ORION/VPN
◆ Fundamentals 2026-05-01 · 15 min read

What is a VPN, and how does it really work?

A plain-English explanation of what a VPN actually is, what it protects you from, and the difference between transports — built for understanding, not buying.

Written by
Yana Volkova
Network engineer, ORION/VPN Protocols team

Pick any 90-second explainer of a VPN and you’ll get the same metaphor: a tunnel. The metaphor is right, but it’s also where most articles stop. The interesting question isn’t whether your traffic is in a tunnel; it’s what the tunnel is built from, what it actually hides, and what it doesn’t. This is the long answer to the question of what a VPN is, written for someone who wants to understand the thing rather than buy one.

What a VPN actually is

A VPN — Virtual Private Network — is an encrypted connection from your device to a server you trust, through which your traffic reaches the rest of the internet. Everything your apps send and receive passes through that server first. From the perspective of any network sitting between you and the server (your ISP, a café router, a national firewall), the traffic looks like an opaque, encrypted stream going to one destination: the VPN server. The actual sites and services you’re visiting are invisible to them.

Three things change when you connect through a VPN. First, the apparent source IP of your traffic becomes the VPN server’s address rather than yours: services you talk to see requests arriving from the server, not from your device or home network. Second, the contents of your traffic, including which domains you query and which pages you load, are encrypted between you and the server, so nothing on the path can read them. Third, your DNS queries (the lookups that translate domain names into IP addresses) travel inside the tunnel to a resolver on the far side, rather than going to your ISP’s resolver in plaintext. That third point holds only if the VPN client actually replaces the system resolver and pins DNS to the tunnel interface; a client that leaves the ISP’s or the home router’s resolver configured leaks every domain lookup even while the rest of the traffic is encrypted, which is what a “DNS leak” is.
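The third point is the one that fails silently, so it is the one to check. Below, as an added example that is not part of this article or of ORION/VPN’s client, is the check a practitioner runs after connecting: parse the system’s resolver configuration and flag any nameserver that is not inside the tunnel’s resolver range. The 10.64.0.0/10 range and the sample resolv.conf text are assumptions constructed for the example, not documented ORION/VPN values.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// tunnelResolvers are the address ranges the VPN client is expected to
// install as the system resolver while connected. The prefix below is an
// assumption made for this example, not a documented ORION/VPN value.
var tunnelResolvers = []netip.Prefix{netip.MustParsePrefix("10.64.0.0/10")}

// LeakingResolvers parses resolv.conf-style text and returns every
// nameserver that lies outside the tunnel's resolver ranges. Each address
// returned is a resolver the ISP or local network can watch queries to,
// even while the rest of the traffic is inside the tunnel.
func LeakingResolvers(resolvConf string, inside []netip.Prefix) ([]netip.Addr, error) {
	var leaks []netip.Addr
	sc := bufio.NewScanner(strings.NewReader(resolvConf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != "nameserver" {
			continue // search, domain, options: not resolvers
		}
		addr, err := netip.ParseAddr(fields[1])
		if err != nil {
			return nil, fmt.Errorf("line %q: %w", line, err)
		}
		insideTunnel := false
		for _, p := range inside {
			if p.Contains(addr) {
				insideTunnel = true
				break
			}
		}
		if !insideTunnel {
			leaks = append(leaks, addr)
		}
	}
	return leaks, sc.Err()
}

// Constructed sample: the client pushed its tunnel resolver but left the
// home router's resolver in place, so lookups can still go to the ISP.
const sampleResolvConf = `# Generated by NetworkManager
search home.lan
nameserver 10.64.0.1
nameserver 192.168.1.1
options edns0 trust-ad`

func main() {
	leaks, err := LeakingResolvers(sampleResolvConf, tunnelResolvers)
	if err != nil {
		panic(err)
	}
	if len(leaks) == 0 {
		fmt.Println("all resolvers are inside the tunnel")
		return
	}
	fmt.Println("DNS leak: resolvers outside the tunnel:", leaks)
}
```

On a real machine you would feed it the contents of /etc/resolv.conf (or the equivalent from `resolvectl status` on systemd-resolved hosts) and the resolver range your provider actually pushes; the point of the check is that a second, non-tunnel resolver is enough to leak, because the OS is free to query any of them.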

What doesn’t change is worth being equally clear about. If you’re logged into a site, the site still knows who you are — your IP address is only one of many identifiers, and session cookies travel with your requests. Your browser fingerprint (the combination of screen size, installed fonts, language settings, and GPU rendering) is unchanged. And if the VPN server itself keeps logs, then your activity is visible to whoever runs that server and anyone who can compel records from them. The tunnel moves the trust boundary; it doesn’t eliminate it.

A proxy sits at the simpler end of this spectrum. It forwards your traffic through a third-party server at the application layer: an HTTP proxy sees only the browser traffic pointed at it, often carries it without any encryption of its own, and does nothing for DNS lookups or for other protocols. A VPN operates at the network layer, so by default every packet from every application is routed through the tunnel (unless the client is deliberately configured for split tunnelling). The comparison is explored in more detail in VPN vs Tor vs proxy — what actually changes.

The two halves of every VPN: encryption and transport

Every serious VPN architecture has two distinct layers, and conflating them is the source of most VPN marketing confusion.

The encryption layer is responsible for one thing: scrambling the bytes so that only the two endpoints (your device and the VPN server) can read them. Modern implementations use an authenticated key-agreement handshake to derive a shared secret without ever sending that secret on the wire, then use keys derived from it to encrypt and authenticate every packet, so a packet modified in transit is rejected rather than decrypted. ORION/VPN uses modern, AES-256-class authenticated encryption with an authenticated handshake. The handshake provides mutual authentication (each side proves it holds its long-term key) and forward secrecy: the per-session keys come from ephemeral values that are discarded once the handshake completes, so a recorded session cannot be decrypted even if the long-term keys are stolen later. The symmetric cipher is fast on all hardware, including mobile devices, because AES has hardware acceleration on essentially every current CPU (AES-NI on x86, the ARMv8 cryptography extensions on phones) and constant-time software implementations for the rest. The caveat a practitioner should know is that naive table-based AES in software has leaked key material through cache timing in the past, so what an audit has to cover is the implementation, not the cipher’s name. That is the sense in which this is audited encryption rather than a marketing claim.
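To make “mutual authentication” and “forward secrecy” concrete, here is an added example of the handshake shape described above; it is not the article’s code and not ORION/VPN’s protocol, which this page does not publish. It uses X25519 key agreement with a static plus an ephemeral key per side in the Noise IK pattern, HKDF-SHA256 for key derivation, and AES-256-GCM for each packet, all from Go’s standard library. The salt label, the packet layout (counter nonce in front of the ciphertext) and the peers’ keys are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Peer is one endpoint: a long-term static key that identifies it and a
// fresh ephemeral key that exists only for this session.
type Peer struct{ Static, Ephemeral *ecdh.PrivateKey }

func genKey() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // the OS random source failing is not recoverable
	}
	return k
}

func NewPeer() *Peer { return &Peer{Static: genKey(), Ephemeral: genKey()} }

// hkdf32 is HKDF-SHA256 (RFC 5869) reduced to extract plus one expand
// block; it returns 32 bytes, an AES-256 key.
func hkdf32(salt, ikm, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(info)
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

// SessionKey mixes three Diffie-Hellman results, the Noise IK shape. ee
// (ephemeral-ephemeral) gives forward secrecy: both private halves are
// erased after the handshake, so a later theft of static keys cannot
// recover it. es and se (ephemeral-static, each way) give mutual
// authentication: only the matching static private key can compute them.
// initiator fixes the es/se order on both sides; the salt is an example label.
func SessionKey(me *Peer, theirStatic, theirEph *ecdh.PublicKey, initiator bool) ([]byte, error) {
	ee, err1 := me.Ephemeral.ECDH(theirEph)
	ephStatic, err2 := me.Ephemeral.ECDH(theirStatic)
	staticEph, err3 := me.Static.ECDH(theirEph)
	if err := errors.Join(err1, err2, err3); err != nil {
		return nil, err // e.g. a low-order public key: refuse, never derive
	}
	es, se := ephStatic, staticEph // initiator: es = eI*sR, se = sI*eR
	if !initiator {
		es, se = staticEph, ephStatic // responder: sR*eI = es, eR*sI = se
	}
	ikm := bytes.Join([][]byte{ee, es, se}, nil)
	return hkdf32([]byte("example-vpn-handshake-v1"), ikm, []byte("traffic-key")), nil
}

func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal protects one packet. The nonce is a 64-bit packet counter in the
// 96-bit nonce field; it travels in the clear ahead of the ciphertext and
// must never repeat under the same key.
func Seal(aead cipher.AEAD, counter uint64, plaintext []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[aead.NonceSize()-8:], counter)
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...)
}

// Open verifies the tag before returning anything; one flipped bit fails.
func Open(aead cipher.AEAD, packet []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(packet) < n+aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	return aead.Open(nil, packet[:n], packet[n:], nil)
}

func main() {
	client, server := NewPeer(), NewPeer()
	ck, _ := SessionKey(client, server.Static.PublicKey(), server.Ephemeral.PublicKey(), true)
	sk, _ := SessionKey(server, client.Static.PublicKey(), client.Ephemeral.PublicKey(), false)
	aead, _ := NewAEAD(sk)
	pkt := Seal(aead, 1, []byte("GET / HTTP/1.1"))
	pt, err := Open(aead, pkt)
	fmt.Printf("same key: %v, server read %q (err=%v)\n", bytes.Equal(ck, sk), pt, err)
	pkt[len(pkt)-1] ^= 0x01 // on-path tampering
	_, err = Open(aead, pkt)
	fmt.Println("tampered packet rejected:", err != nil)
}
```

Two things the example leaves visible on purpose: an impostor who captures the server’s ephemeral key but lacks its static key derives a different session key (that is the authentication property), and the counter nonce must never repeat under one key, so a real implementation rekeys before the counter wraps and a receiver tracks the highest counter seen to drop replays.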

The transport layer is responsible for a different thing: getting those encrypted bytes across the network efficiently, and this is where the architecture decisions diverge. Plain UDP is the simplest choice: connectionless, low overhead, good for latency-sensitive workloads. A more modern transport also runs over UDP but adds multiplexed streams, flow control, and an encrypted handshake of its own, so its packets look like the ordinary web connections that already make up a large and growing share of internet traffic.

Why does the separation matter? Because older VPN designs — ones that bundle encryption and transport into a single fixed specification — are fingerprint-identifiable on the wire. A firewall or deep-packet inspector that knows what those handshakes look like can block them categorically, no matter what port you run the VPN on. When encryption and transport are separate concerns, you can swap the transport layer to something the network cannot distinguish from ordinary traffic, while keeping the same verified encryption underneath. The security properties don’t change; only the outer wrapper does.

What a VPN protects you from (and what it doesn’t)

A VPN is not a general-purpose security tool. It solves a specific set of problems, and claiming it solves more than that is a fast way to get people hurt.

Threat | VPN helps? | Why
--- | --- | ---
ISP logging which domains you visit | Yes | Traffic is encrypted before it reaches the ISP; DNS queries travel inside the tunnel
Operator surveillance on a managed network (corporate, school, café) | Yes | Same as ISP: the operator sees an encrypted stream, not your requests
Trackers correlating your IP address across sites | Partial | Your IP changes to the server’s; cookies, fingerprinting, and logged-in sessions still identify you
Geographic content blocks | Usually | The server’s IP determines what the destination service shows you
Network-level censorship (domains blocked by ISP) | Usually | DNS and HTTP-layer blocks are bypassed; protocol-level blocks require stealth transport (see below)
Malware already on your device | No | The tunnel doesn’t inspect content; malware communicates through the encrypted tunnel like anything else
Phishing attacks | No | The VPN has no visibility into whether a site is legitimate
Legally compelled provider logs | Depends | No-log claims are only as good as the audit and jurisdiction backing them
Targeted attacks on the destination service | No | A VPN protects your path to the server; it doesn’t protect the server itself

The ISP surveillance case deserves a precise statement. Without a VPN, your ISP sees the IP address of every server you connect to and, for unencrypted HTTP, the full content of every request. For HTTPS connections it sees the IP address and the Server Name Indication (SNI) field, the domain name sent in the clear in the connection’s opening handshake, which reveals the destination even though the content is encrypted. (Encrypted Client Hello, which hides the SNI, exists but is not yet deployed widely enough to rely on.) Inside a VPN tunnel, the ISP sees the IP address of the VPN server plus the volume, packet sizes and timing of what flows to it, and nothing more. The domain you’re visiting is no longer visible to your ISP at all; what remains is the metadata that traffic-analysis techniques work on, a far weaker signal than the name itself.
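What the ISP’s equipment actually does with an HTTPS connection is read the server_name extension out of the very first packet. Below is an added example, not code from this article or from ORION/VPN, that parses a TLS ClientHello the way a passive DPI tap would. The ClientHello it parses is constructed inline with a fixed zero random and a single cipher suite, so it is a test fixture rather than a capture of a real browser.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var errTruncated = errors.New("truncated ClientHello")

// reader walks a byte slice and records the first truncation; after an error it hands back zeros.
type reader struct {
	b   []byte
	err error
}

func (r *reader) take(n int) []byte {
	if r.err != nil || len(r.b) < n {
		r.err = errTruncated
		return make([]byte, n)
	}
	out := r.b[:n]
	r.b = r.b[n:]
	return out
}

func (r *reader) u8() int  { return int(r.take(1)[0]) }
func (r *reader) u16() int { return int(binary.BigEndian.Uint16(r.take(2))) }

// ExtractSNI pulls the server_name extension out of a TLS ClientHello carried in
// one record, as an ISP-side DPI tap does; "" with no error means no server_name.
func ExtractSNI(record []byte) (string, error) {
	r := &reader{b: record}
	if r.u8() != 0x16 { // record type 22 = handshake
		return "", errors.New("not a TLS handshake record")
	}
	r.take(2) // record-layer version
	hs := &reader{b: r.take(r.u16())}
	if hs.u8() != 0x01 { // handshake type 1 = ClientHello
		return "", errors.New("not a ClientHello")
	}
	body := &reader{b: hs.take(hs.u8()<<16 | hs.u16())} // 24-bit length
	body.take(2 + 32)     // client_version, random
	body.take(body.u8())  // session_id
	body.take(body.u16()) // cipher_suites
	body.take(body.u8())  // compression_methods
	if r.err != nil || hs.err != nil || body.err != nil {
		return "", errTruncated
	}
	if len(body.b) == 0 {
		return "", nil // no extensions block at all
	}
	ext := &reader{b: body.take(body.u16())}
	for ext.err == nil && len(ext.b) >= 4 {
		typ := ext.u16()
		data := ext.take(ext.u16())
		if typ != 0 { // extension type 0 = server_name
			continue
		}
		sn := &reader{b: data}
		sn.u16()            // server_name_list length
		nameType := sn.u8() // 0 = host_name
		name := sn.take(sn.u16())
		if ext.err != nil || sn.err != nil || nameType != 0 {
			return "", errors.New("malformed server_name extension")
		}
		return string(name), nil
	}
	if body.err != nil || ext.err != nil {
		return "", errTruncated
	}
	return "", nil
}

// BuildClientHello constructs a minimal record for testing: zero random, one
// cipher suite, null compression and, if sni is set, a server_name extension.
func BuildClientHello(sni string) []byte {
	var ext []byte
	if sni != "" {
		name := []byte(sni)
		entry := append(append([]byte{0x00}, u16(len(name))...), name...) // host_name entry
		list := append(u16(len(entry)), entry...)                           // server_name_list
		ext = append(append(u16(0), u16(len(list))...), list...)            // extension type 0
	}
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...) // version, random (zeros)
	body = append(body, 0x00)                               // empty session_id
	body = append(body, 0x00, 0x02, 0x13, 0x01)             // one suite: TLS_AES_128_GCM_SHA256
	body = append(body, 0x01, 0x00)                         // compression: null only
	body = append(append(body, u16(len(ext))...), ext...)
	hs := append([]byte{0x01, 0x00, byte(len(body) >> 8), byte(len(body))}, body...)
	return append(append([]byte{0x16, 0x03, 0x01}, u16(len(hs))...), hs...)
}

func u16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

func main() {
	sni, err := ExtractSNI(BuildClientHello("bank.example"))
	fmt.Printf("ISP-side view of the handshake: SNI=%q err=%v\n", sni, err)
}
```

Inside a VPN tunnel this whole record is encrypted payload, so a tap on the ISP side never gets to run the parser. Under Encrypted Client Hello it would return only the public cover name of the client-facing server, not the real destination, which is why ECH and a VPN attack the same leak from different ends.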

Internet censorship in 2026 has a detailed map of which countries apply which specific blocking techniques, and which of those techniques a VPN alone is sufficient to bypass.

The transport question: stealth versus speed

Here’s the problem that most VPN providers don’t explain clearly: a VPN that looks like a VPN is easy to block.

Every protocol has a fingerprint — a characteristic pattern of packet sizes, timing, the shape of its opening handshake bytes, and port numbers that network equipment can detect. Older VPN protocols each have a recognizable handshake. A network operator who wants to block VPNs categorically — a national firewall, a managed WiFi network, a mobile carrier — can do so accurately and automatically by matching these fingerprints, regardless of what port the VPN is running on. The packets don’t need to be decrypted; the shape of the traffic is enough.

The counter-strategy is to make VPN traffic look like something the network cannot afford to block: ordinary website connections, the kind that already make up a large share of internet traffic. A transport built this way uses the well-known UDP port that web traffic already uses and produces packets shaped like loading a webpage. A firewall that blocks connections of that shape on that port also breaks a large part of the web for everyone behind it, which is a strong incentive not to.

But camouflage isn’t free. Dressing each packet to look exactly like an ordinary website connection’s first exchange — including the right header bytes, the domain name field, and the right timing properties — takes a small amount of extra processing. Typically a few microseconds per packet on modern hardware. For users on high-speed connections doing large transfers, a path without that camouflage overhead may deliver better throughput.
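The fingerprint argument and the camouflage counter-move are both easy to show with a classifier that looks at nothing but the first datagram. The code below is an added example, not this article’s or ORION/VPN’s, and the page itself names no protocols: the three wire formats it matches (a WireGuard handshake initiation, an OpenVPN hard-reset control packet, a QUIC v1 Initial) are public specifications, the block/allow policy is a constructed stand-in for a censor’s rule set, and the sample datagrams are constructed with filler after the bytes that matter. Camouflage shows the idea behind a stealth transport by prepending a QUIC-shaped outer header and padding to QUIC’s 1200-byte minimum, which is also where the overhead described above comes from.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Verdict is what a toy censor decides about one datagram; the policy
// strings are a constructed stand-in, not any real firewall's rule set.
type Verdict struct{ Protocol, Action string }

// Classify looks only at the first datagram a client sends and matches
// public wire formats; nothing here looks at the UDP port.
//   WireGuard handshake initiation: exactly 148 bytes, type byte 0x01,
//     then three reserved zero bytes.
//   OpenVPN P_CONTROL_HARD_RESET_CLIENT_V2: opcode 7 in the top five bits
//     of the first byte, followed by an 8-byte session id.
//   QUIC v1 Initial: long header (first byte 0xC0 in its top four bits),
//     version 0x00000001, client datagram padded to at least 1200 bytes.
func Classify(payload []byte) Verdict {
	switch {
	case len(payload) == 148 && payload[0] == 0x01 && payload[1]|payload[2]|payload[3] == 0:
		return Verdict{"wireguard-handshake-initiation", "block"}
	case len(payload) >= 14 && payload[0]>>3 == 7:
		return Verdict{"openvpn-hard-reset-client-v2", "block"}
	case len(payload) >= 1200 && payload[0]&0xF0 == 0xC0 && binary.BigEndian.Uint32(payload[1:5]) == 1:
		return Verdict{"quic-v1-initial", "allow"} // dropping these breaks HTTP/3 for everyone
	default:
		return Verdict{"unknown", "allow"}
	}
}

// Camouflage wraps an inner VPN handshake in the outer shape of a QUIC v1
// Initial: long-header byte, version 1, an 8-byte DCID, empty SCID and
// token, then padding to the 1200-byte minimum. Only the fixed bytes a
// shallow matcher checks are mimicked; a real Initial's length field and
// protected CRYPTO frame are not produced.
func Camouflage(inner []byte) []byte {
	out := []byte{0xC0, 0x00, 0x00, 0x00, 0x01, 0x08}
	out = append(out, 0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33) // DCID (constructed)
	out = append(out, 0x00, 0x00)                                     // SCID len 0, token len 0
	out = append(out, inner...)
	if pad := 1200 - len(out); pad > 0 {
		out = append(out, make([]byte, pad)...)
	}
	return out
}

// Constructed sample datagrams: only the leading bytes DPI matches on are
// realistic; the rest is filler standing in for encrypted fields.
func wireguardInitiation() []byte {
	p := make([]byte, 148)
	p[0] = 0x01 // MessageInitiation; p[1:4] stay zero (reserved)
	for i := 4; i < len(p); i++ {
		p[i] = byte(i * 7)
	}
	return p
}

func openvpnHardReset() []byte {
	p := make([]byte, 56)
	p[0] = 7 << 3 // opcode 7, key id 0
	copy(p[1:9], []byte{0x9a, 0x11, 0x30, 0x4f, 0xc2, 0x07, 0x5e, 0xd8}) // session id
	return p
}

func quicInitial() []byte {
	p := make([]byte, 1200)
	copy(p, []byte{0xC0, 0x00, 0x00, 0x00, 0x01, 0x08}) // Initial, version 1, DCID len 8
	return p
}

func main() {
	samples := map[string][]byte{
		"wireguard":         wireguardInitiation(),
		"openvpn":           openvpnHardReset(),
		"quic":              quicInitial(),
		"wireguard-in-quic": Camouflage(wireguardInitiation()),
		"random-udp":        {0x55, 0x66, 0x77, 0x88},
	}
	for name, p := range samples {
		fmt.Printf("%-18s %4d bytes -> %+v\n", name, len(p), Classify(p))
	}
}
```

Note what the toy deliberately does not do. A QUIC v1 Initial is protected with keys that any observer can derive from the connection ID in its header, so a DPI box that goes one step deeper decrypts the Initial and checks whether a genuine TLS ClientHello is inside. Header mimicry alone fails that check, which is why a production stealth transport has to be a complete, valid implementation of the protocol it hides in, carrying the encrypted VPN payload as that protocol’s data, rather than a costume over the old handshake. Moving the old handshake to port 443 changes nothing at all: the classifier never reads the port.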

This is the stealth/speed split, and it’s not a theoretical concern. Deep packet inspection explained covers how DPI hardware makes these identification decisions at line rate.

The two transports at ORION/VPN: Horizon and Wind

ORION/VPN ships two transport modes, selectable per-connection, both running the same modern, AES-256-class authenticated encryption underneath.

Horizon is the stealth transport. Every packet is dressed to look like an ordinary website connection — to deep packet inspection, your VPN traffic and a normal browser session are indistinguishable at the wire level. The shape of the connection’s first packets, the domain name field, the timing, the port — all of it matches what an observer would expect to see from ordinary browsing. This makes Horizon viable in environments that actively fingerprint and block conventional VPN traffic: restrictive national networks, some corporate proxies, carrier networks in regions where VPN use is restricted or surveilled. The colour associated with Horizon across the UI is blue (#7e90ff). Think of it as the transport for networks that would prefer you didn’t connect.

Wind is the performance transport. It uses a native modern transport built for raw speed — without the camouflage overhead. Connections benefit from the transport’s native features: multiplexed streams, fast connection establishment, and built-in congestion control tuned for high-throughput workloads. Wind is the right choice when nothing is filtering your connection and you want maximum throughput for streaming, large downloads, or gaming. Its colour is gold (#e5b266).

The practical difference between them is situational, not absolute. On a home broadband connection with no filtering, Wind will typically deliver higher throughput and lower latency. On a mobile connection in a country that filters VPN traffic, Wind may not connect at all — while Horizon does. The encryption layer is identical in both cases, so the security properties are the same either way. You get the same protection regardless of which transport you choose; only the camouflage differs.

When you should not use a VPN

Three persistent myths about VPNs that cause real problems when people believe them:

“A VPN makes me anonymous.” No. It shifts who can see your traffic: from your ISP and every network between you and the destination, to the VPN provider. Your activity is still visible to that provider, and logged unless they have made an audited commitment not to. And anonymity requires more than hiding an IP address. Cookies, device fingerprints, account logins, and behavioral patterns can identify you precisely even through a VPN. Tor provides stronger anonymity by routing traffic through multiple independently operated relays so that no single one sees both who you are and where you’re going; a VPN provides privacy from network observers, which is a different and weaker property.

“A VPN protects me from malware.” No. The VPN encrypts the connection between your device and the server. Malware that’s already running on your device connects out through that same tunnel. A VPN has no mechanism to inspect the content of your connections for malicious code, any more than a telephone wire inspects what you say. Malware protection requires endpoint security (a real-time scanner or behavioral analysis tool), not a VPN.

“I need a VPN to keep my bank connection secure.” No. Your bank already uses HTTPS, the same cryptographic protection that secures all modern web traffic, so the connection between your browser and the bank is already encrypted and the bank’s identity is already verified by its certificate. Adding a VPN wraps that in a second encrypted layer, but it doesn’t meaningfully improve the security of the bank connection itself. Where a VPN does help with banking is on an untrusted network: it hides from the local network which bank you use, and it takes the local DNS resolver and any attempt to steer you to a look-alike site before HTTPS is established out of that network’s hands. That is a real but uncommon threat.

There are also scenarios where using a VPN makes things actively worse. Some banks flag logins from VPN IP addresses as suspicious and lock the account. Streaming services detect known VPN server IPs and display error pages. Sites with aggressive bot protection are more aggressive toward traffic from data-center IP ranges, which is where most VPN servers live. And if you’re using a service that provides location-specific features — local news, local business results, local emergency services — a VPN that changes your apparent location will give you the wrong region’s content.

Frequently asked questions

Is using a VPN legal?

In most countries, yes. VPNs are legal and widely used by businesses, journalists, researchers, and individuals for privacy and security. A smaller number of countries — Russia, China, Iran, Belarus among them — have regulations that restrict VPNs to approved providers, require providers to hand over logs, or ban personal VPN use outright. The legality of the VPN is separate from the legality of whatever you do through it; a VPN doesn’t provide legal immunity.

Does a VPN slow down my connection?

Yes, by a measurable but often small amount. The minimum overhead is the encryption processing time plus the additional network round trip to the VPN server. On a 2024-era device with a fast server geographically close to you, the encryption overhead is typically under 5 ms. The more significant factor is server distance: routing traffic from London through a server in Singapore adds roughly 170 ms of latency because physics doesn’t negotiate. Throughput losses are usually under 10% on a well-run server. A VPN that’s thousands of miles away and oversubscribed will feel slow; one that’s close and lightly loaded often isn’t noticeable.

Will a VPN hide my browsing from my ISP?

Yes, with one precise caveat. Your ISP will see that you’re sending traffic to a VPN server’s IP address, along with how much and when. It will not see which domains you’re visiting, which pages you’re loading, or the contents of your requests. DNS queries (which would otherwise reveal domain names in plaintext) are carried inside the tunnel and answered by the VPN’s resolver instead, as long as the client has actually switched the system resolver over to it; a client that leaves the ISP’s resolver in place leaks the domain names even with the tunnel up.

Can a VPN bypass geographic restrictions?

Usually. When you connect through a VPN server in another country, services you access see the server’s IP address and serve you the content available in that country. This works for most streaming geo-blocks, regional content licensing, and sports blackouts. It fails when the destination service actively detects and blocks known VPN server IP ranges — which Netflix, BBC iPlayer, and some banks do. How reliably any given VPN bypasses these blocks depends on how aggressively the provider rotates and refreshes its server IPs.

Does a VPN protect me on public WiFi?

Yes, and this is one of the clearer use cases. On an open WiFi network, anyone on the same network can passively observe unencrypted traffic and, with the right equipment, attempt to intercept or modify connections. A VPN encrypts all traffic from your device before it leaves over the WiFi link, so another user on the same network sees only encrypted packets going to the VPN server. Public WiFi privacy in 2026 covers specific attacks and what tools actually prevent them.

What’s the difference between a VPN and a proxy?

A proxy is an application-layer intermediary for one type of traffic, typically HTTP/HTTPS requests from your browser. It changes your apparent IP for those requests but adds no encryption of its own, doesn’t redirect DNS queries, and doesn’t touch traffic from other applications (email, apps, games). A VPN operates at the network layer and handles all traffic from all applications on the device; the routing is enforced by the operating system’s network stack, not by per-application configuration. The full comparison of VPN vs Tor vs proxy covers each model’s threat model and appropriate use cases.

Should I use a free VPN?

Almost always no. Running VPN infrastructure is expensive — servers, bandwidth, support, security audits. If the service is free, the cost is being paid somehow: advertising based on your traffic, selling connection data to data brokers, or using your device’s bandwidth for others. Some free VPNs have been caught doing exactly these things. There are legitimate free tiers — ORION/VPN’s free plan gives 10 GB/month — but the economics of unlimited free VPN service don’t work without a hidden revenue model. Are free VPNs safe? has a breakdown of documented cases and what to look for.

Can the VPN provider see what I do?

In principle, yes. The VPN server decrypts your traffic, forwards it to the destination, and receives the response. At that point of decryption, the provider could log your requests. Whether they actually do is a question of policy, jurisdiction, and audit. “No-log” claims are common and vary widely in what they actually mean — some providers are audited by independent firms against specific log retention claims; others are marketing copy with no verification. If this matters to your threat model, the provider’s jurisdiction, corporate structure, and audit history matter more than the privacy policy text.

Does my browser’s incognito mode work like a VPN?

No. Incognito mode prevents your browser from saving history, cookies, and form data on your local device. It does nothing to your network traffic — your ISP still sees the same requests, sites still see your IP address, and trackers still receive the same signals they do in a regular session. The only privacy benefit is local: other users of the same device won’t see your browsing history. It’s a useful tool for keeping sessions separate, not for privacy from network observers.

Do I need a VPN if I’m on HTTPS already?

HTTPS protects the content of your connection to a specific site: the server’s identity is checked against its certificate, and the payload is encrypted between your browser and that server. What it doesn’t hide is that you connected to that server at all, or where from. Your ISP sees your DNS queries, the server name sent in the clear in the TLS handshake, and the destination addresses even for fully HTTPS sites. A VPN adds an outer layer of encryption that hides this metadata (which domains you’re connecting to, at what times, in what volumes) from the networks between you and the VPN server. The two protections are complementary, not redundant. Your browser’s HTTPS connection already encrypts what you send; a VPN hides from your ISP that you sent it, and to whom.


ORION/VPN offers a free plan with 10 GB per month — enough for everyday privacy use without a subscription. For users who need to connect through environments that filter VPN traffic, Horizon transport makes your packets look like ordinary website connections on a standard port. For users who want maximum throughput on open networks, Wind transport skips the camouflage overhead and delivers raw speed. If you want to go deeper on how modern censorship infrastructure works and what it can and can’t detect, Internet censorship in 2026 and deep packet inspection explained are the next things to read.
