What a Tunnel Provides
A VPN wraps traffic in an encrypted tunnel so it can cross an untrusted network as if it traveled over a private link. Each packet is encrypted and authenticated, then carried inside an outer packet to the tunnel endpoint, which unwraps it.
This gives three things on the hostile segment:
- Confidentiality, so observers cannot read the inner traffic.
- Integrity, so tampering is detected.
- Endpoint authentication, so each side knows who it talks to.
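The wrapping and unwrapping described above, as an added example that is not part of the original page: one direction of a toy tunnel in Go built on AES-GCM, where each inner packet is sealed under a per-packet counter, carried behind a cleartext header, and handed back by the far end only if the authentication tag verifies. The key, the header layout and the names Tunnel, Wrap and Unwrap are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Tunnel is one direction of a toy tunnel; each direction needs its own key. A
// real VPN derives that key from the handshake that authenticates both endpoints.
type Tunnel struct {
	aead cipher.AEAD
	seq  uint64 // per-packet counter; sent in the clear and used as the nonce
}

func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead}, nil
}

// Wrap builds the outer packet: a cleartext header carrying the counter (it
// doubles as the GCM nonce) followed by the sealed inner packet. The header is
// passed as associated data, so it is authenticated even though it is readable.
func (t *Tunnel) Wrap(inner []byte) []byte {
	t.seq++
	hdr := make([]byte, t.aead.NonceSize()) // zero padding + 8-byte counter
	binary.BigEndian.PutUint64(hdr[len(hdr)-8:], t.seq)
	return append(hdr, t.aead.Seal(nil, hdr, inner, hdr)...)
}

// Unwrap verifies the outer packet and returns the inner packet in the clear,
// which is exactly what leaves the far end of the tunnel. A change to any byte
// of header or payload makes the tag check fail and nothing is returned.
func (t *Tunnel) Unwrap(outer []byte) ([]byte, error) {
	n := t.aead.NonceSize()
	if len(outer) < n+t.aead.Overhead() {
		return nil, errors.New("short packet")
	}
	hdr := outer[:n]
	return t.aead.Open(nil, hdr, outer[n:], hdr)
}
```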
Limits to Keep in Mind
A VPN protects traffic only between the tunnel endpoints. Once a packet exits the far end, it travels in whatever form the next hop uses. A VPN is not a substitute for end-to-end TLS, and it does not make a compromised device safe.
Treat a VPN as a way to move the trust boundary, not as blanket protection. Use modern protocols, authenticate both endpoints, and avoid trusting the inner network just because the tunnel terminated there.
Key idea
A VPN tunnel encrypts and authenticates traffic between two endpoints so it can safely cross a hostile network. Protection ends where the tunnel ends, so a VPN complements rather than replaces end-to-end encryption.