You might have heard of VPNs from some commercials, or you're using one right now and want to brag about how it keeps your network "secure" as if you knew better.
So what is VPN exactly? Is it all that good?
If you have these questions or, on the other hand, haven't even heard of a VPN at all, you're reading the right post. You'll find the necessary general information on this type of network connection for travelers -- with an emphasis on travelers -- and how to get one for free.
Most importantly, you'll learn when to use a VPN and when not. Hint: VPN is not synonymous with security, privacy, or the lack thereof.
Dong's note: I first published this post on April 1, 2019, and updated it on April 26, 2023, to add additional relevant information.
What is a VPN
VPN, short for virtual private network, is a method to create a secure(*) logical (virtual) connection within a physical network structure to make a device at one geophysical location be part of a system at another.
(*) The VPN connection is encrypted by default securing all traffic within it. This encryption notion tends to be exaggerated to prop up the importance of VPNs.
Without a VPN, a computer's connection to the Internet is encrypted by the application -- some applications' connections might not be secure, but most are.
For example, your browser is using a secure connection to display this page, as indicated by the lock (or shield) icon in the URL, whether you're using a VPN or not.
Depending on the VPN protocol and the way a server is set up, one VPN connection can be more secure than another. The drawer below will give you some brief highlights.
Three VPN protocols in brief
The following are popular standard VPN protocols:
WireGuard
Wireguard is the latest VPN protocol. Debuted in 2016, initially only for Linux, but since 2020 has been available cross-platform (Windows, macOS, BSD, iOS, Android).
Using cryptography, the new protocol is slated to be extremely simple yet fast. WireGuard is still under development but has proven to be the most secure, easiest-to-use, and simplest VPN solution.
WireGuad is on the way to possibly replacing all existing protocols below.
OpenVPN
As the name suggests, OpenVPN is a flexible VPN protocol that uses open-source technologies, including OpenSSL and SSL.
As a result, it has a high level of customizability and is the most secure. It also can't be blocked.
In return, OpenVPN requires extra client software, making it less practical. But this protocol is the best if you want to be serious about VPN.
L2TP/IPsec
Short for Layer 2 Tunnel Protocol is the second most popular VPN protocol -- it's also a built-in application in most modern operating systems -- and an interesting one.
It has no encryption by default, so it's not secure where the IPsec -- or IP security -- portion comes into play to provide encryption. Therefore, this protocol is rigid in port use and can be blocked by a third party.
The point is L2PT/IPsec is great when it works. And it does in most cases, which ultimately depends on whether the local network of the remote device allows it to pass through.
PPTP
Short for point-to-point tunneling protocol, PPTP is the oldest among the four and is on the way out.
First implemented in Windows 95 and has been part of the Windows operating systems and many other platforms since PPTP is well-supported and the easiest to use.
However, it's also the least secure. It's better than no VPN at all, and it does its purpose of making a remote device part of a local network.
That said, if you take security seriously, or have other options, skip it. On the other than, it sure is better than nothing and good enough for most home users.
Specifically, you can be thousands of miles away from home, but the device you're using via a VPN can be part of your home network. Thus, it's like the device (and, therefore, you) is still at home.
If that sounds odd, that's because VPN is not normal. It's for specific needs. So the question is, why do you want to be part of these complicated "shenanigans"?
Well, that brings us to the good in a VPN -- why we'd want one at all.
Benefits of using a VPN: Being part of a remote network
The main and possibly only advantage of using a VPN is that you can "spoof" your device's online location. In a way, you can hide it.
Hide from whom you might wonder. From the network the device's physically part of in real-time, or from other parties on the Internet (like a website or a streaming service) it's accessing. It doesn't exist to the former; to the latter, it appears to exist elsewhere.
Let's take a specific example. You're at a cafe in Europe, and your laptop connects to the venue's free public Wi-Fi. Additionally, if it's also connected to your home (or office) VPN in the US, the following will be true:
- Privacy and security via isolation: Your device, for the most part, is invisible to the local network at the cafe. Specifically, the computer of the guy sitting next to you that connects to the same Wi-Fi network will not "see" yours. Whatever you do online is, for the most part, unknown to any parties around you.
- Location masking: To the Internet, your laptop will appear to be at the location of the VPN server, wherever it is. As a result, among other things, you can access services available to the server's locale. In this particular case, you can watch Netflix shows accessible only to the US audience, for example.
- Working remotely: When traveling, a VPN allows you to access your home/office network's resources like you were there. For example, you can open a file on your office's server and even print a document to the office printer.
So, in short, using a VPN, a remote device becomes part of the network at the VPN server's location, no matter the distance between them.
Disadvantages of using a VPN: Being part of a remote network
Nope, it wasn't a typo. The disadvantages of a VPN are precisely where its advantages are. A VPN is a double-edged sword. Having to connect to a third party before anything else means a couple of things:
There are advanced ways to use VPN selectively for particular services or devices of a network, etc. But that's a different story.
- Slow speed, high latency: Since all Internet traffic goes through a remote server, the connection is now slower and with higher latency. Specifically:
- The download speed at the remote device will depend on the upload speed at the server's end. The actual rate will be whichever of the two that's slower.
- Your device will get double the latency. You're effectively dealing with two Internet connections, the local and that of the VPN server.
- Privacy risk: The owner of the VPN server has access to all of your VPN-connected device's Internet traffic and possibly the traffic of your local network. Keep this in mind before you opt for a third-party VPN service.
- Extra work or cost: You must set up a VPN server and maintain it or pay for a service.
- Isolation: Depending on the configuration, the device might be unable to access local services, including other devices within your home network, since it's part of a remote network.
So as you might have noticed, a VPN is not inherently better for online privacy or security. It's just a way to make you look like you're somewhere else and all that implies. With a VPN, your information might be more secure, or it might not. And it can also be more vulnerable.
And a VPN will always make your Internet connection worse, by little or by a lot, depending on the server and where you are.
Assumptions about VPNs and security
The privacy and security notion of using a VPN involves a few assumptions, including:
- The local physical network you're using is not safe. That can be true when you use an unknown open free Wi-Fi network, but it's not always the case.
- The remote network (where the VPN server is) is safe. That's likely true when you VPN into a home (or office) network, but also not always so.
- The owner of a VPN service always means well. That is almost always untrue when you use a third-party VPN service.
These assumptions are the selling points third-party VPN providers often use to convince you to have one. Literally, there's no VPN commercial without the word "security."
Many paid VPN providers -- all of them, in fact -- offer deep incentives via affiliation and referral payouts. And that's the reason behind the never-ending myriad of online content advocating their "security" and "privacy" half-truth. When you click on the sign-up link, the writers make money.
Once again, keep this in mind:
The owner of the VPN server has access to all of your device's traffic. A third-party VPN service charges you a monthly fee and gains access to your data. It's a double whammy.
That brings us to the next important part: When to use a VPN and when not to.
When to use a VPN
Again, a VPN allows for being part of a remote network, so you only need one when you're not physically there. Most of the time, that means when you're traveling or working from home.
In the former, you want to be isolated from the possibly sketchy network you're using, and in the latter, you want to be able to access your office's resources.
Another situation where you might want a VPN is when you need to access a service unavailable at your locale. For example, if you're in China and want to access Facebook, a VPN (located outside of China) will help.
Finally, when you want to hide your identity from the Internet service provider or any other party over the Internet, a VPN will help -- your online presence can't be traced back to you. (I'm not advocating illegal activities here.)
When not to use a VPN
Generally, if you don't need to hide your identity or access some remote services/resources, there's no need to use a VPN. Using one, in this case, only makes things worse.
Many folks have a VPN installed on their home computer for "security purposes." That's completely unnecessary, with nothing in return. And when you use a third-party VPN service that way, you also put your privacy at great risk -- you're being spied on.
Virtual Private Network (VPN) vs Domain Name System (DNS)
While seemingly unrelated, a VPN server (or any network, for that matter) always involves DNS.
DNS works like a directory service that identifies and points a device to the website you want to access. After that, your device will interact with the site directly, independently from the DNS server.
On the other hand, a VPN always routes all of your device's traffic through the VPN server. Furthermore, a VPN server also uses a DNS server of its own. So if you use a VPN, you'll likely use the DNS setting of the VPN's owner.
That said, a remote device connecting to a VPN network will use the DNS server of that network. Consequently, the VPN server can manage, monitor, and control all aspects of connected clients.
A few easy ways to have a VPN
There are a few ways to get a VPN connection. You can subscribe to a paid service, use a free one, or set one up on your own.
Buying a paid VPN service
Using a paid service gives you ease of use and flexibility -- you can use it for mobile and regular computers.
A paid service tends to promise to deliver fast performance, though that depends on many other factors, like the actual location of the remote device.
The downside is, well, it's not free. And, if a VPN service itself is hacked, which has happened, its privacy protection aspect is canceled. And you only find out about this after the fact. Also, again, keep in mind that you're giving away your online privacy.
That said, I generally don't recommend buying a VPN subscription -- mostly because you can get one for free. You're already giving away valuable personal information; why should you pay for it?
Using a free VPN service
Since VPN is so valuable regarding user data collection, Internet giants like Google, Apple, and Cloudflare all offer free VPN (and DNS) services.
Take "free" with a grain of salt since information about your connection -- even when gleaned anonymously -- is valuable.
If you use an Android phone, it comes with one from Google. iOS devices will automatically get one from Apple. All you have to do is go to the VPN section of the device and turn it on. (This section also allows you to create a VPN connection with a standard server.)
Other than that, there are also those from other parties. Among those, Cloudflare's WARP is quite popular and useful. The drawer below will give you more info.
Cloudflare's WARP
Touted as the "VPN for those who don't know what VPN stands for," WARP is easy to use. All you need is to install the app on your device -- running Android, iOS, macOS, Linux, or Windows -- and choose to turn the VPN on, and that is it.
WARP was initially introduced in April 2018 as a DNS app, allowing users to use Cloudflare's 1.1.1.1 DNS address as their own. Since then, the app has evolved into something much bigger, including a comprehensive VPN function.
WARP is free to use, and Cloudflare promises to make your device more secure and faster access to the Internet. (There's also a paid version called WARP+ that promises to deliver even better speed.)
By the way, Cloudflare promises to respect WARP users' privacy. Here's what it told me on the matter:
- "1. We don't write user-identifiable log data to disk;
- 2. We will never sell your browsing data or use it in any way to target you with advertising data;
- 3. Users don't need to provide any personal information โ not your name, phone number, or email address โ to use the 1.1.1.1 App with WARP; and
- 4. We will regularly hire outside auditors to ensure we're living up to these promises."
Turning your Wi-Fi router into a personal VPN server
Setting your server takes a bit of work but is the best way to go about having VPN. It's free, and you're in charge of your data.
VPN is one of the most common advanced features for home Wi-Fi routers released in the past ten years. Almost all routers, including Asus, Netgear, Synology, and TP-Link, have this feature.
Generally, to use a router's VPN, you first need to set up Dynamic DNS, which I detailed in this post on DDNS. After that, configure the VPN protocol of your choice, as mentioned above.
Besides standard VPN servers, many routers also have a simplified app-based VPN solution. Specifically, Ubiquiti's AmpliFi routers come with Teleport, and Asus routers have Instant Guard. Both are valuable and well-thought-out VPN solutions for mobile users, as I detailed in this post on Instant Guard vs Teleport.
Finally, a home router can handle between three and thirty VPN clients simultaneously, depending on the model -- enough for any personal needs.
The takeaway
Considering how easy it is to have a VPN these days, it's generally a good idea to use it when connected to a local network whose security you're unsure about.
Here are a couple of recap bullet points to keep in mind:
- A VPN connection is only applicable when:
- you need to access something not available to your current physical locale.
- you want to be anonymous when online.
- Building your own VPN server is best, but using a third-party service is OK when that's an easy option.
- A VPN only makes things worse when you're already using a safe network
Using a VPN doesn't guarantee online privacy or security. It only changes your exposure by moving your risks from one party to another.
When you're home, getting connected via a VPN is like using your neighbor's landline phone instead of your own.
Your conversation is safe from those prying on your house, but your privacy is at the mercy of your neighbor. If your home is not bugged, you actually increase your privacy risks unnecessarily. And there's no guarantee that their place is more secure than yours.
That's not to mention the hassle of walking out of your home to a different building.
The most important takeaway is that VPN is not synonymous with security or privacy, and using one willy-nilly can cause adverse effects on this front.
Dong, liked your article on VPN. One of the advantages for using it at home is to disguise your identity and encrypt your data from your ISP. Not using a VPN allows your ISP to see your streaming activity and possibly throttling your bandwidth. Either you give up some privacy to a VPN provider or to your ISP. I figure that keeping my ISP provider at bay is more important.
That’s not necessary, Al. For that, you can just change your DNS. The ISP always knows the volume of data going through your account, though. I think only cellular providers would restrict streaming, and they do but mostly by throttling the ceiling speed. But I haven’t tried all the available broadband services.
Hello Dong. My router alerts me of daily attacks on my NAS, and when I traced the IP address, I found that it originated from DigitalOcean. After reporting the IP address to DigitalOcean, I was informed that the company scanning my NAS surveys the internet as part of their research. I’m wondering if using a VPN would protect me from such scans.
Nope, it’ll still be scanned, maybe more, maybe less frequently, just that the party who scans you won’t know that you’re the same party that was scanned before.
By the way, to avoid being scanned, you just need to change or close the NAS’ default ports. But being scanned is not a big deal, that’s like being looked at by a person (who uses a pair of binoculars from afar) or having someone looking through your windows or ringing your doorbell in real life. The only harm is the sound (the notifications of your protection app) which can be turned off or tuned down.
Most protection apps go heavy on alerts to prove that they are “effective”. Port scans are not “attacks.”
Hi Dong,
A year or so ago, you helped me in my decision to set up the Netgear Orbi mesh network. I wish I remembered to read your posts about VPN and other tech since then! We just returned from a 2 week vacation in Spain. I purchased a one month VPN subscription from NordVPN based on other articles and doing some research to see if I should continue the subscription. Your post tells me not to do so. So, thanks.
We do plan to do more international travel in the future. [I rarely need access in cafes, etc but I realize that ‘national’ travel poses security risks too.] It seems like I can use a ‘free’ VPN like WARP. I also know that Netgear and my Verizon Wireless also provide VPN but I’ve found problems in speed and access trying them in the past.
So, I want to:
– confirm that I do not need to continue with NordVPN
– ask if I should use Netgear and/or Verizon over something like WARP.
Thanks again for straight-forward articles and advice.
Dan
NordVPN is evil, Dan, it’s so popular because its affiliation pays well — each time you click on a link and sign up the owner of the article gets a cut. But you need to make that decision yourself. Give this post another read and you’ll know what to should do.
great info
Hi Dong,
I’ve been using WARP for a couple of months when I’m out and about and love it. About a couple of weeks back though, I got a notification from Cloudflare that it will install a VPN profile to allow them to secure my internet traffic. There were the usual promises of collecting as little data as possible and never selling my personal information. Do you think it’s worth staying on WARP with the VPN profile thing? Or would I be better off using Asus’ Instant Guard VPN app which also comes free with its router?
You can use it, Richard, but, as I mentioned in the post, only when you’re not at home or have need for a VPN. Else, you’re just a sheep. ๐
Haha, true that. No such thing as a free lunch! VPN’s only on when I’m out of the house.
You got it! ๐
The ASUSWRT-Merlin site touts leveraging AES acceleration to improve performance of OpenVPN on the router. How effective is this in real world situations? Any benchmarks?
Other than certain ASUS models, do other companies support AES acceleration with VPN? Would it be worthwhile to upgrade?
I don’t have any benchmark, Edan, since I generally use VPN only while on the road and just for myself. But it works. Also, VPN is not a big factor in how I evaluate routers.
Why don’t you just say you don’t know.
I don’t know. Maybe that’d make me sound dismissive?
It’s difficult to find info on router VPN performance. Some routers have AES which improves performance.
I hope you add VPN performance to your test criteria. You may also want to round numbers on ratings. Two digits of precision are more than good enough. Generally, a 5% difference in performance would never be noticed. It’s really a tie.
Thanks for the input, Edan, but the halves are important in ratings. Generally, the main job of a home router is to host the local network. Just like the USB-based storage feature, the VPN support is not the primary function and shouldn’t be compared to that of a real business VPN server. Also, it’s very hard to test a VPN connection since the performance depends greatly on the remote party and the parties in between.
If you do set up a benchmark for VPN, it would have to be for machines within the same LAN. One side would be a touchstone that would have the highest throughput possible.
You are right that consumer routers would not function to the same level as a business VPN. The problem is that I don’t see any independent benchmarks.
Consumer router VPNs have the ability to allow people with AppleTV and other such devices to connect to other networks. This means throughput becomes critical as do thermal issues.
One use case I would like to figure out is to make the network in my father’s home connect to the network in my home. This way I could view all the computers and devices in both networks as though they were on the same.
You can’t really test a VPN using a machine in the same LAN, Edan. That either won’t work in certain routers — most don’t allow for NAT loopback — or if it does it doesn’t represent how the VPN would work with a remote party. In any case, what you’re looking to do with your dad’s home will NOT work well, it almost never will. I speak from experience.
Most people when browsing a network via a VPN using Windows Explorer (or Mac Finder) would interact with it the same way as they do a folder within a local network. Most often, they’d double-click to open a file to open it. When you do it via a VPN, and if the file is relatively large, that will cause the system to freeze. Specifically, a file needs to be fully loaded into the computer’s memory before it can be edited meaning the system will have to download it in its entirety from the remote server, and the same thing will happen in the opposite direction when you save the changes. An Internet connection (which a VPN is) is never as fast or as latency-free as a local network. Generally, it’ll take at least a few seconds to deliver a few MB of data over the Internet. And a few seconds is not something a person, who’s expecting normal performance, would understand. They would click some more and that will cause the connection and the system to overload. VPN works OK for streaming or surfing because that type of application doesn’t require an instantaneous response.
You should read this post again. The performance of a VPN connection depends on the Internet speeds of BOTH parties (the server and the remote user) AND parties in between that you have no control over, namely services providers, and various switches and routers.
Anyhow, sometimes the reason you can’t find what you’re looking for is simply that that thing doesn’t exist, no matter how much you want it to.
Good overview article. I am an Ex-Pat and live outside the U.S.
I have a MESH WiFi network throughout our home. That MESH is connected to our FiberOptic internet service which is very good and reliable.
I have a separate ASUS Router, centrally located in our home that is configured and connected to a VPN server in the U.S.
We have our modern flat screen TVโs connect to the internet for streaming in two ways. The built-in TV Apps connect the TVโs Wi-Fi to the VPN Router so those App get U.S. content.
We only stream. No ISP/cable TV service. We also have Apple TV units on those TVโs that connect directly to the internet along with our NAS drives for media content.
Sometime VPN servers can bog down due to heavy traffic.
When that happens, I use the nice ASUS phone App that allows me to switch VPN server to another one I have set up in the router.
Before I had to hook the router directly up to a PC and use the web GUI to do the same thing.
Home PCโs, phones, etc. can connect to either network for specific needs.
You’re a perfect candidate for the free Cloudflare WARP mentioned in this post, Joe.
I realize you are trying to simplify a complex topic but certain aspects of your article are a bit misleading.
1) The software that provides the perceived increase in security is the NAT(Network Address Translation) that makes makes the internet see traffic as coming from the VPN endpoint instead of your home computer not the VPN per say. It gets muddled because “VPN services” typically do both as one bundle.
2) Strictly speaking a VPN tunnel creates a (typically) encrypted link from your computer to another computer/network but doesn’t necessarily need to allow you access to the internet from that point. e.g. VPN from home into work to access work computers only, but not route the rest of your internet traffic through work.
3) Most computers will allow you to route some sites through VPN and others directly to internet. It can be quite a pain to manage for multiple sites but can be done
4) some routers now allow you to setup traffic to go through an external VPN service now
You’re correct, Joe. There are many flavors of VPN and things are about nuances. The gist of the post, though, is that most of the time, we, as home users, don’t need VPN, especially when we’re home, or don’t need it for what we’re made to believe that we do.
I agree with Joe’s post. The security aspect of VPN’s when connected to insecure networks cannot be overstated. It never ceases to amaze me how many people I see in airports and coffee shops connected to public networks and logging into email or internet sites, apparently oblivious to the danger that creates. All should be urged to utilize a VPN or an alternative to protect their online activity outside of their home network.
Read the post, Kevin!
Hey Dong, are there any routers yet with support for WireGuard? VPN support seems to be a pretty standard feature, but if I am going to run a VPN at this point I want it to be WireGuard. Seems weird that routers are so slow to add support.
WireGuard is very new, Tyler. My guess is it’ll be a while before it’s implemented within a router’s firmware.
Hi Dong. I use a VPN router to connect my Satellite TV box to use the services from my home country. I also connect to the same router for normal internet usage. The problem here is the speed has been reduced because of the VPN. Is it possible to fix the VPN to one band to connect to the TV and leave the other band free and unfettered to offer greater speeds for the rest of my internet work?
No in general, but that depends on the router’s firmware. https://dongknows.com/asus-routers-and-merlin-firmware/
Thanks, so ideally it is best to have a dedicated VPN router for the TV and another to serve as mesh router for general usage?
Best or not depends on what you need, Peter. Me for example, I don’t use VPN at all when I’m at home. The post explains all that.
All the facts mentioned here are really important to stay always protected.
In my view, creating your own vpn requires skilled staff to set up, and it has some disadvantages… and you won’t be able to unblock web content as you route traffic through your local IP / all paid providers offers a huge variety of servers from all over the world. So all in all I would prefer going with verified providers.
I can’t scroll on the page… because “content copy disabled” even tho I can copy the content on my non-jailbroken phone using Safari ๐คจ
Thanks for letting me know. I’ll fix that. By the way, you can scroll if you rest your finger on the text part (and not a photo).