What They Can and Can’t Do for You
What is a VPN, and How Can It Protect You?
Why did the government warn against using commercial VPNs?
You’ve seen the ads—“Protect yourself from hackers! Stay anonymous! Stop government spying!”—but how much of that is true? The reality is, most commercial VPNs aren’t the security silver bullet they claim to be. While VPNs can serve a purpose, their limitations are often misunderstood, and in some cases, they introduce more risks than they mitigate. In this article, we’ll break down what VPNs actually do, expose common misconceptions, and explain why even the U.S. government has warned against using them. If you’ve ever wondered whether a VPN is truly keeping you safe—or just giving you a false sense of security—keep reading.
A VPN (Virtual Private Network) is a method of tunneling traffic from one point to another. The purpose of a VPN depends on its specific use case. There are many ways a VPN can be utilized, but let’s focus on how it actually works and what it can and can’t protect you from.
Originally, I used VPNs to allow employees to access internal resources without exposing those tools directly to the internet. Today, new concepts like Zero Trust allow access without a full VPN. We’ll cover that in a later post, but for now, let’s look at how traditional VPNs work.
A VPN is networking software that creates a private tunnel between a machine and a remote network or another machine. Modern VPNs rely on two main types of tunneling:
- IPsec VPNs – The traditional approach, operating at the IP layer: IKE authenticates the peers and negotiates keys, ESP encrypts and integrity-protects the packets. IPsec supports site-to-site, client-to-site, and other topologies, depending on how authentication and authorization are configured.
- TLS-based VPNs – Built on Transport Layer Security, the successor to SSL that protects HTTPS. TLS authenticates the endpoints with certificates and public/private key pairs, then encrypts the tunnel with the symmetric keys negotiated in the handshake, so the tunnel gets the same cryptographic protection as an HTTPS connection.
Historically, VPNs were used to allow remote access to private networks. Then came the rise of personal VPNs, marketed aggressively as a must-have security tool. You’ve seen the YouTube ads: “Protect yourself from hackers! Stay anonymous! Stop government spying!” But most of these claims are pure FUD (Fear, Uncertainty, and Doubt), designed to sell a product to people who don’t know better.
What a Commercial VPN Actually Does
A commercial VPN connects your device to a network owned by the VPN provider—nothing more. It doesn’t “secure” your internet. Your traffic is still crossing the internet, just through their servers instead of your ISP’s. The same risks apply, just in a different way.
Not all VPN marketing is nonsense, but much of it is misleading. A very common real-world use is getting around terms of service or EULAs, bypassing Netflix region locks, for example. A VPN lets you appear to be in a different country, which violates the streaming provider’s terms. If that doesn’t bother you ethically, fine, but be clear about what is actually happening: you are buying a different exit IP, not security.
A VPN does hide your destinations and traffic contents from the local network operator (the coffee shop, the hotel, your ISP), but it only moves that visibility to the VPN provider, and it is often not the best tool for the problem you actually have.
The Myth of “Public WiFi is Dangerous”
A decade ago, public WiFi was genuinely risky: plenty of sites and apps sent logins and session cookies in the clear. Today almost all websites and services use TLS, so on a properly secured site a VPN adds nothing to the protection of the content. What an observer on the local network still sees is metadata: the IPs you connect to, the hostname in the TLS ClientHello (the SNI field, unless Encrypted Client Hello is in use), and your DNS lookups.
A VPN can hide that browsing from your ISP, but unless you also configure DNS over HTTPS (DoH) or DNS over TLS (DoT), or send DNS through the tunnel, your plaintext DNS queries still leak the same information. And remember: whether you pay $2/month or $100/month, your VPN provider now sees all of that traffic instead.
The “No-Logs” Lie
VPN providers claim they don’t keep logs, and some have been caught holding logs after all when subpoenaed or breached. Even when logs are “anonymized,” traffic patterns can still identify you. If an attacker (or a government) controls a service you connect to, they see the VPN exit IP and the time of every request, and with records from the other side of the tunnel they can correlate that back to your real connection. Once an exit IP and timestamp from one service is tied to you, the same IP and timing can be used to find what else you did through it. This is a simplified picture of user-to-IP attribution; the real process is messier, but the principle holds. And even if the provider truly keeps nothing, its upstream network and hosting providers almost certainly do.
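An added example (not from the original article) of the correlation just described, using two constructed log sources: flow records kept by the VPN server’s upstream provider, which show which customer addresses had a tunnel up and when, and an access log from a site the target visited, which shows only the VPN exit IP. Addresses, timestamps and log formats are all made up for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    """NetFlow-style record a transit or hosting provider keeps for the VPN server:
    which customer address had a tunnel up to it, and for how long."""
    src_ip: str
    dst_ip: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Access:
    """One line from the log of a site the target visited: the VPN exit IP and the time."""
    client_ip: str
    ts: datetime


def parse_flows(lines):
    """Constructed format: 'src dst start end' with ISO-8601 timestamps."""
    flows = []
    for line in lines:
        src, dst, start, end = line.split()
        flows.append(Flow(src, dst, datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return flows


def parse_accesses(lines):
    """Constructed access-log format: 'ip [ISO timestamp] "request"'."""
    accesses = []
    for line in lines:
        ip, rest = line.split(" [", 1)
        accesses.append(Access(ip, datetime.fromisoformat(rest.split("]", 1)[0])))
    return accesses


def candidates_for_access(access, flows, vpn_server, slack):
    """Customer addresses whose tunnel to vpn_server was up when the exit IP hit the site.
    slack absorbs clock skew between the two log sources."""
    return {f.src_ip for f in flows
            if f.dst_ip == vpn_server and f.start - slack <= access.ts <= f.end + slack}


def correlate(accesses, flows, exit_ip, vpn_server, slack=timedelta(seconds=30)):
    """Intersect the candidate sets over every visit made from exit_ip. Each visit at a
    different time removes the customers who were not connected at that moment; a few
    visits are usually enough to collapse the set to one address."""
    result = None
    for a in accesses:
        if a.client_ip != exit_ip:
            continue
        c = candidates_for_access(a, flows, vpn_server, slack)
        result = c if result is None else result & c
    return result or set()


# Constructed data. 203.0.113.10 is the VPN server's ingress; 198.51.100.7 is the exit IP
# the site sees; 192.0.2.x are the provider's customers (all RFC 5737 documentation ranges).
VPN_SERVER = "203.0.113.10"
EXIT_IP = "198.51.100.7"
FLOWS = parse_flows([
    "192.0.2.11 203.0.113.10 2025-01-15T09:00:00 2025-01-15T11:00:00",
    "192.0.2.22 203.0.113.10 2025-01-15T09:30:00 2025-01-15T09:45:00",
    "192.0.2.33 203.0.113.10 2025-01-15T10:30:00 2025-01-15T12:00:00",
    "192.0.2.44 203.0.113.99 2025-01-15T09:00:00 2025-01-15T12:00:00",  # a different server
])
ACCESSES = parse_accesses([
    '198.51.100.7 [2025-01-15T09:40:00] "GET /inbox"',
    '198.51.100.7 [2025-01-15T10:45:00] "POST /comment"',
    '198.51.100.200 [2025-01-15T10:46:00] "GET /"',                    # unrelated visitor
])

if __name__ == "__main__":
    print(correlate(ACCESSES, FLOWS, EXIT_IP, VPN_SERVER))  # {'192.0.2.11'}
```

Neither log names the user by itself: the site sees only the exit IP, and the flow records show only the set of customers connected at that moment. Intersecting across visits shrinks the candidate set until one address remains, and that address belongs to a real ISP account. Busy exit IPs with many concurrent users make this harder, not impossible.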
VPNs and Shady Business Practices
Many commercial VPNs bundle “security tools” that are repackaged open-source software, often outdated or ineffective. The providers that build their own tools rarely match best-of-breed products; even among free antivirus and endpoint protection options there are usually better choices. Do you really trust a $2.99/month company to protect your privacy and keep you “anonymous”? And why is there always an 80% off “limited-time” discount? Reliable security isn’t sold that way.
What a VPN Can’t Do
- A VPN does not protect you from spam or phishing.
- A VPN does not make your device immune to network attacks.
- A VPN does not stop malware, spyware, or data leaks.
At best, a VPN lets you bypass network restrictions. At worst, it gives you a false sense of security and makes you careless online.
Who’s Really Running That VPN?
Some VPN providers are operated by governments to monitor users. Tor is not immune either: anyone, intelligence agencies included, can run an exit node and watch the plaintext traffic that leaves the network.
Alternatives and Recommendations
- If you need privacy from your ISP, set up your own VPN on a VPS provider you trust. You still get the benefit of tunneling to a different network, but you own it and know who holds the logs. A suitable system costs $10 or less per month.
- If you just want to bypass region locks, a proxy is simpler and more efficient, and you can send only the specific traffic you need through it. Many apps and tools support proxies natively.
- If you need real anonymity, use Tor or another onion-routing service. These networks are designed to protect activists and whistleblowers, but even then nothing is foolproof.
- Always assume any service, Tor included, could be compromised. You never truly know who runs the infrastructure.
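As an added example (not from the original article), the following script renders the two configuration files for the self-hosted VPN option, in either full-tunnel or split-tunnel form. WireGuard is assumed here as the tunnel implementation; the article itself does not name one. The VPS address 203.0.113.10, the 10.8.0.0/24 tunnel subnet and the key strings are placeholders, and the AllowedIPs helper computes the “everything except my LAN” prefix list that WireGuard cannot express directly.

```python
import ipaddress

# Placeholder keys: generate real ones on each host with `wg genkey | tee privatekey | wg pubkey`.
SERVER_PUBLIC_KEY = "<server public key>"
SERVER_PRIVATE_KEY = "<server private key>"
CLIENT_PUBLIC_KEY = "<client public key>"
CLIENT_PRIVATE_KEY = "<client private key>"


def allowed_ips_excluding(exclude):
    """AllowedIPs that route everything through the tunnel except the given prefixes
    (typically the local LAN). WireGuard has no 'except' syntax, so the complement has to
    be spelled out as a list of prefixes; ipaddress.address_exclude does the arithmetic."""
    nets = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in (ipaddress.ip_network(e) for e in exclude):
        remaining = []
        for n in nets:
            if ex.subnet_of(n):
                remaining.extend(n.address_exclude(ex))  # split n around ex (empty if equal)
            elif not n.subnet_of(ex):
                remaining.append(n)                      # untouched; dropped if wholly inside ex
        nets = remaining
    return [str(n) for n in sorted(nets)]


def covers(allowed_ips, ip):
    """True if the routing table expressed by allowed_ips sends ip into the tunnel."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in allowed_ips)


def total_addresses(allowed_ips):
    """Number of IPv4 addresses covered by the prefix list (sanity check for the complement)."""
    return sum(ipaddress.ip_network(p).num_addresses for p in allowed_ips)


def client_config(endpoint, client_addr, allowed_ips, dns="10.8.0.1"):
    """Client-side wg0.conf. DNS points at a resolver reachable only through the tunnel so
    lookups never go to the local network's resolver (the DNS leak discussed earlier)."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {CLIENT_PRIVATE_KEY}",
        f"Address = {client_addr}",
        f"DNS = {dns}",
        "",
        "[Peer]",
        f"PublicKey = {SERVER_PUBLIC_KEY}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(allowed_ips)}",
        "PersistentKeepalive = 25",
    ])


def server_config(listen_port, server_addr, client_tunnel_ip):
    """Server-side wg0.conf on the VPS. AllowedIPs here is the client's tunnel address only:
    WireGuard drops packets from a peer whose source address is not in its AllowedIPs."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {SERVER_PRIVATE_KEY}",
        f"Address = {server_addr}",
        f"ListenPort = {listen_port}",
        "",
        "[Peer]",
        f"PublicKey = {CLIENT_PUBLIC_KEY}",
        f"AllowedIPs = {client_tunnel_ip}/32",
    ])


if __name__ == "__main__":
    # Full tunnel that keeps the home LAN (192.168.1.0/24) reachable directly.
    full = allowed_ips_excluding(["192.168.1.0/24"])
    print(client_config("203.0.113.10:51820", "10.8.0.2/24", full))
    # Split tunnel: only the tunnel subnet and the VPS's own network go through WireGuard.
    print(client_config("203.0.113.10:51820", "10.8.0.2/24", ["10.8.0.0/24", "203.0.113.0/24"]))
    print(server_config(51820, "10.8.0.1/24", "10.8.0.2"))
```

For a full tunnel the VPS also needs IP forwarding enabled and a NAT rule for wg0 (typically a PostUp line in the server config), and the DNS line assumes a resolver listening on the server’s tunnel address; both are left out above. Split-tunnel mode is the proxy-like option from the second bullet: only the listed prefixes leave through the tunnel, and everything else, including DNS unless you point it at the tunnel, stays on the local path.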
Why the U.S. Government Warned Against Commercial VPNs
In December 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published mobile communications guidance that treats personal VPNs as more of a risk than a benefit:
8. Do not use a personal virtual private network (VPN). Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface. Many free and commercial VPN providers have questionable security and privacy policies. However, if your organization requires a VPN client to access its data, that is a different use case.
Mobile Communications Best Practice Guidance (PDF)
– Cybersecurity & Infrastructure Security Agency
Many commercial VPNs are closer to scams than to security products: their bundled tools are worse than built-in options like Microsoft Defender, and their marketing is designed to manipulate users.
If you install a personal VPN on a work device, you might be reprimanded or fired. Users often leave it running by accident, violating corporate security policy or locking themselves out of work resources, and when your apparent location suddenly jumps to an untrusted country, the security stack may flag the anomaly. That introduces risk rather than removing it.
Final Thoughts
A VPN isn’t magic. It’s just a tunnel. If you need one for legitimate reasons, set up your own. If you think a VPN alone will protect you from surveillance, hackers, or law enforcement—you’ve been misled.
Know what you’re actually protecting against, and don’t fall for the hype.
Start by defining the problem you are trying to solve. Once you understand the actual threat and the limitations of each tool, the right answer usually presents itself.