I’m trying to wrap my head around this concept. I understand what a VPN is, what it does, etc… But what I can’t seem to comprehend is how my traffic is encrypted and obscured from the view of my ISP, but yet, the very pathway to the VPN server begins with my WAN leaving my FiOS ONT.
Can someone break this out just a bit?
For this description I will talk about commercial VPNs, business VPNs operate in a slightly different manner. Read the bolded paragraphs for the TLDR.
The image that most vpn adverts give off is very misleading - resulting in many believing your traffic is funneled directly to the vpn servers, secure and privately, giving you complete protection from the internet and its “evils”.
You are right, as you pointed out, the traffic has to travel through your ISPs infrastructure to get to the vpn servers.
So how does it work? Usually your traffic travels to the ISP which is then routed to wherever you need. The ISP in this case can see exactly which domains you are connecting to via the dns queries - they cannot see the contents of the pages you are visiting due to TLS 128-bit encryption via the HTTPS protocol.
With a vpn, the traffic is first encrypted by the app or service present on the device, this encrypted traffic then travels to the ISP - who cannot read this encrypted traffic - then travels to the VPN servers. At the VPN servers, the encrypted traffic will then be decrypted, then routed to wherever you need.
Any vpn worth their salt would employ some form of traffic encryption, for example AES-256 bit encryption, or “military-grade” as some would like to boast about (however this is very standard).
Keep in mind the TLS encryption via the HTTPS protocols will be in place the entire time which means the VPN servers cannot see what the contents are either.
By having the VPN servers route the traffic, the public-facing ip address will be of the VPN servers, not your home ip address, keeping your home ip address obscured.
Useful for circumventing ip-based bans, geolocation content blocks on streaming services, hiding your ip from websites, etc. Keep in mind most ISPs employ dynamic ips which means your ip address changes every now and then.
This also ensures the VPN server’s ip address is the one shown in torrents and thus the VPN service provider is the one receiving (and ignoring) the copyright notices if a user was to engage in those kinds of activities.
However this is not a blanket solution for complete anonymity. With enough pressure and visibility, if investigation is somehow necessary due to the user’s activities, the vpn servers may be forced to give up logs or track the traffic. This is why picking a trusted vpn provider is essential.
Additionally, your ISP can see you are using a VPN due to where the traffic is being routed and its encrypted nature. This traffic can be correlated with vpn server traffic to de-anonymize a user if such investigations were required. If a vpn server does not maintain any logs then this cannot be possible.
Thus for day-to-day use, a VPN is only necessary if you’d wish to hide your home ip from the websites you are visiting, circumventing bans, or torrenting copyrighted materials. I’m not allowed to name specifics cause sub rules but just using a trusted DNS provider or using Firefox is enough to give you complete anonymity from your ISP (only) when web browsing.
Firefox has recently rolled out ECH (encrypted client hello) in v120 I’m pretty sure which serves to replace the necessity of having an encrypted DNS provider. Encrypting your DNS queries means that your ISP cannot see where you are visiting, and having HTTPS means that your ISP cannot see the contents of what you are sending/requesting either when web browsing.
A good vpn will always encrypt and route your dns queries through their servers as well.
The data leaving your PC is encrypted sent through your ISP who cannot decrypt your data, it’s then decrypted at the VPN server where it then goes out to the specific person it was meant for, comes back to the VPN where it’s then encrypted back to you through your ISP who still cannot see the contents of the data.
You used your Public IP to connect to the VPN, that’s all your ISP sees. Your ISP cannot see what the VPN does with your data you sent them.
Imagine writing a letter or sending a package, sealing it in an envelope or box, and mailing it off. Your postal carrier cannot see or read the contents of the mailed item because it was in a package/envelope.
Whatever you placed inside the package is your data to the VPN, the postal carrier is your ISP.
You have a point to point link with the VPN server. This uses a UDP data flow to achieve this. Traffic sources from your WAN IP and terminates at VPN. VPN then uses a method similar to your router at home to allow multiple devices to share your internet connection (NAT). The VPN server will see your public IP.
The UDP datagrams are encrypted before leaving your device.
Thank you so much for this detailed explanation! I have a very good grasp for this now, and actually, I just subscribed with a very popular swiss-based VPN provider from whom I also have email service, so I trust them. Thanks again - this was awesome!
By having the VPN servers route the traffic, the public-facing ip address will be of the VPN servers, not your home ip address, keeping your home ip address safe.
Very good explanation, although this one word (safe) serves to perpetuate the marketing misinformation that is so prevalent, and confusing to end users.
I would like to respectfully submit that “obscure” would be a much better way of stating this.
Other than that, great answer. Just sad that by this time tomorrow, someone will likely pose the same question. And the next day, and the next, and…
I completely agree, thanks for picking up on that. Edited my comment for better clarity using your suggestion.
Most people would direct these kinds of questions to the FAQ/wiki but I don’t like it and feel it’s lacking in information and depth in some areas, goes too much into depth in others, and also does not cover enough points such as how dns impacts privacy. Their wording such as “keeping you safe” in some lines also, like you said, “perpetuate the marketing misinformation that is so prevalent, and confusing to end user.”
Some of the stuff they say in the wiki like “(vpns help to) secure crypto assets and ensure safe online banking” is complete bs and does not help dispel the misinformation at all.
Other lines such as the very third one “In short - VPN creates a private “tunnel” from your device to the internet. By doing so, it hides your data through encryption” is also very very extremely misleading.