The Ultimate Guide To VPN Encryption And How It Works


VPN Encryption is at the heart of any Virtual Private Network, a tool that made its way into the public eye in the late 90s. The VPN has gone from strength to strength and has become a cybersecurity cornerstone for many homes and organizations. VPNs are used by businesses globally and enjoy healthy attention among consumers. VPNs aim to bolster user privacy, secure unreliable Wi-Fi, and in many cases circumvent geoblocking rules.

VPNs have a number of functions familiar to all users. VPN Encryption is perhaps the most well-known of them. But not all VPNs are engineered the same, and depending on the protocols used, a VPN might have different functions, speeds, and vulnerabilities.

To classify the VPN Encryption used, we must look at the type of encryption, the protocol, and the cipher. These things determine exactly how protection is formed. Each represents a different answer to the cybersecurity question.

We are all very familiar now with VPN marketing, and probably have a high-level understanding of how a VPN works. In this article, we aim to go ten steps further: we wish to examine the underlying complexities of a VPN, and scrutinize all its moving parts to determine what works best in any given situation.


This encryption method differs from asymmetric encryption where a pair of keys – one public and one private – is used to encrypt and decrypt messages.


Symmetric encryption is a type of VPN encryption where one secret key is used to both encrypt and decrypt information. The parties communicating via symmetric encryption exchange the key so that it can be used in the decryption process.

When using this type of VPN encryption, the information passed through is scrambled and appears nonsensical, and can only be understood by the party holding the secret key. Once the secret key is used on the scrambled data, the algorithm performs the reverse of its actions, unscrambling the message and presenting it in its original, readable form.

The secret key can be many things, such as a password, or a random string of letters and numbers. This random string must be generated using a randomness generator that is tested and accredited against a standard such as FIPS 140-2. Industry standards such as these are used by banks and the military when using randomness generators.

There are two types of symmetric encryption algorithms:

Block Algorithms – Set lengths of bits are encrypted in blocks of data using the secret key. As the data is being encrypted, the information is stored in memory while the system waits for complete blocks.

Stream Algorithms – The data is encrypted as a stream rather than being retained in memory.

Symmetric encryption is the older of the two when it comes to VPN encryption, but despite its age, it is faster and more efficient. This can make it better suited to functions like VPNs. It is also used for bulk encryption, or cases in which a large amount of data needs to be encrypted, such as when someone works with a database.

Though not quite here yet, quantum computing represents a serious threat to both types of encryption. Symmetric encryption is expected to fare better on the arrival of quantum systems.


Asymmetric key encryption is the companion to symmetric key encryption and is also known as public-key encryption. This type of VPN encryption uses a pair of keys, one public and one private, to encrypt and decrypt data.

The public key can be used by any person to encrypt a message so it can only be decrypted by the intended recipient with their private key.

When a party wishes to send an encrypted message, they take the recipient's public key from a public directory, and use it to encrypt the message. The recipient can then decrypt the message using their private key, also known as a secret key.

If the sender encrypts the message with their private key, the message can only be decrypted using the sender's public key, hence authenticating the sender. These are automatic processes.

Various protocols rely on asymmetric cryptography, including the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

Asymmetric encryption is also used often in software that needs to be secure over insecure internet, such as browsers.

Ultimately, asymmetric encryption is a slightly more secure type of VPN encryption than symmetric encryption. But it is not without flaws; asymmetric encryption is incredibly slow compared to symmetric, meaning that VPNs that use it move at a snail's pace. For this reason, the majority of VPNs steer clear of asymmetric for their encryption, as it would greatly diminish customer speed when browsing the web.

It is a much more mathematically intense process than symmetric, and due to the nature of its operations (that is, multiplying prime numbers), asymmetric encryption will be catastrophically disrupted with the advent of quantum computers.


Ciphers are a key part of VPN Encryption. At their core, ciphers are simply a set of steps that can be followed to ensure encryption and decryption. The operation of a cipher depends on a key. Without knowledge of a key, decryption is difficult, and in most modern cases it is impossible.

Ciphers have a long history. One of the simplest and earliest known ciphers is the Caesar Cipher, which was used by Julius Caesar to transmit messages to legionnaires and other military personnel over 2000 years ago. It is often used as a tool to explain the basis for how ciphers work.

The Caesar cipher makes use of two alphabets, the ordinary alphabet (A-Z) and the cipher alphabet. First a message is written in the ordinary alphabet. Then the cipher is applied. The cipher, in this example's case, has a right shift of 1 place. This means that each letter is shifted one to the right.

For example, the word “HELLO” becomes “IFMMP”. When the receiver gets the message, they are given the key, which was that each letter has been shifted right once. So, they would then shift each letter in “IFMMP” back left once, giving the original, “HELLO”.

The shifts Caesar used were larger and changed often. While this may seem like a simple cipher, it did indeed work, and went on to become the basis for ciphers used in wars like the American Civil War. These ciphers in turn were used as a basis for some of the more advanced ciphers we have today, so the original idea hasn’t changed a great deal.

When looking at today's VPN encryption, we refer to a mixture of cipher and key length, which denotes the number of bits in a key. This is usually given in the name; Blowfish-128 has 128 bits, for example. A longer key length means that the cipher takes longer to breach in a brute force attack.

256 bits is the standard in banking and military use, and so is commonly found in VPNs. It would take billions of years to try every possible combination, so it is not feasible to crack a 256-bit cipher.

Let's look at some popular ciphers from yesterday and today.

Triple DES (AKA 3DES)

Triple DES, or 3DES, is based on the Data Encryption Standard (DES) encryption algorithm, which was first published in 1975. It used a 56-bit key, which over time proved vulnerable to brute force attacks as computers became more advanced. In 1999 the lifetime was greatly extended by tripling the size of the cipher and encrypting data in 3 passes, which became known as 3DES.

In the 22 years since, 3DES has shown its age and has shown many vulnerabilities. However, it is important to understand, because it is used to decrypt legacy data and because, due to its use of three keys, 3DES is still used in some VPNs.

With the advent of 3DES, the total bit count went from 56 to 168. This is far less than many competitors, but it is still used for legacy tasks. The addition of 3 keys gives an extra layer of strength also.

3DES works in three steps, called Encrypt-Decrypt-Encrypt (EDE). It takes 3 keys, K1, K2, and K3. It encrypts each block of data with K1, decrypts the result with K2, and encrypts a final time with K3.

Though each key is made up of 56 bits, due to overlap, the strength of the key is really 112 bits.

As stated, 3DES is rarely used by VPNs, but it would be a mistake to say it has absolutely no place in VPN encryption.


Blowfish is a variable-length, symmetric 64-bit block cipher. It was designed in 1993 by Bruce Schneier. At the time of its creation, it provided a free and fast alternative to the aging DES and International Data Encryption Algorithm (IDEA) encryption algorithms.

Blowfish was much quicker than its peers, and because it was unpatented, it was whitelabeled by many companies.

As the years went by, Blowfish was succeeded by Twofish, which addresses the lower bit rate by raising the amount to 128 bits. Despite being lower than 256, Twofish has never been cracked, and parts of the algorithm are used in many encryption processes today.

Blowfish features 16 Feistel-like iterations, each of which operates on a 64-bit block that's split into two 32-bit words. It uses a single key to both encrypt and decrypt.

Blowfish features a 64-bit block size and takes a variable-length key, from 32 bits to 448 bits. It consists of 16 Feistel-like iterations, where each iteration operates on a 64-bit block that’s split into two 32-bit words. Blowfish uses a single encryption key to both encrypt and decrypt data.
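The Feistel structure described here for Blowfish, and the Encrypt-Decrypt-Encrypt chaining described for 3DES above, can both be seen in one added example (not code from the original article). The round function and key schedule are constructed stand-ins built on SHA-256, not the real Blowfish or DES ones; only the 64-bit block, the two 32-bit words, the 16 rounds and the K1/K2/K3 ordering come from the text.

```python
import hashlib
import struct

ROUNDS = 16  # the round count the article gives for Blowfish


def subkeys(key):
    """Constructed key schedule: one 32-bit subkey per round (not Blowfish's real one)."""
    return [
        int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
        for i in range(ROUNDS)
    ]


def round_fn(half, subkey):
    """Constructed round function F. It is never inverted, so it need not be reversible."""
    digest = hashlib.sha256(struct.pack(">II", half, subkey)).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block, round_keys):
    """Run the Feistel network over one 64-bit block."""
    if len(block) != 8:
        raise ValueError("block must be 64 bits (8 bytes)")
    left, right = struct.unpack(">II", block)  # two 32-bit words
    for k in round_keys:
        # Each round: new left = old right, new right = old left XOR F(old right, k)
        left, right = right, left ^ round_fn(right, k)
    # Undo the last swap so the same routine decrypts when given reversed subkeys.
    return struct.pack(">II", right, left)


def encrypt(block, key):
    return feistel(block, subkeys(key))


def decrypt(block, key):
    # Single key for both directions: same network, subkeys in reverse order.
    return feistel(block, subkeys(key)[::-1])


def ede_encrypt(block, k1, k2, k3):
    """3DES-style chaining: Encrypt with K1, Decrypt with K2, Encrypt with K3."""
    return encrypt(decrypt(encrypt(block, k1), k2), k3)


def ede_decrypt(block, k1, k2, k3):
    """Inverse of EDE: Decrypt with K3, Encrypt with K2, Decrypt with K1."""
    return decrypt(encrypt(decrypt(block, k3), k2), k1)


if __name__ == "__main__":
    block = b"VPNBLOCK"  # constructed 8-byte sample block
    k1, k2, k3 = b"key-one", b"key-two", b"key-three"  # constructed keys
    ct = ede_encrypt(block, k1, k2, k3)
    print("ciphertext:", ct.hex())
    print("round trip:", ede_decrypt(ct, k1, k2, k3))
    # With K1 = K2 = K3 the middle decrypt cancels the first encrypt,
    # so EDE degrades to a single pass of the underlying cipher.
    print("collapses :", ede_encrypt(block, k1, k1, k1) == encrypt(block, k1))
```

The last check shows why the middle step is a decryption: with three identical keys the construction interoperates with the single-pass cipher, and gains nothing over it.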

Blowfish is still one of the fastest and most compact block ciphers in use today. It offers several advantages, including:

-Faster and more efficient than its peers of the day, and still faster than many modern ciphers
-Unpatented, hence it is free and can be whitelabeled
-Despite the complex initialization phase before encryption, the data encryption process is efficient on large microprocessors
-Provides extensive security for software and applications developed in Java
-Provides secure access for backup tools

Blowfish is used for many applications, especially bulk encryption. It’s also commonly found on mobile processors and in data backup applications. Blowfish is still used for many VPNs. Despite its age, there is a solid argument to be made for old ciphers like Blowfish: in all the time they’ve been around, they’ve never had vulnerabilities.


One of the most famous ciphers, the Rivest-Shamir-Adleman (RSA) cipher is a suite of cryptographic algorithms that are used for security services. It is used in many applications, and is an asymmetric cipher.

RSA was first theorised by Ron Rivest, Adi Shamir and Leonard Adleman of the Massachusetts Institute of Technology in 1977. However, much of it wasn’t usable until 1997, when the public key algorithm invented by British mathematician Clifford Cocks was declassified.

With the RSA cipher, both public and private keys can encrypt a message. The opposite key from the one used to encrypt is then used to decrypt the message. This is why RSA has become so popular: it assures confidentiality, integrity, authenticity, and non-repudiation of electronic communications and data storage.

Many protocols, including SSH and OpenPGP, rely on the cipher for encryption and digital signatures. Browsers make heavy use of RSA, as do other applications that send and receive messages over the internet.

The security of the cipher is derived from the difficulty of factoring large numbers which are the product of two large prime numbers. Multiplication here is easy, but determining the original prime numbers (called factoring) would take so long even using supercomputers that it is considered effectively impossible.

The public and private key generation algorithm is the most complex part of RSA cryptography. Two large prime numbers, p and q, are generated using the Rabin-Miller primality test algorithm. A modulus, n, is calculated by multiplying p and q. This number is used by both the public and private keys and provides the link between them. Its length, usually expressed in bits, is called the key length.
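An added example (not from the original article) of the key generation just described: Rabin-Miller primality testing, the modulus n = p × q, and the bit length of n as the key length. It is textbook RSA with no padding, so it shows the arithmetic only and is not a substitute for a vetted library; the public exponent 65537 and all function names are assumptions of this sketch.

```python
import math
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=40, rng=None):
    """Rabin-Miller test: never rejects a prime; a composite survives a round with probability <= 1/4."""
    rng = rng or secrets.SystemRandom()
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:  # write n - 1 as d * 2**r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def random_prime(bits, rng):
    while True:
        # Force the top two bits (so p * q has exactly 2 * bits bits) and the low bit (odd).
        candidate = rng.getrandbits(bits) | (0b11 << (bits - 2)) | 1
        if is_probable_prime(candidate, rng=rng):
            return candidate


def generate_keypair(key_bits=2048, e=65537, rng=None):
    """Return ((n, e), (n, d)). The default rng is the OS CSPRNG."""
    rng = rng or secrets.SystemRandom()
    while True:
        p = random_prime(key_bits // 2, rng)
        q = random_prime(key_bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q              # the modulus shared by both keys
    d = pow(e, -1, phi)    # private exponent: inverse of e modulo phi
    return (n, e), (n, d)


def rsa_apply(value, key):
    """Raise value to the key's exponent mod n; used for both directions."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


if __name__ == "__main__":
    public, private = generate_keypair(1024)
    print("key length in bits:", public[0].bit_length())
    m = int.from_bytes(b"session key", "big")  # constructed sample message
    # Public key encrypts, private key decrypts (confidentiality).
    print(rsa_apply(rsa_apply(m, public), private) == m)
    # Private key transforms, public key reverses it (authenticating the sender).
    print(rsa_apply(rsa_apply(m, private), public) == m)
```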

Encryption is directly tied to this key length. Doubling key length delivers an exponential security increase, but also an exponential hit on performance. RSA keys are usually 1024 or 2048 bits long, though the 1024 model is no longer considered secure. Governments have largely moved to a 2048-bit minimum key length.

Encryption strength is directly tied to key size. Doubling key length can deliver an exponential increase in strength, although it does impair performance. RSA keys are typically 1024- or 2048-bits long, but experts believe that 1024-bit keys are no longer fully secure against all attacks. This is why the government and some industries are moving to a minimum key length of 2048-bits.

Being an asymmetric encryption, RSA is vulnerable to the advent of quantum computing, but is still trusted enough to be used in the backend of many corporate and government systems. With regards to VPN encryption, many VPNs do use RSA, but have moved to 2048-bits. This has caused an already slow cipher type to become even more sluggish. While it provides for an exceptionally secure experience, VPNs using 2048-bit encryption give the user an incredibly slow internet experience.



The Advanced Encryption Standard (AES) is considered the gold standard of encryption ciphers. It is a symmetric block cipher, and is used by the US Government, US Military, and nearly every financial institution in the world. AES is used in software and hardware globally, and is one of the foundational pillars of modern cybersecurity.

The development of AES was begun in 1997 by the National Institute of Standards and Technology (NIST). A new standard was needed due to the failings of DES as it began to show its age.

NIST stated that the new algorithm would be “capable of protecting sensitive government information well into the 21st century.” AES was created to be easy to implement in hardware and software, as well as in physically restricted environments such as a smart card.

Though AES was created for the US government, it was given free use in public or private, commercial or noncommercial programs that provide encryption services.

AES comprises three block ciphers, with key lengths of 128, 192, and 256 bits.

When protecting classified information, data considered Top Secret requires either 192 or 256-bit length.

There are 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys. A round consists of several processing steps that include substitution, transposition and mixing of the input plaintext to transform it into the final output of ciphertext.

The AES encryption algorithm defines numerous transformations that are to be performed on data stored in an array. The first step of the cipher is to put the data into an array, after which the cipher transformations are repeated over multiple encryption rounds.

The first transformation in the AES encryption cipher is substitution of data using a substitution table. The second transformation shifts data rows. The third mixes columns. The last transformation is performed on each column using a different part of the encryption key. Longer keys need more rounds to complete.

In August 1999, NIST selected five algorithms for analysis as the next AES cipher: MARS, RC6, Rijndael, Serpent, and Twofish.

Eventually, Rijndael was proposed as the basis for the algorithm, and AES was accepted by 2001. In 2002, it became standard for the federal government. It is also included in the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 18033-3 standard, which specifies block ciphers for the purpose of data confidentiality.

It was also adopted by the NSA to protect national security systems.

Because of its use by the US government, it became extremely popular in the private sector, especially as an element of VPN encryption. It is without a doubt the most common choice when looking to set up VPN encryption.

There has always been a debate between AES-128 and AES-256. A 256 bit key is impossible to brute force given the amount of time it takes to crack. 128 takes less time, but we are still talking about billions of years here, so it is still impossible, just less so!

Despite that, the advent of Quantum Computing will prove a challenge for AES, though not as much a problem as it will be for RSA.

256-bit does require more processing power, thus where latency is a concern in small devices, 128-bit keys may be used.

Despite its security, keys must always be protected. It doesn’t matter how many bits a cipher has: if keys are exposed, a hacker can just leisurely walk into a system.


Within VPN Encryption, a protocol acts as a set of instructions on how your data behaves between your device and the VPN server. VPN providers rely on protocols to ensure a stable and secure connection.

Protocols vary greatly, and give benefits to VPN users based on the circumstance. Some protocols aim for privacy, while others aim for speed. Some VPN providers will even use a different protocol depending on the device being used.

When a protocol is used, your VPN encryption provider separates your data into packets. Each packet is encrypted with a different key. The key is only shared between the VPN server and client. A secondary protocol, or sub-protocol, called an Encapsulation Header is also used. This obfuscates information in the data packet, such as sender identity.

The most common VPN protocols used are OpenVPN and Internet Protocol Security (IPSec).


SSL was used to secure network transactions, and was created by Netscape in the 90s. Its successor, the Transport Layer Security (TLS) protocol, was developed by the Internet Engineering Task Force (IETF). The basic operations of the two are identical, but TLS offered improvements. TLS 1.0 is documented in RFC 2246. TLS 1.1, defined in RFC 4346, corrects some vulnerabilities in the earlier version.

Both were used to handle web transactions, but can be used to protect any type of network traffic that utilizes TCP at the transport layer.

The position of the twin protocols above TCP means data can traverse firewalls using Network Address Translation (NAT). But an application must be specifically designed for SSL or TLS, since internal logic in the application must determine when to utilize the protocols or when to make calls to TCP directly. All commonly used browsers support both SSL and TLS. SSL VPN vendors provide support for other applications.

Connections are made secure by authentication of the intended endpoint the user is hoping to connect to. SSL and TLS use X.509 certificates along with public key encryption for authentication. These certs are issued by certificate authorities (CA).

Software ships with lists of CAs, which can be updated and are used in all checks, as well as for checking public and private keys.

SSL and TLS required years of careful development which relied on authentication, encryption and MAC techniques. However, they have been historically significant protocols and they made e-commerce possible. They are still used in browsers, and in SSL VPNs.

The development of SSL and TLS relied upon years of careful development of authentication, encryption and MAC techniques, but they have made e-commerce possible. The fact that the protocols are implemented in browsers has also made SSL VPNs easy to use.


IKEv2 and its predecessor IKE are part of IPsec, which is a suite of protocols and ciphers to ensure data transmission is secure. IPSec was created by the Internet Engineering Task Force (IETF) in order to provide security through authentication and encryption.

Before IKEv2, IKE defined an automated means of negotiation and authentication. IKE brought a lot to the IPSec table, including automatic negotiation and authentication, anti-replay services, certification authority support and the ability to change encryption keys during an IPsec session.

IKE uses User Datagram Protocol (UDP) packets. An IPsec stack intercepts the relevant IP packets, encrypting and decrypting as needed.

IKE uses two phases, phase 1 and phase 2.

In phase 1, an authenticated connection between the host and user is established using a preshared key or a digital certificate. The goal is to secure the communications that occur in phase 2. The Diffie-Hellman key exchange algorithm creates a secure, authenticated communication channel. This digital encryption method uses numbers raised to specific powers to produce decryption keys. The negotiation should result in session keys.

Phase 2 of IKE negotiates to secure the data that travels through IPsec, using the secure channel created in phase 1. The result is a minimum of two SAs that are unidirectional. Both parties also exchange proposals to determine which security parameter to use.

IKE came out in 1998, while its successor IKEv2 was released in 2014. It provided improvements across the board. Notably for VPN Encryption, it provided enhanced communication channels between devices using a VPN.

Among the improvements, some are:

-Less bandwidth
-Fewer mathematical mechanisms
-Needs just one initial exchange mechanism
-Supports mobile devices
-Supports the securing of Stream Control Transmission Protocol (SCTP) traffic
-Greater resistance to DDoS attacks
-Comes equipped with built-in Network Address Translation (NAT)


Layer 2 Tunnelling Protocol (L2TP) is a proprietary Microsoft protocol that creates connections between the user device and other servers within the VPN. Like IKEv2, it is reliant on and contributes to the IPsec suite. L2TP has many advantages, but some issues hold it back from being a true competitor with regards to VPN encryption.

L2TP doesn’t have any smart way to pass through firewalls, so when used in a VPN, it can cause trouble for users trying to use a VPN and a firewall together.

The protocol encapsulates data twice. This is handy for some applications, but it comes at the cost of a huge reduction in speed.

As mentioned, L2TP is used with IPSec. Many VPN providers have a difficult time navigating this relationship, and are often left to use pre-shared keys which can be downloaded by anyone. Though these are used for authentication and not decryption, a hacker could use them to imitate a VPN server.

L2TP is mostly seen on legacy devices that do not support modern protocols such as OpenVPN.


Secure Socket Tunnelling Protocol (SSTP) is another proprietary Microsoft-owned protocol. It is based on SSL 3.0, and supports AES-256. SSTP has most of the advantages of OpenVPN, but is primarily used only for Windows.

SSTP users can rest easy knowing that it will be supported on many Microsoft devices, and customer support is also available. With that being said, its position as a corporate protocol may not sit easy with privacy-minded users.

This point is driven home by the fact SSTP is not open-source. As such, the general public cannot scrutinize it to discover vulnerabilities or other security weaknesses. Microsoft has in the past cooperated with security institutions like the NSA, and some even suspect Microsoft of implementing backdoors for organizations like these.

While it has its advantages, the disadvantages are too egregious, and a VPN using SSTP should be avoided.


WireGuard is a controversial protocol in the world of VPN Encryption. To some it is the new gold standard of protocols. It's a new kid on the block, having been developed in 2016 by Jason Donenfeld. Donenfeld looked to topple OpenVPN and IPSec from their protocol thrones.

Donenfeld's argument is that both these protocols are immensely complex, and implementation was “hard to get right”. IPSec itself was extremely bloated due to years of additions to its suite. For Donenfeld, it was clear that a radical break was needed and that he would need to develop a protocol from scratch.

WireGuard was presented in 2017 at NDSS. The design goals include a fixed, non-negotiable set of modern cryptographic primitives, high performance throughput as well as a small attack surface resulting from simplicity and limited decision-making.

WireGuard builds on a cryptographic framework named Noise. Noise was used as a foundational block for the Signal messaging service. It is based on the Diffie-Hellman key exchange mechanism. It is not a protocol by itself, but rather guides designers in building new communication protocols securely with verified best practices. This includes protections such as perfect forward secrecy, identity hiding, mutual authentication and zero round trip encryption. The framework specifies a key exchange method using static and ephemeral keys, a message format, cryptographic functions and processing rules.

A key aspect of Noise is its simplicity and lack of flexibility when negotiating encryption between two parties. The authors note that pre-existing protocols can be verifiably secure, but become increasingly hard to use as complexity is added. The framework prescribes an internal state machine that only advances or aborts. There are no branches, negotiations or retries within it, which reduces the number of unpredictable errors. The primary design goal of Noise is to make negotiations free of any decision-making.

To explain the inner workings of WireGuard would be to speak in deeply mathematical terms, and so is beyond the scope of this article. However, WireGuard has proved to be just as safe as OpenVPN, while being much simpler. One example of its simplicity is the line count: OpenVPN has 600,000 lines of code, whereas WireGuard has 4,000.

For now, OpenVPN retains its throne as king of protocols, but WireGuard may very well become the most popular choice within the next decade, and many VPN providers offer it for use.


Point-to-Point Tunnelling Protocol (PPTP) is an older VPN protocol, and was used for creating a VPN over a dial-up connection. It was created in 1999 by a team of independent engineers who were funded by Microsoft.

PPTP is compatible with nearly everything, it doesn’t require software, and is extremely fast.

However, PPTP has a huge drawback, which is extremely poor security for the modern era. It has been broken countless times. PPTP traffic is easy to obstruct and it can easily be blocked by a firewall.

Despite these things, PPTP is occasionally used by VPN providers who promise little security at blazing fast speeds. The majority of providers will not carry it, and it generally isn’t recommended unless nothing else is available.


OpenVPN is without a doubt the leader when it comes to VPN protocols. It is a protocol but also a software, which uses secure point-to-point and site-to-site connections. Nearly all major VPN providers offer OpenVPN, making it the top dog in VPN Encryption.

OpenVPN was developed by James Yonan and released in 2001. It’s one of the only open-source VPN protocols that is accompanied by its own open-source application.

The protocol is responsible for handling client-server communications, and establishes a tunnel between client and software.

OpenVPN handles encryption and authentication, and also uses the OpenSSL library extensively. OpenVPN has the option to use either UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) to transmit data.

OpenVPN is best used over UDP, which it will always default to first. It will only attempt TCP if the UDP connection fails.

It uses a custom security protocol that bypasses HTTP and NAT.

OpenVPN was the first protocol that championed open-source. Its code isn’t owned by just one entity, and third parties can always inspect it and continuously improve it. This has led to some VPN providers building on OpenVPN to build their own custom service, like SaferNet has done.

OpenVPN uses 256-bit OpenSSL encryption in most cases, however custom builds can use the AES, Camellia, 3DES, CAST-128, or Blowfish ciphers. It does not support L2TP, IPSec, or PPTP.

The protocol supports improved login and authentication with the use of third-party plugins. To protect users from buffer overflow vulnerabilities in TLS/SSL implementations, DoS attacks, port scanning, and port flooding, OpenVPN relies on tls-auth for HMAC signature verification. OpenVPN is also programmed to drop privileges if necessary, and run in a chroot jail dedicated to CRL.
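Why an HMAC check in front of the TLS handshake helps against scanning and flooding can be modelled in a few lines. This is an added, simplified example, not OpenVPN's code or wire format: the packet layout (tag, 4-byte packet ID, payload), the choice of HMAC-SHA256, the strictly increasing packet ID and the class name are all assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def seal(key, packet_id, payload):
    """Sender side: prepend an HMAC tag computed over packet ID + payload."""
    body = struct.pack(">I", packet_id) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


class PreAuthFilter:
    """Receiver side: drop anything without a valid tag before any TLS code sees it."""

    def __init__(self, key):
        self.key = key
        self.highest_id = 0  # highest packet ID accepted so far

    def accept(self, datagram):
        """Return the payload if authentic and fresh, else None (silent drop)."""
        if len(datagram) < TAG_LEN + 4:
            return None  # too short to be a sealed packet
        tag, body = datagram[:TAG_LEN], datagram[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return None  # probe, flood or tampered packet: no reply is sent
        (packet_id,) = struct.unpack(">I", body[:4])
        if packet_id <= self.highest_id:
            return None  # replayed or stale packet
        self.highest_id = packet_id
        return body[4:]


if __name__ == "__main__":
    shared_key = b"k" * 32  # constructed sample key; real keys come from a key file
    server = PreAuthFilter(shared_key)
    good = seal(shared_key, 1, b"client hello")
    print(server.accept(good))                      # payload is passed on
    print(server.accept(good))                      # None: replay
    print(server.accept(b"\x00" * 64))              # None: unauthenticated probe
    print(server.accept(seal(b"x" * 32, 2, b"hi")))  # None: wrong key
```

Because unauthenticated packets are dropped without a response, a scanner cannot tell the service is listening, and the TLS implementation only ever parses input from holders of the shared key.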

Unlike WireGuard, it runs in user space rather than kernel space.

OpenVPN has gone through several audits in its lifespan. An audit in 2017 did find two minor, non-security related bugs, which were fixed that day.

OpenVPN isn’t known for its user-friendly experience, and as such only the most experienced developers can implement the base version, and even more advanced programmers are needed to whitelabel it, as SaferNet has done.

It is available on nearly every operating system.

All in all, OpenVPN is the most popular for a reason. It offers the greatest balance of speed and security, and is truly best-in-class when it comes to protocols and VPN Encryption.

SaferNet: The First Name In VPN Encryption

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees' or family members' devices, including activity, time spent online, and threats blocked.
