A virtual private network — better known as a VPN – is a networking concept that provides security and privacy on the internet. VPN technology has been around since the late 1990s, and its main usage was for business networks. However, the consumer market for VPNs has taken off in the last 12 years, and many people are becoming aware of the benefits of VPN services for personal use.

This guide will explain how a VPN works and why you should use one. The functionality of a VPN is threaded deeply into how devices communicate across networks and over the internet. So, to understand how VPNs work, you will need to know a little networking terminology.

The original purpose of a VPN was to include a remote computer in a business network. The internet was available back in 1996 when the concept of VPNs was first raised. However, typical transmissions had no encryption, and the lack of security on the medium made it unacceptable for businesses.

Businesses wanted an economically viable equivalent of a guarded cable to that remote computer. They were already able to lease a private line between two sites, but that was expensive, and the cost could not be justified for a single computer.

The key concept of a VPN is that internet transmissions should have the same degree of privacy as traffic on cables of a private network contained within a secure office building.

One of the motivations for developing VPNs was that even a dedicated cable between sites was not secure – anyone tracing the cable could tap it and read off all of the data that passed along it. Confounding wire tappers required encryption.

The procedures of a VPN go further than blocking snoopers by encrypting data. Another level of work needs to be performed to fully protect the privacy of traffic that travels across the internet.

Data travels across the internet in small chunks called packets. This stops one long transmission from monopolizing a link and locking everyone else out: a chunk of person A's data gets sent, followed by a chunk of person B's, then a chunk from person C, then the next chunk of person A, and so on.

The cables of the internet are linked together by routers. When you subscribe to the internet, you pay an internet service provider (ISP). Your traffic travels over your access line (phone line, cable, or fibre) to the ISP's network, where it is put through a router. That router has connections to a number of other routers, each of which is connected to several more. By linking many routers together, the whole world gets connected.

So, a data stream that leaves your computer gets broken into packets and sent to your ISP. How does the ISP's router know which neighboring router to forward those packets to? The answer lies with the Internet Protocol (IP), the standard that gives the Internet its name.

The two most important features of the Internet Protocol are the definition of an addressing system and the design of a structure that carries each chunk of data.

The addresses on the Internet are called IP addresses. Each chunk of data has to carry the address of its destination, and the structure that does this is called a packet: a data payload with a header on the front. The header includes the source and destination IP addresses. Routers read the headers of packets in order to know where to send them.

Data security on the internet usually means encrypting the data payload of packets so no one can read its contents; HTTPS works this way. That level of protection is not good enough for businesses that want privacy, because the information in packet headers is also useful to snoopers. Encrypted connections leave the headers in plain text, so anyone reading them knows the sender and the destination of every packet.

Each router makes its own forwarding decision, so there is no fixed path between two computers; different packets of one conversation can take different routes. This gives a little protection in practice, since no single point in the middle of the internet carries everything a given company or individual sends. However, two points on any path are fixed: the router of the sender's ISP and the router of the receiver's ISP.

Internet service providers have made good use of their ability to read all incoming and outgoing packets, and they now routinely block access to many websites around the world. In most cases, these controls are government mandated.

You might have heard that places such as China and Iran have tight controls over internet access, but don't assume your own country offers unrestricted access to the Web. Governments in countries that describe themselves as free also have ISPs block sites, often through court orders, regulator lists, or industry agreements rather than a law that names the sites.

In order to impose these controls, the ISP reads the destination address in the packet header and drops packets bound for the sites on its block list. A further problem with IP address disclosure is data retention: governments including those of the USA, Canada, the UK, France, and Germany have legislated or pushed for ISPs to record connection metadata, meaning the source and destination address of each internet connection and a time stamp, although courts have struck down some of these schemes (the EU's Data Retention Directive was invalidated in 2014).

The recording of all internet connections is a major legal issue, and a service's stance on it is referred to as its logging policy, which we will cover a little later.

A Web server can see the source of every connection request because public IP addresses have to be unique. While connected to the internet, your traffic carries a public IP address that no one else in the world is using at that moment (behind a home router, all the devices in the house share one public address through NAT). To enforce this uniqueness, address space is handed out centrally by the Internet Assigned Numbers Authority (IANA) through the regional Internet registries.

IP address blocks are allocated to ISPs, and the allocations are recorded in public registries, so any address can be traced to its ISP in seconds. The ISP assigns one of its addresses to a customer for the duration of a connection and keeps a record of that assignment. This is how a Web server's log entry can, through the ISP, be traced to a subscriber account and a physical address.

Web servers keep connection logs in files. Anyone with access to those logs can see the IP addresses that connected to the site, and when.

The technical actions of VPN connections might seem a little quirky to some, but their unique operating methods protect the privacy of online activities.

As government and ISPs around the world increased their snooping of private online activity, the obscure procedures of VPN technology became very useful for private individuals. So, now VPNs are used extensively by the consumer market. You are now more likely to need the privacy of a VPN than a big corporation.

Your Web browser and other internet-connected apps on your device, such as chat clients, hand their data to the operating system's network stack. This breaks the data into packets and writes the destination IP address and the device's own IP address into the header of each one before it reaches the network card.

A VPN connection is forged by two services: a VPN client and a VPN server. The VPN client is implemented by a VPN app, which you download onto your device when you sign up with a VPN provider.

Step one

The VPN client intercepts all internet traffic between the point where it is formed into a packet and when it is sent out of the device. The VPN system cloaks the source and destination addresses by encrypting the packet entirely – not just the data payload.

Encrypting the header of a packet creates a problem because every router on the path needs to read the destination address. You cannot let routers decrypt the header without handing them the key, which would defeat the purpose. So a fully encrypted packet, on its own, cannot travel anywhere.

To give routers an address they can read, the VPN client places the entire encrypted packet into the data payload of a new packet and addresses that outer packet to the VPN server. This process is called encapsulation. In most VPN protocols the outer packet is a UDP datagram (OpenVPN, IKEv2/IPsec and WireGuard all default to UDP), so the ISP sees only UDP traffic flowing between your address and the server's.

Step two

The VPN client lets the network card send the encapsulated packet out. The packet passes through the ISP and passes from router to router to the VPN server.

Step three

The VPN server extracts and decrypts the inner packet and then sends it to the internet. The destination address in this original packet will get it to its intended target.

The VPN performs an address-switching function. A server will always reply to the source IP address that is written into the header of a packet it receives. So, the VPN server puts its own IP address in the source address field of the packet.

Step four

As far as the remote server is concerned, it is communicating with the VPN server. It has no way of detecting that there is another device behind the VPN server. The requested content is sent back to the VPN server.

Step five

The VPN server switches addresses back, so its own address in the destination address field of the response is changed to that of the customer that originated the request that this packet replies to. This packet is encrypted and encapsulated and sent back to your device.

Step six

The VPN client intercepts the incoming packet, extracts the inner packet, and decrypts it. The inner packet is then handed to your device's network stack as if it had arrived directly.

Step seven

The network interface of your device delivers the data from the packet to the application that created the original request. So, the application involved in the connection does not know that the connection has been diverted through an intermediate server.

The communication between the VPN server and the Web server involves the original packets sent out by your device. If the data in that packet was unencrypted in the original packet, it will travel from the VPN server to the Web server in that state.

If the data payload in the packet was encrypted before it reached the VPN client, that content encryption endures from your device to the Web server. In short, the VPN server does not access the contents of the data payload or alter it. The VPN client and server actions are concerned with encrypting packets as a block.

So, a transmission can involve several layers of protection. However, the path from the VPN server to the remote server is protected only as well as the application protected it. A plain HTTP request leaves the VPN server as plain text, and the VPN provider is in a position to read or alter it; an HTTPS request stays encrypted end to end. The only influence that the VPN has on that final stretch is address switching.
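Here is the seven-step flow above in runnable form, added here as a worked example rather than code from the page or from any VPN product. It substitutes a toy HMAC-based authenticated cipher for AES-256-GCM so that it runs on the Python standard library alone, builds real 20-byte IPv4 headers, and uses constructed addresses from the documentation ranges (10.0.0.5 for the client, 198.51.100.7 for the VPN server, 203.0.113.10 for the Web server). It shows what the ISP can read, what the Web server can read, that a plain-HTTP payload leaves the VPN server still in plain text, and that a packet modified in transit is rejected.

```python
import hashlib
import hmac
import os
import socket
import struct

# Toy authenticated cipher standing in for AES-256-GCM (an assumption made so the
# example needs only the standard library; not for real use). Keystream blocks are
# HMAC-SHA256(enc_key, nonce || counter); the tag is HMAC-SHA256(mac_key, nonce || ct).
def _keystream(key, nonce, length):
    blocks = [hmac.new(key, nonce + struct.pack("!Q", i), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """key is 64 bytes (32 encryption, 32 MAC); returns nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key[:32], nonce, len(plaintext))))
    return nonce + ct + hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verifies the tag before decrypting, so any bit flipped in transit is rejected."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tunnel packet rejected: bad tag")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key[:32], nonce, len(ct))))

# Minimal IPv4 header (20 bytes): version/IHL, TOS, total length, ID, flags/frag,
# TTL, protocol, header checksum, source address, destination address.
IPV4 = struct.Struct("!BBHHHBBH4s4s")

def _checksum(hdr):
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    hdr = IPV4.pack(0x45, 0, IPV4.size + len(payload), 0, 0, 64, proto, 0,
                    socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt):
    hdr = pkt[:IPV4.size]
    if _checksum(hdr) != 0:                    # a valid header checksums to zero
        raise ValueError("bad IPv4 header checksum")
    f = IPV4.unpack(hdr)
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "payload": pkt[IPV4.size:]}

# Constructed addresses (documentation ranges) and IP protocol numbers.
CLIENT_IP, VPN_SERVER_IP, WEB_SERVER_IP = "10.0.0.5", "198.51.100.7", "203.0.113.10"
PROTO_TCP, PROTO_UDP = 6, 17

def client_send(key, inner):
    # Step one: the whole inner packet, header included, is sealed and becomes the
    # payload of an outer UDP packet addressed to the VPN server (encapsulation).
    return build_ipv4(CLIENT_IP, VPN_SERVER_IP, PROTO_UDP, seal(key, inner))

def server_forward(key, outer):
    # Step three: unseal, swap in the server's own source address, forward.
    o = parse_ipv4(outer)
    i = parse_ipv4(unseal(key, o["payload"]))
    return build_ipv4(VPN_SERVER_IP, i["dst"], i["proto"], i["payload"]), o["src"]

def server_return(key, reply, client_ip):
    # Step five: put the client's address back as destination, seal, encapsulate.
    r = parse_ipv4(reply)
    inner = build_ipv4(r["src"], client_ip, r["proto"], r["payload"])
    return build_ipv4(VPN_SERVER_IP, client_ip, PROTO_UDP, seal(key, inner))

def client_receive(key, outer):
    # Step six: unseal and hand the inner packet to the local network stack.
    return parse_ipv4(unseal(key, parse_ipv4(outer)["payload"]))

def tunnel_demo():
    key = os.urandom(64)                                     # shared client/server key
    request = b"GET / HTTP/1.1\r\nHost: shop.test\r\n\r\n"   # constructed plain HTTP
    outer = client_send(key, build_ipv4(CLIENT_IP, WEB_SERVER_IP, PROTO_TCP, request))
    isp_view = parse_ipv4(outer)                             # all the ISP can read
    forwarded, reply_to = server_forward(key, outer)
    web_view = parse_ipv4(forwarded)                         # all the Web server can read
    reply = build_ipv4(WEB_SERVER_IP, VPN_SERVER_IP, PROTO_TCP, b"HTTP/1.1 200 OK\r\n\r\n")
    delivered = client_receive(key, server_return(key, reply, reply_to))
    tampered = bytearray(outer)
    tampered[IPV4.size + 20] ^= 0x01                         # flip one ciphertext bit
    try:
        server_forward(key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "isp_sees": (isp_view["src"], isp_view["dst"]),
        "isp_payload_is_ciphertext": request not in isp_view["payload"],
        "web_server_sees": (web_view["src"], web_view["dst"]),
        "payload_at_web_server": web_view["payload"],        # still plain HTTP
        "reply_at_client": (delivered["src"], delivered["dst"], delivered["payload"]),
        "tamper_detected": tamper_detected,
    }
```

The last result is why a tunnel cipher must authenticate as well as encrypt: a tunnel that only scrambles the packet would let someone on the path flip bits in the inner header without the server noticing.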

Public Wi-Fi hotspots present a security risk. When your device connects to the network, the encryption enforcement for transmitting your data is dictated by the wireless access point.

Attackers can turn any laptop or phone into a fake Wi-Fi hotspot (an "evil twin") carrying the same network name as the real one. The fake hotspot connects to the genuine access point and relays traffic back and forth, so your Web surfing appears to work normally. Because the attacker runs the access point, the wireless encryption ends at the attacker, and anything not otherwise encrypted, such as plain HTTP and DNS queries, can be read or altered. HTTPS still protects page contents, but the names of the sites you visit are exposed.

VPN encryption is enforced from the client on your device all the way through to the VPN server, and the client authenticates the server during the handshake, so the attacker cannot stand in for it. When the attacker strips the wireless encryption, all that is revealed is the encrypted tunnel traffic. The caveat is that this only holds once the tunnel is up; a kill switch (covered below) stops anything leaking before it connects or if it drops.

The link between the VPN client on your device and the VPN server is called a "tunnel": the inner packets travel through it unchanged and unseen by the network in between. Anyone watching the path sees only traffic between your device and the VPN server, never the actual final destination of a connection.

The ISP will log the destinations of the packets that leave your device. However, these IP addresses are for the VPN service.

Once the VPN client has established a connection to a VPN server, your device can contact many different Web servers within the protection of that secure tunnel.

There are a number of benefits to preventing your ISP from seeing your online activity. One is variable service. ISPs have been accused of degrading the quality of service for specific types of traffic, especially video streams. The best-known case involved Netflix traffic on Comcast's network in 2013 and 2014, which recovered only after Netflix paid Comcast for a direct interconnection. This practice is known as throttling and is very difficult to prove. A VPN helps only when the slowdown is keyed on the type or destination of the traffic; it cannot help against a cap on your total bandwidth, and some ISPs slow down VPN traffic itself.

Another type of traffic that users want hidden from ISP detection is P2P file sharing. Torrenting copyrighted entertainment without paying is illegal, and ISPs interfere with or block the protocol. Inside a VPN tunnel the ISP cannot see which protocol is in use, although the VPN provider can, and analysis of packet sizes and timing can still give hints.

The tunnel provides the privacy of a virtual private network.

Consumer VPN services offer a list of VPN server locations. Because the remote site sees the VPN server's address rather than yours, the server's location becomes your apparent location, and this identity masking has proved an unexpected attraction for the general public because of the growth of streaming services and how the entertainment industry is organized.

The producers of entertainment sell the broadcast rights per territory. One reason market segmentation follows national borders is censorship: a scene in a movie that is acceptable in the USA might not be acceptable in India, so although a movie might be released globally, it is actually a different product in each country because of editing.

When TV stations put their content on their websites, they needed to control access to those videos to keep in compliance with the media rights they paid for. Thanks to the traceability of IP addresses to a physical location, access controls were very easy to implement.

When a video server receives a request, it first checks where the request came from by looking up the source IP address in a geolocation database that maps address blocks to countries. If that location is in the right country, the server sends back the video stream; if the request comes from a different country, it sends a blocking message. VPNs get around these location restrictions because the request arrives from the VPN server's address.

On opening the VPN app, you are able to select a VPN server location. This list gives you options over which country to channel your internet traffic – some VPNs go down to the city level. You will get the IP address and location of the VPN server you choose.

You will be blocked if you try to access BBC iPlayer from outside the UK. With a VPN server in the UK selected, the request appears to come from the UK and you will get in. Similarly, Hulu is only available from within the USA, but if you are traveling you can still watch by selecting a VPN server in the USA. Be aware that streaming services fight back by blocking address ranges known to belong to VPN providers, so this only works with providers that keep adding and rotating addresses.

Netflix, Amazon Prime Video, and Disney+ are special exceptions. A subscriber in one country is allowed to access the service even when outside of the country of subscription. However, thanks to media rights rules, you will get the library for the country you are in, not the country you are from. With a VPN, you can browse the library of any country in these multi-national streaming services.

The original purpose of VPNs was to enable a remote device to be included in a local network. IP addresses on a private network only have to be unique within that network. Almost all private networks use the same reserved ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), which are never routed on the internet; they are unique within each network but duplicated across the world.

The complication of local addresses in connections with the outside world is resolved by network address translation (NAT). VPNs use this system to switch the IP address that represents each VPN user.

VPNs use two types of NAT: one is straightforward address substitution, and the other is port address translation (PAT).

VPN servers that use NAT have a pool of IP addresses, and they allocate one to a user at the start of each session. When that user closes the connection, the address goes back into the pool for use by another customer. The relationship between a user’s real IP address and the temporary address allocated by the VPN is written into a NAT table. When a reply comes in from a remote server, the VPN system looks at the IP address in the header, looks that up in the table, and gets the real IP address linked to it. This goes into the outer packet for transport back to the user.

With port address translation, the VPN server needs just one public IP address. Alongside the IP address, every TCP and UDP packet carries a port number for the source and for the destination. Well-known services have fixed port numbers: 21 for FTP (file transfers), 110 for POP3 (email), 80 for HTTP and 443 for HTTPS (Web pages). Port numbers run from 0 to 65535, and the top of the range (49152 to 65535) is reserved for temporary use, so a client picks a port there as the source port of each new connection.

A PAT system rewrites the source port of each outgoing packet to a port that is not currently in use on the server, replaces the source IP address with its own, and records the mapping from that new port back to the customer's IP address and original port in the PAT table. For example, two customers might both open a connection to a Web server from source port 50000; the VPN server sends one out from port 49152 and the other from 49153. When the Web server replies, the reply is addressed to port 49152 or 49153, and the VPN server looks that port up in the table, restores the customer's address and original port, and sends the reply down the right tunnel. The destination port (443 for HTTPS, 22 for SSH) is never changed; only the customer-side port is.
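The PAT table in action, as an added example (not code from the page or from any VPN server). It keeps the two lookups the text describes, one keyed on the customer's address and port and one keyed on the assigned public port, and handles the case the description glosses over: two customers choosing the same source port at the same time. The addresses are constructed from the documentation ranges, and the 10.8.0.0/24 tunnel addresses are an assumption.

```python
import itertools
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """The addressing fields of one TCP/UDP packet."""
    src: str
    sport: int
    dst: str
    dport: int

class PortAddressTranslator:
    """One public address shared by every tunnel user; client flows are told
    apart by the source port the server assigns to each of them."""
    POOL = range(49152, 65536)      # IANA dynamic range; well-known ports untouched

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.out_table = {}          # (client_ip, client_port) -> public port
        self.in_table = {}           # public port -> (client_ip, client_port)
        self._cursor = itertools.cycle(self.POOL)

    def _allocate_port(self):
        for _ in range(len(self.POOL)):
            port = next(self._cursor)
            if port not in self.in_table:
                return port
        raise RuntimeError("port pool exhausted")

    def outbound(self, pkt):
        """Client -> internet: rewrite source address and port, remember the mapping."""
        key = (pkt.src, pkt.sport)
        if key not in self.out_table:
            port = self._allocate_port()
            self.out_table[key] = port
            self.in_table[port] = key
        return Flow(self.public_ip, self.out_table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> client: the reply's destination port selects the client.
        Returns None (drop) for anything no client asked for."""
        key = self.in_table.get(pkt.dport) if pkt.dst == self.public_ip else None
        return Flow(pkt.src, pkt.sport, key[0], key[1]) if key else None

    def disconnect(self, client_ip):
        """Session over: delete the client's mappings. A no-logs service stops
        here; a logging one would write them out with timestamps first."""
        keys = [k for k in self.out_table if k[0] == client_ip]
        for k in keys:
            del self.in_table[self.out_table.pop(k)]
        return len(keys)

def pat_demo():
    pat = PortAddressTranslator("198.51.100.7")     # constructed VPN server address
    web = "203.0.113.10"                            # constructed Web server address
    # Two tunnel users happen to pick the same source port for an HTTPS connection.
    a = pat.outbound(Flow("10.8.0.2", 50000, web, 443))
    b = pat.outbound(Flow("10.8.0.3", 50000, web, 443))
    a_again = pat.outbound(Flow("10.8.0.2", 50000, web, 443))   # existing mapping reused
    reply_to_a = pat.inbound(Flow(web, 443, "198.51.100.7", a.sport))
    reply_to_b = pat.inbound(Flow(web, 443, "198.51.100.7", b.sport))
    unsolicited = pat.inbound(Flow(web, 443, "198.51.100.7", 49999))  # nobody asked
    removed = pat.disconnect("10.8.0.2")
    after_close = pat.inbound(Flow(web, 443, "198.51.100.7", a.sport))  # now dropped
    return {"a": a, "b": b, "a_again": a_again, "reply_to_a": reply_to_a,
            "reply_to_b": reply_to_b, "unsolicited": unsolicited,
            "removed": removed, "after_close": after_close}
```

Replies are routed purely by the table, not by subtracting an offset, so nothing about the customer can be derived from the port alone once the entry is gone. The disconnect step is exactly where a logging provider would write the entry to disk before deleting it.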

A VPN service must ensure that none of its clients’ activity data is disclosed.

The mandatory logging of ISPs can be countered by VPNs. However, that protection is completely undone if the VPN itself keeps logs.

When a customer disconnects from the VPN service, the relevant entry in the NAT table is deleted. However, if that record is written out to a file, together with a timestamp for the start and end of the session, then an activity log will be created.

Governments require ISPs to retain activity logs because it leaves a paper trail for law enforcement agencies and copyright lawyers. Anyone tracing internet usage from a server back to an individual loses the trail at the VPN server, unless the VPN's activity logs are available. If they are, the investigator can get a court order and force the VPN to hand them over, which completes the path right back to the user.

When you look into VPN services, you will notice that they all boast about a no-logs policy. However, these claims are not always accurate, and some providers have been shown to keep logs despite them. If a VPN service genuinely keeps no activity logs, then there is nothing for the authorities to seize. This is why it is important to read the actual logging policy, and preferably an independent audit of it, before subscribing.

The procedures that VPNs implement are laid down in a set of guidelines called a protocol. There are many VPN protocols available, and some are better than others. Here are some of the protocols that you might encounter.

  • PPTP – The Point-to-Point Tunneling Protocol, released in 1996 by Microsoft and partners, was the first widely deployed VPN system. Its MS-CHAPv2 authentication and RC4-based MPPE encryption are broken, and Microsoft itself recommends other VPN protocols. Treat it as obsolete.
  • OpenVPN – This open-source system is the most widely used VPN protocol in commercial services. It uses TLS (via the OpenSSL library) for its control channel, which authenticates the server and negotiates keys, and a separately negotiated symmetric cipher, typically AES-256-GCM, for the data channel that carries the tunnel. It runs over UDP by default or TCP where needed.
  • SSL/TLS – The Secure Sockets Layer is not a VPN protocol by itself; it is the protocol that protects secure websites (HTTPS). The original SSL versions had security weaknesses and were replaced by Transport Layer Security (TLS), but the name SSL is still widely used. Several VPN protocols, including OpenVPN and SSTP, build their tunnels on top of TLS.
  • SSTP – Microsoft's Secure Socket Tunneling Protocol carries the tunnel inside a TLS connection on TCP port 443, so it passes through most firewalls, but it is mainly supported on Windows.
  • IPsec – IP Security is a suite of IETF standards, not a product of any one vendor, that works at the IP layer; its ESP component encrypts and authenticates packets. Because IPsec itself does not authenticate the peers or agree on keys, it is always paired with a key management protocol, which is why you see it as IKEv2/IPsec or L2TP/IPsec.
  • L2TP – The Layer 2 Tunneling Protocol creates a tunnel but doesn't implement encryption. For this reason, the service is always paired with IPsec, which provides encryption; you will see this combination written as L2TP/IPsec.
  • IKEv2 – Internet Key Exchange version 2 authenticates the two ends and negotiates the keys that IPsec then uses. Its MOBIKE extension lets a session survive a change of network, so a phone moving between Wi-Fi and mobile data stays connected, which is why IKEv2/IPsec is the preferred package for mobile devices.
  • WireGuard – This is another open-source protocol, and it is new. It does not use SSL/TLS: it is built on the Noise protocol framework with a fixed set of primitives (Curve25519 key exchange, ChaCha20-Poly1305 encryption, BLAKE2s hashing), so there is no cipher negotiation to get wrong. Its code base is a few thousand lines, against hundreds of thousands for OpenVPN plus OpenSSL, and it has been part of the Linux kernel since version 5.6, which is why it is fast and light on battery.

The original purpose of VPNs was to protect the internet connections of companies. This requirement created two types of VPN systems. Consumer VPNs are a little more complicated and create a third category. So there are three types of VPNs:

  • Remote access VPNs: The remote access VPN is the scenario that enables individual remote devices to securely plug into an office network. Although this VPN service has an app on the device to open connections, the other end of the tunnel is usually fixed and not open to selection by the user.
  • Site-to-site VPNs: Site-to-site VPNs offer secure connections between networks. This cheap alternative to a leased line gave early VPN services their marketing edge.
  • Consumer VPN services: Consumer VPN services are the type of system we review. These VPNs offer a choice of locations and are useful for breaking through the geographical location-blocking systems on streaming services.

Here is a summary of the useful services that VPNs offer:

  • Prevents ISPs from tracking the sites you visit (they see only the VPN server's address)
  • Gets around ISP-level blocking of websites
  • Protects traffic on Wi-Fi hotspots
  • Hides torrent traffic from the ISP (it does not make downloading copyrighted material legal)
  • Unblocks regional restrictions on streaming services, where the service does not already block the VPN's addresses
  • Prevents throttling that targets specific types of traffic

Recommended VPNs

Our top pick!
  • Always evades internet control in the PRC
  • Keeps ahead of the Netflix VPN detection algorithm
  • Benchmark tests show excellent speed
  • More US city locations than its rivals
  • Includes malware protection
  • No-logs policy
  • Smart DNS service
  • Comprehensive security add-on package
  • No data throughput limits

Hundreds of VPN services are available, but many are not good. Look for the following features:

Apps for your devices

One of the first things to ensure is that a VPN has apps for all of the operating systems of the devices that you possess. Typically, a consumer VPN service will have apps for Windows, macOS, iOS, and Android, and some also cover Linux.

Of those systems, the one that has the least availability is Linux.

Simultaneous connection count

Some VPN services allow you to run VPN connections on an unlimited number of devices simultaneously, while others only allow one device to be connected at a time. This is termed a "simultaneous connection allowance." Typically, VPN packages offer six or seven.

Strong encryption

Consumer VPNs don't always publish the technical details of their services, so it can take some digging to discover their ciphers. For the tunnel, look for AES with a 256-bit key, written as AES-256 (ideally in GCM mode), or ChaCha20-Poly1305, which WireGuard uses. Session establishment relies on public-key cryptography: RSA certificates with 2048-bit keys are common and still acceptable, 4096-bit keys are stronger, and 1024-bit RSA is too weak to trust. The key exchange should also provide forward secrecy (ephemeral Diffie-Hellman, usually ECDHE), so that a server key compromised later cannot be used to decrypt sessions recorded earlier.

No logs policy

You need to make sure that the VPN keeps no logs at all. You might have to dig into the Terms of Service and Privacy Policy to ensure that their no-logs claims are actually implemented.

Kill switch

This mechanism in the app blocks all internet traffic from your device whenever the VPN tunnel is not active, including the moments when a connection drops and the app reconnects. Without it, applications quietly fall back to your normal connection and expose your real IP address, and DNS queries go straight to your ISP. The most reliable design is a firewall rule set that only lets packets out through the tunnel interface or to the VPN server itself, rather than a check the app performs after it notices a disconnection.
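A kill switch expressed as a rule set over outbound packets, added here as an example (not code from the page or from any VPN app). The VPN server address, tunnel port and interface name are assumptions. The sample packets include the classic leak: a DNS query sent to the ISP's resolver over the physical interface while everything else goes through the tunnel.

```python
import ipaddress
from dataclasses import dataclass

# Assumed tunnel parameters (not from the page): the VPN server's public address,
# the UDP port the tunnel runs on, and the virtual interface the VPN client creates.
VPN_ENDPOINT = ipaddress.ip_address("198.51.100.7")
VPN_PORT = 51820
TUNNEL_IFACE = "tun0"
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Egress:
    iface: str      # interface the packet would leave on
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int

def kill_switch_verdict(pkt, allow_lan=False):
    """Outbound firewall policy. It never consults a 'tunnel is up' flag: any packet
    that would leave on a physical interface, other than the tunnel's own handshake,
    is a leak whether the VPN is connected, reconnecting, or has crashed."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst.is_loopback:
        return "allow"                               # local services
    if pkt.iface == TUNNEL_IFACE:
        return "allow"                               # inside the tunnel
    if dst == VPN_ENDPOINT and pkt.proto == "udp" and pkt.dport == VPN_PORT:
        return "allow"                               # needed to build or rebuild the tunnel
    if allow_lan and any(dst in net for net in LAN_NETS):
        return "allow"                               # printers, file shares, if opted in
    return "drop"                                    # everything else bypasses the VPN

def kill_switch_demo():
    # Constructed packets; 192.0.2.53 plays the ISP's DNS resolver.
    cases = {
        "https_via_tunnel":       Egress("tun0",  "203.0.113.10", "tcp", 443),
        "tunnel_handshake":       Egress("wlan0", "198.51.100.7", "udp", 51820),
        "dns_to_isp_resolver":    Egress("wlan0", "192.0.2.53",   "udp", 53),
        "https_bypassing_tunnel": Egress("wlan0", "203.0.113.10", "tcp", 443),
        "localhost":              Egress("lo",    "127.0.0.1",    "tcp", 8080),
        "lan_printer":            Egress("wlan0", "192.168.1.20", "tcp", 9100),
    }
    verdicts = {name: kill_switch_verdict(p) for name, p in cases.items()}
    verdicts["lan_printer_opted_in"] = kill_switch_verdict(cases["lan_printer"], allow_lan=True)
    return verdicts
```

A real implementation installs the same rules in the operating system's firewall (nftables, pf, or the Windows Filtering Platform) so they stay in force even if the VPN app itself dies.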

Ad and tracker blocker

This is a nice extra feature that many VPN services now include, especially in their browser extensions. Free VPNs don’t have these features; in fact, many will actually track your activity and inject ads into the Web pages that you access.

Unblocks Netflix

The ability to dodge the location blocks of streaming services is often expressed as “will unblock Netflix.” This is because Netflix used to have the most comprehensive VPN detection systems in the business. Nowadays, ABC.com in the USA and Channel 4 in the UK have much tougher blocks; however, if a VPN admits that it can’t get into Netflix, move on.

The easiest way to use a VPN is to subscribe to a service that provides a VPN app. With these systems, the setup process is simple:

  1. Click on a download link in the VPN site for your operating system to start the download.
  2. Click on the downloaded file to open the installer.
  3. Let the installer unpack the app and put an icon on your Home screen.
  4. Click on the VPN icon to open the app.
  5. Sign in with your VPN credentials.
  6. Select a server location.
  7. Press the VPN app On button.

It is possible to install a VPN manually, but it is quite complicated.

Install a VPN on Windows

  1. Open the Start menu and select Settings  > Network & Internet  > VPN > Add a VPN connection.
  2. Enter the following information in the Add a VPN connection screen
  3. VPN provider: Windows (built-in)
  4. Connection name:  make up your own name for the connection
  5. Server name or address:  enter the address for the VPN server
  6. VPN type: this will be the protocol used by the VPN
  7. Type of sign-in info: choose from the dropdown list (will probably be username and password)
  8. Username: your VPN service username
  9. Password: your VPN service password
  10. Click on Save.

When you want to connect to this VPN, select it from the list of available networks.

Install a VPN on a Mac

  1. On the Apple menu, select System Preferences (called System Settings from macOS Ventura onward), then Network
  2. Click the Add button, click on Interface, then select VPN
  3. Click on VPN Type and select the protocol
  4. Enter a name for the VPN
  5. Click on Create
  6. Enter the server address and the account name for the VPN
  7. Click Authentication Settings and select the type of authentication for your VPN
  8. Click Apply
  9. Click on OK
  10. Select Show VPN status in the menu bar to use the VPN status icon for connection control

Install a VPN on Android

Each version of Android has a different menu structure, so your device might not work in exactly the same way as described below.

  1. Open the Settings system of your device
  2. Select Network and Internet
  3. Select VPN – you might need to tap on Advanced to reveal this option
  4. Click the Add symbol at the top of the VPN page
  5. Enter the following details in the Edit VPN profile screen:
  6. Name: make up a name
  7. Type: select from the list – the following options will change depending on the protocol that you select
  8. Server address: enter the address for your chosen VPN server
  9. Username: your VPN service username
  10. Password: your VPN service password
  11. Tap on Save

The Always-on VPN option keeps the VPN active all the time. It isn't available for PPTP profiles, and for the other protocols it only appears if you check the Show advanced options box and fill in the DNS server information.

Install a VPN on an iPhone

For a typical iOS VPN setup, here are the details of creating a VPN profile on an iPhone.

  1. Open the Settings menu
  2. Select General
  3. Select VPN
  4. Select Add VPN Configuration
  5. In the Add Configuration screen, enter the following:
  6. Type: Select from IKEv2, IPsec, or L2TP
  7. Description: write a description
  8. Server: enter the VPN server address
  9. Remote ID: an identifier for the server, usually its hostname, that you get from your VPN provider
  10. Local ID: leave blank unless your provider specifies a value
  11. User Authentication: select the authentication system
  12. Username: enter your VPN service username
  13. Password: enter your VPN service password
  14. Proxy: Leave as Off
  15. Tap on Done in the top left of the screen

FAQs

Can you recommend a good VPN service?

Focus on the top VPN providers mentioned above. Look at: ExpressVPN, NordVPN, Surfshark, and CyberGhost.

Are there any good free VPNs?

Be careful of free VPNs. Creating and maintaining a VPN service costs a lot of money, so it isn’t financially feasible that a free system will be any good. Most of these free systems make their money by other means, which could be stealing your personal data. We rounded up the best free VPNs here.

Can I get a VPN in China?

Running a VPN service is illegal in China, so it is difficult to buy one locally. Most VPN services in China have their main websites blocked in the country. So, if you are visiting the People’s Republic, subscribe to a VPN before you leave your home country.

Which is the best VPN protocol?

OpenVPN has a very good reputation and was generally considered the best VPN protocol until WireGuard came along. WireGuard offers comparable security with a much smaller and simpler code base (a few thousand lines against the hundreds of thousands in OpenVPN plus OpenSSL), which makes it faster and easier to audit. On the downside, it is younger and lacks OpenVPN's long track record in production, and its design keeps the last-seen address of each peer on the server, which providers have to work around to honour a no-logs promise.