What is a VPN Tunnel and How Does It Work? Everything You Need To Know

Updated: January 3, 2022 By Dean Chester

The internet is not the open network it once was: geo-restrictions, censorship and heavy-handed regulation limit what you can reach, and cybercriminals and other prying eyes collect whatever they can from your traffic.

To protect your connection, your traffic and your online activity, you need to stop anyone sitting between you and the sites you use from reading or altering what you send. The most common way to do this is with the encrypted tunnel that a VPN builds.

In this article, you will learn what a VPN tunnel is and how it works. We’ll also explore:

  • The common VPN tunneling protocols
  • Split tunneling
  • Proprietary tunneling protocols

What is a VPN Tunnel?

A VPN tunnel is a private connection that a VPN client makes from your device to the VPN server across the internet. The tunnel is encrypted and authenticated, so anyone between your device and the server (your ISP, the operator of a public Wi-Fi hotspot, an attacker on the same network) sees only that you are exchanging encrypted packets with the VPN server; they cannot read or tamper with the traffic inside it or see which sites you are visiting. Note that the protection ends at the VPN server: the provider can see your traffic as it leaves the tunnel, which is why its logging policy matters.

How does a VPN Tunnel Work?

A VPN tunnel is built with a VPN tunneling protocol. The protocol defines how your original packets are encapsulated (wrapped inside new packets addressed to the VPN server), how the two ends authenticate each other and agree on keys, and which cipher and integrity check protect the wrapped packets. The combination keeps prying eyes from learning what you are doing online.

While your traffic is inside the tunnel, encryption keeps it confidential and the integrity check prevents tampering. When your packets reach the VPN server, it decrypts them and forwards them to their real destination using its own IP address as the source, so websites and other services see the server’s IP address rather than yours. This hides your real address and, because geo-location is derived from the IP address, makes you appear to be wherever the server is located.

Good VPN clients add features that make sure traffic never leaves the tunnel by accident: a private DNS server (so name lookups are not sent to your ISP’s resolver), leak protection for DNS, IPv6 and WebRTC, and a kill switch that blocks all traffic if the tunnel drops. These matter because a single leaked packet lets your ISP, or anyone else on the path, see what you are doing.
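To make the encapsulation described above concrete, here is an added example, not code from the article or from any VPN product: it wraps a constructed IPv4 packet in an authenticated, encrypted outer frame addressed to the VPN server and shows what an on-path observer can read. The addresses are taken from the RFC 5737 documentation ranges, the shared secret is constructed, the outer header is simplified, and the cipher is a stand-in (HMAC-SHA256 in counter mode plus an HMAC tag) for the AES-GCM or ChaCha20-Poly1305 a real tunnel uses.

```python
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed addresses (RFC 5737 documentation ranges); assumptions for this example, not from the article.
CLIENT_PUBLIC_IP = "198.51.100.42"   # the address the user's ISP assigned
VPN_SERVER_IP = "203.0.113.10"       # the VPN provider's server
TUNNEL_CLIENT_IP = "10.8.0.2"        # address the server hands the client inside the tunnel
TUNNEL_PORT = 1194                   # OpenVPN's default UDP port, used as the outer port here

OUTER_FMT = ">4s4sHH"                # simplified outer header: src, dst, UDP port, payload length
OUTER_LEN = struct.calcsize(OUTER_FMT)
NONCE_LEN = 12
TAG_LEN = 16


def derive_keys(shared_secret: bytes) -> tuple[bytes, bytes]:
    """Split one negotiated secret into separate encryption and authentication keys."""
    enc_key = hmac.new(shared_secret, b"tunnel-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"tunnel-auth", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode; an illustrative stand-in for a real stream cipher such as ChaCha20."""
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack(">10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_inner_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal IPv4 packet (20-byte header, no options) that the tunnel will carry."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = _ipv4_checksum(struct.pack(">BBHHHBBH4s4s", *fields))
    return struct.pack(">BBHHHBBH4s4s", *fields) + payload


def inner_destination(packet: bytes) -> str:
    """The real destination, readable only once the packet is out of the tunnel."""
    return str(ipaddress.IPv4Address(packet[16:20]))


def encapsulate(inner_packet: bytes, enc_key: bytes, mac_key: bytes, nonce: bytes | None = None) -> bytes:
    """Client side: encrypt the whole inner packet and wrap it in an outer header addressed to the server."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ciphertext = bytes(p ^ k for p, k in zip(inner_packet, _keystream(enc_key, nonce, len(inner_packet))))
    outer = struct.pack(OUTER_FMT, ipaddress.IPv4Address(CLIENT_PUBLIC_IP).packed,
                        ipaddress.IPv4Address(VPN_SERVER_IP).packed, TUNNEL_PORT,
                        NONCE_LEN + len(ciphertext) + TAG_LEN)
    # Encrypt-then-MAC over header, nonce and ciphertext, so a modified frame is rejected.
    tag = hmac.new(mac_key, outer + nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return outer + nonce + ciphertext + tag


def decapsulate(frame: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Server side: verify the tag before touching the ciphertext, then recover the inner packet."""
    outer, nonce = frame[:OUTER_LEN], frame[OUTER_LEN:OUTER_LEN + NONCE_LEN]
    ciphertext, tag = frame[OUTER_LEN + NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac_key, outer + nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel frame failed authentication")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def observer_view(frame: bytes) -> dict:
    """Everything an ISP or on-path attacker can read from the wire: outer addresses, port and size."""
    src, dst, port, length = struct.unpack(OUTER_FMT, frame[:OUTER_LEN])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "port": port, "bytes": OUTER_LEN + length}


if __name__ == "__main__":
    enc, mac = derive_keys(b"constructed shared secret")
    packet = build_inner_ipv4(TUNNEL_CLIENT_IP, "192.0.2.53", b"DNS query for example.com")
    frame = encapsulate(packet, enc, mac)
    print(observer_view(frame))                              # only 198.51.100.42 -> 203.0.113.10:1194 and a size
    print(inner_destination(decapsulate(frame, enc, mac)))   # 192.0.2.53, recoverable only past the server
```

Run it and the observer sees only the client talking to 203.0.113.10 on UDP 1194 plus the frame size; the real destination 192.0.2.53 is recoverable only by the server, and only after the tag verifies. Flipping a single ciphertext byte makes decapsulate raise ValueError, which is the integrity property that stops on-path tampering.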

How About Split Tunneling?

Split tunneling is a VPN feature that lets you choose which traffic goes through the VPN tunnel while the rest uses your ordinary connection. Most clients implement it per app: you either exclude selected apps from the tunnel, or, in inverse split tunneling, route only selected apps through it. Some clients split by destination instead, sending only certain IP ranges or domains through the tunnel.

Split tunneling is useful because you effectively have two connections at once: you can reach devices on your local network, such as a printer or a NAS, and keep local services on the direct path, while at the same time routing geo-restricted content or privacy-sensitive apps such as torrent clients through the VPN. The trade-off is that every flow you exclude is visible to your ISP exactly as it would be without a VPN, and a badly built split (for example, one that covers IPv4 but leaves the IPv6 default route alone) can leak traffic you expected to be protected.

Note that split tunneling is not available on all VPNs.
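The routing decision behind split tunneling, the IPv6 leak mentioned above, and the kill switch from the previous section all come down to the same question: which interface does a packet leave on, and is it allowed to leave at all? The following is an added example (not from the article or from any VPN client) that answers it with longest-prefix matching over constructed route tables. Interface names, prefixes and sample destinations are assumptions for the example.

```python
from __future__ import annotations

import ipaddress

# Constructed route tables (assumptions for this example). Each entry is (prefix, interface);
# "vpn0" is the tunnel interface and "eth0" the ordinary connection.
FULL_TUNNEL = [
    ("0.0.0.0/0", "vpn0"),        # send all IPv4 through the tunnel ...
    ("192.168.1.0/24", "eth0"),   # ... except the home LAN (printer, NAS): the usual deliberate exception
    ("::/0", "eth0"),             # the host's native IPv6 default route, untouched by an IPv4-only VPN
]

# The fix for the IPv6 leak: route IPv6 through the tunnel as well (or block it entirely).
FULL_TUNNEL_IPV6_COVERED = FULL_TUNNEL[:2] + [("::/0", "vpn0")]

SPLIT_BY_DESTINATION = [
    ("0.0.0.0/0", "eth0"),        # default: ordinary connection
    ("203.0.113.0/24", "vpn0"),   # only these destinations use the VPN
]

# Constructed sample of destinations a device might talk to.
SAMPLE_FLOWS = [
    "192.0.2.53",     # the DNS resolver pushed by the VPN
    "2001:db8::1",    # an IPv6-enabled website
    "192.168.1.10",   # the NAS on the home LAN
    "198.51.100.80",  # an ordinary IPv4 website
]


def select_interface(dst: str, routes: list[tuple[str, str]]) -> str:
    """Longest-prefix match: the rule every IP stack uses to pick the outgoing interface."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_iface = net, iface
    if best_iface is None:
        raise LookupError(f"no route to {dst}")
    return best_iface


def bypassing_tunnel(flows: list[str], routes: list[tuple[str, str]], tunnel_iface: str = "vpn0") -> list[str]:
    """Destinations that would leave via a non-tunnel interface.

    With a full-tunnel table this is the leak list (minus any LAN exception you chose on purpose);
    with a split table it is simply the traffic you decided not to protect.
    """
    return [dst for dst in flows if select_interface(dst, routes) != tunnel_iface]


def kill_switch_verdict(dst: str, routes: list[tuple[str, str]], tunnel_up: bool,
                        lan_prefixes: tuple[str, ...] = ("192.168.1.0/24",)) -> str:
    """A kill switch in miniature: while the tunnel is down, only LAN traffic may be sent at all."""
    if tunnel_up:
        return f"send via {select_interface(dst, routes)}"
    addr = ipaddress.ip_address(dst)
    if any(addr in ipaddress.ip_network(p) for p in lan_prefixes):
        return "send via eth0 (LAN allowed while tunnel is down)"
    return "drop (tunnel down)"


if __name__ == "__main__":
    print("leaves the tunnel (full-tunnel table):", bypassing_tunnel(SAMPLE_FLOWS, FULL_TUNNEL))
    print("leaves the tunnel (IPv6 covered):     ", bypassing_tunnel(SAMPLE_FLOWS, FULL_TUNNEL_IPV6_COVERED))
    print("split by destination, 203.0.113.5 ->", select_interface("203.0.113.5", SPLIT_BY_DESTINATION))
    for up in (True, False):
        print(f"tunnel up={up}: 198.51.100.80 ->", kill_switch_verdict("198.51.100.80", FULL_TUNNEL, up))
```

With the first table the IPv6 site goes out via eth0 alongside the intentional LAN exception: that is the IPv6 leak, and the only thing distinguishing it from the LAN case is intent, which is why leak protection has to be explicit. Adding a tunnel route for ::/0 removes it, and the kill switch shows the other half of the story: once the tunnel is down, anything that would have used it is dropped rather than silently falling back to the ordinary connection.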

Types of VPN Tunneling Protocols

A VPN tunneling protocol defines how data is encapsulated and exchanged between your device and the VPN server, how the two sides authenticate each other, and which encryption algorithms protect the traffic. The protocol also affects the speed and reliability of the connection: UDP-based protocols are usually faster, while TCP-based ones get through restrictive networks more easily.

Most VPN providers offer a set of protocols with a good balance of speed and security, typically OpenVPN, IKEv2/IPsec, and WireGuard. Some, like VyprVPN, also offer a proprietary protocol, while others, like NordVPN, offer a modified version of WireGuard.

Below are the common VPN tunneling protocols.

1. OpenVPN

OpenVPN is widely regarded as the gold standard of VPN tunneling protocols. It is highly configurable, runs on almost every platform, and is open source, which is why most VPN providers rely on it. Because the code is open, it can be (and has been) audited by independent researchers, and flaws that are found are fixed in public. The result is a protocol with a strong security record, good stability and dependable speeds.

OpenVPN uses the OpenSSL library for authentication and encryption, the same library that implements SSL/TLS for much of the web. It has two channels: a TLS control channel that authenticates the peers and negotiates keys, and a data channel that carries the encrypted packets. A typical strong configuration uses AES-256 on the data channel (preferably AES-256-GCM, which authenticates the data as it encrypts it), HMAC with SHA-512 for data-channel authentication when a non-AEAD cipher is used, an RSA-4096 or ECDSA certificate for the TLS handshake, and ephemeral Diffie-Hellman key exchange so that recorded sessions stay secure even if a long-term key is later compromised (Perfect Forward Secrecy).

OpenVPN comes in two variants, OpenVPN UDP and OpenVPN TCP, and both default to port 1194. OpenVPN UDP offers the best speeds, while OpenVPN TCP is more reliable on lossy or restrictive networks at the cost of some overhead. To get past VPN blocking, providers commonly run OpenVPN TCP (and sometimes UDP) on port 443, the port used for HTTPS. Network operators rarely block 443 outright because doing so would break most of the web, though deep packet inspection can still distinguish OpenVPN from real HTTPS unless extra obfuscation is applied.

Overall, OpenVPN is the most widely used VPN protocol because of its balance of speed and security.

2. IKEv2/IPsec

Internet Key Exchange version 2 (IKEv2) is, true to its name, a protocol for authenticating two peers and securely negotiating the keys they will use. It is reliable and stable, and its biggest plus is that it re-establishes dropped connections quickly. Its MOBIKE extension (IKEv2 Mobility and Multihoming) lets a session survive a change of IP address, so the tunnel stays up as the device moves between networks.

For this reason IKEv2 is preferred on smartphones, which support it natively and frequently switch between mobile data and Wi-Fi. IKEv2 does not carry user traffic itself: it authenticates the peers and sets up the security associations, and the data is then protected by IPsec (usually ESP with AES-256). That is why the two are always referred to together as IKEv2/IPsec.

IKEv2 provides Perfect Forward Secrecy through Diffie-Hellman key exchange. It is secure when configured with modern ciphers and, because IPsec is usually implemented in the operating-system kernel, often faster than OpenVPN. Its drawback is that it uses fixed ports (UDP 500 for IKE and UDP 4500 for NAT traversal), which restrictive firewalls often block. It is a good choice when OpenVPN is unavailable or when you are on a mobile device.

3. WireGuard

WireGuard is the newest of the mainstream protocols and was designed as a simpler, faster alternative to OpenVPN and IPsec. It is lightweight, with roughly 4,000 lines of code in its original Linux implementation, compared with the roughly 70,000 commonly quoted for OpenVPN, which makes it far easier to audit and to fix when a flaw is found. Most VPN providers have adopted it because it delivers very high speeds with modern cryptography, and it is simple enough to implement that it is becoming the default replacement for OpenVPN and IKEv2/IPsec.

WireGuard does not negotiate ciphers at all; it uses one fixed, modern suite: ChaCha20-Poly1305 for authenticated encryption, Curve25519 for key exchange, BLAKE2s for hashing and HKDF for key derivation. ChaCha20 is very fast in software and outperforms AES on processors without hardware AES acceleration, which is why WireGuard is also preferred on smartphones: it uses less battery and runs well on smaller processors.

One design trade-off is that a plain WireGuard server keeps a static mapping of each peer’s public key to its tunnel IP address, which sits uneasily with a no-logs policy. Several VPN providers therefore offer a modified WireGuard, such as NordVPN’s NordLynx, which adds a double-NAT layer so the server does not have to keep a per-user address assignment.

4. L2TP/IPsec

The Layer 2 Tunneling Protocol (L2TP) only creates a tunnel for carrying data; it provides no encryption or authentication of its own. Like IKEv2, it must be paired with another protocol, and the standard pairing is IPsec, which protects the L2TP packets with up to 256-bit encryption. L2TP/IPsec is an upgrade from PPTP (Point-to-Point Tunneling Protocol) because it is far more secure.

The protocol uses double encapsulation (your packets inside L2TP inside IPsec), which makes it slower than modern protocols. It also uses fixed ports: UDP 500 and 4500 for the IPsec key exchange and NAT traversal, with the L2TP traffic itself (UDP 1701) carried inside IPsec, so it is easy to block. Many consumer deployments also authenticate the IPsec layer with a pre-shared key that the provider hands out to every customer, and anyone who knows that key can impersonate the server, so L2TP/IPsec is not advisable when better alternatives exist. Nonetheless, it is stable and easy to set up, and it is built into almost all networking devices and operating systems.

5. SSTP

Secure Socket Tunneling Protocol (SSTP), sometimes called a stealth protocol, was developed by Microsoft. It carries PPP frames inside a TLS connection, so, like OpenVPN, it gets its encryption from SSL/TLS and can be configured with 256-bit ciphers such as AES-256. Because it is proprietary and closed source, it cannot be audited the way OpenVPN and WireGuard can, and its security depends on the TLS configuration of the server; when implemented properly it is secure and stable.

SSTP gets its stealth from running over TCP port 443, the same port as HTTPS. Since this port is hardly ever blocked, SSTP traffic passes through most firewalls and filters, and it has been used to get past the Great Firewall of China and other censors. Being TCP-based, however, it suffers from the TCP-over-TCP overhead that makes it slower than UDP protocols.

Nonetheless, because it is a Microsoft protocol, native support is essentially limited to Windows, and only a few VPN providers implement it.

6. PPTP

Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN tunneling protocols. By today’s standards it is weak, but its low overhead still makes it very fast, it is supported natively by almost every operating system and router, and it is easy to set up.

Despite being fast, PPTP has serious problems. It uses TCP port 1723 for its control channel plus GRE (IP protocol 47) for the data, both of which are easy to block and often fail behind NAT. Worse, its security is broken: MS-CHAPv2 authentication can be cracked in under 24 hours (the attack reduces it to a single DES key, and this was demonstrated with a cloud cracking service in 2012), and because the MPPE RC4 encryption keys are derived from the same credentials, breaking the authentication also decrypts the session. Although many devices still offer it, you should never use PPTP if security and privacy matter to you.
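The six sections above keep returning to the same operational point: a protocol on a fixed, well-known port is trivial to identify and block, while anything on TCP 443 blends in with HTTPS. The following added example (not from the article or from any VPN product) puts those port facts to work over a constructed flow log, labelling each flow and showing which ones survive a firewall that drops the fixed VPN ports. The log format and addresses are constructed; WireGuard’s default UDP 51820 and L2TP’s UDP 1701 are added here and are not mentioned in the article.

```python
from __future__ import annotations

from collections import Counter

# Constructed flow log (format and addresses invented for this example; RFC 5737 documentation ranges).
# One record per line: "<transport> <src>[:<sport>] -> <dst>[:<dport>]"; GRE has no ports.
SAMPLE_LOG = """\
udp 198.51.100.42:53122 -> 203.0.113.10:1194
tcp 198.51.100.42:53123 -> 203.0.113.10:443
udp 198.51.100.42:500 -> 203.0.113.11:500
udp 198.51.100.42:4500 -> 203.0.113.11:4500
udp 198.51.100.42:53124 -> 203.0.113.12:51820
tcp 198.51.100.42:53125 -> 203.0.113.13:1723
gre 198.51.100.42 -> 203.0.113.13
udp 198.51.100.42:53126 -> 203.0.113.14:1701
tcp 198.51.100.42:53127 -> 192.0.2.80:443
"""

# Default ports from the article, plus two it does not list: WireGuard's UDP 51820 and L2TP's UDP 1701.
PORT_SIGNATURES = {
    ("udp", 1194): "OpenVPN (default UDP port)",
    ("tcp", 1194): "OpenVPN over TCP on the default port",
    ("udp", 500): "IKE: IKEv2/IPsec or L2TP/IPsec key exchange",
    ("udp", 4500): "IPsec NAT traversal: IKEv2/IPsec or L2TP/IPsec",
    ("udp", 1701): "L2TP in the clear (should be wrapped in IPsec; this is a misconfiguration)",
    ("tcp", 1723): "PPTP control channel",
    ("gre", None): "GRE: PPTP data channel",
    ("udp", 51820): "WireGuard (default port)",
}

# What a censor blocks when it wants to stop the obvious VPN protocols without touching the web.
FIXED_VPN_PORTS = set(PORT_SIGNATURES)


def parse_flow(line: str) -> tuple[str, str, int | None]:
    """Return (transport, destination host, destination port or None) for one log record."""
    transport, _src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"malformed record: {line!r}")
    host, sep, port = dst.rpartition(":")
    if not sep:
        return transport, dst, None          # GRE and other port-less protocols
    return transport, host, int(port)


def classify(transport: str, port: int | None) -> str:
    """Label a flow by transport and port, the way a simple firewall or DPI pre-filter would."""
    label = PORT_SIGNATURES.get((transport, port))
    if label:
        return label
    if transport == "tcp" and port == 443:
        return "TLS on tcp/443: HTTPS, OpenVPN over TCP or SSTP; port alone cannot tell them apart"
    if transport == "udp" and port == 443:
        return "udp/443: QUIC or OpenVPN UDP moved onto the HTTPS port"
    return "unclassified"


def summarize(log: str) -> Counter:
    """Count how many flows fall under each label."""
    return Counter(classify(t, p) for t, _h, p in map(parse_flow, log.splitlines()))


def survives_blocking(log: str, blocked: set = FIXED_VPN_PORTS) -> list[str]:
    """Destination hosts still reachable once a firewall drops the fixed VPN ports."""
    return [host for t, host, p in map(parse_flow, log.splitlines()) if (t, p) not in blocked]


if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).items():
        print(f"{count} x {label}")
    print("still reachable after blocking fixed VPN ports:", survives_blocking(SAMPLE_LOG))
```

Every flow on a default port is labelled unambiguously and dropped by the port block, while the two TCP 443 flows (one to the VPN server, one to an ordinary website) survive and are indistinguishable at this level. That is exactly why OpenVPN TCP and SSTP are run on 443 to evade blocking, and why a censor who wants to catch them has to move on to deep packet inspection rather than port filtering.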

Proprietary Tunneling Protocols

Apart from the protocols above, many VPN providers now offer their own tunneling protocols, either built from scratch or layered on existing open-source protocols such as WireGuard.

Providers usually claim that their protocols offer the best security, stability, reliability and speed, but because the code is proprietary there is no independent way to verify those claims. Protocols with a narrower, practical goal are easier to judge: Chameleon by VyprVPN, for example, obfuscates OpenVPN packet metadata to defeat deep packet inspection, so its purpose is to get past stringent censorship such as the Great Firewall of China rather than to replace the underlying cryptography.

Which is the Best Tunneling Protocol?

With so many protocols available, you can be spoilt for choice, but the best VPN tunneling protocol depends on what you need. Today the sensible options are OpenVPN, IKEv2/IPsec, WireGuard, and possibly the proprietary protocol offered by your VPN provider.

Use OpenVPN for the widest compatibility and a long security track record (TCP on port 443 when you need to get through a restrictive network), IKEv2/IPsec for mobile devices that roam between networks, and WireGuard for the best speed with modern cryptography. All three offer a good balance of security, speed, reliability and stability for everyday tasks.

Tech-savvy users can also experiment with the other protocols and change ports to get around firewalls. Pick a VPN provider that offers at least two of the three protocols; reputable choices include NordVPN, Surfshark, CyberGhost, and ExpressVPN.

Wrap Up 

VPN tunneling is an underlying core concept that defines how VPNs work. With a reputable VPN, you can use the technology to reclaim your online freedom, secure your connection and protect your online privacy. Remember to choose a VPN that offers secure and fast protocols, and also consider a no-log policy, the server network, ability to unblock online content, compatibility, the simultaneous connections, and a money-back guarantee in case you are not satisfied with the product.

Senior Researcher
Dean Chester
Cybersecurity and online privacy expert and researcher. He's been published on OpenVPN, EC-Council Blog, DevSecOps, AT&T Business, SAP Community, etc. Dean has been testing VPNs for 8 years.
