What Is a VPN Really Doing to Your Internet Traffic
If you have watched more than three YouTube videos in the past decade, chances are at least one of them was sponsored by a VPN provider. NordVPN, ExpressVPN, and that kind of thing.
Most people have a vague idea what a VPN is. It's the thing that makes it look like you're browsing the internet from somewhere else, right? It is a privacy thing. Maybe. But it lets you watch Canadian Netflix and access blocked sites at your school or office, which might be all you need to hear.
In this article, we're going to break down what VPNs are actually doing, how they work under the hood, and whether they really deliver the privacy guarantees that their marketing departments pinky promise that they do.
Crash Course: TCP/IP
To truly understand what your VPN is doing for you, we need a quick crash course in TCP/IP. TCP/IP was introduced in the 1970s and gained popularity and adoption throughout the 1980s as the new standard networking foundation for the modern internet.
TCP/IP is actually two protocols. The first, Transmission Control Protocol (TCP), is designed to allow computers to acknowledge and interpret the data they send to each other. This data can be anything: a request to update your OS, a transmitted photo, an email, or any other data being sent between computers. Almost all common internet protocols (HTTP, SMTP, FTP, etc.) are built on TCP.
Before transmitting data, TCP establishes a connection to the destination and keeps that connection active until the data transmission is complete. After creating a connection, TCP negotiates some communication standards with the receiver, like which port to use, and breaks data into smaller "packets" that can later be reassembled by the receiving system. TCP ensures that packets arrive intact and in the correct order so the receiver can properly reassemble the data, and solves issues like lost or corrupted packets by using sequence numbers, checksums, and that kind of stuff.
Basically, TCP makes sure the receiver gets the correct data. Its partner protocol, Internet Protocol (IP), controls where the data is sent. Each packet is given an IP address header that contains both the source and destination IP addresses. An IP address is a unique identifier assigned to an internet-connected device or network.
The IP address headers in each packet are read at every network hop, which is how the packet gets routed to its final destination. If the destination is a network instead of a specific device, the data is then routed to a specific device within that network by a separate process called Address Resolution Protocol, but that's a story for another time.
Together, TCP and IP control where your data gets routed and ensure it arrives intact and exactly as you intended. Here's an annotated network packet, if you're into that kind of thing.
The Need for Network Security
For the security-minded readers out there, you might be wondering, “Hey, you didn’t mention encryption.” And that's because TCP and IP are not encrypted by default. They are designed to reliably move data from Point A to Point B, but any network hop that handles your packet can theoretically read or modify its contents. In the early days, this was not considered a catastrophic design flaw since the nascent internet mostly consisted of trustworthy universities and research institutions, but as the internet expanded, the lack of real network security became an obvious issue.
Security protocols were layered onto TCP/IP as the internet evolved. Two major approaches emerged in the 1990s: TLS and IPsec, both developed by the IETF.
Transport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL), is what secures most of the modern internet. If you have ever noticed the lock icon in your browser or the “HTTPS” prefix in a URL, that means you are using TLS. TLS sits above TCP in the networking architecture, meaning applications like web browsers encrypt data before handing it to TCP. Network hops can still read the TCP packets, but they can only see encrypted data, which is useless without the decryption keys (generated during a process called the TLS handshake, which is another story for another time).
IPsec encrypts the packets themselves, and is usually configured at the system level instead of per-connection. This means that it secures all traffic automatically, not just traffic from applications that are using TLS. IPsec adds authentication, integrity checks, and encryption before packets are sent. Similar to TLS, IPsec defines standards for negotiating shared keys at the beginning of a connection. That negotiation happens through Internet Key Exchange (IKE), in which the two endpoints use a pre-shared key, certificate, or other credentials. IPsec operates in one of two modes:
- Transport Mode: Encrypts the payload of the packet, leaving the original IP header intact so routers can still read and route the packet normally.
- Tunnel Mode: Encrypts the entire original packet and wraps it inside a new packet with a new header. This hides the original source and destination.
Can We Talk About VPNs Now?
Right, right, right. With the networking primers out of the way, we can talk about what a VPN is actually doing. When you connect to a website without a VPN, your traffic looks like this:
Your Computer → Your ISP → Other Routing Infrastructure → Website
Everybody that handles a packet in that chain can see, at minimum, the IP address you are connecting from and where the traffic is headed. That means your ISP can keep tabs on which sites you visit, and any intermediate network can block or filter traffic as they see fit.
But when you are using a VPN, your traffic looks like this:
Your Computer (VPN Client) → Your ISP → VPN Server → Other Routing Infrastructure → Website
To do this, your local VPN client establishes an encrypted tunnel with a VPN server.
Historically, and still common in corporate environments, many VPNs used IPsec to create that tunnel. IPsec operates at the network layer of your device and encrypts IP packets directly within the operating system before they leave the machine.
However, many modern consumer VPN services may use different tunneling protocols, including:
- OpenVPN: A VPN protocol that uses TLS to encrypt traffic. Unlike IPsec, which operates directly at the network layer, OpenVPN typically creates a virtual network interface on your device. Your operating system routes all network traffic to that interface, and OpenVPN captures the full packets. Those packets are encrypted using session keys negotiated via TLS and then transported to the VPN server over UDP or TCP. Basically, OpenVPN protects traffic by tunneling entire IP packets inside a TLS-secured connection rather than encrypting them natively within the kernel. Providers such as NordVPN have long supported OpenVPN because of its flexibility and reliability across different network environments.
- WireGuard: A new(ish) VPN protocol designed to be simpler and more efficient than both IPsec and OpenVPN. Like IPsec, WireGuard handles packets directly at the network layer, but makes several cryptographic and simplification improvements. Many consumer VPN providers now default to WireGuard or customized versions of it because it generally offers faster connection setup times and better performance while still encrypting entire packets before transmission. It is used by providers like ExpressVPN.
Regardless of the protocol, the goal is the same. Your original IP packet is encrypted and encapsulated inside a new packet addressed to the VPN server. Your ISP (and anyone else) can see that you are communicating with a VPN server, but cannot see the final destination or the contents of your traffic.
When the encrypted traffic reaches the VPN server, the wrapper is decrypted and the original packet is forwarded. The destination website sees the VPN server’s IP address as the source, not yours.
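If you'd rather see the wrapping and unwrapping in code, here is an added example (not from any VPN provider or protocol implementation) that builds an inner packet, encapsulates it the way the last two paragraphs describe, and compares what the ISP and the website can each read from the headers. The addresses, the port number, and the SHAKE-256 keystream standing in for a real authenticated cipher are all assumptions made for illustration.

```python
import hashlib, ipaddress, os, struct

def ipv4_packet(src, dst, payload, proto=6):
    """Minimal 20-byte IPv4 header plus payload (checksum left 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def read_header(packet):
    """What every hop can read: (source, destination, protocol number)."""
    proto, _, src, dst = struct.unpack("!BH4s4s", packet[9:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto

def xor_stream(key, nonce, data):
    """Stand-in cipher: SHAKE-256 keystream XOR. Real tunnels use an authenticated cipher."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def client_encapsulate(inner, key, client_ip, vpn_ip, port=51820):
    """VPN client: encrypt the whole inner packet and wrap it in UDP/IP to the server."""
    nonce = os.urandom(12)
    body = nonce + xor_stream(key, nonce, inner)
    udp = struct.pack("!HHHH", port, port, 8 + len(body), 0)  # checksum 0 = unused
    return ipv4_packet(client_ip, vpn_ip, udp + body, proto=17)

def server_forward(outer, key, vpn_ip):
    """VPN server: unwrap, decrypt, then forward with its own address as the source."""
    body = outer[28:]  # skip outer IPv4 (20 bytes) and UDP (8 bytes) headers
    inner = xor_stream(key, body[:12], body[12:])
    _, dst, proto = read_header(inner)
    return ipv4_packet(vpn_ip, dst, inner[20:], proto)

# Constructed sample values: documentation address ranges, a made-up tunnel address.
KEY = os.urandom(32)  # assumption: session key already negotiated by the handshake
CLIENT, TUNNEL, VPN, SITE = "198.51.100.7", "10.8.0.2", "203.0.113.10", "192.0.2.80"

def demo():
    inner = ipv4_packet(TUNNEL, SITE, b"GET / HTTP/1.1\r\n\r\n")
    outer = client_encapsulate(inner, KEY, CLIENT, VPN)
    forwarded = server_forward(outer, KEY, VPN)
    # ISP's view, website's view, and whether the plaintext packet is visible in transit
    return read_header(outer), read_header(forwarded), inner in outer

if __name__ == "__main__":
    isp_view, site_view, leaked = demo()
    print("ISP sees:", isp_view)
    print("Website sees:", site_view)
    print("Inner packet visible on the wire:", leaked)
```

The ISP's view contains only your address and the VPN server's, while the website's view contains only the VPN server's address and its own. The VPN server is the one place where both are known.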
Are VPNs More Private?
VPNs hide your traffic from your ISP and other network observers. Because your packets are encrypted inside the tunnel between your VPN client and the VPN server, your ISP cannot see the destinations you are trying to reach. The only party that can definitively see your traffic is the VPN provider.
But using a VPN does not make you truly anonymous, if that's what you're after. The VPN server must decrypt your traffic in order to forward it. That means the provider can see the destination IPs you connect to and the timing of your activity and all that good stuff. If the traffic is not using TLS/SSL, they could also see the contents. VPNs also don't protect you from the websites you visit, browser fingerprinting, tracking cookies, or that kind of thing.
But would a VPN log your activity and share it with a third party, if asked? Maybe. Maybe not. Many providers advertise “no logs” policies, but that ultimately comes down to their technical implementation, their jurisdiction, and whether they are compelled by law. So if you're interested in that, make sure to read the fine print on your VPN provider.
Are VPNs Legal?
They sure are. VPNs are standard in business and government environments to enable remote access to internal networks. This works by connecting to a company VPN server, and that server forwards traffic to an internal network that only accepts connections from trusted VPN endpoints.
In the United States, using a VPN is legal (for now...). However, some countries restrict or regulate VPN usage.
Accessing geo-locked content through a VPN is generally not a criminal offense in the US, but it may violate the terms of service of whatever application you are trying to get into.
And of course, using a VPN does not make illegal activity legal. If you're up to sketchy business on the internet, a VPN is not a get out of jail free card.
Conclusion
And now we have unmasked exactly what your VPN is doing.
Most VPNs simply encrypt your traffic, send it to a VPN server, and let that server forward it on your behalf. This protects your traffic from prying eyes along the way, except for the VPN provider itself, of course.

The team at /dev/null Digest is dedicated to delivering human-written commentary, humor, satire, and insights about software development and the tech world. Have opinions to share? Interested in writing your own articles? We are always accepting submissions, so feel free to reach out.




