How a VPN Actually Works
No marketing slogans. A practical walk-through of what happens between your device and the VPN server, what the encryption protects, what it doesn't, and where the DPI war fits in.
The 30-second version
A VPN does three concrete things. First, it encrypts the traffic between your device and a chosen server, so the network in between (your Wi-Fi, your ISP, an airport router) sees opaque bytes instead of which sites you are visiting. Second, it forwards that traffic out through the server, so the websites and apps you connect to see the server's IP address instead of yours. Third, it usually moves your DNS lookups inside the same encrypted tunnel, so the same intermediate networks can't see the names you are resolving either.
Everything else — kill switches, split tunneling, multi-hop, obfuscation — is built on top of those three primitives.
Step by step: a request through a VPN
1. App makes a request. Your browser wants to load example.com. Without a VPN, the OS would resolve the domain via your ISP's DNS, then open a TCP/TLS connection out through the default route.
2. VPN client intercepts. When a VPN is connected, a virtual network interface (tun0 on Linux/macOS, a WireGuard adapter on Windows) becomes the default route for outbound traffic. The OS hands every packet to that interface instead of the physical Wi-Fi.
3. Encryption. The VPN client encrypts each packet with the symmetric key negotiated during the handshake. Modern protocols use AES-256-GCM or ChaCha20-Poly1305 — both AEAD ciphers, so each packet is also authenticated. Tampering or replay is detected at the receiver.
4. Encapsulation. The encrypted payload is wrapped in an outer transport (UDP for WireGuard and most OpenVPN configs, TCP/443 with TLS for stealthier setups, plain TLS for VLESS+Reality). The outer packet is what travels across your ISP.
5. Server decrypts and forwards. At the VPN server, packets are decrypted, NAT-translated to the server's public IP, and sent to example.com. The site sees a request from the server, not from you.
6. Reply comes back. The response from example.com arrives at the server, gets re-encrypted, and is delivered back to your client through the same tunnel. Your app sees a normal HTTPS response, with no awareness that the path was different.
What a VPN actually hides
From your local network and ISP, a VPN hides: which domain names you resolve (when DNS goes through the tunnel), which IP addresses you connect to, which protocols you use beyond "encrypted traffic to a single endpoint", and the contents of every connection.
From websites you visit, a VPN changes: your apparent IP address, your geolocation as inferred from that IP, and any rate limits or geo restrictions tied to it.
From a curious passerby on the same coffee-shop Wi-Fi, a VPN hides: everything except the fact that you are connected to a VPN endpoint. They cannot see your banking session, your messenger, or your search history. Detailed coverage of that scenario lives on the Wi-Fi security page.
What a VPN does NOT hide
This part gets glossed over in most ads, so it is worth being concrete.
The VPN provider sees what your ISP used to see. If they keep logs, they have your full browsing history. The "no-logs policy" claim is exactly why provider choice matters more than the protocol used.
Logged-in identity is still you. A VPN does not log you out of Google, Facebook, or your bank. If you sign in to an account, that account still knows it is you, regardless of which IP you arrived from.
Browser fingerprinting still works. Canvas, fonts, screen resolution, WebGL — sites can re-identify you across IP changes. A VPN is not anti-tracking; that is a separate layer (uBlock Origin, Privacy Badger, hardened browser).
Local malware is unaffected. If your device is compromised, the malware sees plaintext data before it ever reaches the VPN tunnel.
Some leaks are protocol-specific. WebRTC can expose your local IP to a website even with a VPN connected. Test it with the WebRTC leak tester. DNS can leak similarly — see the DNS leak tester.
Protocols, in plain language
OpenVPN. The veteran. Mature, audited, runs over UDP or TCP. The trade-off is the recognisable handshake — fine on open networks, increasingly throttled on networks with DPI. More on the OpenVPN problem in Russia.
WireGuard. The modern minimalist. Tiny codebase, fast handshake, near-bare-metal throughput. Same caveat — its handshake is identifiable, so countries with DPI throttle it. Excellent on a home VPS or for site-to-site.
IKEv2/IPSec. The mobile-friendly classic. Reconnects fast on network changes, native on iOS and macOS. Same fingerprint problem.
VLESS+Reality. The current answer for restrictive networks. Carries data inside a real TLS handshake to a real public website, so DPI cannot tell it apart from regular HTTPS traffic. Deep dive here.
Shadowsocks. A SOCKS5 proxy with encryption, popular in China. Easier to fingerprint than Reality, but lighter to run. Often used as a secondary protocol in V2Ray/XRay setups.
When a VPN actually helps
Restrictive networks. When local DPI is throttling specific protocols or sites, a properly chosen VPN restores access. The "properly chosen" qualifier matters — see the OpenVPN page for why protocol choice is now first-order.
Public Wi-Fi. Coffee shop, hotel, airport. The threat isn't theoretical: same-network attackers, captive portal redirections, sometimes outright SSL stripping on cheap hardware. A VPN turns the local network into a dumb pipe.
Geographic friction. Streaming catalogues, regional pricing, tools that block IPs from specific regions. A VPN endpoint in another country is the simplest workaround.
Hiding traffic from your ISP. ISPs in many countries sell aggregated browsing data. A VPN moves that visibility from a company you don't trust to a company you've explicitly chosen.
Where it helps less: protecting against a targeted state-level adversary, anonymising you from a service you logged into, replacing endpoint security software. Different problems, different tools.
See it in practice
Run VLESS+Reality on the same servers we just walked through. 3 days free, no card.