A VPN masks your IP address
The core of VPN protection is hiding your IP address (Internet Protocol), a unique identifier for your device in connecting to the web via your Internet Service Provider (ISP). Your IP reveals certain details about you, like your ISP, device type, and approximate location.
With a VPN, your traffic is first routed through its server, replacing your personal IP with the VPN’s. This can help anonymize your traffic while connecting on the web. As we will see, a single IP obfuscation is not enough to protect you against all surveillance threats, even hackers.
A VPN should encrypt your data
VPN protection starts with data encryption before your traffic leaves your device. A VPN tunnel secures data between your device and the VPN server, ensuring only these endpoints can decrypt it. If intercepted, the data remains unreadable. While protocols like HTTPS encrypt most web connections, a VPN adds extra security. However, metadata – such as connection times, locations, and contacts – still leak from encryption, revealing patterns of communication to third parties.
Learn more in Nym's guide to encryption protocols with a VPN.
Location selection
With a VPN, you should be able to select which location (e.g., country) your VPN server is located. Your traffic will be given an IP address in that location, making it seem like you are accessing the web from there. This is useful in bypassing censorship restrictions or simply accessing geo-restricted content, though effectiveness depends on local restrictions.
Advanced VPN features
Some VPNs include additional features which can enhance privacy and security protections, or customize how data is handled by the VPN. Here are some important features to look out for:
- Kill switch: Instantly disconnects your internet if the VPN connection drops, preventing unprotected exposure.
- Split-tunneling: Lets users route specific traffic through the VPN while excluding other activities, balancing security and performance.
- DNS leak protection: Ensures all DNS requests go through the VPN’s encrypted tunnel instead of your ISP, preventing accidental data leaks.
- Multi-hop routing: Routes traffic through multiple servers, obfuscating IP addresses and other metadata many times. Note: Some VPN services offer “double VPN” or 2-hop modes, but they remain controlled by one entity, making these choices less private than other truly decentralized VPN options.
- Censorship resistance: Modifies the structure of data and traffic to avoid your traffic being targeted and blocked for using a known VPN.
- Ad blocker: Intercepts and blocks known ads before they connect with your device.
- Unlinkable payments: Ensures that your use of the VPN cannot be connected with your payment information.
Why do you even need a VPN?
What’s the use of a VPN in the first place, and who needs one? The short answer: anyone looking to protect their privacy online, or who need to access content that might be blocked in a particular location.
- Browse anonymously: Nothing we do online is private. There are parties and systems tracking, collecting, and selling and buying our metadata at every turn. These surveillance agents range from websites, data brokers profiling us to, government and intelligence agencies, and cybercriminals looking for financial exploits.
- Communicate privately: Even while using end-to-end encrypted messaging or email services, metadata records of conversations can reveal detailed accounts of our communication patterns, contacts, and locations.
- Access foreign-based content: Content on the internet is becoming increasingly splintered. Whether it’s subscribed streaming content available or news about what’s happening in the world, the ability to access it depends highly on the country we are in and what is or isn’t blocked by governments there.
- Transact securely: Online financial assets, services, and transactions continue to be a prime target for cybercriminals and hackers. Moreover, cryptocurrencies themselves are not truly anonymous and can be tracked via metadata surveillance tools.
- Overcome censorship: Billions of people worldwide live under hard censorship restrictions which limit access to essential information online.
A VPN can help with these many needs, but the success depends on the type of VPN. So let’s look at what is currently available.|
Types of VPNs
There are two general types of VPN architectures:
- Traditional (or centralized) VPNs
- Decentralized VPNs (dVPNs)
The difference between centralized and decentralized VPNs is based on how many physical servers are used to route your data, who controls them, and how data is handled in transit. So let's break it down.
Centralized VPNs
Most VPNs use centralized infrastructures, meaning that your traffic is relayed through a single VPN server which is owned or rented by one provider. One company thus handles all your traffic in one spot in order to mask your IP address. This means your online activity could be logged or recorded by the VPN company itself. If traffic records exist on a single server, privacy risks arise from potential breaches or government requests.
Many VPNs claim “no logs” policies, but details vary. Some store “operational logs” like IP addresses, while others share select data with marketing partners. Since centralized VPNs have potential access to your metadata, your actual privacy boils down to trusting their policies.
Decentralized VPNs (dVPNs)
Decentralized VPN technology has developed to get rid of this required trust. A dVPN should make it structurally impossible for all your traffic data to ever be loggable in one physical space.
Decentralization requires a minimum of 2 independent servers to route your traffic. True decentralization comes from the lack of any central point of failure or exploit. If one server is compromised or malicious, only a partial picture of your traffic will be revealed. Compromising multiple servers to compile a full traffic record becomes exponentially difficult as the number of servers increases.
It's also worth learning about hardware vs. software VPNs to understand how the type of setup can impact control, privacy, and scalability.
How does a VPN work?
As we’ve seen, there are very different types of VPN architectures, though the large majority are centralized. This makes a big difference for user privacy. So let’s look at what happens to your traffic as it passes through these different models.
Traditional VPN routing
With a traditional VPN service, your traffic should first be encrypted on your device before being tunneled to the sole VPN server. Once there, the IP address associated with your traffic will be replaced with the VPN’s own public IP, and the traffic decrypted to reveal where to send your request. When your traffic arrives at its final destination, it will appear to originate from the VPN server.
But who sees your identity exactly? On this one-hop model, the VPN is the sole intermediary for your traffic, so they will see both your IP address and the IP of who or what you’re connecting with. The recipient, however, will only see the IP address of the VPN. This provides a simple form of IP protection for you in relation to a recipient on the public web.
dVPN routing
With a dVPN, your traffic routes through at least two independent servers. The first sees your IP but not your destination, while the second sees your destination but not your real IP. Unlike centralized VPNs, dVPNs ensure no single location logs your full traffic. With NymVPN, privacy is built into the design.
What VPNs don’t do
Quality VPNs can clearly do a lot when it comes to increasing our privacy and anonymity online, but these capabilities depend highly on the VPN service provider and the architecture of its network. Additionally, there are things that VPNs simply cannot do, as well as vulnerabilities specific to each.
What no VPN can do
- Protect your device 100%: VPNs can do a lot to protect your data in transit against hacking attempts. However, they cannot protect your device from being compromised in the first place. If malware or spyware is already on your device, any VPN encryption and proxying cannot guarantee your privacy and security.
- Provide end-to-end encryption on their own: Your traffic will be end-to-end encrypted only if your initial connection is encrypted (e.g., through an HTTPS connection). VPN tunneled encryption only encrypts your data en route between your device and the VPN server. Once on the server, that layer of encryption is removed, revealing where to send your data on the public web. Without HTTPS or SSL/TLS encryption first established, your data will be in the clear, fully legible, and exploitable between the VPN server and the destination.
What traditional VPNs don’t do
- Make traffic logging impossible: Centralized VPNs can promise that they won’t keep logs of our traffic, but because their servers have access to the full route of what we do online, this ultimately requires our trust in them. dVPNs like NymVPN solve this problem with a can’t log network design.
- Protect your metadata: Metadata is information about information, such as your IP address, when and where you send data, and to whom. This metadata is not protected by centralized VPN encryption protocols: it leaks from it.
- Guarantee against data breaches: No security system is absolutely foolproof, and data servers are certainly no exception. VPN servers are a common and successful target for cyberattacks because they potentially contain the information of millions of users in one spot. So any data that a VPN service provider does keep records of can be potentially exposed.
- Ensure against surveillance: AI surveillance systems are capable of tracking user activities and patterns by surveilling VPN networks through end-to-end correlation attacks and traffic analysis. This makes centralized VPNs poor protections.
Guard against government interference. Governments and law enforcement agencies have been known to demand traffic and subscription records of VPN users. If a VPN service is located within the legal justification of a government surveillance request, such as the 14-eyes network of countries, then they can be legally compelled to disclose any records.
