How does a VPN technically hide my IP address from websites and ISPs?
Executive summary
A VPN hides a device’s real IP address by encrypting the device’s traffic and routing it through a remote VPN server that uses its own IP when talking to websites and services [1] [2]. That same encryption prevents the local network or ISP from reading destination sites or content, though the ISP still sees that a device is connected to a VPN server [3] [4].
1. How the tunnel and IP substitution actually work
When a VPN client connects, it establishes an encrypted “tunnel” between the device and a VPN server; all packets are encapsulated and sent through that channel to the server, which then forwards requests to the wider Internet using the server’s public IP address instead of the user’s original address [1] [5]. To external websites the requests appear to originate from the VPN server because the server rewrites the source IP to its own before issuing outbound connections, effectively “borrowing” a different IP for the user’s traffic [6] [7].
2. What the ISP sees and what it doesn’t
An ISP can see that a customer is transmitting encrypted packets to a specific VPN endpoint (IP and connection timing), but it cannot see the plaintext contents of those packets or the particular websites and pages visited when a properly configured VPN is used, because the traffic inside the tunnel is encrypted [3] [4]. In short: the ISP knows “someone is talking to a VPN server,” not “someone is visiting example.com” [5].
3. What websites and services see instead of the real IP
Websites, ad networks and online services typically see the public IP address of the VPN server and any metadata associated with that server (geolocation, ASN, shared-user activity), which hides the user’s device IP and general location but associates activity with the VPN provider’s address space [8] [9]. If the VPN uses shared IP pools, multiple customers appear under the same server IP, improving plausible deniability; if it issues unique IPs, the site still sees a non-device IP tied to the provider [1] [9].
4. Limitations: leaks, connection drops and protocol weaknesses
VPNs are not perfect cloaks — misconfiguration and technical gaps can leak a real IP via DNS, WebRTC, or an interrupted tunnel that reverts traffic to the default network; vendors and testers warn of DNS and WebRTC leaks and recommend kill switches because a dropped VPN can expose the true IP [10] [5]. Encryption also adds latency and can be fingerprinted or blocked by services that identify and reject known VPN IP ranges, so hiding an IP is contingent on correct setup and stable connection [10] [2].
5. Trust model and the party that can still see activity
A core trade-off is that a VPN replaces the ISP as the party capable of seeing destination sites and unencrypted traffic: the VPN provider — not the local ISP or Wi‑Fi operator — can observe or log metadata and, depending on the VPN’s policies and jurisdiction, may retain records [4] [8]. Security guides and vendors explicitly caution that users must trust the VPN operator’s logging practices and legal exposure, because hiding an IP from websites and ISPs does not eliminate a VPN provider’s visibility [4] [9].
6. Practical reality: what hiding an IP achieves and what it doesn't
Using a VPN reliably masks the device’s network address from websites and the local ISP while encrypting traffic between device and VPN server, which protects against local eavesdroppers and reveals a different public IP to remote services [11] [3]. It does not grant true anonymity: misconfigurations, provider logs, browser-level leaks, account logins, and higher-level tracking techniques can still link online behavior to an identity if additional precautions aren’t taken [5] [9].