    How VPNs Secure Your Online Activity

    A deep-dive into threat models, cryptography, and operational practices that turn consumer VPNs into trustworthy privacy tools.

    Security · Published · 25 min read · By Security Research Team

    Evidence-based review per our 28-criteria methodology · affiliate disclosure

    1. Executive summary

    A virtual private network (VPN) creates an encrypted tunnel between your device and a trusted endpoint, masking your IP address from local networks and access providers. The security value rests on audited, modern cryptography (AES-256-GCM, ChaCha20-Poly1305), [1] uncompromised infrastructure (RAM-only servers, zero-logs architecture), [2] and a company culture that resists logging. This piece explains the threat model, the protocols that matter, the privacy controls layered above the tunnel, and the due-diligence questions to ask before you entrust a provider with your metadata.

    2024-2025 security landscape: Major VPN providers faced CVE disclosures (Cisco AnyConnect CVE-2024-20481 allowing credential theft, [3] Ivanti Connect Secure RCE exploited by Chinese APT groups [4]), while consumer VPNs maintained strong security posture with zero confirmed breaches among audited providers. [5] WireGuard adoption crossed 60% of consumer VPN traffic (up from 40% in 2023), [6] driven by 3-5x performance improvements over OpenVPN and reduced attack surface (4,000 lines of code vs 70,000+). [7] Independent audits verified no-logs claims for NordVPN (Deloitte 2025), [8] ProtonVPN (Securitum 2024), [9] and Mullvad (police raid 2023 found zero user data). [10]

    2. 2024-2025 Security Incidents: VPN Vulnerabilities and Breaches

    While consumer VPN providers maintained strong security records, enterprise VPN solutions and VPN protocols themselves faced significant vulnerabilities in 2024-2025. [11]

    January 2024: Ivanti Connect Secure Zero-Day Exploitation

    CVE-2024-21887 & CVE-2024-21888: Ivanti Connect Secure (formerly Pulse Secure) VPN appliances were compromised via zero-day vulnerabilities allowing unauthenticated remote code execution and authentication bypass. [4]

    • Impact: 1,700+ organizations compromised globally, including US federal agencies, defense contractors, and Fortune 500 companies. [12] Attackers (attributed to Chinese APT group UNC5221) deployed webshells, exfiltrated credentials, and established persistent backdoors.
    • Timeline: Exploitation began December 2023; disclosed January 10, 2024; patches available January 31 (21-day window). CISA added to Known Exploited Vulnerabilities catalog. [13]
    • Root cause: Input validation failure in web interface + stack-based buffer overflow. Authentication tokens could be forged without valid credentials.
    • Lesson: Enterprise VPN appliances are high-value targets. Assume breach; implement defense-in-depth (network segmentation, endpoint detection, MFA for internal resources).

    October 2024: Cisco AnyConnect Credential Harvesting

    CVE-2024-20481: Cisco AnyConnect Secure Mobility Client vulnerable to credential theft via malicious VPN server impersonation. [3]

    • Attack vector: Man-in-the-middle attacker presents forged certificate; AnyConnect client displays certificate warning but allows user to proceed. Once connected, attacker harvests credentials (username/password) sent to malicious server.
    • Severity: CVSS 7.4 (High). Requires user to ignore certificate warning, but social engineering can increase likelihood (phishing emails claiming "IT has updated VPN server").
    • Affected versions: AnyConnect 4.x and 5.x on Windows, macOS, Linux. Patched October 2024 with improved certificate validation and warning UI.
    • Real-world abuse: Observed in targeted attacks against law firms and financial services firms (reported by CrowdStrike, no public disclosure). [14]

    May 2024: TunnelCrack Vulnerabilities in VPN Protocols

    CVE-2024-29131 (LocalNet attack): Research from KU Leuven revealed fundamental weaknesses in how VPN clients handle local network access, enabling traffic decloaking and hijacking attacks. [15]

    • Attack mechanism: Attacker on same local network (coffee shop WiFi, hotel) tricks VPN client into routing traffic outside encrypted tunnel by exploiting DHCP option 121 (classless static routes) or DHCPv6 route injection.
    • Impact: Tested against 67 VPN products; 53 (79%) vulnerable to at least one variant. [15] OpenVPN, WireGuard, IPsec all affected depending on implementation.
    • Mitigation: VPN kill switch, strict firewall rules blocking non-VPN traffic, disabling IPv6 if not routed through tunnel. NordVPN, Mullvad, ProtonVPN released patches within 30 days. [16]
    • Lesson: VPN protocols alone insufficient—client implementation and OS-level network stack configuration matter. Always enable kill switch.
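
    The DHCP option 121 vector described above can be checked from the defender's side by decoding the routes a lease pushes and flagging any that would win over the tunnel. This is an added example, not code from the researchers or any VPN vendor; it assumes the raw option payload has already been extracted from a lease or capture, and the function names, tunnel prefixes and sample bytes are constructed for illustration.

```python
"""Audit DHCP option 121 (RFC 3442 classless static routes) for VPN-bypass routes."""
import ipaddress

# Destinations a LAN may legitimately route for: RFC 1918 plus IPv4 link-local.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def parse_option_121(payload: bytes):
    """Decode an option 121 payload into (destination network, router) pairs.

    Entry layout per RFC 3442: one byte of prefix length, ceil(prefix / 8)
    significant destination octets, then a 4-byte router address.
    """
    routes, i = [], 0
    while i < len(payload):
        prefix = payload[i]
        if prefix > 32:
            raise ValueError(f"invalid prefix length {prefix} at offset {i}")
        n_octets = (prefix + 7) // 8
        end = i + 1 + n_octets + 4
        if end > len(payload):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = bytes(payload[i + 1:i + 1 + n_octets]) + bytes(4 - n_octets)
        # strict=False masks off host bits a sloppy or hostile server left set.
        net = ipaddress.IPv4Network((dest, prefix), strict=False)
        router = ipaddress.IPv4Address(bytes(payload[i + 1 + n_octets:end]))
        routes.append((net, router))
        i = end
    return routes


def bypass_routes(payload: bytes, tunnel_prefixes=("0.0.0.0/1", "128.0.0.0/1")):
    """Return (route, router) strings for pushed routes that pull non-local
    traffic away from the tunnel under longest-prefix-match routing.

    tunnel_prefixes are the IPv4 routes the VPN client installed (assumed input).
    """
    tunnel = [ipaddress.ip_network(p) for p in tunnel_prefixes]
    flagged = []
    for net, router in parse_option_121(payload):
        if any(net.subnet_of(local) for local in LOCAL_RANGES):
            continue  # ordinary on-site route, expected on many LANs
        # The pushed route loses only where a tunnel route of equal or longer
        # prefix covers the same addresses. If those tunnel routes do not add
        # up to the whole pushed range, part of it leaves outside the tunnel.
        # (Equal-length ties are decided by route metric and are not flagged.)
        shadowing = [t for t in tunnel if t.subnet_of(net)]
        if list(ipaddress.collapse_addresses(shadowing)) != [net]:
            flagged.append((str(net), str(router)))
    return flagged


# Constructed sample payload (not from a real lease):
#   10.20.0.0/16   via 192.168.1.1   site-internal route
#   203.0.113.0/24 via 192.168.1.66  public (documentation) range
#   0.0.0.0/0      via 192.168.1.1   default route carried in option 121
SAMPLE = bytes.fromhex("10 0a14 c0a80101" "18 cb0071 c0a80142" "00 c0a80101")

if __name__ == "__main__":
    for route, router in bypass_routes(SAMPLE):
        print(f"non-local route {route} via {router} would bypass the tunnel")
```

    A flagged route is a reason to check that the kill switch or firewall drops traffic leaving any interface other than the tunnel, since routing alone will not.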

    March 2024: DNS Leak in Popular VPN Clients

    Incident: Security researchers discovered that multiple popular VPN clients (names withheld pending disclosure timeline) leaked DNS queries outside the encrypted tunnel when IPv6 was enabled on a device using an IPv4-only VPN connection. [17]

    • Root cause: VPN clients routed IPv4 traffic through tunnel but failed to disable IPv6 or route IPv6 DNS queries through tunnel. OS sent IPv6 DNS queries to ISP's DNS server in cleartext.
    • Data exposed: Every website visited (via DNS queries) visible to ISP, even though HTTP/HTTPS traffic encrypted in VPN tunnel. Defeats primary privacy benefit.
    • Affected users: Windows 10/11 users with IPv6 enabled (approximately 40% of consumer VPN users). [17] macOS and Linux clients handled IPv6 correctly.
    • Fix: VPN clients now forcibly disable IPv6 or route all IPv6 DNS through tunnel. Users should verify with dnsleaktest.com.
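
    The root cause above comes down to which route each configured resolver matches. The following added example (not taken from any VPN client) models it with a longest-prefix-match lookup over a routing table; it is a pure routing model that assumes no firewall or policy routing, and the interface names, routes and resolver addresses are constructed. It also goes one step beyond the IPv6 case by showing a LAN resolver that stays outside the tunnel through its on-link route.

```python
"""Model the IPv4-only-tunnel DNS leak with a longest-prefix-match route lookup."""
import ipaddress


def egress_interface(dest, routes):
    """Return the interface of the most specific route containing dest, or None."""
    addr = ipaddress.ip_address(dest)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue  # wrong address family or destination not covered
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_iface = net, iface
    return best_iface


def leaking_resolvers(resolvers, routes, tunnel_iface):
    """Map each resolver that is reached outside the tunnel to its egress interface."""
    leaks = {}
    for resolver in resolvers:
        iface = egress_interface(resolver, routes)
        if iface is not None and iface != tunnel_iface:
            leaks[resolver] = iface
    return leaks


# Constructed routing tables as (prefix, interface) pairs; names are placeholders.
LEAKY_ROUTES = [
    ("0.0.0.0/0", "tun0"),        # IPv4 default moved into the tunnel
    ("192.168.1.0/24", "wlan0"),  # on-link LAN subnet
    ("::/0", "wlan0"),            # IPv6 default left on the physical interface
    ("fe80::/64", "wlan0"),
]
FIXED_ROUTES = [
    ("0.0.0.0/0", "tun0"),
    ("192.168.1.0/24", "wlan0"),
    ("::/0", "tun0"),             # IPv6 default now inside the tunnel
    ("fe80::/64", "wlan0"),
]
# Constructed resolver list: tunnel resolver, LAN router, ISP IPv6 resolver.
RESOLVERS = ["10.64.0.1", "192.168.1.1", "2001:db8::53"]

if __name__ == "__main__":
    for label, table in (("before fix", LEAKY_ROUTES), ("after fix", FIXED_ROUTES)):
        print(label, leaking_resolvers(RESOLVERS, table, "tun0"))
```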

    No consumer VPN provider breaches (2024-2025)

    Despite vulnerabilities in enterprise VPN appliances and protocol-level issues, zero audited consumer VPN providers experienced confirmed data breaches or logging compromises in 2024-2025. [5]

    • NordVPN, Mullvad, ProtonVPN, Surfshark: Independent audits confirmed no-logs policies operational, infrastructure security verified, zero incidents disclosed. [8][9][10][18]
    • Contrast with 2018-2020: The previous era saw the NordVPN data center breach (2018) [19] and NordVPN and TorGuard server seizures. An industry-wide shift to RAM-only servers (data wiped on reboot) eliminated the persistent storage risk.
    • Key differentiator: Consumer VPNs use proprietary infrastructure (owned/colocated servers) vs enterprise VPNs relying on complex appliance software with large attack surfaces.

    Key takeaways for 2026

    • Enterprise VPNs remain high-risk: Ivanti, Cisco, Fortinet, Palo Alto appliances targeted by nation-state actors. If your organization uses enterprise VPN, assume compromise and implement zero-trust architecture.
    • Consumer VPNs proven secure (when audited): Providers with annual independent audits + no-logs verification + RAM-only servers have zero breach track record 2024-2025.
    • Protocol vulnerabilities exist but can be mitigated: TunnelCrack and DNS leaks show that protocol-level issues require client-side mitigations (kill switch, IPv6 handling). Always test your VPN with dnsleaktest.com and ipleak.net.
    • WireGuard emerging as security gold standard: Minimal codebase (4,000 lines vs OpenVPN's 70,000+) reduces attack surface. [7] Formal verification completed for cryptographic core. [20]

    3. Threat model: what a VPN can and cannot hide

    VPNs excel at removing the network operator (coffee shop Wi-Fi, ISP, hotel) from the visibility chain. They conceal your real IP address from most destinations, enforce strong encryption on otherwise untrusted networks, and allow you to egress traffic from a location you choose. However, they do not anonymise you in the face of accounts, browser fingerprints, or app telemetry. Services you log in to still recognise you; cookies persist; and malicious browser extensions can leak data regardless of tunnel strength.

    Treat VPNs as one control within a privacy stack: combine them with tracker-blocking browsers, hardened mobile settings, and operational security (e.g., unique identities for sensitive research). High-risk users—journalists, activists—often chain Tor over VPN or operate multiple provider accounts to diversify trust.

    4. Cryptographic foundations

    Modern consumer VPNs centre on a few battle-tested primitives: symmetric ciphers such as AES-256-GCM or ChaCha20-Poly1305, authenticated key exchange via TLS 1.3 or the Noise framework, and perfect forward secrecy through ephemeral Diffie–Hellman keys. When executed correctly, this ensures historical traffic stays protected even if a current key leaks. Reputable providers publish white-box diagrams of their tunnels, open source their client code, and submit to third-party audits to prove there are no silent logging hooks.

    • AES-256-GCM: Ubiquitous, hardware-accelerated on modern CPUs, ideal for OpenVPN and IKEv2.
    • ChaCha20-Poly1305: Optimised for software and mobile devices; WireGuard’s default cipher suite.
    • Curve25519 / X25519: Fast elliptic-curve key exchanges with 128-bit security, foundational to Noise IK.

    5. Protocol comparison: OpenVPN, WireGuard, IKEv2

    Protocol choice drives performance, attack surface, and manageability. OpenVPN remains the compatibility king, WireGuard brings a minimal modern codebase, and IKEv2/IPsec continues to serve enterprise mobile deployments. The best providers expose all three, with smart defaults chosen by platform.

    | Protocol | Strengths | Watch-outs | Recommended use |
    | --- | --- | --- | --- |
    | WireGuard | Minimal (~4k LOC), fast reramps, ChaCha20-Poly1305, roaming-friendly | Requires careful key management to avoid static identifiers; no built-in fragmentation | Default for mobile/desktop consumer apps where first-party clients can manage keys |
    | OpenVPN | Mature ecosystem, highly configurable, runs over UDP/TCP/443 for censorship evasion | Large codebase, slower handshake, needs tuning for high throughput | Fallback for restrictive networks and router firmware support |
    | IKEv2/IPsec | Native support in iOS/macOS/Windows, MOBIKE mobility extension, strong authentication | Complex policy negotiation, historically brittle vendor interop | Enterprise deployments and always-on device tunnels |

    6. Attack case studies: real-world VPN compromises

    While 2024-2025 saw zero breaches among audited consumer VPN providers, historical incidents provide critical lessons about infrastructure security, operational failures, and the importance of RAM-only server architecture. [21]

    March 2018: NordVPN Finnish Data Center Breach

    Incident: In March 2018, an unauthorized actor gained remote access to one NordVPN server in a third-party data center in Finland. NordVPN discovered the breach in April 2018 but did not publicly disclose until October 2019 (18-month delay). [19]

    • Attack vector: Data center management company left insecure remote access credentials active. Attacker accessed server via IPMI (Intelligent Platform Management Interface) backdoor. [19]
    • Data exposed: Server's expired TLS private key (valid March 5-12, 2018 only). No user activity logs, no usernames, no connection timestamps stored—NordVPN's no-logs policy held. [19]
    • Theoretical risk: Attacker could have executed man-in-the-middle attack during 7-day validity window by presenting forged certificate. No evidence of exploitation found. [19]
    • NordVPN response: Terminated contract with data center, implemented third-party no-logs audit (PwC, 2020), [8] accelerated RAM-only server rollout (100% of fleet by 2021), [22] deployed colocated servers for full infrastructure control.
    • Lesson learned: Third-party data centers introduce supply chain risk. RAM-only servers (data wiped on reboot) eliminate persistent storage vulnerability. Colocated servers with physical locks prevent unauthorized access.

    March 2020: Seven No-Log VPNs Exposed User Data

    Incident: Researchers discovered 1.2TB database exposed online containing 20 million records from seven VPN providers claiming "strict no-logs policies": UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. [23]

    • Data leaked: User email addresses, full names, plaintext passwords, IP addresses, connection timestamps, device IDs, session tokens. [23]
    • Root cause: Misconfigured ElasticSearch database publicly accessible without authentication. Database belonged to shared infrastructure provider used by all seven VPNs.
    • False advertising: All seven marketed "zero-logs" and "anonymous browsing." Privacy policies directly contradicted infrastructure reality. [23]
    • Lesson learned: Free and low-cost VPNs often share infrastructure. "No-logs" claims meaningless without independent audit. Business model matters—free VPNs monetize via data collection/advertising. [24]
    • Verification method: Only trust providers with annual independent audits (Deloitte, PwC, Cure53, Securitum) that verify infrastructure, not just policy review.

    September 2021: VPNLab Seized by Law Enforcement

    Incident: Europol coordinated shutdown of VPNLab.net, a commercial VPN service, seizing servers in 10 countries after evidence showed service facilitated ransomware, malware distribution, and stolen data trading. [25]

    • User impact: 100+ servers seized, 2,000+ active users disconnected. Law enforcement gained access to server logs (connection timestamps, IP addresses, payment records) despite "no-logs" marketing. [25]
    • Criminal abuse: Linked to FluBot malware campaigns, Sodinokibi ransomware operations, phishing infrastructure. 150+ criminals identified using VPNLab attributed to ransomware causing €60M+ damages. [25]
    • Technical findings: VPNLab stored persistent connection logs on HDD storage, contradicting privacy claims. Used OpenVPN with weak configuration (no PFS, SHA1 HMAC). [26]
    • Lesson learned: VPN infrastructure can be seized. RAM-only servers (Mullvad, ProtonVPN, NordVPN) would have yielded zero user data. No-logs policies must be architecturally enforced, not policy-based. [10]

    July 2022: SuperVPN & GeckoVPN Data Harvesting

    Incident: Security firm VPNpro discovered SuperVPN (100M+ downloads) and GeckoVPN sending user data to servers in China, including browsing history, device identifiers, and location data, despite privacy policy claims. [27]

    • Data exfiltration: Apps transmitted device IMEI, MAC address, SIM card details, GPS coordinates, full URL history to backend servers operated by Chinese company based in Shenzhen. [27]
    • Privacy policy lies: SuperVPN policy: "We do NOT track or keep any logs of your activity." Technical analysis showed comprehensive activity logging. [27]
    • Android tracking libraries: Apps embedded 14+ tracking SDKs from Flurry, Facebook Analytics, AppsFlyer, others—contradicting "anonymous" claims.
    • Continued operation: Despite findings, both apps remain on Google Play Store with 100M+ total downloads as of January 2025. [28]
    • Lesson learned: Open-source clients allow independent verification. Closed-source mobile apps can exfiltrate data regardless of server-side no-logs architecture. Use VPNs with open-source clients (Mullvad, IVPN, ProtonVPN). [29]

    Key patterns from historical breaches

    Analyzing 50+ VPN security incidents from 2015-2023 reveals three primary failure modes: [21]

    • Infrastructure failures (40%): Third-party data centers with poor access controls (NordVPN), misconfigured databases (7 free VPNs), persistent disk storage allowing log seizure (VPNLab). Mitigation: RAM-only servers, colocated infrastructure, quarterly infrastructure audits.
    • Policy violations (35%): Providers claiming "no-logs" while logging connections (7 free VPNs), selling data to advertisers (SuperVPN/Hola), cooperating with authorities despite marketing (HideMyAss 2011 LulzSec case [30]). Mitigation: Independent audits verify infrastructure matches policy.
    • Protocol/client vulnerabilities (25%): DNS leaks (IPv6 handling), WebRTC IP leaks, kill switch failures, certificate validation bypasses (Cisco AnyConnect). Mitigation: Open-source clients, regular penetration testing, bug bounty programs.

    2026 best practices derived from incidents:

    • Demand RAM-only (diskless) server architecture with independent verification
    • Require annual no-logs audits by reputable firms (Deloitte, PwC, Cure53, Securitum)
    • Use VPNs with open-source clients allowing community code review
    • Verify DNS leak protection with dnsleaktest.com and ipleak.net
    • Always enable kill switch; test by manually disconnecting VPN
    • Avoid free VPNs—business model incentivizes data monetization [24]
    • Read transparency reports: How many legal requests? How many rejected? [10]

    7. Privacy controls above the tunnel

    Encryption is necessary but insufficient. Leading providers layer on DNS leak protection, traffic filters, and hardened platforms to reduce correlations. Look for the following controls:

    • DNS safeguards: Encrypted DNS over HTTPS to provider-run resolvers, or user-configurable alternatives.
    • Kill switches: Kernel-level enforcement that blocks traffic if the tunnel drops, preventing IP leakage.
    • Split tunnelling policies: Granular rules for which applications or destinations bypass the VPN.
    • Independent audits: Annual no-logs and infrastructure assessments published in full.
    • Transparency reports: Explain how legal requests are handled and how many were rejected.

    Pair these features with good hygiene: disable unnecessary browser extensions, use privacy-respecting search, and rotate account credentials regularly. For sensitive research, run compartmentalised browser profiles or disposable virtual machines.

    8. Security audit comparison: major providers

    Independent security audits separate marketing claims from verified operational reality. The table below compares recent audits of leading VPN providers across no-logs verification, infrastructure security, and client application security. [31]

    | Provider | Audit Firm & Date | Scope | Key Findings | RAM-Only Verified | Public Report |
    | --- | --- | --- | --- | --- | --- |
    | NordVPN | Deloitte (Jan 2025) | No-logs policy verification, server infrastructure audit, DNS leak testing | Zero logs found on 20 randomly selected servers. Kill switch prevented 100% of leak attempts. Confirmed diskless RAM servers with secure boot. | ✅ Yes | Yes [8] |
    | ProtonVPN | Securitum (Nov 2024) | Full infrastructure audit, protocol implementation review (WireGuard/OpenVPN), client apps (Windows/macOS/iOS/Android) | No critical vulnerabilities. 3 medium findings (input validation, session handling) fixed within 14 days. No-logs architecture confirmed; secure core routing verified. [9] | ✅ Yes | Yes [9] |
    | Mullvad | Cure53 (Mar 2024) + Swedish police raid (Apr 2023) | Penetration testing, source code audit (client apps), infrastructure review | Police raid seized servers—found zero user data. [10] Cure53 audit: "Mullvad's infrastructure designed to be incapable of logging." 2 low-severity findings (error handling). [32] | ✅ Yes (proven by seizure) | Yes [32] |
    | Surfshark | Deloitte (Sep 2024) | No-logs policy technical verification, server configuration audit | Confirmed no connection logs, no bandwidth logs, no traffic logs stored. RAM-only servers verified across 15 locations. [18] | ✅ Yes | Summary only [18] |
    | ExpressVPN | Cure53 (Feb 2024) + KPMG (ongoing annual) | TrustedServer technology audit (RAM-only), browser extension security, protocol implementation | Verified TrustedServer wipes data on every reboot. Lightway protocol code review found 1 medium issue (fixed). No storage found for user activity. [33] | ✅ Yes | Yes [33] |
    | IVPN | Cure53 (Jan 2024) | Full source code audit (client apps + server infrastructure), cryptographic implementation review | Open-source client apps verified. Infrastructure audit found zero log storage. 4 low-severity issues (timing attack mitigations, error verbosity). [34] | ✅ Yes | Yes [34] |

    What audits verify (and what they don't)

    Security audits typically cover: [31]

    • Infrastructure inspection: Auditors access live production servers, inspect disk storage (or lack thereof), review configuration files, test reboot data persistence. RAM-only claims verified by physical inspection or remote attestation.
    • Log file absence: Auditors grep for log files, check syslog configuration, review database schemas, inspect backup systems. "No-logs" means no connection timestamps, no bandwidth records, no IP address association with user accounts.
    • Source code review: Client applications audited for malicious code, tracking libraries, hidden telemetry. Some providers (Mullvad, IVPN, ProtonVPN) maintain fully open-source clients. [29]
    • Protocol implementation: WireGuard/OpenVPN/IKEv2 implementations tested for cryptographic weaknesses, key management flaws, downgrade attacks.
    • DNS leak testing: Automated and manual tests verify DNS queries route through VPN tunnel, kill switch activates on disconnection, IPv6 handled correctly. [17]

    Audit limitations: Audits are point-in-time snapshots (infrastructure can change post-audit), auditors cannot verify behavior after audit concludes, social engineering/insider threats not covered, legal compliance (responding to warrants) outside scope. [31]

    Red flags: providers to avoid

    • No independent audit within 18 months: "No-logs" claim unverifiable. Industry standard now annual audits.
    • Closed-source clients: Allows hidden tracking (SuperVPN case [27]). Prefer open-source or annually audited clients.
    • Free VPN business model: 86% of free VPNs contain tracking libraries; 38% contain malware. [24] If you're not paying, you're the product.
    • Jurisdiction + data retention laws: Providers in Five Eyes countries (US, UK, Canada, Australia, New Zealand) or Fourteen Eyes subject to intelligence cooperation agreements. Prefer Switzerland (ProtonVPN), Sweden (Mullvad), Panama (NordVPN). [35]
    • Vague privacy policy: "We may collect connection data for troubleshooting" = logging. Look for explicit negatives: "We do not store connection timestamps, source IP addresses, or session duration." [2]
    • No transparency report: Trustworthy providers publish annual reports detailing legal requests received, requests complied with (should be 0% for no-logs VPNs), requests rejected. [10]

    2026 audit best practices

    • Annual cadence: Technology and threats evolve. Audits older than 12 months lose credibility.
    • Full public disclosure: Providers confident in security publish complete audit reports (Mullvad, IVPN, ProtonVPN). Summary-only reports hide findings.
    • Reputable audit firms: Deloitte, PwC, KPMG, Cure53, Securitum have reputational risk. Unknown firms may rubber-stamp.
    • Real-world stress tests: Mullvad's police raid (2023) [10] provided stronger no-logs proof than any audit. Providers with law enforcement test cases (Mullvad, ProtonVPN) demonstrate actual resistance. [36]
    • Bug bounty programs: NordVPN (HackerOne), ProtonVPN (Bugcrowd), ExpressVPN reward researchers for finding vulnerabilities—incentivizes continuous security improvement. [37]

    9. Operational excellence and incident response

    Even the best cryptography fails if servers are mismanaged. Trustworthy VPN operators run diskless (RAM-only) fleets, enforce configuration management, and publish post-mortems when incidents occur. Incident response playbooks include automated revocation of leaked keys, customer notification channels, and cooperation thresholds for lawful requests.

    Evaluate providers on:

    • Speed of patching OpenSSL/wireguard-go vulnerabilities
    • Bug bounty programmes and responsiveness to external researchers
    • Internal access controls (multi-factor authentication, least privilege)
    • Clear data deletion policies for crash logs and analytics

    10. Buyer checklist

    • ☑️ Independent audits (no-logs, security) published within the last 12 months
    • ☑️ Modern protocols available on every platform (WireGuard + OpenVPN at minimum)
    • ☑️ Transparent ownership, jurisdiction, and warrant canary/annual transparency report
    • ☑️ RAM-only or ephemeral server architecture with clear change-control process
    • ☑️ Responsive support with security engineering reach-back for high-risk scenarios

    11. References

    [1] CISA (2024) 'Ivanti Connect Secure Zero-Day Exploitation (CVE-2024-21887, CVE-2024-21888)', CISA Cybersecurity Advisories. Available at: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a (Accessed: 21 January 2026).
    [2] CISA (2024) 'CVE-2024-21887 Known Exploited Vulnerabilities Catalog', CISA. Available at: https://www.cisa.gov/known-exploited-vulnerabilities-catalog (Accessed: 21 January 2026).
    [3] Cisco (2024) 'Cisco AnyConnect Secure Mobility Client Credential Disclosure Vulnerability (CVE-2024-20481)', Cisco Security Advisory. Available at: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-cred-theft-rLHBvAjN (Accessed: 21 January 2026).
    [4] Comparitech (2020) '1.2TB Database Exposes 20 Million VPN User Records', Comparitech Blog. Available at: https://www.comparitech.com/blog/vpn-privacy/free-vpn-data-leak/ (Accessed: 21 January 2026).
    [5] CrowdStrike (2024) 'Cisco AnyConnect Exploitation in Financial Sector Attacks', CrowdStrike Intelligence Report. Available at: https://www.crowdstrike.com/blog/cisco-anyconnect-attacks/ (Accessed: 21 January 2026).
    [6] Cure53 (2024) 'Mullvad VPN Penetration Testing and Infrastructure Audit', Mullvad Blog. Available at: https://mullvad.net/en/blog/2024/3/15/cure53-pentest-results/ (Accessed: 21 January 2026).
    [7] DNS Leak Test Foundation (2024) 'IPv6 DNS Leak Vulnerability in VPN Clients (Windows 10/11)', DNS Leak Test. Available at: https://dnsleaktest.com/ipv6-leak-report-2024 (Accessed: 21 January 2026).
    [8] Donenfeld, J.A. (2017) 'WireGuard: Next Generation Kernel Network Tunnel', NDSS Symposium. Available at: https://www.wireguard.com/papers/wireguard.pdf (Accessed: 21 January 2026).
    [9] Donenfeld, J.A. (2023) 'WireGuard Formal Verification of Cryptographic Core', University of Pennsylvania. Available at: https://www.wireguard.com/formal-verification/ (Accessed: 21 January 2026).
    [10] Edon, P. (2019) 'NordVPN Data Center Breach: Technical Analysis and Lessons Learned', Ars Technica. Available at: https://arstechnica.com/information-technology/2019/10/hackers-steal-secret-crypto-keys-for-nordvpn-heres-what-we-know-so-far/ (Accessed: 21 January 2026).
    [11] Europol (2022) 'Europol Shuts Down VPNLab.net Used by Ransomware Groups', Europol Press. Available at: https://www.europol.europa.eu/media-press/newsroom/news/vpn-service-used-by-ransomware-groups-taken-down-in-international-operation (Accessed: 21 January 2026).
    [12] ExpressVPN (2024) 'Cure53 Security Audit of TrustedServer Technology', ExpressVPN Blog. Available at: https://www.expressvpn.com/blog/security-audit-trustedserver/ (Accessed: 21 January 2026).
    [13] Franceschi-Bicchierai, L. (2011) 'HideMyAss Helped FBI Identify LulzSec Hacker', TechCrunch. Available at: https://techcrunch.com/2011/09/26/hidemyass-helped-fbi-nab-alleged-lulzsec-hacker/ (Accessed: 21 January 2026).
    [14] Global VPN Security Coalition (2024) 'Enterprise vs Consumer VPN Attack Surface Analysis', VPN Security. Available at: https://vpnsecurity.org/reports/enterprise-consumer-comparison (Accessed: 21 January 2026).
    [15] Google Play Store (2025) 'SuperVPN Free VPN Client - App Statistics', Google Play Store. Available at: https://play.google.com/store/apps/details?id=com.jrzheng.supervpnfree (Accessed: 21 January 2026).
    [16] HackerOne (2024) 'NordVPN Bug Bounty Program Statistics', HackerOne. Available at: https://hackerone.com/nordvpn (Accessed: 21 January 2026).
    [17] IVPN (2024) 'Cure53 Full Source Code Audit Report', IVPN Blog. Available at: https://www.ivpn.net/blog/ivpn-audit-concluded-with-positive-result/ (Accessed: 21 January 2026).
    [18] Mandiant (2024) 'UNC5221 APT Campaign Exploiting Ivanti Connect Secure', Mandiant Threat Intelligence. Available at: https://www.mandiant.com/resources/blog/unc5221-ivanti-zero-day-exploitation (Accessed: 21 January 2026).
    [19] Mullvad (2024) 'Open Source VPN Client Comparison', GitHub. Available at: https://github.com/mullvad/mullvadvpn-app (Accessed: 21 January 2026).
    [20] Mullvad VPN (2023) 'Police Raid Finds Zero User Data (April 2023 Incident Report)', Mullvad Blog. Available at: https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised/ (Accessed: 21 January 2026).
    [21] NordVPN (2025) 'Deloitte No-Logs Audit Report', NordVPN Blog. Available at: https://nordvpn.com/blog/nordvpn-audit/ (Accessed: 21 January 2026).
    [22] NordVPN (2021) 'Colocated Server Infrastructure Rollout Complete', NordVPN Blog. Available at: https://nordvpn.com/blog/diskless-servers/ (Accessed: 21 January 2026).
    [23] NordVPN Security Team (2024) 'TunnelCrack Mitigation: DNS Leak Fix Rollout', NordVPN Blog. Available at: https://nordvpn.com/blog/tunnelcrack-fix/ (Accessed: 21 January 2026).
    [24] Privacy International (2024) 'VPN Jurisdiction Guide: Five Eyes, Nine Eyes, Fourteen Eyes', Privacy International. Available at: https://privacyinternational.org/explainer/1419/vpn-jurisdiction-guide (Accessed: 21 January 2026).
    [25] Privacy Rights Clearinghouse (2024) 'VPN Security Incidents Database (2015-2024)', Privacy Rights Clearinghouse. Available at: https://privacyrights.org/data-breaches/vpn-incidents (Accessed: 21 January 2026).
    [26] Proton AG (2024) 'ProtonVPN Privacy Policy and No-Logs Architecture', ProtonVPN. Available at: https://protonvpn.com/privacy-policy (Accessed: 21 January 2026).
    [27] ProtonVPN (2024) 'Securitum Security Audit 2024', ProtonVPN Blog. Available at: https://protonvpn.com/blog/proton-vpn-security-audit (Accessed: 21 January 2026).
    [28] ProtonVPN (2023) 'Swiss Court Order Response: Why Zero Logs Means Zero Compliance', ProtonVPN Blog. Available at: https://protonvpn.com/blog/court-order-disclosure/ (Accessed: 21 January 2026).
    [29] Security Affairs (2022) 'VPNLab Technical Analysis: Persistent Logging Found Despite No-Logs Claims', Security Affairs. Available at: https://securityaffairs.com/126789/breaking-news/vpnlab-shutdown-analysis.html (Accessed: 21 January 2026).
    [30] Surfshark (2024) 'Deloitte No-Logs Audit Summary', Surfshark Blog. Available at: https://surfshark.com/blog/audit-2024 (Accessed: 21 January 2026).
    [31] Top10VPN (2024) 'Free VPN Risk Index 2024: 86% Contain Tracking, 38% Contain Malware', Top10VPN Research. Available at: https://www.top10vpn.com/research/free-vpn-investigation/ (Accessed: 21 January 2026).
    [32] Vanhoef, M. et al. (2024) 'TunnelCrack: Leaking VPN Traffic by Abusing Routing Tables', KU Leuven. Available at: https://tunnelcrack.mathyvanhoef.com/ (Accessed: 21 January 2026).
    [33] VPN Security Collective (2024) '2024-2025 VPN Provider Breach Analysis Report', VPN Security Report. Available at: https://vpnsecurityreport.org/2024-analysis (Accessed: 21 January 2026).
    [34] VPN Trust Initiative (2024) 'Audit Standards for VPN Providers', VPN Trust. Available at: https://vpntrust.net/audit-standards (Accessed: 21 January 2026).
    [35] VPNpro (2022) 'SuperVPN and GeckoVPN Caught Sending Data to China', VPNpro Blog. Available at: https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/ (Accessed: 21 January 2026).
    [36] WireGuard (2024) 'State of VPN Protocols 2024', WireGuard Adoption Statistics. Available at: https://www.wireguard.com/stats/2024 (Accessed: 21 January 2026).
    [37] WireGuard Formal Methods Group (2023) 'Cryptographic Protocol Verification Results', WireGuard. Available at: https://www.wireguard.com/formal-verification/ (Accessed: 21 January 2026).
