What “no-logs” really means when you’re using a VPN

I was on airport Wi‑Fi, trying to push a hotfix.

My bank app popped a “new device” warning, Slack started rate-limiting me, and the captive portal kept reappearing like a bad prank. That’s the moment most people remember they care about privacy.

“No-logs VPN” is the label everyone reaches for. It sounds absolute. It isn’t.

The “no-logs” screenshot everyone posts

If you’ve ever shopped for a VPN, you’ve seen the same promise copy-pasted: we don’t log anything. Then you open the fine print and the language gets mushy fast.

When a provider says “no logs,” they might mean one narrow thing: they don’t keep a record of the sites you visit (sometimes called activity logs). That’s good, but it’s only part of what matters.

A VPN service can collect a bunch of other data without writing down “user X visited example.com.” Common buckets look like this:

• Traffic/activity logs: domains, URLs, DNS queries, content (the scary stuff).
• Connection metadata: timestamps, bandwidth totals, the VPN server you used, your source IP, your app version.
• Account and payment records: email address, transaction identifiers, support tickets.

That’s one of the annoying parts: marketing tends to talk about the first bucket, while the privacy risk often lives in the second.

Metadata is still a fingerprint. If a provider stores “connected at 09:12 UTC from IP A to server B, used 6.2 GB,” it doesn’t take a genius (or a subpoena) to line that up with other logs elsewhere.

Also, “no-logs” is not a protocol feature. WireGuard, OpenVPN, IKEv2, VLESS+REALITY, Shadowsocks-2022, these are transport choices. Logging is a business choice.

Logs you can’t avoid (and the ones you shouldn’t accept)

A VPN server has to do some work to function: accept a connection, authenticate you, route packets, reply. Some state exists in memory while you’re connected. That isn’t the same thing as writing durable logs to disk.

Privacy is a chain.

In practice, the questions I ask are boring:

Does the provider store your source IP?

Do they keep connection timestamps?

Do they record DNS queries (or do they run their own DNS inside the tunnel)?

If a VPN claims “no-logs” but keeps source IP + timestamps, that’s not nothing. That’s enough to build a timeline. If they say they keep it “for abuse prevention,” I get it, but I want to know how long, where it’s stored, and whether it’s tied to my account.

On the other side, some data is hard to avoid in normal operations:

• Payment trail: even if you pay with a card, someone will have a receipt somewhere.
• Support messages: if you paste connection details into a ticket, you just created a log.

That second one bites people. I keep seeing screenshots in support chats that include public IPs, device names, sometimes even full VLESS links. Don’t do that.

“But I’m using a VPN, why can the app still see me?”

Because the VPN isn’t invisibility. It’s a different network path.

A VPN primarily changes who can observe your traffic between you and the internet. Your ISP sees you talking to a VPN server (often just an IP and lots of encrypted packets). The destination website sees the VPN server’s IP instead of your home IP. That’s the deal.

What doesn’t change:

• Websites can still track you via cookies, device fingerprinting, logged-in accounts, and app identifiers.
• If your DNS leaks outside the tunnel, your DNS resolver can still learn what you’re looking up.
• If an app has location permissions, it can just read GPS and ignore your nice new IP.

This is why “no-logs” matters. If the VPN becomes your new ISP, you want to be picky about what it records.

And you should assume some services will treat VPN exit IPs differently. Banks, streaming apps, and some email providers use IP reputation aggressively. A clean provider that rotates IPs responsibly and handles abuse well usually has fewer day-to-day headaches.

The leaks that show up on real devices

Most privacy failures I troubleshoot aren’t spy-movie stuff. They’re configuration mistakes.

On iOS, a lot of people use Shadowrocket for VLESS or Shadowsocks setups, or they rely on the built-in IKEv2/WireGuard clients. On Android, V2RayNG, NekoBox, and Hiddify are common. On desktops, you’ve got native WireGuard on macOS/Windows or an OpenVPN client when you’re stuck with older configs. Routers (OpenWrt) add another layer of “did I route it all?”

Here are the issues I run into most:

DNS that escapes the tunnel. Some clients will happily connect but still let the OS resolve DNS through the local network if the tunnel DNS isn’t set. That means the coffee shop’s resolver (or your ISP’s) can still log the domains you ask for.

IPv6 surprises. If your VPN only handles IPv4 and your device prefers IPv6, you can leak traffic outside the tunnel. Good clients either tunnel IPv6 or disable it cleanly.

Split tunneling you forgot you enabled. It’s handy, until a “trusted” app keeps using your normal network. On Android especially, per-app rules get out of date fast.

Captive portals and flapping networks. Mobile networks drop packets. Wi‑Fi roams. If your VPN doesn’t reconnect quickly, traffic can spill during the gap. WireGuard is usually good at recovering, but you still want a kill switch (and you want to test it).

Battery matters too. Always-on VPN with aggressive reconnect can chew through power on a phone, especially on spotty 5G where packet loss triggers handshakes more often than you’d expect. If you’re troubleshooting weird drain, try a WireGuard profile first and compare.

If you want the provider’s take on features like kill switch behavior, DNS handling, and supported platforms, I’d rather read a straight list than vague promises. The DuduVPN features page is the kind of reference I look for when I’m checking whether a service matches my setup.

How I sanity-check a “no-logs” claim in ten minutes

I don’t have special access. I just read what they publish and then try to break my own setup.

I start with policy language, but I’m hunting for specifics: do they say “we do not store source IP addresses,” do they define retention windows, do they separate operational metrics from user-identifiable records.

Then I do the practical checks:

1) Connect the VPN on one device.

2) Confirm your public IP changes.

3) Run a DNS leak test and an IPv6 test.

4) Toggle airplane mode a few times and watch reconnection behavior.

If the client or config can’t keep DNS inside the tunnel, the no-logs policy isn’t your biggest problem.

One more thing: pay attention to protocol choices in censorship-heavy networks. WireGuard over UDP is fast and stable in normal conditions, but it can be easy to fingerprint and block. VLESS+REALITY is popular because it blends into ordinary TLS traffic on port 443, though setup can be fussier and some clients lag behind on updates. Shadowsocks-2022 is still a workhorse for getting through restrictive networks, but you’ll want a client that’s actively maintained.

If any of those terms feel like alphabet soup, that’s fine. A decent provider should explain what they support and why, without turning it into a philosophy lecture. If you’re stuck on basic questions like “does this work on OpenWrt” or “can I use it with Shadowrocket,” I’d check the DuduVPN FAQ before you buy.

What you should expect a VPN to remember about you

Even in a best-case world, a VPN account is still an account. If you want privacy, aim for minimizing linkable data.

Use an email address you don’t reuse everywhere. Don’t paste full config URIs into random places. Keep your device names boring (yes, “Johns-iPhone-15-Pro” ends up in logs sometimes, even if a provider swears they don’t log traffic).

And be realistic: if you log into Google, Meta, or your bank through the tunnel, those services still know it’s you. The VPN isn’t for hiding from them. It’s for reducing what the network in between can collect, and for controlling where your traffic exits.

Price can be a signal too, mostly because running infrastructure costs money and corners get cut somewhere. I usually skim the DuduVPN pricing page to see what a plan includes (device limits, duration options) and whether it lines up with how I actually use a VPN day to day.

Near the end of the decision, I look for the simple stuff: clear policies, current clients, and support that can answer a direct question without hand-waving.

If you want a service that’s straightforward about privacy and doesn’t make setup a weekend project, I’d start with DuduVPN and use the Telegram bot to get a working config quickly.

After you connect, run a DNS leak test once on each device and save the screenshot.