It seems that the Internet and social media (especially YouTube) are full of advertising for VPNs that will supposedly let you access the internet in a covert way, but what they don't tell you is that for most people a VPN does absolutely nothing except empty your wallet. VPN stands for Virtual Private Network, and VPNs have an important role when you want information encrypted between two endpoints. GEN uses a highly secure VPN (our SAS service) built on Juniper Pulse Secure which enables our customers to connect to our Intranet and from there access their companies' private networks. GEN SAS provides three important roles: (a) it authenticates the end user, (b) it encrypts all traffic from that end user to the Intranet, and (c) it provides for privilege enforcement so that some users can only access some resources from their company. End-user VPNs such as HMA, NordVPN, SuperVPN, UltraVPN, SafeVPN, CyberGhost, ExpressVPN, IPVanish, SaferVPN, PrivateVPN, Hotspot Shield, StrongVPN and many more advertise that they have Unlimited Bandwidth, Zero Logging and a plethora of technical misnomers to entice the uninformed into parting with their hard-earned cash for the promise of anonymity.
Will a VPN protect me?
That's very simple: as long as you don't use it on the same device you regularly use for internet access, then possibly, but it's unlikely. To understand exactly why, let's first look at what the VPN is actually doing for you.
How a VPN works
When you access the internet, traffic from your devices (PCs, tablets, etc.) goes to your router. The router has the job of forwarding your requests to the internet, receiving data back from the internet and relaying it to your devices. Your router will (usually) appear on the Internet as one IP address, and this IP address will either be fixed (static) or will change from time to time (dynamic). Your ISP knows which IP address you are using at any point in time because your router 'authenticates' with the ISP when it first connects. From the ISP's point of view your router is assigned an address from its pool (either the same one every time, static, or a random one, dynamic). Because your ISP knows which IP address you are using at any one time, and because 'most' ISPs use traffic shaping, they can prioritise or delay traffic of certain types, as well as maintaining logs of what you access and when. As a business ISP, we don't prioritise or delay anything, but for the purpose of this article we're going to assume the majority of our audience could be domestic users.
A VPN establishes a software 'tunnel' between your device and a server on the internet managed by your chosen VPN provider. Now all traffic that is sent to the internet will instead be sent through this tunnel, and the IP address that originates your traffic will be the IP address assigned to the VPN provider's server. Likewise, traffic received for you will be routed back through the same software tunnel to your device. A software VPN provides optional encryption of varying strength, and different providers will use different methods and strengths.
Using a Browser via the VPN
Using an Application via a VPN
So you've decided that you're never going to use a browser on your VPN, and that's a great start, but you should know that on Windows your operating system is communicating with Microsoft almost constantly, your antivirus product is communicating back to base constantly, and even your keyboard driver could well be calling home to check its version. So your identity is being given away on an almost constant basis to a wide and varied range of companies. Stopping this is pretty much impossible on Windows and macOS, but it is doable on Linux with some effort.
Using email via a VPN
Using email requires two things to happen. Firstly, your device needs to connect to the mail server which stores your email. For our customers that server is probably mail.genzone.net; this server records the fact that you have logged on to your mailbox, along with your current VPN IP. For GEN this information is only kept for 36 hours, after which time it's purged, but the majority of other email providers such as Microsoft (Office 365, Hotmail etc.), Google (Gmail, G Suite etc.) and many more will keep this information for considerably longer, and of course they will share it internally to connect your IP to your identity.
DNS is the Domain Name System and is used to convert a domain name, like www.gen.net.uk, into an IP address. When using a VPN, DNS queries SHOULD be intercepted and handled over the tunnel by the remote server, but this is often not the case, leaving DNS queries to be sent to your ISP. This allows your ISP to see every website you're visiting, but not the actual content, which will go over the VPN tunnel.
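One way to check for the DNS leak described above on a Linux machine, and more generally whether anything is leaving via the ISP path rather than the tunnel: parse the routing table and resolv.conf, do a longest-prefix match for each nameserver, and flag any that does not egress via the tunnel interface. This is an added example, not the article's or any VPN provider's code; the routes, addresses and interface names are constructed sample data.

```python
import ipaddress

# Constructed sample output of `ip route` with a VPN up (not from the article).
# The two /1 routes are the common way a VPN client overrides the default route;
# the host route to 203.0.113.10 is the VPN server itself, sent via the ISP gateway.
ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed /etc/resolv.conf: the VPN pushed its resolver, but the ISP router's
# resolver was left in place too, which is exactly the leak case.
RESOLV_CONF = """\
nameserver 10.8.0.1
nameserver 192.168.1.1
"""

def parse_routes(text):
    """Return a list of (network, device) pairs from `ip route` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)
        routes.append((net, parts[parts.index("dev") + 1]))
    return routes

def egress_device(ip, routes):
    """Longest-prefix match: which interface will packets to `ip` leave on?"""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def nameservers(resolv_text):
    return [l.split()[1] for l in resolv_text.splitlines() if l.startswith("nameserver")]

def dns_leaks(resolv_text, route_text, tunnel_dev="tun0"):
    """Nameservers that would be queried outside the VPN tunnel."""
    routes = parse_routes(route_text)
    return [ns for ns in nameservers(resolv_text) if egress_device(ns, routes) != tunnel_dev]

if __name__ == "__main__":
    print("DNS servers reached outside the tunnel:", dns_leaks(RESOLV_CONF, ROUTES))
```

On a real machine feed it the output of `ip route` and the contents of `/etc/resolv.conf`; any address it lists is a resolver your ISP can still see.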
Using a VPN to bypass GeoIP
Some commercial services such as video-on-demand will check the country associated with your IP address and reject those outside of coverage. In most cases this occurs with USA networks such as HBO, SYFY, Discovery etc., and using a VPN that allows you to connect to a server in the USA may temporarily bypass this restriction, assuming, that is, that you have a billing address and bank account in the USA to set up the account. Even then the performance is often so poor that watching video-on-demand from the USA over a VPN is problematic even if it works at all, and of course these companies are actively working to blacklist VPN service IPs.
Google, Facebook, Twitter and pretty much all commercial websites are actively working to add VPN servers to a list of banned IPs. Google, for example, rarely works from a VPN, instead complaining that 'unusual traffic' has been received, and video-on-demand services are also quick to blacklist VPN servers. The company MaxMind commercialises a maintained list of VPN IPs, explaining that "Anonymizers can cause headaches for companies attempting to identify who is visiting their website. The GeoIP2 Anonymous IP database provides insight into your traffic by identifying IP addresses which are used as various forms of anonymizers".
How can I be covert online?
There are certainly ways to do this, but it requires some discipline and structure. Firstly, the Tor Project provides a complete package of browser and VPN that's free to use and very secure (I recommend you make a small donation to the project if you use it regularly). You must still ABSOLUTELY NOT log in to any websites using this service, or once again you're identified, but you are otherwise reasonably covert. Applications and your email client cannot use Tor, so they will not give away your ID. (There are some situations where you can set up Tor to route all traffic, but this is not the default configuration, requires some work, and is definitely NOT recommended.)
Using a virtual machine, preferably Linux, can provide you with a 'covert' presence, since you will ONLY access the VPN via this virtual machine, and again providing you DO NOT log in to any websites or use any applications on your virtual machine that are shared with your local machine.
Breaking the VPN
A VPN by default is point to point, which means that you will have a tunnel from your device to a remote server managed by a company. This presents an inherent weakness in your protection, because by compromising the server you're connected to, both your identity and traffic can be exposed. VPN providers will tell you that there's zero logging, but that's rarely true, because if there was no logging then how could they validate your credentials and respond to any support requests? Even without logging, many of these providers are buying traffic from an ISP who certainly does log and probably captures traffic. Should an agency need to identify the user, they would only need to compromise one physical endpoint server in order to do so, and we know this has happened in the past.
Using a VPN service like many listed above will give you some limited protection, providing you are using a virtual machine and NEVER use credentials to connect to any website unless those credentials were created specifically from your virtual machine and never used elsewhere. It's hard work, and I'm not sure anyone going about their lawful business would want to put this much effort into being covert online. Servers operated by VPN providers are blacklisted constantly, so never pay for your VPN service more than a month in advance or you could find it no longer works for the purpose you intended.
Anyone serious about operating covertly online should consider using (a) multiple VPNs traversing several jurisdictions and (b) burn-boxes to perform online activity. Both solutions, again providing you NEVER EVER use the same credentials to log in, or the same browser, email or applications, in both your local and VPN/burn-box environments, can give you covert protection, but I must point out that it only takes one slip-up and you will be exposed and identifiable.