What is a VPN? The Complete Beginner’s Guide
So you’ve decided to take an extra step towards ensuring your privacy online. Congratulations! While having a VPN isn’t really a life-changing experience, it can certainly help keep your life on track by protecting you from the more unsavory elements floating around on the Internet.
This guide will take you through everything you need to know about VPNs, from the complete basics to slightly more complicated discussions like VPN protocols. By the time you navigate away from this page, you should have all the know-how you need to put any VPN service you choose to good use.
The Internet: a history of security flaws
When the Internet was first created, it was made as a sort of redundancy that allows devices and networks to communicate with each other even in the case of devastating nuclear attacks. By creating a decentralized network, the Internet can survive even when one (or several) of its servers are taken out.
Because the Internet was created as a sort of backup, privacy wasn’t really on the minds of those who developed it. In fact, as early as 1973, Robert Metcalfe (who also invented the ubiquitous Ethernet connection) warned that the Internet was too easy to tap into. Among the first people to hack Internet connections were high school students. Later, in 1978, the designers of the TCP/IP protocol (the networking backbone the Internet uses) thought of baking encryption right into the connections. Their ideas, however, were vetoed by none other than the National Security Agency, which wanted to make sure there was a way it could enter the network whenever it wanted to.
It’s no exaggeration, given all this, to say that the Internet you are using now was built to be hackable — and aside from state actors, there are several bad elements raring to exploit those weaknesses to get at your data.
VPNs should be a modern-day standard
What if the designers of TCP/IP had their way? Then this article — no, this whole website — wouldn’t exist. VPNs wouldn’t exist, since they would be automatically integrated into your connections. But that’s not the way history turned out, and today VPNs exist to be the privacy add-on everyone should have for their connections.
VPN means Virtual Private Network. It’s virtual, because it’s simulated by the VPN server. Essentially, VPNs work by routing your Internet activity from your device towards the VPN server, and then from the VPN server towards the sites you are connecting to. This is like a tunnel (which is why using a VPN is also referred to as “tunneling”) that shields your data stream as it goes from point A to point B. The VPN server (and its app) encrypts your data the whole way, preventing prying eyes from knowing what sites you are visiting, and what data is being transferred to and from those sites. No one can read this encrypted data, even if they manage to intercept it. It only gets decrypted once it reaches your device.
With a (good) VPN connection active, no one — not even your ISP or the NSA — is able to snoop into your online activity. No one can watch your network to see what credentials you are using for your banking apps. No one can record your browsing data and sell it to marketers. No one can see which content you are viewing, copyrighted or not. No one can see the content of your emails and your chats.
Without a VPN, all of these are easily available to anyone with the right set of tools!
Can’t proxy servers protect me?
Proxies are meant for one thing only — for spoofing your IP address, so that you appear to be accessing a site from one point when you’re actually doing it from another. A VPN does that too, and so much more.
Others also use proxies to sneak around geographical restrictions, and even site restrictions created by companies and schools. This may work because all Internet content is served through the proxy server that acts as an intermediary between the user and the destination site. But this is a really weak protection because your data stream is completely visible at all points of the connection! Any prying eye, from your ISP to your company/school IT, can easily see what you’re up to. It’s like stealing something and holding it up high above your head as you walk away from the crime scene. It just won’t do.
What a VPN does for you
Here is a short list of the possibilities a VPN can unlock for you, depending on how you decide to use it.
It disguises your location. By routing your traffic through the VPN server, a VPN service can disguise your IP and make it look like you’re accessing websites from another location. This happens because the destination website only reads the location from the VPN server your data is routed through.
For example, you’re located in the US, but would like to spoof your location to read like you’re from England. All you have to do is connect to a VPN server in that country, and all sites you visit will see the connection coming from England instead of the United States.
This is very useful for getting around geographical restrictions, such as those imposed by streaming sites (I’m looking at you, Netflix). This is also vital for security, as you can trick any unwanted snoopers into making the wrong browsing profile out of your habits.
It makes your data “opaque”. A good analogy for VPNs is a large, opaque hose connecting two points. You don’t know what’s really travelling in that length of sturdy plastic. Is it water? Champagne? Orange juice? Just air?
Using a VPN can keep unwanted elements equally confused when trying to figure out your data. Your Internet Service Provider, for example, wouldn’t know whether you’re using a streaming site or not, and hence can’t throttle your Internet speeds. Hackers won’t know what kind of data you’re sending to and fro over a public WiFi hotspot, so you’re safe even if you have to make emergency financial transactions on the go. Governments and media companies won’t know what content you’re accessing or downloading online, preventing them from taking oppressive actions.
It gives a host of other useful features. A good part of the VPN reviews in this site will focus on the various extra features that VPNs have. While a stable, reliable, and secure connection is the bread and butter of all VPN services, the top tiers duke it out by adding as many features as possible — and these can make all the difference.
If you need extra protection for extra-secure online transactions, some VPNs offer dedicated IP addresses. You can also take advantage of built-in ad blockers and malware protection, so even the things you download can’t harm your device. Almost all VPN providers also allow for multiple simultaneous connections across a wide variety of platforms, so you can access the same level of protection wherever, whenever.
How to use a VPN
When the regular Internet Joe reads all these wonderful things a VPN can do, the first thing he’ll probably think is “this sounds too complicated for me.” And there was indeed a time when using a VPN was too complicated for the non-tech-oriented person.
But today? All it takes is to subscribe to a VPN service, download and install the VPN app, and launch it before going online. It’s not really much different from watching Netflix or accessing some other online service! Props to VPN services for making something so complicated so easy and accessible.
If you want a detailed breakdown of what happens when you use a VPN service, read on. If not, you can skip ahead for some more juicy VPN tips.
- The first thing that happens when you launch a VPN app is the creation of the encrypted tunnel, which leads from your computer to the VPN server. At this phase, your device stops communicating with any other server over the Internet, and focuses everything on the VPN server. This process will create a pair of secret “keys”, one on the server and one on your device, which will then be used to encrypt and decrypt data. Thankfully these keys don’t get lost, unlike car and home keys.
- Once your VPN tunnel is established, it’s time to get data flowing. Normally, any data you send out is chopped up into fine bits called “packets”, which are then sent over the Internet. When a VPN is in play, these packets are encapsulated in another packet, which is then encrypted. Think of it as the difference between sending a letter in an envelope, versus sending it in a sealed metal tube. While ordinary packets can be read when someone taps into your connection, encapsulated and encrypted packets are just gibberish once intercepted.
- As soon as the packets arrive at the VPN server, the latter uses the keys it generated earlier to unscramble the data stream and understand the instructions you had sent out. These instructions then get sent out to their destination, this time using only the VPN’s IP address and information. This way, the receiving website can’t link you and your location with the request.
- The receiving website then sends a reply, which will get sent into the VPN server and back into the tunnel. Before getting sent from the server back to you, the data is again encapsulated, and encrypted. The data will be decrypted only once it reaches your computer, using the keys generated at the beginning of the process. This way, no one can read them on the way back — no one knows what’s going on between you and the Internet.
The best VPN services use an encryption standard called AES 256-bit. This is military-grade encryption, and is the same one used by such high-level organizations as banks. The “256” here refers to the key size, or the number of possible combinations to decrypt it. Computing this (2^256) yields an absurdly large number, which is just plain overkill! Trying to brute-force this using a supercomputer would take years, and using a regular computer it can take a lifetime. And remember that your data is protected per packet, meaning successfully cracking one packet wouldn’t yield any useful data at all. This is the level of awesome security that a VPN offers, applicable whether you’re sending confidential information across borders or just sending cat GIFs via a chat app.
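As an added illustration of the encapsulate-and-encrypt steps above (example code written for this guide, not taken from any VPN product or protocol), this Go program seals a constructed inner packet with AES-256-GCM the way a tunnel would, shows that the inner bytes are not visible on the wire, and shows that a packet altered in transit is rejected rather than decrypted into garbage. The fixed key and the sample bank request are made-up values; a real tunnel agrees its keys when the connection is created.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Tunnel models one direction of a VPN tunnel: a key shared by your device and the server.
type Tunnel struct {
	aead cipher.AEAD
}

// NewTunnel sets up AES-GCM; a 32-byte key selects AES-256, the standard the guide mentions.
func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead}, nil
}

// Encapsulate wraps an inner packet in an outer one laid out as [nonce | ciphertext+tag].
func (t *Tunnel) Encapsulate(inner []byte) ([]byte, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per packet (demo choice)
		return nil, err
	}
	return append(nonce, t.aead.Seal(nil, nonce, inner, nil)...), nil
}

// Decapsulate checks the authentication tag and decrypts; a packet altered in transit is rejected.
func (t *Tunnel) Decapsulate(outer []byte) ([]byte, error) {
	ns := t.aead.NonceSize()
	if len(outer) < ns+t.aead.Overhead() {
		return nil, errors.New("outer packet too short")
	}
	return t.aead.Open(nil, outer[:ns], outer[ns:], nil)
}

// Leaks reports whether an on-path observer could read the inner packet straight off the wire.
func Leaks(outer, inner []byte) bool {
	return bytes.Contains(outer, inner)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, never reuse a fixed key like this
	tun, _ := NewTunnel(key)
	// Constructed sample of what a browser sends to a bank: readable to anyone without the tunnel.
	inner := []byte("GET /account/balance HTTP/1.1\r\nCookie: session=abc123\r\n")
	outer, _ := tun.Encapsulate(inner)
	fmt.Printf("on the wire: %d bytes, inner request readable: %v\n", len(outer), Leaks(outer, inner))
	outer[len(outer)-1] ^= 0x01 // one bit flipped in transit
	_, err := tun.Decapsulate(outer)
	fmt.Println("tampered packet accepted:", err == nil)
}
```

Each packet is sealed on its own with a fresh nonce, which is why two identical requests look different on the wire and why breaking one packet tells an attacker nothing about the next.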
VPN Protocols: What do they mean?
If you read through that last section, congratulations! You’re one step ahead of most people who use VPNs in understanding the innards of the system.
Now, here’s another technical discussion that may interest you. Most VPN providers don’t flaunt exactly how they create secure connections between your device and their servers, though you can find this information in their detailed documents. As it turns out, there are several such methods of creating a secure tunnel, called “protocols”. Here’s a quick rundown of the existing (and up-and-coming) protocols.
WireGuard. Let’s start with the rising star. Many consider WireGuard to be the most secure VPN protocol ever, and the foundation of next-level online security. Aside from offering unparalleled security, it is also incredibly light, implemented with only a fraction of the code it takes to implement OpenVPN (one of the most famous and widespread protocols). Unfortunately, it’s not yet completely developed, hence most VPN providers don’t offer it yet. The protocol is still under very active development for now, and it’s good to keep it in mind for future developments.
The few VPN providers who currently offer WireGuard have logged massive performance leaps, at the cost of some stability thanks to the work-in-progress state of the protocol. There is, however, one major drawback to WireGuard. Remember how VPN servers create a tunnel between your device and the server to work? Normally, this entails dynamically assigning an IP address to you each time you connect. WireGuard doesn’t have this capability, however, and you need to be connected to a static IP address. This means your IP address needs to be stored on the VPN servers so the latter will know how to connect you. This is a privacy flaw that, while it does not yet have any real-world implications, can be exploited down the road.
OpenVPN. If you’ve been wading in the VPN waters for some time, you’re sure to have heard of OpenVPN. This is the industry standard, the golden boy that WireGuard strives to replace. Being open-source (like WireGuard) means it’s easy to audit the protocol, and experts can attest to its security. It is also regularly updated.
OpenVPN is known for being highly configurable, and its already impressive base security offering can be further improved. It is also possible to tweak the protocol to focus on speed, at the cost of some security. It is even possible to change the way it runs, thus changing some characteristics of its security. For example, OpenVPN is best run on the UDP protocol for maximum security. But running it on a TCP protocol (port 443) will mask your VPN connection as an HTTPS connection, thus preventing censors from knowing you are using a VPN.
This protocol got its name from its open-source nature. In the world of software, open-source means anyone can take the code apart and inspect it for vulnerability flaws. Anyone can also edit the software and create their own versions, or submit their own contributions which will then be checked by the software’s community of developers. This open-source nature is also among the reasons why the OpenVPN protocol is so highly-prized among security enthusiasts.
IKEv2 (plus IPsec). IKE stands for Internet Key Exchange, and as the name suggests, this is the second version of that protocol. IKEv2 is closed-source software, in contrast with OpenVPN. Don’t look down on it though — it was jointly developed by two tech behemoths, Microsoft and Cisco. The goal was to create a simple tunneling protocol that can be applied to multiple scenarios.
Because of this goal, IKEv2 is only made to tunnel your data from point A to point B — it does not encrypt that data by default. However, IKEv2 is light and flexible enough that it pairs perfectly with IPsec (stands for IP Security) and it turns into a powerful and secure protocol.
Like IKEv2, IPsec is just half of the equation and cannot stand as a VPN protocol alone. Instead, it’s actually a collection of protocols meant to ensure the integrity and confidentiality of data across IP networks.
Since Microsoft is one of IKEv2/IPsec’s developers, you’ll find the protocol natively supported by Windows 7 onwards. It is also available on iOS and Blackberry, with various open-source iterations of the code available for Linux and Android. Support isn’t native for these open-source versions, however, so you’ll likely need a different program to access them.
One of the big advantages of IKEv2 is its stability and its auto-start feature. The latter means that if the VPN connection gets interrupted by an external factor (say, a power or Internet outage), the secured connection automatically resumes when you go back online. This means there’s no risk of forgetting to re-connect your VPN and thus put your data at risk.
Its Microsoft pedigree is, however, considered one of its biggest weaknesses. Microsoft has not been known as a big privacy supporter, with its Windows products being huge privacy snoops. While no privacy weakness has been found so far, IKEv2 has not been as extensively audited as OpenVPN, and some believe there might be a Windows backdoor in there somewhere.
L2TP. This stands for Layer 2 Tunneling Protocol, which is also a simple tunneling protocol similar to IKEv2. Like the latter, it also needs to partner up with IPsec in order to become a full-fledged VPN protocol.
L2TP can be paired with two types of encryption algorithms — AES and 3DES. AES is the only remaining secure one, and 3DES has been pushed out of the VPN world thanks to a history of collision attacks. In case your VPN provider still offers 3DES, think twice about going for that service!
L2TP is known for being faster than the gold standard OpenVPN, while providing great security by encapsulating your data in two encrypted packets. There are a lot of downsides to the protocol, though, not the least of which is that it can only use a limited number of ports. A censor such as a company can easily block those ports, preventing any use at all of L2TP.
The biggest weakness, however, is the claim by notorious privacy whistleblower Edward Snowden that the NSA has successfully cracked the L2TP protocol. No one has come forward to verify this, but Snowden’s claims have great weight. If this is true, then any VPN that uses L2TP should be kept at most for non-crucial usage, such as regular browsing. If you’re doing something that you wouldn’t want anyone at all to see (especially not the government), use a different protocol or VPN service altogether.
On the bright side, L2TP is compatible with all platforms and is fairly easy to set up, supporting its use for more casual online activities.
PPTP. This made history as one of the very first VPN protocols that became publicly available, back in 1999. Its easy setup and painless usage have made it the favorite of many companies that rely on it to provide VPN access for their employees. Unlike the VPN usage we have discussed so far, such corporate connections are meant to allow employees access to secure company servers and resources, rather than protecting them from external attacks when out in the online wild.
This limited application should tell you something is up — the protocol has long-since been cracked, and some reports say that it only took 2 days to break through. It’s worth noting that Microsoft was also at the head of the team that developed PPTP, and the protocol even uses the proprietary Microsoft Point-to-Point Encryption (MPPE). While Microsoft was able to issue a quick patch to cover its weaknesses, the software company has basically abandoned it in favor of L2TP.
There’s another big weakness with PPTP — block port 1723 and it won’t work. Couple this with historically slow performance on unsteady connections, and you get a protocol that should never be used except when you’re forced to (i.e., if that’s the only way to connect to company resources while working from home).
SSTP. In between PPTP and L2TP, Microsoft worked on another VPN protocol, the SSTP. It stands for Secure Socket Tunneling Protocol. This one is more widespread, and is markedly better than its predecessor, though many still cast doubting glances upon it thanks solely to its pedigree.
SSTP first made its debut with Windows Vista, and it has been present in all Windows versions since then. It offers great integration with Windows, and it’s also very easy to set up. It has no big weakness, and it is even a good protocol for use in instances when censors are trying to block your connections.
Aside from the Microsoft connection, the only big weakness of SSTP is its vulnerability to POODLE attacks. While any piece of home technology may as well be toys in the face of a rampaging fur baby, we’re talking here about exploits that target weaknesses in the SSL 3.0 security layer that SSTP uses. Because of this, SSTP has been deprecated for security-related usage, and just like PPTP should no longer be used.
In our reviews, we rank VPN providers partly based on the level of security that their chosen protocols provide. You’ll find that the top services have either started implementing WireGuard in their services, or have created very good OpenVPN implementations. Security, after all, is still the main goal of having a VPN subscription.
What about this thing called “Tor”? If you’ve been searching for online security tips, you might have heard about something called “Tor” that can be used with VPNs for even better online security. Tor (acronym for The Onion Router) is a completely different beast, however. It’s not a protocol like IPsec that pairs with other protocols to protect your data.
In the simplest sense, Tor is accessed via a downloaded client called the Tor Browser (a heavily modified version of Firefox, which is an open-source software in itself). Using the Tor Browser allows you access to the Tor Network, which is a distributed set of “nodes”. Think of the browser as a portal to these nodes. Once you’re in, the network bounces your connection through a series of nodes before it reaches the destination site, making it extremely hard for onlookers to follow your path.
Tor browsing has its own set of drawbacks (one of which is a huge impact on your internet speed), but it can indeed increase your level of online security and anonymity by pairing it with a VPN service. Since Tor already impacts your connection speed greatly, it’s best to choose a fast VPN subscription if you’re going this way. Launch the VPN client before bouncing your data through Tor nodes, for best results. This technique works perfectly if you’re in an area that blocks the Tor network, since then your ISP won’t know it’s the network your data is headed towards.
How do I choose the perfect VPN provider?
Our reviews offer comprehensive and unbiased assessments of many VPN services. You may wish to conduct your own evaluation, however, considering that each user has his own personal preferences and use case.
If you’d like a copy of the metrics we use for ranking VPNs, you can view the guide right here! You can keep and share this handy doc anywhere you are, so you can access it whenever you feel the need to test new VPN subscriptions.