Our pick of the best VPNs are NordVPN and ExpressVPN.
So what’s a VPN tunnel?
When you browse websites without a VPN, the data that’s sent from your router via your ISP to the website is visible to anyone that can hack into the connection. However, that’s not to say all the data is readable. When you use a website with HTTPS, the information is encrypted so a hacker can’t read it. This is important when you’re using online banking or making a purchase: you don’t want your address and financial details to fall into the wrong hands. Of course, not every site uses HTTPS and not all information sent via HTTPS is encrypted. For example, it’s still possible for someone to see that you’ve visited a particular website, even if your credit card details are encrypted. This is where VPNs come in. Technically a VPN doesn’t mean the data is encrypted, it means it is encapsulated. This is why it’s called a VPN tunnel: the connection between your computer and the VPN server is essentially a tunnel which protects the data being transmitted within it from being accessed by anyone else. It’s a bit like a tunnel for cars: the concrete tunnel itself protects the cars driving through it from the water or earth above crashing down. Most – if not all – VPN services also encrypt the data that’s sent through the tunnel, offering a second layer of protection. Currently, most VPN services favour the OpenVPN protocol which – as the name suggests – is open source. It means that the code is publicly available and can be checked for security flaws. However, this protocol isn’t available on every device and typically can only be used if the VPN service offers an app for the operating system your device runs. NordVPN recently announced it would stop supporting the outdated L2TP/IPSec and PPTP protocols which are now considered insecure.
Does a VPN tunnel mean the data is always encrypted?
Once the data reaches the VPN server, which could be in a different country, it is decrypted and sent onto the intended recipient, which could be a website or an email server – or something else.
The reason the data can’t remain encrypted for the whole journey is that the final recipient doesn’t have the means to decrypt it. The VPN server acts as a middle man and obfuscates the origin of the data so that final recipient has no idea where (or who) it has come from. However, this doesn’t mean you can’t have end-to-end encryption. You simply need to use a service which does this already. And if the data you’re sending is already encrypted (such as an email from one Gmail account to another) then the VPN adds a second layer of encryption which is removed when the data is forwarded on from the VPN server.
Related articles for further reading
All security news Best antivirus software for Windows (plus free options) Best antivirus deals How to hide your IP address What is a VPN and why you need one How to use a VPN How to speed up a VPN Best VPN services (plus free options) Best VPN deals
Jim has been testing and reviewing products for over 20 years. His main beats include VPN services and antivirus. He also covers smart home tech, mesh Wi-Fi and electric bikes.