"SSH encrypts my connection, so I don't need a VPN." — a common refrain among developers. Not wrong, but not complete either.
SSH encrypts a specific connection. A VPN encrypts all traffic from your device. The scope of protection is different. While you SSH into a server from a cafe, your npm install downloads, API documentation browsing, and Slack messages all travel outside that encrypted tunnel.
This guide covers the specific scenarios where developers benefit from a VPN, and how to choose between self-hosted WireGuard, commercial VPN services, and Tailscale.
Why Developers Need a VPN
Developer network traffic carries more sensitive information than typical browsing.
- API keys and access tokens — they live in environment variables, but still appear in HTTP request headers
- git push/pull — repository names and branch names reveal project structure
- Package downloads — npm install, pip install, and docker pull destinations expose your entire tech stack
- Internal documentation — Confluence and Notion URLs leak team structure and feature roadmaps
HTTPS is widespread, but DNS queries (which domains you visit) are unencrypted by default. Your ISP or Wi-Fi administrator can see every service you use.
In the US, the FCC's Broadband Consumer Privacy rules were repealed in 2017, allowing ISPs to sell browsing history without user consent. ISPs including Comcast and CenturyLink have been caught using DNS hijacking to redirect queries to ad-laden pages for revenue.
A VPN routes all of this through an encrypted tunnel, hiding it from the ISP and Wi-Fi operator between you and the VPN server.
Real-World Use Cases
Geolocation Testing
CDN edge caching, i18n routing, region-locked content — verifying these requires requests from different countries. A VPN lets you switch your exit country and test locally instead of deploying staging environments in every region.
# Connect to a Japanese server and test CDN behavior
nordvpn connect japan
curl -I https://your-cdn.example.com/api/content
Development on Public Wi-Fi
Cafes, airports, co-working spaces. The risk on public Wi-Fi goes beyond eavesdropping.
- Evil twin attacks — a fake access point with the same name as the real one captures all traffic
- Session hijacking — unencrypted cookies are intercepted to take over login sessions
- DNS spoofing — forged DNS responses redirect you to phishing sites instead of legitimate ones
The server you are SSHing into is protected. But the browser, Slack, and package manager running alongside it are exposed. A VPN wraps everything in the tunnel.
Geo-Restricted Developer Tools
GitHub restricts access from certain countries under US trade controls. While restrictions for Iran and Syria have been partially relaxed (GitHub obtained OFAC licenses to provide broader access), Crimea remains fully restricted, and private repositories and paid features like Copilot may still be unavailable. China's Great Firewall makes connections unreliable. Many npm packages depend on GitHub-hosted binaries via node-gyp, so GitHub restrictions cascade to npm as well.
For developers traveling to affected regions or collaborating with teams there, a VPN is a practical necessity.
Remote Work Security
Corporate VPN (for accessing internal resources) and personal VPN (for privacy from your ISP) are different tools.
Using a personal VPN on a corporate laptop may violate security policy. On the other hand, if you use a personal device for work, protecting your traffic is your own responsibility.
Do You Still Need a VPN If You Have SSH?
This is a common misconception among developers, and it is worth clearing up.
SSH vs VPN
| | SSH | VPN |
|---|---|---|
| Scope | Single connection (one session) | All device traffic |
| Layer | Application layer | Network layer |
| Use case | Remote shell access to servers | Encrypting all traffic |
| DNS protection | None | Yes |
| Browser traffic | Not protected | Protected |
An SSH tunnel (ssh -D for a SOCKS proxy) can route specific application traffic through a server. But protecting system-wide traffic requires a VPN.
Use Both
In practice, the answer is not "SSH or VPN" but "SSH and VPN."
- VPN — encrypts all device traffic, preventing eavesdropping on public networks
- SSH — inside the VPN tunnel, provides secure access to specific servers
Think of a VPN as a tunnel covering the entire road, and SSH as an armored vehicle driving inside it.
Self-Hosted WireGuard vs Commercial VPN vs Tailscale
Developers have three options. Each fits different scenarios.
Self-Hosted WireGuard
Install WireGuard on a VPS (Hetzner, Vultr, Linode, etc.) and run your own VPN server.
Best for:
- Remote access to your home network or VPS
- Dedicated IP (avoids shared-IP rate limiting)
- Keeping traffic data out of third-party hands
Trade-offs:
- Server maintenance and updates are your responsibility
- Single server means no geographic diversity
- Kill switch and DNS leak protection require manual configuration
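# WireGuard server setup example (Ubuntu)
sudo apt install wireguard
# Generate the key pair as root with a restrictive umask so the private key is not world-readable
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey'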
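A static check for the two gaps named in the trade-offs above (kill switch and DNS leak protection), as an added example that is not code from the original article: it audits a wg-quick client config for full-tunnel routing, a tunnel DNS server, and a kill-switch rule. The sample configs, addresses and finding names are constructed for illustration; the kill-switch rule follows the pattern documented in wg-quick(8).

```python
import ipaddress

# Constructed sample configs; keys, hostname and addresses are placeholders.
KILL = ("iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) "
        "-m addrtype ! --dst-type LOCAL -j REJECT")  # IPv6 needs the ip6tables twin
PEER = "[Peer]\nPublicKey = <server-public-key>\nEndpoint = vpn.example.com:51820\n"
WEAK = """[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24
""" + PEER + "AllowedIPs = 10.8.0.0/24\n"
HARDENED = f"""[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24, fd00:8::2/64
DNS = 10.8.0.1
PostUp = {KILL}
PreDown = {KILL.replace(' -I ', ' -D ')}
""" + PEER + "AllowedIPs = 0.0.0.0/0, ::/0\n"

def parse(conf):
    # wg-quick allows repeated keys (PostUp) and repeated [Peer] sections,
    # so collect every value per (section, key) instead of using configparser.
    out, section = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            out.setdefault((section, key.strip().lower()), []).append(value.strip())
    return out

def covers_all(nets, version):
    # Collapsing first also recognises the 0.0.0.0/1 + 128.0.0.0/1 full-tunnel form.
    same = [n for n in nets if n.version == version]
    return any(n.prefixlen == 0 for n in ipaddress.collapse_addresses(same))

def audit(conf):
    cfg = parse(conf)
    nets = [ipaddress.ip_network(a.strip(), strict=False)
            for v in cfg.get(("peer", "allowedips"), []) for a in v.split(",") if a.strip()]
    # Heuristic: a PostUp rule that rejects or drops traffic not leaving via the tunnel.
    kill = any("! -o %i" in r and ("REJECT" in r or "DROP" in r)
               for r in cfg.get(("interface", "postup"), []))
    checks = [("split-tunnel-ipv4", covers_all(nets, 4)), ("ipv6-bypass", covers_all(nets, 6)),
              ("dns-leak", bool(cfg.get(("interface", "dns")))), ("no-kill-switch", kill)]
    return [name for name, ok in checks if not ok]

if __name__ == "__main__":
    print("weak:", audit(WEAK), "| hardened:", audit(HARDENED))
```

The check is static: it confirms the settings are present in the file, not that the running interface enforces them.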
Commercial VPN (NordVPN, etc.)
A few dollars a month gets you servers in 100+ countries, Kill Switch, DNS leak protection, and post-quantum encryption.
Best for:
- Geolocation testing (need IPs in many countries)
- Daily protection on public Wi-Fi
- Zero configuration effort
Trade-offs:
- Shared IPs can trigger API rate limits set by other users' behavior
- Requires trusting the provider (check for independent no-logs audits)
Tailscale
A WireGuard-based mesh VPN built by Tailscale. Devices connect directly to each other with end-to-end encryption, no central server in the data path.
Best for:
- Private networks across multiple devices
- NAT traversal to access home servers and VPS
- Sharing development resources across a team
Trade-offs:
- Does not anonymize your public IP (unlike traditional VPNs)
- Protecting traffic to external sites requires setting up an exit node separately
- Requires trusting Tailscale's coordination server
Comparing the Three
| | Self-Hosted WireGuard | Commercial VPN | Tailscale |
|---|---|---|---|
| Monthly cost | VPS cost (~$5) | $3-8 | Free to $5/user |
| Server count | Your VPS only | 100+ countries, 5,000+ | Device-to-device mesh |
| Setup effort | High | Near zero | Low |
| IP anonymization | VPS IP | Many exit IPs | None (exit node needed) |
| Kill switch | Build it yourself | Built-in | None |
| NAT traversal | Port forwarding needed | Not needed | Automatic |
Among commercial VPNs, NordVPN stands out for developers with its Linux CLI support and WireGuard (NordLynx) implementation. It comes with a 30-day money-back guarantee.
VPN Services Compared for Developers
When evaluating commercial VPNs, developers should prioritize different criteria than general users.
What Developers Should Look For
- Linux CLI support — can you operate it from the terminal, not just a GUI?
- WireGuard support — faster and lower latency than OpenVPN
- No-logs audit — has the provider been independently audited?
- Simultaneous connections — can you protect your dev machine, test device, and server at the same time?
Service Comparison
| | NordVPN | Mullvad | ProtonVPN |
|---|---|---|---|
| Monthly (annual plan) | ~$4.99 | €5.00 (flat) | ~$3.99 |
| Linux CLI | Yes (open source) | Yes | Yes |
| Protocols | NordLynx, OpenVPN | WireGuard, OpenVPN | WireGuard, OpenVPN |
| Servers | 9,000+ (130+ countries) | 580+ (50 countries) | 18,100+ (129 countries) |
| No-logs audit | Yes | Yes (RAM-only) | Yes (SOC 2) |
| Simultaneous devices | 10 | 5 | 10 |
| PQ encryption | Yes (ML-KEM) | No | No |
| Mesh feature | Meshnet | No | No |
| Free plan | No (30-day refund) | No | Yes (10 locations) |
NordVPN stands out for developers with its Linux CLI, post-quantum encryption, and Meshnet. Good balance of server count and geographic coverage.
Mullvad is privacy-first. No email required to sign up, and a 2023 police raid on their Swedish headquarters confirmed zero user data was stored.
ProtonVPN has the largest server network and offers a free tier. A good starting point if you want to try before committing.
For the technical details behind VPN protocols, see "VPN Protocols Compared: WireGuard vs OpenVPN vs IKEv2." For NordVPN Linux setup, see "NordVPN on Linux: CLI Commands, Post-Quantum Encryption, and Docker."
FAQ
Can SSH replace a VPN for developers?
No. SSH encrypts a single connection to a specific server, while a VPN encrypts all traffic from your device. DNS queries, package downloads, browser traffic, and Slack messages all travel outside an SSH tunnel. Use both together: VPN for system-wide encryption, SSH for server access inside that tunnel.
Is WireGuard better than OpenVPN for development work?
For most developers, yes. WireGuard has lower latency, faster handshakes, and a smaller codebase (~4,000 lines vs OpenVPN's ~100,000). The speed difference matters when you're running builds, pulling containers, or syncing large repos over VPN. OpenVPN remains relevant for legacy corporate environments that require it.
Can I use a VPN with Docker containers?
Yes, but it takes some configuration. By default, Docker containers use the host's network stack, so a VPN running on the host protects container traffic too. For per-container VPN routing, you can use Docker's --net=container: flag or a dedicated VPN container like gluetun. WireGuard's kernel-level integration makes it particularly efficient for containerized workflows.
Do VPNs slow down development workflows?
Modern WireGuard-based VPNs add minimal overhead — typically 5-15% throughput reduction and 1-3ms latency. For git push, npm install, or API calls, the difference is barely noticeable. Older OpenVPN connections can be slower. If latency matters (real-time debugging, live database queries), choose a VPN server geographically close to your target.
Should I use a VPN on my home network?
It depends on your threat model. A VPN on your home network prevents your ISP from logging your DNS queries and browsing history. If you work with sensitive client data or access production systems from home, the added encryption layer is worth it. For purely local development with no external calls, it's optional.
Is Tailscale a replacement for a traditional VPN?
Not exactly. Tailscale creates encrypted device-to-device connections but does not anonymize your public IP or protect traffic to external websites by default. You need to configure an exit node for that. Think of Tailscale as a private network overlay, and a traditional VPN as a public internet privacy tool. Many developers use both.
Wrapping Up
Choosing a VPN as a developer is not about finding the "best" one — it is about matching the tool to what you need to protect:
- Daily work on public Wi-Fi → Commercial VPN (NordVPN, Mullvad, etc.)
- Remote access to home network or VPS → Tailscale or self-hosted WireGuard
- Geolocation testing → Commercial VPN (need IPs in many countries)
- Team resource sharing → Tailscale
SSH alone is not enough. A VPN does not replace SSH — it complements it as an additional layer of protection.
Pick the combination that fits your workflow, set it up, and get back to writing code. That is the right way to use a VPN.
Related articles:
- NordVPN Review: Pricing, Security, and Performance Tested
- How to Use NordVPN: Setup, Settings, and Troubleshooting
- Is NordVPN Safe? A Technical Security Analysis
- VPN Protocols Compared: WireGuard vs OpenVPN vs IKEv2 Under the Hood
- NordVPN on Linux: CLI Commands, Post-Quantum Encryption, and Docker
- NordVPN vs ExpressVPN vs Surfshark: An Honest Comparison
- Are Free VPNs Safe? Real Incidents and How to Choose
Official resources:
- WireGuard — Official Site — self-hosted setup specifications
- Tailscale — Official Site — mesh VPN features and pricing
- NordVPN Linux — Linux client download