

What happens when you connect
You click connect
Your device and the VPN server agree on a shared secret key. Nobody watching the network can read this handshake.
A tunnel opens
Every request you send gets wrapped in encryption before it leaves your device. Your ISP sees noise, not destinations.
The server speaks for you
The VPN server decrypts your request, forwards it to the website, and receives the response on your behalf. The site sees the server's IP, not yours.
The response comes back encrypted
The server wraps the reply in the same encryption and sends it back through the tunnel. Only your device can unwrap it.
VPN stands for Virtual Private Network. The name describes the mechanism: a private, encrypted connection that runs on top of a public network, in most cases the internet.
The technology was originally developed for corporate use. Employees working remotely needed a way to access internal company resources as if they were physically in the office. An encrypted tunnel over the public internet solved that problem. The underlying standards, particularly the IPsec protocol family, were formalised by the IETF in the late 1990s [1].
Consumer VPNs use the same basic principle, but for a different goal. Instead of connecting a remote employee to a corporate network, they connect an individual user to an exit server, routing all their internet traffic through that server. The practical effect is that your ISP sees one encrypted connection going to the VPN server. The sites you visit see traffic coming from the VPN server's IP address, not yours.
When you connect to a VPN, your device and the VPN server establish an encrypted channel before any of your actual traffic travels. Modern consumer VPNs typically use one of three protocols to build this channel: WireGuard, IKEv2, or OpenVPN. Each handles the key exchange and encryption differently, but the result is the same: data flowing between your device and the server is encrypted in transit [2].
Your device wraps each data packet inside an encrypted envelope addressed to the VPN server. The server unwraps it, reads the original destination, and forwards it on your behalf. The response comes back to the server, gets re-encrypted, and is sent back to your device.
This wrapping and unwrapping adds a small amount of latency. How much depends on the protocol, the server location, and the encryption method. WireGuard is generally the fastest because its codebase is small enough to run efficiently in the kernel rather than in userspace. The difference in practice is rarely noticeable for everyday browsing.
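The wrap, forward and unwrap steps described above, as an added example that is not code from the original page or from any VPN product. The addresses are constructed, the shared key is assumed to come from the handshake, and the cipher is a labelled standard-library stand-in for the AEAD a real protocol uses.

```python
import hashlib, hmac, json, os

# Constructed addresses from documentation ranges; none come from the page.
CLIENT_IP, VPN_IP, SITE_IP = "198.51.100.7", "203.0.113.10", "192.0.2.80"

def _subkey(key, label):
    # Separate encryption and authentication keys derived from the shared secret.
    return hashlib.sha256(label + key).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (SHA-256 in counter mode), for illustration only.
    # Real tunnels use a vetted AEAD such as ChaCha20-Poly1305 or AES-GCM.
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(key, inner):
    """Client: encrypt the whole inner packet, address the envelope to the VPN."""
    nonce = os.urandom(12)
    body = _xor_stream(_subkey(key, b"enc"), nonce, json.dumps(inner).encode())
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return {"src": CLIENT_IP, "dst": VPN_IP, "payload": nonce + body + tag}

def isp_view(outer):
    """What an on-path observer can record: endpoints and size, not contents."""
    return {"src": outer["src"], "dst": outer["dst"], "bytes": len(outer["payload"])}

def unwrap_and_forward(key, outer):
    """Server: authenticate, decrypt, then forward using its own source IP."""
    blob = outer["payload"]
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("envelope failed authentication; dropped")
    inner = json.loads(_xor_stream(_subkey(key, b"enc"), nonce, body))
    return {**inner, "src": VPN_IP}  # the site sees the server's address

def demo():
    key = os.urandom(32)  # assumed: the secret agreed during the handshake
    inner = {"src": CLIENT_IP, "dst": SITE_IP, "data": "GET / HTTP/1.1"}
    outer = wrap(key, inner)
    return isp_view(outer), unwrap_and_forward(key, outer)

if __name__ == "__main__":
    print(demo())
```

The observer's record contains only the client and VPN server addresses and a byte count, while the forwarded packet carries the server's address as its source.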
Without a VPN, your ISP sees your DNS queries, the IP addresses you connect to, the timestamps of every connection, and in some cases the content of unencrypted traffic. They are your default DNS resolver and they route all your packets. Even with HTTPS, they see which domains you visit because the DNS lookup happens before the encrypted session begins.
With a VPN, they see one persistent encrypted connection going to the VPN server's IP address. They cannot read the contents, they cannot see the DNS queries inside the tunnel, and they cannot see which sites you are actually visiting. What they can still see is that you are using a VPN, when you connected, and how much data you transferred.
The full breakdown of what is and is not visible to your ISP is covered in the What your ISP can see article. The DNS piece specifically is covered in What is DNS.
Every website you visit can see the IP address of the device connecting to them. Without a VPN, that is your real IP, which can be used to estimate your approximate location and identify your ISP.
With a VPN, the site sees the IP address of the VPN server instead. Many users share the same exit server, so the IP alone tells the site nothing specific about you. Your real IP is not in the connection.
This is also how VPNs are used to access content that is restricted by geography. If the VPN server is in a country where the content is available, the site sees a connection from that country. The VPN does not change how you are identified by services you are logged into — Google, Netflix, and your bank still know your account regardless of IP.
A VPN is not anonymity. It moves trust from your ISP to your VPN provider [3]. If the VPN provider keeps logs of your activity, you are in a comparable position to having an ISP that logs. The no-logs claim and whether it has been independently verified is one of the most important things to check before choosing a provider.
A VPN does not protect you from malware, phishing, or sites that track you through login sessions, cookies, or browser fingerprinting. It does not make you invisible to services you are already signed into. It does not prevent your device from being compromised.
It also does not always protect your DNS if configured poorly. A VPN that leaks DNS queries sends those lookups outside the tunnel to your ISP's resolver, defeating part of the purpose. This is covered in the DNS leaks article.
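One way to check for the misconfiguration described above, as an added example that is not from the original page: take the routing table and the configured resolvers and work out which resolvers are reached outside the tunnel. The `ip route`-style text, the `resolv.conf` content and the interface names `tun0` and `wlan0` are constructed sample data, and resolvers are assumed to be listed directly rather than behind a local stub such as 127.0.0.53.

```python
import ipaddress

# Constructed sample data: full-tunnel routes (two /1 routes over tun0),
# a split-tunnel table, and a resolver list mixing VPN, LAN and public DNS.
ROUTES_FULL_TUNNEL = """\
0.0.0.0/1 dev tun0
128.0.0.0/1 dev tun0
10.8.0.0/24 dev tun0
default via 192.168.1.1 dev wlan0
203.0.113.10 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0
"""
ROUTES_SPLIT = """\
default via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0
192.168.1.0/24 dev wlan0
"""
RESOLV_CONF = "nameserver 10.8.0.1\nnameserver 192.168.1.1\nnameserver 192.0.2.53\n"

def parse_routes(text):
    """Turn `ip route`-style lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes

def egress_interface(routes, ip):
    """Longest-prefix match; metrics and policy routing are ignored here."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None

def leaking_resolvers(route_text, resolv_conf, tunnel_dev):
    """Resolvers whose queries would leave on any interface but the tunnel."""
    routes = parse_routes(route_text)
    resolvers = [l.split()[1] for l in resolv_conf.splitlines()
                 if l.startswith("nameserver") and len(l.split()) > 1]
    return [r for r in resolvers if egress_interface(routes, r) != tunnel_dev]

if __name__ == "__main__":
    print(leaking_resolvers(ROUTES_FULL_TUNNEL, RESOLV_CONF, "tun0"))
    print(leaking_resolvers(ROUTES_SPLIT, RESOLV_CONF, "tun0"))
```

Even with full-tunnel routes, the LAN resolver 192.168.1.1 is flagged, because the more specific local /24 route takes precedence over the tunnel's catch-all routes.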
On a public network — a coffee shop, hotel, airport — you have no control over the infrastructure. A VPN ensures your traffic is encrypted before it leaves your device, regardless of what the network operator is doing. This is the clearest, most consistent use case.
At home, the question is whether you trust your ISP with your browsing history. In most countries ISPs can use traffic data for profiling and sell aggregated data to brokers. A VPN removes them from the picture as an observer of your browsing destinations and DNS queries.
Beyond privacy, VPNs are used for accessing geographically restricted content, bypassing network-level censorship, and in some cases reducing bandwidth throttling that ISPs apply to specific services.
The protocol matters. WireGuard, IKEv2, and OpenVPN are the three worth using. Avoid any provider still offering PPTP or L2TP without IPsec. The VPN protocols article covers the history and trade-offs in detail.
A verified no-logs policy is more meaningful than a claimed one. Look for independent audits by named firms, with published reports. The no-logs VPN article explains what an audit actually covers and what to look for in a privacy policy.
Where the company is incorporated affects which governments can compel it to produce data. This is covered in the VPN jurisdiction article.
BuycatVPN supports WireGuard, IKEv2, and OpenVPN with DNS leak protection active on every platform, and operates under a no-logs policy independently certified by KPMG [4].
Foundation document for IPsec, the protocol family underlying most early VPN implementations.
Defines TLS 1.3, the encryption standard used in modern VPN and HTTPS connections.
Practical guidance from the Electronic Frontier Foundation on evaluating VPN providers.
Technical overview of VPN architecture, tunneling, and encryption.
Early framework document defining the structure and goals of IP-based VPN systems.