VPN Basics — What VPNs Actually Do

A VPN (Virtual Private Network) creates an encrypted “tunnel” between two endpoints over a public network. Inside the tunnel, traffic looks like it’s on a private LAN — even though it’s actually crossing the internet. VPN advertising oversells the privacy benefits and undersells the real engineering uses.

What a VPN actually does

  1. Encrypts traffic between the two endpoints
  2. Encapsulates the original packets inside new packets (so internal IPs work over the internet)
  3. Authenticates both ends so an impostor can’t join

That’s it. A VPN does NOT make you anonymous to the destination — the VPN provider sees everything you do.

The two main use patterns

Site-to-site VPN

Permanently connects two networks (offices, data centers) via VPN tunnels. Devices in either network reach devices in the other as if they were on the same LAN.

Office A network (10.1.0.0/16)
       │
       └── VPN gateway A ─── encrypted tunnel ─── VPN gateway B
                                                       │
                                                       └── Office B network (10.2.0.0/16)

A device at 10.1.5.42 can reach 10.2.5.99 directly.

Remote access VPN

Individual users (laptops, phones) connect to a corporate network from anywhere. Their device gets an IP in the corporate range and can reach internal resources.

Your laptop ──── encrypted tunnel ──── Corporate VPN server
   │                                            │
   gets IP 10.5.x.x in corp network             │
                                                │
                                                └── Corporate intranet

Consumer “VPN service”

What NordVPN, ExpressVPN, etc. sell. Routes ALL your internet traffic through their server before it reaches the destination.

Your laptop ──── tunnel ──── VPN provider's server ──── Internet

What it provides:
  ✓ Encrypts traffic from you to the VPN server (good on public Wi-Fi)
  ✓ Hides your real IP from destinations (they see VPN's IP)
  ✓ Lets you appear to be in another country (geo-bypass)

What it does NOT provide:
  ✗ Anonymity (the VPN provider knows everything you do)
  ✗ Protection from sites that fingerprint you
  ✗ Magic privacy (cookies, accounts, browser fingerprints still expose you)

Common VPN protocols

| Protocol | Type | Notes |
|---|---|---|
| WireGuard | Modern | Simple, fast, in-kernel. Default choice today. |
| OpenVPN | Mature | Battle-tested, very flexible, slower than WireGuard |
| IPsec / IKEv2 | Standard | Common for site-to-site, baked into routers/firewalls |
| L2TP/IPsec | Older | Common in older corporate setups |
| SSTP | Microsoft | Tunnels through HTTPS, helps in restrictive networks |
| PPTP | Dead | Cryptographically broken, never use |

Split tunneling

Send only SPECIFIC traffic through the VPN, everything else goes direct.

# Example
Default route: regular internet
10.0.0.0/8 → through VPN (corporate network)

Result:
  Browsing google.com → direct, fast, private to your ISP
  SSH to internal server 10.5.42.99 → through VPN tunnel

Trade-off: faster for general traffic, but a security risk if you wanted ALL your traffic protected by the VPN.
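
The routing decision behind split tunneling, as an added example (not part of the original post): longest-prefix match over the two routes above, plus an audit that flags destinations you expected inside the tunnel but that would actually go direct. The egress labels "vpn" and "direct" and the addresses 172.16.8.10 and 203.0.113.10 are constructed for illustration.

```python
import ipaddress

# Constructed split-tunnel route table modelled on the example above.
# Each entry is (destination prefix, egress label); the labels are assumptions.
SPLIT_ROUTES = [
    ("0.0.0.0/0", "direct"),  # default route: regular internet
    ("10.0.0.0/8", "vpn"),    # corporate network through the tunnel
]

# Full-tunnel variant for comparison: everything goes through the VPN.
FULL_ROUTES = [("0.0.0.0/0", "vpn")]


def egress_for(dest, routes=SPLIT_ROUTES):
    """Pick the egress by longest-prefix match, the way an OS routing table does."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        # An IPv4 route never matches an IPv6 destination, and vice versa.
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, egress)
    return best[1] if best else None  # None means no matching route


def audit(must_be_tunneled, routes=SPLIT_ROUTES):
    """Return the destinations that were expected in the tunnel but are not."""
    return [d for d in must_be_tunneled if egress_for(d, routes) != "vpn"]


if __name__ == "__main__":
    # Constructed sample destinations: the internal server from the text,
    # a hypothetical internal host outside 10.0.0.0/8, and a public address.
    for dest in ["10.5.42.99", "172.16.8.10", "203.0.113.10"]:
        print(f"{dest:15} -> {egress_for(dest)}")

    # 172.16.8.10 is internal in this scenario, but no split route covers it,
    # so it silently follows the default route outside the tunnel.
    print("bypassing tunnel:", audit(["10.5.42.99", "172.16.8.10"]))
```

Running the same audit against the routes a client actually installed shows which internal ranges the split-tunnel configuration forgot.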

Common questions

“Does a VPN protect me on public Wi-Fi?”

Yes. Anyone sniffing the Wi-Fi sees only encrypted VPN traffic, not your actual content. This is the strongest argument for consumer VPNs.

“Does a VPN make me anonymous?”

No. The VPN provider can see everything (technically). They can be subpoenaed. Logs may exist regardless of “no logs” claims. Browser fingerprinting, cookies, and login state still identify you.

“Should I trust [VPN brand]?”

You’re shifting trust from your ISP to your VPN provider. Whether that’s an upgrade depends on which entity you trust more. Audit reports help, but ultimately it’s a trust call.

“Will a VPN slow me down?”

Yes — encryption overhead, longer route through the VPN server, possible bandwidth caps. Modern protocols (WireGuard) minimize this. Expect 10-30% throughput reduction.

What to learn next

WireGuard — the modern VPN protocol everyone is moving to. Up next.
