What Is a VPN? A Complete Guide
A virtual private network — VPN — is a service that routes a device's internet traffic through an encrypted tunnel to a server operated by the provider. This guide explains how a VPN works at a technical level, what it can and cannot do for privacy and security, and how to evaluate the available options.
What a VPN Actually Does
A VPN application creates a network tunnel between a user's device and a remote server. All internet-bound traffic from the device is encapsulated, encrypted, and sent through this tunnel to the server, which then forwards the traffic to its destination on the public internet. Return traffic follows the reverse path.
Two practical changes follow from this arrangement. First, networks between the device and the VPN server — including local Wi-Fi, the internet service provider, and any transit networks — observe only encrypted traffic between the device and the VPN server. Second, the public internet sees requests originating from the VPN server's IP address rather than the device's real address.
A VPN, therefore, alters who can observe traffic and what address is visible to remote services. It does not, by itself, make a connection anonymous, nor does it eliminate all forms of tracking.
How a VPN Works
The core mechanism is encapsulation combined with encryption. When the VPN client is active, the operating system routes outgoing packets through a virtual network interface created by the VPN application. Each packet is wrapped inside a new packet — encapsulated — and encrypted using a session key negotiated when the connection was established.
Tunneling
Encapsulation means the original packet — including its destination address and payload — becomes the payload of an outer packet addressed to the VPN server. The outer packet travels over the public internet to the server, which decrypts the payload and forwards the original packet onward.
Encryption
Modern VPN protocols use authenticated encryption algorithms such as ChaCha20-Poly1305 or AES-GCM. The session keys are negotiated at connection time using key-exchange protocols built on public-key cryptography. This ensures that an observer in the middle of the connection cannot read the encapsulated traffic or modify it without detection.
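The two steps above, encapsulation and authenticated encryption, carried through in code. This is an added example written for this guide, not code from the page or from any VPN product; it models one direction of a tunnel with AES-256-GCM from Go's standard library, and assumes the 32-byte session key has already been produced by the connection-time key exchange (not shown). The inner "packet" is a constructed byte string standing in for a real IP packet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Tunnel is one direction of a VPN session keyed with AES-256-GCM. The key is
// assumed to come from the connection-time key exchange, which is not shown here.
type Tunnel struct {
	aead    cipher.AEAD
	counter uint64 // packet counter used as the nonce: GCM needs a unique nonce per key
}

func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead}, nil
}

// Encapsulate takes the original packet (header with its real destination, plus
// payload) and returns the outer packet body, nonce || AEAD(inner). Only this
// ciphertext, addressed to the VPN server, crosses the local network and the ISP.
func (t *Tunnel) Encapsulate(inner []byte) []byte {
	nonce := make([]byte, t.aead.NonceSize()) // 12 bytes for GCM
	binary.BigEndian.PutUint64(nonce[4:], t.counter)
	t.counter++
	return t.aead.Seal(nonce, nonce, inner, nil) // ciphertext and tag appended after the nonce
}

// Decapsulate is the server side: authenticate and decrypt, recovering the
// original packet for forwarding. Any modification in transit makes Open fail,
// so a tampered packet is dropped instead of forwarded.
func (t *Tunnel) Decapsulate(outer []byte) ([]byte, error) {
	ns := t.aead.NonceSize()
	if len(outer) < ns+t.aead.Overhead() {
		return nil, errors.New("outer packet too short")
	}
	return t.aead.Open(nil, outer[:ns], outer[ns:], nil)
}
```

A real protocol also binds the counter to replay protection and uses separate keys per direction; this example only shows the confidentiality and integrity step.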
Routing and DNS
Beyond encryption, the VPN application also reconfigures the operating system's routing table so that all traffic — or, in some configurations, only specific destinations — is sent through the tunnel. DNS queries are also typically routed through the VPN to prevent leaks to the local network.
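The routing-table change and the DNS leak it guards against, as an added example (not the page's or any vendor's code). It models the table a VPN client installs with Go's net/netip and a longest-prefix lookup; the interface names tun0 and wlan0, the LAN prefix, the VPN server address and the resolver addresses are all constructed, and it handles IPv4 only.

```go
package main

import (
	"errors"
	"net/netip"
)

// Route maps a destination prefix to the interface packets for it leave on.
type Route struct {
	Prefix netip.Prefix
	Iface  string // "tun0" is the VPN's virtual interface, "wlan0" the physical one
}

// Lookup is the kernel's decision: the most specific matching prefix wins.
func Lookup(table []Route, dst netip.Addr) (string, error) {
	best, iface := -1, ""
	for _, r := range table {
		if r.Prefix.Contains(dst) && r.Prefix.Bits() > best {
			best, iface = r.Prefix.Bits(), r.Iface
		}
	}
	if best < 0 {
		return "", errors.New("no route to host")
	}
	return iface, nil
}

// BuildTable models what a VPN client installs: the connected LAN route that was
// already present, a default route into the tunnel, a /32 for the VPN server itself
// on the physical interface (otherwise the tunnel would try to carry its own
// packets), and any split-tunnel exclusions the user configured.
func BuildTable(lan netip.Prefix, vpnServer netip.Addr, exclude []netip.Prefix) []Route {
	table := []Route{
		{lan, "wlan0"},
		{netip.MustParsePrefix("0.0.0.0/0"), "tun0"},
		{netip.PrefixFrom(vpnServer, 32), "wlan0"},
	}
	for _, p := range exclude {
		table = append(table, Route{p, "wlan0"})
	}
	return table
}

// DNSLeaks reports whether queries to the configured resolver would bypass the
// tunnel. A resolver handed out by the local DHCP server sits on the LAN prefix and
// therefore leaks, which is why VPN clients override the system resolver.
func DNSLeaks(table []Route, resolver netip.Addr) bool {
	iface, err := Lookup(table, resolver)
	return err != nil || iface != "tun0"
}
```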
Common Use Cases
VPNs serve several distinct purposes, and the appropriate provider configuration depends on which of these is the primary motivation.
- Privacy from local networks. Public Wi-Fi connections — coffee shops, hotels, airports — can expose unencrypted traffic to other users on the same network. A VPN eliminates this exposure because traffic is encrypted before it leaves the device.
- Privacy from internet service providers. ISPs can observe the destinations of unencrypted DNS lookups and the metadata of TLS connections. A VPN shifts this visibility from the ISP to the VPN provider.
- Geographic location selection. Some services restrict access based on the user's IP address. A VPN allows the user to appear to be connecting from the country where the VPN server is located.
- Network access for organizations. Corporate VPNs are used to allow remote workers to reach private internal services that are not exposed to the public internet.
Protocols in Modern VPNs
The protocol determines how the tunnel is established, which cryptographic algorithms are used, and how the connection behaves under packet loss or network changes. The protocols most commonly encountered in consumer VPN services are WireGuard, OpenVPN, and IKEv2/IPsec.
WireGuard is the most recent of the three. It uses a small set of modern cryptographic primitives, fits in roughly four thousand lines of code, and is integrated into the Linux kernel as well as most consumer operating systems. Its design favors simplicity, performance, and a small audit surface.
OpenVPN is older and considerably more flexible: it supports many cipher suites, transports, and configuration options. The flexibility comes at the cost of complexity. OpenVPN remains widely deployed, particularly in enterprise environments.
IKEv2/IPsec is built into iOS, macOS, and Windows. It performs well on mobile devices and handles network changes — for example, switching between Wi-Fi and cellular — gracefully.
A detailed comparison of the two most common consumer protocols is available in our WireGuard vs OpenVPN comparison.
VPN vs Proxy and Tor
VPNs are sometimes confused with proxies and with the Tor network. The mechanisms and threat models differ.
A proxy server forwards specific application traffic — most commonly HTTP — to a destination on behalf of the user. Proxies typically do not encrypt traffic by themselves, and they operate at the application level rather than the network level.
Tor is an anonymity network that routes traffic through three relays chosen from a volunteer-operated set, encrypting each hop separately. Tor provides anonymity against the network — no single relay can observe both the origin and the destination — but it is slower than a VPN and is unsuitable for high-throughput tasks.
A VPN provides encryption against the local network and changes the observable IP address, but it shifts trust to the VPN provider, who sees the user's real address and the destinations the user reaches.
Limitations to Understand
A VPN is one component of a broader privacy posture and should not be treated as a complete solution. Several important limitations apply.
The VPN provider is a new trust point. Where the ISP previously had visibility into connections, the VPN provider now has equivalent visibility. The credibility of the provider's no-logs policy and infrastructure design therefore becomes important. Our guide to no-logs VPN policies covers what such claims actually mean.
Endpoint security is unchanged. A VPN does not protect against malware running on the device, phishing attacks, compromised browser extensions, or tracking by applications that have already been granted access to the user's data.
Website-level tracking continues. A VPN changes the IP address visible to remote services but does not affect cookies, browser fingerprints, or accounts to which the user is signed in.
Choosing a Provider
When evaluating VPN services, several factors are worth examining.
- Protocol support. Modern providers should support WireGuard or IKEv2/IPsec. OpenVPN remains a reasonable choice for compatibility.
- Privacy policy and audit history. A short, specific privacy policy with independent audit results is more credible than marketing copy claiming “military-grade encryption” without further detail.
- Account requirements. Services that operate without user accounts retain less data and reduce the volume of information that could be exposed in the event of a breach.
- Kill switch implementation. A working kill switch prevents traffic exposure if the tunnel disconnects. Our overview of VPN kill switches explains how to verify that one is operating correctly.
- Jurisdiction. The country in which the provider is incorporated affects the legal regime under which it operates.
Snap VPN is built around several of these principles: a single protocol, no user accounts, a kill switch enabled by default, and a curated server network across three regions rather than dozens of underused locations. Detailed configuration steps are documented in the iPhone setup guide.