A VPN is a curtain, not a shield
A VPN hides your IP address. That is all. If you log into Google, use the same browser, accept cookies — those services know exactly who you are. The curtain does not help if you open the door yourself.
A VPN is a curtain, not a shield
The VPN industry is one of the most aggressively marketed sectors in tech. Every YouTube sponsor, every podcast advertisement — VPN providers claim you are “fully protected”, “anonymous” and “safe” when you use their product.
That is not accurate.
A VPN does one thing: it hides your IP address from the websites you visit, and hides which websites you visit from your internet provider. That is useful in the right context. But it does not solve most of the privacy problems people actually have — and the industry does not tell you that.
What actually happens when you turn on a VPN
Without a VPN, your connection looks like this:
You → Internet provider (sees everything) → Website (sees your IP)With a VPN:
You → VPN server → Website (sees VPN server IP)
↑
VPN provider (sees everything your provider would otherwise see)The only thing that changed: who sees your traffic. Your provider now only sees that you are connecting to a VPN server. The website sees the IP address of the VPN server instead of yours.
But someone still sees everything. You have shifted trust from your provider to the VPN provider. Whether that provider is worthy of that trust is a separate question.
Being logged in = being identified
This is where most people’s reasoning breaks down.
If you turn on your VPN and then log into Google, Google knows who you are. Not because Google sees your IP address — it cannot see that any more. But Google knows who you are because you entered your username and password. You identified yourself.
IP address is one of a hundred ways large services recognise you. When you are logged in, IP address is completely irrelevant. Your account is your identity.
The same applies to:
- Facebook, Instagram, WhatsApp (all Meta)
- Your email provider
- Your bank
- Your online shopping account
- Every service where you have created an account
A VPN changes nothing about this. You have hung a curtain in front of your window, but you are standing in front of the window waving.
Browser fingerprinting: identity without an IP
Even when you are not logged in anywhere, you are visible.
Every browser leaks a set of characteristics that together form a near-unique fingerprint:
- Screen resolution and colour depth
- Installed fonts
- Timezone and language
- Graphics card (via WebGL rendering)
- Browser version and extensions
- Whether you have a touchscreen
- How your cursor moves (on some sites)
This is called browser fingerprinting, and it works without cookies and without an IP address. An advertising network that has once linked your fingerprint to your identity (via a login moment, somewhere), can recognise you on every site that network serves — with or without a VPN.
coveryourtracks.eff.org shows how unique your browser currently looks.
Cookies: the most obvious tracker
Accept a cookie banner on a news site? That site stores a cookie in your browser. That cookie has a unique ID. The next time you visit that site — with or without a VPN, from whatever IP address — the site recognises you via that cookie.
Tracking cookies from advertising networks (Google Ads, Meta Pixel, and dozens of others) are shared between sites. One cookie can follow you across thousands of websites.
A VPN does nothing about this. Changing your IP address while carrying the same cookie is like wearing a hat while wearing a name badge on your chest.
VPN IP ranges are publicly known
The IP addresses of VPN servers are not secret. Companies like MaxMind maintain extensive databases linking IP addresses to providers, regions and types (data centre vs. consumer vs. VPN).
Many services use these databases. They see your VPN IP and know: this is a VPN server, probably in Amsterdam, from provider X. They cannot see who you are, but they know you are using a VPN.
Some services block VPN addresses entirely. Netflix does this. Certain banking apps do this. You simply cannot get through, regardless of which provider you use.
DNS leaks: when the curtain has a hole
A DNS leak is a situation where your VPN is active but your DNS requests — the lookups that translate domain names to IP addresses — still go through your regular internet provider.
That means: your provider does not see your traffic, but they do see every domain name you query. That is almost the same thing.
On GrapheneOS this is less of a problem because DNS is correctly configured through the built-in WireGuard configuration. On Windows or a standard router it is a real risk if the VPN software is not properly set up.
Check via dnsleaktest.com whether your DNS requests go through the VPN tunnel.
What a VPN is actually useful for
None of this means a VPN is worthless. It means you should use it correctly.
Good reasons to use a VPN:
Public Wi-Fi. In a café, hotel or at an airport, you do not know who manages the network. A VPN encrypts your traffic between your device and the VPN server — the network owner sees nothing usable.
You do not trust your provider. Providers in the Netherlands may not sell traffic data (GDPR), but they can technically see it. If you want to blind your provider, a VPN works for that.
Geo-blocking. Content only available in certain countries is accessible via a server in that country. This works, provided the service does not block VPN IP ranges.
Hiding your IP from a specific service. If you are creating a new account with a service and do not want your IP address in their database, a VPN helps. As long as you do not identify yourself further through that account.
Bad reasons to use a VPN:
- “I use Google but then privately” — that does not work
- “I want to be anonymous on social media” — that does not work as long as you are logged in
- “I want to be protected against hackers” — a VPN barely does anything for this
- “I want to download safely” — a VPN hides who you are, not what you are doing if you get caught
What real anonymity actually requires
Anonymity is much harder than turning on a VPN. It requires:
- A clean browser that does not leak fingerprinting information (Firefox with uBlock Origin and resistFingerprinting, or Tor Browser)
- Not logging into existing accounts from the anonymous session
- Not carrying over cookies from other sessions
- A VPN or Tor for IP anonymity
- Disciplined identity separation — never using your real name, email or phone number in the anonymous context
GrapheneOS makes this easier through the profiles system: you create a separate profile without Google accounts, install a clean browser there, and keep that profile strictly separated from your daily use. See our guide on GrapheneOS profiles.
The honest summary
A VPN is a curtain. It blocks the outside view of your IP address, and it blocks your provider’s view of which sites you visit.
But if you give away your identity yourself — by logging in, accepting cookies, using the same browser, or simply doing what most people do on the internet — that curtain does not help.
Buy a VPN if you want to blind your provider, use public Wi-Fi, or bypass geo-blocking. Do not buy it thinking it “handles” your privacy. Privacy is not handled by one product.
See also:
- Which VPN should you choose? — Mullvad, ProtonVPN and others compared