Lesson 02: The Importance of VPNs in Tradecraft

Estimated read time: ~5 minutes • Last updated: September 4, 2025

Tags: Anonymity • Networking • OPSEC

Learning Objectives

  • Explain what VPNs are and how they function (encryption, tunneling, exit IP).
  • Identify scenarios where VPNs are critical to OPSEC.
  • Recognize limits: trust model, leaks, and identity correlation.
  • Apply robust VPN usage with verification checks and identity separation.

A Virtual Private Network (VPN) encrypts traffic between your device and a provider-operated server. Your local network and ISP see only an encrypted stream to that server, and the sites you reach see the server's IP rather than yours. In tradecraft a VPN is a foundational layer, but it is not an invisibility cloak: it moves trust from your ISP and the local network to the VPN provider rather than removing it.

How VPNs Work

  1. Encryption: The client encrypts each IP packet and encapsulates it in an outer packet addressed to the VPN server (UDP for WireGuard; UDP or TCP for OpenVPN).
  2. Tunnel: The encapsulated packets cross the local network and ISP as opaque ciphertext. Observers on that path learn only that you are talking to the VPN server, when, and roughly how much.
  3. Exit point: The server strips the outer layer, decrypts the inner packet, and forwards it from its own address; replies are NATed back through the tunnel. Destinations see the VPN's IP, not yours. The server itself, however, sees your real IP and the plaintext of anything not separately protected by TLS.

Tradecraft mindset: Treat the VPN provider as a single point of trust. Select providers whose no-logs claims have been independently audited and whose jurisdiction fits your risk model.

When VPNs Are Essential

  • Hostile networks: public Wi-Fi, hotels, cafés, conference networks.
  • IP masking: disconnecting your home/office IP from operational activity.
  • Geo/censorship bypass: regaining access to region-restricted content and tools.
  • Consistency in ops: ensuring every session of an operation presents from the same deliberately chosen footprint, not a mix of home, mobile and hotel IPs that a defender can stitch together.

Limits & Pitfalls

  • Provider trust: if they log, they can expose you. Prefer providers whose no-logs claims have been independently audited or have held up when tested in court.
  • Leak vectors: DNS queries sent to the ISP resolver, IPv6 traffic the client does not route, and WebRTC ICE candidates can all bypass the tunnel unless the client and browser are configured to stop them.
  • Identity correlation: logging into personal accounts over a VPN still links activity to you.
  • One lapse problem: a single non-VPN session can burn an entire operation.

Real-World Context

In the 2015 PSN case, investigators linked actions to home IPs when attackers failed to anonymize consistently. Reference: The Guardian.

Hardening Your Setup

  • Auto-connect + kill switch: firewall rules (not just a client toggle) that drop all non-tunnel traffic if the tunnel drops, including during the reconnect window.
  • Handle IPv6: either confirm the client routes IPv6 through the tunnel or disable IPv6 on the host; an unrouted native IPv6 path bypasses the tunnel silently.
  • Verify DNS: run the extended test at dnsleaktest.com and confirm every resolver shown belongs to the provider, not your ISP.
  • Segregate identities: dedicated browser profiles or containers for operational work.
  • Multi-hop / rotating egress: raise the bar for correlation (balanced against reliability).
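A kill switch is only as good as its firewall rules. The following is an added example, not code from the lesson or from any VPN client: a Python helper that emits an nftables ruleset with a default-drop policy, permitting only the encrypted transport to the VPN endpoint on the physical uplink and traffic inside the tunnel interface. The interface names (eth0, wg0), the endpoint 203.0.113.10:51820 and the LAN range are placeholder assumptions you replace with your own; load the output with `nft -f`.

```python
"""Generate an nftables kill switch for a WireGuard-style VPN.

Added example, not from the lesson or any VPN client.  Interface names,
the endpoint 203.0.113.10:51820 and the LAN range are assumptions you
replace with your own; load the output with `nft -f <file>`.
"""
from ipaddress import ip_address, ip_network
from typing import Optional


def killswitch_ruleset(endpoint_ip: str, endpoint_port: int, phys_if: str,
                       tun_if: str, lan: Optional[str] = None,
                       ipv6_in_tunnel: bool = False) -> str:
    """Return an nft ruleset whose default is DROP, so nothing leaves the host
    except (a) the encrypted handshake/transport to the VPN endpoint on the
    physical uplink and (b) traffic that goes through the tunnel interface."""
    family = "ip6" if ip_address(endpoint_ip).version == 6 else "ip"  # raises on a typo
    lines = [
        "flush ruleset",
        "table inet killswitch {",
        "    chain output {",
        "        type filter hook output priority 0; policy drop;",
        '        oifname "lo" accept',
        # Everything sent via the tunnel interface is already encrypted.
        f'        oifname "{tun_if}" accept',
        # The only plaintext-side exception: the tunnel transport itself.
        # Use an IP, not a hostname: with DNS blocked, a hostname cannot resolve.
        f'        oifname "{phys_if}" {family} daddr {endpoint_ip} udp dport {endpoint_port} accept',
        # DHCP renewals keep the uplink alive and leak nothing operational.
        f'        oifname "{phys_if}" udp dport 67 accept',
    ]
    if not ipv6_in_tunnel:
        # Provider does not carry IPv6: drop it outright so the OS cannot
        # fall back to the ISP's native IPv6 path around the tunnel.
        lines.append("        meta nfproto ipv6 drop")
    if lan:
        ip_network(lan)  # validate the CIDR before it lands in a ruleset
        lines.append(f'        oifname "{phys_if}" ip daddr {lan} accept  # printers, NAS; remove for strict ops')
    lines += [
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        '        iifname "lo" accept',
        # Replies to the endpoint handshake and to tunnel traffic are tracked flows.
        "        ct state established,related accept",
        f'        iifname "{tun_if}" accept',
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder values: documentation address range and common interface names.
    print(killswitch_ruleset("203.0.113.10", 51820, "eth0", "wg0", lan="192.168.1.0/24"))
```

Rule order matters: nftables applies the first terminal verdict, so the tunnel and endpoint accepts sit above the IPv6 drop, and the LAN exception is the last thing before the default drop. The IPv6 drop covers the common case of a provider that only carries IPv4; if yours routes IPv6 through the tunnel, pass `ipv6_in_tunnel=True` and verify it with the DNS and IP checks in the exercise.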

Exercise

  1. Record your real public IP and resolvers before connecting; then connect to a foreign VPN server and confirm the exit IP changed via a “what is my IP” service.
  2. Run an extended DNS leak test and capture results.
  3. Test WebRTC leak in your browser settings or via a test page.
  4. Document mitigations (kill switch, IPv6 handling, profile separation).
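To make steps 1 to 4 repeatable rather than a one-off glance at a web page, the following added example (not part of the lesson) compares a baseline taken before connecting with a snapshot taken after, and flags the leak vectors the exercise tests: unchanged or foreign exit IP, native IPv6, ISP resolvers in the DNS leak test, and WebRTC candidates that carry the real address. The Snapshot fields, the provider egress ranges and every address below are constructed assumptions using documentation ranges; in practice you fill them from the what-is-my-IP, DNS leak and WebRTC results.

```python
"""Compare a pre-VPN baseline with a post-connect snapshot and flag leaks.

Added example, not from the lesson.  The Snapshot fields mirror what the
exercise collects by hand; all addresses are constructed test data from
documentation ranges and the provider egress ranges are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # ("FAIL" | "WARN", message)


@dataclass
class Snapshot:
    public_ipv4: Optional[str]                 # from a what-is-my-IP service
    public_ipv6: Optional[str]                 # None if the host has no global IPv6
    dns_resolvers: List[str] = field(default_factory=list)      # egress IPs shown by an extended DNS leak test
    webrtc_candidates: List[str] = field(default_factory=list)  # host/srflx candidate addresses from the browser


def audit(baseline: Snapshot, tunnelled: Snapshot, vpn_egress: List[str]) -> List[Finding]:
    """Return findings; an empty list means every check passed."""
    nets = [ip_network(n) for n in vpn_egress]
    in_vpn = lambda ip: any(ip_address(ip) in n for n in nets)
    baseline_ips = {ip for ip in (baseline.public_ipv4, baseline.public_ipv6) if ip}
    findings: List[Finding] = []

    # 1. Exit IPv4 must differ from the baseline and belong to the provider.
    v4 = tunnelled.public_ipv4
    if v4 is None:
        findings.append(("FAIL", "no IPv4 exit observed: tunnel down or kill switch blocking everything"))
    elif v4 == baseline.public_ipv4:
        findings.append(("FAIL", f"IPv4 exit unchanged ({v4}): traffic is not using the tunnel"))
    elif not in_vpn(v4):
        findings.append(("FAIL", f"IPv4 exit {v4} is outside the provider's ranges"))

    # 2. IPv6 must be absent or also from the provider; native ISP IPv6 is a leak.
    v6 = tunnelled.public_ipv6
    if v6 and not in_vpn(v6):
        findings.append(("FAIL", f"IPv6 leak: {v6} reaches the internet outside the tunnel"))

    # 3. DNS: any resolver from the baseline (ISP) set means queries bypass the tunnel.
    for r in tunnelled.dns_resolvers:
        if r in baseline.dns_resolvers:
            findings.append(("FAIL", f"DNS leak: ISP resolver {r} still answers queries"))
        elif not in_vpn(r):
            findings.append(("WARN", f"third-party resolver {r}; acceptable only if its queries ride the tunnel"))

    # 4. WebRTC: a candidate carrying the baseline IP deanonymises the browser;
    #    a LAN address is a fingerprinting aid; mDNS names (".local") leak nothing.
    for c in tunnelled.webrtc_candidates:
        try:
            addr = ip_address(c)
        except ValueError:
            continue  # mDNS-obfuscated host candidate
        if c in baseline_ips:
            findings.append(("FAIL", f"WebRTC leak: candidate {c} exposes the real public IP"))
        elif addr.is_private:
            findings.append(("WARN", f"WebRTC exposes LAN candidate {c}; disable non-proxied UDP in the browser"))
    return findings


def passed(findings: List[Finding]) -> bool:
    return all(sev != "FAIL" for sev, _ in findings)


# Constructed test data (documentation ranges), not real measurements.
PROVIDER = ["203.0.113.0/24", "2001:db8:ff::/48"]
BASELINE = Snapshot("198.51.100.23", "2001:db8:1::23",
                    ["198.51.100.5", "198.51.100.6"], ["192.168.1.10", "198.51.100.23"])
LEAKY = Snapshot("203.0.113.77", "2001:db8:1::23",
                 ["203.0.113.53", "198.51.100.5"], ["192.168.1.10", "198.51.100.23", "abcd1234.local"])
CLEAN = Snapshot("203.0.113.77", None, ["203.0.113.53"], [])

if __name__ == "__main__":
    for name, snap in (("leaky", LEAKY), ("clean", CLEAN)):
        result = audit(BASELINE, snap, PROVIDER)
        print(f"{name}: {'PASS' if passed(result) else 'FAIL'}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

The findings list doubles as the skeleton of the ops note the deliverable asks for: each FAIL maps to a mitigation from the hardening section (kill switch, IPv6 handling, resolver choice, browser WebRTC setting), and a clean run on a fresh profile is the evidence that the mitigations hold.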

Deliverable: 8–12 line ops note with screenshots and mitigations.

Key Takeaways

  • VPNs mask IPs and encrypt traffic but don’t erase identity mistakes.
  • Leak testing and kill switches convert habit into protection.
  • Provider choice and jurisdiction matter to your threat model.
  • Never mix personal and operational identities—ever.

OPSEC Reminder: A VPN is a layer. Pair it with identity segregation, hardened browsers, and disciplined procedures.