A VPN app on a smartphone.

If you’re shopping for a VPN, you’ll have seen how services boast about having the best encryption and how important it is that you secure your connection using cryptography. But how do VPNs encrypt your connection, and are there different types of encryption to choose from?

VPN Tunnels

To explain how VPNs encrypt your connection, we need to first look at so-called VPN tunnels. Normally, when you visit a site, you connect to a server operated by your internet service provider (ISP), which redirects you to the site you want to visit.

When you use a VPN, you’re rerouting your connection: instead of going from the ISP’s server to the site, you first go through a server operated by your VPN provider. This gives you a new IP address, which comes in handy for a number of reasons, but the VPN also performs another neat trick: it encrypts the connection from your ISP to the VPN server in what’s called a tunnel.

A VPN tunnel is an encrypted connection that prevents anybody else, including your ISP and the site you’re visiting, from tracking you. (The ISP won’t be able to see the websites you’re visiting, and the websites you’re visiting won’t be able to see your real IP address.) “Tunnel” is actually a great name for it as it works more or less like it would if you were driving down a road. While in the open, anybody can see what you’re doing and where you’re going, but once you enter a tunnel, your whereabouts are anybody’s guess.

Of course, VPN tunnels aren’t made with bricks and mortar; instead, they’re created by so-called VPN protocols, which we’ll look at next.

VPN Protocols

To establish a VPN tunnel, you need to use a VPN protocol, which is a piece of software that determines how a VPN talks to other machines on the network. A protocol can do a lot of different things, but most importantly, it contains information about what encryption is used and how traffic is routed through the server.

As such, VPN protocols are very important, as they can determine the speed and security of your connection. There are a lot of different VPN protocols to choose from, but the best allrounder is one called OpenVPN. It generally offers decent speeds while staying secure, which is of course the main reason why many people get a VPN.

Interestingly enough, VPN protocols generally will give you the option of what type of encryption will be used in your tunnel, which is what we’ll look at next.


VPNs keep your connections secure through encryption, which is a way to make messages unreadable by scrambling them to nonsense. To unscramble them, you need a key, a piece of code that serves as the “lock” for the scramble. This key, usually a mathematical formula called an algorithm, is also known as a cipher.

How it works with VPNs is that your connection is encrypted when you connect to the internet—the start of the tunnel, so to speak. Once it arrives at the other end, at the VPN’s server, it gets decrypted and sent along to the site you’re visiting. The result is that the site sees the VPN’s server IP address, and your ISP sees a stream of scrambled information.

Types of Encryption

To ensure that information stays safe, you need to use a good type of encryption: not all are created equal. As a result, many VPN providers will boast that they offer “military-grade” encryption, which is just a fancy way of saying that they use the same encryption algorithm as the military.

The most commonly used encryption is the advanced encryption standard, or AES for short, which comes in several variants. Each variant uses a different number of bits to encrypt its key—longer offers more security. The most secure is AES-256, which means it uses a key of 256 bits and would take your laptop until the heat death of the universe to crack; this article goes over some of the math.

You could also opt for using a lighter version like AES-128 which is still pretty secure; for most people, most of the time it won’t matter that much. AES isn’t the only standard, either; it’s just the most recognized. You could also use an algorithm called Blowfish; either way, your connection is secure.

Protecting the Key

Well, it’s secure except for one issue: the key itself also needs to be protected. To do so, it’s usually secured using TLS, or transport layer security. This technology is common across the internet and used in all kinds of technology, from cloud storage to HTTPS, a protocol you’re using right now to read this web page.

Without TLS, an encrypted message would simply ask the server where it’s arriving for the key to decrypt itself. In that system, it’s very easy for a third party to sneak in and intercept the key delivery, meaning they could decrypt the message for themselves. TLS prevents this by forcing every message to be queried by a third server which can give the go-ahead to decrypt the message.

We know it’s all very involved, but the upshot is that no intruder can crack the ciphers of a VPN tunnel. If you’re using a VPN and they take security seriously, there’s almost no way in which your connection can be cracked from the outside.

The Best VPN Services of 2023

Best Overall VPN
Private Internet Access
Best Budget VPN
Private Internet Access
Best VPN for Windows
Best Free VPN
Proton VPN
Best VPN for iPhone
Proton VPN
Best VPN for Android
Best VPN for Streaming
Best VPN for Gaming
Best VPN for Torrenting
Best VPN for China
Mullvad VPN
Best VPN for Privacy
Mullvad VPN
Profile Photo for Fergus O'Sullivan Fergus O'Sullivan
Fergus is a freelance writer for How-To Geek. He has seven years of tech reporting and reviewing under his belt for a number of publications, including GameCrate and Cloudwards. He's written more articles and reviews about cybersecurity and cloud-based software than he can keep track of---and knows his way around Linux and hardware, too.
Read Full Bio »