How Does a VPN Work

Do you know how your everyday tools operate? For example, do you know how a Virtual Private Network works? Well, it’s as good a time as any to find that out. This article should answer all the questions you should have about Virtual Private Networks’ inner workings.

How a VPN Works in Short

When you connect to a VPN, the app establishes connection to a VPN server. In order to keep it private, a VPN uses protocols, which is a vital component to any Virtual Private Network. Once the connection is established, any data you send over the internet is encrypted (hidden) and your IP address is replaced by a VPN’s IP address.


VPNs were developed by businesses to allow remote users to access corporate networks. This usually meant connecting to a company server set up by the IT department and then using it to access, for example, shared spreadsheets. But it works a little bit differently when it comes to private networks you are most likely to use in everyday life.

How Surfshark and Other VPNs work

When you run a VPN app like Surfshark and click “connect,” the app establishes a connection to a VPN server. To keep this connection private, it uses VPN protocols, which contain such vital components like tunneling protocols and encryption.

How Surfshark and Other VPNs work

The VPN app will encrypt any data you send online. Whatever you do – browsing websites, chatting on a messenger app, or uploading cat pictures – all that data will turn into junk that nobody who intercepts it can read. This encrypted data is then transmitted to the VPN server.

The VPN server then decodes the data and forwards it to the destination. This also replaces your device’s IP address – the closest thing to a physical address online – with the server’s. Then the services and websites will think that you’re connecting from the server location. 

However, when the website is sending stuff back to you, it does not come decrypted to a VPN standard by default. Instead, the server now plays the role of a packaging and post forwarding service. The VPN server knows your IP, so it can send the freshly-encrypted data your way.  

Once it reaches your device, the app will decrypt it for you to use. And that’s how you achieve a greater degree of privacy online! Anyone snooping on your traffic only sees that you’re using a VPN (and cool VPNs can obfuscate even that), but not what you’re using it for. 

Yet you’re probably curious about several technical things we mentioned when describing the operations of VPN. Let’s look at them in greater detail.

How VPN Works: VPN and Tunneling Protocols

In the IT jargon, a protocol is a set of rules and procedures that make a process happen. For example, the aforementioned Internet Protocol defines how online devices communicate. And VPN protocols are used to set up private connections using the public internet.

How Surfshark and Other VPNs work

Here’s where things get confusing: a VPN protocol itself contains other protocols. The most important of those deal with tunneling and encryption. And even this is a simplification, as the lines can get very blurry. But let’s take it from the top.

Tunneling protocols work via encapsulation. It’s a method of wrapping data that needs to be transmitted in successive layers of transit information. Or, to put in more real-life terms, it’s wrapping your package several times, and writing all the important information (address, weight, etc.) on top of the packaging. 

This makes it possible to send stuff somewhere without having to read it every time you need to know the way. Thus, tunneling protocols encapsulate your data so that it wouldn’t be easily accessible in transit – just like you wouldn’t want postal workers rooting through your package at every step of the way.

Tunneling protocols are a key part of all VPN protocols. Granted, technology is always evolving, so there are multiple VPN and tunneling protocols in the world. Here are some of the most common: 

PPTP: the Point-to-Point Tunneling Protocol was developed by Microsoft and friends in 1999. It is so out of date, even Wikipedia calls it obsolete. 

L2TP: first proposed in 2005, Layer 2 Tunneling Protocol isn’t the most secure thing out there. It can still be found among the lower tier of VPNs. 

IKEv2: Internet Key Exchange isn’t a tunneling protocol by itself – it’s a protocol for exchanging encryption keys via the already-established IPsec protocol. Thus, it is sometimes referred to as IKEv2/IPsec, but since IPsec isn’t a new thing, it’s usually omitted. IKEv2 came about in 2010 and is a much improved, secure communication protocol than the previous version. Works wonders for mobile users.

OpenVPN: considered the classic among VPNprotocols, it has been in continuous development for 19 years now. As OpenVPN is open source, anyone can check its code for any malicious activities, making it very trustworthy. It is best utilized by desktop users.

Shadowsocks: Shadowsocks is considered weird even by the IT crowd. It’s more of a proxy than tunneling protocol, but it has to be – it was made to overcome the Great Chinese Firewall. As such, it’s best used for that purpose only – for everyday use, other protocols will provide a much smoother experience with no tradeoffs in security. 

Wireguard®: a VPN protocol so new, it’s less “still has that new car smell” and more “I’m just picking it up from the dealership.” It’s main selling point over IPsec and OpenVPN is better performance and lesser power consumption. Surfshark’s developers are very excited to be using it. 

So those are the protocols you’re most likely to meet in the world of VPNs. But tunneling protocols by themselves aren’t enough to protect your data. They don’t always come with encryption that, as you’ve learned, turns data into unreadable garbage. Additional measures are needed. That’s why a VPN protocol mashes tunneling protocols with some top of the line encryption (as well as some other things we’re abstracting away).

How VPN Works: Encryption

VPN Encryption transforms plaintext (normal text that humans can understand) into ciphertext (stuff that looks like junk unless you know the key for decoding it) by using some very smart algorithms to do the heavy lifting. And when encrypting your communications, there’s a lot of heavy lifting to do.

How VPN Works: Encryption

ROT13 is a simple substitution cipher that shifts every letter by 13 places in the alphabet (for example, “Hello” turns into “URYYB”). It’s the baby’s first encryption. 

By conservative estimates, AES-256 blows ROT13 out of the water, through the atmosphere, and leaves it at the bottom of a crater 3 kilometers deep in the Moon’s crust. The easiest thing to explain is that AES encryption using a 256-bit size key transforms the data 14 times before spitting out the result. 

There are other versions of AES – like AES-128, which uses a shorter key. But VPN developers like Surfshark consider its security level too weak. 

AES-256 is impractical, if not impossible, to crack with modern computing. In fact, it’s employed by the US government to encrypt top-secret data. When you’re using Surfshark, it’s used to encrypt your messages to your mom. OpenVPN is one of the many protocols employing this sort of encryption. 

But that’s not all!

There’s more than one way to implement AES-256 encryption. The newest hotness on the block is the AES-256-GCM version. The main upside of the GCM (Galois/Counter Mode) version is that it’s a lot faster as well as being harder to crack. Some slowdown when using VPN is unavoidable as part of the traffic is used to send materials needed for encryption – it’s called the encryption overhead.” The more efficient your encryption is, the lower the overhead, the faster everything works. 

Well, “everything” that’s just software. Remember: a VPN connection relies on a VPN server, and that’s an essential bit of infrastructure. 

But how does a server know how to decrypt the message?


So you know that a VPN client sends an encrypted message for the server to decrypt. But how does the server know how to do it? After all, if you sent the cipher key unencrypted, it could be stolen online!

It’s usually done via public key cryptography. There are several approaches to this (OpenVPN supports 10), but they all involve using super hard math to generate a pair of keys: public and private. The public key is the one that can be exchanged safely as it can only do one thing: encrypt data (via one-way functions and other hard math stuff). When a VPN client connects to a VPN server, they exchange their public keys. 

So when the VPN client encrypts data, it uses the server’s public key. That’s right – nobody uses their own keys to encrypt the data. This coded package is then sent to the server. The data is then deciphered by the server using its private key, which can decrypt things encrypted by their corresponding public key. It works the other way around when the server sends the message to the client. See, it seems so simple if you don’t get into the details or think about it too much!

How VPN Works: Servers

How VPN Works: Servers

The whole internet runs on servers: programs or devices that provide a service to a client (app or device). For VPNs, those are VPN servers! Once your VPN establishes a connection with the server, it:

  • decrypts your data for forwarding to the online destination
  • encrypts incoming data before sending it to you. 

This process involves changing your real IP address – which can be traced back to you – with the server’s. This means that:

  • in the logs of the website you visited, your visit is recorded with the server’s IP
  • when a website or service tries to look up your country, it only sees the server’s location. 

Each VPN provider has many servers scattered around the globe, with each location hosting a few of them. For example, Surfshark has more than 3200 servers in 65 countries around the world. And there are good reasons for these redundancies:

  • An individual server can only handle so much traffic. If a new TV series is premiering on Hulu and a horde of users from around the globe are connecting to the New York server to watch it, the server slows down. Having several servers in a single location spreads the load. 
  • Redundancy is essential when dealing with geo-blocked services.  Quite a few streaming companies like to block known VPN IP addresses. In those cases, having a server to fall back to is always a good option. 
  • It’s also good to have in case they experience technical issues. A server is down due to an electrical outage, rats, or asteroid impact? No problem, just switch to another..

But one of the most important features of the VPN server comes from the company ethos and not technical parameters: logs. Unlike your ISP, who is now deaf and blind due to encrypted tunneling, a VPN server can maintain your browsing sessions’ logs: 

  • IP address
  • Browsing history
  • Used bandwidth
  • Session information
  • Network traffic
  • Connection timestamps

A company has to decide not to store that data. It is tempting – especially to providers of free VPN – as that data can be sold to marketers and advertisers. Since this data getting out into  the world runs counter to the privacy concerns of VPN users, it is a bad thing. To avoid this, you should look out for VPN providers that offer:

  • A strict no-log policy: this means that the provider will not store your sensitive data.
  • Independent audit: talk is cheap, audits aren’t, and they can confirm that the provider is serious about not storing your data.
  • RAM-only servers: random-access memory (RAM) is the most widespread volatile memory (read: needs constant power to maintain) technology. A regular server could be seized and have the data extracted from its hard drives. A RAM-only server will lose any information as soon as the power goes out. 

If you find a VPN provider that offers all those things (like Surfshark does), you’ll have found a good one. But let’s talk about the things that these VPN technologies enable.

How Does VPN Work: What Good Does All This Technology Do

VPN technology was born because businesses needed a way to get branches and remote employees on the same networks. But that’s not why you’re here. You’re looking at VPN as a regular consumer, so here’s what it can do for you:

1. Bypass Geoblocking With VPN Servers

Connecting to the right VPN server will fool the service by using the server’s IP instead of yours. And you need to do that because Netflix libraries are different from country to country. Streaming services like Hulu and BBC iPlayer don’t work outside their parent nation. Even some YouTube videos won’t play where you are.

2. Defeat Censorship by Connecting With VPN

From schools and workplaces that limit your access to Soundcloud to countries like China that ban huge blocks of everyday websites, our internet isn’t as free as you’d think. Good thing a VPN can overcome many of the commonly employed tools of censorship to deliver you the news, videos, or entire websites.

3. Improve Safety on Public Wi-Fi

Whether you’re just going downtown for a coffee or traveling around the globe, you need to be protected on public Wi-Fi. Scammers, hackers, and other shady characters have many ways to steal your data on Wi-Fi. Don’t let them – get a VPN and encrypt your communications.

4. Keep your home safe from hackers 

It is a lot harder for a hacker to get you if a VPN hides your IP as well as encrypting your traffic. If you secure your home network with it, your smart devices – which are often insecure out of the box – are a lot more protected from outside interference.

These four are the just main great points for VPN use – there are many more benefits.

Now that you know how a VPN works and what it does, why not give Surfshark a spin?

Get Surfshark VPN - you already know how it works!

Download Surfshark

“WireGuard” is a registered trademark of Jason A. Donenfeld