
A guide to VPN encryption

Secure your private data by encrypting it

  • AES-256 - VPN encryption adopted by the US government
  • No ways to decrypt a message encoded with AES-256
  • The best VPN protocols - IKEv2, OpenVPN & Shadowsocks

What is VPN encryption?

VPN encryption is a method that uses a generated key to encrypt digital data so that unauthorized parties can’t access it. You can use encryption to protect and secure files on your computer or the data you send and receive. VPN encryption secures the data traveling through the VPN tunnel between a VPN client and a VPN server, barring anyone from exploiting it.
The process of VPN encryption depends on the encryption standard and the VPN software. Trusted VPN service providers rely on AES-256, Advanced Encryption Standard (sometimes also referred to as Rijndael algorithm), to encrypt all the data that goes through the network to and from your device. More about the AES standard later.

Defining encryption with a simple analogy

Let’s use an extremely simplified analogy. Imagine you and three of your friends create a coded language that can be understood only by the four of you. The language might be in the form of signs, images, sounds, numbers, or something completely different. The most important part is that others cannot decode it when they hear you using it. The only way to decode it and turn it into an understandable language is with a specific decryption key that only you and your friends have, and that cannot be stolen from you.

But what if the process of creating a coded language and memorizing it was automated? That’s where encryption comes in. It does the job for you by encrypting the everyday language you speak and turning it into code while it’s traveling to the recipient.

In this analogy, the recipient is your friend that you’re talking to. In a VPN world, the recipient could be – for example – a website you’re trying to access.

Neither you nor the recipient has to understand the encryption code. Why? Because a VPN encrypts the information you put out and then decrypts it as soon as it reaches the recipient.

Why do you need VPN encryption?

Protect sensitive information

The VPN encryption algorithm makes sure your passwords, private messages, bank account details, and work emails are kept under wraps - even when you’re connected to unprotected Wi-Fi networks.

Hide from eavesdropping

As a VPN encrypts your data, ISPs, the government, hackers, and other third-party snoopers cannot eavesdrop on your browsing activity anymore.

How does VPN encryption work?

In its essence, VPN encryption is a cycle of turning the natural language into a code (encrypting data), then turning it back to natural language (decryption). For example, this is what happens when you’re trying to access Netflix:

  1. You send the request (in this case, accessing Netflix) to your VPN client.
  2. The VPN client receives your request and connects to a VPN server by sending the data through the encrypted tunnel.
  3. As the server forwards your request to the internet (Netflix, in this case), the data is decrypted.
  4. Netflix accepts the request and sends it back to the server.
  5. The server then encrypts the data again and sends it to the VPN client.
  6. Finally, your VPN client decrypts the data and sends it back to you.

It’s a lengthy process, but in reality, it all happens in a second. Or even in a fraction of a second, depending on your internet speed.

VPN encryption in a nutshell

VPN encryption is a complex subject. However, it becomes much easier to understand when we look at the key components that make it work. There are four of them.

Asymmetric key exchange

First of all, you do a handshake (it’s an automatic communication between a VPN client and a VPN server) using the asymmetric key exchange. You use RSA (an algorithm used in modern computers to encrypt and decrypt messages) for it and create a secure, encrypted channel with four keys: a public one and a private one for you, and the same for the VPN server. It also makes sure that you’re communicating with the right server.

Symmetric key exchange

Then, you do a symmetric key exchange, which you use to achieve perfect forward secrecy. That means if your encrypted channel from the previous step was compromised, the symmetric key exchange makes sure your data stays secure. If somebody wanted to see it, they’d have to decrypt each session separately. You now create another key that you will use for the encryption algorithm.
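
The first two steps above, sketched as an added example in Go (not Surfshark's code or any real VPN protocol's handshake): the server proves its identity with an RSA signature over a fresh key-exchange value, and every session derives its own key. Assumptions: X25519 Diffie-Hellman stands in for the per-session exchange, SHA-256 for the key derivation, and `NewIdentity` and `Handshake` are hypothetical names.

```go
package main

import (
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewIdentity returns a long-term RSA key pair (constructed for this example).
func NewIdentity() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Handshake sets up one session: the server signs a fresh X25519 public key with
// its RSA identity, the client checks the signature against the key it pinned,
// and only then derives the 32-byte session key. Ephemeral keys die on return.
func Handshake(server *rsa.PrivateKey, pinned *rsa.PublicKey) ([]byte, error) {
	cli, err := ecdh.X25519().GenerateKey(rand.Reader) // client's per-session key
	if err != nil {
		return nil, err
	}
	srv, err := ecdh.X25519().GenerateKey(rand.Reader) // server's per-session key
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(srv.PublicKey().Bytes())
	sig, err := rsa.SignPKCS1v15(rand.Reader, server, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	if err := rsa.VerifyPKCS1v15(pinned, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("server identity check failed: %w", err)
	}
	secret, err := cli.ECDH(srv.PublicKey()) // server computes the same bytes from its side
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret) // simplified KDF (assumption); real protocols use HKDF or a PRF
	return key[:], nil
}

func main() {
	id, _ := NewIdentity()
	k1, _ := Handshake(id, &id.PublicKey)
	k2, _ := Handshake(id, &id.PublicKey)
	fmt.Println("fresh key per session:", string(k1) != string(k2))
}
```

Because the session key depends only on the discarded ephemeral keys, a later leak of the RSA identity key does not reveal keys of past sessions.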

Encryption algorithm

The encryption algorithm uses the symmetric key derived before. One such algorithm is AES-256-GCM. You now encrypt all your data with it.

Integrity algorithms

There are also integrity algorithms. Simply put, you use a mathematical hash function to scramble a part of the information that you’re sending. The receiving party can now check both this function and your private key. If we have a match, that means the information hasn’t been tampered with.
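
An added example in Go (not from the original page or Surfshark's code) of the last two components working together: AES-256-GCM encrypts each packet and attaches an authentication tag, which plays the role of the integrity check here, so a packet altered in transit is rejected on decryption. `Seal` and `Open` are hypothetical helper names, and the key in `main` is a constructed stand-in for the key-exchange output.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM wraps a 32-byte key in AES-256-GCM and refuses shorter AES keys.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail: length checked above
	return cipher.NewGCM(block)
}

// Seal encrypts one packet as nonce || ciphertext || 16-byte tag, with a fresh nonce per packet.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open checks the tag before releasing any plaintext; a modified packet is an error.
func Open(key, packet []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(packet) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("bad key length or truncated packet")
	}
	return gcm.Open(nil, packet[:gcm.NonceSize()], packet[gcm.NonceSize():], nil)
}

func main() {
	key := make([]byte, 32) // constructed session key; normally the key-exchange output
	rand.Read(key)
	pkt, _ := Seal(key, []byte("GET / HTTP/1.1"))
	pkt[len(pkt)-1] ^= 1 // constructed tampering: one bit flipped in transit
	_, err := Open(key, pkt)
	fmt.Println("tampered packet rejected:", err != nil)
}
```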

Surfshark uses top-level encryption

Surfshark VPN relies on AES-256, Advanced Encryption Standard (sometimes also referred to as Rijndael algorithm). AES has been adopted by the U.S. government and is the only publicly accessible cipher approved by the National Security Agency (NSA).

All you need to know about AES-256

AES 256-bit encryption is a widely recognized standard because there are no known ways to decrypt a message encoded with it in a lifetime. AES is a symmetric-key encryption algorithm – the same key is used for both encrypting and decrypting data.

When your plaintext data enters a VPN tunnel, AES encrypts it into ciphertext, which is decrypted again so that the intended recipient can read it.

As a block cipher, AES applies different cryptographic keys to a block of data. The keys come in different sizes – 128, 192, and 256 bits, while the blocks are also measured in bits. Hence AES-256 produces 256 blocks of ciphertext from 256 blocks of plaintext.

The longer the key, the longer it takes to crack it, and so the more robust the encryption is.

Even for the fastest computer on Earth, it would take billions of years to brute force AES-256.

Finally, AES-256 is not only secure, but also much faster than, for instance, DES, or Data Encryption Standard, which was superseded by AES in 2002.

What VPN protocols Surfshark supports & why they are important

VPN protocols are tools that provide end-to-end encryption. They’re crucial to the data encryption process. Without protocols, there would be no VPN connections. Surfshark allows you to change VPN protocols at any time.

IKEv2 (Internet Key Exchange version 2)

IKEv2 is a fast favorite and very popular among mobile users. It’s advanced and works best when you’re connecting to a physically nearby server.


OpenVPN

As the name suggests, OpenVPN is an open-source protocol - its code is open for security experts to work on and improve constantly. This protocol works best with long-distance servers and is favored by desktop operating system users.


Shadowsocks

This protocol was created specifically for bypassing the so-called Great Firewall of China. For people outside of restrictive regimes, Shadowsocks is unnecessary. It’s better to go with either IKEv2 or OpenVPN.


WireGuard®

WireGuard® is one of the hottest new protocols on the block. The brainchild of Jason A. Donenfeld, it’s aimed at power-saving and speed. It’s very sleek, too: while OpenVPN has 400,000 lines of code, WireGuard works with only 4,000, making it very easy for developers to check.

How to check if your VPN is encrypted?

You can test VPN encryption with Glasswire or Wireshark. Both of these tools are free to download and use.
Wireshark is more precise in testing VPN encryption because it checks individual data packets that are going in or out of your device. However, unless you’re very suspicious of a VPN you’re using, Glasswire should be perfectly adequate.

Test VPN encryption with Glasswire

  1. Download Glasswire and follow the installation process
  2. Run the program
  3. Connect to a VPN of your choice
  4. Do something that generates traffic on the internet (like watching a video or downloading a file)
  5. Select Usage
  6. Go to the Apps menu on the left
  7. Search for the VPN type you’re using (e.g., if you’re connected to OpenVPN, find OpenVPN Daemon) and click on it
  8. Verify the traffic type

Now you can inspect if the VPN is routing traffic securely.

Test VPN encryption with Wireshark

  1. Download Wireshark and follow the installation process
  2. Run the program
  3. Choose network interface to capture: Wired (Ethernet) or wireless (Wi-Fi) and click on it
  4. Click on packets of data and inspect them

If the packets appear unreadable/gibberish and there’s nothing written in plain text, then it means your VPN is encrypted.
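
The Wireshark check above, automated as an added example in Go (not part of the original page): instead of eyeballing packets, score each captured payload for byte randomness and for readable strings. The function names and both thresholds (0.9 and 16) are assumptions, and the payloads in `main` are constructed.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
)

// Entropy returns Shannon entropy divided by the maximum reachable for a payload
// of this length (0..1), so short encrypted packets are not under-scored.
func Entropy(p []byte) float64 {
	if len(p) < 2 {
		return 0
	}
	var count [256]int
	for _, b := range p {
		count[b]++
	}
	h := 0.0
	for _, c := range count {
		if c > 0 {
			f := float64(c) / float64(len(p))
			h -= f * math.Log2(f)
		}
	}
	return h / math.Log2(math.Min(256, float64(len(p))))
}

// LongestText returns the length of the longest run of printable ASCII bytes.
func LongestText(p []byte) (best int) {
	run := 0
	for _, b := range p {
		if b < 0x20 || b > 0x7e {
			run = 0
		} else if run++; run > best {
			best = run
		}
	}
	return best
}

// LooksEncrypted reports near-uniform bytes with no readable strings (assumed thresholds).
func LooksEncrypted(p []byte) bool { return Entropy(p) > 0.9 && LongestText(p) < 16 }

func main() {
	plain := []byte("GET /login?user=alice HTTP/1.1\r\nHost: example.test\r\n\r\n") // constructed
	tunnel := make([]byte, 64)                                                     // constructed stand-in for a VPN payload
	rand.Read(tunnel)
	fmt.Println("plain:", LooksEncrypted(plain), "tunnel:", LooksEncrypted(tunnel))
}
```

High entropy alone cannot tell encryption from compression, so a positive result shows the absence of readable plaintext rather than proof of a particular cipher.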

Are all VPNs encrypted?

No. There are a lot of free VPN services that claim they encrypt data, but in reality, they don’t offer security to their users at all. That’s because free VPNs can’t invest in complicated software engineering that results in strong encryption. When you don’t pay free VPN providers with money, you eventually pay them with your data.

How secure is VPN encryption?

The security of encryption depends on the VPN.

Most of the time, VPN providers highlight an encryption algorithm (e.g., AES-256-GCM) to showcase how secure the product is. However, if we were to talk in more specific terms, a VPN is composed of four integral parts: asymmetric key exchange, symmetric key exchange, encryption algorithm, and integrity algorithms. They’re all equally important for securing connections and encrypting data.

While an encryption algorithm is just one part of a VPN, it’s a good indicator of how reliable and strong a VPN is. AES-256 is an industry-leading standard for VPN encryption. It would take multiple lifetimes to crack it; thus, it’s fair to say that it’s as secure as a VPN can be today.

Is VPN encryption end-to-end?

No. A VPN provides encryption from your phone, computer, or any other device to the VPN server.

Does VPN encrypt all traffic?

Yes, when a VPN is connected to a VPN server, it encrypts all your internet traffic, including cellular data.

Is it possible to crack VPN encryption?

Generally, no. However, to be precise, we could say that cracking AES-256-bit encryption is possible in theory. In reality, it would take more than a lifetime.
