"SSH encrypts my connection, so I don't need a VPN." — a common refrain among developers. Not wrong, but not complete either.
SSH encrypts a specific connection. A VPN encrypts all traffic from your device. The scope of protection is different. While you SSH into a server from a cafe, your npm install downloads, API documentation browsing, and Slack messages all travel outside that encrypted tunnel.
This guide covers the specific scenarios where developers benefit from a VPN, and how to choose between self-hosted WireGuard, commercial VPN services, and Tailscale.
Why Developers Need a VPN
Developer network traffic carries more sensitive information than typical browsing.
- API keys and access tokens — they live in environment variables, but still appear in HTTP request headers
- git push/pull — repository names and branch names reveal project structure
- Package downloads — npm install, pip install, docker pull destinations expose your entire tech stack
- Internal documentation — Confluence and Notion URLs leak team structure and feature roadmaps
HTTPS is widespread, but DNS queries (which domains you visit) are unencrypted by default. Your ISP or Wi-Fi administrator can see every service you use.
In the US, rules preventing ISPs from selling browsing history without user consent were repealed in 2017. Cases of ISPs using DNS hijacking to intercept search queries and sell the data to advertisers have been documented.
A VPN routes all of this through an encrypted tunnel, hiding it from the local network and your ISP. The VPN operator becomes the party you have to trust instead.
Real-World Use Cases
Geolocation Testing
CDN edge caching, i18n routing, region-locked content — verifying these requires requests from different countries. A VPN lets you switch your exit country and test locally instead of deploying staging environments in every region.
```bash
# Connect to a Japanese server and test CDN behavior
nordvpn connect japan
curl -I https://your-cdn.example.com/api/content
```
Development on Public Wi-Fi
Cafes, airports, co-working spaces. The risk on public Wi-Fi goes beyond eavesdropping.
- Evil twin attacks — a fake access point with the same name as the real one captures all traffic
- Session hijacking — unencrypted cookies are intercepted to take over login sessions
- DNS spoofing — forged DNS responses redirect you to phishing sites instead of legitimate ones
The server you are SSHing into is protected. But the browser, Slack, and package manager running alongside it are exposed. A VPN wraps everything in the tunnel.
Geo-Restricted Developer Tools
GitHub restricts access from Iran, Syria, and Crimea under US sanctions. China's Great Firewall makes connections unreliable. Many npm packages depend on GitHub-hosted binaries via node-gyp, so GitHub restrictions cascade to npm as well.
For developers traveling to these countries or collaborating with teams there, a VPN is a practical necessity.
Remote Work Security
Corporate VPN (for accessing internal resources) and personal VPN (for privacy from your ISP) are different tools.
Using a personal VPN on a corporate laptop may violate security policy. On the other hand, if you use a personal device for work, protecting your traffic is your own responsibility.
Do You Still Need a VPN If You Have SSH?
This is a common misconception among developers, and it is worth clearing up.
SSH vs VPN
| | SSH | VPN |
|---|---|---|
| Scope | Single connection (one session) | All device traffic |
| Layer | Application layer | Network layer |
| Use case | Remote shell access to servers | Encrypting all traffic |
| DNS protection | None | Yes |
| Browser traffic | Not protected | Protected |
An SSH tunnel (ssh -D for a SOCKS proxy) can route specific application traffic through a server. But protecting system-wide traffic requires a VPN.
Use Both
In practice, the answer is not "SSH or VPN" but "SSH and VPN."
- VPN — encrypts all device traffic, preventing eavesdropping on public networks
- SSH — inside the VPN tunnel, provides secure access to specific servers
Think of a VPN as a tunnel covering the entire road, and SSH as an armored vehicle driving inside it.
Self-Hosted WireGuard vs Commercial VPN vs Tailscale
Developers have three options. Each fits different scenarios.
Self-Hosted WireGuard
Install WireGuard on a VPS (Hetzner, Vultr, Linode, etc.) and run your own VPN server.
Best for:
- Remote access to your home network or VPS
- Dedicated IP (avoids shared-IP rate limiting)
- Keeping traffic data out of third-party hands
Trade-offs:
- Server maintenance and updates are your responsibility
- Single server means no geographic diversity
- Kill switch and DNS leak protection require manual configuration
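```bash
# WireGuard server setup example (Ubuntu)
sudo apt install wireguard
# Generate the key pair as root; umask 077 keeps the private key readable by root only
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey'
```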
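The trade-offs above note that kill switch and DNS leak protection are manual on self-hosted WireGuard. The following added example (not from the original article or the WireGuard project) audits a wg-quick client config for those gaps. Both sample configs are constructed; the keys, endpoint, tunnel addresses and the 10.8.0.1 resolver are placeholders, and the kill-switch rule follows the pattern documented in wg-quick(8).

```bash
#!/usr/bin/env bash
# Added example: audit a wg-quick client config for leak protections.
# Both configs are constructed samples; keys, endpoint and addresses are placeholders.

weak_conf() { cat <<'EOF'
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.8.0.0/24
EOF
}

hardened_conf() { cat <<'EOF'
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24, fd00:8::2/64
DNS = 10.8.0.1
# Kill switch: reject anything that is neither tunnel traffic nor the tunnel's own packets
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
EOF
}

# Reads a config on stdin and prints one finding per line (no output = no findings).
audit_wg_conf() {
  local conf allowed
  conf=$(cat)
  # Flatten every AllowedIPs value into ",a,b,c," so routes can be matched exactly.
  allowed=",$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=//p' | tr -d ' \t' | tr '\n' ','),"
  case $allowed in *,0.0.0.0/0,*) ;; *) echo "split-tunnel: IPv4 default route not sent through the VPN" ;; esac
  case $allowed in *,::/0,*) ;; *) echo "ipv6-leak: ::/0 missing from AllowedIPs" ;; esac
  printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*DNS[[:space:]]*=' ||
    echo "dns-leak: no DNS= line, queries stay on the local resolver"
  printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*PostUp[[:space:]]*=.*iptables.*! -o %i.*-j (REJECT|DROP)' ||
    echo "no-kill-switch: no PostUp rule blocking traffic outside the tunnel"
  return 0
}

echo "== weak ==";     weak_conf | audit_wg_conf
echo "== hardened =="; hardened_conf | audit_wg_conf
```

The kill-switch check is a heuristic on the PostUp line; a firewall managed outside the config (nftables, ufw) will not be detected.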
Commercial VPN (NordVPN, etc.)
A few dollars a month gets you servers in 100+ countries, Kill Switch, DNS leak protection, and post-quantum encryption.
Best for:
- Geolocation testing (need IPs in many countries)
- Daily protection on public Wi-Fi
- Zero configuration effort
Trade-offs:
- Shared IPs can trigger API rate limits set by other users' behavior
- Requires trusting the provider (check for independent no-logs audits)
Tailscale
A WireGuard-based mesh VPN. Devices connect directly to each other with end-to-end encryption, with no central server in the data path.
Best for:
- Private networks across multiple devices
- NAT traversal to access home servers and VPS
- Sharing development resources across a team
Trade-offs:
- Does not anonymize your public IP (unlike traditional VPNs)
- Protecting traffic to external sites requires setting up an exit node separately
- Requires trusting Tailscale's coordination server
Comparing the Three
| | Self-Hosted WireGuard | Commercial VPN | Tailscale |
|---|---|---|---|
| Monthly cost | VPS cost (~$5) | $3-8 | Free to $5/user |
| Server count | Your VPS only | 100+ countries, 5,000+ | Device-to-device mesh |
| Setup effort | High | Near zero | Low |
| IP anonymization | VPS IP | Many exit IPs | None (exit node needed) |
| Kill switch | Build it yourself | Built-in | None |
| NAT traversal | Port forwarding needed | Not needed | Automatic |
VPN Services Compared for Developers
When evaluating commercial VPNs, developers should prioritize different criteria than general users.
What Developers Should Look For
- Linux CLI support — can you operate it from the terminal, not just a GUI?
- WireGuard support — faster and lower latency than OpenVPN
- No-logs audit — has the provider been independently audited?
- Simultaneous connections — can you protect your dev machine, test device, and server at the same time?
Service Comparison
| | NordVPN | Mullvad | ProtonVPN |
|---|---|---|---|
| Monthly (annual plan) | ~$4.99 | €5.00 (flat) | ~$3.99 |
| Linux CLI | Yes (open source) | Yes | Yes |
| Protocols | NordLynx, OpenVPN | WireGuard, OpenVPN | WireGuard, OpenVPN |
| Servers | 6,000+ (111 countries) | 700+ (49 countries) | 18,100+ (129 countries) |
| No-logs audit | Yes | Yes (RAM-only) | Yes (SOC 2) |
| Simultaneous devices | 10 | 5 | 10 |
| PQ encryption | Yes (ML-KEM) | No | No |
| Mesh feature | Meshnet | No | No |
| Free plan | No (30-day refund) | No | Yes (10 locations) |
NordVPN stands out for developers with its Linux CLI, post-quantum encryption, and Meshnet. Good balance of server count and geographic coverage.
Mullvad is privacy-first. No email required to sign up, and a 2023 police raid on their Swedish headquarters confirmed zero user data was stored.
ProtonVPN has the largest server network and offers a free tier. A good starting point if you want to try before committing.
For the technical details behind VPN protocols, see "VPN Protocols Compared: WireGuard vs OpenVPN vs IKEv2." For NordVPN Linux setup, see "NordVPN on Linux: CLI Commands, Post-Quantum Encryption, and Docker."
Wrapping Up
Choosing a VPN as a developer is not about finding the "best" one — it is about matching the tool to what you need to protect:
- Daily work on public Wi-Fi → Commercial VPN (NordVPN, Mullvad, etc.)
- Remote access to home network or VPS → Tailscale or self-hosted WireGuard
- Geolocation testing → Commercial VPN (need IPs in many countries)
- Team resource sharing → Tailscale
SSH alone is not enough. A VPN does not replace SSH — it complements it as an additional layer of protection.
Pick the combination that fits your workflow, set it up, and get back to writing code. That is the right way to use a VPN.
Official resources:
- WireGuard — Official Site — self-hosted setup specifications
- Tailscale — Official Site — mesh VPN features and pricing
- NordVPN Linux — Linux client download