SmartAdvisorOnline

Checked for UK readers: 27 June 2026

Follow the packet from the device to the VPN server and onward

The app authenticates, negotiates keys, creates a virtual interface and routes selected traffic through encryption. The VPN server then forwards traffic to its destination using the server public IP.

UK practical context

AreaWhat it meansA good first step
ApplicationCreates normal web or app trafficHTTPS still protects the application layer
VPN interfaceSelects routes and encrypts packetsSplit tunnelling determines what is included
BT/Sky/Virgin/TalkTalk or mobile carrierCarries encrypted packets to the VPN serverCan observe timing, volume and server address
VPN serverDecrypts and forwards trafficProvider trust and logging matter
Destination serviceReceives traffic from the VPN exitAccounts and device signals remain visible

Where to start

  1. Authenticate through the official app.
  2. Complete the protocol handshake and server validation.
  3. Create routes for intended traffic.
  4. Send DNS through the intended path.
  5. Forward traffic from the VPN server to the destination.
  6. Rekey, reconnect and block fallback safely when conditions change.

Common questions

Why does a VPN change my IP?

Websites see the public address of the VPN server forwarding the connection.

Is all traffic encrypted forever?

It is encrypted between the device and VPN server; HTTPS and other application encryption protect the onward path.

Why can DNS still leak?

Operating-system, browser or router settings may send DNS outside the intended tunnel.

The details below are general guidance and may not fit every network or account. Follow UK law, network policy, account requirements and platform terms.

How a VPN works: encrypted tunnel, metadata shielding, and protocol stack visual
Updated: 20 June 2026 Test focus: tunnel logic + encryption Data: protocol visualisers + lab widgets By Denys Shchur

How a VPN works on UK broadband and mobile networks

July 2026 update: this guide now covers post-quantum key exchange, double encapsulation, NordLynx, WireGuard roaming, and Proton Stealth traffic disguise - because “a secure tunnel” is no longer enough as an explanation.
Short answer A VPN works by creating an encrypted tunnel between your device and a VPN server. Your original traffic is wrapped inside a second packet, protected with session keys, then sent through that tunnel. Websites see the VPN server’s IP instead of your own, while your ISP mostly sees encrypted traffic heading to a VPN endpoint. The result depends on protocol choice, DNS routing, kill switch behaviour, and whether your provider handles IPv6, metadata leaks, and future-ready key exchange properly.
Disclosure: We may earn affiliate commissions if you buy via our links. This helps fund testing and tool maintenance. See Disclosure.

This page is the foundation of the whole site, so it cannot stop at the old cartoon version of a VPN. If you already know the words tunnel, encryption, and IP change, the useful question is what those words actually mean in motion. Which packet gets wrapped? What does the server decrypt? What still leaks if DNS or IPv6 is wrong? Why does WireGuard vs NordLynx matter in practice? And why are modern providers talking about quantum-safe handshakes instead of just repeating “AES-256” like it ends the conversation?

To answer that honestly, we will walk through the real sequence: device → handshake → key exchange → encapsulation → VPN server → destination site. Along the way, we will compare this guide with What Is a VPN, VPN Encryption, VPN Protocols Comparison, DNS Leak Protection, VPN Kill Switch, VPN Security Basics, VPN Speed Test, and VPN Setup Guide. Those pages answer the side questions; this one shows the whole machine.

The 2026 encryption evolution

saying “a VPN uses AES-256” is not wrong, but it is incomplete. Strong providers now talk about how the session keys are negotiated, more than how the payload is encrypted after the tunnel is up.

Traditional VPN marketing used to stop at the cipher layer: AES-256, ChaCha20, military-grade, end of story. The real pressure point is the handshake. A modern tunnel first negotiates short-lived session keys, then uses those keys to encrypt data packets. That matters because an attacker can capture traffic today and try to decrypt it later. Post-quantum readiness has entered the VPN conversation. The issue is not that quantum computers are breaking your home Wi-Fi right now. The issue is “harvest now, decrypt later”: someone stores encrypted traffic now, hoping that a future breakthrough makes old key exchange easier to crack.

That is where providers like NordVPN and Proton frame their 2026 security story differently. NordVPN pushes the idea of a NordLynx stack that keeps overhead low while hardening key negotiation. Proton’s privacy-first positioning leans into Stealth and anti-censorship, but also into quantum-resistant upgrade paths for session establishment. The practical message is simple: payload encryption alone is not enough. You also need resilient key exchange, fast renegotiation, and sane defaults when networks change under you.

Tunnel path visualiser

Switch between three real-world protocol personalities and watch what changes inside the tunnel.

🔬 Tunnel path visualiser

The particles below represent traffic after the handshake. Different stacks optimize for different goals: low overhead, stealth, or fast network roaming.

ENCAPSULATED PACKET
Profile
Low-overhead encrypted tunnel
Header overhead
Minimal
What changes
Fast packet framing
Best use case
Speed + daily stability
NordLynx shows what people like about modern WireGuard-class design: less baggage, faster setup, and fewer bytes wasted in every packet. The tunnel feels quick before you even start a download.

Double encapsulation, step by step

Here is the technical core. Your original application packet exists first - for example, a browser request to a website. A VPN client does not magically replace that packet. Instead, it wraps the original packet inside a second transport structure, encrypts the payload, adds a new outer header, and sends the result to the VPN server. That is what people mean by encapsulation. The destination website never sees your original source IP because the outer packet is addressed to the VPN server first.

Double encapsulation: packet inside packet Original packet Inner IP header TCP / UDP details Payload VPN-wrapped packet Outer IP header → VPN server Protocol framing / tunnel metadata Encrypted inner packet The original packet is now hidden here VPN server 1) Reads outer header 2) Decrypts inner packet 3) Forwards original request 4) Replies back through tunnel The key idea: the outer packet gets your traffic to the VPN server; the inner packet remains protected until the server decrypts it.
Diagram 1 - Your website request is wrapped, encrypted, then carried to the VPN server inside a new packet.

The Metadata Mirror

Encryption protects content, but the useful question is what each observer can still infer. Here, many users finally understand why a VPN helps - and why it does not make you invisible.

🪞 The Metadata Mirror

Left: what a plain connection reveals. Right: what a tunnel collapses into a much smaller signal.

WITHOUT VPNobserver: ISP / hotspot
User visiting: yourbank.com
Location hint: Berlin
Device class: iPhone / mobile Safari
Action pattern: login + MFA page
DNS resolver: ISP controlled
WITH VPNobserver: ISP / hotspot
Encrypted packet stream → VPN endpoint 185.x.x.x
Destination site: unknown
Protocol profile: NordLynx / Stealth / WireGuard
DNS path: inside tunnel if configured correctly
Payload content: not readable here
A VPN reduces the amount of readable information available to your ISP or a hostile Wi-Fi network, but it does not erase every signal on the internet. Websites can still use cookies, account sessions, browser behaviour, and device fingerprints. This guide pairs naturally with DNS leak protection, kill switch, and security basics.

Protocol implementation examples

Partner Tech Stack 2026
Technology NordVPN Surfshark Proton VPN
Main engine NordLynx (fastest feel) WireGuard (universal) Stealth (anti-censorship focus)
2026 protection angle Post-quantum ready direction Dynamic MultiHop logic Secure Core + privacy-first routing
Special strength Threat Protection Pro NoBorders Mode Open source & audited
Typical July 2026 speed class 940+ Mbps 880+ Mbps 890+ Mbps

Post-quantum readiness explainer

The point of this widget is not to claim that consumer VPNs have already solved quantum cryptography forever. The point is to show the risk model shift. Old-school explanations focused on whether data is encrypted now. A 2026 explanation also asks whether the handshake will still look safe if captured traffic is stored for years.

🛡️ Post-quantum readiness explainer

Simulate the difference between weak legacy key exchange assumptions and quantum-aware tunnel upgrades.

Legacy model

Static or older handshake assumptions. Fine against many current threats, weaker against long-term “capture now, break later” thinking.

Status: waiting

NordLynx-style modern tunnel

Fast tunnel plus stronger handshake thinking and short-lived keys reduce the value of stored captures.

Status: waiting

Proton privacy-first path

Stealth, anti-censorship transport, and stronger key negotiation logic improve resilience where metadata and future decryption both matter.

Status: waiting

What the full flow looks like in real life

Once the handshake is complete, the tunnel behaves like a protected route. Your device sends wrapped packets to the VPN server, the server decrypts the inner request, then forwards it to the destination site using its own public IP. The reply comes back to the VPN server, gets wrapped again, and travels back through the tunnel to your device. Your browser thinks “the internet still works normally” while the network path underneath is completely different.

End-to-end VPN flow Your device App creates original packet VPN client Encrypts + wraps packet VPN server Decrypts + forwards request Website / app Sees VPN IP, not yours encrypted tunnel public internet side Outgoing request and incoming reply use the same tunnel logic in reverse, which is why session continuity matters so much on mobile networks.
Diagram 2 - The VPN server becomes the public-facing source of your request.

What a VPN does not do

A VPN is powerful, but it is not a magic invisibility cloak. It does not clean up a browser profile full of long-lived cookies. It does not automatically stop every tracker. It does not prevent you from logging into the same account with the same device fingerprints across multiple regions. It does not fix every captive portal or every unstable Wi-Fi network. And it does not help much if your tunnel is fine but your app is leaking through IPv6 or DNS.

Your practical checklist should always include a few boring but critical steps: confirm your public IP changed, confirm your DNS moved into the tunnel, confirm IPv6 is handled correctly, and keep a kill switch ready for drops. If you use a VPN mostly on hostile networks, compare this page with VPN for Public Wi-Fi. If you are still setting things up, use VPN Setup Guide after reading this one.

What a VPN hides vs. what still exists Usually hidden or reduced • Your home IP address • Packet content on local Wi-Fi • DNS requests, if DNS is routed correctly • Simple region checks based only on IP Still relevant • Cookies and account sessions • Browser or device fingerprinting • App-level GPS / time zone mismatch • Bad DNS / IPv6 configuration
Diagram 3 - A VPN changes the path and shields content, but it does not erase every tracking or identity signal.

A clean way to test your own tunnel

  1. Connect to a region you actually need instead of country-hopping at random.
  2. Check whether your public IP changed.
  3. Run the Leak Test Tool and verify DNS plus IPv6.
  4. Confirm the kill switch works by disconnecting the tunnel during an active page load.
  5. If performance feels off, compare against VPN Speed Test and protocol-specific pages like WireGuard vs NordLynx.
Marketing diagrams leave out most of the useful detail. A DNS test often shows that the tunnel is working and the fault sits in the routing around it.

So which implementation makes the most sense in 2026?

If you care most about speed plus sane defaults, NordVPN’s NordLynx story is still one of the easiest ways to understand how a modern VPN should feel: quick handshake, low packet overhead, and enough maturity to behave well across daily use. If you want broad value and lots of device coverage, Surfshark’s WireGuard-first simplicity is practical. If your main concern is censorship resistance and privacy posture, Proton’s Stealth and Secure Core framing makes sense. None of that changes the physics of tunnelling. It changes how well the provider implements the tunnel under real conditions.

FAQ

Does a VPN hide my traffic from websites too?
Websites still see your requests, but they see them arriving from the VPN server. They do not get your home IP from the network path itself, although they can still infer identity from cookies, accounts, and fingerprinting.

Why is DNS so important if the tunnel is encrypted?
Because a DNS leak can reveal what domains you request even while the main tunnel looks “connected”. DNS leak protection matters just as much as the protocol badge in the app.

Why can a VPN reconnect when I switch from Wi-Fi to 5G?
Modern protocols like WireGuard-class designs are good at fast roaming, which is why the session can recover faster when your network changes underneath you.

Is post-quantum protection already mandatory?
Not mandatory for every user, but increasingly relevant as providers harden their handshake logic against long-term capture-and-decrypt risks.

Author Denys Shchur

About the author

Denys Shchur writes practical VPN and privacy explainers with a strong bias toward real-world testing, leak verification, and configuration clarity.

Author page: About Denys Shchur

Updated on 27 June 2026. We refresh this guide as protocols, key exchange practices, and VPN app defaults evolve.

Last verified by SmartAdvisorOnline Lab:
Leak Test (IP / DNS / IPv6 / WebRTC)
Verification date:

Related guides

  1. Start withWhat is a VPN? A practical explanation for UK users
  2. Then readWhy use a VPN in the UK? Useful cases, limits and trust trade-offs
  3. Related caseVPN FAQ for UK users: clear answers about privacy, speed and legality