Your greatest security and privacy risk relates to data in transit, as it passes to and from your devices. In a coffeeshop, airport, or other public space using Wi-Fi, your information passes in the clear between your hardware and the network’s hub. You may not be sure how and whether the hotspot secures access to the wired side of its routers, either.

Even if you’re using a secure Wi-Fi network at home, work, or school—or even wired Ethernet—your bits still pass across a broadband modem and through intermediate points on the Internet before reaching the destination server and vice-versa. (Cellular networks are generally considered quite secure unless you are being either individually targeted or swept into a government-backed interception project.)

Cloak's no-nonsense friendly dialog makes it clear your Mac is connected—and your traffic is secure.

While most email servers offer secure connections, not all do and you might never have reconfigured your client to protect those sessions. (If not, you should!) Plain old FTP—not SFTP or FTP over SSL/TLS—sends a password in the clear, as well as all data. While financial, medical, ecommerce, and social-networking sites encrypt all or nearly all their Web sessions, most other sites don’t, leaving your behavior open to outside inspection.

Imagine the Internet as a series of pipes—seriously. And then imagine that you could thread your own thin, flexible, impenetrable stainless-steel pipe from your house through all the water mains to where the water comes. That’s a virtual private network (VPN). It’s a secure end-to-end tunnel between your device and some far-off destination.

How a VPN works

A VPN has two termination points, more or less like a secure connection to a website. One end is a VPN client on a piece of hardware under your control. The other is at a VPN server. Typically, when setting up the connection, you have a mechanism that lets you verify that the right security credentials are in place, which prevents a party from inserting itself between you and the server.

TunnelBear has an old-timey frame for information about your Mac's active connection.

Data traveling in the tunnel is encrypted and decrypted at each end. With proper, modern techniques, VPN traffic is essentially uncrackable. There are weakness, either accidental as with Microsoft’s early PPTP standard, or intentional, as with the NSA’s hidden efforts to reduce the quality of modern VPN standards. But these typically only affect you if you’re individually targeted by criminals or a government.

VPNs date back decades, and Apple natively supported standard VPN methods from early versions of Mac OS X and added robust support by iOS 5. They were originally deployed by corporations to allow remote workers a kind of safe extension of the security policies and firewall of the enterprise network everywhere they roamed. In many cases, the client software was free (built into Mac OS X, for instance), but the hardware required to run server software was the deterrent.

When you disconnect from TunnelBear's VPN in OS X, it roars!

This led to VPNs for hire, sometimes bundled into subscriptions to hotspot networks, where any individual could gain robust security. These often involved manual, tweaky configuration. You would have to enter a variety of details, and if any of them changed, you’d need to be alerted or check a website, and then reconfigure. It’s much easier today, so much so that those of you who thought the complexity was too annoying to manage should revisit.

These sorts of VPNs aren’t designed to protect you from government intrusion, malware, or large-scale criminal enterprises that target website vulnerabilities. Rather, they’re exclusively meant to secure the final mile: the most vulnerable piece of the path from you to your destination. Instead of terminating their servers inside a corporate firewall, they locate their systems in highly secure data centers. In fact, your path from them to Google, Facebook, and the like is very possibly over Ethernet within the same building or in one close by.

Easy-to-use options

I looked at two popular VPN services that have native OS X and iOS clients, and offer a single subscription to use both platforms: Cloak and TunnelBear. (TunnelBear also supports Windows and Android.) Both work under iOS 7 and 8 and OS X 10.9 and 10.10. TunnelBear reaches back through the mists of time to OS X 10.6.8 as well.

After installing iOS profiles, you can enable or disable Cloak and TunnelBear in Settings as well as through their native apps.

The two services try to remove as much complexity as possible, which means eliminating manual configuration both in iOS and OS X. OS X is simpler, because Apple doesn’t restrict access to the network innards required to set things up. In iOS, both companies use profiles, which let them (with your explicit permission) install their configuration details directly. You can then use their software to enable and disable connections, or use the iOS VPN controls in Settings > VPN.

The main difference between the two is that TunnelBear has friendly bear illustrations and animations, while Cloak is a bit more businesslike in appearance, if also friendly. TunnelBear in OS X lets you target specific websites for VPN use and has some privacy features that disable some popular forms of user tracking. Cloak (which Dan Moren reviewed here) lets you pick trusted Wi-Fi networks to bypass enabling a VPN, and opt to automatically connect on all others. The deciding factor might be your particular number of devices, data usage, and interest in bears.

Hey, where'd that bear go? It's tunneled from America to a server in the UK, and now this iOS device appears to be located in Jolly Old.

Cloak sells time-limited passes as iOS in-app purchases, and passes and recurring subscriptions from its website. Every account may be used with an unlimited numbers of devices by a single person across iOS and Mac OS X. The fees range from $4 for a week to $100 per year for nonrecurring passes, all with unlimited data. A monthly subscription costs $3 with 5GB of data included, and an unlimited monthly and yearly plan are $10 and $100, respectively. Cloak offers a free 30-day trial.

TunnelBear has a slightly different approach. In iOS, you can purchase nonrecurring passes that work only in iOS, not across platforms, from $3 (one month) to $30 (one year) with unlimited data. Via the website, you can sign up for a free plan that includes 500MB per month, or for unlimited data across up to three devices for $5 per month (recurring) or $50 per year (either recurring or for a single year).

The fees might seem high, but every VPN service is paying not just for servers and the overhead of staff and the like, but the bandwidth you consume: Every gigabyte you send through a VPN is one gigabyte inbound (which is often cheap or free) and one gigabyte outbound (about 5 to 10 cents per GB). Some users will consume 50GB a month; others a trickle.

Cloak can bypass automatically starting up a VPN network on Wi-Fi networks you mark as trusted.

There’s one more trick up the sleeve of VPNs: They can let you seem to be accessing a service from a country other than the one in which you currently occupy. This is useful to evade certain per-country licensing limitations on free and subscription online streaming and other services. Simply select a destination country in TunnelBear or Cloak, and when you connect, your VPN connects to a server at a data center in one of those lands.

The ethics of such workarounds can be problematic, but VPNs are so popular that Netflix reportedly has tens of millions of subscribers who live outside of regions in which they offer their paid streaming service. In that case, one is skirting licensing rules. More iffy is, perhaps, using BBC’s iPlayer, which streams programs free to UK residents who pay television licenses and taxes used to subsidize production. Eventually, all national licensing barriers will have to fall because of such absurdities, but consult your internal ethical compass.

While the amount of stuff you need to protect has shrunk enormously in the last few years, with Facebook and Twitter encrypting by default, and Google and others upping their game, a VPN still buys you peace of mind. No matter what a website or other service does, you’ve locked down the part of the Internet you can’t control happening physically around or near you.