What a VPN Actually Protects You From (A Developer's Threat Model)
Every "VPN explained" post reads like a sponsored ad. Let's do this properly — at the protocol level, with the actual threats mapped to the actual mitigations.
TL;DR
A VPN mitigates Layer 3/4 threats: passive ISP observation, Wi-Fi sniffing, IP-based geolocation, and some MITM scenarios on unencrypted endpoints. It does nothing against application-layer threats: malware, phishing, logged-in session tracking, browser fingerprinting, or DNS-over-HTTPS leaks if you misconfigure it.
If you're thinking about a VPN as a security tool, map it against your actual threat model before you bother.
What a VPN actually does (at the packet level)
Your client encapsulates IP packets inside an encrypted tunnel (WireGuard uses ChaCha20-Poly1305, OpenVPN uses AES-GCM via TLS). The packets exit at the VPN server, which NATs them to the internet using its own public IP. The return path reverses it.
That's the whole mechanism. Two side effects:
- Your ISP sees one flow: you -> vpn_endpoint:51820 UDP (encrypted)
- Destination servers see vpn_endpoint_ip as the source
Everything marketers claim about VPNs is downstream of those two facts.
Threat model: what a VPN mitigates
1. Passive ISP observation
Without a VPN, your ISP sees every DNS query and every TLS SNI. Yes, ESNI/ECH is rolling out, but coverage is still patchy — check yourself:
```bash
# See what your ISP can observe: DNS query names and the plaintext SNI in each TLS ClientHello.
# (tcpdump -A won't match "server_name": the extension carries only the hostname, not its label.)
sudo tshark -i eth0 -l -f 'port 53 or port 443' -Y 'dns.flags.response == 0 or tls.handshake.type == 1' \
  -T fields -e dns.qry.name -e tls.handshake.extensions_server_name
```
With a VPN up, that same capture shows one encrypted flow to your VPN endpoint. Nothing else.
In the US, ISPs have been legally allowed to sell browsing metadata since the 2017 repeal of the FCC broadband privacy rules. Several EU states still mandate metadata retention under national law despite the CJEU striking down blanket retention in Digital Rights Ireland.
2. Hostile LANs
Coffee shop, hotel, conference Wi-Fi. HTTPS covers content but not the SNI, not DNS (unless you're on DoH/DoT), and not the fact that someone on the same subnet can ARP-spoof your gateway.
Quick paranoia test on a shared network:
```bash
# Are you on the same subnet as random strangers?
ip -4 addr show
arp -a | wc -l   # or: ip -4 neigh show | wc -l, on systems without net-tools
```
If that number is more than 2-3, you're on a shared LAN with untrusted peers. VPN on.
3. IP-based attribution
Every request logs your source IP. Combined with the TLS fingerprint (JA3/JA4) and browser fingerprint, it becomes a durable identifier. Swapping the IP breaks the geolocation component and forces adversaries to rely on the weaker signals alone.
4. ISP-level traffic shaping
Some ISPs still throttle based on DPI-identified traffic classes. Tunneled traffic is opaque to the classifier, so it gets the default QoS treatment. Not a privacy win, but a real performance win for some users.
Threat model: what a VPN does NOT mitigate
| Threat Vector | VPN helps? | What actually helps |
|---|---|---|
| Malware in downloaded binaries | No | Code signing verification, EDR, sandboxing |
| Phishing / credential theft | No | WebAuthn/passkeys, 2FA, password manager |
| Cross-site tracking post-login | No | Cookie isolation, container tabs, separate profiles |
| Browser fingerprinting (Canvas, WebGL, fonts) | Marginal | Firefox privacy.resistFingerprinting, Brave, Tor |
| TLS fingerprinting (JA3/JA4) | No | uTLS, custom client bindings |
| DNS leaks | Only if configured | Force DNS through tunnel, disable IPv6 or route it too |
| WebRTC IP leaks | Only if configured | Block WebRTC at browser level |
| Timing correlation attacks | No | Tor with entry guards |
| Application-level telemetry | No | Firewall rules, strict egress policies |
The leaks you need to test
A VPN that leaks your real IP is worse than no VPN — false sense of security. Check every time you change configs:
```bash
# Real IP check: the address here should be the VPN's egress, not your ISP-assigned one
curl -s https://ipinfo.io
# Egress IP as seen by Cloudflare's resolver (this asks 1.1.1.1 directly, so it is a
# second opinion on the real-IP check, not a test of which resolver your system uses)
dig +short txt ch whoami.cloudflare @1.1.1.1
# DNS leak check: the "ns" string is the resolver that reached Akamai and should be your
# VPN provider's resolver, not your ISP's (this one goes through the system resolver)
nslookup -type=txt whoami.ds.akahelp.net
# IPv6 leak (common on WireGuard if you forget ::/0): any address that is not the VPN's
# v6 egress means v6 is bypassing the tunnel
curl -s -6 https://ipv6.icanhazip.com || echo "No v6 leak"
# WebRTC: browser-only, use https://browserleaks.com/webrtc
```
If any of those don't match your VPN endpoint, your config is broken.
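An added helper (mine, not from the post) that grades the raw output of those commands against the addresses your provider should be showing. The expected networks and the sample outputs are constructed, and the "ns"/"ip" TXT layout for whoami.ds.akahelp.net is assumed from the service's usual answer.

```python
"""Turn the leak-check output above into pass/fail instead of eyeballing it.
Added example, not from the post: paste in the raw strings the commands print."""
import ipaddress
import json
import re

def parse_akahelp(txt_output: str) -> dict:
    """Parse `dig +short txt whoami.ds.akahelp.net` output. The record layout assumed
    here is pairs of quoted strings such as "ns" "203.0.113.53" (the resolver Akamai saw)."""
    return {k: v for k, v in re.findall(r'"(\w+)"\s+"([^"]+)"', txt_output)}

def _inside(addr: str, nets) -> bool:
    a = ipaddress.ip_address(addr)                  # raises ValueError on non-address output
    return any(a in ipaddress.ip_network(n) for n in nets)

def check_leaks(ipinfo_json: str, akahelp_txt: str, v6_output: str,
                vpn_egress_nets, vpn_resolver_nets) -> dict:
    """Return {check: "ok" | "LEAK: ..."}.
    vpn_egress_nets: networks your provider NATs you out of (v4 and v6);
    vpn_resolver_nets: networks the provider's resolvers live in."""
    findings = {}
    ip4 = json.loads(ipinfo_json)["ip"]             # `curl -s https://ipinfo.io` answers in JSON
    findings["egress_ipv4"] = ("ok" if _inside(ip4, vpn_egress_nets)
                               else f"LEAK: egress {ip4} is not a VPN address")
    ns = parse_akahelp(akahelp_txt).get("ns")
    if ns is None:
        findings["dns_resolver"] = 'UNKNOWN: no "ns" string in the answer, rerun the lookup'
    else:
        findings["dns_resolver"] = ("ok" if _inside(ns, vpn_resolver_nets)
                                    else f"LEAK: queries resolved by {ns}, not the VPN resolver")
    v6 = v6_output.strip()
    if not v6 or v6 == "No v6 leak" or _inside(v6, vpn_egress_nets):
        findings["ipv6"] = "ok"                     # no v6 at all, or v6 going through the tunnel
    else:
        findings["ipv6"] = f"LEAK: IPv6 egress {v6} bypasses the tunnel"
    return findings

# Constructed sample output: IPv4 egress is the VPN's, but DNS still goes to an ISP resolver.
SAMPLE_IPINFO = '{"ip": "198.51.100.7", "city": "Amsterdam", "org": "AS64496 ExampleVPN"}'
SAMPLE_AKAHELP = '"ns" "203.0.113.53"\n"ip" "198.51.100.7"\n'
SAMPLE_V6 = "No v6 leak\n"
VPN_EGRESS = ["198.51.100.0/24", "2001:db8:1::/48"]      # constructed provider ranges
VPN_RESOLVERS = ["198.51.100.0/24", "2001:db8:1::/48"]

if __name__ == "__main__":
    for check, result in check_leaks(SAMPLE_IPINFO, SAMPLE_AKAHELP, SAMPLE_V6, VPN_EGRESS, VPN_RESOLVERS).items():
        print(f"{check:13} {result}")
```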
WireGuard kill switch, the lazy way
If the tunnel drops, default route falls back to the physical interface — traffic goes out in the clear and you don't notice. Here's a minimal kill switch using the PostUp/PreDown hooks:
```ini
[Interface]
PrivateKey = <your_key>
Address = 10.0.0.2/24
DNS = 1.1.1.1
# wg-quick sets a fwmark when AllowedIPs covers the default route; anything leaving on a
# non-wg interface without that mark (and not bound for a local address) is rejected.
# The ip6tables twin matters because AllowedIPs includes ::/0: without it, v6 walks around the switch.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
PublicKey = <peer_key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
```
Now if the tunnel goes down, packets that would otherwise fall back to the physical interface are rejected instead of leaking to your ISP. The rules are only removed by PreDown, so after an unclean exit you have to delete them by hand before anything gets out again.
Protocols worth knowing
| Protocol | Crypto | Speed | Detectable? | Notes |
|---|---|---|---|---|
| WireGuard | ChaCha20-Poly1305, Curve25519 | Fastest | Yes (trivially) | Modern default. Tiny codebase (~4k LOC). |
| OpenVPN (UDP) | AES-GCM over TLS | Slower | Yes | Mature, configurable, heavier. |
| IKEv2/IPsec | AES, varies | Fast | Yes | Native on iOS/macOS/Windows. Survives network changes well. |
| Shadowsocks | ChaCha20/AES | Fast | Hard | Designed for censorship circumvention, not privacy. |
| AmneziaWG | WG + obfuscation | Fast | Hard | WireGuard with traffic shaping to defeat DPI. |
If your threat model is "casual privacy on untrusted Wi-Fi," WireGuard is the right answer. If it's "my network actively blocks VPN protocols," you need obfuscation.
FAQ
Does a VPN make you anonymous?
No. It breaks the IP-to-identity link at the network layer. It doesn't touch application-layer identity — cookies, logged-in sessions, fingerprints. Real anonymity is a Tor problem, not a VPN problem. torproject.org is the reference.
Self-hosted VPN on a VPS — good idea?
For privacy from your ISP, sure. For privacy in general, no — you now have a single static IP tied to your payment method on the VPS provider. You've just moved the trust boundary from the ISP to Hetzner or DigitalOcean.
Is the VPN the weak link or the browser?
The browser. Fingerprinting and logged-in session tracking bypass the VPN entirely. Fix the browser first.
Does HTTPS make VPNs redundant?
No. HTTPS protects content but leaks SNI, destination IP, and timing. A VPN covers those. They solve different problems.
WireGuard vs OpenVPN — which should I run?
WireGuard unless you have a specific reason not to. Smaller attack surface, faster, modern crypto. OpenVPN wins on configurability and firewall traversal (TCP/443).
Bottom line
A VPN is a Layer 3 privacy tool with a narrow, real, measurable scope. Map it against your actual threat model, don't buy the "military-grade encryption protects you from hackers" pitch, and always test for leaks after config changes.
Full long-form version on the original site with extra context: https://anonymous-proxies.net/posts/what-does-a-vpn-protect-you-from/
What's your VPN setup? WireGuard? Tailscale? Self-hosted? Drop your config quirks in the comments — especially the kill-switch patterns, I'm collecting.