What is VPN encryption and how does it work?

VPN encryption (Virtual Private Network encryption) is extreme math nerd stuff that VPN protocols use to encrypt your data. And by “encrypt” we mean “turn it into gibberish nobody who intercepts the data can read.” Of course, the explanation is more technical than that, but I wrote this article to be as simple as possible to understand, so read on. 

    Encryption, simplified

    Encryption dates back to ancient times (Julius Caesar knew something about it) and appears as breakfast cereal toys that not even millennials remember seeing. Simply put, encryption is the science of turning normal text into a ciphertext nobody can read. 

    Well, nobody without the encryption key, that is. A person (or a device) who knows the exact procedure used in encrypting the text can do it in reverse, decrypting it. 

    For example, a simple ROT13 cipher just replaces each letter with the one 13 places further along in the alphabet (wrapping around from Z back to A). If you know that a page full of gibberish you’re holding is a ciphertext encrypted with a ROT13 cipher, you can decrypt it by doing the necessary letter shifting. In this case, the encryption key would be “shift the letter 13 spaces in the alphabet.”

    Of course, we have computers these days – and computers are very good at brute-forcing ciphertext, cracking ROT13 in no time. That’s why leading encryption protocols use the AES-256 algorithm (more on it later!). But before we tackle that, we need to talk about the types of encryption.
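
    As an added illustration (my own code, not part of the original article), here is a small Go program that implements the Caesar shift behind ROT13 and then does what a computer does to it: tries all 26 possible keys and keeps the most English-looking result. The sample message, the crude letter-frequency scorer and the function names are my own constructions.

```go
package main

import (
	"fmt"
	"strings"
)

// caesar shifts each ASCII letter k places (mod 26), leaving other characters
// alone. ROT13 is caesar(text, 13), and the same key undoes it: symmetric.
func caesar(text string, k int) string {
	k = ((k % 26) + 26) % 26 // accept negative shifts for decryption
	var b strings.Builder
	for _, r := range text {
		switch {
		case r >= 'a' && r <= 'z':
			r = 'a' + (r-'a'+rune(k))%26
		case r >= 'A' && r <= 'Z':
			r = 'A' + (r-'A'+rune(k))%26
		}
		b.WriteRune(r)
	}
	return b.String()
}

// englishScore counts common English letters; crude, but enough to rank 26 guesses.
func englishScore(s string) (n int) {
	for _, r := range strings.ToLower(s) {
		if strings.ContainsRune("etaoinshr", r) {
			n++
		}
	}
	return n
}

// crack tries all 26 keys, the entire key space, and keeps the most English-looking
// result. The same loop over AES-256's 2^256 keys is the "billions of years".
func crack(ciphertext string) (key int, plaintext string) {
	best := -1
	for k := 0; k < 26; k++ {
		if cand := caesar(ciphertext, -k); englishScore(cand) > best {
			best, key, plaintext = englishScore(cand), k, cand
		}
	}
	return key, plaintext
}

func main() {
	ct := caesar("Meet me at the Berlin airport with the suitcase", 13) // constructed sample
	k, pt := crack(ct)
	fmt.Printf("%s\nkey=%d plaintext=%s\n", ct, k, pt)
}
```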

    What types of encryption exist?

    When it comes to sorting encryption methods, the most basic distinction is how the encryption key is handled. This gives us symmetric key encryption and asymmetric key encryption. 

    Symmetric key encryption

    Symmetric encryption is easy to explain. If Person A and Person B communicate via symmetric encryption, they use the same encryption key. ROT13 is an example of symmetric key encryption. 

    The approach is simple, and while the key can be as complex as you want, that complexity isn’t what matters here. The important thing is that both parties have the same key. But therein lies the problem: how does Person A safely transfer the key to Person B?

    It’s fairly easy for, say, old-timey intelligence agencies: 

    1. Put the keys on a cipher pad;
    2. Chuck it into a suitcase;
    3. Lock it;
    4. Attach the suitcase to the wrist of a serious man via handcuffs;
    5. Put him on the next plane to Berlin. 

    But what if you’re a VPN user who needs to make an encrypted connection to a VPN server? Here, asymmetric encryption can help.

    Asymmetric encryption 

    Asymmetric encryption uses a lot of complicated math to create a pair of keys: a public key that can encrypt a message but not decrypt it, and a private key that can decrypt anything encrypted with the public key. 

    So Person A can take their public key and send it to Person B via any available unsecured channel. Person B then uses it to encrypt the message, which Person A can decrypt with their private key. Good job, double-oh-seven!

    These days, encryption protocols use both methods: they establish communication via asymmetric encryption and then use it to safely exchange the keys used for symmetric encryption. That symmetric part is where AES-256 does its magic – let’s talk about it now. 

    All you need to know about AES-256

    AES-256 (Advanced Encryption Standard with a 256-bit key) is a widely used standard because there is no known way to decrypt a message encrypted with it, without the key, within a lifetime. It is trusted by the likes of NordVPN and Surfshark, as well as a majority of other big names in the VPN industry.

    As a block cipher, AES splits the data into fixed-size blocks and encrypts each one with the key. The keys come in different sizes – 128, 192, and 256 bits – while the block size stays the same. So the “256” in AES-256 refers to the length of the key, not the blocks.

    The longer the encryption key, the longer it takes to crack it. And the longer it takes to crack, the more robust the encryption is. Even for the fastest computer on Earth, it would take billions of years to brute-force AES-256.

    Finally, AES-256 is both secure and much faster than, for instance, DES (Data Encryption Standard), which AES superseded in 2002. 

    What does encryption do in a VPN? 

    Encryption is what puts the “private” in Virtual Private Network. Allow me to demonstrate with an example of what happens when you try to use a VPN to access a geo-blocked website.

    1. You send the request (by going to the website) to your VPN client (app, browser extension, etc.);
    2. The VPN client receives your request and establishes an encrypted VPN tunnel to the VPN server, which it uses to send the encrypted data;
    3. The server decrypts the data and forwards your request to the internet (in this case, the website you’re trying to access);
    4. The website accepts the request and sends its response back to the VPN server;
    5. The server then encrypts the response and sends it to the VPN client;
    6. Finally, your VPN client decrypts the response and hands it back to you.

    It’s a complicated process, but with the processing power of today’s devices, it happens in moments. Now, let’s explain just the encryption part of the protocol. 

    How does VPN encryption work? 

    Computer nerds much smarter than I have developed ways to create secure channels over the insecure internet. For example, how does one exchange keys over an open connection, so that the VPN server knows how to decrypt your stuff, without losing them to hackers? 

    Step 1. Asymmetric key exchange

    First of all, you do a handshake (it’s an automatic communication between a VPN client and a VPN server) using the asymmetric key exchange. This uses some fairly complicated math to create two encryption keys: public and private. The public one can only encrypt data, not decrypt it, so it’s sent to the other party. They then use your supplied public key to encrypt data in a way only you can decrypt. Thus, secure communication is established over an open channel.

    Step 2. Symmetric key exchange

    Then, you do a symmetric key exchange, which creates a new key that the encryption algorithm will use to transfer the actual data. At this point, you will have achieved perfect forward secrecy. That means that even if your encrypted channel from the previous step was compromised, the symmetric key exchange makes sure your data stays secure. If somebody wanted to see it, they’d have to decrypt each session separately.

    Step 3. Encryption algorithm

    The encryption algorithm uses the symmetric key derived before. AES-256, which we covered earlier (here in its GCM mode, AES-256-GCM), is one of them. You now encrypt all your data with it.

    Step 4. Integrity algorithms

    Integrity algorithms are used to check whether anyone messed with the data in transit. Simply put, you run the information you’re sending through a mathematical hash function, keyed with the key you share with the other side. The receiving party recomputes the same hash and compares it with the one you sent. If they match, the information hasn’t been interfered with.
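
    To make the four steps concrete, here is an added Go example (my own code, not code from any VPN protocol or from Surfshark): two sides exchange only X25519 public keys, each derives the same AES-256 session key, and then AES-256-GCM encrypts the data while its authentication tag doubles as the integrity check, so a single bit flipped in transit is rejected. The SHA-256 key derivation, the `must` helper and the sample request text are simplifying assumptions of mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Steps 1-2 (toy model, not a real VPN handshake): your private key plus the
// peer's public key gives a shared secret; SHA-256 of it stands in for a KDF.
func sessionKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	k := sha256.Sum256(must(own.ECDH(peer)))
	return k[:] // 32 bytes selects AES-256
}

// Steps 3-4: AES-256-GCM; the 16-byte tag GCM appends is the integrity check.
func seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
}

// open verifies the tag before releasing plaintext: one flipped bit is rejected.
func open(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("message too short")
}

func main() {
	client, server := must(ecdh.X25519().GenerateKey(rand.Reader)), must(ecdh.X25519().GenerateKey(rand.Reader))
	ck, sk := sessionKey(client, server.PublicKey()), sessionKey(server, client.PublicKey())
	msg := seal(ck, []byte("GET /video HTTP/1.1")) // constructed sample request
	pt, err := open(sk, msg)                          // server derived sk on its own
	msg[len(msg)-1] ^= 1                              // flip one bit in transit
	_, tampered := open(sk, msg)
	fmt.Printf("%q err=%v; tampered err=%v\n", pt, err, tampered)
}
```

    Only the two public keys ever cross the channel, yet both `sessionKey` calls return identical 32-byte keys, and the tampered copy fails authentication instead of decrypting to garbage.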

    And that’s it! All of this might sound complex, but it doesn’t require your interaction at all. You pressed the “Connect” button, and the VPN client does the rest.

    What do VPN protocols have to do with encryption?

    A VPN protocol is a set of procedures that outlines all the steps taken to create and maintain a VPN connection – this includes encryption. However, there are a bunch of VPN protocols around, and not all of them are as safe as you’d want them to be, mainly due to the obsolete encryption they use. 

    Currently, AES-256 (or an equally strong modern cipher such as ChaCha20) is employed by every reputable VPN protocol under the sun. One of the main reasons you should never, ever use PPTP is that it uses 128-bit encryption. 

    Protocol     | Encryption | Use
    -------------|------------|-----------------------------------------------------------------------------
    OpenVPN      | AES-256    | Everyday use; putting a VPN on routers
    IKEv2/IPsec  | AES-256    | Mobile devices, short-range connections, everyday use
    WireGuard    | ChaCha20   | Hottest new thing for everyday use
    SoftEther    | AES-256    | Everyday use
    PPTP         | 128-bit    | Actually a tunneling protocol; no reason to use it outside ancient technology
    SSTP         | AES-256    | A Microsoft tunneling protocol; for connecting Windows devices
    L2TP/IPsec   | AES-256    | No reason to use, as IKEv2 is better in every way

    Surfshark VPN uses IKEv2/IPsec, OpenVPN, and WireGuard with the AES-256-GCM algorithm (AES-256 in GCM mode), which is faster than plain AES-256. 

    How to check if your VPN is encrypted

    You can test VPN encryption with Glasswire or Wireshark. Both of these tools are free to download and use.

    Wireshark is more precise in testing VPN encryption because it checks individual data packets that are going in or out of your device. However, unless you’re very suspicious of the VPN you’re using, Glasswire should be enough.

    Test VPN encryption with Glasswire

    1. Download Glasswire and follow the installation process;
    2. Run the program;
    3. Connect to a VPN of your choice;
    4. Do something that generates traffic on the internet (watch a video or download a file);
    5. Select Usage;
    6. Go to the Apps menu on the left;
    7. Search for the VPN type you’re using (e.g., if you’re connected to OpenVPN, find OpenVPN Daemon) and click on it;
    8. Verify the traffic type.

    Now you can inspect if the VPN is routing traffic securely.

    Test VPN encryption with Wireshark

    1. Download Wireshark and follow the installation process;
    2. Run the program;
    3. Choose the network to capture: Wired (Ethernet) or wireless (Wi-Fi) and click on it;
    4. Click on packets of data and inspect them.

    If the packet payloads look like unreadable gibberish and nothing is written in plain text, your VPN traffic is encrypted.

    An example of encrypted data:

    The takeaway: Get a VPN with strong encryption

    VPN encryption is a complex and technical subject. However, I hope you found my explanations, metaphors, and simplifications easy to follow. If I did my job well enough, you now know a lot more about the exciting world of VPNs. What can you do with this information? Well, get a VPN with a trustworthy encryption implementation to boost your privacy and security online, including when streaming your favorite content. May I suggest Surfshark?


    FAQ

    Are all VPNs encrypted?

    All VPNs should be encrypted – otherwise, they wouldn’t be private. On the other hand, free VPNs are shady and can skip out on encryption. 

    Is VPN encryption end-to-end?

    No, the traffic is only encrypted between you and the VPN server. If the VPN server didn’t decrypt the data before forwarding it, the recipient wouldn’t be able to read it. 

    Does a VPN encrypt all of your data?

    Yes, if a VPN is running, it will encrypt any data you send over the internet. 

    What is the best VPN encryption?

    The best VPN encryption currently is AES-256. So for a VPN, you want WireGuard or other protocols that the provider has configured to work with it.