What a virtual private network (VPN) is and why you should care about it

Леонидас

Mar 26, 2022


An explanation that grows more technical without requiring a doctoral degree.


Virtual private networks (VPNs) can make your online life more private using software that is inexpensive, convenient and, in some cases, even free. You can use a VPN to access streaming video from all over the world while concealing your IP address, or to virtually sneak into a sporting event that is otherwise unavailable in your region.

However, while VPNs are widely available, there's a strange shortage of knowledge about what they actually do behind the scenes. You may know that a VPN conceals your device using a proxy server to make it look like you're somewhere else, and maybe even that encryption is involved. But getting any more details can mean navigating a minefield of misinformation.

That's a shame, because the underlying workings of a VPN aren't all that difficult to understand. You may not be able to develop one yourself without a degree in computer science, but with a little work, you can grasp exactly what it's doing on your computer. That's information you can use to select the ideal VPN for you, and make the most of it after you've got it.

What is a VPN?
To make sure nobody gets left behind, I'll start at the beginning. A VPN (virtual private network) is a way of securely accessing a network, either a restricted network (like the one you might have at the office) or the internet as a whole. Initially, corporations set up VPNs so remote workers could work with secure files. While this still happens, the last 15 years have seen VPNs increasingly promoted to individuals, with Proton VPN, ExpressVPN and others seeing enormous user growth.

Broadly, a VPN consists of two parts: the server, which relays requests to your selected destination, and the client, a piece of software that lets you interact with the server. You can find a fuller explanation here, but I'll use the two sections below to give you what you need to know right now.

One more caveat before that: there are numerous kinds of VPNs, including the remote-access VPNs and site-to-site VPNs often used by organizations. However, for this article, I'll mostly be discussing the commercial VPN services provided to individuals for general security needs. Instead of a specialized network, these VPNs are designed to handle all of a user's traffic to any place on the internet.

What happens when you use a VPN?
First, you use the client to connect to a server, either the fastest one available or a particular location you need. Once you've connected, every request you send to the internet travels through the VPN server first. This communication between your device and the web is encrypted so it can't be traced back to you.

The VPN server decrypts your requests and passes them on. The destination then talks with the VPN server, which delivers the information back to you – after re-encrypting it so nobody tracks it home.

Since the VPN does everything on your behalf, it's your "mask" online. Your internet service provider (ISP) and third parties can see what's being done, but, so long as you're not otherwise logged in or identifying yourself, nobody knows that it's you doing it. It's like having a friend order pizza for you so the restaurant doesn't hear you phoning for the third time this week (not that I speak from experience).

What's the point of using a VPN?
Why add an extra step to the already hard process of getting online? The two primary reasons are maintaining anonymity and changing your virtual location. I've already described how a VPN keeps you anonymous. Among other things, this prevents your ISP from selling your browser history to advertisers and shields activists who face government repercussions for what they do online.

Changing your virtual location is part of masking, but it can also be used to see the internet as it's visible in different countries. Streaming services are frequently confined to certain places, and practically all of them change the available content depending on their licensing in each country. You can even use a VPN in a country with a nationwide firewall, like China, to see restricted foreign information sources.

How does a VPN work? The entire technical explanation
Most online explanations stop after defining a VPN as an anonymous agent between you and the internet — but I wrote this post to go a little bit deeper. To grasp what a VPN is doing on a technical level, we'll need to discuss how the internet works, how the VPN knows where to deliver encrypted information and just what "encryption" actually is.

How the internet transports data
When you're not using a VPN, internet traffic passes directly from your modem to your ISP, then on to your selected destination. The major technologies here are IP, which stands for Internet Protocol, and TCP, which stands for Transmission Control Protocol. They're usually combined as TCP/IP.

You may have heard that every internet device has an IP address that identifies it to every other device. TCP/IP manages not just those addresses but how data passes between them. Here's how it works, step-by-step.

1. You click a link or enter a URL into your web browser.

2. Your computer sends a request to your modem, asking to see the site associated with the URL. Your modem relays the request to your ISP.

3. Your ISP finds a domain name server (DNS) that tells it which IP address is associated with the URL you asked to access. It then sends the request to that IP address along the fastest available path, which will involve being relayed across numerous nodes.

4. That IP address is connected with a server that houses the content you're looking for. Once it receives the request, it breaks the data down into small packets of around 1 to 1.5 kilobytes.

5. These packets separate to find their own shortest paths back to your ISP, your modem and finally your web browser, which reassembles them.

6. You view a web page, likely little more than a second after you asked for it.

The outbound requests and inbound packets are crucial to understanding how a VPN functions. A VPN intervenes during step 2 (when your modem contacts your ISP) and step 5 (when your ISP transmits the packets back to you). In the next section, I'll explain exactly what it does during those steps.

How VPN tunneling protects data
You might have heard a VPN's activity described as "tunneling." That word refers to a figurative tunnel being established between your device and the VPN. Data enters the tunnel when it's encrypted by the VPN client and exits when it's decrypted by the VPN server. Between those two points, encryption means nobody can view the true data. It's as though it's passing through an opaque tube.

While the tunnel is a useful metaphor, it may be best to think about VPN encryption as encapsulation. Each packet of data sent via VPN is "wrapped" in a second packet, which both encrypts the original packet and carries information for contacting the VPN server. However, none of these outer layers has the whole path; each merely knows enough to reach the next relay. In this way, the point of origin (that's you) remains hidden.

The same thing happens when the internet returns content to show you. Your ISP delivers the data to the VPN server, because, as far as it knows, that's where the request came from. The VPN then encrypts each packet and delivers them back to you for decryption and reassembly. It takes a little longer with the extra steps; that's why VPNs always slightly slow down your browsing speed, though the better ones don't do that by much (Surfshark is currently the fastest).

You learned in an earlier section that two protocols, IP and TCP (commonly combined as TCP/IP), are responsible for letting internet devices talk to one another, even if they've never connected before. In the same manner, a VPN protocol is essentially a shared language that helps VPNs encrypt, transfer and decrypt information. See the next section to learn how a VPN protocol works in detail.

How VPN protocols encrypt data
VPN protocols are the technology underpinning VPNs; every other aspect of your VPN is merely a way of interacting with them. All protocols are designed to encrypt data packets and wrap them in a second layer that includes information on where to send them. The primary distinctions are the form of that second layer, the types of encryption employed and how the client makes its initial secure connection with the server.

It's very common for VPNs to advertise protocols with "bank-grade" or "military-grade" encryption. This refers to the 256-bit Advanced Encryption Standard (AES-256), a symmetric encryption method, which is employed by financial organizations and the US government and military. AES-256 is undoubtedly some of the strongest available encryption, but it's only part of the story. As a symmetric technique, it's not totally safe on its own, because the same keys are used to encrypt and decrypt the data, and those keys can be stolen.

For that reason, most VPN protocols employ AES-256 (or a similarly strong cipher like ChaCha20) to encrypt the data packets directly, then combine it with a broader suite of other encryption techniques. One of the most reliable and popular protocols, OpenVPN, employs the asymmetric TLS protocol to establish a secure link between client and server, then delivers packets encrypted using AES-256 across that channel, knowing the keys will be safe.

Explaining this could easily fill a book, although the essential premise isn't complex. In asymmetric encryption, a sender encrypts data with a unique key, then a recipient decrypts it with a separate matched key. The keys are delivered by a trusted third party. In a move called a TLS handshake, the server and client send each other encrypted data. If either can decrypt the other's test data, they know they have a matching pair of keys, which demonstrates that both are the same client and server that received the keys from the trusted authority.

Why not just use asymmetric encryption for the data itself, if it's more secure? Mainly, protocols don't do this since it's a lot slower. Asymmetric encryption involves a lot of resource-heavy math that makes connections sluggish. That's why OpenVPN and others employ the asymmetric-to-symmetric two-step approach.

To recap, a VPN protocol is a complicated set of instructions and tools that govern encryption and routing across VPN servers. Protocols still in use include OpenVPN, WireGuard, IKEv2, SSTP and L2TP. PPTP, one of the oldest protocols, is no longer considered secure. On top of these, VPNs typically build their own proprietary protocols, such as ExpressVPN's Lightway.

Putting it all together
Now that we've hit all the pertinent facts, let's revisit that step-by-step list from earlier, this time with a VPN in the mix. Here are the steps, starting with establishing the VPN connection and concluding with anonymously accessing a website.

1. You launch your VPN client, choose a server location and connect. The VPN client and server authenticate each other with a TLS handshake.

2. The client and server exchange the symmetric keys they'll use to encrypt and decrypt packets for the life of this session (i.e. until you disconnect). Your VPN client tells you that it's built a secure tunnel.

3. You open your web browser and enter a URL. Your browser sends a request to access the content at that address.

4. The request travels to your VPN client, which encrypts it and adds an outer layer of information with directions to the VPN server.

5. The encrypted request reaches the VPN server, which decrypts it and transmits it to your ISP.

6. As usual, your ISP finds the IP address associated with the URL you typed and transmits your request along.

7. The destination server gets the request and transmits all the necessary packets of information back to your ISP, which passes them to the VPN server.

8. The VPN server encrypts each packet and adds a header directing it to the VPN client.

9. The client decrypts the packets and transmits them to your web browser.

10. You see the website you opened.

Because of the encrypted tunnel, the request arrives at the VPN server without any information about where it came from. Thus, the VPN doesn't actually encrypt your activities on the websites themselves; for the most part, the HTTPS protocol does that. Instead, a VPN gives you a false name to put in the register, with no information that could be traced back to your real identity.
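As an added example (not part of the original article and not any VPN provider's code), the Go sketch below walks through the handshake, encapsulation and decapsulation steps above. It assumes an X25519 key agreement as a stand-in for the TLS handshake (no certificates, so the peers are not authenticated) and AES-256-GCM for the packets; the names `Handshake`, `Encapsulate` and `Decapsulate`, the `to:vpn-server` header and the sample request are constructed for illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T { // example-only: abort on RNG or key errors
	if err != nil {
		panic(err)
	}
	return v
}

// Handshake plays both ends of the asymmetric step; only public keys are exchanged.
func Handshake() (client, server cipher.AEAD) {
	c := must(ecdh.X25519().GenerateKey(rand.Reader))
	s := must(ecdh.X25519().GenerateKey(rand.Reader))
	derive := func(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) cipher.AEAD {
		key := sha256.Sum256(must(priv.ECDH(peer))) // simplified KDF (assumption)
		return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
	}
	return derive(c, s.PublicKey()), derive(s, c.PublicKey())
}

// Encapsulate builds outer = header | nonce | ciphertext+tag; the header is authenticated.
func Encapsulate(t cipher.AEAD, hdr, inner []byte) []byte {
	nonce := make([]byte, t.NonceSize())
	must(rand.Read(nonce)) // fresh random nonce for every packet
	return t.Seal(append(append([]byte{}, hdr...), nonce...), nonce, inner, hdr)
}

// Decapsulate verifies and decrypts an outer packet whose header is hdrLen bytes.
func Decapsulate(t cipher.AEAD, outer []byte, hdrLen int) ([]byte, error) {
	if hdrLen < 0 || len(outer)-hdrLen < t.NonceSize()+t.Overhead() {
		return nil, fmt.Errorf("outer packet too short: %d bytes", len(outer))
	}
	n := hdrLen + t.NonceSize()
	return t.Open(nil, outer[hdrLen:n], outer[n:], outer[:hdrLen])
}

func main() {
	client, server := Handshake() // constructed session between two local peers
	outer := Encapsulate(client, []byte("to:vpn-server"), []byte("GET / HTTP/1.1"))
	inner, err := Decapsulate(server, outer, 13)
	fmt.Printf("outer=%x\ninner=%q err=%v\n", outer, inner, err)
}
```

An observer on the path sees the readable outer header followed by random-looking bytes. Changing any byte of the header or the ciphertext makes `Decapsulate` return an error, because GCM authenticates both.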

How to use this information
Now that you know how a VPN works on a technical level, you're better able to choose one for yourself. You can cut through marketing hype like:

"Military-grade encryption!" (It's the same algorithm everybody uses)

"Stay completely anonymous online!" (Plaintext you share on social media is not encrypted)

"Dodge ISP throttling!" (If your ISP is throttling you based on your IP address, this works, but if you're being slowed down because of your moment-to-moment activities, your identity doesn't matter)

A VPN is just one vital part of a complete cybersecurity diet. While masking your IP address, make sure to also use secure passwords, download updates immediately and stay alert to social engineering attempts.