
What is a VPN tunnel and how does it work?


Although most people have a vague understanding of what a VPN is and how it's used, few can explain how it works. VPNs were invented to make sharing data easier, so the terminology can get quite technical and confusing.

In this article, I’ll try my best to explain the central part of VPN setup – tunneling.

What is a VPN tunnel?

A VPN tunnel is an encrypted connection between your device and a VPN server. It's uncrackable without a cryptographic key, so neither hackers nor your Internet Service Provider (ISP) could gain access to the data. This protects users from attacks and hides what they're doing online.

Effectively, VPN tunnels are a private route to the internet via intermediary servers. That's why VPNs are popular among privacy-conscious individuals.


How does VPN tunneling work?

Generally speaking, VPN tunneling simply means using a VPN service. Therefore, the answer to "How does VPN tunneling work?" is virtually the same as the answer to "How does a VPN work?".


And now here's what a VPN tunnel does:

  • Traffic encryption. Your data becomes protected from third parties.
  • Hiding your IP address. The VPN tunnel funnels your traffic through a VPN server, hiding your IP. Without the IP, there's no way to tell your location.
  • Securing Wi-Fi hotspots. You no longer have to worry about your safety when using public Wi-Fi.

To make VPN tunneling work, first, you have to get a VPN service. Once you connect to the desired server, a VPN tunnel will be established. Without it, your ISP sees everything you do online, but this is impossible after you connect to a VPN server. That's because of the encryption and hidden IP address.

Most VPN services claim to have a strict no-logs policy, which means they don’t monitor and store personally identifiable information or online activity data. Having said all that, your best bet is to use a reputable VPN service that either has an independently audited no-logs policy or one that's been tested in the wild.

VPN tunnel security - can it be hacked?

If a VPN connection is so secure, is it actually possible to hack it? Unfortunately, yes - but that’s much less common than you think. You shouldn’t worry about that if you’re just a regular user, as hackers usually prey only on high-profit targets like million-dollar companies.

So, how can a VPN tunnel be hacked? Well, as breaking the encryption itself is virtually impossible (unless there’s a known vulnerability), the most common way is stealing the encryption key. This can be done in a lot of different ways. However, using a reputable VPN greatly minimizes the risk.

For example, VPNs like NordVPN use a 4096-bit DH (Diffie-Hellman) key, which makes the key exchange in a VPN connection extremely secure.

How to test a VPN tunnel?

Checking your ping will help you know whether your VPN tunnel is working. You’ll need to check your ping twice: when you’re connected to a VPN and when you’re not. Then, simply comparing the results will let you see if the VPN connection was successful. So, here’s how you check your ping if you’re using Windows 10:

  1. Open Command Prompt
  2. Type in “ping 8.8.8.8” (8.8.8.8 is the public DNS of Google)
  3. Press Enter
  4. Wait for the results

The ping received with a VPN in use will be significantly higher than the one you get when disconnected from a VPN.
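The comparison described above can be done on the saved output of the two runs. The following is an added example, not part of the original article: the sample outputs are constructed in the Windows 10 ping format, and the 10 ms cut-off for "significantly higher" is an assumption.

```python
import re

# Constructed `ping 8.8.8.8` output in the Windows 10 format (not real captures).
NO_VPN = """Reply from 8.8.8.8: bytes=32 time=14ms TTL=117
Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 13ms, Maximum = 15ms, Average = 14ms"""
WITH_VPN = """Reply from 8.8.8.8: bytes=32 time=47ms TTL=115
Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 45ms, Maximum = 52ms, Average = 48ms"""
VPN_NO_REPLY = """Request timed out.
Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),"""


def parse_ping(text):
    """Return (sent, received, average_ms) from one Windows ping run.

    average_ms is None when Windows printed no round-trip block,
    which is what happens when no echo reply came back.
    """
    packets = re.search(r"Sent = (\d+), Received = (\d+)", text)
    if packets is None:
        raise ValueError("no 'Ping statistics' block in the input")
    average = re.search(r"Average = (\d+)ms", text)
    avg_ms = int(average.group(1)) if average else None
    return int(packets.group(1)), int(packets.group(2)), avg_ms


def compare_runs(without_vpn, with_vpn, min_increase_ms=10):
    """Compare two runs; min_increase_ms is an assumed cut-off, not a standard."""
    base = parse_ping(without_vpn)[2]
    tunnel = parse_ping(with_vpn)[2]
    if base is None or tunnel is None:
        return ("inconclusive", None)  # one run got no replies: nothing to compare
    increase = tunnel - base
    verdict = "higher" if increase >= min_increase_ms else "similar"
    return (verdict, increase)


if __name__ == "__main__":
    print(compare_runs(NO_VPN, WITH_VPN))
    print(compare_runs(NO_VPN, VPN_NO_REPLY))
```

A "similar" result does not prove the tunnel is down, because a VPN server close to you adds very little latency.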

Types of VPN tunnel protocols

A tunneling protocol, or a VPN protocol, is software that allows securely sending and receiving data between two networks. Some may excel in speed but have lackluster security and vice versa.

At the time of writing this article, the most popular tunnel protocols are OpenVPN, IKEv2/IPSec, and L2TP/IPSec. However, the next-gen WireGuard protocol is being implemented in many premium VPN services.


Below you will find a list of VPN tunneling protocols, ranked from best to worst. Don't forget that not all providers offer the same set of protocols, and even if they do, their availability will be different across desktop and mobile devices.

1. WireGuard

Security: Very high
Speed: Very high

WireGuard is hands-down the best tunnel protocol available right now. It offers unprecedented speed and security, using top-notch encryption. What's more, this open-source protocol is easy to implement and audit thanks to its lightweight code, consisting of only 4000 lines. That's a hundred times fewer than OpenVPN, the most popular protocol.

Built from the ground up, WireGuard is free from any disadvantages that come with an old framework. It's also free from the negative impact of network changes, making it a go-to choice for mobile users.

2. OpenVPN

Security: High
Speed: High

Released almost two decades ago, OpenVPN is still the most popular tunneling protocol. However, because of WireGuard, it's slowly losing its position for good. Despite that, you still get first-class security and fast speeds with this open-source VPN tunneling protocol.

You may encounter two versions of OpenVPN – TCP and UDP. The former is more stable and the latter offers a faster connection.

3. IKEv2/IPSec

Security: High
Speed: High

This combination of protocols rivals OpenVPN in terms of popularity, security, and speed. IKEv2 excels at maintaining your VPN connection whenever you switch from one network to another. Due to the native support, it's especially popular on iPhone and iPad devices.

4. L2TP/IPSec

Security: Medium
Speed: Medium

L2TP/IPSec is a soon-to-be-retired VPN tunneling protocol that you can still find in some services, especially those that have trouble implementing OpenVPN on iOS. I could have ranked its security as "high," but I can't ignore that it's been mentioned in Snowden's leaks. If what he says is true, then the NSA may have the tools to exploit L2TP/IPSec.

Just like IKEv2/IPSec, this one combines two protocols, where one is responsible for encapsulating your traffic and the other takes care of encryption.

5. SSTP

Security: High
Speed: Medium

When it comes to speed, the difference between SSTP and L2TP/IPSec is not that big. However, the reason why the former sits one place below is compatibility. SSTP was created by Microsoft and works on Windows only. What's more, there's always a chance that its creators have left some unlocked back doors in case the NSA comes calling. On the bright side, SSTP is great for bypassing The Great Firewall of China.

6. PPTP

Security: Poor
Speed: High

PPTP is an outdated VPN tunneling protocol that I don't recommend you use. Just like its younger brother SSTP, this one was developed by Microsoft back in the days of Windows 95. And unlike its younger brother, PPTP is available even without a VPN app on all major platforms, including Linux. Unfortunately, there's more than one widely known security vulnerability that makes using PPTP risky.

VPN split tunneling

Split tunneling allows you to choose which websites or apps should use a VPN tunnel and which ones should stay outside. This feature is useful when you want to watch a show that's available in the US and read a local version of a news portal. Another example would be using your office's printer while torrenting securely with a VPN.


However, not all VPN providers offer this feature. Even if they do, the chances are that split tunneling is available on certain devices and operating systems only. Therefore, always check your options before committing long-term.
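To see how the split decision can be made per destination, here is an added example (not from the original article) that models split tunneling as routing-table lookups with longest-prefix match. It assumes destination-based splitting only, not per-app rules; the interface names tun0 and eth0 and all addresses are constructed.

```python
import ipaddress

# Constructed routing tables. "tun0" (VPN tunnel) and "eth0" (normal network)
# are hypothetical interface names; addresses are private/documentation ranges.
# Mode A: everything through the tunnel except the office printer's subnet.
EXCLUDE_LOCAL = [("0.0.0.0/0", "tun0"), ("192.168.1.0/24", "eth0")]
# Mode B: only one service's range through the tunnel, the rest goes direct.
INCLUDE_ONLY = [("0.0.0.0/0", "eth0"), ("203.0.113.0/24", "tun0")]


def pick_interface(dst, routes):
    """Longest-prefix match: the most specific route that contains dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), dev) for net, dev in routes
               if addr in ipaddress.ip_network(net)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def outside_tunnel(destinations, routes, tunnel_dev="tun0"):
    """List the destinations whose traffic would bypass the VPN tunnel."""
    return [d for d in destinations if pick_interface(d, routes) != tunnel_dev]


if __name__ == "__main__":
    printer, streaming, other = "192.168.1.50", "203.0.113.10", "198.51.100.7"
    for name, table in (("exclude-local", EXCLUDE_LOCAL),
                        ("include-only", INCLUDE_ONLY)):
        for dst in (printer, streaming, other):
            print(name, dst, "->", pick_interface(dst, table))
```

Running outside_tunnel over the destinations you care about shows which traffic your ISP can still see under a given split-tunnel setup.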



Comments

Dominique
3 years ago
Love the way you guys did this. It worked, thank you.

Lola
3 years ago
Same here