VPN advertising promises invisibility. "Protect your privacy with one click." "100% anonymous online." "Military-grade encryption." That is marketing, not a threat model.
A VPN is a tool. Like any tool, it is built for specific tasks and completely unsuitable for others. Buying a VPN without a threat model means buying a feeling of security, not an actual protection level.
This article answers one question: Does a VPN protect you from what you actually want to be protected from?
"A VPN shifts trust. It does not eliminate it."
What a VPN Actually Does
A VPN builds an encrypted tunnel between your device and a server run by the VPN provider. All traffic flows through this tunnel before reaching the public internet.
That has three concrete consequences:
- IP masking: Websites and services see the VPN server's IP address, not your real one. Your actual location stays hidden.
- Encryption toward your ISP: Your internet provider sees that you are connected to a VPN server. It does not see which sites you visit or what data is transmitted.
- Trust shift: Instead of your ISP, you now trust the VPN provider. That provider sees your traffic, unless it operates a genuine no-logs policy and actually enforces it.
What a VPN does not do: it does not prevent browser fingerprinting, cookie tracking, JavaScript analysis or Google login correlation. The IP address has been irrelevant to the ad industry for years.
Protection by Threat Model
Five real scenarios, honestly assessed:
| Threat | VPN Protection | Why |
|---|---|---|
| Public Wi-Fi (hotel, café, airport) | 10/10 | Data leaves your device already encrypted; an attacker on the same network sees only noise |
| ISP surveillance / DNS logging | 9/10 | ISP sees only the encrypted VPN connection, no content, no domains |
| Targeted law enforcement | 8/10 (Mullvad/Proton) · 0/10 (free VPN) | No-logs provider with proven raid resistance vs. a provider that sells logs |
| State mass surveillance / DPI | 7/10 | Deep packet inspection identifies VPN protocols with 85–99% accuracy (depending on method): traffic is recognizable, content is not |
| Ad industry / Google / Meta | 1–2/10 | Browser fingerprinting makes the IP address irrelevant: tracking runs via canvas, fonts, GPU |
The most important takeaway: buying a VPN to escape Google or Meta is money spent on the wrong problem. Buying a VPN to stay safe on café Wi-Fi is exactly the right call.
DNS and VPN: The De-Anonymization Paradox
This is the section most VPN guides skip, and the one that causes the most mistakes in practice.
Many privacy-conscious users combine a personalized NextDNS profile with a VPN. The idea sounds reasonable: better filtering through NextDNS, encryption through the VPN. The problem is in the details.
Your NextDNS profile is linked to your account. It has a unique configuration: which blocklists are active, which domains you whitelist, which DNS queries you send. This yes/no answer matrix creates a logical fingerprint that makes you uniquely identifiable. If those queries travel through the VPN tunnel, NextDNS may not learn your real IP, but it learns your behavioral pattern, which amounts to your identity.
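The fingerprint argument above, as an added example that is not part of the original article: each resolver profile is reduced to its blocked/resolved answers for a set of probe domains, and the code counts how many profiles share each answer vector. All blocklist names, domains and profiles are constructed for illustration.

```python
from collections import Counter

# Everything below is constructed for illustration: list names, domains, profiles.
BLOCKLISTS = {
    "ads": {"ads.example", "banner.example"},
    "trackers": {"track.example", "pixel.example"},
    "social": {"social.example"},
    "malware": {"bad.example"},
}
PROBES = ("ads.example", "banner.example", "track.example",
          "pixel.example", "social.example", "bad.example", "news.example")

PROFILES = {
    # Personal profiles: own list selection plus own allowlist entries.
    "personal_a": {"lists": ["ads", "trackers", "social"], "allow": ["pixel.example"]},
    "personal_b": {"lists": ["ads", "malware"], "allow": ["banner.example"]},
    "personal_c": {"lists": ["trackers", "malware"], "allow": []},
    # Users of one shared resolver setting all get the same answers.
    "shared_1": {"lists": ["ads", "trackers"], "allow": []},
    "shared_2": {"lists": ["ads", "trackers"], "allow": []},
    "shared_3": {"lists": ["ads", "trackers"], "allow": []},
}

def answer_vector(profile, probes=PROBES):
    """Blocked (1) / resolved (0) answer the profile gives for each probe domain."""
    blocked = set().union(*(BLOCKLISTS[name] for name in profile["lists"]))
    blocked -= set(profile["allow"])
    return tuple(int(domain in blocked) for domain in probes)

def anonymity_sets(profiles):
    """For each profile, count how many profiles produce the identical answer vector."""
    vectors = {name: answer_vector(p) for name, p in profiles.items()}
    counts = Counter(vectors.values())
    return {name: counts[vec] for name, vec in vectors.items()}

def unique_profiles(profiles):
    """Profiles whose answer vector is shared with nobody else (anonymity set of 1)."""
    return sorted(n for n, size in anonymity_sets(profiles).items() if size == 1)

if __name__ == "__main__":
    for name, size in anonymity_sets(PROFILES).items():
        print(f"{name:11} vector={answer_vector(PROFILES[name])} set_size={size}")
```

The three personal profiles each end up alone with their answer vector, while the users of the shared setting are indistinguishable from one another.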
Even when DNS queries stay inside the Mullvad tunnel, Mullvad's own dashboard sometimes shows a "Leaking DNS servers" warning. This is usually a technical false alarm when requests correctly remain within the tunnel. The rule still stands:
DNS Recommendation by Goal
- Anonymity goal with VPN: Use the VPN's own DNS (e.g. Mullvad DNS Adblock). Do not route NextDNS through the tunnel. The NextDNS profile creates a fingerprint that defeats VPN anonymity.
- Home network without VPN: NextDNS at the router level is a solid choice — good filtering, easy management, no fingerprint problem (you are already identifiable via your home IP anyway).
- Home network combined with VPN: VPN traffic uses VPN DNS, local traffic uses NextDNS, separate configuration per connection.
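One way to check the per-connection split described in this list, as an added example that is not part of the original article: it parses per-link resolver lines and flags a tunnel interface that uses anything other than the VPN's own DNS. The `Link N (ifname): addr` line format is modelled on `resolvectl dns` output; the interface prefixes, addresses and sample listings are constructed placeholders.

```python
import ipaddress
import re

# Assumptions (not from the article): tunnel interface prefixes and the address
# standing in for the VPN provider's in-tunnel resolver. Replace with your own.
VPN_IFACE_PREFIXES = ("wg", "tun")
VPN_RESOLVERS = {ipaddress.ip_address("10.8.0.1")}  # placeholder value

LINK_RE = re.compile(r"^Link \d+ \((?P<iface>[^)]+)\):\s*(?P<servers>.*)$")

def parse_links(text):
    """Return {interface: [resolver addresses]} from per-link DNS lines."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if not m:
            continue  # skip "Global:" and anything unrecognised
        # Drop an optional "#server-name" suffix and IPv6 "%scope" before parsing.
        links[m["iface"]] = [
            ipaddress.ip_address(s.split("#")[0].split("%")[0])
            for s in m["servers"].split()
        ]
    return links

def check_dns_policy(text):
    """Flag tunnel links that lack a resolver or use one that is not the VPN's own."""
    findings = []
    for iface, servers in parse_links(text).items():
        if not iface.startswith(VPN_IFACE_PREFIXES):
            continue  # local links keep their own resolver (e.g. the router)
        if not servers:
            findings.append((iface, "no resolver set on tunnel link"))
        for s in servers:
            if s not in VPN_RESOLVERS:
                findings.append((iface, f"external resolver {s} inside tunnel"))
    return findings

# Constructed sample listings.
GOOD = "Global:\nLink 2 (wlan0): 192.0.2.53\nLink 5 (wg0): 10.8.0.1\n"
BAD = "Global:\nLink 2 (wlan0): 192.0.2.53\nLink 5 (wg0): 10.8.0.1 198.51.100.7\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, check_dns_policy(sample) or "policy satisfied")
```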
Mullvad vs. ProtonVPN
Anyone looking for a serious VPN provider usually ends up at one of these two. Both are worth recommending. The difference lies in the threat model.
| Criterion | Mullvad | ProtonVPN |
|---|---|---|
| Account required | No, anonymous account number only | Yes, email address required |
| Anonymous payment | Cash, Monero, Bitcoin | Bitcoin possible, but account is linked |
| Server infrastructure | RAM-only servers, no persistent storage | Standard servers with independent audit |
| Raid test | 2023: police raid with no usable result | Regular independent audits |
| Legal framework | Sweden | Switzerland (protects VPN, not email) |
| Price | Flat 5 EUR/month | Free tier + paid plans |
Mullvad is the clear choice for maximum anonymity: no name, no email, RAM-only, proven under pressure. ProtonVPN makes sense if you are already in the Proton ecosystem (Proton Mail, Proton Drive) and prefer a bundle. Swiss law protects the VPN service specifically, not necessarily the other services in the suite.
Cash Grab? Free vs. Paid VPNs
The VPN market is full of providers running aggressive advertising: "100% anonymous", "No logs guaranteed", "Military encryption." That is not inherently false, but marketing is not engineering, and ad copy is not an audit.
Free VPNs are the real problem. Servers cost money. If you are not paying, you are the product. Numerous studies have documented that free VPN apps sell user data, inject traffic or log and resell DNS queries. Stay away.
Reputable paid providers deliver real value, but only for the right scenarios. Paying for Mullvad at 5 EUR/month gets you: ISP encryption, public Wi-Fi protection, IP masking, RAM-only infrastructure and a provider that under genuine legal pressure could not hand over data because none existed.
What you do not get: invisibility to Google, anonymity despite a browser fingerprint, or protection against targeted surveillance at the OS level.
Recommendation by Goal
I want to use public Wi-Fi safely
Any reputable paid VPN will do. Mullvad or ProtonVPN are first choice. Keep it active whenever you are not on your home network.
I want to keep my ISP out of my browsing history
Mullvad or ProtonVPN with DNS-over-VPN (no external DNS routed through the tunnel). Prefer RAM-only servers.
I want maximum anonymity
Mullvad: register anonymously, pay with Monero or cash, RAM-only servers, Mullvad DNS Adblock instead of an external DNS profile. Add Mullvad Browser for the cleanest combination.
I want to get rid of Google and Meta
A VPN barely helps here. The effective measures are: Firefox or LibreWolf with uBlock Origin, no Google account in the browser, no Meta apps. More: Privacy Browser Comparison.
On Android: GrapheneOS + Mullvad VPN
GrapheneOS has a built-in per-app VPN kill switch. You can specify which apps are allowed to use the VPN and which are not, directly in the OS, with no root required. Install Mullvad VPN from the F-Droid repository or the official Mullvad download, then enable always-on and the kill switch. This is the cleanest mobile setup available.