VPN Technology: How Virtual Private Networks Encrypt Your Traffic
VPNs encrypt internet traffic and mask IP addresses by routing connections through remote servers. Learn how VPN protocols work, their uses, and their real limitations.
Routing Through a Secure Tunnel
When a device connects to the internet normally, its traffic flows from the device through the local network, through an ISP (Internet Service Provider), and to the destination server. At each hop, network administrators, ISPs, and governments can observe metadata — and in unencrypted connections, content. A Virtual Private Network (VPN) intercepts this traffic flow and routes it through an encrypted tunnel to a VPN server, which then forwards it to the internet. The destination server sees the VPN server's IP address, not the user's. The ISP sees encrypted traffic going to the VPN server, not the destination. This redirection and encryption are the two fundamental effects of a VPN.
VPN technology emerged in the mid-1990s, initially for secure corporate remote access. The Point-to-Point Tunneling Protocol (PPTP) was one of the earliest implementations, developed by a consortium including Microsoft in 1996. Corporate use — connecting remote employees to internal company networks — remained the primary use case for decades before consumer VPN services popularized the technology for privacy and geo-unblocking purposes.
How VPNs Work: The Tunnel Concept
A VPN creates an encrypted "tunnel" between the client device and the VPN server. All network traffic — regardless of application or protocol — is encapsulated inside this tunnel. The process:
- The VPN client establishes a connection to the VPN server, authenticating with credentials or certificates
- The client and server negotiate encryption keys using a key exchange protocol (typically based on asymmetric cryptography)
- All outgoing traffic from the device is encrypted by the VPN client and sent to the VPN server, regardless of its ultimate destination
- The VPN server decrypts the traffic and forwards it to the intended destination
- Return traffic arrives at the VPN server, is encrypted, and sent back through the tunnel to the client, where the VPN client decrypts it
The device's operating system routing table is modified so that all traffic routes through the VPN tunnel rather than the default gateway. This is called a "full tunnel" configuration; "split tunnel" configurations only route specific traffic (e.g., company network resources) through the VPN while sending other traffic directly to the internet.
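As an added example (not code from the original article), the following Python script models the routing-table change described above. It performs the operating system's longest-prefix-match lookup over a constructed table, builds a full-tunnel configuration that overrides the default route with two /1 prefixes (the approach OpenVPN's redirect-gateway def1 takes) plus a host route so the encrypted packets to the VPN server itself still leave through the physical interface, and builds a split-tunnel configuration that routes only a company prefix into the tunnel. Interface names, addresses and prefixes are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

```python
"""Routing-table model for full-tunnel vs split-tunnel VPN configurations.

Added example (not from the original article). Interface names, addresses
and prefixes below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None   # None = directly connected network


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def egress(table: List[Route], dst: str) -> str:
    """Interface a packet to dst leaves on ('wg0' means inside the tunnel)."""
    return lookup(table, dst).interface


def _host_route(table: List[Route], vpn_server: str) -> Route:
    # The encrypted packets that carry the tunnel must reach the VPN server
    # over the physical path; without this /32 a full tunnel would try to
    # send its own outer packets into itself.
    phys = lookup(table, vpn_server)
    return Route(ipaddress.ip_network(f"{vpn_server}/32"), phys.interface, phys.gateway)


def full_tunnel(table: List[Route], vpn_server: str, tun: str = "wg0") -> List[Route]:
    """Send everything through the tunnel.

    Two /1 routes beat the existing /0 default without deleting it, so the
    original default route is restored simply by removing them when the VPN
    disconnects.
    """
    return table + [
        _host_route(table, vpn_server),
        Route(ipaddress.ip_network("0.0.0.0/1"), tun),
        Route(ipaddress.ip_network("128.0.0.0/1"), tun),
    ]


def split_tunnel(table: List[Route], vpn_server: str,
                 internal_prefixes: List[str], tun: str = "wg0") -> List[Route]:
    """Send only the listed internal prefixes through the tunnel."""
    return table + [_host_route(table, vpn_server)] + [
        Route(ipaddress.ip_network(p), tun) for p in internal_prefixes
    ]


# Physical network before the VPN client starts (constructed values).
BASE_TABLE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", gateway="192.168.1.1"),
    Route(ipaddress.ip_network("192.168.1.0/24"), "eth0"),
]
VPN_SERVER = "203.0.113.5"
DESTINATIONS = ["8.8.8.8", "198.51.100.7", "10.20.30.40", "192.168.1.1", VPN_SERVER]


def path_report(table: List[Route], destinations=DESTINATIONS) -> dict:
    """Map each destination to the interface its packets leave on."""
    return {d: egress(table, d) for d in destinations}


if __name__ == "__main__":
    for name, table in [
        ("full tunnel", full_tunnel(BASE_TABLE, VPN_SERVER)),
        ("split tunnel", split_tunnel(BASE_TABLE, VPN_SERVER, ["10.0.0.0/8"])),
    ]:
        print(name)
        for dst, iface in path_report(table).items():
            print(f"  {dst:>14} -> {iface}")
```

Two details of the full-tunnel result are worth noticing: the VPN server's own address stays on eth0 because of the /32 host route, and the directly connected LAN /24 still beats the /1 tunnel routes, so packets to the local router, including any DNS queries the system sends to it, never enter the tunnel.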
VPN Protocols Compared
| Protocol | Released | Security | Speed | Notes |
|---|---|---|---|---|
| PPTP | 1996 | Critically weak — multiple vulnerabilities; should never be used | Fast | Deprecated; NSA reportedly able to decrypt PPTP traffic |
| L2TP/IPSec | 1999 | Moderate — secure if implemented correctly; double encapsulation reduces performance | Moderate | Some concerns about NSA weakening; UDP port 500 often blocked by firewalls |
| OpenVPN | 2001 | Strong — open source; uses TLS/SSL; extensively audited | Moderate | Industry standard; TCP and UDP modes; widely supported |
| IKEv2/IPSec | 2005 | Strong — fast reconnection; MOBIKE supports network changes | Fast | Excellent for mobile; supports reconnecting when switching networks |
| WireGuard | 2019 | Strong — modern cryptography (ChaCha20, Poly1305, Curve25519); 4,000 lines of code vs. OpenVPN's 70,000+ | Very fast | Small codebase reduces attack surface; now mainstream; included in Linux kernel 5.6 |
WireGuard has rapidly become the preferred protocol for new VPN deployments. Its small, auditable codebase, modern cryptographic primitives, and significantly higher performance than OpenVPN have made it the default for many commercial VPN services and corporate deployments. It was merged into the Linux kernel in March 2020.
What a VPN Does — and Does Not — Protect
VPN marketing frequently overstates protections. Understanding what VPNs actually provide requires distinguishing between the tunnel itself and the endpoints.
- VPNs do protect: traffic from ISP surveillance; traffic on untrusted public Wi-Fi networks; the user's IP address from destination websites; DNS queries from local network observers (when the VPN's DNS servers are used)
- VPNs do not protect: activity from the VPN provider itself, which now sees all traffic; tracking by browser fingerprinting, cookies, and logged-in accounts; malware or phishing attacks; traffic after it leaves the VPN server (the VPN server-to-destination leg); DNS leaks when the VPN client is misconfigured
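The DNS-leak item above is the easiest of these limitations to check mechanically. The following Python script is an added example (not code from the original article): it parses resolv.conf-style resolver lines and reports, for each resolver, whether its queries would travel inside the tunnel or leak outside it, given the prefixes the VPN client routes into the tunnel and any bypass prefixes the client installs as more specific routes (LAN access, the VPN endpoint). It also catches the IPv6 case, where an IPv4-only tunnel leaves an IPv6 resolver untouched. The resolver lines and prefixes are constructed; 10.64.0.1 stands in for a resolver pushed by the VPN, and 2001:db8::53 is a documentation-range address.

```python
"""DNS-leak check for a VPN client configuration.

Added example (not from the original article). Resolver lines and
prefixes are constructed for illustration.
"""
import ipaddress

# Constructed sample of the system resolver file after the VPN connected.
RESOLV_CONF = """\
# resolver file (constructed sample)
nameserver 10.64.0.1
nameserver 192.168.1.1
nameserver 2001:db8::53
search corp.example
"""


def parse_nameservers(text: str) -> list:
    """Return the resolver addresses from resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue                           # skip malformed lines
    return servers


def find_dns_leaks(resolv_text: str, tunnel_prefixes, bypass_prefixes=()) -> dict:
    """Classify each resolver as 'tunnel' or 'LEAK'.

    A resolver leaks when no tunnel prefix covers it (including an IPv6
    resolver behind an IPv4-only tunnel, since containment across IP
    versions is always False) or when a bypass prefix overrides the
    tunnel for it.
    """
    tunnel = [ipaddress.ip_network(p) for p in tunnel_prefixes]
    bypass = [ipaddress.ip_network(p) for p in bypass_prefixes]
    report = {}
    for ns in parse_nameservers(resolv_text):
        covered = any(ns in p for p in tunnel)
        overridden = any(ns in p for p in bypass)
        report[str(ns)] = "tunnel" if covered and not overridden else "LEAK"
    return report


def has_leak(report: dict) -> bool:
    """True if any resolver would be queried outside the tunnel."""
    return any(verdict == "LEAK" for verdict in report.values())


if __name__ == "__main__":
    # Full IPv4 tunnel with the common "allow LAN access" bypass enabled.
    result = find_dns_leaks(RESOLV_CONF, ["0.0.0.0/0"], ["192.168.1.0/24"])
    for ns, verdict in result.items():
        print(f"{ns:>16}  {verdict}")
    print("leak detected" if has_leak(result) else "no leak")
```

Running it with a full IPv4 tunnel and LAN bypass flags both the router resolver (192.168.1.1, reached via the bypass) and the IPv6 resolver; only when the tunnel also routes ::/0 and the LAN resolver is removed does every resolver end up inside the tunnel.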
Corporate VPNs vs. Consumer VPNs
Corporate remote access VPNs and consumer privacy VPNs serve different purposes with different threat models.
| Aspect | Corporate VPN | Consumer VPN |
|---|---|---|
| Primary purpose | Secure access to internal company resources | Privacy from ISP, IP masking, geo-unblocking |
| Trust relationship | Company controls and audits VPN server | User trusts third-party VPN provider |
| Traffic destination | Routes to company intranet; split tunnel common | Routes to public internet; full tunnel common |
| Authentication | Corporate credentials; often MFA required | Username/password; VPN-specific credentials |
| Logging policy | Company typically logs all activity for compliance | Varies widely; "no-log" claims should be verified by audits |
VPN Provider Trust and No-Log Claims
The fundamental challenge with consumer VPNs is that they require trusting the VPN provider with all traffic. A provider claiming a "no-log" policy cannot be verified without independent audits and, ideally, confirmation through legal proceedings. Several notable cases have tested these claims:
- HideMyAss (now HMA VPN) provided connection logs to the FBI in 2011 that contributed to the conviction of LulzSec member Cody Kretsinger — despite marketing claims of privacy
- ExpressVPN and NordVPN both claim no-log policies and have had them confirmed through external audits and, in NordVPN's case, a server seizure in which no useful data was found
- IPVanish provided user connection data to the U.S. Department of Homeland Security in 2016 despite claiming to keep no logs
Jurisdiction matters. VPN providers registered in countries with strong data protection laws and no mandatory data retention requirements offer stronger theoretical protections. The practical protection of a no-log policy is only as reliable as the provider's actual implementation and the jurisdiction's legal environment.