VPN Basics

Level: intermediate. Tags: vpn, tunneling, ipsec, wireguard, openvpn

A VPN (Virtual Private Network) is an encrypted tunnel that carries our traffic between two points — usually our device and a remote server. To everyone else, the traffic looks like opaque encrypted bytes.

In simple language: a VPN wraps our packets in another packet, encrypts the inside, and sends it through the internet as if we were on a private network.

What a VPN Actually Does

Two main goals:

  1. Privacy / security — encrypt traffic so the local network (coffee shop Wi-Fi, ISP) can’t read it.
  2. Access — make our device appear as if it’s on a remote network (corporate LAN, home network, another country).

A side effect of #2: services see the VPN endpoint’s IP, not ours. That’s why VPNs are used for geo-bypass.

Tunneling — The Core Idea

The original packet becomes the payload of an outer packet:

Original (inner):
  [ IP hdr (10.0.0.5 -> 10.0.0.99) | TCP | HTTP request ]

Wrapped + encrypted (outer):
  [ IP hdr (203.0.113.5 -> 203.0.113.50) | UDP | encrypted{ inner } ]

The inside is invisible until it reaches the other end of the tunnel, which verifies the packet, decrypts it and forwards the inner packet toward its real destination. The outer transport is UDP for WireGuard and OpenVPN; native IPsec uses ESP (IP protocol 50), or UDP port 4500 when it has to cross NAT.
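The wrap-and-unwrap described above, as an added example that is not code from the original page. It builds the inner and outer IPv4 packets with struct, seals the inner packet, and unwraps it at the far end, so you can see what a middlebox sees (outer addresses, UDP, opaque bytes) versus what the tunnel endpoint recovers. The cipher is a stand-in: an encrypt-then-MAC construction from HMAC-SHA256 (HMAC in counter mode as the keystream, a 16-byte HMAC tag over nonce and ciphertext) so the block runs on the standard library; WireGuard uses ChaCha20-Poly1305 and IPsec/OpenVPN typically AES-GCM. Addresses, the UDP port and the HTTP request are constructed inline.

```python
# Added example, not code from the original page. The cipher is a stand-in
# (encrypt-then-MAC from HMAC-SHA256) so this runs on the standard library;
# real tunnels use an AEAD such as ChaCha20-Poly1305. Sample data is constructed.
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17
TUNNEL_PORT = 51820          # WireGuard's conventional UDP port (assumed on both ends)
NONCE_LEN, TAG_LEN = 8, 16

def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) of an IPv4 packet: all a middlebox can read."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode used as a PRF keystream (stand-in for a real stream cipher)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def seal(key: bytes, counter: int, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag. The counter must never repeat under one key."""
    enc_key, mac_key = _subkeys(key)
    nonce = struct.pack("!Q", counter)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; reject anything modified in transit."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad tag: packet modified in transit or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def encapsulate(key: bytes, counter: int, inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Our end: [ outer IP | UDP | sealed(inner IP packet) ]."""
    sealed = seal(key, counter, inner)
    udp = struct.pack("!HHHH", TUNNEL_PORT, TUNNEL_PORT, 8 + len(sealed), 0) + sealed
    return ipv4_header(outer_src, outer_dst, IPPROTO_UDP, len(udp)) + udp

def decapsulate(key: bytes, outer: bytes) -> bytes:
    """Far end: strip outer IP and UDP, verify, decrypt, hand back the inner packet to forward."""
    _, _, proto, udp = parse_ipv4(outer)
    if proto != IPPROTO_UDP:
        raise ValueError("not a tunnel packet")
    udp_len = struct.unpack("!H", udp[4:6])[0]
    return open_sealed(key, udp[8:udp_len])

def build_inner_request() -> bytes:
    """Constructed sample: HTTP request 10.0.0.5 -> 10.0.0.99 (TCP header omitted for brevity)."""
    payload = b"GET /secret HTTP/1.1\r\nHost: intranet\r\n\r\n"
    return ipv4_header("10.0.0.5", "10.0.0.99", IPPROTO_TCP, len(payload)) + payload

def tampering_detected(key: bytes, outer: bytes) -> bool:
    """Flip one ciphertext byte on the wire and confirm the far end rejects the packet."""
    i = len(outer) - TAG_LEN - 1                     # last ciphertext byte, just before the tag
    forged = outer[:i] + bytes([outer[i] ^ 0x01]) + outer[i + 1:]
    try:
        decapsulate(key, forged)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    key = b"\x01" * 32                               # really: derived from the handshake
    inner = build_inner_request()
    outer = encapsulate(key, 1, inner, "203.0.113.5", "203.0.113.50")
    print("on the wire:", parse_ipv4(outer)[:3], "| request visible:", b"GET" in outer)
    print("after decapsulation:", parse_ipv4(decapsulate(key, outer))[:3])
```

Run it and the first line shows only the public endpoint addresses and protocol 17 (UDP) with no trace of the request; the second shows the inner 10.0.0.x addresses and protocol 6 again. The per-packet counter in the nonce is the same idea as WireGuard's 64-bit send counter: reuse under one key would let an observer XOR two ciphertexts together, which is why tunnels rekey long before it can wrap.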

Two Common Topologies

  • Client-to-site (Remote Access VPN) — a single device connects to a corporate/home network. This is what most consumer VPNs and corporate laptops use (e.g. WireGuard on a laptop talking to a home server).
  • Site-to-site VPN — two networks (offices) join into one virtual network via a tunnel between their routers. Common with IPsec.

VPN Protocol Comparison

  Protocol    Runs in                                   Transport                                  Notes
  IPsec       L3 standard; ESP in the kernel, IKE       ESP (IP proto 50), or UDP/4500 with NAT-T  Usual choice for site-to-site; NAT is tricky without
              daemon in user space                                                                 NAT-T; IKE config is complex
  OpenVPN     User space, TLS-based                     UDP or TCP                                 Mature, flexible, slower than kernel options
  WireGuard   Linux kernel (and user-space ports)       UDP only                                   Tiny codebase, fast, fixed (opinionated) crypto

IPsec (in slightly more detail)

  • Two modes: transport (protects only the payload and keeps the original IP header; host-to-host) and tunnel (encrypts the whole original packet and adds a new IP header; gateway-to-gateway, the site-to-site case).
  • Uses IKE (Internet Key Exchange, IKEv2 today) to authenticate the peers with certificates or a pre-shared key and negotiate keys; ESP then carries the encrypted data.
  • Standardized, supported everywhere — but config is famously fiddly.

OpenVPN

  • Runs in user space over UDP or TCP. UDP is preferred: tunnelling TCP inside TCP stacks two retransmission loops on top of each other, so TCP is the fallback for networks that block UDP.
  • Uses TLS for the control channel and a separate channel for data.
  • Battle-tested but heavier than WireGuard.

WireGuard

  • ~4000 lines of code in the Linux kernel (OpenVPN plus its TLS library run to hundreds of thousands).
  • Pure UDP, fixed modern crypto suite (Curve25519 key exchange, ChaCha20-Poly1305 AEAD, BLAKE2s hashing). No cipher negotiation, so no downgrade attacks.
  • No connection state visible on the wire: a 1-RTT Noise handshake rekeys every couple of minutes, and a peer can change its IP mid-session (roaming) without reconnecting.
  • Easy config: a public key, an endpoint, an allowed-IPs list per peer. AllowedIPs doubles as the routing table: a packet is only sent to the peer whose AllowedIPs contain its destination, and a decrypted packet from a peer is dropped unless its source lies in that peer's AllowedIPs (cryptokey routing).

# wg0.conf — minimal WireGuard client config (full tunnel)
[Interface]
# Never leaves this machine; the peer only ever learns the matching public key.
PrivateKey = <ours>
# Our address inside the tunnel.
Address    = 10.10.0.2/24

[Peer]
PublicKey  = <theirs>
# Where the outer UDP packets go.
Endpoint   = vpn.example.com:51820
# 0.0.0.0/0 = route everything through the tunnel (it already covers 10.10.0.0/24).
# For a split tunnel list only the remote subnets here instead.
AllowedIPs = 0.0.0.0/0
# Seconds between keepalives; holds the NAT mapping open so the peer can reach us.
PersistentKeepalive = 25

Split Tunneling

Sometimes we don’t want all traffic going through the VPN — only specific subnets.

  • Full tunnel (AllowedIPs = 0.0.0.0/0): every packet goes through the VPN.
  • Split tunnel (AllowedIPs lists only the remote subnets): those routes go through the VPN; everything else goes via the regular internet.

Split tunnels save bandwidth and keep latency low for non-corporate traffic, but they leak our real IP to anything that isn't in the corporate range, and they turn the device into a bridge that sits on the internet and the corporate network at the same time, so malware on it can reach the LAN directly. Security-strict orgs disable split tunneling.

What a VPN Doesn’t Hide

  • The VPN endpoint sees everything you send through it. Trust matters — choose providers carefully.
  • DNS leaks: if our DNS resolver isn't routed through the tunnel (typically the LAN resolver handed out by DHCP), our queries reveal what we're browsing even though the traffic itself is encrypted. With wg-quick, a DNS = line in [Interface] pins the resolver to the tunnel. The same applies to IPv6: an AllowedIPs list with only 0.0.0.0/0 leaves IPv6 traffic on the regular path, so add ::/0 as well.
  • Browser fingerprinting, cookies, login state — VPN doesn’t help.
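How a destination is matched against AllowedIPs, for the split-tunnel case above and the DNS/IPv6 leak checks in this section, as an added example that is not part of the original page. It does the longest-prefix match that WireGuard's cryptokey routing applies across peers (and that wg-quick turns into kernel routes), then reports which resolvers and which probe destinations would bypass the tunnel. The peer tables, resolver addresses and probe destinations are constructed for the demo; "default" stands in for the device's normal route.

```python
# Added example, not from the original page. Peer tables, resolvers and probe
# destinations are constructed; "default" stands in for the device's normal route.
import ipaddress
from typing import Dict, List

def build_table(peers: Dict[str, List[str]]):
    """Flatten {peer: [AllowedIPs...]} into (network, peer) rows, most specific prefix first.
    WireGuard picks the longest matching AllowedIPs prefix across all peers."""
    rows = [(ipaddress.ip_network(cidr), peer) for peer, cidrs in peers.items() for cidr in cidrs]
    return sorted(rows, key=lambda row: row[0].prefixlen, reverse=True)

def next_hop(table, dst: str) -> str:
    """Peer a packet for dst is encrypted to, or "default" if it bypasses the tunnel."""
    addr = ipaddress.ip_address(dst)
    for net, peer in table:
        if addr.version == net.version and addr in net:
            return peer
    return "default"

def audit(peers: Dict[str, List[str]], resolvers: List[str], destinations: List[str]) -> dict:
    """Where each destination goes, which resolvers are queried outside the tunnel,
    and which destinations leak past it."""
    table = build_table(peers)
    routes = {dst: next_hop(table, dst) for dst in destinations}
    return {
        "routes": routes,
        "dns_leak": [r for r in resolvers if next_hop(table, r) == "default"],
        "bypasses_tunnel": [dst for dst, hop in routes.items() if hop == "default"],
    }

# Constructed configurations (peer names and subnets are made up for the demo).
FULL_TUNNEL  = {"vpn-gw": ["0.0.0.0/0", "::/0"]}
V4_ONLY_FULL = {"vpn-gw": ["0.0.0.0/0"]}                       # common mistake: IPv6 still leaks
SPLIT        = {"vpn-gw": ["10.10.0.0/24", "10.20.0.0/16"]}    # only corporate subnets
MULTI_PEER   = {"vpn-gw": ["0.0.0.0/0"], "printer-peer": ["10.10.0.0/24"]}

# Constructed probes: two corporate hosts, a public IPv4 host, a public IPv6 host.
PROBES = ["10.10.0.7", "10.20.5.9", "93.184.216.34", "2001:db8::1"]
RESOLVERS = ["192.168.1.1", "10.10.0.1"]   # LAN resolver from DHCP, resolver inside the tunnel

if __name__ == "__main__":
    for name, cfg in [("full", FULL_TUNNEL), ("v4-only", V4_ONLY_FULL), ("split", SPLIT)]:
        print(name, audit(cfg, RESOLVERS, PROBES))
```

The split configuration reports the LAN resolver as a DNS leak and the public hosts as bypassing the tunnel, which is exactly the trade-off described above; the IPv4-only "full" tunnel routes every IPv4 destination through the peer but still lets the IPv6 probe out the regular path. The multi-peer table shows why a more specific AllowedIPs entry on one peer wins over 0.0.0.0/0 on another.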

Modern Alternatives

  • Tailscale / ZeroTier — mesh-style VPNs (Tailscale is built on WireGuard). Each device gets a stable IP in a virtual network; a coordination server distributes keys and handles NAT traversal, while the data itself flows peer-to-peer.
  • Cloudflare WARP — Cloudflare's WireGuard-based client. In consumer mode it tunnels traffic to Cloudflare's edge like a free VPN; the same client is the device agent for Cloudflare's Zero Trust product.
  • Zero Trust Network Access (ZTNA) — replaces VPNs with per-app identity-based gates. The current corporate trend.

Interview Tip

If asked “how does a VPN work?” — three sentences cover it: tunneling (wrap one packet inside another), encryption (so anyone in the middle can’t read it), and routing (the VPN gateway forwards the inner packet to the real destination). Bonus: mention WireGuard as the modern default and split-tunneling as a common configuration.

Common Gotcha

A VPN does NOT make us anonymous — it just shifts trust from the ISP to the VPN provider. The provider can log just as much as the ISP could. Privacy comes from the provider’s policies (and audits), not from the technology.