What is VPN encryption and how does it work?

When talk turns to VPNs (virtual private networks), a mention of encryption is not far behind. However, as a right-thinking person with things to do, you might not understand what that means. Never fear! This blog article will give you everything you need to know about encryption.

What is VPN encryption?

VPN encryption is a process that makes the data going between your device and the VPN server unreadable to anyone else. It does so by using sophisticated math to turn information into ciphertext

Encryption, simplified 

Dating back to ancient times (Julius Caesar knew something about it) and appearing as breakfast cereal toys that not even millennials remember seeing, encryption is the science of turning normal text into a ciphertext nobody can read. 

Well, nobody without the encryption code, that is. A person (or a device) who knows the exact procedure used in encrypting the text can do it in reverse, decrypting it. 

For example, a simple ROT13 cipher just replaces a letter with one that’s 13 letters behind it in the alphabet. If you know that a page full of gibberish you’re holding is a ciphertext encrypted with a ROT13 cipher, you can decrypt by doing the necessary letter shifting.

How VPN encryption works?

Of course, computers are a lot more sophisticated than that, cracking ROT13 easier-than-effortlessly. That’s why leading encryption protocols use AES-256 algorithms

All you need to know about AES-256

AES-256 encryption is a widely declared standard because there are no known ways to decrypt a message encoded with it in a lifetime. 

As a block cipher, AES applies different cryptographic keys to a block of data. The keys come in different sizes – 128, 192, and 256 bits, while the blocks are also measured in bits. Hence AES-256 produces 256 blocks of ciphertext from 256 blocks of plaintext.

The longer the key length, the longer it takes to crack it. As a result, the more robust the encryption is.

Even for the fastest computer on Earth, it would take billions of years to brute force AES-256.

Finally, AES-256 is secure and much faster than, for instance, DES, or Data Encryption Standard, which AES superseded in 2002. 

Wait, how does this encryption thing play into VPNs?

Encryption is what puts “private” in VPN. Allow me to demonstrate with an example of what happens when you try to use a VPN to access a geo-blocked website.

  1. You send the request (by going to the website) to your VPN client (app, browser extension, etc.).
  2. The VPN client receives your requests and establishes an encrypted tunnel to the VPN server, which it uses to send encrypted data.
  3. As the server forwards your request to the internet (the website you’re trying to access in this case), the data is decrypted.
  4. The website accepts the request and sends it back to the server.
  5. The server then encrypts the data again and sends it to the VPN client.
  6. Finally, your VPN client decrypts the data and sends it back to you.

It’s a complicated process, but with the processing power of today’s devices, it happens in moments.

Now, if you read the above process carefully, you may have noticed that we didn’t explain how the encryption itself happens. 

How does VPN encryption work? 

Computer nerds much smarter than I have developed ways to create secure channels over the insecure internet. For example, how does one exchange ciphers so that the VPN server knows how to decrypt your stuff over an open connection without losing it to hackers? 

Step 1. Asymmetric key exchange
Step 2: Symmetric key exchange
First of all, you do a handshake (it’s an automatic communication between a VPN client and a VPN server) using the asymmetric key exchange. This uses some fairly complicated math to create two encryption keys: public and private. The public one can only encrypt data, not decrypt it, so it’s sent to the other party. They then use your supplied public key to encrypt data in a way only you can decrypt it. Thus a secure communication is established over an open channel.
Then, you do a symmetric key exchange, which creates a new key that the encryption algorithm will use to transfer the actual data. At this point, you will have achieved perfect forward secrecy. That means if your encrypted channel from the previous step was compromised, the symmetric key exchange makes sure your data stays secure. If somebody wanted to see it, they’d have to decrypt each session separately.
Step 3. Encryption algorithm
Step 4. Integrity algorithms
The encryption algorithm uses the symmetric key derived before. AES-256-GCM, which we mentioned earlier, is one of them. You now encrypt all your data with it.
To ensure that the communicating parties can determine whether the data had been tampered with, integrity algorithms are utilized. Simply put, you use a mathematical hash function to scramble a part of the information that you’re sending. The receiving party can now check both this function and your private key. If we have a match, that means the information hasn’t been interfered with.

And that’s it! All of this might sound complex, but it doesn’t require your interaction at all. You pressed the “Connect” button, and the app put those VPN clients to work.

What do VPN protocols have to do with encryption?

A VPN protocol is a set of procedures that determine all the steps taken to carry out the VPN work – this includes encryption. However, there’s a bunch of VPN protocols around, and not all of them are as safe as you’d want them to be, mainly due to the obsolete encryption they use. 

Currently, AES-256 is employed by every reputable VPN protocol under the sun. One of the main reasons you should never, ever use PPTP is that it uses 128-bit encryption. 

Protocol
Encryption
Use
OpenVPN
AES-256
Everyday use; putting a VPN on routers
IKEv2/IPSec
AES-256
Mobile devices, short-range connections, everyday use
WireGuard
AES-256
Hottest new thing for everyday use
SoftEther
AES-256
Everyday use
PPTP
128-bit
Actually a tunneling protocol; no reason to use it outside ancient technology
SSTP
AES-256
A Microsoft tunneling protocol; for connecting Windows devices
L2TP/IPsec
AES-256
No reason to use as IKEv2 is better in every way

Surfshark VPN uses IKEv2/IPsec, OpenVPN, and WireGuard with the AES-256-GCM algorithm, which is faster than just AES-256. 

How to check if your VPN is encrypted

You can test VPN encryption with Glasswire or Wireshark. Both of these tools are free to download and use.

Wireshark is more precise in testing VPN encryption because it checks individual data packets that are going in or out of your device. However, unless you’re very suspicious of the VPN you’re using, Glasswire should be enough.

Test VPN encryption with Glasswire

  1. Download Glasswire and follow the installation process
  2. Run the program
  3. Connect to a VPN of your choice
  4. Do something that generates traffic
  5. on the internet (watch a video or download a file)
  6. Select Usage
  7. Go to the Apps menu on the left
  8. Search for the VPN type you’re using (e.g., if you’re connected to OpenVPN, find OpenVPN Daemon) and click on it
  9. Verify the traffic type

Now you can inspect if the VPN is routing traffic securely.

Test VPN encryption with Wireshark

  1. Download Wireshark and follow the installation process
  2. Run the program
  3. Choose the network to capture: Wired (Ethernet) or wireless (Wi-Fi) and click on it
  4. Click on packets of data and inspect them

If the packets appear unreadable/gibberish and there’s nothing written in plain text, then it means your VPN is encrypted.

An example of encrypted data:

Answering the last questions

Are all VPNs encrypted?

They may say they are, but free VPNs might not be.

Is VPN encryption end-to-end?

No, the traffic is only encrypted between you and the VPN server.

Does a VPN encrypt all of your data?

Yes.

Get a VPN with strong encryption

So now you know a lot more about the exciting world of encryption. What can you do with this information? Why, get a VPN with trustworthy encryption implementation to boost your privacy online and security when streaming your favorite content online. May we suggest Surfshark?

Experience the power of AES-256-GCM encryption

Get Surfshark