Network Tunnel
Protocol Encapsulation
A communication channel formed by wrapping one network protocol inside another — allowing traffic to cross incompatible networks, bypass firewalls, or travel through an encrypted private path. Tunnelling is the foundation of VPNs, data centre overlays, and IPv6 transition mechanisms.
Tunnelling works by encapsulation: the original packet (the payload) is wrapped in a new outer packet with headers appropriate for the transit network. Routers in the middle only see the outer headers and forward the packet normally — they're unaware of the inner payload. At the tunnel endpoint, the outer headers are stripped and the original packet is delivered. This allows private IP addresses to traverse the public internet (VPN), Layer 2 frames to cross Layer 3 networks (VXLAN), or IPv6 packets to cross IPv4 networks (6in4).
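The encapsulate/strip cycle described above, worked through in Python as an added example (not code from the original page): a constructed private-address UDP packet is wrapped in an outer IPv4 header with protocol 47 plus a minimal 4-byte GRE header, and the egress function validates the outer header checksum, protocol number and GRE fields before handing back the original packet. The addresses, payload and header layout are this example's own assumptions; only RFC-minimal headers without options or GRE key/checksum fields are handled.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_UDP = 17
IPPROTO_GRE = 47          # outer IPv4 protocol number for GRE
GRE_PTYPE_IPV4 = 0x0800   # GRE protocol type field: inner payload is IPv4


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options), DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5,        # version 4, IHL = 5 words
                      0,                   # DSCP/ECN
                      20 + payload_len,    # total length
                      0,                   # identification
                      0x4000,              # flags: DF set, fragment offset 0
                      ttl, proto,
                      0,                   # checksum placeholder
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_inner_packet() -> bytes:
    """Constructed sample payload (not captured traffic): a UDP datagram between private addresses."""
    data = b"hello from 10.0.0.1"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data  # UDP checksum left 0
    return build_ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_UDP, len(udp)) + udp


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Tunnel ingress: prepend an outer IPv4 header (proto 47) and a 4-byte GRE header.
    Transit routers only ever look at the outer header."""
    gre = struct.pack("!HH", 0, GRE_PTYPE_IPV4)  # no C/K/S flags, GRE version 0
    outer = build_ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes) -> bytes:
    """Tunnel egress: validate the outer headers, strip them, return the original packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("outer packet is not a well-formed IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    flags_ver, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:        # version bits must be 0 (RFC 2784)
        raise ValueError("unsupported GRE version")
    if flags_ver & 0xB000:        # C/K/S flags add optional fields this example does not parse
        raise ValueError("GRE optional fields present; not handled here")
    if ptype != GRE_PTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return packet[ihl + 4:total_len]


if __name__ == "__main__":
    inner = build_inner_packet()
    tunnelled = gre_encapsulate(inner, "198.51.100.1", "203.0.113.7")
    print("inner %d bytes -> tunnelled %d bytes (+%d bytes overhead)"
          % (len(inner), len(tunnelled), len(tunnelled) - len(inner)))
    print("round trip ok:", gre_decapsulate(tunnelled) == inner)
```

The 24 bytes of growth (20 outer IPv4 + 4 GRE) is exactly the per-packet overhead the MTU section below is concerned with; the egress side refuses anything whose outer header does not check out rather than blindly slicing, which is the behaviour you want from a real tunnel endpoint.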
Common tunnel types
| Protocol | Encapsulation | Encrypted | Use case |
|---|---|---|---|
| GRE | IP in IP + GRE header | No | Router-to-router, multicast transport |
| IPsec | IP in IP + ESP/AH | Yes (AES) | Site-to-site VPN, remote access VPN |
| WireGuard | UDP encapsulation | Yes (ChaCha20) | Modern VPN, fast and simple |
| OpenVPN | TLS over UDP/TCP | Yes (TLS) | Remote access VPN, firewall-friendly |
| VXLAN | Ethernet in UDP | No (optional) | Data centre overlay, VM mobility |
| SSH tunnel | TCP port in SSH | Yes (AES) | Port forwarding, SOCKS proxy |
| 6in4 / Teredo | IPv6 in IPv4 | No | IPv6 over IPv4-only networks |
Tunnel overhead and MTU
Every tunnel adds header bytes to each packet, reducing the effective payload size. A standard Ethernet MTU is 1500 bytes. WireGuard adds ~60 bytes of overhead, leaving ~1420 bytes for inner packets. If an inner packet is 1500 bytes, it must be fragmented, which adds latency and CPU load. There are two fixes: set the tunnel interface MTU to the reduced size (e.g. `ip link set wg0 mtu 1420`), or rely on Path MTU Discovery (PMTUD) so endpoints learn the smaller packet size automatically. PMTUD depends on ICMP "Fragmentation Needed" messages reaching the sender, so a firewall that drops ICMP silently breaks it. Fragmentation and PMTUD failures are a common cause of intermittent tunnel connectivity problems where large transfers fail but small ones succeed.
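The overhead arithmetic and the three possible fates of an oversized inner packet (forwarded, fragmented, or dropped with an ICMP Fragmentation Needed message that PMTUD relies on), as an added Python example that is not part of the original page. The header sizes in the table are this example's assumptions (RFC-minimal headers, no IPv4 options, no GRE key or checksum fields); the WireGuard rows show that the commonly used 1420-byte interface MTU corresponds to an IPv6 transit network, while an IPv4 transit leaves 1440. The `icmp_filtered` flag models a firewall that discards the ICMP reply, producing the "large transfers fail, small ones succeed" blackhole.

```python
import math

# Bytes each encapsulation inserts between the transit network's IP MTU and the
# inner IP packet. Assumed sizes for this example; outer Ethernet is excluded
# because a 1500-byte Ethernet MTU already excludes its own header.
TUNNEL_OVERHEAD = {
    "ipip":           20,                 # outer IPv4 header only
    "gre-ipv4":       20 + 4,             # outer IPv4 + 4-byte GRE header
    "wireguard-ipv4": 20 + 8 + 32,        # outer IPv4 + UDP + WireGuard data header and auth tag
    "wireguard-ipv6": 40 + 8 + 32,        # same over an IPv6 transit network
    "vxlan-ipv4":     20 + 8 + 8 + 14,    # outer IPv4 + UDP + VXLAN + inner Ethernet header
}


def inner_mtu(tunnel: str, path_mtu: int = 1500) -> int:
    """Largest inner IP packet that fits the transit MTU without fragmentation."""
    return path_mtu - TUNNEL_OVERHEAD[tunnel]


def mtu_fix_command(ifname: str, tunnel: str, path_mtu: int = 1500) -> str:
    """The interface-MTU fix from the text, sized for the given encapsulation."""
    return "ip link set %s mtu %d" % (ifname, inner_mtu(tunnel, path_mtu))


def ipv4_fragment_count(packet_len: int, mtu: int, ip_header: int = 20) -> int:
    """IPv4 fragments needed: each carries its own header plus a multiple of 8 payload bytes."""
    if packet_len <= mtu:
        return 1
    per_fragment = ((mtu - ip_header) // 8) * 8
    return math.ceil((packet_len - ip_header) / per_fragment)


def tunnel_ingress(packet_len: int, tunnel: str, df: bool, path_mtu: int = 1500):
    """Decision at the tunnel entry point for an inner IPv4 packet.
    Returns (outcome, detail): "forward" -> 1, "fragment" -> fragment count,
    "drop-icmp-frag-needed" -> the MTU advertised in the ICMP message (the PMTUD signal)."""
    mtu = inner_mtu(tunnel, path_mtu)
    if packet_len <= mtu:
        return "forward", 1
    if df:
        return "drop-icmp-frag-needed", mtu
    return "fragment", ipv4_fragment_count(packet_len, mtu)


def sender_view(packet_len: int, tunnel: str, df: bool, icmp_filtered: bool = False) -> str:
    """What the original sender experiences. With DF set and the ICMP reply filtered,
    large packets simply vanish while small ones get through: a PMTUD blackhole."""
    outcome, _ = tunnel_ingress(packet_len, tunnel, df)
    if outcome == "drop-icmp-frag-needed":
        return "blackhole" if icmp_filtered else "retry-smaller"
    return outcome


if __name__ == "__main__":
    for name in TUNNEL_OVERHEAD:
        print("%-15s overhead %3d  inner MTU %d" % (name, TUNNEL_OVERHEAD[name], inner_mtu(name)))
    print(mtu_fix_command("wg0", "wireguard-ipv6"))
    for size in (1000, 1500):
        for filtered in (False, True):
            print("%d-byte packet, DF set, ICMP filtered=%s -> %s"
                  % (size, filtered, sender_view(size, "wireguard-ipv4", df=True, icmp_filtered=filtered)))
```

Setting the interface MTU is the more robust fix precisely because it removes the dependency on ICMP delivery; PMTUD is only as reliable as the least ICMP-friendly firewall on the path.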
Frequently Asked Questions
What is the difference between a VPN and a tunnel?
A tunnel is the general mechanism — encapsulation of one protocol inside another. A VPN is a tunnel with encryption and authentication added. GRE and VXLAN are tunnels without encryption. IPsec, WireGuard, and OpenVPN are VPNs (tunnels + encryption). Every VPN uses a tunnel; not every tunnel is a VPN.
Does a tunnel slow down internet speed?
Marginally. Encapsulation adds 24–70 bytes per packet (reducing effective MTU) and encryption adds CPU load (negligible with AES-NI hardware). The real performance factor is the tunnel endpoint's bandwidth and geographic distance. A nearby, well-connected VPN server has minimal speed impact; a distant or congested one degrades throughput significantly.
What is a split tunnel VPN?
Only some traffic goes through the VPN tunnel, typically traffic to corporate resources, while public internet traffic goes directly. This reduces VPN server load and improves browsing speed. The trade-off is that split-tunnelled traffic bypasses the VPN's encryption and doesn't appear to originate from the corporate network.