What a VPN Protects You From: Protections and Limitations
VPNs are often marketed as a complete privacy and security solution, but their actual protections are more specific and more limited than most users realize. A VPN can shield you from certain forms of surveillance, network attacks, and location-based restrictions, yet it does nothing against many of the most common online threats. Understanding where a VPN is effective and where it quietly fails is essential for using it safely. This article breaks down what a VPN truly protects you from and what it never will.
Key takeaways
- A VPN effectively protects against ISP monitoring, public Wi-Fi snooping, and IP-based attacks by encrypting traffic and hiding your real IP address.
- VPNs do not stop phishing, malware, account compromise, or browser-level tracking such as cookies and fingerprinting.
- Public Wi-Fi security and censorship bypassing are among the strongest real-world use cases for VPNs.
- True online protection requires combining a VPN with secure browsing habits, device security, and careful account management.
A VPN is a cybersecurity tool that is used for two main purposes: hiding your real IP address, which can be used to identify your approximate location, and encrypting your internet traffic, so that third parties have a much harder time seeing what you do on the web.
When used for their main purpose, VPNs are generally effective. While connected to a VPN, you adopt its IP address, so you appear to be browsing from another location in the world. In addition, a VPN encrypts your internet traffic between your device and the VPN server. This means your Internet Service Provider (ISP) or the owner of the Wi-Fi network you’re using cannot track your browsing history, downloaded or uploaded files, and other unencrypted traffic.
VPNs are not the be-all and end-all solution for cybersecurity, though. A VPN is not designed to protect you from social engineering schemes such as phishing, even if some VPNs can help. If you fall victim to hackers and download any type of malware, a VPN will be useless too. Finally, if your device is stolen or seized, it will be possible to access it directly if your hard drive is not encrypted.
In this article, we will cover each of these cases in detail, so you can be sure about what a VPN does and does not protect you from. Hacker attacks, government, institutional and social media tracking, social engineering: we cover everything you need to know, so keep reading.
What does a VPN protect you from?
Broadly speaking, a VPN protects you from third parties wanting to look into your internet activity. This might involve online trackers, internet connection vulnerabilities, or, in some instances, hacker attacks. We talk about each of them in detail below.
1. Tracking by ISP and intermediaries
ISPs and internet intermediaries (often referred to as the internet backbone) play essential roles in connecting us to the web. ISPs, or Internet Service Providers, are the companies that deliver your internet access. At the same time, they can see your IP address, the sites you visit, and more, and often track you for analytics or advertising, on some occasions even selling data to third parties. Intermediaries, which form the backbone of the internet, are responsible for transmitting data across long distances. Though they usually handle data anonymously, intermediaries can still log certain details, like where traffic comes from and goes to, adding another layer of potential tracking.
A VPN is a good defensive measure against this kind of surveillance. When you use a VPN, intermediaries and ISPs only see that you’re connected to the VPN server, instead of seeing the actual sites you visit.
In 2021, the US Federal Trade Commission reported that ISPs do indeed track this data and even profile their customers by things like race or sexual orientation.
2. Public Wi-Fi risks
The owner of a public Wi-Fi network could track your browsing activity if you are connected to it. Fake Wi-Fi networks are sometimes set up by hackers to steal your login data.
Thankfully, a VPN is the right tool to use if you are desperate for that daily cute cats video, but don’t have a connection of your own. By sending your data through an encrypted tunnel, a VPN prevents others from seeing what you do when connected to someone’s Wi-Fi network.
According to a 2023 Statista survey, the most common location with public Wi-Fi that compromised user data was a cafe/restaurant, with airports ranking second and hotels third.
3. Geo-blocking and censorship
Not all content on the web is available to everyone. Content providers limit availability based on languages and distribution agreements, while authoritarian and totalitarian governments do not want their citizens to see anything that might cause dissent.
Bypassing these types of limitations is exactly what a VPN is designed to do. In terms of content availability, you can connect to a VPN server in the US if you want to watch a show only available in that region. Streaming services work hard to limit users accessing their content this way so it might not always work.
Governments also implement similar measures, as VPNs are the most popular tool to beat government censorship. They continuously block IP addresses used by major VPNs to reduce their effectiveness. VPNs come out with new IPs and it all becomes an endless game of cat and mouse.
If you are having difficulties accessing content when connected to a VPN, consider switching to a decentralized VPN. They offer residential IP addresses, which are extremely unlikely to be blocked by a content provider or a government.
Internet censorship is a worldwide problem - 67% of all internet users live in countries that censor the free expression of their citizens, as cited by Freedom House.
4. Man-in-the-middle attacks
A man-in-the-middle attack, or MitM, is a practice where a hacker intercepts and sometimes even tampers with the communication between two parties on the internet. This can be done to observe and steal login data or to modify operations such as bank transactions.
One of the most common ways to set up a MitM attack is through a fake Wi-Fi network or by hacking a public hotspot to observe the browsing data of people using it. A VPN encrypts that data, negating a hacker’s access. These attacks could also be carried out with DNS spoofing: redirecting users to fake versions of real websites by manipulating DNS responses. When protected with a VPN, you are using its own DNS servers, which are exceedingly difficult to mess with.
The threat of MitM might even be combined with other kinds of attacks, such as phishing. The number of MitM by phishing attempts reaching people’s inboxes increased by 35% in 2023 compared with the year before, as cited by a Cofense report.
5. DDoS attacks
A DDoS attack (Distributed Denial of Service) is an act of overwhelming a system with a huge amount of traffic in order to slow it down or make it crash completely. Even though these are rarely used against individuals, it’s not unheard of for angered tech-savvy gamers to try and find their opponents’ IP addresses and try to launch a DDoS on them.
A VPN protects against DDoS attacks, firstly, by concealing your real IP address, making it impervious to a direct attack. Secondly, attacks launched against you while connected to a VPN will actually target the VPN server, which is often equipped with anti-DDoS measures such as high traffic capacity, traffic filtering, and more.
F5 reports that global DDoS attacks have doubled in quantity over 2023 when compared to 2022, making the ability to protect yourself against them more relevant than ever.
6. Session hijacking
Session hijacking is an act of retrieving a unique user session identifier (session ID) from a real user of a web service and using it to impersonate said user.
VPNs might prevent session hijacking, but it’s not a surefire measure against such attacks. The encryption provided by a VPN generally helps conceal the session ID, but there can be exceptions: security vulnerabilities in the service you are connecting to or in the browser you are using might be exploited as well. Our advice here is to always use a VPN and trusted web services, and always update your software to the latest version.
Session hijacking attacks are difficult to detect: Crowdstrike reports that the average time to discover such a breach is 95 days.
7. Remote hacking
Remote hacking refers to an attacker gaining unauthorized access to a device or network from a remote location. This type of hacking is typically carried out over the internet, exploiting vulnerabilities in software. Once hackers infiltrate a target, they can steal sensitive information, manipulate data, or even use the compromised system to carry out further attacks.
A VPN can protect you from remote hacking using the same principles as for many of the attack types mentioned before: by hiding your real IP address and encrypting browsing data. As a result, hackers would have a much harder time finding you and infiltrating the systems you use. Be aware, however, that regularly updating software and using strong, unique passwords is crucial for ensuring your online safety.
97% of organizations surveyed by Accenture have noticed an increase in cyber threats since the start of the Ukraine-Russia war in 2022. This increase most certainly trickles down to regular internet users too.
8. Bandwidth throttling
ISPs experience high fluctuations in their internet traffic usage. Normally almost no one uses the web at 4 am (except hardcore gamers), while everyone is doing something after work hours, around 7-9 pm.
To ensure that the whole network isn’t overwhelmed during peak hours, ISPs wield a technique called bandwidth throttling. This involves slowing down the connection of the most demanding users, who are most often gaming, downloading, or uploading files. These actions are commonly categorized according to the IP addresses of services a person is connected to. When you connect to a VPN, the ISP cannot identify what exactly you are doing on the web, and almost certainly won’t throttle your connection.
9. DNS exposure
When you browse the internet, your device sends DNS requests to a DNS server (usually provided by your ISP). The DNS server translates the domain name you entered (e.g., www.example.com) into the IP address of the website so your browser can load the correct webpage. These DNS requests can be observed by a curious third party, for example when you are using a public Wi-Fi network that has been infiltrated or set up by a bad actor.
A VPN can protect you from DNS exposure by using its own DNS servers for handling requests and by sending those requests through the encrypted tunnel between your device and the VPN server. Always connect to a VPN when using public Wi-Fi hotspots as four in ten people have had their personal data compromised on public Wi-Fi, according to a survey by Forbes.
VPNs can suffer from DNS leaks as well, but that almost always comes down to using a free, disreputable provider or mistakes when setting up the VPN.
VPN limitations that prevent you from complete protection
VPNs have certain limitations that prevent complete protection on the web:
- VPN logs. Some VPN providers may keep logs of your activities, potentially exposing your data. VPN companies are subject to local laws, which may force them to share information with law enforcement.
- Human error. A VPN can’t protect you from social engineering attacks, such as phishing, where attackers trick you into revealing sensitive information.
- Data leaks. A VPN itself might fall victim to IP or DNS leaks, exposing your real IP address and web activity. These mostly happen when a VPN is set up incorrectly (very rare) or a free, disreputable VPN service is used.
- Can’t protect the systems you use. VPNs offer limited protection if the websites you visit lack encryption on their side or have already been compromised by bad actors.
Ultimately, a VPN is a strong security tool, but it must be combined with other measures like strong passwords, antivirus software, and safe browsing habits to offer solid protection.
What will a VPN not protect you from?
A VPN will not protect you from malicious software on your device, or from web tracking that relies on your browser and technical data instead of your IP address and web activity. It will also not protect you from tracking by web services you have logged into, and it might only reduce your chances of making a human error such as falling victim to phishing or scam attacks.
1. Tracking
There are multiple types of tracking that do not depend on seeing a person’s IP address, and therefore, aren’t affected by VPNs:
- Cookies. These are little files saved on your browser when you visit pages on the web. First-party cookies save your actions on a website, such as the items you added to a cart. Third-party cookies are used by advertisers to track you across multiple websites.
- Device fingerprinting. Some websites track device info to identify you, such as your operating system, device type/name, resolution, and language.
- Web beacons (pixels). They are tiny pieces of code on a website or in an email, used to record your actions in order to gauge the effectiveness of email marketing or to target you with ads urging you to come back to a website you’ve visited, based on your actions there.
The tracking methods above successfully circumvent VPN protection because they are implemented by websites you visit. They target your device info and the actions you take on that site. VPNs cannot encrypt this data. Tracking is used everywhere - a Princeton University study found that 80% of the 1 million most popular websites use web beacons or similar tracking technologies.
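Why the identifiers listed above survive a VPN, as an added example that is not part of the original article: a site-side visit log in which the visitor's IP address changes when the VPN is switched on, while the cookie and device attributes stay the same. All records, field names and values are constructed, and the fingerprint uses only the four attributes the article lists.

```python
import hashlib
from collections import defaultdict

# Device attributes the article names: operating system, device type,
# resolution and language.
FINGERPRINT_FIELDS = ("os", "device", "resolution", "language")

# Constructed sample devices.
LAPTOP = {"os": "Windows 11", "device": "desktop",
          "resolution": "2560x1440", "language": "en-GB"}
PHONE = {"os": "Android 14", "device": "phone",
         "resolution": "1080x2400", "language": "de-DE"}

# Constructed sample of what one website records per visit.
# The IP addresses come from the ranges reserved for documentation.
VISITS = [
    {"ip": "203.0.113.7", "cookie": "c-81f3", "page": "/shoes", **LAPTOP},    # no VPN
    {"ip": "198.51.100.44", "cookie": "c-81f3", "page": "/cart", **LAPTOP},   # VPN on
    {"ip": "198.51.100.44", "cookie": None, "page": "/checkout", **LAPTOP},   # VPN on, cookies cleared
    {"ip": "198.51.100.44", "cookie": "c-2a90", "page": "/shoes", **PHONE},   # other user, same VPN exit
]


def fingerprint(visit):
    """Hash the device attributes into a short identifier; the IP is not an input."""
    material = "|".join(str(visit[field]) for field in FINGERPRINT_FIELDS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def group_visits(visits, key):
    """Group visit indexes by the value `key` returns; visits without a value are skipped."""
    groups = defaultdict(list)
    for index, visit in enumerate(visits):
        value = key(visit)
        if value is not None:
            groups[value].append(index)
    return sorted(groups.values())


def linkage_report(visits):
    """Show which visits each identifier ties together."""
    return {
        "by_ip": group_visits(visits, lambda visit: visit["ip"]),
        "by_cookie": group_visits(visits, lambda visit: visit["cookie"]),
        "by_fingerprint": group_visits(visits, fingerprint),
    }


if __name__ == "__main__":
    for method, groups in linkage_report(VISITS).items():
        print(f"{method}: {groups}")
```

Grouping by IP splits the laptop user's visits once the VPN is on and lumps them together with a stranger on the same VPN exit, while the cookie and the fingerprint still tie the laptop visits to one person.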
2. Malware
Malware, short for malicious software, is designed to harm, exploit, or otherwise compromise a device or network. Common types of malware include viruses, ransomware, spyware, and trojans, all of which can steal data, damage systems, or take control of your device.
While a VPN protects your internet traffic by encrypting it and hiding your IP address, it cannot prevent malware from infecting your device. If you download a file containing malware or click on a malicious link, a VPN won’t stop the harmful software from executing. That’s why it’s important to combine VPN use with antivirus software and be cautious with links, downloads, and email attachments.
3. Phishing and social engineering
Phishing is a type of online scam where attackers impersonate legitimate organizations or individuals to trick you into revealing sensitive information, like passwords or credit card details. Phishing often takes the form of fake emails, messages, or websites that look authentic but are designed to steal your data. Phishing is a part of social engineering, the manipulation of individuals into sharing confidential information or performing actions that compromise security, often by exploiting trust or emotions, which can extend to real-world situations.
While a VPN encrypts your internet traffic and hides your IP address, it cannot protect you from phishing. Phishing attacks rely on tricking you into unknowingly handing over personal information. Even with a VPN, if you enter your login details on a fake website or click a malicious link, the VPN won’t stop your data from being stolen. To stay safe, always verify the source of emails or messages and be cautious with unfamiliar links.
4. Account compromise
Your online accounts can be compromised in several ways: weak passwords, reused credentials that hackers exploit via brute force (guessing), or password breaches. Phishing attacks can also trick you into revealing login details. Additionally, data breaches in websites or services you use can expose your information, regardless of whether you are using a VPN.
Once bad actors have your credentials, a VPN can’t prevent them from accessing your account. To protect your accounts, you need to use strong, unique passwords, enable two-factor authentication if it’s available, and be cautious of suspicious links or emails.
5. Software security flaws
Software security flaws, or vulnerabilities, can leave your device open to attacks, and a VPN won’t protect you from them. Hackers can exploit these flaws in your operating system, apps, or browsers to gain access to your data or install malware. Even if your traffic is encrypted through a VPN, vulnerabilities in the software you’re using can be targeted to bypass that protection.
Such flaws are most commonly exploited in two ways: hackers take advantage of built-in issues before software creators can patch them (called zero-day exploits), or people keep using old versions of software that aren’t safe anymore. To defend yourself against these threats, update your software regularly.
6. Government surveillance
Even with a VPN, governments have various ways to monitor your activities. They can use deep packet inspection (DPI) to analyze your internet traffic and detect patterns, even if it’s encrypted. Additionally, if your VPN provider keeps logs, governments can seize these records through legal pressure or warrants, potentially exposing your browsing history or connection data.
Take this with a grain of salt, however, as you would have to be a person of interest to attract such attention from law enforcement. If you are a regular, law-abiding citizen, you have nothing to worry about.
7. Social media risks
The more personal information you share about yourself on social media, the higher the probability of bad actors gaining access to that info and using it against you. Personal information can be used for social engineering attacks, such as faking text messages from your significant other. Information that you give out willingly cannot be protected by a VPN, that’s not its purpose.
Even though a VPN does conceal your IP address, you only have to log into a social media account without a VPN once and your actual IP can be recorded. It can then be used, for example, by a government agency trying to find your location or learn more about you.
8. Location-based services
Many services on the internet that record your location do so based on your IP address, which can be taken advantage of by connecting to a VPN.
However, if you use apps or browse the web using your mobile device, tablet, smartwatch - anything that has its own GPS locating capability, your actual physical location will be tracked instead. Therefore, make sure to manually turn off the location services of all smart devices if you do not want your location to be seen.
VPN protection against hackers
Does a VPN protect you from hackers? Yes and no. A VPN can protect you from hackers, but it’s not a cure-all solution. By encrypting your internet traffic and hiding your IP address, a VPN makes it harder for hackers to intercept your data or launch attacks directly on your device, as they usually need your IP to target you.
VPNs are especially useful for encrypting traffic on public Wi-Fi networks, where hackers commonly lurk, trying to steal login credentials or sensitive info. Never use public Wi-Fi without a VPN.
However, a VPN can’t protect you from everything. If you fall for a phishing scam or download malware, a VPN won’t stop that from happening. Human error is prevented by being careful when using the web, even though software can help as well. If a deal you are being offered in an email, for example, is too good to be true - it probably is, don’t click it. Suspicious text messages, SMS, or emails with external links are not to be trusted. Be aware of the risks and don’t act on instinct.
Not all hacker attacks happen due to human error. You can also get hit via an unpatched vulnerability in your software. Hackers are constantly testing popular websites and applications to find weaknesses to exploit. The only thing you can do about that is make sure that you always use the latest version of the software you use.
If hackers do succeed in compromising your system, the consequences can be severe. They could steal your personal information, money, or non-monetary assets, take over your accounts, install ransomware, or even use your device for their own attacks.
To summarize, while a VPN is a great layer of defense, it’s not enough on its own to fully protect you from determined hackers. Staying cautious and using other security measures (like antivirus, firewall software and strong passwords) is just as important.
Can a VPN be hacked?
In theory, yes, a VPN can be hacked. No entity is invulnerable to a hacker attack. If hackers get access to a single VPN server, they will have access to the connection logs of anyone who has used the server after the last log wipe. In addition, they could also retrieve VPN security keys that would be used to set up a fake server and possibly steal even more data. If hackers somehow got into the main database of a centralized VPN, much more info could be stolen: emails, passwords, payment information, usage logs (if collected), etc. The consequences of such a hack would be catastrophic.
On the other hand, decentralized VPNs are less vulnerable to hacks due to their infrastructure. Even if a hack was successful, there would be much less data available for hackers to steal because there is no central database, and centralized usage logs cannot be collected.
VPN hacks are a real threat: as of January 2024, there was a suspected vulnerability in the Ivanti VPN used by US government agencies that was being taken advantage of by hackers associated with the Chinese government, according to Wired.
What doesn’t a VPN hide?
A VPN does not hide all of your online activity. Firstly, if you’re logged into services like Google, Facebook, or others, your actions are associated with your account. The owner of the service often has the right to send you emails, suggest products, or show ads based on your actions on the website.
Social networks like Facebook have a tracking pixel that owners can put on their websites. If you browse the web while logged in to Facebook, your actions on these websites are associated with your Facebook account. As a result, the social media platform has a detailed view of your interests all over the web and can serve you ads accordingly.
Even without logging in, browser cookies save information from almost all websites you visited on your browser. It can range from items you put in a shopping cart to general topics you are interested in.
Your device specifications (model, operating system, language) aren’t hidden by a VPN at all and can still be tracked.
Finally, a VPN can’t hide your internet data usage from your ISP, which can still detect the amount of bandwidth you’re using, even if it can’t see the content of your traffic. This could be used with your non-VPN browsing data to identify browsing patterns and purposes of your internet use. This kind of data is used for profiling and might be sold by your ISP to advertisers.
VPNs’ limited legal protection
Even though VPNs theoretically hide your online activity from third parties, they do not make you immune to the rule of law. We do not recommend engaging in illegal activities, even under the protection of a VPN.
You are not completely safe from law enforcement with a VPN. VPNs sometimes collect connection logs: data of which servers you connected to and when. It might even be possible (but quite rare) that the VPN you are using collects usage logs of the websites you visited, files downloaded, and more.
As a result, if law enforcement contacts your VPN provider for information about you (the aforementioned logs, for example), the provider will have to hand it over if it’s within the jurisdiction of the institution asking.
How can you improve your protection against that? By choosing a decentralized VPN. dVPNs differ from regular, centralized VPNs because they utilize nodes, usually owned by individuals, instead of central servers of a single company. This results in the VPN provider not being able to see anything past which node you connected to. As such, logs of your browsing activity are very unlikely to exist. As a result, the VPN provider would have no browsing logs to hand over if the police came knocking.
Why do free VPNs offer less protection?
While free VPNs might seem appealing, they often come with significant compromises in terms of privacy and security. Many free VPNs earn money by collecting and selling your data to third parties, undermining the very privacy you’re seeking. Additionally, free services tend to have weaker encryption standards, fewer server locations, slower speeds, and be prone to DNS leaks, which can lead to less reliable protection and flexibility.
In contrast, paid VPNs often have more funds to invest in the best encryption, robust privacy policies (like no-log guarantees), and advanced features such as a kill switch, DNS leak protection, obfuscated servers, or a dedicated IP address. For more reliable privacy and security, we recommend opting for a quality paid VPN.
What can a decentralized VPN protect you from that a centralized VPN can’t?
Decentralized VPNs (dVPNs) provide stronger protection against government censorship and surveillance compared to traditional VPNs. Unlike centralized VPNs, which rely on a fixed set of servers that can be targeted or blocked by governments, dVPNs use a distributed network of nodes often owned by regular people, making it much harder for authorities to block or censor access.
Additionally, because a decentralized VPN doesn’t rely on a central authority, there’s no central database of usage logs for governments to seize or demand access to. This means your online activity is more protected from surveillance and government requests for user data, offering greater privacy and a more reliable way to bypass censorship in restrictive regions.
VPN protection compared to similar technologies
A few alternatives to VPNs exist if you are looking for other kinds of online protection: proxies and Tor. We look at their differences below.
| | Centralized VPNs | Decentralized VPNs | Proxies | Tor |
|---|---|---|---|---|
| Hides IP address | Yes | Yes | Yes | Yes |
| Encrypts traffic | Yes | Yes | No | Yes (Multi-layered) |
| Hides from ISP | Yes | Yes | No | Yes |
| Bypasses geo-restrictions | Yes | Yes | Yes | Yes |
| Prevents government censorship | Yes (can be blocked) | Yes (hard to block) | No | Yes (very good at it) |
| Protects from hackers on public Wi-Fi | Yes | Yes | No | Yes (but is slow) |
| Keeps logs | Varies (some keep logs) | No logs (due to decentralized structure) | Varies (often keep logs) | No logs (due to decentralized structure) |
As a whole, decentralized VPNs offer the best balance of features for all-around protection. Tor generally provides more robust encryption, but connection speeds suffer greatly as a result. Adding to that, you have a very high probability of getting on an FBI watchlist if you use Tor. Proxies, on the other hand, should only be considered as an alternative if you’re looking to change your virtual location, but don’t require encryption.
How will VPN protection evolve?
As we look into the future of VPN protection, we can already see certain trends that influence how the VPN market will change. With cybercrime constantly on the rise, security tools have to work twice as hard to improve their services, offer more functions, and provide more one-size-fits-all solutions for regular users. Here are some of our predictions:
- Multihop will become a default feature for most VPNs. Currently reserved for the more premium offerings, multihop is a feature that sends your data through more than one VPN server or node, making it harder for peeping Toms to see what you’re doing online. As time goes on, it should be adopted by most VPNs on the market and will be on by default.
- Open-source solutions will become the norm. VPNs will turn back to the people and more brands will base their architecture on open-source solutions that can be inspected by anyone. This is the ultimate symbol of safety and transparency - perhaps new releases will even be audited by independent third parties for instant feedback.
- VPNs will become a more integrated part of our systems. More operating systems and devices will incorporate VPNs into their base software offering and VPN protection will be on by default. At some point, we won’t even remember a life without them.
- The speed difference with/without a VPN will be negligible due to improvements in architecture - there will be no downsides to connecting to a VPN.
- dVPNs will come into the mainstream, as more and more people will see their advantages over centralized VPNs.