A VPN, or Virtual Private Network, works by extending an internal, private network over a larger, public space. When a VPN is active, a device outside the physical location of the private network is assigned an IP address as though it were within the network. VPNs are often used on corporate networks to allow employees who are working remotely to access the employer network without being physically connected to it. This allows the employee to access network-shared documents, internal servers, etc. For example, an employee on their home wi-fi whose office network has a network-connected printer should theoretically be able to turn on their corporate VPN, queue a document on the office printer, and pick it up when they head into the office.
Though not its original purpose, the VPN has two important side-effects:
When your computer is connected to a VPN, all of the information sent through the VPN is encrypted between your computer and the VPN server. This means that anyone intercepting packets along the way would find the packets encrypted. While the encryption will be of varying strength and could theoretically be broken, this should be enough to ward off the Coffee Shop Hacker and make him turn towards easier targets on the network.
Encrypted packets also stop your ISP from seeing your browsing habits. This is because using a VPN means that the VPN server acts as a middleman for all of the packets sent to and from your computer. If you sign onto Facebook, your computer does not send the request directly to Facebook: it sends the information (encrypted) to the VPN server, which then sends the request to Facebook, and returns Facebook's reply back to your computer over the VPN tunnel.
Without a VPN, your ISP (Internet Service Provider) would see every domain on the web you connect to, and any cleartext data that is sent their way. With a VPN turned on, however, your ISP would see your computer sending data to the VPN server, but they wouldn't be able to see what is being sent.
Finally, because the query appears to come from the IP address of the VPN server rather than the IP of the user's home wi-fi, VPNs can be used to bypass georestrictions. VPNs are very popular in countries where Netflix is not offered, for instance. By using a VPN with a US-based server to sign into Netflix, the user appears to be in the US, and Netflix will allow the user to access US-locked media.
Finding the "perfect" VPN is incredibly difficult, if not impossible. All that establishing a private VPN really requires is a remote server and a protocol to establish the secure tunnel from your device to the server. You could even set up your own on a private AWS server if you so desired. The relative ease of setup has inspired many companies to create low-cost VPN solutions as demand has soared. Unfortunately, the lack of standards and accountability limits our ability to objectively rate VPN providers and the integrity of their offerings. The following URL is an independently-maintained list of various VPN providers and their supported features: VPN Comparison Chart
The above is not the be-all-end-all resource. But thus far, it's the best we've got. You can also check out some of the recommendations at Privacy Tools.
At the bare minimum, any VPN service that you purchase should provide the minimum guarantees:
All information is sent and received on the internet by exchanging packets between the website's server and the end-user's laptop. Unless the site is using HTTPS, these packets are transmitted in plaintext. With freely available traffic analysis software (such as the ubiquitous Wireshark), it is trivial to intercept or inspect a packet in transit that is being sent on your network. This is known as "packet sniffing". If the contents of those packets are opened, a third party within your network can see exactly which websites you're visiting, what queries you're sending to your favorite search engine, and what you're posting on your blog. Website credentials, like your username and password, can be captured, too.
It is generally assumed that no one is going to be on your home wifi except for you, your family, and any visiting friends that you might have given the wifi password. On a public wifi at a Starbucks, however, you have no idea who else is currently logged in to the network. The risk extends to any publicly-accessible network: a library, an airport, a university dorm's wifi, etc.
This is a fundamental problem with VPNs: you don't. When you decide to run your traffic through a VPN, you are essentially putting a middleman between yourself and your traffic's destination. The VPN provider functions as a courier: you put your packets in the courier's care so that no one else will intercept them, but you are intrinsically trusting the VPN provider not to look at the packets, either. If the VPN provider is not trustworthy, this may be no better than running without one. It is up to you to find a VPN provider that you are willing to trust. Even though virtually every VPN provider will claim that they will not inspect your data, it is difficult for them to prove it. VPN providers may enact certain policies to increase that trust, such as a strict no-logging policy. Unfortunately, getting a VPN provider to "prove" that they don't keep any logs is easier said than done.
Whether to use a VPN constantly depends on what you are trying to achieve. If you're only trying to protect yourself from malicious eavesdroppers at a coffee shop or airport wifi, then you can safely turn off the VPN when you're at home. On the other hand, if your concern is stopping your ISP from spying on your activity, or stopping sites you visit on the internet from knowing your true IP, then using a VPN at all times would be more beneficial.
No. VPNs were not designed for anonymity. The fact that the real IP address is masked is more of a byproduct than the true purpose. It is still possible to build a 'profile' of you based on the websites you visit, even if you visit them through a VPN. The websites will still have a record of the VPN's IP address visiting them. For example, if you sign onto your Facebook using a VPN server based in Germany, Facebook still has a record of you visiting the website; you just did so under a German IP address. If that same IP address were then used to send an anonymous e-mail to a school calling in a bomb threat, the authorities would still have sufficient evidence to tie you to the bomb threat, even though you used a VPN. True anonymity is very, very difficult: if that is your end-goal, you would be well-advised to use something like Tor in addition to a VPN.
Certain websites like Facebook, Gmail, Paypal, etc. have various built-in safeguards that try to prevent people from logging in with compromised credentials. Essentially, when you log into Facebook, it keeps track of the IP address you logged in from and a rough geolocation corresponding to that IP address. It uses this to build a profile of 'you' and where you've previously logged in. By doing so, it has a built-in early warning system that can trigger if an IP address from halfway across the world suddenly logs in using your credentials. For instance, if you have a five-year history of logging into your Facebook exclusively from the georegion around Chicago, and suddenly your account is accessed from an IP address in India, Facebook will assume that you have been hacked and send you an alert. Facebook has no way of knowing whether that IP is a foreign entity or you logging in through a VPN. And so if you start using a VPN to change your external IP from your hometown of Chicago to a server in the Bahamas, Facebook would similarly trigger an alert when it starts to see you logging in from the Bahamas. This is not necessarily a bad thing, provided you know why it's happening.
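The location check described above, as an added sketch in Python (not Facebook's or any other provider's actual logic). The IP-to-location table uses documentation-range addresses with constructed coordinates, and the 500 km radius, `LoginProfile` and `confirm` are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass, field

# Constructed IP-to-location table using documentation address ranges
# (RFC 5737); a real service would query a GeoIP database instead.
GEO = {
    "192.0.2.10": ("Chicago, US", 41.88, -87.63),
    "192.0.2.77": ("Evanston, US", 42.05, -87.69),
    "198.51.100.5": ("Mumbai, IN", 19.08, 72.88),
    "203.0.113.9": ("Nassau, BS", 25.05, -77.35),  # stands in for a VPN exit
}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

@dataclass
class LoginProfile:
    """Per-account history of login locations the service has accepted."""
    radius_km: float = 500.0                    # hypothetical alert threshold
    known: list = field(default_factory=list)

    def check(self, ip):
        """Return (verdict, place); verdict is 'ok', 'alert' or 'unknown'."""
        if ip not in GEO:
            return ("unknown", None)
        place, lat, lon = GEO[ip]
        # Far from every accepted location? An empty history seeds itself.
        far = self.known and min(
            haversine_km(lat, lon, k[1], k[2]) for k in self.known) > self.radius_km
        if far:
            return ("alert", place)             # not added until confirmed
        self.known.append(GEO[ip])
        return ("ok", place)

    def confirm(self, ip):
        """The user answered the alert: accept this location from now on."""
        self.known.append(GEO[ip])

def demo():
    profile = LoginProfile()
    ips = ("192.0.2.10", "192.0.2.77", "198.51.100.5", "203.0.113.9")
    results = [profile.check(ip) for ip in ips]
    profile.confirm("203.0.113.9")              # user confirms the VPN login
    results.append(profile.check("203.0.113.9"))
    return results

if __name__ == "__main__":
    for verdict, place in demo():
        print(f"{verdict:7} {place}")
```

The check sees only the source address, so the account owner's own VPN exit and a stranger's login from far away produce the same alert until the owner confirms the new location.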