How VPN Encryption Works

Security is hard. It's hard to implement, hard to break, and hard to understand. Let’s dive in to the world of encryption and VPNs and get a better understanding of how encryption can and can’t protect you.

A brief history of encryption on the Web

In the beginning the Internet was wide open. It was easy to sniff the data flowing over a network, read people’s emails, instant messages, web browsing, etc. Online banking was one of the first mainstream applications for encryption, but more and more websites adopted encryption as the technology went mainstream. Now the HTTPS URL (indicating that encryption is used) has become the de-facto standard on the web.

The two pieces: Encryption and Trust

Internet security is a puzzle with two pieces: Encryption, and Trust.


Encryption is a technique for scrambling data in such a way that it can only be de-scrambled by an authorized recipient.


To communicate securely, you need to trust that the person at the other end of the communication is who they claim to be. The concept of Trust is central to the integrity of secure communication.

illustration 1


A criminal wants to steal people’s bank passwords. He creates a fake login page for the bank (let’s call it Sun Bank) and puts it on the web. He might even spoof the domain name so that when you go to, you end up at the fake website. You enter your login and password, and now the criminal has that information and can go to your bank and log in as you. Fortunately for us, HTTPS works to prevent this by employing a concept called the Chain of Trust.

illustration 2

The chain of trust works like this: your web browser has a list of certificate authorities who are implicitly trusted to verify the identities of web servers. To operate a secure website, a webmaster must request a certificate for their server from one of these authorities. This certificate includes an assurance from the authority that you are who you claim to be, as well as a public key which is used to validate identity.

Tip: You can click the lock icon next to the URL in your browser to see the chain of trust for that website.

When trust fails

At some point in your web-browsing life, you've probably seen an error like “Expired Certificate” or “Couldn’t establish a secure connection.” These are certificate errors and they mean that the website you’re talking to is not fully trusted. This can be due to things like an expired certificate or a domain name mismatch.

Encryption and VPN

A VPN is an encrypted tunnel from one endpoint to another. Historically, VPNs were used so that remote workers could connect to a company’s secure network and access things like company file servers and websites. Today, VPNs are often used to provide general Internet access in services like NetShade.

A VPN uses encryption in much the same way as HTTPS. The user and the VPN server present identity certificates to one another, and verify them. An encrypted data tunnel is then negotiated between the end-user’s machine and the VPN server. All the user’s Internet traffic is routed through this tunnel to the VPN provider, and from there the provider routes your traffic to the Internet. This middle-man approach has the effect of hiding your IP address and assuring that your data is encrypted.

illustration 3

Different VPN backends

There are a number of types of VPN connection, and different software implementations of each. NetShade uses two of the more popular ones: OpenVPN and IPSec.


OpenVPN is a very popular VPN. In terms of programming, it was designed and written in a more high-level way than IPSec, operating more as an attachment to your computer’s network plumbing rather than a rework of the plumbing system itself. It's a large open source codebase, portable, and widely-used.
OpenVPN is the backend in NetShade for Mac.

IPSec family

IPSec is the old standard VPN technology, backed heavily by network giants like Cisco and Juniper. It can be more difficult to set up than others, but its strong corporate presence means it’s well-supported across platforms.
IPSec/IKEv2 is the backend in NetShade for iOS.

The protection you get from a VPN

In 2023, much of the encryption provided by a VPN is redundant since HTTPS is standard. Still, VPN provides a lot of protection by removing IP addresses from the tracking equation. By having all your traffic flow through a single VPN IP address, the addresses of the sites you visit are not visible. This gives your ISP or WiFi provider less of a window into you. Additionally, the sites you visit have far less ability to track you because they can’t find your real IP address.
Use Private / Incognito windows in your browser for extra protection against tracking.