Truth about vpns: a non-technical analysis
All the traffic coming from your home network, from behind your router, shares the external IP of your router. The internet side (WAN) gets an IP address like 72.43.124.56 (which we'll use for our examples) and the home network side gets an address of 10.0.0.1 or 192.168.0.1 ( or a derivative as defined by standards). So all traffic from behind your router, on the LAN, uses the return address of 72.43.124.56. A service on your router called NAT keeps track of which traffic is coming from which device so it knows where to send return traffic. So my pc has a LAN address of 192.168.0.34, which my router assigned it using the DHCP service. But, when I type in www.newegg.com in my browser, something else has to happen first, it has to know the IP address of newegg.com, which is different based on your geographical region.
Typing https://www.newegg.com in my browser causes my computer to check it's recent memory and see if I've accessed newegg recently. If so, it gets the newegg.com IP address from memory. If not, it goes to the router, who see's it sending a DNS request, and sends the request to a DNS server, as set in the router, to get the correct IP address of newegg.com for my geographical region. The DNS server sends the correct IP address back to the router at 72.43.124.56. The router keeps track of connections and sends the DNS request back to 192.168.0.34.
Next the computer uses the IP address of newegg to make an https request to https://www.newegg.com . The newegg server establishes a connection to the router which passes it through to the PC. The newegg server asks for the type of device requesting the web page (mobile or desktop) and for the type of browser being used. Using this information, the server sends the correct web page back to the browser and shows you a correct page for your geographical location, your browser, and your device (mobile or desktop). All this happens in milliseconds with a good internet connection.
But in this interaction, you have revealed information to both the DNS server and the newegg server. You have revealed your geographical location, not down to the street level, but usually the closest city. You have revealed to the DNS server that you're visiting the newegg.com site. All this comes from the 72.43.124.56 address.
Servers use the geographical information to offer their services only where they are allowed. Parts of Xfinity's DVR services are only available if you connect from your home IP. Many streaming services have to limit their programs by country as well. Using your IP address is how they do this.
So now what does a VPN actually do? I provides you with a fake IP in another region. If you're traveling in Europe, but want to view programming in the States, you use a VPN to say you're in a particular city. Usually there are many cities and countries to choose from with good VPN providers, so sometimes you get to choose not just the country you want to pretend to be in, but the city in that country.
Now not only does a VPN provide a different geolocation, but it provides a light level of anonymization. Each VPN connection shares an IP with other users of the VPN, so it makes it harder to actually trace the traffic back to the real original IP. Lots of users using a single VPN address is a light level of protection against tracing who was making the connection.
Some VPN providers also provide a type of DNS protection that protects the user from the DNS server knowing who actually made the request for the IP address.
So a VPN provides a low level of anonymizing and DNS protection. Why would we care? Your ISP uses this data and sells it, just like Google sells what it learns about you from google.com and your Android phone. A VPN does help you from being taken advantage of by the services you are already paying for.
Again, a VPN tunnels your data from your device to the VPN server in the country/city you choose. Then from there the internet works as normal.
But, for a VPN to work, it has to keep records of what data is going where. Some VPNs say they don't keep paper or digital records, but there is no actual way to verify this until they get a warrant from a government demanding to know about a specific connection.
Similarly, the way the internet and server work, if there's not a record on the server ( at least temporarily), your data won't get back to you. Also you have to consider your billing and payment method. If you pay by credit card, then there is certainly a record of you buying the service.
The way servers work, if there isn't a record of connections to where and the speeds, then there can't be any type of service improvement or Quality of Service, as it's called on an internet adapter. Some VPNs block downloading torrents from sites like Pirate Bay. So unless they're monitoring your connections, they wouldn't know if you were torrenting. So some level of records are required for a VPN service to function.
So is it worthwhile? It depends on what your threat-vector is. Are you concerned with government accessing your browsing behaviors, or are you concerned with hackers and google stealing your browsing data to sell it without your approval? VPNs are more effective against non-governmental spies.
To provide another level of obfuscation, if you are concerned about federal spying on your browsing and transactions, you should use a VPN not headquartered in the United States or Europe ( or in your country). Not that it makes it impossible, but it just adds one more jurisdictional level of hassles for spies to go through to monitor your browsing data.
For countries where websites are restricted, news only comes from the government, and websites need approval by censors, a good VPN will bypass the restrictions by making it look like you're in another country. But again, this requires caution in picking a secure VPN.
For years, the United States government bugged cryptographic hardware sold by the world's biggest cryptography company. How do you know the VPNs aren't secretly run by governments? Judging by history, I guarantee some of them are. Which ones? Good question.
Another issue with VPNs is that since the internet moved to https (encrypted connection webservers), it's more difficult for third parties to see what data is being transferred. The IPs aren't hidden, since the routers and switches need to know where the data is going and coming from, but the data enclosed in the packets is encrypted. Again, it's not impossible for someone to perform an attack and steal the certificate for the packets, but it is much more difficult than it use to be with http. Https decryption keys are different for each connection ( conversation per device) so it does provide a decent level of protection again low level hackers and generic threats. Pushing https is one of the good things Google has done for the network. Before that, it was much easier to read the network data and even pretend to be a server in order to steal passwords and funds.
A good VPN will provide a certain level of protection for emails, geolocation, downloading a pirated movie or two, or downloading pirated software. If your computer uses IPv6, you'd have to get a VPN that protects IPv6 as well as IPv4, or you won't be protected. While on a VPN, it's just safer to disable IPv6 on your device.
The highest level of security is provided by the TOR network. TOR was developed by the United States Navy to enable secure communications, but every few years another vulnerability is found and exploited in that as well. TOR is also slow, because of its routing methodology which is how it provides the anonymity. There can be nefarious TOR bridges (as their called) or nefarious exit nodes on TOR also. But for all the technology available to non military civilians, TOR is certainly the most secure. But with the constant balancing between security vs. convenience, TOR is usually only used in the most critical situations.
So while we shouldn't believe all the advertising about VPNs, they have their place and proper use. ( Some apps even use geolocating as a security measure as well, like a banking app not letting someone from Pakistan log into your bank account in California ). Do you need one from email or online purchases? No. For browsing the latest bowel reconstruction techniques? Not really, unless that's illegal in your country. For downloading a copy of that movie you have on VHS so you can watch it without a VHS player? Sure. For downloading a preactivated copy of Windows 11? If you want malware in your Windows, sure.
