How a VPN Actually Works (Not How YouTube Tells You)
A Virtual Private Network encrypts the connection between your device and a remote server. That is the entire concept. When you turn on a VPN, your internet traffic gets wrapped in encryption before it leaves your phone or laptop. It travels to the VPN provider's server, gets unwrapped there, and then continues on to whatever website or service you were trying to reach. The website sees the VPN server's IP address, not yours. Your internet service provider sees encrypted traffic going to the VPN server, but cannot read what is inside it or see which websites you are visiting.
Two things change when a VPN is active. First, anyone between you and the VPN server (your ISP, the person running the coffee shop Wi-Fi, someone snooping on a public network) can no longer read your traffic. Second, the websites you visit cannot easily connect your activity to your real IP address or your physical location.
That is it. That is what a VPN does.
Now, if you have watched any YouTube video in the past four years, you have probably heard a very different story. VPN sponsors on YouTube would have you believe that turning on a VPN makes you invisible online, prevents all hacking, protects you from every cyber threat known to humanity, and probably also makes your hair shinier. I am exaggerating, but not by much. The typical sponsored segment goes something like: "hackers are stealing your data right now, but with [VPN brand], you can browse with complete safety." No, that is not how it works.
A VPN does not make you anonymous. Your VPN provider itself can see your traffic. You have not eliminated surveillance; you have moved it from your ISP to your VPN company. If the VPN provider logs your activity and hands it over when asked, or sells it to data brokers, you have gained nothing. If the VPN provider is genuinely trustworthy and keeps no logs, you have gained something meaningful but limited.
A VPN does not protect you from malware. If you download a dodgy APK from a random website, the VPN will happily encrypt that malware as it travels to your device. It does not inspect the content of your traffic for threats. It encrypts the pipe; it does not care what flows through it.
A VPN does not stop tracking by companies whose services you are logged into. If you are signed into Google and browsing with a VPN active, Google still knows it is you. Same for Facebook, Amazon, and every other service where you have an account and are logged in. The VPN hides your IP address from them, but your login session tells them exactly who you are. Tracking cookies, browser fingerprints, and logged-in sessions all work the same way with or without a VPN.
A VPN will not speed up your internet. Actually, it will slow it down. Your traffic is taking an extra hop through the VPN server, and the encryption and decryption process takes time. On a modern connection with a good provider, the slowdown might be 10 to 20 percent. On a slower mobile connection, it is more noticeable. Anyone who tells you a VPN can make your internet faster is either confused or lying. There is one narrow exception: if your ISP is throttling specific types of traffic (like video streaming) and the VPN prevents them from identifying that traffic, you might see better speeds for that specific use case. But that is ISP throttling being bypassed, not the VPN making anything faster.
A VPN does not protect you from phishing. If someone sends you a convincing fake email pretending to be from your bank and you click the link and type in your password, the VPN will not stop you. It encrypted the connection beautifully while you handed your credentials to a scammer.
I bring all of this up because the gap between what VPN companies claim in their advertising and what a VPN actually does is enormous. The product is useful for specific situations. But it is not a magic shield, and the marketing around it has been misleading for years.
Three Situations Where a VPN Genuinely Helps
So if a VPN is not the all-purpose security tool that YouTube sponsors pretend it is, when is it actually useful? There are three scenarios where I think a VPN provides real, tangible benefit.
Public Wi-Fi. This is the classic case and it is still valid. When you connect to Wi-Fi at an airport, a railway station, a hotel, or a coffee shop, you are sharing a network with strangers. On an improperly configured network, someone with basic tools can observe unencrypted traffic from other devices on the same network. Now, most websites use HTTPS these days, which already encrypts the connection between your browser and the website. But not all apps on your phone use HTTPS for every request. Some background services, some older apps, some poorly built apps send data in the clear. A VPN catches all of that, because it encrypts everything leaving your device, regardless of whether the app or website is using HTTPS. If you connect to public Wi-Fi regularly, running a VPN while connected is a sensible precaution.
ISP surveillance. Your internet service provider can see every domain you visit. They cannot read the content of HTTPS connections, but they can see that you visited a particular website at a particular time. In India, ISPs are subject to government data retention requirements and can be compelled to hand over browsing records. If you do not want your ISP building a complete record of every website you visit, a VPN breaks that visibility. Your ISP sees encrypted traffic going to a VPN server. That is all. For people who care about this, and more people should, a VPN is one of the few practical tools available.
Accessing region-restricted content or services. Some content and services are only available in certain countries. A VPN lets you connect through a server in another country and access those services. I am not going to pretend this is purely about "privacy." People use VPNs to access streaming libraries from other regions, to use services not available in India, and to get around content blocks. The legality of this depends on the service's terms of use and the specific content, but from a technical standpoint, it works.
Outside of these three situations, a VPN on your home broadband connection adds a modest layer of privacy by hiding your browsing from your ISP. Whether that is worth the small speed reduction and the monthly cost depends on how much you value that specific protection. For everyday browsing at home on a trusted network, it is a nice-to-have, not a need-to-have.
Free VPNs and Why Most Are Worse Than Nothing
Running VPN servers costs real money. Bandwidth, hardware, network infrastructure, engineering talent to maintain it all. When a VPN app on the Play Store is completely free, has no paid tier, and shows no obvious way of generating revenue, you should be asking a very specific question: who is paying for this?
The answer, in most cases, is you. With your data.
A study by CSIRO (the Commonwealth Scientific and Industrial Research Organisation) examined 283 Android VPN apps and found that 38 percent contained some form of malware or adware. Thirty-eight percent. More than one in three. Separate investigations over the years have found free VPN apps logging browsing history and selling it to advertising networks, injecting their own ads into web pages you visit, and in the case of Hola VPN, selling users' idle bandwidth so that other people's traffic was routed through your device. You were, without knowing it, an exit node for someone else's internet activity.
Think about what a VPN is. You are routing all of your internet traffic through someone else's server. If that someone else is untrustworthy, you have taken your traffic away from your ISP (which is at least regulated and has a reputation to maintain) and given it to a random company in a jurisdiction you cannot identify, with a privacy policy nobody has read, operated by people you will never be able to hold accountable. That is not an improvement. That is worse.
There are, of course, free VPN tiers from trustworthy companies. ProtonVPN, Windscribe, and a small number of other providers offer limited free plans funded by their paying subscribers. The difference is that these companies have a clear business model: paying customers fund the service, and the free tier exists to let people try the product before committing money. The encryption and privacy policy are identical to the paid plans. The limitations are on speed and server choice, not on how your data is treated.
ProtonVPN's free plan is unusual because it has no data cap. You can use it all month without hitting a limit. Free servers are available in three countries (the United States, the Netherlands, and Japan) and speeds are reduced compared to paid servers, but for occasional use on public Wi-Fi, it is more than enough. Windscribe gives you 10 GB per month on the free tier, across servers in more than ten countries, plus their built-in tracker-blocker called ROBERT. Ten gigabytes goes faster than you think if you stream video, but for regular browsing, it lasts a reasonable while.
If you need a free VPN, use one of these. If the free VPN you are considering is not from a company with a transparent paid business model, delete it.
ProtonVPN, Mullvad, and Windscribe: The Ones Worth Using
I am going to be specific about three providers because I have either used them myself or have enough trust in their track record to recommend them. I have no affiliate relationship with any of these companies. Nobody is paying me to say this.
ProtonVPN is run by the Swiss company behind ProtonMail. Switzerland has strong privacy laws and is outside the Five Eyes and Fourteen Eyes intelligence-sharing alliances. The free tier has no data cap, which I already mentioned. The paid plan, Proton VPN Plus, costs about 350 rupees per month when billed annually, which is roughly 4,200 rupees a year. For that, you get access to servers in over 90 countries, faster connection speeds, their NetShield ad-and-tracker blocker, Secure Core (which routes your traffic through two VPN servers instead of one for extra protection), and support for the WireGuard protocol.
Securitum, a European security firm, performed an independent audit of ProtonVPN's no-logs claim in 2022 and confirmed that the company was not storing identifiable user data. Proton has also published transparency reports showing government data requests they have received and what they were able to hand over (the answer is usually nothing, because they do not have the data). The apps are open-source, meaning the code is available for public review.
Mullvad is the most privacy-focused VPN I am aware of. You do not need an email address to create an account. The sign-up process generates a random account number, and that is your identity with the service. You can pay by mailing cash in an envelope, by cryptocurrency, or by card. The service costs a flat 5 euros per month, roughly 450 rupees, with no discounts for longer commitments. In April 2023, Swedish police showed up at Mullvad's offices with a search warrant. They left empty-handed because Mullvad had no customer data to give them. The company published a blog post about the incident the same day. Mozilla chose Mullvad's infrastructure to power Mozilla VPN, which says something about the level of trust the technical community places in them.
The downside of Mullvad is that it has no free tier and the apps are functional but not flashy. The server network is smaller than ProtonVPN's. If you want a VPN that works reliably, keeps nothing about you, and does not try to sell you a two-year plan at a "discount," Mullvad is it.
Windscribe comes from a Canadian company. The free plan gives you 10 GB per month, and the paid plan costs about 350 rupees monthly on annual billing. What sets Windscribe apart is the a-la-carte pricing model: if you only need access to servers in one or two countries, you can buy just those locations for less than the full plan. This is useful for people who only want a VPN to appear to be in a specific country and do not need worldwide access. ROBERT, their built-in blocker, handles ads, trackers, and malware domains at the DNS level, which means it works across all apps on your device, not just the browser.
A quick word about NordVPN and ExpressVPN, since these are the names most people have heard thanks to YouTube sponsorships. Both are now owned by Kape Technologies, a company previously known as Crossrider, which had a documented history in the adware and browser-extension-injection business before rebranding. Both NordVPN and ExpressVPN work fine technically. The encryption is standard AES-256, the apps are polished, the server networks are large. The concern is not about whether the software works; it is about whether you trust the company behind it. The "military-grade encryption" marketing they love to use is technically accurate (AES-256 is used by military organisations), but the phrasing is designed to make you feel more protected than a VPN alone can actually make you.
Speed differences between these providers are real but smaller than you might expect. On a 100 Mbps Jio Fiber or Airtel Xstream connection using WireGuard protocol, you can expect roughly 80 to 90 Mbps through ProtonVPN or Mullvad. WireGuard is measurably faster than the older OpenVPN protocol, often by 30 to 40 percent in throughput tests. If your VPN app defaults to OpenVPN, switching to WireGuard in the settings is the single easiest way to improve performance. Server distance matters too: an Indian user connecting to Singapore will get lower latency than connecting to the United States. For general privacy use, pick the nearest server.
VPNs and Indian Law: The Confusing Part
Using a VPN in India is legal. There is no law that prohibits individuals from using VPN software. Millions of Indians use VPNs for work, for privacy, for accessing content while travelling abroad. Corporate VPNs are a standard part of remote work infrastructure across the IT industry. Nothing about running a VPN on your personal device puts you on the wrong side of any statute.
Using a VPN to do something that is already illegal does not change the legality of that act. The VPN provides technical privacy, not legal immunity. If an activity is illegal without a VPN, it is equally illegal with one.
Where things get complicated is the CERT-In directive from April 2022. CERT-In (the Indian Computer Emergency Response Team, which operates under the Ministry of Electronics and Information Technology) issued a direction requiring VPN providers operating servers on Indian soil to maintain detailed logs of their users for a rolling period of five years. The required logs include subscriber names, validated physical and IP addresses, email addresses, time stamps, and usage patterns. This applies to VPN providers, cloud service providers, and data centres operating within India.
The response from privacy-focused VPN companies was swift and predictable. ProtonVPN, Mullvad, Windscribe, ExpressVPN, Surfshark, and several others pulled their physical servers out of India entirely. If there is no server hardware on Indian soil, the CERT-In directive does not apply to the provider. Indian users of these services now connect to servers located outside the country, most commonly in Singapore, the Netherlands, or Japan. Latency is slightly higher, but the connection still works perfectly well for everyday use. This is completely legal for the end user.
Some providers took a different approach. NordVPN and Surfshark set up what they call "virtual servers" for India. The user gets an Indian IP address, which is useful for accessing Indian services while abroad, but the physical server hardware sits in another country. The traffic routes through a foreign machine, so the CERT-In logging requirement does not apply. Whether Indian regulators view this arrangement as compliant or as a workaround they intend to close is not clear yet.
The broader regulatory picture is still developing. The Digital Personal Data Protection Act (DPDPA) was passed by Parliament in 2023, and the rules for its full implementation are being finalised. The Act deals primarily with how companies handle personal data, but its intersection with VPN usage and encrypted communications has not been fully tested. There have been occasional statements from government officials suggesting that stronger regulation of VPNs and encrypted messaging is being considered, but no concrete legislation has followed those statements so far.
For the average individual user in India right now, using a VPN is unrestricted, common, and draws no legal attention. India ranks among the top five countries globally for VPN downloads, according to data published by Atlas VPN. The demand is driven by a mix of privacy concerns, workplace requirements, and content access. Whether the regulatory stance shifts in the coming years is an open question nobody can answer with certainty.
The VPN market in India sits at an interesting point. Demand is high, regulation is uncertain, and most of the popular options are from companies based in countries India has no data-sharing agreement with. Whether that is a good thing or a bad thing depends on who you ask.