Top10VPN is editorially independent. We may earn commissions if you buy a VPN via our links.

How Does a VPN Work?

JP Jones is our CTO. He has over 25 years of software engineering and networking experience, and oversees all technical aspects of our VPN testing process.

Fact-checked by Simon Migliano

Our Verdict

VPN software establishes an encrypted virtual tunnel between your device and a remote server in a location of your choice. This creates a secure connection between you and the public internet, hiding your IP address, disguising your location, and protecting your web activity from outside monitoring.

Header image for VPN keeps disconnecting

A virtual private network (VPN) service works by encrypting your internet connection and re-routing your data through a remote VPN server. This makes it a valuable tool for protecting your internet privacy, security, and freedom.

In this guide, we explain exactly how VPN software works to hide your public IP address and encrypt your internet connection.

Summary: How A Virtual Private Network (VPN) Works

Here’s what happens to your web traffic when you use a VPN:

  1. You download, install and open the VPN app on your computer, smartphone, or TV.
  2. In the VPN app, you connect to a VPN server in a location of your choice.
  3. When you visit a website or use another application, the VPN software on your device encrypts the connection request using an encryption cipher. This makes the location and content of your request unintelligible to anyone looking at it.
  4. The connection data is sent to your chosen VPN server, where it is decrypted.
  5. The VPN server connects to the website and sends your connection request on your behalf. The website then sends the requested information back to the VPN server.
  6. This information is encrypted by the VPN server and forwarded back to your device.
  7. Your VPN app decrypts the information and the requested website or service responds to your request.

By following the process above, VPN software lets you mask your IP address from the websites you’re visiting and hide your online activity from your ISP, WiFi administrator, or anyone else monitoring your connection.

Diagram explaining how VPN services encrypt and reroute web traffic.

Though all VPN software is somewhat similar, this process applies specifically to personal or “consumer” VPN services.

To learn how remote access and site-to-site VPNs work, head over to our VPN types guide. If you’re more interested in what you can do with a VPN, read our guide on what VPNs are used for, instead.

Why Trust Us?

We’re fully independent and have been reviewing VPNs since 2016. Our advice is based on our own testing results and is unaffected by financial incentives. Learn who we are and how we test VPNs.

VPNs Tested65
Total Hours of Testing30,000+
Combined Years of Experience50+

How Does a VPN Hide Your IP Address?

SUMMARY: VPN services act as an intermediary between your device and the internet. When you browse the internet with a VPN, the websites you visit see the IP address of the VPN server you’re connected to, rather than your original public IP address.

When you browse the web without a VPN, your connection travels straight from your device to the server hosting the website or service you want.

In order to send the relevant content back to you, this web server needs to know your IP address.

Your IP address is essentially your passport on the internet. It is a unique identifier that tells other computers where to send information if they want it to reach you.

Use our ‘What Is My IP’ checker tool to find your public IP address.

Your IP address has a lot of personal information associated with it. It reveals your geographic location, and can be used to create an overall picture of your online activity.

For these reasons, many people use a VPN to hide their IP address.

When you browse the web with a VPN turned on, your connection always travels to a remote VPN server before it goes to the web server that hosts your desired website or service.

When the web server sends information back to you, it sends it to the VPN server which then forwards it onto you. That means the websites you visit never come into contact with your true IP address.

diagram showing how a VPN hides your IP address from the website you visit

The websites you visit only see a connection request coming from a VPN server. They then send information to that VPN server.

EXPERT ADVICE: Good VPN services have servers in dozens of locations. You can trick websites into thinking you’re located in a different country by connecting to a VPN server there. This is how people use VPNs to change their region on Netflix and other streaming services.

How Do VPNs Encrypt and Secure Your Data?

SUMMARY: VPN services use encryption ciphers and connection protocols to convert your web traffic into unintelligible code. This prevents your ISP, the government, and any other third parties from viewing the contents of your browsing activity. A secure VPN shouldn’t use anything weaker than the AES-256 cipher to encrypt your data.

Encryption is the process of changing normal plaintext data into a secret code only intelligible to someone who knows how to decrypt it.

The purpose of encryption is to stop unwanted individuals from being able to read your messages.

VPNs use encryption to hide the details of your browsing activity as it travels between your device and the VPN server.

Using a VPN prevents ISPs, governments, WiFi administrators, hackers, and any snooping third-parties from spying on your connection.

But how does it actually work? How does a VPN encrypt and secure your data?

In the rest of this section, we’ll take a closer look at the different components and processes that make up VPN encryption, starting with the VPN Tunnel.

What Is a VPN Tunnel?

A ‘VPN tunnel’ is a common way of describing what happens when you set up a VPN connection. In simple terms, it’s the encrypted communication between your device and the VPN server.

This communication is referred to as a tunnel because your original traffic is encrypted and wrapped in a layer of unencrypted traffic.

It’s like taking an envelope with a written letter inside, and putting it inside a second envelope with a new address on. Your actual message becomes completely hidden from the outside world – as if it was inside of a tunnel.

This process is known as encapsulation, and is performed by dedicated tunneling protocols.

Encryption Ciphers

The Private Internet Access app, showing how you can customize your VPN encryption settings.

To convert your online activity into an unintelligible code, VPNs need to use an encryption cipher.

A cipher is just an algorithm (i.e. a set of rules) that encrypts and decrypts data.

EXAMPLE: A very simple cipher might encrypt your data using the rule ‘swap every letter in the message with the letter that precedes it in the alphabet’. So, privacy would become oqhuzbx.

Ciphers are usually paired with a specific key-length. Generally, the longer the key length the more secure the encryption is. For example, AES-256 is considered more secure than AES-128.

The most commonly used ciphers in VPN services are:

Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) is one of the safest ciphers available. It is the gold standard for online encryption protocols, and is widely used in the VPN industry.

AES was established by the US National Institute of Standards and Technology (NIST) in 2001, and is also sometimes known as the Rijndael algorithm. It is designed to handle larger files than other ciphers, such as Blowfish, due to its increased block size.

AES is usually available in 128-bit and 256-bit key-lengths. While AES-128 is still considered secure, we know that organisations like the NSA efforts are always trying to undermine encryption standards. As such, AES-256 is preferred as it’s likely to offer much greater protection.

When you read about ‘military-grade’ or ‘bank-grade’ encryption on a VPN service’s website, it generally refers to the use of AES-256. The US government uses AES-256 encryption to secure its own sensitive data, and it’s something we look for when testing and reviewing VPNs.

Blowfish

Blowfish is a cipher designed by American cryptographer Bruce Schneier in 1993. It used to be the default cipher used in most VPN connections, but has now been largely replaced by AES-256.

You’ll typically see Blowfish used with a 128-bit key length, although it can range from 32 bits to 448 bits.

There are some weaknesses with Blowfish. Most well-known is its vulnerability to a cryptographic attack known as a ‘birthday attack’. For this reason, Blowfish should only be used as a fallback to AES-256.

ChaCha20

Published in 2008 by Daniel Bernstein, ChaCha20 is a reasonably new VPN encryption cipher. Despite this, it is becoming increasingly popular as it is the only cipher compatible with the popular WireGuard protocol.

Like AES, ChaCha20 takes a 256-bit key length, which is considered very secure. Reports also suggest that ChaCha20 is up to three times faster than AES.

There are currently no known vulnerabilities with ChaCha20, and it offers a welcome alternative to AES as encryption technologies look to take on the challenge of quantum computing in the not-too-distant future.

Camellia

Camellia is a cipher that is very similar to AES in terms of security and speed. Even using the smaller key length option (128 bits), it is thought to be infeasible to break with a brute-force attack given current technology. There are no known successful attacks that effectively weaken the Camellia cipher.

The main difference between Camellia and AES is that it is not certified by NIST, the US organization that created AES.

While there is certainly an argument for using a cipher that is not associated with the US government, Camellia is rarely available in VPN software, nor has it been as thoroughly tested as AES.

VPN Protocols

VPN protocols are the rules and processes that your device follows in order to establish a secure connection with the VPN server.

In other words, the VPN protocol determines how the VPN tunnel is formed, while the encryption cipher is used to encrypt the data that flows through that tunnel.

Depending on the protocol in use, a VPN will have different speeds, capabilities, and vulnerabilities. Most services will let you choose which protocol you’d like to use within the app settings.

There are several VPN protocols available, but not all of them are safe to use. Here’s a quick overview of the most common ones:

  • OpenVPN: Open-source, extremely secure, and compatible with almost all VPN-capable devices.
  • WireGuard: Blisteringly fast and very efficient, but yet to gain the trust of everyone in the VPN industry due to its recent release.
  • IKEv2/IPsec: A closed-source protocol that is excellent for mobile VPN users, but is suspected of being compromised by the NSA.
  • SoftEther: Not supported by many VPN services, but is fast, secure, and great for bypassing censorship.
  • L2TP/IPsec: A slower protocol that is also suspected of being hacked by the NSA.
  • SSTP: Deals with firewalls well, but is closed-source and potentially vulnerable to man-in-the-middle attacks.
  • PPTP: Outdated, insecure, and should be avoided at all costs.

LEARN MORE: For a more in-depth look at the different types of VPN protocol, and to learn which one is best, read our dedicated VPN protocols guide.

VPN Handshakes

In addition to protocols and ciphers, VPNs also use processes known as handshakes and hash authentications to further secure and authenticate your connection.

A handshake refers to the initial connection between two computers. It’s a greeting in which both parties authenticate one another and the rules for communication are established.

During a VPN Handshake, the VPN client (i.e. your device) establishes an initial connection with the VPN server.

This connection is then used to securely share an encryption key between client and server. This key is what is used to encrypt and decrypt the data at either end of the VPN tunnel for your entire browsing session.

diagram showing the step-by-step process of a VPN handshake between VPN client and VPN server

VPN handshakes tend to use the RSA (Rivest-Shamir-Adleman) algorithm. RSA has been the basis for internet security for the last two decades.

While there is not yet hard evidence of RSA-1024 being cracked, it is generally considered a security risk given the processing power available today.

RSA-2048 is a far more secure alternative and comes with relatively little computational slowdown. As such, most VPN services have moved away from using RSA-1024.

You should only trust VPN services that use RSA-2048 or RSA-4096.

Although the handshake process works well and generates secure encryption, every session that is generated is possible to decrypt with the private key used in the RSA handshake. In this sense, it is like a ‘master key’.

If the master key were ever to be compromised, it could be used to decrypt every secure session on that VPN server, past or present. An attacker could hack into the VPN server and gain access to all data flowing through the VPN tunnel.

To avoid that, we recommend using VPN services that are set-up with Perfect Forward Secrecy.

Perfect Forward Secrecy

illustration of a VPN client and VPN server in separate rooms both generate the same temporary key to encrypt their session

Perfect Forward Secrecy is a protocol feature which utilizes either the Diffie-Hellman (DH) or the Elliptic Curve Diffie-Hellman (ECDH) key-exchange algorithm in order to generate temporary session keys.

Perfect Forward Secrecy ensures that the encryption key is never exchanged across the connection.

Instead, both the VPN server and the VPN client independently generate the key themselves using the DH or ECDH algorithm.

It is a mathematically complex process, but Perfect Forward Secrecy essentially removes the threat of a single private key that, if compromised, exposes every secure session ever hosted on the server.

Instead, the keys are temporary. This means they can only ever reveal one specific session, and nothing more.

It should be noted that RSA alone cannot provide Perfect Forward Secrecy. DH or ECDH must be included in RSA’s cipher suite for it to be implemented.

ECDH can actually be used on its own – instead of RSA – to generate a secure VPN handshake with Perfect Forward Secrecy. However, be wary of VPN services using DH alone, as it is vulnerable to being cracked. This is not an issue when used with RSA.

The two VPN protocols we always recommend to our readers – OpenVPN and WireGuard – both support Perfect Forward Secrecy.

Hash Authentication

Secure Hash Algorithms (SHA) are used to authenticate the integrity of transmitted data and client-server connections. They ensure that information has not been altered in transit between source and destination.

SHAs work by editing source data using what is known as a hash function. The original source message is run through an algorithm and the result is a fixed-length string of characters that looks nothing like the original. This is known as the “hash value”.

It is a one way function – you cannot run a de-hash process to determine the original message from the hash value.

Hashing is useful because changing just one character of the input source data will totally change the hash value that is output from the hash function.

A VPN client will run the data received from the server, combined with the secret key, through a hash function agreed during the VPN handshake.

If the hash value the client generates differs from the hash value in the message, the data will be discarded as the message has been tampered with.

SHA hash authentication prevents man-in-the-middle attacks as it is able to detect any tampering with a valid certificate.

Without it a hacker could impersonate a legitimate VPN server and trick you into connecting to an unsafe one, where your activity could be monitored.

To ensure maximum security, we recommend using VPN services that use SHA-2 or higher. SHA-1 has proven weaknesses that can compromise security.