A VPN, or Virtual Private Network, encrypts all of the data sent to and from your device and routes it through an intermediary server that stands between you and the internet. The encrypted connection between your device and the VPN server is often referred to as a “tunnel”. No third parties, such as your ISP, government, or local IT administrator, can see the contents of your data or its destination while the VPN is active.
We’ll discuss how VPN tunneling works in this article, including encryption, protocols, and why tunneling is necessary for security and privacy.
What is VPN tunneling?
When you first connect to a VPN, your device and the VPN server perform a handshake and exchange encryption keys. This ensures that only the VPN server can decrypt data sent from your device and, conversely, only your device can decrypt data sent from the VPN server.
Once the connection is established, your device and the server can securely transmit data back and forth through the “tunnel”. Data is encrypted with the key before it ever leaves your device. When it reaches the VPN server, it is decrypted, then forwarded to the final destination—a website, app, streaming service, etc.
Data coming from the internet goes through the same process in reverse: data is sent from the app or website to the VPN server. The VPN server encrypts the data and sends it to your device, where it’s decrypted with the key.
The “tunnel” analogy comes from the VPN’s encryption. Data can go back and forth through the tunnel, but there are only two endpoints—your device and the VPN server—where data is encrypted and decrypted.
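The encapsulation described above, as an added example that is not from the original article: the device encrypts the whole inner packet and addresses the outer one to the VPN server, so an on-path observer sees only that server. The session key is assumed to come from the handshake, the addresses are constructed, and HMAC-SHA256 in counter mode stands in for the ciphers real protocols use so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json
import os

VPN_SERVER = "198.51.100.10"  # constructed address from a documentation range

def _keys(session_key):
    # Derive separate encryption and authentication keys from the handshake key.
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real stream cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encapsulate(session_key, inner):
    """Device side: encrypt the whole inner packet, then address it to the VPN server."""
    enc_key, mac_key = _keys(session_key)
    nonce = os.urandom(12)
    plain = json.dumps(inner).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    return {"dst": VPN_SERVER, "payload": nonce + cipher + tag}

def decapsulate(session_key, outer):
    """Server side: reject tampered packets, then recover the packet to forward."""
    enc_key, mac_key = _keys(session_key)
    blob = outer["payload"]
    nonce, cipher, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(enc_key, nonce, len(cipher))))
    return json.loads(plain)

def observer_view(outer):
    """What an on-path party (ISP, Wi-Fi operator) can read from the outer packet."""
    return {"dst": outer["dst"], "size": len(outer["payload"])}

if __name__ == "__main__":
    key = os.urandom(32)  # stands in for the key agreed during the handshake
    inner = {"src": "10.8.0.2", "dst": "203.0.113.80", "dport": 443, "data": "GET /"}
    outer = encapsulate(key, inner)
    print(observer_view(outer))     # only the VPN server address and a size
    print(decapsulate(key, outer))  # the server recovers the real destination
```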
What to look for when choosing a VPN
How you plan on using the VPN determines which tunneling features will best serve you. VPN tunneling can be used for a number of purposes:
- Unblocking streaming sites from abroad: The VPN tunnel should be fast and stable, with no leaks that could give away your real IP address.
- Accessing the web from China: The VPN tunnel needs to be both inconspicuous and secure. Obfuscation is often used to hide VPN tunnels going in and out of China to bypass the Great Firewall. This also applies in other countries where VPNs are blocked like the UAE and Iran.
- Securing public wi-fi: The tunnel should be secure with no leaks. A kill switch can help keep this tunnel secure.
- Torrenting: Security and speed are both paramount here. The VPN should have a kill switch, no leaks, and preferably split tunneling.
- Private web browsing: Strong encryption in the VPN tunnel, combined with a no-logs policy and your browser’s incognito or private browsing mode, enables you to surf the web privately and anonymously.
Split tunneling
Split tunneling is a VPN feature that allows you to choose which data goes through the encrypted VPN tunnel and which uses a direct, unencrypted connection.
A few VPN apps offer split tunneling that allows you to choose which apps use the VPN and which do not. Although whitelisting which apps use the VPN is the most common type of split tunneling, it can also be done by device (at a router level), ports used, or type of traffic.
Split tunneling is useful in situations where only certain activities need to be protected by the VPN. While torrenting, for example, you can set your torrenting app to use the VPN while your web browser uses a normal internet connection.
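An added sketch (not from the original article or any VPN app) of app- and port-based split tunneling, including what happens to protected traffic when the tunnel drops with and without a kill switch. The `Flow`, `SplitPolicy`, `route` and `audit` names, the LAN bypass rule and the sample traffic are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    app: str
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class SplitPolicy:
    tunneled_apps: frozenset      # split by app
    tunneled_ports: frozenset     # split by port
    bypass_nets: tuple = ()       # assumed extra rule: destinations that always go direct
    kill_switch: bool = True

def route(flow, policy, tunnel_up):
    """Return 'tunnel', 'direct', 'blocked' or 'leak' for one outgoing flow."""
    dst = ipaddress.ip_address(flow.dst_ip)
    if any(dst in ipaddress.ip_network(net) for net in policy.bypass_nets):
        return "direct"
    if flow.app not in policy.tunneled_apps and flow.dst_port not in policy.tunneled_ports:
        return "direct"
    if tunnel_up:
        return "tunnel"
    # The flow was meant to be protected, but the tunnel is down.
    return "blocked" if policy.kill_switch else "leak"

def audit(flows, policy, tunnel_up):
    """Map each flow to its decision so unprotected traffic is easy to spot."""
    return {f: route(f, policy, tunnel_up) for f in flows}

# Constructed sample traffic (public addresses are from documentation ranges).
FLOWS = [
    Flow("torrent-client", "203.0.113.7", 51413),
    Flow("browser", "198.51.100.20", 443),
    Flow("torrent-client", "192.168.1.50", 8080),  # local web UI on the LAN
]
POLICY = SplitPolicy(frozenset({"torrent-client"}), frozenset(), ("192.168.1.0/24",))

if __name__ == "__main__":
    for up in (True, False):
        for flow, decision in audit(FLOWS, POLICY, up).items():
            print(f"tunnel_up={up} {flow.app:15} {flow.dst_ip:15} -> {decision}")
```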
See also: Best VPNs for split tunneling
What are VPN tunneling protocols?
A VPN tunneling protocol sets the rules for how your device and the VPN server communicate. Not all protocols are equal, and they each have their advantages and disadvantages. You can often choose between protocols in your VPN app settings.
Here are some of the most common VPN tunneling protocols in use today:
- OpenVPN: an open-source protocol that offers strong security and medium speed, and usually requires a third-party app to use. This is the most popular protocol among consumer VPN apps. Uses SSL encryption.
- WireGuard: a newer open-source protocol with fast speeds and decent security, though users’ IP addresses are stored on the server by default. Uses ChaCha20 encryption and usually requires a third-party app. You can find out more in our Best VPNs with Wireguard article.
- IKEv2: A medium-speed protocol that’s great at quickly reconnecting after losing signal, which makes it ideal for mobile users. Uses IPSec encryption. Support comes built into many newer devices.
- L2TP: A medium-speed protocol that comes built into many popular operating systems like Windows, macOS, iOS, and Android. Uses IPSec encryption.
- SSTP: Similar to L2TP but exclusive to Microsoft systems, such as Windows.
- PPTP: A fast but insecure protocol that shouldn’t be used due to known security vulnerabilities.
Many VPN apps have multiple protocols available to choose from. Some even have their own proprietary protocols, often based on those above. NordVPN’s NordLynx, ExpressVPN’s Lightway, VyprVPN’s Chameleon, and Hotspot Shield’s Hydra Catapult are all examples of proprietary VPN protocols.
Best VPNs that use tunneling
Some VPNs have faster or more secure tunnels than others. Comparitech tests and reviews dozens of VPNs to find out which ones will best protect your data while delivering high speeds and access to region-locked content around the world.
Here are short summaries of each VPN so you can make a quick decision:
- NordVPN: Top VPN for tunneling. This provider offers secure tunneling, using several protocols, including its own NordLynx protocol. Has more than 8,000 servers located around the globe. Fast with unlimited bandwidth.
TIP: In our testing we found that the cheapest NordVPN plan (Standard) works perfectly for tunneling.
- Surfshark: Best budget-priced VPN. The provider uses WireGuard to keep its users’ online travel hidden, has servers in 100+ countries, runs its servers from RAM, and provides access to content around the globe, including over 30 Netflix libraries.
- Total VPN: Top-notch VPN services and more. Uses WireGuard, as well as its own custom Hydra protocol. This provider also offers antivirus protection. Fast, well-protected connections open access to blocked content.
- Proton VPN: Well-known for its privacy-centric services. In addition to offering the WireGuard protocol, Proton also offers its own Stealth protocol. The company offers an array of privacy-centric services and apps.
- ExpressVPN: Premium VPN protection. This provider uses a custom “Lightway” protocol, providing secure and fast connections. Has 3,000+ servers in 100+ countries.
- IPVanish: Fast, well-encrypted connections. IPVanish includes WireGuard and OpenVPN among its tunneling options. Offers fast connections from more than 3,100 servers. Connect as many devices as you like at once.
- CyberGhost: Good VPN for first-time users. Uses the reliable WireGuard protocol for top-notch protection. Has a large server network of thousands of servers. Fast speeds for streaming and other popular online pastimes.
Here are our top picks for VPNs with the most secure tunneling:
1. NordVPN
Apps Available:
- PC
- Mac
- iOS
- Android
- Linux
- FireTV
Website: www.NordVPN.com
Money-back guarantee: 30 DAYS
NordVPN is our top recommended VPN for split tunneling. This veteran provider operates a huge network of servers around the world and is the fastest VPN we’ve tested. It works in China, unblocks Netflix and many other streaming services, and uses leak-proof encryption.
You can connect up to 10 devices at once, with apps available for Windows, macOS, iOS, Android, Android TV, Apple TV, Fire TV, and Linux. Chrome, Edge, and Firefox browser extensions are also available, as is compatibility with select routers.
Live chat support is available 24/7 on the website.
Supported tunneling protocols include NordLynx (WireGuard), OpenVPN, and IKEv2. Split tunneling is not supported, but an app-specific kill switch will cut selected programs off from the internet if the VPN connection drops for any reason.
Pros:
- Fastest VPN
- No logs
- Strong encryption
- Unblocks lots of streaming sites
- 24/7 live support
Cons:
- iOS app might not work in China
- Android app has no kill switch
BEST FOR TUNNELING: NordVPN is the fastest VPN around and boasts excellent security. Try it risk-free with a 30-day money-back guarantee.
Read our full NordVPN review.
2. Surfshark
Apps Available:
- PC
- Mac
- iOS
- Android
- Linux
Website: www.Surfshark.com
Money-back guarantee: 30 DAYS
Surfshark is a budget-friendly provider that doesn’t skimp on speed or privacy. It’s great for unblocking region-locked content like Netflix, Amazon Prime, BBC iPlayer, and Hulu. You can connect an unlimited number of devices at once, which makes this a great deal for a family or group of housemates.
Surfshark supports the following protocols: IKEv2, OpenVPN, WireGuard, and Shadowsocks.
Apps are available for Linux, Windows, macOS, iOS, iPadOS, Apple TV, Android, Android TV, and Amazon Fire TV devices. Extensions are available for the Chrome, Edge, or Firefox browser platforms. Surfshark can also be manually set up on several wireless router models.
Pros:
- Unlimited connections
- Unblocks streaming sites well
- No logs
- Strong encryption
Cons:
- Average speed
- Smaller number of servers
BUDGET CHOICE: Surfshark is a great unblocker with unlimited connections on a single plan. Try it out with a 30-day money-back guarantee.
Read our full Surfshark review.
3. Total VPN
Apps Available:
- PC
- Mac
- iOS
- Android
- Linux
Website: TotalVPN.com
Money-back guarantee: 30 DAYS
Total VPN keeps your online travels incognito by using a tunnel of 256-bit encryption, kill switch protection, and other privacy and security measures. The provider’s custom connection protocol, Hydra, is designed for top-notch performance while also hiding your online activities.
Fast, well-protected connections make the provider an excellent way to enhance and protect your favorite online pastimes. Total also offers antivirus protection.
Total VPN allows users to simultaneously connect up to five devices to the provider’s servers, and provides native app support for macOS, iOS, Windows, and Android devices. At the time of this writing, support for Linux, browsers, and routers is unavailable.
Pros:
- Servers around most areas of the globe
- Well-protected connections to content around the globe
- Hydra protocol designed for speed and obfuscation
- No user logs
Cons:
- Limited to 5 simultaneous connections
- App support limited to big four device platforms
ALL AROUND ONLINE PROTECTION: Total VPN provides comprehensive online security and privacy protection, as well as virus protection. The provider’s custom Hydra protocol offers top-notch protection and fast connections. A 30-day money-back guarantee is available for extended subscription plans.
Read our Total VPN review.
4. Proton VPN
Apps Available:
- PC
- Mac
- iOS
- Android
- Linux
Website: www.ProtonVPN.com
Money-back guarantee: 30 DAYS
Proton VPN provides reliable, encrypted access to geo-blocked content and services, while also offering several other privacy-centric apps and services, including private cloud storage, encrypted emails, a private AI assistant, and much more.
The WireGuard protocol, along with DNS and IPv6 leak protection, and a kill switch option all combine to keep your online travels incognito. ProtonVPN never saves any user logs on its servers.
ProtonVPN app support includes offerings for the Android, iOS, iPadOS, Windows, Mac, Chromebook, Linux, Android TV, Apple TV, and Amazon Fire TV device platforms, as well as browser extensions for the Chrome and Firefox platforms. The VPN can also be configured to work with select routers able to be configured as an OpenVPN or WireGuard VPN client.
Users can simultaneously connect up to 10 devices to the ProtonVPN server network.
Pros:
- Comprehensive online security and privacy
- Saves no user logs on its servers
- Offers several other privacy and security-centric apps and services
Cons:
- Connections to only 5 servers in free version
- Slower connections for free users
PRIVACY AND MORE: Proton VPN offers comprehensive VPN protection and it also offers other privacy and security-enhancing apps and services. The VPN provides fast, encrypted connections to content around the globe. Offers a 30-day money-back guarantee.
Read our comprehensive Proton VPN review.
5. ExpressVPN
Apps Available:
- PC
- Mac
- iOS
- Android
- Linux
Website: www.ExpressVPN.com
Money-back guarantee: 30 DAYS
ExpressVPN is a premium service with rock-solid apps and fast performance. It’s great for unblocking region-locked streaming services like Netflix, BBC iPlayer, Hulu, and Prime Video.
The apps for macOS, Windows, iOS, iPadOS, Apple TV, Android, Android TV, Linux devices, and certain wi-fi routers are all leak-proof and use the strongest available encryption. Chrome browser extensions are also available. When it comes to security, ExpressVPN is at the front of the pack.
Supported protocols include Lightway (ExpressVPN’s proprietary protocol), OpenVPN, L2TP, and IKEv2. Split tunneling allows you to choose which apps use the VPN and which use a direct, unencrypted connection.
ExpressVPN reliably bypasses China’s Great Firewall. You can connect up to five devices at a time. Live chat support is available 24/7.
Pros:
- Extremely secure
- Easy to use
- Unblocks most streaming services
Cons:
- On the pricier side
- Average speed
SECURE TUNNEL: ExpressVPN is a privacy-first VPN. It works with a wide range of devices and offers an all-around excellent service. Comes with a 30-day money-back guarantee.
Read our full ExpressVPN review.
6. IPVanish
Apps Available:
- PC
- Mac
- iOS
- Android
- Linux
Website: www.IPVanish.com
Money-back guarantee: 30 DAYS
IPVanish has long been a favorite among torrenters and Kodi users. It unblocks Netflix and a few other streaming services, but it’s not a region-unblocking powerhouse like others on this list. Instead, IPVanish is all about security. You can even change your IP address at set intervals and enable obfuscation to avoid detection.
Like Surfshark, IPVanish lets you connect as many devices as you want on a single plan. Apps are available for macOS, iOS, iPadOS, Chrome OS, Windows, Amazon Fire TV, Apple TV, Android, and Android TV devices. IPVanish can be manually set up on Linux devices and wifi routers.
IPVanish protocols consist of WireGuard, IKEv2, OpenVPN, L2TP, IPSec, and PPTP.
Pros:
- Strong security
- No logs
- Good for torrenting
Cons:
- Not the fastest
- Can’t unblock as many streaming services
SECURE TUNNELING: IPVanish is a solid VPN if you want to maximize privacy and security on all the devices in your house. It’s backed by a 30-day money-back guarantee.
Read our full IPVanish review.
7. CyberGhost
Apps Available:
- PC
- Mac
- iOS
- Android
- Linux
Website: www.Cyberghost.com
Money-back guarantee: 45 DAYS
CyberGhost is an easy-to-use VPN that makes unblocking streaming services and securing your web browsing simple. Users can choose the streaming service they want to unblock right from the app instead of guessing at which server to use. CyberGhost uses strong encryption and keeps no logs of its users’ activity or other identifying information.
CyberGhost supports the WireGuard, OpenVPN, IKEv2, L2TP, and PPTP protocols. You can connect up to seven devices at once on Linux, Windows, macOS, iOS, iPadOS, Amazon Fire TV, Android, and Android TV devices. Chrome and Firefox browser extensions are also available, and the service can be manually configured on select routers.
Pros:
- Easy to use
- No logs
- Unblocks tons of streaming services
Cons:
- Doesn’t work reliably from China or UAE
- Better suited to beginners than advanced users
EASY VPN TUNNEL: CyberGhost packs great security, speeds, and unblocking into user-friendly apps. It comes with a 45-day money-back guarantee.
Read our full CyberGhost review.
Related: The differences between a split tunnel and full tunnel VPN