Every privacy tool is only as useful as the accuracy of the threat model it is deployed against. A VPN is highly effective against certain threats: ISP traffic monitoring, network-level censorship by geographic location, packet sniffing on untrusted networks (airport Wi-Fi, hotel connections), and basic IP-based geolocation profiling.

A VPN is ineffective or unreliable against: VPN provider logging, government compulsion orders directed at VPN providers, browser and device fingerprinting, correlation attacks that link VPN traffic patterns to exit traffic patterns, and endpoint compromise (malware on your device sees your traffic before it enters the VPN tunnel).

VPN protocols determine the cryptographic and network engineering underpinning of the connection. The three dominant protocols in 2026 are WireGuard, OpenVPN, and IKEv2/IPSec, and they differ significantly in their characteristics.

WireGuard is the youngest of the three and has rapidly become the preferred choice for most security researchers and privacy professionals. Its codebase is remarkably small — approximately 4,000 lines of code compared to OpenVPN's hundreds of thousands — making it dramatically easier to audit and less likely to contain hidden vulnerabilities. It uses modern cryptographic primitives (ChaCha20 for encryption, Curve25519 for key exchange, BLAKE2 for hashing) that are considered best-in-class. It is faster, uses less battery on mobile devices, and reconnects more gracefully when network conditions change.

OpenVPN is battle-tested and highly configurable, with a long track record in enterprise and privacy-focused deployments. Its larger codebase is also its weakness from a security perspective, though many audits have been conducted and it remains trusted by security professionals for high-stakes deployments where the configuration options matter.

IKEv2/IPSec is built into most operating systems natively and is particularly effective for mobile connections due to its MOBIKE extension, which handles seamless handoff between networks. However, concerns have been raised about potential NSA interference in the IPSec standard, and security-focused users typically prefer WireGuard or OpenVPN.

Where a VPN provider is legally incorporated determines what legal mechanisms can be used to compel them to log or disclose user data. Providers incorporated in the United States are subject to National Security Letters and FISA orders, which can compel data disclosure with gag orders prohibiting the provider from notifying users. Providers in EU member states are subject to various data retention directives. Providers in countries outside major intelligence-sharing alliances (the Five Eyes, Nine Eyes, and Fourteen Eyes) face different legal frameworks.

Jurisdiction matters, but it is not the only factor and perhaps not even the most important one. A provider incorporated in a privacy-friendly jurisdiction but operating servers in data centers owned by US companies is still exposed to US legal process through that server infrastructure. What matters is the totality of the legal exposure, not just the incorporation address.

Virtually every commercial VPN provider claims to have a "no-log" policy. This claim has been verified to varying degrees across different providers. The gold standard for verification is a combination of independent technical audits of the provider's infrastructure and demonstrated behavior in cases where legal authorities have requested user data.

Several well-known VPN providers have faced legal demands from law enforcement and have been able to provide nothing because they genuinely maintained no logs. These cases are the most compelling evidence that a no-log claim is genuine. Providers who have demonstrated this in practice — through independent audits and through actual legal challenges — include Mullvad, ProtonVPN, and a small number of others who have been independently verified.

An often-overlooked aspect of VPN privacy is how you pay for the service. Purchasing a VPN with a credit card linked to your identity creates a record that you used that VPN service, held by the payment processor, your bank, and potentially the VPN provider itself. This can undermine the purpose of using the VPN.

Providers that accept cash payments by mail, Monero, or Bitcoin provide a meaningful improvement here. Mullvad, in particular, has offered anonymous account creation — where the account is a randomly generated number, no email required — combined with cash or Monero payment for years. This model allows a VPN relationship to exist without any link to your real identity at the account level.

Multi-hop can be implemented several ways. Some VPN providers (Mullvad, ProtonVPN) offer built-in double-VPN configurations within their apps, routing traffic through two of their own servers. This is easier to configure but concentrates trust in a single provider.

More robust multi-hop configurations involve routing traffic through VPN providers from different countries: connecting to VPN Provider A first, then establishing a second VPN connection through Provider A's tunnel to Provider B. This requires routing configuration to avoid traffic loops and may require using different VPN protocols on each leg. Tools like Wireguard's pre/post-up hooks and routing table manipulation can facilitate this, though it is a technically involved process.

A kill switch is a mechanism that blocks all internet traffic if the VPN connection drops, preventing your real IP address from being exposed during reconnection. On Linux and macOS, this can be implemented robustly using firewall rules (nftables or pf) configured to drop all traffic except that destined for the VPN server's IP address when the VPN interface is not active. On Windows, Windows Firewall with selective rules can achieve the same effect.

VPN provider apps typically include kill switch functionality, but the implementations vary in reliability and completeness. Technical users often prefer to implement kill switches at the OS level themselves rather than relying on VPN app implementations that may have gaps.

DNS queries — the lookups that translate domain names into IP addresses — can bypass VPN tunnels and expose your browsing activity to your ISP's DNS servers even when your traffic is VPN-protected. This occurs when the OS DNS resolution stack is not properly configured to route DNS through the VPN tunnel.

On Linux, configuring systemd-resolved or resolvconf to use DNS servers only accessible through the VPN interface prevents this. On Windows, configuring the network adapter DNS settings to point to VPN-internal resolvers and enabling the VPN provider's DNS protection achieves similar results. Periodic testing using DNS leak test tools is the only way to verify that protection is working.

WebRTC, the protocol underlying browser-based video and audio communication, can expose your real IP address to web pages even when a VPN is active. This is because WebRTC uses STUN servers to establish peer-to-peer connections and can reveal the local IP address assigned by your router as well as the public IP address associated with your physical connection.

In Firefox, WebRTC can be disabled entirely through about:config (setting media.peerconnection.enabled to false). In Chromium-based browsers, browser extensions like WebRTC Leak Prevent or uBlock Origin (with the relevant option enabled) can prevent leaks. Verifying protection using a WebRTC leak test site from within the browser is essential.

Tor's primary vulnerability is the global passive adversary: an entity capable of monitoring both the entry and exit points of the Tor network simultaneously. By correlating traffic patterns at the guard node (where they see packets entering from the client) with traffic patterns at the exit node (where they see packets leaving toward the destination), an adversary can de-anonymize users without breaking any cryptography.

This is not a theoretical attack. Academic researchers have demonstrated statistical correlation techniques that can link entry and exit traffic with high accuracy given sufficient monitoring capability. Nation-state adversaries with broad network surveillance capabilities — NSA, GCHQ, and their equivalents — have the technical capacity to attempt these attacks. This is the most important limitation of Tor for users facing state-level adversaries.

Expert users can configure guard node selection in Tor's configuration file (torrc). The EntryNodes directive allows specification of specific relays or countries as preferred entry nodes. The ExcludeNodes directive can be used to exclude specific nodes or entire countries from any circuit position. The StrictNodes directive forces these exclusions to be absolute rather than preferred.

The appropriate configuration depends on the threat model. Excluding nodes from countries known to run large numbers of malicious relays can reduce risk. However, being too restrictive in node selection can degrade performance significantly and may create distinctive traffic patterns that make you identifiable.

Tor Browser is configured by the Tor Project specifically to provide strong anonymity for web browsing. It standardizes many fingerprinting vectors: all users running the same version of Tor Browser present the same browser fingerprint to websites, making individual users indistinguishable from one another within the Tor user population. It blocks JavaScript by default in the safest security level (recommended for high-threat environments). It prevents cookies and site data from persisting between sessions.

Whonix takes a different approach: it uses two virtual machines (a Tor gateway VM and a workstation VM) to enforce network-level Tor routing for all traffic from the workstation. The workstation VM has no direct internet access — its only network route is through the gateway VM, which runs Tor. This means that even applications that are not Tor-aware have their traffic routed through Tor, and a compromised application cannot reveal the real IP address because the workstation literally has no direct internet route.

This isolation model is architecturally superior to software-level Tor routing for many use cases. It provides stronger protection against application-level de-anonymization (where a malicious or compromised application attempts to bypass Tor to reveal the real IP). The trade-off is the complexity and resource requirements of running multiple VMs.