What Does a VPN Protect You From? An Honest Look at What It Stops and What It Doesn't

1. Your ISP able to see your every move

Without a VPN, your internet service provider can see every domain you visit. Not the HTTPS page contents, but the destinations, timing, and volume. In many, or should I say most, countries, this data gets sold to advertisers or handed over to authorities on request. In the US, ISPs have been legally allowed to sell browsing data since 2017.

Even if you have nothing to hide you're still open in a way. "Nothing to hide" isn't the point. Your IP can land on a blocklist from a false abuse report, a lazy fraud-detection model, or a hacker impersonating you - and once it's flagged, services treat you like the problem. Cleaning that up is a lot harder than preventing it.

With a VPN on, your ISP sees one thing: encrypted traffic going to a VPN server. They can't see you visited your bank, a political site, or your favourite news site. They just see the tunnel.

This matters for two reasons beyond privacy:

• Throttling. Some ISPs slow down streaming or torrent traffic as it is easy to identify. They can't target what they can't see.
• Forced data retention. Several EU countries still require ISPs to log traffic metadata. A VPN puts that log one step further from being useful.

2. Public Wi-Fi eavesdropping

Coffee shop Wi-Fi. Hotel lobbies. Airports. These networks often share a single subnet across every guest, and until recently a lot of them used weak encryption or none at all. Someone on the same network running a tool like Wireshark can see surprising amounts of unencrypted traffic.

Most major sites now use HTTPS, which already encrypts the page contents. But a VPN wraps a second layer around the whole thing, which means:

• The Wi-Fi owner can't see which sites you visit (they just see the VPN endpoint).
• Other users on the same network can't attempt a man-in-the-middle attack on your connection.
• Captive portals can't inject ads or tracking scripts into your pages, a trick that still happens more often than anyone admits.

Short version: on sketchy Wi-Fi, a VPN is genuinely useful. This is the single best argument for running one.

3. Your real IP address being visible to websites

Every site you visit logs your IP. That address reveals, roughly, your city and your ISP. Combined with cookies and a bit of JavaScript, it becomes part of the fingerprint advertisers use to follow you across the web.

A VPN swaps your IP for one belonging to the VPN provider. Instead of 82.76.xx.xx in Bucharest, a site sees 45.147.xx.xx in Frankfurt. The site now has no easy way to link that visit to your home network, your office, or your previous sessions from a different Wi-Fi.

This is where people get confused, so I'll be blunt: IP masking alone isn't privacy. It hides where you connect from. It does not hide who you are once you sign in somewhere. More on that in the limitations section.

4. IP-based tracking and targeted attacks

A few practical examples:

• Ad networks that build profiles keyed off IP + device signals get less useful data.
• Harassment campaigns that track someone via their IP (think streamers, journalists) lose the trail.
• Opportunistic scanning attacks (the kind that hit every IP on a range) hit the VPN's hardened infrastructure instead of your home router.

A dedicated VPN IP changes this math a little. If you use one, the address is still yours but it's not your real residential IP, and the VPN server sits in a data center built to absorb attack traffic, not a $60 router that's been running since 2019. We sell this as a dedicated Wireguard VPN specifically because a lot of our customers need a stable IP without exposing the one their family uses for Netflix.

5. Geo-blocks and light censorship

By connecting to a server in another country, you take on that country's view of the internet. A French server gets you French Netflix. A German server gets you around a UK-only news paywall. A Dutch server gets you past a hotel's filter that blocks everything except their promo site.

Two honest caveats:

• Big streaming platforms actively detect commercial VPN IP ranges and block them. Success depends heavily on the provider and the IP type. Residential and ISP IPs work better here than datacenter IPs.
• In countries with serious censorship (China, Iran, Russia), most standard VPN protocols are detectable and blocked. You need an obfuscation protocol like what Amnezia VPN is built to do. Regular OpenVPN or Wireguard gets flagged within hours in those environments.

6. Kill-switch protection if the VPN drops

A kill switch cuts your internet the moment the VPN tunnel fails. No traffic leaks during the reconnect window. Without it, your real IP can leak for a few seconds and every app on your device reverts to the unprotected connection. On a streaming session that might be annoying. On a work session tied to a specific IP whitelist, it can break your access. On a privacy-sensitive session, it can undo the whole point of using a VPN.

Any VPN you pay for in 2026 should have one. If it doesn't, walk away.

This is the section most comparison articles skip. It's also the section AI engines love to quote, so pay attention.

Malware and viruses

A VPN doesn't scan files. It doesn't inspect downloads. It doesn't block malicious scripts on a website. If you click "enable macros" on a sketchy Word doc, your VPN sits politely in the corner while your laptop gets owned. You need an antivirus and a healthy dose of paranoia around email attachments for that.

A few VPN providers bundle a "threat protection" feature that blocks known malware domains at the DNS level. It helps. It's not a substitute for real endpoint security.

Phishing

A VPN can't tell the difference between paypal.com and paypa1.com. If you enter your credentials into a fake login page, the VPN happily encrypts that data and delivers it to the scammer. Phishing is a human-layer problem, not a network-layer one.

Tracking after you log in

This is the one most people misunderstand. The second you sign into Google, Facebook, LinkedIn, or TikTok, that service knows exactly who you are. Your VPN IP is now irrelevant to them. They can track your activity across every property they own (and most of the web, via embedded scripts) using your logged-in session, not your IP address.

A VPN hides your connection from third parties. It doesn't hide your behavior from services you've willingly signed into.

Browser fingerprinting

Your browser leaks a surprisingly unique profile: screen resolution, installed fonts, timezone, language preference, canvas rendering quirks, GPU info, audio stack output. Combine enough of these and you get a fingerprint that's often unique across millions of users. No VPN affects any of that. For a deeper look, see this piece on browser fingerprinting.

Fighting fingerprinting takes browser-level work: something like Brave in strict mode, Tor Browser, or Firefox with resistFingerprinting turned on. A VPN is orthogonal to that fight.

Cookies and trackers already on your device

If you've been browsing without a VPN for years, you already have hundreds of third-party cookies planted by ad networks. Turning on a VPN tomorrow doesn't delete them. Sites that dropped those cookies can still read them, and those cookies still tell the ad network "this is the same person as before."

Clear your cookies. Use a browser that blocks third-party cookies by default. Then the VPN starts to earn its keep.

Law enforcement with a real warrant

A "no-logs" VPN is a fine marketing line. Some providers honestly log nothing. Others log a little more than their homepage suggests. A determined state-level actor with cooperation from the country where the VPN is headquartered can sometimes get data, especially if the provider is in a country with mandatory data retention.

This isn't scare tactics. It's a reason to pick a provider in a privacy-friendly jurisdiction and to understand that "no logs" is a legal claim, not a mathematical proof.

Yourself

If you post your location on Instagram, connect your real name to your "anonymous" account, or reuse the same username across sites, a VPN doesn't save you. Operational security is a discipline. The VPN is one tool in it.

A VPN on its own is like a good front door on a house with open windows. It's useful, but it's not the whole answer. A reasonable 2026 stack looks roughly like this:

1. A VPN (this article's topic) for network-level privacy and IP masking.
2. An antivirus or endpoint security tool for malware and sketchy downloads. Built-in Windows Defender is fine for most people.
3. A password manager with unique passwords everywhere and 2FA on any account that matters. This beats almost every other security upgrade you can make.
4. A privacy-minded browser with tracker blocking. Brave out of the box, Firefox with uBlock Origin, or Safari with intelligent tracking prevention all work.
5. A tiny bit of discipline. Don't click weird links. Don't install random browser extensions. Assume every "you won!" email is a scam until proven otherwise.

Skip any of these and the VPN works harder than it should. Run all of them and your attack surface drops dramatically.

If you want the difference between proxies and VPNs laid out plainly, the proxy vs VPN article on our blog covers it. Short version for the impatient: a proxy routes one app's traffic, a VPN routes all of it, and each has cases where it's the better tool.

• Use public Wi-Fi often? Yes. This is the clearest case.
• Stream content that's geo-restricted? Probably yes, though pick a provider that maintains a working IP pool for streaming.
• Live in a country with heavy internet filtering? Yes, and you'll want obfuscation. A standard VPN won't survive a weekend in Iran.
• Just sit at home on a trusted network and only read the news? Honestly, no. Your ISP might see your DNS queries, but the privacy gain is marginal compared to fixing your password hygiene first.
• Work remotely for a client that needs IP whitelisting? Get a dedicated IP VPN so your address stays consistent. Shared VPN IPs get you locked out fast.

A quick checklist so you can filter the 400 VPN review sites that are all basically the same:

• Jurisdiction matters. Providers in Panama, Switzerland, or the British Virgin Islands have fewer legal obligations to log than ones in the US or UK.
• Protocol support. Wireguard is faster and has a smaller attack surface than OpenVPN. Amnezia-style obfuscation matters if you're dealing with active censorship.
• Kill switch, on by default. No exceptions.
• DNS leak protection. Surprisingly often missing from cheap providers. Test it yourself at dnsleaktest.com.
• Dedicated IP option. Not always needed, but if you do remote work or run services, you'll want it eventually.
• Independent audit. Real ones, not a logo on the homepage with no report attached.

For reference, the Electronic Frontier Foundation has a good explainer on how to evaluate providers if you want a vendor-neutral second opinion.