Virtual Private Networks (VPN) have come into the spotlight in recent years. You've probably been exposed to some level of VPN marketing telling you that you "need" one to be private and secure online.
However, have you considered who really "needs" a VPN? Or whether a VPN is right for you?
VPN stands for virtual private network. A VPN creates an encrypted tunnel that allows you to securely connect to a remote network from anywhere in the world.
In certain use cases, a VPN can be a valuable tool in increasing your online privacy and security provided that other good security habits are followed and implemented. The encryption provided by a VPN, assuming all other potential leaks are mitigated, protects your internet traffic from prying eyes.
For more information about VPNs including how they work and their limitations, please see the main VPN section.
Ultimately, "who" needs a VPN boils down to your reason(s) for using one, which in turn is derived from your personal threat model.
Common reasons for using a VPN include encrypting your internet traffic from your internet service provider and 3rd parties, unlocking geo-restricted content, accessing remote networks more securely, and engaging in peer-to-peer (P2P) activities with increased privacy.
Generally, if you find that these apply to you and your particular threat model, then you may benefit from the use of a VPN. This is also assuming you follow other good security practices, such as always forcing HTTPS in your browser, and decent privacy practices such as blocking ads/trackers.
Some aggressive and deceptive VPN marketing may claim that a VPN will provide anonymity and some version of "maximum privacy." These claims are at the best, massively exaggerated and at the worst, false.
A VPN will not provide anonymity; the privacy benefits from using one greatly depend on other factors, which may be out of your direct control. It's also worth mentioning that VPNs are subject to various limitations; the biggest of these limitations being the trust-worthiness of your VPN provider!
This is all to say that a VPN is not a silver bullet for anonymity/privacy/security nor should it be treated as such.
With that said, if you're concerned about your Internet Service Provider (ISP) logging and selling your browsing history to whoever (which, by the way, is totally legal in the US as of writing), then a VPN can prove a good tool for protecting your privacy. Per the FTC, your ISP collects, shares, and uses browsing data in addition to personal identifiable information (PII) Furthermore, it's difficult to actually control your data and how it is used once collected.
Provided your choice of VPN uses a secure protocol such as OpenVPN or Wireguard and resists leaks, a VPN provides considerable privacy protection from ISP browsing, DNS query, and metadata collection. The encrypted tunnel a VPN establishes between your device and its servers provides this protection; essentially, when connected to the VPN, your ISP would only see that you are connected to the VPN. Browsing data and any associated metadata available for capture by the ISP instead gets routed through the VPN provider.
As you may have guessed, because of the amount of data that gets transferred through the VPN tunnel, you're placing a high degree of trust in the VPN provider. Thus, as previously stressed, you should use a trusted and verified no-logs VPN provider. Otherwise, you may find that your browsing data is still for sale/sharing - just by another party.
Be aware that the encryption and the resulting protection a VPN may provide from snooping ISPs and third parties can be compromised on other fronts. For example, a VPN can be subject to various leaks. In the case of protecting your browsing data from your ISP, DNS leaks can undermine this. DNS leaks occur when the VPN tunnel fails to include your DNS queries inside of it, enabling your ISP to potentially pick them up alongside any other leaked metadata.
Again, this stresses the importance of using a reputable VPN provider. Reputable VPN providers should work to stay ahead of leaks and security vulnerabilities and should implement high levels of encryption.
A VPN can also prove a valuable tool if you regularly connect to unfamiliar networks, such as public Wi-Fi found in many airports. The encrypted tunnel a VPN provides can prove useful in preventing eavesdropping from third parties sitting on the network (to include the network administrator). Thus your browsing traffic stays between you and your VPN service provider.
However, as consistently noted, you should make sure to only use HTTPS when visiting websites when connected to an unfamiliar network; a VPN cannot encrypt your connection to a website's web servers. When not using HTTPS, sensitive data such as passwords or credit card information can be easily seen and possibly intercepted by malicious actors.
Ultimately, his ties back into practicing good security hygiene such as not clicking/following suspicious links or downloading suspicious files. VPNs are not a good defense against malware.
Many P2P activities, such as torrenting, can directly expose your IP address to other users. Many people may find this unfavorable and seek to use a VPN to help preserve their privacy - by masking their IP address.
By extension, a VPN also masks your IP address from the sites you visit. This can aid in preventing some tracking and fingerprinting techniques from being as effective.
As a note, you should be careful to address IPv6 and WebRTC leaks, which can expose your IP address from even behind a VPN.
In today's more remote-friendly work environment, you may find that your IT department requires a VPN connection in order to access/remote in to the company network and services. Typically, this is a not through usage of a third party VPN provider; rather, your job's IT department creates its own in-house "service" that your device then connects to.
As described earlier, the encryption established by a VPN provides the bulk of its protection. Therefore, the VPN connection created by your IT department functions to prevent leakage of data while connected to the company's network. The VPN connection allows you to work from anywhere with relative security from eavesdropping third parties.
You should note that VPNs provided by your workplace aren't necessarily in the interest of your privacy in particular. Keep personal activities off your work devices and keep work off your personal devices to maintain your privacy.
In a more personal setting, if you're savvy enough to create your own secure at-home VPN, you can accomplish the same functionality for your network and access your home network from anywhere.
A VPN is an excellent tool for unblocking content.
Unblocking content can range from just skirting around the geo restrictions sometimes encountered while using streaming services like Netflix or Youtube to circumventing internet censorship imposed by a government.
In both cases you're "unblocking content" because if you attempted to access this content without the help of a VPN, you wouldn't be able to.
Perhaps the neatest thing about a VPN is that it can route your encrypted traffic through an intermediary server in a location of your choosing. You would choose a server location that permits viewing of the blocked content, and once you've connected, you can access region-locked content not available in your country.
Some services and governments may attempt to defeat VPN usage by blocking the known IP addresses of VPN providers.
If you've decided that using a VPN fits into your threat model (or maybe you just want to try one out - who knows!), then the next step would be choosing a VPN. As you should know, VPNs are most certainly not created equal!
And if you've done any sort of VPN provider research, then you're probably also aware that there are a ton of different VPN providers out there. Not all of them are trustworthy and not all of them provide the same exact features from service to service.
There are many factors you should look into when choosing a VPN provider, some of which include:
- Encryption protocols used - the ideals are either OpenVPN or WireGuard.
- Ownership - VPN provider consolidation has become popular over the last few years. Does the VPN have a parent company?
- Personal Identifiable Information Handling - What information is required to create an account? What are the policies surrounding how your information is logged or stored?
- Logging policies - is your usage being logged?
Naturally, this isn't an all inclusive list but these can be points that you'd certainly want to look into when choosing a VPN provider. Additionally, some users may value some qualities more than others.
Chances are your potential need(s) for a VPN rests with the use cases described above. In the case that it doesn't, you'll want to evaluate which potential use cases pertain to your personal needs and your threat model and just how much a VPN can alleviate this.
Remember that a VPN will not provide anonymity. A VPN is not a substitute for decent security hygiene nor "standard" privacy practices. A VPN shouldn't be used as a crutch for deficiencies in either area.
For example, prior to using a VPN, you should look into implementing other common privacy improvements such as: