What is a VPN? Peeking Under the Hood of the Virtual Private Network
If you listen to any podcast or watch any YouTube channel, you have undoubtedly been aggressively marketed to by a VPN company. The ads make bold claims: "Military-grade encryption!" "Become invisible to hackers!" "Hide your location!"
But strip away the flashy marketing, and a VPN—a Virtual Private Network—is actually a very specific, deeply technical networking tool that was originally invented for a completely different purpose than hiding your Netflix viewing habits.
To understand what a VPN really is, we have to look under the hood at exactly how it wraps one IP packet inside another and how it rewrites your routing table.
The Original Purpose: The Corporate Tunnel
Let's go back to the late 1990s. You work for a massive corporation headquartered in New York. The company has highly secure, internal servers holding sensitive financial data. These servers are on a private internal network (`10.0.0.x`). They are absolutely not connected to the public internet, meaning you can only access them if your computer is physically plugged into a wall port inside the New York office.
Now, you are sent on a business trip to a hotel in London. You need to access the financial server. But you are connected to the hotel's public WiFi.
How can the IT department allow you to access the private internal servers in New York, across the hostile, public internet, without exposing those servers to hackers?
The answer is the Virtual Private Network.
A VPN creates a secure, encrypted "tunnel" through the chaotic public internet, directly connecting your laptop in London to the corporate firewall in New York. Once the tunnel is established, your laptop acts as if a massive, invisible Ethernet cable was run across the Atlantic Ocean and plugged directly into the New York office switch.
How the Tunnel Actually Works: Encapsulation
Let's look at the exact mechanics of how a VPN achieves this magic. It uses a technique called Encapsulation.
1. You run the VPN client software on your laptop in London. You type in your credentials and click "Connect."
2. The software establishes an encrypted, authenticated connection to the VPN Server sitting on the edge of the New York network.
3. The VPN Server in New York assigns your laptop a new, internal IP address (e.g., `10.0.0.55`).
Now, you want to send a request to the internal financial server (`10.0.0.100`).
Your laptop creates a standard IP packet. The Source IP is `10.0.0.55`. The Destination IP is `10.0.0.100`. The payload is your request.
If your laptop sent this packet out through the hotel WiFi as-is, it would go nowhere useful. `10.x.x.x` is private (RFC 1918) address space, so no router on the public internet carries a route for it; the hotel router would either drop the packet or hand it to some unrelated device on the hotel's own network.
This is where the VPN software steps in. Before the packet leaves your laptop, the VPN software grabs it.
It encrypts the entire packet (the payload, the source IP, and the destination IP) and attaches an authentication tag. The result is an unreadable block of ciphertext that the far end can also check for tampering.
Then, the VPN software creates a *brand new* IP packet (usually carried over UDP). It places the encrypted block inside as the payload.
It sets the new Source IP to your laptop's own address on the hotel network (the hotel's NAT gateway rewrites this to the hotel's public IP as the packet leaves). It sets the new Destination IP to the public IP address of the New York VPN Server.
This new packet is routed across the public internet perfectly normally. Anyone intercepting it (a hacker on the hotel WiFi, or your ISP) sees only an encrypted blob moving between London and a server in New York, plus the size and timing of each packet. They cannot see that the data inside is actually destined for `10.0.0.100`.
When the packet arrives at the New York VPN Server, the server strips off the outer envelope, verifies the authentication tag (a packet that fails this check is dropped), and decrypts the payload. The original, inner packet (`Source: 10.0.0.55, Destination: 10.0.0.100`) emerges unharmed.
The VPN server then injects this inner packet into the internal corporate network. The financial server receives it, processes it, and replies. The return trip happens in exactly the same encapsulated reverse order.
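The whole round trip described in the steps above, as an added worked example that is not part of the original article and not the code of any real VPN product. It builds the inner packet (`10.0.0.55` to `10.0.0.100`), seals it, wraps it in a UDP/IPv4 envelope to the VPN server, and then does the reverse on the server side. The laptop's hotel-LAN address (`192.168.4.17`), the VPN server's public address (`203.0.113.10`, from the RFC 5737 documentation range) and the UDP port are assumptions for the demo. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, a stand-in for the AEAD a real VPN uses (ChaCha20-Poly1305 in WireGuard, AES-GCM in IPsec ESP); the packet shape, nonce || ciphertext || tag, is the same.

```python
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

# Addresses from the article's scenario; the hotel-LAN and server addresses
# and the port are assumed for this demo (203.0.113.0/24 is RFC 5737 space).
LAPTOP_TUNNEL_IP = IPv4Address("10.0.0.55")         # inner src, assigned by the VPN server
FINANCE_SERVER_IP = IPv4Address("10.0.0.100")       # inner dst, only reachable inside New York
LAPTOP_HOTEL_IP = IPv4Address("192.168.4.17")       # outer src: laptop on the hotel LAN (assumed)
VPN_SERVER_PUBLIC_IP = IPv4Address("203.0.113.10")  # outer dst: VPN gateway (assumed)
VPN_UDP_PORT = 51820                                # assumed; WireGuard's default port

# Session keys. A real VPN derives these from the authenticated handshake.
ENC_KEY, MAC_KEY = os.urandom(32), os.urandom(32)

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: IPv4Address, dst: IPv4Address, proto: int, payload: bytes) -> bytes:
    """A minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, src.packed, dst.packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Validate the header checksum and split a packet into its fields."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or len(pkt) < total_len or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("malformed IPv4 packet")
    return {"src": IPv4Address(src), "dst": IPv4Address(dst), "proto": proto,
            "ttl": ttl, "payload": pkt[ihl:total_len]}

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real cipher)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def seal(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, the same shape an AEAD produces."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ENC_KEY, nonce, len(plaintext))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; tampered packets are dropped."""
    if len(blob) < 12 + 32:
        raise ValueError("authentication failed, packet dropped")
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed, packet dropped")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ENC_KEY, nonce, len(ct))))

def encapsulate(inner: bytes) -> bytes:
    """Client side: seal the whole inner packet and wrap it in UDP/IPv4 addressed to the
    VPN server. The outer source is the laptop's hotel-LAN address; the hotel's NAT
    rewrites it to the hotel's public IP on the way out."""
    sealed = seal(inner)
    udp = struct.pack("!HHHH", VPN_UDP_PORT, VPN_UDP_PORT, 8 + len(sealed), 0)  # UDP checksum is optional over IPv4
    return build_ipv4(LAPTOP_HOTEL_IP, VPN_SERVER_PUBLIC_IP, 17, udp + sealed)

def decapsulate(outer: bytes) -> dict:
    """Server side: strip the outer envelope, authenticate and decrypt, return the parsed inner packet."""
    o = parse_ipv4(outer)
    if o["dst"] != VPN_SERVER_PUBLIC_IP or o["proto"] != 17:
        raise ValueError("not a tunnel packet for this server")
    udp_len = struct.unpack("!H", o["payload"][4:6])[0]
    inner = unseal(o["payload"][8:udp_len])
    return parse_ipv4(inner)

if __name__ == "__main__":
    inner = build_ipv4(LAPTOP_TUNNEL_IP, FINANCE_SERVER_IP, 6, b"GET /ledger")  # constructed request
    outer = encapsulate(inner)
    o, d = parse_ipv4(outer), decapsulate(outer)
    print("on the hotel WiFi:", o["src"], "->", o["dst"], "proto", o["proto"])
    print("inside New York:  ", d["src"], "->", d["dst"], d["payload"])
```

The two checks worth noticing are in `parse_ipv4` and `unseal`: the server validates the outer header before touching the payload, and it verifies the tag before decrypting, so a packet with a single flipped ciphertext byte is rejected rather than injected into the corporate network as garbage.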
Commercial VPNs: Shifting the Trust
This corporate "tunneling" is the original and purest form of a VPN. But what about the commercial VPNs (like NordVPN, ExpressVPN, or Private Internet Access) that consumers use today?
The underlying technology (Encapsulation and Encryption) is exactly the same. The difference is the destination and the purpose.
When you connect to a commercial VPN, you are not tunneling into a private corporate network to access hidden servers. You are tunneling into a massive server farm owned by the VPN company, for the sole purpose of immediately exiting back out to the public internet.
Why do this? Two reasons:
1. Bypassing Local Spying: If you are at a coffee shop, the owner of the WiFi can see every website you visit (they see your DNS requests, the destination IP addresses, and usually the server names in your TLS handshakes). If you use a VPN, all the coffee shop router sees is a single, continuous stream of ciphertext flowing to one IP address (the VPN server), along with how much you send and when. You have hidden the contents and destinations of your traffic from the local network and your ISP, provided your DNS queries also go through the tunnel; a client that still sends DNS to the coffee shop's resolver leaks every hostname you look up.
2. Hiding Your IP Address: When you finally access `google.com` or `netflix.com`, the request comes from the VPN server's IP address, not your home IP address. To Netflix, it looks like you are sitting in whatever city the VPN server is located in. This is how people bypass geo-blocking to watch shows available in other countries.
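The difference between the corporate tunnel and the commercial one is really a difference in the routing table, and the full-tunnel case hides a trap. The following is an added illustration, not code from the article or from any VPN client: a longest-prefix-match lookup over three constructed routing tables (split tunnel, full tunnel, and a full tunnel set up wrong). The hotel LAN (`192.168.4.0/24`, gateway `192.168.4.1`), the VPN server address (`203.0.113.10`) and the interface names are assumptions. `path_for` models the one thing that matters here: a packet sent into `tun0` becomes an outer packet addressed to the VPN server, which the host then has to route again.

```python
from ipaddress import ip_address, ip_network

# Constructed for the demo; every address and interface name here is an assumption.
HOTEL_GATEWAY = "192.168.4.1"
VPN_SERVER = "203.0.113.10"

def lookup(routes, dst):
    """Longest-prefix match, the rule every host stack and router applies.
    routes is a list of (prefix, next_hop_or_None, interface)."""
    dst = ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], best[1]

# Before connecting: everything leaves through the hotel WiFi.
BASE_ROUTES = [
    ("192.168.4.0/24", None, "wlan0"),
    ("0.0.0.0/0", HOTEL_GATEWAY, "wlan0"),
]

# Corporate (split) tunnel, as in the London/New York scenario: only the
# 10.0.0.0/8 private range is sent into the tunnel interface.
SPLIT_ROUTES = BASE_ROUTES + [("10.0.0.0/8", None, "tun0")]

# Commercial (full) tunnel: the default route now points into the tunnel, and a
# /32 host route pins the VPN server itself to the physical interface so the
# encrypted outer packets are not fed back into the tunnel they came from.
FULL_ROUTES = [
    ("192.168.4.0/24", None, "wlan0"),
    (VPN_SERVER + "/32", HOTEL_GATEWAY, "wlan0"),
    ("0.0.0.0/0", None, "tun0"),
]

# The same full tunnel without the host route for the server.
BROKEN_FULL_ROUTES = [
    ("192.168.4.0/24", None, "wlan0"),
    ("0.0.0.0/0", None, "tun0"),
]

def path_for(routes, dst, max_hops=8):
    """Follow a packet through the host: each time it is routed into tun0 it is
    wrapped in an outer packet to VPN_SERVER and routed again. Returns the list
    of interfaces it passed through; raises if it never reaches a physical one."""
    chain, cur = [], dst
    for _ in range(max_hops):
        dev, _via = lookup(routes, cur)
        chain.append(dev)
        if dev != "tun0":
            return chain
        cur = VPN_SERVER  # the outer packet is addressed to the VPN server
    raise RuntimeError("routing loop: tunnel traffic keeps re-entering the tunnel")

if __name__ == "__main__":
    for name, table in [("split", SPLIT_ROUTES), ("full", FULL_ROUTES)]:
        for dst in ("10.0.0.100", "198.51.100.7", "192.168.4.1"):
            print(f"{name:5} {dst:14} -> {' -> '.join(path_for(table, dst))}")
```

Real clients handle the trap in `BROKEN_FULL_ROUTES` in different ways: OpenVPN's `redirect-gateway` adds the host route for the server via the original gateway, and WireGuard's `wg-quick` marks its own outer packets with a firewall mark and uses policy routing to keep them out of the tunnel. Either way, the check after connecting is the same: the VPN server's address must resolve to the physical interface, everything else to the tunnel.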
The Big Marketing Lie
VPN companies market themselves as a panacea for online privacy. This is misleading.
A commercial VPN does not make you anonymous. It simply shifts who you are trusting.
Without a VPN, your Internet Service Provider (Comcast, AT&T, etc.) can see all the IP addresses you connect to (and, from your DNS queries and TLS handshakes, usually the hostnames too), while the websites you visit see your real IP address.
With a VPN, your ISP sees nothing but an encrypted tunnel. But the VPN provider can now see every single IP address you visit. And the websites you visit see the VPN's IP address.
If the VPN company logs your traffic, or if they are compelled by a government to monitor you, your privacy is completely compromised. You are placing 100% of your trust in a random corporate entity instead of your ISP.
Furthermore, a VPN does not protect you from tracking cookies, browser fingerprinting, or malware. If you log into your personal Facebook account while connected to a VPN in Switzerland, Facebook still knows exactly who you are.
Summary
A VPN is a brilliant feat of network engineering. By encrypting packets and wrapping them inside other packets, it creates a private tunnel through public infrastructure. It is essential for corporate security and excellent for bypassing local network restrictions. But it is not a magic invisibility cloak.