
VPN Basics and How to Choose One

A VPN (Virtual Private Network) creates an encrypted tunnel between your device and a VPN server before your internet traffic reaches the local network. On an untrusted network — public Wi-Fi in a café, hotel, or airport — this prevents local observers, including rogue access points, from reading your traffic. What a VPN does not do: it does not stop malware or phishing, it does not make you anonymous, and it does not replace HTTPS. Understanding what a VPN actually protects is as important as knowing when to use one. If you have access to mobile data, using it instead of public Wi-Fi is often the simpler and more robust choice.

This guide covers how a VPN works at a practical level, how it relates to HTTPS, what to look for in a provider, when to use mobile data instead, and what the common misconceptions are. It does not recommend specific VPN products by name, because provider quality and policies change over time; the criteria here let you evaluate any provider on their current merits.


How a VPN Works: The Encrypted Tunnel

When you connect to the internet without a VPN, your traffic flows from your device to the local network (your home router, or a public Wi-Fi access point), then to your internet service provider or mobile carrier, and then to the destination server. Each of these intermediary points can observe your traffic unless it is encrypted at the application layer.

A VPN inserts an additional step. Before sending any application traffic, your device establishes an encrypted connection — the tunnel — to a VPN server operated by your VPN provider. All subsequent traffic is wrapped inside this tunnel. From the perspective of:

  • The local network (including any rogue access point or attacker on the same Wi-Fi): all outbound traffic from your device appears as encrypted VPN data. The attacker cannot read its contents.
  • Your ISP or mobile carrier: they see encrypted traffic to the VPN server’s IP address, not the destinations you are visiting.
  • The VPN server: it can see your traffic in plaintext (for HTTP) or the domain and metadata (for HTTPS), because it decrypts the tunnel to forward requests to the internet on your behalf.
  • Destination websites and services: they see the VPN server’s IP address, not your device’s IP address.

The key implication: the VPN provider replaces your ISP and local network as the party with visibility into your traffic. This is why the trustworthiness of the VPN provider matters as much as the technology.

One additional detail matters in practice. A VPN protects traffic that passes through the tunnel. If a VPN app is configured in split-tunnel mode — where only some traffic routes through the VPN and the rest goes directly — then the directly-routed traffic is not protected. Most VPN apps default to routing all traffic through the tunnel (full-tunnel mode), but this is worth confirming in the app’s settings, particularly on mobile where battery or performance considerations can influence the default.


What a VPN Protects — and What It Does Not

Understanding the exact scope of VPN protection prevents the most common mistakes in using one.

What a VPN does protect:

  • Traffic from passive eavesdropping on a shared local network (the primary use case for public Wi-Fi)
  • Traffic from rogue or evil-twin access points (since the tunnel is established before application traffic is sent)
  • DNS queries, which are routed through the VPN tunnel rather than to a DNS server visible to the local network
  • Your IP address from destination services (they see the VPN server’s IP)

What a VPN does not protect:

  • Malware already on your device. A VPN is a network-layer control. If malware is running on your device, it can exfiltrate data through the VPN tunnel along with your legitimate traffic — the VPN encrypts both.
  • Phishing attacks. If you navigate to a fake login page and enter your credentials, the VPN transmits those credentials to the phishing server faithfully. The VPN has no way to distinguish a legitimate site from a spoofed one.
  • Your identity on services where you are logged in. Logging in to an account tells the service who you are, regardless of which IP address the request came from.
  • Content you submit. A VPN encrypts traffic in transit, but the destination server receives your data in plaintext once the tunnel terminates at the VPN server.
  • Traffic if the VPN is not connected. This sounds obvious but matters: if the VPN connection drops momentarily and no kill switch is active, your device may send traffic directly.
  • Account takeover via credential reuse. If an attacker obtains your password from a data breach elsewhere and reuses it on another service, the attacker authenticates as you — the VPN is uninvolved in this attack path.

A VPN and HTTPS: How They Relate

Most internet traffic today uses HTTPS (TLS), which encrypts the content of communications between your browser and the destination server. HTTPS is independent of a VPN and applies end-to-end: even the VPN provider cannot read the content of your HTTPS-protected communications.

This raises a reasonable question: if HTTPS already encrypts your traffic, what does a VPN add?

The answer depends on the threat. HTTPS protects the content of a connection that has been correctly established with the legitimate server. It does not protect against:

  • An evil-twin access point that intercepts your traffic before your device can establish a TLS connection with the legitimate server
  • A local attacker who can observe which domains you are visiting (visible in DNS queries and TLS Server Name Indication before ECH is universally deployed)
  • An attacker who presents a fraudulent certificate, if you click through the resulting certificate warning

A VPN addresses these gaps differently. By establishing the encrypted tunnel before any application traffic is sent, a VPN ensures that the local network sees only tunnel traffic — the evil-twin attack has nothing to observe before the TLS connection reaches the legitimate server.

In practice: HTTPS-only mode in your browser is a necessary baseline. A VPN is an additional layer that specifically addresses the local-network threat. For public Wi-Fi, both together provide the strongest practical protection. For ordinary browsing on your home network or mobile data, HTTPS alone is generally sufficient for most threat models.

One nuance worth noting: Encrypted Client Hello (ECH), a TLS extension designed to encrypt the SNI field and prevent domain leakage to local observers, is an emerging standard that partially addresses one of the gaps that VPNs fill. ECH is not yet universally deployed by servers or supported across all networks, so it does not replace a VPN’s local-network protections in practice as of publication.

If you want to understand the related risk of mobile identity — particularly where SMS-based authentication intersects with network security — see SMS 2FA Security Risks for how SS7-based interception differs from local Wi-Fi threats.


Choosing a VPN Provider: Key Criteria

No-logs policy, independently audited

A no-logs policy is a provider’s commitment not to store records of your traffic, IP addresses, or connection timestamps. The strength of this claim depends on whether it has been verified. Several established VPN providers have commissioned independent audits of their logging architecture from security firms (such as Cure53, Deloitte, or KPMG). Published audit reports are a meaningful signal, but audits evaluate a snapshot in time and cannot guarantee future behaviour or policy changes following an acquisition or ownership change.

Look for providers that publish their audit reports, specify which firm conducted the audit, and include the date. Avoid providers who describe themselves as “no-logs” without any independent verification.

Jurisdiction

The country where a VPN provider is incorporated determines which legal frameworks can compel data disclosure. Providers in countries with strong data protection laws and no mandatory data retention requirements have fewer legal obligations to hand over records. This matters most in high-sensitivity use cases; for the typical public-Wi-Fi use case, jurisdiction is a secondary concern relative to the no-logs policy itself.

Protocol

The VPN protocol determines the cryptographic mechanisms and handshake used to establish and maintain the tunnel. Current options and their practical implications:

  • WireGuard: A modern protocol with a small, auditable codebase (less than 4,000 lines of code for the Linux kernel implementation, compared to tens of thousands for OpenVPN including its cryptographic library dependencies). Delivers high throughput and low latency. Widely adopted by commercial VPN providers as a default option.
  • OpenVPN: A mature, open-source protocol with a long audit history. More complex than WireGuard but highly configurable. A safe choice, particularly for users who need a proven, well-understood implementation.
  • IKEv2/IPsec: Well-suited to mobile devices because it re-establishes connections quickly after a network change (e.g., switching from Wi-Fi to cellular). Supported natively by iOS and Android for manual VPN configuration.
  • Avoid PPTP: PPTP uses cryptographic mechanisms that are considered broken by current standards. No new deployment should use PPTP.

Most commercial VPN apps select the protocol automatically and default to WireGuard where available. Manual protocol selection is rarely necessary.

Kill switch

A kill switch blocks all internet traffic if the VPN connection drops, preventing your device from falling back to an unprotected direct connection. On public Wi-Fi, a momentary VPN disconnect without a kill switch can expose traffic during the reconnection window. A kill switch is an important feature for security-focused VPN use. Confirm that the VPN app you choose includes a kill switch, and check whether it is enabled by default or must be switched on explicitly.

Speed and infrastructure

VPN performance depends on server locations, server load, and the protocol used. A VPN adds latency because traffic is routed through an additional server. Providers with large server networks in many countries generally offer better performance by allowing connection to a server geographically close to you. Speed is a practical concern for video calls and streaming, but not a security consideration.

Multi-hop and additional features

Some VPN providers offer multi-hop configurations (also called double VPN), where traffic routes through two VPN servers before reaching the destination. This increases the cost for an adversary trying to correlate your traffic across both endpoints, but also increases latency. For most public-Wi-Fi use cases, a single-hop VPN is sufficient. Multi-hop is relevant for users with specific, elevated privacy requirements.

A related feature is DNS leak protection: when active, it ensures that DNS queries are resolved exclusively through the VPN tunnel, and that they are never sent to your ISP’s or the local network’s DNS server, even while the VPN connection is interrupted. Confirm that any VPN app you evaluate includes and enables DNS leak protection.
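The split-tunnel caveat from the section on how the tunnel works, the kill switch, and DNS leak protection all come down to a few lines of client configuration. The following WireGuard client configuration is an added example, not from this page or any particular provider; the keys, addresses, endpoint and resolver address are placeholders, and the PostUp/PreDown kill-switch rules follow the iptables pattern documented in the wg-quick(8) manual (Linux only).

```ini
# Full-tunnel WireGuard client (constructed example; replace the placeholders)
[Interface]
PrivateKey = <client-private-key>
Address = 10.64.0.2/32            # address assigned inside the tunnel (placeholder)
# DNS leak protection: resolve names only via the provider's in-tunnel resolver.
# wg-quick installs this as the system resolver while the tunnel is up.
DNS = 10.64.0.1                   # in-tunnel resolver (placeholder)
# Kill switch: reject any outbound packet that is not going out via the tunnel
# interface (%i) and not carrying the tunnel's fwmark, except local-destination
# traffic. If the tunnel drops, nothing falls back to the bare local network.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820  # placeholder provider endpoint
# Full tunnel: route ALL IPv4 and IPv6 traffic through the tunnel.
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

# Split-tunnel variant of the [Peer] section, for contrast. Only traffic to
# 10.64.0.0/16 enters the tunnel; everything else (web browsing, DNS to any
# other resolver, mail) goes straight out over the local Wi-Fi, unprotected.
# [Peer]
# PublicKey = <server-public-key>
# Endpoint = vpn.example.net:51820
# AllowedIPs = 10.64.0.0/16
```

The point to check in any client, whether it exposes the raw configuration or not, is the same: the routes covered by the tunnel should be everything, the resolver should live inside the tunnel, and the firewall should refuse traffic that is not going through it.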


The Risk with Free VPNs

Providing VPN infrastructure — servers, bandwidth, support, security audits — has real ongoing costs. Free VPN services must cover those costs through some mechanism.

Documented issues with some free VPN services include:

  • Logging and selling user traffic data to third parties
  • Injecting advertising into web pages served through the VPN
  • Sharing bandwidth with other users, effectively turning devices into exit nodes
  • Bundling malware or adware in the application

None of these apply to all free VPN services, but the business model creates structural incentives that conflict with the stated purpose of protecting user traffic. For a service whose value is precisely that it handles your network traffic, the question of how the provider sustains itself financially is directly relevant.

Paid VPN subscriptions with a clear business model and published independent audits provide stronger guarantees. Some providers in this category offer free tiers with data or speed limits that are sufficient for limited use on public Wi-Fi.

One category worth distinguishing: VPN features built into browsers (such as Opera’s integrated VPN or Brave’s optional VPN product) only encrypt traffic from that specific browser. Other apps on your device — system processes, other browsers, mail clients — are not routed through the tunnel. For general device protection on public Wi-Fi, a system-level VPN app that routes all traffic is more appropriate than a browser-level VPN.


Setting Up and Using a VPN Effectively

On iPhone and iPad

Most VPN providers offer an app available through the App Store. Within the app, enable the kill switch option if one is available. You can also configure VPN connections manually at Settings → General → VPN & Device Management → VPN for IKEv2 connections.

Always-on VPN enforcement across all apps (where the device blocks all traffic if the VPN is not connected) requires a Mobile Device Management (MDM) profile on iOS, which is typically only applicable in enterprise environments. For everyone else, VPN apps implement a software-level kill switch via the Network Extension framework, which provides practical protection for most users.

On Android

Go to Settings → Network & Internet → VPN → tap the gear icon on your configured VPN → enable Always-on VPN and Block connections without VPN. This is a system-level kill switch, separate from any toggle within a VPN app.

When to connect

Connect the VPN before doing anything else on an untrusted network, including before the captive portal login on hotel or airport Wi-Fi. Note that some captive portals require unencrypted HTTP traffic to display their login page; your device or VPN app may need to temporarily allow this. After completing captive portal authentication, reconnect the VPN before any other activity.

On an ongoing basis

If you use public Wi-Fi regularly — in your daily commute, at a co-working space, or while travelling — enabling always-on VPN or kill switch at the system level removes the need to remember to connect manually. The cost is a small increase in battery consumption and a slightly higher chance of connection issues in environments with unusual network configurations (some corporate networks, for example, block common VPN ports). For most users, the security benefit on untrusted networks outweighs the occasional connectivity friction.

For more context on captive portals and the sequencing of VPN connection on public Wi-Fi, see How to Use Public Wi-Fi Safely.


Mobile Data as an Alternative to Public Wi-Fi

The scenarios where a VPN matters most — public Wi-Fi with a rogue access point, an evil-twin network, passive eavesdropping by other network users — do not apply to mobile data. When your device uses a cellular data connection, traffic travels over the radio link between your device and the carrier’s cell tower, encrypted at the cellular layer. An attacker in the same coffee shop cannot passively observe your cellular traffic; that would require access to the carrier’s network infrastructure.

This has a practical implication: for sensitive activities — online banking, accessing work systems, logging in to accounts that control financial or identity assets — switching to mobile data entirely is a simpler and often more reliable protection than running a VPN on public Wi-Fi.

If you frequently travel internationally and use your home SIM’s data abroad, the cost of switching to cellular for sensitive tasks depends on your roaming plan. See Roaming Settings for how to configure data roaming, and see Lost or Stolen Device for what to do if the device carrying your SIM is compromised.

For travellers who use a separate local eSIM for data abroad, having a local data connection on the destination network reduces reliance on public Wi-Fi throughout the trip — removing the context in which VPN is most needed. This is a practical benefit of the local eSIM approach that is worth factoring into your connectivity planning before departure. Using SimFinder to compare local SIM or eSIM options for your destination can identify whether a local data plan is cost-effective compared to relying on public Wi-Fi.


Common Misconceptions About VPNs

“A VPN makes me anonymous.” A VPN replaces your ISP and local network with the VPN provider as the party that can observe your traffic. Services you log in to still know who you are. Your device’s fingerprint, browser fingerprint, and authentication cookies are unaffected by a VPN.

“A VPN protects me from hackers.” The phrase is vague. A VPN protects against specific threats: traffic interception on a shared local network, and exposure of your IP address. It does not protect against phishing, credential theft, software vulnerabilities, or malware. Account security — strong passwords, hardware security keys or authenticator apps rather than SMS for two-factor authentication — addresses the risks that a VPN cannot. See SIM Swap Fraud: What It Is and How to Protect Yourself for an example of an attack that bypasses VPN entirely by targeting your phone number.

“HTTPS makes a VPN unnecessary on public Wi-Fi.” HTTPS protects the content of connections that are correctly established with legitimate servers. It does not prevent interception at the local network layer before the TLS connection is established, which is where evil-twin and MITM attacks operate. A VPN specifically addresses this gap.

“A VPN encrypts everything on my device.” A VPN encrypts traffic sent through the VPN tunnel. Some apps or operating system components may use network interfaces that bypass the VPN tunnel; VPN app documentation typically clarifies whether all traffic is routed through the tunnel or only selected traffic.

“Any VPN is better than no VPN.” Not necessarily. A free VPN run by an unknown provider with no audit history and a data-monetisation business model may introduce risks that are worse than operating without a VPN on a specific network.


Summary: What to Look For and When to Use It

A VPN is a targeted tool that addresses a specific threat: traffic interception on untrusted networks. It is most useful when you are on a network you do not control — particularly public Wi-Fi. Key criteria when choosing:

  1. No-logs policy with published independent audit — the single most important selection factor
  2. WireGuard or OpenVPN protocol — current, well-audited cryptographic implementations
  3. Kill switch enabled — prevents traffic leakage on VPN disconnect
  4. DNS leak protection — ensures DNS queries stay within the tunnel
  5. Clear business model — avoid free services with no disclosed revenue source

What a VPN does not replace:

  • Strong, unique passwords and a password manager
  • Hardware security keys or authenticator apps (rather than SMS) for two-factor authentication
  • Keeping your operating system and apps up to date
  • Caution about which links you click and which files you open

VPN use is one layer in a broader set of security practices. Its specific contribution is protecting traffic in transit on networks you do not control. The other layers protect your accounts and device regardless of what network you are on.

When you are on mobile data, the local-network threat that VPNs address is absent. For sensitive tasks on any connection, switching to mobile data is the lowest-friction protection — no VPN required, no configuration risk. Where a local SIM option exists at your destination, using it reduces your dependence on public Wi-Fi and the scenarios in which a VPN is critical.