Turn on a VPN, and suddenly you feel untouchable – the digital equivalent of pulling your hood up in a crowd. Spoiler: the hood has holes. VPNs are useful, sometimes seriously so, but the gap between what they promise and what they deliver is wide enough to matter. Here’s what’s actually happening when that little shield icon turns green.
What Gets Encrypted and What Doesn’t
The word “encryption” gets thrown around in VPN marketing like it covers everything. It doesn’t, and the distinction matters more than most people realise.
What the Tunnel Actually Covers
A VPN routes your traffic through an encrypted tunnel to its own server before it reaches the open internet. Your ISP sees a connection to a VPN server and nothing else – no sites, no DNS queries, no content. On public Wi-Fi, that’s a meaningful improvement over going bare. On a home connection, the benefit is narrower: you’re mainly hiding your activity from your ISP and swapping your real IP for the VPN’s.
Where the Protection Ends
A VPN has no visibility into what’s already on your device, so malware runs just fine with one enabled. Cookies, browser fingerprints, and login sessions still identify you – if you’re signed into Google, Google knows who you are regardless of which IP the traffic comes from. The VPN provider itself also sees your traffic, which is exactly why their logging practices matter. The tunnel is private to the company operating it.
Protocols: The Part Nobody Reads
The protocol is the engine under the hood – it defines the encryption, the connection speed, and how detectable the VPN traffic is. Most users pick a provider based on ads and never look at it once.
OpenVPN and WireGuard
OpenVPN has been the workhorse for over a decade – open-source, well-audited, and trusted by people who actually have something to lose. It’s slow by modern standards, but the security foundation is solid. WireGuard arrived and changed the conversation: roughly 4,000 lines of code versus OpenVPN’s 400,000. Fewer lines means a smaller attack surface and a much faster codebase. On mobile, especially, where you’re constantly switching between Wi-Fi and cellular, the reconnection speed difference is obvious. If your VPN still doesn’t support WireGuard in 2025, that’s a flag.
Proprietary Protocols and the Audit Problem
Some providers have developed their own protocols – typically WireGuard derivatives with obfuscation added to make VPN traffic look like normal HTTPS. That’s useful in countries where VPNs are actively blocked. The catch is that proprietary code can’t be independently reviewed the way open-source protocols can. A third-party audit helps, but only if it specifically covers the protocol and the logging infrastructure, not just the app UI. Check before you trust.
No-Log Policies: Easy to Claim, Harder to Prove
Every VPN on the market says it keeps no logs. Writing that on a webpage costs nothing. What actually matters is whether the claim has been tested against something more demanding than a marketing review.
Server Seizures Tell You More Than Privacy Pages
The most credible evidence for a no-log policy is what happens when law enforcement seizes a server. Several providers have been through it and handed over nothing useful – because there was nothing stored. That’s a more honest benchmark than any self-published audit. Third-party reviews from firms like Cure53 or KPMG add weight when they specifically examine the logging infrastructure rather than doing a surface-level application check.
Jurisdiction Isn’t Just Legal Boilerplate
Where a VPN is incorporated determines which legal frameworks it answers to. Providers based in 5/9/14 Eyes countries can face broader data disclosure requirements than those in Panama, Switzerland, or the British Virgin Islands. For most people streaming a show with a foreign IP, this is irrelevant. For journalists, activists, or anyone whose threat model involves a government, it’s the first thing worth checking.
Kill Switches and DNS Leaks: The Unglamorous Essentials
Feature lists on VPN product pages tend to run long. A lot of it is padding. Two things are worth actually caring about: whether the connection fails safely, and whether your DNS queries stay inside the tunnel.
The Kill Switch Problem
VPN tunnels drop. When they do, most operating systems will reroute traffic through your regular connection without asking. Your real IP appears, your traffic goes out unencrypted, and you’d have no idea it happened. A kill switch blocks all internet traffic the moment the tunnel fails. The implementation matters, though – a kill switch built into the app layer can be bypassed; one running at the OS or driver level is harder to circumvent. Check whether it’s enabled by default on your provider’s client.
DNS Leaks: When Everything Looks Fine But Isn’t
Every time you type a URL, your device makes a DNS request to translate it into an IP address. If that request goes to your ISP’s DNS server instead of the VPN’s, your ISP can see every domain you’re visiting, even if the actual content is encrypted. This is a DNS leak, and it’s common enough that it’s worth testing for. Go to dnsleaktest.com, run the standard test, and see whose servers are handling your queries. It takes under a minute, and the result is unambiguous.
Free VPNs and How They Pay the Bills
VPN infrastructure costs money – servers, bandwidth, staff, and audits. A free VPN has to cover those costs somehow. Usually, the answer is you.
Browsing data sold to advertisers, tracking scripts injected into traffic, and in the more egregious cases, users’ devices enlisted as exit nodes in commercial proxy networks. Hola VPN did exactly that – quietly routing paid traffic through its users’ connections for years. Legitimate freemium models exist, but they’re rare and easy to verify: the provider should have a clear, documented funding model. If you can’t figure out how a free VPN makes money, that’s not a mystery worth sitting with.
What a VPN Is Actually Good For
A VPN is a specific tool with specific uses. It’s good at a few things and irrelevant to many others, and the industry has a strong commercial interest in blurring that line.
Protecting traffic on networks you don’t control, keeping your browsing history away from your ISP, accessing geo-restricted content, and putting a layer of distance between your real IP and the sites you visit – those are the legitimate use cases, and a VPN handles them well. Targeted surveillance, device compromise, or account takeovers are different problems that a VPN alone won’t solve. Pairing it with DNS-over-HTTPS, a sensible browser configuration, and decent password hygiene gets you somewhere more meaningful than running a VPN and assuming you’re covered.
Where ZoogVPN Fits In
If the criteria above are your checklist, ZoogVPN covers it without a lot of noise. WireGuard and IKEv2 are both supported across platforms. The no-log policy has been maintained consistently, the kill switch works at the system level, and DNS leak protection is on by default. Servers in 50+ countries, apps that work on desktop, mobile, and router level, and a free plan that lets you actually test performance before paying for anything.
A VPN is worth paying for when it does what it’s supposed to. Start your free trial and see whether ZoogVPN earns it.
- Diana BestaievaContent Writer at ZoogVPN. Diana deeply explores the newest technologies and shares valuable insights engagingly and comprehensively. Keeping up with the tech news, she makes in-depth content, explaining complex concepts with ease.
