Many of us use a VPN to protect ourselves online. To hide our IP address, to bypass geo-blocks, to encrypt our traffic — and maybe most importantly, to stay anonymous. But a lot of people forget to ask the most basic question: Is your VPN really secure? Or does it just feel that way?

Traffic and DNS – often overlooked

When you’re browsing, your traffic is usually encrypted with HTTPS. That gives a decent level of security — especially if the TLS version is up to date. But what about everything outside the browser?

A lot of apps and background services send data too, and they don’t use HTTPS. This is where the VPN is supposed to step in. But does it actually secure everything? What about your DNS traffic? Are your DNS requests still going to your ISP’s servers, where they can be logged or monitored? DNS leaks are still common — and most people don’t notice.

Test yourself – what are you leaking?

Before you get too confident, try running a few tests. There are websites that show exactly what you’re exposing — even with a VPN turned on:

• https://ipleak.net

• https://browserleaks.com

• https://dnsleaktest.com

• https://www.doileak.com

These will show you your IP, your DNS servers, WebRTC leaks, IPv6 activity, and a bunch of fingerprinting data from your browser. You might be surprised how much slips through.

Just because it worked once doesn’t mean it still does

Here’s the key: you need to test regularly. Just because everything looked fine last year doesn’t mean it still is.

Browsers and VPN clients update all the time. A new version might change default settings, open new ports, or silently re-enable WebRTC. Something that was secure can become insecure overnight — even if you didn’t touch anything.

The same goes for your operating system. A Windows or macOS update can mess with network routing, DNS priorities, or how your virtual machines handle traffic. It’s worth making regular checks part of your routine.

VPN ≠ anonymity

Sure, a VPN hides your IP. But that doesn’t mean you’re anonymous. Your VPN provider still knows who you are. If their privacy policy is vague and they’re based in a country that’s happy to hand over user data, you’re just trusting someone else with your info.

Where is your VPN based?

The location of your VPN provider actually matters. Some countries have strict surveillance laws and force companies to hand over user data, even without notifying the user.

Don’t expect true anonymity from a provider based in the US, UK, or Australia, for example — countries known for broad government access to data. Even a “no-logs” policy can fall apart if the law says otherwise.

Providers like Proton (based in Switzerland) still have a good reputation for transparency and security. But things change — companies get bought, policies shift, and trust can erode. It’s worth keeping an eye on.

Your browser matters – and they’re not all the same

Brave has become popular among privacy-conscious users. It blocks ads and trackers by default, and it even includes a Tor-powered tab for extra private browsing (though it’s not the same as using the real Tor Browser).

If you’re looking for something more focused on anonymity and minimizing fingerprinting, check out Mullvad Browser. It’s built on the Tor Browser, but without the Tor network, and it’s designed to make you blend in and leak as little data as possible. Combine that with a solid VPN and you’re in decent shape.

Using a VM? Don’t assume you’re covered

A classic mistake: running a VPN on your host machine and assuming your virtual machine (VM) is protected too. Not necessarily. VMs often have their own network interface and separate routing. Just because the host is connected through a VPN doesn’t mean the VM traffic is.

If you’re not sure the host system guarantees anonymity, it’s better to install and run the VPN inside the VM itself. That way, the traffic you care about is directly protected from the inside out.

And if anonymity and security are truly critical — let’s say you’re researching sensitive topics or sharing something you want completely detached from your identity — consider deleting the VM after use. Better yet, use systems like Tails or Whonix, which are specifically built to leave no trace and route all traffic through Tor by default.

So what should you actually do?

1. Test your VPN — and test it often. Sites like ipleak.net are a good start.

2. Check for DNS and WebRTC leaks. A VPN isn’t much use if those are leaking.

3. Pay attention to your VPN’s location and ownership. It matters.

4. Use a privacy-focused browser. Brave and Mullvad Browser are solid options — Arc, not so much.

5. Think through your full setup. VPN on your host, but what about your VM? What about apps outside the browser? Your phone?

Using a VPN shouldn’t be about a little padlock icon in your browser. It should be about understanding your own traffic. Do you know where your data goes when you hit Enter?