
How does a VPN work?

Posted on November 4th, 2020 by Douglas in Privacy & Security.

A virtual private network (VPN) provides privacy and a host of other benefits when connecting to the internet. Our blog post What is a VPN? explains what this technology does and some reasons you might find it useful to install your own VPN on your device. 

In this article, we will go deeper and explain the more technical aspects of how a VPN works in a way that’s easy for anyone to understand.

We’ll start with some internet basics and then talk about how a VPN fits into the picture, followed by a question-and-answer section at the end.

How the internet works (without a VPN)

Your internet service provider (ISP) connects your device to the internet, so all data between your device and the servers (e.g., websites) you connect to flows through your ISP’s network. Every device that is directly reachable on the internet is identified by a number known as an IP address. At home, your ISP typically assigns one public IP address to your router, and the devices behind it share that address.

When you type a website’s address into your browser’s address bar, your device first has to translate the human-readable domain name (such as protonvpn.com) into the numeric IP address of the server. To do this it sends a request known as a DNS query to a DNS resolver, which by default is one operated by your ISP.

DNS is similar to a big telephone directory that maps domain names like “protonvpn.com” to their corresponding IP addresses. Once your device has obtained the correct IP address from the resolver, your browser initiates a connection with the website (or other internet resource).

A diagram of how the internet works without a VPN.

What your ISP can see

Your ISP (such as Verizon, Vodafone, or Comcast) knows the IP address of the router you are using and whose account it belongs to. It can also know which websites you have visited, because most ISPs log the DNS queries their resolvers process (together with a timestamp of when you made the query).

Even if you do not use your ISP’s resolver (for example, because you configured a third-party DNS service), your ISP can still read your DNS queries as they pass through its network, because traditional DNS is sent unencrypted. If you type an IP address directly, no DNS query is sent at all, but the ISP still sees which address you connect to.

In recent years there has been a growth in third-party DNS services that do encrypt DNS queries made to them (DNS over HTTPS and DNS over TLS). This is good, but your ISP can usually still tell which website you visit, for two reasons: the destination IP address required to route your data cannot be encrypted, and the TLS handshake that starts an HTTPS connection carries the hostname in plaintext in its Server Name Indication (SNI) extension. Encrypted Client Hello, which hides the SNI, is not yet universally deployed.

HTTPS is HTTP carried over TLS, the encryption protocol that secures the connection between a website and your device. Thanks in large part to Let’s Encrypt, a nonprofit certificate authority that issues free certificates, the use of HTTPS has become the norm rather than the exception it was just a few short years ago.

A screenshot of the padlock you see when the site you are visiting is HTTPS-encrypted.
A closed padlock in your browser’s URL bar indicates that HTTPS is being used.

Without HTTPS, your ISP can see everything you do on a website. This includes the individual pages you visit, any payment details you enter, and any form data that you submit. HTTPS prevents this. Even when HTTPS is used, though, your ISP can still see and log which websites you visit, via the destination IP address and the SNI hostname in the handshake (just not what you do on them).

And what your ISP can see, so can your government.
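To make the two leaks described above concrete, here is an added example (not code from the original post or from Proton) that parses what an on-path observer actually receives: the question name from a plaintext DNS query, and the server_name from the first packet of an HTTPS connection. Both packets are constructed inline rather than captured; the field layouts follow the DNS and TLS ClientHello wire formats.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// buildDNSQuery constructs a plaintext DNS query for name (constructed input, not a capture).
func buildDNSQuery(name string) []byte {
	q := []byte{0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0} // ID, RD flag, QDCOUNT=1
	for _, label := range strings.Split(name, ".") {
		q = append(append(q, byte(len(label))), label...)
	}
	return append(q, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
}

// dnsQueryName is what an on-path observer runs: it reads the question name out of
// an unencrypted DNS query with no key at all, and fails closed on malformed input.
func dnsQueryName(pkt []byte) (string, error) {
	if len(pkt) < 12 || binary.BigEndian.Uint16(pkt[4:6]) == 0 {
		return "", errors.New("no question section")
	}
	var labels []string
	for off := 12; off < len(pkt); {
		n := int(pkt[off])
		if n == 0 {
			return strings.Join(labels, "."), nil
		}
		if n&0xC0 != 0 || off+1+n > len(pkt) { // a question name never uses compression pointers
			return "", errors.New("malformed label")
		}
		labels = append(labels, string(pkt[off+1:off+1+n]))
		off += 1 + n
	}
	return "", errors.New("truncated query")
}

// buildClientHello constructs a TLS ClientHello record carrying a server_name
// extension for host (constructed: zeroed random, a single cipher suite).
func buildClientHello(host string) []byte {
	be := binary.BigEndian
	sni := append(be.AppendUint16(nil, uint16(3+len(host))), 0) // list length, name_type=host_name
	sni = append(be.AppendUint16(sni, uint16(len(host))), host...)
	ext := append(be.AppendUint16(be.AppendUint16(nil, 0), uint16(len(sni))), sni...) // type 0 = server_name
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...)                           // client_version, random
	body = append(body, 0, 0, 2, 0x13, 0x01, 1, 0)                                    // no session_id, one suite, null compression
	body = append(be.AppendUint16(body, uint16(len(ext))), ext...)
	hs := append([]byte{0x01, 0, byte(len(body) >> 8), byte(len(body))}, body...)      // ClientHello with 3-byte length
	return append(be.AppendUint16([]byte{0x16, 0x03, 0x01}, uint16(len(hs))), hs...) // handshake record header
}

// tlsSNI pulls the server_name out of a ClientHello the way ISP or middlebox DPI
// does. Every length is bounds-checked so a truncated record fails closed.
func tlsSNI(rec []byte) (string, error) {
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 0x01 {
		return "", errors.New("not a TLS ClientHello record")
	}
	hs, off, trunc := rec[5:], 4+2+32, errors.New("truncated ClientHello") // skip handshake header, version, random
	skip := func(lenBytes int) bool { // advance past a field with a 1- or 2-byte length prefix
		if off+lenBytes > len(hs) {
			return false
		}
		n := int(hs[off])
		if lenBytes == 2 {
			n = int(binary.BigEndian.Uint16(hs[off:]))
		}
		off += lenBytes + n
		return off <= len(hs)
	}
	if !skip(1) || !skip(2) || !skip(1) || off+2 > len(hs) { // session_id, cipher_suites, compression
		return "", trunc
	}
	extEnd := off + 2 + int(binary.BigEndian.Uint16(hs[off:]))
	if extEnd > len(hs) {
		return "", trunc
	}
	for off += 2; off+4 <= extEnd; {
		typ, l := binary.BigEndian.Uint16(hs[off:]), int(binary.BigEndian.Uint16(hs[off+2:]))
		off += 4
		if off+l > extEnd {
			return "", trunc
		}
		if typ == 0 { // server_name: list_len(2) name_type(1) name_len(2) name
			d := hs[off : off+l]
			if len(d) < 5 || d[2] != 0 || 5+int(binary.BigEndian.Uint16(d[3:])) > len(d) {
				return "", errors.New("malformed server_name extension")
			}
			return string(d[5 : 5+int(binary.BigEndian.Uint16(d[3:]))]), nil
		}
		off += l
	}
	return "", errors.New("no server_name extension (hostname hidden, e.g. ECH or an IP literal)")
}

func main() { // what an on-path observer learns from each packet
	fmt.Println(dnsQueryName(buildDNSQuery("protonvpn.com")))
	fmt.Println(tlsSNI(buildClientHello("protonvpn.com")))
}
```

Running it prints protonvpn.com twice: once recovered from the UDP/53 query and once from the TLS handshake. Switching to an encrypted resolver removes the first, but not the second; only Encrypted Client Hello, or a VPN tunnel that wraps the whole connection, takes the SNI out of the ISP’s view. Both parsers fail closed on truncated input, which matters because the same logic on a DPI box is fed arbitrary packets.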

What websites can see

Websites can see the last IP address in the chain of connections between your device and the web server. Without a VPN, this is the public IP address your ISP has assigned to your router (or, where the ISP uses carrier-grade NAT, an address it shares among a group of customers).

Websites routinely log this information, together with timestamps, frequency, and duration of visits, in order to understand how the website is being used and how it is performing. Should the police need to identify a particular user of that website, it’s a simple matter of asking the ISP to identify the customer it has assigned that IP address to. 

Identifying an individual in this way is, of course, quite unusual. It may even sometimes require legal coercion, although most ISPs are happy to voluntarily cooperate with legitimate law enforcement requests.

Even without uniquely identifying you, your IP address usually tells websites which country you are in, and often which city. This is because ISPs assign IP addresses to home users in blocks that correspond to geographic regions, and geolocation databases that map these blocks to locations are publicly available.

In short, the internet was not built for privacy, so you should not expect any when using it as is.

With a VPN

When you use a VPN app on your device, it establishes an encrypted connection to a VPN server. This connection is made over the internet (so you still need your ISP), and is often referred to as a “VPN tunnel.”

This VPN server handles all DNS queries and acts as an intermediary that sits between your device and the internet, routing your data to the correct destinations. 

An illustration of how a VPN works.

What your ISP can see

Your ISP can see that you are connected to an IP address belonging to a server. It won’t automatically know this is a VPN server, but it wouldn’t take Sherlock Holmes to figure it out: it is the only address you appear to be connecting to, VPN server addresses are widely catalogued, and VPN protocols have recognizable fingerprints (for example, IKEv2 uses UDP ports 500 and 4500, and OpenVPN’s default port is 1194).

What it can’t see is which websites or other internet resources you connect to through the VPN server. This is because the VPN server resolves your DNS queries and routes your data to the correct IP address on your behalf.

Your ISP also can’t see the contents of your data (including the real destination IP addresses, the SNI hostnames, and your DNS queries), because all data traveling between your device and the VPN server is encrypted.

So when using a VPN, your ISP can’t see which websites you visit, and it can’t see the contents of your data (even when HTTPS is not used). The same is true of WiFi hackers, public WiFi router operators, or anyone else who might normally be able to see your data as it travels between your device and its destination.

What websites see

When using a VPN, the last IP address in the chain of connections between your device and the webserver is that of the VPN server. The VPN server, therefore, shields your real IP address from websites you visit, which will only be able to see the IP address of the VPN server.

In addition to its clear privacy benefits, this feature of a VPN is useful for spoofing your geographic location, since you appear to access the internet from wherever the VPN server is located.

What the VPN server sees

In many ways, the VPN provider takes over the role of your ISP. It resolves your DNS queries and can monitor the IP addresses (and SNI hostnames) you connect to.

Although the connection between your device and the VPN server is encrypted by the VPN, the traffic between the VPN server and the websites you visit carries only whatever encryption the websites themselves use. This means that (like your ISP normally can), the VPN server can view the content of traffic that is not protected by HTTPS.

It is, therefore, of critical importance to choose a VPN service that is trustworthy and secure. 

How ProtonVPN ensures privacy and transparency

At Proton, our commitment to users’ privacy is well known. ProtonVPN and ProtonMail, the largest encrypted email provider in the world, are trusted by journalists and activists in the field, and we have taken a number of steps to strengthen your security and privacy:

  • Unlike most ISPs, we keep no logs that can compromise your privacy. A timestamp is kept of your last successful login attempt, but this is not connected to the IP address you connect from or to any activity while using our service. 
  • Our apps are all fully audited and open source, so anyone can check them.
  • We are based in Switzerland, a country with no ties to the USA-led Five Eyes mass surveillance alliance, and which has among the strongest data privacy laws in the world.
  • We use only the most secure VPN protocols, with strong encryption and forward secrecy (each session uses fresh keys, so a key compromised later cannot decrypt previously recorded traffic).
  • We offer a specially hardened Secure Core VPN service for those who need it.
  • Our apps offer DNS leak protection to ensure DNS lookups are handled exclusively by Proton. IPv6 leak protection ensures no data is ever routed outside the VPN tunnel.

FAQ

What is encryption?

Encryption is a mathematical process that transforms readable data into ciphertext that reveals nothing useful to anyone without the correct key. It is the cornerstone of keeping your data safe on the internet. ProtonVPN uses only the strongest encryption suites; please see our post on strong encryption for more information.

What is AES-256?

AES is a symmetric-key cipher, meaning the same key is used to encrypt and decrypt. It is used both for data at rest (such as disk encryption) and for data in transit (such as TLS and VPN tunnels). AES-256 is AES with a 256-bit key, the largest of its three key sizes (128, 192, and 256 bits).

AES is approved by NIST, and the US government permits AES-256 for protecting its top secret data. This has led many VPN services that use AES-256 to describe their encryption in terms such as “military grade.” AES-256 is, indeed, very secure, but it is only one of the components required to ensure a VPN connection is secure: the key exchange, authentication, and the integrity protection of each packet matter just as much.

What is an encryption tunnel or a VPN tunnel?

A VPN encrypts your data as it travels between your device and the VPN server, thus preventing anyone who would otherwise be able to access the data (such as your ISP or public router operator) from seeing its contents.

An illustration of how a VPN's encrypted tunnel works.

Individual “packets” of data are encrypted on your device, wrapped inside new outer packets addressed to the VPN server, and then unwrapped and decrypted on the VPN server (and the reverse for traffic coming back). The tunnel analogy is a useful way to think about this encrypted connection.
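As an added example of the tunnel mechanics described above (not ProtonVPN’s code and not any particular protocol’s packet format), the following Go program builds one direction of such a tunnel from the ingredients named elsewhere in this FAQ: an ephemeral X25519 key agreement for forward secrecy, AES-256-GCM for encryption and integrity, and a packet counter that serves as both nonce and replay check. The inner IPv4 packet, the addresses, and the single SHA-256 key derivation are constructed for the demo; a real protocol derives keys with HKDF bound to the handshake transcript and authenticates the server’s public key, both omitted here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// tunnel is one direction of a VPN tunnel: a per-session AES-256-GCM key, the
// sender's nonce counter and the receiver's anti-replay high-water mark.
type tunnel struct {
	aead       cipher.AEAD
	next, last uint64
}

// newTunnel derives one direction's key (label "c2s" or "s2c") from an ephemeral
// X25519 agreement: each side generates a fresh key pair per session and discards
// it, so a later key compromise cannot decrypt recorded traffic (forward secrecy).
// SHA-256(secret||label) stands in for the HKDF a real protocol uses (assumption).
func newTunnel(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, label string) (*tunnel, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(shared, label...)) // 32 bytes: an AES-256 key
	block, _ := aes.NewCipher(key[:])              // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)                // AES has the 128-bit block GCM needs
	return &tunnel{aead: aead, next: 1}, nil
}

// encapsulate turns an inner IP packet into the outer payload the ISP forwards: a 12-byte
// nonce in the clear, then ciphertext and a 16-byte tag; the inner header and payload are all under the AEAD.
func (t *tunnel) encapsulate(inner []byte) []byte {
	nonce := make([]byte, t.aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[4:], t.next) // counter nonce: never reused under this key
	t.next++
	return t.aead.Seal(nonce, nonce, inner, nil)
}

// decapsulate authenticates and decrypts one outer packet, rejecting any counter
// not above the last accepted one (production code keeps a sliding window instead).
func (t *tunnel) decapsulate(outer []byte) ([]byte, error) {
	ns := t.aead.NonceSize()
	if len(outer) < ns+t.aead.Overhead() {
		return nil, errors.New("short tunnel packet")
	}
	seq := binary.BigEndian.Uint64(outer[4:ns])
	if seq <= t.last {
		return nil, errors.New("replayed packet")
	}
	inner, err := t.aead.Open(nil, outer[:ns], outer[ns:], nil)
	if err != nil {
		return nil, errors.New("authentication failed: modified in transit or wrong key")
	}
	t.last = seq
	return inner, nil
}

// ipv4Dst reads the destination address from an IPv4 header, as a router would.
func ipv4Dst(pkt []byte) (netip.Addr, bool) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return netip.Addr{}, false
	}
	return netip.AddrFromSlice(pkt[16:20])
}

// must turns a setup failure (no entropy, bad peer key) into a panic; fine for a demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// demo sends one client->server packet and reports the destination the server
// recovers and whether a replayed copy and a bit-flipped copy are rejected.
func demo() (serverDst string, replayRejected, tamperRejected bool) {
	clientPriv := must(ecdh.X25519().GenerateKey(rand.Reader)) // fresh per session
	serverPriv := must(ecdh.X25519().GenerateKey(rand.Reader))
	client := must(newTunnel(clientPriv, serverPriv.PublicKey(), "c2s"))
	server := must(newTunnel(serverPriv, clientPriv.PublicKey(), "c2s"))
	// Constructed inner IPv4 packet: TTL 64, TCP, 192.0.2.7 -> 203.0.113.10, checksum left zero.
	inner := append([]byte{0x45, 0, 0, 36, 0, 0, 0, 0, 64, 6, 0, 0, 192, 0, 2, 7, 203, 0, 113, 10}, "GET / HTTP/1.1\r\n"...)
	outer := client.encapsulate(inner) // all the ISP carries: a nonce and opaque bytes
	dst, _ := ipv4Dst(must(server.decapsulate(outer)))
	_, replayErr := server.decapsulate(outer) // the same packet delivered again
	forged := client.encapsulate(inner)
	forged[len(forged)-1] ^= 1 // flip one bit of the authentication tag
	_, tamperErr := server.decapsulate(forged)
	return dst.String(), replayErr != nil, tamperErr != nil
}

func main() { fmt.Println(demo()) }
```

The server recovers the inner destination 203.0.113.10, while the bytes the ISP forwards carry only a counter and ciphertext; delivering the same packet twice is rejected as a replay, and flipping a single bit of the tag fails authentication. That integrity check is why a VPN protects against tampering on public WiFi as well as against eavesdropping.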

What is a VPN protocol?

A VPN protocol is the set of instructions used to establish a secure connection between two computers (your device and the VPN server). Various VPN protocols exist, but ProtonVPN supports OpenVPN and IKEv2 (with support for WireGuard to come).

OpenVPN –  A battle-tested VPN protocol that is still widely regarded as the last word when it comes to VPN security.

IKEv2 – A more modern VPN protocol that is fast while also considered by experts to be very secure.

L2TP/IPsec – Reportedly targeted by the NSA, but under most circumstances this protocol is still considered secure. It has, however, been superseded by the superior IKEv2.

PPTP – A highly insecure protocol that some providers continue to support for compatibility reasons. 

WireGuard – A very new VPN protocol that, while fast and secure (at least in theory), is still experimental. ProtonVPN is watching the development of WireGuard (now out of beta phase on Linux) with great interest and has helped to fund its development.

Learn more about VPN protocols.

Will a VPN slow my internet down?

Yes, but not too much. Encrypting and decrypting your data requires processing power, which, in theory, can slow down your internet connection. In practice, even low-end modern smartphones can handle VPN encryption with no noticeable slowdown.

A bigger issue is how far your data travels. Connecting to a VPN server adds another “leg” to its journey, which inevitably slows it down. This is particularly true if the VPN server you connect to is located on the other side of the world from you. 

If you connect to a VPN server fairly nearby, however, (for example, anywhere in Europe if you are based in Europe), then it is unlikely you will notice any slowdown. In addition to this, our unique VPN Accelerator technology can increase speeds by over 400% under certain conditions and is particularly effective at mitigating speed loss when connecting to geographically distant servers.

Learn more about VPN Accelerator

Another factor to consider is the “server load” of the VPN server you are using. That is, how many people are using it at the same time as you and thus making demands on its resources. 

This is the main reason that our free servers, which can get a little busy during peak times, do not always allow the speeds that are available when using our Basic and Plus servers, which tend to be less busy.

What is IPv6 leak protection?

Every device connected to the internet is assigned a unique number to identify it. The huge expansion of the internet in recent years, however, means that numbers assigned using the old IPv4 system are running out. Fast. 

IPv6 fixes this problem with 128-bit addresses, making some 2^128 (around 340 billion billion billion billion) addresses available, which should keep us going for quite some time.

All modern operating systems support IPv6, but much of the internet still uses IPv4. To bridge the two, your device asks DNS for both the IPv4 (A) and IPv6 (AAAA) addresses of the websites you visit. If both exist, it attempts connections over both and uses whichever answers first, generally preferring IPv6 (the “Happy Eyeballs” technique).

If the website has no IPv6 address, no IPv6 connection is attempted and your device connects over IPv4 as usual.

Many VPN apps from other VPN services are IPv4-only, and thus route only IPv4 traffic through the VPN tunnel. When your device makes an IPv6 connection, the VPN app plays no part in it, and your OS sends it over your normal network interface, outside the VPN tunnel.

An illustration of how IPv6 leaks work.

The website you have connected to can therefore see your real IPv6 address, even though you are using a VPN. This is an IPv6 leak.

ProtonVPN applications block all IPv6 traffic by default to ensure this does not happen. Because almost every destination is still reachable over IPv4, this has no noticeable effect on your internet experience.

What is DNS leak protection?

When using a VPN, DNS queries are supposed to go through the VPN tunnel so that only the VPN service can see and resolve them. A DNS leak occurs when a DNS request is somehow routed outside the VPN tunnel so that it can be seen by (and usually also resolved by) your ISP.
 
There are a number of reasons this can happen (Windows, for example, may send a query to the DNS servers of every network interface at once), and while Windows tends to be the worst offender, it can happen on any platform. DNS leak protection solves the problem by pointing the system resolver at the VPN’s DNS server and using firewall rules to block any DNS traffic that tries to leave your device outside the VPN tunnel.
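To show why IPv4-only clients leak and what the two protections change, here is an added example (constructed tables, not ProtonVPN’s implementation) that simulates the decision a client OS makes for each outbound packet: longest-prefix match over the routing table, followed by the IPv6 and DNS leak-protection rules. The routing table mirrors a common layout: the VPN app installs an IPv4 default route via tun0 but never touches the IPv6 default route, and the home LAN keeps a more specific route via eth0 to the router, which also acts as the DNS forwarder.

```go
package main

import (
	"fmt"
	"net/netip"
)

// route is one entry of a simplified kernel routing table.
type route struct {
	dst   netip.Prefix
	iface string
}

// packet is the part of an outbound packet that routing and a host firewall look at.
type packet struct {
	dst   netip.Addr
	proto string // "tcp" or "udp"
	port  uint16
}

// host is a VPN client: its routing table plus the two optional leak protections.
type host struct {
	routes        []route
	tunnelDNS     netip.Addr // the VPN provider's resolver, reachable only inside the tunnel
	dnsOnlyTunnel bool       // DNS leak protection: UDP/53 may only go to tunnelDNS
	blockIPv6     bool       // IPv6 leak protection: drop IPv6 that would bypass tun0
}

// lookup does longest-prefix matching as the kernel does: the most specific route
// wins, and an address family with no matching route (e.g. no ::/0) has no route.
func (h host) lookup(dst netip.Addr) (string, bool) {
	var best route
	found := false
	for _, r := range h.routes {
		if r.dst.Contains(dst) && (!found || r.dst.Bits() > best.dst.Bits()) {
			best, found = r, true
		}
	}
	return best.iface, found
}

// egress reports what happens to a packet: "tunnel", "dropped", or the kind of leak.
func (h host) egress(p packet) string {
	isDNS := p.proto == "udp" && p.port == 53
	if h.dnsOnlyTunnel && isDNS && p.dst != h.tunnelDNS {
		return "dropped" // a query to any other resolver never leaves the host
	}
	iface, ok := h.lookup(p.dst)
	switch {
	case !ok:
		return "dropped" // no route at all
	case iface == "tun0":
		return "tunnel"
	case p.dst.Is6() && h.blockIPv6:
		return "dropped"
	case p.dst.Is6():
		return "IPv6 leak"
	case isDNS:
		return "DNS leak"
	}
	return "leak" // any other traffic that bypasses the tunnel (a kill switch would drop it)
}

// sampleHosts builds a client the way a typical IPv4-only VPN app leaves it, and the
// same client with both leak protections enabled (constructed tables, not a real system).
func sampleHosts() (leaky, hardened host) {
	leaky = host{
		routes: []route{
			{netip.MustParsePrefix("0.0.0.0/0"), "tun0"},      // IPv4 default route installed by the VPN app
			{netip.MustParsePrefix("10.8.0.0/24"), "tun0"},    // the tunnel's own address range
			{netip.MustParsePrefix("192.168.1.0/24"), "eth0"}, // home LAN: more specific than the default
			{netip.MustParsePrefix("::/0"), "eth0"},           // IPv6 default from the ISP, untouched by the app
		},
		tunnelDNS: netip.MustParseAddr("10.8.0.1"),
	}
	hardened = leaky
	hardened.dnsOnlyTunnel, hardened.blockIPv6 = true, true
	return leaky, hardened
}

// samplePackets are what a browser emits after a dual-stack DNS lookup of one site,
// plus the two DNS queries a multi-homed resolver can send (constructed).
var samplePackets = []packet{
	{netip.MustParseAddr("203.0.113.10"), "tcp", 443}, // the site over IPv4 (A record)
	{netip.MustParseAddr("2001:db8::10"), "tcp", 443}, // the same site over IPv6 (AAAA record)
	{netip.MustParseAddr("192.168.1.1"), "udp", 53},   // query to the home router's DNS forwarder
	{netip.MustParseAddr("10.8.0.1"), "udp", 53},      // query to the VPN's resolver
}

// classify runs every sample packet through one host's egress decision.
func classify(h host) []string {
	out := make([]string, len(samplePackets))
	for i, p := range samplePackets {
		out[i] = h.egress(p)
	}
	return out
}

func main() {
	leaky, hardened := sampleHosts()
	fmt.Println("IPv4-only client:    ", classify(leaky))
	fmt.Println("with leak protection:", classify(hardened))
}
```

Without protection, the IPv6 connection and the query to the router’s resolver both leave via eth0 in the clear; with it, they are dropped and only tunnel traffic remains. On a real system the same policy is expressed as firewall rules, for instance rejecting all IPv6 and all UDP/53 that is not destined for the tunnel resolver on any interface other than tun0.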


Douglas has worked for many years as a technology writer in the cyberprivacy and cybersecurity sector. He is now very pleased to work for a company with a mission that he passionately believes in.


7 comments

  1. Al

    Excellent article that, in explaining things in such a clear way, allows regular internet users to appreciate what is technically going on when using a VPN. This means we can make informed decisions with confidence about how we use the internet which, in this day and age, is a gift beyond measure! Thank you Douglas and thank you ProtonVPN!

  2. Andrew Goodenough

    Great service!
    Only downside seems to be with services such as Twitter, who now push stuff at me not only in English, but languages I don’t understand (German, Dutch?) although my profiles always ask for English only. This is even though I usually use UK VPNs – I occasionally use others. If there is any way to get ‘English only’ please advise – non English tweets/posts/websites are pointless and a waste of the senders time and money as far as I am concerned.
    But overall, I feel so much SAFER!
    Thanks, ASG

  3. NS nat D

    This doesn’t work for Nintendo Switch NAT. Better search for another solution.

  4. Proton can not be beaten when it comes to security

    Proton cannot be beaten when it comes to security. Keep up the amazing work, Proton 👌👏

  5. Richie Koch

    Thanks!

  6. Dimon Unix Shell

    It would be nice to have 2-4 servers in Russia for Steam, Rutracker, online shops that block non-Russian IPs, and some streaming services. Because now I must use 2 VPNs – ProtonVPN for 99% of all my traffic and NoNameVPN with Russian servers for Steam (or Gaben will ban my account). I also think it would be nice to add 1-2 torrent servers in the RU zone, especially for Rutracker. :-)

  7. Dimon Unix Shell

    Thanks from Russia! ProtonVPN is the GREATEST VPN ever. :-)
    P.S. Roskomnadzor sucks. :D
