← Back to Blog

    What Is a VPN? A Complete Guide for 2026

    Understanding how virtual private networks actually work, what they can and cannot protect you from, and how to choose the right solution for your needs.

    SecurityPublished · 18 min read· By Security Education

    Evidence-based review per our 28-criteria methodology · affiliate disclosure

    1. Executive summary

    A Virtual Private Network (VPN) creates an encrypted tunnel between your device and a remote server, routing your internet traffic through this secure connection. When properly implemented, VPNs provide meaningful protection against specific threats: network-level surveillance, IP address tracking, and unencrypted data interception on untrusted networks (National Cyber Security Centre, 2024).

    However, VPNs are frequently misunderstood. They do not provide anonymity, cannot prevent browser fingerprinting, and require trusting your VPN provider with data you're hiding from others. Research has documented significant security failures in many commercial VPN products (Khan, M.T. et al., 2018), making informed provider selection essential.

    This guide explains how VPNs actually work at a technical level, what protection they realistically offer, and how to evaluate whether a VPN is appropriate for your specific threat model.

    2. How VPNs work: the technical foundation

    Understanding VPN technology requires examining what happens at each stage of the connection process. When you connect to a VPN, several technical operations occur in sequence.

    Connection establishment

    The VPN connection begins with authentication and key exchange:

    1. Client authentication: Your device proves its identity to the VPN server, typically using username/password, certificates, or cryptographic keys.
    2. Key exchange: Both parties negotiate encryption keys using protocols like Diffie-Hellman key exchange, ensuring that even if the exchange is intercepted, the keys cannot be derived (Nir, Y. et al., 2018).
    3. Tunnel creation: An encrypted tunnel is established, with all subsequent traffic encapsulated within this secure channel.

    Traffic encapsulation

    Once the tunnel is established, your internet traffic is processed as follows:

    • Encryption: Your original IP packets are encrypted using the negotiated keys.
    • Encapsulation: The encrypted data is wrapped in new packets addressed to the VPN server.
    • Transmission: These outer packets travel across the internet to the VPN server.
    • Decapsulation: The VPN server removes the outer layer and decrypts your original traffic.
    • Forwarding: Your traffic is sent to its intended destination, appearing to originate from the VPN server's IP address.

    What your ISP sees

    With a VPN active, your Internet Service Provider observes encrypted traffic between your device and the VPN server. They can see that you're using a VPN and the volume of data transferred, but cannot inspect the contents or determine which websites you're visiting (Electronic Frontier Foundation, 2024).

    3. VPN protocols compared

    VPN protocols define how the encrypted tunnel is created and maintained. Each has different characteristics affecting security, performance, and compatibility.

    WireGuard

    WireGuard is a modern protocol designed with simplicity and performance as primary goals(Donenfeld, J.A., 2017). Key characteristics include:

    • Codebase: Approximately 4,000 lines of code, compared to hundreds of thousands for OpenVPN.
    • Cryptography: Uses ChaCha20 for symmetric encryption, Curve25519 for key exchange, and BLAKE2s for hashing.
    • Performance: Significantly faster than OpenVPN in most benchmarks, with lower latency.
    • Limitations: Less mature than OpenVPN; some privacy concerns around static IP assignment (addressed by implementations like Mullvad's).

    OpenVPN

    OpenVPN is a well-established open-source protocol with extensive audit history (OpenVPN Inc., 2024):

    • Flexibility: Supports various encryption algorithms and authentication methods.
    • Maturity: Over 20 years of development and security auditing.
    • Compatibility: Works on virtually all platforms and can operate over TCP or UDP.
    • Limitations: More complex configuration; generally slower than WireGuard.

    IKEv2/IPsec

    Internet Key Exchange version 2, combined with IPsec, is standardised in RFC 7296 (Kaufman, C. et al., 2014):

    • Mobile support: Excellent at maintaining connections during network changes (MOBIKE extension).
    • Native support: Built into Windows, macOS, and iOS without additional software.
    • Security: Strong when properly configured, but implementation quality varies.
    • Limitations: More complex protocol stack; some implementations have had vulnerabilities.

    Deprecated protocols

    Several older protocols should be avoided:

    • PPTP: Known cryptographic weaknesses; considered broken since the late 1990s.
    • L2TP without IPsec: Provides no encryption on its own.
    • SSTP: Proprietary Microsoft protocol; limited audit and scrutiny.

    4. Encryption and security standards

    VPN security ultimately depends on the underlying cryptographic primitives. Understanding these standards helps evaluate provider claims.

    Symmetric encryption

    Symmetric encryption protects the actual data in transit. Current standards include(McKay, K. & Cooper, D., 2019):

    • AES-256-GCM: The most widely deployed standard; approved for classified US government information.
    • ChaCha20-Poly1305: Faster on devices without hardware AES acceleration; used by WireGuard.
    • AES-128: Still secure but offers less margin against future cryptanalytic advances.

    Key exchange

    Key exchange protocols establish shared secrets without transmitting them directly:

    • ECDH (Elliptic Curve Diffie-Hellman): Standard for modern VPNs; Curve25519 is common.
    • RSA key exchange: Being phased out in favour of ECDH for forward secrecy.
    • Post-quantum considerations: Current VPN encryption will be vulnerable to future quantum computers; hybrid approaches are emerging.

    Perfect forward secrecy

    Perfect forward secrecy (PFS) ensures that compromise of long-term keys doesn't expose past session data. Modern VPN protocols achieve PFS by generating ephemeral keys for each session(Rescorla, E., 2018). This means that even if a VPN provider's master keys are later compromised, previously recorded encrypted traffic cannot be decrypted.

    5. What VPNs actually protect

    VPNs provide meaningful protection against specific, well-defined threats. Understanding these helps set realistic expectations.

    Network-level surveillance

    VPNs effectively protect against observers on your local network or between you and the VPN server(European Union Agency for Cybersecurity, 2023):

    • Public Wi-Fi attackers: Cannot intercept or modify your traffic on coffee shop, hotel, or airport networks.
    • ISP logging: Your ISP sees only encrypted traffic to the VPN server, not your actual destinations.
    • Local network administrators: Workplace or school networks cannot monitor your VPN-protected traffic.

    IP address protection

    Your real IP address is hidden from destination websites and services:

    • Geographic masking: Websites see the VPN server's location, not yours.
    • IP-based blocking: Circumvents restrictions based on your home IP address.
    • Reduced tracking: Makes IP-based tracking across sites more difficult (but not impossible).

    Geographic access

    VPNs enable access to region-restricted content by appearing to be in a different location:

    • Streaming services: Access content libraries from different countries (though services actively block VPNs).
    • News and information: Bypass censorship in restrictive countries.
    • Price comparison: Access different regional pricing for services and products.

    6. What VPNs cannot protect

    VPN marketing often overstates capabilities. Understanding limitations is essential for proper security planning.

    Browser fingerprinting

    VPNs do not prevent browser fingerprinting—techniques that identify users through browser characteristics rather than IP addresses (Laperdrix, P. et al., 2020). Fingerprinting methods include:

    • Canvas fingerprinting: Unique rendering differences in how browsers draw graphics.
    • WebGL fingerprinting: Hardware-specific rendering patterns.
    • Audio context fingerprinting: Variations in audio processing.
    • Font enumeration: Installed fonts reveal system configuration.

    Research shows that browser fingerprints can identify users across sessions and even across different browsers on the same device (Cao, Y. et al., 2017).

    Account-based tracking

    When you log into services like Google, Facebook, or Amazon, your activity is tracked regardless of VPN use. These services know who you are because you've authenticated, making IP address irrelevant for identification purposes.

    Endpoint security

    VPNs encrypt traffic in transit but cannot protect against:

    • Malware on your device: Keyloggers and spyware see data before encryption.
    • Compromised websites: Phishing and malicious downloads work identically with or without a VPN.
    • Social engineering: VPNs don't protect against manipulation tactics.

    VPN provider visibility

    Critical point: your VPN provider can see everything your ISP would otherwise see. You're not eliminating surveillance; you're choosing who conducts it. This makes provider trust and jurisdiction essential considerations (Khan, M.T. et al., 2018).

    7. Choosing a VPN: trust models and considerations

    Selecting a VPN requires evaluating trust, technical capability, and operational practices.

    Trust considerations

    The fundamental question: who do you trust more—your ISP or a VPN provider? Consider(Electronic Frontier Foundation, 2024):

    • Jurisdiction: Where is the provider incorporated? What laws apply to data requests?
    • Business model: How does the provider make money? Free VPNs often monetise user data (Ikram, M. et al., 2016).
    • Ownership: Who owns the company? Has ownership changed recently?
    • Track record: How has the provider responded to legal demands or security incidents?

    Technical indicators

    Evaluate technical practices beyond marketing claims:

    • Independent audits: Has the provider's infrastructure and no-logs claims been verified by reputable auditors?
    • Open-source clients: Can the VPN software be independently reviewed?
    • RAM-only servers: Do servers avoid persistent storage that could be seized?
    • Warrant canary: Does the provider maintain and update a warrant canary?

    Known vulnerabilities

    Research has documented widespread problems in commercial VPN products (Perta, V.C. et al., 2015):

    • IPv6 leaks: Many VPNs only tunnel IPv4 traffic, exposing IPv6 requests.
    • DNS leaks: DNS queries may bypass the VPN tunnel, revealing visited domains.
    • WebRTC leaks: Browser WebRTC can expose real IP addresses even with VPN active.
    • Traffic correlation: Sophisticated adversaries may correlate traffic entering and leaving VPN servers.

    Systematic analysis of VPN applications found that many popular products had significant security flaws (Ramesh, R. et al., 2022), including traffic leaks, weak encryption, and deceptive practices.

    Self-hosting option

    For users who trust themselves more than any provider, self-hosted VPNs offer complete control:

    • Advantages: No third-party trust required; complete control over logging and configuration.
    • Disadvantages: Single server location; your hosting provider sees traffic; requires technical expertise.
    • Tools: WireGuard, OpenVPN, or Algo VPN for automated deployment.

    8. Advanced features and configurations

    Understanding advanced VPN features helps optimise protection for specific use cases.

    Kill switch

    A kill switch blocks all internet traffic if the VPN connection drops, preventing accidental exposure:

    • Application-level: Only blocks traffic from specific applications.
    • System-level: Blocks all traffic; more secure but can cause connectivity issues.
    • Always-on VPN: Operating system feature (available on Android, iOS, Windows) that enforces VPN use.

    Split tunnelling

    Split tunnelling routes only specific traffic through the VPN:

    • Use case: Access local network resources while VPN is active; reduce latency for non-sensitive traffic.
    • Risk: Traffic outside the tunnel is unprotected and may leak information about VPN-protected activity.
    • Recommendation: Avoid split tunnelling for security-critical applications.

    Multi-hop connections

    Some providers offer routing through multiple VPN servers:

    • Benefit: Additional protection against compromised single servers; harder traffic correlation.
    • Cost: Increased latency; reduced speeds; more points of potential failure.
    • Reality check: For most threat models, single-hop VPNs are sufficient.

    Leak protection testing

    Regularly verify your VPN configuration doesn't leak identifying information:

    • IP leak test: Verify websites see only the VPN server's IP address.
    • DNS leak test: Confirm DNS queries route through the VPN.
    • WebRTC leak test: Check that WebRTC doesn't expose your real IP.
    • IPv6 leak test: Ensure IPv6 traffic is either tunnelled or blocked.

    References

    1. [1]Cao, Y. et al. (2017) 'Cross-Browser Fingerprinting via OS and Hardware Level Features', Network and Distributed System Security Symposium. Available at: https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/cross-browser-fingerprinting-os-and-hardware-level-features/ (Accessed: 21 January 2026).
    2. [2]Donenfeld, J.A. (2017) 'WireGuard: Next Generation Kernel Network Tunnel', Network and Distributed System Security Symposium. Available at: https://www.wireguard.com/papers/wireguard.pdf (Accessed: 21 January 2026).
    3. [3]Electronic Frontier Foundation (2024) 'Surveillance Self-Defense: Choosing a VPN', Electronic Frontier Foundation. Available at: https://ssd.eff.org/module/choosing-vpn-thats-right-you (Accessed: 21 January 2026).
    4. [4]European Union Agency for Cybersecurity (2023) 'Remote Working Security Guidelines', ENISA. Available at: https://www.enisa.europa.eu/publications/remote-working-security (Accessed: 21 January 2026).
    5. [5]Frankel, S. et al. (2005) 'RFC 4301: Security Architecture for the Internet Protocol', Internet Engineering Task Force. Available at: https://datatracker.ietf.org/doc/html/rfc4301 (Accessed: 21 January 2026).
    6. [6]Ikram, M. et al. (2016) 'An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps', ACM Internet Measurement Conference. Available at: https://dl.acm.org/doi/10.1145/2987443.2987471 (Accessed: 21 January 2026).
    7. [7]Information Commissioner's Office (2024) 'Guide to the UK GDPR', ICO. Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ (Accessed: 21 January 2026).
    8. [8]Kaufman, C. et al. (2014) 'RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2)', Internet Engineering Task Force. Available at: https://datatracker.ietf.org/doc/html/rfc7296 (Accessed: 21 January 2026).
    9. [9]Khan, M.T. et al. (2018) 'An Empirical Analysis of the Commercial VPN Ecosystem', ACM Internet Measurement Conference. Available at: https://dl.acm.org/doi/10.1145/3278532.3278570 (Accessed: 21 January 2026).
    10. [10]Laperdrix, P. et al. (2020) 'Browser Fingerprinting: A Survey', ACM Transactions on the Web. Available at: https://dl.acm.org/doi/10.1145/3386040 (Accessed: 21 January 2026).
    11. [11]McKay, K. & Cooper, D. (2019) 'NIST SP 800-175B: Guideline for Using Cryptographic Standards in the Federal Government', National Institute of Standards and Technology. Available at: https://csrc.nist.gov/publications/detail/sp/800-175b/rev-1/final (Accessed: 21 January 2026).
    12. [12]National Cyber Security Centre (2024) 'Using a VPN', NCSC. Available at: https://www.ncsc.gov.uk/guidance/using-a-vpn (Accessed: 21 January 2026).
    13. [13]Nir, Y. et al. (2018) 'RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3', Internet Engineering Task Force. Available at: https://datatracker.ietf.org/doc/html/rfc8446 (Accessed: 21 January 2026).
    14. [14]OpenVPN Inc. (2024) 'OpenVPN Protocol', OpenVPN Documentation. Available at: https://openvpn.net/community-resources/openvpn-protocol/ (Accessed: 21 January 2026).
    15. [15]Perta, V.C. et al. (2015) 'A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients', Proceedings on Privacy Enhancing Technologies. Available at: https://petsymposium.org/2015/papers/perta-vpn-pets2015.pdf (Accessed: 21 January 2026).
    16. [16]Ramesh, R. et al. (2022) 'VPNalyzer: Systematic Investigation of the VPN Ecosystem', Network and Distributed System Security Symposium. Available at: https://www.ndss-symposium.org/ndss-paper/vpnalyzer/ (Accessed: 21 January 2026).
    17. [17]Rescorla, E. (2018) 'The Transport Layer Security (TLS) Protocol Version 1.3', Internet Engineering Task Force RFC 8446. Available at: https://datatracker.ietf.org/doc/html/rfc8446 (Accessed: 21 January 2026).

    NordVPN

    Top-rated VPN with excellent features

    Get Deal

    Cookie Preferences

    We use essential storage and anonymous aggregate site metrics. Optional event analytics only run if you opt in.

    Learn more
    Questions or concerns?

    Contact us via X, Substack, or see our Cookie Policy for full details.