← All Posts
OpSec

Your VPN Isn't a Silver Bullet — The Real Privacy Stack

27 December 2024 7 min read by birenk

Every few weeks someone on a security forum posts asking which VPN to use for "complete anonymity online." Every time, well-meaning replies point them toward various commercial VPN providers, and the conversation ends there. This frustrates me, because it skips the most important question: what are you actually trying to protect against?

Privacy is a threat model problem, not a product problem. A VPN is one control — a useful one in specific contexts — but it doesn't address most of the ways your activity is actually tracked, correlated, and de-anonymised. This post breaks down what a VPN does and doesn't protect against, and what a realistic privacy stack looks like for different threat models in 2025.

What a VPN Actually Does

A VPN tunnels your traffic to a server operated by a third party and routes it from there. This achieves a few things:

  • Hides your traffic from your ISP. Your ISP sees encrypted traffic to the VPN endpoint, not the sites you visit. Under the UK's Investigatory Powers Act, ISPs are required to retain connection records — a VPN prevents those records from being meaningful.
  • Masks your IP address from destination servers. The website sees the VPN's IP, not yours. Useful for region-locking, less meaningful for sophisticated tracking.
  • Protects against passive network interception. On untrusted networks (hotel WiFi, coffee shops), a VPN prevents trivial MITM attacks.

That's it. Notice what's not on the list.

What a VPN Doesn't Protect Against

Browser fingerprinting

Modern browsers expose a huge amount of identifying information: user agent, installed fonts, screen resolution, timezone, WebGL renderer strings, canvas fingerprint, audio context output. Combine these and you get a fingerprint that's often unique to a single device. Your IP address is now irrelevant for tracking — the fingerprint follows you regardless of which VPN exit node you're using.

Cookies and account login

If you're logged into Google, Facebook, or any other platform, they track everything you do across their services and partner sites — regardless of your IP. A VPN does nothing about first-party or third-party cookies.

DNS leaks

Many VPN configurations — particularly on Windows — will leak DNS queries outside the tunnel through the system resolver. This means your ISP (or anyone watching) can see which domains you're looking up even while the VPN is active. Always test for DNS leaks on any VPN setup.

Traffic correlation attacks

If an adversary can observe both ends of the VPN tunnel — your traffic entering the VPN server and traffic exiting toward a destination — they can use timing and volume analysis to correlate the two. This is a real concern for nation-state-level adversaries and is one of the reasons Tor (with its multi-hop design) exists.

VPN provider logging

You've just moved trust from your ISP to your VPN provider. "No-log" claims are common and largely unverifiable without independent audits. Several "no-log" VPN providers have been compelled by court orders and subsequently handed over user data that they claimed not to store. Trust, but verify — or don't trust at all.

Building a Realistic Privacy Stack

The right stack depends on your threat model. Here's how I think about it across three levels:

Level 1: Baseline privacy (most people)

Against: ISP surveillance, ad tracking, passive data collection

  • Browser: Firefox with uBlock Origin in medium mode. Blocks most tracking scripts and ads without breaking most sites.
  • DNS: Encrypted DNS over HTTPS (DoH) or DNS over TLS (DoT) to a resolver you control or trust. Quad9 or NextDNS are reasonable choices. Self-hosting Unbound or Pi-hole with DoT upstream is better.
  • VPN: A reputable, audited provider — Mullvad or ProtonVPN are the current standard. Pay with Monero or cash for the account if the payment method matters to your threat model.
  • Email: ProtonMail or Tutanota. Not because the cryptography protects you from the provider, but because their business model isn't built on harvesting your data.

Level 2: Strong privacy (journalists, activists, security researchers)

Against: targeted tracking, correlation, some OSINT

  • Browser: Firefox with arkenfox/user.js configuration, or Mullvad Browser (based on Tor Browser's fingerprint normalisation without the Tor network). Compartmentalise browsing by context — different profiles or browsers for different identities.
  • DNS: DoH inside the VPN tunnel, with the VPN's own resolver, so external DNS queries are never visible.
  • VPN + Tor: Route Tor through a VPN (not VPN through Tor, which creates different problems). This prevents your ISP from seeing you connect to the Tor network and prevents Tor exit nodes from seeing your real IP.
  • Compartmentalisation: Separate devices or VMs for different personas. Whonix in VirtualBox is a practical setup — all traffic is forced through Tor at the OS level, making DNS leaks and application-layer bypass significantly harder.
  • Communications: Signal for messaging. Matrix/Element for group communication with a self-hosted server.

Level 3: High-threat OpSec (this is rare, know your threat model)

Against: sophisticated adversaries, operational security failures, physical surveillance

  • Air-gapped or Tails OS: Tails runs from a USB, leaves no trace on the host machine, and routes all traffic over Tor. Use for high-sensitivity operations only — it has usability trade-offs that make it impractical as a daily driver.
  • Hardware separation: Never mix operational hardware with personal hardware. Buy devices with cash. No accounts tied to real identity.
  • Physical OpSec: CCTV, mobile phone location data, and hardware serial numbers are real attack vectors at this level. These are out of scope for most people but worth understanding.

Common Mistakes

  • Using the same browser profile across contexts. Cookies and cached fingerprints will link your "anonymous" activity to your regular browsing if they share a profile.
  • Trusting "privacy mode." Incognito/private browsing doesn't prevent fingerprinting, doesn't hide your IP, and doesn't prevent employer or ISP visibility. It only prevents local history storage.
  • Logging into accounts over Tor or VPN. If you log into your real Gmail while using a VPN, the VPN is irrelevant for that session. Google now knows exactly who you are.
  • Neglecting the endpoints. A compromised device or browser extension undermines every network-level control. Endpoint hygiene is part of your privacy stack.

The Bottom Line

Privacy is a practice, not a product. A VPN is a useful component of that practice when used appropriately, but it doesn't — and can't — provide the anonymity that its marketing often implies. Understanding what you're trying to protect against, and stacking controls that actually address those threats, is the only way to build something that holds up.

Start with your threat model. Everything else flows from that.