VPN tunnel

You probably know by now that VPNs (Virtual Private Networks) are essential to staying safe on the web. However, how they work and what they do exactly can still seem a little murky to the average person. Today we’ll dive deeper into how they operate and explore VPN tunnels. What they are, how they work, and the different types you may encounter.

Table of contents

    What is a VPN tunnel?

    When you connect to the internet using a VPN, you establish a safe link for information to travel between your device and the World Wide Web. This link is called a VPN tunnel – it encrypts and encapsulates every piece of your data, making it indecipherable to anyone who doesn’t have a specific decryption key.

    It’s almost like using a personal courier instead of the public mailing services, except that this courier translates and delivers every letter to you in a language only you understand. So even if someone steals or tries to read your mail – you have nothing to worry about!

    Well, almost nothing. How secure your information really is, depends on the encryption protocol your VPN uses, i.e., the language your courier used to translate those letters. 

    There are different protocols with varying use cases and security levels – all of which we will explore below. But first, let’s take a closer look at the entire process and how you can establish a VPN tunnel for yourself.

    How does a VPN tunnel work?

    How does a VPN tunnel work?

    When you click links or download files on any website, you’re sending information requests to get information in return. When unprotected, these data requests travel from your device to your internet service provider (ISP) before going into the web and bringing back what you asked for.

    This way, your ISP, the website, and anyone potentially snooping on your connection, can see and identify different parts of your information flow and later use or sell that data for additional gain.

    To prevent this, a VPN establishes a secure connection through a VPN tunnel with one of its servers:

    • Step 1: You send a request to establish a VPN tunnel through your VPN client to one of its servers;
    • Step 2: Phase 1 is a negotiation stage between your device and the VPN server, where they identify each other and verify what security measures to establish;
    • Step 3: Phase 2 adds a VPN tunnel that will transport your data;
    • Step 4: Through the established tunnel, encrypted data travels to and from the internet that even your ISP can’t see;
    • Step 5: After a set amount of time or information passes, the tunnel expires and is automatically terminated. If you still need to maintain a connection, a new process will begin from Step 1.

    While the process may seem somewhat complicated, it usually doesn’t take long to make your internet connection safer. The question, then, is just how safe the VPN tunnel actually is. And the answer – depends on what tunneling protocol you’re using.

    VPN protocols

    While all VPN protocols aim to ensure safe data transport between different networks, not all of them were created equal – internet protocol security depends on the strength of the VPN protocol it uses.

    The truth is, there aren’t that many good VPN protocols we widely use today, but here are the main ones you will likely encounter.


    Can bypass firewalls
    Never been audited
    Compatible with high-end encryption algorithms
    Hard to set up on any other OS than Windows
    Decent negotiation and traffic checking
    Requires excess bandwidth
    Easy to set up on Windows
    Code is unavailable for the VPN developers, causing potential privacy and security issues

    Recommendation: Decent in theory, but not otherwise recommended.

    Secure Socket Tunneling Protocol (SSTP) is a VPN tunnel created to transport information directly between two routers without any host or other networking. SSTP uses a Secure Sockets Layer (SSL) channel, which provides decent negotiation, encryption, and traffic checking. It is a very safe protocol and doesn’t use fixed ports, making it easy for SSTP to bypass firewalls.

    The downside of SSTP is that although it can be configured to work on Linux, BSD, and Mac OS, it was created for Windows. It was also never audited as the code is not openly available, resulting in development problems for the VPN providers. In terms of speed, SSTP is not the best either, as it can suffer from severe performance issues unless it has sufficient excess bandwidth to work with.


    Really fast
    Incompatible with good encryption
    Easy to set up
    Easily exploitable
    Outdated and forgotten

    Recommendation: Not recommended.

    The protocol is often rendered obsolete. PPTP (Point-to-Point Tunneling Protocol) has abysmal security due to the absence of proper encryption methods, as multiple government agencies and authorities like the NSA cracked the protocol with relative ease.

    But PPTP’s simplicity remains its saving grace as it still has situational use cases. To this day, PPTP is unmatched in terms of pure connection speed and ease of setting up. The tunneling protocol is still very useful for audio or video streaming or devices with slow and outdated processors.

    That being said, PPTP is not recommended unless a secure connection is unnecessary in a particular case.


    Better security than PPTP but still severely lacking
    Relatively fast
    Does not encrypt by itself
    Bad against firewalls
    Weak authentication and integrity

    Recommendation: Not recommended.

    As PPTP’s successor, the Layer 2 Tunneling Protocol (L2TP) looked to improve where its predecessor lacked. L2TP is used with the Internet Protocol Security suite (IPsec), resulting in two layers of encapsulation and encryption. Internet Service Providers (ISPs) often use it to deliver parts of their services.

    L2TP is also compatible with the AES 256-bit, an industry-leading security algorithm for data encryption. The layered approach to security makes L2TP relatively safe, but it still pales against the authentication and verification processes of IKEv2, OpenVPN, and Wireguard.

    However, as a tunneling protocol with better security than its predecessor, it lacks speed and flexibility. Because of its dual encryption process, data communication becomes much slower in return. L2TP also uses fixed ports and, more often than not, struggles to bypass firewalls, meaning websites with better infrastructure can easily block this protocol’s users.


    Good for bypassing censorship
    Only good for bypassing censorship
    Open-source and under constant development
    Will only encrypt and hide your browser traffic
    Nearly impossible to detect
    Relatively fast

    Recommendation: Recommended for bypassing censorships.

    Shadowsocks is an open-source VPN encryption protocol developed to bypass internet censorship restrictions. While not a proxy, Shadowsocks can divert internet traffic towards the user’s device using a third-party socks5 proxy and a different language.

    Initially, it was the best way to overcome the Great Chinese Firewall. However, its implementation is lacking and doesn’t play very nicely with the VPN service provider model.  


    VPN Tunnel
    Robust security
    Average speed
    Good authentication and verification methodology
    Hard to set up manually
    High-end encryption

    Recommendation: Highly recommended in most situations.

    OpenVPN is an open-source multi-function VPN system for point-to-point or site-to-site connections for both client and server applications. OpenVPN also allows the involved peers to authenticate each other with pre-shared secret keys (PSK), credentials, and certificates, resulting in a very safe and smooth two-way confirmation process.

    OpenVPN is one of the safest and most widely available VPN options because it can be implemented as a protocol. It uses the AES 256-bit encryption algorithm and is easily accessible on multiple platforms like Windows, Mac, Android, and iOS.

    Since it is open-sourced, OpenVPN’s code has been examined through and through by cybersecurity experts and gurus. The only real downsides to OpenVPN are its average speed and difficulty to set up manually without third-party software.


    Robust security
    Speed depends on the device-server distance
    Fast speeds
    High-end encryption
    Good authentication and verification methodology

    Recommendation: Highly recommended, especially for mobile.

    Internet Key Exchange version 2 (IKEv2) is a  protocol popular among mobile users due to its speed and security. It is set up with the IPsec suite to establish security associations (SA) between peers, similar to OpenVPN’s pre-shared certificates.

    IKEv2 is compatible with most high-end ciphers, including the AES 256-bit, and its connection is relatively simple to set up. IKEv2’s biggest strength lies in its exceptional speed when connecting to physically nearby servers.


    Robust security
    Still relatively new
    Only 4,000 lines of code
    High-end encryption
    Exceptional speed
    Stable connectivity and fast reconnection
    User friendly

    Recommendation: Highly recommended.

    As the newest VPN communication protocol/software application in town, WireGuard® aims for better power use and performance than IPsec and OpenVPN while maintaining the same level of security. WireGuard* creates reliable point-to-point connections but only uses 4,000 lines of code in contrast to OpenVPN and IPsec’s 400,000 and 600,000 lines, respectively.

    In turn, this allows for easier security audits while reducing the probability of disconnection and improving reconnection speeds if it happens. This difference is significant for anyone using VPN tunnels, primarily for security purposes.

    WireGuard is free, open-sourced, and, compared to OpenVPN, it comes as an easy-to-install application. It is also available as a separate protocol, allowing VPN providers to implement WireGuard in their services.

    *WireGuard is a registered trademark of Jason A. Donenfeld.

    As you can see, some VPN tunneling protocols have a more specific purpose in mind, while others are simply outdated and easily exploitable. Choose wisely! And, speaking of choices, there is another tunneling option we’d like to cover before we conclude – split tunneling. 

    What is a split tunnel VPN?

    Split tunnel VPN (Bypasser on Surfshark) is a feature that allows you to choose what communication goes through a VPN tunnel. This is great if you only want to protect one app. Or protect everything but. For example, you can set it up so that everything except your bank app runs through a VPN. That way, everything is protected, and your bank will not block any transactions from another country. 

    VPN split tunneling pros and cons

    Secure private information
    Not everything is protected
    There’s always data that needs encrypting. If you want to turn the VPN off for any reason, split tunneling allows you to do that without compromising the most sensitive files.
    Perhaps the only con of split tunneling is the very thing it was created for. If you decide to exclude some apps, you are exposing them to threats as they do not benefit from encryption.
    Use different IP addresses
    Sometimes changing your IP address isn’t ideal. If you’re banking or streaming, you may want to use your real IP address to avoid violating any terms of service. That’s where split tunneling is your best friend.
    Access home devices
    Most wireless home devices work by connecting to the same network as your main device. This can be a problem as VPNs make it appear the device is using a different network. With split tunneling, you can use wireless devices without turning your VPN on and off.
    Exclude data-heavy apps
    Encryption can slow your device down. Usually, the drop isn’t so significant that you would notice it. Still, when using data-heavy apps, this can be really annoying. Split tunneling will allow you to exclude them, save your speed, and protect everything else.

    To conclude: using different VPN protocols

    With all the different VPN tunneling protocols available, choosing one may seem daunting. However, their differences are usually more tech-savvy and generally insignificant if all you want is to avoid data logging and stream some Netflix.

    While browsing the internet on your desktop device or laptop, WireGuard and OpenVPN protocols are generally good choices regarding speed and security. Depending on your VPN server location and availability, IKEv2 may be better if you’re connected through mobile.

    Overall, most VPN providers offer one or two of these, depending on the situation. Surfshark, for example, provides all three VPN tunnel protocols (as per our user’s requests.) However, you don’t have to pick them or do anything manually if you don’t want to – Surfshark comes pre-configured to the best of your needs!

    Switching protocols was never this easy!

    30-day money-back guarantee

    Get Surfshark


    What is a full tunnel VPN?

    It’s a VPN that covers everything on your device. It’s the one you’re most likely using. Turn it on, and everything on the device is protected – no extra steps. 

    What is the best VPN tunnel?

    When we talk about the best VPN tunnel, we mean the tunnel protocol. And the best protocol is WireGuard. Now, that doesn’t mean every other protocol is lesser. Or that they won’t work better for you. Since protocols depend a lot on the network, the best protocol for you might be a different one. 

    How to use split tunneling?

    Surfshark makes it easy for you with Bypasser. Turn on the feature in your app settings, select the app or website you want to exclude (or vice versa), and you’re done.