How does a VPN work?


I’ve heard the tunnel explanation before, but it’s just not doing it for me. What’s going on with the packet and the addressing itself? Traffic still has to go to my ISP before it can get anywhere else, so how is the VPN able to obfuscate my IP address and location?



You want to write a letter to your friend Jason.

So you write your letter, and put it in the envelope. You write Jason’s name on the outside. You give it to the post office. The post office reads the address, and delivers it to Jason.

But now all the guys at the post office can read the address. It’s right there in the open.

And if the police stop by, and demand to see today’s mail, they can see that you sent a letter to Jason too.


You hire a middleman. We’ll call him Pete.

You make your letter to Jason, and put it in the envelope, and put Jason’s name on it … BUT THEN you put that envelope in ANOTHER envelope, with Pete’s address.

You paid Pete to open the mail, and deliver the contents to whoever is on the inside envelope.

Now all the guys at the post office know you sent mail to Pete, but they have no idea you sent mail to Jason.

REPEAT this process: First a letter addressed to Jason, inside a letter addressed to Pete, inside a letter addressed to Elizabeth … you can see how it becomes more and more difficult to know that you sent something to Jason.

BUT BEWARE. The fact that you sent mail at all is still known. The fact that your return address is on the outermost envelope is still known. Your ISP still knows that YOU sent “data”. And it knows you sent it to the VPN! But that’s all it knows. It doesn’t know the final recipient, or the contents of the data.


There’s tons of tricks to obfuscate things further. Like, when Pete sends your letter on to Jason, he can make it look like it came from Pete, not from you. So Jason could be unaware it came from you. So Pete is doing more than just forwarding, he’s changing the “From” address on the outside of the envelope.

THIS IS VERY BASIC. I know people are going to point out some shortcomings from this explanation. But this is, after all, ELI5.

“Hey ISP, send this encrypted letter to VPN.” Your VPN then decrypts the letter, which contains the site address, and runs the send/receive request for you.

The part you might be confused about is how you and the VPN agree on a decryption key without the ISP figuring it out. The gist of it is:

1. Both you and the VPN randomly generate a private key, plug it into an algorithm to generate a corresponding public key, and share those public keys through the ISP.

2. This algorithm has a special property. When you combine your private key with your VPN’s public key (and vice versa: your VPN combines their private key with your public key), you’re both able to arrive at the same number. The ISP can’t get that number without knowing your private keys, making it a shared secret that you use as the decryption key.
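The two steps above are a Diffie-Hellman exchange. The following is an added example, not code from the post, that carries them through in Python: each side keeps a private exponent, sends only `g^private mod p` through the ISP, and combines the other side's public value with its own private one. The group (`P = 23`, `G = 5`) is a constructed toy so the numbers are readable; the `eavesdropper_recover` function shows what the ISP would have to do with only the public values, and why it only works because the toy group is tiny.

```python
import hashlib
import secrets

# Toy group (constructed): a 5-bit prime, far too small for real use; it is
# here so the arithmetic is readable. Real VPNs use groups of 2048 bits or
# more, or elliptic curves, where the eavesdropper's search below is infeasible.
P = 23
G = 5


def generate_private(p: int = P) -> int:
    """Random exponent in [1, p-2]; this value never leaves the machine."""
    return secrets.randbelow(p - 2) + 1


def public_key(private: int, p: int = P, g: int = G) -> int:
    """What gets sent through the ISP: g^private mod p."""
    return pow(g, private, p)


def shared_secret(my_private: int, their_public: int, p: int = P) -> int:
    """their_public^my_private mod p; both sides land on the same number."""
    return pow(their_public, my_private, p)


def session_key(secret: int) -> bytes:
    """Turn the agreed number into a fixed-length symmetric key."""
    return hashlib.sha256(str(secret).encode()).digest()


def exchange(client_private: int, vpn_private: int,
             p: int = P, g: int = G) -> dict:
    """Run the exchange with the given private keys; return both sides'
    results plus exactly what an on-path observer (the ISP) saw."""
    client_pub = public_key(client_private, p, g)
    vpn_pub = public_key(vpn_private, p, g)
    return {
        # The only values that ever cross the ISP's wire.
        "wire": {"p": p, "g": g, "client_pub": client_pub, "vpn_pub": vpn_pub},
        "client_secret": shared_secret(client_private, vpn_pub, p),
        "vpn_secret": shared_secret(vpn_private, client_pub, p),
    }


def eavesdropper_recover(wire: dict):
    """The ISP's only route: solve g^x = client_pub for x by trying every
    exponent (a discrete logarithm). Succeeds here only because p is tiny."""
    p, g = wire["p"], wire["g"]
    for x in range(1, p - 1):
        if pow(g, x, p) == wire["client_pub"]:
            return pow(wire["vpn_pub"], x, p)
    return None


if __name__ == "__main__":
    result = exchange(generate_private(), generate_private())
    print("on the wire:", result["wire"])
    print("client secret:", result["client_secret"],
          "vpn secret:", result["vpn_secret"])
    print("eavesdropper (toy group only):", eavesdropper_recover(result["wire"]))
```

With private exponents 6 and 15 the public values are 8 and 19 and both sides compute 2; `eavesdropper_recover` finds the same 2 after at most 21 trial exponentiations, which is the whole point of using a group with far more than 22 elements in practice.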

VPN server is just an encrypted relay service for network traffic.

You have software (e.g. web browser) on your computer that wants to communicate (e.g. send HTTP request) over internet to another machine (e.g. a web server). The browser assembles the TCP/IP** packets and tells the operating system to send them out over the network to the web server.

VPN client software will establish an encrypted network connection with a VPN server, and tell the OS to send all internet traffic (or in the case of a split tunnel, *some* traffic) via that connection instead (the VPN tunnel). This traffic is encrypted in a way only the VPN provider can decrypt (not your ISP), and wrapped in another layer of TCP/IP* packets that tell your ISP to send the traffic to the VPN server.***

The VPN server receives your traffic, decrypts the outer packet to reveal the original TCP/IP** packets (the HTTP request), which are then forwarded to the original destination (the web server). Since the web server physically receives the traffic from the VPN server, that’s the IP address it communicates with; it doesn’t know your IP at all.

Same process works in reverse for the HTTP response from web server back to VPN, via your ISP to your machine.

*You can swap this for UDP/IP which some VPNs use instead

**You can swap this for basically any network protocol that the VPN service may support, e.g. FTP, SMB, SMTP, SSH

***The TCP/IP (or UDP/IP) headers are what specify the source and destination IP address and port number; this is all that’s needed to route traffic
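The wrapping described in this answer (and Pete's envelope-inside-an-envelope in the earlier one) is easy to see in code. The following is an added example, not code from either post: an inner packet addressed to the web server is encrypted and placed inside an outer packet addressed to the VPN server; the VPN server decrypts it, sends it on with its own address as source (Pete rewriting the "From"), and reverses the process for the reply. The addresses are constructed from the RFC 5737 documentation ranges, the `Packet` class and `VpnServer` are stand-ins for real IP headers and a real VPN daemon, and `keystream_xor` is a toy cipher standing in for whatever cipher suite a real VPN negotiates.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed addresses from the RFC 5737 documentation ranges; not real hosts.
CLIENT_IP = "198.51.100.10"
VPN_IP = "203.0.113.5"
WEB_IP = "192.0.2.80"


@dataclass
class Packet:
    """Minimal stand-in for an IP packet: the fields the ISP routes on plus data."""
    src: str
    dst: str
    payload: bytes


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter keystream XOR). A stand-in for the
    VPN's real cipher; enough to show that the ISP sees only ciphertext."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(inner: Packet, key: bytes, src: str, dst: str) -> Packet:
    """Put the whole inner packet, headers included, inside an encrypted outer one."""
    serialized = json.dumps({"src": inner.src, "dst": inner.dst,
                             "payload": inner.payload.decode("latin-1")}).encode()
    return Packet(src=src, dst=dst, payload=keystream_xor(key, serialized))


def decapsulate(outer: Packet, key: bytes) -> Packet:
    """Undo encapsulate: decrypt the outer payload and rebuild the inner packet."""
    fields = json.loads(keystream_xor(key, outer.payload))
    return Packet(fields["src"], fields["dst"], fields["payload"].encode("latin-1"))


def isp_view(pkt: Packet) -> tuple:
    """Everything the ISP can read off a tunnel packet: the outer addresses."""
    return (pkt.src, pkt.dst)


class VpnServer:
    def __init__(self, ip: str, key: bytes):
        self.ip = ip
        self.key = key
        self.nat = {}  # web destination -> original client address

    def forward_out(self, outer: Packet) -> Packet:
        """Decrypt the tunnel packet and send the inner one on with our own
        address as source, like Pete rewriting the From on the envelope."""
        inner = decapsulate(outer, self.key)
        self.nat[inner.dst] = outer.src
        return Packet(src=self.ip, dst=inner.dst, payload=inner.payload)

    def forward_back(self, response: Packet) -> Packet:
        """Reverse path: find which client this reply belongs to, then re-wrap
        it in the tunnel toward that client."""
        client = self.nat[response.src]
        inner = Packet(src=response.src, dst=client, payload=response.payload)
        return encapsulate(inner, self.key, src=self.ip, dst=client)


def run_round_trip(key: bytes = b"constructed-shared-secret") -> dict:
    """One HTTP request and reply through the tunnel; reports each party's view."""
    request = Packet(CLIENT_IP, WEB_IP, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
    tunnel_out = encapsulate(request, key, src=CLIENT_IP, dst=VPN_IP)
    vpn = VpnServer(VPN_IP, key)
    to_web = vpn.forward_out(tunnel_out)
    # The web server answers whichever address it saw as source: the VPN's.
    reply = Packet(WEB_IP, to_web.src, b"HTTP/1.1 200 OK\r\n\r\nhello")
    tunnel_back = vpn.forward_back(reply)
    delivered = decapsulate(tunnel_back, key)
    return {
        "isp_sees_out": isp_view(tunnel_out),
        "web_sees_from": to_web.src,
        "isp_sees_back": isp_view(tunnel_back),
        "client_gets": delivered.payload,
        "plaintext_on_wire": request.payload in tunnel_out.payload,
    }


if __name__ == "__main__":
    for k, v in run_round_trip().items():
        print(f"{k}: {v!r}")
```

The `nat` table is the one piece of state the VPN server must keep: because every outbound packet leaves with the server's own source address, it needs a record of which client each reply is for, exactly the bookkeeping Pete does when he opens the return mail. The example omits split tunnelling, where the client sends only some destinations through `encapsulate` and the rest directly.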