Disclosure: Top10VPN is editorially independent. We may earn commissions if you buy a VPN through links on our site.

How Does a VPN Work? VPN Encryption & Tunneling Explained

JP Jones - CTO @ Top10VPN

JP is our CTO. He has over 25 years of software engineering and networking experience, and oversees all technical aspects of our VPN testing process. Read full bio

VPN software establishes an encrypted virtual tunnel between your device and a remote VPN server. This creates a secure connection between you and the public internet, hiding your IP address, disguising your location, and protecting your web activity from external monitoring.

how a virtual private network (VPN) works

VPN software routes your web traffic to a remote server through an encrypted tunnel.

Virtual private networks (VPN) are valuable tools for protecting your online privacy, security, and freedom.

In this guide, we’ll explain exactly how VPN software works to hide your public IP address and encrypt your internet connection. If you’re more interested in what you can do with a VPN, read our guide on what VPNs are used for.

We’ll start with an overall summary of how VPNs work, then cover in detail how VPNs are able to hide your IP address and spoof your location.

After that, we’ll introduce VPN encryption and explain how it works.

For information on how to set up a VPN, read our step-by-step installation guides.

Quick Summary: How VPNs Work

A VPN works by encrypting your connection and re-routing it through a remote VPN server.

Here’s what happens to your web traffic when you use a VPN:

  1. You download, install and turn on the VPN app on your computer, smartphone, or TV.
  2. In your browser, you type in a website to access (e.g. example.com).
  3. The VPN software on your device encrypts the connection request. This makes the location and content of your request unintelligible to anyone looking at it.
  4. Your connection data is sent to your chosen VPN server, where it is decrypted.
  5. The VPN server connects to the website on your behalf, and the website sends your requested information back to the VPN server.
  6. This information is encrypted by the VPN server and forwarded to your device.
  7. Your VPN app decrypts the information and the requested website appears in your browser.

By following this process, a VPN allows you to hide your IP address from the websites you’re visiting and hide your online activity from your ISP, WiFi administrator, government or anyone else trying to monitor your connection.

What Is a VPN Tunnel?

A ‘VPN tunnel’ is a common way of describing what happens when you set up a VPN connection. It refers to the encrypted communication between your device and the VPN server.

This communication takes on the appearance of a tunnel because your original traffic is encrypted and wrapped in a layer of unencrypted traffic.

It is like taking an envelope with a written letter inside, and putting it inside a second envelope with a new address on. Your actual message becomes completely hidden from the outside world – as if it was inside of a tunnel.

This process is known as encapsulation and is performed by dedicated tunneling protocols. You can read more about these in the VPN encryption section below, or in our full VPN protocols guide.

How Does a VPN Hide Your IP Address?

When you browse the web without a VPN, your connection travels straight from your device to the server that hosts the website or service you want.

In order to send the relevant content back to you, this web server needs to know your IP address.

Your IP address is essentially your passport on the internet. It is a unique identifier that tells other computers where to send information if they want it to reach you. Use our IP checker tool to see your own IP address.

Your IP address has a lot of personal information associated with it. It reveals your geographic location and can be used to create an overall picture of your online activity.

For these reasons, many people choose to hide their IP address using a VPN.

When you browse the web with a VPN turned on, your connection always travels to a remote VPN server before it goes to the web server that hosts your desired website or service.

When the web server sends information back to you, it sends it to the VPN server which then forwards it onto you. That means the websites you visit never come into contact with your true IP address.

diagram showing how a VPN hides your IP address from the website you visit

The websites you visit only see a connection request coming from a VPN server. They then send information to that VPN server.

SUMMARY: VPNs act as an intermediary between your device and the internet. When you browse the internet with a VPN, the websites you visit see the IP address of the VPN server you’re connected to, rather than your original public IP address.

EXPERT TIP: Good VPN services offer servers in lots of locations. You can trick websites into thinking you’re located in a different country by connecting to a VPN server there. This is how people use VPNs to unblock ‘hidden’ content on streaming services like Netflix.

How Do VPNs Encrypt and Secure Your Data?

Encryption is the process of changing normal plaintext data into a secret code that is only intelligible to someone who knows how to decrypt it. The purpose of encryption is to stop unwanted individuals from being able to read your messages.

VPNs use encryption to hide the details of your browsing activity as it travels between your device and the VPN server. This prevents ISPs, governments, WiFi administrators, hackers, and any snooping third-parties from spying on your connection.

But how does it actually work? How does a VPN encrypt and secure your data?

In the rest of this section, we’ll take a closer look at the different components and processes that make up VPN encryption, starting with encryption ciphers.

Encryption Ciphers

A screenshot from the Private Internet Access app, showing how you can customize your VPN encryption settings.

To convert your online activity into an unintelligible code, VPNs need to use an encryption cipher.

A cipher is just an algorithm (i.e. a set of rules) that encrypts and decrypts data.

EXAMPLE: A very simple cipher might encrypt your data using the rule ‘swap every letter in the message with the letter that precedes it in the alphabet’. So, privacy would become oqhuzbx.

Ciphers are usually paired with a specific key-length. Generally, the longer the key length the more secure the encryption is. For example, AES-256 is considered more secure than AES-128.

The most commonly used ciphers in VPN services are:

1Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) is one of the safest ciphers available. It is the gold standard for online encryption protocols, and is widely used in the VPN industry.

AES was established by the US National Institute of Standards and Technology (NIST) in 2001, and is also sometimes known as the Rijndael algorithm. It is designed to handle larger files than other ciphers, such as Blowfish, due to its increased block size.

AES is usually available in 128-bit and 256-bit key-lengths. While AES-128 is still considered secure, we know that organisations like the NSA efforts are always trying to undermine encryption standards. As such, AES-256 is preferred as it’s likely to offer much greater protection.

When you read about ‘military-grade’ or ‘bank-grade’ encryption on a VPN service’s website, it generally refers to the use of AES-256. The US government uses AES-256 encryption to secure its own sensitive data, and it’s something we look for when testing and reviewing VPNs.

2Blowfish

Blowfish is a cipher designed by American cryptographer Bruce Schneier in 1993. It used to be the default cipher used in most VPN connections, but has now been largely replaced by AES-256.

You’ll typically see Blowfish used with a 128-bit key length, although it can range from 32 bits to 448 bits.

There are some weaknesses with Blowfish. Most well-known is its vulnerability to a cryptographic attack known as a ‘birthday attack’. For this reason, Blowfish should only be used as a fallback to AES-256.

3ChaCha20

Published in 2008 by Daniel Bernstein, ChaCha20 is a reasonably new VPN encryption cipher. Despite this, it is becoming increasingly popular as it is the only cipher compatible with the emerging WireGuard protocol.

Like AES, ChaCha20 takes a 256-bit key length, which is considered very secure. Reports also suggest that ChaCha20 is up to three times faster than AES.

There are currently no known vulnerabilities with ChaCha20, and it offers a welcome alternative to AES as encryption technologies look to take on the challenge of quantum computing in the not-too-distant future.

4Camellia

Camellia is a cipher that is very similar to AES in terms of security and speed. Even using the smaller key length option (128 bits), it is thought to be infeasible to break with a brute-force attack given current technology. There are no known successful attacks that effectively weaken the Camellia cipher.

The main difference between Camellia and AES is that it is not certified by NIST, the US organization that created AES.

While there is certainly an argument for using a cipher that is not associated with the US government, Camellia is rarely available in VPN software, nor has it been as thoroughly tested as AES.

SUMMARY: A VPN shouldn’t be using anything less than the AES-256 cipher to encrypt your data. ChaCha20 and Camellia are secure alternatives, but your VPN should at least offer you the choice of AES.

VPN Protocols

VPN protocols are the rules and processes that your device follows in order to establish a secure connection with the VPN server.

In other words, the VPN protocol determines how the VPN tunnel is formed, while the encryption cipher is used to encrypt the data that flows through that tunnel.

Depending on the protocol in use, a VPN will have different speeds, capabilities, and vulnerabilities. Most services will let you choose which protocol you’d like to use within the app settings.

There are several VPN protocols available, but not all of them are safe to use. Here’s a quick overview of the most common ones:

  • OpenVPN: Open-source, extremely secure, and compatible with almost all VPN-capable devices.
  • WireGuard: Blisteringly fast and very efficient, but yet to gain the trust of everyone in the VPN industry due to its recent release.
  • IKEv2/IPsec: A closed-source protocol that is excellent for mobile VPN users, but is suspected of being compromised by the NSA.
  • SoftEther: Not supported by many VPN services, but is fast, secure, and great for bypassing censorship.
  • L2TP/IPsec: A slower protocol that is also suspected of being hacked by the NSA.
  • SSTP: Deals with firewalls well, but is closed-source and potentially vulnerable to man-in-the-middle attacks.
  • PPTP: Outdated, insecure, and should be avoided at all costs.

LEARN MORE: For a more in-depth look at the different types of VPN protocol, and to learn which one is best, read our full VPN protocols guide.

VPN Handshakes

In addition to protocols and ciphers, VPNs also use processes known as handshakes and hash authentications to further secure and authenticate your connection.

A handshake refers to the initial connection between two computers. It’s a greeting in which both parties authenticate one another and the rules for communication are established.

During a VPN Handshake, the VPN client (i.e. your device) establishes an initial connection with the VPN server.

This connection is then used to securely share an encryption key between client and server. This key is what is used to encrypt and decrypt the data at either end of the VPN tunnel for your entire browsing session.

diagram showing the step-by-step process of a VPN handshake between VPN client and VPN server

VPN handshakes tend to use the RSA (Rivest-Shamir-Adleman) algorithm. RSA has been the basis for internet security for the last two decades.

While there is not yet hard evidence of RSA-1024 being cracked, it is generally considered a security risk given the processing power available today.

RSA-2048 is a far more secure alternative and comes with relatively little computational slowdown. As such, most VPN services have moved away from using RSA-1024.

You should only trust VPN services that use RSA-2048 or RSA-4096.

Although the handshake process works well and generates secure encryption, every session that is generated is possible to decrypt with the private key used in the RSA handshake. In this sense, it is like a ‘master key’.

If the master key were ever to be compromised, it could be used to decrypt every secure session on that VPN server, past or present. An attacker could then gain access to all data flowing through the VPN tunnel.

To avoid that, we recommend using VPN services that are set-up with Perfect Forward Secrecy.

Perfect Forward Secrecy

illustration of a VPN client and VPN server in separate rooms both generate the same temporary key to encrypt their session

Perfect Forward Secrecy is a protocol feature which utilizes either the Diffie-Hellman (DH) or the Elliptic Curve Diffie-Hellman (ECDH) key-exchange algorithm in order to generate temporary session keys.

Perfect Forward Secrecy ensures that the encryption key is never exchanged across the connection.

Instead, both the VPN server and the VPN client independently generate the key themselves using the DH or ECDH algorithm.

It is a mathematically complex process, but Perfect Forward Secrecy essentially removes the threat of a single private key that, if compromised, exposes every secure session ever hosted on the server.

Instead, the keys are temporary. This means they can only ever reveal one specific session, and nothing more.

It should be noted that RSA alone cannot provide Perfect Forward Secrecy. DH or ECDH must be included in RSA’s cipher suite for it to be implemented.

ECDH can actually be used on its own – instead of RSA – to generate a secure VPN handshake with Perfect Forward Secrecy. However, be wary of VPN services using DH alone, as it is vulnerable to being cracked. This is not an issue when used with RSA.

Our top three recommended VPN protocols – OpenVPN, WireGuard, and IKEv2 – all support Perfect Forward Secrecy.

Hash Authentication

Secure Hash Algorithms (SHA) are used to authenticate the integrity of transmitted data and client-server connections. They ensure that information has not been altered in transit between source and destination.

SHAs work by editing source data using what is known as a hash function. The original source message is run through an algorithm and the result is a fixed-length string of characters that looks nothing like the original. This is known as the “hash value”.

It is a one way function – you cannot run a de-hash process to determine the original message from the hash value.

Hashing is useful because changing just one character of the input source data will totally change the hash value that is output from the hash function.

A VPN client will run the data received from the server, combined with the secret key, through a hash function agreed during the VPN handshake.

If the hash value the client generates differs from the hash value in the message, the data will be discarded as the message has been tampered with.

SHA hash authentication prevents man-in-the-middle attacks as it is able to detect any tampering with a valid certificate.

Without it a hacker could impersonate a legitimate VPN server and trick you into connecting to an unsafe one, where your activity could be monitored.

To ensure maximum security, we recommend using VPN services that use SHA-2 or higher. SHA-1 has proven weaknesses that can compromise security.

About the Author


  • JP Jones - CTO @ Top10VPN

    JP Jones

    JP is our CTO. He has over 25 years of software engineering and networking experience, and oversees all technical aspects of our VPN testing process. Read full bio