VPN tunnel service protocol

Wrap a private packet inside a public one so it can cross an untrusted network sealed and unread.

The idea

Imagine mailing a sealed letter inside a second, plain envelope. Anyone handling the outer envelope sees only the post office address — not the letter, not who it's really for. A VPN tunnel does the same to network packets.

Your real packet (private source, private destination, payload) is encapsulated: encrypted and placed inside a new outer packet addressed gateway-to-gateway. The public internet routes the outer packet; only the far gateway can open it, decapsulate, and forward the original onto the private network.


How it works

The tunnel endpoint (a client or gateway) takes each outgoing IP packet, encrypts and authenticates it, and prepends a fresh outer header addressed to the peer endpoint's public IP. The encrypted original, header and all, becomes opaque payload. The peer reverses the process, but in a strict order: it verifies the authentication tag and the anti-replay sequence number first, drops anything that fails, and only then decrypts and forwards the inner packet.

# Sending side — encapsulate
def tunnel_send(inner_packet, peer_pub_ip, session_key):
    sealed = encrypt(inner_packet.bytes(), session_key)   # authenticated encryption of the whole packet
    outer = IPPacket(
        src = my_public_ip,
        dst = peer_pub_ip,          # gateway-to-gateway, not the real dst
        proto = "ESP",              # IPsec; or UDP for WireGuard/OpenVPN
        payload = sealed,
    )
    send_over_internet(outer)

# Receiving side — decapsulate
def tunnel_recv(outer, session_key):
    sealed = outer.payload
    inner_bytes = decrypt(sealed, session_key)            # bad tag or replayed sequence number -> None
    if inner_bytes is None:
        return                                            # drop silently; never forward unverified data
    inner = parse_ip(inner_bytes)
    route_into_private_network(inner)                     # deliver to real dst

Because the real addresses live inside the encrypted payload, an observer on the public path learns only that gateway A is talking to gateway B, plus what no tunnel hides: that a tunnel is in use, and the size, timing and volume of its packets. The inner addresses, ports and contents stay opaque.

Cost

Property             Effect
Per-packet overhead  +40–80 bytes: outer IP (and UDP) header, nonce/sequence number, padding and authentication tag
Effective MTU        Drops (e.g. 1500 → ~1420); oversized packets fragment, or vanish if DF is set and the ICMP "fragmentation needed" reply is filtered (PMTU black hole)
CPU                  Encrypt/decrypt + MAC on every packet, both ends
Latency              One extra hop through each gateway plus crypto time

Watch out for

Worked example

A laptop at a coffee shop (tunnel address 10.0.0.7) opens an internal dashboard at 10.0.5.9. Its packet is encrypted and wrapped in an outer packet from the laptop's public address (in practice the café's NAT address) to the office gateway's public IP. Across the café Wi-Fi and the open internet, every router sees only client-to-gateway traffic carrying ciphertext. At the office, the gateway verifies the tag, decrypts, recovers the original 10.0.0.7 → 10.0.5.9 packet, and forwards it onto the LAN. The reply takes the mirror path home.
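The encapsulate/decapsulate flow described under "How it works", carried through for the worked example above as a runnable Python block. This is an added example, not code from the original page or from any VPN implementation: it builds real IPv4 headers, but uses an HMAC-SHA256 keystream and tag as a stand-in for a real AEAD cipher (ChaCha20-Poly1305 or AES-GCM in practice), lays the sealed payload out as nonce || ciphertext || tag (this example's own format, not ESP or WireGuard framing), and assumes the public addresses 203.0.113.10 (café side) and 198.51.100.1 (office gateway) and a constructed session key.

```python
import hashlib
import hmac
import socket
import struct

NONCE_LEN, TAG_LEN, WINDOW = 8, 16, 64   # 64-bit counter as nonce; truncated tag; replay window
OUTER_PROTO = 50                         # ESP's protocol number; the payload layout is this example's own


def _checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum over an IPv4 header; 0 when the header's checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, then the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed header; raise ValueError for anything that is not a sane IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total < ihl or len(pkt) < total or _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad length or header checksum")
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:total]}


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """PRF in counter mode, XORed over data: a stand-in for a real AEAD cipher, not one to deploy."""
    stream = b"".join(_prf(key, nonce + struct.pack("!I", i)) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


class TunnelEndpoint:
    """One end of the tunnel: seals packets towards the peer, opens packets from it."""

    def __init__(self, my_pub_ip: str, peer_pub_ip: str, session_key: bytes):
        self.my_pub_ip, self.peer_pub_ip = my_pub_ip, peer_pub_ip
        me, peer = socket.inet_aton(my_pub_ip), socket.inet_aton(peer_pub_ip)
        # One key pair per direction: both sides start their counter at 0, so a single
        # shared encryption key would reuse keystream across the two directions.
        self.send_enc, self.send_mac = _prf(session_key, b"enc" + me + peer), _prf(session_key, b"mac" + me + peer)
        self.recv_enc, self.recv_mac = _prf(session_key, b"enc" + peer + me), _prf(session_key, b"mac" + peer + me)
        self.send_counter, self.highest_seen, self.seen = 0, -1, set()

    def encapsulate(self, inner: bytes) -> bytes:
        """Encrypt and authenticate the whole inner packet, then wrap it in an outer packet to the peer."""
        nonce = struct.pack("!Q", self.send_counter)
        self.send_counter += 1
        ct = _keystream_xor(self.send_enc, nonce, inner)
        aad = socket.inet_aton(self.my_pub_ip) + socket.inet_aton(self.peer_pub_ip)
        tag = _prf(self.send_mac, aad + nonce + ct)[:TAG_LEN]    # encrypt-then-MAC, outer addresses bound in
        return build_ipv4(self.my_pub_ip, self.peer_pub_ip, OUTER_PROTO, nonce + ct + tag)

    def decapsulate(self, outer: bytes):
        """Return the original inner packet, or None when the outer packet must be dropped."""
        try:
            o = parse_ipv4(outer)
        except ValueError:
            return None
        body = o["payload"]
        if o["dst"] != self.my_pub_ip or o["proto"] != OUTER_PROTO or len(body) < NONCE_LEN + TAG_LEN:
            return None
        nonce, ct, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
        aad = socket.inet_aton(o["src"]) + socket.inet_aton(o["dst"])
        if not hmac.compare_digest(tag, _prf(self.recv_mac, aad + nonce + ct)[:TAG_LEN]):
            return None                                     # forged or corrupted: drop before decrypting
        ctr = struct.unpack("!Q", nonce)[0]
        if ctr in self.seen or ctr + WINDOW <= self.highest_seen:
            return None                                     # replayed, or older than the window
        self.highest_seen = max(self.highest_seen, ctr)
        self.seen = {c for c in self.seen | {ctr} if c + WINDOW > self.highest_seen}
        inner = _keystream_xor(self.recv_enc, nonce, ct)
        try:
            parse_ipv4(inner)                               # what came out must itself be a valid IP packet
        except ValueError:
            return None
        return inner


def observer_view(outer: bytes) -> dict:
    """Everything a router between the two endpoints can read from the outer packet."""
    o = parse_ipv4(outer)
    return {"src": o["src"], "dst": o["dst"], "proto": o["proto"], "length": len(outer)}


if __name__ == "__main__":
    key = b"\x11" * 32                                              # constructed demo key
    laptop = TunnelEndpoint("203.0.113.10", "198.51.100.1", key)     # assumed public addresses
    office = TunnelEndpoint("198.51.100.1", "203.0.113.10", key)
    inner = build_ipv4("10.0.0.7", "10.0.5.9", 6, b"GET /dashboard HTTP/1.1\r\n")
    outer = laptop.encapsulate(inner)
    print("on the wire:", observer_view(outer))
    print("office recovers:", parse_ipv4(office.decapsulate(outer))["dst"])
    print("replay accepted:", office.decapsulate(outer) is not None)
```

observer_view is the eavesdropper's entire vantage point: two public addresses, a protocol number and a length. The order inside decapsulate (addressed to me, tag verifies, sequence number is fresh, and only then decrypt and sanity-check the inner packet) is the order a real tunnel follows before anything is forwarded; a replayed or bit-flipped outer packet comes back as None and never reaches the private network.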

Check yourself

An eavesdropper sits on the public internet between the two gateways. What can they read?