What a VPN Actually Does

A VPN (Virtual Private Network) creates an encrypted tunnel between your device and a VPN server. All your internet traffic — DNS queries, HTTP/HTTPS requests, everything — flows through this tunnel. To your ISP, the coffee shop router, and any WiFi attacker, your traffic appears as an opaque encrypted stream to the VPN server's IP address.

What a VPN Does NOT Do

A VPN does not make you completely anonymous or invincible. Understanding these limitations is critical:

  • Doesn't hide your browsing from the VPN provider: The VPN provider sees all your traffic — choose one with a strong no-logging policy
  • Doesn't protect against compromised VPN endpoints: If the VPN server is malicious or compromised, all bets are off
  • Doesn't prevent phishing or malware delivered over HTTPS: If you download a malicious file over HTTPS, the VPN doesn't protect you
  • Doesn't hide you from the website you're visiting: Google, Facebook, and your employer still see your real IP if you're logged in
  • Doesn't protect against local physical attacks: PoisonTap, Rubber Ducky, and other physical attacks can bypass VPN protection
  • Can be detected and blocked: Some networks block VPN traffic by detecting the protocol

VPN Protocols Compared

| Protocol | Speed | Security | Setup Difficulty | Best For |
|---|---|---|---|---|
| WireGuard | Fastest | Excellent (modern cryptography) | Easy | Performance, modern deployments |
| OpenVPN (UDP) | Fast | Excellent (open source, audited) | Moderate | General purpose, transparency |
| IKEv2/IPSec | Fast | Good | Easy (built into most OS) | Mobile devices, roaming connections |
| OpenVPN (TCP) | Moderate | Excellent | Moderate | Firewall-evading, stable connections |
| L2TP/IPSec | Slow | Moderate (suspected NSA backdoor) | Easy | Legacy compatibility only |
| PPTP | Moderate | Broken — DO NOT USE | Easy | Nothing. Never use this. |

Split Tunneling vs Full Tunnel

Full Tunnel (Default on Most VPNs)

All traffic goes through the VPN tunnel. Your ISP and local network see only encrypted VPN traffic. You can't access local resources (printers, local servers) while connected, but you're maximally protected.

Split Tunneling

Only some traffic goes through the VPN. Other traffic (e.g., local network resources, corporate applications) goes through the normal internet path. This is common in enterprise VPN configurations.

# Split tunneling example (OpenVPN client config)
route-nopull                            # Ignore routes pushed by the server, so the VPN does not take ALL traffic
route 10.0.0.0 255.0.0.0 vpn_gateway    # Route corporate traffic through VPN
route 0.0.0.0 0.0.0.0 net_gateway       # Everything else goes normal route

If you configure split tunneling incorrectly, traffic you expect to be protected (like web browsing) may leak through the normal internet path, especially during VPN reconnection events. If you use a VPN for security on public WiFi, use full tunnel mode — the minimal performance cost is worth the certainty.

Commercial vs Enterprise VPN

|  | Commercial VPN | Enterprise VPN |
|---|---|---|
| Examples | NordVPN, ExpressVPN, Mullvad, ProtonVPN | GlobalProtect, Cisco AnyConnect, FortiClient, Tailscale |
| Purpose | Privacy, general security | Corporate network access |
| Configuration | User sets up individually | IT department manages centrally |
| Access | Full internet via VPN server | Corporate network resources only |
| Logging | Varies — choose no-log providers | Full corporate logging and monitoring |
| Cost | $3–$13/month | Per-user licensing, often included in security suite |

Recommendations

For Individuals (Public WiFi Protection)

  • WireGuard via a reputable provider (Mullvad, NordVPN, ProtonVPN)
  • Enable the VPN kill switch (stops all traffic if VPN drops)
  • Use full tunnel mode on public WiFi
  • Avoid free VPNs — they monetise your data

For Organizations

  • Corporate VPN required for all remote work, especially from public networks
  • Deploy VPN profiles via MDM for managed devices
  • Consider Zero Trust Network Access (ZTNA) solutions like Cloudflare Access or Twingate as modern alternatives
  • Monitor for unauthorized VPN usage (shadow IT risk)