What Is a Virtual Private Network? VPN Server Guide
In February 2025, the US Department of Justice fined the crypto exchange OKX more than $500 million for AML and KYC failures. Seven months later OKX disclosed it had closed 14,000+ accounts in a single month for geolocation fraud. CoinDesk reported in November 2024 that Bybit, Bitget and OKX together had roughly one million US monthly active users, most arriving via VPN. None of those users thought they were doing anything risky. They were running the same off-the-shelf consumer VPN their employer used to protect Slack on hotel Wi-Fi. The product was the same. The legal context wasn't.
A virtual private network used to be one thing. In 2026 it is at least three, and the right one depends on what you are trying to do.
What Is a Virtual Private Network in Plain Terms?
A virtual private network is a service that does two jobs at once. Most explainers conflate them.
The first job is re-routing. Instead of your laptop connecting to a website directly through your home internet service provider, the connection runs through a VPN server somewhere else, then on to the website. The site sees the VPN server's IP address; your ISP sees a connection but cannot read internet traffic past it. That is the privacy half.
The second job is VPN encryption. Inside the VPN tunnel, traffic is wrapped in cryptography: ChaCha20-Poly1305 if you are running WireGuard, AES-256 if you are running OpenVPN, the most widely used open-source VPN. Anyone who intercepts a packet between you and the VPN server gets noise. That is the security half.
Two things follow that most marketing copy ignores. First, your ISP still sees that you are using a VPN; it just can't see what is inside. Second, somebody on the other end of the tunnel, the VPN service itself, can see everything your ISP used to. Trust doesn't disappear when you connect to a VPN. It moves.
How a VPN Works: Server Networks, Tunnels, IP Hop
Imagine a packet leaving your laptop in Brooklyn while you are connected to a VPN server in Frankfurt. The packet first hits a piece of software called the VPN client. The client wraps it in an outer packet using a tunneling protocol, encrypts the inside, and addresses the outside to the Frankfurt server. Your home router and your ISP route this outer packet across the public internet — they cannot read what's inside, only where it is going.
The Frankfurt server unwraps the packet, decrypts it, reads the original destination, say a news site in London, and forwards it on. The news site replies to Frankfurt; Frankfurt re-encrypts; Brooklyn unwraps. Round trip done. To the news site, you are visibly browsing from Germany.
Each "server" here is a real machine in a real data center, not a cloud abstraction. Data centers can be raided, subpoenaed, or simply badly run. Higher-end providers respond by running RAM-only servers: the operating system loads into memory at boot and writes nothing to disk, so a physical seizure yields a powered-off paperweight. NordVPN converted its fleet to RAM-only after the 2018 Finland datacenter incident, and Mullvad has run RAM-only since 2020.
The tunneling protocol decides how the wrapping happens. Wikipedia's history lists IPSec arriving in 1996, TLS/SSL adapted for tunneling and SSL VPN in 1999, OpenVPN in 2001, and WireGuard in 2015. An IPsec VPN remains the standard for site-to-site VPNs that connect one office to another over a public network. WireGuard was merged into the Linux kernel in 2020 with version 5.6, dramatically faster on Linux servers than any predecessor, which explains why almost every consumer VPN now builds on top of it. NordLynx and Lightway are proprietary forks with patched session handling.
VPN Protocols: WireGuard, OpenVPN, IKEv2 Compared
WireGuard won. The interesting question is why OpenVPN still ships, and the short answer is firewalls.
Independent benchmarks reported by ZhuqueVPN in 2025 measured WireGuard averaging 892 Mbps download with about 5.6% bandwidth overhead. OpenVPN on the same hardware averaged 702 Mbps with 25.7% overhead. Latency told the same story — 8.2 ms added by WireGuard versus 22.7 ms by OpenVPN. WireGuard is roughly 57% faster end to end, and its codebase is small enough — fewer than 4,000 lines — that independent auditors have actually read all of it.
OpenVPN is older, slower, and twenty times the size. But it can run over TCP on port 443, the same port HTTPS uses. That makes it indistinguishable, at the network layer, from regular web traffic, and therefore unblockable by most corporate firewalls and many national-level filters. WireGuard runs UDP-only by default; aggressive filtering can shut it down. Providers solve this with proprietary obfuscation layers, but if you are tunneling out of a hotel network in a country that doesn't approve of VPNs, OpenVPN-TCP is still the protocol you reach for.
IKEv2/IPsec is the third option and dominates mobile. Its trick is mobility — when an iPhone hops from Wi-Fi to cellular, IKEv2 can reattach the session in under a second without forcing the user to reconnect. WireGuard cannot, at least not without a vendor-side hack. That is why most native iOS VPN clients still ship IKEv2 as the default.
| Protocol | Avg throughput | Latency added | Bandwidth overhead | Best for |
|---|---|---|---|---|
| WireGuard | 892 Mbps | 8.2 ms | 5.6% | Default for desktop, fast home connections |
| IKEv2/IPsec | 815 Mbps | ~14 ms | ~12% | Mobile (Wi-Fi/cellular handoff) |
| OpenVPN | 702 Mbps | 22.7 ms | 25.7% | Restrictive networks, port 443 fallback |
| PPTP | obsolete | low | low | Do not use — encryption broken |
Source: ZhuqueVPN 2025 benchmark; provider published numbers.
Types of VPN Use: Mobile VPN, Site-to-Site, Remote
The word "VPN" covers three products that rarely overlap. Confusing them is how people end up paying for the wrong one.
A remote access VPN connects one user to one corporate network. The laptop dials into the company VPN gateway, runs through a quick VPN session, and gets an IP address inside the office network as if it were physically there. This is the kind your IT department gives you. An SSL VPN, which runs inside a browser without a separate VPN client, is a sub-type.
A site-to-site VPN connects one office to another. There is no per-user client; the encryption happens at the routers on each end, and every device on a network behind those routers sees the other office as a local network. Site-to-site VPNs are used by multinationals to glue together data centers across regions, often via VPN appliances from vendors like Cisco or Fortinet, with network protocols built around IPsec.
A consumer VPN connects one user to a server that forwards out to the open internet. The corporate VPN your employer issues will not let you watch BBC iPlayer; the Surfshark account you use to watch BBC iPlayer will not get you into your company's intranet. People who use VPNs at work and at home are usually paying for two separate products. A mobile VPN is a fourth category in marketing copy but technically just a consumer or remote access VPN with better roaming, usually IKEv2-based.
Benefits of Using a VPN, and Where It Stops Working
A VPN does four things well. Most listicles inflate the rest.
The first real benefit is online privacy from your ISP. After the US Congress repealed the FCC's broadband privacy rules in 2017, ISPs in many states have been free to package and sell DNS query logs. A secure VPN with enhanced privacy moves all of that network traffic out of the ISP's view. Your ISP knows you are connected to NordVPN. It cannot tell whether you are reading the Financial Times or shopping for running shoes.
The second is hostile-network protection. Hotel Wi-Fi, airport lounges, conference centers, café networks; any of them can be passively sniffed or run by an attacker who set up an SSID called "Marriott Free WiFi" without being part of Marriott. Use a VPN to encrypt every packet before it leaves the laptop, and the local network goes opaque. Connecting to a public Wi-Fi network without one is the original use case the technology was built to fix.
The third is geo-bypass. The website thinks you are wherever the VPN server is. Useful for streaming catalogs, regional pricing comparison, blocked-news access, and, increasingly with consequences, for crypto exchanges that have walled off your country.
The fourth is remote work. Most corporate VPNs exist for exactly this — granting authenticated employees encrypted access to internal systems from outside the office.
What a VPN does not do: it does not block malware, it does not block phishing, it does not anonymize you against websites that fingerprint your browser, and it does not make illegal activity legal. Security.org's 2025 consumer survey put usage at 60% privacy, 57% security, 23% streaming, 21% hide-from-ISP, and 59.3% work-related; categories overlap because most people use one VPN for several jobs.
Crypto Use Case: Why VPNs and Exchanges Now Collide
This is the section listicles avoid. For most of the last decade, switching on a VPN to log into a crypto exchange that didn't service your country was treated as a low-risk grey-area workaround. That period is over.
In February 2025 OKX paid more than $500 million in DOJ penalties to settle AML and KYC charges centered on US users it should never have onboarded. In September 2025 alone, OKX disclosed closing 14,000+ accounts for geolocation fraud, meaning the user's KYC documents and actual access location did not match. Binance now blocks withdrawals when a VPN connection is detected without matching residency documents on file. Bybit and Bitget have tightened similar checks across 2025.
The DOJ has now demonstrated, with a half-billion-dollar settlement, that the exchange is on the hook regardless of how the user got there. The rational response from any exchange is permanent account closure plus fund freeze on detection.
If you are using a VPN to access a financial service that has explicitly blocked your jurisdiction, treat the legal exposure the same way you would treat any other unlicensed financial activity. The detection technology is no longer naive. Exchanges cross-reference IP location against KYC documents, payment-rail metadata, and behavioral patterns. A clean-IP residential proxy is not a fix; it is evidence of intent if discovered.
For everything else crypto-adjacent, protecting a wallet's connection on hotel Wi-Fi, hiding which on-chain dashboard you visit from your ISP, or preventing a home address from leaking via WebRTC during a call, a VPN is still a useful tool. It just is not a regulatory cloak.
Choose the Right VPN: 2026 Buyer Checklist
Five questions actually matter when picking a VPN. Three marketing claims don't.
Start with the audit. "We don't keep logs" is meaningless without an external auditor signing off. NordVPN cleared its sixth no-log audit, by Deloitte under the ISAE 3000 standard, in February 2026. ExpressVPN passed its third by KPMG in June 2025. Proton VPN completed its fourth by Securitum in September 2025. Surfshark's most recent was Deloitte in June 2025. Mullvad runs Cure53 infrastructure audits. Anything older than 18 months should be a warning.
Jurisdiction matters next. Where the company is incorporated decides which government can compel data, and whether the compulsion can be issued under a gag order. Mullvad operates from Sweden, Proton from Switzerland, ExpressVPN from the British Virgin Islands, NordVPN from Panama. Five Eyes and Fourteen Eyes members can compel disclosure under foreign-intelligence sharing agreements.
Look for RAM-only servers and a tested kill switch. The kill switch cuts internet access the instant the VPN tunnel drops, so traffic never leaks through your real IP. Both features should be defaults, not paid add-ons.
Check protocol support. WireGuard or a derived protocol (NordLynx, Lightway) should be the default; OpenVPN for restrictive networks; IKEv2 for mobile. Reputable VPN apps expose all three so users can choose by server location and need.
Finally, watch the price. Long-term plans range from Mullvad's flat €5/month, the same price since 2009, no email required, accepting cash and Monero, through NordVPN's discounted ~$1.78/month two-year plan, Surfshark's ~$2.99 long-term, Proton VPN's $4 to $8 paid tiers, up to ExpressVPN's $12.99 monthly. The renewal price is what matters, not the introductory rate.
| Provider | Long-term price | Jurisdiction | Audits (latest) | Server count |
|---|---|---|---|---|
| NordVPN | ~$1.78/mo | Panama | 6 (Deloitte, Feb 2026) | 4,500+ / 100+ ctry |
| Surfshark | ~$2.99/mo | Netherlands | 2 (Deloitte, June 2025) | 17,500 / 127 loc |
| Proton VPN | $4–8/mo | Switzerland | 4 (Securitum, Sept 2025) | 3,000+ undisclosed |
| ExpressVPN | $12.99/mo basic | BVI | 3 (KPMG, June 2025) | undisclosed |
| Mullvad | €5/mo flat | Sweden | Cure53 infrastructure audits | 700+ / ~40 ctry |
Marketing claims that don't matter: "military-grade encryption" (everybody uses AES-256, the term is meaningless), unlimited bandwidth (table stakes), and raw server counts in the abstract. What matters is whether servers are RAM-only and where they sit.
Free VPNs and the Other Privacy Cliff
A free VPN inverts the entire premise of the product. Bandwidth and servers cost real money; if you are not paying for them, somebody else is, and that somebody is paying for your data.
Top10VPN's 2024 audit of 100 free Android VPN apps found that nearly 90% leaked data of some kind, ranging from DNS queries to full session metadata. A 2024 industry study cited by The Privacy Report found that 38% contained outright malware or active data harvesting code. Australia's ACCC concluded in 2023 that 75% of free VPNs shared user data with third parties. Kaspersky reported a 2.5x quarter-over-quarter spike in malicious apps disguised as free VPNs in Q3 2024. The Urban VPN Proxy app was caught in 2025 quietly harvesting AI chat conversations from users who had given it network access on the assumption it was just routing packets.
There are exceptions. Proton VPN's free tier and Windscribe's free tier are funded by upsell into paid plans and have been audited. They are slower and rate-limited, but they are not selling your traffic. Anything else marketed as "100% free unlimited VPN", particularly in the Google Play and App Store top-100, should be treated as adversarial software.
Where Using a VPN Is Restricted or Illegal in 2026
Using a VPN is fully legal in the United States, the UK, Canada, Australia, the EU, and most of Latin America. It is restricted, criminalized, or government-monopolized in a smaller and growing list of states.
Five countries operate outright bans: North Korea, Belarus, Oman, Turkmenistan, and Iraq. Four require government-approved providers only: China, Russia, Iran, and Myanmar. Iran passed a Feb 2024 law tightening this further. Russia removed more than 100 VPN apps from app stores during 2025. Turkey, the UAE, Egypt, and Vietnam fall into a "discouraged but not always prosecuted" category where the state can act when it wants to.
India is the unusual case. The country is a democracy, VPN use is legal, but the June 2022 CERT-In directive requires VPN providers to retain user identity, IP, and session data for five years and surrender it on request. ExpressVPN, NordVPN, Surfshark, and others responded by removing their physical servers from India and substituting "virtual India" servers hosted abroad. The end-user experience is mostly unchanged; the legal exposure is materially different.
Bottom line: When a VPN Earns Its $5 a Month
For travel, hostile networks, and ISP-side privacy, a paid audited VPN is worth a few dollars a month. For corporate work-from-anywhere, it is non-negotiable infrastructure. For regional Netflix walls, it is a low-stakes win.
For routing around financial enforcement, crypto exchanges, payment platforms, banks, the cost has crept up faster than the price tag. A VPN is a privacy and security tool. It has never been a regulatory escape hatch, and in 2026 the people enforcing the rules can prove it.
