How to Choose and Set Up a VPN That Actually Works
A practical guide to picking a VPN, choosing the right protocol, and configuring it properly for real privacy. No brand names, just what matters.


Most people install a VPN and think they’ve gone invisible. Like some kind of digital invisibility cloak. Click connect, see the little lock icon, boom - totally anonymous, right?
Not even close. A VPN is a tool, and like any tool, it’s only useful if you set it up properly and understand what it actually does. A badly configured VPN gives you nothing but a false sense of security. And that’s worse than no VPN at all, because at least without one you know you’re exposed.
This guide covers what a VPN really does, how to pick one that isn’t a scam, which protocol to use, and how to plug the privacy leaks most people never think about.
Need a refresher? Here’s our simple explanation of what a VPN is. Short version: a VPN creates an encrypted tunnel between your device and a server somewhere else. Your ISP can’t see what you’re doing, and websites see the VPN server’s IP instead of yours.
Now, what it doesn’t do:
It doesn’t make you anonymous. Log into Google through a VPN and Google still knows who you are. A VPN hides your IP address, not your identity.
It doesn’t protect you from phishing or malware. Click a fake banking link and the VPN will happily encrypt that traffic straight to the attacker. It protects the pipe, not what flows through it.
It doesn’t hide you from your VPN provider. You’re shifting trust from your ISP to your VPN provider. Instead of your ISP seeing everything, your VPN provider could. That’s why choosing the right one matters.
So what is it good for? Stopping your ISP from logging your browsing data. Protecting yourself on public WiFi. Bypassing geo-restrictions. Genuinely useful - just don’t expect miracles.
The VPN market is a mess. Fake reviews, aggressive marketing, and “top 10 VPN” sites that are secretly owned by VPN companies. Here’s what actually matters.
No-logs policy - but verify it. Every provider claims no logs. It’s on every landing page. The question is whether they can prove it. Look for ones that back it up with independent security audits by reputable firms. An audit means a third party actually examined their infrastructure and confirmed they aren’t storing user data. Even better: some providers run servers entirely in RAM, so everything is wiped on reboot. No hard drives means no data to seize.
Open-source clients. If the app is open-source, anyone can look at the code and verify it does what the company claims. No hidden tracking, no secret logging. Closed-source apps are a black box. Not automatically bad, but open-source is a strong trust signal.
Avoid free VPNs. If you’re not paying, you’re the product. Free VPNs have been caught injecting ads into browsing, installing trackers, and even selling bandwidth from your device to third parties. The thing you’re trying to avoid is literally their business model.
Anonymous payment. The best providers accept crypto, cash, or gift cards. If privacy is the goal, paying with a credit card linked to your name kind of defeats the purpose. Not necessary for everyone - if you just want protection on coffee shop WiFi, paying normally is fine.
Server ownership. Does the provider actually own their servers or rent from data centers? Owning physical hardware means full control. Renting adds another party in the chain who could potentially access the infrastructure or respond to legal requests.
The country where your VPN provider is registered determines what laws apply to your data.
The Five Eyes alliance (US, UK, Canada, Australia, New Zealand) is a surveillance partnership that shares intelligence data freely. If your VPN provider is based in one of these countries, a court order in any of them could potentially force data disclosure. Then there’s the Nine Eyes (add Denmark, France, Netherlands, Norway) and Fourteen Eyes (add Germany, Belgium, Italy, Spain, Sweden). The further you go, the looser the cooperation, but it exists.
Does this mean you should never use a VPN based in these countries? Not necessarily. A truly no-logs provider has nothing to hand over regardless of jurisdiction. But all else being equal, look for providers in privacy-friendly countries like Switzerland, Iceland, Panama, or Romania - places with strong privacy laws and no Eyes alliance membership.
One important distinction people often confuse: where the provider is registered (legal jurisdiction) vs. where the server you connect to is located. The provider’s jurisdiction determines what legal requests they must comply with. The server location determines where your traffic appears to come from. If you have to prioritize, the provider’s jurisdiction matters more - that’s where legal pressure gets applied.
The protocol determines your encryption, speed, and actual security level.
| Protocol | Speed | Security | Verdict |
|---|---|---|---|
| WireGuard | Fast | Strong | Recommended |
| OpenVPN | Medium | Strong | Solid fallback |
| IKEv2/IPsec | Fast | Good | Good for mobile |
| L2TP/IPsec | Slow | Decent | Outdated |
| PPTP | Fast | Weak | Avoid |
WireGuard is the clear winner. About 4,000 lines of code vs. OpenVPN’s 100,000+. Fewer lines means fewer bugs and easier auditing, and it uses modern cryptography (ChaCha20, Curve25519). It’s faster, reconnects instantly on mobile, and uses less battery. If your provider supports it, use it.
OpenVPN is the reliable fallback - battle-tested, widely supported, solid with AES-256. Just slower and heavier.
IKEv2 handles network switching well, making it solid for mobile. Built into iOS, macOS, and Windows.
Everything else? Skip it. PPTP has known vulnerabilities from the early 2000s. If your provider still offers it, that’s a red flag.
Here’s the thing about commercial VPN providers: you’re still trusting someone else with your traffic. Even the best ones. You read their privacy policy, check their audit reports, and hope for the best.
Want to eliminate that trust problem entirely? Run your own VPN server.
Rent a small VPS in a privacy-friendly country, install WireGuard, connect your devices. Your traffic goes through an encrypted tunnel to a server only you control. No middleman, no logging policies to worry about. WireGuard’s minimal design means the config is just a few lines, not pages of options.
The trade-off: with a commercial VPN, your traffic blends with thousands of users on the same IP. With your own server, you’re the only user. For ISP privacy and public WiFi protection, that’s fine. For crowd anonymity, a commercial provider or Tor works better.
VPN connections drop sometimes. Your WiFi hiccups, the server restarts, your phone switches networks. And the moment your VPN drops, traffic goes straight through your regular connection with your real IP exposed. Even a few seconds is enough for DNS queries and background traffic to leak.
A kill switch blocks all internet traffic the moment the VPN disconnects. Nothing gets in or out until it reconnects. Think of it as a dead man’s switch for your privacy.
Find this setting in your VPN app and turn it on. Some call it “network lock” or “always-on VPN.” You can also set it up at the OS level with firewall rules - more reliable since it works even if the VPN app crashes.
Test it. Connect to your VPN, then deliberately disconnect it. If you can still browse, your kill switch isn’t working.
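An OS-level kill switch of the kind described above, as an added example (not from the original article): a shell function that prints an nftables ruleset dropping all outbound traffic except loopback, the tunnel, and the encrypted packets to the VPN server. The interface `wg0`, server address `203.0.113.10`, port `51820` and table name `vpn_killswitch` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build an nftables kill-switch ruleset for a VPN tunnel.
# Assumed values (not from the article): wg0, 203.0.113.10, UDP port 51820.

# Print the ruleset for tunnel interface $1, VPN server IPv4 $2, UDP port $3.
killswitch_ruleset() {
    tun_if=$1 endpoint_ip=$2 endpoint_port=$3

    # Accept only a plain interface name, a dotted quad and a numeric port,
    # so nothing unexpected ends up inside the generated ruleset.
    case $tun_if in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $tun_if" >&2; return 1 ;; esac
    case $endpoint_ip in ''|*[!0-9.]*) echo "bad IPv4 address: $endpoint_ip" >&2; return 1 ;; esac
    case $endpoint_port in ''|*[!0-9]*) echo "bad port: $endpoint_port" >&2; return 1 ;; esac

    cat <<EOF
table inet vpn_killswitch {
    chain output {
        # Default-deny everything this host sends, IPv4 and IPv6 alike.
        type filter hook output priority 0; policy drop;

        # Local services on loopback keep working.
        oifname "lo" accept

        # Anything routed into the tunnel is allowed.
        oifname "$tun_if" accept

        # The encrypted tunnel packets themselves must reach the VPN server.
        ip daddr $endpoint_ip udp dport $endpoint_port accept

        # DHCP on the physical link, so the lease can renew while locked down.
        udp sport 68 udp dport 67 accept
    }
}
EOF
}

# Load (as root):    killswitch_ruleset wg0 203.0.113.10 51820 | nft -f -
# Remove (as root):  nft delete table inet vpn_killswitch
```

Because the table lives in the kernel firewall, it keeps blocking if the VPN app crashes, and `oifname` matches by name so the rule stays valid while the tunnel interface is gone. It also blocks LAN traffic and any IPv6 that would leave outside the tunnel.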
Routing everything through a VPN slows things down and can break local services or trigger blocks from streaming platforms. Split tunneling lets you choose what goes through the VPN and what goes direct.
Some practical examples: send browsing and messaging through the VPN but let video streaming go direct. Route work apps through VPN but let personal browsing go direct. Most VPN apps support per-app routing (pick which apps use the VPN - simpler) or per-address routing (specify which destinations go through the VPN - more granular).
The security trade-off is obvious: anything you exclude from the VPN isn’t protected by it. Think about what actually needs protection. When in doubt, route everything and only exclude things that cause problems.
You could have the best VPN and still leak your entire browsing history through DNS. DNS translates website names into IP addresses, and by default those queries often go to your ISP’s servers - unencrypted, fully logged.
Many VPN apps handle this automatically by routing DNS through the tunnel. But not all of them do, and misconfigurations are common. If your DNS queries leak outside the tunnel, your ISP can see every website you visit even though the rest of your traffic is encrypted.
Fix it with encrypted DNS. Two main options: DNS over HTTPS (DoH) sends queries over regular HTTPS connections, making it hard to block because it looks like normal web traffic. DNS over TLS (DoT) uses a dedicated encrypted connection - slightly faster but easier to identify and block. Either is infinitely better than plain DNS.
Don’t use your ISP’s DNS. Pick a privacy-focused DNS provider that doesn’t log queries and supports encrypted DNS. Check our DNS recommendations for specific suggestions.
Test for leaks. After connecting your VPN, search “DNS leak test” and run one. These tools show you which DNS servers are handling your queries. If you see your ISP’s servers listed while connected, you have a leak. Fix your DNS configuration before doing anything else.
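A local complement to the web-based leak test, as an added example (not from the original article): it asks the kernel which interface each configured resolver would be reached through and flags any that bypass the tunnel. It assumes Linux with iproute2, resolvers listed in `/etc/resolv.conf`, and a tunnel interface named `wg0`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: verify that every configured DNS resolver is routed via the tunnel.
# Assumed (not from the article): Linux + iproute2, tunnel interface wg0.

# Ask the kernel which route it would use for address $1 (IPv4 or IPv6).
route_lookup() { ip -o route get "$1" 2>/dev/null; }

# Pull the interface name that follows "dev" out of one `ip route get` line.
egress_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print one verdict per nameserver in file $2 (default /etc/resolv.conf).
# Returns 1 if any resolver is reached outside tunnel interface $1.
dns_leak_check() {
    tun_if=$1 resolv=${2:-/etc/resolv.conf} bad=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$resolv"); do
        dev=$(route_lookup "$ns" | egress_dev)
        case $dev in
            "$tun_if") echo "ok    $ns via $dev" ;;
            # A loopback stub (e.g. a local caching resolver) forwards elsewhere:
            # its upstream servers need the same check.
            lo)        echo "stub  $ns is local; check its upstream servers too" ;;
            '')        echo "FAIL  $ns has no usable route"; bad=1 ;;
            *)         echo "LEAK  $ns via $dev"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Usage while connected:  dns_leak_check wg0 && echo "all resolvers use the tunnel"
```

This checks routing only: it shows where queries to the configured resolvers would go, not whether an application uses its own resolver (for example browser-level DoH).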
Check for IP leaks. After connecting, search “what is my IP” in a search engine. If you see your real IP, something is wrong. Also test for WebRTC leaks - some browsers leak your real IP through WebRTC even with a VPN active.
Handle IPv6. Many VPNs only tunnel IPv4 traffic. If your device also uses IPv6 (most modern ones do), that traffic might bypass the VPN entirely. Make sure your VPN supports IPv6 tunneling, or disable IPv6 on your device while connected.
Don’t forget your phone. Your phone leaks as much data as your computer - maybe more, with all the apps constantly phoning home. iPhone users, check our security hardening guide.
Be consistent with your identity. If your goal is anonymity, don’t log into accounts that identify you while on the VPN. The moment you sign into Gmail, Google knows who you are regardless of your IP.
For serious anonymity, consider Tor. A VPN gives privacy from your ISP and local network. If you need actual anonymity - like journalists or activists need - Tor is a different tool for a different threat model.
Strong authentication still matters. A VPN protects your connection, not your accounts. Use proper login security everywhere.
Your action plan:
Or go the extra mile: skip commercial providers and host your own WireGuard server. Full control, zero trust required.
A VPN won’t make you invisible. But a properly configured one will make you a much harder target. And in a world where everyone wants your data, that’s what matters.
For specific provider recommendations, check our resources page.