How a VPN works (and why you should care)
The best VPNs can make your online life more private with software that's convenient and cheap — sometimes even free. While keeping your IP address invisible, you can use your VPN to explore streaming content from all over the world or (virtually) sneak into a sports event that's not available in your area.
However, while VPNs are widely available, there's a strange dearth of information on what they actually do behind the scenes. You may know that a VPN masks your device with a proxy server to make it look like you're somewhere else, and maybe even that encryption is involved. But finding any more details can mean running a gauntlet of misinformation.
That's a shame, because the inner workings of a VPN aren't all that difficult to understand. You may not be able to build one yourself without a degree in computer science, but with a little work, you can understand exactly what it's doing on your computer. That's information you can use to select the right VPN for you, and make the most of it once you've got it.
What is a VPN?
To make sure nobody gets left behind, I'll start from the beginning. A VPN (virtual private network) is a method of securely accessing a network, either a closed network (like you might have at the office) or the internet as a whole. Initially, organizations set up VPNs so remote workers could work with secure files. While this still happens, the last 15 years have seen VPNs increasingly marketed to individuals, with Proton VPN, ExpressVPN and others seeing massive user growth.
Broadly, a VPN consists of two parts: the server, which forwards requests to your chosen destination, and the client, a piece of software that lets you interact with the server. You can find a longer explanation here, but I'll use the two sections below to tell you what you need to know right now.
One more note before that — there are multiple kinds of VPNs, including the remote-access VPNs and site-to-site VPNs commonly used by workplaces. However, for this article, I'll be talking mainly about the commercial VPN services sold to individuals for general security needs. Instead of a specific network, these VPNs are designed to handle all of a user's traffic to any point on the internet.
What happens when you use a VPN?
First, you use the client to connect to a server — either the fastest one available or a particular location you need. Once you've connected, every request you send to the internet goes through the VPN server first. This communication between your device and the web is encrypted so it can't be traced back to you.
The VPN server decrypts your requests and sends them on. The destination then communicates with the VPN server, which relays the information back to you — after re-encrypting it so nobody follows it home.
Since the VPN does everything on your behalf, it's your "mask" online. Your internet service provider (ISP) and third parties can see what's being done, but — so long as you're not otherwise logged in or identifying yourself — nobody knows that it's you doing it. It's like having a friend order pizza for you so the pizzeria doesn't hear you calling for the third time this week (not that I speak from experience).
What's the point of using a VPN?
Why add an extra step to the already complex process of getting online? The two biggest reasons are maintaining anonymity and changing your virtual location. I've already explained how a VPN keeps you anonymous. Among other things, this prevents your ISP from selling your browsing history to advertisers and protects activists who face government repercussions for what they do online.
Changing your virtual location is part of masking, but it can also be used to see the internet as it's visible in other countries. Streaming services are frequently limited to certain places, and almost all of them change the available content based on their licenses in each nation. You can also use a VPN in a country with a nationwide firewall, like China, to see forbidden outside information sources.
How does a VPN work? The full technical explanation
Most online explanations stop after defining a VPN as an anonymous agent between you and the internet — but I wrote this article to go a little bit deeper. To understand what a VPN is doing on a technical level, we'll need to cover how the internet works, how the VPN knows where to send encrypted information and just what "encryption" actually is.
How the internet transmits data
When you're not using a VPN, internet traffic goes directly from your modem to your ISP, then on to your chosen destination. The key technologies here are IP, which stands for Internet Protocol, and TCP, which stands for Transmission Control Protocol. They're usually combined as TCP/IP.
You may have heard that every online device has an IP address that identifies it to every other device. TCP/IP governs not just those names but how data moves between them. Here's how it works, step-by-step.
1. You click a link or enter a URL into your web browser.
2. Your computer sends a request to your modem, asking to see the page associated with the URL. Your modem forwards the request to your ISP.
3. Your ISP finds a Domain Name System (DNS) server that tells it which IP address is connected to the URL you asked to see. It then sends the request to that IP address along the fastest available route, which will involve being relayed between several nodes.
4. That IP address is connected with a server that holds the content you're looking for. Once it receives the request, it breaks the data down into small packets of about 1 to 1.5 kilobytes.
5. These packets separate to find their own fastest routes back to your ISP, your modem and finally your web browser, which reassembles them.
6. You see a web page, likely no more than a second after you asked for it.
The outgoing requests and inbound packets are key to understanding VPN function. A VPN intervenes during step 2 (when your modem contacts your ISP) and step 5 (when your ISP sends the packets back to you). In the next section, I'll explain exactly what it does during those steps.
How VPN tunneling protects data
You might have heard a VPN's activities described as "tunneling." That term refers to a figurative tunnel being created between your device and the VPN. Data enters the tunnel when it's encrypted by the VPN client and exits when it's decrypted by the VPN server. Between those two points, encryption means nobody can see the true data. It's as though it's traveling through an opaque tunnel.
While the tunnel is a useful metaphor, it may be better to think of VPN encryption as an encapsulation. Each packet of data sent via VPN is "wrapped" in a second packet, which both encrypts the original packet and contains information for reaching the VPN server. However, none of these outer layers have the complete path — each just knows enough to reach the next relay. In this way, the origin point (that's you) remains invisible.
The same thing happens when the internet returns content to show you. Your ISP sends the data to the VPN server, because, as far as it knows, that's where the request came from. The VPN then encrypts each packet and sends them back to you for decryption and reassembly. It takes a little longer with the extra steps; that's why VPNs always slightly slow down your browsing speed, though the best ones don't do that by much (Surfshark is currently the fastest).
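To make the encapsulation just described concrete, here is an added example in Go (written for this page, not code from the article or from any VPN vendor): a constructed inner packet is encrypted whole with AES-256-GCM under an assumed 32-byte session key, then wrapped in an outer header naming only the client and the VPN server. The wire layout, function names and addresses are invented for the illustration; it shows what an on-path observer can read, what the server recovers, and that a tampered packet is rejected instead of being decrypted into garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed wire layout (not any real VPN protocol): [client IP 4][VPN IP 4][nonce 12]
// [AES-256-GCM ciphertext of inner packet + 16-byte tag]. Only the first 8 bytes are readable.
const hdrLen, nonceLen = 8, 12
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encapsulate (client side): encrypt the inner packet whole, then prepend the outer header.
func encapsulate(key []byte, clientIP, vpnIP, realDst [4]byte, payload []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen) // fresh per packet; reusing one under a key breaks GCM
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wire := append(append(clientIP[:], vpnIP[:]...), nonce...)
	inner := append(realDst[:], payload...) // real destination travels inside the ciphertext
	// The outer header is bound as associated data: rewriting it in transit breaks the tag.
	return aead.Seal(wire, nonce, inner, wire[:hdrLen]), nil
}

// decapsulate (VPN server side): authenticate and decrypt, recovering the true destination
// and payload. A wrong key or a single altered byte is an error, never silently garbage.
func decapsulate(key, wire []byte) (realDst [4]byte, payload []byte, err error) {
	aead, err := newAEAD(key)
	if err != nil || len(wire) < hdrLen+nonceLen {
		return realDst, nil, errors.New("bad key or packet too short")
	}
	inner, err := aead.Open(nil, wire[hdrLen:hdrLen+nonceLen], wire[hdrLen+nonceLen:], wire[:hdrLen])
	if err != nil || len(inner) < 4 {
		return realDst, nil, errors.New("authentication failed: altered packet or wrong key")
	}
	copy(realDst[:], inner[:4])
	return realDst, inner[4:], nil
}
```

The session key is assumed to have come from the protocol's handshake, which the next section covers.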
You learned in that last section that two protocols, IP and TCP (usually combined as TCP/IP), are responsible for letting online devices talk to each other, even if they've never connected before. In the same way, a VPN protocol is like a shared language that lets VPNs encrypt, move and decrypt information. See the next section to learn how a VPN protocol works in detail.
How VPN protocols encrypt data
VPN protocols are the technology behind VPNs; every other feature of your VPN is just a method of interacting with them. All protocols are designed to encrypt data packets and wrap them in a second layer that includes information on where to send them. The main differences are the shape of that second layer, the types of encryption used and how the client establishes its initial secure connection with the server.
It's extremely common for VPNs to advertise protocols with "bank-grade" or "military-grade" encryption. This is talking about the 256-bit Advanced Encryption Standard (AES-256), a symmetric encryption algorithm, which is used by financial institutions and the US government and military. AES-256 is indeed some of the strongest available encryption, but it's only part of the story. As a symmetric algorithm, it's not fully secure on its own, because the same keys are used to encrypt and decrypt it — and those keys can be stolen.
For that reason, most VPN protocols use AES-256 (or a similarly strong cipher like ChaCha20) to encrypt the data packets themselves, then combine it with a larger suite of multiple encryption algorithms. One of the most reliable and popular protocols, OpenVPN, uses the asymmetric TLS protocol to establish a secure relationship between client and server, then transmits packets encrypted with AES-256 across that channel, knowing the keys will be safe.
Explaining this could easily reach the length of a book, but the basic principle isn't complicated. In asymmetric encryption, a sender encodes data with a unique key, then a recipient decodes it with a different paired key. The keys are provided by a trusted third party. In a maneuver called a TLS handshake, the server and client send each other encrypted data. If each can decode the other's test data, they know they have a matched pair of keys, which proves that both are the same client and server that got the keys from the trusted authority.
Why not just use asymmetric encryption for the data itself, if it's more secure? Mainly, protocols don't do this because it's a lot slower. Asymmetric encryption requires a lot of resource-heavy math that makes connections drag. That's why OpenVPN and others use the asymmetric-to-symmetric two-step instead.
To summarize, a VPN protocol is a complex set of instructions and tools that control encryption and routing via VPN servers. Protocols still in use include OpenVPN, WireGuard, IKEv2, SSTP and L2TP. PPTP, one of the oldest protocols, is no longer considered secure. On top of these, VPNs often build their own proprietary protocols, such as ExpressVPN's Lightway.
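To make the asymmetric-to-symmetric two-step concrete, here is an added Go example (written for this page, not OpenVPN's or any real TLS code): a simplified stand-in for the handshake in which each side sends a fresh X25519 public key in the clear, the server signs its key with a long-term Ed25519 identity key standing in for a certificate, and both sides arrive at the same 32-byte AES-256 session key that never crosses the wire. The function names, the SHA-256 key derivation and the use of a single signing key in place of a certificate chain are simplifications assumed for the illustration.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed stand-in for the handshake above (not real TLS or any vendor's protocol): each
// side sends a fresh X25519 public key in the clear, the server signs its key with a long-term
// Ed25519 identity key (a certificate's role), and both derive the same 32-byte session key.

// sessionKey combines one side's private key with the other side's public key and hashes
// the shared secret into a fixed-length symmetric key (TLS 1.3 runs an HKDF here instead).
func sessionKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(shared)
	return sum[:], nil
}

// handshake runs both sides locally. identityPriv is the server's long-term key; trustedPub
// is the identity the client already trusts (pinned, or vouched for by a certificate
// authority). Both computed keys are returned so the caller can confirm they agree.
func handshake(identityPriv ed25519.PrivateKey, trustedPub ed25519.PublicKey) (clientKey, serverKey []byte, err error) {
	client, err1 := ecdh.X25519().GenerateKey(rand.Reader) // ephemeral: fresh each session
	server, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("key generation failed")
	}
	serverPub := server.PublicKey().Bytes()
	sig := ed25519.Sign(identityPriv, serverPub) // the server vouches for its ephemeral key
	// The client stops here unless the key is signed by the identity it trusts (an impostor fails).
	if !ed25519.Verify(trustedPub, serverPub, sig) {
		return nil, nil, errors.New("server identity check failed")
	}
	if clientKey, err = sessionKey(client, serverPub); err != nil {
		return nil, nil, err
	}
	serverKey, err = sessionKey(server, client.PublicKey().Bytes())
	return clientKey, serverKey, err
}
```

The returned key is exactly the kind of symmetric key that then encrypts every packet for the rest of the session, which is why the slow asymmetric math only has to run once.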
Putting it all together
Now that we've hit all the relevant information, let's revisit that step-by-step from earlier, this time with a VPN in the mix. Here are the steps, starting with establishing the VPN connection and ending with anonymously viewing a website.
1. You open your VPN client, choose a server location and connect. The VPN client and server authenticate each other with a TLS handshake.
2. The client and server exchange the symmetric keys they'll use to encrypt and decrypt packets for the duration of this session (i.e. until you disconnect). Your VPN client tells you that it's established a secure tunnel.
3. You open your web browser and enter a URL. Your browser sends a request to view the content at that address.
4. The request goes to your VPN client, which encrypts it and adds an outer layer of information with directions to the VPN server.
5. The encrypted request reaches the VPN server, which decrypts it and forwards it to your ISP.
6. As normal, your ISP finds the IP address associated with the URL you entered and forwards your request along.
7. The destination server receives the request and sends all the necessary packets of information back to your ISP, which forwards it to the VPN server.
8. The VPN server encrypts each packet and adds a header directing it to the VPN client.
9. The client decrypts the packets and forwards them to your web browser.
10. You see the web page you opened.
Because of the encrypted tunnel, the request arrives at the VPN server without any information on where it came from. Thus, the VPN doesn't actually encrypt your activity on the websites themselves — for the most part, the HTTPS protocol does that. Instead, a VPN gives you a false name to put in the register, with no information that could be traced back to your real identity.
How to use this information
Now that you know how a VPN works on a technical level, you're better equipped to choose one for yourself. You can cut through marketing hype statements like:
"Military-grade encryption!" (It's the same algorithm everybody uses)
"Stay completely anonymous online!" (Plaintext you post on social media is not encrypted)
"Dodge ISP throttling!" (If your ISP is throttling you based on your IP address, this works — but if you're being slowed down because of your moment-to-moment activity, your identity doesn't matter)
A VPN is just one important part of a complete cybersecurity breakfast. While hiding your IP address, make sure to also use strong passwords, download updates immediately and remain alert for social engineering tactics.
This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/vpn/how-a-vpn-works-and-why-you-should-care-143000250.html?src=rss