What is a VPN?
Defining the acronym:
VPN = Virtual Private Network
The easiest way to explain what a VPN is - without getting overly technical - is to explain how one works.
A VPN creates an encrypted connection between your device and the VPN server. This is frequently and commonly referred to as the "tunnel."
Assuming the encryption protocol of the tunnel is up to par, there are very few methods that can directly break into it.
Essentially, barring any leaks, the information that passes through this tunnel between your device and the VPN provider is secure and "private" from just about any third party you can think of - including your Internet Service Provider (ISP).
How a VPN can benefit your privacy
- Hides your internet traffic from the likes of your ISP, governments, and other 3rd parties
The encrypted tunnel that a VPN creates effectively hides your internet traffic from third parties, including your ISP. For example, your ISP would only see that you're (1) online and (2) connected to a VPN service.
Assuming other factors are either kept in check or not present, this means that your browsing history and connections are kept private between you and your VPN provider only. And ideally, your VPN provider would have a verified "no logs" policy so even they wouldn't necessarily "know" about your internet activities.
Please note that in order to get the maximum amount of privacy out of a VPN, you should take care to also set your network/devices to use an encrypted and privacy-friendly DNS provider.
Though some providers route DNS traffic through their own servers (which in itself may not be ideal), a VPN is not a drop-in replacement for securing DNS lookups. Even a VPN provider's DNS servers can leak from the tunnel, and if your device/network defaults to using insecure resolvers such as those of your ISP, then your DNS traffic is there for the taking by any entity willing to do low-effort snooping.
Learn more about the importance of DNS privacy
In addition to using secure and private DNS resolvers, you should also force HTTPS connections within your browser. Furthermore, and ideally, you would be using a properly configured privacy browser that should handle this for you. A VPN provider cannot encrypt the connection between its servers and a website's servers for you.
Learn more about HTTPS and browsers
Lastly, please be very cognizant that a VPN is not a silver bullet against many different entities.
Depending on your "adversary," they may be capable of employing advanced techniques both online and offline to expose your internet activities. A common example of this is that your adversary may take advantage of leaks coming from your VPN tunnel or probe and exploit other operational weaknesses surrounding your VPN.
- Hides your IP address from the sites you visit and during P2P activities
When both configured and working properly, a VPN masks your IP address from the sites you visit and Peer-to-Peer (P2P) sharing you may engage in, such as torrenting. Instead, the IP address that gets shared is that of your VPN provider's server.
While this doesn't provide anonymity, hiding your IP address can benefit your overall privacy since you're removing the availability of another piece of potentially identifying information about you and your device(s).
Your IP address is a great indicator of your general location - and combined with other supplemental bits of information, your location can be pinpointed with a high degree of accuracy. On the other hand, hiding your IP address accomplishes little if you don't utilize other privacy and security tactics as well.
To ensure that your IP address doesn't get accidentally revealed, you'll want to make sure your VPN provider resists IPv6 leaks and you'll want to address the potential for WebRTC leaking your actual IP address from within your own browser.
Additionally, you should be aware that your VPN provider will have your IP address(es) since you're connecting to their servers!
- Protects and encrypts data when on unfamiliar networks
This is a benefit primarily for those who may often find themselves using Wi-Fi networks outside of their home. For example, people who travel a lot with their personal or business/work devices may take advantage of free Wi-Fi at the airport and/or hotels.
A good and trustworthy VPN can virtually eliminate most common risks associated with using unfamiliar and/or public Wi-Fi networks.
Many Wi-Fi networks are poorly secured. This means that "danger" has a higher probability of being present - and there's not much you can do to control that, as you can with a network that you control.
Remember, especially for public Wi-Fi networks, any device within range can join - including that of a malicious actor. Therefore, the risks of getting caught in common network attacks - typically variations of the man-in-the-middle attack model - are far higher.
VPNs can provide some additional benefits not necessarily tied to privacy, but relevant enough to highlight here.
For one, VPNs are good tools for navigating around censorship. Many jurisdictions who engage in mass media censorship also go to lengths to make access to VPNs harder for the population - which is a testament to their effectiveness.
VPNs are also great tools for accessing geo-restricted content since you have the ability to choose a server that's not located in the blocked jurisdiction(s). Once you select a server in a locale where the geo-restriction is not present, you have access to that previously blocked content!
Who needs a VPN?
As with many things you'll run into within the privacy-conscious world and on your own journey, determining whether you need a VPN falls within a gray area. Though, you can say VPNs themselves are a special gray area.
The short answer is: it depends on your threat model.
In general, if you are looking to hide your traffic from the likes of your ISP/3rd party eavesdroppers or hide your IP address from websites/P2P activities, then a VPN may be a worthwhile tool for you. But, of course, this is assuming you've taken other steps in improving your privacy and protecting your data.
Remember, VPNs have a number of limitations and you should consider how these limitations factor into your unique situation and goal(s). VPNs are not a silver bullet. VPNs are not a drop-in replacement for good privacy and security practices. VPNs are not a "privacy shortcut."
If you are a user seeking anonymity, then your best option is not using a VPN - despite what marketing materials may say. Your best bet would be to get familiar with the Tor Browser and trusted live operating systems such as Tails.
Choosing a VPN
If you've determined a VPN fits the bill for you and your privacy journey, then how do you go about choosing one?
Ultimately, this is dependent on a number of interacting factors, some of which are personal to you. However, as a general rule of thumb you should:
- Avoid most "free VPNs." Generally, free VPNs are the epitome of "if it's free, you are the product." They frequently collect your data and have highly invasive privacy practices. Remember, whatever VPN you use theoretically has a high level of access to your browsing history and connectivity.
- Avoid VPN providers located in the US or the Five Eyes. More information from Privacy Guides.
- Ensure the provider has OpenVPN protocol support at a minimum.
- Ensure the VPN provider has a reliable killswitch.
- Ensure the provider engages in minimal data collection... think: what information is needed to sign up, logging policy, etc.
Limitations of VPNs
- Trustworthiness of your VPN provider
This is the biggest limitation when it comes to VPNs. It's not to be underestimated in any capacity.
Truthfully, the security and privacy gained from using a VPN really begins with the provider.
Remember, a VPN provider has direct access to a ton of data about you:
- Payment information - especially if you've used traditional payment methods which create a paper trail right to you
- Any information provided during account creation
- The IP addresses of the devices you use to connect to the VPN servers
- The entirety of your browsing activity
If your VPN provider is not trustworthy, then why trust them with any of the information points above?
Unfortunately, evaluating the trustworthiness of a provider can be hard (sometimes until after the fact) and pretty subjective. However, some key things to look for include:
- The provider's marketing tactics. Unreal claims are little more than fancy lies. Be highly aware of "100%" anything claims as nothing in this world is perfect - not even your momma.
- Ownership. Who actually owns the VPN service? Sometimes "COOLVPN" is actually owned by "NOTCOOLVPN." Look at whether the company has been acquired/bought and by whom. In the VPN world, "friends" can turn into "not friends" overnight. Examples:
Private Internet Access buyout.
Fun fact: they're now owned by the same company.
- Third party security audits. Especially for "no logs" policies. Most reputable VPN providers are willing to publicize third party security audits because it bolsters their claims. The absence of one can be cause for concern.
- Data breaches. Has a VPN provider been breached? What information was leaked? Was the information leaked anything the provider claimed not to have "logged" or "stored?" How was the data breach handled?
- Your devices (that may not send all traffic through the VPN)
Some devices aren't able to have VPN clients installed and therefore can't route their traffic through a VPN. This is usually the case for the likes of IoT devices such as smart TVs.
Some devices may not route all network traffic through the VPN connection. Some devices are more prone to doing this than others. This can be due to the device itself, device settings, firewalls, or any other software present.
Traffic leaking such as this can undo what security and privacy benefits you may have gained when using the VPN. More than likely, your device will revert to using your ISP's IP address or continue its connection to a network even without the VPN connection present.
On a device with a VPN client installed, a good and trustworthy VPN provider should provide a reliable killswitch in the event your connection to the VPN service is jeopardized. Since the connection to the VPN provider can be jeopardized by your device, your ISP, or the provider themselves, a killswitch automatically cuts off your device's internet connection rather than letting traffic continue outside the tunnel.
Some users may be thinking how they could use their router to provide VPN encryption. The good news is that it's possible and would provide the benefits of using a VPN to all devices connected to the network all without installing the VPN on each device. Even devices that can't install a VPN client - such as most IoT devices - could potentially benefit. The router could initiate the killswitch for all devices as well.
However, it's highly important to note that most consumer-grade routers don't have the processing power to handle VPN encryption for the multitude of devices that may be present on a home network. Thus, if you have a ton of different devices that can't have a VPN client directly installed on them, then they can't benefit from a VPN connection.
- Subject to various leaks
This is in addition to the second limitation described above.
Unfortunately, even when a connection is established, VPNs themselves can be leaky things - especially when these leaks aren't mitigated. There are a number of ways a VPN connection can "leak," and therefore fall short in providing the security and/or privacy you expect.
IPv6 leaks. Even though IPv6 is due to replace IPv4, many websites and web services still utilize IPv4. Some ISPs support IPv6 and therefore supply your devices with both an IPv4 address and an IPv6 address.
Sometimes, VPN providers will successfully mask your IPv4 address while failing to mask your IPv6 address. This is an IPv6 leak.
Your VPN provider should block IPv6 traffic so that the IPv6 version of your IP address doesn't leak everywhere.
DNS leaks. This occurs when the VPN tunnel fails to include your device's DNS queries within its encryption. This enables the likes of your ISP to view your DNS queries - and therefore your browsing traffic - which defeats the purpose of the VPN in the first place.
DNS leaks can happen a couple of different ways. More than likely, your device might route DNS traffic outside of the VPN tunnel (which goes back to part of limitation number 2) and/or your device might send your DNS queries to a third party server. The second situation is far less of a concern if you configure either your router or your devices to use trusted, secure, and private DNS servers.
If you're experiencing DNS leaks while using your VPN, you should first review your settings on both your device and the VPN client.
WebRTC leaks. This doesn't directly have to do with the VPN provider itself. However, it is very pertinent to VPN users. Even with the most solid VPN provider and all VPN client-related settings in check, it's still possible for your IP address to leak from behind the VPN due to WebRTC leaks.
Rather than messing with your VPN client settings, you'll have to go through the settings of the browser(s) you use to correct WebRTC leaks.
Learn how to stop WebRTC leaks.
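As an added example (not part of the original article), here is an offline check for the routing and DNS leaks described in this section and in the device limitation above: it parses constructed "ip route" and resolv.conf text from a Linux host and assumes the tunnel interface is named tun0 and that the VPN pushed the resolver 10.8.0.1 (both assumptions). WebRTC is a browser-side issue and is not covered by this check.

```python
# Added example, not from the article: offline check for the routing and DNS
# leaks described above, run over constructed "ip route" / resolv.conf text.
# Assumes a Linux host whose VPN client created interface tun0 (assumption).
TUN_IF = "tun0"            # assumed tunnel interface name
VPN_DNS = {"10.8.0.1"}     # assumed resolver reachable only inside the tunnel
V4_HALVES = ("0.0.0.0/1", "128.0.0.0/1")  # OpenVPN "redirect-gateway def1" style
V6_HALVES = ("::/1", "8000::/1")

def tunnel_covers(route_text, tun_if, halves):
    """Return (has_default, covered): whether any default-like route exists and
    whether the tunnel carries either 'default' or both half-space routes."""
    via_tun, has_default = set(), False
    for line in route_text.splitlines():
        f = line.split()
        if f and f[0] in ("default",) + halves:
            has_default = True
            if "dev" in f and f[f.index("dev") + 1] == tun_if:
                via_tun.add(f[0])
    return has_default, "default" in via_tun or set(halves) <= via_tun

def nameservers(resolv_text):
    """Collect resolver addresses from resolv.conf-style text."""
    return {f[1] for f in (l.split() for l in resolv_text.splitlines())
            if len(f) > 1 and f[0] == "nameserver"}

def find_leaks(v4_routes, v6_routes, resolv_text, tun_if=TUN_IF, vpn_dns=VPN_DNS):
    """Heuristic: full-space routes must go via the tunnel, IPv6 must be either
    absent (blocked) or tunnelled, and every resolver must be the VPN's own."""
    findings = []
    _, v4_ok = tunnel_covers(v4_routes, tun_if, V4_HALVES)
    if not v4_ok:
        findings.append("ipv4: default traffic not routed through " + tun_if)
    v6_default, v6_ok = tunnel_covers(v6_routes, tun_if, V6_HALVES)
    if v6_default and not v6_ok:
        findings.append("ipv6: default route bypasses the tunnel (IPv6 leak)")
    outside = nameservers(resolv_text) - vpn_dns
    if outside:
        findings.append("dns: resolvers outside the tunnel: " + ", ".join(sorted(outside)))
    return findings

# Constructed sample: IPv4 is tunnelled, but IPv6 and a LAN resolver are not.
SAMPLE_V4 = """0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42"""
SAMPLE_V6 = "default via fe80::1 dev wlan0 proto ra metric 600\n"
SAMPLE_RESOLV = "nameserver 10.8.0.1\nnameserver 192.168.1.1\n"

if __name__ == "__main__":
    print(*["LEAK " + f for f in find_leaks(SAMPLE_V4, SAMPLE_V6, SAMPLE_RESOLV)], sep="\n")
```

On a real host, feed it the output of "ip -4 route show", "ip -6 route show" and /etc/resolv.conf; clients that use policy routing (e.g. WireGuard's fwmark rules) or DNS-over-HTTPS in the browser need a different check.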
- Jurisdiction matters more than some other tools/services
For many privacy-related services, jurisdiction matters.
The general rule of thumb is to avoid any providers or services that operate within any of the Five Eyes countries. For some providers/services, this may not matter as much.
However, given the amount and type of information that a VPN provider has access to (as detailed earlier) and how it can be compelled to record/store such information, jurisdiction proves far more important for VPN services.
Because of this, you'll more than likely want to strive for your VPN provider to be outside the greater 14 Eyes.