We all know that VPNs are an excellent way to hide what you do online from your ISP (Internet Service Provider). But you have to wonder - what does your ISP see when you use a VPN?
There's a lot of misinformation about this topic online, so we have put this quick guide together to offer a clear answer.
So, What Does Your ISP See When You Use a VPN?
Do they still see everything you do? Or do they just stare at a blank screen?
Well, both scenarios are exaggerations and not true. In reality, your ISP will see a bit of information about your browsing when you are connected to a VPN. After all, you'll have to go through their network before connecting to a VPN.
However, what they can monitor won't be enough to violate your privacy. Here's a list of the kinds of things they'll see:
- Your real IP address. Your ISP can see it because you go through their network when you connect to the VPN server. Also, they're the ones who assign it to you in the first place. For more information, check out this link.
- The IP address of the VPN server you're using. That's it, though. They won't see what other IP addresses your device communicates with when connected to the server.
- The encrypted data stream that represents your Web traffic. It'll just look like gibberish to them.
- The VPN protocol you are using. They can guess it because they see what port it's using. For example, IKEv2 uses UDP ports 500 and 4500, and OpenVPN uses UDP port 1194 by default.
- The exact time when you connect to the VPN server.
- How much data you exchange with the VPN server.
What Is Your ISP Able to See When You Don't Use a VPN?
A lot of stuff. You need to understand that all your data packets go through your ISP, and they can analyze their contents if they're unencrypted. They can also spy on your DNS queries (the connection requests you send to websites) since they go through their DNS server.
And you're not safe even if you exclusively use HTTPS websites. In theory, HTTPS should only allow your ISP to see the website name. But they can actually monitor network traffic and use information like the size, timing, and destination of data packets to identify unique page visits or guess the contents of your traffic.
What does that mean exactly? Simply put, without a VPN, your ISP can see the following:
- What websites you connect to.
- What Web pages you browse, and how much time you spend on them.
- Anything you type on unencrypted websites.
- What files you download from or upload on unencrypted websites.
- Pretty much your whole browsing and search history.
"Okay, but what if I use incognito mode?"
It's really not the same thing. We already have an article regarding incognito vs. VPN, but the main idea is that incognito mode will only delete cookies and browsing history. It won't hide your traffic from your ISP at all.
VPN or No VPN - Which One Is Best for Your Privacy?
It might seem like your ISP sees a lot of data when you use a VPN, but that's not the case at all. Sure, the list of information they get on your connection seems a bit long, but they can't do anything with it. Once you are connected to a VPN server, your ISP will have no idea what you do on the Internet.
On the other hand, if you don't use a VPN, your ISP will get to monitor all your online browsing. Maybe they will even share that data with advertisers for a profit, or they'll use it to serve you ads instead.
All in all, if you value your privacy, you should always use a VPN when you go online.
Can ISPs Monitor VPN Traffic?
No, they can't do that because VPNs use end-to-end encryption to mask your traffic. If your ISP tries to spy on it, they'll just see a string of random characters.
However, your ISP can detect VPN traffic.
Besides looking for port numbers, your ISP can use DPI (Deep Packet Inspection) to spot VPN traffic. Simply put, DPI helps ISPs analyze your data packets to the point where they can detect VPN traffic patterns. They have an especially easy time with OpenVPN since the protocol has a unique signature.
Also, your ISP can easily tell if you're using a VPN server by checking the client sessions on their network. They'll just have to look for the one with no DNS queries. Remember that your device isn't asking to translate an IP address to a website name when you connect to a VPN server.
Can You Hide VPN Traffic From Your ISP?
Yes, you actually can - by using a VPN that offers obfuscation. That feature goes by many names (stealth mode, camouflage, cloaking), but it does the same thing in all cases - it hides your VPN traffic.
Long story short, VPN obfuscation removes metadata from your data packets and adds more encryption to make VPN traffic look like regular HTTPS traffic.
If you'd like to find out more about it, check out our in-depth article about VPN obfuscation. You'll also find a list of the best-obfuscated VPNs in the guide.
Can ISPs Compromise VPN Traffic in Any Way?
Typically, they can't. The only way they would be able to do that is if they had access to your device or the VPN provider's servers.
So, ISPs cracking VPN encryption is just a myth - except in one country. In Kazakhstan, the government actually forced ISPs to have their users install government-issued certificates on their devices. They allow government agencies to intercept user traffic and decrypt it. Yes, even HTTPS traffic.
What Happens If Your ISP Blocks the VPN Server's IP Address?
If they can see it, they can block it, right?
Well, yes. And if they do that, you won't be able to connect to the VPN server anymore.
Usually, they wouldn't have any reason to do that unless the law forces them to do it, or they're scared their customers use VPNs to anonymously torrent movies, games, and TV shows - which, needless to say, is illegal.
How Do ISPs Block VPN Server IP Addresses?
Basically, they will use a firewall to apply inbound and outbound traffic rules to your IP address (the one your ISP assigns to you). These rules will say you can't access the VPN server's IP address on the network anymore.
And if your ISP doesn't want to have the staff keep their eye on VPN server IP addresses, they could use a VPN IP blacklist. Some online lists of VPN and datacenter IPs are free to use, like this one, for example. The good news is that those lists don't generally get frequent updates.
The only way to bypass firewall rules like that would be to use an anonymous proxy or a different VPN to hide your IP address. But using a VPN or proxy to unblock a VPN is a bit pointless.
That's why you should always use a VPN with tons of servers. When there are hundreds or thousands of them, you don't need to worry about your ISP blocking them all. Also, IP blacklists can't keep up with them either. If you need help finding such a service, check out our guide on VPNs with the most servers.
WARNING - VPN Leaks Let Your ISP See More Than They Should!
If your VPN suffers a leak, your ISP will be able to monitor some (if not all) of your digital footprints. It depends on how severe the leak is, like whether the VPN leaks your IP address, your entire traffic, or your DNS queries. Whichever the case, things won't look good for your privacy.
Here is a quick overview of what kinds of VPN leaks can happen:
- DNS leaks - This is when your DNS queries leak out of the VPN tunnel. Basically, they go through your ISP's DNS server instead of the VPN's server. So, your ISP can see what websites you browse on the Internet, even if you use a VPN.
- IP leaks - They cause your IP address to leak outside the encrypted tunnel. There are two kinds: IPv4 leaks and IPv6 leaks. IPv4 leaks are the most common ones because not a lot of VPNs support or block IPv6 traffic.
- WebRTC Leaks - These leaks occur when the WebRTC functionality within web browsers takes precedence over the VPN tunnel, causing your IP address to leak.
- Traffic leaks - These happen when your VPN connection goes down. Even if it's only for a few seconds, your IP address and traffic become exposed, and your ISP can monitor your online browsing.
To avoid these kinds of leaks, you need to use a VPN that offers leak protection and a Kill Switch (a feature that shuts down your web access when the VPN connection goes down). Some of the best options include NordVPN, ExpressVPN, CyberGhost, Surfshark, and VyprVPN.
So what does your ISP see when you use a VPN?
Not much. Just your IP and the VPN server's IP address, when you connect to it, how much data you exchange with it, the encrypted traffic, and what VPN protocol you are using. Overall, nothing that can put your privacy at risk.
Just make sure you pick a reliable VPN. If it suffers leaks, your ISP could see more than you'd be comfortable with.
And if you happen to know more about other types of data that ISPs can see when people use VPNs, let us know in the comments below or on social media.