What is a VPN tunnel?

When you connect to the internet using a virtual private network (VPN), you establish a safe link for information to travel between your device and the World Wide Web. This link is called a VPN tunnel because it encrypts and encapsulates every piece of your data, making it indecipherable to anyone who doesn’t have a specific decryption key.

It’s almost like using a personal courier instead of public mailing services, except that this courier translates and delivers every letter to you in a language only you can understand. So even if someone steals or tries to read your mail – you have nothing to worry about!

Well, almost nothing. How secure your information is really depends on the encryption protocol your VPN uses, i.e., the language your courier used to translate those letters. 

There are different protocols with varying use cases and security levels – all of which we will explore below. But first, let’s delve a little deeper into the entire process and how you can establish a VPN tunnel for yourself.

How does a VPN tunnel work?

What is a VPN tunnel

When you click links or download files on any website, you’re basically sending information requests to get information in return. When unprotected, these data requests travel from your device to your internet service provider (ISP) before going into the Web and bringing back what you asked for.

This way, your ISP, the website, and anyone potentially snooping on your connection, can see and identify different parts of your information flow and later use or sell that data for additional gain.

To prevent this, a VPN establishes a secure connection through a VPN tunnel with one of its servers:

  • Step 1: You send a request to establish a VPN tunnel through your VPN client to one of its servers.
  • Step 2: Phase 1 is a negotiation stage between your device and the VPN server where they identify each other and verify what security measures to establish.
  • Step 3: Phase 2 adds a VPN tunnel that will actually be used to transport your data.
  • Step 4: Using the established tunnel, encrypted data travels to and from the internet that even your ISP can’t see it.
  • Step 5: After a set amount of time or information passes, the tunnel expires and is automatically terminated. If you still need to maintain a connection at this point, a new process will begin starting at Step 1.

While the process may seem rather complicated, it usually doesn’t take long to make your connection safer to the internet. The question then is just how safe the VPN tunnel actually is? The answer – it really depends on what tunneling protocol you’re using.

VPN protocols

While all VPN protocols aim to ensure the safe transport of data between different networks, not all of them were created equal. How secure your VPN tunnel is, depends on the strength of the VPN protocol it is using.

Truth is, there are very few good VPN protocols that are widely used today. However, while some were made with a more specific purpose in mind, many are simply outdated and easily exploitable. Here’s a list of some of the VPN protocols you are likely to encounter.


SSTP protocol
  • Can bypass firewalls
  • Compatible with high-end encryption algorithms
  • Decent negotiation and traffic checking
  • Easy to set up on Windows
  • Never been audited
  • Hard to set up on other OS than Windows
  • Requires excess bandwidth
  • Code is unavailable for VPN developers, causing potential privacy and security issues

Recommendation: Decent in theory, but not otherwise recommended.

The downside of SSTP is that it was created for Windows and can be otherwise configured to work on Linux, BSD and Mac OS. It was also never audited as the code is not openly available, resulting in development problems for VPN providers. In terms of speed, SSTP is not the best either as it can suffer from severe performance issues unless it has sufficient excess bandwidth to work with.Secure Socket Tunneling Protocol (SSTP) is a VPN tunnel created to transport information directly between two routers without any host or other networking in between. SSTP uses a Secure Sockets Layer (SSL) channel, which provides decent negotiation, encryption and traffic checking. It is a very safe protocol and it doesn’t use any fixed ports, making it easy for SSTP to bypass firewalls.


PPTP protocol
  • Really fast
  • Easy to set up
  • Incompatible with good encryption
  • Easily exploitable
  • Outdated and forgotten

Recommendation: Not recommended.

However, the protocol is often rendered obsolete. PPTP has abysmal security due to the absence of proper encryption methods as multiple government agencies and authorities like the NSA were able to crack the protocol with relative ease.

But PPTP’s simplicity also remains its saving grace as it still has situational use cases. To this day, PPTP is unmatched in terms of pure connection speed and ease of setting up. The tunneling protocol is still very useful for audio or video streaming or devices with slow and outdated processors.

That being said, PPTP is not recommended unless a secure connection is unnecessary for a particular case.


L2TP/IPsec protocols
  • Better security than PPTP, but still severely lacking
  • Relatively fast
  • Outdated
  • Does not encrypt by itself
  • Bad against firewalls
  • Weak authentication and integrity

Recommendation: Not recommended.

As PPTP’s successor, Layer 2 Tunneling Protocol (L2TP) looked to improve where its predecessor was lacking. L2TP is used together with the Internet Protocol Security suite (IPsec), which results in two layers of encapsulation and encryption, and is often used by Internet Service Providers (ISPs) to deliver parts of their services.

L2TP is also compatible with the AES 256-bit, an industry-leading security algorithm for data encryption. The layered approach to security makes L2TP relatively safe in theory, but it still pales against authentication and verification processes of IKEv2, OpenVPN and Wireguard. 

However, as a tunneling protocol with better security than its predecessor, it becomes lacking in terms of speed and flexibility. Because of its dual encryption process, data communication becomes much slower in return. L2TP also uses fixed ports and, more often than not, struggles to bypass firewalls, making this protocol’s users easier to be blocked by websites with better infrastructure.


Shadowsocks protocol
  • Good for bypassing censorship
  • Open-source and under constant development
  • Nearly impossible to detect
  • Relatively fast
  • Only good for bypassing censorship
  • Will only encrypt and hide your browser traffic

Recommendation: Recommended for bypassing censorships.

Shadowsocks is an open-source VPN encryption protocol specifically developed to bypass internet censorship restrictions. While not a proxy itself, Shadowsocks can divert internet traffic towards the user’s device using a third party socks5 proxy and a different language.

Initially, it was the best way to overcome the Great Chinese Firewall. However, its implementation is lacking, and it doesn’t play very nicely with the VPN service provider model.  


OpenVPN protocol
  • Very strong security
  • Good authentication and verification methodology
  • High-end encryption
  • Open-source
  • Average speed
  • Hard to set up manually

Recommendation: Highly recommended in most situations.

OpenVPN is an open-source multi-function VPN system for point-to-point or site-to-site connections for both client and server applications. OpenVPN also allows the involved peers to authenticate each other with pre-shared secret keys (PSK), credentials and certificates, resulting in a very safe and smooth two-way confirmation process once established.

OpenVPN is considered one of the safest and widely available  options for VPNs because it can be implemented as a protocol. It uses the AES 256-bit encryption algorithm and is easily accessible on multiple platforms like Windows, Mac, Android and iOS.

Since it is open-sourced, OpenVPN’s code has been examined through and through by cybersecurity experts and gurus who consistently check for any holes in the wall. The only real downsides with OpenVPN is its average speed and difficulty to set up manually without third-party software.


IKEv2 protocol
  • Very strong security
  • Fast speeds
  • High-end encryption
  • Good authentication and verification methodology
  • Speed depends on the device-server distance

Recommendation: Highly recommended, especially for mobile.

Internet Key Exchange version 2 (IKEv2) is a  protocol popular among mobile users due to its speed and security. It is set up together with the IPsec suite to establish security associations (SA) between peers, similar to OpenVPN’s pre-shared certificates.

IKEv2 is compatible with most high-end ciphers, including the AES 256-bit, and its connection is relatively simple to set up. IKEv2’s biggest strength lies in its exceptional speed when connecting to physically nearby servers.


Wireguard protocol
  • Very strong security
  • Only 4,000 lines of code
  • Open-source
  • High-end encryption
  • Exceptional speed
  • Stable connectivity and fast reconnection
  • User friendly
  • Still relatively new

Recommendation: Highly recommended.

As the newest VPN communication protocol/software application in town, WireGuard® aims for better power use and performance than both IPsec and OpenVPN while maintaining the same level of security. WireGuard* creates reliable point-to-point connections but only uses 4,000 lines of code in contrast to OpenVPN’s and IPsec’s 400,000 and 600,000 lines, respectively.

In turn, this allows for easier security audits while reducing the probability of disconnection and improving reconnection speeds if it happens. This difference is significant for anyone using VPN tunnels primarily for security purposes.

WireGuard is free, open-sourced, and compared to OpenVPN, comes as an application that is easy to install. It is also available as a separate protocol, allowing VPN providers to implement WireGuard in their services.

*WireGuard is a registered trademark of Jason A. Donenfeld.

Using different VPN protocols

With all the different protocols available, choosing one may seem like a daunting task. However, their differences are usually more tech-savvy and generally insignificant if all you want is to avoid data logging and stream some Netflix.

While browsing the internet on your desktop device or laptop, WireGuard and OpenVPN protocols are generally good choices regarding speed and security. Depending on your VPN server location and availability, IKEv2 may prove to be a better choice if you’re connected through mobile.

Overall, most VPN providers offer one or two of these depending on the situation. Surfshark, for example, provides all three of these VPN tunnel protocols as per our user’s requests. However, you don’t have to pick them or do anything manually if you don’t want to – Surfshark comes pre-configured to the best of your needs!

Switching protocols was never this easy!

30-day money-back guarantee

Get Surfshark