What Is a VPN and How Does It Really Work? No Hype, Just Facts
VPN ads are everywhere. YouTube pre-rolls, podcast sponsorships, browser pop-ups. They promise to make you anonymous online, protect you from hackers, let you watch shows from other countries, and apparently protect you from every possible digital threat while you sip coffee at an airport. They are, it's fair to say, somewhat over-marketed.
But underneath the hype, VPNs are a genuinely useful technology with a clear and specific set of things they do well. The key is understanding what they actually do, not what the ads imply. Let's start from the beginning.
What VPN Stands For
VPN stands for Virtual Private Network. Every word in that name is meaningful:
Virtual: The "private network" created by a VPN doesn't exist as a physical network of cables and switches. It's a virtual network created through software, running on top of the existing public internet.
Private: Traffic on this virtual network is encrypted and isolated from the public internet traffic flowing around it. Others on the same physical network can't read your data.
Network: It is, functionally, a network — with IP addresses, routing, and all the usual networking behavior — just built virtually.
The original purpose of VPNs was completely unrelated to the consumer privacy use case you see advertised today. VPNs were invented for corporate remote access.
The Original Problem VPNs Solved
Imagine a company with offices in New York, London, and Tokyo. They have internal servers with sensitive data — HR systems, financial records, internal tools. These servers are on the company's private internal network, protected by firewalls. Employees at the New York office can access them freely because they're on the same network. But what about employees working from home? Or traveling?
The naive solution is to open the internal servers up to the internet. But then anyone on the internet could potentially access them. Bad idea.
VPNs solved this elegantly. An employee working from home installs a VPN client. They authenticate with the company's VPN server. A virtual tunnel is established between the employee's home machine and the company network. All traffic from the employee's machine is encrypted, sent through the tunnel to the VPN server at the company, and then forwarded onto the private internal network. From the perspective of the internal network, the employee is effectively sitting inside the office.
This is still the primary use case for VPNs in corporate settings. When your company's IT department tells you to connect to the VPN before accessing internal resources, this is what you're doing.
How a VPN Actually Works: The Technical Details
Let's trace what happens to your internet traffic without a VPN, and then with a VPN.
Without a VPN:
1. You type `example.com` into your browser.
2. A DNS query goes to your ISP's DNS server asking for the IP address.
3. Your browser sends a request to `example.com`'s IP address.
4. The request travels through your ISP's network.
5. At every hop, intermediate routers can see the source IP (your public IP), destination IP, and (if the site is HTTP, not HTTPS) the actual content.
6. The response comes back the same way.
Your ISP knows every site you visit. Anyone monitoring traffic on your network can see where it's going. Your public IP address reveals your rough geographic location and is visible to every server you connect to.
With a VPN:
1. You connect to a VPN server. Your VPN client authenticates and establishes an encrypted tunnel to the VPN server.
2. You type `example.com` into your browser.
3. Your device's DNS query goes through the VPN tunnel to the VPN server's DNS resolver.
4. Your browser sends its request through the encrypted tunnel to the VPN server.
5. The VPN server makes the actual request to `example.com` on your behalf, using its own IP address and location.
6. The response comes back to the VPN server, which sends it through the encrypted tunnel to your device.
From your ISP's perspective, all they see is encrypted traffic going to one IP address (the VPN server). They don't know what sites you're visiting.
From `example.com`'s perspective, the request came from the VPN server's IP address and location — not from your actual location. The website doesn't see your real IP address.
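The two walkthroughs above, modelled in code as an added example (not from the original article): the original packet is encrypted whole and wrapped in a new packet addressed to the VPN server, which decrypts it and resends it under its own address. The addresses are constructed documentation-range values, the key is assumed to have been agreed in step 1, TCP/UDP headers are omitted, and the SHA-256 keystream with HMAC is a stand-in for the vetted ciphers real VPN protocols use.

```python
import hashlib, hmac, os, socket, struct

def ipv4(src, dst, proto, payload):
    """20-byte IPv4 header + payload (header checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def observe(packet):
    """What an on-path router can read: (source, destination, payload bytes)."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[20:]

def _xor_stream(key, nonce, data):
    # Stand-in cipher (SHA-256 in counter mode); real tunnels use a vetted AEAD.
    blocks = (hashlib.sha256(key + nonce + struct.pack("!I", i)).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key, plaintext):
    nonce = os.urandom(12)
    ct = _xor_stream(key[:32], nonce, plaintext)
    return nonce + ct + hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet failed authentication")
    return _xor_stream(key[:32], nonce, ct)

def client_encapsulate(key, client_ip, vpn_ip, inner_packet):
    """Step 4: wrap the whole original packet; only the wrapper stays readable."""
    return ipv4(client_ip, vpn_ip, 17, seal(key, inner_packet))

def vpn_forward(key, vpn_ip, outer_packet):
    """Step 5: decrypt, then resend with the VPN server's address as source."""
    _, dst, payload = observe(unseal(key, observe(outer_packet)[2]))
    return ipv4(vpn_ip, dst, 6, payload)

# Constructed sample values (documentation address ranges, not real hosts).
CLIENT, VPN, SITE = "198.51.100.7", "203.0.113.10", "192.0.2.80"
KEY = os.urandom(64)  # assumed already agreed during tunnel setup (step 1)
REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    plain = ipv4(CLIENT, SITE, 6, REQUEST)
    outer = client_encapsulate(KEY, CLIENT, VPN, plain)
    print("ISP without VPN:", observe(plain)[:2])
    print("ISP with VPN:   ", observe(outer)[:2], "request visible:", REQUEST in outer)
    print("Site sees:      ", observe(vpn_forward(KEY, VPN, outer))[:2])
```

Note that the outer packet still carries your real source address: the ISP can see that you are talking to a VPN server, just not what is inside.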
VPN Protocols: The Tunneling Technology
Different VPN implementations use different protocols to create and secure the tunnel. The main ones you'll encounter:
OpenVPN: A mature, open-source protocol that's been around since 2001. Very widely trusted and audited by security researchers. Uses TLS for encryption. Can run on either TCP or UDP. Slightly slower to connect than newer protocols.
WireGuard: A newer protocol (2019) that's far simpler in design — only about 4,000 lines of code versus OpenVPN's hundreds of thousands. This simplicity makes it easier to audit and less likely to contain bugs. It's also significantly faster and more efficient than older protocols. Most modern VPN providers have adopted WireGuard.
IKEv2/IPSec: A combination of the IKEv2 key exchange protocol and IPSec encryption. Excellent for mobile devices because it handles network switching gracefully (moving between WiFi and cellular doesn't drop the VPN connection). Many corporate VPNs use this.
L2TP/IPSec: Older, widely supported, but slower than alternatives. No longer recommended for new deployments.
PPTP: A very old protocol that's been broken for years. Avoid it entirely.
What a VPN Actually Protects You From
Here's where we need to be precise and push back on some of the marketing claims.
What a VPN genuinely helps with:
Public WiFi snooping: On an unsecured public WiFi network, someone on the same network could potentially intercept your unencrypted traffic. A VPN encrypts all your traffic, making this interception useless. This is one of the most legitimate consumer use cases.
ISP tracking: In many countries, ISPs can legally log and sell data about your browsing habits. A VPN prevents your ISP from seeing what sites you visit, since all they see is encrypted traffic to the VPN server.
Geographic restrictions: Streaming services like Netflix have different libraries in different countries due to licensing agreements. Since the streaming service only sees the VPN server's location, you can connect to a VPN server in another country and access that country's library. (Note: streaming services increasingly try to detect and block VPN IP addresses.)
Hiding your IP from websites: Useful for privacy from trackers and for accessing content that's blocked in your region.
Basic protection when using HTTP sites: Since HTTPS has become nearly universal, this use case is largely obsolete, but a VPN still encrypts HTTP traffic between your device and the VPN server. From the VPN server to the site, that traffic travels unencrypted.
What a VPN does NOT protect you from:
Malware and viruses: A VPN is not an antivirus. If you download malware, the VPN doesn't stop it from running. The ads that suggest VPNs protect you from "hackers" are misleading you. A VPN encrypts your traffic in transit; it doesn't scan for malicious software.
Complete anonymity: You're not anonymous with a VPN. The VPN provider knows your real IP address and can see your traffic (even if they claim they don't log it — more on this shortly). Websites can also track you through cookies, browser fingerprinting, and login accounts regardless of your IP address.
Phishing attacks: A VPN doesn't stop you from visiting a fake website and entering your credentials. Social engineering attacks work regardless of VPN usage.
Your own data being shared: If you're logged into a service, that service knows who you are regardless of your IP address.
The Trust Problem: Who Runs the VPN?
This is the most important issue that VPN marketing glosses over. When you use a VPN, you're shifting your trust. Without a VPN, you trust your ISP not to snoop on your traffic. With a VPN, you're instead trusting the VPN provider.
The VPN provider sees all the traffic you're trying to hide from your ISP. If the VPN provider logs that traffic, sells it, or is compelled by law to hand it over to authorities, your privacy is gone. You've just replaced one potentially untrustworthy party with another.
Many VPN providers claim to have a "no-logs" policy — they don't keep records of your activity. Some of these claims have been verified through third-party audits or have been tested when providers have received law enforcement requests and had nothing to hand over. Others are purely marketing claims with no verification.
Evaluating VPN providers requires looking at:
Free VPN services are particularly problematic. Running VPN infrastructure is expensive. If you're not paying, the service is likely monetizing your data in some way — potentially the very browsing data you're trying to protect.
Setting Up a VPN
For consumers, the easiest option is a commercial VPN service. Popular options that have generally positive reputations in the security community include Mullvad, ProtonVPN, and IVPN. These are not endorsements — do your own research — but these names come up repeatedly in security researcher discussions.
For technical users, whether for corporate or personal use, you can self-host a VPN using software like WireGuard on a cloud server. This way, you're the VPN provider and you trust only yourself. Tools like Tailscale and Algo make this much more accessible even for non-experts.
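A check for the self-hosted WireGuard case, added here as an example and not taken from the article or the WireGuard project: it audits a wg-quick style client config for the behaviour the earlier walkthrough describes, with all traffic and DNS lookups going through the tunnel. The sample configs, key placeholders, addresses and the `parse_wg` and `audit` names are constructed for illustration; the IPv6 check goes beyond what the article covers.

```python
import ipaddress

def parse_wg(text):
    """Parse wg-quick style text into (interface dict, list of peer dicts)."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            items = [v.strip() for v in value.split(",") if v.strip()]
            cur.setdefault(key.strip().lower(), []).extend(items)
    return iface, peers

def audit(text):
    """List the ways traffic or DNS lookups can bypass the tunnel."""
    iface, peers = parse_wg(text)
    nets = [ipaddress.ip_network(a, strict=False)
            for p in peers for a in p.get("allowedips", [])]
    findings = []
    for version, name in ((4, "IPv4"), (6, "IPv6")):
        # Collapse first so 0.0.0.0/1 + 128.0.0.0/1 counts as the full range.
        merged = ipaddress.collapse_addresses(n for n in nets if n.version == version)
        if not any(n.prefixlen == 0 for n in merged):
            findings.append(f"{name}: not every destination is routed into the tunnel")
    resolvers = []
    for entry in iface.get("dns", []):
        try:
            resolvers.append(ipaddress.ip_address(entry))
        except ValueError:
            pass  # wg-quick also accepts search domains on the DNS line
    if not resolvers:
        findings.append("DNS: no resolver set, lookups use the system default")
    for r in resolvers:
        if not any(r in n for n in nets):
            findings.append(f"DNS: resolver {r} is reached outside the tunnel")
    return findings

# Constructed sample configs; keys, endpoint and addresses are placeholders.
TEMPLATE = ("[Interface]\nPrivateKey = <client-key>\nAddress = 10.8.0.2/32\n{dns}"
            "[Peer]\nPublicKey = <server-key>\nEndpoint = vpn.example.net:51820\n"
            "AllowedIPs = {allowed}\n")
FULL = TEMPLATE.format(dns="DNS = 10.8.0.1\n", allowed="0.0.0.0/1, 128.0.0.0/1, ::/0")
SPLIT = TEMPLATE.format(dns="DNS = 192.0.2.53\n", allowed="10.8.0.0/24")
```

`audit(FULL)` returns no findings, while `audit(SPLIT)` reports both address families and the resolver. An IPv6 finding only matters on hosts with IPv6 connectivity, and a split tunnel is a legitimate choice for corporate access, so read the findings as what bypasses the tunnel rather than as errors.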
The Honest Assessment
VPNs are useful, legitimate tools for specific privacy and access use cases. They're most valuable on public WiFi, for circumventing ISP monitoring, and for geographic content access. They're less useful for the sweeping "protect you from all hackers and be completely anonymous" claims in the advertisements.
The most important thing to understand: a VPN moves your trust from your ISP to your VPN provider. That's only a win if your VPN provider is more trustworthy than your ISP — and that's a question worth investigating carefully before handing over your traffic.
Used thoughtfully, with a reputable provider and realistic expectations, a VPN is a valuable addition to a privacy-conscious internet user's toolkit. Used naively, based on flashy ad promises, it might just change who's watching you without actually making you any safer.