VPN myths debunked: 15 things people get wrong

Fexyn Team · 16 min read

VPN marketing has been polluting the conversation for fifteen years. Anonymous browsing. Military-grade encryption. Hacker protection. More servers than the competitor. Most of these claims are at best half-true and at worst flatly wrong, and they keep getting repeated because they sell subscriptions.

We sell subscriptions too. We are also tired of the noise. Below are fifteen VPN myths people still believe in 2026, with what is actually true, where the myth came from, and what you should do with the information.

1. "A VPN makes you anonymous"

False. A VPN hides your IP address from the websites you visit. That is a useful, narrow thing. It does not make you anonymous.

If you log into Gmail through a VPN, Google still knows you are you. If you pay for the VPN with your credit card, the VPN provider knows who you are. If your browser ships a unique fingerprint (it does), trackers can re-identify you across sessions even with a fresh IP. If you write the same way on every forum, stylometry catches you.

Genuine anonymity requires Tor, threat-modeling, separate identities, and operational security that nobody achieves accidentally. A commercial VPN is privacy infrastructure, not an anonymity tool. Anyone selling it as the latter is lying.

2. "A VPN protects you from hackers"

Mostly false. A VPN encrypts the network path between you and the VPN server. That blocks one specific class of attack: a network operator, attacker on the local Wi-Fi, or ISP reading your traffic.

It does nothing against:

  • Phishing emails. The link goes to the attacker regardless of which IP you connect from.
  • Malware. A VPN does not scan files or stop you from running a Trojan.
  • Account takeover from a leaked password. The attacker logs in as you.
  • Browser exploits. The exploit runs in your browser, encrypted or not.
  • Social engineering. The phone call still gets through.

A VPN is one layer of a defense stack. Calling it "hacker protection" is the kind of marketing copy that makes security people grind their teeth.

3. "Free VPNs are just as good"

Mostly false, with a narrow exception. The unspoken rule of free internet services is that if you are not paying, you are the product. Free VPNs have a long history of:

  • Selling user browsing data to advertisers and data brokers.
  • Injecting ads into web pages by intercepting unencrypted traffic.
  • Operating as residential proxy networks where free users' IPs are rented out to other parties (the 2018 Hola incident is the canonical case).
  • Logging connection data despite "no-logs" claims.
  • Quietly going out of business and exposing user data in the cleanup.

The exception: legitimate free tiers from companies whose paid product subsidises the free one. Windscribe gives 10 GB per month on a real product. ProtonVPN's free tier has unlimited bandwidth on three locations with reduced speeds. These are honest loss-leaders. They are not as fast or feature-complete as paid tiers, but they are not actively harmful.

If a VPN is free with no paid version anywhere on the site, assume the worst.

4. "More servers means a better VPN"

False as commonly stated. The "5,400+ servers" or "10,000+ servers" numbers in VPN marketing are mostly vanity metrics. Several reasons:

  • Many "servers" are virtual machines on shared hardware. One physical box can host fifty advertised "servers" in different countries.
  • Many entries are the same physical box with multiple IP addresses. NordVPN advertising 5,400+ servers across 60 countries does not mean 5,400 physical machines.
  • A handful of well-provisioned exits in the regions you actually use beats a thousand congested exits everywhere else.

What matters: the exit servers in the countries you connect to or from, the bandwidth available per user on those servers, and the routing path between you and the exit. Fexyn runs four exits today (Frankfurt, Helsinki, Cyprus, Ashburn). That is small. We are honest about it. If you need a low-latency Singapore exit we are not the right choice. The number printed on a competitor's homepage is not what makes their Singapore exit better than ours: their actual hardware in Singapore is.

5. "Military-grade encryption"

Meaningless marketing. There is no such thing as "military-grade" AES. AES-256 is AES-256. The same algorithm protects your VPN tunnel, your iMessage chats, and the encrypted volumes on a Pentagon laptop.

Calling AES-256 "military-grade" is like calling tap water "astronaut-grade hydrogen-oxygen compound." Technically not wrong, completely uninformative, sold as if it means something.

What actually varies between VPNs is the cryptographic protocol around the cipher (WireGuard's Noise framework versus OpenVPN's TLS handshake), the key exchange mechanism, the authentication scheme, and how the implementation handles edge cases like key rotation and replay protection. These are real engineering choices. None of them are summarised by the phrase "military-grade."

6. "VPNs slow your internet down a lot"

Out of date. This was largely true in the OpenVPN-on-poorly-tuned-hardware era of 2014. It is much less true with modern protocols on well-provisioned servers.

Real numbers in 2026: WireGuard typically loses under 5% of throughput on a nearby exit with a healthy connection. VLESS Reality (our Stealth protocol) loses 5-10% because of the TLS overhead it uses for censorship resistance. OpenVPN loses 10-25% depending on cipher and tunnel MTU.

Slowdown happens when the exit is far away (physics: light is slow at internet scale), when the exit is congested (provider problem), or when your ISP throttles VPN-shaped traffic (some do). For most users on most exits, the speed impact is unnoticeable for browsing, video calls, and 4K streaming. We have a longer write-up, "Does a VPN slow down your internet", that walks through measurements.

7. "VPNs are only for illegal activity"

False, and dated. The modal VPN user in 2026 is a person streaming a show that is geo-blocked in their country, a remote worker on hotel Wi-Fi, a journalist or activist in a censorship-heavy region, a gamer dodging ISP throttling, or someone who watched one too many documentaries about data brokers.

Surveys from VPN industry bodies put the legitimate-use share well above 90%. The "VPN equals piracy" framing is mostly leftover from VPN marketing in the 2010s aimed at torrent users, plus the predictable take from network operators who do not like users hiding their traffic.

For what it is worth, our take on whether VPNs are legal where you live is: yes in most countries, restricted in a handful of authoritarian states, and using one to commit a crime is still a crime regardless.

8. "My ISP doesn't track me"

False in most jurisdictions. ISPs in the US sell browsing data to advertisers (this has been legal at the federal level since the 2017 repeal of FCC privacy rules). UK ISPs are required to retain connection metadata for 12 months under the Investigatory Powers Act. Australian ISPs retain for two years. Russian ISPs implement deep packet inspection at scale. Most EU ISPs retain at least connection records under member-state implementations of the data retention rules.

Your ISP knows every domain you resolve via their DNS, every TLS SNI you send, every IP you connect to, when you connected, how long you stayed, and how much data you transferred. Whether they sell it, retain it, hand it over to law enforcement, or just analyse it for capacity planning depends on the ISP and the country. Assuming they do not is wishful thinking.

9. "All VPN protocols are basically the same"

False. WireGuard, OpenVPN, and VLESS Reality solve fundamentally different problems.

  • WireGuard is a minimal, fast, modern UDP protocol. About 4,000 lines of kernel code. Fast handshake, low overhead, easy to audit. Trivially fingerprintable and blocked in censored networks. Best when speed matters and the network is friendly.
  • OpenVPN is a 20-year-old protocol that runs over UDP or TCP, uses TLS for the handshake, and is heavyweight by modern standards. Wider compatibility, more configuration complexity. Reasonably hard to fingerprint when run in TCP mode on port 443 with TLS-Crypt, but DPI systems still catch it most of the time.
  • VLESS Reality is a censorship-resistance protocol designed to look indistinguishable from a real TLS connection to a major site (Apple, Microsoft, Google). It mimics the TLS 1.3 handshake of the cover site so closely that DPI systems cannot tell whether the traffic is going to that site or to the VPN. It is what works in China, Iran, and Russia in 2026.

We branded these Bolt (WireGuard), Secure (OpenVPN), and Stealth (VLESS Reality) in the desktop client because the technical names are not user-friendly. Same protocols. Different threat models. Pick based on the network you are on, not on a generic "best protocol" claim. See "VPN protocols compared" for the detailed take.
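Why WireGuard counts as "trivially fingerprintable", as an added example (not from the original post and not Fexyn's code): every WireGuard datagram starts with a one-byte message type and three zero bytes, and the three handshake messages have fixed lengths, so a passive observer can label the traffic without any keys. The payloads are constructed samples with random bytes in place of ciphertext; `classify`, `flow_verdict` and `constructed` are names chosen here.

```python
import os
import struct

# Fixed sizes of WireGuard's three handshake messages (bytes on the wire).
FIXED = {
    1: ("handshake initiation", 148),
    2: ("handshake response", 92),
    3: ("cookie reply", 64),
}


def classify(payload: bytes):
    """Label a UDP payload as a WireGuard message, or None if it cannot be one."""
    if len(payload) < 32:                      # smallest message is a 32-byte keepalive
        return None
    msg_type, reserved = payload[0], payload[1:4]
    if reserved != b"\x00\x00\x00":            # three reserved bytes are always zero
        return None
    if msg_type in FIXED:
        name, size = FIXED[msg_type]
        return name if len(payload) == size else None
    # Transport data: 16-byte header + plaintext padded to 16 + 16-byte tag.
    if msg_type == 4 and len(payload) % 16 == 0:
        return "transport data"
    return None


def flow_verdict(payloads):
    """Flag a flow that opens with a handshake initiation and never breaks the format."""
    labels = [classify(p) for p in payloads]
    return bool(labels) and labels[0] == "handshake initiation" and None not in labels


def constructed(msg_type: int, size: int) -> bytes:
    """Constructed sample: valid 4-byte header, random bytes where ciphertext would be."""
    return struct.pack("<I", msg_type) + os.urandom(size - 4)


if __name__ == "__main__":
    flow = [constructed(1, 148), constructed(2, 92), constructed(4, 32), constructed(4, 1312)]
    print([classify(p) for p in flow], flow_verdict(flow))
```
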

10. "I have nothing to hide, so I do not need a VPN"

Weak reasoning. The same logic says you do not need curtains, do not need an envelope around your tax return, do not need a password on your email. We all draw privacy lines somewhere. The question is where, not whether.

Privacy is the default state of well-designed systems, not a guilty admission. You encrypt your laptop disk because you do not want a thief reading it, not because you are hiding crime. You close the bathroom door for the same reason. A VPN is the same kind of thing for the network layer. The "nothing to hide" framing is a category error: it confuses "I am not committing a crime" with "I do not value privacy."

If you genuinely do not value privacy on the network layer, that is fine. Plenty of people do not. The argument should be "I do not value this kind of privacy" rather than "people who value it must be hiding something."

11. "A VPN protects everything you do online"

False. A VPN hides your network-layer metadata from your ISP and the destination's network. It does not protect:

  • Logged-in identity. Your Google account is still your Google account.
  • Cookies and trackers. A VPN changes your IP. Your cookies still identify you to the ad network.
  • Browser fingerprinting. Canvas fingerprint, WebGL fingerprint, font list, screen dimensions, timezone (if you do not change it), audio context fingerprint. Trackers re-identify you across sessions.
  • DNS unless properly configured. A misconfigured client leaks DNS to your ISP even with the tunnel up. We have a piece on DNS leaks.
  • WebRTC. Browsers can leak your real local IP through WebRTC unless blocked. See WebRTC leaks.
  • Active malware on your device. Already inside the trust boundary.

A VPN moves the trust boundary from your ISP to your VPN provider. That is a useful change. It is not a force field.

12. "Tor is better than a VPN"

False as stated. Tor and VPNs solve different problems. Tor is built for anonymity from your ISP, your local network, and the exit node, at the cost of speed and many web services blocking exit IPs. VPNs are built for general privacy and unblocking, at the cost of trusting one provider.

Use Tor when:

  • You are a journalist, activist, or researcher with a real adversary and need to break the link between you and the destination.
  • The destination explicitly supports onion services.
  • Speed does not matter.

Use a VPN when:

  • You want to watch geo-blocked content.
  • You are on hotel Wi-Fi.
  • You need a stable, fast, low-latency connection that streaming services and banks accept.
  • You want to hide metadata from your ISP without breaking everything else.

You can also chain them (Tor over VPN, VPN over Tor) for specific threat models, but most people do not need that. The framing of "X is better than Y" only makes sense relative to a goal. Pick the tool for the job.

13. "All commercial VPNs secretly log your traffic"

False as a generalisation. The truth is messier: some VPNs have been independently audited and have stood up to legal subpoenas without producing user data, some have been caught logging despite claiming otherwise, and most are unverified one way or the other.

Verified examples:

  • Mullvad has been audited multiple times, accepts cash payments, and famously had nothing to hand over when raided by Swedish police in 2023.
  • ProtonVPN publishes audit reports and a transparency report. The 2019 Riseup case showed they did log a single user when ordered to by Swiss courts (which is what their privacy policy disclosed all along).
  • PureVPN was caught in 2017 providing logs to the FBI in the Lin case despite a "no-logs" marketing line. They updated their policy and have been audited since, but the original marketing was a lie.

We do not yet have an independent third-party audit. We are planning one in 2026 and will publish the report in full when it lands. Until that happens, take our claims with the same skepticism you should apply to any provider that has not been audited yet.

14. "Browser-built-in VPNs are all you need"

Mostly false. Browser features marketed as VPNs (Brave's VPN, Opera's free VPN, Edge's "secure network") have caveats:

  • Browser scope only. They protect traffic that goes through that browser. Other apps (your email client, your Steam launcher, your background backup tool, your VoIP) leak normally.
  • Often a proxy, not a VPN. Opera's free "VPN" has historically been an HTTPS proxy, which is not the same thing. It does not encrypt the way a VPN tunnel does, and it does not necessarily block DNS leaks.
  • Limited locations and speeds. Useful for casual unblocking, not as a primary privacy tool.

If you only browse and you do nothing else online, a browser VPN is a real thing. For most people, it covers a third of their network footprint and gives a false sense of full coverage. A real system-level VPN is a different category.

15. "Kill switch is an optional feature"

False. A kill switch is the difference between a VPN that fails closed (no traffic leaks during a tunnel drop) and a VPN that fails open (your real IP and traffic leak for several seconds while reconnect happens).

Tunnels drop. Network changes (Wi-Fi to Ethernet, sleeping a laptop, switching networks) routinely break VPN tunnels. Servers occasionally fail. ISPs sometimes glitch. Without a kill switch, your real IP appears on the destination's logs during the drop. Your DNS queries go to your ISP. Your live video call connects unencrypted for the seconds it takes the client to detect the drop and reconnect.

A kernel-level kill switch (WFP filters on Windows, pf on macOS, nftables on Linux) blocks all non-VPN traffic at the OS level, so even if the VPN client crashes the firewall rules persist. An application-level kill switch is better than nothing but has detection latency.

We have a deeper piece on how kill switches actually work and what happens when your VPN disconnects. Either way: do not buy a VPN without one. If your current provider does not have one or does not enable it by default, that is a meaningful gap.
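The DNS-leak case from myth 11 and the fail-open versus fail-closed behaviour described here both come down to which interface the routing table picks for a packet. The added example below (not Fexyn's client code) runs longest-prefix matching over a constructed OpenVPN-style routing table and applies a fail-closed output policy to the result. The interface names, addresses and function names are assumptions, and only the main routing table is modelled.

```python
import ipaddress

# Constructed routing table with the tunnel up (not captured from a real host).
ROUTES_UP = [
    ("0.0.0.0/1", "tun0"),           # split default pushed by the VPN client
    ("128.0.0.0/1", "tun0"),
    ("0.0.0.0/0", "wlan0"),          # original default route, still present
    ("192.168.1.0/24", "wlan0"),     # directly connected LAN
    ("203.0.113.10/32", "wlan0"),    # the VPN server itself must bypass the tunnel
]
TUNNEL, VPN_SERVER = "tun0", "203.0.113.10"


def egress(routes, dst):
    """Longest-prefix match: the interface a packet to dst leaves by, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), dev) for p, dev in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def dns_leaks(routes, resolvers):
    """Resolvers whose queries bypass the tunnel even though it is up."""
    return [r for r in resolvers if egress(routes, r) != TUNNEL]


def tunnel_dropped(routes):
    """Routes that remain once the tunnel interface disappears."""
    return [(p, dev) for p, dev in routes if dev != TUNNEL]


def kill_switch_allows(dev, dst):
    """Fail-closed output policy: only tunnel, loopback and the VPN server pass."""
    return dev in (TUNNEL, "lo") or dst == VPN_SERVER


def outcome(routes, dst, kill_switch):
    """Where a packet to dst ends up: an interface name, or 'blocked'."""
    dev = egress(routes, dst)
    if dev is None or (kill_switch and not kill_switch_allows(dev, dst)):
        return "blocked"
    return dev


if __name__ == "__main__":
    down = tunnel_dropped(ROUTES_UP)
    print(dns_leaks(ROUTES_UP, ["192.168.1.1", "10.8.0.1"]))
    print(outcome(down, "198.51.100.7", False), outcome(down, "198.51.100.7", True))
```

A resolver on the LAN wins the route lookup because its /24 is more specific than the tunnel's /1 routes, which is the classic leak with the tunnel up. The same fail-closed policy that blocks traffic after a drop also blocks that leaking query.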

What to do with this

Most VPN myths exist because they sell subscriptions. The healthier framing is: a VPN is a specific tool for specific jobs. It hides your network metadata from your ISP, encrypts traffic on hostile networks, lets you appear to come from another country, and resists censorship if the protocol is right. That is a real, useful set of capabilities.

It is not anonymity. It is not hacker protection in the broad sense. It is not magic.

If you are choosing a provider, our "How to choose a VPN" walkthrough is the place to start. If you are still deciding whether you need one at all, "Do I actually need a VPN" is a more honest take than most listicles.

We offer a 7-day free trial because the only way to know whether a VPN earns its place in your life is to use it. Sign up, run it on the networks you actually use, see if it helps. Cancel within seven days if it does not. That is a fair deal.
