I get asked that question often when discussing VPNs – and it’s a good question. While there may be a limited set of circumstances in which you may need to turn it off, my answer is that yes, you should keep your VPN on whenever you can.

We’ll get into the ins and outs of that position, but first, let’s provide a bird’s-eye view of what VPNs actually do.

What do VPNs do?

VPNs – and by VPN, I mean a trustworthy VPN – enhance your online privacy. This is an important distinction because, in recent years, a staggering number of what I like to call “small & shady” VPN providers have cropped up. Most of them are not trustworthy. They tend to support obsolete protocols and collect truckloads of data on their users – defeating the point of using a VPN in the first place. On the other hand, a trustworthy VPN provider puts forth a clear no-logging policy, collects only the data necessary to fulfill its services, and focuses on providing privacy-preserving tools like kill switches and tracker blockers. Being an established player in the industry with a good reputation also helps.

VPNs enhance your online privacy by creating an encrypted tunnel between your device (smartphone, tablet, laptop, etc.) and the VPN server you selected. All traffic from your device is sent to the server through the encrypted tunnel from that point on. It is then decrypted by the server and forwarded to the website or service you requested. The response is sent back to the server, which delivers it back to you through the encrypted tunnel. The encryption makes your online activities much harder to track. But that’s not all.

As far as the website or service is concerned, the request came from the VPN server, not your device. So the website or service will assume your IP address is that of the VPN server. This already affords you some extra privacy. But online, your location is also tied to your IP address, so your location appears to be the location of the VPN server as well.

You may have noticed that while I answered “yes” to the question, it’s somewhat tempered by my statement that you should keep it on whenever you can. That’s because there will be some situations where you may need to turn it off. I’d be inclined to minimize those situations, but they do exist.

Always-on VPNs for business

The advent of cloud services, such as Microsoft 365, Google Drive, and Salesforce, presents a problem for businesses when most system security packages focus on defending a single site. Always-on VPNs provide a solution to this problem because connecting each site and remote user through a central, cloud-based hub hosted by the VPN provider creates a secure virtual network across the internet.

Applying VPNs to sites and leaving them on all the time reconceptualizes the corporate network and makes it a flexible system that can easily extend worldwide. Perimeter 81 uses always-on VPNs as part of its corporate security solution. These are available in a site-to-site format and for individuals. A Zero Trust Access (ZTA) service in the package lets you add in access rights management to the VPN system, so the VPN app presents a menu of applications that the user can access rather than a list of VPN server locations.

Let’s start by looking at the benefits of an always-on VPN.

Benefits of an always-on VPN

Actual private browsing

Most web browsers today provide what they call “private browsing.” It may sound as if it enables you to browse the web anonymously, but it doesn’t. What it actually does is delete your web history and cookies once you close your browser. Your ISP can still see everything you’re doing online. That doesn’t mean it isn’t a nice tool, as long as you understand what it does.

But if you want to browse the web privately, a VPN will allow you to do that. As I mentioned above, a VPN will swap out your IP address and location to that of the VPN server. And the encrypted tunnel will make your activities much harder to snoop on by third parties. Also, most VPN providers supply their users with shared IP addresses. This mixes the traffic of all users of a given VPN server together and has the benefit of making it much harder to correlate specific traffic to an individual user, enhancing every user’s privacy.

However, if you want to remain anonymous while browsing the web over VPN, make sure not to log in to any online services, like your email or Facebook. As soon as you do that, VPN or not, you will be identified and will no longer be anonymous. Also, bear in mind that the cookies stored on your system could also be used to identify you even if you don’t log in to any services. So it’s best to use both a VPN and private browsing in your browser.

Here’s a small tip if you want to log into your services using a VPN: find a server in the same geographic region as your actual location and always use that server when logging into services tied to your real identity. That way, you can still benefit from the VPN’s encryption even though you won’t be anonymous.

Thwart location tracking

As mentioned above, when you connect to a VPN server, your IP address appears to be that of the VPN server you’re connected to. And your IP address is used to approximate your physical location. That means that if you connect to a French server from the United States, any websites you connect to will “see” you as being located in France, not the U.S. And you’ll benefit from location privacy even if you log in to different services. However, remember that insofar as VPN server IP addresses are public, the service you log into may deduce that you’re using a VPN and that your actual location is likely different.

Stay secure on public WiFi

Many businesses today provide free WiFi to their customers. Nice. But many of these are unencrypted, are vulnerable to Man-in-the-middle attacks, and could be used for malware distribution, to name a few caveats. Some of these free WiFi networks could also be malicious, such as rogue networks set up to emulate a legitimate network nearby (for example, Hotel_WiFi – legitimate network, vs. Hotel_WIFI – rogue network) in the hope that unsuspecting users don’t notice the difference and connect to the rogue network. As soon as you do, the operator of the rogue network can see everything you do online.
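The look-alike naming trick described above (Hotel_WiFi vs. Hotel_WIFI) can be checked for mechanically. The following is an added example, not part of the original article: it compares scanned network names against names you already trust and flags near-matches. The SSID lists, the digit substitution map, and the distance threshold of 1 are all constructed assumptions.

```python
import unicodedata

# Constructed sample data: names the user trusts, and names seen in a scan.
TRUSTED = ["Hotel_WiFi", "CoffeeShop-Guest"]
SCAN = ["Hotel_WiFi", "Hotel_WIFI", "Hotel-WiFi", "H0tel_WiFi", "Airport_Free"]

# Digits often swapped in for letters in look-alike names (assumed, small map).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(ssid):
    """Comparison form: Unicode-normalize, fold case, map digits, drop separators."""
    s = unicodedata.normalize("NFKC", ssid).casefold().translate(CONFUSABLE)
    return "".join(ch for ch in s if ch.isalnum())

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(ssid, trusted=TRUSTED):
    """Return (verdict, matched trusted name or None)."""
    if ssid in trusted:
        # Same name only: an SSID is not authenticated, so this is not proof.
        return ("exact", ssid)
    for good in trusted:
        if edit_distance(skeleton(ssid), skeleton(good)) <= 1:
            return ("lookalike", good)
    return ("unknown", None)

def scan_report(scan=SCAN):
    """Classify every scanned SSID."""
    return {ssid: classify(ssid) for ssid in scan}

if __name__ == "__main__":
    for ssid, (verdict, match) in scan_report().items():
        print(f"{ssid:18} {verdict:10} {match or ''}")
```

An "exact" verdict only means the name matches; anyone can broadcast the same SSID, so it says nothing about who operates the access point.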

Access the open web in restrictive jurisdictions

Some countries have restrictive policies regarding internet access and actively block access to certain websites. China comes to mind with its Great Firewall, but there are others. Using a VPN may allow you to bypass these blockades because, once connected to a VPN server located in another, less-restricted jurisdiction, your traffic will be coming from the VPN server’s IP address, which is tied to its location rather than yours.

I phrased this section carefully – stating that a VPN may allow you to bypass the restrictions. I used the word “may” because the challenge will be actually connecting to the VPN server from the restrictive location. The countries that filter or restrict the internet have recently started blocking VPNs as well – or at least, VPNs that are not State-sanctioned (and a State-sanctioned VPN defeats the purpose of using a VPN). Some VPN providers will supply obfuscation tools for just that reason, which may help establish the connection.

My colleague, Paul Bischoff, wrote a comprehensive article in which he tests multiple VPN providers to see if they work in China – recommended reading.

Bypass filtering firewalls

Many organizations, from schools to businesses to government agencies, set up filtering firewalls on their networks for security reasons. So unless you manage to bypass the firewall, your internet access will be restricted. But a VPN could do just that. Once you’ve connected to a VPN server, your traffic is no longer bound by the firewall rules – your requests come from the VPN server now.

However, bear in mind that it may be challenging to connect to a VPN server. The network administrator may have blocked specific ports used by VPNs or certain VPN server IP addresses. If it’s blocking VPN server IP addresses and your VPN provider is included, you might be out of luck. If the firewall is blocking common VPN ports (such as 1194 for OpenVPN), you could try initiating the VPN connection over a different port. Many VPN providers allow their users to connect over a set of predefined ports rather than just one.

A common trick used to bypass restrictive firewalls is to use the OpenVPN protocol in TCP mode over port 443. OpenVPN can run in UDP or TCP mode. UDP is the default and is typically much faster than TCP because it lacks the verification and error correction that TCP uses. UDP sends the packets through the tunnel and hopes for the best without checking anything. When you use OpenVPN in TCP mode over port 443, your traffic looks just like regular HTTPS traffic, which makes it much harder to filter and lets it bypass the firewall.

Access content not available in your region

Some websites restrict content by geographic region. The most common example of this would be streaming sites, which have different content libraries per region. However, streaming sites have become a bit of an outlier in this category recently, and accessing these sites over VPN has become quite the challenge. I’ll be discussing accessing streaming sites over VPN lower down. For now, I’d like to omit streaming sites from this category.

Because using a VPN swaps out your device’s IP address for that of the VPN server, and because your location on the internet is derived from your IP address, using a VPN makes you appear to be in a different geographic region. That will typically enable you to access geo-restricted resources (barring streaming sites) even though you are not actually in the location in question. So, things like certain web stores that only display their content to users with a local public IP address will be available to you.

Avoid bandwidth throttling

Some ISPs privilege certain types of traffic on their network. They achieve this by throttling (artificially slowing down) other types of traffic, typically P2P traffic and video streams. When you connect to a VPN, your ISP will see that connection. But afterward, it’s cut out of the loop. Once the VPN connection is initiated, your ISP will only see gibberish being sent between you and the VPN server due to the encryption. Because of that, your ISP cannot know what you’re doing online – the VPN hides your traffic from your ISP. If your ISP doesn’t know what type of traffic you’re generating, it can’t throttle it either.

Hence, by using a VPN, you can get a performance boost as well as enhanced privacy and independence from your ISP.

Note that a VPN won’t help if your bandwidth is being throttled due to hitting your internet plan’s data cap.

Stay secure even when using HTTP

While this may not be as relevant today as it was just a few years ago, I still felt it was worth mentioning. Typically, when you access the internet, you access it over one of two ports: port 80 or port 443. The main difference is that port 443 is encrypted using SSL (HTTPS), while port 80 is not (HTTP).

Most of the internet, in recent years, has moved to HTTPS, but there are still some websites (usually smaller ones) that use HTTP. And even on sites that do use HTTPS, some resources can be loaded over HTTP, and some sections of those websites may not be using HTTPS. A VPN’s encryption will keep your traffic secure regardless of whether a site uses HTTP or HTTPS. Again, while this may not be critical today, it affords you some peace of mind and is another good reason to keep your VPN on.

Stay safe by blocking ads, trackers, and malware *

Did you notice the little asterisk next to the word ‘malware’? It’s not a typo – it’s there for a reason. And it’s that not all VPNs provide nuisance and malware blockers.

Ads, trackers, and, of course, malware funnel as much of your personal information as they can. They can also slow down your device, increase your consumed bandwidth, and, in the case of malware, download and install viruses, trojans, and all that good stuff. Using a VPN that provides a blocker can significantly enhance your privacy and keep your device safe from malware – another compelling reason to use a VPN (that offers a blocker).

Pitfalls of an always-on VPN

So those are some of the top reasons I keep my VPN on all the time. But there are some pitfalls too. And I want to address streaming sites and VPNs here as well.

Speed hit

The biggest drawback to using a VPN is going to be speed. A VPN – any VPN – adds overhead to your connection, which translates into slowdowns. It takes time to encrypt outgoing data, decrypt incoming data, and route it all through the VPN server. If you’re using a high-quality VPN provider, chances are the speed hit won’t be critical, but it’ll be there – count on it.

So if you’re doing something online where speed is more critical than privacy, you may want to turn your VPN off until you’re done with that task.

CAPTCHAs and additional verification

Using a VPN might also cause you to see more CAPTCHAs than you’d like. As their name (Completely Automated Public Turing test to tell Computers and Humans Apart) implies, a CAPTCHA is a challenge-response test used to determine whether or not the user is human – you’ve seen them before, right?

Using a VPN may increase the frequency of CAPTCHAs and other verification mechanisms as you browse the web. This can happen for a few reasons, but it’s typically tied to suspicious behavior from the web server’s perspective. So it could be because the web server recognizes your public IP address as belonging to a VPN provider and wants to make sure it’s dealing with an actual human being. Or it could be because the service in question is trying to prevent unauthorized access to your account as it sees you logging in from various locations. Whatever the case, this can be a pitfall to using an always-on VPN.

Streaming

Finally, we get to streaming. Just a few years ago, accessing geo-restricted streaming libraries was pretty trivial. All you needed to do was connect to a VPN server located in that region and voilà, instant access to streaming content not available in your location.

However, streaming sites have begun cracking down on that practice in recent years, and streaming over VPN isn’t so easy anymore. While some providers claim to provide access, there may be a lot of trial and error involved – you may need to switch servers repeatedly until you find one that works. Larger and more established VPN providers are typically better equipped to provide access, but access cannot be guaranteed. Because of this, you may want to turn off your VPN when streaming as it won’t provide any benefits.

Some providers, like NordVPN, ExpressVPN, and Surfshark, manage to grant fairly consistent access, so it’s still possible, but only with a handful of VPN providers.

Conclusion

So there you have it. We looked at the pros and cons of having an always-on VPN. And I believe the pros outweigh the cons, as long as you’re into privacy and security, of course. But the internet is an increasingly hostile place, with no shortage of bad guys wanting a piece of your personal information. In that context, using a VPN feels like nothing more than common sense (I actually feel naked going on the internet without a VPN).

Still, each one of us has our own set of priorities and should make our own decisions. I just hope that this post can help others decide whether they want to keep their VPN on all the time or even if they want to use a VPN at all (I think they should).

Stay safe (and secure).