016/25/section/253 (Accessed: 7 July 2026).
- [14]Legislation.gov.uk (2026) 'Children's Wellbeing and Schools Act 2026, section 70', The National Archives. Available at: https://www.legislation.gov.uk/ukpga/2026/21/section/70/enacted (Accessed: 7 July 2026).
- [15]Michigan Legislature (2025) 'House Bill 4938 (Anticorruption of Public Morals Act)', Michigan Legislature. Available at: https://www.legislature.mi.gov/Bills/Bill?ObjectName=2025-HB-4938 (Accessed: 7 July 2026).
- [16]Molly Rose Foundation (2026) 'Australia Social Media Ban Research Briefing', Molly Rose Foundation. Available at: https://mollyrosefoundation.org/wp-content/uploads/2026/04/MRF_Australia-Social-Media-Ban-Research_Briefing-April-26.pdf (Accessed: 7 July 2026).
- [17]NCSC (2025) 'Virtual Private Networks (VPNs) — Device Security Guidance', National Cyber Security Centre. Available at: https://www.ncsc.gov.uk/collection/device-security-guidance/infrastructure/virtual-private-networks (Accessed: 7 July 2026).
- [18]Ofcom (2025) 'Letter from Dame Melanie Dawes on the Online Safety Act (VPN daily-active use)', Ofcom. Available at: https://www.ispreview.co.uk/index.php/2025/11/ofcom-monitoring-uk-vpn-use-due-to-circumvention-of-online-safety-act.html (Accessed: 7 July 2026).
- [19]Open Rights Group (2025) 'VPNs and the Online Safety Act', Open Rights Group. Available at: https://www.openrightsgroup.org/publications/briefing-vpns-and-the-online-safety-act/ (Accessed: 7 July 2026).
- [20]Open Rights Group (2016) 'Andy Burnham's demands on the Investigatory Powers Bill', Open Rights Group. Available at: https://www.openrightsgroup.org/blog/2016/andy-burnhams-demands-can-they-be-met (Accessed: 7 July 2026).
- [21]Recorded Future (2024) 'North Korea's Internet Behaviour', Insikt Group. Available at: https://www.recordedfuture.com/research/north-korea-internet-behavior (Accessed: 7 July 2026).
- [22]Science Media Centre (2026) 'Expert reaction to study on Australia's social media minimum age', Science Media Centre. Available at: https://www.sciencemediacentre.org/expert-reaction-to-study-assessing-early-evidence-of-association-between-australias-social-media-minimum-age-act-and-adolescents-social-media-use/ (Accessed: 7 July 2026).
- [23]SecurityWeek (2025) 'Apple Pulls Advanced Data Protection for New UK Users Amid Backdoor Demand', SecurityWeek. Available at: https://www.securityweek.com/apple-pulls-advanced-data-protection-for-new-uk-users-amid-backdoor-demand/ (Accessed: 7 July 2026).
- [24]The Record (2026) 'UK regulator to probe Telegram over CSAM allegations', Recorded Future News. Available at: https://therecord.media/uk-regulator-to-probe-telegram-over-csam-allegations (Accessed: 7 July 2026).
- [25]UK Government (2025) 'Keeping children safe online: changes to the Online Safety Act explained', gov.uk. Available at: https://www.gov.uk/government/news/keeping-children-safe-online-changes-to-the-online-safety-act-explained (Accessed: 7 July 2026).
- [26]UK Government (2022) 'England returns to Plan A as regulations on face coverings and COVID Passes change', gov.uk. Available at: https://www.gov.uk/government/news/england-returns-to-plan-a-as-regulations-on-face-coverings-and-covid-passes-change-today (Accessed: 7 July 2026).
- [27]UK Parliament (2026) 'House of Lords Division 3503 (Amendment 92)', votes.parliament.uk. Available at: https://votes.parliament.uk/votes/lords/division/3503 (Accessed: 7 July 2026).
- [28]Wu et al. (2023) 'How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic', USENIX Security Symposium. Available at: https://gfw.report/publications/usenixsecurity23/en/ (Accessed: 7 July 2026).
