How VPNs Actually Work (Not the Marketing Version)
VPN ads promise you invisibility, military-grade security, and complete freedom online. The reality is more specific, more limited, and actually more interesting than the marketing copy suggests.
The Tunnel: What Actually Happens
When you connect to a VPN, your device establishes an encrypted tunnel to a VPN server. All your traffic goes through that tunnel — your ISP sees encrypted packets going to one IP address (the VPN server) and can't read the contents. The websites you visit see the VPN server's IP address, not yours. That's the core mechanism. Everything else is details.
The tunnelling protocol matters. OpenVPN is battle-tested and widely supported. WireGuard is newer, faster, and leaner — its entire codebase is about 4,000 lines versus OpenVPN's hundreds of thousands, which means a smaller attack surface and significantly faster connection times. IKEv2 is good for mobile because it handles network changes (switching from Wi-Fi to cellular) without dropping the connection.
What the VPN Server Actually Sees
Here's what most VPN marketing glosses over: you haven't removed trust from the equation, you've moved it. Your ISP can no longer see your traffic. But your VPN provider can. They sit exactly where your ISP used to sit, with full visibility into every connection you make. A VPN that keeps logs can be subpoenaed. A VPN that sells data is worse than no VPN.
This matters more than the encryption details. Choosing a VPN is choosing whom to trust with your traffic. No-logs policies, independent audits, and jurisdiction (where the company is legally incorporated and subject to data requests) are the real differentiators.
What a VPN Doesn't Protect You From
A VPN doesn't stop cookies from tracking you across sites. It doesn't prevent browser fingerprinting. It doesn't protect you from malware you install yourself. It doesn't make you anonymous — it shifts which party knows your traffic, not whether anyone does. If you log into Google while on a VPN, Google knows it's you. The VPN just means your ISP doesn't know you're on Google.
DNS leaks are a specific failure mode where your DNS queries bypass the VPN tunnel and go directly to your ISP's resolver — meaning your ISP can still see every domain you look up even while your other traffic is encrypted. Any VPN worth using has DNS leak protection built in. Test it anyway.
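One way to run that check locally on Linux is to ask which interface each configured resolver would be reached through. This is an added example, not code from the original page. It assumes iproute2's `ip route get`, resolvers listed in a resolv.conf-style file, and tunnel interfaces named tun0 or wg0; the sample resolver list and route output are constructed.

```python
import ipaddress
import re
import subprocess

def nameservers(resolv_conf_text):
    """Resolver addresses from resolv.conf-style text (comment lines skipped)."""
    found = []
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found

def egress_interface(route_output):
    """Interface named after 'dev' in `ip route get` output, or None."""
    match = re.search(r"\bdev\s+(\S+)", route_output or "")
    return match.group(1) if match else None

def classify(resolver, route_output, tunnel_ifaces):
    # A loopback resolver is a local stub (e.g. systemd-resolved); its route
    # says nothing about where queries go, so check its upstream servers.
    if ipaddress.ip_address(resolver.split("%")[0]).is_loopback:
        return "stub"
    dev = egress_interface(route_output)
    if dev is None:
        return "unknown"
    return "tunnel" if dev in tunnel_ifaces else "leak"

def audit(resolv_conf_text, route_lookup, tunnel_ifaces):
    """Map each configured resolver to stub / tunnel / leak / unknown."""
    return {ns: classify(ns, route_lookup(ns), tunnel_ifaces)
            for ns in nameservers(resolv_conf_text)}

def live_route_lookup(ip):
    """Ask the kernel which route it would use to reach ip (Linux, iproute2)."""
    return subprocess.run(["ip", "route", "get", ip], capture_output=True, text=True).stdout

# Constructed sample data (not captured from a real host).
SAMPLE_RESOLV = "nameserver 127.0.0.53\nnameserver 10.8.0.1\nnameserver 192.168.1.1\n"
SAMPLE_ROUTES = {
    "10.8.0.1": "10.8.0.1 dev tun0 src 10.8.0.2 uid 1000\n    cache\n",
    "192.168.1.1": "192.168.1.1 dev wlan0 src 192.168.1.23 uid 1000\n    cache\n",
}

def sample_audit():
    return audit(SAMPLE_RESOLV, lambda ip: SAMPLE_ROUTES.get(ip, ""), {"tun0", "wg0"})

if __name__ == "__main__":
    print(sample_audit())
```

On a real host, pass the contents of /etc/resolv.conf and `live_route_lookup` to `audit` while the VPN is connected. The check covers only the system resolver configuration; an application that does its own DNS (for example a browser using DNS over HTTPS) is outside what it sees.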
Speed: The Honest Version
VPNs are slower than direct connections. Encryption has a CPU cost. Adding a hop to every request adds latency. A good VPN on a fast connection might cost you 10-20% of your bandwidth and add 5-30ms of latency. A bad VPN on a congested server can cut your speed by 80%. The distance to the VPN server matters — connecting to a server on the other side of the world will feel noticeably slower.