Blog/March 4, 2026·7 min read

ISP vs VPN: What Actually Changes (And What Doesn't)

A VPN shifts who can see your traffic: your ISP is out, the VPN provider is in. Sometimes that's an improvement. Sometimes it's a lateral move. Here's what actually changes, what doesn't, and how to verify your VPN is doing what you think it is.

TL;DR

→A VPN hides your browsing from your ISP but the VPN provider can now see it instead.
→Your ISP only sees encrypted traffic to a VPN server. It can't see what you do inside the tunnel.
→DNS leaks and WebRTC leaks can expose your real activity even with a VPN active.
→A VPN is only as private as its provider's logging policy. Most are unverified.

The Comparison Table

Signal	No VPN	With VPN	Who sees it instead
Your real IP	ISP + every website	ISP sees VPN IP only	VPN provider + websites see VPN IP
DNS queries	ISP DNS resolver	VPN's DNS resolver	VPN provider (unless DoH)
Sites you visit (domain/IP)	ISP	ISP sees only VPN server	VPN provider
Page content (HTTPS)	Nobody (encrypted)	Nobody (encrypted)	—
Traffic volume + timing	ISP	ISP sees VPN tunnel volume	VPN provider sees all
WebRTC real IP	Your ISP IP (normal)	Your real ISP IP (LEAK)	Any website you visit
DNS leaks	ISP DNS (expected)	Your real ISP DNS (LEAK)	Your ISP

What a VPN Actually Does

A VPN creates an encrypted tunnel between your device and a VPN server. All traffic is routed through that server before reaching the internet. Your ISP sees:

→Encrypted data going to one IP address (the VPN server)
→The volume and timing of that encrypted traffic
→Nothing about what is inside the tunnel

Your ISP does not see which sites you visit, your DNS queries, or your real browsing activity. The VPN provider's server sees all of it instead. They are now in the same position your ISP was in before.

The Trust Shift Problem

Using a VPN is a trust decision, not a privacy guarantee. You are choosing to trust the VPN provider instead of your ISP. Whether that is an improvement depends on:

Does the VPN have a verified no-logs policy?

Mullvad and ProtonVPN have undergone independent audits. Many VPNs claim no-logs but have never been audited. When VPN providers have been subpoenaed, several have provided logs they claimed not to keep.

Is the VPN provider in a favourable jurisdiction?

VPNs based in 5/9/14-Eyes countries may be compelled to log and hand over data. Mullvad (Sweden, EU) and ProtonVPN (Switzerland) are generally considered better choices here.

Is the VPN provider ad-supported or selling data?

Free VPNs almost always monetise by selling usage data. This is worse than your ISP. Avoid free VPNs for any serious privacy use.

VPN Leaks: When the VPN Doesn't Actually Protect You

DNS Leaks

A DNS leak is when your device sends DNS queries outside the VPN tunnel, going to your ISP's resolver instead of the VPN's. This exposes your browsing to your ISP even though the traffic goes through the VPN. It happens due to OS-level DNS settings, split tunnelling misconfiguration, or Windows DNS Smart Multi-Homed Name Resolution.

Test for DNS leaks at dnsleaktest.com. It uses a dedicated DNS server to check which resolver is actually handling your queries.

WebRTC Leaks

WebRTC uses STUN to discover your public IP for peer-to-peer connections. In many configurations, the STUN request goes directly from your network interface, outside the VPN tunnel. Any website that initiates a WebRTC connection can collect your real ISP-assigned IP address, even if you're connected to a VPN.

Fix: disable WebRTC in Firefox (media.peerconnection.enabled = false in about:config), or use uBlock Origin's WebRTC leak prevention in Chrome/Edge. Most good VPN clients also include a WebRTC leak prevention option.

How to Verify Your VPN Is Working

Check your IP

Visit a plain IP checker (e.g. https://ip.me) with VPN off and on. The IP should change to the VPN server's IP. If it doesn't change, the tunnel is not routing your traffic.

Check for DNS leaks

Visit dnsleaktest.com with VPN active. The resolvers shown should belong to the VPN provider or a privacy DNS, not your ISP.

Check for WebRTC leaks

Run our free test at ismyispspying.com/test. If you're on a VPN and the test shows a WebRTC finding, your real IP is leaking through WebRTC.

Check for IPv6 leaks

Some VPNs only tunnel IPv4 traffic. If your device has an IPv6 address and the VPN doesn't handle it, you may leak your real identity via IPv6. A full IP checker will show both.

Which VPN Should You Use?

We recommend Mullvad first because they have no account system (you pay with a random account number, no email required), have been independently audited, and accept cash and cryptocurrency. They have no affiliate program; we recommend them on merit alone.

See our full recommendations after running your test →

← What your ISP can see All posts →