What a VPN actually is

Topic: Networking basics

Summary

A VPN is an encrypted tunnel between two endpoints; traffic carried through it appears to come from the tunnel exit. It provides confidentiality, integrity, and often a different IP or network path. Use it when you need private access to a remote network or to carry traffic over untrusted networks; do not rely on it alone for anonymity. This guide is conceptual only; no vendor config.

Intent: Decision

Quick answer

  • VPN: encrypted tunnel between two endpoints; traffic is encapsulated and sent over another network; at the exit it is decapsulated and appears from the tunnel endpoint. Provides confidentiality and often a different source IP or path.
  • Common use cases: remote access to internal resources (client VPN), site-to-site links between offices or clouds, and carrying traffic over untrusted Wi-Fi. Not a substitute for application-level security or guaranteed anonymity.
  • When not to use: simple HTTPS to a public service (already encrypted), local LAN access only, or when the real need is DNS or firewall policy; choose the right tool for the problem.

Steps

  1. Define the tunnel

    A VPN creates a logical link (tunnel) over an existing network. Data is encrypted (and often authenticated), encapsulated in packets, sent to the peer, decapsulated and decrypted. To the destination, traffic appears to come from the tunnel exit, not the original client.

  2. Understand what it gives you

    Confidentiality (e.g. over untrusted Wi-Fi), integrity, and often a different IP or route. It does not by itself provide end-to-end application security (use TLS for that) or strong anonymity; the VPN provider or exit can see traffic.

  3. When to use or skip

    Use for remote access to private resources, site-to-site connectivity, or carrying traffic over untrusted networks. Skip when the traffic is already protected (e.g. HTTPS to a public API) or when the problem is DNS, routing, or firewall policy rather than a tunnel.
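Steps 1 and 2 above, as an added example that is not part of this guide: a toy Python model of a client VPN. The `Packet` type, the addresses and the HMAC-based toy cipher are constructed for illustration (a real VPN uses a proper AEAD cipher), but the shape is the page's argument: the network between client and exit sees only the outer header and opaque bytes, tampering is detected, and the exit sees the inner packet in the clear before forwarding it under its own address.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 12, 32


@dataclass(frozen=True)
class Packet:
    src: str          # addresses below are constructed sample values
    dst: str
    payload: bytes


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from the shared tunnel key.
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256; stands in for a real AEAD cipher.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(inner: Packet, key: bytes, client_ip: str, server_ip: str) -> Packet:
    """Client side: encrypt and authenticate the whole inner packet, wrap it in an outer packet."""
    plain = f"{inner.src}|{inner.dst}|".encode() + inner.payload
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor(plain, _keystream(_subkey(key, b"enc"), nonce, len(plain)))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    # An observer on the path (e.g. untrusted Wi-Fi) sees only this outer header and opaque bytes.
    return Packet(src=client_ip, dst=server_ip, payload=nonce + ct + tag)


def decapsulate(outer: Packet, key: bytes) -> Packet:
    """Exit side: check integrity first, then decrypt and rebuild the inner packet."""
    nonce, ct, tag = outer.payload[:NONCE_LEN], outer.payload[NONCE_LEN:-TAG_LEN], outer.payload[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tunnel packet failed integrity check")
    plain = _xor(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct)))
    src, dst, payload = plain.split(b"|", 2)
    return Packet(src.decode(), dst.decode(), payload)   # the exit sees this in the clear


def forward_from_exit(inner: Packet, exit_ip: str) -> Packet:
    """What the destination receives: the exit's address as source, not the client's."""
    return Packet(src=exit_ip, dst=inner.dst, payload=inner.payload)
```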


Prerequisites

None.


Verification

You can explain what a VPN tunnel is, what security it provides, and when it is or is not the right tool.

Troubleshooting

Expecting anonymity: a VPN changes the path and exit IP; it does not by itself provide strong anonymity, because the exit or provider can log or inspect traffic.

Wrong tool: if the issue is name resolution or access control, fix DNS or firewall policy instead of adding a VPN.

Next steps

Continue to