How VPNs Work: Tunneling, Encryption, and When to Use One

VPNs protect privacy by encrypting your traffic and masking your IP address. Learn the protocols, real use cases, and limitations of virtual private networks.

The InfoNexus Editorial Team | May 16, 2026 | 9 min read

1.6 Billion People Use a VPN — Many Do Not Understand What It Actually Does

Global VPN usage has exploded over the last decade. A 2023 GlobalWebIndex report found that 31% of internet users worldwide used a VPN in the previous month. Yet the technology is widely misunderstood. VPNs are marketed as shields of complete online anonymity — which overstates their capability significantly. Understanding what VPNs genuinely protect against, what they do not, and how the underlying technology works leads to dramatically better security decisions than relying on vendor marketing.

The Core Mechanism: Tunneling and Encryption

Without a VPN, your internet traffic flows from your device, through your internet service provider (ISP), and to the destination server. Your ISP can see every domain you visit and can log that data. Websites see your real IP address. If you are on public Wi-Fi, other users on the same network may be able to intercept unencrypted traffic.

A VPN creates an encrypted tunnel between your device and a VPN server operated by the VPN provider. All of your internet traffic is routed through this tunnel and exits from the VPN server's IP address. From the destination website's perspective, the request originates from the VPN server — not from you.

  • Your ISP sees: That you connected to a VPN server; the volume of data transmitted; nothing about the contents or destinations
  • The destination website sees: The VPN server's IP address; your browser and device characteristics (fingerprinting still works)
  • The VPN provider sees: All of your traffic — this is why choosing a trustworthy provider with a verified no-logs policy matters

VPN Protocols: The Technical Foundation

Protocol    | Speed     | Security                             | Status
------------+-----------+--------------------------------------+-------------------------------------
WireGuard   | Very fast | Modern, strong (ChaCha20 encryption) | Current gold standard
OpenVPN     | Moderate  | Proven, strong (AES-256)             | Widely trusted; slower than WireGuard
IKEv2/IPSec | Fast      | Strong                               | Good for mobile (reconnects quickly)
L2TP/IPSec  | Moderate  | Moderate                             | Legacy; avoid if possible
PPTP        | Fast      | Weak (broken encryption)             | Obsolete; do not use

WireGuard, released in 2019 and merged into the Linux kernel in 2020, has become the preferred protocol for most modern VPN providers. Its codebase is approximately 4,000 lines compared to OpenVPN's 70,000+ lines — significantly less attack surface and dramatically faster performance. Most major providers (Mullvad, NordVPN, ExpressVPN, ProtonVPN) now offer WireGuard by default.

Encryption: What AES-256 and ChaCha20 Actually Mean

VPNs encrypt your traffic using symmetric encryption algorithms. The two dominant standards are AES-256-GCM (used by OpenVPN and IKEv2) and ChaCha20-Poly1305 (used by WireGuard). Brute-forcing either is considered computationally infeasible with current technology and with foreseeable quantum computers. The practical difference is performance: ChaCha20 runs faster on mobile CPUs and low-power devices that lack dedicated AES hardware.

The connection is established through a handshake using asymmetric encryption (typically Curve25519 for WireGuard, RSA-4096 or ECDH for OpenVPN). This handshake negotiates the symmetric session key that encrypts all subsequent traffic. Perfect forward secrecy ensures that even if the long-term key is somehow compromised in the future, past session keys cannot be recovered.
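The handshake and forward-secrecy property described above, as an added example (not code from the original page or from any VPN project). A compact standard-library X25519 following RFC 7748 stands in for the key exchange; the HMAC-based `kdf`, its label, and `demo` are assumptions made for illustration. It contrasts a key derived only from long-term keys with one that also mixes in per-session ephemeral keys, then checks what can be rebuilt after both long-term private keys leak.

```python
import hashlib, hmac, secrets

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")  # Curve25519 base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519. Compact and NOT constant-time: illustration only."""
    n = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):  # Montgomery ladder
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + A24 * (aa - bb)) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    sk = secrets.token_bytes(32)
    return sk, x25519(sk, BASE)

def kdf(*shared: bytes) -> bytes:
    # Assumption: a single HMAC-SHA256 stands in for the protocol's real KDF.
    return hmac.new(b"constructed-demo-label", b"".join(shared), hashlib.sha256).digest()

def demo() -> dict:
    c_priv, c_pub = keypair()  # client long-term key pair
    s_priv, s_pub = keypair()  # server long-term key pair
    static_dh = x25519(c_priv, s_pub)
    sessions = []
    for _ in range(2):
        ce_priv, ce_pub = keypair()  # fresh ephemeral keys for every session
        se_priv, se_pub = keypair()
        client = kdf(x25519(ce_priv, se_pub), static_dh)
        server = kdf(x25519(se_priv, ce_pub), x25519(s_priv, c_pub))
        sessions.append((client, server, ce_pub, se_pub))  # private halves dropped
    # Later compromise: both long-term private keys plus recorded public values.
    key, _, ce_pub, se_pub = sessions[0]
    guesses = {kdf(x25519(sk, pub), static_dh) for sk in (c_priv, s_priv) for pub in (ce_pub, se_pub)}
    return {"peers_agree": all(c == s for c, s, _, _ in sessions),
            "sessions_differ": sessions[0][0] != sessions[1][0],
            "static_only_recovered": kdf(x25519(s_priv, c_pub)) == kdf(static_dh),
            "forward_secret_recovered": key in guesses}
```

Calling `demo()` reports that both peers derive the same key, that each session gets a different key, that a static-only key can be rebuilt from a leaked long-term key, and that the ephemeral-mixed key cannot.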

Legitimate Use Cases for VPNs

  • Public Wi-Fi protection: Coffee shops, airports, hotels — unencrypted networks where your traffic could be intercepted. HTTPS already protects most web browsing, but a VPN adds protection for all traffic including DNS queries.
  • ISP tracking prevention: Your ISP cannot see which sites you visit or sell that browsing data to data brokers when a VPN is active.
  • Geographic content access: Streaming libraries, regional news sites, and services restricted by geography.
  • Bypassing censorship: In countries that restrict access to certain websites, VPNs can circumvent these blocks (where legal).
  • Business remote access: Corporate VPNs allow employees to securely access internal company resources over the public internet.

What VPNs Do Not Protect Against

Threat                 | Does VPN Help? | Why Not / Alternative
-----------------------+----------------+------------------------------------------------------------------------------------------
Malware and viruses    | No             | VPN does not scan traffic for malicious content; use antivirus
Browser fingerprinting | No             | Browser characteristics identify you regardless of IP; use Tor or privacy-focused browsers
Login account tracking | No             | When logged into Google or Facebook, they track you by account, not IP
DNS leaks              | Partially      | VPN must have DNS leak protection enabled; verify with dnsleaktest.com
Legal interception     | Varies         | Court orders can compel VPN providers in their jurisdiction

Choosing a VPN Provider

The trust model of a VPN means you are replacing ISP visibility with VPN provider visibility. Provider selection therefore matters significantly. Key criteria include:

  • No-logs policy audited by an independent third party (Mullvad, ProtonVPN, and others have undergone independent audits)
  • Jurisdiction: Providers in Switzerland, Iceland, or Panama face fewer data retention requirements than those in the US, UK, or EU under GDPR
  • Open-source client code that security researchers can audit
  • Kill switch: Blocks all internet traffic if the VPN connection drops, preventing accidental IP exposure
  • RAM-only servers: All server data is erased on restart, making seizure of physical servers less damaging

Free VPNs require particular scrutiny. Many free VPN services generate revenue by logging and selling user browsing data — the precise privacy violation users sought to prevent. Established paid providers with audited no-logs policies are the appropriate choice for genuine privacy protection.
