How does a VPN work, and do you need one?

These days, VPNs are everywhere. Many workers rely on them to access their email and corporate files while they’re outside the office. Others use them to visit sites and watch content that isn’t normally available in their country. Or to better protect their internet traffic while they’re browsing the web on a public Wi-Fi network.

Using a VPN is usually quite straightforward: launch the client, click connect. But understanding how one works is trickier. Tunneling? Encapsulation? These terms are hardly commonplace, unless you’re an IT or security professional. Here, we’ll break down the basics and answer a common question: is it always necessary to use a VPN while connected to the internet?

The basics: How does a VPN work?

A VPN acts as a gatekeeper between your device and whatever you’re trying to interact with – it could be a public website like 1Password.com, a streaming service, or some files stored on your company’s private network.

Normally, when you ask for a site like 1Password.com, your internet service provider (ISP) takes that request and returns with the data necessary to load the page in your browser. But with a VPN, your request is routed through a VPN-controlled server before it reaches the place where the website is stored.

Consumer-focused VPN providers like ExpressVPN and NordVPN have servers scattered all over the world. That’s why someone in France can use a VPN to watch a show or movie that’s only available in the United States. The VPN tricks the streaming service into thinking the request came from one of its servers, rather than the person based in France.

A corporate VPN works in a slightly different way. It acts as a gatekeeper between your device and everything stored on your company’s private network. Instead of a site or streaming service, the final destination is a server or database that normally can’t be accessed unless you’re in the office.

At this point, you’re probably wondering: “Okay, but how does a VPN actually protect your privacy and the data you’re sending back and forth?” That’s where encapsulation and encryption come in.

Packets, tunneling, and Encapsulation

To understand VPNs, we have to talk about packets. When you send data over the internet, it’s broken down into blocks called packets. Each packet comes with a series of instructions, known as headers, that explain the source and destination, how they should be put back together, and more.

VPNs use “tunneling” to protect these morsels of data while they’re in transit. Each packet is placed inside another packet – a process called “encapsulation” – to mask what’s inside. It’s a bit like putting a colorful bag of sweets inside another bag with zero branding. Or a small suitcase inside of a larger one. In a sea of similar data packets, a cybercriminal won’t know what’s worth targeting.

But tunneling isn’t enough. VPNs also use encryption to protect the data itself. Every packet you send is encrypted before it leaves your device and then decrypted once it reaches the VPN’s servers. The same process is carried out in reverse. Data you’ve requested – whether that’s a site or company file – is encrypted by the VPN and finally decrypted once it reaches your device.

How does VPN encryption work?

VPNs leverage symmetric and asymmetric key encryption to protect your data from prying eyes.

A “key” is similar to a secret code. Imagine that you and a friend want to share secret notes in a cafe. You agree beforehand to scramble the messages with a “plus five” rule, meaning that every letter should be swapped for one five places later in the alphabet. (So “hello” would become “mjqqt,” and vice versa.)

In this example, you would be using symmetric encryption, because the same secret code or “key” is used to encrypt and decrypt each message.

Asymmetric encryption relies on public and private keys. You can think of these like interlocking puzzle pieces, or a mailbox outside your house that’s locked with a special key. Anyone can use your public key to encrypt a message, but only your private key – which, as the name implies, is private – can decrypt it.

The advantage of asymmetric encryption is that you never have to share your private key over the internet. It stays on your device, which makes it awfully difficult for a cybercriminal to steal.

VPNs use both symmetric and asymmetric encryption to protect your internet traffic. Why? Imagine that your data was protected with a single symmetric key. Whoever created the key would need to share it with the other party over the internet. And if a cybercriminal found it in transit, they could theoretically decrypt every data packet you sent.

VPN providers avoid this in two ways. First, they create a new symmetric key every time you connect to the VPN, or start a new “session.” That way, if a thief somehow obtained the key, it would only expose the data from that specific session. (This is sometimes known as Perfect Forward Secrecy.) In addition, the symmetric key is securely shared using asymmetric encryption. A similar key exchange takes place when you text someone on a secure messaging app.

VPN protocols

VPNs use frameworks called “protocols” to authenticate the connection. The most common protocols include:

• OpenVPN
• IKEv2 (Internet Key Exchange version 2)
• WireGuard
• Lightway
• SoftEther
• PPTP (Point-to-Point Tunneling Protocol)
• SSTP (Secure Socket Tunneling Protocol)
• L2TP (Layer 2 Tunneling Protocol)

Some VPN protocols are known for their speed, while others are focused on top-notch security. Both can be useful depending on what you’re doing. If you’re streaming a show, for example, you probably care more about the resolution of the video and making sure it doesn’t stutter. Whereas if you’re working on a project for work, you might not mind if it takes an extra minute to upload to your company’s server.

Many VPN companies accommodate for this by offering a few different protocols. Surfshark supports OpenVPN, IKEv2, and WireGuard, for example.

Should everyone use a VPN?

Not everyone. Yes, a VPN can be an effective way to protect your internet traffic. It’s also a clever workaround when you need to access geo-restricted content. But for some, a VPN could be unnecessary. You might have taken other precautions to protect yourself online, or simply want to prioritize the performance of your network connection.

For example, a corporate VPN might be suitable if your company has a mix of remote and office-based workers. But as the UK’s National Cyber Security Centre explains, the benefits of a VPN might be limited if you’ve already adopted a zero-trust model.

Zero trust is based on the “never trust, always verify” principle and uses a combination of technologies – typically single sign-on (SSO) and identity and access management (IAM) services – to verify employees and control the files, apps, and services they have access to. That allows companies of all sizes to protect their data without setting up and maintaining a complicated VPN.

Here’s how the U.S. National Institute of Standards and Technology (NIST) describes it: “Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”

Okay, but what about people who aren’t at work? Again, it’s a little complicated. As The New York Times reports, security on the web is slowly improving. More sites are adopting HTTPS, a web protocol that leverages a robust form of encryption called SSL or TLS. And that goes a long way towards making the web a more secure and privacy-respecting place.

But that doesn’t mean a VPN can’t be useful. Some websites still don’t support HTTPS, for example. And beyond the browser, it can be hard to tell which software is encrypting your data or relying on insecure protocols. A VPN can act as a safety net in these scenarios, protecting all of the traffic that your device is sending and receiving.

HTTPS also doesn’t help if you want to visit a website or stream a show that isn’t available in your region. So if you live in a country with large amounts of censorship, or just want to watch Hulu outside the U.S., a VPN is still your best bet.

The bottom line

A VPN is an important layer of protection that can greatly improve your online privacy. But sometimes you might not need that privacy. Or simply feel that the hit to your internet connection speeds isn’t worth it. When you turn on your PC or wake up your phone, take a moment to consider what you’ll be doing online and whether a VPN is appropriate. That way, you can make sure that you’re always striking the right balance and preserving your privacy when it matters the most.

Nick Summers

Content Marketing Manager