What is a VPN Tunnel?
This page will attempt to describe very simply what a VPN tunnel is within the context of a VPN service designed to provide strong anonymity and privacy.
A VPN tunnel performs an operation known as data encapsulation. To understand what encapsulation is, let us attempt a simple analogy. Suppose you were a political refugee living in another country and your location was confidential for your safety, but you needed a way to communicate with some key people back in your country without them knowing where you were. How would you do it?
Well, one way would be to grab a blank postcard, write the message and the address of its intended recipient on the postcard, and then put the postcard into an envelope and post it to one of your trusted friends in your home country. When your friend receives the envelope, he opens it and puts the postcard in a local post box. The recipient of the postcard has no knowledge of where the postcard came from since the stamp is local.
The act of putting the postcard into the envelope with its own address is equivalent to encapsulation and when you do this with data on the Internet, you create a virtual private network tunnel or VPN tunnel. Although this would technically be a VPN, it's not actually very private until you encrypt the contents of the envelope. Without encryption, we could still achieve some level of anonymity but what if the final recipient was powerful enough and had friends in the post office? In this case the post office employee could see the stamp on the envelope before it reached your friend and leak your location.
To achieve a much higher level of anonymity and privacy, you need to encrypt the contents of the postcard inside the envelope so that only you and your friend can decode it. Now, if anyone intercepted the envelope en route to your friend and opened it, they would have no idea who the postcard was addressed to, nor would they understand the contents of the message. When your friend receives the envelope, he opens it, decrypts the message and forwards it to its final recipient. In the context of an anonymous VPN service, your friend would be the VPN service and the final recipient would be the website you are browsing. It is worth noting at this point that the message sent from your friend to the final recipient cannot be encrypted since the final recipient does not have the decryption key. Equally, when using a VPN service, the data sent from the VPN service to the destination website is not protected by the tunnel's encryption; however, this does not affect your anonymity since your own IP address has been replaced with the address of the VPN service.
Whilst communicating with your friend, it's as if there is a secure tunnel between the two of you protecting the contents. This is why it is called a virtual tunnel or more commonly, a VPN tunnel.
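The postcard-and-envelope flow described above, as an added example that is not part of the original page. The IP addresses are constructed sample values, the function names are hypothetical, and the cipher is a toy built from SHA-256 and HMAC so the example runs with the standard library only; real VPN protocols use vetted ciphers and key exchange.

```python
import hashlib, hmac, json, os

# Constructed sample addresses (documentation ranges), not from the original page.
CLIENT, VPN, WEBSITE = "198.51.100.7", "203.0.113.10", "192.0.2.80"

def _keys(shared_key):
    # Separate sub-keys for encryption and for authentication.
    return (hashlib.sha256(b"enc" + shared_key).digest(),
            hashlib.sha256(b"mac" + shared_key).digest())

def _xor_stream(key, nonce, data):
    # Toy keystream (illustration only): SHA-256 over key, nonce and a block counter.
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(shared_key, plaintext):
    enc, mac = _keys(shared_key)
    nonce = os.urandom(16)
    body = nonce + _xor_stream(enc, nonce, plaintext)
    return body + hmac.new(mac, body, hashlib.sha256).digest()

def unseal(shared_key, blob):
    enc, mac = _keys(shared_key)
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, body, hashlib.sha256).digest()):
        raise ValueError("envelope contents were modified in transit")
    return _xor_stream(enc, body[:16], body[16:])

def client_encapsulate(shared_key, message):
    # The postcard: the real destination and the message.
    postcard = json.dumps({"src": CLIENT, "dst": WEBSITE, "data": message}).encode()
    # The envelope: addressed only to the VPN service, postcard encrypted inside.
    return {"src": CLIENT, "dst": VPN, "payload": seal(shared_key, postcard)}

def vpn_forward(shared_key, envelope):
    # The VPN service opens the envelope and re-posts the postcard under its own address.
    postcard = json.loads(unseal(shared_key, envelope["payload"]))
    postcard["src"] = VPN
    return postcard

if __name__ == "__main__":
    key = os.urandom(32)
    envelope = client_encapsulate(key, "hello")
    print("on-path observer sees:", envelope["src"], "->", envelope["dst"],
          envelope["payload"].hex()[:32], "...")
    print("website sees:", vpn_forward(key, envelope))
```

An observer between you and the VPN service sees only the envelope addresses and an opaque payload, while the website sees the VPN service's address as the sender.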