A modern VPN service is not what you think it is
I'll be honest - the objective of this article is for you to buy a Windscribe subscription. If by the end of this post you're still not convinced to do so, you are probably cognitively malnourished.
You may have heard that a VPN is a magical tunnel that protects your data from evil hackers, makes your browsing activity private from everyone and guarantees total anonymity thanks to military grade encryption (AES420). According to your favorite YouTuber and average VPN review site, this is 100% accurate and you should click that link to get 69% off for a limited time only.
The factual reality is that none of those things are true, and you are basically fed bullshit. Why? For the same reason Ja Rule promoted the Fyre Festival, and Steven Seagal promoted Bitcoiin (yes, with two 'I's) - succulent cash money, the all mighty greenback.
What is a VPN, really
A VPN is a technology that networks two or more devices, allowing a remote machine to connect to a local network in order to access some internal resources. A VPN "tunnel" can optionally use encryption, so no external party can see the data you're transmitting or receiving – if they happen to be watching (hint: they are). That's it, that's all VPN technology does.
What a VPN is Not
Contrary to popular belief, a traditional VPN does:
- NOT drastically improve your level of privacy
- NOT make you anonymous
- NOT use "military grade encryption"
- NOT protect you from hackers
I'll go into detail on this a bit later, but let's focus on the basics first.
VPN Technology vs VPN Provider
When you hear the term "VPN" you're probably thinking "VPN provider" not the underlying technology, which is somewhat of a misnomer. Most VPN providers take the core technology and, at a minimum, do the following things:
- Disable the ability to access local resources and route all traffic to the Internet instead (which is the exact opposite of what VPN technology was meant to do)
- Operate authentication infrastructure that can create and disable credentials you would use to connect to a VPN server
- Make a splashy website that feeds you lies
- Pay VPN reviewers to say nice things
In very simple terms, when you use a VPN provider, a VPN server sits in between your computer and the destination website you wish to access.
So when you need to catch up on the latest video content from your favorite streaming site (wink, wink), but it's asking you for your ID because your IP was deemed to be located in a country that requires it, you connect to a VPN server and the destination site sees a different IP instead of yours, hopefully allowing you to access the educational content your mom warned you about.
This is the core functionality of most VPN providers, which achieves the following:
- Masks your IP from the destination website
- Masks your browsing activity from your Internet Service Provider
Since you still have to use an ISP to connect to the Internet, and VPN servers exist on the Internet, your ISP still sees you connecting to a mysterious IP and sending all traffic there. They don't know the contents of those packets, or what underlying protocols are being used, but they know the total amount of data (bytes) you send and receive to/from the VPN server IP which can be used to execute traffic correlation attacks.
On public Wi-Fi networks, your ISP is whoever operates that network – or rather, their Internet service provider – but the scenario is the same.
Isn't everything already encrypted?
The big brains out there may be thinking: Everything online already uses HTTPS/TLS, so your ISP can't see what you're browsing anyway, rendering point #2 meaningless. Yes, but no.
When you browse websites or use other encrypted protocols like DNS-over-HTTPS, IMAP+SSL (receiving email), SMTP+SSL (sending email), your ISP cannot see the contents of the data you're transmitting.
For example, when you search for "moist platypus goes wild at the zoo" or email a private picture of your prickly privates to your boss as a classy way of quitting, that information remains private. At least as far as your ISP is concerned.
However, your ISP still knows that you connected to Google, or that you sent those classy pictures via a specific mail server, at a specific time. Some call this information "metadata". For the Hebrew speakers out there, "meta-data" does not mean dead-data, it is very much alive and can be used to reveal a lot about your online habits.
Even if all you do is use a browser with a DNS-over-HTTPS resolver, the SNI is still in plaintext, which is just as "good" as DNS query logging – if one is inclined to capture your browsing history. EncryptedClientHello (ECH) attempts to fix this gap, but it's not widely used or supported, and is unlikely to get any meaningful usage this decade or the next (see IPv6 adoption timeline).
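The SNI leak in the paragraph above, as an added example that is not from the original post: `extract_sni` pulls the plaintext server_name out of the first TLS record a client sends, and `build_client_hello` constructs the ClientHello it is run against, so nothing touches the network. `observed_hostnames` is what a passive observer on the path could log despite DNS-over-HTTPS and TLS. The hostnames are constructed sample values.

```python
"""Parse the plaintext server_name (SNI) out of a TLS ClientHello.

Added example, not from the original post. The ClientHello is constructed
inline (no network access); in a real capture the same bytes are the first
record the client sends after the TCP handshake.
"""
from typing import List, Optional

HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME, NAME_HOSTNAME = 0x16, 0x01, 0x0000, 0x00


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed minimal ClientHello; hostname=None omits the SNI extension."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = bytes([NAME_HOSTNAME]) + len(name).to_bytes(2, "big") + name
        name_list = len(entry).to_bytes(2, "big") + entry
        extensions = (EXT_SERVER_NAME.to_bytes(2, "big")
                      + len(name_list).to_bytes(2, "big") + name_list)
    body = (b"\x03\x03" + b"\x11" * 32       # legacy version + client random (fixed here)
            + b"\x00"                         # empty session id
            + b"\x00\x02\x13\x01"             # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                     # one compression method: null
            + len(extensions).to_bytes(2, "big") + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Hostname from the server_name extension, or None if absent / not a ClientHello."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                        # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                # session id
    if len(body) < pos + 2:
        return None
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                # compression methods
    if len(body) < pos + 2:
        return None                                     # no extensions block at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != EXT_SERVER_NAME:
            continue
        lpos = 2                                        # skip ServerNameList length
        while lpos + 3 <= len(data):
            ntype, nlen = data[lpos], int.from_bytes(data[lpos + 1:lpos + 3], "big")
            if ntype == NAME_HOSTNAME:
                return data[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace")
            lpos += 3 + nlen
    return None


def observed_hostnames(records: List[bytes]) -> List[str]:
    """What a passive observer on the path can log from a set of first-flight records."""
    return [h for h in (extract_sni(r) for r in records) if h is not None]


# Constructed "capture": three handshakes (one without SNI) and one application-data record.
CAPTURE = [build_client_hello("mail.example.com"), b"\x17\x03\x03\x00\x05hello",
           build_client_hello("www.example.org"), build_client_hello(None)]

if __name__ == "__main__":
    print(observed_hostnames(CAPTURE))  # ['mail.example.com', 'www.example.org']
```

With ECH in use the outer ClientHello still carries a server_name, but it is the public name of the fronting provider rather than the real destination, so this parser would return that public name; that is exactly the gap ECH closes.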
When you use a VPN, your ISP cannot tell the difference between the protocols being used, nor can they peek into previously unencrypted data like DNS queries or SNI - but your VPN provider can.
IP (on) Logs
Most people think that their IP is some kind of magical identifier of their device. If you use IPv6 that's actually very true, but for 80% of the Internet's traffic, IPv4 is the game – and the stadium is at capacity. Unless you're a hipster with a dedicated IP, you're probably behind NAT sharing an IP with anywhere from a handful to tens of thousands of people at any given moment - depending on how IP-rich your ISP is.
But that doesn't matter, because all providers keep detailed logs on which user was assigned which IP at any given moment. So when you SWAT your neighbor from a VOIP line, thinking you're all good because you're sharing an IP with lots of other people (a.k.a. your activity is "lost in the crowd"), you might additionally want to consider loosening your buttcheeks to get them ready for prison.
ISPs also frequently record netflows, which are basically records of the exact IPs you connected to at any given moment. Again, the contents of most of those connections are encrypted, but their existence and exact timings are not. It's going to be very likely that it was a single subscriber that connected to that specific server at that specific time. Say hello to Bubba in Cell Block D!
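The attribution described in the two paragraphs above, as an added example that is not from the original post: a constructed CGNAT translation log (two subscribers sharing one public IP, told apart only by the external port the NAT handed them) and one constructed netflow record. `subscribers_behind` shows the "crowd" at a given moment; `attribute_flow` shows how the port plus the timestamp collapses it to one subscriber. The subscriber ids, log format and addresses (TEST-NET and 100.64.0.0/10 ranges) are all made up.

```python
"""Map a shared public IP back to a subscriber from NAT assignment logs.

Added example, not from the original post. Log format, ids and addresses are
constructed; real CGNAT logs differ in syntax but carry the same fields.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

LINE = re.compile(r"^(\S+) NAT-(ALLOC|FREE) sub=(\S+) int=(\S+) ext=(\S+):(\d+)$")

# Constructed CGNAT translation log: two subscribers share public 203.0.113.5.
NAT_LOG = """\
2024-05-01T12:00:03Z NAT-ALLOC sub=S-1042 int=100.64.3.7:51234 ext=203.0.113.5:40001
2024-05-01T12:00:05Z NAT-ALLOC sub=S-2211 int=100.64.9.2:44120 ext=203.0.113.5:40002
2024-05-01T12:04:40Z NAT-FREE sub=S-1042 int=100.64.3.7:51234 ext=203.0.113.5:40001
2024-05-01T12:09:10Z NAT-FREE sub=S-2211 int=100.64.9.2:44120 ext=203.0.113.5:40002
"""

# Constructed netflow record for one TLS connection seen leaving the ISP.
FLOW = {"ts": "2024-05-01T12:02:17Z", "src": "203.0.113.5", "sport": 40001,
        "dst": "198.51.100.20", "dport": 443, "bytes": 58120}


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


@dataclass
class Session:
    sub: str
    ext_ip: str
    ext_port: int
    start: datetime
    end: Optional[datetime] = None

    def active_at(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t < self.end)


def load_sessions(log: str) -> List[Session]:
    """Pair each ALLOC with its FREE (keyed on external ip:port) into sessions."""
    open_by_key: Dict[tuple, Session] = {}
    sessions: List[Session] = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # anything that is not a translation event is skipped
        ts, kind, sub, _internal, ext_ip, ext_port = m.groups()
        key = (ext_ip, int(ext_port))
        if kind == "ALLOC":
            s = Session(sub, ext_ip, int(ext_port), parse_ts(ts))
            open_by_key[key] = s
            sessions.append(s)
        elif key in open_by_key:
            open_by_key.pop(key).end = parse_ts(ts)
    return sessions


def subscribers_behind(sessions: List[Session], ext_ip: str, at: str,
                       ext_port: Optional[int] = None) -> List[str]:
    """Everyone using ext_ip at `at`; narrowing by the NAT port pins it to one person."""
    t = parse_ts(at)
    return sorted({s.sub for s in sessions
                   if s.ext_ip == ext_ip and s.active_at(t)
                   and (ext_port is None or s.ext_port == ext_port)})


def attribute_flow(sessions: List[Session], flow: dict) -> Optional[str]:
    """Subscriber id for a flow record, or None if no single session matches."""
    subs = subscribers_behind(sessions, flow["src"], flow["ts"], flow["sport"])
    return subs[0] if len(subs) == 1 else None


SESSIONS = load_sessions(NAT_LOG)

if __name__ == "__main__":
    print(subscribers_behind(SESSIONS, "203.0.113.5", "2024-05-01T12:02:17Z"))  # ['S-1042', 'S-2211']
    print(attribute_flow(SESSIONS, FLOW))  # S-1042
```

The "lost in the crowd" argument only holds while the log keeps IP alone; as soon as the NAT port and a timestamp are retained alongside it, which is what ISPs are required to keep, the crowd is one person.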
Your IP is small (part of the picture)
Let's say you got your VPN and connected to a server. Congrats, everyone on the Internet (except your ISP and VPN provider) now sees a different IP that's associated with your online activities.
If you believe your favorite YouTuber when they say you're 100% anonymous and your privacy is fully protected by military grade encryption when you use a VPN – you also have to remember that they make their living reacting to people eating silica gel packets and are completely wrong about almost everything in general, and this in particular. But anyway, let's keep going and define privacy and anonymity.
- Anonymity - nobody online knows who you are (but know what you do)
- Privacy - nobody online knows what you do (but know who you are)
Being truly anonymous online is very difficult and also completely impractical for most people. Yes, a VPN is mandatory to be anonymous but it's a very small piece of the puzzle.
When it comes to privacy, a traditional VPN plays an even smaller role, to a point where it's virtually irrelevant. Given that random websites you visit and apps you use do not know who uses which IP, and since IPs are usually shared between many people, they have to use other sources to identify you, which include but are not limited to:
- Headers your browser supplies on every request
- Data stored in cookies and local storage
- Device fingerprint
Using these methods (and a whole lot of JavaScript or APIs), tracking companies make tens of billions of dollars every year correlating your online activities, invading your privacy, and selling your info to companies that, in turn, sell you things you do not need. Your IP address plays only a minor role in this, because whether you connect to a VPN or not, your browser still supplies the same headers, the same cookies, and has the same fingerprint. The fact that your IP address has changed makes no difference to these companies. They can and will be able to track and correlate your activity regardless of you using a VPN.
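The tracker-side view of the paragraph above, as an added example that is not code from the original post or from any tracking vendor: `track` decides which id a visit gets filed under, cookie first and fingerprint second, and the IP never enters the decision. The three constructed visits are the same browser at home, then on a VPN with cookies cleared (same id comes back), then on the VPN with a masking extension changing the user agent, timezone and canvas output (a fresh id). The attribute list is an illustration, not a real vendor's.

```python
"""How a tracker keys on the browser, not the IP.

Added example, not code from the original post or any tracking vendor. The
attribute list and the request records are constructed for illustration.
"""
import hashlib
import json
from typing import Dict, List

# Signals that go into the fingerprint. The client IP is deliberately absent: it is
# shared with strangers, it changes, and it is the weakest signal a tracker has.
FINGERPRINT_FIELDS = ("user-agent", "accept-language", "accept-encoding",
                      "screen", "timezone", "canvas_hash", "fonts_hash")


def fingerprint(headers: Dict[str, str], client_attrs: Dict[str, str]) -> str:
    """Hash of the header and JS-collected attributes the tracker cares about."""
    merged = {k.lower(): v for k, v in headers.items()}
    merged.update(client_attrs)
    material = json.dumps({k: merged.get(k, "") for k in FINGERPRINT_FIELDS}, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def track(request: dict, store: Dict[str, str]) -> str:
    """Return the id this visit is filed under, learning cookie<->fingerprint links.
    `store` maps fingerprint -> known tracking id. The IP never enters the decision."""
    fp = fingerprint(request["headers"], request["client"])
    cookie = request.get("cookies", {}).get("_trk")
    if cookie:                              # strongest signal: the cookie set last time
        store[fp] = cookie
        return cookie
    return store.get(fp, "anon-" + fp)      # no cookie? the fingerprint still links back


# Constructed visits (header values and hashes are made up).
BROWSER_HEADERS = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
                   "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br"}
BROWSER_CLIENT = {"screen": "2560x1440x24", "timezone": "America/Toronto",
                  "canvas_hash": "c0ffee01", "fonts_hash": "f00d5eed"}

AT_HOME = {"ip": "198.51.100.7", "headers": BROWSER_HEADERS, "client": BROWSER_CLIENT,
           "cookies": {"_trk": "u-8f3a2c"}}
ON_VPN_COOKIES_CLEARED = {"ip": "203.0.113.9", "headers": BROWSER_HEADERS,
                          "client": BROWSER_CLIENT, "cookies": {}}
ON_VPN_MASKED = {"ip": "203.0.113.9",
                 "headers": {**BROWSER_HEADERS,
                             "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0"},
                 "client": {**BROWSER_CLIENT, "timezone": "Europe/Berlin", "canvas_hash": "9d1e4b2a"},
                 "cookies": {}}


def demo() -> List[str]:
    store: Dict[str, str] = {}
    return [track(v, store) for v in (AT_HOME, ON_VPN_COOKIES_CLEARED, ON_VPN_MASKED)]


if __name__ == "__main__":
    print(demo())  # ['u-8f3a2c', 'u-8f3a2c', 'anon-...']: new IP changed nothing, masking did
```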
We know what you're thinking, "So is all hope lost and you don't really need a VPN?" Not exactly, and we'll get to that in a bit, but first....
How to roll your own VPN
You may have heard impressively-neck-bearded dudes online tell you that you shouldn't pay for a VPN and spend $5 on a cheap VPS to make your own instead. That way you don't have to trust no stinking 3rd party company with your data. You can do that, it will look something like this:
- Provision a VPS – Rent a server from a low-cost provider (Hetzner, Vultr, DigitalOcean, etc.) with at least 1 vCPU and 1GB RAM. Choose a Linux distro like Debian or Ubuntu.
- Access and update it – Connect over SSH, then update the OS and kernel packages so WireGuard modules are available. On older distros, you may need to enable backports or build from source.
- Install WireGuard – Add the appropriate repositories and install the `wireguard-tools` package. Verify the kernel supports it.
- Generate keys – Create a private/public keypair for the server. Repeat for every client you plan to connect. Each client will need its own unique keypair.
- Configure the server – Create a WireGuard interface configuration (`wg0.conf`) defining the server’s private key, a private subnet (e.g. 10.0.0.0/24), and a listen port (commonly UDP/42069). Add each client’s public key and assigned internal IP.
- Enable routing/NAT – Allow IPv4 forwarding in sysctl, then set up NAT masquerade rules in iptables so client traffic is translated and routed out via the VPS’s main interface. Persist these rules so they survive reboots.
- Start the service – Bring up the WireGuard interface with `wg-quick` and enable it on boot. Check logs to confirm peers are connecting.
- Configure clients – On each device, create a matching config with its private key, internal VPN IP, DNS resolver of your choice, and the server’s public key and endpoint (IP:port).
- Maintain it – Keep the VPS patched, rotate keys if necessary, manage configs for each client, and monitor logs for dropped peers or errors. Any mistake in key management, firewall rules, or system updates can take the whole thing offline.
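The configure-the-server, routing/NAT and configure-clients steps above, as an added example that is not the author's script: a Python renderer for `wg0.conf` and one config per client. `key_pair` shells out to `wg genkey` / `wg pubkey` from wireguard-tools when `use_wg_tool=True` and the binary is present; otherwise obviously fake placeholder keys are substituted so the rendering can be inspected anywhere. Assumptions not on the page: the VPS's WAN interface is `eth0`, the endpoint IP 203.0.113.10 is a TEST-NET placeholder for the VPS's public address, and clients default to the server's own tunnel address as their DNS resolver (where a Pi-hole or AdGuard Home instance would listen).

```python
"""Render the wg0.conf and per-client configs the steps above describe.

Added example, not the script the author links. The renderers need no tools;
`key_pair` uses wireguard-tools and is only called when `wg` is on PATH.
"""
import ipaddress
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple


def key_pair() -> Tuple[str, str]:
    """Real Curve25519 keypair via wireguard-tools (requires `wg` on PATH)."""
    priv = subprocess.run(["wg", "genkey"], capture_output=True, text=True, check=True).stdout.strip()
    pub = subprocess.run(["wg", "pubkey"], input=priv, capture_output=True, text=True,
                         check=True).stdout.strip()
    return priv, pub


def placeholder_pair(name: str) -> Tuple[str, str]:
    """Obviously fake keys so the renderers run without wireguard-tools installed."""
    return f"{name.upper()}_PRIVATE_KEY_PLACEHOLDER=", f"{name.upper()}_PUBLIC_KEY_PLACEHOLDER="


def assign_addresses(subnet: str, client_names: List[str]) -> Tuple[str, Dict[str, str]]:
    """Server takes the first usable host of the tunnel subnet, clients the following ones."""
    hosts = ipaddress.ip_network(subnet).hosts()
    server_addr = str(next(hosts))
    return server_addr, {name: str(next(hosts)) for name in client_names}


def server_config(server_priv: str, server_addr: str, prefixlen: int, port: int,
                  peers: List[Tuple[str, str, str]], wan_if: str = "eth0") -> str:
    """wg0.conf: interface, forwarding + NAT masquerade on up/down, one [Peer] per client.
    `peers` holds (name, public_key, tunnel_ip). wg-quick expands %i to the interface name."""
    forward = "iptables -A FORWARD -i %i -j ACCEPT"
    masq = f"iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE"
    lines = [
        "[Interface]",
        f"Address = {server_addr}/{prefixlen}",
        f"ListenPort = {port}",
        f"PrivateKey = {server_priv}",
        f"PostUp = {forward}; {masq}",
        f"PostDown = {forward.replace('-A', '-D')}; {masq.replace('-A', '-D')}",
    ]
    for name, pub, addr in peers:
        lines += ["", f"# {name}", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {addr}/32"]
    return "\n".join(lines) + "\n"


def client_config(client_priv: str, client_addr: str, server_pub: str, endpoint: str, dns: str) -> str:
    """Client side: all v4 and v6 traffic through the tunnel, DNS pinned to the chosen resolver."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {client_priv}",
        f"Address = {client_addr}/32",
        f"DNS = {dns}",
        "",
        "[Peer]",
        f"PublicKey = {server_pub}",
        f"Endpoint = {endpoint}",
        "AllowedIPs = 0.0.0.0/0, ::/0",
        "PersistentKeepalive = 25",
    ]) + "\n"


def build_all(subnet: str = "10.0.0.0/24", port: int = 42069, endpoint_ip: str = "203.0.113.10",
              clients: Tuple[str, ...] = ("laptop", "phone"), dns: Optional[str] = None,
              use_wg_tool: bool = False) -> Dict[str, str]:
    """Return {filename: contents}. endpoint_ip is the VPS's public IP (TEST-NET placeholder
    here); dns defaults to the server's tunnel address, where a Pi-hole/AdGuard would listen."""
    server_addr, client_addrs = assign_addresses(subnet, list(clients))
    prefixlen = ipaddress.ip_network(subnet).prefixlen
    gen = key_pair if use_wg_tool and shutil.which("wg") else None
    server_priv, server_pub = gen() if gen else placeholder_pair("server")
    keys = {c: (gen() if gen else placeholder_pair(c)) for c in clients}
    peers = [(c, keys[c][1], client_addrs[c]) for c in clients]
    files = {"wg0.conf": server_config(server_priv, server_addr, prefixlen, port, peers)}
    for c in clients:
        files[f"{c}.conf"] = client_config(keys[c][0], client_addrs[c], server_pub,
                                           f"{endpoint_ip}:{port}", dns or server_addr)
    return files


if __name__ == "__main__":
    for filename, text in build_all().items():
        print(f"# ---- {filename}\n{text}")
    print("# then: sysctl -w net.ipv4.ip_forward=1 && wg-quick up wg0 && systemctl enable wg-quick@wg0")
```

Each client gets a /32 in `AllowedIPs` on the server side (so the server only accepts that peer's tunnel address from that key) and `0.0.0.0/0, ::/0` on its own side (so everything, including IPv6, is routed into the tunnel rather than leaking around it).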
"It's so simple, anyone can do it!" - said the guy with a large beard who hasn't seen the sun in 12 years. Yes, you could use shortcuts like Algo or Streisand to make this a bit easier, but making difficult things a bit easier still means they are hard.
Or you can just run this script on a fresh Ubuntu 24 VM and it will set up a WireGuard server, configure the firewall, and generate some configs for you to use. Works end-to-end, requiring zero input from you. Easy. Okay, easier. Much, much, easier.
Congrats, you now have your very own VPN server! You can also install Pi-hole or AdGuard Home on it, and block ads, trackers, porn, or whatever you want. This can help improve your level of online privacy, since blocking trackers prevents companies from harvesting your data in the first place.
Why you should not 'roll your own' VPN
Yes, a VPN provider is telling you not to set up your own VPN and pay for one instead, shocking, right? But let's say you do all of the above, and have your private VPN server all ready to go. There are several issues that you will not be able to overcome.
You are the only user
One of the biggest advantages of using a commercial VPN is getting lost in the crowd. When you 'roll your own' VPN, you are the only person connecting to it, and therefore, all your Internet activity is trivially linked to you, and you only.
Your cloud provider knows who you are
You gave your name, address and billing info to the hosting provider. They know exactly who you are. A subpoena, or simply a fake legal request from a custom email domain and basic 1 page website that looks like it belongs to a law firm, is all that's needed for your personal info to be provided to a 3rd party. Yes, it's really that easy.
Your cloud provider has extensive logs
Cloud providers keep extensive ingress and egress logs, and have the ability to snapshot your VPS's memory at anytime. Since you're the only user, all your activity is recorded and available to anyone who can fool the provider into handing over your personal data.
Enjoy blocks and CAPTCHAs?
Most cloud providers have IP ranges that are blacklisted on many different websites so prepare to get bombarded with block pages and CAPTCHAs when you visit them, rendering your VPN highly inconvenient/annoying to use.
Different IP != Privacy
Simply changing your IP address does virtually nothing for your privacy, unless your sole use case is downloading Linux ISOs from your favorite torrent tracker. If that is your use case, you will quickly find out that most hosting providers don't share your enthusiasm for file sharing, and will terminate your account rather quickly. Or hand over your personal info to a DMCA bot. Then you will start getting very unpleasant emails and phone calls from the legal department of a major movie studio - sorry, I meant your favorite Linux distro maintainer.
So to recap, if you roll your own VPN:
- ❌ You gain no privacy (unless you deploy and use other tools)
- ❌ You are not anonymous
- ❌ You will have a bad time browsing many sites
- ✅ You can tell people at parties that you run your own VPN server
Why you should probably use a commercial VPN
VPNs are not for everyone, but if you are a person who values privacy and wants to reduce your online footprint, or lives in a country where access to information is restricted - here are some reasons why you should use certain commercial VPNs.
Get lost in the crowd
One of the biggest advantages of using a commercial VPN service is the fact that you are not the sole user of an IP address (unless you use a dedicated IP). This works kinda like NAT, where dozens or even hundreds of people can use a single IP address at the same time. Since VPN providers in privacy friendly jurisdictions are not legally required to keep logs of IP assignments (ISPs are required to), activity cannot be traced to a single person.
What about those logs?
"What's preventing a VPN from logging all my activity and storing it?" you may be asking. Well, in truth, nothing. You'd never know if they did, and no audit can prove otherwise. Sure, you may have heard about "no logging audits" conducted by various VPN providers that "prove" that they don't keep logs (Windscribe included), but in reality this may not be the case. Audits are conducted on a single non-production server that's meant to be configured like a production server, but there's no way to know if it actually is. Are all the servers in the fleet configured the same way? Probably. Shh, trust me bro.
So that's it then, we're out of options? Well, not exactly. What you CAN count on (no audit required) is that VPNs are run by filthy capitalist pig-dogs who want to make money to fund their premium cocaine habits and put premium gas into their premium Lambos. What does this have to do with logs? Well, keeping extensive logs is not cheap, and the most affordable option, by far, is not to collect them in the first place (there's no legal reason to do so either).
Beyond the tunnel
Hopefully it's clear by now that simply changing your IP address provides you with virtually no extra privacy or anonymity, so then what does? A quality VPN service (if you can even call it that) does a lot more than just let you connect to a VPN server and change your IP, it's the extra features that will impact privacy the most. These features can include:
- The ability to block resolution of certain domain names, namely ones associated with ads & tracking companies. If you cannot connect to a tracker, you cannot leak your tracking cookies to it.
- Fingerprint masking - some VPNs offer special tools (namely browser extensions) that can help you randomize your browser's fingerprint, making it nearly impossible to correlate your "VPN connected" web activity with your normal browsing. Some other techniques that can be used are:
  - Changing the user agent
  - Changing the time and language settings of your browser
  - Spoofing GeoIP APIs that bypass VPNs entirely
  - Messing with other browser settings
- Traffic masking techniques - when you use a VPN, your data is encrypted between your computer and the VPN server, and is invisible to prying eyes. However the amount of data you transfer is not, which can be used to execute a traffic correlation attack. Some good VPNs let you circumvent that correlation.
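The first item in the list above (block resolution of tracker domains so there is nothing to leak cookies to), as an added example that is not the provider's code: a small domain filter of the kind a privacy-focused VPN or a Pi-hole style resolver runs in front of the real resolver. It matches on label boundaries only, normalizes case and trailing dots, lets an allowlist override the blocklist, and sinkholes blocked names to 0.0.0.0. The blocklist text, query names and the upstream stub are constructed.

```python
"""Domain blocklist filtering in front of a resolver.

Added example, not the provider's code. The blocklist text and queries are
constructed; `upstream` stands in for a real forwarder.
"""
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed blocklist in the hosts-file style most public lists use, plus bare names.
BLOCKLIST_TEXT = """\
# constructed sample list
0.0.0.0 tracker.example
0.0.0.0 ads.example
telemetry.example.net
"""


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def load_blocklist(text: str) -> List[str]:
    """Accept '0.0.0.0 name' hosts lines and bare names; skip comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(normalize(line.split()[-1]))
    return entries


def matches(qname: str, entry: str) -> bool:
    """entry matches itself and any subdomain, on label boundaries only,
    so 'tracker.example' does not catch 'nottracker.example'."""
    q = normalize(qname)
    return q == entry or q.endswith("." + entry)


class DomainFilter:
    def __init__(self, blocklist: Iterable[str], allowlist: Iterable[str] = ()):
        # Longest entries first so the most specific match is the one reported.
        self.block = sorted({normalize(b) for b in blocklist}, key=len, reverse=True)
        self.allow = [normalize(a) for a in allowlist]

    def verdict(self, qname: str) -> Tuple[str, Optional[str]]:
        """('allow', None) or ('block', matching entry). Allowlist wins over blocklist."""
        if any(matches(qname, a) for a in self.allow):
            return ("allow", None)
        for entry in self.block:
            if matches(qname, entry):
                return ("block", entry)
        return ("allow", None)

    def resolve(self, qname: str, upstream: Callable[[str], str]) -> str:
        """Sinkhole blocked names to 0.0.0.0; everything else goes to the real resolver."""
        return "0.0.0.0" if self.verdict(qname)[0] == "block" else upstream(qname)


FILTER = DomainFilter(load_blocklist(BLOCKLIST_TEXT), allowlist=["cdn.ads.example"])

if __name__ == "__main__":
    def fake_upstream(name: str) -> str:      # stand-in for a real forwarder
        return "198.51.100.44"
    for q in ["www.tracker.example", "nottracker.example", "TRACKER.EXAMPLE.",
              "pixel.ads.example", "static.cdn.ads.example"]:
        print(q, FILTER.verdict(q), FILTER.resolve(q, fake_upstream))
```

The allowlist precedence is the part that keeps this usable: public lists regularly over-match a CDN hostname that a site needs, and the fix is one allow entry rather than dropping the whole list.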
Most commercial VPNs don't do any of this, so enjoy the snake oil you got for a "good price" (that renews yearly at 3x the price you signed up for). Some quality VPNs that actually respect your privacy check most (or all) of these boxes. Which ones? Well, you're never gonna guess...
Conclusion
Stop wasting your time trying to run your own VPN, or paying for snake oil solutions that don't do anything for you. Consider trying Windscribe, it's pretty good. If you hate us for some reason, you can try IVPN or Mullvad, they're pretty alright in our books, too.