How Does a VPN Actually Work? Tunnels, Encryption, and Why It Hides Your IP
A VPN builds an encrypted tunnel between your device and a server run by a provider. Your packets are wrapped inside that tunnel, so your ISP sees only encrypted traffic to the VPN, and the destination sees only the VPN server's IP. Three protocols dominate in 2026: WireGuard (fast, modern), OpenVPN (mature, flexible), IKEv2/IPsec (great for mobile). A kill switch blocks traffic if the tunnel drops. A VPN does not anonymize you, defeat fingerprinting, or stop malware: it moves trust from your ISP to the VPN operator.
Most explanations of VPNs stop at "it encrypts your traffic." That misses what is actually interesting: a VPN is a small piece of network plumbing that re-routes every packet your device sends, wraps each one in a sealed envelope, and ships them to a server that opens and forwards them on your behalf. This article walks through the mechanism, the three dominant protocols, and the things a VPN demonstrably does not do.
The core mechanism: encapsulation
Normally, when your laptop fetches example.com, your operating system builds an IP packet with a source (your IP) and a destination (the server's IP), and hands it to your router, which forwards it upstream. Your ISP sees the source, the destination, and (without TLS) the content. With HTTPS, the content is encrypted but the metadata is still visible: the destination IP, packet sizes and timing, and usually the hostname itself, which the TLS ClientHello carries in clear text (SNI) unless Encrypted Client Hello is in use.
A VPN inserts an extra step. Your device runs a VPN client, which:
- Builds the original packet to example.com as usual.
- Encrypts and authenticates that whole packet (header included), so the real destination sits inside the ciphertext.
- Wraps it inside a new packet addressed to the VPN server.
- Sends that outer packet over the normal internet.
- The VPN server unwraps, verifies the authentication tag, decrypts, and forwards the original packet to example.com, rewriting the source IP to its own (ordinary network address translation, which also means recomputing the header checksums).
- The reply comes back to the VPN server, which encrypts and tunnels it back to you.
This is called encapsulation. From your ISP's perspective, you sent one big encrypted blob to a server in (say) Amsterdam. From example.com's perspective, the request came from Amsterdam. Your real IP and the destination are decoupled.
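The walk-through above as runnable code. This is an added example, not code from any VPN project: it builds a real IPv4/UDP inner packet, wraps it in an outer packet to the VPN server, and has the server authenticate, decrypt and NAT it. The cipher is a stand-in assembled from keyed BLAKE2s (a keystream plus a tag) so the block runs on the standard library; it is not ChaCha20-Poly1305 and must never carry real traffic. All addresses are documentation ranges chosen for the example, and the inner packet is built without IP options (20-byte header).

```python
"""Toy model of VPN encapsulation and exit-side NAT (added example, not code
from any VPN project). The cipher is a BLAKE2s-based stand-in, NOT a real AEAD.
Addresses are RFC 5737 documentation ranges picked for the example."""
import hashlib
import hmac
import socket
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; a header with a valid checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """IPv4 header without options (IHL=5), TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "payload": pkt[ihl:]}

def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    # Checksum 0 means "absent", which IPv4 permits, so the NAT step below does
    # not have to recompute it. Real NAT also fixes TCP/UDP checksums, which
    # cover the IP addresses through the pseudo-header.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def toy_seal(key: bytes, counter: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in. The counter is the nonce: never reuse it under one key."""
    nonce = struct.pack("!Q", counter)
    stream = b"".join(
        hashlib.blake2s(nonce + struct.pack("!I", i), key=key, person=b"toy-ks").digest()
        for i in range((len(plaintext) + 31) // 32))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hashlib.blake2s(nonce + ct, key=key, digest_size=16, person=b"toy-tag").digest()
    return nonce + ct + tag

def toy_open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:8], blob[8:-16], blob[-16:]
    expect = hashlib.blake2s(nonce + ct, key=key, digest_size=16, person=b"toy-tag").digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tag mismatch: packet was modified or wrong key")
    stream = b"".join(
        hashlib.blake2s(nonce + struct.pack("!I", i), key=key, person=b"toy-ks").digest()
        for i in range((len(ct) + 31) // 32))
    return bytes(c ^ k for c, k in zip(ct, stream))

def client_encapsulate(key: bytes, counter: int, client_ip: str, vpn_ip: str, inner_pkt: bytes) -> bytes:
    """Wrap the whole inner packet, header included, in an outer UDP/IP packet to the VPN server."""
    sealed = toy_seal(key, counter, inner_pkt)
    return build_ipv4(client_ip, vpn_ip, 17, build_udp(51820, 51820, sealed))

def rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """Exit-side NAT: swap the source address and recompute the IPv4 header checksum."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = socket.inet_aton(new_src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]

def server_forward(key: bytes, outer_pkt: bytes, exit_ip: str) -> bytes:
    """What the VPN server does: strip outer headers, authenticate, decrypt, NAT, forward."""
    blob = parse_ipv4(outer_pkt)["payload"][8:]   # drop the outer UDP header
    inner = toy_open(key, blob)                     # raises ValueError on tampering
    return rewrite_src(inner, exit_ip)

def isp_view(outer_pkt: bytes) -> tuple:
    """All an on-path observer gets: outer source, outer destination, and size."""
    o = parse_ipv4(outer_pkt)
    return (o["src"], o["dst"], len(outer_pkt))

if __name__ == "__main__":
    key = bytes(range(32))                          # session key agreed earlier (assumed)
    inner = build_ipv4("192.168.1.10", "203.0.113.80", 17, build_udp(40000, 443, b"hello"))
    outer = client_encapsulate(key, 1, "203.0.113.5", "198.51.100.7", inner)
    print("ISP sees:", isp_view(outer))
    fwd = server_forward(key, outer, "198.51.100.7")
    print("example.com sees:", parse_ipv4(fwd)["src"], "->", parse_ipv4(fwd)["dst"])
```

The point to take from the code is in `isp_view` and `server_forward`: the outer packet names only the client and the VPN server, the inner destination is inside the ciphertext, and the server is the one party that sees both ends. Flip any byte of the outer payload and `toy_open` rejects it, which is the "cannot tamper without detection" property; a real protocol gets the same guarantee from ChaCha20-Poly1305 or AES-GCM.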
The three dominant protocols in 2026
| Protocol | Released | Codebase size | Typical speed (% of native, rough) | Mobile-friendly | Transport | Data cipher |
|---|---|---|---|---|---|---|
| WireGuard | 2016 (Linux kernel 5.6, 2020) | ~4,000 lines | 85-95% | Excellent (roams natively) | UDP only | ChaCha20-Poly1305 (fixed, not negotiated) |
| OpenVPN | 2001 | ~100,000 lines (plus OpenSSL) | 60-80% | Decent | UDP or TCP | AES-256-GCM (negotiated) |
| IKEv2/IPsec | 2005 (RFC 4306; current spec RFC 7296) | Varies (kernel IPsec plus userspace IKE daemon) | 75-90% | Excellent (MOBIKE reconnects fast) | UDP 500/4500 + ESP | AES-256-GCM (negotiated) |
| L2TP/IPsec | 1999 | Legacy | 50-70% | Poor | UDP 1701 inside ESP | AES-256-CBC (negotiated; 3DES on old stacks) |
| PPTP | 1999 | Legacy | Fast but broken | n/a | TCP 1723 + GRE | MPPE (RC4); MS-CHAPv2 authentication is broken |
WireGuard
WireGuard is the modern default. Written by Jason Donenfeld and merged into the Linux kernel in 2020, it has roughly 1/25th the code of OpenVPN, which makes it far easier to audit. It uses a fixed set of modern primitives (Curve25519, ChaCha20-Poly1305, BLAKE2s) rather than negotiating ciphers, so there is no downgrade path to negotiate. The smaller surface area is a security feature in itself. The trade-off is that the protocol has no dynamic address assignment or user accounts: each peer is a static public key with a fixed tunnel IP, and the server keeps that key and the peer's last seen endpoint in memory. Providers paper over this with custom client code (rotating keys, assigning addresses out of band, NAT between the WireGuard layer and the exit).
OpenVPN
The mature workhorse. Configurable to a fault, runs on UDP for speed or TCP for getting through firewalls, supports a wide range of ciphers, and has been deployed for two decades. Slower than WireGuard but still the right choice when you need to traverse restrictive firewalls: it can run on TCP port 443, which most firewalls leave open for HTTPS. Note that this only helps against port-based filtering; deep packet inspection can still tell OpenVPN from TLS unless the tunnel is additionally wrapped in a TLS or obfuscation layer (stunnel, obfs4 and similar).
IKEv2/IPsec
The favorite for mobile devices. IKEv2's MOBIKE extension (RFC 4555) reconnects gracefully when you switch between Wi-Fi and cellular, which OpenVPN handles poorly (WireGuard roams natively as well, but without the OS integration). Built into iOS, macOS, and Windows natively, so it can run without a separate client. Specified in RFC 7296.
The deprecated ones
PPTP is broken; do not use it. L2TP/IPsec is slow and limited. Some providers still list them for compatibility with old devices; the safe rule in 2026 is to prefer WireGuard, fall back to OpenVPN, and use IKEv2 on mobile.
What encryption does (and does not) do
Modern VPN protocols use authenticated encryption (AES-256-GCM or ChaCha20-Poly1305) for which no practical attack is known; when a tunnel fails, it is through key compromise, implementation bugs, or misconfiguration, not cryptanalysis. The encryption ensures that:
- An observer on the path cannot read packet contents.
- An observer cannot tamper with packets without detection.
- The destinations of your traffic (beyond the VPN server) are hidden from your ISP.
It does not ensure that:
- The VPN provider cannot see your traffic. They can; they are the other end of the tunnel, and they see every destination IP, every DNS query you send to their resolver, and the hostnames in TLS SNI.
- The websites you visit cannot identify you through cookies, accounts, or fingerprints.
- Your DNS queries are necessarily routed through the tunnel; misconfiguration causes leaks. See DNS leak explained.
- WebRTC will not reveal your real IP in the browser. See WebRTC leak explained.
The kill switch
A kill switch is a fail-closed firewall policy: on the physical interface, allow only traffic to the VPN server's address and port (and, optionally, the local network), and allow everything else only on the tunnel interface. Without it, when the tunnel fails for a few seconds (Wi-Fi handoff, server reboot, ISP hiccup), your device falls back to the normal default route and sends a few packets directly, leaking your real IP and your DNS queries. Good clients ship a system-level kill switch that the OS packet filter enforces; weaker ones implement it only at the app level, which misses background services and anything started before the app.
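The leaks described in the last two sections (DNS resolved outside the tunnel, traffic that would leave on the physical interface) can be checked offline from three things a client leaves on disk: the tunnel configuration, the routing table, and the resolver configuration. The checker below is an added example, not a tool from any provider. It assumes a WireGuard-style config with `Address`, `DNS`, `Endpoint` and `AllowedIPs` keys, plain `ip route show` output, and a Linux-style resolv.conf; all three inputs are constructed samples using documentation and CGNAT address ranges. Clients that use policy routing instead of the main table (wg-quick's fwmark tables, for instance) need their rule tables fed in as well, which this example does not do.

```python
"""Offline sanity check for a full-tunnel VPN setup (added example; not a tool
from any VPN provider). Inputs below are constructed samples."""
import ipaddress

def parse_routes(text):
    """Turn `ip route show` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(prefix, strict=False)   # bare host -> /32
        routes.append((net, parts[parts.index("dev") + 1]))
    return routes

def egress_interface(routes, dst):
    """Longest-prefix match: the interface a packet to dst would leave on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def parse_wg_conf(text):
    """Minimal INI reader that keeps repeated keys (AllowedIPs may repeat)."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]")
            conf.setdefault(section, {})
        elif "=" in line and section:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section].setdefault(key, []).extend(v.strip() for v in value.split(","))
    return conf

def check_tunnel(wg_conf, ip_route, resolv_conf, tun_if="wg0", probe="203.0.113.77"):
    """Return a list of findings; an empty list means no leak was detected.
    `probe` is any public address standing in for 'the rest of the internet'."""
    conf, routes, findings = parse_wg_conf(wg_conf), parse_routes(ip_route), []
    allowed = [ipaddress.ip_network(a) for a in conf["Peer"].get("AllowedIPs", [])]
    if not any(n.prefixlen == 0 for n in allowed):
        findings.append("split tunnel: AllowedIPs does not cover 0.0.0.0/0")
    via = egress_interface(routes, probe)
    if via != tun_if:
        findings.append(f"default route leaks: {probe} would leave via {via}, not {tun_if}")
    endpoint_ip = conf["Peer"]["Endpoint"][0].rsplit(":", 1)[0].strip("[]")
    if egress_interface(routes, endpoint_ip) == tun_if:
        findings.append(f"routing loop: endpoint {endpoint_ip} is routed into {tun_if}")
    for line in resolv_conf.splitlines():
        if line.startswith("nameserver"):
            ns = line.split()[1]
            if egress_interface(routes, ns) != tun_if:
                findings.append(f"DNS leak: resolver {ns} is reached outside {tun_if}")
    return findings

# Constructed WireGuard-style config (keys omitted).
WG_CONF = """\
[Interface]
PrivateKey = <omitted>
Address = 10.64.0.2/32
DNS = 10.64.0.1

[Peer]
PublicKey = <omitted>
Endpoint = 198.51.100.7:51820
AllowedIPs = 0.0.0.0/0
"""
# Constructed `ip route show` for a correct full tunnel: everything via wg0
# except the LAN and a pinned host route to the endpoint via the physical gateway.
ROUTES_FULL_TUNNEL = """\
default dev wg0 scope link
10.64.0.1 dev wg0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.10
198.51.100.7 via 192.168.1.1 dev wlan0
"""
# Same host with the tunnel up but the default route still on Wi-Fi and the
# home router as resolver: both an IP leak and a DNS leak.
ROUTES_LEAKY = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.64.0.0/10 dev wg0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.10
"""
RESOLV_TUNNEL = "nameserver 10.64.0.1\n"
RESOLV_ROUTER = "nameserver 192.168.1.1\n"

if __name__ == "__main__":
    print("full tunnel:", check_tunnel(WG_CONF, ROUTES_FULL_TUNNEL, RESOLV_TUNNEL) or "no leaks found")
    for finding in check_tunnel(WG_CONF, ROUTES_LEAKY, RESOLV_ROUTER):
        print("LEAK:", finding)
```

The endpoint check matters as much as the default-route check: a full tunnel that does not pin a host route for the VPN server via the physical gateway would try to send its own encrypted packets into the tunnel. On a live machine, feed the functions the real `ip route show`, the client's config and `/etc/resolv.conf`; the same longest-prefix logic applies to OpenVPN's `redirect-gateway def1` layout (0.0.0.0/1 and 128.0.0.0/1 via the tun device), which this checker handles without change.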
What "no-logs" means, and why it is often a lie
"No-logs" is the marketing claim almost every consumer VPN makes. What it should mean: the provider keeps no record of which user connected when, from which IP, to which destination. In practice the term covers a spectrum:
- Genuine no-logs: provider does not write connection or activity logs. Verified by independent audit and ideally a real-world legal challenge (Mullvad and IVPN have both publicly demonstrated they had nothing to hand over to investigators).
- "Aggregated logs": connection counts, bandwidth used, server load. These are usually fine and do not identify individuals.
- "Diagnostic logs": temporary connection records "for service quality." Often kept longer than claimed.
- Outright lying: providers caught in past investigations producing detailed user records despite "no-logs" claims.
The reliable signal is an independent audit by a credible firm (Cure53, Securitum, Deloitte) plus the provider's jurisdiction. Providers in countries with mandatory data retention (India after 2022, Australia, UK) are structurally constrained no matter what they advertise.
Trust shifts, it does not disappear
Without a VPN, your ISP can see every site you visit. With a VPN, your VPN provider can. You have not removed the observer, you have replaced it. That is a real privacy improvement if and only if:
- You trust the VPN provider more than your ISP.
- The provider's incentives are aligned with privacy (paid subscription, not advertising or data brokerage).
- The provider's jurisdiction allows them to honor their no-logs claim.
- The technical implementation does not leak.
This is a meaningful improvement against many threats (mass ISP surveillance, public Wi-Fi snooping, geographic restrictions) and meaningless against others (a targeted investigation, your Google account, browser fingerprinting). For more on what an IP exposes, see what does my IP say about me, and can someone find me with my IP.
What a VPN does not do
A clear list of things people expect from VPNs that VPNs do not deliver:
- Anonymize you on logged-in services. If you sign into Gmail through a VPN, Gmail knows it is you.
- Prevent browser fingerprinting. Canvas, font, and timezone fingerprints survive any IP change.
- Stop malware. The VPN forwards whatever you download, encrypted or not.
- Hide you from your employer's monitoring software. A VPN inside the employer's managed laptop is a curiosity, not a privacy tool.
- Make you anonymous against the adversaries Tor is built for. A VPN is one hop run by one party who sees both ends; Tor spreads that trust across three relays run by different operators, so no single one sees both who you are and what you visit.
- Bypass two-factor authentication on accounts. The IP change can actually trigger 2FA more often.
Where the IP change matters
Despite all the limits above, a VPN's IP swap is genuinely useful. It changes what IP geolocation services report (covered in geolocation API comparison), it bypasses simple geo-blocking, it hides your IP from servers that log them, and it protects against passive surveillance on public Wi-Fi. To verify what IP a destination is seeing after you connect, the simplest check is the homepage IP tool. To shop for alternatives or different methods entirely, see 9 ways to hide your IP and how to hide your IP address.
Bottom line
A VPN is encryption plus encapsulation plus an exit server. The result is that observers between you and the VPN cannot see what you do, and observers between the VPN and the destination cannot see who you are. The provider sits in the middle and sees everything, which is why provider choice matters more than protocol choice. Use WireGuard when you can, OpenVPN when you must, IKEv2 on mobile. Pick a provider with an independent audit, in a jurisdiction without mandatory logging. Verify your setup with leak tests. Then remember that the IP hiding is one layer of privacy, not the whole stack.
Frequently asked questions
Does a VPN encrypt all my internet traffic?
Yes, all traffic that flows through the tunnel is encrypted, which on a properly configured client means everything your device sends and receives. Exceptions: traffic to local network devices (printers, NAS) typically bypasses the tunnel, and apps with hardcoded bypass rules can route around it. WebRTC and DNS can also leak outside the tunnel without a kill switch and DNS handling configured correctly.
Can a VPN provider see what websites I visit?
Yes. They are the exit point of your encrypted tunnel, so they see every destination IP, the DNS queries you send to their resolver, and the hostnames in TLS SNI. They cannot read HTTPS content, which is most modern web traffic. Whether they record those destinations depends on their logging policy. This is why provider choice (audited no-logs, paid model, friendly jurisdiction) matters more than which protocol you pick.
Is WireGuard really faster than OpenVPN?
In nearly all benchmarks, yes. WireGuard's smaller codebase, modern cryptography, and kernel integration on Linux give it a real speed advantage, typically 20 to 50% faster than OpenVPN on the same hardware. The gap narrows where WireGuard runs in userspace (macOS, and Windows clients that predate the WireGuardNT kernel driver), but WireGuard still wins on connection setup time and CPU efficiency, which matters on phones.
Why do some sites still block me when I use a VPN?
Streaming services, banks, and some news sites maintain lists of known VPN exit IPs and block them. Cloudflare and similar networks flag VPN traffic as 'risky' and serve CAPTCHAs. This is independent of how good your VPN is: it is a signal-based decision by the destination, not a flaw in the tunnel. Switching server or provider can help; some servers are flagged, others are not.