Think of a VPN as a postal P.O. box for internet traffic. Your device sends everything through an encrypted tunnel to the VPN server; the server forwards it to its destination. Any site you visit records the server's address and apparent location, not yours the EFF describes this substitution directly (EFF, late 2025). The rerouting is real. The invisibility isn't.

That substitution changes who can see your traffic, not whether anyone can. It moves that visibility from your ISP or local network operator over to your VPN provider. The trade only makes sense when your provider is more trustworthy than the network you're on. If it isn't, the cost is direct: the EFF warns that a disreputable service may deliberately collect the personal data you're trying to protect, meaning a poorly chosen VPN can expose more than using none at all (EFF, late 2025). Provider choice isn't a footnote; it's the precondition for any of the following use cases to hold.

The EFF's guidance on evaluating specific services is worth consulting before committing to a provider. The core concern is simple: a VPN shifts visibility from your ISP or local network to the VPN company. Whether that's an improvement depends entirely on which company you've chosen.

This is the classic use case, and it remains the most clear-cut. The EFF notes that corporations have long deployed VPNs to let employees reach internal systems from outside the office network (EFF, two years ago). The mechanism is the whole point: the destination system accepts connections only from authorized IP ranges, and the VPN makes your traffic appear to originate from one of them.

Remote workers accessing company intranets from hotels, students reaching university library databases restricted to campus addresses, researchers using institution-gated tools while traveling in every case, the destination checks your network origin before granting access. A VPN resolves that precisely. What it doesn't do is protect your device against other threats on the hotel or campus network itself. That's a separate problem, addressed next.

Coffee shops, airports, hotels, university guest networks: you have no visibility into how these networks are configured or who else is on them. The EFF has specifically recommended VPN use in coffee shops, universities, and similar shared environments, because the encrypted tunnel between your device and the VPN server limits what a passive observer on the same network can read (EFF, two years ago). Research on public Wi-Fi risks identifies VPNs alongside other security tools as measures that can "help reduce" these exposures not eliminate them (IJRITCC, 2024).

The qualification matters. In 2024, security researchers at Leviathan Security demonstrated that a malicious actor on your local network could abuse DHCP configuration specifically, a feature called Option 121 to push some traffic outside the VPN tunnel without breaking the connection or alerting the user. The EFF drew the boundary clearly: "there's a big difference between protecting your data in transit and protecting against all LAN attacks" VPNs were never designed for the latter (EFF, two years ago).

On public Wi-Fi, a VPN pairs well with protections that are free and work alongside it: HTTPS-by-default browsing, encrypted DNS, and end-to-end encrypted messaging apps each close different gaps that a VPN alone leaves open. Use it as one layer, not the whole stack.

Two distinct scenarios share the same mechanism but serve different needs.

The geo-block scenario has real-world documentation. When Florida's age-verification law took effect on January 1, 2025 that date matters because the block was immediate Pornhub chose to cut off all Florida users rather than comply. Google Trends data captured an immediate spike in VPN searches from Florida, because a connection routed through a server outside the state looked identical to any other out-of-state connection (EFF, early last year). The same pattern has played out elsewhere: the EFF observed that over the past few years, whenever a jurisdiction passes an access-restricting mandate, VPN usage surges among affected residents (EFF, late last year).

The technical reason this works also explains why legislative attempts to prevent it have run into problems. Websites cannot tell whether a VPN connection originated in Milwaukee, Michigan, or Mumbai the server address is what they see, as the EFF explains directly (EFF, late 2025). When Wisconsin legislators proposed requiring sites to block "VPN users from Wisconsin," they were demanding something the technology cannot deliver. Any site trying to comply faced the same impossible choice: block all VPN users everywhere, or risk liability in one state. After significant public pushback, Wisconsin removed the VPN-ban provision from the legislation early this year (EFF, updated earlier this year). Michigan has proposed similar legislation that did not advance, and UK officials have called VPNs "a loophole that needs closing," according to EFF reporting from late last year.

One limit worth naming upfront: as age-verification enforcement mechanisms grow more sophisticated, the EFF notes that VPNs may become less reliable at bypassing these restrictions over time (EFF, late 2025).

The elevated-risk scenario is for users whose network origin isn't a general privacy concern it's an operational one. Journalists protecting source confidentiality, people in unsafe domestic situations who don't want their location visible to someone monitoring their network, researchers accessing sensitive material professionally: their shared problem is that the IP address and approximate location their connection broadcasts is itself sensitive information. The EFF identified this population explicitly when describing who is harmed when VPN access is restricted: journalists, abuse survivors, students, businesses, and people who simply want privacy (EFF, late 2025). Substituting a server's IP for a home address reduces a concrete, identifiable exposure.

The limit applies here too. A VPN changes your network origin; it doesn't anonymize you. Cookies, fingerprinting, and account authentication all continue to work around it, so this protection is narrower than it might appear. For threat models requiring genuine anonymity, Tor remains the right instrument.

The decision is straightforward once the mechanism is clear. Run a VPN when you need to appear on a specific authorized network, when you're on infrastructure you don't control and want to limit passive monitoring, or when your IP address and apparent location are themselves sensitive. These are routing and location problems. A VPN solves routing and location problems.

Turn it off or don't bother starting when the problem is something else. Malware gets through a VPN. Phishing gets through a VPN. Cookie tracking, browser fingerprinting, and account-based surveillance all get through a VPN. A VPN doesn't touch any of them.

For readers who want to evaluate specific providers rather than take marketing claims at face value, the EFF's VPN guide is the most reliable public starting point. The central question is simple: does this company see your traffic, and can you trust it more than the network you're on? If the answer to the second part is no, you've traded one exposure for another.