If you spend much time online, you have probably come across the abbreviation “VPN.” Forum dwellers often suggest these three letters as an online privacy solution, an unblocker, and much more.
But what exactly is a VPN and how does it work? That’s a topic we’re going to address here. Hopefully, after this short read, you’ll be familiar with how a VPN works and how it can be useful in your day-to-day activities.
What is a VPN?
VPN stands for Virtual Private Network. In everyday use, the term usually defines one of these two things:
- A service that uses a VPN tunneling protocol to redirect the user’s traffic through a remote server
- A networking tool to extend a private network over your public connection
What does this mean?
Well, VPNs were originally created for businesses to remotely access a company’s intranet. This allows employees to use sensitive company resources and applications from any location securely.
This is the “real” meaning of the term, but it’s certainly not what most people have in mind when they talk about VPNs.
Nowadays, “VPN” is usually synonymous with “VPN service” – a B2C service offering a complete subscription-based package. This sort of VPN is commonly used to bypass censorship, access blocked content, or simply increase online privacy.
These services offer VPN apps that create an encrypted “tunnel,” sending your data through a remote VPN server and onto the destination server (e.g., Amazon’s server if you’re visiting amazon.com). In addition to their apps, these providers are selling their infrastructure, often containing thousands of servers across many countries.
Our article primarily focuses on VPN services.
How does a VPN work?
Let’s imagine you want to visit the Amazon website. You type the URL (https://amazon.com) into the address bar of your browser and press Enter. The Amazon homepage loads and you can do your Christmas shopping. Here’s what that looks like in a somewhat more technical sense:
- Your browser contacts a Domain Name System (DNS) resolver assigned by your ISP, asking it to translate the website’s domain name into an IP address.
- Knowing the Amazon server’s IP address, your device can now send a request and retrieve the website.
- Your ISP routes your request to the Amazon server and returns a response.
Albeit a gross simplification, this is essentially how any connection works if you’re not using a VPN. In this example, your connection will be encrypted, because Amazon uses TLS/SSL (HTTPS). However, if you visit an insecure website that doesn’t have TLS, your data would not be encrypted.
Encryption aside, this type of session is not very private because:
- By sending a DNS request to your ISP, you are telling your ISP that you want to visit Amazon.com
- Further communication through your ISP tells them what you’re looking up on Amazon
- Amazon also knows your IP address and can therefore determine your location as well as, potentially, your identity
VPNs are essentially a combination of network infrastructure such as VPN servers, and VPN software. Simply put, you need a remote server and a VPN tunneling protocol (or VPN client app) to establish the connection. So if you want to visit Amazon using a VPN, here’s how that would work:
- Firstly, you would connect to a VPN server in a country of your choosing, e.g., the UK.
- The VPN app uses a tunneling protocol to create an encrypted connection to the VPN server
- You type amazon.com into the address bar and press Enter. This time, though, the DNS query is resolved by the VPN, so your ISP never learns what you’re looking up
- The VPN establishes a connection between its server and the Amazon.com server
- Traffic goes from you to the VPN server, then to Amazon’s server, and back
Why are VPNs good for privacy?
Connecting to the internet via a remote VPN server does several things:
- It hides your IP address (and thus your location and identity) from the website or online service you’re using. In our above example, Amazon would see the VPN server IP address rather than your own
- Additionally, it prevents your ISP and, by extension, your government from knowing what you’re doing online – your ISP can see you’re connecting to the VPN server IP, but nothing beyond that point
- It encrypts your data, protecting your privacy and security if someone intercepts it. This is particularly relevant if you’re using public wifi and visiting insecure websites, which don’t encrypt the connection via TLS/SSL
Your browsing history can get you in a lot of trouble in certain situations. For example, imagine you’re in China and visiting a political forum where users are expressing anti-government views. Or perhaps you’re visiting a porn site as a citizen of Saudi Arabia.
Without a VPN, your ISP knows everything you’re doing on the internet. In countries with strict internet controls, ISP data is often freely available to government agencies.
VPNs’ ability to redirect and encrypt traffic has made them a favorite tool for anyone seeking online security or anonymity, or simply trying to unblock censored and otherwise restricted content.
What is VPN encryption?
The popularity of TLS/SSL (HTTPS) on the web means that most of your browsing is encrypted. Sadly, many other online activities, such as torrenting, remain in plaintext. And even when it comes to browsing, not all websites have implemented TLS, which leaves dangerous security gaps. That’s where a VPN comes in.
Encryption secures a VPN tunnel – the one that goes from your device to the VPN service provider’s server. It means that the connection between your device and the VPN provider’s server is behind a lock.
A VPN encrypts all of your internet traffic: browser, torrent and messaging app traffic, or whatever else you may be doing on the internet. Your connection will therefore be encrypted even if you’re visiting an insecure website.
Although encryption slows your connection down a little, it does not interfere with your ability to connect to the Internet. It only stops anyone watching the connection from reading the contents of your network exchanges.
Most top VPN services rely on the Advanced Encryption Standard (AES) cipher to seal the data that goes through – the same type of encryption that financial and government institutions use.
How does VPN encryption work?
Encryption stays in force for as long as you’re connected to a VPN server: everything between your device and the VPN server is encrypted, and it’s decrypted only at the endpoints, when data reaches your device or leaves the VPN server.
VPNs use three types of cryptography: symmetric encryption, asymmetric encryption, and hashing. Here’s how VPN encryption works:
- When you connect to a VPN server, the VPN client and the VPN server perform a “handshake.” During this step, hashing is used to authenticate that the user is interacting with a real VPN server, and asymmetric encryption is used to exchange symmetric encryption keys. Popular examples of asymmetric (public key) algorithms used at this stage are RSA and Diffie-Hellman.
- Once the handshake is successful, symmetric encryption is used to encrypt all data passing between the user and the VPN server. The most common symmetric encryption cipher used by VPNs is AES (specifically, AES-256).
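To make those two steps concrete, here is an added example in Go (not code from the original article or from any VPN provider) that plays out a simplified handshake and tunnel using only the standard library: an X25519 key agreement authenticated by an Ed25519 signature from the server, a simplified HMAC-SHA256 key derivation (an assumption made here in place of a full HKDF), and AES-256 in GCM mode for the packets, with a per-direction counter nonce so that replayed, reflected or modified packets are rejected. The message layout and the “vpn-demo-v1” label are constructed for this example and do not correspond to any real VPN protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Tunnel is the symmetric state each side holds after the handshake. AES-GCM is only safe while
// no (key, nonce) pair repeats, so each direction gets its own nonce space and packet counter.
type Tunnel struct {
	aead             cipher.AEAD
	sendDir, recvDir byte
	sendSeq, recvSeq uint64
}

// deriveKey is a simplified KDF (an assumption of this example, in the spirit of HKDF-Extract):
// HMAC-SHA256 keyed by the handshake transcript over the X25519 shared secret. Both peers
// compute the same 32 bytes, which is exactly one AES-256 key.
func deriveKey(shared, transcript []byte) []byte {
	mac := hmac.New(sha256.New, transcript)
	mac.Write(shared)
	return mac.Sum(nil)
}

func newTunnel(key []byte, sendDir, recvDir byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // GCM: the authenticated mode of operation
	return &Tunnel{aead: aead, sendDir: sendDir, recvDir: recvDir}, err
}

// Handshake plays both roles of the exchange described above: each side makes an ephemeral
// X25519 key pair (asymmetric step), the server signs the transcript with its long-term
// Ed25519 identity key (authentication step), and both derive the same AES-256 key (switch
// to symmetric encryption). trustedPub is the server identity the client expects to see.
func Handshake(serverPriv ed25519.PrivateKey, trustedPub ed25519.PublicKey) (client, srv *Tunnel, err error) {
	curve := ecdh.X25519()
	clientEph, err := curve.GenerateKey(rand.Reader)
	serverEph, err2 := curve.GenerateKey(rand.Reader)
	if err = errors.Join(err, err2); err != nil {
		return nil, nil, err
	}
	cPub, sPub := clientEph.PublicKey().Bytes(), serverEph.PublicKey().Bytes()
	tr := append(append([]byte("vpn-demo-v1"), cPub...), sPub...) // handshake transcript
	// Server -> client: its ephemeral public key plus a signature over the transcript.
	sig := ed25519.Sign(serverPriv, tr)
	// Client: stop unless the signature verifies under the identity key it trusts. This is
	// the check that keeps an impostor server from completing the handshake.
	if !ed25519.Verify(trustedPub, tr, sig) {
		return nil, nil, errors.New("server authentication failed: signer is not the trusted identity")
	}
	// Each side combines its own private key with the peer's public key (both generated above).
	clientShared, _ := clientEph.ECDH(serverEph.PublicKey())
	serverShared, _ := serverEph.ECDH(clientEph.PublicKey())
	if client, err = newTunnel(deriveKey(clientShared, tr), 0, 1); err != nil {
		return nil, nil, err
	}
	srv, err = newTunnel(deriveKey(serverShared, tr), 1, 0)
	return client, srv, err
}

// Seal wraps one packet as nonce || AES-256-GCM ciphertext || tag. The 12-byte nonce holds
// the direction byte and an 8-byte counter; it travels in the clear and only has to be unique.
func (t *Tunnel) Seal(plain []byte) []byte {
	nonce := make([]byte, t.aead.NonceSize())
	nonce[0] = t.sendDir
	binary.BigEndian.PutUint64(nonce[4:], t.sendSeq)
	t.sendSeq++
	return t.aead.Seal(nonce, nonce, plain, nil) // dst = nonce, so the output starts with it
}

// Open checks direction and counter (replay, reflection, reordering), then the GCM tag (tampering).
func (t *Tunnel) Open(packet []byte) ([]byte, error) {
	ns := t.aead.NonceSize()
	if len(packet) < ns+t.aead.Overhead() || packet[0] != t.recvDir ||
		binary.BigEndian.Uint64(packet[4:ns]) != t.recvSeq {
		return nil, errors.New("truncated, replayed, reflected or out-of-order packet")
	}
	plain, err := t.aead.Open(nil, packet[:ns], packet[ns:], nil)
	if err != nil {
		return nil, errors.New("authentication tag mismatch: packet was modified in transit")
	}
	t.recvSeq++
	return plain, nil
}
```

A client that skipped the signature check would complete the key exchange with whoever answered, which is the server-impersonation risk the article raises later.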
Since AES is the most popular data encryption cipher used by VPNs, let’s take a look at this cipher in more detail.
What is AES-256?
AES-256 stands for Advanced Encryption Standard with a 256-bit key. It is a symmetric key algorithm: the same key is used for encryption and decryption. Generally, it’s considered the gold standard of modern encryption. VPNs use it to create a safe tunnel for your private data exchanges.
You might see weaker AES standards like AES-128. This simply means that the cryptographic key is shorter and easier (although still virtually impossible) to “brute force.” As a rule of thumb, the longer the encryption key, the more potential combinations there are, and the longer a brute-force attack would take. It’s the same principle as a longer password being harder to guess.
On the flip side, a longer encryption key means slower connections because the encryption and decryption take longer.
In the wild, you will most often find three variations of AES: AES-128, AES-192, and AES-256. Additionally, you may encounter different modes of operation, such as AES-256-GCM or AES-256-CBC, but that’s a story for another time.
Not all tunneling protocols support this kind of encryption. For example, PPTP uses the much weaker MPPE cipher, whereas the new WireGuard protocol primarily uses ChaCha20.
What does a VPN server do?
VPN servers are at the heart of any VPN service – they forward your internet traffic to the destination server and return the response to you.
The top providers have hundreds or even thousands of servers scattered across the globe. This is important not only to ensure good performance but also because choosing the VPN server’s country amounts to choosing your virtual location. The websites you connect to will assume you’re based in the VPN server’s country.
If you’re not connecting through a VPN server, the owner of any website you visit will know your IP address. You may want to avoid this for two basic reasons:
- Access. You will get different versions of websites based on your location. In some cases, this might mean worse prices for the same goods; in others, it may mean different content or no access at all.
Depending on the provider, the VPN server may collect data about you, such as your IP address, session time, the websites you’re visiting, etc. This is something to avoid, which is why it’s crucial to choose a VPN service with a no-logging policy. Some providers even go so far as to use diskless, RAM-only servers, which are not built to store data persistently.
The primary function of a VPN protocol (also called a tunneling protocol) is to establish a safe tunnel between your device and the VPN server. When a VPN client connects to a VPN server, it creates a tunnel through which data is sent. The protocol used to create this connection determines how your data is sent through the network.
There are quite a lot of options there. Some protocols are more secure, some are faster, some are better on mobile devices or older PCs, some are better at bypassing stringent firewalls, and some are just outdated.
Here are the most common ones, which you can find in most VPN clients.
Common VPN protocols
Most VPN protocols were not developed by VPN service providers, who merely implemented the technology in their apps.
IKEv2 – stands for Internet Key Exchange version 2. It mainly handles the negotiation of the connection (request and response confirmations). It is usually used in conjunction with IPSec (IKEv2/IPSec), which handles authentication and encryption of the traffic.
This is very efficient on an unreliable connection, since IKEv2 reestablishes the tunnel quickly after a connection loss. It’s also one of the fastest and most widely used tunneling protocols on mobile devices because it can easily switch between Wi-Fi and cellular and back.
OpenVPN – by far the most common tunneling protocol in desktop apps. It is an open-source protocol that builds on OpenSSL. It can run over either of two transports: UDP or TCP.
- UDP is the User Datagram Protocol. It is much faster because it does not acknowledge or resend lost data. That means less verification of delivery, which allows for more rapid exchanges and hence better speeds.
- TCP is the Transmission Control Protocol. It acknowledges and re-verifies data, so processing may be slower, limiting your internet speed. Use UDP on networks you can trust, while TCP will be better on public Wi-Fi hotspots.
L2TP/IPSec – On its own, L2TP doesn’t provide any encryption; its job is request and response confirmations. Encryption enters the arena with IPSec, which is often used in conjunction with it.
There are many discussions about whether this protocol is secure because it was co-developed with the NSA. The Edward Snowden leaks seemed to imply that the NSA may have backdoors to access L2TP/IPSec traffic.
WireGuard – the next generation of tunneling protocols. It uses far fewer lines of code, making it easier to audit, and squeezes the most out of your device’s processing power. It’s ideal for mobile devices and slower computers, has up-to-date encryption built in, and offers reliable connections.
WireGuard gives the best performance of any current VPN tunneling protocol.
SSTP – Secure Socket Tunneling Protocol. Created by Microsoft, this protocol is not exclusive to Windows and provides a high level of encryption.
While SSTP is very capable, there are concerns that Microsoft may have backdoors to access SSTP traffic.
PPTP – Point-to-Point Tunneling Protocol. Developed in the late ’90s, it was the first VPN protocol to become widely available.
This protocol relies on outdated encryption, which has become vulnerable to brute force attacks as computing power grew. As such, few VPN service providers currently offer this protocol.
Proprietary VPN protocols
Some VPN service providers have developed their own tunneling protocols. These are exclusive protocols that you’ll find only in the suites of specific VPN service providers.
Catapult Hydra – developed for the Hotspot Shield VPN service. The company claims that this protocol allows the service to achieve much better connection speeds than using standard tunneling protocols. Whether due to Catapult Hydra or other reasons, Hotspot Shield has always been among the fastest VPNs.
NordLynx – only available on NordVPN. NordLynx is a modified version of WireGuard, solving potential security issues while keeping the performance intact.
Lightway – only available on ExpressVPN. It uses an open-source implementation of Transport Layer Security (TLS), wolfSSL. Its goal is to be as lightweight as possible, aiming for ease of maintenance and high performance.
How does a VPN client work?
A VPN client (or VPN app) is the software on your device that communicates with a VPN server, establishing the connection and encrypting data.
Your VPN app is where you control your VPN experience: which server to connect to, which tunneling protocol to use, which features to activate, etc. Most great VPN service providers have apps for Windows, macOS, Android, iOS, Linux, Amazon Fire TV, and more.
With that said, you can use a VPN without a custom VPN app. All major platforms offer VPN functionality in some form – you can set up a VPN connection through your networking settings on Windows, for example.
You can also set it up on your wifi router following instructions on your VPN provider’s website. As a matter of fact, this is the only way you’ll be able to use a VPN with devices that don’t support VPN, such as gaming consoles or some smart TVs.
What does a VPN do?
Now you know what a VPN is and how it works, but what is it good for, specifically? Well, as it turns out, VPNs can improve your online experience in a number of ways. Here’s how.
Hide your online activities
If you live in an oppressive regime, the government could use your internet history against you. If you’re connecting directly, your ISP knows every domain you visit. Using a VPN helps you avoid such surveillance – all your ISP will see is you connecting to the VPN. In some cases, they won’t even know that much.
Even if you’re living in a democracy, there are reasons why you may want to hide your online activities. A prime example is torrenting – downloading copyrighted materials can lead to legal problems, which is why many torrenters use VPNs to hide their IP address.
You may have also heard that your private data is the hottest product nowadays. When you have a lot of data on someone, you can make accurate prediction models. For example, it makes much more sense for businesses that sell smart dog collars to target the people who have dogs. This leads to ISPs selling browsing data – not a fun prospect for privacy.
Defeat government censorship
You may have noticed that sometimes your ISP blocks particular sites or online services. This practice is especially prevalent in countries with strict Internet censorship. Waiting for a revolution that will overthrow the regime can take a while. With a VPN, you’re connecting through another country that doesn’t have such blocks in place. It means that you can freely use the Internet wherever you are.
Countries like China have advanced measures like traffic analyzers to determine whether you’re using a VPN. Still, many VPN service providers have traffic scrambling tools in place to solve the issue.
Make the most of your subscriptions
You might have heard that Netflix libraries aren’t all made equal. You pay more for your Netflix subscription in Switzerland but get a smaller library of movies and TV series than users in the US. It doesn’t sound right.
To solve this, many people use a VPN because it lets you watch Netflix from anywhere, as if you’re located somewhere else – just choose a VPN server in that country. This lets you remove limits from the content libraries of the services you have subscribed to.
Since many entertainment platforms are moving to subscription-based models with third-party copyright holders licensing content based on region, expect more of this in the future.
Get more flexibility with online purchases
One of the best-known lifehacks is that it’s best to buy plane tickets and make hotel reservations in Incognito Mode. Although a VPN doesn’t do the same thing, it will prevent you from falling prey to price discrimination – the practice of charging a different price for the same goods or services depending on your location.
Many retailers are guilty of price discrimination, and there’s a good chance that your next purchase will be cheaper if you’re using a VPN. Plus, if you’re abroad and want to order something for when you get back home, the VPN might be the only way to access the local webpage version.
Bypass ISP bandwidth throttling
Bandwidth throttling is a deliberate way for ISPs to slow down your connection. ISPs in various countries have been guilty of this, especially for P2P traffic – torrenting large files at high speed can be heavy on the internet infrastructure, and throttling is their way of solving it.
Using a VPN, you can hide the nature of your traffic, making it harder to pinpoint you and impose download speed limits. This is one of those rare situations where a VPN can actually increase your connection speed.
Provide safety from hackers
VPN may not be the first tool that comes to mind when you think about security. Yet in some situations, using a VPN can save you from hackers.
This is particularly true if you’re using unsecured public wifi – something we all resort to in cafes or airports. In these settings, a crafty hacker could set themselves up between you and the router, intercepting your traffic in what is known as a man-in-the-middle attack. A VPN stops such a situation in its tracks simply because any intercepted traffic would be encrypted and useless.
Your IP address could also be useful to hackers for various ends. For one thing, it can reveal your location, which could take someone a long way towards doxxing or DDoSing you. And it would also let a hacker start scanning your router’s open ports to check whether there are exploitable vulnerabilities.
The key takeaway is this: you don’t want your IP ending up in the wrong hands. Yet, when seeding torrent files or joining a Discord message board, your IP is literally out in the open. A VPN gives you a throwaway IP address for when you’re connected, saving you from all such situations.
There are no perfect cybersecurity products, and using a VPN is associated with some risks:
- Some VPN services are still using old and outdated protocols with known vulnerabilities. That is why most leading providers have phased out the Point-to-Point Tunneling Protocol (PPTP).
- Insecure VPN services could let a hacker impersonate a VPN server, intercepting your data.
- If you’re using a VPN and their server goes down, most likely, you’re still browsing the web but now with your real IP address showing. Top VPNs offer kill switch features to disable your internet connection when the VPN drops.
- When a VPN service is free, more often than not, it means that it’s selling your data. Think about it: maintaining a server fleet costs money. Hence, when the service is free, the money has to come from somewhere. In many cases, the VPN is collecting your data and selling it off to third parties.
- Free mobile VPNs are particularly problematic. For example, there have been reports about most top VPNs on Google Play being owned by Chinese companies. Considering what we know about China, that could mean all kinds of sensitive information is going straight to the Chinese government.
- Even some good VPNs have been caught logging user data and giving it over to the authorities when asked. That’s why a no-logs VPN is what you want.
And as always, a lot can go wrong if you skip critical patches. Maintenance and good cyber-hygiene are paramount, whether you’re using a VPN or something else.
Can you be tracked with a VPN?
Don’t think that a VPN single-handedly solves all your privacy problems. If you’re logged in to your Google account or you’re logging into various services with your Facebook login, a VPN can’t help you. Google and Facebook will know exactly which sites you’ve visited.
Additionally, the modern internet is rife with browser-based tracking technologies – cookies, fingerprinting scripts, and other nefarious stuff. These can still threaten your anonymity even if your VPN is on.
To limit the risk, you should stay away from social media accounts when using a VPN. Also, you should use addons that block intrusive tracking scripts. uBlock Origin, Ghostery, and NoScript are just a few such tools.
Checklist for choosing a secure VPN provider
VPN services are not made equal. Some have more features or better security measures. Others have completed third-party audits that add credibility to their transparency claims. When choosing a VPN service, you’re making a conscious decision to trust a company with your data. The least you could do is invest time in some research.
Here are a few things to look out for:
#1 Reputation
Even if you’re just looking for a VPN to unblock Netflix, the service’s reputation is essential. Your privacy is important and you should never trade it.
Unfortunately, it can be challenging to know what VPN services are up to behind closed doors. Yet if a VPN provider has been caught red-handed giving away user data or bending the truth about their services – that’s a good way to know which VPN not to choose.
#2 Jurisdiction
Where a VPN operates from matters. Some countries require VPNs to collect user data, whereas others have harsh copyright laws. As a user of such a VPN, you run the risk of letting your data get into the wrong hands.
The Edward Snowden leaks shed light on the scope of surveillance around the globe. If you think that living outside of the US makes you safe against the NSA and you’ll have nothing to worry about, think again. The surveillance alliance known colloquially as the 14 Eyes shares intelligence on one another’s citizens. And they’re not even the worst of the bunch.
#3 Anonymous payment options
You are as anonymous as your method of payment. Paying with a credit card leaves records not only on your banking statement but in the company’s accounting logs. It never hurts to check if your chosen service supports payments via cryptocurrency, prepaid cards, or other options. As a rule of thumb, the less personal information you provide, the better the service is for your privacy.
#4 Technical specifications
Encryption, reliable tunneling protocols, leak protection, a kill switch – all of these are necessary for a secure VPN. The provider can be very transparent, but if they don’t have the tech to provide privacy and security, you’re going to have a bad time.
Alternatives to VPN
There are other tools out there that offer similar solutions. Which VPN alternatives work for you depends on what functionality you need. If you need to quickly unblock some site, it might not make much sense to pay for a top-notch VPN server. Even when a VPN is an appropriate solution, you might have identical results using other options.
You can find workarounds to various problems by using VPN alternatives. Here are some of them and what they’re good for.
The Tor browser is an open-source browser and a network that offers anonymity by directing your traffic through a network of volunteer nodes. The traffic is encrypted, so no one along its journey can view it. To reach the desired website, your connection jumps through several of these nodes (also called relays or simply “servers”), making tracking your activities difficult.
In some senses, Tor is a free alternative to VPN networks, but it has downsides. Firstly, these nodes your traffic goes through are often just servers hosted on volunteer users’ PCs. That, plus the fact your connection goes through at least 3 nodes chosen randomly, means the speed can never compare to a top-tier VPN.
Additionally, Tor has potential security issues. An experiment in 2007 showed how compromised exit nodes could be used to intercept traffic. Having enough of these nodes on the network may even lead to deanonymization. The Tor Project continuously monitors for compromised relays and blacklists them, but it can’t realistically keep them all at bay. That’s one of the built-in risks.
A proxy allows you to do the same thing as a VPN – appear as though you’re connecting from a different location. Proxy services work by connecting you to the internet through an intermediate server. They’re great if you want to access some website at school, for example.
The critical difference is that most types of proxies don’t use encryption, meaning they’re not as secure. Additionally, unlike VPNs, proxies work at the app level – you can set a SOCKS proxy up on your browser or torrent client, but they won’t protect any apps you use that don’t have a proxy set up.
Some VPNs include proxy services as part of the package.
These tools integrate VPN functionality within a browser so that you can surf the web without being tracked. For example, the Aloha browser even uses VPN tunneling protocols like IKEv2 and IPSec.
The downside is that a VPN browser only protects your browser traffic. Everything else that leaves your computer can be seen and traced back to you.
VPN vocabulary can be hard to understand for the uninitiated. Here are some of the terms you may encounter when looking for a VPN or using one.
Dedicated IP (static IP)
Each time you connect to a VPN server, you will get a different IP address. These IPs are shared among many users and they are known as dynamic IP addresses.
There are benefits to having a shared IP address. For one thing, it makes it a lot harder to link you to your online activities. However, for some things to work, you need your IP address to stay the same whenever you connect.
To solve the issue, some VPN service providers offer dedicated IP addresses for an additional fee.
DNS leak protection
A DNS leak occurs when your traffic goes through a VPN server, but your ISP’s DNS server still resolves your DNS queries. This is primarily due to issues with the Windows operating system.
Some VPNs have features built into their apps to prevent this from happening.
If you get disconnected from a VPN server, your device will try to reconnect via your regular connection. That means the website you’re visiting now knows your real IP, while your ISP knows what website you’re on.
The kill switch is a feature that solves this type of leak by “killing” your internet if the VPN drops.
This phrase usually describes AES-256, the industry standard data encryption cipher.
Multi-hop (double VPN)
The multi-hop or double VPN feature lets you connect through 2 or more VPN servers instead of 1. It significantly increases security at the cost of performance.
No log policy
A “no log”, “no logs”, or “no logging” policy is the VPN provider’s promise not to store any data associated with your online activities.
In reality, it’s often a “some logs” or “no activity logs” policy, as VPNs may keep track of timestamps of when you connect to a VPN server and other anonymous data.
In recent years, top VPN services have been asking third-party companies to audit their no log policies. Short of legal incidents that prove VPNs’ claims, these audits are the closest users have to proof.
A VPN subscription usually lets you use the service on several devices at once. This lets you install the VPN on all your smart devices or share a subscription among friends and family.
The number of simultaneous connections can range from zero to unlimited.
You may want to use a VPN for some online activities, while at the same time not using it for others. For example, suppose you use online banking. In that case, your VPN connection may trigger security measures put in place to protect users against suspicious logins.
For cases like these, VPNs offer the split tunneling feature. On your VPN app, you can specify which websites or apps can bypass the encrypted tunnel and connect directly. That way, you can stay protected with a VPN when it counts, but route your Steam game downloads through your ISP to make them faster.
Aside from the regular tunneling protocols, you may also find something called Shadowsocks. It stands in a league of its own – as an open-source encryption protocol project for proxies.
First developed to defeat the Great Firewall of China, it disguises your traffic to look like a regular HTTPS exchange. This makes it harder to detect (and block) than OpenVPN, whose traffic has recognizable signs.
Stealth mode (obfuscated servers)
This feature has many names and different implementations, but the idea is similar to Shadowsocks. Stealth mode is used to scramble regular VPN traffic, making it difficult to detect even by advanced methods like Deep Packet Inspection (DPI).
Tor over VPN (onion over VPN)
Several VPNs offer an integration with the Tor network for maximum security. This puts so many layers between you and the destination server that finding out what you’re doing is practically impossible. However, your connection speed will suffer significantly.
Are VPNs legal?
It depends on the country, but VPNs are legal in most of the world. The bad reputation comes from the fact that they may be used by criminals and scammers to conceal their identities. Hence, connecting to a VPN server is legal, but doing so to commit a crime is illegal.
Can VPN steal my data?
Theoretically, yes. With that said, many top VPNs operate under no-logging policies, meaning they don’t collect your data.
How much does a VPN cost?
The best VPN providers’ prices depend on the duration of your subscription. If you subscribe for more extended periods, you pay less per month.
On average, a monthly VPN subscription is between $5-12; an annual subscription is between $3-8/month, and the price drops lower with longer subscriptions.
Can a VPN see my passwords?
That would be possible only in cases where a website uses plain HTTP. However, most reputable institutions use HTTPS, which encrypts your data, so stealing your password would be impossible.
How does a VPN increase your security?
VPN protection is threefold: first of all, it hides your real IP address. Second, it hides the IP address of the website or service you’re using from your ISP. Finally, it secures your connection to a VPN server using encryption. These measures combined make a VPN one of the best cybersecurity and privacy tools at your disposal.