Firefox 149 Gets a Free Built-In VPN. Here's What It Cannot Protect.
Mozilla announced a free proxy VPN in Firefox 149, launching March 24. It hides your IP address. It does not stop cloud file tools from receiving, storing, and processing your documents.
VaultTools · March 20, 2026
Photo by Domenico Loia on Unsplash
Table of Contents
- What Mozilla announced
- What the Firefox VPN actually does
- What a VPN cannot protect
- The file content problem
- What actually keeps your files private
- Sources
What Mozilla Announced
On March 18, 2026, Mozilla announced that Firefox 149 will ship with a free built-in VPN proxy, rolling out on March 24. No extension required. No separate subscription. Users in the United States, France, Germany, and the United Kingdom get 50GB of free monthly data at launch.
The feature routes browser traffic through a proxy server, masking the user’s IP address and location from the sites they visit. Mozilla is positioning it as a privacy-first alternative to the ad-supported “free VPN” extensions that dominate browser extension stores, most of which log user activity or sell browsing data.
Firefox 149 also includes a rebranded “Smart Window” AI assistant (formerly “AI Window”), Split View for side-by-side browsing, and Tab Notes. The VPN is the headline.
What the Firefox VPN Actually Does
The feature is a proxy, not a full VPN in the traditional sense. It intercepts browser traffic and forwards it through Mozilla’s servers, replacing the user’s real IP address with one from the proxy pool. Websites see the proxy IP, not the user’s home or office address.
This matters for several legitimate privacy use cases: hiding your location from ad networks, preventing sites from correlating your browsing sessions to a fixed IP, and blocking certain forms of device fingerprinting that rely on IP-based geolocation.
It is opt-in, browser-only, and does not affect traffic from other applications on the same device.
What a VPN Cannot Protect
Coverage stops at the browser’s network layer. Any other application running on the same machine (email client, desktop app, operating system services) continues to use the user’s real IP address. This is a standard limitation of browser-proxy implementations versus full system VPNs.
More relevant to file privacy: a VPN, whether proxy-based or full-stack, does not encrypt or conceal the content of what you send. It routes your traffic through a different server. But if that traffic is a file upload to a cloud service, the cloud service still receives the file in full. The VPN tunnel ends at the destination server. The server that processed your document can read it, store it, log it, and do with it whatever its terms of service permit.
Your IP address was hidden. Your document was not.
The File Content Problem
When a user uploads a PDF to compress it, an image to resize it, or a spreadsheet to convert it, the privacy threat is not that the service knows their IP address. It is that the service now holds the file.
Cloud-based file tools receive the document, process it server-side, and return the result. In between, the file exists on infrastructure the user does not control. Retention policies vary. Terms of service vary. Security practices vary. In February 2026, researchers found 16 zero-day vulnerabilities in two major cloud PDF platforms alone.
A VPN routes traffic to that same destination through a different IP. The file still arrives, the server still processes it, and the document still sits on someone else’s infrastructure. The VPN changes who can see where the request originated. It does not change what happens after.
What Actually Keeps Your Files Private
The only architecture that keeps file content private is one where the file never leaves the device. Browser-based tools that process documents using WebAssembly run the entire operation inside the browser tab. The file is read from the user’s disk, processed locally, and written back. No server receives it.
Firefox 149’s built-in VPN and browser-based file processing are complementary, not alternatives. The VPN handles network-level IP privacy. Local processing handles file-content privacy. Neither substitutes for the other.
Mozilla’s announcement is a meaningful step: it brings meaningful IP masking to mainstream Firefox users who would not otherwise configure privacy tools. But for anyone whose concern is the content of their files, the relevant privacy boundary is not the network layer. It is whether the file ever left the device at all.
Sources
- Mozilla Firefox to Get Free Built-In VPN, AI Tools and More (Business Standard)
- Mozilla to Launch Free Built-In VPN in Upcoming Firefox 149 (Cyber Insider)
- Firefox Is Getting a Free Built-In VPN on March 24. It’s Useful, But Here’s What It Can’t Do (Gizmodo)
- Mozilla’s VPN Is Free, Limited, and Not Really a VPN (Boing Boing)
- Firefox Is Getting a Free Built-In VPN (Help Net Security)
- More Reasons to Love Firefox: What’s New Now, and What’s Coming Soon (Mozilla Blog)
- A Free, Built-In VPN Is Coming to Firefox (Tom’s Guide)
- Firefox Update Brings Built-In VPN, Split View, and More User Controls (gHacks)