What is a VPN?

Chapter 1 — What is a VPN and Why?

A Virtual Private Network creates an encrypted tunnel between your device and a server somewhere else on the internet. All your network traffic travels through that tunnel — your ISP sees only that you're connected to a VPN server, and the websites you visit see the VPN server's IP address, not yours.

That's the core promise. But VPNs are surrounded by more marketing noise than almost any other technology, so this chapter focuses on something more important than the setup instructions: understanding precisely what a VPN actually does and doesn't protect, and what problem you're solving before you reach for one.

How It Works — The Tunnel

without VPN                                                
your device ──── plain request ────► ISP ──► internet ──► website
with VPN                                                    
your device ══ encrypted tunnel ══► VPN server ──► internet ──► website
                       ISP sees: connected to VPN      website sees: VPN server IP

The encrypted tunnel is established using a VPN protocol — WireGuard, OpenVPN, or IKEv2/IPsec being the most common today. Each protocol handles key exchange, encryption, and packet encapsulation differently. Chapter 2 covers the protocol comparison in detail. For now, the important thing is what the tunnel achieves:

  • Your ISP can no longer see which sites you visit or what you send — only that you have a VPN connection open.
  • Anyone on your local network (a café Wi-Fi operator, a hotel network) cannot inspect your traffic.
  • Websites and services see the VPN server's IP address and country, not yours.

Legitimate Use Cases

Public Wi-Fi protection
Coffee shops, hotels, airports — any shared network. Encrypts your traffic so the network operator (or anyone running a packet sniffer on the same network) can't read it. The single most practical use case.
🏠
Accessing your home network remotely
A self-hosted WireGuard or OpenVPN server at home lets you access your NAS, home server, printers, and local devices as if you were on the LAN — from anywhere. This is the most compelling use case for self-hosting a VPN.
🏢
Corporate remote access
Companies use VPNs to let remote employees access internal systems — intranet, internal APIs, file servers — that aren't exposed to the internet. The reason "VPN" often means "work VPN" to most people.
🌍
Bypassing geographic restrictions
Streaming services, news sites, and some government services restrict content by IP location. Connecting through a VPN server in another country appears to come from that country. Works until the service blocks the VPN's IP range.
🔒
ISP traffic shaping avoidance
Some ISPs throttle specific traffic (streaming, torrents). Since the ISP can't see what's inside the VPN tunnel, traffic shaping based on content type no longer works.
🛡
Hiding activity from your ISP
In countries where ISPs are required to log browsing history, a VPN moves trust from the ISP to the VPN provider. Only worthwhile if the VPN provider is more trustworthy than the ISP — and subject to their jurisdiction.

What a VPN Does and Doesn't Protect

A VPN protects against...
  • Your ISP logging the sites you visit
  • Packet sniffing on shared/public Wi-Fi
  • Websites seeing your real IP address
  • IP-based geographic blocking
  • Basic traffic analysis by a local network operator
  • ISP selling your browsing data (where legal)
A VPN does NOT protect against...
  • Tracking cookies and browser fingerprinting
  • Malware already on your device
  • Phishing — clicking a bad link still works
  • Google/Facebook tracking you when logged in
  • A VPN provider who logs your traffic
  • DNS leaks if misconfigured
  • WebRTC IP leaks in browsers
  • Account takeover or data breaches at services you use
The trust shift, not the trust removal: A VPN doesn't make you anonymous — it moves trust from your ISP to your VPN provider. Your VPN provider can see everything your ISP previously could. The relevant question is: who do you trust more? For a commercial VPN, that means reading the provider's logging policy carefully and understanding which country's laws they operate under.

Common VPN Myths

Myth: "A VPN makes me anonymous online."
False. You're authenticated with the VPN provider, and if you're logged into any account (Google, Facebook, your email), the service knows exactly who you are regardless of which IP you connect from. A VPN hides your IP from the sites you visit; it does not hide your identity.
Myth: "A VPN protects me from hackers."
Mostly false. A VPN encrypts traffic between your device and the VPN server — it doesn't protect against malware, unpatched software, weak passwords, or phishing. Most "hacking" happens at the application layer, which the VPN doesn't touch.
Myth: "I need a VPN to be safe on public Wi-Fi."
Largely outdated. In 2026, almost all websites use HTTPS, which already encrypts traffic end-to-end. A packet sniffer on café Wi-Fi sees encrypted HTTPS data, not your passwords. A VPN adds a second layer, but the threat it solves here is much smaller than it was in 2010.
Myth: "A free VPN is fine."
Almost never. Free VPN services need to monetise somehow — commonly by logging and selling your traffic data, which is exactly what you're trying to avoid. Some have been caught injecting ads, harvesting credentials, or running malware through the tunnel.

Matching a VPN to Your Threat Model

The right question isn't "should I use a VPN?" but "what am I protecting against, and is a VPN the right tool for it?" These scenarios show where a VPN helps and where it doesn't:

Using hotel Wi-Fi for work
Risk: network operator or another guest sniffing traffic.
VPN helps — encrypts the local hop
Hiding browsing from your ISP
Risk: ISP logging habits and selling data or complying with government requests.
VPN helps — but VPN provider now holds the same data
Accessing home server remotely
Need: reach internal devices without exposing ports.
Self-hosted VPN is ideal
Avoiding targeted advertising
Risk: ad networks tracking you across sites.
VPN doesn't help — cookies and fingerprinting work regardless
Watching geo-blocked content
Need: appear to be in a different country.
Works until the service blocks VPN IP ranges
Staying safe from malware
Risk: clicking bad links, drive-by downloads.
VPN doesn't help — use updated AV and a browser with safe-browsing

Self-Hosted vs Commercial VPN

The remaining chapters in this course focus on self-hosted VPNs — running your own WireGuard or OpenVPN server. This is different from a commercial VPN service like ProtonVPN or Mullvad:

  • Self-hosted — you run the server. Traffic exits from your home IP or a VPS you control. No third-party provider to trust. Ideal for accessing your own network remotely. Does not hide your IP from websites (they see your home IP).
  • Commercial VPN — a company runs thousands of servers. Traffic exits from a shared IP pool in whichever country you choose. Useful for geo-unblocking and hiding your IP. You must trust the provider's no-logs claims.
This course covers both. Chapters 3–6 cover setting up WireGuard and OpenVPN servers yourself. Chapter 7 covers using commercial VPN clients (ProtonVPN and Mullvad) on Linux, including CLI usage and DNS leak testing. Chapter 8 brings it together with troubleshooting and security hardening.
Next — Chapter 2: VPN Protocols Compared. WireGuard, OpenVPN, IKEv2/IPsec, and L2TP are not interchangeable — each makes different trade-offs between speed, security, and compatibility. Chapter 2 explains how each works and when to choose which.