Do You Use It? VPN Use Is Widespread

I suspect this might be due to it being a business account, as they were pushing “Security Edge” – a business IT security product – when I ordered the service. I told them I didn’t want it, so they agreed not to provision it on my line, but then they did it anyway. When I then asked them to turn it off, they said they couldn’t.

They said in no uncertain terms that I could not do that and that they would cancel the service if I tried. The “Security Edge” antifeatures were mostly or entirely implemented in the modem/router.

The redirect occurred at a very low level in the protocol. I had a Pi-Hole and I could reconfigure the DNS server addresses on all my 50+ servers however I wanted (by name or IPv4 or IPv6 numerical address), but the requests still got silently redirected to Comcast DNS servers. That’s how they fell afoul of state net neutrality laws. But you could set up DNS however you wanted and never get any error messages, it’s just that the DNS requests went to the wrong servers. It caused me problems because (0) I was still doing security research at the time, and I started noticing that a lot of phishing landing page domains simply did not resolve for me, even though they were still being used in the wild, (1) I was running a mail server that used paid IP blocklist lookups that failed because the requests didn’t come from my IP addresses, (2) I’m a fan of DNS Toys which, of course, wouldn’t work at all from any system on my Comcast network, and (3) I maintained several remote DNS servers that did special resolution for internal corporate domains as well as geographically-determined resolution. It was when I started looking at those servers’ logs that I realized that, even using telnet to send requests directly to my own servers, those packets never actually arrived at my servers.

I’m wondering if you have any idea why people (other than those required by their employers) are using VPNs, given they provide little in the way of additional security and privacy, other than hiding DNS lookups. I understand the 52% who are using a VPN to bypass access restrictions. It’s the other half of the users I don’t understand. Are there a large number of users who falsely believe a VPN provides a level of additional security it doesn’t provide?

Somehow surprised that NordVPN is popular, but then again I have a subscription of my own and they frequently run deep discounts. And, sure, they’re useful for avoiding the odd geoblock or politically-motivated block of somewhere I want to go. This is not often, but it’s handy to have around.

Cloudflare 1.1.1.1/Warp wasn’t mentioned, but I use that one for my remote-access needs in addition to their SSO-protected reverse web proxy for home access with the Cloudflare Teams offering, which is the bundle of services that allow you to use the VPN to access your own resources through the tunnel that connects those resources to Cloudflare’s network. If you just want to protect your DNS queries, and that’s often all you want, then this would seem to be a great free option for always-on use; you can also easily go in and out of Warp mode on non-home/office Wi-Fi networks to send all your traffic to a local Cloudflare datacentre automatically and thereby have protection against trivial Wi-Fi snooping on public networks that you may visit, and this is also free for a limited amount of data, but which still makes it worthwhile if you travel to open hotspots infrequently and just need to protect your browsing history more comprehensively than DNS. Because I am using Cloudflare in split tunnel mode, only my home LAN goes through Warp, so I don’t use TLS on my home services that are behind my router, and I can always rely on the app to funnel my DNS queries to my home DNS server where I can handle them for my home LAN, as well as get around any blocking the network itself is doing on UDP/TCP port 53 (this is done on a lot of public networks merely to gather profiling data).

I am sympathetic to the criticisms of VPN marketing, but these services do have uses, and their existence isn’t a conspiracy. Just educate people about when they are or aren’t useful and make sensible choices for yourself about whether you need one. In general, I think using them for blocking avoidance, remote access, and trivial risk mitigation on open Wi-Fi networks have legitimacy.

Yes, I should have mentioned that. In fact, if you assume that nearly all traffic is encrypted, turning on iCloud Private Relay would at least anonymize all the remaining unencrypted traffic, meaning that using a VPN for security would be even less necessary.

I can’t quite parse what that overview says about DNS to know if it protects all DNS lookups or only those for traffic it’s routing.

Yeah, sorry. I’m having trouble wrapping my head around what 1.1.1.1/Warp really is, but it doesn’t seem to be a full VPN, even as it’s playing in the space.

As I understand it, 1.1.1.1 is just an alternative public DNS resolver that doesn’t log your lookups, thus keeping them away from your ISP.

From what I’ve seen in research, Warp is a VPN-like system that utilizes a customized WireGuard protocol to encrypt your traffic to Cloudflare’s edge network, making it more of a secure, encrypted proxy. It doesn’t hide your IP address from websites, allow location changes, or anonymize traffic like a VPN would.


It’s undoubtedly confusing. It delivers some of what consumer VPNs offer, much like Apple’s Private Relay, but it’s intended less for privacy and location-hopping (which are accidents, if they happen at all) and more for securing and speeding up traffic on the first mile, essentially treating the client’s network as a dumb transmission medium and letting you use Cloudflare’s network for routing, as you say, not unlike a proxy.

When you use the 1.1.1.1 app, you can operate it in one of two basic modes: DoH and Warp.

In DoH mode, you just use it for DNS resolution: your DNS queries are encrypted with DoH, which keeps your DNS traffic private between you and Cloudflare, and because it looks like HTTPS traffic, it often works where other, standard DNS servers won’t work (or are being passively monitored) because DNS traffic is being redirected or blocked by the network.

In Warp mode, you forward some or all of your traffic to Cloudflare’s edge, which protects all of that traffic between you and Cloudflare. Cloudflare doesn’t intend that you should use it for privacy, but as a side-effect, your traffic comes from another IP address indicating your location (definitely true for the consumer version, I’m less clear on the Teams edition, however I’d expect there Cloudflare would make it possible to filter based on that information). Because Cloudflare operates a massive network, sometimes it works to your advantage to use Warp, because Cloudflare’s own interior routing is superior to that of the “best-effort” public Internet. More often than not, though, it just adds measurable latency and, if your connection is fast enough, it possibly limits your throughput as well. However, that first hop being encrypted is just the ticket if you’re on a Wi-Fi network, or any network where protocol-specific throttling/shaping/blocking is being done. And if you use Cloudflare Teams, you can hook up your own networks and web apps to their infrastructure, and reach it through the same Warp tunnel.

So yes, it doesn’t tick all the boxes for a commercial VPN, but I’d say it’s very useful in that, for most consumers, it’s essentially a more full-featured (and still free) version of iCloud Private Relay (which itself actually uses Cloudflare as one of its transit partners) that protects all your apps and devices.

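An added example, not code from the thread, from Cloudflare or from Pi-hole, that ties together two things discussed above: the DoH mode described in this post (the DNS message is wrapped in HTTPS, so a network that redirects or blocks port 53 never sees it) and the silent DNS redirection described in the earlier Pi-hole post. It encodes a DNS query in wire format (RFC 1035), builds the RFC 8484 GET form of a DoH request against Cloudflare’s real `cloudflare-dns.com/dns-query` endpoint, parses a response, and implements the check that post arrived at by reading server logs: send a plain UDP query to a host you control that runs no DNS service at all; nothing on that host can answer, so if an answer comes back, something on the path redirected the packet. All function names are my own; only `probe_udp()` touches the network, and the response used to exercise the parser is constructed with `build_response()`.

```python
"""Added example, not code from the thread, Cloudflare or Pi-hole. It covers the
DNS wire format (RFC 1035), the DNS-over-HTTPS GET wrapping (RFC 8484) that
1.1.1.1 uses in DoH mode, and a transparent-interception check: a host you
control that runs no DNS service cannot answer, so any answer means a redirect.
Only probe_udp() touches the network; everything else runs offline."""
import base64
import random
import socket
import struct
from typing import Optional

QTYPE_A = 1
DOH_URL = "https://cloudflare-dns.com/dns-query"    # Cloudflare's public DoH endpoint


def build_query(name: str, qtype: int = QTYPE_A, txid: Optional[int] = None) -> bytes:
    """Encode one recursive (RD=1) question for `name`, class IN."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, addresses: list, ttl: int = 300) -> bytes:
    """Constructed A-record reply to `query`, so the parser can be exercised offline."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)  # QR, RD, RA set
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4)
                   + socket.inet_aton(addr) for addr in addresses)  # name = pointer to question
    return header + query[12:] + rrs


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # compression pointer (RFC 1035 4.1.4)
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (offset if end is None else end)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Parse the header, question and answer sections of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = _read_name(msg, offset)
        questions.append((name, struct.unpack("!HH", msg[offset:offset + 4])[0]))
        offset += 4
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        value = socket.inet_ntoa(rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def doh_get_url(query: bytes, url: str = DOH_URL) -> str:
    """RFC 8484 GET form: base64url without padding, sent with
    'Accept: application/dns-message'. Build the query with txid=0 so the URL is
    the same for every client and cacheable by the HTTPS layer."""
    return url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def probe_udp(server: str, name: str, timeout: float = 2.0) -> Optional[dict]:
    """Send a plain UDP/53 query to `server`; None if nothing answers in time."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    reply = parse_response(data)
    return reply if reply["id"] == struct.unpack("!H", query[:2])[0] else None


def interception_verdict(non_resolver_reply: Optional[dict],
                         own_server_reply: Optional[dict], expected: str) -> str:
    """non_resolver_reply: probe to a host you control that runs no DNS service.
    own_server_reply: probe to your own resolver for a name only it knows,
    whose correct answer is `expected`."""
    if non_resolver_reply is not None and non_resolver_reply["is_response"]:
        return "intercepted"        # nothing on that host could have answered
    if own_server_reply is None:
        return "unreachable"
    if expected not in [rr[3] for rr in own_server_reply["answers"]]:
        return "suspect"            # someone else's answer replaced your server's
    return "clean"
```

Usage: `interception_verdict(probe_udp("<ip of a host you own with no resolver>", "example.com"), probe_udp("<your own DNS server>", "<internal name only it knows>"), "<its correct answer>")`. The first probe must be aimed at a machine of your own that is not listening on port 53, because the whole point is that a legitimate path returns nothing (or an ICMP port-unreachable) from it. The DoH URL for the RFC’s own `www.example.com` example comes out as `?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB`, matching RFC 8484 section 4.1.1; the POST form sends the same bytes as the body with `Content-Type: application/dns-message`.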

NordVPN (26%): The most popular choice was NordVPN, which features a welcome option to disable itself on trusted networks.

I decided to give this service a look and while the link loads with no issue in Safari, Chrome 137.0.7151.69 has concerns with the Nord site.

I use Private Internet Access (PIA). I have used PIA since 2013.
I did not reveal which VPN I use in this post since I wanted to look into the mistrust because of Kape. Since then, I found this audit: Private Internet Access No Logs Policy Reviewed by Independent Firm
I am very happy with PIA. My latest project was to set up firewalld on RedHat 9 running on VMware on a Mac mini to block all but Norwegian IPs. My Apache web server logged a lot of traffic from all over the world. Before I started the project I used PIA on my MacBook Pro to access my web server via PIA from China, US, Germany, UK, and Brazil. My web server serves only me and a few friends in Norway. After I had implemented the block I did the same test with PIA. All requests were successfully blocked.
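An added example, not the poster’s configuration, of the kind of firewalld allowlist described in this post. It renders the ipset in firewalld’s own XML format (the file firewalld reads from `/etc/firewalld/ipsets/<name>.xml`), lists the `firewall-cmd` commands that stop admitting the web services from everywhere and re-admit them only for sources in the ipset via a rich rule, and includes an offline checker that replays the poster’s VPN round trip: one request per exit location, with only the Norwegian one expected to get through. The CIDRs and client addresses are constructed placeholders from the RFC 5737 documentation ranges, not real Norwegian allocations; the ipset name `norway` and all function names are mine.

```python
"""Added example, not the poster's configuration: a "Norway-only" firewalld
allowlist on RHEL 9 as an ipset plus a rich rule, with an offline checker.
CIDRs are constructed placeholders (RFC 5737), not real Norwegian allocations;
a real list would come from the RIR's delegated address files."""
import ipaddress
import os
import tempfile

IPSET_NAME = "norway"
ALLOW_CIDRS = ["192.0.2.0/24", "198.51.100.0/24"]      # constructed placeholders


def ipset_xml(cidrs, short="Norwegian IPv4 space") -> str:
    """Render /etc/firewalld/ipsets/<name>.xml; hash:net takes CIDR entries."""
    entries = "\n".join(f"  <entry>{ipaddress.ip_network(c)}</entry>" for c in cidrs)
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            '<ipset type="hash:net">\n'
            f"  <short>{short}</short>\n{entries}\n</ipset>\n")


def write_ipset_file(cidrs, directory) -> str:
    """Write the ipset XML; `directory` is a parameter so the demo can use a
    temp dir instead of /etc/firewalld/ipsets (which needs root)."""
    path = os.path.join(directory, f"{IPSET_NAME}.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(ipset_xml(cidrs))
    return path


def firewall_cmd_script(zone="public", services=("http", "https")) -> list:
    """firewall-cmd sequence: create and fill the ipset, drop the blanket
    service allowances, then re-admit each service only from the ipset."""
    cmds = [f"firewall-cmd --permanent --new-ipset={IPSET_NAME} --type=hash:net"]
    cmds += [f"firewall-cmd --permanent --ipset={IPSET_NAME} --add-entry={c}"
             for c in ALLOW_CIDRS]
    for svc in services:
        cmds.append(f"firewall-cmd --permanent --zone={zone} --remove-service={svc}")
        cmds.append(f"firewall-cmd --permanent --zone={zone} --add-rich-rule="
                    f"'rule family=\"ipv4\" source ipset=\"{IPSET_NAME}\" "
                    f"service name=\"{svc}\" accept'")
    cmds.append("firewall-cmd --reload")
    return cmds


def allowed(client_ip: str, cidrs=ALLOW_CIDRS) -> bool:
    """The decision the rich rule makes: is the source inside the ipset?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def simulate(clients: dict, cidrs=ALLOW_CIDRS) -> dict:
    """Replay the poster's test. Unmatched traffic in the public zone (target
    'default') is rejected, not silently dropped, hence 'reject'."""
    return {where: ("accept" if allowed(ip, cidrs) else "reject")
            for where, ip in clients.items()}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        with open(write_ipset_file(ALLOW_CIDRS, tmp), encoding="utf-8") as fh:
            print(fh.read())
    print("\n".join(firewall_cmd_script()))
    # constructed sample clients: one "Norwegian" exit and one elsewhere
    print(simulate({"Norway": "192.0.2.10", "elsewhere": "203.0.113.5"}))
```

Two things worth checking after applying such a rule set: `firewall-cmd --zone=public --list-all` should show the services gone and the rich rules present, and the web server log should keep recording the rejected attempts’ absence rather than their presence, which is exactly the before/after comparison the post describes. An IPv6 listener needs a second ipset created with `--option=family=inet6` and a matching `family="ipv6"` rich rule, otherwise IPv6 clients are governed by the zone’s defaults alone.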