Tunneling Mechanics
A VPN works by encapsulating traffic inside another protocol. When your device sends a packet to a website, the VPN client intercepts it, wraps it inside an encrypted outer packet addressed to the VPN server, and sends it through your normal internet connection. The VPN server decrypts the outer packet, extracts the original inner packet, and forwards it to the internet on your behalf. Replies follow the reverse path: the server encrypts them, sends them through the tunnel, and your VPN client decrypts and delivers them to the originating application.
The inner packet is completely hidden from your ISP — they see only encrypted traffic flowing to the VPN server's IP address. The destination website sees the VPN server's IP, not yours. The VPN provider sees both ends, which is why provider jurisdiction, logging policy, and infrastructure trust matter as much as the encryption itself.
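The encapsulation step described above, written out as a small added example (not code from the page or from any VPN project): one end wraps an inner IP packet in a clear header plus authenticated ciphertext, the other end checks the session index and packet counter, verifies the tag, and recovers the inner packet. It uses AES-256-GCM from Go's standard library rather than ChaCha20-Poly1305, assumes a 256-bit session key was already agreed by a key exchange it does not implement, and uses a single shared key for both directions, which real protocols do not do. The header layout, session index and packet contents are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// headerLen is the clear-text part of every tunnel datagram: a 4-byte receiver
// index (which session this belongs to) and an 8-byte packet counter. The
// layout is assumed for this example; it mirrors WireGuard's data message but
// omits its 4-byte type field.
const headerLen = 4 + 8

// Tunnel holds the per-session state of one end. Both ends are assumed to
// share a 256-bit key agreed earlier by a key exchange (e.g. Curve25519),
// which this example does not implement. A real protocol derives a separate
// key per direction; one shared key is a simplification here.
type Tunnel struct {
	aead      cipher.AEAD
	recvIndex uint32
	sendCtr   uint64 // strictly increasing; doubles as the AEAD nonce
	lastRecv  uint64 // highest counter accepted so far (replay check)
}

func NewTunnel(key []byte, recvIndex uint32) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead, recvIndex: recvIndex}, nil
}

// nonce builds the 96-bit GCM nonce from the counter, so a nonce is never
// reused under the same key as long as the counter never repeats.
func nonce(ctr uint64) []byte {
	n := make([]byte, 12)
	binary.LittleEndian.PutUint64(n[4:], ctr)
	return n
}

// Encapsulate turns an inner IP packet into the UDP payload of the outer
// packet: clear header, then AES-GCM ciphertext and tag. The header is bound
// in as associated data, so changing it breaks authentication.
func (t *Tunnel) Encapsulate(inner []byte) []byte {
	t.sendCtr++
	out := make([]byte, headerLen, headerLen+len(inner)+t.aead.Overhead())
	binary.LittleEndian.PutUint32(out[0:4], t.recvIndex)
	binary.LittleEndian.PutUint64(out[4:12], t.sendCtr)
	return t.aead.Seal(out, nonce(t.sendCtr), inner, out[:headerLen])
}

// Decapsulate is the receiving side: check the session index, refuse
// replayed or reordered counters (real protocols use a sliding window so
// mild reordering survives; strict ordering keeps this example short),
// then authenticate and decrypt.
func (t *Tunnel) Decapsulate(outer []byte) ([]byte, error) {
	if len(outer) < headerLen+t.aead.Overhead() {
		return nil, errors.New("datagram too short")
	}
	if binary.LittleEndian.Uint32(outer[0:4]) != t.recvIndex {
		return nil, errors.New("unknown session index")
	}
	ctr := binary.LittleEndian.Uint64(outer[4:12])
	if ctr <= t.lastRecv {
		return nil, errors.New("replayed or out-of-order counter")
	}
	inner, err := t.aead.Open(nil, nonce(ctr), outer[headerLen:], outer[:headerLen])
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	t.lastRecv = ctr
	return inner, nil
}

// Overhead is how many bytes the tunnel adds to each inner packet, which is
// the amount by which the effective MTU shrinks before the outer IP and UDP
// headers are even counted.
func (t *Tunnel) Overhead() int { return headerLen + t.aead.Overhead() }

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	client, _ := NewTunnel(key, 0x1234)
	server, _ := NewTunnel(key, 0x1234)

	// Constructed inner packet: 20 zero bytes standing in for an IPv4 header,
	// followed by an application payload.
	inner := append(make([]byte, 20), []byte("GET / HTTP/1.1")...)
	outer := client.Encapsulate(inner)
	fmt.Printf("ISP sees %d opaque bytes; plaintext visible: %v\n",
		len(outer), bytes.Contains(outer, []byte("GET / HTTP")))

	got, err := server.Decapsulate(outer)
	fmt.Printf("server recovered inner packet: %v (err=%v)\n", bytes.Equal(got, inner), err)
	_, err = server.Decapsulate(outer)
	fmt.Printf("replayed datagram: err=%v\n", err)
	fmt.Printf("per-packet overhead: %d bytes\n", client.Overhead())
}
```

The 28 bytes this block adds (12 of header, 16 of tag) are only the tunnel's own share of the MTU cost; the outer IPv4 header (20 bytes) and UDP header (8 bytes) come on top, so on a 1500-byte link the inner packet can be at most 1444 bytes here. WireGuard's data message additionally carries a 4-byte type field, which is why its default interface MTU is 1420.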
VPN Protocols Compared
| Protocol | Transport | Encryption | Key exchange | Notes |
|---|---|---|---|---|
| WireGuard | UDP | ChaCha20-Poly1305 | Curve25519 | Modern, fast, minimal codebase (~4,000 lines); always-on design; built into Linux kernel |
| OpenVPN UDP | UDP | AES-256-GCM or ChaCha20 | TLS with certificates | Mature, widely supported; UDP mode is faster; large codebase increases attack surface |
| OpenVPN TCP | TCP | AES-256-GCM or ChaCha20 | TLS with certificates | Works through strict firewalls; TCP-over-TCP causes performance issues on lossy links |
| IKEv2/IPsec | UDP 500/4500 | AES-256-GCM | IKEv2 with certificates or PSK | Excellent mobile roaming (MOBIKE); native on iOS, macOS, Windows; fast reconnection |
| L2TP/IPsec | UDP | AES or 3DES via IPsec | IPsec with PSK or certificates | Widely supported legacy protocol; double encapsulation adds overhead; being phased out |
| PPTP | TCP 1723 | MPPE (RC4-based) | MS-CHAPv2 | Deprecated; MS-CHAPv2 is cryptographically broken; should not be used |
WireGuard Architecture
WireGuard deserves specific attention because it differs significantly from older protocols. It operates exclusively over UDP, uses Curve25519 for key exchange, and encrypts data with ChaCha20-Poly1305. Its codebase is roughly 4,000 lines — compared to OpenVPN's hundreds of thousands — making it far easier to audit for security vulnerabilities. WireGuard uses a cryptokey routing model: each peer is identified by a public key, and the routing table maps public keys to allowed IP ranges. There are no certificates to manage and no negotiation phase for session parameters. WireGuard is built into the Linux kernel from version 5.6 and is the default protocol for many consumer VPN services due to its speed and simplicity.
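The cryptokey routing model can be shown as a small table, as an added example that is not WireGuard's code: outgoing packets pick the peer (and therefore the key to encrypt to) by longest-prefix match on the destination, and a decrypted packet is delivered only if its source address lies within the allowed IPs of the peer whose key authenticated it. Peer names such as `SERVER_KEY` are placeholder strings standing in for Curve25519 public keys, and the addresses are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Peer is one entry in the cryptokey routing table. PublicKey is a placeholder
// string for this example; WireGuard uses 32-byte Curve25519 public keys.
type Peer struct {
	PublicKey  string
	AllowedIPs []netip.Prefix
}

// CryptokeyTable maps public keys to the inner-IP ranges they own.
type CryptokeyTable struct {
	peers []Peer
}

// AddPeer parses the prefixes in CIDR form and appends the peer.
func (t *CryptokeyTable) AddPeer(pubKey string, cidrs ...string) error {
	var prefixes []netip.Prefix
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return err
		}
		prefixes = append(prefixes, p.Masked())
	}
	t.peers = append(t.peers, Peer{PublicKey: pubKey, AllowedIPs: prefixes})
	return nil
}

// RouteOut answers "which peer's key do I encrypt this packet to?" by
// longest-prefix match on the destination, exactly as an ordinary routing
// table would, except that the next hop is a public key rather than a gateway.
func (t *CryptokeyTable) RouteOut(dst netip.Addr) (string, error) {
	bestBits := -1
	bestKey := ""
	for _, p := range t.peers {
		for _, pfx := range p.AllowedIPs {
			if pfx.Contains(dst) && pfx.Bits() > bestBits {
				bestBits, bestKey = pfx.Bits(), p.PublicKey
			}
		}
	}
	if bestBits < 0 {
		return "", errors.New("no peer has an allowed IP covering " + dst.String())
	}
	return bestKey, nil
}

// AcceptIn is the other half of the model: a packet that decrypted correctly
// under a peer's key is delivered only if its inner source address is in that
// peer's AllowedIPs. Binding key to address is what stops a peer from
// injecting packets that claim to come from another peer's range.
func (t *CryptokeyTable) AcceptIn(peerKey string, src netip.Addr) bool {
	for _, p := range t.peers {
		if p.PublicKey != peerKey {
			continue
		}
		for _, pfx := range p.AllowedIPs {
			if pfx.Contains(src) {
				return true
			}
		}
	}
	return false
}

func main() {
	var tbl CryptokeyTable
	// Constructed topology: a VPN server peer that is also the default route,
	// and a second peer that owns exactly one inner address.
	must(tbl.AddPeer("SERVER_KEY", "10.0.0.0/24", "0.0.0.0/0"))
	must(tbl.AddPeer("LAPTOP_KEY", "10.0.0.5/32"))

	for _, dst := range []string{"10.0.0.5", "10.0.0.9", "203.0.113.7"} {
		key, err := tbl.RouteOut(netip.MustParseAddr(dst))
		fmt.Printf("packet to %-12s -> encrypt to %s (err=%v)\n", dst, key, err)
	}
	fmt.Println("LAPTOP_KEY sending from 10.0.0.5:", tbl.AcceptIn("LAPTOP_KEY", netip.MustParseAddr("10.0.0.5")))
	fmt.Println("LAPTOP_KEY sending from 10.0.0.7:", tbl.AcceptIn("LAPTOP_KEY", netip.MustParseAddr("10.0.0.7")))
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
```

The `0.0.0.0/0` entry on the server peer is what a full-tunnel client configuration looks like in this model: every destination not claimed by a more specific prefix is encrypted to the server's key. Because there are no certificates, revoking a peer is simply removing its row from the table.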
Split Tunneling
Split tunneling allows some traffic to go through the VPN tunnel while other traffic exits directly through the normal internet connection. A corporate VPN might route only traffic destined for internal company subnets through the tunnel while leaving all other browsing direct, reducing load on the VPN server and keeping internet traffic on the fastest path. Consumer VPN apps may offer app-based split tunneling (specific applications bypass the VPN) or IP-based split tunneling (specific destinations bypass the VPN). The risk of split tunneling is that a misconfigured policy can inadvertently expose traffic the user intended to protect.
DNS Inside a VPN
DNS handling is one of the most important and often overlooked aspects of VPN configuration. When a VPN is active, DNS queries should also travel through the tunnel and be resolved by a DNS server that does not log or filter against the user's interests. If the VPN client routes web traffic through the tunnel but leaves DNS queries going to the ISP's resolver, the ISP cannot see the page contents but can still see every domain the device looks up — a significant privacy gap. Most consumer VPN clients automatically redirect DNS through the tunnel and use the VPN provider's resolver. In split-tunnel configurations, DNS routing requires additional care to ensure each traffic path uses an appropriate resolver.
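The two sections above, split tunneling and DNS inside the tunnel, fit in one added example (not code from the page or any VPN client): an IP-based split policy classifies each destination as tunnel or direct, and a check over a device's flows reports resolvers that would be reached outside the tunnel while other traffic is being protected. The policies, the LAN router acting as DHCP-supplied resolver, the provider resolver address and the public addresses are all constructed for the example; the check identifies DNS simply by destination port 53 and is meant for the full-tunnel case.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Path is where a flow leaves the device.
type Path string

const (
	ViaTunnel Path = "tunnel"
	Direct    Path = "direct"
)

// SplitPolicy is a simplified IP-based split-tunnel configuration.
// With DefaultPath == ViaTunnel the Bypass prefixes skip the tunnel (the
// consumer pattern); with DefaultPath == Direct only the Tunnel prefixes go
// through it (the corporate pattern from the text).
type SplitPolicy struct {
	DefaultPath Path
	Tunnel      []netip.Prefix // consulted when DefaultPath is Direct
	Bypass      []netip.Prefix // consulted when DefaultPath is ViaTunnel
}

func matches(prefixes []netip.Prefix, ip netip.Addr) bool {
	for _, p := range prefixes {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// PathFor classifies a destination under the policy.
func (sp SplitPolicy) PathFor(dst netip.Addr) Path {
	if sp.DefaultPath == ViaTunnel {
		if matches(sp.Bypass, dst) {
			return Direct
		}
		return ViaTunnel
	}
	if matches(sp.Tunnel, dst) {
		return ViaTunnel
	}
	return Direct
}

// Flow is a connection the device is about to open.
type Flow struct {
	Dst     netip.Addr
	DstPort uint16
}

// DNSLeaks returns the resolvers the device reaches outside the tunnel while
// it also sends ordinary traffic through it. That combination is the gap the
// text describes: the ISP cannot read the page but still sees the lookup.
// If nothing is tunneled at all, nothing is being protected and nil is returned.
func (sp SplitPolicy) DNSLeaks(flows []Flow) []netip.Addr {
	tunnelsAnything := false
	var leaked []netip.Addr
	for _, f := range flows {
		path := sp.PathFor(f.Dst)
		if f.DstPort == 53 {
			if path == Direct {
				leaked = append(leaked, f.Dst)
			}
		} else if path == ViaTunnel {
			tunnelsAnything = true
		}
	}
	if !tunnelsAnything {
		return nil
	}
	return leaked
}

func main() {
	pfx := netip.MustParsePrefix
	addr := netip.MustParseAddr

	// Constructed consumer setup: full tunnel with an "allow LAN access" bypass.
	// The home router at 192.168.1.1 is also the DHCP-supplied DNS resolver,
	// which is how this common bypass turns into a DNS leak.
	consumer := SplitPolicy{DefaultPath: ViaTunnel, Bypass: []netip.Prefix{pfx("192.168.1.0/24")}}
	flows := []Flow{
		{Dst: addr("203.0.113.10"), DstPort: 443}, // web traffic, constructed public address
		{Dst: addr("192.168.1.1"), DstPort: 53},   // DNS to the LAN router
	}
	fmt.Println("consumer policy leaks DNS to:", consumer.DNSLeaks(flows))

	// Same policy once the client points DNS at the provider's resolver
	// (constructed 10.64.0.1) inside the tunnel: no leak.
	fixed := []Flow{{Dst: addr("203.0.113.10"), DstPort: 443}, {Dst: addr("10.64.0.1"), DstPort: 53}}
	fmt.Println("after pointing DNS at the tunnel resolver:", consumer.DNSLeaks(fixed))

	// Corporate split tunnel: only the internal /16 goes through the tunnel.
	corp := SplitPolicy{DefaultPath: Direct, Tunnel: []netip.Prefix{pfx("10.1.0.0/16")}}
	fmt.Println("corp path for 10.1.5.20:", corp.PathFor(addr("10.1.5.20")),
		"| for 203.0.113.10:", corp.PathFor(addr("203.0.113.10")))
}
```

In the corporate case the check is deliberately not applied: there, lookups for internal names must go to the internal resolver through the tunnel and public lookups are expected to go direct, so the right test is per name rather than per resolver, which is the "additional care" the text refers to.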
Kill Switch
A kill switch blocks all internet traffic if the VPN tunnel unexpectedly drops. Without it, the device falls back to its normal unprotected connection, exposing the real IP address and unencrypted traffic for as long as the tunnel is down — which could be seconds during a reconnect or longer during a network change. Most consumer VPN apps implement a kill switch using firewall rules that drop all non-VPN traffic unless the tunnel is active. System-level kill switches (implemented in the OS firewall) are more reliable than app-level ones, which stop working if the VPN app crashes.
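The firewall logic of a kill switch, as an added example (not code from the page or any VPN app): a default-drop egress policy that accepts loopback, anything already on the tunnel interface, the UDP handshake to the VPN server, and optionally the LAN, and nothing else. The verdict never consults whether the tunnel is up; when it drops, the routing table moves packets onto the physical interface and the drop policy catches them. A second function models the app-level variant, whose rules vanish with the process. The interface names, endpoint address and port, and LAN prefix are constructed; the nftables chain in the comment is illustrative and is not executed here.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Packet is the subset of egress metadata a host firewall matches on.
type Packet struct {
	OutIface string         // interface the routing table picked
	Proto    string         // "udp" or "tcp"
	Dst      netip.AddrPort // destination address and port
}

// KillSwitch is the policy of a system-level kill switch: a default-drop
// output chain that does not care whether the VPN client is running.
type KillSwitch struct {
	TunnelIface string         // e.g. "wg0"
	VPNEndpoint netip.AddrPort // the VPN server the tunnel is built to
	AllowLAN    []netip.Prefix // optional local-network exceptions
}

// Equivalent nftables output chain for the constructed values below
// (illustrative, not executed by this program):
//
//	chain output {
//	    type filter hook output priority 0; policy drop;
//	    oifname "lo" accept
//	    oifname "wg0" accept
//	    ip daddr 203.0.113.10 udp dport 51820 accept
//	    ip daddr 192.168.1.0/24 accept
//	}

// Allow evaluates the rules in order and returns the verdict.
func (k KillSwitch) Allow(p Packet) bool {
	switch {
	case p.OutIface == "lo":
		return true
	case p.OutIface == k.TunnelIface:
		return true
	case p.Proto == "udp" && p.Dst == k.VPNEndpoint:
		return true // handshake and keepalives needed to (re)build the tunnel
	}
	for _, pfx := range k.AllowLAN {
		if pfx.Contains(p.Dst.Addr()) {
			return true
		}
	}
	return false // policy drop: everything else, tunnel up or not
}

// AppLevelAllow models the weaker app-enforced variant: the VPN client
// process installs the rules only while it runs. If it has crashed, nothing
// filters and every packet passes, which is the failure the text warns about.
func AppLevelAllow(k KillSwitch, appRunning bool, p Packet) bool {
	if !appRunning {
		return true
	}
	return k.Allow(p)
}

func main() {
	ks := KillSwitch{
		TunnelIface: "wg0",
		VPNEndpoint: netip.MustParseAddrPort("203.0.113.10:51820"),
		AllowLAN:    []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
	}
	web := netip.MustParseAddrPort("198.51.100.20:443") // constructed public address
	cases := []Packet{
		{OutIface: "wg0", Proto: "tcp", Dst: web},             // tunnel up: web flow leaves via wg0
		{OutIface: "eth0", Proto: "tcp", Dst: web},            // tunnel down: same flow falls to eth0
		{OutIface: "eth0", Proto: "udp", Dst: ks.VPNEndpoint}, // reconnect handshake
		{OutIface: "eth0", Proto: "udp", Dst: netip.MustParseAddrPort("192.168.1.1:53")}, // LAN DNS, see the DNS section
	}
	for _, c := range cases {
		fmt.Printf("%-5s %-3s %-20s system: %-5v app-crashed: %v\n",
			c.OutIface, c.Proto, c.Dst, ks.Allow(c), AppLevelAllow(ks, false, c))
	}
}
```

The last case is worth noticing: a LAN exception is convenient, but if the LAN router is also the configured DNS resolver, the kill switch will keep letting those lookups out even while the tunnel is down, so the LAN rule and the resolver choice have to be decided together.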
VPN Server Selection
Choosing which VPN server to connect to involves several practical considerations:
- Proximity: A nearby server reduces the added latency of the VPN detour. Connecting to a server in the same country typically adds 5–20 ms compared to potentially hundreds of milliseconds for a distant server.
- Jurisdiction: The server's physical location determines which laws apply to any data retained by the provider. Some users choose servers in countries with strong privacy laws or no data retention requirements.
- Load: An overloaded server reduces throughput. Most consumer VPN apps show server load or recommend the least congested option.
- Purpose: Accessing geo-restricted content requires a server in the target country. Security on an untrusted network requires only a server you trust, regardless of location.
What VPN Providers Can See
A VPN replaces ISP visibility with VPN provider visibility. The provider can see your real IP address, the timing and volume of your traffic, and the IP addresses you connect to after the tunnel (unless those connections are themselves encrypted). A provider with a strict no-logs policy and regular independent audits provides stronger assurance, but the provider's infrastructure and jurisdiction remain a point of trust. Self-hosted VPN servers (on a personal VPS) eliminate the shared-provider trust issue but introduce server administration responsibility and make the exit IP uniquely identifiable.
Frequently Asked Questions
What does a VPN do?
A VPN encrypts traffic between your device and a VPN server, then routes selected traffic through that server. Websites see the VPN server's IP address rather than your normal public IP. The ISP sees only encrypted traffic to the VPN server.
Does a VPN hide traffic from the ISP?
A VPN hides the contents and final destinations of tunneled traffic from the ISP, but the ISP can still see that you are connected to a VPN server and how much data is moving.
Why can a VPN slow internet speed?
A VPN adds encryption overhead, routes traffic through an additional server, reduces the effective MTU, and depends on the VPN server's capacity and location. A nearby, lightly loaded server using WireGuard typically adds minimal overhead on a fast broadband connection.