Wrap a private packet inside a public one so it can cross an untrusted network sealed and unread.
Imagine mailing a sealed letter inside a second, plain envelope. Anyone handling the outer envelope sees only the post office address — not the letter, not who it's really for. A VPN tunnel does the same to network packets.
Your real packet (private source, private destination, payload) is encapsulated: encrypted and placed inside a new outer packet addressed gateway-to-gateway. The public internet routes the outer packet; only the far gateway can open it, decapsulate, and forward the original onto the private network.
The tunnel endpoint (a client or gateway) takes each outgoing IP packet, encrypts it, and prepends a fresh outer header addressed to the peer endpoint's public IP. The encrypted original — header and all — becomes opaque payload. The peer reverses the process.
```python
# Pseudocode: encrypt/decrypt, IPPacket, parse_ip, send_over_internet and
# route_into_private_network stand in for the real VPN implementation.

# Sending side: encapsulate
def tunnel_send(inner_packet, my_public_ip, peer_pub_ip, session_key):
    sealed = encrypt(inner_packet.bytes(), session_key)  # whole packet, header included, hidden
    outer = IPPacket(
        src=my_public_ip,
        dst=peer_pub_ip,      # gateway-to-gateway, not the real dst
        proto="ESP",          # IPsec; or UDP for WireGuard/OpenVPN
        payload=sealed,
    )
    send_over_internet(outer)

# Receiving side: decapsulate
def tunnel_recv(outer, session_key):
    sealed = outer.payload
    inner_bytes = decrypt(sealed, session_key)  # authentication failure -> None
    if inner_bytes is None:
        return                                  # drop the packet, nothing is forwarded
    inner = parse_ip(inner_bytes)
    route_into_private_network(inner)           # deliver to the real dst
```
Because the real addresses live inside the encrypted payload, an observer on the public path learns only "gateway A is talking to gateway B" — never the inner conversation.
| Property | Effect |
|---|---|
| Per-packet overhead | +40–80 bytes of outer header + crypto trailer |
| Effective MTU | Drops (e.g. 1500 → ~1420); oversized packets fragment or stall |
| CPU | Encrypt/decrypt + MAC on every packet, both ends |
| Latency | One extra hop through each gateway plus crypto time |
A laptop at a coffee shop (10.0.0.7) opens an internal dashboard at 10.0.5.9. Its packet is encrypted and wrapped in an outer packet from the laptop's public IP to the office gateway's public IP. Across the café Wi-Fi and the open internet, every router sees only gateway-to-gateway traffic carrying ciphertext. At the office, the gateway decrypts, recovers the original 10.0.0.7 → 10.0.5.9 packet, and forwards it onto the LAN. The reply takes the mirror path home.
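A runnable version of the encapsulate/decapsulate pseudocode, worked on this café scenario; it is an added example, not code from the original page. It builds minimal IPv4 headers itself and uses a toy encrypt-then-MAC (an HMAC-SHA256 keystream plus an HMAC tag, with a made-up key split) in place of the AEAD a real VPN uses, so only the wrapping and drop-on-failure logic should be read as the real thing.

```python
import hashlib, hmac, os, socket, struct

PROTO_ESP = 50              # IPsec ESP protocol number carried in the outer header
NONCE_LEN, TAG_LEN = 16, 32

def ipv4_header(src, dst, proto, payload_len):
    # Minimal IPv4 header (no options, checksum left 0) for illustration only.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl != 0x45 or total != len(pkt):
        raise ValueError("malformed IPv4 packet")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[20:]}

def _keystream(key, nonce, n):
    # Toy stream cipher: HMAC-SHA256 in counter mode. A stand-in for the AEAD a
    # real VPN uses (AES-GCM, ChaCha20-Poly1305); it only illustrates the wrapping.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC with separate enc/mac keys: nonce || ciphertext || tag.
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key + b"enc", nonce, len(plaintext))))
    tag = hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key, blob):
    # Plaintext on success; None when the tag fails, so the caller drops the packet.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key + b"enc", nonce, len(ct))))

def tunnel_send(inner_pkt, my_pub_ip, peer_pub_ip, key):
    # The whole inner packet, private header included, becomes opaque outer payload.
    sealed = seal(key, inner_pkt)
    return ipv4_header(my_pub_ip, peer_pub_ip, PROTO_ESP, len(sealed)) + sealed

def tunnel_recv(outer_pkt, key):
    # Strip the outer header, authenticate, decrypt; None means "drop silently".
    inner = open_sealed(key, parse_ipv4(outer_pkt)["payload"])
    return parse_ipv4(inner) if inner is not None else None
```

Wrapping a 10.0.0.7 → 10.0.5.9 packet with tunnel_send() gives an outer packet whose parse_ipv4() shows only the two public addresses and protocol 50, while tunnel_recv() recovers the private packet with the right key and returns None for a tampered packet or a wrong key.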
An eavesdropper sits on the public internet between the two gateways. What can they read?