Can a VPN hide you from your ISP? Here’s what they see

When you connect to the internet, there’s one party that always stands between you and everything you access online: your internet service provider (ISP). Whether it’s a mobile network, cable company, or broadband provider, your ISP is the gateway through which all your internet activity flows.

This isn’t just about delivering data; they own the infrastructure, handle your traffic, and, in many cases, provide additional services like email, domain hosting, and cloud storage.

Most people don’t think much about their ISP once the Wi-Fi is set up and running. But given that virtually all online activity passes through their systems, it raises a critical question: what exactly can your ISP see, and what happens to that visibility when you use a VPN?

This guide breaks down what ISPs can typically view without a VPN, how VPNs change the picture, and whether your ISP can detect or interfere with your VPN usage. No speculation; just clear, factual answers based on how ISPs operate and what tools they use.
Your ISP is the middleman for almost everything you do online. Every site you visit, video you stream, or app you open passes through their systems, and unless you’re using a VPN, they can see more than you might expect about your activity.

Starting with the positives, modern encryption standards have, in recent years, drastically improved the situation regarding privacy for regular internet users, so your search terms and the contents of your uploads and downloads are all obscured from your ISP, at least by HTTPS or even by more recent and even more secure tech such as DNS-over-HTTPS (DoH), which was introduced as a default setting by Firefox and Chrome in 2020.

However, search terms and your uploads/downloads are not the only pieces of information that need protection. Without a VPN, your ISP can still see:

• Some of the websites you visit
• Apps you use
• Metadata

Let’s take a look at each of these categories.

Websites you visit (browser traffic)

In many cases, your ISP can see the website you visit. Here’s how leaks happen and when.

Whenever you type a web address into a browser, a multi-step process takes place before you can actually see the requested web page load (even though this happens in milliseconds).

The first part of this process is called DNS resolution. DNS (Domain Name System) resolution is like looking up a phone number in a directory. When you enter a URL (like www.example.com), your device needs to find out the corresponding IP address of the server hosting that website so it knows where to send your request. This lookup typically happens by sending a DNS query to a DNS server. Unless you’ve configured your device or browser differently, this server is provided by your ISP.

If DNS-over-HTTPS is not used, the query is sent in plaintext, and your ISP can see every domain name you look up, even if the rest of your traffic is encrypted. (To be clear, they don’t see the exact pages you visit (like example.com/sensitive-topic), but they do see the domain (example.com). That alone can reveal a lot about your interests, habits, or intentions.)

But that’s not the only way your DNS query can leak. After DNS resolution, your device now knows the IP address of the server that hosts the website you want to visit. It uses that IP address to start a connection with the server. If the site uses HTTPS (which most modern sites do), the next step involves setting up a secure connection through something called a TLS handshake. (If it only uses HTTP, the matter is much worse for your privacy, but this is rare, and your browser will notify you about it.)

It’s important to know that, while the TLS handshake will eventually result in establishing a secure connection, its first part is unencrypted. Unless the website uses Encrypted Client Hello (and many websites don’t), this is another point in the whole process when the domain name you’re trying to reach can leak (your browser sends it to the server in plaintext).

To sum it up: unless your browser of choice supports DoH (likely) and the website you want to visit implements Encrypted Client Hello (less likely and difficult and impractical to check for each website), your ISP will be able to see which domains you’re visiting.

Apps you use (direct traffic)

The situation is even worse with apps. Whenever you use an app or, for example, play an online game, the ISP will see the IP address of the server you are connecting to and will be able to tell which service you’re using and who owns the server.

While this is also true for websites you visit, it’s particularly problematic for apps because app IPs are often more revealing than website IPs. This is because:

• They’re less likely to be shared.
• They often correspond to specific, branded services.
• App traffic runs continuously in the background, adding behavioral signals.

With a VPN, however, your ISP won’t see any of the servers you are connecting to, and instead, it will see that all your connections are going to the same server—the VPN server.

Metadata

Metadata (such as timestamps and session durations) is another thing your ISP will be able to see if you don’t use a VPN. Now, that might sound relatively harmless, but it’s actually anything but.

The metadata ISPs collect can potentially be:

• Sold
• Stolen
• Leaked
• Seized by authorities

In the U.S., for example, ISPs are allowed to sell your browsing history as long as it’s not directly linked to your name. And deanonymizing that data is often much easier than you’d think.

With enough resources (the amount that is not unreasonable for an ISP or a government entity to have), the collection of metadata also opens room for correlation attacks. The goal of this attack is not to decrypt your internet traffic, but instead to use the timestamps and size of one’s traffic to deanonymize a user.

How does all this work in practice? Let’s say you live outside of the U.S. You make an anonymous comment on Reddit or Twitter (U.S. companies with servers in the U.S.) that your government does not like. Depending on the situation, Twitter or Reddit may not respond to the request by your government or law enforcement (generally speaking, platforms will deny this request if it is not breaking any rules in their jurisdiction).

However, your ISP, which has all this valuable metadata, is always incorporated in your country so your government can take them to court and win the case. In many countries, ISPs are also state-owned or government-controlled companies, potentially making the path to your metadata even shorter. And once your government has all that metadata collected by your ISP, they can get an accurate read on the time of your post and a somewhat accurate range of what the size of the traffic should be within that timeframe. With access to all the metadata logs of everyone in the country, they can use it to systematically narrow it down to you.

How a VPN changes what your ISP sees

Using a VPN changes the way your data moves across the internet. Instead of connecting directly to websites and services, your traffic is encrypted and sent through a secure tunnel to a remote server. From there, it continues to its final destination.

This encryption blocks outsiders, including your ISP, from seeing what you’re doing. The websites you visit are no longer visible—just the VPN server you connect to. And the traffic time and volume metadata is less precise.

But not everything is invisible. Your IP address will remain visible to your ISP (and therefore your location). Some technical details about your connection may still be visible as well, and in most cases, your ISP will know you’re using a VPN.

Why should you hide your data from ISPs?

Internet providers have access to your entire online activity unless you take steps to protect it. That access can be used in ways that affect your speed, your privacy, and your freedom to browse.

• Bandwidth throttling: Some ISPs may slow down your connection depending on what you’re doing online. For example, they might reduce speeds during video streaming or large downloads. This can happen even if you’re within your plan’s data limits, especially during peak hours. Learn how a VPN can help prevent content-based throttling.
• Data sales: As mentioned, in many countries, ISPs are legally allowed to collect and sell details about your online activity. This can include websites you visit, searches you make, and how often you connect—information valuable to advertisers.
• Censorship: In some parts of the world, internet providers may block access to certain websites or services because of government rules or their own policies.

Recent changes in net neutrality rules in the U.S. may affect how much control ISPs have over your connection. Explore the concept of net neutrality and why it matters for your privacy and speed.

How does your ISP know you’re using a VPN?

Your ISP can usually recognize VPN usage based on specific traffic patterns. Encrypted data, non-standard ports, and known VPN server IPs are common signals. Some ISPs may use deep packet inspection to confirm that a VPN is in use, but they still can’t access the content or destination of your activity.

VPN IP addresses and ports

When you connect to a VPN, your ISP sees that your traffic is being sent to an external IP address, one that isn’t part of its network. If that IP address belongs to a known VPN provider, this can indicate that a VPN is in use.

VPN protocols often use specific ports to establish a connection. For example, some use port 1194 for OpenVPN or 51820 for WireGuard. If your ISP monitors these ports, it can detect the use of a VPN protocol, even though it still can’t see the content of the traffic.

These details, IP address and port, are visible because your internet connection begins with your ISP. But what happens after the data reaches the VPN server remains hidden. The ISP can’t trace where the traffic goes from there.

Deep packet inspection (DPI)

Some internet service providers use a technique called deep packet inspection to analyze traffic beyond basic headers. Instead of just seeing where the data is going, DPI looks at the structure of the data packets themselves.

Although the content of VPN traffic is encrypted and unreadable, DPI can sometimes detect that a VPN is in use by identifying patterns associated with specific protocols. For example, the way packets are grouped, their size, and the timing of transfers may differ from typical web browsing.

DPI does not reveal what websites you’re visiting or what data is being sent. It only allows an ISP to recognize that the traffic fits the profile of a VPN connection.

Do ISPs care if you use a VPN?

As we’ve seen above, ISPs can usually detect that you’re using a VPN through signs like encrypted traffic and the IP address you connect to, but whether they care depends on the context.

In regions with strict internet regulations, ISPs may be required to monitor or restrict VPN usage because it may interfere with mandated tracking or content control. Similarly, network admins might throttle or restrict VPNs on organizational networks to enforce internal rules.

Some ISPs collect user data for monetization, so they may view VPN use as a barrier to their business model.

Alternatives to VPNs that hide you from ISPs

Some tools beyond VPNs can also help prevent your ISP from seeing your online activity. Each has its own strengths and limitations in terms of usability, reliability, and anonymity.

Tor network

Tor routes your traffic through three volunteer-operated relays, adding multiple layers of encryption along the way. Each relay only knows the part of the route directly before and after it, keeping the full path hidden. This makes it difficult for your ISP to see where your traffic is going. However, Tor requires its own browser and is often too slow for anything beyond basic browsing.

Proxy servers

A proxy acts as an intermediary between your device and the websites you visit, replacing your IP address with its own. But unlike a VPN, proxies don’t encrypt your traffic. This means your ISP can still see most of your activity, including the sites you’re trying to reach.

Encrypted DNS

Normally, your DNS requests, like when you type a web address, are visible to your ISP. With encrypted DNS, those requests are hidden, making it harder for your provider to know which websites you’re trying to access. If you’re just using an encrypted DNS (without a VPN), this won’t encrypt your full internet traffic, but it can limit some of what your ISP sees.

DNS-over-HTTPS (DoH)

DNS-over-HTTPS encrypts your DNS queries and sends them over the same secure protocol used by websites (HTTPS). DoH is widely supported by modern browsers and DNS providers. However, like other encrypted DNS methods, it doesn’t hide the rest of your internet traffic—only your DNS lookups.

Encrypted Client Hello (ECH)

While DoH and other DNS encryption methods hide which websites you want to visit, your ISP can often still infer this from the TLS handshake, which, as we’ve mentioned above, occurs after the DNS resolution is complete and the client has connected to the website server’s IP address, but before any encrypted data (like a webpage) is exchanged.

Like domain resolution, the TLS handshake is a multi-step process, but what matters for us here is that its first step, called Client Hello (which basically tells the server, “Here’s what I support; can we agree on something to use for this connection?”) includes the name of the website you want to visit (SNI, or Server Name Indication) in plaintext. This is where Encrypted Client Hello (ECH) comes into play. It encrypts the SNI so that it can’t be read by your ISP.ECH became enabled by default in Firefox version 119 and Chrome version 117, both released in 2023. But since, unlike DoH and much like HTTPS, it also requires website owners to implement it, the adoption is relatively slow. It also requires the website to be hosted on a cloud content delivery network (CDN) to make the best use of its advantages, which is not feasible for all websites to accomplish.

Choosing the right VPN to stay hidden

If you want to keep your activity private, not every VPN will do the job. Here’s what to look for and why:

• No logs and independent privacy policy audits: Since the VPN of your choice will be able to see the information you’ve hidden from your ISP, it’s vital to choose a VPN you trust more than your ISP. A trustworthy VPN is a service that doesn’t store your browsing history, IP address, or session times and has third-party audit reports to prove it.
• Obfuscation: Some VPNs offer modes that make your connection look like regular web traffic, helping avoid blocks or filtering. With ExpressVPN, this feature is enabled by default, regardless of the server you connect to.
• Privacy and speed: More privacy features typically mean slower speeds. However, with ExpressVPN’s Lightway protocol, you don’t have to choose between privacy and speed, as it’s designed to deliver both. Lightway uses lightweight code and modern cryptographic standards to establish secure connections faster, maintain stability even on unreliable networks, and consume less battery on mobile devices—all without compromising your privacy.