What Is a VPN? The Encrypted Tunnel That Lets Your PC Pretend It’s in the Office ── Encapsulation, Full vs. Split Tunnels, and How Company VPNs Differ from VPN Apps

“Connect to the VPN before opening any internal systems” ── the button you click every morning of every work-from-home day, exactly as instructed. Could you explain what it actually does? If any of the following sound familiar, read on.

  • You click “Connect VPN” every morning, but you have no idea what it’s doing
  • You were told to “use the VPN” on coffee-shop Wi-Fi, but never got told why
  • You’re not sure whether the “VPN apps” from YouTube ads and your company’s VPN are even the same thing
  • The moment you connect to the VPN, the whole internet somehow feels slower

A VPN (Virtual Private Network) is, in one sentence, a private line your company could never physically run to your house ── built virtually, in software. But that one sentence doesn’t explain why encryption is always part of the story, why there are several kinds of VPN, or what a VPN can and cannot do.

This article stays completely out of setup instructions and walks through:

  • The two problems a VPN solves (§1)
  • Tunneling and encapsulation ── an envelope inside an envelope (§2)
  • Encryption and authentication ── what those few seconds after the connect button really are (§3)
  • The kinds of VPN ── three different things sharing one name (§4)
  • Full tunnel vs. split tunnel (§5)
  • What a VPN cannot do (§6)

── taking the shortest path through the logic of how it works, and nothing else.

| Your question | Section |
|---|---|
| What does it actually do? | §1 / §2 |
| What are those few seconds after I click connect? | §3 |
| Is my company’s VPN the same as a VPN app? | §4 |
| Why does everything get slower on the VPN? | §5 |
| Does a VPN make me safe and anonymous? | §6 |

💡 Tip

This article is the first deep-dive installment of our “how your PC really works” series (IP addresses, DNS, firewalls, and why office networks get slow). It stands on its own, but reading the addresses (IP) and defense (firewall) installments first makes the cause-and-effect line up end to end.

1. The two problems a VPN solves

Before getting into the mechanics, let’s start with what the tool was invented to fix. A VPN solves two problems of very different natures.

1-1. Problem A: Your traffic can be snooped on along the way

When you connect to a company system from home or a coffee shop, your data travels through your home ISP, public Wi-Fi, carrier equipment ── a long stretch of infrastructure that neither you nor your company controls. If anyone along that stretch has bad intentions, your traffic is exposed to snooping and tampering. Public Wi-Fi in particular is, as we saw in the firewall article, a place where total strangers share a network with you.

1-2. Problem B: Internal servers are simply unreachable from outside

The other problem comes before security even enters the picture. Internal file servers and business systems usually only have private IP addresses (the “address inside the house” from the IP address article). Those internal addresses sit behind NAT, the translation desk, and cannot be named as a destination from the internet side ── so forget snooping: from outside, your packets physically cannot get there. And in front of all that stands a firewall, turning away inbound traffic as a matter of policy.

Problem A ── snooped on along the way

 Home PC ──→ public Wi-Fi ──→ carrier ──→ ... ──→ office
              └──── stretch neither you nor your company controls ────┘
                    one bad actor anywhere = snooping, tampering


Problem B ── internal servers are unreachable from outside

 Home PC ──→ internet ──→ ✕ firewall ("inbound traffic: no, by default")
                          ✕ NAT ("internal addresses can't be targeted from outside")
                                └─ and behind it all: the internal server (192.168.x.x)

1-3. One tool, both problems

A VPN solves both at once: it encrypts all your traffic to fix Problem A, and “virtually wires” your machine into the company network to fix Problem B. The next sections take the two mechanisms one at a time.

💡 Tip

“We have HTTPS ── why do we need a VPN?” is a fair question. HTTPS protects exactly one conversation: your browser and that one site. A VPN protects everything leaving your PC, wrapping even the destination information that says where you’re trying to connect. Its coverage is one level broader.

2. Tunneling and encapsulation ── an envelope inside an envelope

2-1. Ordinary traffic travels as postcards

Data flowing through a network (packets) is, by analogy, a postcard. Destination and sender are written where every device along the route can read them. Each device reads the address and relays the card onward. That’s the internet working exactly as designed ── but flip it around, and it means anyone along the route can read the address.

2-2. Encapsulation ── the postcard goes inside an envelope

This is where the VPN changes the game. Instead of sending the postcard as-is, it puts the whole postcard inside an envelope and writes a different address on the outside. This is called encapsulation (wrapping one packet inside another).

Encapsulation ── an envelope inside an envelope

 The original postcard:  [To: internal server | Contents: work data]
                              ↓ encrypted, into the envelope
 The envelope:           [To: company VPN gateway | Contents: ●●●●●●●● (unreadable)]

 What the route sees:
   "an envelope addressed to the company VPN gateway" ── and nothing else

Two things matter here.

  • The contents (the original postcard) are encrypted ── without the key, they cannot be read
  • The outside of the envelope carries exactly one address: the company’s VPN gateway. Which internal server the postcard inside is addressed to ── or what the data even is ── is invisible from the route

This dedicated passage of flowing envelopes is what we call, by visual metaphor, a tunnel. The word tempts you to imagine a private physical line ── but the envelopes are actually traveling over the ordinary public internet. Driving on a public road, yet nobody can see inside: that’s what lets it behave like a private line. This is exactly what “Virtual Private” means.

2-3. Opened at the office ── what “pretending to be in the office” really is

When the envelope reaches the company’s VPN gateway, the gateway unlocks it, takes out the postcard, and releases it straight into the internal network. To an internal server, that postcard looks like any ordinary packet that originated inside the office. Your PC may be sitting in your living room, but your traffic departs from an internal address ── that’s the entire trick behind “acting as if you’d plugged into an Ethernet jack at the office.” Replies make the same trip in reverse, sealed into envelopes and carried back home.

⚠️ Common Pitfall

Tunnel ≠ private line ≠ faster line. The tunnel is “driving the public road in sealed envelopes” ── it never makes the road itself faster. If anything, the envelopes add weight to every load (§5).
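Here is the envelope-in-an-envelope mechanism from §2 (and the “won’t open without the key” point §3-1 makes next) as a runnable toy written for this article, not taken from any VPN product: the gateway address, the shared key and the internal-server address are assumed values, and the cipher is a stand-in encrypt-then-MAC construction, not IPsec, TLS or WireGuard.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Constructed toy, not a real VPN protocol: the "postcard inside an envelope" of §2.
# The seal is counter mode with an HMAC-SHA256 keystream plus an HMAC tag
# (encrypt-then-MAC), standing in for the real ciphers named in §3-1.
GATEWAY_IP = "203.0.113.1"  # assumed company VPN gateway (documentation address range)
TUNNEL_KEY = b"key shared only by this PC and the gateway"  # assumed output of the key exchange


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from the key and a per-envelope nonce."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def build_postcard(inner_dst: str, payload: bytes) -> bytes:
    """The original packet: destination written in the clear, then the data."""
    return inner_dst.encode() + b"|" + payload


def seal(key: bytes, postcard: bytes) -> dict:
    """Encapsulate: encrypt the whole postcard and address the envelope to the gateway."""
    nonce = os.urandom(12)
    body = bytes(p ^ k for p, k in zip(postcard, _keystream(key, nonce, len(postcard))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return {"outer_dst": GATEWAY_IP, "nonce": nonce, "body": body, "tag": tag}


def route_view(envelope: dict) -> str:
    """Everything a device between home and the office can read: the outer address only."""
    return f"envelope for {envelope['outer_dst']}, {len(envelope['body'])} sealed bytes"


def gateway_open(key: bytes, envelope: dict) -> Optional[Tuple[str, bytes]]:
    """Decapsulate at the gateway: check the seal first, then recover the inner destination."""
    expected = hmac.new(key, envelope["nonce"] + envelope["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None  # wrong key or tampered in transit: the envelope stays shut
    ks = _keystream(key, envelope["nonce"], len(envelope["body"]))
    postcard = bytes(c ^ k for c, k in zip(envelope["body"], ks))
    inner_dst, payload = postcard.split(b"|", 1)
    return inner_dst.decode(), payload  # released into the office LAN as an ordinary packet


if __name__ == "__main__":
    env = seal(TUNNEL_KEY, build_postcard("192.168.10.5", b"GET /quarterly-report"))
    print(route_view(env))  # the route never learns the inner address 192.168.10.5
    print(gateway_open(TUNNEL_KEY, env))
```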

3. Encryption and authentication ── the envelope’s lock, and the doorman at the entrance

3-1. Encryption ── an envelope that won’t open without the key

What protects the envelope’s contents is encryption. The data is transformed using keys known only to your machine and the company’s VPN gateway; to any third party without the key, it’s meaningless noise. Even if someone plucks an envelope off the route, the contents stay sealed. VPNs are often categorized by their encryption scheme (IPsec, TLS-based, WireGuard, and so on), but the structure ── “carried in a locked envelope” ── is the same in every one of them.

3-2. Authentication ── the doorman at the tunnel entrance

The other pillar is authentication. The tunnel entrance is an entrance to the company network ── so unless the gateway first confirms that the person sending envelopes is actually an employee, no amount of strong encryption means anything. The current standard combines ID and password with a device certificate and multi-factor authentication on your phone.

Those few seconds of waiting after you click “Connect VPN”? That’s when identity verification and the exchange of encryption keys take place. Those seconds are the doorman and the locksmith doing their jobs at the tunnel entrance.

💡 Tip

If VPN credentials are compromised, the attacker gains the equivalent of “being plugged into an Ethernet jack inside your office.” That’s why password reuse on a VPN account is considered especially dangerous. For building strong passwords, our password generator can help.

4. The kinds of VPN ── three different things sharing one name

The things called “VPN” split into three distinct tools, depending on where the two ends of the tunnel sit. Most of the confusion dissolves once you make this distinction.

4-1. Remote-access VPN ── connecting a person to a company

This is everything we’ve described so far: a tunnel between an individual PC and the company network. The work-from-home “Connect VPN” button is this kind. One end of the tunnel is your PC; the other is the company’s VPN gateway.

4-2. Site-to-site VPN ── connecting an office to an office

This kind runs a permanent tunnel between two office locations. The routers of, say, the New York office and the Denver office are joined by a tunnel, and the two sites behave as one internal network. Employees never click anything ── the tunnel is always up at the edge of each site, and users not noticing it exists is the normal state for this kind of VPN.

4-3. Consumer VPN services ── connecting a person to a VPN provider

The “VPN apps” from the ads are this kind. One end of the tunnel is your PC ── but the other end is a VPN provider’s server, not any company of yours. It gets you into no internal network. Its purposes are two: ① encrypt the stretch nearest to you (public Wi-Fi and the like), and ② swap your apparent address for the location of the provider’s server.

|  | Remote-access VPN | Site-to-site VPN | Consumer VPN service |
|---|---|---|---|
| Ends of the tunnel | Your PC ↔ company | Office ↔ office | Your PC ↔ VPN provider |
| Main purpose | Reach internal systems from outside | Merge sites into one network | Encrypt the route, change the exit |
| What you do | Click connect | Nothing (always on) | Toggle the app |
| Gets you inside a company? | Yes | (invisible to employees) | No |

⚠️ Common Pitfall

“Consumer VPN service = anonymity tool.” It isn’t. The VPN provider sits at the tunnel exit and sees the destination of everything you do. The party able to snoop on you changed from “an unspecified crowd along the route” to “one VPN company” ── you didn’t become anonymous, you relocated your trust. Choosing the provider is choosing your security.

5. Full tunnel vs. split tunnel ── what goes into the tunnel

5-1. Wrap everything, or only what’s bound for the office?

Remote-access VPNs face one big design fork: of all the traffic leaving your PC, how much goes into the tunnel?

Full tunnel ── every packet goes into an envelope
  Home PC ━━━ tunnel ━━━→ office ──→ internal systems
                            └──→ internet (web, video ── everything exits via the office)

Split tunnel ── only office-bound packets get the envelope
  Home PC ━━━ tunnel ━━━→ office ──→ internal systems
      └─────────────────→ internet (web goes straight from home)

  • Full tunnel: office-bound or internet-bound, everything is enveloped and routed out through the company. The company can inspect and log all traffic at its own exit ── management is centralized. The cost: even plain web browsing detours through the office
  • Split tunnel: only traffic bound for internal systems enters the tunnel; everything else leaves straight from home. The detour disappears and things feel snappy ── in exchange, traffic the company cannot see comes into existence
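As an added illustration (not the article’s own code), here is the per-packet decision behind the two diagrams above, plus who gets to read the destination under each choice; the home address, the office exit, and the internal prefixes are assumed values from the documentation and private ranges.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed example, not from the article: the per-packet decision a remote-access
# VPN client makes under a full vs. split tunnel, and who can then read the destination.
# All addresses and prefixes are assumptions (documentation and private ranges).
HOME_IP = "198.51.100.7"        # the public address your home router got from the ISP
OFFICE_EXIT_IP = "203.0.113.1"  # the company's public exit; here also the VPN gateway
OFFICE_PREFIXES = ["10.0.0.0/8", "192.168.0.0/16"]  # what the company marks as "internal"


class TunnelPolicy:
    def __init__(self, mode: str, internal_prefixes: Iterable[str]):
        if mode not in ("full", "split"):
            raise ValueError("mode must be 'full' or 'split'")
        self.mode = mode
        self.internal = [ipaddress.ip_network(p) for p in internal_prefixes]

    def is_internal(self, dst: str) -> bool:
        """True when dst lies inside one of the company's internal prefixes."""
        addr = ipaddress.ip_address(dst)
        return any(addr in net for net in self.internal)

    def route(self, dst: str) -> str:
        """'tunnel': sealed into an envelope, released at the office. 'direct': straight out of home."""
        if self.mode == "full" or self.is_internal(dst):
            return "tunnel"
        return "direct"

    def visibility(self, dst: str) -> Dict[str, Optional[str]]:
        """What each party along the way can read about a packet bound for dst."""
        if self.route(dst) == "tunnel":
            return {
                "home_isp_sees": OFFICE_EXIT_IP,  # only the outer address of the envelope
                "company_exit_sees": dst,         # the envelope is opened here (see 6-3)
                "site_sees_you_as": OFFICE_EXIT_IP if not self.is_internal(dst) else "an internal address",
            }
        return {
            "home_isp_sees": dst,        # the postcard travels unwrapped
            "company_exit_sees": None,   # this packet never touches the office
            "site_sees_you_as": HOME_IP,
        }


FULL = TunnelPolicy("full", OFFICE_PREFIXES)
SPLIT = TunnelPolicy("split", OFFICE_PREFIXES)
PUBLIC_SITE = "192.0.2.10"    # a public website (documentation range)
FILE_SERVER = "192.168.10.5"  # an internal file server

if __name__ == "__main__":
    for name, policy in (("full", FULL), ("split", SPLIT)):
        for dst in (FILE_SERVER, PUBLIC_SITE):
            print(name, dst, policy.route(dst), policy.visibility(dst))
```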

5-2. Neither one is “correct”

There is no single right answer here, because the choice is a question of company policy: what must be protected, and what must be auditable. Industries with strict information controls lean full tunnel; organizations that prize responsiveness and low bandwidth costs lean split. Which one your company picked largely decides how fast working from home feels ── if “connecting to the VPN slows down the whole internet” sounds like your life, that’s almost certainly the full-tunnel detour. The slowdown’s cause-and-effect is diagrammed in §4 of “Why is the office network so slow?”.

💡 Tip

Enveloping (encapsulation) and encryption charge a fixed fee. The envelope takes up space that payload could have used, and sealing and unsealing consume the VPN gateway’s processing power. “A VPN is slightly slower than the bare line” isn’t a malfunction ── it’s structural.

6. What a VPN cannot do ── four items against overconfidence

A VPN is a powerful tool, but “I’m on the VPN, so I’m safe” is a dangerous level of trust. Here is what it cannot do, stated plainly.

6-1. It does not stop malware

A VPN carries the envelope’s contents ── it takes no interest in whether those contents are safe. A malicious download gets wrapped in the same encrypted envelope and delivered with the same courtesy. Antivirus is its own job, handled by its own tools.

6-2. It does not hide what you do at the destination

A VPN hides “the route” ── nothing more. The website or service you connect to sees everything you do after logging in, exactly as it always would. Past the tunnel exit, it’s just the regular internet.

6-3. On a company VPN, your activity becomes more visible, not less

On a remote-access VPN (especially full tunnel), all your traffic passes through the company’s exit. From the administrators’ side, your traffic isn’t hidden at all ── it’s visible and logged just as it would be at your desk in the office. This isn’t about surveillance; it’s that the machinery protecting company assets and data is designed to work that way.

6-4. The VPN gateway itself becomes a target

The VPN entrance is one of the few doors a company leaves open to the outside. The logic from the firewall article ── every open door is attack surface ── applies here in full, and exploiting VPN appliance vulnerabilities has become a staple route for breaking into companies. A VPN is a piece of defense equipment that, left unpatched, turns into the biggest weakness.

Summary ── the essence in 4 lines

  1. A VPN solves two problems at once ── “snooped on along the way” and “unreachable from outside” ── with encryption plus virtual wiring
  2. The core mechanism is encapsulation: the postcard goes inside an encrypted envelope addressed to the company, traveling the public road (the internet). Because the company opens it, your PC gets to “pretend it’s in the office”
  3. “VPN” names three different things, split by where the tunnel ends sit (person↔company / site↔site / person↔provider). A consumer VPN service is not an anonymity tool ── it’s a relocation of trust
  4. Full tunnel vs. split tunnel is a speed-versus-control trade-off. And a VPN stops no malware while its own gateway draws attacks ── it is not an all-purpose shield

Addresses and NAT live in What is an IP address?, defense against inbound traffic in What happens without a firewall?, and the truth behind VPN-flavored slowness in Why is the office network so slow?. Together with this article, the full picture of “connecting to the office from outside” joins into a single map.

FAQ

Q1. Does using a VPN make me anonymous?

A. No. On a company VPN, administrators see your traffic just as they would at the office (§6-3). On a consumer VPN service, the provider at the tunnel exit sees every destination ── and any site you log into obviously knows who you are. The only thing a VPN changes is whether third parties along the route can see you. It is not an anonymity tool (see the pitfall in §4).

Q2. If I only visit HTTPS sites, do I still need a VPN?

A. They protect different scopes. HTTPS protects the contents of one conversation between your browser and one site ── it doesn’t hide which site you’re connecting to, and it does nothing for apps that don’t use it. A VPN wraps all traffic leaving your PC, destinations included (the Tip in §1). And Problem B ── getting inside the company network (§1-2) ── is something HTTPS cannot solve at all.

Q3. While I’m on the company VPN, can the company see my personal traffic?

A. On a full tunnel, structurally yes ── everything passes through the company’s exit, so it’s visible if anyone chooses to look (§5, §6-3). On a split tunnel, non-office traffic never touches the company. Which design you’re on, and what actually gets logged, is company policy ── check the rules if it matters to you. The safe assumption: traffic on a work PC is visible, period.

Q4. Are free VPN apps safe to use?

A. Be cautious. As §4 showed, a consumer VPN service is a relocation of trust ── the provider sees the destination of all your traffic. If the service is free, you have to ask what’s covering the operating costs: ads, analysis or sale of traffic data, or something else. You may end up handing the very information you wanted to protect to one company, voluntarily.

Q5. Why does the internet slow down while I’m on the VPN?

A. Two main causes. ① On a full tunnel, even plain web browsing takes the physical detour “home → office → site → office → home” (§5). ② On top of the fixed cost of encapsulation and encryption, when remote workers pile onto one VPN gateway, the device’s own processing power clogs. For the full “map of slowness” across a company network, the “Why is the office network so slow?” article lets you work backward from symptoms.
