Skip to main content
Explainer · privacy

What is a VPN and how does it work?

A VPN is an encrypted tunnel between your device and a server run by the VPN provider. The server relays your traffic to the wider internet, so the sites you visit see the server's IP instead of yours. That's the whole trick — but the details of how the tunnel works, and what it does and doesn't protect, are where most of the confusion lives.

What a VPN actually is

VPN stands for virtual private network. The name comes from its original corporate use: giving a remote worker a secure connection into an office network as if their laptop were plugged in there. Consumer VPNs repurpose that same technology for privacy and to change the apparent origin of your traffic.

Mechanically, a VPN does two things at once. First, it builds an encrypted tunnel between an app on your device (the VPN client) and a server operated by the VPN provider. Second, that server acts as a relay: it takes your traffic out of the tunnel, forwards it to whatever service you asked for, and sends the reply back through the tunnel to you. Because the request comes from the VPN server, the destination sees the server's IP address, not the one your ISP gave you.

How the tunnel works, step by step

Walk a single web request through the system:

  1. Your client encrypts the packet. Before anything leaves your device, the VPN client wraps your outgoing packet — destination address, data, and all — inside an encrypted envelope. The only readable part is the outer header, which is addressed to the VPN server's IP.
  2. Your ISP forwards an opaque blob. The encrypted packet travels across your local network and through your ISP exactly like any other traffic. But your ISP can no longer see where you are ultimately going or what you are sending. All it sees is a stream of encrypted packets flowing to one address: the VPN endpoint. It can tell you are using a VPN and how much data you move, but not the contents.
  3. The VPN server decrypts and forwards. The packet arrives at the VPN server, which unwraps the envelope, reads the real destination, and sends the request out to the internet under its own IP address. The reply comes back to the server first.
  4. The reply is re-encrypted and returned. The server wraps the response in the tunnel again and sends it back to your client, which decrypts it and hands the data to your browser. From the browser's point of view, nothing unusual happened.

The upshot: the leg your ISP and local network can watch is fully encrypted, and the leg the destination can watch appears to originate from the VPN server. You haven't made your traffic invisible — you've relocated who can see what.

The common protocols, and how they honestly differ

The tunnel needs a set of rules for how to negotiate keys, encrypt data, and keep the connection alive. That rule set is the protocol. A handful dominate, and they are not interchangeable.

WireGuard — modern, fast, lean

The newest mainstream option and, for most people, the best default. WireGuard runs on a small codebase (a few thousand lines, versus hundreds of thousands for older stacks), which makes it easier to audit and generally faster, with lower latency and quicker reconnects. Its one wrinkle is that it was designed around fixed device addresses, so providers add their own layer to rotate addresses for privacy. If your app offers it, WireGuard is usually the pick.

OpenVPN — mature and flexible

For years the de facto standard for consumer VPNs: battle-tested, extensively audited, and highly configurable. It can run over TCP on port 443, which makes its traffic resemble ordinary HTTPS and helps it slip through restrictive firewalls that block other protocols. It is heavier and typically a bit slower than WireGuard, but its flexibility keeps it relevant.

IKEv2/IPsec — great on mobile and roaming

IKEv2 (paired with the IPsec suite) is the quiet workhorse on phones. Its standout feature is how gracefully it handles a changing network: walk out of Wi-Fi range and your phone switches to cellular, and IKEv2 re-establishes the tunnel almost instantly instead of dropping. It is fast, stable, and natively supported on iOS, Android, and Windows.

PPTP and L2TP — legacy, and one to avoid

PPTP is insecure and should not be used. Its encryption has been broken for many years and is considered trivial to defeat; treat any “free VPN” that only offers PPTP as offering no meaningful protection at all. L2TP is a tunneling protocol with no encryption of its own, so it is paired with IPsec (L2TP/IPsec); it works but is slower and has largely been superseded by the three options above. If you have a real choice, reach for WireGuard, OpenVPN, or IKEv2.

What a VPN genuinely protects

What a VPN does not do

This is where marketing tends to overpromise. A VPN is a narrow tool, and understanding its limits is the whole point.

The logging and trust question

Because the provider can see your destinations, everything hinges on what it does with that visibility. Many services advertise a “no-logs” policy, meaning they claim not to record which sites you visit or which IPs you were assigned. The honest framing is that this is a promise, not a technical guarantee you can verify from the outside. Independent audits or claims tested in court are stronger signals than a marketing badge, but they still require you to trust the operator and its jurisdiction. The right question is never “is the encryption strong?” — it almost always is — but “do I trust this company with the visibility my ISP used to have?”

Leaks: the ways your real IP escapes the tunnel

A VPN only protects you if all your traffic actually goes through the tunnel. Several common failure modes let your real IP slip out even while the VPN shows as connected. These are worth testing rather than assuming.

If you want to change your apparent IP as an end in itself rather than build an encrypted tunnel, the broader menu of options — including proxies and Tor — is covered in how to hide your IP address.

The short version

A VPN encrypts everything between your device and a server you've chosen, then relays your traffic so the outside world sees the server. That protects you from your ISP and from snoops on the local network, and it hides your IP from the sites you visit. It does not make you anonymous, it does not stop fingerprinting or cookies, and it hands the visibility your ISP had to the VPN provider. Seen clearly as a tool that moves trust rather than erasing it, a VPN is useful — sold as an anonymity cloak, it will let you down.

Related reading

Frequently asked questions

Does a VPN make you anonymous?

No. A VPN hides your IP address from the websites you visit and encrypts your traffic against your local network and ISP, but it does not make you anonymous. Websites can still identify you through cookies, logged-in accounts, and browser fingerprinting, and your VPN provider can see the traffic your ISP used to. A VPN moves trust from your ISP to the VPN operator — it does not remove the need to trust someone.

Which VPN protocol should I use?

For most people WireGuard is the best default: it is fast, has a small modern codebase, and reconnects quickly. OpenVPN is a mature, flexible alternative that is good at getting through restrictive networks. IKEv2/IPsec is excellent on phones because it survives switching between Wi-Fi and cellular. Avoid PPTP entirely — its encryption has been broken for years and it should be considered insecure.

Can my VPN provider see my traffic?

Yes. The VPN server decrypts your traffic in order to forward it, so the provider is in the same position your ISP was: it can see which sites you connect to, and for unencrypted (plain HTTP) connections it can see the contents. HTTPS still protects the contents of most traffic, but the provider can always see the destinations. This is why the provider's logging policy and trustworthiness matter more than any marketing claim about encryption strength.