What is a VPN? The no-BS guide
A VPN is a service that wraps your internet traffic in an encrypted tunnel and forwards it through a server you choose. Your ISP sees an encrypted stream to that server. Websites see the server's IP, not yours. That is the whole product. Everything else marketed around VPNs is either a knock-on effect of those two facts or, frankly, hype.
This guide is the version we wish someone had given us when we first looked into VPNs. What changes when you turn one on, what does not change, when a VPN actually helps you, and when you are paying for nothing.
What a VPN actually does
When your VPN is off, your laptop talks directly to your ISP's network. The ISP routes your packets to whichever server you are visiting. The ISP sees the destination IPs and the domain names you look up. Sites you visit see your real IP address. Public Wi-Fi operators see the same.
Turn the VPN on and three things change.
Your traffic gets encrypted between your device and the VPN server. Your ISP can no longer read what you are sending. They see encrypted bytes flowing to one IP address: the VPN server. They cannot tell whether you are watching YouTube, downloading email, or reading Wikipedia.
Your DNS lookups go through the same tunnel. Domain name resolution (the step that turns example.com into an IP address) happens at the VPN provider's resolver instead of your ISP's. Your ISP no longer sees the list of domains you are visiting. The VPN provider does, which is part of why "no-logs" is the most important question you can ask a VPN.
Sites see the VPN server's IP, not yours. Whatever you visit gets a connection from the VPN exit IP. They cannot derive your home IP from that connection. They can still fingerprint your browser, identify your account if you log in, and read your cookies — those are not network-layer concerns.
That is the entire mechanism. Encryption between you and the server, DNS through the tunnel, traffic exits with a different IP. Nothing more.
What a VPN does NOT do
This is where most marketing collapses, so we will be specific.
A VPN does not make you anonymous. It moves the trust boundary, it does not erase one. Without a VPN, your ISP sees your activity. With a VPN, the VPN provider sees the same activity (minus content, since traffic to HTTPS sites is encrypted end-to-end). You have replaced one party with another. Whether that is an upgrade depends entirely on whether the VPN provider keeps logs and whether you trust them more than your ISP.
When you log into Gmail, Gmail still knows it is you. When Google's tracking pixels fire on the next site you visit, the tracking still works. It relies on your account, your browser fingerprint, and cookies, not your IP. A VPN cannot decouple your account from your browser.
A VPN does not protect you from phishing. If you click a malicious link and type your password into a fake login page, the VPN faithfully encrypts and forwards that password to the attacker. Tunneling does not inspect content. It does not know what is malicious.
A VPN does not make you cookie-immune or fingerprint-immune. Browser cookies persist across IP changes. Fingerprinting (canvas, fonts, screen resolution, hardware quirks) ignores network identity entirely. Connecting through a VPN does not reset the cookies your browser already accepted, and it does not shuffle the unique combination of attributes your browser advertises to every site.
A VPN does not stop ads, malware, or trackers by default. Some VPN providers bundle a DNS-based blocker. That feature is independent of the VPN itself; you can run a DNS blocker without a VPN, and you can run a VPN without a DNS blocker. Do not buy a VPN expecting an ad blocker.
A VPN does not encrypt traffic past the exit server. From the VPN server to the destination site, your packets travel the regular internet. If the destination site uses HTTPS (most of the web does in 2026), that leg is already encrypted by TLS. If it does not, your traffic exits the VPN and travels in the clear to the destination — same as it would without a VPN.
The mental model: a VPN is a private courier between you and a forwarding office. The courier ride is sealed. Once your mail leaves the forwarding office, it goes through the regular postal system. Whether the recipient ends up reading it depends on the recipient and the envelope, not the courier.
What a VPN is genuinely useful for
Three things, with honest caveats.
Privacy from your ISP and network operator. This is the strongest case. ISPs in many countries (US, UK, Australia, several EU members) can collect or are required to retain browsing metadata. Hotel and airport Wi-Fi operators often log everything that passes through. If you do not want your ISP building a profile of every domain you visit, a VPN moves that visibility off your ISP and onto the VPN provider, which makes the provider's logging policy the deciding factor. A no-logs provider is meaningfully more private than a US ISP for typical browsing. A logging provider in the same country as your ISP is, mathematically, no upgrade.
Geo-bypass for legitimate use cases. Streaming a service you pay for while travelling. Reading a news site that blocks your country. Accessing your home country's banking site from abroad. Downloading software that the publisher has region-restricted. These work because sites use IP geolocation; connect through a server in the target region and the site treats you as if you were there. We support 4 exit regions today: Frankfurt (DE), Helsinki (FI), Cyprus (CY), and Ashburn (US-VA). That covers EU-Central, EU-North, EU-South, and US-East. We do not pretend to have the 60-country global mesh that bigger providers advertise on their landing pages.
Security on untrusted networks. Coffee-shop Wi-Fi, hotel networks, conference Wi-Fi, airports. Even with HTTPS protecting the content of your sessions, a hostile network operator can still see which domains you connect to via Server Name Indication (SNI), and historically could downgrade or intercept connections that did not use HTTPS strictly. A VPN reduces the network operator's visibility to "encrypted bytes going to one server." For travellers and remote workers on rotating networks, this is a real benefit.
There are smaller use cases: bypassing rate-limiting on certain sites, evading IP-based bans, P2P traffic that some ISPs throttle. They are real but secondary.
How protocols differ
A VPN protocol is the specific cryptographic conversation your client has with the VPN server. The choice of protocol affects speed, reliability on hostile networks, and how detectable the connection is. Three are worth knowing.
WireGuard. The fastest protocol in production use. Minimal handshake, modern ciphers (ChaCha20-Poly1305 for traffic, X25519 for key exchange), and a kernel-friendly design. Connect time under a second on a warm path. Uses UDP. Easy to identify as VPN traffic if a network operator inspects packet sizes and timing, which is fine on most networks but gets flagged on a few. Fexyn ships WireGuard as our default protocol and brands it Bolt.
OpenVPN. The compatibility veteran. Older, slower, and chunkier than WireGuard, but it has been deployed for two decades and runs on networks where newer protocols stumble. Supports both UDP (faster) and TCP (more reliable on flaky networks). TLS-based handshake, configurable ciphers (AES-256-GCM is the modern default). Useful as a fallback when WireGuard is blocked or when you specifically need TCP transport. We brand it Secure.
VLESS Reality. A censorship-resistant protocol from the XRay project. Built around mimicking real TLS 1.3 to a real website (the "SNI" target). Network operators inspecting traffic see what looks like a TLS handshake to a popular legitimate site. Slower to set up than WireGuard and more sensitive to configuration, but it survives in environments where WireGuard and OpenVPN are blocked outright. We brand it Stealth and use the Vision flow (xtls-rprx-vision) for traffic.
You do not need to choose manually. A good client picks the right protocol for your network and falls back automatically when one fails. Fexyn's rotation engine starts with WireGuard for speed, falls back to VLESS Reality for hostile networks, and uses OpenVPN as the last-resort compatibility layer.
Trust model: you are replacing your ISP with someone else
This is the part that VPN marketing does not love.
Without a VPN: your ISP sees the metadata of your activity (domains, timestamps, bandwidth patterns). Your ISP is required by law in many jurisdictions to retain that data for some period and produce it on legal request.
With a VPN: your ISP sees an encrypted tunnel. The VPN provider sees the metadata your ISP used to see. Whether that is an upgrade depends on three questions.
Does the VPN provider keep logs that could identify you? If yes, you have not improved anything; you have just moved the data to a different company. If no, and this is verifiable, you have meaningfully reduced who can build a profile of your activity.
What is the provider's incentive structure? Free VPNs have to make money somewhere. Several have been caught logging and selling browsing data. Paid VPNs make money from subscriptions, which is less corrupting but not auditable.
Is the no-logs claim externally verified? A handful of providers have published audits from firms like Cure53, Deloitte, KPMG, or PricewaterhouseCoopers. Most have not. Fexyn has not yet; we are planning a third-party audit for 2026. Until that report is public, our no-logs posture is operational and stated, not externally verified. We say this on the record because the alternative is misleading you.
The honest version of the VPN value prop is: "we are a different party than your ISP, with a different business model and (ideally) a different jurisdiction. If you trust us more than them, the swap is an upgrade." That is real, but it is narrower than "anonymity."
When you don't need a VPN
VPN marketing tends to assume you should be running one 24/7. That is overkill for plenty of people. Skip the VPN when:
You are on a network you trust and not doing anything geo-restricted. Your home network, your office network, a friend's house. The network operator is you or someone you trust; HTTPS protects the content of your sessions; the marginal privacy gain is small. Many people leave their VPN off at home and only switch it on when they travel.
You are visiting only HTTPS sites and do not care about the metadata. TLS already encrypts the content of every connection to a modern website. Your ISP can see the domain (via SNI and DNS), but not what you read on it. If you do not consider the domain list itself sensitive, a VPN adds little.
You have no geo-bypass need. If your streaming services work from your country and the news sites you read are not region-locked, the geo-routing benefit is zero.
You need maximum bandwidth or lowest latency. A VPN adds a hop and an encryption step. The overhead is small (5-15% on WireGuard, more on OpenVPN) but real. Online gaming on a server far from a VPN exit will feel worse with the VPN on. Large file transfers are slightly slower.
You are using a VPN to evade tracking by services you log into. This does not work. Google knows it is you because you typed your Google password. Amazon knows it is you because you logged into Amazon. The VPN is invisible to the application layer.
A reasonable default for most people: VPN on for travel and untrusted networks, on if you want to consistently hide browsing metadata from your ISP, off otherwise. Some people run it always; that is a personal-threat-model decision, not a technical requirement.
What to actually evaluate when picking one
If you have decided you want a VPN, the questions that matter:
Logging policy and audit status. Read the privacy policy. Look for connection logs, traffic logs, and DNS logs to be explicitly absent. Look for an audit. If neither exists, downgrade your trust accordingly.
Jurisdiction. Five Eyes / Nine Eyes / Fourteen Eyes membership matters as a secondary factor after logging. A no-logs provider in the US is more private than a logging provider in Switzerland. We have a separate post on jurisdiction; the short version is that logging is the question, jurisdiction is the modifier.
Server count and locations relevant to you. "5,000 servers in 90 countries" is mostly marketing. What matters is whether the locations you actually need (your country, the streaming region you want, a low-latency exit for travel) are covered. Fewer high-quality servers beats many low-quality ones.
Kill switch and DNS leak protection. If your VPN drops, does your real IP leak? A kill switch blocks all traffic when the tunnel drops. DNS leak protection routes every DNS query through the tunnel. Both should be standard.
Refund window. Most reputable VPNs offer a 7-day to 30-day refund. Use it. The marketing copy is unreliable; testing on your actual networks is reliable. Fexyn offers a 7-day free trial: sign up, test on your real connection, decide.
Pricing. Real VPN infrastructure costs money. A "free" VPN is monetising you somehow, almost always through your data. Paid tiers vary widely; the differences in feature sets are often smaller than the differences in price. Our tiers run $9.99 (monthly) down to $2.99 (multi-year) and are listed transparently on the pricing page.
The bottom line
A VPN is a useful, narrow tool. It encrypts your traffic between you and a server, lets you appear to be browsing from somewhere else, and protects you on networks you do not trust. It does not anonymise you, it does not stop trackers, it does not block phishing, and it does not replace common sense.
If those three benefits (ISP privacy, geo-bypass, untrusted-network security) line up with your actual needs, a VPN is worth running. If they do not, you are paying for a feature you do not use. Either is fine. The right choice depends on what you are actually doing online.
FAQ
No. It replaces your ISP's visibility with the VPN provider's visibility, and changes the IP that websites see. Your account logins, browser fingerprint, and cookies still identify you to services that already know who you are. Anonymity requires a different toolset (Tor, compartmentalised accounts, hardened browsers).
They can see that you are connected to a VPN server (the IP address of the server, the encrypted bytes going back and forth, and the bandwidth pattern). They cannot see which sites you visit, which domains you look up, or what data is in those connections. Whether they can identify which VPN you are using depends on the protocol — WireGuard and OpenVPN are easily identifiable as VPN traffic; VLESS Reality is designed to look like normal HTTPS.
Probably not, unless you specifically want to keep browsing metadata from your ISP, you need to bypass a geo-restriction, or you have a privacy threat model that includes your home ISP. Most people run a VPN on travel networks and switch it off at home.
Treat free VPNs with serious skepticism. Operating VPN servers costs money. If you are not paying, you are usually the product, through ad injection, browsing-data resale, or worse. Several free VPNs have been caught logging and selling user data. Some are run by entities you would not trust if you knew who they were. The free tier of a paid provider with audited business practices is a different category.
A little. WireGuard adds about 5-10% overhead on most connections. OpenVPN adds 15-25%. Distance to the VPN server adds latency proportional to the distance. For typical browsing, streaming, and video calls, the overhead is invisible. For competitive gaming or massive file transfers, it is noticeable.
Yes, with caveats. Streaming services actively try to detect and block VPN exit IPs. Some VPNs invest heavily in unblocking work; others do not. The provider's track record on the specific service you want to use is the relevant signal. Test the refund window before committing.
Yes. HTTPS encrypts traffic end-to-end between your browser and the website. The VPN encrypts traffic between you and the VPN server. Past the VPN exit, your traffic is on the regular internet. Without HTTPS, the VPN provider and any network between the VPN exit and the site can read your traffic. Modern browsers default to HTTPS for almost everything; verify the padlock for sensitive pages.
A VPN tunnels all traffic from your device through an encrypted connection at the OS level. A proxy usually routes traffic for one application (typically a browser) and may not encrypt at all. Proxies are simpler and faster; VPNs cover more of your system and add real encryption.
Yes, by anything that does not rely on your IP. Cookies, account logins, browser fingerprinting, and behavioural signals all track you regardless of VPN status. The IP-based tracking layer changes; the rest does not.
Default to WireGuard (Bolt) for speed. Use VLESS Reality (Stealth) on networks that block VPNs (some workplaces, some countries, some ISPs). Use OpenVPN (Secure) when older infrastructure or specific compatibility issues require it. Fexyn picks automatically and falls back when one fails.