What Is a VPN &
How Does It Work?

What is an IP address?

Your IP address (Internet Protocol address) is a unique numerical label assigned to your device by your Internet Service Provider. Think of it as your home address on the internet — it tells other computers where to send data when you request a website, video, or any online service.

Every time you visit a website, your IP address is automatically shared with that website's server. This is technically necessary for data to be delivered back to you — but it also means every site you visit knows exactly who you are and approximately where you are.

There are two versions in use today:

• IPv4 — the traditional format, e.g. 203.0.113.47
• IPv6 — the newer format, e.g. 2a06:98c0:3600::103 — designed to handle the massive expansion of internet-connected devices

What is a VPN?

A VPN (Virtual Private Network) is a service that encrypts your internet connection and routes it through a server in a location of your choice. When you use a VPN, websites and services see the VPN server's IP address — not your real one.

VPNs were originally developed for businesses to allow employees to securely access company networks remotely. Today, they're used by hundreds of millions of people for personal privacy, security on public Wi-Fi, and bypassing geographic content restrictions.

The key things a VPN does:

• Hides your real IP address — replaces it with the server's IP
• Encrypts your traffic — nobody (not even your ISP) can see what you're doing
• Masks your location — websites think you're in the server's country
• Protects on public Wi-Fi — prevents man-in-the-middle attacks

How a VPN hides your IP address

Without a VPN, your connection to a website goes directly from your device → your ISP → the website. At every step, your real IP address is visible.

With a VPN, the route changes: your device → encrypted VPN tunnel → VPN server → website. The website only sees the VPN server's IP address. Your ISP can see you're connected to a VPN but cannot see where you're going or what you're doing.

Modern VPNs use AES-256 encryption — the same standard used by governments and militaries worldwide. Even if your traffic were intercepted, it would take longer than the age of the universe to crack without the key.

Why you need a VPN

You might think you have nothing to hide — but that's not really the point. Here's why people who care about their digital rights use a VPN:

VPN protocols: WireGuard vs OpenVPN vs IKEv2

The VPN protocol determines how your device communicates with the VPN server — directly affecting speed, security, and battery life. Three protocols dominate modern VPN apps:

WireGuard is the recommended default for most users — it has a smaller codebase (easier to audit for security flaws), significantly faster throughput, and excellent battery efficiency on mobile. Most major providers now support it under a branded name (NordVPN calls it NordLynx; ExpressVPN has Lightway).

OpenVPN has been the industry standard for over 20 years and remains widely trusted — particularly on desktop and in corporate environments. It supports both TCP and UDP transport, making it useful for bypassing restrictive firewalls that block other protocols.

IKEv2/IPSec is especially well-suited to mobile devices because it handles network switching — moving from Wi-Fi to 4G, for example — gracefully without dropping the VPN connection.

Some providers also offer proprietary protocols built on top of these foundations. NordVPN's NordLynx is WireGuard with an additional double NAT layer to address WireGuard's static IP assignment limitation. ExpressVPN's Lightway is a custom protocol built on wolfSSL, designed to connect faster than WireGuard on poor network conditions. These proprietary protocols are generally only available on that provider's own apps — you can't use NordLynx with a generic WireGuard client.

For most users, the right choice is to leave the protocol on "automatic" in the VPN app — modern clients select the optimal protocol based on your network conditions. Manual selection is useful if you're experiencing connection drops (try TCP-mode OpenVPN), slow speeds (switch to WireGuard), or if you're on a network that blocks VPN traffic on standard ports.

Kill switch, DNS leak protection, and split tunneling

When comparing VPN providers, you'll encounter a standard set of features. Here's what each one actually does and when it matters:

No-logs policies: what they mean and how to verify them

Every reputable VPN provider claims a "no-logs" or "zero-logs" policy — meaning they don't record your browsing activity, connection timestamps, original IP address, or the VPN IP you were assigned. But how much does this claim actually mean?

The key distinction is between connection logs (timestamps, server locations, bandwidth used) and activity logs (websites visited, files downloaded). Some providers who claim "no logs" still keep connection logs — which can reveal patterns of use even without specific browsing data.

Independent audits add meaningful verification. Firms like PricewaterhouseCoopers, Deloitte, and KPMG have audited major VPN providers' infrastructure and log-handling practices. An audited no-logs policy is more trustworthy than an unverified claim — though no audit is a permanent guarantee since infrastructure and policies can change after the audit date.

When evaluating no-logs claims, look for: (1) a named third-party auditor, (2) a recent audit date (within 2 years), (3) the scope of the audit (does it cover the full infrastructure or just specific servers?), and (4) any real-world legal tests the provider has faced.

It's also worth understanding what data providers are permitted to retain for operational reasons. Most reputable providers collect minimal data necessary to enforce subscription limits — typically a hashed email address and payment record. This is not the same as activity logging. Read the privacy policy carefully: look for explicit statements about what is and is not stored, rather than relying solely on marketing language like "zero logs" or "no spy" in the product name.

Free VPNs deserve special scrutiny here. Providing VPN infrastructure is expensive — servers, bandwidth, and maintenance add up. If a VPN costs nothing, the business model almost certainly involves monetising user data in some form, whether through targeted advertising, selling anonymised usage statistics, or injecting tracking scripts into web traffic. Several high-profile free VPN apps have been caught doing exactly this. The cost of a reputable paid VPN — typically $3–5 per month on a long-term plan — is worthwhile compared to surrendering your browsing history.

VPN jurisdiction: 5-Eyes, 9-Eyes, and 14-Eyes explained

The country where a VPN provider is legally incorporated determines which laws govern your data — and specifically whether a government can compel the company to disclose user information.

The Five Eyes alliance is an intelligence-sharing agreement between the USA, UK, Canada, Australia, and New Zealand. Member nations share intercepted signals intelligence with each other. A VPN based in a Five Eyes country could theoretically be compelled to hand over user data — and that data could then reach all five governments through intelligence-sharing channels.

The Nine Eyes extends this to include Denmark, France, the Netherlands, and Norway. The Fourteen Eyes further adds Belgium, Germany, Italy, Spain, and Sweden.

In practice, a strong audited no-logs policy matters more than jurisdiction alone. A VPN provider that has nothing to hand over cannot be compelled to disclose data — regardless of which country it operates from. That said, providers outside the 14-Eyes alliance face fewer mandatory disclosure requirements, offering an additional layer of protection for high-risk users.

Jurisdiction also affects data retention laws. Some countries legally require ISPs and service providers to retain connection logs for a specified period — typically 6 to 24 months. A VPN incorporated in such a country could theoretically be required to begin logging user data in the future, even if they don't currently. Providers registered in Panama, the British Virgin Islands, or Switzerland have consistently resisted these kinds of legislative pressures, which is one reason privacy-focused VPNs often incorporate there deliberately.

One nuance worth understanding: a VPN's servers may be physically located in 14-Eyes countries even if the company is incorporated elsewhere. Physical server presence could expose those servers to local law enforcement action. Providers that use RAM-only servers (which cannot retain data between reboots) or diskless configurations mitigate this risk — even if a server is physically seized, there is no persistent data to recover. NordVPN and ExpressVPN have both moved to RAM-only server infrastructure as a result of past incidents.

Ways to hide your IP address

A VPN is the most practical option for most people, but it's not the only one. Tor Browser provides stronger anonymity at the cost of speed. Proxy servers hide your IP for single-app traffic without encryption. SSH tunnels are a technical option for developers. Each method involves different trade-offs in speed, privacy level, and ease of use.

For a full breakdown of every method — including a comparison table of VPN vs Tor vs Proxy — see the dedicated guide:

How to choose a VPN

There's no single "best" VPN — the right choice depends on your priorities. Here are the key factors worth comparing:

• Jurisdiction — where the company is legally registered affects what laws govern your data
• Audit history — third-party audits provide independent verification of no-logs claims
• Protocol — WireGuard and OpenVPN are widely considered reliable; some providers offer proprietary protocols
• Server network — more locations means more IP options and generally better regional performance
• Device limits — some providers allow unlimited simultaneous connections; others cap at 5–10
• Free tier — a few providers offer limited free plans; most offer money-back guarantees on paid plans

For most people, a well-known provider with an audited no-logs policy, WireGuard support, and a kill switch will cover every realistic privacy need. The differences between the top five providers are smaller than VPN marketing suggests — any of them is vastly better than using no VPN at all, especially on public Wi-Fi or in a country with aggressive ISP monitoring. Pick one, enable the kill switch, and use it consistently rather than spending weeks comparing minute technical differences between providers.

How to set up a VPN on Windows (step by step)

Most VPN providers offer dedicated apps that make setup straightforward. Here's how it works with any major provider:

1. 1
   Choose a provider and sign up. Select a VPN provider (see our provider comparison), create an account, and choose a plan. Most reputable providers offer a 30-day money-back guarantee, so you can test it risk-free.
2. 2
   Download the Windows app. Go to the provider's official website and download the Windows client. Only download from the official site — never from third-party sources or app stores unless the provider directs you there.
3. 3
   Install and log in. Run the installer and follow the prompts. Log in with your account credentials. The app will automatically sync the latest server list.
4. 4
   Connect to a server. Click "Quick Connect" to connect to the nearest fast server, or choose a specific country from the server list. For streaming geo-restricted content, choose a server in the target country.
5. 5
   Verify your connection. Visit our homepage to confirm your IP address has changed to the VPN server's IP and your location reflects the server's country. Your real IP and ISP should no longer be visible.