⚡ What is a VPN?
A VPN (Virtual Private Network) creates an encrypted tunnel between a device and a network over the public internet, making traffic appear to originate from the VPN endpoint rather than the user's actual location. It provides confidentiality, integrity, and authentication for traffic that would otherwise travel unprotected. On both Network+ and Security+ exams, VPNs are tested heavily — especially tunneling protocols, types, and split tunneling.

How a VPN works

Without a VPN, your traffic travels from your device to its destination in a way that your ISP, network administrators, and potentially attackers on the same network can observe: at minimum the destination addresses, and the content too unless the application already uses TLS. A VPN changes this by wrapping your traffic in an encrypted tunnel to a VPN server: everything between you and that server is encrypted and unreadable to outside observers. The protection ends at the VPN server, which decrypts the traffic and forwards it on, so the VPN operator (your employer, or a commercial provider) now sees what the ISP used to see.

💻 Your device
  Encrypts traffic before sending: the original packet becomes the payload of an outer, encrypted packet addressed to the VPN server
🔒 Encrypted tunnel
  Travels over the public internet
  The ISP and anyone on the local network see only encrypted data addressed to the VPN server; the real destination is hidden (the VPN server's IP, packet sizes and timing remain visible)
🖥️ VPN server
  Decrypts and forwards the traffic
  The request now appears to come from the VPN server's IP
🌐 Destination
  Receives the request normally
  Sees the VPN server's IP, not your device's IP

The key concept here is tunneling — encapsulating one network protocol inside another. The original packet becomes the payload inside an outer encrypted packet. This is why VPNs can traverse the public internet securely.

Types of VPN

👤
Remote Access VPN
Client-to-Site
An individual user connects to a corporate network from a remote location. The VPN client on their device establishes a tunnel to the VPN concentrator at the office.
→ Most common type. Used for remote workers.
🏢
Site-to-Site VPN
Network-to-Network
Two entire networks are connected through a persistent VPN tunnel — typically two office locations. No VPN client needed on individual devices; the routers handle it.
→ Connecting branch offices to HQ securely.
🌍
SSL/TLS VPN
Browser-Based
Uses standard HTTPS (port 443) to create the tunnel. In clientless mode the user works through a web portal in the browser; full-tunnel SSL VPNs still use a client (OpenVPN and most vendor clients tunnel over TLS). Harder to block since port 443 is almost always open.
→ Easy to deploy, works through firewalls.
🔐
IPsec VPN
Network Layer
Operates at Layer 3 (Network layer) of the OSI model. Provides strong encryption and authentication. Standard for site-to-site VPNs and enterprise remote access.
→ Most common for enterprise and site-to-site.

VPN tunneling protocols — the exam table

Protocol | Port / Layer | Encryption | Status | Key facts
IPsec | Layer 3 (IP). IKE on UDP 500, NAT-T on UDP 4500; ESP is IP protocol 50, AH is IP protocol 51 | AES, 3DES | Current | Two modes: Transport (encrypts payload only) and Tunnel (encrypts entire packet). Uses AH and ESP protocols.
OpenVPN | UDP 1194 by default, optionally TCP 443 | TLS control channel, AES data channel | Current | Open-source, highly configurable. Can run on TCP 443 to pass firewalls that allow only HTTPS. Widely used in enterprise and consumer VPNs.
WireGuard | UDP 51820 | ChaCha20-Poly1305, Curve25519 key exchange | Current | Modern, lean protocol with far less code than OpenVPN or IPsec, which shrinks the attack surface and makes auditing practical. Fast and increasingly adopted.
L2TP/IPsec | UDP 1701 (L2TP) carried inside IPsec; IKE on UDP 500 and 4500 | IPsec (AES) | Legacy | L2TP provides the tunnel but no encryption of its own, so it is always paired with IPsec, which supplies the confidentiality and integrity. Common on older enterprise systems and built into most operating systems.
SSTP | TCP 443 | TLS | Legacy | Microsoft protocol that carries PPP over HTTPS. Uses the HTTPS port so it passes through most firewalls. Windows-only natively.
PPTP | TCP 1723 for control, GRE (IP protocol 47) for data | MPPE (RC4, weak) | Deprecated | Old Microsoft protocol. Its MS-CHAPv2 authentication can be cracked offline and the MPPE session keys recovered from it. Appears on the exam as the example of a weak/insecure VPN. Do not use.
⚡ PPTP on the exam

PPTP appears frequently on Security+ as the answer to "which VPN protocol is considered insecure?" Its MS-CHAPv2 authentication handshake can be cracked, which exposes the MPPE (RC4) keys that protect the session, so it should never be used on modern networks. If a question asks which VPN protocol to avoid or replace, PPTP is the answer.

Contrast with IPsec and OpenVPN — both are considered secure and current standards.

IPsec modes and components — Security+ detail

IPsec is the most heavily tested VPN technology on both Network+ and Security+. You need to know its two modes and two core protocols:

IPsec — modes and protocols
Transport Mode
  Encrypts only the payload (data portion) of each IP packet
  Original IP header preserved — source and destination IPs visible
  Used for end-to-end encryption between two hosts

Tunnel Mode
  Encrypts the entire original IP packet (header + payload)
  New outer IP header added with VPN endpoint addresses
  Used for gateway-to-gateway (site-to-site) VPNs

AH — Authentication Header (IP protocol 51)
  Provides integrity and authentication but no encryption
  Verifies the packet hasn't been tampered with; its integrity check also covers the immutable fields of the IP header, so it detects address changes, which is exactly why AH cannot pass through NAT

ESP — Encapsulating Security Payload (IP protocol 50)
  Provides encryption + integrity + authentication
  Most commonly used. Its integrity check covers the ESP header and payload but not the outer IP header, so ESP (with NAT-T on UDP 4500) works through NAT where AH does not
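The encapsulation described in "How a VPN works" and the transport/tunnel distinction above, as an added example that is not code from the original article: the Python below builds a small IPv4 packet, wraps it in an ESP packet in both modes, strips it again on the receiving side, and rejects a packet whose bytes were changed in transit by checking the ICV before decrypting. The addresses, SPI values and keys are constructed for the example. The ESP layout (SPI, sequence number, IV, padding, pad length, next header, ICV) follows RFC 4303, but the cipher is a stand-in keystream built from HMAC-SHA256 so the block runs on the standard library alone; real ESP uses AES-GCM or AES-CBC with HMAC, and real keys come from IKE.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct

IPPROTO_IPIP = 4    # next-header value for a whole IPv4 packet inside ESP (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50

# Constructed keys for the example only; a real SA gets its keys from IKE.
ENC_KEY = bytes.fromhex("00" * 31 + "01")
AUTH_KEY = bytes.fromhex("ff" * 32)


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(header)
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def parse_ipv4(packet: bytes) -> dict:
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": packet[ihl:total_len]}


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in for AES-CTR: HMAC-SHA256 run in counter mode. Not an IPsec cipher."""
    blocks = [hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range(-(-n // 32))]
    return b"".join(blocks)[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(spi: int, seq: int, next_header: int, inner: bytes) -> bytes:
    """RFC 4303 layout: SPI | seq | IV | enc(inner | padding | pad_len | next_header) | ICV."""
    iv = secrets.token_bytes(8)
    pad_len = (-(len(inner) + 2)) % 4             # trailer must end on a 4-byte boundary
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ciphertext = xor(plaintext, keystream(ENC_KEY, iv, len(plaintext)))
    authed = struct.pack("!II", spi, seq) + iv + ciphertext
    icv = hmac.new(AUTH_KEY, authed, hashlib.sha256).digest()[:16]   # HMAC-SHA-256-128 style truncation
    return authed + icv


def esp_decapsulate(esp: bytes) -> tuple:
    """Verify the ICV first, then decrypt. Returns (spi, seq, next_header, inner)."""
    authed, icv = esp[:-16], esp[-16:]
    expected = hmac.new(AUTH_KEY, authed, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP ICV mismatch: packet modified in transit or wrong SA key")
    spi, seq = struct.unpack("!II", authed[:8])
    plaintext = xor(authed[16:], keystream(ENC_KEY, authed[8:16], len(authed) - 16))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return spi, seq, next_header, plaintext[:len(plaintext) - 2 - pad_len]


def transport_mode(original: bytes, spi: int, seq: int) -> bytes:
    """Host-to-host: keep the original IP header (addresses stay visible), encrypt only the payload."""
    p = parse_ipv4(original)
    return build_ipv4(p["src"], p["dst"], IPPROTO_ESP, esp_encapsulate(spi, seq, p["proto"], p["payload"]))


def tunnel_mode(original: bytes, spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    """Gateway-to-gateway: the whole original packet is encrypted; a new outer header names the gateways."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_ESP, esp_encapsulate(spi, seq, IPPROTO_IPIP, original))


def receive(packet: bytes) -> tuple:
    """Receiving side: strip ESP and return (mode, inner packet fields)."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    _, _, next_header, data = esp_decapsulate(outer["payload"])
    if next_header == IPPROTO_IPIP:
        return "tunnel", parse_ipv4(data)
    return "transport", {"src": outer["src"], "dst": outer["dst"], "proto": next_header, "payload": data}


if __name__ == "__main__":
    inner = build_ipv4("10.1.0.5", "10.2.0.7", IPPROTO_TCP, b"constructed payload")
    for name, pkt in [("transport", transport_mode(inner, 0x1001, 1)),
                      ("tunnel", tunnel_mode(inner, 0x2002, 1, "203.0.113.1", "198.51.100.1"))]:
        outer = parse_ipv4(pkt)
        print(f"{name}: on the wire {outer['src']} -> {outer['dst']}, proto {outer['proto']}; "
              f"inner after decapsulation: {receive(pkt)[1]}")
```

Running it shows the exam point directly: the transport-mode packet still carries 10.1.0.5 and 10.2.0.7 in its outer header, while the tunnel-mode packet shows only the two gateway addresses until the receiving gateway decapsulates it. The ICV is checked before anything is decrypted, which is the order ESP requires so that an attacker's modified ciphertext is never fed to the cipher.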

Split tunneling

Split tunneling determines whether all of a user's traffic goes through the VPN, or only traffic destined for the corporate network.

Full Tunneling
All traffic through VPN
All internet traffic routed through VPN server
Company can monitor and filter all traffic
Higher bandwidth load on VPN infrastructure
More secure — no traffic escapes the tunnel
Slower for user — all traffic hairpins through VPN
Split Tunneling
Only corporate traffic through VPN
Corporate traffic → VPN tunnel
Internet traffic → direct to ISP (not through VPN)
Reduces VPN bandwidth load significantly
Faster browsing for users
Security risk — internet traffic unmonitored by IT
⚡ Split tunneling exam angle

The Security+ exam frequently frames split tunneling as a security risk. The concern is that a remote employee's device connects to both the corporate VPN and the public internet simultaneously — if the device is compromised, an attacker could potentially use it as a pivot point into the corporate network.

Exam question pattern: "Which VPN configuration poses the greatest security risk?" → Split tunneling.
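The full-versus-split comparison above and the pivot concern, as an added example that is not code from the original article: the Python below models the client routing table each configuration produces and decides, per destination, whether a packet leaves through the tunnel interface or straight to the ISP. The route shapes mirror what OpenVPN's push "redirect-gateway def1" (two /1 routes that outrank the default without deleting it) and push "route ..." directives install; the interface names, corporate prefixes, VPN server address and sample destinations are constructed.

```python
import ipaddress

# Constructed values for the example.
VPN_SERVER = "203.0.113.10"                     # the tunnel's own endpoint must always be reached directly
CORP_NETS = ["10.0.0.0/8", "172.16.0.0/12"]     # prefixes the corporate side pushes to clients


def routing_table(mode: str, corp_nets=CORP_NETS) -> list:
    """Client routes after the VPN comes up, as (network, interface) pairs.
    split : only the pushed corporate prefixes point at tun0; the ISP default stays on eth0.
    full  : plus 0.0.0.0/1 and 128.0.0.0/1 via tun0 (OpenVPN's 'redirect-gateway def1' trick),
            which together cover every address and beat the /0 default on prefix length."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), "eth0"),
             (ipaddress.ip_network(VPN_SERVER + "/32"), "eth0")]
    table += [(ipaddress.ip_network(n), "tun0") for n in corp_nets]
    if mode == "full":
        table += [(ipaddress.ip_network("0.0.0.0/1"), "tun0"),
                  (ipaddress.ip_network("128.0.0.0/1"), "tun0")]
    elif mode != "split":
        raise ValueError("mode must be 'full' or 'split'")
    return table


def egress(dst: str, table: list) -> str:
    """Longest-prefix match, the same rule a host's forwarding table applies."""
    ip = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in table if ip in net]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches)[1]


def unmonitored(destinations: list, table: list) -> list:
    """Destinations whose traffic bypasses the VPN, and therefore corporate inspection.
    A non-empty result alongside tun0 routes is the split-tunnel exposure the exam describes:
    the same host talks to the corporate network and the open internet at once."""
    return [d for d in destinations if egress(d, table) != "tun0"]


if __name__ == "__main__":
    samples = ["10.1.2.3", "172.20.5.5", VPN_SERVER, "198.51.100.44"]
    for mode in ("full", "split"):
        table = routing_table(mode)
        print(f"{mode:5} tunnel:", {d: egress(d, table) for d in samples},
              "| unmonitored:", unmonitored(samples, table))
```

Note that the /32 host route to the VPN server wins in both modes: even a full tunnel has one flow that goes direct, the encrypted tunnel itself, which is why the client must install that route before redirecting the default.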

Key VPN terms

VPN vocabulary — Network+ and Security+ exam
VPN Concentrator     → Dedicated hardware or software that terminates and manages many VPN connections at scale
Tunnel               → The encrypted path through which encapsulated packets travel
Encapsulation        → Wrapping one packet inside another so it crosses the network as an ordinary payload
IKE / IKEv2          → Internet Key Exchange: authenticates the peers and negotiates IPsec security associations (SAs); runs over UDP 500, or UDP 4500 when NAT traversal is in use
Security Association → The agreed algorithms, keys, SPI and lifetime for one direction of traffic between two IPsec peers (a two-way tunnel needs a pair of SAs)
Always-on VPN        → The device brings the tunnel up automatically, even before user login, so no traffic leaves unprotected
Clientless VPN       → Browser-based SSL/TLS VPN portal; no client software required
Split DNS            → Corporate domain names are resolved through the VPN by internal DNS servers; all other queries go to the normal public resolver

Exam scenarios

💬 "Which VPN protocol is considered insecure and should be replaced?" → PPTP
💬 "A remote employee needs to access the corporate network securely. Which VPN type should be deployed?" → Remote access (client-to-site) VPN
💬 "Two branch offices need to be connected securely over the internet. Which VPN type is most appropriate?" → Site-to-site VPN
💬 "Which IPsec mode encrypts the entire IP packet including the original header?" → Tunnel mode
💬 "Which IPsec protocol provides encryption in addition to authentication and integrity?" → ESP (Encapsulating Security Payload)
💬 "A VPN configuration where only corporate traffic goes through the VPN tunnel is called ___" → Split tunneling
💬 "Which VPN configuration poses the greatest security risk for remote workers?" → Split tunneling
💬 "An organization needs a VPN that works through restrictive firewalls without special ports. Which protocol should they use?" → SSL/TLS VPN or OpenVPN on port 443
💬 "Which protocol is responsible for negotiating IPsec security associations?" → IKE / IKEv2
