A VPN is a shield that helps you surf the web freely and safely, bypass local content restrictions, and protect sensitive data from third parties. For users this technology is a must: when it’s on, it’s safe to go online.
If you take a closer look at existing VPN services, you’ll see that the technology behind them consists of several different mechanisms, each adding another layer of online safety. Not all of them are mandatory, and not all are used by every VPN service at the same time. However, most of the major players combine some of these protection technologies to keep their users safe.
Let’s take a closer look at the more important ones.
To an outside observer, your presence on the web is your IP address. It leaves a digital trail, the footprint by which all your activity, search history, related accounts and posts can be tracked and tied to your physical location. The first and most important thing a VPN does is replace your IP address with the VPN server’s. From that moment on, your search activity cannot be traced to you, only to the VPN server.
The next step is to ensure that your web presence is not unique (i.e. that you cannot be identified from the specific time you were surfing the web combined with the known VPN server address). For this purpose, all major VPN players use shared IPs. This simply means that many people use the same server (and IP address) at the same time, so the traffic of all of them is mixed together and no individual user can be singled out.
Besides hiding a user’s IP address and mixing traffic, there is another key element considered essential for VPN safety today: traffic encryption. Traffic between the VPN server and the user’s desktop or mobile phone is encrypted, which means it cannot be read by a third party who intercepts it with special spy software (like a Wi-Fi interceptor).
In fact, VPN providers use several encryption technologies to protect users’ privacy. Symmetric encryption (the oldest kind) protects data in transit; AES and Blowfish are the two best-known standards of this kind.
Another kind, public-key (asymmetric) encryption, provides key distribution for the data channel encryption. Basically, it solves the problem of transmitting the key securely, because in this method the key used to decrypt a message is different from the key used to encrypt it.
Finally, hashing is used to confirm data integrity. The Secure Hash Algorithm family (SHA) is part of the TLS procedures and is included in the OpenSSL library used by VPNs (which has its own peculiarities).
Today’s ultimate standard of encryption is the best exemplar of symmetric encryption, AES-256 (Advanced Encryption Standard with 256-bit keys; there are also slightly “weaker” versions with 128- or 192-bit keys). This standard of military-grade encryption is used by all the major VPN providers as it is considered unbreakable.
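The three kinds of cryptography described above, shown together as an added example in Go that is not code from the article or from any VPN product: an X25519 key agreement stands in for the public-key step, SHA-256 derives the symmetric key from the shared secret, and AES-256-GCM encrypts the data with an authentication tag that makes tampering detectable. The function names and the sample message are assumptions of the example; it uses only Go’s standard library (crypto/ecdh needs Go 1.20 or newer).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example (not any VPN product's code): the three kinds of
// cryptography the article lists, in the roles a tunnel gives them.
//  1. public-key agreement (X25519) solves key distribution: only public
//     keys cross the wire, yet both sides derive the same secret;
//  2. a hash (SHA-256) turns that secret into a fixed-size symmetric key;
//  3. symmetric encryption (AES-256-GCM) protects the bulk data, and its
//     authentication tag lets the receiver confirm integrity.

// deriveKey hashes the raw shared secret into a 256-bit AES key. Real
// protocols run a labelled KDF (HKDF) here; plain SHA-256 shows the step.
func deriveKey(shared []byte) [32]byte {
	return sha256.Sum256(shared)
}

// agreeKeys runs an X25519 exchange between two fresh key pairs and returns
// the AES key each side derives, so the caller can confirm they match.
func agreeKeys() (clientKey, serverKey [32]byte, err error) {
	curve := ecdh.X25519()
	clientPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return clientKey, serverKey, err
	}
	serverPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return clientKey, serverKey, err
	}
	// Each side combines its own private key with the peer's public key.
	cs, err := clientPriv.ECDH(serverPriv.PublicKey())
	if err != nil {
		return clientKey, serverKey, err
	}
	ss, err := serverPriv.ECDH(clientPriv.PublicKey())
	if err != nil {
		return clientKey, serverKey, err
	}
	return deriveKey(cs), deriveKey(ss), nil
}

// gcm builds the AES-256-GCM AEAD for a derived key.
func gcm(key [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts; the random 12-byte nonce is prepended so the receiver can
// find it, and GCM appends a 16-byte authentication tag.
func seal(key [32]byte, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or any byte was altered.
func open(key [32]byte, msg []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

// roundTrip agrees keys, encrypts on the client, decrypts on the server, and
// then flips one ciphertext bit to show that the tag rejects tampering.
func roundTrip(plaintext []byte) (recovered []byte, tamperDetected bool, err error) {
	clientKey, serverKey, err := agreeKeys()
	if err != nil {
		return nil, false, err
	}
	if clientKey != serverKey {
		return nil, false, errors.New("key agreement mismatch")
	}
	msg, err := seal(clientKey, plaintext)
	if err != nil {
		return nil, false, err
	}
	recovered, err = open(serverKey, msg)
	if err != nil {
		return nil, false, err
	}
	tampered := append([]byte(nil), msg...)
	tampered[len(tampered)-1] ^= 0x01 // alter the last tag byte
	_, tamperErr := open(serverKey, tampered)
	return recovered, tamperErr != nil, nil
}

func main() {
	out, detected, err := roundTrip([]byte("GET / HTTP/1.1 through the tunnel"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\ntampering detected: %v\n", out, detected)
}
```

The key never travels: each side sends only its public key, and the hash of the agreed secret becomes the AES key. A real tunnel protocol adds authentication of the public keys (certificates or pre-shared identities) so that the exchange cannot be intercepted by an impostor, which this example leaves out.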
Obfuscated servers are an additional level of protection sometimes applied on the VPN provider’s side. While it is easy for users to bypass geoblocks and avoid censorship by using a VPN, it is not that easy for the VPN itself, especially where VPNs are banned, as in China or the UAE. In fact, the very use of a VPN can be extremely dangerous from the point of view of local law (and caution is strongly advised if you choose to use a VPN in such locations). Obfuscated servers simply allow you to use a VPN while hiding the fact that you are doing so, helping to evade the third parties that monitor your traffic.
Virtual server locations are another measure taken to make third-party tracing more difficult and, sometimes, to improve the quality of the service. When virtual server locations are used, the VPN server you connect to is not physically located in the country “assigned” to it. The benefit is the ability to route traffic through a country with a better connection while disguising the actual location of the server.
Split tunneling is used to route only a certain kind of traffic through the VPN. It is very helpful when you want to access foreign and local internet services simultaneously or manage your bandwidth carefully. By the way, this is exactly what technically happens if you use a browser plug-in VPN instead of a standalone app: only the browser’s share of your traffic is encrypted. Split tunneling, however, lets you make this separation consciously and choose which part of the traffic goes through the VPN.
VPN Security Protocols
There are many kinds of protocols used by VPN services to implement encryption between a user’s desktop or mobile phone and the VPN servers. Some of them are de facto standards in the VPN industry, based on decades-old technology, and are considered the most secure and stable (like OpenVPN, or IKEv2 in conjunction with IPsec).
There are also many proprietary and experimental protocols developed by major VPN providers, with a focus on more speed or more safety.
Given that the degree of traffic protection depends directly on the VPN protocol, the question is: how do you choose a good one? Some VPNs let you switch between protocols in a single click, but the average user can still be easily confused by the number of options. Research is the only sure way to understand which VPN protocol suits you best. Objectively speaking, the following things need to be weighed and compared: encryption strength, the ciphers used, hash authentication, and resistance to hacking.
OpenVPN is considered one of the most secure VPN protocols and is commonly used by top VPN services. So, if you don’t know how to choose a protocol, just go with this standard one. According to the VPNMentor study of the five most common protocols (not the proprietary ones), OpenVPN is the best overall choice, while, for example, IKEv2/IPsec is the best for mobile use. So, while choosing a VPN service based on the protocols it supports is reasonable, you should be careful with custom-made protocols and do some preliminary study before making a decision.
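As an added example of comparing a protocol’s settings on the criteria just listed (encryption strength, ciphers, hash authentication), not code from the article or from the VPNMentor study: a Go program that audits an OpenVPN client profile. The directive names (cipher, data-ciphers, auth, tls-version-min, remote-cert-tls) are real OpenVPN directives; the two profiles, the host name and the choice of what counts as weak are constructed for this demonstration, with BF-CBC and SHA1 flagged because they were OpenVPN’s historical defaults.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Added example, not from any provider: a small audit of an OpenVPN client
// profile against the criteria the article names (encryption strength,
// ciphers, hash authentication). The directive names are real OpenVPN ones;
// the two profiles and the host name are constructed for the demonstration.

const legacyProfile = `client
dev tun
proto udp
remote vpn.example.invalid 1194
# BF-CBC and SHA1 were OpenVPN's historical defaults
cipher BF-CBC
auth SHA1
`

const hardenedProfile = `client
dev tun
proto udp
remote vpn.example.invalid 1194
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls server
`

// weakCiphers: 64-bit-block or obsolete data ciphers (Blowfish is BF-CBC).
var weakCiphers = map[string]bool{
	"BF-CBC": true, "DES-CBC": true, "DES-EDE3-CBC": true, "RC2-CBC": true, "NONE": true,
}

// weakAuth: HMAC digests no longer considered adequate for packet authentication.
var weakAuth = map[string]bool{"MD5": true, "SHA1": true, "NONE": true}

// parseProfile maps each directive to the rest of its line, skipping blanks
// and comments (# or ;). A repeated directive keeps its last value.
func parseProfile(text string) map[string]string {
	d := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		f := strings.Fields(line)
		d[f[0]] = strings.Join(f[1:], " ")
	}
	return d
}

// auditProfile returns sorted findings; an empty slice means every check passed.
func auditProfile(text string) []string {
	d := parseProfile(text)
	var findings []string
	c, hasCipher := d["cipher"]
	dc, hasList := d["data-ciphers"]
	switch {
	case hasCipher && weakCiphers[strings.ToUpper(c)]:
		findings = append(findings, "cipher: legacy data cipher "+c+"; use AES-256-GCM or CHACHA20-POLY1305")
	case !hasCipher && !hasList:
		findings = append(findings, "cipher: no cipher or data-ciphers directive, relying on the build's default")
	}
	if hasList {
		for _, name := range strings.Split(dc, ":") {
			if weakCiphers[strings.ToUpper(name)] {
				findings = append(findings, "data-ciphers: negotiation list still allows "+name)
			}
		}
	}
	if a, ok := d["auth"]; !ok || weakAuth[strings.ToUpper(a)] {
		findings = append(findings, "auth: HMAC digest weaker than SHA256 (or unset, defaulting to SHA1)")
	}
	if v := d["tls-version-min"]; v != "1.2" && v != "1.3" {
		findings = append(findings, "tls-version-min: not pinned to 1.2 or higher")
	}
	if _, ok := d["remote-cert-tls"]; !ok {
		findings = append(findings, "remote-cert-tls: missing, so a client certificate could impersonate the server")
	}
	sort.Strings(findings)
	return findings
}

func main() {
	for name, p := range map[string]string{"legacy": legacyProfile, "hardened": hardenedProfile} {
		findings := auditProfile(p)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The legacy profile produces four findings (auth, cipher, remote-cert-tls, tls-version-min) and the hardened one none. The same kind of checklist is what the article’s “do some preliminary study” amounts to in practice: read the profile a provider hands you and look at what it actually negotiates.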
This feature, most commonly known as “multi-hop”, provides an additional layer of safety: it can seriously slow down the connection, but in return provides an indecipherable degree of traffic security. This kind of VPN connection encrypts traffic twice across two or more servers and only then routes it back out to the internet.
This can really hurt the connection speed (just imagine what happens to your disguised traffic, flying and dispersing around the globe), but it pays off: even if a VPN server is somehow compromised, it is still impossible to trace the user.
For a regular user this could be overkill, and a simple VPN, skilfully tuned to one’s own needs, would be more than enough. However, for the God-tier level of privacy and security, this is a great measure.
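How two layers of encryption keep a single compromised server from linking the user to the destination, as an added example that is not any provider’s implementation: a simulated double hop in Go where the client wraps the packet once for each server and each server can strip only its own layer. The keys, hop names and destination are constructed, and the per-layer cipher (AES-256-CTR with an HMAC-SHA256 tag, encrypt-then-MAC) is an assumption of the example rather than a suite any provider is known to use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example of the multi-hop idea, not any provider's implementation:
// one encryption layer per hop, so each server sees only the addresses on its
// own side. Keys are random per run (a real VPN derives them from a handshake
// with each hop); hop and destination names are constructed strings. The
// layer cipher is encrypt-then-MAC with AES-256-CTR and HMAC-SHA256.

type layerKey struct{ enc, mac []byte } // 32-byte AES key, 32-byte HMAC key

func newLayerKey() (layerKey, error) {
	k := layerKey{make([]byte, 32), make([]byte, 32)}
	if _, err := rand.Read(k.enc); err != nil {
		return k, err
	}
	_, err := rand.Read(k.mac)
	return k, err
}

// wrap produces iv || AES-CTR(plain) || HMAC-SHA256(iv || ciphertext).
func wrap(k layerKey, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.enc)
	if err != nil {
		return nil, err
	}
	body := make([]byte, aes.BlockSize, aes.BlockSize+len(plain)+sha256.Size)
	if _, err := rand.Read(body); err != nil { // random IV
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCTR(block, body).XORKeyStream(ct, plain)
	body = append(body, ct...)
	mac := hmac.New(sha256.New, k.mac)
	mac.Write(body)
	return mac.Sum(body), nil
}

// unwrap checks the MAC first, then decrypts; the wrong key or a changed byte fails.
func unwrap(k layerKey, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha256.Size {
		return nil, errors.New("short message")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, k.mac)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("bad MAC: wrong key or tampered layer")
	}
	block, err := aes.NewCipher(k.enc)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(plain, body[aes.BlockSize:])
	return plain, nil
}

// A frame is what a hop sees after stripping its layer: the next address and
// the bytes to forward there. Encoding: one length byte, address, payload.
type frame struct {
	next    string
	payload []byte
}

func encodeFrame(f frame) []byte {
	return append(append([]byte{byte(len(f.next))}, f.next...), f.payload...)
}

func decodeFrame(b []byte) (frame, error) {
	if len(b) == 0 || 1+int(b[0]) > len(b) {
		return frame{}, errors.New("bad frame")
	}
	n := int(b[0])
	return frame{next: string(b[1 : 1+n]), payload: b[1+n:]}, nil
}

// strip removes one hop's layer and decodes the frame underneath.
func strip(k layerKey, pkt []byte) (frame, error) {
	b, err := unwrap(k, pkt)
	if err != nil {
		return frame{}, err
	}
	return decodeFrame(b)
}

// hopView is what one server learns from one packet; plaintext stays nil
// while the payload is still another hop's layer.
type hopView struct {
	from, next string
	plaintext  []byte
}

// relay builds the double-hop packet on the client and walks it through both
// servers. The inner layer (for hop2) carries the real destination; the outer
// layer (for hop1) only says "forward this to hop2".
func relay(k1, k2 layerKey, dest string, payload []byte) (hop1, hop2 hopView, err error) {
	inner, err := wrap(k2, encodeFrame(frame{next: dest, payload: payload}))
	if err != nil {
		return hop1, hop2, err
	}
	pkt, err := wrap(k1, encodeFrame(frame{next: "hop2", payload: inner}))
	if err != nil {
		return hop1, hop2, err
	}
	f1, err := strip(k1, pkt) // hop1: sender is the client, learns only "send to hop2"
	if err != nil {
		return hop1, hop2, err
	}
	f2, err := strip(k2, f1.payload) // hop2: sender is hop1, learns destination and payload
	if err != nil {
		return hop1, hop2, err
	}
	return hopView{from: "client", next: f1.next},
		hopView{from: "hop1", next: f2.next, plaintext: f2.payload}, nil
}

func main() {
	k1, _ := newLayerKey()
	k2, _ := newLayerKey()
	h1, h2, err := relay(k1, k2, "site.example", []byte("hello"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("hop1 sees: from=%s next=%s payload=opaque\n", h1.from, h1.next)
	fmt.Printf("hop2 sees: from=%s next=%s payload=%q\n", h2.from, h2.next, h2.plaintext)
}
```

No single view contains both “client” and the destination: hop1 knows who connected but not where the traffic is going, hop2 knows where it is going but sees only hop1 as the sender. The extra wrap and unwrap per hop, plus the detour through a second server, is the speed cost the article describes.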
DNS Leak Protection
Major VPN players offer services that check whether your VPN fails to protect your device’s DNS queries. If this is the case, then even with a VPN tunnel concealing your traffic, third parties will still be able to monitor your web activity. DNS leaks can happen if the VPN is configured manually (and configured wrongly), or, for example, if the user’s router (or a public Wi-Fi router) was hacked. In the latter case, the user’s device is “tricked” into sending DNS traffic outside the safe zone of the VPN tunnel. DNS leaks are worth checking for, because if they persist they make the very use of a VPN pointless.
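A DNS leak check of the kind described above, as an added example not taken from the article or from any provider’s checker: a Go program that reads a constructed log of outbound DNS queries (the key=value format, the interface names, the resolver addresses and the host names are all made up for this demonstration) and flags every query that either left through an interface other than the tunnel’s or went to a resolver the VPN did not assign.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Added example: a DNS-leak check over a constructed log of outbound DNS
// queries as a host-side monitor might record them (interface, resolver
// address, name queried). The format and the sample lines are made up for
// this demonstration. The rule is what matters: while the tunnel is up, every
// query must leave via the tunnel interface and go to the VPN's resolver.

const sampleQueryLog = `ts=1 iface=tun0 dst=10.8.0.1 qname=news.example.org
ts=2 iface=tun0 dst=10.8.0.1 qname=mail.example.org
ts=3 iface=eth0 dst=192.168.1.1 qname=bank.example.net
ts=4 iface=tun0 dst=8.8.8.8 qname=video.example.com
ts=5 iface=wlan0 dst=192.168.1.1 qname=chat.example.com
`

type dnsQuery struct{ iface, resolver, name string }

type leak struct {
	query  dnsQuery
	reason string
}

// parseQueryLog turns key=value lines into dnsQuery records; lines without
// an interface and a resolver are skipped as malformed.
func parseQueryLog(text string) []dnsQuery {
	var out []dnsQuery
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		kv := map[string]string{}
		for _, field := range strings.Fields(sc.Text()) {
			if k, v, ok := strings.Cut(field, "="); ok {
				kv[k] = v
			}
		}
		q := dnsQuery{kv["iface"], kv["dst"], kv["qname"]}
		if q.iface == "" || q.resolver == "" {
			continue
		}
		out = append(out, q)
	}
	return out
}

// findLeaks applies the rule. tunIface is the VPN adapter and vpnResolvers
// the resolver addresses the VPN pushed. A query on another interface went
// around the tunnel (typically to the router's or DHCP-assigned resolver);
// a query inside the tunnel to a resolver the VPN did not assign still
// reveals the names you look up to a third party.
func findLeaks(queries []dnsQuery, tunIface string, vpnResolvers map[string]bool) []leak {
	var leaks []leak
	for _, q := range queries {
		switch {
		case q.iface != tunIface:
			leaks = append(leaks, leak{q, "query left via " + q.iface + ", outside the tunnel"})
		case !vpnResolvers[q.resolver]:
			leaks = append(leaks, leak{q, "resolver " + q.resolver + " is not the VPN's"})
		}
	}
	return leaks
}

func main() {
	queries := parseQueryLog(sampleQueryLog)
	for _, l := range findLeaks(queries, "tun0", map[string]bool{"10.8.0.1": true}) {
		fmt.Printf("LEAK %-20s %s\n", l.query.name, l.reason)
	}
}
```

On the sample log, the two queries on tun0 to 10.8.0.1 pass and the other three are flagged: two left on eth0 and wlan0 (the “tricked” device sending DNS around the tunnel) and one went through the tunnel but to a public resolver the VPN did not assign, which is the manual-misconfiguration case.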