How VPNs Actually Work: Tunnelling, Encryption & What They Really Hide


A VPN is one of the most misunderstood tools in the consumer privacy space. Marketing promises "military-grade encryption" and "complete anonymity." Neither claim is quite true — but VPNs do something genuinely useful, and understanding the mechanism makes you a far smarter user of one.

This article explains how the technology actually works under the hood, from the tunnel abstraction to the cipher suites, and honestly maps what a VPN conceals versus what it leaves fully visible.

The Tunnel: How VPN Traffic Is Wrapped

When you connect to a VPN, your device and the VPN server negotiate a shared session. From that point on, every packet your device sends is encapsulated — wrapped inside another packet addressed to the VPN server — before it leaves your machine.

Think of it as envelope-in-an-envelope mail. Your actual request (say, a GET to example.com) becomes the inner letter. The VPN software seals it inside an outer envelope addressed to the VPN server's IP. Your ISP, your router, and anyone watching the network path between you and the server only see the outer envelope. The destination, the content, and the protocol of the inner packet are hidden from them.

When the outer packet arrives at the VPN server, it is unwrapped. The server forwards the inner request on your behalf, receives the response, wraps it back up, and sends it back through the tunnel to your device.

This tunnel approach has two immediate consequences:

  1. Your public IP address changes. Websites and services you visit see the VPN server's IP, not yours.
  2. Your ISP can no longer read your traffic. It can only see that you are sending encrypted packets to a particular IP — the VPN server.
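The envelope-in-an-envelope mechanism above, as an added Go example that is not part of this article: an inner packet is sealed with AES-256-GCM (the OpenVPN default cited below) inside a frame whose only cleartext is the outer source and destination address, and a helper shows exactly what an on-path observer can read. The 32-byte session key is assumed to have been negotiated already (the handshake is not shown), and the frame layout is constructed for illustration, not taken from any real VPN protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"net"
)

// Frame: outer src IPv4 (4) | outer dst IPv4 (4) | nonce (12) | AES-256-GCM ciphertext + tag. Constructed layout, not a real protocol.
type Tunnel struct{ aead cipher.AEAD }

// NewTunnel wraps the negotiated session key in AES-256-GCM (a 32-byte key selects AES-256).
func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Tunnel{aead}, err
}

// Encapsulate seals an inner packet inside an outer frame addressed to the VPN server; the
// cleartext header is bound to the ciphertext as additional data, so rewriting it is detected.
func (t *Tunnel) Encapsulate(outerSrc, outerDst [4]byte, inner []byte) ([]byte, error) {
	hdr := append(outerSrc[:], outerDst[:]...)
	nonce := make([]byte, t.aead.NonceSize()) // fresh random nonce per frame: GCM must never reuse one
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	frame := append(hdr, nonce...)
	return t.aead.Seal(frame, nonce, inner, hdr), nil
}

// Decapsulate authenticates and opens a frame at the VPN server (or at the client on the way back).
func (t *Tunnel) Decapsulate(frame []byte) ([]byte, error) {
	n := 8 + t.aead.NonceSize()
	if len(frame) < n+t.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	return t.aead.Open(nil, frame[8:n], frame[n:], frame[:8])
}

// ObserverView is everything an on-path observer (ISP, router, coffee-shop Wi-Fi) can read from a frame.
func ObserverView(frame []byte) (src, dst string, encryptedBytes int) {
	if len(frame) < 8 {
		return "", "", 0
	}
	return net.IP(frame[:4]).String(), net.IP(frame[4:8]).String(), len(frame) - 8
}
```

The observer learns the two addresses and the payload size (the timing and size pattern the article mentions), nothing about the inner destination or content.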

Encryption Protocols Explained

Not all VPN connections are equal. The protocol governing how the tunnel is established and how data is encrypted matters enormously.

OpenVPN has been the industry workhorse for over a decade. It uses TLS for the control channel (key exchange, authentication) and can use either TCP or UDP for the data channel. It supports AES-256-GCM by default on modern configurations, which is effectively unbreakable with current hardware. OpenVPN is open-source, widely audited, and configurable — but it can be slow and its distinctive traffic pattern is sometimes blocked by deep-packet inspection (DPI) firewalls.

WireGuard is the newer standard and has largely superseded OpenVPN for speed and simplicity. It is a lean ~4,000-line kernel module that uses ChaCha20-Poly1305 for symmetric encryption, Curve25519 for key exchange, and BLAKE2s for hashing. Because it lives in the kernel, context-switching overhead is minimal. Real-world benchmarks consistently show WireGuard delivering 2–4× higher throughput than OpenVPN on the same hardware. Its limitation: it stores client IP addresses in memory for the session's duration, which is a minor privacy concern that most providers address with periodic key rotation.

IKEv2/IPsec is common on mobile devices because it handles network changes (switching from Wi-Fi to mobile data) without dropping the session. It is fast and natively supported on iOS, macOS, and Windows without a third-party client. The downside is its complexity — the IPsec specification is sprawling, and misconfiguration risks are higher than with WireGuard.

L2TP/IPsec and PPTP are legacy protocols. PPTP has known weaknesses and should not be used. L2TP/IPsec is acceptable but slower and less elegant than modern alternatives. Avoid them unless forced by compatibility constraints.

A rule of thumb for protocol selection: use WireGuard if your provider offers it, OpenVPN as a fallback, IKEv2 on mobile.

What a VPN Actually Hides

With the mechanics clear, the honest scope of what a VPN conceals is:

From your ISP:

  • The destination hostnames and IP addresses you connect to
  • The full content of your HTTP/HTTPS requests and responses
  • Your DNS queries (assuming the VPN handles DNS internally — more on that in a moment)
  • The timing and size patterns that could reveal the type of traffic

From the websites you visit:

  • Your real IP address and the location derived from it
  • The identity of your ISP
  • Any IP-based tracking that relies on your residential or mobile IP being consistent

From casual network observers (coffee shop Wi-Fi, your employer's router if you connect before authentication):

  • Everything the ISP sees above, plus (if the provider supports obfuscation/stealth modes) the fact that you are using a VPN at all

What a VPN Does NOT Hide

This is where VPN marketing becomes misleading.

Your DNS queries may still leak. If your device sends DNS requests outside the VPN tunnel — a condition called a DNS leak — your ISP can see every hostname you resolve. Most reputable VPN clients prevent this by routing DNS through the tunnel, but you should verify with a tool like Check My Setup or a dedicated DNS leak test. WebRTC can also expose your real IP in browsers even when connected to a VPN.

The VPN provider itself sees everything your ISP used to see. You are shifting trust, not eliminating it. The provider knows your real IP (you connected to them), the timestamps of your sessions, and the traffic volumes. If they keep logs, that data can be subpoenaed, breached, or sold. "No-logs" audits by third parties have become the baseline standard for reputable providers, but they are point-in-time snapshots, not continuous guarantees.

Your browser fingerprint is unchanged. Your screen resolution, installed fonts, WebGL renderer string, language settings, and dozens of other signals remain the same regardless of VPN use. Ad networks and trackers that use fingerprinting can still identify you across sessions.

Logged-in accounts identify you perfectly. If you access Google, Facebook, or any service you are logged into, those services know exactly who you are regardless of IP. The IP anonymity a VPN provides is irrelevant once you authenticate.

Traffic leaving the VPN server is exposed again. The tunnel only protects the hop between you and the server; once the server decapsulates your packets, deep packet inspection by the hosting provider or by nation-state actors on that network is possible for anything not independently encrypted. HTTPS keeps the content protected on that second hop, but if you are visiting plain HTTP sites, the VPN server operator can read your traffic.

Choosing the Right VPN Protocol

The decision tree is straightforward:

  1. Need maximum throughput on desktop? Use WireGuard.
  2. Need to bypass DPI censorship? Use a VPN with obfuscation (Shadowsocks wrapper around OpenVPN, V2Ray, or proprietary stealth modes from providers like Mullvad or ExpressVPN).
  3. On iOS or Android, switching between Wi-Fi and mobile frequently? Use IKEv2, or WireGuard with a provider that implements persistent reconnect well.
  4. Using a legacy corporate gateway? L2TP/IPsec is probably what is required — accept the speed penalty.
  5. Targeting long-term privacy, not just IP masking? Combine WireGuard with a provider that accepts anonymous payment and has a published, independently verified no-logs policy.

One detail worth emphasizing: the cipher suite matters less than the implementation. AES-256 and ChaCha20 are both beyond brute-force attack with current technology. What breaks VPN security in practice is metadata leakage, log retention, poor key management, and provider jurisdiction — not theoretical weaknesses in modern cipher suites.

FAQ

Does a VPN make me completely anonymous online?

No. A VPN hides your IP address and prevents your ISP from reading your traffic, but it does not prevent fingerprinting, account-based tracking, or identification by the VPN provider itself. True anonymity requires a layered approach: VPN combined with the Tor network, a hardened browser, and rigorous operational security around accounts and logins.

Can my ISP tell I'm using a VPN?

Yes, almost certainly. Your ISP can see that you are sending a sustained stream of encrypted traffic to a commercial IP address. Most VPN provider IPs are publicly known or easily identified through reverse DNS and ASN lookups. What your ISP cannot see is what you are doing through the VPN. Some providers offer obfuscation that makes VPN traffic look like ordinary HTTPS, which helps in countries that block VPN protocols.

Is a VPN necessary if I only visit HTTPS sites?

HTTPS encrypts the content of your requests, but your ISP can still see the hostnames of every site you visit through DNS queries and the SNI field in the TLS handshake. A VPN prevents this. For most users on trusted networks (home internet, mobile data), HTTPS alone is probably sufficient. On untrusted networks (public Wi-Fi, hotel networks), adding a VPN is a sensible extra layer even if you only browse HTTPS sites.
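To make the SNI point concrete, here is an added Go example (not from the article) that extracts the server_name an ISP can read from a TLS ClientHello sent outside a VPN tunnel. The parser walks the ClientHello layout from RFC 5246 and the server_name extension from RFC 6066, bounds-checking every read; SampleHello is a constructed minimal hello for example.com, not a captured one.

```go
package main

import (
	"encoding/hex"
	"errors"
)

// ExtractSNI returns the server_name host from a TLS ClientHello record ("" if absent); every read is bounds-checked, so malformed input yields an error rather than a panic.
func ExtractSNI(rec []byte) (host string, err error) {
	take := func(n int) []byte { // consume n bytes or flag the record as truncated
		if err != nil || n < 0 || n > len(rec) {
			err = errors.New("truncated or malformed ClientHello")
			return nil
		}
		v := rec[:n]
		rec = rec[n:]
		return v
	}
	num := func(n int) (v int) { // n-byte big-endian integer field (0 after a failed read)
		for _, x := range take(n) {
			v = v<<8 | int(x)
		}
		return v
	}
	recType, _ := num(1), take(2)          // content type, record version
	rec = take(num(2))                     // confine parsing to this record's body
	if recType != 0x16 || num(1) != 0x01 { // 0x16 = handshake, 0x01 = ClientHello
		return "", errors.New("not a TLS ClientHello record")
	}
	take(3 + 2 + 32)   // handshake length, client_version, random
	take(num(1))       // legacy session_id
	take(num(2))       // cipher_suites
	take(num(1))       // compression_methods
	rec = take(num(2)) // extensions block
	for err == nil && len(rec) > 0 {
		typ := num(2)
		body := take(num(2))
		if typ == 0 && err == nil { // server_name extension (RFC 6066)
			rec = body
			take(3) // server_name_list length and name_type (0 = host_name)
			name := take(num(2))
			return string(name), err
		}
	}
	return "", err
}

// SampleHello is a constructed minimal ClientHello for example.com, not a real capture.
var SampleHello, _ = hex.DecodeString("16030100430100003f0303"+"0000000000000000000000000000000000000000000000000000000000000000"+ // header, version, zeroed random
	"0000021301"+"0100"+"0014"+"00000010000e00000b"+"6578616d706c652e636f6d") // session_id, suite, compression, SNI extension
```

Inside a VPN tunnel this whole record sits in the encrypted payload, so the same observer sees only the VPN server's address.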