TL;DR
VPNs provide a privacy advantage if you don’t trust the local network or internet connection. But they do not provide a security advantage unless combined with a filtering technology. Plus they may create a privacy concern, if the VPN provider is using their service to collect data on their customers’ traffic.
Background
The Old Threat
Back in the olden days (let’s arbitrarily say before 2015), browsing to a website didn’t always use encryption - it was plain old HTTP without the trailing ‘S’ or the nice little padlock in the address bar. In that case, someone running an untrusted Wi-Fi network could capture all the traffic, and because it was unencrypted, read everything going back and forth between users and remote websites. An attacker could easily run a spoof Wi-Fi network in a cafe, hotel or airport, and hoover up loads of user data.
But these are the days of ubiquitous encryption - most modern browsers warn about HTTP, and will default to the HTTPS version of a site. Plus all the other traffic coming out of your laptop or phone is using the same or similar encryption. That means the same malicious attacker can still see what your device is talking to - be it a website or some other service with an address they can look up and attribute - but all the content is private and encrypted. So the worst case is some loss of privacy, not loss of security.
Ye Olde Enterprise VPN
Things were a little different within big companies. A traditional corporate VPN was used to connect your computer into the office network, as part of a now old fashioned model of keeping all company devices inside the safe office network. That meant you could access the other services running inside the office, like the old file share or accounting platform. Typically it would have been an enterprise VPN product that had an always-on user client, and often a VPN server (appliance) running in the office. The kind of device that nowadays you’ll most likely hear about because of a new zero-day vulnerability.
What about VPNs now, in the 2020s?
VPNs do seem to be increasingly popular, although the typical use-cases have shifted. Using a VPN to bypass local restrictions on certain platforms may now be the most common use case - from the ‘good’ justification of bypassing local restrictions implemented by authoritarian regimes, ‘neutral’ country switching to get a different range of streaming programs, to ‘bad’ attempts to bypass local enforcement of age restrictions for pornography. I’m using apostrophes to represent the general acceptability there.
Actual Security Benefits
VPNs could be good for security, if they are also providing a DNS service that does some kind of filtering of malicious content. This is the case for ProtonVPN and their Netshield offering, for example. NordVPN seems to have something similar, although their website isn’t clear that it’s a DNS filtering solution.
It’s worth pointing out that you don’t need a VPN to do this - there are free options like Cloudflare’s family service on 1.1.1.2. You can specify the default DNS provider on all user devices, and on most routers.[1]
It’s also worth pointing out the potential problem with such services: by pushing all of your traffic through a VPN service, you are guaranteeing that the service provider can see what sites and services you are using (but again, not the content of your traffic). That would clearly be a reduction in privacy, but thankfully most of the big services trumpet being a “no-log” service.
It’s not just me
I’m not alone in this opinion. One prominent example of consensus is from the relatively new Hacklore project, which is an admirable collective initiative to stop the spreading of common security misconceptions. On VPNs, Hacklore says:
VPNs can hide your IP address from the local network, but they’ll still see any unencrypted traffic that your apps or operating system transmit. For most people, the encryption built into your apps already provides strong protection. VPNs make sense only for specific use cases, like bypassing local censorship or connecting securely to a work network. Users of Apple products should consider using iCloud Private Relay service which is built into iPhones, iPads, and Macs, and which costs less than many commercial VPN services.
I didn’t know about iCloud Private Relay, so that’s a good tip.
Advice for Geeks
If you want an actual recommendation: I’ve used ProtonVPN in the past, and it’s easy to use and reasonably priced. But you don’t have to pay for a subscription for a VPN product: it’s hard to argue with setting up Pi-hole on a Raspberry Pi, which if set up as the default DNS provider blocks lots of advertising content for all devices on the local network, and also using that Pi as an exit node on a personal Tailscale network. That lets you connect your devices up, use the Pi-hole for DNS when out of the house, and gives you a VPN back to home. Plus the same setup can use Mullvad as an exit node, if you want a personal VPN that terminates somewhere other than home. You can do all this for almost free; it’ll just be the cost of buying and running a Pi.
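Whether you point devices at Cloudflare’s 1.1.1.2 (as in the Actual Security Benefits section) or at a Pi-hole reached over Tailscale, the way to confirm the filtering is really in effect is the same: resolve a name through an unfiltered resolver and through the filtering one, and compare. The following is an added example, not code from the original post; it builds and parses raw DNS A queries with the standard library and assumes the filtering resolver answers blocked names with 0.0.0.0 (the documented behaviour of Pi-hole’s default blocking mode and of Cloudflare’s family resolver). The filtering resolver’s address passed to check() is yours to fill in; for a Pi-hole that is whatever address your devices use for it.

```python
import random, socket, struct
SINKHOLE_ANSWERS = {"0.0.0.0"}  # what Pi-hole (default NULL mode) and Cloudflare's 1.1.1.2 answer for blocked names

def build_query(name, txid):
    """Minimal DNS A query (recursion desired) for name."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def _skip_name(buf, pos):  # advance past a (possibly compressed) domain name
    while buf[pos] != 0:
        if buf[pos] & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + buf[pos]
    return pos + 1

def parse_a_answers(resp, txid):
    """A-record addresses in a response; CNAMEs are skipped, an error RCODE (e.g. NXDOMAIN) gives []."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or flags & 0x000F:
        return []
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        pos = _skip_name(resp, pos) + 4
    ips = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return ips

def query(resolver, name, timeout=3.0):  # one UDP A query to resolver:53 (needs network)
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(512)
    return parse_a_answers(data, txid)

def classify(plain, filtered):  # compare an unfiltered resolver's answer with a filtering one's
    if not plain:
        return "unresolvable"  # does not resolve anyway, so says nothing about filtering
    if not filtered or all(ip in SINKHOLE_ANSWERS for ip in filtered):
        return "blocked"
    return "allowed"

def check(name, filtering="1.1.1.2"):  # Cloudflare's unfiltered 1.1.1.1 vs the filtering resolver
    return classify(query("1.1.1.1", name), query(filtering, name))
```

A name that the filtering resolver should block coming back as "allowed" from a device means that device is not actually using the filtering resolver, which is the router caveat in the notes.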
If you need more than a personal setup, for relatively low running costs you can run a WireGuard VPN service in the cloud.
Notes
[1] Some ISP-branded routers don’t allow you to configure the default DNS service, as they want you to use their own.