Ever get hit with the “why on earth is my upload pegged?” panic and immediately side-eye your VPN? Yeah. Been there. It feels like the simplest explanation is also the creepiest one.
So let’s cut straight through it.
If you’re using a mainstream VPN like Proton VPN, your home internet is not supposed to be used to route other customers’ traffic. Your device is the client. Proton’s servers are the exit.
The whole “your connection becomes someone else’s exit node” thing is tied to peer-to-peer VPNs, not reputable, centralized VPN services.
But words like routing, alternative routing, and Smart Routing can sound like a magician’s misdirection. So… what are they actually saying?
Key takeaways
- With a normal VPN setup, Proton included, your traffic exits through the VPN provider’s servers, not through other people’s home connections.
- Proton does say a VPN “takes over routing your internet connection.” They mean your browsing gets sent to the VPN server first, not that strangers are being funneled through your laptop.
- Peer-to-peer VPNs are the ones where your device can become an exit node. Hola got hammered for this model and for selling user bandwidth via Luminati, plus abuse reports including activity tied to DDoS.
- Proton’s Alternative routing is an anti-censorship fallback. It may pass through third-party infrastructure to reach Proton, but your data stays encrypted. It’s not “people using your internet.”
- Proton’s Smart Routing is about virtual server locations. Proton says those servers are still on its own bare metal, so again, not your bandwidth being loaned out.
What “routing” means in Proton VPN, and most VPNs
Proton’s wording is pretty direct. A VPN “takes over routing your internet connection” so the VPN can see what your ISP would otherwise see, at least in terms of network metadata. The part people trip on is the direction of travel.
Here’s the usual flow:
- Your device builds an encrypted tunnel to a VPN server.
- By default, your traffic goes through that tunnel unless you set up split tunneling.
- The VPN server forwards your traffic out to the public internet.
Proton also points out the HTTPS reality. Your VPN, and your ISP, can usually see the domain you connect to, but not the specific pages or form data when HTTPS is in play.
Source: https://protonvpn.com/blog/can-vpn-see-internet-activity
UDP vs TCP doesn’t change what’s protected
This one pops up a lot, including in Proton’s subreddit. OpenVPN over UDP vs TCP is about transport behavior, not some slider that decides how much of your browsing gets protected. Once you’re connected, everything routes through the VPN unless you intentionally configure exceptions.
Source: https://www.reddit.com/r/ProtonVPN/comments/lx89vr/what_proportion_of_my_traffic_is_routed_through/
When your internet actually can be used for other users: P2P VPN exit nodes
If you mean “other people browsing through my home IP,” you’re talking about the peer-to-peer VPN model.
Hola is the example security folks keep dragging back into the spotlight, and for good reason. It was criticized for running as a P2P network, having users “act as exit-nodes,” and selling user bandwidth through Luminati. There were also abuse reports, including ones tied to DDoS activity.
Kaspersky puts it in plain, uncomfortable terms. In a P2P VPN, “other people browse the web through your internet connection,” and to a website it looks like it’s you. That’s the nightmare fuel, because the mess traces back to your IP.
Source: https://www.kaspersky.com/blog/misadventures-with-hola-service-or-a-lot-of-strings-attached/4048/
ZDNET covered the same controversy around pooling free users’ resources and selling access.
Source: https://www.zdnet.com/article/hola-vpn-still-riddled-with-security-flaws-researchers-claim/
And just to be crystal clear, this is not how Proton VPN describes its architecture. Proton documents and markets a centralized VPN service running on its own server infrastructure, not a user-powered exit network.
Proton “Alternative routing” vs “your internet being used by VPN providers”
“Alternative routing” is a phrase that sounds like it should come with a warning label. The idea is simpler than it looks.
Proton’s Alternative routing is an anti-censorship feature. It changes how your app reaches Proton when Proton is blocked.
What Proton says about it:
- It “routes network connections to Proton servers differently” to get around blocking.
- It may use “third-party infrastructure and networks we do not control.” They name examples like Amazon, Cloudflare, Google.
- Those third parties can’t see your actual data because it stays encrypted, but they can see your IP and that you’re connecting to Proton.
So yes, “routing” is happening here, but in the path-selection sense. Not the “random users are chewing through my upload” sense.
Source: https://proton.me/blog/anti-censorship-alternative-routing
Proton “Smart Routing” vs “your internet being used by VPN providers”
Smart Routing gets misread too, mostly because the name sounds like traffic is bouncing all over the place.
Proton’s Smart Routing is about giving you a VPN endpoint that appears to be in a certain country while the server is physically hosted somewhere else.
Proton says Smart Routing servers:
- behave like other Proton servers
- are “run on our own bare metal servers”
- are used to avoid legal and censorship constraints in some regions, with India as an example
Still not your connection acting like infrastructure.
Source: https://protonvpn.com/support/how-smart-routing-works
How to check if your internet is being used as an exit node (Linux-friendly)
If you’re uneasy, don’t argue with vibes. Grab data.
1) Look for unexpected listening services
If your machine is being used as a proxy or exit node, you’ll often see odd things listening for inbound connections.
sudo ss -tulpn
sudo lsof -i -P -n | head -n 50
What you’re watching for: random processes listening on public interfaces like 0.0.0.0 or ::, especially on ports you don’t recognize.
2) Watch outbound connections and bandwidth
Upload spiking while you’re “doing nothing” is the classic red flag. Don’t guess what’s leaving the box. Look.
sudo apt install -y iftop vnstat tcpdump
sudo iftop -i eth0
vnstat -l -i eth0
Quick packet-level sanity check:
sudo tcpdump -i eth0 -n 'tcp or udp' -c 200
If you see steady high-volume flows to lots of unrelated destinations, that’s weird. A normal VPN session usually looks like heavy traffic mostly between you and the VPN server IP, plus whatever local LAN noise you’ve got.
3) Confirm where your VPN tunnel terminates
Check your default route and the tunnel interface.
ip route
ip addr
WireGuard usually shows wg0. OpenVPN often shows tun0. The heavy traffic should be going through that tunnel interface to a Proton server IP, not turning your host into a public relay.
4) Proton settings can look “off” but are usually fine
A couple things can make connection behavior look unusual without meaning you’re being used as an exit node.
- Alternative routing can change connection paths when censorship is in play.
- Smart Routing and virtual locations can make your IP appear in a country where the server isn’t physically located.
If your worry is broader than Proton and more about general home-network hygiene, honestly, that’s usually the right instinct. I’d lock down the basics too. I wrote about router-side risks here. Router security: your Wi‑Fi password isn’t enough.
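Steps 1 and 3 as a repeatable check, added here as an example and not part of the original article: the functions parse `ss -tulpn` and `ip route get` output instead of relying on eyeballing it. The allowlisted ports, the `wg*`/`tun*` name prefixes and the sample lines (including the `proxyd` process name) are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the article). Parses output of the article's
# commands so the checks are repeatable instead of eyeballed.

# Step 1: read `ss -tulpn` output on stdin; print sockets bound to every
# interface (0.0.0.0, [::], *) whose port is not in the allowlist ($1).
flag_public_listeners() {
    awk -v allow="${1:-}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        ($1 == "tcp" && $2 == "LISTEN") || $1 == "udp" {
            # ss columns: Netid State Recv-Q Send-Q Local:Port Peer:Port Process
            port = $5; sub(/.*:/, "", port)        # text after the last colon
            addr = $5; sub(/:[^:]*$/, "", addr)    # text before the last colon
            proc = (NF >= 7) ? $7 : "-"            # empty when run without sudo
            if (addr ~ /^(0\.0\.0\.0|\[::\]|\*)$/ && !(port in ok))
                print $1, addr, port, proc
        }'
}

# Step 3: read `ip route get <public-ip>` output on stdin; print the egress
# device. This follows policy routing too, which plain `ip route` can hide.
egress_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Assumption: tunnel interfaces are named wg* or tun*, as in the article.
is_tunnel_dev() {
    case "$1" in wg*|tun*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample, not captured from a real host.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=600,fd=13))
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*  users:(("avahi-daemon",pid=700,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:631      0.0.0.0:*  users:(("cupsd",pid=900,fd=7))
tcp   LISTEN 0      511    0.0.0.0:3128       0.0.0.0:*  users:(("proxyd",pid=4242,fd=5))
tcp   LISTEN 0      511    [::]:3128          [::]:*     users:(("proxyd",pid=4242,fd=6))'
SAMPLE_ROUTE='1.1.1.1 dev wg0 table 51820 src 10.2.0.2 uid 1000'

printf '%s\n' "$SAMPLE_SS" | flag_public_listeners "22 5353"
dev=$(printf '%s\n' "$SAMPLE_ROUTE" | egress_dev)
if is_tunnel_dev "$dev"; then echo "egress via tunnel: $dev"; else echo "egress NOT via tunnel: $dev"; fi
```

On a live host, pipe `sudo ss -tulpn` into `flag_public_listeners` with the ports you expect, and pipe `ip route get 1.1.1.1` into `egress_dev` while the VPN is connected.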
Suggested diagram (optional but helpful)
If you add an image, keep it simple.
- Alt text: “VPN routing diagram showing device encrypted tunnel to Proton VPN server, then traffic exits to the internet; no peer device acts as an exit node.”
So… should you worry about Proton routing other users through you?
If what you’re asking is, “Is Proton using my internet to route other people’s traffic?” the practical answer is no. That’s a P2P VPN concern, and Proton VPN is documented as a centralized service. Proton’s docs also describe features like Alternative routing, which is anti-censorship path selection, and Smart Routing, which is virtual locations on Proton-controlled servers.
But if your upload still looks wrong, run the checks. If you find a real listener or proxy you didn’t install, that’s less “VPN provider conspiracy” and more “something on my box or network is compromised.” Different problem. Fixable problem.
If you run the Linux commands and see something suspicious, drop the output in the comments after sanitizing it. I’m happy to help you read what you’re looking at.
Sources
- Proton VPN — Can my VPN see my internet activity? https://protonvpn.com/blog/can-vpn-see-internet-activity
- Proton — Introducing alternative routing to prevent censorship of Proton apps https://proton.me/blog/anti-censorship-alternative-routing
- Proton VPN Support — What is Smart Routing? https://protonvpn.com/support/how-smart-routing-works
- Reddit (ProtonVPN community) — What proportion of my traffic is routed through my VPN… https://www.reddit.com/r/ProtonVPN/comments/lx89vr/what_proportion_of_my_traffic_is_routed_through/
- Kaspersky — Misadventures with Hola service, or A lot of strings attached https://www.kaspersky.com/blog/misadventures-with-hola-service-or-a-lot-of-strings-attached/4048/
- ZDNET — Hola VPN still riddled with security holes, researchers claim https://www.zdnet.com/article/hola-vpn-still-riddled-with-security-flaws-researchers-claim/