What Are VPN Tunnels?

How encapsulation and encryption keep your data safe

VPN network graphic

Vladimir Obradovic/Getty Images

Virtual private network (VPN) technology is based on the concept of tunneling. Just like a water pipe contains the liquid flowing inside of it, a VPN tunnel insulates and encapsulates internet traffic — usually with some type of encryption — in order to create a private 'tunnel' of data as it flows inside an unsecured network.

As your internet traffic flows inside the VPN tunnel, it provides a secure, private connection between your computer and a different computer or server at another site. When paired with strong encryption, tunneling makes it extremely difficult for your data to viewed or hacked by outside entities.

How Does VPN Tunneling Work?

It helps to think of VPN tunneling as a two-fold process of data encapsulation and data encryption.

  • Data encapsulation: Encapsulation is the process of 'wrapping' an internet data packet inside of another packet. You can think of this as the outer tunnel structure, like putting a letter inside of an envelope for sending.
  • Data encryption: However, just having a tunnel isn't enough. Encryption scrambles and locks the contents of the letter, i.e. your data, so that it can't be open and read by anyone except the intended receiver.

While a VPN tunnel can be created without encryption, VPN tunnels are not generally considered secure unless they're protected with some type of encryption. This is why you'll often hear VPNs described as an encrypted connection.

A Quick Overview of VPN Encryption Protocols

Several encryption protocols have been created specifically for use with VPN tunnels. The most common types of VPN encryption protocols include IPSec, PPTP, L2TP, OpenVPN, IKEv2, SSTP, and OpenVPN.

IPsec (Internet Protocol Security)

IPsec is suite of security protocols used to authenticate and encrypt data over VPN networks. It includes protocols (i.e. instructions) for establishing a mutual connection between two computers and the exchange of cryptographic keys. The keys encrypt and 'lock' the data, so only the computers involved in the exchange can unlock and view the data.

IPSec is used as a complete VPN protocol solution on its own, or as an encryption protocol within PPTP, L2TP, and IKEv2.

PPTP (Point-to-Point Tunneling Protocol)

The PPTP protocol was developed by Microsoft and has been a standard since the late '90s. It relies on a TCP control channel and Generic Routing Encapsulation (GRE) to work. That said, PPTP is no longer considered secure. For example, the NSA can crack PPTP encryption. PPTP has been superseded by safer protocols, and is considered obsolete today.

L2TP (Layer Two Tunneling Protocol)

The Layer 2 Tunneling Protocol is owned by Cisco and is considered to be a better version of PPTP. As a tunneling protocol only, it doesn't provide any encryption of its own. This is why it's often paired with IPSec (which does). The combination of these two protocols is often referred to as L2TP/IPsec, a protocol which supports up to 256-bit encryption and the 3DES algorithm.

IKEv2 (Internet Key Exchange version 2)

The IKEv2 is a security association protocol developed by Microsoft and Cisco used to set up an authenticated and encrypted association between two computers. IKEv2 is often paired with the IPsec security suite and is referred to as IKEv2/IPsec. Together, it provides up to 256-bit encryption and robust cryptographic keys.

SSTP (Secure Socket Tunneling Protocol)

SSTP is a protocol standard owned by Microsoft that works with Windows, Linux, and MacOS. However, you'll primarily find it used with Windows platforms. It's considered to be a stable and highly-secure VPN protocol that uses the SSL (Secure Socket Layer) 3.0 standard.


OpenVPN is an open-source protocol supported by all the major operating systems in use today (Mac, Windows, and Linux) as well as Android and iOS. It also supports lesser-known platforms, including OpenBSD, FreeBSD, NetBSD, and Solaris. It features up to 256-bit encryption via OpenSSL, a robust, commercial-grade, full-featured toolkit for the Transport Layer Security (TLS).

Which VPN Tunneling Protocol Is Best?

OpenVPN, with its strong encryption and ability to dodge firewalls, is considered the gold standard for VPNs today. It's one of the best choices for a personal VPN and will work on virtually any platform. L2TP/IPSec, IKEv2/IPSec, SSTP are also good options if you're after strong encryption, but may only be available on certain platforms.

Single vs Multi-Protocol VPN Providers

If you're looking for a VPN service, keep in mind that VPN providers fall into either the single or multi-protocol VPN category.

  • Single protocol VPNs offer only one type of protocol, usually the OpenVPN protocol.
  • Multi-protocol providers may support all of the above protocols, offering VPN services for both personal users and businesses.

Both types of VPN providers offer benefits that can help conceal your internet movements, and some offer encryption and other benefits.