Why is a VPN "like a tunnel?"

I’m pretty techy just not on the network side (which I’ve never really liked), and I’m sick and tired of hearing the cliche of “a VPN is like a tunnel.”

Why? How is it a tunnel? Because it connects directly to wherever it has to connect without going through DNS servers?

Can anyone explain in technical terms?

thanks!

Edit: Oh wow, thanks for all the brilliant answers! Never had a question answered so quickly and thoroughly!

Your encrypted VPN traffic is inside normal TCP packets. Because your traffic is inside, it is drawn in a way that resembles a tunnel.

not a fan of the “tunnel” analogies, because physically you are still connected to your ISP, your traffic still goes through your ISP, and they see the data. think of your online activities as cargo that’s being moved around with an open-back pickup truck vs a van. the cop directing traffic (ISP) at the intersection won’t know what’s inside your van. but it knows where your van is going.

let me see if i can break it down. normally you are connected like this:

connection: you---->ISP----->http website
data:       food--->food---->food

so the ISP sees what you’re sending. now if you connect to a secure website, one that is https instead of http

connection: you---->ISP---->https website

they send you back a “certificate”, “hey instead of talking in English, translate it to Spanish, and then type it backwards”

certificate:you<----------- https website

you use that certificate to change your message to match what the https told you

connection: you---->ISP----->https website
data:       adimoc->adimoc-->adimoc(unbackward it)comida(change to english)food

so while your ISP sees it, since they’re the ones that have to deliver it, they can’t tell what it is. that’s a simplified version of it.

so with HTTPS, the website you’re going to sets the encryption. not all sites support https. what about other connections (ftps and all the other stuff)? that’s where VPN does its magic. when you connect to a VPN:

connection: you------->ISP------->vpn
data:       3#@%@#$--->3#@%@#$--->3#@%@#$ = send me data from www.freeXXX.com

so now instead of trusting your ISP, you’re trusting the VPN.

if your VPN is located in germany, www.freeXXX.com sees someone in germany wants to see a page and sends that back.


edit: someone asked about schools blocking websites and using VPN to bypass.

 connection: you----->school/work router----->ISP----->http website
 data:       freeXXX->checking list: NO!

the school or work server is checking where you’re going. if you try to access a blacklisted site, it’ll be like “NAAAAAAAA gtfo out of here.” but if the VPN address isn’t blocked, you can connect fine.

 connection: you---->school/work router----->ISP----->vpn
 data:       3#@%$-->checking list: OK------>3#@%$--->3#@%$ = send me data from www.freeXXX.com

school/work thinks you’re connecting to the address of the VPN server. if it’s not blacklisted, it’ll connect you to it. if the school/work IT guy is incompetent, they won’t have all the VPNs listed.

you have a router at home right? most routers have settings to blacklist specific websites. so it kinda works like that.
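The two diagrams in the post above (ISP seeing the plain request vs. only seeing scrambled data addressed to the VPN, and a router’s block list matching the VPN address instead of the real site) can be made concrete with a small encapsulation demo. This is an added example, not code from the thread or from any VPN product: it builds a simplified inner IP packet to a website, wraps it encrypted inside an outer IP/UDP packet to the VPN server (UDP 1194 is OpenVPN’s registered port), then shows what an on-path observer such as an ISP or filtering router can parse versus what the VPN end of the tunnel recovers. The addresses are constructed documentation ranges, the TCP header is reduced to two ports, and the cipher is a toy HMAC keystream for illustration only, not what a real VPN uses.

```python
"""Toy VPN encapsulation demo (constructed example, standard library only)."""
import hashlib
import hmac
import ipaddress
import os
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
UDP_HDR = "!HHHH"            # sport, dport, length, checksum
PROTO_TCP, PROTO_UDP = 6, 17
VPN_PORT = 1194              # OpenVPN's registered UDP port

# Constructed addresses (RFC 5737 documentation ranges), matching the post's diagram.
CLIENT = "192.0.2.10"        # you
VPN_SERVER = "198.51.100.5"  # vpn
WEBSITE = "203.0.113.80"     # http website


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; checksum left zero because nothing here actually routes it."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(packet):
    """Return the fields an on-path device reads before forwarding: src, dst, protocol, payload."""
    f = struct.unpack(IPV4_HDR, packet[:20])
    return {"src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9])),
            "proto": f[6], "payload": packet[20:]}


def toy_encrypt(key, nonce, data):
    """HMAC-SHA256 counter-mode keystream XOR. Constructed for illustration only;
    real VPNs use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + struct.pack("!I", block), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


toy_decrypt = toy_encrypt  # XOR with the same keystream undoes it


def inner_packet(http_request):
    """What you would send without the VPN: an IP packet to the website (TCP header reduced to ports)."""
    body = struct.pack("!HH", 40000, 80) + http_request
    return ipv4_header(CLIENT, WEBSITE, PROTO_TCP, len(body)) + body


def encapsulate(key, inner, nonce=None):
    """Client side of the tunnel: encrypt the whole inner packet, carry it as UDP payload to the VPN."""
    nonce = nonce or os.urandom(12)
    udp_payload = nonce + toy_encrypt(key, nonce, inner)
    udp = struct.pack(UDP_HDR, 40001, VPN_PORT, 8 + len(udp_payload), 0) + udp_payload
    return ipv4_header(CLIENT, VPN_SERVER, PROTO_UDP, len(udp)) + udp


def observer_view(packet, blocklist):
    """ISP or school/work router: reads the outer header only and applies its list to that destination."""
    ip = parse_ipv4(packet)
    return {"dst_seen": ip["dst"], "proto": ip["proto"],
            "verdict": "BLOCK" if ip["dst"] in blocklist else "ALLOW",
            "request_visible": b"Host:" in ip["payload"]}


def vpn_server_decapsulate(key, packet):
    """VPN end of the tunnel: strip outer IP/UDP, decrypt, and recover the real destination."""
    outer = parse_ipv4(packet)
    assert outer["proto"] == PROTO_UDP and outer["dst"] == VPN_SERVER
    udp_payload = outer["payload"][8:]          # skip the 8-byte UDP header
    nonce, ciphertext = udp_payload[:12], udp_payload[12:]
    inner = parse_ipv4(toy_decrypt(key, nonce, ciphertext))
    return {"real_dst": inner["dst"], "request": inner["payload"][4:]}


def demo():
    """Run the direct and tunneled cases through the same observer and return what each party sees."""
    key = b"constructed-shared-key"
    request = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    blocklist = {WEBSITE}                        # the router's list contains the site, not the VPN
    direct = inner_packet(request)
    tunneled = encapsulate(key, direct)
    return {"direct": observer_view(direct, blocklist),
            "tunneled": observer_view(tunneled, blocklist),
            "at_vpn": vpn_server_decapsulate(key, tunneled)}


if __name__ == "__main__":
    for party, seen in demo().items():
        print(party, seen)
```

The `direct` case comes back BLOCK with the request visible; the `tunneled` case comes back ALLOW because the only destination the observer can parse is the VPN server, and only `vpn_server_decapsulate` recovers the website address. That is also why the poster’s remark about IT “listing the VPNs” is the relevant control: a destination filter that does not know the tunnel endpoint has nothing else to match on.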

VPN is like a tunnel because all the traffic goes through a tunnel when you connect to it! When you go through a tunnel in real life, people outside the tunnel can’t see what you’re doing in that tunnel; only the people who handle the tunnel have the ability to see what you’re doing, if they’re interested in doing so, by putting up cameras and stuff… in the world of VPNs you can say that’s stealing your browsing data which has gone through that tunnel and selling it to a third party, which some VPN providers do and some don’t :slight_smile:

A car (or other vehicle) is able to enter the tunnel at one end and exit out of the other without the dirt/water/whatever else that is being held back by the tunnel walls messing up the integrity of the vehicle. When the vehicle exits the tunnel, anyone observing the vehicle would only be able to see where the car came out from, not where it started at.

The tunnel analogy really only helps to illustrate the origin/destination nature of IP traffic as well as the way that the vehicle’s (traffic’s) origin is hidden from endpoint observers.

In reality, any of the data packets could be intercepted anywhere along the route. What makes VPNs secure is that the traffic is encrypted, so that even if some or all of the packets are intercepted, the encrypted data payload is unintelligible by any node except the one at the end of the tunnel with the exact key that allows them to decrypt the traffic.

Ever tried entering a tunnel other than from either end of it? It doesn’t work because of the concrete walls. Same with a VPN. The data is encrypted at one end and decrypted at the other.

*normal IP packets. IP consists of TCP and UDP, among others

It’s actually most of the time UDP for OpenVPN, and ESP I think it is for IPSec. (IPSec is black magic to me tbh even though I should know more about it.)

So how does a VPN bypass blocked websites on the network (in schools and other public wifis)?

Excellent, this explanation made me finally understand it, thanks a bunch lost12. Haha, funny, I’m also English/Spanish bilingual, hence my username.

The tunnel analogy is appropriate. It’s not relative to a physical tunnel but a tunnel interface.

Except the tunnels were in reality dug by bears. And when you connect the signal echoes through the tunnel.

from my earlier example

 connection: you---->school/work router----->ISP----->http website

the school or work server is checking where you’re going. if you try to access a blacklisted site, it’ll be like “NAAAAAAAA gtfo out of here.” but if the VPN address isn’t blocked, you can connect fine.

 connection: you---->school/work router----->ISP----->vpn

because the school/work thinks you’re connecting to the address of the VPN server. it doesn’t know it’s a VPN. it’s just another address it connected you to. if the school/work IT guy is incompetent, they don’t have all the VPNs listed.

my place of work is VERY strict. the computers are locked pretty tight. we can’t go to any email sites, or any websites out of the US. our internet settings are blocked out so you can’t change anything. i remember a couple of years ago, they emailed everyone who got chrome installed in the user’s local app folder, about having unauthorized programs installed and that it will be removed.

edit: you have a router at home right? most routers have settings to blacklist specific websites. so it kinda works like that.

Because they ban based off of retarded criteria

I would give this an upvote if it were 3 years ago maybe

Sometimes the bears poop huge logs.