As a best practice, I always use a VPN to access the internet (even though I utilize split tunneling and always keep one browser out of the VPN tunnel).
Therefore, I want to know if the entire system should be in the VPN tunnel or just the browser.
Since you access the internet only through the browser, does it make any difference?
It depends on what you use VPN for. If to hide your IP address from the sites you visit in a browser, then it doesn’t make a difference. If to hide your traffic from your ISP, and you only care about browser, then it doesn’t make a difference either.
But if you also care how other programs on your device connect to the internet then you should route these programs through a VPN too if you want to hide this traffic from your ISP or your IP from the visited sites.
Like others have pointed out, it strongly depends what you want to do. VPNs mask your IP address, and simply using one is not going to do much. Regardless of your reason for wanting a VPN, remember that the best practices involve hygiene. Don’t use accounts created with a VPN without one. Ever. Ideally, don’t do the opposite either, but that might be fine.
VPNs to avoid ISP spying
Use a custom DNS over https/tls server, preferably from a trustworthy provider such as Mullvad or Quad9. If you’re trying to protect your internet activity from your ISP, then you should be using it all the time. When you’re not using a VPN* your ISP can see the IP addresses you’ve visited, and in many cases the server name (through SNI as jonah pointed out).
VPNs to hide your IP from a service
If you’re using a VPN to hide your IP address from a service, then hygiene is the most important thing to maintain. Never log into an account made with your personal IP with the VPN, and never use an account made with the VPN without one. This is because this basically tells the website that both IP addresses are associated with the same account/person.
In this second case, having a split tunnel isn’t a bad idea, as long as you follow this rule. Second, if you’re hiding from the government or cops (you probably aren’t) then use a private VPN (like Mullvad or IVPN), pay with Monero, and consider using Tor instead.
That’s it (as usual feel free to correct me if I’m wrong)
I think you are misunderstanding how you interact with the internet.
The web browser is the primary but not the only way you access the internet (other common examples include: an email client, chat apps, VoIP, system updates, streaming apps, Steam & gaming apps, anything that backs up to the cloud).
Anecdotally, of the software I have open right now (6 apps in total) the only 2 not interacting with the internet are the terminal and file manager.
As to your broader question, it’s really a personal question, the answer will depend on your threat model and particularly on the scope of what you want to protect. For me personally I like the simplicity and the security of having the VPN cover everything in combination with firewall rules to prevent connections to IP addresses other than the VPN provider’s own IPs.
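The "firewall rules that only allow the VPN provider's own IPs" approach in the reply above is usually called a kill switch. As an added example (not from this thread or any VPN provider), here is a small POSIX shell script that generates and optionally applies such an nftables ruleset on Linux. Everything in it is an assumption: a WireGuard endpoint at the documentation address 203.0.113.10 on UDP/51820, tunnel interface wg0, physical interface eth0, and a LAN of 192.168.1.0/24; swap in your own values.

```shell
#!/bin/sh
# Added example: nftables kill switch for a system-wide VPN on Linux.
# Default policy is drop in both directions; only loopback, the tunnel
# itself, the VPN endpoint, DHCP and the local LAN are allowed on the
# physical interface. Using an "inet" table means IPv6 is covered by the
# same drop policy, so the VPN dropping cannot leak traffic over v6.
# All addresses, ports and interface names below are placeholders.

build_killswitch_ruleset() {
    vpn_ip=$1; vpn_port=$2; tun_if=$3; phys_if=$4; lan_cidr=$5
    cat <<EOF
flush ruleset
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        oif "$tun_if" accept
        oif "$phys_if" ip daddr $vpn_ip udp dport $vpn_port accept
        # DNS must go through the tunnel: block it before allowing the LAN,
        # otherwise the router's resolver becomes a DNS leak to the ISP.
        oif "$phys_if" udp dport 53 drop
        oif "$phys_if" tcp dport 53 drop
        oif "$phys_if" ip daddr $lan_cidr accept
        oif "$phys_if" udp dport 67 accept
        counter drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iif "$phys_if" ip saddr $lan_cidr accept
        counter drop
    }
}
EOF
}

# Loads the generated ruleset with nft (needs root). Kept separate from the
# generator so the rules can be reviewed with plain "sh script.sh" first.
apply_killswitch_ruleset() {
    build_killswitch_ruleset "$@" | nft -f -
}

# Constructed placeholder values; "--apply" installs them, anything else just prints.
if [ "${1:-}" = "--apply" ]; then
    apply_killswitch_ruleset 203.0.113.10 51820 wg0 eth0 192.168.1.0/24
else
    build_killswitch_ruleset 203.0.113.10 51820 wg0 eth0 192.168.1.0/24
fi
```

Check the result with `nft list ruleset` and, with the tunnel deliberately down, confirm that `curl https://example.com` fails rather than falling back to the ISP path.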