
What are VPNs?

A Virtual Private Network (VPN) is a technology that creates a secure, encrypted connection, often called a tunnel, between your device and a remote server over the internet. This allows your data to travel safely across public or shared networks, as if you were directly connected to a private network. By encrypting your traffic and hiding your real IP address from the sites you visit (they see the VPN server's address instead), VPNs help defend against cybercriminals, surveillance, and unwanted data collection. Even if your internet traffic is intercepted between your device and the VPN server, the encryption ensures it remains unreadable. Note what the tunnel does not cover: the VPN server decrypts your traffic before forwarding it, so the VPN provider (or your employer's gateway) can see it, and the path between the VPN server and the destination is protected only if the application itself uses TLS. A VPN moves trust from the local network and your ISP to the VPN operator; it does not remove the need to trust someone.


Figure 1. Illustration of how a VPN functions, showing encrypted traffic flow to enhance data security and protect user privacy over public networks.

VPNs are commonly used by individuals and organizations to:

  • Protect sensitive data when using unsecured networks (like public Wi-Fi).

  • Access restricted content, such as streaming services or websites blocked in certain countries.

  • Limit tracking by ISPs (which no longer see which sites you visit, only that you talk to the VPN server) and by websites and advertisers that track by IP address. A VPN does not stop tracking that relies on cookies, logins or browser fingerprints.

  • Secure remote work, allowing employees to safely access files, apps, and resources from outside the office.

Tunnelling

We can think of an IP tunnel as a virtual point-to-point link between a pair of nodes that are actually separated by an arbitrary number of networks. The virtual link is created within the router at the entrance to the tunnel by providing it with the IP address of the router at the far end of the tunnel. Whenever the router at the entrance of the tunnel wants to send a packet over this virtual link, it encapsulates the packet inside an IP datagram. The destination address in the IP header is the address of the router at the far end of the tunnel, while the source address is that of the encapsulating router.


Figure 2.  A tunnel through an internetwork. 18.5.0.1 is the address of R2 that can be reached from R1 across the internetwork.
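The encapsulation described above, worked through in code. This is an added example and is not from the original page: R2's address (18.5.0.1) is the one given in Figure 2, while R1's address and the hosts behind the two routers are assumptions made for the illustration. It builds real IPv4 headers (protocol number 4, "IP in IP"), so the overhead and the checksum behaviour are what a packet capture of an unencrypted tunnel would show.

```python
"""IP-in-IP encapsulation as performed by R1 and R2 in Figure 2.

Added example, not from the original page. R2's address (18.5.0.1) is the one
given in the figure; R1's address and the addresses of the hosts behind the
routers are assumptions made for this illustration.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4   # IANA protocol number for "IP in IP" (RFC 2003)
IPPROTO_UDP = 17

R1_ADDR = "10.0.0.1"   # tunnel entrance (assumed)
R2_ADDR = "18.5.0.1"   # tunnel exit, from Figure 2
HEADER_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words (RFC 791); 0 when verifying a good header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Prepend a minimal IPv4 header with a correct checksum to payload."""
    header = struct.pack(HEADER_FMT, (4 << 4) | 5, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Split a datagram into header fields and payload; reject a corrupted header."""
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(HEADER_FMT, packet[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner_packet: bytes) -> bytes:
    """R1, tunnel entrance: the whole inner datagram becomes the payload of a new
    datagram whose source is R1 and whose destination is R2."""
    return build_ipv4(R1_ADDR, R2_ADDR, IPPROTO_IPIP, inner_packet)


def decapsulate(outer_packet: bytes) -> bytes:
    """R2, tunnel exit: strip the outer header and hand the inner datagram to
    normal forwarding. Anything not addressed to this tunnel endpoint is refused."""
    outer = parse_ipv4(outer_packet)
    if outer["dst"] != R2_ADDR or outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet for this endpoint")
    return outer["payload"]


def demo() -> dict:
    """Send one UDP datagram from a host behind R1 to a host behind R2 (hosts assumed)."""
    inner = build_ipv4("192.168.1.7", "172.16.5.9", IPPROTO_UDP, b"hello via tunnel")
    on_the_wire = encapsulate(inner)        # what the intermediate networks see
    outer = parse_ipv4(on_the_wire)
    recovered = decapsulate(on_the_wire)    # what R2 forwards
    return {"outer": outer, "inner": parse_ipv4(recovered), "intact": recovered == inner,
            "overhead_bytes": len(on_the_wire) - len(inner)}


if __name__ == "__main__":
    r = demo()
    print("outer header:", r["outer"]["src"], "->", r["outer"]["dst"], "proto", r["outer"]["proto"])
    print("inner header:", r["inner"]["src"], "->", r["inner"]["dst"], "intact:", r["intact"])
```

Notice that nothing in this plain tunnel hides or authenticates the inner packet: the intermediate networks can read the inner addresses and payload, and the checksum only catches accidental corruption. That gap is what the encryption and authentication described later on this page fill.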

How does VPN tunneling work?

Step 1: Initiation of the VPN connection

The user selects a VPN service (or their organization's VPN gateway) and connects their device to the chosen VPN server. As part of this step the two sides authenticate each other, with certificates, a pre-shared key, or a username and password depending on the protocol, so that the client is not tricked into tunneling through an impostor.

Step 2: Establishment of an encrypted tunnel

The VPN application on the user's device and the server negotiate session keys (the key exchange described later on this page) and set up an encrypted channel. This encryption shields the internet traffic from unauthorized access as it moves through the user's internet connection to the VPN server.

Step 3: Encryption of data

The data transmitted through the tunnel is encrypted using the cipher negotiated for the session (for example AES-256 or ChaCha20), transforming the information into a coded format known as "ciphertext." Each packet also carries an authentication tag so the receiver can detect modification or replay. This encrypted data is undecipherable to anyone without the proper decryption keys.

Step 4: Decryption at the VPN server

The VPN server receives the encrypted data, verifies its authentication tag, and uses the session keys to decrypt it. Once decrypted, the data continues to its intended destination on the internet with the VPN server's address as its source. From this point on the VPN provides no protection: the destination server, and anyone on the path between the VPN server and it, can read the traffic unless the application itself encrypts it (for example with HTTPS).

Step 5: Return of data to the user’s device

Data sent from the internet back to the user also passes through the encrypted tunnel, ensuring privacy and security in both directions.
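Steps 2 to 5, as an added example that is not part of the original page or of any real VPN implementation. The client seals each inner packet (encrypt, then authenticate, with a sequence number that also serves as the nonce), the server opens it and would forward the plaintext, and the return direction uses its own keys. ChaCha20 is implemented from RFC 7539 and checked against the RFC's test vectors; integrity uses HMAC-SHA256 from the standard library instead of the Poly1305 that WireGuard pairs with ChaCha20, to keep the example short. The key labels, the packet layout and the sample packets are assumptions.

```python
"""Steps 2 to 5 in code: each inner packet is encrypted, authenticated and
replay-protected by the client and reversed at the server. Added example, not
from the page or any real VPN; ChaCha20 follows RFC 7539 (checked against its
test vectors), integrity uses HMAC-SHA256 instead of WireGuard's Poly1305, and
the key labels, packet layout and sample packets are assumptions."""
import hashlib
import hmac
import os
import struct


def _rotl32(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block (RFC 7539 section 2.3): 20 rounds, then add the input state."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key))
             + [counter] + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & 0xFFFFFFFF for i in range(16)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Stream cipher: XOR data with keystream. The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], chacha20_block(key, counter + i // 64, nonce)))
    return bytes(out)


def derive_key(secret: bytes, label: bytes) -> bytes:
    """One-block HKDF-Expand; real protocols use full HKDF or the Noise KDF."""
    return hmac.new(secret, label + b"\x01", hashlib.sha256).digest()


class TunnelEndpoint:
    """One end of the tunnel. Keys are per direction, so the two directions never
    share a (key, nonce) pair; the sequence number doubles as the nonce."""

    def __init__(self, session_secret: bytes, role: str):
        send, recv = (b"c2s", b"s2c") if role == "client" else (b"s2c", b"c2s")
        self.send_enc, self.send_mac = derive_key(session_secret, b"enc " + send), derive_key(session_secret, b"mac " + send)
        self.recv_enc, self.recv_mac = derive_key(session_secret, b"enc " + recv), derive_key(session_secret, b"mac " + recv)
        self.send_seq = 0
        self.highest_recv_seq = 0   # strict anti-replay; IPsec and WireGuard use a sliding window

    def seal(self, inner_packet: bytes) -> bytes:
        """Step 3: seq || ciphertext || tag (encrypt-then-MAC). seq must never repeat under one key."""
        self.send_seq += 1
        seq = struct.pack("<Q", self.send_seq)
        ciphertext = chacha20_xor(self.send_enc, b"\x00" * 4 + seq, inner_packet)
        return seq + ciphertext + hmac.new(self.send_mac, seq + ciphertext, hashlib.sha256).digest()

    def open(self, wire: bytes) -> bytes:
        """Step 4: check the tag in constant time, then the sequence number, then decrypt."""
        seq, ciphertext, tag = wire[:8], wire[8:-32], wire[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.recv_mac, seq + ciphertext, hashlib.sha256).digest()):
            raise ValueError("integrity check failed: modified packet or wrong key")
        n = struct.unpack("<Q", seq)[0]
        if n <= self.highest_recv_seq:
            raise ValueError("replayed packet")
        self.highest_recv_seq = n
        return chacha20_xor(self.recv_enc, b"\x00" * 4 + seq, ciphertext)


def rfc7539_self_test() -> bool:
    """Block-function (section 2.3.2) and encryption (section 2.4.2) test vectors."""
    key = bytes(range(32))
    block = chacha20_block(key, 1, bytes.fromhex("000000090000004a00000000"))
    msg = (b"Ladies and Gentlemen of the class of '99: If I could offer you only one tip "
           b"for the future, sunscreen would be it.")
    ct = chacha20_xor(key, bytes.fromhex("000000000000004a00000000"), msg)
    return (block[:16] == bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")
            and ct[:16] == bytes.fromhex("6e2e359a2568f98041ba0728dd0d6981"))


def demo() -> dict:
    secret = os.urandom(32)   # in a real VPN this comes from the key exchange in step 2
    client, server = TunnelEndpoint(secret, "client"), TunnelEndpoint(secret, "server")
    request = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"        # constructed inner packet
    wire = client.seal(request)                                     # step 3, client -> server
    at_server = server.open(wire)                                   # step 4, server forwards this
    at_client = client.open(server.seal(b"HTTP/1.1 200 OK\r\n"))    # step 5, return direction
    results = {"roundtrip": at_server == request and at_client == b"HTTP/1.1 200 OK\r\n",
               "plaintext_on_wire": request in wire}
    # What an on-path attacker can try: replay the captured packet, or flip one ciphertext bit.
    for name, packet in (("replay", wire), ("tamper", wire[:8] + bytes([wire[8] ^ 1]) + wire[9:])):
        try:
            server.open(packet)
            results[name + "_rejected"] = False
        except ValueError:
            results[name + "_rejected"] = True
    return results
```

Two design points worth noticing: the tag is checked before anything is decrypted (a decrypt-then-verify order is what makes padding-oracle style attacks possible), and the sequence number is part of the authenticated data, so an attacker cannot re-label an old packet as a new one.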

What is VPN Split Tunneling?

VPN split tunneling is a feature that allows a user to route some internet traffic through a secure VPN, while other traffic accesses the internet directly, bypassing the VPN. This method divides network traffic into two streams: one is encrypted and routed through the VPN tunnel, and the other connects to the internet as usual. In practice the split is a routing decision made per destination address (or, in some clients, per application). This is particularly useful when simultaneous access to resources in both private and public networks is required.

Advantages of Split Tunneling

The advantage of split tunneling is its efficiency. By only directing necessary traffic through the VPN, it can conserve bandwidth and improve speed for the activities that do not require encryption. For instance, an employee could access their company's internal documents through the VPN while streaming music directly via their local internet connection, which does not require VPN security.

Risks of Split Tunneling

However, there are potential risks. The traffic that does not use the VPN is not encrypted by the VPN, making it potentially vulnerable to threats like data interception, and it leaves from the device's real IP address. A split-tunneled device is also on the corporate network and the open internet at the same time, so malware that reaches it through the direct path can pivot into the private network. Two common leaks to check for: DNS queries for internal names that go to the local resolver instead of through the tunnel, and IPv6 traffic that bypasses a VPN client that installed only IPv4 routes. While split tunneling can optimize network performance, it must be implemented judiciously to maintain security where it is most needed. This function is contingent on the VPN service provider's support and may vary across different devices and operating systems.
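The per-destination routing decision that split tunneling comes down to, with the audit check a practitioner wants alongside it. This is an added example, not from the page or any VPN client; the address ranges, hostnames and "sensitive" destinations are assumptions made for the illustration. It also goes slightly beyond the text by showing two ways the split goes wrong: an overly specific "exception" route, and IPv6 traffic that no installed route covers.

```python
"""Split-tunnel routing: which destinations go through the VPN, and which leak?

Added example, not from the original page. The address ranges, the hostnames
and the "sensitive" destinations are assumptions made for the illustration.
"""
import ipaddress
from typing import Iterable, List

# Routes a VPN client might install. Longest prefix wins, as in the OS routing
# table. A full tunnel is just a default route pointing at the VPN.
SPLIT_TUNNEL_ROUTES = {
    "10.0.0.0/8": "vpn",         # corporate LANs (assumed)
    "172.16.0.0/12": "vpn",      # data-centre networks (assumed)
    "203.0.113.0/24": "vpn",     # company-owned public range (assumed)
    "0.0.0.0/0": "direct",      # everything else bypasses the VPN
}
FULL_TUNNEL_ROUTES = {"0.0.0.0/0": "vpn", "::/0": "vpn"}


def compile_routes(routes: dict) -> list:
    """Order by prefix length, longest first, so the first hit is the most specific."""
    table = [(ipaddress.ip_network(cidr), via) for cidr, via in routes.items()]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def route_for(dst: str, routes: dict) -> str:
    """Longest-prefix match. Returns 'vpn' or 'direct'.

    With no matching route the OS sends the packet out the physical interface,
    so an unmatched address is reported as 'direct'. This is exactly how a VPN
    client that installs only IPv4 routes leaks IPv6 traffic.
    """
    addr = ipaddress.ip_address(dst)
    for net, via in compile_routes(routes):
        if addr in net:               # False when address and network versions differ
            return via
    return "direct"


def leaked_destinations(sensitive: Iterable[str], routes: dict) -> List[str]:
    """Audit: which destinations that must be protected would bypass the tunnel?"""
    return [d for d in sensitive if route_for(d, routes) != "vpn"]


def demo() -> dict:
    # Constructed destinations: an internal file server, a public streaming site,
    # and an internal IPv6-only host (all addresses assumed for the example).
    traffic = {"fileserver": "10.1.2.3", "streaming": "198.51.100.7", "ipv6-intranet": "2001:db8:10::5"}
    split = {name: route_for(ip, SPLIT_TUNNEL_ROUTES) for name, ip in traffic.items()}
    full = {name: route_for(ip, FULL_TUNNEL_ROUTES) for name, ip in traffic.items()}
    # A later "exception" route meant to speed up one subnet is more specific than
    # 10.0.0.0/8, so longest-prefix match silently sends that subnet around the VPN.
    misconfigured = {**SPLIT_TUNNEL_ROUTES, "10.20.0.0/16": "direct"}
    must_protect = ["10.1.2.3", "10.20.3.4", "2001:db8:10::5"]
    return {"split": split, "full": full,
            "leaks_split": leaked_destinations(must_protect, SPLIT_TUNNEL_ROUTES),
            "leaks_misconfigured": leaked_destinations(must_protect, misconfigured)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same audit can be run against a real client by exporting its routing table (for example the output of `ip route` and `ip -6 route` on Linux) into the dictionary and listing every internal address range as "must protect".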

Tunnelling Protocols

Tunneling protocols are the core technologies that make VPNs (Virtual Private Networks) possible. They define how data is packaged, transmitted, and routed securely between your device and the VPN server across public networks like the internet.


OpenVPN

  • Secure, flexible, widely supported.

  • Open-source (GPL) implementation that tunnels traffic inside a TLS session carried over UDP or TCP; the default is UDP port 1194, but any port can be used.

  • Strong encryption and the ability to work across multiple operating systems.

  • Highly regarded for flexibility and security strength; the cipher is negotiated from OpenSSL's suite, and AES-256-GCM is the usual choice today.

  • While OpenVPN allows for significant customization, it requires more complex setup procedures (certificates for the server and each client), which can be mitigated by using configuration software.


L2TP/IPsec

(Layer 2 Tunneling Protocol with IPsec)

  • L2TP/IPsec is a combination of two protocols: L2TP to create the tunnel and IPsec for data encryption and secure communications.

  • Still used, especially in legacy systems or some corporate environments. It is built into most operating systems, which is its main attraction.

  • Note: L2TP itself does not provide encryption; IPsec adds that layer. IPsec here runs ESP in transport mode, so L2TP/IPsec needs UDP 500 and 4500 (and ESP) to get through firewalls, and it is commonly deployed with a single pre-shared key, which weakens authentication if that key is widely distributed.


WireGuard

  • Modern, fast, lean codebase; increasingly preferred.

  • WireGuard is a modern VPN protocol praised for its minimalistic design and high performance. It runs over UDP only.

  • With state-of-the-art encryption, it is both secure and fast. Unlike OpenVPN and IPsec it does not negotiate ciphers: it fixes one suite (ChaCha20-Poly1305 for data, Curve25519 for key exchange, BLAKE2s for hashing, built on the Noise protocol framework), which removes downgrade attacks and a large class of configuration mistakes.

  • WireGuard's lightweight nature (the Linux kernel implementation is a few thousand lines of code and has been part of the mainline kernel since 5.6) makes it easy to implement and audit, contributing to its growing popularity, especially in mobile applications.


SSTP

(Secure Socket Tunneling Protocol)

  • SSTP carries PPP frames inside a TLS session (the original specification allowed SSL 3.0, which is now obsolete and should be disabled) over TCP port 443, the same port as HTTPS. Because the traffic looks like ordinary HTTPS, it passes through most firewalls and proxies that block other VPN protocols. The protocol's limitation is its platform exclusivity: native support exists only on Windows, and third-party clients for other systems are uncommon.

  • Microsoft-developed, integrates well with Windows. Uses TLS over TCP 443.

  • Less open and auditable than OpenVPN or WireGuard. Running over TCP also means it suffers from TCP-over-TCP slowdowns on lossy links.


IKEv2/IPsec

  • Stable, mobile-friendly, especially good for reconnecting.

  • IKEv2 (Internet Key Exchange version 2), in combination with IPsec, delivers a secure, efficient VPN experience: IKEv2 handles authentication and key exchange, and IPsec ESP carries the data.

  • It is recognized for its ability to reestablish a VPN connection swiftly when switching networks (for example from Wi-Fi to cellular), thanks to the MOBIKE extension (RFC 4555), making it a suitable choice for mobile devices.

  • Native support on Windows, macOS and iOS (and recent Android releases) adds to its appeal, though the setup can be intricate on non-native platforms. Like L2TP/IPsec it uses UDP 500 and 4500.


PPTP

(Point-to-Point Tunneling Protocol)

  • PPTP was one of the first VPN protocols: it carries PPP frames inside GRE, with a control channel on TCP port 1723. Ease of setup is its key advantage, requiring minimal configuration and being built into nearly every operating system. Its security, however, is broken.

  • PPTP has been deprecated: its MS-CHAPv2 authentication can be broken by an offline search of a single 56-bit DES key, which recovers the user's password hash and with it the session keys, and its MPPE encryption is based on the weak RC4 stream cipher. It is not recommended for any use where confidentiality matters.

Encrypting IP Tunnels

At a technical level, VPNs rely on IP tunneling, which establishes a virtual point-to-point link between two network nodes, even if they're separated by many intermediary networks. The user's data is encapsulated inside a new IP packet, with the destination address set to the VPN server. Crucially, VPNs add encryption and authentication to this process, ensuring that even if the traffic is intercepted, its contents remain unreadable. By masking the user's IP address and encrypting all transmitted data, VPNs protect against eavesdropping, ISP tracking, and certain forms of censorship or surveillance.

How Encryption Works in VPNs

When you connect to a VPN, your data needs to be protected as it travels across the internet. This protection is provided by a combination of encryption algorithms that handle: 

  • Confidentiality - ensuring data is unreadable to outsiders

  • Integrity - ensuring data has not been altered

  • Authentication - verifying that each end is talking to the real VPN server or client, not an impostor

  • Key exchange - safely sharing secret encryption keys

Encryption Techniques

  • AES-256

    • What it does: Encrypts your data so only the VPN server can read it.

    • Strength: A 256-bit key makes brute force infeasible; "military-grade" in marketing copy means nothing more than that. In practice the weak points are the mode of operation and the key handling, not the cipher itself.

    • How it's used: Common in OpenVPN and IKEv2/IPsec protocols, normally in GCM mode, which provides integrity as well as confidentiality.

    • Why it matters: Fast (hardware-accelerated through AES-NI on most desktop and server CPUs), stable, and time-tested. AES-256 is the standard choice for securing data in transit.

  • ChaCha20-Poly1305

    • What it does: Encrypts data (ChaCha20) and checks its integrity (Poly1305), combined as one authenticated-encryption (AEAD) construction.

    • Why it's popular: Faster than AES on devices without AES hardware acceleration, such as many phones and low-power routers. Its design uses only additions, rotations and XORs, with no data-dependent table lookups, so software implementations are naturally constant-time and resist cache-timing side channels.

    • Where it's used: The only cipher in WireGuard, and one of the standard TLS 1.3 cipher suites (and so available in QUIC, which uses TLS 1.3 for its handshake).

    • Why it matters: Designed for speed and modern cryptographic security.

  • SHA-2 / SHA-3 (Secure Hash Algorithm)

    • What they do: Create a fixed-size fingerprint (hash) of the data. On its own a hash does not stop tampering, since an attacker can recompute it; VPNs use it inside a keyed construction (HMAC-SHA256, for example), in digital signatures, and in key derivation.

    • Use case: Message authentication, verifying data integrity, and deriving session keys from the key exchange output.

    • Where they're used: SHA-2 is common in OpenVPN and IKEv2/IPsec. SHA-3 is a newer standard built on a different internal design (the Keccak sponge); it was selected as a hedge in case the SHA-2 family is ever weakened, not because SHA-2 is broken, and it is rarely used in VPN protocols. (WireGuard uses BLAKE2s instead.)

    • Why it matters: Prevents attackers from injecting or modifying packets unnoticed.

  • Elliptic-Curve Diffie-Hellman (ECDH)

    • What it does: Enables two parties (like your device and a VPN server) to generate a shared secret key, even if someone is watching every message they exchange. The shared secret is only as trustworthy as the authentication of the other side's public key, which is why the exchange is combined with certificates or pre-shared keys.

    • Elliptic curve: gives the same security as finite-field DH with much smaller keys and less computation (a 256-bit curve such as Curve25519 is roughly equivalent to 3072-bit finite-field DH).

    • Where it's used: Key exchange in WireGuard (X25519), modern OpenVPN, IKEv2 and TLS 1.3.

    • Why it matters: Because it is cheap, every session can use fresh, throw-away key pairs. That is what provides Perfect Forward Secrecy (PFS): even if a long-term key is compromised in the future, past sessions remain secure, because their ephemeral keys were discarded.

  • RSA / Diffie-Hellman (DH)

    • What they do: Traditional public-key algorithms. RSA is used for digital signatures (proving the server's identity) and, in older designs, for encrypting a session key; finite-field DH generates a shared secret the same way ECDH does, but with arithmetic modulo a large prime.

    • Limitations:

      • RSA is computationally heavy, and keys below 2048 bits are no longer considered secure. Using RSA to transport the session key also gives no forward secrecy: whoever later obtains the server's private key can decrypt recorded sessions.

      • Finite-field DH is only as strong as its group: 1024-bit groups are within reach of well-resourced attackers (the Logjam attack, 2015), and non-standard or badly chosen groups are a recurring source of weakness.

    • Still in use: Common in older OpenVPN and IPsec setups, but being replaced by ECDH for key exchange (RSA signatures remain common in certificates).

    • Why it matters: Understanding them is important for auditing older VPN implementations. For new deployments prefer ECDH; where finite-field DH is unavoidable, use 2048-bit or larger standard groups (RFC 3526 or RFC 7919).
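The key exchange discussed in the ECDH and DH items, worked through on Curve25519 (the curve WireGuard uses), followed by the key derivation that turns the raw shared secret into session keys. This is an added example and is not from the page or any real VPN: the X25519 is written out for illustration and checked against the RFC 7748 section 6.1 test vector, but production code should call a vetted library. The HKDF labels are assumptions. The second session in the demo is what forward secrecy looks like in practice: two runs with fresh ephemeral keys share nothing, so compromising one later reveals nothing about the other.

```python
"""Ephemeral key exchange on Curve25519 (X25519, RFC 7748) and derivation of
session keys from the shared secret. Added example, not from the page or any
real VPN: the X25519 here is written out for illustration and checked against
the RFC 7748 section 6.1 test vector; production code should use a vetted
library. The HKDF labels are assumptions."""
import hashlib
import hmac
import os

P = 2 ** 255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248; k[31] &= 127; k[31] |= 64        # "clamping" (RFC 7748 section 5)
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127                                  # ignore the unused top bit
    return int.from_bytes(u, "little") % P


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery ladder: the same sequence of field operations whatever the key bits.
    (Python's big integers are not constant-time, so this is illustrative only.)"""
    k, x1 = _decode_scalar(scalar), _decode_u(point)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                                  # real code uses a branch-free cswap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * (da - cb) * (da - cb) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    """Fresh ephemeral key pair: 32 random bytes and the matching public value."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 64, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869): extract, then expand the raw DH output into usable keys."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]


def session_keys(my_priv: bytes, peer_pub: bytes) -> tuple:
    """Shared secret -> (client-to-server key, server-to-client key)."""
    shared = x25519(my_priv, peer_pub)
    if shared == bytes(32):                       # RFC 7748 section 6.1: reject low-order points
        raise ValueError("peer public key is a low-order point")
    keys = hkdf_sha256(shared, b"vpn demo session keys")
    return keys[:32], keys[32:]


def rfc7748_self_test() -> bool:
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    a_pub, b_pub = x25519(a, BASEPOINT), x25519(b, BASEPOINT)
    k = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
    return (a_pub.hex() == "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
            and b_pub.hex() == "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
            and x25519(a, b_pub) == k and x25519(b, a_pub) == k)


def rejects_low_order_point() -> bool:
    try:
        session_keys(os.urandom(32), bytes(32))   # u = 0 is a low-order point
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Two sessions with fresh ephemerals: both sides agree within a session, and
    the sessions share nothing (the property behind perfect forward secrecy)."""
    c_priv, c_pub = keypair(); s_priv, s_pub = keypair()
    session1_client, session1_server = session_keys(c_priv, s_pub), session_keys(s_priv, c_pub)
    c2_priv, _ = keypair(); _, s2_pub = keypair()
    session2_client = session_keys(c2_priv, s2_pub)
    return {"agree": session1_client == session1_server, "independent": session1_client != session2_client}
```

Note what this exchange does not do: an attacker sitting between the two sides could run it with each of them separately, so a real handshake binds the public values to an identity (a certificate signature, a static key as in WireGuard, or a pre-shared key) before the derived keys are trusted.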

Comparing VPN Protocols

The table below highlights several commonly used VPN protocols, the encryption methods they rely on, and key notes about each. Protocols like WireGuard and OpenVPN are widely recommended today for their strong security and performance. Others, like L2TP/IPsec and SSTP, may still be in use for compatibility but are less ideal for new deployments. PPTP is included for historical context but is considered outdated and insecure. Understanding these differences helps users make informed decisions about privacy and security.


Figure 3.  VPN Protocol Comparison Table
