Do You Use It? VPN Use Is Widespread

I travelled from Norway to Montana in October some years ago to fish. I was leaving Rock Creek and heading to Clark Canyon Reservoir. My goal was to fish in the Beaverhead River. As I was driving on Interstate 15, a snow-storm (this is what we call it in Norway, maybe it is called something else in US?) met me. I saw big trailers and cars that had turned over and lay by the side of the road.
Large signs declared that Monida Pass was closed. I wasn’t sure if this affected me, so I stopped to check. Googling “Montana traffic reports” led me to https://www.mdt.mt.gov/travinfo/detailed.aspx
I was met with this.

Screenshot 2025-05-26 at 23.09.121418×524 49.3 KB

One interesting thing is that this is becoming less important over time, thanks to so many corporate services being provided as cloud services.

At my first few jobs, my employers ran all their servers. If I wanted to access anything from home, there was no choice but to go in via a VPN. Or in the oldest case, dial-up login to a corporate modem pool.

But my current employer uses a lot of cloud-based services from a variety of vendors. Access requires authentication by corporate servers (which are also cloud-accessible), so most of what I need to do can be done without a VPN - I just need to have the required credentials (passwords, certificates, 2FA hardware) to log in. So although I still have and occasionally use VPN access, it’s not nearly as much as was the case 20 years ago.

I suspect this is going to be common for a lot of large corporations, since moving IT resources off-site to cloud services has been popular for quite some time now.

I use a vpn when I use someone else’s internet access to read my email.
Are you saying that that is not necessary if my email addresses are smtp protected?

It depends on how you’re reading it.

• If you’re reading mail via the mail provider’s web interface, then it is encrypted if it is using HTTPS URLs.
• If you’re reading mail via an app on your own computer/device, you need to make sure the IMAP/SMTP/POP connections are configured to use SSL/TLS. If not, then they will not be encrypted, which is bad, even on your own personal Internet access.
• If you’re reading mail on someone else’s computer, then that has potential problems beyond the network’s encryption, including:
  • If you create an account on the computer’s mail app, you need to be able to completely delete it when you’re done. If the computer has an automatic backup system (e.g. Time Machine), that may be easier said than done.
  • There may be malware present, which could record screens and keystrokes.

Without knowing the specific details, it’s impossible to be certain, but if your network connections (web, IMAP, POP, SMTP) are all using encrypted transports (HTTPS, SSL/TLS, etc.) then it is unlikely that a VPN will give you any additional security.

But if your network connections are not encrypted (which is always bad, no matter whose network it may be), then a good VPN will provide a layer of encryption, protecting the data moving between you and the VPN server.

But it won’t (and can’t) protect data moving between the VPN provider’s network and the destination server. Which could also be snooped, and could expose critical data if your apps are not using encrypted transports (like HTTPS and SSL/TLS) in addition to the VPN.

Oddly, we have several SaaS applications where we’ve implemented restrictions that they can only be used from trusted egress IP addresses (i.e., from one of our on-prem locations, or on the employer VPN). This is more to avoid the potential for threat actors to actively attack these systems, as traffic not matching a known source address is immediately dropped.
So, it’s “fun” for me - I’ll be working and all of a sudden realize I can’t get to something, and it’s because I didn’t enable the VPN that morning.

My work VPN is Global Protect. But personally, I was using ExpressVPN until Kape took over, then I switched to NordVPN (as there was a deal at the time).
One thing about the top four listed here (NordVPN, Proton, Express, Mullvad and also Surfshark) are they are trusted zero log vpn providers. This means they’ve been researched and checked against court cases that they have no logs of your browsing, connections or amount of data transmitted/received. I know it sounds nefarious, but in light of current political climate, leaving no traces for DHS, PRC and others is considered wise.

There are only 2 reasons to use a VPN:

a) Location shifting. You want to pretend to be located in a different country so you can access country specify restricted web services (such as streaming some BBC shows, watching your favorite sports team, or similar).

b) You work for a company that requires VPN access in order to access the company’s internal network. In this case the company will specify and provide the VPN client, along with connection details.

Don’t use VPN services:

I’m surprised iCloud Private Relay doesn’t even get a mention - esp in this audience, I’d wager it is included in a service you’re already paying for (iCloud subscription) and offers unique privacy guarantees ‘by design’ - Neither Apple nor the 3rd party access proxy can see the entire tunnel to connect the dots on who’s connecting where.

Perhaps still under-appreciated, its a technical marvel: About iCloud Private Relay - Apple Support

I only use 1.1.1.1 and iCloud Private Relay. Used to use Mullvad which is stable and fast.

Talking about Mullvad, they have many ads on bus and billboard in the UK and I wonder why they can spend a lot on ad.

3. Your ISP requires you to use their DNS, so they can inject targeted ads based on the sites you visit.

Is this still going on? I read about ad-injecting DNS years ago, when it was apparently the way some “free” dial-up services paid their bills, but I haven’t read anything about it since then.

FWIW, I’ve used Comcast and Verizon and they have no such restrictions. I have manually configured my systems for third-party DNS servers for many years. Today, I run my own on a Raspberry Pi, which resolves everything, starting from the IANA root servers and working down from there.

Ach, just forgot. iCloud Private Relay isn’t a VPN, but it provides some similar privacy protection through its double-relay approach. And it works only in Safari.

Egad, I had Comcast Business Internet from about 2021-2024 and so many things kept breaking. I finally discovered that Comcast were silently redirecting all TCP and UDP traffic to port 53 (DNS) to their own miserable DNS servers “because… SECURITY!” and that this feature could not be disabled. The redirection actually happened in the cable modem, so it was extremely difficult to route around it. This was still happening as late as August 2024 when I was finally able to say goodbye and good-riddance to Comcast.

At some point, they finally (after being threatened with violations of California’s net neutrality law) issued a modem firmware update that enabled a well-hidden switch to turn off their “Security Edge” antifeature which was the root of the problem, but it would still silently turn back on from time to time (presumably with modem firmware updates).

Interesting. I’ve had Comcast/XFinity residential service, in Northern Virginia, since 2014 and it has mostly just worked.

Of note:

• I am using my own cable modem and router. I stopped renting theirs after the first month, after I was certain that the line was working.

  Today, I’m using an Arris SB6190 cable modem, a Linksys MR8300 router and a few VHW01v1 Velop mesh nodes. I didn’t have any problem setting up any of it for use with my Comcast service.

• I have had no problem setting my hosts to Google DNS, back when that was of interest to me. Today, my Raspberry Pi running Bind provides my DNS, and has no problem accessing the root servers or any other server it needs to access in order to resolve names.

  I did encounter all kinds of poor DNS performance before I switched away, but I never encountered any roadblock when switching.

• In addition to DNS, that Raspberry Pi also acts as a DHCP server for my LAN, so my devices are all given my own DNS address and not Comcast’s.

I wonder if this is a difference between residential and business service. Or a regional thing. Or maybe a “feature” of leasing equipment.

When I saw NordVPN coming in high on the list it struck me as odd as it seemed I’d associated it with having been hacked and wondered why the (far more advanced than I) TBTalkers would favor it.
But I searched online for ‘nordvpn hacked’ and only came up with something from 2018-19 in which the company indicated it was a rather minimal event ie no credentials taken, traffic monitored etc.
Was there a more recent hack and/or are NordVPNers satisfied it’s safe to use?

Not that this is a terribly important distinction, but this didn’t sound right, so I checked. As it turns out, iCloud Private Relay also works in apps for non-encrypted traffic. I imagine, though, that most app traffic is encrypted. Well, it should be, anyway.

As a result, Private Relay protects all web browsing in Safari and unencrypted activity in apps, adding both privacy and security benefits.

Allison Sheridan of Podfeet/Nosillcast fame did a deep-dive analysis on this a while ago for her decision, as most sites that do “best VPN” lists are typically unreliable paid placements:

She (and I) chose PIA, for what it’s worth. It seems to work fine, and offers most features wanted/expected including split-tunnelling which is useful.

Have things changed with PIA since May 2022 to change our decision, I wonder? It’s very affordable at just $79 for 40-months ($1.975/mth) I recently renewed at.

That explains this:

image940×1058 119 KB

If you turn it back on here (Settings, Apple Account, iCloud, Private Relay), then you can’t turn it back off here. To turn it off for Safari, you do so here (Safari, Settings, Privacy Tab):

image1672×730 144 KB

The Transparency Project reports: TTP - Apple Offers Apps With Ties to Chinese Military":

"Millions of Americans [presumably even more non-Americans—MLS] have downloaded apps that secretly route their internet traffic through Chinese companies, according to an investigation by the Tech Transparency Project (TTP), including several that were recently owned by a sanctioned firm with links to China’s military.

“TTP’s investigation found that one in five of the top 100 free virtual private networks in the U.S. App Store during 2024 were surreptitiously owned by Chinese companies, which are obliged to hand over their users’ browsing data to the Chinese government under the country’s national security laws. Several of the apps traced back to Qihoo 360, a firm declared by the Defense Department to be a “Chinese Military Company.” Qihoo did not respond to questions about its app-related holdings."

I suspect this might be due to it being a business account, as they were pushing “Security Edge” – a business IT security product – when I ordered the service. I told them I didn’t want it, so they agreed not to provision it on my line, but then they did it anyway. When I then asked them to turn it off, they said they couldn’t.

They said in no uncertain terms that I could not do that and that they would cancel the service if I tried. The “Security Edge” antifeatures were mostly or entirely implemented in the modem/router.

The redirect occurred at a very low level in the protocol. I had a Pi-Hole and I could reconfigure the DNS server addresses on all my 50+ servers however I wanted (by name or IPv4 or IPv6 numerical address), but the requests still got silently redirected to Comcast DNS servers. That’s how they fell afoul of state net neutrality laws. But you could set up DNS however you wanted and never get any error messages, it’s just that the DNS requests went to the wrong servers. It caused me problems because (0) I was still doing security research at the time, and I started noticing that a lot of phishing landing page domains simply did not resolve for me, even though they were still being used in the wild, (1) I was running a mail server that used paid IP blocklist lookups that failed because the requests didn’t come from my IP addresses, (2) I’m a fan of DNS Toys which, of course, wouldn’t work at all from any system on my Comcast network, and (3) I maintained several remote DNS servers that did special resolution for internal corporate domains as well as geographically-determined resolution. It was when I started looking at those servers’ logs that I realized that, even using telnet to send requests directly to my own servers, those packets never actually arrived at my servers.

I’m wondering if you have any idea why people (other than those required by their employers) are using VPNs, given they provide little in the way of additional security and privacy, other than hiding DNS lookups. I understand the 52% who are using a VPN to bypass access restrictions. It’s the other half of the users I don’t understand. Are there a large number of users who falsely believe a VPN provides a level of additional security it doesn’t provide?

Somehow surprised that NordVPN is popular, but then again I have a subscription of my own and they frequently run deep discounts. And, sure, they’re useful for avoiding the odd geoblock or politically-motivated block of somewhere I want to go. This is not often, but it’s handy to have around.

Cloudflare 1.1.1.1/Warp wasn’t mentioned, but I use that one for my remote-access needs in addition to their SSO-protected reverse web proxy for home access with the Cloudflare Teams offering, which is the bundle of services that allow you to use the VPN to access your own resources through the tunnel that connects those resources to Cloudflare’s network. If you just want to protect your DNS queries, and that’s often all you want, then this would seem to be a great free option for always-on use; you can also easily go in and out of Warp mode on non-home/office Wi-Fi networks to send all your traffic to a local Cloudflare datacentre automatically and thereby have protection against trivial Wi-Fi snooping on public networks that you may visit, and this is also free for a limited amount of data, but which still makes it worthwhile if you travel to open hotspots infrequently and just need to protect your browsing history more comprehensively than DNS. Because I am using Cloudflare in split tunnel mode, only my home LAN goes through Warp, so I don’t use TLS on my home services that are behind my router, and I can always rely on the app to funnel my DNS queries to my home DNS server where I can handle them for my home LAN, as well as get around any blocking the network itself is doing on UDP/TCP port 53 (this is done on a lot of public networks merely to gather profiling data).

I am sympathetic to the criticisms of VPN marketing, but these services do have uses, and their existence isn’t a conspiracy. Just educate people about when they are or aren’t useful and make sensible choices for yourself about whether you need one. In general, I think using them for blocking avoidance, remote access, and trivial risk mitigation on open Wi-Fi networks have legitimacy.

Yes, I should have mentioned that. In fact, if you assume that nearly all traffic is encrypted, turning on iCloud Private Relay would at least anonymize all the remaining unencrypted traffic, meaning that using a VPN for security would be even less necessary.

I can’t quite parse what that overview says about DNS to know if it protects all DNS lookups or only those for traffic it’s routing.

Yeah, sorry. I’m having trouble wrapping my head around what 1.1.1.1/Warp really is, but it doesn’t seem to be a full VPN, even as it’s playing in the space.

As I understand it, 1.1.1.1 is just an alternative public DNS resolver that doesn’t log your lookups, thus keeping them away from your ISP.

From what I’ve seen in research, Warp is a VPN-like system that utilizes a customized WireGuard protocol to encrypt your traffic to Cloudflare’s edge network, making it more of a secure, encrypted proxy. It doesn’t hide your IP address from websites, allow location changes, or anonymize traffic like a VPN would.

It’s undoubtedly confusing. It delivers some of what consumer VPNs offer, much like Apple’s private Relay, but it’s intended less for privacy and location-hopping (which are accidents, if they happen at all) and more for securing and speeding up traffic on the first mile, essentially treating the client’s network as a dumb transmission medium and letting you use Cloudflare’s network for routing, as you say, not unlike a proxy.

When you use the 1.1.1.1 app, you can operate it in one of two basic modes: DoH and Warp.

In DoH mode, you just use it for DNS resolution: your DNS queries are encrypted with DoH, which keeps your DNS traffic private between you and Cloudflare, and because it looks like HTTPS traffic, it often works where other, standard DNS servers won’t work (or are being passively monitored) because DNS traffic is being redirected or blocked by the network.

In Warp mode, you forward some or all of your traffic to Cloudflare’s edge, which protects all of that traffic between you and Cloudflare. Cloudflare doesn’t intend that you should use it for privacy, but as a side-effect, your traffic comes from another IP address indicating your location (definitely true for the consumer version, I’m less clear on the Teams edition, however I’d expect there Cloudflare would make it possible to filter based on that information). Because Cloudflare operates a massive network, sometimes it works to your advantage to use Warp, because Cloudflare’s own interior routing is superior to that of the “best-effort” public Internet. More often than not, though, it just adds measurable latency and, if your connection is fast enough, it possibly limits your throughput as well. However, that first hop being encrypted is just the ticket if you’re on a Wi-Fi network, or any network where protocol-specific throttling/shaping/blocking is being done. And if you use Cloudflare Teams, you can hook up your own networks and web apps to their infrastructure, and reach it through the same Warp tunnel.

So yes, it doesn’t tick all the boxes for a commercial VPN, but I’d say it’s very useful in that, for most consumers, it’s essentially a more full-featured (and still free) version of iCloud Private Relay (which itself actually uses Cloudflare as one of its transit partners) that protects all your apps and devices.

NordVPN (26%): The most popular choice was NordVPN, which features a welcome option to disable itself on trusted networks.

I decided to give this service look and while the link loads with no issue in Safari, Chrome 137.0.7151.69 has concerns with the Nord site.

Screenshot 2025-06-07 at 9.06.36 PM1432×1692 283 KB

I use Private Internet Access (PIA). I have used PIA since 2013.
I did not reveal which VPN I use in this post

since I wanted to look into the mistrust because of Kape. Since then, I found this audit: Private Internet Access No Logs Policy Reviewed by Independent Firm
I am very happy with PIA. My latest project was to set up firewalld on RedHat 9 running on VMware on a Mac mini to block all but Norwegian IPs. My Apache web server logged a lot of traffic from all over the world. Before I started the project I used PIA on my MacBook Pro to access my web server via PIA from China, US, Germany, UK, and Brazil. My web server serves only me and a few friends in Norway. After I had implemented the block I did the same test with PIA. All requests were successfully blocked.