VPN Security Guide: Encryption, Protocols, and Safe Habits

Key points

  • A VPN protects data in transit between your device and the server; that is its whole job.
  • AES-256-GCM and ChaCha20-Poly1305 are both strong; use a modern VPN protocol and avoid PPTP.
  • Enable the kill switch and auto-connect, then test them instead of assuming they work.
  • Phishing, malware, and weak passwords are outside a VPN's reach; updates and two-factor authentication cover those.

VPN ads talk about security in vague, dramatic terms. The reality is more specific and more useful. A VPN secures one thing: the path your data takes between your device and the VPN server. Done well, that closes off a whole class of network attacks.

But security is a chain, and the network path is one link. Your protocol settings, your app configuration, and your own habits make up the rest. A perfectly encrypted tunnel does not help if your password is "sunshine123" and you reuse it everywhere.

This guide walks the whole chain: how the encryption works, which settings matter, what a VPN will never protect you from, and the habits that close the gap.

What VPN Security Actually Covers

When your VPN is connected, everything your device sends is encrypted before it leaves. Anyone positioned on the path (the Wi-Fi owner, your internet provider, a stranger on the same hotel network) sees scrambled data going to one server. They cannot read it, and they cannot quietly modify it, because modern ciphers detect tampering as well as block reading.

That is the protection in full: confidentiality and integrity for data in transit, plus an IP address swap. It is genuinely valuable, especially on networks you do not control. The nuances of that situation are covered in our piece on staying safe on public Wi-Fi.

Notice what is missing from that list: your device itself, your accounts, and your judgment. A VPN guards the road, not the houses at either end. Keeping that boundary in mind will save you from the most common security mistake, which is assuming one tool covers everything.

Encryption: The Engine

Ciphers

The day-to-day scrambling is done by a symmetric cipher. The two you will see are AES-256-GCM, the long-standing standard used across banking and government, and ChaCha20-Poly1305, a newer design that is very fast on phones. Cryptographers consider both strong. There is no known practical way to break either one by force, and the difference between them in practice is speed on your hardware, not safety.

Handshakes and forward secrecy

Before any data flows, your device and the server perform a handshake: a public-key exchange that lets both sides compute the same session key without ever transmitting it. Good implementations rotate these keys during long sessions. That gives you forward secrecy, meaning a key exposed today could not unlock traffic captured last month.

Picking a Secure Protocol

The protocol bundles all these decisions together. Stick to a modern, well-reviewed protocol like the one vpn.now uses or OpenVPN. Both are open source, heavily reviewed, and free of known practical breaks. The protocol vpn.now uses earns trust through a tiny codebase that auditors can actually read in full. OpenVPN earns it through two decades of surviving real-world attacks.

What you should avoid is the old generation. PPTP is broken and has been for years. L2TP/IPsec with preshared keys is dated and easy to misconfigure. If an app offers them, leave them alone. For help choosing between the modern options, our protocol comparison guide breaks down speed, compatibility, and design philosophy.

Settings Worth Turning On

Kill switch

Tunnels drop sometimes. Wi-Fi blips, laptops sleep, networks change. Without a kill switch, your device falls back to the open network and keeps transmitting as if nothing happened. A kill switch blocks all traffic until the tunnel is back. Our kill switch explainer covers how to enable and test it on each platform.

Auto-connect on untrusted networks

Security that depends on remembering is security that fails. Set the app to connect automatically on any network you have not marked as trusted, and the protection stops being optional.

Split tunneling, with care

Split tunneling lets chosen apps bypass the VPN. It is handy for things like a printer or a banking app that dislikes VPN addresses, but every excluded app is unprotected. Use a short list and review it occasionally. Our guide to split tunneling trade-offs goes through sensible setups.

Tip: after setting up a kill switch, test it once. Connect the VPN, disable your Wi-Fi for ten seconds, re-enable it, and confirm no traffic flowed in between. A tested setting is worth ten assumed ones.
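One way to do the "confirm no traffic flowed" step in the tip above, as an added example that is not from any VPN vendor. It checks a packet summary recorded during the Wi-Fi toggle; the line format, interface names, and addresses are constructed for illustration, and treating local-network traffic as allowed is an assumption.

```python
import ipaddress

# Assumptions for this example (constructed values, adjust to your own setup):
TUNNEL_IFACE = "tun0"
VPN_ENDPOINT = ipaddress.ip_address("203.0.113.10")
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # DHCP and gateway chatter

# Constructed sample, IPv4 only: "<time> <iface> <src> -> <dst>:<port> <proto>"
SAMPLE = """\
12:00:01.004 wlan0 192.168.1.23 -> 203.0.113.10:1194 UDP
12:00:01.010 tun0 10.8.0.2 -> 192.0.2.80:443 TCP
12:00:12.500 wlan0 192.168.1.23 -> 192.168.1.1:67 UDP
12:00:12.731 wlan0 192.168.1.23 -> 198.51.100.53:53 UDP
12:00:12.902 wlan0 192.168.1.23 -> 192.0.2.80:443 TCP
12:00:14.100 wlan0 192.168.1.23 -> 203.0.113.10:1194 UDP
"""

def parse(line):
    """Split one summary line into the fields the leak check needs."""
    time, iface, _src, _arrow, dst, proto = line.split()
    host, _, port = dst.rpartition(":")
    return {"time": time, "iface": iface, "dst": ipaddress.ip_address(host),
            "port": int(port), "proto": proto}

def find_leaks(capture):
    """Return packets that left a physical interface for anywhere but the VPN server."""
    leaks = []
    for line in capture.splitlines():
        if not line.strip():
            continue
        pkt = parse(line)
        if pkt["iface"] in (TUNNEL_IFACE, "lo"):
            continue                      # inside the tunnel or loopback
        if pkt["dst"] == VPN_ENDPOINT or pkt["dst"] in LOCAL_NET:
            continue                      # encrypted carrier traffic or LAN housekeeping
        pkt["kind"] = "DNS" if pkt["port"] == 53 else "other"
        leaks.append(pkt)
    return leaks

if __name__ == "__main__":
    for pkt in find_leaks(SAMPLE):
        print(f'{pkt["time"]} LEAK ({pkt["kind"]}) via {pkt["iface"]} '
              f'to {pkt["dst"]}:{pkt["port"]} {pkt["proto"]}')
```

An empty result means the kill switch held; on the constructed sample it reports the DNS query and the HTTPS connection that went out over Wi-Fi while the tunnel was down.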

What a VPN Will Not Stop

This table is the part of VPN security most marketing leaves out:

Threat | Does a VPN help? | What actually helps
Phishing emails and fake login pages | No | Caution, a password manager, two-factor authentication
Malware and infected downloads | No | System updates, careful downloads, reputable software
Password reuse and account takeover | No | Unique passwords and two-factor authentication
Tracking via cookies and accounts | Slightly | Browser privacy settings, signing out
Snooping on your network traffic | Yes | This is the job a VPN does well

A VPN is one strong layer against one kind of threat. Treat any product that claims more as a red flag.

Habits That Complete the Chain

The cheapest security upgrades are behavioral. Keep your operating system, browser, and VPN app updated, because most real attacks exploit known bugs that patches already fixed. Use a password manager so every account gets a long unique password. Turn on two-factor authentication for email first, since email resets everything else.

Protect the VPN account itself the same way. It is a security product, so treat its password and your subscription email as sensitive. And judge your provider's own security posture: how servers are run, how keys are handled, and how incidents would be disclosed. We document our infrastructure choices on our security practices page so you can evaluate rather than guess.

Common Mistakes to Avoid

A few patterns come up again and again in support conversations, and all of them are easy to fix:

  • Treating the VPN as a force field. People relax their guard with the tunnel on and click links they would normally question. The VPN changed nothing about that risk.
  • Leaving the kill switch off after testing. If you turned it off to troubleshoot something, set a reminder to turn it back on.
  • Excluding a browser through split tunneling and forgetting. Months later, your main browsing has been outside the tunnel the whole time. Review the exclusion list whenever you update the app.
  • Running an ancient app version. Updates carry security fixes. An outdated VPN client is the one piece of this system you fully control, so let it update itself.
  • Using one password everywhere, including the VPN account. One leaked database elsewhere then opens your security tool too.

Using a VPN safely on a shared or family computer

When more than one person uses the same computer, a VPN only solves part of the problem. vpn.now protects the network connection, but it does not separate what one person does from what the next person sees. If your sister opens the browser after you, she may land in your saved logins, your history, and your downloads. The VPN cannot hide those things from someone sitting at the same machine.

The first habit is simple: do not stay signed in to your vpn.now account on a computer other people use. That account controls your connections and your settings. Anyone left signed in can change them. Sign out when you step away, and sign back in when you need it.

The next step is to keep people apart at the level of the computer itself, not just the browser. A few things help here:

  • Set up a separate operating-system user account for each person, so browsing, downloads, and saved passwords stay in their own space.
  • Avoid sharing one browser profile, since saved logins and history carry over to whoever opens it next.
  • On a child's device, turn on auto-connect so the VPN starts on its own, and lock the settings so protection is not switched off by accident.

The honest point is that a shared machine moves a lot of the work onto you. Account separation and sign-out habits matter as much as the VPN itself. vpn.now guards the path your traffic takes across the network, but keeping users apart on one computer is a job the computer's own accounts do best.

Summary

VPN security in a few lines:

  • A VPN encrypts data in transit between your device and the server, and that is the protection it offers.
  • AES-256-GCM and ChaCha20-Poly1305 are both strong. Protocol choice is about fit, not broken versus safe.
  • Use a modern protocol like the one vpn.now uses or OpenVPN. Avoid PPTP and other legacy protocols entirely.
  • A kill switch and auto-connect turn good intentions into reliable protection.
  • Split tunneling removes protection from excluded apps, so keep the list short.
  • Phishing, malware, and weak passwords are outside a VPN's reach. Updates, a password manager, and two-factor authentication cover that ground.

Frequently asked questions

How secure is VPN encryption?
Modern VPN ciphers like AES-256-GCM and ChaCha20-Poly1305 have no known practical attacks. In real incidents, failures come from weak passwords, misconfiguration, or phishing, not from broken encryption.
Do I really need a kill switch?
If you rely on the VPN for privacy, yes. Without one, a dropped tunnel lets your device silently fall back to the open network, often without you noticing. A kill switch blocks traffic until the tunnel returns.
Is split tunneling a security risk?
It can be if used carelessly. Split tunneling sends chosen apps outside the tunnel, so those apps lose VPN protection. Use it only for traffic you are comfortable exposing, and review the list now and then.
Can a VPN protect me from hackers?
It protects against network-level snooping, especially on public Wi-Fi. It does not stop phishing, malware, or attacks on your accounts. Strong unique passwords and two-factor authentication cover those.