Mozilla has embedded a free, integrated VPN directly into Firefox with its version 149 update, removing the paywall that has long kept meaningful privacy protection out of reach for most ordinary users. The move marks a substantive shift in how browsers can function as privacy infrastructure, not just as windows to the web. For anyone who has balked at monthly VPN subscription fees, the feature arrives as a practical, if limited, alternative.
Why This Matters in the Broader Privacy Landscape
For years, the privacy tools market has operated on a straightforward premise: protection costs money. Reputable VPN services typically charge monthly or annual fees, and the free alternatives have carried a well-documented risk. Free VPNs without credible backing have, in numerous cases, monetized users' browsing data - the very thing a VPN is supposed to shield. The irony is sharp: seeking privacy through an unvetted free tool can expose users to more surveillance, not less.
Mozilla is positioning its offering differently. The company notes that its VPN technology has been independently audited by Cure53, a respected cybersecurity firm, and uses WireGuard - a modern, lean protocol with a strong security reputation compared to older alternatives. Mozilla has also addressed security issues identified over the product's history, which reflects a maintenance culture rather than a launch-and-abandon approach.
The free tier comes with a 50GB monthly data allowance. For browser-based use - reading articles, managing email, conducting research - that figure is genuinely generous. It is not the kind of artificial cap designed to push users toward a paid plan within days.
What the Feature Actually Protects - and What It Does Not
The critical limitation is one that casual users may not immediately grasp. The Firefox VPN encrypts and reroutes only traffic flowing through the browser itself. Any other application running on the same device - a messaging client, a cloud sync service, a system update process - remains entirely outside its protection. The device's overall network activity is not masked.
Jacob Kalvo, cybersecurity expert and CEO of Live Proxies, put it plainly: the tool "only protects browser traffic, not apps, system processes or other network activity," and that creates what he calls "a false sense of full protection for less technical users." That distinction matters enormously for anyone whose threat model extends beyond casual web browsing.
Kalvo describes Firefox's integrated VPN as "a controlled, limited-use product rather than a full privacy solution" - appropriate for everyday browsing, unsuitable for workflows involving sensitive data or operations requiring consistent, system-wide anonymity. For users who already pay for a standalone VPN, the Firefox feature adds little. For those who do not, it offers a meaningful, trust-backed layer of browser-level protection at no cost.
How It Compares to the Current Free VPN Market
The closest competitor in the free-tier space is Proton VPN's free service, which CNET currently identifies as the only free VPN it recommends outright. Proton's free plan is a full application - it covers all traffic on a device, not just browser activity. However, it restricts users from manually selecting servers and does not support simultaneous connections across multiple devices. Both products occupy distinct niches: Proton's free tier offers broader coverage with feature constraints; Firefox's offers narrower coverage with fewer configuration barriers.
The comparison underscores a wider point about how privacy tools are evolving. Rather than one product doing everything, users are increasingly working with layered protections - a browser-level shield here, an application-level tool there. Mozilla's integration fits naturally into that pattern for users who want a low-friction first layer without account creation or payment details.
The Limits of Browser-Native Privacy
Browser makers have been expanding their privacy capabilities for some time - blocking trackers, isolating cookies, resisting fingerprinting. A built-in VPN is a more aggressive step, moving from passive defense to active traffic rerouting. But the architecture of a browser-native VPN means it cannot, by design, replicate what a system-level VPN provides.
Users handling financial transactions, health data, or communications through dedicated apps will find no protection here from those channels. The distinction between "browser traffic" and "all network traffic" is not a technical footnote - it is the core of what any honest evaluation of this feature must communicate. Mozilla itself acknowledges the difference implicitly by maintaining a paid, full-featured VPN product alongside this free, browser-only version.
For someone who browses without any VPN at all, Firefox 149 now offers something real and audited, backed by an organization with a stated and tested commitment to user privacy. That is not nothing. It is, however, a starting point - not an endpoint.