VPN Services
Virtual Private Networks (VPNs) encrypt your internet traffic and route it through a remote server, hiding your IP address from the websites you visit and shielding your activity from anyone on your local network. But a VPN is not a magic shield — it solves specific problems, and understanding those problems is essential before choosing to use one.
HTTPS Is Not a VPN
A common misconception is that HTTPS makes VPNs unnecessary. They solve different problems:
- HTTPS encrypts the content of a single connection between your browser (or app) and a specific server. It operates at the application layer — each connection is independently wrapped.
- A VPN wraps all your device's traffic at the network layer into a single encrypted tunnel to a gateway you trust. Every app, every protocol, every DNS query goes through it.
They overlap on encryption but diverge on almost everything else:
| Aspect | HTTPS | VPN |
|---|---|---|
| What is encrypted | Content of a single connection | All traffic from the device |
| Who sees the destination | Your ISP, local network, anyone on the path (via SNI) | Only the VPN provider |
| Who sees your IP | Every server you connect to | Only the VPN provider |
| DNS queries | Typically unprotected unless DoH/DoT is configured | Tunneled through the VPN (if properly configured) |
| Metadata (timing, volume, patterns) | Fully visible to the local network | Hidden from the local network, visible to the VPN provider |
The Metadata Gap
Even with HTTPS everywhere, significant metadata leaks by default:
- SNI (Server Name Indication) — The domain name is sent in plaintext during the TLS handshake. Anyone on your local network can see that you are connecting to a specific domain, even if they cannot see the page content. Encrypted Client Hello (ECH) aims to fix this but is not yet widely deployed.
- DNS queries — Unless you have explicitly configured DNS over HTTPS (DoH) or DNS over TLS (DoT), every domain you resolve is sent as a plaintext UDP packet on port 53. Your local network and ISP see every lookup.
- Traffic analysis — Packet sizes, timing, and burst patterns are often enough to infer what you are doing. Loading a video, sending a message, or browsing a specific site all have recognizable signatures.
- Your IP address is your identity — Every server you connect to over HTTPS sees your real public IP, which is tied to your ISP account, approximate location, and in many jurisdictions, your legal identity.
If you only care about someone reading your messages, HTTPS is enough. If you care about someone knowing what you are doing — where you go, when, and how often — that is where a VPN earns its place.
Attack Surfaces on Public Networks
Public and open Wi-Fi networks (airports, hotels, coffee shops) introduce specific risks:
Common Risks
- Rogue hotspot (evil twin) — Attackers set up networks mimicking legitimate ones. Devices auto-reconnect to the stronger, attacker-controlled SSID.
- Captive-portal credential harvesting — Login pages on captive portals ask for email, phone, or OAuth tokens that can be sold or used in phishing.
- Lateral scanning — Open client-to-client traffic allows anyone to probe SMB, AirDrop, SSH, and other exposed services.
- Malicious updates — Man-in-the-middle positions allow tampering with insecure update channels.
- Long-term device fingerprinting — MAC randomization has been defeated by browser and protocol fingerprinting and stable radio attributes.
Less Frequent Risks
- DNS spoofing / rogue DHCP — Attackers respond to DNS or DHCP requests faster than legitimate servers, pushing a malicious resolver or gateway.
- SSL stripping / downgrade — Intercepting HTTP-to-HTTPS redirects. Modern browsers display warnings or block this, but outdated or weakened browsers remain vulnerable.
- Session hijack / cookie theft — Sniffed session cookies might allow attackers to replay your authenticated state.
Insecure Browsers and Captive Portals
When connecting to a network with a captive portal, your OS fires a plain-HTTP request to a hard-coded URL. If it receives anything other than the expected response, it launches a minimal browser (mini-browser) to display the portal. These mini-browsers often lack the security features of full browsers — no extension support, limited certificate validation, and reduced script blocking.
Similarly, in-app browsers (WebViews) used by social media and messaging apps can inject JavaScript, share cookies with the host app, and lack address bars for verifying origins. Both scenarios weaken the protection HTTPS normally provides.
When You Need a VPN
Use this mental model to decide:
- Public Wi-Fi, low risk — HTTPS and modern browsers already block most real attacks. A VPN is optional.
- Public Wi-Fi, privacy matters — HTTPS plus encrypted DNS (DoH or DoT) is the baseline most people overlook. Add a VPN if you want to hide metadata from the local network.
- Hiding metadata from your network — Add a VPN you trust, with a kill switch and no leaks. This hides destinations, DNS queries, and traffic patterns from your ISP and local network.
- You are a real target — HTTPS and commercial VPNs are table stakes, not solutions. Focus on endpoint security, compartmentalization, and protocol-level privacy.
The mistake is not "not using a VPN." The mistake is not knowing what you are defending against or adopting technologies without understanding why, assuming one tool solves everything. If you do not define the threat, every tool looks like protection.
Choosing a VPN Service
When selecting a VPN service, consider the following factors:
- No-logs policy — Ensure the VPN provider does not store information about your online activities. Look for providers that have undergone independent audits to verify this claim.
- Encryption standards — Look for VPNs that use strong encryption (AES-256-GCM or ChaCha20-Poly1305) with modern protocols like WireGuard, which typically outperforms OpenVPN.
- Kill switch — A kill switch ensures your internet connection is cut off if the VPN connection drops, preventing your data from being exposed.
- DNS and IP leak protection — Verify the VPN tunnels DNS queries and prevents IPv6 or WebRTC leaks.
- Server locations — A wide range of server locations allows you to access content from different regions and improves connection speeds.
- Provider trust model — A VPN shifts trust from your ISP to the VPN provider. Evaluate the jurisdiction, ownership structure, and track record of the provider.
Limitations of VPNs
A VPN is not infallible. Consider these factors in your threat model:
- Provider can log or get raided — If police serve a warrant or the company folds under subpoena, your traffic metadata can leak.
- DNS and IP leaks still happen — Misconfigured clients, IPv6 routes, or split-tunnel mistakes send lookups to your ISP in the clear.
- TunnelVision and rogue-route attacks — A local gateway that manipulates DHCP or routes can force traffic outside the tunnel.
- Browser fingerprinting survives — Device fonts, canvas/WebGL, and TLS quirks still identify you even with a new IP.
- Malicious or free VPN apps — Many no-cost Android VPNs bundle adware or spyware.
- Streaming and firewalls detect and block exits — Popular services blacklist known VPN ranges.
- Kill-switch failure reveals your real IP — If the tunnel drops and no kill switch is active, traffic falls back to the raw internet.
- Protocol metadata — WireGuard stores client IPs on the server for handshakes, a privacy trade-off.
- Government blocking and legality — Some countries throttle, detect, or criminalize unapproved VPNs.
- Endpoint still vulnerable — Malware on your laptop records keystrokes before encryption. A VPN cannot fix a compromised device.
DNS Leaks
HTTPS encrypts what you are saying, but not who you are talking to, when, how often, or how much data you are exchanging. A DNS leak occurs when your DNS queries bypass the VPN tunnel and go directly to your ISP's resolver, revealing the domains you visit. You can test for DNS leaks using tools like dnsleaktest.com.
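The leak classes described above and under Limitations (DNS queries to the ISP resolver, IPv6 routes outside the tunnel, and traffic falling back to the raw interface when no kill switch is active) can be audited from an egress packet log. This Python example is added here and is not from the page; it assumes a tunnel interface named wg0, a VPN endpoint at 203.0.113.10, and a constructed packet log, and it decodes the query name from a plaintext port-53 packet to show exactly what a leak exposes.

```python
import struct
from dataclasses import dataclass
@dataclass
class Packet:                  # one egress packet as a flow monitor would record it
    iface: str                 # interface the packet left on
    dst: str                   # destination address
    dport: int
    proto: str                 # "udp" or "tcp"
    payload: bytes = b""

def build_dns_query(name: str) -> bytes:
    """Constructed sample: a minimal plaintext DNS A query for `name`."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)               # QTYPE A, QCLASS IN

def dns_qname(payload: bytes):
    """Read the first question name from a plaintext DNS query, or None if malformed."""
    pos, labels = 12, []                                           # skip the 12-byte header
    while pos < len(payload):
        n, pos = payload[pos], pos + 1
        if n == 0:
            return ".".join(labels) or None
        if n & 0xC0 or pos + n > len(payload):                     # pointer or truncated label
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace")); pos += n
    return None

def audit_leaks(packets, tunnel_iface="wg0", vpn_endpoint="203.0.113.10"):
    """Flag egress that bypassed the tunnel; only the encrypted transport to the endpoint is allowed."""
    findings = []
    for p in packets:
        if p.iface == tunnel_iface or p.dst == vpn_endpoint:
            continue
        if p.dport == 53:
            name = dns_qname(p.payload) if p.proto == "udp" else None
            findings.append(f"DNS leak on {p.iface}: query for {name or '?'} went to {p.dst}")
        elif ":" in p.dst:
            findings.append(f"IPv6 leak on {p.iface}: {p.proto} to [{p.dst}]:{p.dport}")
        else:
            findings.append(f"Tunnel bypass on {p.iface}: {p.proto} to {p.dst}:{p.dport}")
    return findings

SAMPLE = [                                                         # constructed egress log
    Packet("wlan0", "203.0.113.10", 51820, "udp"),                 # tunnel transport itself: fine
    Packet("wg0", "10.64.0.1", 53, "udp", build_dns_query("example.com")),     # DNS inside tunnel: fine
    Packet("wlan0", "192.0.2.53", 53, "udp", build_dns_query("example.com")),  # resolver bypass
    Packet("wlan0", "2001:db8::1", 443, "tcp"),                    # IPv6 route not in the tunnel
    Packet("wlan0", "198.51.100.7", 443, "tcp"),                   # tunnel down, no kill switch
]
```

Running `audit_leaks(SAMPLE)` reports the three leaks and ignores the two legitimate packets; the same rule (nothing leaves a non-tunnel interface except the tunnel's own transport) is what a kill switch enforces in the firewall.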
Recommended VPN Services
These providers are commonly recommended by privacy-focused communities. Evaluate each against your own threat model:
- MullvadVPN — Strong privacy policy, no-logs (audited), fast speeds, WireGuard support, account-number-only registration (no email required).
- ProtonVPN — Strong focus on privacy, no-logs policy, free tier available, Secure Core architecture routes traffic through privacy-friendly jurisdictions, open-source apps.
- IVPN — No-logs (audited), WireGuard and OpenVPN support, account-number-only registration, privacy-first business model.
Avoid free VPNs — they often come with data caps, slower speeds, and may monetize your data or bundle malware.
Tools and Measures
Select tools that match your threat model. You do not need all of these.
Network Level
- Portable travel router — Devices like the GL.iNet Beryl or Slate run OpenWrt, let you force all traffic through a VPN before it leaves your pocket, and isolate your devices from untrusted networks.
- Pi-hole — A DNS sinkhole that blocks ads and trackers at the network level. Pair it with Unbound for local recursive DNS resolution.
- Curated VPN providers — Check Privacy Guides recommended providers and their selection criteria.
- PiVPN or Algo — If you do not trust any VPN provider, run your own. Algo by Trail of Bits deploys a WireGuard server on any cloud VM in minutes.
DNS Level
- DoH or DoT — Configure encrypted DNS at the OS level so it applies to all apps, not just your browser.
- Cloudflare WARP (1.1.1.1) — Free app that encrypts DNS queries and device traffic through Cloudflare's network. Not a full VPN (does not anonymize or spoof location).
- Mullvad DNS — Available at 100.64.0.2 (with ad/tracker blocking) or via their DoH endpoint. No account needed.
- AdGuard DNS — Similar to Mullvad's offering with configurable filter lists and DoH/DoT support. Free tier available.
- NextDNS — Granular custom blocklists with query logging (optional). Free up to 300k queries per month.
Device Level
- Force HTTPS-Only mode — Safari, Firefox, Chrome, and Brave all support this. Prevents accidental HTTP connections.
- iCloud Private Relay — Apple's two-hop proxy for Safari traffic. Not a VPN, not Tor, but separates who you are from where you are going. Only works in Safari on iCloud+ plans.
- Disable WPAD — On Windows, disable "Automatically detect settings" in proxy config. WPAD lets a local network push a proxy configuration to your machine without asking.
- Turn off auto-join for open networks — On iOS and Android, disable the setting that auto-connects to known open SSIDs.
Browser Level
- Tor Browser — The only browser that truly defeats fingerprinting. Use it when anonymity matters.
- Mullvad Browser — A fork of Tor Browser with the Tor network removed, designed to be paired with a VPN or used standalone. Trades network-level anonymity for a general-purpose privacy-hardened browser.
- Brave — Fingerprint randomization on by default, built-in ad blocking, and optional Tor windows.
- Firefox with hardening — Enable privacy.resistFingerprinting, HTTPS-Only mode, and a content blocker like uBlock Origin.
Verification Tools
- EFF Cover Your Tracks — Shows your browser fingerprint uniqueness.
- amiunique.org — Detailed fingerprint breakdown.
- IPLeak.net — Checks IP, DNS, WebRTC, and torrent IP leaks.
- BadSSL — Tests your browser's TLS and certificate handling.
- DNS Leak Test — Checks whether your DNS queries are leaking outside the VPN tunnel.