Virtual Private Networks (VPNs) have been around for decades, yet they remain one of the most misunderstood security technologies in IT. Some people think VPNs make them “anonymous”. Others believe HTTPS has made VPNs obsolete. In enterprise environments, VPNs are sometimes dismissed as legacy technology in favour of Zero Trust or cloud-native access.
The truth, as usual, sits somewhere in the middle.
A VPN is not a silver bullet, but it is still one of the most effective, practical, and widely deployed security controls for protecting data in transit — particularly on untrusted networks.
From real-world experience, VPNs continue to play a critical role in:
- Public WiFi security
- Remote access to corporate resources
- Protecting sensitive traffic from interception
- Reducing attack surface on unmanaged networks
This article breaks down what a VPN actually is, how it works at a technical level, where it adds value today, and where its limitations begin.
What Is a VPN?
A VPN (Virtual Private Network) is a technology that creates an encrypted tunnel between your device and another network endpoint, typically a VPN server. All traffic passing through this tunnel is:
- Encrypted before leaving your device
- Decrypted only at the VPN endpoint
- Protected from local interception while in transit
In simple terms, a VPN ensures that anyone between you and the VPN server sees only encrypted data, even if the underlying network is completely untrusted.
This is critically important on:
- Public WiFi networks
- Hotel and airport networks
- Shared corporate guest networks
- ISP-managed infrastructure

How a VPN Connection Actually Works (Without the Marketing Fluff)
When you connect to the internet without a VPN, your traffic:
- Leaves your device unencrypted or partially encrypted
- Passes through local routers, access points, and ISPs
- Can be inspected, logged, or manipulated along the way
When you connect with a VPN enabled:
- Your device establishes a secure tunnel to a VPN server
- All traffic is encrypted before it leaves your device
- The VPN server forwards traffic to the internet on your behalf
- Responses return through the same encrypted tunnel
This means:
- Local attackers cannot see your traffic
- Public WiFi operators cannot inspect payloads
- ISPs see only encrypted data going to the VPN server, not the final destinations or content
- Your real IP address is masked behind the VPN server
From a security standpoint, the VPN becomes your trusted network boundary, regardless of where you physically connect.
Why VPNs Still Matter in a World of HTTPS and Zero Trust
A common argument is: “Everything is HTTPS now, so VPNs aren’t needed.”
This is only partially true.
HTTPS Protects Applications — VPNs Protect Everything
HTTPS encrypts specific application traffic, but it does not:
- Protect DNS requests by default
- Prevent metadata leakage
- Secure background services
- Protect non-HTTP protocols
- Stop local network reconnaissance
A VPN encrypts all traffic between your device and the VPN endpoint, regardless of application or protocol.
In real-world security incidents, HTTPS alone has not prevented:
- Session hijacking
- DNS poisoning
- Malicious captive portals
- Traffic analysis attacks
VPNs significantly reduce these risks.
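A VPN only covers the traffic its client actually routes into the tunnel. As an added example (not from the original article), this Python check reads a WireGuard `wg-quick` client configuration and reports IPv4, IPv6 or DNS traffic that would stay outside the tunnel; the sample configs, hostnames, key placeholders and function names are constructed for illustration.

```python
import ipaddress

# Constructed wg-quick client configs; keys, names and addresses are placeholders.
FULL_TUNNEL = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32, fd00:8::2/128
DNS = 10.8.0.1
[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""
SPLIT_TUNNEL = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32
[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = 10.0.0.0/8
"""


def parse_wg_conf(text):
    """Map (section, key) -> list of comma-separated values, names lower-cased."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section:
            key, val = line.split("=", 1)
            items = [v.strip() for v in val.split(",") if v.strip()]
            values.setdefault((section, key.strip().lower()), []).extend(items)
    return values


def audit_tunnel(text):
    """List the traffic a single-peer client config would leave outside the tunnel."""
    conf = parse_wg_conf(text)
    nets = [ipaddress.ip_network(n, strict=False)
            for n in conf.get(("peer", "allowedips"), [])]
    findings = []
    for version, label in ((4, "IPv4"), (6, "IPv6")):
        family = [n for n in nets if n.version == version]
        # collapse_addresses merges e.g. 0.0.0.0/1 + 128.0.0.0/1 into 0.0.0.0/0
        if not any(n.prefixlen == 0 for n in ipaddress.collapse_addresses(family)):
            findings.append(f"{label}: no default route in AllowedIPs, other traffic bypasses the tunnel")
    if not conf.get(("interface", "dns")):
        findings.append("DNS: not set, the resolver assigned by the local network stays in use")
    return findings
```

An empty list from `audit_tunnel` means the config routes both address families and DNS through the tunnel; a split-tunnel config is a valid choice for corporate access but leaves everything outside the listed ranges on the local network.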
Common VPN Use Cases (That Actually Make Sense)
1. Public WiFi Security (Still the #1 Use Case)
Public WiFi remains one of the highest-risk environments for endpoint devices.
From hands-on experience:
- Rogue access points are trivial to set up
- Packet sniffing is still common
- Misconfigured hotspots are everywhere
A VPN neutralises most of these attacks by encrypting traffic before it hits the airwaves.
If you only ever use a VPN in one situation, this should be it.
2. Remote Access to Corporate Networks
Enterprise VPNs allow users to:
- Access internal systems securely
- Authenticate using corporate identity providers
- Enforce access policies centrally
- Reduce exposure of internal services
Even in Zero Trust models, VPNs are often still used as:
- A transport layer
- A fallback access mechanism
- A secure tunnel for legacy systems
3. Privacy and ISP Visibility
Without a VPN, your ISP can:
- See every site you visit
- Log DNS requests
- Profile usage patterns
- Throttle or prioritise traffic
A VPN does not make you invisible, but it significantly reduces third-party visibility into your online behaviour.
For professionals working with sensitive material, this matters.
4. Geographic Access and Content Restrictions
Many services restrict content by location due to licensing agreements.
A VPN allows you to:
- Route traffic via different regions
- Test geo-specific behaviour
- Access region-locked services
While often marketed for streaming, this is also useful for:
- Application testing
- Security validation
- International troubleshooting
What Makes a Good VPN (From an IT Perspective)
1. Secure Protocols
Avoid outdated protocols like PPTP entirely.
Look for support for:
- OpenVPN (TLS-based)
- IKEv2/IPsec
- WireGuard
These offer strong encryption and modern security guarantees.
2. No-Logging Policy (That Actually Means Something)
A VPN provider should:
- Not log connection metadata
- Not log browsing activity
- Be transparent about jurisdiction
Remember: you are shifting trust from your ISP to the VPN provider.
Choose carefully.
3. Server Locations and Exit Nodes
A good VPN should offer:
- Multiple geographic regions
- Redundancy and failover
- Nearby servers for performance
Latency matters — physics still applies.
4. Performance and Bandwidth
Encryption adds overhead, but a quality VPN should:
- Maintain stable connections
- Offer unmetered bandwidth
- Minimise speed degradation
In practice, expect around a 5–15% speed reduction on a well-implemented service.
5. Cross-Platform Support
A professional-grade VPN should support:
- Windows
- macOS
- Linux
- iOS and Android
- Router-level configurations (optional)
Consistency across devices is critical.
Free VPNs vs Paid VPNs: The Hard Truth
From a security standpoint, free VPNs are rarely free.
Common issues with free services:
- Aggressive logging
- Advertising injection
- Limited encryption protocols
- Bandwidth throttling
- Poor reliability
If privacy and security matter, a reputable paid VPN is almost always the safer choice.
Will a VPN Slow Down My Internet?
Yes — but usually not enough to matter.
Performance impact comes from:
- Encryption overhead
- Distance to VPN server
- Server congestion
In real-world testing, a high-quality VPN typically introduces:
- Minimal latency increase
- Negligible impact on browsing
- Slight reduction in maximum throughput
For most professional workloads, the trade-off is worth it.
Important Limitations of VPNs (What They Don’t Do)
A VPN does not:
- Protect against malware you install
- Stop phishing attacks
- Replace endpoint security
- Make you anonymous online
- Secure compromised devices
VPNs are one layer — not the entire security stack.
How Do You Get a VPN, and Which One Should You Choose?
Depending on your needs, you can either use a VPN from your workplace, create a VPN server yourself, or sometimes host one out of your house — but realistically the vast majority of people are just looking for something to protect them while torrenting or help them watch some media online that they can’t seem to access from their country.
The easiest thing to do is simply head to one of these sites, sign up, and download the VPN client for your Windows PC, Mac, Android, iPhone, or iPad. It’s as easy as that. These are just a few examples, so do your research first because there may be another better suited to your needs. This is very important because you do not want to sign up only to find that there are restrictions in place or that the performance is less than desired.
- ExpressVPN – This VPN service has the best combination of ease of use, powerful encryption, really fast servers, and support for streaming media and torrenting. One of the more expensive VPNs available, but it comes with a truckload of features, and if you use Netflix, then you can get unlimited Netflix streaming.
- Hotspot Shield – This VPN is simple but extremely effective with very good levels of security and privacy. This VPN also has unlimited Netflix streaming and comes with real-time malware protection.
- TunnelBear – This VPN is really easy to use, is great for using at the coffee shop, and has a (limited) free tier. It’s not good for torrenting or streaming media, though. Unrestricted access to Netflix.
- StrongVPN – Not quite as easy to use as the others, but you can definitely use it for torrenting and streaming media. Unrestricted access to Netflix.
- HideMyAss – One of the more established VPN services with an extensive range of server locations. Unrestricted access to Netflix.
- NordVPN – NordVPN is one of the more fully-featured VPN services. It is extremely secure and keeps no logs at all, which is also a big drawcard for those who care about privacy. Simple to use and has bonus features such as malware protection. Unrestricted access to Netflix.
All of them have free trials, so you can easily get your money back if you change your mind.
Final Thoughts: VPNs Are Still a Core Security Control
Despite newer technologies and evolving architectures, VPNs remain:
- Relevant
- Effective
- Widely deployed
- Easy to misuse if misunderstood
For IT professionals, a VPN should be viewed as:
- A transport security layer
- A public network protection mechanism
- A privacy-enhancing control
- A complement to Zero Trust — not a competitor
In an environment of increasing surveillance, credential theft, and network-based attacks, a VPN remains one of the simplest ways to meaningfully reduce risk.
Used correctly, it’s still one of the most valuable tools in the modern security toolkit.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.

