How VPN Encryption Works

Security is hard. It's hard to implement, hard to break, and hard to understand. Let’s dive in to the world of encryption and VPNs and get a better understanding of how encryption can and can’t protect you.

A brief history of encryption on the Web

In the beginning the Internet was wide open. It was easy to sniff the data flowing over a network, read people’s emails, instant messages, web browsing, etc. Online banking was one of the first mainstream applications for encryption, but more and more websites adopted encryption as the technology went mainstream. Now the HTTPS URL (indicating that encryption is used) has become the de-facto standard on the web.

The two pieces: Encryption and Trust

Internet security is a puzzle with two pieces: Encryption, and Trust.


Encryption is a technique for scrambling data in such a way that it can only be de-scrambled by an authorized recipient.


To communicate securely, you need to trust that the person at the other end of the communication is who they claim to be. The concept of Trust is central to the integrity of secure communication.

illustration 1


A criminal wants to steal people’s bank passwords. He creates a fake login page for the bank (let’s call it Sun Bank) and puts it on the web. He might even spoof the domain name so that when you go to, you end up at the fake website. You enter your login and password, and now the criminal has that information and can go to your bank and log in as you. Fortunately for us, HTTPS works to prevent this by employing a concept called the Chain of Trust.

illustration 2

The chain of trust works like this: your web browser has a list of certificate authorities who are implicitly trusted to verify the identities of web servers. To operate a secure website, a webmaster must request a certificate for their server from one of these authorities. This certificate includes an assurance from the authority that you are who you claim to be, as well as a public key which is used to validate identity.

Tip: You can click the lock icon next to the URL in your browser to see the chain of trust for that website.

When trust fails

At some point in your web-browsing life, you've probably seen an error like “Expired Certificate” or “Couldn’t establish a secure connection.” These are certificate errors and they mean that the website you’re talking to is not fully trusted. This can be due to things like an expired certificate or a domain name mismatch.

Encryption and VPN

A VPN is an encrypted tunnel from one endpoint to another. Historically, VPNs were used so that remote workers could connect to a company’s secure network and access things like company file servers and websites. Today, VPNs are often used to provide general Internet access in services like NetShade.

A VPN uses encryption in much the same way as HTTPS. The user and the VPN server present identity certificates to one another, and verify them. An encrypted data tunnel is then negotiated between the end-user’s machine and the VPN server. All the user’s Internet traffic is routed through this tunnel to the VPN provider, and from there the provider routes your traffic to the Internet. This middle-man approach has the effect of hiding your IP address and assuring that your data is encrypted.

illustration 3

Different VPN backends

There are a number of types of VPN connection, and different software implementations of each. NetShade uses two of the more popular ones: OpenVPN and IPSec.


OpenVPN is a very popular VPN. In terms of programming, it was designed and written in a more high-level way than IPSec, operating more as an attachment to your computer’s network plumbing rather than a rework of the plumbing system itself. It's a large open source codebase, portable, and widely-used.
OpenVPN is the backend in NetShade for Mac.

IPSec family

IPSec is the old standard VPN technology, backed heavily by network giants like Cisco and Juniper. It can be more difficult to set up than others, but its strong corporate presence means it’s well-supported across platforms.
IPSec/IKEv2 is the backend in NetShade for iOS.

The protection you get from a VPN

In 2023, much of the encryption provided by a VPN is redundant since HTTPS is standard. Still, VPN provides a lot of protection by removing IP addresses from the tracking equation. By having all your traffic flow through a single VPN IP address, the addresses of the sites you visit are not visible. This gives your ISP or WiFi provider less of a window into you. Additionally, the sites you visit have far less ability to track you because they can’t find your real IP address.
Use Private / Incognito windows in your browser for extra protection against tracking.

How VPN Connections get Blocked

There’s always been an arms race between the VPNs and the blockers. As blockers get more creative, the VPNs respond. The old style IP-based blocking remains in force, but it’s now augmented by a new, smarter type of blocking called DPI.

Who blocks VPNs, and why?

Governments, streaming services, community websites, online games, and others block VPNs from time to time. The reasons for blocking a VPN are diverse, ranging from a government that wants to control its people’s information, to a blog site that’s fighting spam, to a streaming service with advertisers to please.

Blocking methods

The cat-and-mouse game of IP blocking continues.

The old way: IP-based blocking

This is the oldest and most basic way to block VPNs. If somebody wants to block VPNs, the simplest way to do this is to keep a list of known VPN servers and block all their IP addresses. NetShade’s relatively small size has at times been an advantage here. Our servers sometimes fly “under the radar” because they’re not doing mega-volume.

The new way: Content-based blocking

A few years ago, some providers started getting more clever about how to block VPN. Egypt abruptly switched on Deep Packet Inspection around 2017, whereas other Internet-restrictive nations had been rolling it out gradually over the past decade.

With DPI, an access provider actually inspects the content of the packets that flow across their network, not simply the origin and destination. They can sniff out an OpenVPN handshake and block the connection before it completes.

NetShade’s way around Deep Packet Inspection

We implemented a unique approach to circumvent blocking with the release of NetShade 8.

Dynamic wrapping of VPN tunnels

NetShade 8 is able to wrap its VPN tunnels inside a second layer of encryption. This happens dynamically, as-needed, and is transparent to the user.

Here’s how it works. You select a VPN server in NetShade on your Mac, and NetShade tries to open an OpenVPN connection. If the connection fails, NetShade assumes that it may be blocked by Deep Packet Inspection. NetShade then tries “Plan B,” wrapping the connection inside a second layer of encryption using stunnel. Although this layer of encryption is mostly redundant from a security standpoint (and its overhead is undesirable,) it does have the effect of scrambling the recognizable OpenVPN handshake. This layering of technologies is transparent to the user, and happens behind-the-scenes without the end user being aware of it.

The Internet is ever-evolving, and so the content blocking arms race continues.

Internet Security in 2023

The past decade brought sweeping changes to Internet security. The typical Internet user is better protected today than 10 years ago, but the hacker is better equipped too.

Let’s take a look at where things stand today, and reflect a bit on how we got here.

Are people spying on my Internet traffic?

Nowadays, probably not. VPN providers sometimes try to scare people into thinking that unless they use a VPN, their traffic is open for all to see. That’s not the case anymore. Secure websites are the norm in 2023, which means your traffic is encrypted by default on most sites. That’s good for everybody.

Do I still need a VPN?

The encryption provided by a VPN isn’t as useful as it once was, but the anonymity can still be very valuable.

If you don’t fully trust the other parties in your Internet activities, i.e. the servers and companies running the websites you visit, then you should use a VPN. A VPN is the most effective way to prevent the sites you visit from seeing who you are and profiling your Internet activity. For these sites, it’s also a good idea to use the Private Window feature in Safari, or Incognito Window in Chrome to limit cookie-based tracking.

On the other hand, if you have complete trust in the other side of your connection (your bank might be an example of a website you can fully trust,) then a VPN is not necessary. In fact, using the wrong VPN can be more hazardous than not using one at all when accessing sensitive information.

Need to know: You give your VPN provider a ton of data.

This is the part of the security equation that often gets overlooked. It’s important to understand that when you use a VPN, you’re giving the VPN provider access to a comprehensive record of your Internet activity. Only your ISP can log more data about you than your VPN provider.

If the VPN is free or “lifetime”, then you are probably the product.

Data is valuable. Tech companies have built empires solely on data they harvest from users. VPNs, especially the large ones, are sitting on a potential gold mine of user data. For this reason it’s important to make a judgement about how much trust to place in your VPN provider. This includes evaluating their stated policies as well as making a value judgement as to their trustworthiness. Where are they incorporated? How long have they been in business? How transparent are they? How do they pay for their server and infrastructure costs? Do they keep user access logs?

If you can’t trust your VPN, you’re better off not using it.

There have been incidents of well-known VPN services who turned out to be bad guys. The Internet can be a sketchy place, so it’s not too surprising that some of these providers are up to no good.

What about iCloud+ Private Relay?

Apple introduced their own “not a VPN” solution called Private Relay. iCloud+ subscribers can use Private Relay on their Mac and iOS devices (only in Safari), and thwart trackers and marketers by routing traffic through a series of two relay IP addresses. The cool thing about this technique is that it ensures neither of the two relay servers has enough information to tie your activity to your identity. Unlike a VPN, Private Relay does not proxy all your traffic, nor does it add encryption.

Private Relay is a good idea, and Apple is a rare example of a big tech company that respects their users. If you use Safari and are already an iCloud+ subscriber I think it makes sense to use Private Relay as an “always-on” thing, and use a VPN for added security and protection when desired.

Thanks for reading.

I’ll do infrequent write-ups like this on security topics in the future. I’ll try to keep them light on marketing and heavy on information. If you found this interesting, I hope you’ll stay subscribed and read some future posts.