Free VPN Built Into the Browser
Hedgehog Browser’s built-in VPN hides what you’re browsing from your ISP by fetching pages on your behalf via an obfuscated URL. Your ISP sees random-looking requests to a single domain; the actual site you’re visiting stays private. No subscription, no separate app, no account.
Your ISP knows every site you visit
Even with HTTPS, your ISP can see every domain you connect to via DNS lookups and SNI fields in the TLS handshake. UK ISPs are required by law to retain that data; in the US they sell it to advertisers; everywhere it’s used to throttle, profile, and sometimes block specific destinations.
Commercial VPNs (NordVPN, ExpressVPN, Mullvad) solve part of this — but they cost £5–£15 a month, require a separate app, and move the trust problem from your ISP to the VPN company. The VPN now sees every site you visit; you have to take their no-logs promise on faith.
URL obfuscation via the MITM
Hedgehog Browser includes a built-in MITM proxy. With VPN mode on, every page request gets rewritten before it leaves your device. Instead of your phone reaching out to bbc.co.uk or reddit.com, it sends a request to a single generic domain with a weakly-encrypted path token:
https://www.turbobrowser.co.uk/sdfskfjgsdknbdn32812.htmlOur proxy decodes the token, fetches the real page from bbc.co.uk or reddit.com on your behalf, and returns it via the same obfuscated URL. Your ISP’s DNS logs show only requests to turbobrowser.co.uk. Their DPI (deep packet inspection) sees only random-looking paths under one domain. The destination you’re browsing stays private.
This is meaningfully different from a commercial VPN because the entity that strips your ads and fetches your pages is the same entity — you’re already trusting the proxy with your traffic for ad-blocking. Adding URL-obfuscated transit doesn’t introduce a new trust party.
What the VPN gives you
- ISP cannot see which sites you visit — DNS logs show one domain
- DPI cannot fingerprint which app or site is being used — all traffic looks identical
- Bypass ISP-level domain blocks (court-ordered or otherwise)
- No subscription — ever — vs £60–£180/year for commercial alternatives
- No separate app or system-VPN profile — the protection is in the browser itself
- No account, no log-in, no tied-to-your-identity payment trail
- Combines with our ad-blocking, tracker-blocking, and data-saving — one proxy, multiple jobs
- Cached at the network edge — Cloudflare nodes sit inside most ISPs' peering arrangements, so pages load quickly even though the VPN adds a hop
What this is not
This is a browser VPN, not a system-level VPN. It protects the traffic that goes through Hedgehog; it does not protect what your phone’s other apps do (WhatsApp, banking, push notifications). For full-device protection a commercial VPN still has a role.
The URL-obfuscation is “weak” encryption — it’s designed to defeat ISP-grade DNS / DPI logging at scale, not a determined targeted attacker. If your threat model includes a state-level adversary specifically interested in your browsing, you need a stronger tool (Tor, professional VPN, secure enclave).
For everyone else — users who don’t want their ISP profiling them, who want to bypass court-ordered domain blocks, who don’t want to pay £10/month for the privilege — the built-in VPN works.