
How VPN encryption actually works (in plain English)

AES-256, tunnels, no-log policies — without the math. A clear, jargon-free explanation of what really happens when you flip on a VPN. Try Orion/VPN free with 10 GB.

You press a button. A little icon turns green. Your traffic, the marketing copy promises, is now “encrypted.” But what does that actually mean? What just changed about the data leaving your laptop, and what does it actually protect you from?

This is how VPN encryption works in plain English — no math, no acronym soup, just the moving parts you’d want a friend to explain to you. We’ll cover what VPN encryption is, what AES-256 is doing inside the VPN tunnel, and where its protection ends. By the end you’ll know exactly what you bought.

The 30-second version

A VPN takes everything your device sends to the internet, scrambles it with a key only your device and the VPN server know, and ships it through a private connection — the encrypted tunnel — to that server. The server unscrambles it, sends it on to the website you wanted, takes the reply, scrambles it again, and sends it back. To anyone watching the wire — your coffee shop’s Wi-Fi, your internet provider, the airport network — your traffic looks like meaningless noise headed to one address. They can’t see what sites you’re visiting. They can’t read your messages. They can see only that you’re talking to a VPN, and nothing about what you’re saying.

That’s the whole picture. The rest is detail.

What happens before VPN — the open mail metaphor

Imagine the internet as a postal system that runs on postcards. Every time your laptop wants something — a webpage, a video, a chat message — it writes a postcard. That postcard has the destination address on the front and the message on the back, and it has to pass through several sorting offices on its way: your router, your internet provider, possibly your government’s filtering equipment, the destination’s hosting provider, and so on.

Anyone handling that postcard can read it. They can read the address. They can read the message. They can also keep a copy if they want, and many do — your internet provider absolutely keeps a record of which addresses your postcards went to, even if they don’t always read the back.

Modern websites do put part of the message in a sealed envelope (that’s what the little padlock in your browser is). But the address on the front is still visible. So your provider always knows you visited a particular site, even if they don’t know exactly which page or what you typed there. And on a public Wi-Fi network, anyone with basic tools can watch the addresses fly by — and a lot more besides if some of those postcards aren’t sealed.

This is the default. Open mail. Travels through many hands. Each one can look. If you’ve ever wondered why you need a VPN at all, this is it: the default state of the internet is “everyone in the path can see who you’re talking to.”

What a VPN actually does — the locked envelope

Here’s the change. When you press connect, your device and the VPN server perform a quick handshake — a few milliseconds of back-and-forth where they agree on a secret key that nobody else in the world has. Not your provider, not the coffee shop, not anyone watching. Just your device and that one server.

From that moment on, every postcard your device wants to send gets put inside a locked metal box first. The box has the VPN server’s address on it — and only that address. The original postcard, with the real destination and the real message, is sealed inside. The lock is the encryption. The key, the one you and the server agreed on, is the only thing that opens it.

The lock material in modern VPNs is AES-256. AES is the encryption standard that banks, militaries, and governments use to protect their most sensitive data; the 256 is the size of the key. To put numbers on it: there are more possible AES-256 keys than there are atoms in the observable universe, by a wide margin. Nobody is guessing it. Nobody is brute-forcing it on a laptop, on a server farm, or on the entire planet’s combined computing power running for the age of the universe. When people say AES-256 is unbreakable for practical purposes, they mean it.

So your traffic now flows like this: your device locks the postcard, ships the locked box to the VPN server, the server unlocks it, reads the real address, and forwards the original postcard onward. Replies come back the same way in reverse. The path between your device and the VPN server is the VPN tunnel — encrypted traffic, end to end, with the lock holding the whole way.

What can your provider see now? They see locked boxes leaving your device. They see the boxes are addressed to the VPN. They cannot see what’s inside. They cannot see the real destination. They cannot see the message. The locked envelope replaces the open postcard, and the entire route from you to the VPN is now a private connection.
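To make the locked-box picture concrete, here is an added example in Go that plays both ends of the tunnel. It is not Orion/VPN’s code and not any particular VPN protocol’s wire format: a fresh X25519 handshake derives the shared key, the device seals a postcard (real destination plus message) under AES-256-GCM inside a box addressed only to the VPN server, an Observe function shows what the coffee-shop Wi-Fi or your provider learns from that box, and the server opens the box to recover the real destination. The server address `vpn.example.net` and the sample traffic are constructed placeholders, and hashing the shared secret with SHA-256 is a stand-in for a real key-derivation step.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// vpnServer is a constructed placeholder: the only address an observer on the wire ever sees.
const vpnServer = "vpn.example.net"

// Postcard is the real packet: the true destination and the message.
type Postcard struct{ Destination, Message string }

// LockedBox is what leaves the device: addressed to the VPN server only, postcard sealed inside.
type LockedBox struct {
	To    string
	Nonce []byte
	Body  []byte // AES-256-GCM ciphertext of the encoded Postcard
}

// Handshake models the key agreement with fresh (ephemeral) X25519 key pairs: only the public halves
// cross the wire, yet both sides compute the same secret. SHA-256 of that secret stands in for a real KDF.
func Handshake() (deviceKey, serverKey []byte, err error) {
	devicePriv, err1 := ecdh.X25519().GenerateKey(rand.Reader)
	serverPriv, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	ds, err1 := devicePriv.ECDH(serverPriv.PublicKey()) // device side: own private key, server's public key
	ss, err2 := serverPriv.ECDH(devicePriv.PublicKey()) // server side: own private key, device's public key
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	d, s := sha256.Sum256(ds), sha256.Sum256(ss)
	return d[:], s[:], nil // 32 bytes each: AES-256 key material, identical on both sides
}

// encode joins destination and message with a zero byte (hostnames never contain one).
func encode(p Postcard) []byte { return append(append([]byte(p.Destination), 0), p.Message...) }

func decode(b []byte) (Postcard, error) {
	i := bytes.IndexByte(b, 0)
	if i < 0 {
		return Postcard{}, errors.New("malformed postcard")
	}
	return Postcard{Destination: string(b[:i]), Message: string(b[i+1:])}, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Lock is the device side: seal the postcard in a box addressed to the VPN server. The outer address
// is bound into the seal as associated data, so it can't be swapped without breaking the seal.
func Lock(key []byte, p Postcard) (LockedBox, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return LockedBox{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return LockedBox{}, err
	}
	return LockedBox{To: vpnServer, Nonce: nonce, Body: aead.Seal(nil, nonce, encode(p), []byte(vpnServer))}, nil
}

// Unlock is the server side: open the box to learn the real destination and forward the postcard.
// This is the one place the postcard is readable again, which is what the no-logs discussion is about.
func Unlock(key []byte, box LockedBox) (Postcard, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Postcard{}, err
	}
	plain, err := aead.Open(nil, box.Nonce, box.Body, []byte(box.To))
	if err != nil {
		return Postcard{}, errors.New("wrong key, or box tampered with")
	}
	return decode(plain)
}

// Observe is everything a network in the path (Wi-Fi, ISP) learns from one box: the VPN's address and the size.
func Observe(box LockedBox) (to string, size int) { return box.To, len(box.Body) }

func main() {
	deviceKey, serverKey, err := Handshake()
	if err != nil {
		panic(err)
	}
	box, err := Lock(deviceKey, Postcard{"news.example.org", "GET /front-page"}) // constructed sample traffic
	if err != nil {
		panic(err)
	}
	to, size := Observe(box)
	p, err := Unlock(serverKey, box)
	fmt.Printf("on the wire: %d bytes to %s; server forwards %q to %s (err=%v)\n", size, to, p.Message, p.Destination, err)
}
```

Run it with `go run` and the printed line puts the observer’s view (an address and a byte count) next to the server’s view (the real destination and message). Two properties worth noticing: flipping any byte of the box, or changing its outer address, makes Unlock fail rather than return garbage, and because each handshake makes fresh keys, a key from a later handshake does not open this box at all, which is the forward-secrecy property the page mentions further down.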

What “no logs” really adds

Here’s a subtle point that trips up a lot of people. Encryption protects the message in transit. It does not, by itself, protect you against the messenger.

Think about it: the VPN server has to unlock your boxes. That’s its job. That means for a fraction of a second, on that one server, your real destinations are visible — to the VPN itself. If the VPN keeps a record of “this customer visited these addresses at these times,” then in a meaningful sense the VPN now knows things your internet provider used to know. You haven’t bought privacy. You’ve changed who has the file on you.

This is why a no-logs policy is the second pillar, right next to encryption. A real no-logs VPN never writes that information down in the first place. The traffic comes in, gets unlocked, gets forwarded, the response comes back, gets locked again, gets sent home — and nothing about it is stored. Subpoenas, hacks, government requests: there’s no file to hand over because there’s no file.

If you want the long version of how this works in practice, our piece “no-log VPN explained” walks through what a real no-logs setup looks like and what to watch for in the marketing copy. The short version: encryption + no logs is the combination. Either alone leaves a hole.

What encryption doesn’t protect against

Every honest article about VPNs has to include this section, and most don’t. So here it is. AES-256 is genuinely strong. The VPN tunnel is genuinely private. But there are things encryption flatly does not do, and you should know them.

Encryption does not log you out of your accounts. If you log into a website with your real name and email, that website knows it’s you. The VPN hid your traffic on the way there, but you handed over your identity at the door. The site can still profile what you do once you’re logged in.

Encryption does not stop tracking that lives on the site itself. Cookies, browser fingerprinting, the analytics scripts on every page — those operate inside the postcard. Your VPN scrambled the envelope, but once the site unwraps it, all that machinery still runs. A VPN is not a substitute for blocking trackers in your browser.

Encryption does not stop malware. If you download a malicious file through a VPN, it’s still malicious when it arrives. The tunnel doesn’t inspect the contents.

Encryption does not anonymize your payment details. If you bought something with your real credit card, the merchant has your name. The VPN hid the route. It didn’t change who you are.

The honest framing: a VPN protects who’s in the path between you and the internet — your provider, the network, anyone watching the wire — from knowing where you’re going and what you’re saying. It doesn’t protect you from the destinations themselves, and it doesn’t protect you from yourself. Those need different tools.

How to verify the encryption is real

Marketing pages all say “military-grade encryption.” How do you tell the real ones from the theatre?

Look for a modern protocol. A VPN uses what’s called a protocol — the rulebook for how the tunnel is built and maintained. Modern protocols are fast, lean, and widely scrutinized by security researchers. Older ones are slow, bloated, and have known weak points. A serious VPN names its protocol clearly and explains what it does. A vague “advanced encryption technology” with no specifics is a red flag.

Look for open standards. The encryption itself should be based on open, well-known standards, not a “proprietary algorithm we invented.” AES-256 is open. Anyone can study it. The math has been beaten on by the entire planet for decades and survived. “Custom encryption” almost always means weak encryption.

Look for an explanation. A trustworthy VPN can explain how the tunnel is built, what protects the keys, and what the no-logs guarantee actually covers — in writing, on their site, without hand-waving. If their answer is just “trust us, it’s secure,” they have not told you anything.

Look at the protocol options. A VPN that offers a single mode is making one tradeoff for everyone. A VPN that lets you choose — speed-first or stealth-first, depending on the network you’re on — is treating you like an adult. We’ve written about that tradeoff in “stealth vs speed VPN protocol” if you want to see how it plays out.

Two modes, one principle

Orion/VPN ships two transport modes: Horizon, tuned for speed on cooperative networks, and Wind, tuned for stealth on hostile ones. The encryption underneath both is the same — modern, open, AES-256-class, with a clean handshake and forward-secret keys so a key compromise tomorrow can’t unlock the traffic you sent today.

The reason two modes exist is that the rest of the world isn’t uniform. A home connection in Berlin needs different traits than a hotel network in Istanbul or a mobile data link inside a country that filters aggressively. Same lock, different envelope shapes. The lock is the part that matters; the envelope is just how it travels.

Wrap

VPN encryption is genuinely strong, and you don’t need a math degree to trust it. The picture is simple: your traffic gets sealed before it leaves your device, travels the route as meaningless noise, and gets opened only at the VPN server, where a no-logs policy makes sure no record of it survives. AES-256 inside the tunnel is the lock. The encrypted tunnel is the path. The no-logs policy is the promise that nobody saved a copy.

That’s how VPN encryption works. Not magic, not theatre — just a small set of well-understood pieces, used carefully. If you want to feel the difference yourself, Orion/VPN gives you 10 GB free every month, no card, no commitment. Connect once and watch your traffic vanish from the network you’re on. That’s the encryption doing its job.
