How VPNs Work

Keeping VPN Traffic in the Tunnel

Most VPNs rely on tunneling to create a private network that reaches across the internet. In our article "How does the internet work?" we describe how each data file is broken into a series of packets to be sent and received by computers connected to the internet. Tunneling is the process of placing an entire packet within another packet before it's transported over the internet. That outer packet protects the contents from public view and ensures that the packet moves within a virtual tunnel.

This layering of packets is called encapsulation. Computers or other network devices at both ends of the tunnel, called tunnel interfaces, can encapsulate outgoing packets and reopen incoming packets. Users (at one end of the tunnel) and IT personnel (at one or both ends of the tunnel) configure the tunnel interfaces they're responsible for to use a tunneling protocol. Also called an encapsulation protocol, a tunneling protocol is a standardized way to encapsulate packets [source: Microsoft]. Later in this article, you can read about the different tunneling protocols used by VPNs.

The purpose of the tunneling protocol is to add a layer of security that protects each packet on its journey over the internet. The packet travels with the same transport protocol it would have used without the tunnel; this protocol defines how each computer sends and receives data over its ISP. Each inner packet still carries the passenger protocol, such as Internet Protocol (IP), which defines how it travels on the LANs at each end of the tunnel. (See the sidebar for more about how computers use common network protocols to communicate.)

To better understand the relationships between protocols, think of tunneling as having a computer delivered to you by a shipping company. The vendor who is sending you the computer packs the computer (passenger protocol) in a box (tunneling protocol). Shippers then place that box on a shipping truck (transport protocol) at the vendor's warehouse (one tunnel interface). The truck (transport protocol) travels over the highways (internet) to your home (the other tunnel interface) and delivers the computer. You open the box (tunneling protocol) and remove the computer (passenger protocol).
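To make the passenger/tunnel/transport layering concrete, here is an added example (written for this page, not code from the original article) of the simplest standard tunnel, IP-in-IP (RFC 2003, IP protocol number 4): the inner IPv4 packet is the passenger, and the outer IPv4 header, addressed between the two tunnel interfaces, is the wrapper that the far end strips off again. The addresses and payload are constructed sample values.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP encapsulation (RFC 2003)

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, as IPv4 requires."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) around payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload),  # version/IHL, DSCP, total length
                         0, 0, 64, proto, 0,          # ident, flags/frag, TTL, proto, csum
                         socket.inet_aton(src), socket.inet_aton(dst))
    checksum = struct.pack("!H", ipv4_checksum(header))
    return header[:10] + checksum + header[12:] + payload

def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); reject a header whose checksum fails."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    if ipv4_checksum(header) != 0:  # a header carrying a correct checksum sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", header[2:4])[0]
    src, dst = socket.inet_ntoa(header[12:16]), socket.inet_ntoa(header[16:20])
    return src, dst, header[9], packet[ihl:total_len]

def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Near tunnel interface: wrap the passenger packet in an outer IP-in-IP packet."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)

def decapsulate(outer: bytes) -> bytes:
    """Far tunnel interface: verify the outer header, strip it, return the passenger."""
    _, _, proto, inner = parse_ipv4(outer)
    if proto != IPPROTO_IPIP:
        raise ValueError(f"not an IP-in-IP packet (outer protocol {proto})")
    return inner

# Constructed sample: LAN host 192.168.1.10 sends to 10.0.0.5 on the far LAN over a tunnel between 203.0.113.1 and 198.51.100.1.
PASSENGER = build_ipv4("192.168.1.10", "10.0.0.5", 17, b"stand-in for a UDP datagram")
OUTER = encapsulate(PASSENGER, "203.0.113.1", "198.51.100.1")
assert decapsulate(OUTER) == PASSENGER
```

Plain IP-in-IP only wraps the passenger; the inner packet travels readable, so the confidentiality the article attributes to the tunnel comes from the encryption that VPN tunneling protocols add on top of this encapsulation step.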

Now that we've examined data in the tunnel, let's look at the equipment behind each interface.