How VPNs Work Technically — and What They Actually Protect

VPNs encrypt traffic between your device and a server, masking your IP from sites you visit. Learn the cryptography, protocols, and real limitations of VPN technology.

The InfoNexus Editorial Team | May 17, 2026 | 9 min read

Not a Cloak of Invisibility

VPN services generated approximately $45 billion in global revenue in 2023, driven largely by marketing that promises near-complete online anonymity. The technical reality is more limited. A VPN does specific things well — it encrypts traffic between your device and a server, and it substitutes that server's IP address for yours when you connect to websites. It does not make you anonymous, cannot protect against browser fingerprinting or logged-in tracking, and does not prevent websites from identifying you if you're authenticated. Understanding what a VPN actually does requires looking at the cryptographic machinery underneath the marketing.

The Core Mechanism: Tunneling

A VPN creates an encrypted tunnel between your device and a VPN server. All network traffic is encapsulated inside this tunnel — meaning your internet service provider sees only an encrypted stream of data going to and from the VPN server's IP address, not the individual sites you visit or the content of your traffic.

The process for each packet works like this:

  • Your device encrypts the original IP packet (including destination address and payload) using a session key negotiated during the VPN handshake.
  • The encrypted payload is encapsulated in a new IP packet addressed to the VPN server.
  • The VPN server receives the outer packet, decrypts the inner payload, reads the original destination, and forwards the request on your behalf.
  • The response travels back through the tunnel in reverse, encrypted at the server and decrypted on your device.

The destination website sees the request originating from the VPN server's IP address, not yours. Your ISP sees only the encrypted tunnel traffic to the VPN server.
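The four steps above, modelled end to end as an added example (not code from the original article): a constructed inner IPv4 packet bound for a website is encrypted and authenticated under a session key, wrapped in an outer packet addressed to the VPN server, and unwrapped on the other side. The addresses are constructed documentation ranges, and the encryption is a stdlib HMAC-based stand-in for the ChaCha20-Poly1305 a real tunnel would use, so that the example runs with no third-party library.

```python
import hashlib
import hmac
import socket
import struct

CLIENT_IP, VPN_SERVER_IP = "198.51.100.7", "203.0.113.1"   # constructed addresses

def ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left zero because this is only a model.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def dst_of(packet: bytes) -> str:
    return socket.inet_ntoa(packet[16:20])      # destination field, bytes 16-19

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in for ChaCha20: HMAC-SHA256 in counter mode. Illustrative, not for use.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "little"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(session_key: bytes, counter: int, inner: bytes) -> bytes:
    # Encrypt-then-MAC with a per-packet counter as nonce (tag stands in for Poly1305).
    nonce = counter.to_bytes(8, "little")
    ct = bytes(p ^ k for p, k in zip(inner, keystream(session_key + b"enc", nonce, len(inner))))
    tag = hmac.new(session_key + b"mac", nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def open_(session_key: bytes, sealed: bytes):
    nonce, ct, tag = sealed[:8], sealed[8:-16], sealed[-16:]
    expected = hmac.new(session_key + b"mac", nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None                              # forged or corrupted: drop the packet
    return bytes(c ^ k for c, k in zip(ct, keystream(session_key + b"enc", nonce, len(ct))))

def encapsulate(session_key: bytes, counter: int, inner_packet: bytes) -> bytes:
    # Steps 1-2: encrypt the whole inner IP packet, then address the outer packet to the server.
    body = seal(session_key, counter, inner_packet)
    return ipv4_header(CLIENT_IP, VPN_SERVER_IP, len(body)) + body

def decapsulate(session_key: bytes, outer: bytes):
    # Step 3: the server strips the outer header, authenticates and decrypts the inner packet.
    return open_(session_key, outer[20:])

def what_each_party_sees() -> tuple:
    key = b"\x01" * 32                           # constructed session key
    inner = ipv4_header("10.8.0.2", "192.0.2.10", 5) + b"hello"   # client -> website
    outer = encapsulate(key, 1, inner)
    return dst_of(outer), dst_of(decapsulate(key, outer))   # ISP sees server; server sees website
```

The outer header is the only thing an on-path observer such as the ISP can parse; the inner destination 192.0.2.10 is recoverable only by the holder of the session key, and any modified packet fails the tag check and is dropped.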

VPN Protocols Compared

Several protocols implement this tunneling differently, with distinct tradeoffs in speed, security, and compatibility.

Protocol    | Encryption                      | Speed                          | Code Size      | Key Use Case
------------|---------------------------------|--------------------------------|----------------|-------------------------------
WireGuard   | ChaCha20-Poly1305, Curve25519   | Fastest                        | ~4,000 lines   | Modern default, mobile
OpenVPN     | AES-256-GCM, TLS                | Moderate                       | ~600,000 lines | Enterprise, high compatibility
IKEv2/IPsec | AES-256, SHA-2                  | Fast                           | ~75,000 lines  | Mobile, network switches
L2TP/IPsec  | AES-256                         | Slower (double encapsulation)  | Medium         | Legacy systems
PPTP        | MPPE (40-128 bit)               | Fastest (legacy)               | Small          | Deprecated, avoid

WireGuard's Advantage

WireGuard, designed by Jason Donenfeld and released in 2018, represents a generational improvement over earlier protocols. Its ~4,000-line codebase compares favorably to OpenVPN's ~600,000 lines — a smaller codebase means fewer potential vulnerabilities and easier security auditing. WireGuard uses state-of-the-art cryptographic primitives: ChaCha20 for symmetric encryption, Poly1305 for message authentication, Curve25519 for key exchange, BLAKE2s for hashing, and SipHash24 for hashtable keys. On hardware without AES acceleration, WireGuard substantially outperforms OpenVPN in throughput benchmarks.

The Handshake: Establishing Keys

Before any traffic flows, a VPN protocol must negotiate session keys. WireGuard uses the Noise Protocol Framework with a handshake based on Diffie-Hellman key exchange. Both parties have static key pairs, and the handshake derives a shared secret that never traverses the network — only the public keys and encrypted handshake messages do. This provides forward secrecy: compromising long-term keys does not expose past session traffic, because each session derives unique ephemeral keys.

The handshake completes in a single round trip (one message each direction), versus OpenVPN's multi-message TLS handshake. This makes WireGuard especially fast to reconnect after network changes — relevant for mobile devices constantly switching between Wi-Fi and cellular.
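A worked version of the key agreement described above, added here as an example rather than taken from the article or from WireGuard's source: a pure-Python X25519 (Curve25519 Diffie-Hellman, RFC 7748) and a simplified HMAC key schedule that mixes both parties' static and ephemeral shared secrets. Only public keys cross the wire, both sides arrive at the same transport key, and because the ephemeral keys are fresh each run, two handshakes between the same static identities produce different keys. The key-schedule labels and the mixing order are assumptions of this example; the real Noise IK schedule also mixes the ephemeral-static terms and an optional pre-shared key.

```python
import hashlib
import hmac
import os

P = 2**255 - 19                       # field prime, RFC 7748
A24 = 121665
BASEPOINT = bytes([9]) + bytes(31)    # u = 9

def x25519(scalar: bytes, point: bytes) -> bytes:
    # RFC 7748 Montgomery ladder; returns the 32-byte shared u-coordinate.
    k = bytearray(scalar)
    k[0], k[31] = k[0] & 248, (k[31] & 127) | 64     # clamp the private scalar
    k = int.from_bytes(k, "little")
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), u * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair(priv: bytes = b"") -> tuple:
    priv = priv or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def session_key(my_static, my_eph, peer_static_pub, peer_eph_pub) -> bytes:
    # HMAC-chain the static-static and ephemeral-ephemeral DH results. Simplified
    # Noise-IK-style schedule; WireGuard's real one also mixes es/se terms and a PSK.
    chain = hashlib.sha256(b"constructed handshake label").digest()
    for dh in (x25519(my_static, peer_static_pub), x25519(my_eph, peer_eph_pub)):
        chain = hmac.new(chain, dh, hashlib.sha256).digest()
    return hmac.new(chain, b"transport", hashlib.sha256).digest()

def handshake() -> tuple:
    # Only the four public keys cross the wire; the private keys never leave each host.
    client_s, client_s_pub = keypair()     # long-term static identity keys
    server_s, server_s_pub = keypair()
    client_e, client_e_pub = keypair()     # fresh per session: forward secrecy
    server_e, server_e_pub = keypair()
    return session_key(client_s, client_e, server_s_pub, server_e_pub), session_key(server_s, server_e, client_s_pub, client_e_pub)
```

Because the ephemeral private keys are discarded after the session, an attacker who later obtains both static private keys still lacks the ephemeral-ephemeral term and cannot recompute the transport key of a recorded session.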

What VPNs Protect Against

  • ISP traffic inspection: Your ISP cannot read the content of your traffic or see which sites you visit. They see only a connection to the VPN server.
  • Local network eavesdropping: On public Wi-Fi, passive packet capture by other users on the network cannot read your traffic.
  • IP-based geolocation: Services that restrict content by IP address (streaming libraries, regional pricing) see the VPN server's location instead of yours.
  • Network-level censorship: Some VPN protocols can evade firewall-based blocking, though sophisticated deep packet inspection can still detect and block VPN traffic.

What VPNs Do Not Protect Against

The limitations are significant and frequently misrepresented in marketing materials.

  • Browser fingerprinting: Your combination of browser, OS, screen resolution, fonts, and installed plugins creates a near-unique fingerprint that persists across IP changes.
  • Logged-in account tracking: When you're signed into Google, Facebook, or any service, that service tracks your activity regardless of your IP address.
  • DNS leaks: Misconfigured VPN clients sometimes send DNS queries outside the tunnel, revealing browsing patterns to your ISP even when traffic is tunneled.
  • VPN provider logs: Your traffic is visible to the VPN provider. Claims of no-logs policies vary in verifiability — some providers have been caught logging despite such claims.
  • Malware: A VPN does nothing to stop malicious software already running on your device.

Corporate VPNs vs. Consumer VPNs

The original use case for VPNs was enterprise remote access — allowing employees to connect to internal corporate networks securely from outside the office. This use case remains entirely valid. When a corporate VPN is used, remote workers' traffic to internal resources routes through the company's network perimeter, subject to enterprise security monitoring and access controls.

Dimension           | Corporate VPN                     | Consumer VPN
--------------------|-----------------------------------|-----------------------------------------
Purpose             | Access private internal resources | Privacy/IP masking from public internet
Who manages it      | IT department                     | Third-party provider
Traffic destination | Corporate network                 | Public internet via VPN server
Trust model         | Employee trusts employer          | User trusts provider's no-log claims

Consumer VPN services are legitimate tools for specific purposes — circumventing geographic content restrictions, protecting traffic on untrusted networks, and adding one layer of privacy from ISPs. They are not anonymization tools. Tor, which routes traffic through three independently operated nodes with onion encryption at each layer, provides substantially stronger anonymity for users who need it, at the cost of much slower speeds. A VPN is best understood as a privacy tool with defined scope — not a comprehensive security solution.
