What is a Virtual Private Network (VPN) and what it can do for you

I have seen some confusion related to what a Virtual Private Network (VPN) can do for you, and when you should use it. Let’s see if we can get this sorted out as it is not terribly difficult.

You will need to understand a few concepts related to computer networking. I suggest that you read my previous article on Fundamental computer network connection concepts. I am quite convinced that anyone can follow and understand this!

I will talk about VPN in relation to “home networks”. I am not going to go into additional scenarios related to work or other advanced VPN scenarios.

What is this VPN thing, anyway?

I’ll borrow an illustration from my previous article. If a simple networking connection can be illustrated like so:

Simple device connection

Consider the VPN as a “tunnel” or a “conduit” that you can build around the data flow connection from user device to some destination on the Internet. The VPN creates a “pipeline” between two points for network traffic to pass through. Think of it like a virtual “sleeve” around the data flow connection between two points:

Simple VPN illustration
The idea of the “sleeve” is just an illustration; computers use encryption to isolate data traffic.

The originating device and the target device agree on how to establish an encrypted connection for the data flowing between them, and then data goes through that encrypted connection.

It is important to realize that this does not mean that data cannot go through many different devices and networks from user devices to Internet destinations. A VPN tunnel can go through many devices between where it originates and where it ends. All the devices in between, starting with your ISP (Internet Service Provider), can still handle sending and receiving the information, but it will be encrypted (not visible) to intermediate devices. Something like the following:

Illustration of a VPN tunnel

VPN client vs. VPN server

Two concepts that we need to understand are VPN clients and VPN servers.

VPN clients – these are what create the VPN connection. A client can be an application (like a web browser), a device (like a phone or a PC) or a piece of network equipment (like an internet router).

VPN servers – these are where the VPN connection goes to. This is where the connection ends. From there, the connection can continue to a different device on the Internet, but the VPN server is typically where VPN connections end (and data can continue without VPN from that point on).

To illustrate this, here is a connection between client and VPN server where the last part of the data flow is not using the VPN tunnel:

Illustration of a VPN tunnel between VPN client and server

This is what almost always happens when we use a VPN. The VPN tunnel will exist between the client and the server, but the VPN server is not actually the place where we get the data from. The user wants to connect to www.amazon.com. A VPN connection from the phone to the VPN server on the Internet can be established and then that VPN server will send the VPN client’s requests to www.amazon.com servers, on behalf of the phone user. Data between the VPN server and Amazon servers do not need to be protected by VPN.

Wait, what? Why would you do this?

Ah yes, why would we do this at all? It seems to just complicate things, doesn’t it? There are a few reasons why people use a VPN:

  • Access to geographically locked content. Let’s say that you want to connect to a streaming service that is on one continent, which is not available on yours (due to licensing restrictions). Connecting to a VPN server on the continent that allows access could help.
  • Protecting content on unknown networks. Let’s say that you are connected to a grocery store network and need to check your bank account from your phone. You have no idea who else is on that store network and might want to try to learn about your connection or device while you are connected. While you should not connect to suspicious networks at all, using a VPN on a network that you do not fully trust provides a level of protection to the data traffic between the client (on the network) and server (outside it).
  • Adding a level of privacy protection to your network activities. As mentioned in my article on fundamental network concepts, each device on a network will be assigned a unique address. If your device uses a VPN, the network address your request will be coming from will be the address of the VPN server and NOT your device (or your home) address!

Without a VPN, both the network name resolution and data transfer would expose your home network address to destinations on the Internet (they must know where to return the network traffic):

Network address with no VPN

If you use a VPN, the network address that will be visible is the address of your VPN server, because before the server, network traffic is encrypted inside of the VPN tunnel:

Network address with VPN

So, Internet destinations will receive the data from the VPN server and send it back to that VPN server. The VPN server will then send that information to your VPN client through a tunnel. Internet destinations do not know your real device or home address if the traffic goes through the VPN.

Note that the VPN server will still know about your home’s Internet address (it must be able to send the data to your home network). That is a different story (and why different VPN providers are said to provide different levels of privacy).
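The address visibility described above can be modeled in a few lines of Python. This is an added example, not part of the original article: the three addresses are constructed from reserved documentation ranges, the function names are hypothetical, and the hash-based cipher is only a stand-in for the real encryption a VPN product uses.

```python
import hashlib, hmac, json, os

# Constructed addresses from the reserved documentation ranges.
HOME_IP, VPN_IP, SITE_IP = "203.0.113.25", "198.51.100.7", "192.0.2.80"

def _stream(key, nonce, n):
    """Toy keystream (SHA-256 in counter mode); stand-in only, not for real use."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt and authenticate one tunnel payload."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the tag, then decrypt; rejects packets modified in transit."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def client_send(key, dst, data):
    """VPN client: wrap the real request inside a packet addressed to the VPN server."""
    inner = json.dumps({"src": HOME_IP, "dst": dst, "data": data}).encode()
    return {"src": HOME_IP, "dst": VPN_IP, "payload": seal(key, inner)}

def isp_view(outer):
    """What any device between client and VPN server can read: outer header and size."""
    return {"src": outer["src"], "dst": outer["dst"], "size": len(outer["payload"])}

def vpn_forward(key, outer):
    """VPN server: unwrap, then resend from its own address. It sees both ends."""
    inner = json.loads(unseal(key, outer["payload"]))
    provider_knows = {"client": outer["src"], "dst": inner["dst"]}
    to_site = {"src": VPN_IP, "dst": inner["dst"], "data": inner["data"]}
    return to_site, provider_knows

if __name__ == "__main__":
    key = os.urandom(32)  # in a real VPN this comes from the key exchange
    outer = client_send(key, SITE_IP, "GET / HTTP/1.1")
    print("ISP sees:        ", isp_view(outer))
    to_site, provider_knows = vpn_forward(key, outer)
    print("Destination sees:", to_site)
    print("VPN server knows:", provider_knows)
```

The ISP line shows only your home address, the VPN server address and a packet size; the destination line shows the VPN server as the source; the last line is what the VPN provider is in a position to record.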

Different VPN clients (app, device, router)

There are different clients that can build a VPN connection. For example:

Application-level VPN – let’s say a web browser. In this case, the data that you use in the web browser would be protected by VPN, but data by some other application on the device would not. Various web browsers have VPNs of different capabilities built in, for example Microsoft Edge, Opera, Firefox etc. Other browsers like Chrome might need an addition (extension) to provide VPN capability:

A single application VPN

The device (operating system) VPN – this would be a VPN client installed on your PC or your phone. If the device is connected to the VPN, all (or at least most) of the traffic from this device, no matter which application is used, would go through the VPN tunnel:

All device apps behind device VPN

Router VPN – if your home Internet router has the capability to build a VPN connection, all of the traffic originating inside of your home network would be protected by VPN (or, alternatively, specific devices that are configured to use the VPN on your home network). Obviously, this is the most comprehensive approach, as it would cover multiple devices and all apps they use:

All (or many) home devices behind router VPN

Are there downsides?

Yup, there are definitely downsides to VPN use. Here are some:

  • Internet destinations might not “trust” VPN servers and could block your connection attempts. Just as ordinary people can use a VPN to help protect their privacy, so can threat actors carrying out illegal attacks on sites and services. VPN servers can therefore have a “bad reputation” on the Internet, and some sites (like banking or shopping) might block you when you use a VPN.
  • There is overhead / internet speed loss. Because a client and server do an extra layer of encryption to protect the traffic, traffic will flow slower as it requires more computing power.
  • VPN servers might not be available in all locations, requiring your connection to go from let’s say Austin, to Seattle (where the server is) and then to its destination in Chicago, additionally decreasing your network speed.
  • You are adding more complexity to your network traffic; if the VPN server goes down, you either lose the VPN “tunnel” or have no connection (depending on configuration). More steps, more chances for failure.

Summary

There are some good reasons why you’d want to use VPN for some network traffic, and some really good reasons why it might not be useful for other situations. Overall, VPN is there to protect data in transit between VPN client and VPN server. VPNs do nothing to help stop other threats like issues on your home network, viruses or other malware or compromised devices on the network. Like anything else, VPNs are tools that can be very useful in specific situations but are useless against other types of threats!

Stay safe!

Billy Harris

Cloud Native Architect

1 month

Keep it safe, Keep it secret!
