A VPN encrypts your connection. It doesn’t make you invisible — but it makes you a lot less easy. Start with the device, then the VPN. In that order.
A VPN on a compromised device is a false sense of security. Lock down the laptop first.
Laptop Security Fundamentals
Windows:
- Use a strong password for your Windows account — not a PIN, not no password
- Enable Windows Hello (fingerprint or face) as a secondary method, not as the only method
- Enable BitLocker disk encryption: Control Panel → System and Security → BitLocker Drive Encryption → Turn On
- Require password on wake from sleep: Settings → Accounts → Sign-in Options → Require sign-in → Every time
- Auto-lock: Set screen to lock after 5 minutes of inactivity
macOS:
- FileVault: System Settings → Privacy & Security → FileVault — full disk encryption, turn it on
- Firewall: System Settings → Network → Firewall — enable it (it’s off by default, which is a strange choice by Apple)
- Gatekeeper: Already on by default. Verify under Privacy & Security — it prevents unsigned apps from running
- Lock screen: System Settings → Lock Screen — set to require password after 1 minute of inactivity
Linux:
- LUKS: Full disk encryption — set up during installation on most distros. If you didn’t enable it at install time, it’s painful to add later. Worth a reinstall if you’re serious about it
- Firewall:
sudo ufw enable— that’s it. UFW (Uncomplicated Firewall) does what it says on the tin - Screen lock: Configure in your DE settings. GNOME: Settings → Privacy → Screen Lock. KDE: System Settings → Screen Locking
- Secure Boot: Enable in BIOS if your distro supports it — Ubuntu and Fedora handle it well. Arch users, you already know what you’re doing
Strong Password Tips:
- Minimum 12 characters
- Mix of uppercase, lowercase, numbers, and symbols
- Do not use: names, birthdays, dictionary words, repeated characters
- Use a password manager (see the Password Managers section) — you only need to remember one master password
- Never reuse passwords across sites — if it’s easy to remember, it’s easy for them too
Do I Actually Need a VPN?
Honest answer: it depends.
When a VPN matters:
- Public WiFi (cafes, airports, hotels) — yes. Meaningful protection. You don’t know who else is on that network or what the router is doing
- Your ISP sells browsing data — yes. Many US ISPs do this. A VPN keeps them out of your business
- Geo-restricted content — yes, but that’s convenience, not security. Be honest with yourself about why you’re getting one
When a VPN is marginal:
- Home WiFi with a trustworthy ISP — for everyday browsing, the benefit is slim. HTTPS already encrypts the content of your traffic. Your ISP can see which sites you visit but not what you do on them
What a VPN does NOT do:
- Make you anonymous — you’re shifting trust, not eliminating it
- Protect you from phishing — you’ll click the same bad link with or without a VPN
- Secure a compromised device — malware on your machine doesn’t care about your encrypted tunnel
- Stop browser fingerprinting or cookie tracking
Bottom line: A VPN is a useful tool, not magic. Use it when the situation calls for it. Don’t pay $12/month because a YouTuber told you the internet is scary.
What Is a VPN?
A VPN (Virtual Private Network) creates an encrypted tunnel between your device and the internet. Your ISP, network administrators, and anyone on the same network see only encrypted traffic going to your VPN server — not the sites you visit.
What a VPN does:
- Encrypts your internet traffic on public WiFi
- Masks your IP address from websites you visit
- Prevents your ISP from seeing which sites you visit
- Allows access to geo-restricted content
You are moving trust from your ISP to your VPN provider. Choose one you trust. Use providers with verified, independently audited no-log policies.
VPN Protocols
Not all VPN tunnels are built the same. Here’s what matters:
- WireGuard: Fastest, modern, lightweight codebase. Recommended for most people. If your provider supports it, use it
- OpenVPN: Tried and tested over two decades. Slightly slower than WireGuard but widely supported and well-understood
- IKEv2: Good for mobile — handles network switching well (WiFi to cellular and back). Less common on desktop
Most providers default to WireGuard now. If yours doesn’t, switch to it manually in the app settings.
A Word About Free VPNs
If you’re not paying for the product, you are the product. This applies to a lot of things on the internet, but it applies especially to VPNs — because a VPN sees everything.
Free VPNs have been caught:
- Harvesting and selling user browsing data
- Injecting ads and tracking cookies into your traffic
- Selling your bandwidth as a residential proxy (your IP gets used by strangers)
- Mining cryptocurrency on your device
The exception: Proton VPN’s free tier is legitimate. It’s funded by paid users, has no ads, and is run by the same people who built ProtonMail. Limited server selection and speeds, but it’s honest.
If you can’t afford a paid VPN, use Proton VPN Free. Do not use a random free VPN from the app store.
Mullvad VPN
Mullvad is widely considered the most privacy-focused VPN available. It’s built for people who want privacy and nothing else.
What makes Mullvad different:
- No email to sign up — you get a random account number. That’s your identity. No name, no email, nothing
- Accepts cash by mail — put money in an envelope, mail it to Sweden. Maximum anonymity. They also take cryptocurrency
- Based in Sweden — strong privacy jurisdiction, no mandatory data retention for VPN providers
- Open-source clients, independently audited
- Supports WireGuard and OpenVPN
- Verified no-log policy — confirmed by third-party audits
- $5/month flat — no annual discounts, no multi-year deals. They don’t want your commitment data either
Kill Switch:
Path: Mullvad → Settings → Kill Switch
- Enable — blocks all traffic if the VPN drops. Mullvad actually enables this by default, which tells you something about their priorities
Tradeoffs:
- Fewer servers than NordVPN or Surfshark
- No streaming optimization features — if you want to unblock Netflix libraries, Mullvad isn’t trying to help you with that
- No flashy extras like breach monitoring or alternative IDs
Best for: People who want maximum privacy and don’t care about geo-unblocking Netflix. If privacy is the actual reason you’re getting a VPN, Mullvad is the answer.
NordVPN
Quick Connect:
- Open NordVPN → Quick Connect — automatically connects to the fastest server
- For specific countries: click the map or use the country list
Threat Protection:
Path: NordVPN → Settings → Threat Protection
- Enable Threat Protection — blocks malicious websites, ads, and trackers
- Set to Threat Protection Lite for DNS-level blocking if performance is a concern
Meshnet:
Path: NordVPN → Meshnet
- Creates a private encrypted network between your own devices
- Use for secure file sharing between devices without going through the open internet
Dark Web Monitor:
Path: NordVPN → Settings → Dark Web Monitor
- Enable — alerts you if your email address appears in known data breaches
Kill Switch:
Path: NordVPN → Settings → Kill Switch
- Enable Kill Switch — blocks all internet traffic if the VPN connection drops
- Prevents accidental exposure if the VPN disconnects unexpectedly
- Internet Kill Switch: Blocks all traffic — App Kill Switch: Only blocks specified apps
Kill Switch is the most important VPN setting most people never enable. Turn it on.
Surfshark
Note: Surfshark merged with Nord Security in 2022. Surfshark and NordVPN are now owned by the same parent company. If you’re choosing between them for redundancy or diversity — they’re the same company. Keep that in mind.
Alert (Breach Monitoring):
Path: Surfshark → Alert
- Enable Surfshark Alert — monitors your email address for data breaches and alerts you
Alternative ID:
Path: Surfshark → Alternative ID
- Generates a disposable email address and identity for online registrations
- Reduces exposure when signing up for services you don’t fully trust
Kill Switch:
Path: Surfshark → Settings → VPN Settings → Kill Switch
- Enable — same function as NordVPN’s Kill Switch; prevents traffic exposure on VPN drop
Antivirus:
Path: Surfshark → Antivirus (available on paid plans)
- Real-time malware scanning integrated with the VPN client
Proton VPN
NetShield (Ad and Malware Blocker):
Path: Proton VPN → Settings → NetShield
- Enable NetShield — DNS-level blocking of ads, trackers, and malware domains
- Set to “Block malware, ads, and trackers”
Kill Switch:
Path: Proton VPN → Settings → Kill Switch
- Enable — blocks all internet access if VPN disconnects
- Permanent Kill Switch: Blocks internet even when VPN is off — for maximum security
Why Proton VPN for privacy-focused folks:
- Based in Switzerland — under Swiss privacy law, not subject to US or EU data retention requirements
- Open source — code is publicly audited
- Verified no-log policy — independently audited
VPN Comparison
| Feature | Mullvad | NordVPN | Surfshark | Proton VPN |
|---|---|---|---|---|
| No-log policy | Yes (audited) | Yes (audited) | Yes (audited) | Yes (audited) |
| Kill Switch | Yes (on by default) | Yes | Yes | Yes |
| Ad/tracker blocking | DNS blocking | Threat Protection | CleanWeb | NetShield |
| Breach monitoring | — | Dark Web Monitor | Alert | — |
| Open source | Yes | Partial | No | Yes |
| Jurisdiction | Sweden | Panama | Netherlands* | Switzerland |
| Simultaneous devices | 5 | 6 | Unlimited | 10 (paid) |
| Anonymous signup | Yes (no email) | No | No | No |
| Price | $5/mo flat | ~$3–12/mo | ~$2–13/mo | Free–$10/mo |
| Default protocol | WireGuard | WireGuard | WireGuard | WireGuard |
*Surfshark and NordVPN are both owned by Nord Security as of 2022.
Encrypt your disk. Turn on your VPN’s Kill Switch. These are the two settings that most people skip and most people shouldn’t. Do them in that order — and pick your VPN based on why you actually need one.