While a VPN connection can be useful for crossing modern borders in cyberspace and for preserving and strengthening one's privacy, it can bring other benefits as well. The key thing a VPN does is create a tunnel, of sorts, across cyberspace. This tunnel is built using data encryption. At one end of the tunnel, all incoming data is encrypted before it is sent to the other end. When the packets arrive at the end of the tunnel, the VPN client application there deciphers all the traffic and restores it to the form it had when it was sent. This "tunnel" can be thought of as a Eurostar train: cars, trucks and other vehicles drive in, travel under the sea and surface at the other end. Anyone looking inside the tunnel would see only a train, not the individual vehicles or people inside it. A VPN tunnel resembles this quite well: someone inspecting the tunnel's packets as they travel across cyberspace could conclude only that there is a tunnel of some sort with something going on inside it, and would have no practical means of saying what kind of traffic it carries.
This kind of traffic obfuscation is useful, and is also a prerequisite, for a secure cyberspace, for business and for confidential services. Encrypted tunnels can be used to direct traffic from one network in cyberspace, through other unknown and untrusted networks, into a third network (for example, from one country to another). One of the very first uses of such a tunneling mechanism was to let employees connect to a corporate network; later, VPN services became a popular means of increasing the level of privacy, and even anonymity, in cyberspace. As VPN services became popular and costs came down, citizens of cyberspace started to use encrypted tunnels just for the sake of privacy, to "travel" in cyberspace without ever having to board a plane. Through a VPN tunnel, a web service can be used as if the user resided in another country: the target application thinks the user comes from the country where the exit node of the tunnel is located, not from where the user actually clicks a button and types on their keyboard.
Obfuscation acts against manipulation
Apart from added security, since the traffic is "encapsulated" and obfuscated, there is one more specific benefit to using VPN tunneling to route traffic across cyberspace. Some Internet service providers employ mechanisms to prioritize parts of the traffic they route, giving priority to some types of content and letting the traffic they consider less important travel across slower segments of the network. This is called "traffic throttling", and it was quite a big topic of discussion and argument some years ago. It even sparked political ambitions around the question of whether all traffic should be considered "equal" and treated as such, e.g. Skype calls routed with the same priority as movies, commercial services and others, or whether priority should be given to some types of traffic. Companies and private networks have long enjoyed the privilege of optimizing their networks and routes, for example by making routing decisions based on the type of traffic. However, when public Internet service providers, such as telecom companies, decide to limit bandwidth for a certain type of traffic, like Skype calls, because they want to sell their own communications services instead, things become more complex.
With VPN tunneling solutions, one can effectively circumvent such prioritizing of traffic. As the traffic within the tunnel stays encrypted, routers along the way that try to make routing decisions based on the type of content cannot tell one traffic type from another. They can only treat it as "encrypted" traffic, without knowing whether it is web pages, voice calls, movies or some other type of data. This type of traffic obfuscation therefore acts as a powerful defense against routing manipulation and bandwidth throttling based on the type of traffic. An Internet service provider could, however, distinguish such tunneled data from other, unencrypted content and apply a lower priority to it. In fact, some countries have been known to apply such logic, not necessarily for the purpose of bandwidth throttling, but to keep tunnels from crossing their "national firewall" in the first place.
Profiling encrypted data and deep-packet inspection
When it comes to cyberspace and the routing of its packets, one entity has long been in something of a conflict of interest: the nation-state. Traditionally, the institutions of the nation-state have enjoyed sovereignty over telecommunication networks, yet the extremely and obsessively global nature of cyberspace has challenged that perception. While citizens of cyberspace have preferred to employ VPN services in order to preserve their privacy, travel in cyberspace and avoid bandwidth throttling, some authorities have continued to develop capabilities to dominate such mechanisms. For an authority, it is by definition interesting to determine the type of traffic even when that traffic is encrypted. Some authorities with enough resources and means might even aim to decrypt such content at will, in real time.
Interestingly, an encrypted tunnel may expose some specific details of the traffic that it encloses. Researchers have shown that this kind of "traffic profiling" can distinguish traffic to one web service from traffic to others, without even trying to decipher or decrypt the data. Just by building a profile of the timing, responses and frequencies of the individual packets of the encrypted traffic, researchers have been able to conclude the type of traffic with practical certainty. A VPN tunnel is "by definition" vulnerable to such profiling, and many entities have wanted to preserve their mandate to conduct such "deep-packet inspection" in order to exercise their authority in cyberspace. At the same time, researchers and privacy-enthusiast developers have made specific efforts to further improve traffic obfuscation methods to avoid being profiled in such detail.
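The profiling described above, and the padding-and-pacing style of obfuscation that counters it, as an added example that is not part of the original article. The two traces are constructed sample data, and the function names and the threshold rule are hypothetical; real profiling uses trained classifiers on many more features.

```python
import math
import statistics

# Constructed sample traces: one (gap_seconds, ciphertext_bytes) pair per
# packet, as an on-path observer would record them without any decryption.
VOICE = [(0.020, 172)] * 50                        # steady stream of small packets
WEB = ([(0.002, 1460)] * 20 + [(0.900, 120)]       # burst, pause, request,
       + [(0.002, 1460)] * 15 + [(1.200, 96)])     # burst, pause, request

def profile(trace):
    """Features visible from outside the tunnel: sizes and timing only."""
    gaps = [g for g, _ in trace]
    sizes = [s for _, s in trace]
    return {
        "mean_size": statistics.mean(sizes),
        "size_stdev": statistics.pstdev(sizes),
        "gap_stdev": statistics.pstdev(gaps),
    }

def guess(trace):
    """Hypothetical threshold rule; real profiling uses trained classifiers."""
    p = profile(trace)
    steady_small = p["mean_size"] < 400 and p["gap_stdev"] < 0.01
    return "voice-like" if steady_small else "bulk/web-like"

def pad_and_pace(trace, cell=1500, interval=0.01):
    """Obfuscation: send fixed-size cells on a fixed clock, idle or not."""
    duration = sum(g for g, _ in trace)
    payload = sum(s for _, s in trace)
    cells = max(math.ceil(duration / interval), math.ceil(payload / cell))
    return [(interval, cell)] * cells

def overhead(trace, shaped):
    """Bandwidth cost of shaping: bytes on the wire per real byte."""
    return sum(s for _, s in shaped) / sum(s for _, s in trace)

if __name__ == "__main__":
    for name, trace in (("voice", VOICE), ("web", WEB)):
        shaped = pad_and_pace(trace)
        print(name, guess(trace), "->", guess(shaped),
              f"overhead x{overhead(trace, shaped):.1f}")
```

After shaping, both traces produce the same size and timing profile, at the cost of many more bytes on the wire; the total duration of each session remains visible.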