What a “no-logs” VPN really means

Last month I was on airport Wi‑Fi, trying to push a quick git pull before boarding. The captive portal kept timing out, my phone was flipping between LTE and the terminal’s overloaded access points, and I did the thing everyone does: I hit “connect” in my VPN app and hoped for the best.

It worked. Mostly.

Then I wondered what I’d actually handed over during that messy minute: my real IP, my device details, my DNS requests, maybe even the exact time I connected. People throw “no logs” around like it’s a magic switch. It isn’t.

Logs are the whole game.

“No logs” isn’t a single promise

A VPN has two jobs: carry your traffic and route it out to the public internet. To do that, the service has to see some things, at least briefly. The real question is what gets written down, where, and for how long.

Most “no-logs” claims are really a bundle of smaller claims. Some are reasonable. Some are slippery.

Here’s the set of log types I care about when I’m evaluating a provider:

• Traffic logs: the content of what you do (URLs, DNS queries, payloads). If a provider stores this, you’re not buying privacy.
• Connection metadata: timestamps, source IP, assigned VPN IP, data transferred. This is the stuff that can still identify you, even if it’s not “content.”
• Device and account telemetry: app analytics, crash reports, device identifiers. It’s not always sinister, but it can be surprisingly revealing.
• Infrastructure logs: server health, kernel messages, DDoS mitigation events. These can exist without being tied to you, but sometimes they are.

Some vendors say “no traffic logs” and let you assume it includes connection metadata. Others say “no activity logs” and quietly keep IP-to-session mappings for “abuse prevention.” The words aren’t standardized, so you have to read like a skeptic.

Privacy is messy.

What a VPN must know (even if it doesn’t keep it)

A VPN can’t route packets from nowhere. Even with the best intentions, it will process some identifiers.

If you connect via WireGuard, the server needs to know which public key corresponds to which internal tunnel IP so it can encrypt replies back to you. With OpenVPN or IKEv2, there’s still a session, still a handshake, still some record of “a client exists right now.” That doesn’t automatically mean “logged.” It means “in memory at runtime.”

This is where marketing copy gets fuzzy, and where good engineering makes a difference.

The cleanest setup is when session state stays in RAM and dies when the process restarts, and when operational logs (CPU load, dropped packets, disk space) don’t include user identifiers. Plenty of providers try for that. Some even design around it with diskless or ephemeral servers. But even then, there are edge cases: abuse reports, DDoS attacks, rate limiting, fraud prevention. If a service supports port forwarding, that adds another mapping layer that can be handled carefully or handled lazily.

And yes, payment and signup can blow a hole in the whole story. If you pay with a card under your legal name, that’s a real-world identity tie. A strict “no logs” stance doesn’t erase billing records.

The parts users confuse with privacy

I keep seeing people treat three different ideas as the same thing:

1) hiding your browsing from your ISP, 2) hiding your home IP from the sites you visit, 3) being anonymous.

A VPN is good at the first two. The third is where people get hurt.

A VPN doesn’t stop browser fingerprinting. It doesn’t stop tracking pixels in your email client. It doesn’t stop apps from phoning home with an ad ID. And it definitely doesn’t stop you from logging into Google, Apple, or TikTok and handing over your identity willingly.

If you want anonymity, you’re looking at a different toolchain: Tor Browser, compartmentalized profiles, careful account hygiene, and a willingness to accept slower connections and more breakage. For some use cases, that’s worth it. For most day-to-day work, it’s too much friction.

The VPN sweet spot is simpler: don’t let random networks and your ISP get a clean view of your traffic, and don’t leak your home IP to every service you touch.

How to sanity-check “no logs” without becoming a lawyer

You don’t need to read a 40-page policy like it’s a contract review. You do need to look for a few tells.

First, look for specificity. A serious provider will say what they don’t collect and what they do collect, in plain language. “We do not store your source IP address” is meaningful. “We respect your privacy” is nothing.

Second, check whether the provider explains operational logging. Every network service has some level of monitoring. The question is whether those logs are aggregated (good), anonymized (sometimes good), or tied to account/session identifiers (bad).

Third, look for outside pressure points. Where is the company based, and what’s their process when they get a legal request? Jurisdiction isn’t a magic shield, but it changes what a company can be compelled to do.

Fourth, see if they’ve done anything that costs them money. Independent audits aren’t perfect, but they’re expensive and inconvenient, which makes them harder to fake casually. Warrant canaries and transparency reports can help too, as long as they’re kept current.

Read the fine print.

One practical trick: search the policy for “retain,” “third party,” “analytics,” “crash,” and “diagnostics.” If the app is bundling a pile of SDKs, “no logs” at the VPN tunnel level can still coexist with aggressive app telemetry.

Protocols and clients: the trade-offs show up fast

On my own devices, I default to WireGuard when I can. It’s quick to connect, handles roaming decently when your phone bounces between Wi‑Fi and mobile, and it’s not a battery hog compared to older stacks.

WireGuard runs over UDP. That’s great for speed, but on some hostile networks UDP gets throttled or blocked, and you’ll feel it as stalls, packet loss, or the classic “connected but nothing loads.” When I’m on hotel Wi‑Fi that looks like it was last upgraded in 2012, I sometimes have to switch.

A lot of people solve that with obfuscation layers or proxy-style protocols that mimic normal HTTPS on port 443. That’s where tools like V2RayNG, NekoBox, Hiddify, and Shadowrocket enter the chat, often using VLESS+REALITY or Shadowsocks-2022. Those aren’t “VPN protocols” in the traditional sense, but in practice they’re often used for the same goal: get traffic out reliably when networks are meddling.

The catch is complexity. More moving parts means more ways to misconfigure DNS, forget a kill switch, or leave split tunneling on when you didn’t mean to. And on mobile, heavy obfuscation can increase CPU wakeups, which shows up as battery drain and heat during long sessions.

If you’re the kind of person who tweaks OpenWrt at home, you can also push VPN at the router. That’s convenient, but it creates a single point of failure and can complicate device-level exceptions (smart TVs, consoles, banking apps that hate foreign IPs). I’ve done it. It’s nice until it’s annoying.

So what should “no logs” mean to you?

If I strip away the slogans, I want two things.

First: the provider shouldn’t be able to reconstruct what I did, where I went, or what I downloaded from stored records. That means no traffic logs, and it also means avoiding connection logs that tie my source IP to a session timestamp in a way that’s easy to query later.

Second: the app shouldn’t betray me quietly. If the tunnel drops, it needs a kill switch that actually blocks traffic on Windows and macOS, not just a UI toggle. If it claims private DNS, it shouldn’t leak requests to whatever resolver the network hands out. And if it collects diagnostics, it should be opt-in and clearly described.

There’s a middle ground where some minimal operational data exists, but it’s aggregated and short-lived. That’s normal. What I won’t accept is vague language plus a pile of “we may collect” clauses that cover everything.

Near the end of my own testing runs, when I want something straightforward for daily use and I’m not in the mood to babysit configs, I’ve pointed a couple friends at DuduVPN (their Telegram bot is https://t.me/duduvpnsbot) and told them to keep the kill switch on and run a DNS leak test once from a coffee shop.

If you do one thing after installing any VPN, switch networks mid-session (Wi‑Fi to LTE) and confirm your public IP doesn’t briefly flip back to your real one when the connection renegotiates.