Short answer: A VPN, or virtual private network, creates an encrypted tunnel between your device and a VPN server. Websites and many online services then see the VPN server's public IP address instead of the public IP assigned by your ISP, mobile carrier, workplace, school, or local network.
That does not make you anonymous and it does not prove that every app is private. A VPN changes one important network signal: the visible public IP for traffic that actually goes through the VPN tunnel. Accounts, cookies, browser fingerprints, payment records, DNS behavior, WebRTC candidates, IPv6 routes, app telemetry, and the VPN provider itself can still matter.
Quick answer
- A VPN changes the public IP websites see. Traffic routed through the tunnel appears to come from the VPN exit server.
- VPN encryption protects traffic on the local path. It can reduce exposure on public Wi-Fi, ISP, workplace, or router segments, but HTTPS still matters.
- The VPN provider becomes a trust point. Your traffic leaves through the provider's network, so policies, jurisdiction, app behavior, and configuration still matter.
- Identity signals can survive the IP change. Login sessions, cookies, browser fingerprints, device IDs, payment data, and app accounts may still connect activity to you.
- Tests are snapshots. VPN, DNS, WebRTC, IPv6, and geolocation checks show observable signals for this browser and network state, not permanent proof of privacy.
What is a VPN?
A VPN is a network service that routes selected traffic through a tunnel to a remote server. In a typical consumer VPN setup, the VPN app creates a virtual network interface on the device, encrypts packets before they leave the device, and sends them to a VPN server. The VPN server decrypts the traffic and forwards it to the internet using the server's public IP address.
For a website, the request appears to come from the VPN server. The site may see the VPN server's IP, ASN, country, city estimate, and hosting or VPN-related network labels. It usually does not see the residential or mobile IP that your ISP assigned to your router or phone for that tunneled request.
The phrase "hide my IP" should be read carefully. A VPN can hide your original public IP from many destination websites for tunneled traffic. It does not hide the fact that a device is communicating with a VPN server from every network observer, and it does not remove other identity signals.
How a VPN changes the public IP address websites see
Without a VPN, a website receives a request from your current public IP address. That address may belong to your home ISP, mobile carrier, workplace, school, hotel, airport, or another network. With a VPN connected, the request normally goes through the VPN tunnel first. The VPN server then forwards the request to the website from its own public IP.
This creates a visible route change:
- Your device sends traffic into the VPN tunnel.
- The local network and ISP see traffic going to the VPN server, not the final website contents when the traffic is also encrypted.
- The VPN server forwards the request to the website.
- The website sees the VPN exit IP as the source of the request.
- The reply returns through the VPN server and then back through the tunnel to your device.
Many VPN services use shared exit IP addresses, where many customers appear behind the same public IP. That can reduce simple IP-based profiling, but it can also trigger captchas, account checks, fraud scoring, or streaming/location restrictions because shared VPN IPs are often recognized by services.
What VPN encryption protects
VPN encryption mainly protects traffic between your device and the VPN server. This is useful on networks you do not fully trust, such as public Wi-Fi, guest networks, hotel networks, airports, cafes, or networks where a router or hotspot operator could otherwise observe more local traffic metadata.
A VPN can help with:
- Local network exposure: people on the same Wi-Fi should not be able to read tunneled traffic contents just by watching the local network.
- ISP-level browsing visibility: the ISP usually sees the VPN server connection instead of individual destination domains for tunneled traffic, although DNS and app behavior can complicate this.
- Public IP replacement: websites often see the VPN server IP rather than the original ISP-assigned public IP.
- Network consistency: a remote worker or traveler can route traffic through a chosen region or corporate gateway when policy allows it.
VPN encryption is not a substitute for HTTPS. HTTPS still protects the connection between the browser and the destination site after traffic leaves the VPN server. If a site or app sends sensitive data without proper encryption, the VPN does not magically make the destination side trustworthy.
What a VPN does not hide
A VPN changes the network route, but it does not erase everything else a site or app can observe. If you log in to the same account before and after connecting a VPN, the service can usually connect both sessions to that account. If the browser has the same cookies, local storage, extensions, and fingerprintable settings, the IP change may be only one signal among many.
| Signal | What a VPN can change | What may remain visible |
|---|---|---|
| Public IP address | Usually replaces the source IP for tunneled traffic | VPN exit IP, ASN, country/city estimate, and provider reputation |
| Account logins | Does not remove account identity | Email, username, recovery phone, payment profile, and session history |
| Cookies and local storage | Does not clear browser state | Stored identifiers, login sessions, preferences, and tracking tokens |
| Browser fingerprint | Does not standardize browser APIs | Screen size, timezone, language, WebGL, canvas, fonts, and extension hints |
| Payment and device signals | Does not change billing identity or hardware identifiers | Card details, app IDs, device IDs, push tokens, and app telemetry |
| VPN provider visibility | Shifts trust away from the local network | Provider policies, server logs, payment relationship, and abuse controls |
This is why a VPN should be described as a privacy and routing tool, not an identity removal tool. It can reduce some exposure and shift trust, but it does not make a user anonymous by itself.
What your ISP can still see
When a VPN is connected, your ISP may no longer see the same destination-level pattern it would see without the VPN, especially when DNS also follows the VPN route and the destination traffic uses HTTPS. But the ISP can usually still see that your connection is sending traffic to a VPN server or to an endpoint that looks like one.
At a high level, an ISP may still observe:
- the VPN server IP or hostname contacted by your device;
- connection timing, duration, and data volume;
- whether the connection is active or idle;
- some network metadata needed to route the connection;
- traffic that bypasses the VPN because of split tunneling, app rules, captive portals, or connection drops.
Careful wording matters here. A VPN can reduce what the ISP sees about destination websites and traffic contents, but it does not make the ISP blind to the connection.
DNS, WebRTC, and IPv6 leaks in a VPN context
A VPN can appear to change your public IP while another browser or network signal still points somewhere unexpected. That is why VPN checks often include DNS, WebRTC, and IPv6 in addition to the visible public IP.
- DNS leak: domain lookups use a resolver outside the route you expected, such as ISP DNS while the VPN is connected. This can reveal domain-level activity to a resolver you did not intend to use.
- WebRTC leak: the browser exposes IP-like network candidates through WebRTC behavior. Modern browsers often mask local IPs, but WebRTC can still reveal useful network signals in some setups.
- IPv6 leak: IPv6 traffic or IPv6 DNS follows a different route from IPv4, often because the VPN tunnels IPv4 only, blocks IPv6, or handles IPv6 differently from the local network.
A clean result for one signal does not prove that every other route is clean. A visible VPN IP with ISP DNS is still a mismatch. A VPN-managed DNS result with visible IPv6 outside the tunnel is also a mismatch. Treat the result as a diagnostic snapshot of the current browser, app, VPN, router, and network state.
How to verify VPN behavior safely
Use a simple before-and-after workflow. The goal is not to prove perfect privacy. The goal is to compare the signals you can observe and look for mismatches that deserve attention.
- Start disconnected from the VPN and open What Is My IP. Note the visible public IP, ASN, approximate location, and whether IPv4 or IPv6 appears.
- Connect the VPN and wait for the VPN app to show a stable connection.
- Open What Is My IP again. The public IP should usually change to the VPN server or gateway you selected.
- Run VPN Leak Test to compare public IP, DNS, WebRTC, IPv6, and browser signals together.
- Run DNS Leak Test if the resolver owner, ASN, or country does not match the route you expected.
- Run WebRTC Leak Test to inspect browser candidate behavior that can differ from the visible public IP.
- Run IPv6 Leak Test if your device or ISP supports IPv6, or if the VPN provider documents special IPv6 behavior.
Only test networks and devices you own or are authorized to manage. Do not treat a VPN or a leak test as permission to bypass laws, platform rules, workplace policy, school policy, or account restrictions.
When VPN results can be misleading
VPN tests can look confusing even when nothing malicious is happening. Anycast DNS, provider resolver partners, split tunneling, browser-level DNS over HTTPS, captive portals, mobile handoffs, and extension behavior can all make results look inconsistent.
| Result | Possible meaning | What to check next |
|---|---|---|
| VPN IP appears, but DNS shows ISP | Possible DNS leak or browser/OS DNS override | Check VPN DNS settings, browser DoH, router DNS, and split tunneling |
| VPN IP appears, but IPv6 shows local ISP | VPN may not tunnel or block IPv6 | Use provider-recommended IPv6 handling and retest |
| WebRTC shows unexpected candidates | Browser network candidates may differ from visible IP | Review browser WebRTC settings and repeat in a clean profile |
| Location looks wrong but ASN matches VPN | Geolocation database may be stale or approximate | Compare ASN/provider, not only city labels |
| Only one app leaks | Split tunnel, app proxy, or per-app network setting | Test the exact browser/app you plan to use |
| Everything changes after reconnecting | VPN server, DNS, or route changed | Repeat the same checks after reconnects and network switches |
If the result does not match your goal, decide what you expected first. Some users intentionally use browser-level encrypted DNS. Some corporate VPNs intentionally route only work apps. Some VPNs block IPv6 instead of tunneling it. A mismatch is only meaningful when compared with the route you intended.
What to do if your real IP or leak signals still appear
Start with the simple causes before changing many settings at once. Disconnect and reconnect the VPN, confirm the selected server, and verify that the VPN app says the tunnel is active. Then check whether the browser, app, or operating system is allowed to bypass the tunnel.
- If the public IP did not change: reconnect the VPN, disable split tunneling for the browser, and test a second browser profile.
- If DNS points to the ISP: enable VPN DNS or leak protection, review browser DNS over HTTPS, and make sure router DNS is not forcing a local resolver.
- If WebRTC exposes unexpected candidates: compare results in another browser and review browser WebRTC privacy settings.
- If IPv6 appears outside the VPN: use a VPN that supports IPv6 correctly or use the provider's documented IPv6 blocking mode; avoid permanent IPv6 disablement as a default answer.
- If account checks still identify you: remember that logins, cookies, device identifiers, browser fingerprints, and payment records can remain even when the IP changes.
Change one thing at a time and retest. That makes it easier to tell whether the VPN app, browser, DNS setting, router, or network switch caused the mismatch.
What a VPN is good for, and where it has limits
A VPN is useful when the goal is to reduce local network exposure, change the public IP websites see, protect traffic on untrusted Wi-Fi, or route traffic through a chosen provider or organization. It can be part of a practical privacy setup.
It is not enough by itself when the goal is anonymity, malware protection, account separation, legal compliance, or full security. A safer setup also needs HTTPS, patched devices, strong account security, careful browser profiles, sensible extension choices, and realistic expectations about what network tests can show.
The practical answer to what is a VPN and how does it hide my IP is this: it moves your visible network exit to a VPN server for traffic that uses the tunnel. That can help, but the rest of your identity and browser environment still matters.
Frequently asked questions
Does a VPN hide my IP address from every website?
A VPN usually changes the public IP address that websites see for traffic routed through the VPN tunnel. It does not hide every identity signal, and apps, accounts, cookies, browser fingerprints, or split-tunneled traffic can still reveal useful information.
Can my ISP still see that I am using a VPN?
Usually, yes. Your ISP may see that your device connects to a VPN server, along with timing and data volume. A VPN can hide the contents of encrypted browsing from the local network, but it does not make the connection invisible.
Why does my real IP still show while using a VPN?
Your real IP may still appear if the VPN disconnected, split tunneling bypassed the VPN, the browser used another network path, IPv6 was not handled by the VPN, or WebRTC exposed browser network candidates. Retest after reconnecting and checking the VPN app settings.
Does a VPN stop DNS, WebRTC, or IPv6 leaks?
A well-configured VPN can reduce DNS, WebRTC, and IPv6 exposure, but it does not automatically fix every leak path. VPN app settings, browser behavior, operating-system DNS, router rules, and IPv6 support all affect the result.
Is a VPN enough to make me anonymous online?
No. A VPN can reduce IP-based exposure and shift network trust to the VPN provider, but it does not remove account logins, cookies, browser fingerprints, payments, device identifiers, malware, or unsafe behavior.
Sources and methodology
This FAQ was updated using MyIPScan editorial guardrails: no anonymity guarantees, no one-test privacy proof, no provider rankings, no fake lab claims, and clear separation between VPN routing, DNS, WebRTC, IPv6, browser fingerprinting, and account identity.
MyIPScan tools show observable browser and network signals. IP geolocation can be approximate, VPN/DNS/WebRTC/IPv6 checks are snapshots, and a single test does not prove full privacy or security.