not a fan of the “tunnel” analogies, because physically you are still connected to your ISP, your traffic still goes through your ISP, and they see the data. think of your online activities as cargo that’s being moved around with an open-back pickup truck vs a van. the cop directing traffic (ISP) at the intersection won’t know what’s inside your van. but it knows where your van is going.
let me see if i can break it down. normally you are connected like this:
connection: you---->ISP----->http website
data: food--->food---->food
so the ISP sees what you’re sending. now if you connect to a secure website, one that is https instead of http
connection: you---->ISP---->https website
they send you back a “certificate”, “hey instead of talking in English, translate it to Spanish, and then type it backwards”
certificate:you<----------- https website
you use that certificate to change your message to match what the https website told you
connection: you---->ISP----->https website
data: adimoc->adimoc-->adimoc(unbackward it)comida(change to English)food
so while your ISP sees it, since they’re the ones that have to deliver it, they can’t tell what it is. that’s a simplified version of it.
so with HTTPS, the website you’re going to sets the encryption. not all sites support https. what about other connections (ftps and all the other stuff)? that’s where VPN does its magic. when you connect to a VPN:
connection: you------->ISP------->vpn
data: 3#@%@#$--->3#@%@#$--->3#@%@#$ = send me data from www.freeXXX.com
so now instead of trusting your ISP, you’re trusting the VPN.
if your VPN is located in Germany, www.freeXXX.com sees someone in Germany wants to see a page and sends that back.
edit: someone asked about schools blocking websites and using a VPN to bypass them.
connection: you----->school/work router----->ISP----->http website
data: freeXXX->checking list: NO!
the school or work server is checking where you’re going. if you try to access a blacklisted (blocked) site, it’ll be like “NAAAAAAAA gtfo out of here.” but if the VPN address isn’t blocked, you can connect fine.
connection: you---->school/work router----->ISP----->vpn
data: 3#@%$-->checking list: OK------>3#@%$--->3#@%$ = send me data from www.freeXXX.com
school/work thinks you’re connecting to the address of the VPN server. if it’s not blacklisted, it’ll connect you to it. if the school/work IT guy is incompetent, they won’t have all the VPNs listed.
you have a router at home, right? most routers have settings to blacklist specific websites. so it kinda works like that.
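A small model of what each hop in the diagrams above can actually read, added here as an illustration; it is not part of the original post. It uses a toy XOR cipher standing in for TLS and for the VPN's own encryption, and constructed placeholder hostnames (vpn.example, blocked.example) plus a made-up router blocklist, to show why the router/ISP only ever sees the outer address and why the website alone reads the request.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

BLOCKLIST = {"blocked.example"}  # constructed school/work blocklist (placeholder)
VPN_HOST, SITE_HOST = "vpn.example", "blocked.example"  # placeholder hostnames

def _xor_crypt(key: bytes, data: bytes) -> bytes:
    """Toy cipher (HMAC-SHA256 keystream XOR). Illustration only, not real TLS/VPN crypto."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(dst: str, payload: bytes, key: Optional[bytes] = None) -> bytes:
    """One envelope: a readable delivery address plus a payload, encrypted when a key is given."""
    body = _xor_crypt(key, payload) if key else payload
    return json.dumps({"dst": dst, "enc": key is not None, "payload": body.hex()}).encode()

def peek(raw: bytes, key: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
    """What one hop sees: the address always; the payload only if it is plaintext or it holds the key."""
    env = json.loads(raw)
    body = bytes.fromhex(env["payload"])
    if not env["enc"]:
        return env["dst"], body
    return env["dst"], (_xor_crypt(key, body) if key else None)

def router_check(raw: bytes) -> str:
    """School/work router: it can only match the outer address against its list."""
    dst, _ = peek(raw)
    return "BLOCKED" if dst in BLOCKLIST else "OK"

def https_direct(request: bytes, site_key: bytes) -> dict:
    """HTTPS with no VPN: router/ISP see the site name but not the content; the site reads it."""
    wire = wrap(SITE_HOST, request, site_key)
    isp_dst, isp_body = peek(wire)
    _, site_body = peek(wire, site_key)
    return {"router": router_check(wire), "isp": (isp_dst, isp_body), "site": site_body}

def https_over_vpn(request: bytes, site_key: bytes, vpn_key: bytes) -> dict:
    """HTTPS inside a VPN layer: each hop strips one envelope and sees only that much."""
    inner = wrap(SITE_HOST, request, site_key)   # what the VPN will forward to the site
    wire = wrap(VPN_HOST, inner, vpn_key)         # what leaves your machine
    isp_dst, isp_body = peek(wire)                # router/ISP: VPN address, opaque payload
    _, vpn_view = peek(wire, vpn_key)             # VPN strips its layer...
    vpn_dst, vpn_body = peek(vpn_view)            # ...and sees the real site name, not the request
    _, site_body = peek(vpn_view, site_key)       # site: the only hop that reads the request
    return {"router": router_check(wire), "isp": (isp_dst, isp_body),
            "vpn": (vpn_dst, vpn_body), "site": site_body}
```

Swapping the VPN for the ISP moves the trust, not the visibility: the VPN hop still learns the destination name, exactly as the post says.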