A VPN, or Virtual Private Network, encrypts all of the data sent to and from your device and routes it through an intermediary server that stands between you and the internet. The encrypted connection between your device and the VPN server is often referred to as a “tunnel”. No third parties, such as your ISP, government, or local IT administrator, can see the contents of your data or its destination while the VPN is active.
We’ll discuss how VPN tunneling works in this article, including encryption, protocols, and why tunneling is necessary for security and privacy.
What is VPN tunneling?
When you first connect to a VPN, your device and the VPN server perform a handshake and exchange encryption keys. This ensures that only the VPN server can decrypt data sent from your device and, conversely, only your device can decrypt data sent from the VPN server.
Once the connection is established, your device and the server can securely transmit data back and forth through the “tunnel”. Data is encrypted with the key before it ever leaves your device. When it reaches the VPN server, it is decrypted, then forwarded to the final destination—a website, app, streaming service, etc.
Data coming from the internet goes through the same process in reverse: data is sent from the app or website to the VPN server. The VPN server encrypts the data and sends it to your device, where it’s decrypted with the key.
The “tunnel” analogy comes from the VPN’s encryption. Data can go back and forth through the tunnel, but there are only two endpoints—your device and the VPN server—where data is encrypted and decrypted.
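The tunnel described above, modelled in Python as an added example that is not part of the original article: the whole inner packet, real destination included, is encrypted on the device, and an on-path observer reads only the outer header addressed to the VPN server. It assumes the handshake has already produced a shared secret, uses an HMAC-SHA256 keystream with an HMAC tag as a standard-library stand-in for the ciphers real VPN protocols use, and all addresses and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import os

VPN_SERVER = "198.51.100.10"  # constructed address (documentation range)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: stdlib stand-in for a real VPN cipher."""
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )[:length]


def derive_keys(handshake_secret):
    """Split the handshake output into separate encryption and MAC keys."""
    enc = hmac.new(handshake_secret, b"enc", hashlib.sha256).digest()
    mac = hmac.new(handshake_secret, b"mac", hashlib.sha256).digest()
    return enc, mac


def encapsulate(inner, keys, client_ip):
    """Client side: encrypt the inner packet; only the outer header stays readable."""
    enc_key, mac_key = keys
    nonce = os.urandom(12)
    plain = json.dumps(inner).encode()
    body = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return {"src": client_ip, "dst": VPN_SERVER, "payload": nonce + body + tag}


def decapsulate(outer, keys):
    """Server side: verify the tag, decrypt, recover the real destination."""
    enc_key, mac_key = keys
    blob = outer["payload"]
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet failed authentication")
    plain = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
    return json.loads(plain)


def observer_view(outer):
    """What an ISP or local admin on the path can read without the keys."""
    return {"src": outer["src"], "dst": outer["dst"], "bytes": len(outer["payload"])}
```

The observer still learns that you are talking to the VPN server and roughly how much data is moving, which is why the server itself has to be trusted with the decrypted traffic.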
What to look for when choosing a VPN
How you plan on using the VPN determines which tunneling features will best serve you. VPN tunneling can be used for a number of purposes:
- Unblocking streaming sites from abroad: The VPN tunnel should have fast speed and a stable connection. There should be no leaks that could give away your real IP address.
- Accessing the web from China: The VPN tunnel needs to be both inconspicuous and secure. Obfuscation is often used to hide VPN tunnels going in and out of China to bypass the Great Firewall. This also applies in other countries where VPNs are blocked like the UAE and Iran.
- Securing public Wi-Fi: The tunnel should be secure with no leaks. A kill switch can help keep this tunnel secure.
- Torrenting: Security and speed are both paramount here. The VPN should have a kill switch, no leaks, and preferably split tunneling.
- Private web browsing: Strong encryption in the VPN tunnel, combined with a no-logs policy and your browser’s incognito or private browsing mode, enables you to surf the web privately and anonymously.
Split tunneling
Split tunneling is a VPN feature that allows you to choose which data goes through the encrypted VPN tunnel and which uses a direct, unencrypted connection.
A few VPN apps offer split tunneling that allows you to choose which apps use the VPN and which do not. Although whitelisting which apps use the VPN is the most common type of split tunneling, it can also be done by device (at a router level), ports used, or type of traffic.
Split tunneling is useful in situations where only certain activities need to be protected by the VPN. While torrenting, for example, you can set your torrenting app to use the VPN while your web browser uses a normal internet connection.
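A way to audit a split-tunnel setup like the torrenting one above, as an added example that is not from the original article: a per-flow routing decision by app and port, and a check that flags flows the policy sends through the VPN but that actually left on the physical interface. The rule format, interface names, and addresses are hypothetical and the flows are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

VPN_SERVER = ipaddress.ip_address("198.51.100.10")  # constructed tunnel endpoint


@dataclass(frozen=True)
class Flow:
    app: str
    dst: str
    port: int
    iface: str  # interface the flow left on, e.g. "tun0" (VPN) or "eth0"


# Hypothetical policy: first match wins; unmatched traffic defaults to the tunnel.
RULES = [
    {"app": "torrent", "route": "tunnel"},
    {"app": "browser", "port": 443, "route": "direct"},
]

# Constructed sample of flows as a packet capture might summarise them.
SAMPLE_FLOWS = [
    Flow("torrent", "203.0.113.5", 6881, "tun0"),
    Flow("torrent", "203.0.113.53", 53, "eth0"),    # DNS lookup outside the tunnel
    Flow("browser", "203.0.113.80", 443, "eth0"),   # direct by policy
    Flow("browser", "203.0.113.80", 80, "eth0"),    # only port 443 is whitelisted
    Flow("vpn-client", "198.51.100.10", 1194, "eth0"),
    Flow("mail", "203.0.113.25", 993, "eth0"),      # app with no rule
]


def decide(flow, rules=RULES):
    """Return "tunnel" or "direct" for one flow."""
    for rule in rules:
        if "app" in rule and rule["app"] != flow.app:
            continue
        if "port" in rule and rule["port"] != flow.port:
            continue
        return rule["route"]
    return "tunnel"


def find_leaks(flows, rules=RULES, tunnel_iface="tun0"):
    """Flows the policy sends through the VPN that left on another interface."""
    return [
        f for f in flows
        if ipaddress.ip_address(f.dst) != VPN_SERVER  # the tunnel itself rides the physical link
        and decide(f, rules) == "tunnel" and f.iface != tunnel_iface
    ]
```

Defaulting unmatched traffic to the tunnel means a newly installed app shows up as a leak in the audit instead of silently using the unencrypted path.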
See also: Best VPNs for split tunneling
What are VPN tunneling protocols?
A VPN tunneling protocol sets the rules for how your device and the VPN server communicate. Not all protocols are equal, and they each have their advantages and disadvantages. You can often choose between protocols in your VPN app settings.
Here are some of the most common VPN tunneling protocols in use today:
- OpenVPN: an open-source protocol that offers strong security and medium speed, and usually requires a third-party app to use. This is the most popular protocol among consumer VPN apps. Uses SSL encryption.
- WireGuard: a newer open-source protocol with fast speeds and decent security, though users’ IP addresses are stored on the server by default. Uses ChaCha20 encryption and usually requires a third-party app. You can find out more in our Best VPNs with WireGuard article.
- IKEv2: A medium-speed protocol that’s great at quickly reconnecting after losing signal, which makes it ideal for mobile users. Uses IPsec encryption. Support comes built into many newer devices.
- L2TP: A medium-speed protocol that comes built into many popular operating systems like Windows, macOS, iOS, and Android. Uses IPsec encryption.
- SSTP: Similar to L2TP but exclusive to Microsoft systems, such as Windows.
- PPTP: A fast but insecure protocol that shouldn’t be used due to known security vulnerabilities.
Many VPN apps have multiple protocols available to choose from. Some even have their own proprietary protocols, often based on those above. NordVPN’s NordLynx, ExpressVPN’s Lightway, VyprVPN’s Chameleon, and Hotspot Shield’s Hydra Catapult are all examples of proprietary VPN protocols.
Best VPNs that use tunneling
Some VPNs have faster or more secure tunnels than others. Comparitech tests and reviews dozens of VPNs to find out which ones will best protect your data while delivering high speeds and access to region-locked content around the world.
Here are our top picks for VPNs with the most secure tunneling:
1. NordVPN
Apps Available:
- PC
- Mac
- iOS
- Android
- Linux
- FireTV
Website: www.NordVPN.com
Money-back guarantee: 30 DAYS
NordVPN operates a huge network of servers around the world and is the fastest VPN we’ve tested. It works in China, unblocks Netflix and many other streaming services, and uses leak-proof encryption. You can connect up to six devices at once, with apps available for Windows, macOS, iOS, Android, Fire TV, and Linux. Live chat support is available 24/7 on the website.
Supported tunneling protocols include NordLynx (WireGuard), OpenVPN, and IKEv2. Split tunneling is not supported, but an app-specific kill switch will cut selected programs off from the internet if the VPN connection drops for any reason.
Pros:
- Fastest VPN
- No logs
- Strong encryption
- Unblocks lots of streaming sites
- 24/7 live support
Cons:
- iOS app might not work in China
- Android app has no kill switch
BEST FOR TUNNELING: NordVPN is the fastest VPN around and boasts excellent security. Try it risk-free with a 30-day money-back guarantee.
Read our full NordVPN review.
2. Surfshark
Apps Available:
- PC
- Mac
- iOS
- Android
- Linux
Website: www.Surfshark.com
Money-back guarantee: 30 DAYS
Surfshark is a budget-friendly provider that doesn’t skimp on speed or privacy. It’s great for unblocking region-locked content like Netflix, Amazon Prime, BBC iPlayer, and Hulu. You can connect an unlimited number of devices at once, which makes this a great deal for a family or group of housemates.
Surfshark supports the following protocols: IKEv2, OpenVPN, WireGuard, and Shadowsocks.
Apps are available for Windows, macOS, iOS, Fire TV, and Linux.
Pros:
- Unlimited connections
- Unblocks streaming sites well
- No logs
- Strong encryption
Cons:
- Average speed
- Smaller number of servers
BUDGET CHOICE: Surfshark is a great unblocker with unlimited connections on a single plan. Try it out with a 30-day money-back guarantee.
Read our full Surfshark review.
3. ExpressVPN
Apps Available:
- PC
- Mac
- iOS
- Android
- Linux
Website: www.ExpressVPN.com
Money-back guarantee: 30 DAYS
ExpressVPN is a premium service with rock-solid apps and fast performance. It’s great for unblocking region-locked streaming services like Netflix, BBC iPlayer, Hulu, and Prime Video. The apps for Windows, macOS, iOS, Android, Fire TV, Linux, and certain Wi-Fi routers are all leak-proof and use the strongest available encryption. When it comes to security, ExpressVPN is at the front of the pack.
Supported protocols include Lightway (ExpressVPN’s proprietary protocol), OpenVPN, L2TP, and IKEv2. Split tunneling allows you to choose which apps use the VPN and which use a direct, unencrypted connection.
ExpressVPN reliably bypasses China’s Great Firewall. You can connect up to five devices at a time. Live chat support is available 24/7.
Pros:
- Extremely secure
- Easy to use
- Unblocks most streaming services
- Huge server network
Cons:
- On the pricier side
- Average speed
SECURE TUNNEL: ExpressVPN is a privacy-first VPN. It works with a wide range of devices and offers an all-around excellent service. Comes with a 30-day money-back guarantee.
Read our full ExpressVPN review.
4. CyberGhost
Apps Available:
- PC
- Mac
- iOS
- Android
- Linux
Website: www.Cyberghost.com
Money-back guarantee: 45 DAYS
CyberGhost is an easy-to-use VPN that makes unblocking streaming services and securing your web browsing simple. Users can choose the streaming service they want to unblock right from the app instead of guessing at which server to use. CyberGhost uses strong encryption and keeps no logs of its users’ activity or other identifying information.
CyberGhost supports the WireGuard, OpenVPN, IKEv2, L2TP, and PPTP protocols. You can connect up to seven devices at once on Windows, macOS, iOS, Android, Fire TV, and Linux.
Pros:
- Easy to use
- Good security
- No logs
- Unblocks tons of streaming services
Cons:
- Doesn’t work reliably from China or UAE
EASY VPN TUNNEL: CyberGhost packs great security, speeds, and unblocking into user-friendly apps. It comes with a 45-day money-back guarantee.
Read our full CyberGhost review.
5. IPVanish
Apps Available:
- PC
- Mac
- IOS
- Android
- Linux
Website: www.IPVanish.com
Money-back guarantee: 30 DAYS
IPVanish has long been a favorite among torrenters and Kodi users. It unblocks Netflix and a few other streaming services, but it’s not a region-unblocking powerhouse like others on this list. Instead, IPVanish is all about security. You can even change your IP address at set intervals and enable obfuscation to avoid detection.
Like Surfshark, IPVanish lets you connect as many devices as you want on a single plan. Apps are available for Windows, macOS, iOS, Android, and Fire TV.
IPVanish protocols consist of IKEv2, OpenVPN, L2TP, IPsec, and PPTP.
Pros:
- Strong security
- No logs
- Good for torrenting
Cons:
- Not the fastest
- Can’t unblock as many streaming services
SECURE TUNNEL: IPVanish is a solid VPN if you want to maximize privacy and security on all the devices in your house. It’s backed by a 30-day money-back guarantee.
Read our full IPVanish review.