What Is a VPN and How Does It Work? (2026 Guide)
A VPN, or virtual private network, encrypts your internet traffic and routes it through a server in a location you choose. Your ISP, network operator, and the websites you visit see that server's IP address, not yours.
That single mechanism covers every VPN use case: keeping your browsing history from your internet provider, securing a connection on public Wi-Fi, accessing a company network remotely, and reducing location-based tracking.
This guide covers how VPNs work at the protocol level, what they actually hide from your ISP and from the sites you visit, and the criteria that separate a provider worth trusting from one relying on marketing copy.
The provider comparisons include NordVPN, ExpressVPN, ProtonVPN, Mullvad, and Internxt VPN, a privacy-first option that combines VPN with encrypted cloud storage.
What Is a VPN?
The name breaks down into three words that each describe something specific. "Virtual" means the private network is software-defined, not a physical dedicated line. "Private" refers to encryption: the contents of your traffic are unreadable to anyone without the decryption key. "Network" refers to the fact that you are connecting through a managed infrastructure of servers, not directly with the websites you visit.
VPNs were originally built for businesses. Employees working remotely needed a way to access internal company systems over the public internet without exposing those systems to anyone on the network between them. That use case still accounts for a large share of VPN usage today. The consumer version works on the same technical principles, with the VPN provider's server acting as the secure exit point instead of a corporate network gateway.
How Does a VPN Work?
A VPN works by creating an encrypted tunnel between your device and a server the VPN provider operates. Your traffic travels through that tunnel, exits from the server, and reaches the internet from there. The steps below explain what that process looks like at the packet level and which protocol handles it.
The encryption tunnel: what actually happens to your traffic
When you connect to a VPN, your device and the VPN server perform a handshake to establish a shared encryption key. From that point, every packet of data leaving your device is encrypted before it leaves, wrapped inside a new packet addressed to the VPN server, and sent across the public internet. When it arrives at the server, it is decrypted and forwarded to its actual destination. The response from that destination follows the same path in reverse.
This produces two practical changes. First, your traffic is unreadable in transit: anyone intercepting a packet between your device and the VPN server sees encrypted data, not content. Second, the destination server sees the VPN server's IP address as the origin of the request, not your device's address.
Reputable VPNs use AES-256 for symmetric encryption, the same standard used by financial institutions and government agencies for sensitive data. The key exchange that sets up the session uses either TLS or the Noise Protocol, depending on the protocol in use, so the shared key is never transmitted across the network in a readable form.
VPN protocols: WireGuard, OpenVPN, and IKEv2 compared
The protocol determines how the encrypted tunnel is established and maintained. Different protocols make different trade-offs between speed, security, and stability across network changes.
| Protocol | Speed | Security | Best for |
|---|---|---|---|
| WireGuard | Fastest | High | General use, mobile |
| OpenVPN | Medium | Very high | Privacy-sensitive use |
| IKEv2/IPsec | Fast | High | Mobile, reconnection stability |
| L2TP/IPsec | Slow | Medium | Legacy systems only |
| Proprietary (Lightway, NordLynx) | Very fast | High | Speed-optimised services |
WireGuard is the current standard for most consumer VPN use. Its codebase is roughly 4,000 lines compared to OpenVPN's 100,000+, which means less surface area for vulnerabilities and faster independent audits. It uses the Noise Protocol for key exchange and ChaCha20 for encryption, and it re-establishes connections faster than older protocols when switching between Wi-Fi and mobile data.
OpenVPN has been the privacy benchmark for over a decade. It is open-source, extensively audited, and supports both UDP and TCP transport. The trade-off is speed: it runs in user space rather than the kernel, which adds overhead and makes it noticeably slower than WireGuard on most connections. The choice between WireGuard and OpenVPN comes down to whether speed or maximum auditability is the priority for your use case.
IKEv2/IPsec is built into most mobile operating systems natively, which makes it fast to connect and reliable when switching networks. It reconnects automatically after a dropped connection. The limitation is that IKEv2 is not open-source in its most common implementations, which makes independent code audits harder.
Proprietary protocols like ExpressVPN's Lightway and NordVPN's NordLynx (built on WireGuard) are designed for speed and are backed by their respective independent audits, but their closed-source components cannot be publicly verified the same way WireGuard or OpenVPN can.
What Is a VPN Used For?
Five use cases account for most consumer VPN usage. Some involve genuine security benefits; others are more about convenience. Knowing which category your situation falls into helps you decide how much to spend and which provider fits.
Protecting traffic on public Wi-Fi
Public Wi-Fi networks in airports, hotels, and cafes are unsecured by default, meaning anyone on the same network can potentially intercept unencrypted traffic. A VPN encrypts everything leaving your device before it reaches the router, so even if someone intercepts a packet, they see only ciphertext.
This is the clearest security case for a VPN: the threat is well-documented, the protection is direct, and any reputable paid provider covers it. If you primarily use a browser on public networks, a VPN browser extension is a lightweight alternative to a full desktop app, though a full client offers broader coverage across all apps on the device.
Keeping your browsing history from your ISP
Without a VPN, your ISPcan see every domain you visit, how long you spend there, and when. In many countries they are legally permitted to store and sell that data to advertisers, or hand it to authorities without a warrant. A VPN routes your traffic through its own server first, so your ISP sees only that you connected to the VPN and nothing beyond it.
The trade-off is that your VPN provider now occupies the position your ISP previously held, which is exactly why no-logs audits exist and why the audit record of the provider you choose matters more than their marketing copy.
Remote work and accessing company networks
Corporate VPNs create a private tunnel from an employee's device into a company's internal network, making a remote connection behave as if the device were physically inside the office. This was the original purpose of VPN technology.
Consumer VPNs work on the same technical principles, though they connect to the provider's servers rather than a private corporate gateway. For employees using a company-issued VPN client, setup is managed by IT. For freelancers, contractors, or teams in regulated industries such as healthcare, legal, or finance, a provider with documented audit credentials and GDPR compliance offers a more auditable record than one whose infrastructure has not been independently reviewed.
Avoiding geographic restrictions
Websites and streaming services use IP addresses to determine a visitor's location and restrict content accordingly. A VPN replaces your visible IP address with the server's, so connecting through a server in another country makes you appear to be located there.
Note that streaming platforms actively detect and block known VPN server addresses, and success rates vary by provider and by server. Whether a given VPN reliably unblocks a specific service depends entirely on the provider. Check their official documentation for confirmed support rather than assuming it works.
Reducing targeted advertising based on your location
Advertisers use IP addresses as one signal among many to build location profiles and serve targeted ads. A VPN changes your visible IP address, which disrupts that signal, but it does not block all tracking.
For more complete protection against ad tracking, a VPN works alongside a privacy-focused browser and a DNS-level ad blocker rather than as a standalone solution.
What Does a VPN Actually Hide?
A VPN changes who can see your traffic, not whether your traffic can be seen at all.
What your ISP can and cannot see
With a VPN active, your ISP can see that you connected to a VPN server, the IP address of that server, the volume of data transferred, and the timing of that connection. What they cannot see is anything beyond the VPN server: the domains you visited, the content of pages you loaded, your search queries, or anything you sent or received. From the ISP's perspective, all your internet activity collapses into a single encrypted connection to one address.
This matters for anyone whose ISP operates under laws that permit traffic logging, data sales to advertisers, or disclosure to authorities without a warrant. It does not change what the websites you visit can see on their end.
What the website you're visiting can see
The website you visit sees the IP address of the VPN server, not your real one. Everything else remains visible: your browser type, operating system, screen resolution, installed fonts, and any other signals that contribute to a browser fingerprint. If you are logged into an account, the site knows exactly who you are regardless of which IP address the connection came from. Cookies set before you turned on the VPN persist after you turn it on.
A VPN changes your IP address. It does not change your browser identity, your account sessions, or your behaviour on the site. Using a VPN as an anonymity tool on sites where you have an active account does not work. Those two things cannot coexist. A VPN is one layer of hiding your IP address, not a complete identity shield.
Types of VPN
Not all VPNs serve the same purpose. The three main categories differ in who operates them and what they are protecting.
| Type | Who uses it | What it connects | Who controls it |
|---|---|---|---|
| Personal VPN | Individual consumers | Device to provider's server | VPN provider |
| Remote access VPN | Employees, contractors | Device to company network | Company IT |
| Site-to-site VPN | Businesses | Two or more office networks | Company IT |
Personal VPNs are the consumer product most people mean when they say "VPN." You install an app, connect to a server the provider operates, and your traffic exits from there. The provider is responsible for the infrastructure, the no-logs policy, and the audit.
Remote access VPNs connect an individual device to a private corporate network. Most companies issue these to employees who work remotely. The traffic exits onto the company network rather than the public internet, and the company's IT team controls the configuration.
Site-to-site VPNs connect two entire networks rather than one device to a network, typically linking offices in different locations so they operate as a single internal network. This category is outside the scope of what consumer VPN services provide.
The rest of this article covers personal VPNs.
How to Choose a VPN
Key points:
- Jurisdiction affects legal exposure, but architecture determines what data actually exists to disclose
- Open-source clients allow independent code review; closed-source clients require trust
- Protocol support determines speed, security, and auditability trade-offs
- Price differences are large enough to matter, but the cheapest option is rarely the most transparent
Where is the provider based and what does that mean?
A VPN provider is subject to the laws of the country they operate in. The Five Eyes (US, UK, Canada, Australia, New Zealand), Nine Eyes, and Fourteen Eyes are intelligence-sharing treaties that create legal frameworks for cross-border data requests. Providers based in treaty member countries can be compelled to cooperate with requests from any member government.
Switzerland sits outside all three treaties and requires a local court order for data disclosure. Panama and the British Virgin Islands have no data retention laws. Spain is a Fourteen Eyes member but is bound by GDPR, which places strict data minimisation obligations on any service operating there.
| Provider | Jurisdiction | Eyes membership |
|---|---|---|
| Internxt VPN | Spain (GDPR) | Fourteen Eyes |
| ProtonVPN | Switzerland | None |
| Mullvad | Sweden | Fourteen Eyes |
| NordVPN | Panama | None |
| ExpressVPN | BVI (Kape Technologies) | None |
Jurisdiction matters less when the provider's architecture makes retention impossible regardless. It matters most when two providers have equivalent privacy design and you are choosing between them on legal exposure alone.
What does the provider actually store by design?
Every major VPN claims a no-logs policy. The more precise question is what their architecture makes technically possible to retain, not what their policy says they choose not to.
A log-minimisation policy means the provider could retain data but chooses not to. A zero-knowledge architecture means the service is built so that connection metadata is not collected in a form the provider can reconstruct or disclose. The latter is a structural constraint rather than a policy decision. Providers that implement zero-knowledge design at the VPN level offer a different level of assurance than providers who simply promise not to look.
ProtonVPN is built on zero-knowledge principles and has been independently audited by Securitum annually since 2022. Internxt VPN states a no-logs policy and publishes open-source clients, but its VPN architecture has not been independently audited at the time of writing. Mullvad goes further operationally: it requires no email address at signup and accepts cash payment, minimising the personal information the provider holds from the start.
Can you read the code yourself?
An open-source VPN client means the code running on your device is publicly available for independent review. Anyone can inspect how encryption is implemented, what data the app transmits, and whether the client behaves consistently with the provider's stated policy. Closed-source clients require trust in the provider's word.
| Provider | Open-source clients |
|---|---|
| Internxt VPN | Yes |
| ProtonVPN | Yes |
| Mullvad | Yes |
| NordVPN | No |
| ExpressVPN | No |
Open-source code is not the same as a completed independent audit, but it is the condition that makes a meaningful audit possible at all.
What does the plan actually include?
VPN plans vary on server coverage, simultaneous device limits, bundled tools, and whether the VPN is sold as a standalone product or included with other services.
| Service | Monthly | Annual | Devices | Refund |
|---|---|---|---|---|
| Internxt VPN | Bundled with all paid plans | Bundled with all paid plans | Multiple devices | 30 days |
| NordVPN | $12.99 | $4.99/mo | 10 | 30 days |
| ExpressVPN | $12.95 | $8.32/mo | 8 | 30 days |
| ProtonVPN | $9.99 | $5.99/mo | 10 | 30 days |
| Mullvad | €5/mo flat | €5/mo | 5 | No contract |
| Surfshark | $12.95 | $3.99/mo | Unlimited | 30 days |
Internxt VPN is included in all paid Internxt plans (Essential 1TB, Premium 3TB, and Ultimate 5TB) rather than sold as a standalone product. It is the only provider in this table that bundles VPN with secure cloud storage under a single plan.
VPN Limitations: What a VPN Does Not Do
A VPN has one function. It encrypts the connection between your device and a server and replaces your IP address at the destination. Everything outside that scope is not covered, and several common assumptions about what a VPN protects against are incorrect.
A VPN does not make you anonymous. Anonymity requires that no party in the chain can connect your activity to your identity. A VPN removes your ISP from that chain but replaces them with the VPN provider. If the provider keeps logs, or if you use the VPN while logged into accounts, your identity is not hidden. Reducing who can see your traffic is not the same as removing the ability to identify you.
A VPN does not protect against malware. If you download malicious software, a VPN does nothing to prevent it executing on your device or transmitting data from it. Encrypted malware traffic is still malware traffic. A VPN encrypts the path to the server, it has no visibility into what is running locally on your device.
A VPN does not stop tracking via cookies, fingerprinting, or logged-in accounts. Websites identify users through browser fingerprints, persistent cookies, and account sessions regardless of which IP address the connection comes from. Advertising networks that use cross-site tracking do not rely on IP addresses alone. Changing your IP address disrupts one signal out of many.
A VPN will reduce your connection speed. Every VPN adds latency because your traffic is encrypted, routed through an additional server, and decrypted before it reaches its destination. The impact depends on protocol (WireGuard introduces less overhead than OpenVPN), server distance, and current server load. For most browsing the difference is small. For latency-sensitive use cases like competitive gaming or real-time video calls, it can be noticeable enough to matter.
A VPN does not protect against phishing. A fraudulent site designed to look like your bank is equally dangerous with or without a VPN active. The VPN encrypts the connection to the site; it does not evaluate whether the site itself is legitimate.
A VPN is only as trustworthy as its provider. If a provider retains logs regardless of their stated policy, or their infrastructure is compromised, the protection fails at the source. Open-source clients and independent audits are the structural response to this concern. ProtonVPN and Mullvad have both completed audits by named security firms. Internxt VPN publishes open-source clients on GitHub, which means anyone can inspect what data the app transmits and how encryption is implemented. The code is readable regardless of whether a formal audit has been completed.
On the question of whether to keep a VPN on all the time: there is no security downside to leaving it running continuously, but the speed reduction is constant when you do. A reasonable approach is to keep it active on untrusted networks (public Wi-Fi, shared connections) and turn it off on trusted home networks when the latency overhead is not worth the marginal privacy gain. That decision depends on your threat model, not on a general rule.
Frequently Asked Questions
Does a VPN hide your IP address?
Yes, a VPN replaces your visible IP address with the IP address of the VPN server you connect through. Websites, advertisers, and network observers see the server's location and address, not your device's.
Can my internet provider see what I do when I use a VPN?
With a VPN active, your ISP can see that you connected to a VPN server but cannot see the websites you visit or the content of your traffic. Everything beyond the VPN server is encrypted and invisible to your internet provider.
Should I use a VPN?
A VPN is worth using if you regularly connect to public Wi-Fi, want to keep your browsing history from your ISP, or work remotely with access to sensitive systems. If your main goal is accessing content from another region, check whether the specific provider supports that service before subscribing, as not all VPNs reliably unblock streaming platforms.
Can a VPN provider be forced to hand over my data?
A provider operating in a jurisdiction that receives a valid legal request may be compelled to cooperate. A provider with a no-logs architecture has nothing to hand over regardless. Internxt VPN states that no browsing logs or connection metadata are retained, and operates under GDPR, which places strict data minimisation obligations on what can be collected in the first place.
What is a VPN kill switch?
A kill switch automatically cuts your internet connection if the VPN drops, preventing your real IP address and unencrypted traffic from being exposed during the disconnection gap. It matters most on untrusted networks where a brief VPN failure without a kill switch would expose your activity to whoever is monitoring that network.
Is it safe to use a VPN based in a Fourteen Eyes country?
Fourteen Eyes membership means a government can legally request data from services operating in that country. A provider with a strict no-logs policy has nothing material to hand over. Internxt VPN operates under Spanish law and GDPR, both of which impose data minimisation obligations, and states that no browsing logs or connection metadata are retained.
What devices can I use Internxt VPN on?
Internxt VPN works as a Chrome extension and can be used on Windows and macOS desktop devices. There is no standalone mobile app, so it does not cover iOS or Android devices.
Which countries can I connect to with Internxt VPN?
Internxt VPN covers up to five server countries, but access is plan-gated. Free and Essential plans include France only. Premium plans add Germany, Poland, and Canada. The Ultimate plan includes all five: France, Germany, Poland, Canada, and the UK. If you need servers outside these locations, a provider with a larger network is a better fit.
Is Internxt VPN free?
Internxt VPN is available as a free Chrome extension with access to one server country (France). Paid Internxt plans unlock additional countries and unlimited speeds.
Making the right call
The VPN industry has a trust problem. Dozens of providers sell privacy without being able to prove it, and most people never check. The difference between a provider worth paying for and one that is not usually comes down to two things: whether an independent firm has verified the no-logs claim, and whether the client code is readable by anyone who wants to look. Those two filters cut the market down considerably.
What is left is a short list of providers with different trade-offs. Internxt VPN sits among them — open-source, GDPR-based, bundled with encrypted cloud storage, and honest about where it currently stands on independent verification. For a product still building its audit record, that transparency is itself a signal worth noting.