
VPNs: How Virtual Private Networks Actually Work Under the Hood

Elena Rostova, July 18, 2024

If you listen to tech podcasts or watch YouTube, you've probably heard a dozen advertisements for VPNs (Virtual Private Networks). The marketing makes them sound like magic cloaks of invisibility that hide you from hackers and governments.

While they do provide significant privacy benefits, they aren't magic. A VPN is a specific, well-understood networking technology that relies on two core concepts: Tunneling and Encryption.

To understand how a VPN works, we first have to understand the problem it solves.

The Public Internet Problem

Imagine you are sitting in a coffee shop in Paris. You want to connect to your corporate intranet in New York to download a highly confidential financial report.

If you just connect directly over the public internet, your data packet has to bounce through the coffee shop's WiFi router, a local French ISP, several massive oceanic fiber optic relays, an American ISP, and finally your corporate firewall.

At *any* of those hops, a malicious actor (or just a nosy ISP) could intercept your packet, read the unencrypted IP headers to see exactly who you are talking to, and if the data itself isn't perfectly encrypted, read the confidential report.

Worse, your corporate firewall is explicitly configured to block all incoming connections from random public IP addresses to protect the intranet. Your request from Paris will be instantly dropped.

The Solution: Tunneling

A VPN solves this by creating a Tunnel.

When you turn on a VPN client on your laptop, the software creates a virtual network interface card (a fake, software-only network adapter) on your computer.

Instead of sending the data packet out your real WiFi adapter towards the corporate server, your operating system routes the packet into this virtual adapter.

The VPN software takes your entire original packet—including its original source IP, destination IP, and the confidential data—and wraps it inside a *brand new* packet. This process is called Encapsulation.

This new outer packet has:

  • **Source IP:** Your Paris coffee shop public IP.
  • **Destination IP:** The public IP address of the VPN Server sitting at the edge of the New York office.

The coffee shop router and the global internet routers only look at the outer envelope. They have no idea what the inner packet contains. They just route the traffic to the VPN server in New York.

The Solution: Encryption

Tunneling alone isn't enough. If the outer packet were intercepted, a hacker could just strip it off and read the inner packet.

This is where encryption comes in. Before the VPN software encapsulates the original packet, it scrambles it with a strong cipher (such as AES-256), using keys established by a VPN protocol like IPsec, OpenVPN, or WireGuard.

Now, even if someone intercepts the packet on the oceanic cable, all they see is a completely randomized string of gibberish traveling between a coffee shop in Paris and a server in New York. They cannot see what website you are actually visiting, and they cannot read the data.

The Unboxing (Decapsulation)

When the packet arrives at the VPN server in New York, the server performs the reverse process.

1. It strips off the outer envelope.

2. It uses its cryptographic key to decrypt the inner packet.

3. It looks at the inner packet, which reveals the true destination: the internal corporate intranet server.

Because the VPN server is sitting *inside* the corporate network, it is trusted. It forwards the packet to the internal server.

When the internal server replies, it sends the data to the VPN server. The VPN server encrypts the reply, wraps it in a new envelope destined for the Paris coffee shop, and fires it back across the internet.
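To make encapsulation, encryption and the three unboxing steps concrete, here is an added example in Go that plays both tunnel endpoints in one program. It is not code from the original article, and it simplifies on purpose: the packet layout is a constructed one (4-byte source, 4-byte destination, 1-byte protocol number, then payload) rather than a real IPv4 header, the 32-byte AES-256-GCM key is handed in directly instead of being established by a handshake, and the addresses come from the RFC 5737 documentation ranges. The names `Packet`, `Tunnel`, `Encapsulate` and `Decapsulate` are the example's own; the outer packet carries IP protocol number 50 (IPsec ESP) only as a label. The first `Printf` is everything an on-path router or eavesdropper gets to see; `Decapsulate` performs steps 1 to 3 and rejects a packet that is not addressed to it or was modified in transit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"net"
)

// Packet is a simplified IP packet (constructed layout, not a real IPv4 header):
// 4-byte source, 4-byte destination, 1-byte protocol number, then the payload.
type Packet struct {
	Src, Dst net.IP
	Proto    byte
	Payload  []byte
}

const headerLen = 9 // bytes of fixed header before the payload
const protoESP = 50 // IP protocol number of IPsec ESP, used to mark the outer packet

// Marshal serialises the packet: fixed header followed by the payload.
func (p Packet) Marshal() []byte {
	b := make([]byte, headerLen+len(p.Payload))
	copy(b[0:4], p.Src.To4())
	copy(b[4:8], p.Dst.To4())
	b[8] = p.Proto
	copy(b[headerLen:], p.Payload)
	return b
}

// Unmarshal parses wire bytes back into a Packet.
func Unmarshal(b []byte) (Packet, error) {
	if len(b) < headerLen {
		return Packet{}, errors.New("short packet")
	}
	p := Packet{Src: net.IPv4(b[0], b[1], b[2], b[3]), Dst: net.IPv4(b[4], b[5], b[6], b[7]), Proto: b[8]}
	p.Payload = append([]byte(nil), b[headerLen:]...)
	return p, nil
}

// Tunnel is one endpoint holding the AES-256-GCM key both sides share. Key
// agreement (IKE for IPsec, the Noise handshake for WireGuard) is out of scope.
type Tunnel struct {
	aead        cipher.AEAD
	Local, Peer net.IP
}

func NewTunnel(key []byte, local, peer net.IP) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead, Local: local, Peer: peer}, nil
}

// Encapsulate encrypts the whole inner packet, headers included, and wraps the
// ciphertext in an outer packet addressed from this endpoint to its peer.
func (t *Tunnel) Encapsulate(inner Packet) (Packet, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Packet{}, err
	}
	// Outer payload = nonce || ciphertext || GCM tag. A random nonce is fine for
	// a demo; real protocols use a counter so a nonce never repeats under a key.
	sealed := t.aead.Seal(nonce, nonce, inner.Marshal(), nil)
	return Packet{Src: t.Local, Dst: t.Peer, Proto: protoESP, Payload: sealed}, nil
}

// Decapsulate strips the outer header, authenticates and decrypts the payload,
// and returns the inner packet. Misaddressed or tampered packets are rejected.
func (t *Tunnel) Decapsulate(outer Packet) (Packet, error) {
	ns := t.aead.NonceSize()
	if !outer.Dst.Equal(t.Local) || outer.Proto != protoESP || len(outer.Payload) < ns {
		return Packet{}, errors.New("not a well-formed tunnel packet for this endpoint")
	}
	plain, err := t.aead.Open(nil, outer.Payload[:ns], outer.Payload[ns:], nil)
	if err != nil {
		return Packet{}, fmt.Errorf("decrypt: %w", err) // wrong key or modified in transit
	}
	return Unmarshal(plain)
}

func main() {
	key := []byte("constructed-demo-key-32-bytes!!!") // 32 bytes; a real tunnel derives it from a handshake
	paris, ny := net.IPv4(203, 0, 113, 7), net.IPv4(198, 51, 100, 1) // constructed RFC 5737 addresses
	client, _ := NewTunnel(key, paris, ny)
	server, _ := NewTunnel(key, ny, paris)
	inner := Packet{Src: net.IPv4(10, 8, 0, 2), Dst: net.IPv4(10, 1, 0, 5), Proto: 6, Payload: []byte("GET /finance/report.pdf")}
	outer, _ := client.Encapsulate(inner)
	fmt.Printf("on the wire: %s -> %s proto=%d, %d opaque bytes\n", outer.Src, outer.Dst, outer.Proto, len(outer.Payload))
	got, err := server.Decapsulate(outer)
	fmt.Printf("server sees: %s -> %s %q (err=%v)\n", got.Src, got.Dst, got.Payload, err)
}
```

Because the inner headers sit inside the AEAD ciphertext, the routers between Paris and New York cannot even learn that 10.1.0.5 exists; and because GCM authenticates as well as encrypts, "strip the envelope and read the inside" becomes a decryption failure rather than a leak. All three protocols the article names authenticate every packet for the same reason.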

Commercial VPNs vs Corporate VPNs

The exact same underlying technology powers both Corporate VPNs and Commercial VPNs (like NordVPN or ExpressVPN), but they are used for different purposes.

  • **Corporate VPNs** exist to grant you access to a private, restricted network (the office intranet) from the outside world.
  • **Commercial VPNs** exist to grant you privacy on the public internet.

When you use a Commercial VPN, the "internal network" you are connecting to is actually just another router that dumps you right back out onto the public internet.

Why do this? Two reasons:

1. Hiding from your Local ISP: The coffee shop (or your home ISP) only sees an encrypted stream of data going to a VPN server. They cannot see that you are actually browsing Wikipedia or watching Netflix.

2. Location Spoofing: Because the VPN server is the device that ultimately requests the webpage from Netflix, Netflix sees the IP address of the VPN server, not your real IP address. If you connect to a VPN server in Japan, Netflix assumes you are physically in Japan and serves you Japanese content.
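What actually decides whether a packet goes into the virtual adapter (the routing step described in the tunneling section) or out the real WiFi card is the client's routing table, and that table is also what separates the two deployment styles above. The following is an added Go example, not the article's own material, that models that table with longest-prefix matching: a corporate split-tunnel table routes only the office network into `tun0`, while a commercial full-tunnel table routes everything into `tun0` except the VPN server's own address. The interface names `tun0` and `wlan0`, the prefixes, and the VPN server address 198.51.100.1 (RFC 5737 documentation range) are constructed, and `Route`, `Lookup`, `CorporateTable`, `CommercialTable` and `Path` are the example's names. `Path` also shows the failure mode practitioners meet first: without a host route for the VPN server, the encrypted outer packet matches the default route and is pushed back into the tunnel it just came out of.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Route is one routing-table entry: destinations inside Prefix leave via Iface.
// Gateways and metrics, which a real kernel table also holds, are omitted.
type Route struct {
	Prefix *net.IPNet
	Iface  string
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Lookup does longest-prefix matching: the most specific matching route wins.
func Lookup(table []Route, dst net.IP) (string, bool) {
	best, bestLen := "", -1
	for _, r := range table {
		if !r.Prefix.Contains(dst) {
			continue
		}
		if ones, _ := r.Prefix.Mask.Size(); ones > bestLen {
			best, bestLen = r.Iface, ones
		}
	}
	return best, bestLen >= 0
}

// CorporateTable (split tunnel): only the constructed office network 10.1.0.0/16
// enters the tunnel; everything else keeps using the coffee-shop WiFi directly.
func CorporateTable() []Route {
	return []Route{
		{mustCIDR("0.0.0.0/0"), "wlan0"},
		{mustCIDR("192.168.1.0/24"), "wlan0"},
		{mustCIDR("10.1.0.0/16"), "tun0"},
	}
}

// CommercialTable (full tunnel): all traffic enters the tunnel. The /32 route for
// the VPN server itself is essential: the encrypted outer packets must leave via
// the real adapter, or they would be routed back into the tunnel forever. (Real
// clients usually add 0.0.0.0/1 and 128.0.0.0/1 to beat the existing default
// route; a single 0.0.0.0/0 via tun0 models the result.)
func CommercialTable(vpnServer string) []Route {
	return []Route{
		{mustCIDR("0.0.0.0/0"), "tun0"},
		{mustCIDR("192.168.1.0/24"), "wlan0"},
		{mustCIDR(vpnServer + "/32"), "wlan0"},
	}
}

// Path follows a packet to dst: if it enters tun0 the VPN wraps it in an outer
// packet addressed to vpnServer, which is then routed again. A second trip into
// tun0 means the table produces the VPN routing loop described above.
func Path(table []Route, dst, vpnServer net.IP) ([]string, error) {
	var hops []string
	for i := 0; i < 2; i++ {
		iface, ok := Lookup(table, dst)
		if !ok {
			return hops, errors.New("no route to " + dst.String())
		}
		hops = append(hops, iface)
		if iface != "tun0" {
			return hops, nil
		}
		dst = vpnServer // the tunnel re-sends it as an outer packet to the VPN server
	}
	return hops, errors.New("routing loop: tunnel packets are routed into the tunnel")
}

func main() {
	vpn := net.IPv4(198, 51, 100, 1) // constructed VPN server address
	web := net.IPv4(203, 0, 113, 50) // constructed public web server
	office := net.IPv4(10, 1, 0, 5)  // constructed intranet file server
	tables := []struct {
		name  string
		table []Route
	}{{"corporate", CorporateTable()}, {"commercial", CommercialTable(vpn.String())}}
	for _, tb := range tables {
		for _, dst := range []net.IP{office, web, vpn} {
			hops, err := Path(tb.table, dst, vpn)
			fmt.Printf("%-10s to %-13s via %v  %v\n", tb.name, dst, hops, err)
		}
	}
}
```

The corporate table is why a split-tunnel laptop still reaches the public web without the office seeing it, and the commercial table is why the ISP sees nothing but traffic to 198.51.100.1. The `/32` host route is the piece most often missing from hand-built configurations; `Path` turns that mistake into an error instead of a silent outage.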

The Illusion of Perfect Anonymity

While VPNs protect your data in transit, they are not a silver bullet for anonymity.

When you use a commercial VPN, you are simply shifting your trust from your local ISP to the VPN provider. The VPN provider can see absolutely everything you do. If they keep logs, and law enforcement subpoenas them, your entire browsing history can be exposed. Furthermore, sophisticated tracking cookies and browser fingerprinting can often identify you regardless of what IP address you are using.

A VPN is a powerful tool for encrypting data across untrusted networks and manipulating routing via tunneling, but it is just one layer in a comprehensive security strategy.