A VPN has an encrypted connection between you and them. Your ISP can see that you are connected to the VPN and can tell that you are downloading lots of data, but it cannot tell what that data is, or even what type of data it is.

In ELI5 terms, normal web traffic is like if you hand the your ISP a piece of paper that say "Please give this to youtube: Please show me video dQw4w9WgXcQ" and then youtube hands your ISP a piece of paper that says "Please give this to StupidRobots: Here's the video."

A VPN service gives you an envelope that you can put the piece of paper into, so you're handing the ISP an envelope with "Please give this to my VPN" and then your the VPN hands your ISP an envelope that says "Please give this to stupidrobots."

They can see *that* you are making a request and getting a response, but they can't see *what* the request or response is. They can tell how big the response is, but they can't tell if it's a video, a videogame, or the Q3 TPS reports.

Somewhat related, there's also TOR (the onion router) which you might have heard about in conjuction with the "deep web." It acts something like a VPN but instead of just one envelope there's dozens, maybe hundreds, all nested together.

So you hand the first one to your ISP and it says "Please give this to TOR1" and then TOR1 gets it and opens it and finds another envelope that says "Please give this to TOR2" and then TOR2 gets it and there's another envelope that says "Please give this to TOR3." At this point TOR1 knows it came from you, TOR2 only knows that it came from TOR1 and that it's going to TOR3. It has no idea where it came from or where it's ultimately going. Eventually your request reaches the server you were trying to talk to in the first place and the whole process happens in reverse, with your data bouncing from router to router with most of them having absolutely no idea where the data came from or where it's actually going, or what it is.

Let’s say your ISP watches you from the outside of your house and knows where you are going, but it can’t hear you (your ‘voice’ is encrypted)

Instead of you going out and buying weed, you ask your friend (VPN) to go get some and bring it back to your house.

All your ISP knows is that you talked to your friend and they came back into your house with something, but they don’t know what that something was (it’s encrypted).

There are lots of good answers here as to what a VPN is doing. But they don't address the real issue.

First off, you ISP isn't watching what files you download, VPN or not. It doesn't care, that's not its job.

What's really happening when you download the Guardians of the Galaxy 3 torrent is that your IP address is also being shown to everybody else who is connected to that torrent. In that group of connections it's very possible that a Disney computer or somebody working for them is also connected to that torrent and now they have your IP address and a record of you downloading that file. It's very easy for them connect your IP address to your ISP so they send a letter to the ISPs of everybody they see connected and then your ISP sends you a letter saying that you've been caught by Disney.

The most important thing a VPN does it hide you from Disney. The agents of the mouse will see an IP address downloading the file but because of the VPN they have no way to connect it to who the actual person is.

Imagine the internet like sending a letter and your ISP is like a postman.

Your computer writes a request to a site and gives it to your ISP to deliver. Your ISP needs to know who you are talking to in order to deliver it.

With VPN you still wrote the same request, but you put it inside another letter that you address to the VPN provider. Your VPN gets the letter takes out the one inside and sends it from his connection. After he gets a reply he puts it in a letter and sends it to you.

Your ISP in this case sees that you are just exchanging letters with this one address, but you could be exchanging them with any number of people.

But this obviously means that now your VPN provider knows who you are talking with.

The thing is in general your ISP doesn't give a shit what you are doing as long as you don't get caught. When people get in trouble for illegal files it's because they are usually using bit torrent that lists your IP address for anyone in the swarm to see. Companies interested in stopping pirates will monitor these swarms and find the IP address of anyone using them to download files and then see which ISP owns that part of the IP range and contact them and say x address has been illegally downloading these files. If your ISP doesn't get this message they won't really give a shit. A VPN when torrenting doesn't give them your IP it gives them the VPN server IP instead and if the anti piracy company goes to complain to the VPN company they will just ignore it. Whether your ISP can see what you are doing or not doesn't really factor into it in this case.

Think about your ISP like the Post Office. They could read all your mail if they wanted to because they handle all of it.

Now imagine you think the Post Office is reading your mail but you have something you want to keep secret with a friend, and you don't even want the post office to know you sent it to your friend.

So your friends make a system where you write your letter using a secret code then send it to someone else. That someone else personally delivers your letter to the friend.

The post office can see you're sending a letter to the "someone else". If they open the mail they only see the secret code. The post office can't see what the "someone else" does with the letter after they get it. Therefore this system protects you from the post office knowing what you're doing.

But, obviously, "someone else" knows what you're doing. Presumably you trust them more.

A VPN is like a "someone else" on the internet. The reason people trust them more is they get paid to keep the traffic a secret, whereas the ISP is trying to make money selling information about traffic.

Imagine your ISP is like your mailman. Even if you write your letters in code, they can still see the destination and return address on them. They know who you're writing letters to, how often, and how long the letters are.

But you don't even want them to know that, so you start putting the real envelope in another envelope, and you send that outer envelope to your friend in another city. He opens it and then mails the real envelope, which will have his address as the return address. When he gets a response, he doesn't open it, but just puts it in another envelope and mails it back to you.

This is a VPN. It wraps all your traffic and sends it to another destination that unwraps it and then it carries on. It prevents your ISP from seeing where your internet traffic is coming from or going to, and instead they just see it all going to the VPN.

It's like slipping a smaller tube (VPN) into the larger tube (ISP). The smaller tube is coded where the larger tube can't read what's in the smaller tube. The smaller tube extends to an application local to your computer, not at the larger tube ( the network provider level).

Let's say your parents (ISP) said you can't go to a certain store (website). Now say they built that store inside a mall (VPN). Now you just tell your parents that you went to the mall. They can't tell if you did or did not go to the prohibited store and nobody at the mall is going to tell on you.

Let's say you're in bed and want some cookies, so you ask you mum but she says no because it's too late. You shouldn't eat cookies past bed time. It's bad for your tummy.

So instead, you write "cookies please!" On some paper and put it in a little treasure chest only you and your big bro have keys to. You ask mum to give the box to your big brother, and later on she comes back and gives it back to you (a bit heavier!)

Internet communications are packaged into bite-sized pieces called packets. Each packet contains information about where it comes from, where it is supposed to go, how to handle it, how it connects to other packets, and the main part, the information your program is sending.

Imagine it as an envelope with a letter inside. The letter has a recipient address, return address, and postage. The past office cancels the stamp, and maybe prints bar codes or other delivery instructions, and away we go.

Now, you, as an agent of espionage, wish to obscure your letter. So you encourage the envelope in a second envelope that you address to a trusted handler. The handler acts as a go-between, re-mailing your letter upon receipt to the real intended recipient. Your inner letter also gets its return address changed to the handler, so that any reply to you is also indirect, via the handler.

Finally, even if someone intercepts the letter on the way to the handler, you want to still protect yourself, so you obscure the content of the letter by encrypting it. Now your local post office can't snoop. Of course, if the ultimate recipient isn't in on your scheme they couldn't read it either, so your handler decrypts the message before resending it (and encrypts all replies it gets before forwarding them on to you).

The letter is the packet. The local post office is your ISP. The handler is your VPN company. The recipient is whatever website or other place on the internet that you visit or communicate with.

Close. You sort of have it just a little bit wrong. A VPN is like an anonymous courier service. It’ll pick something up from somewhere and deliver it to somewhere else. All the steps inbetween are generic. How it gets there is supposedly anonymous. Like how VPN say they do not have logs etc. The mechanism for this is just a SSL type tunnel like you have for browsers to your bank etc. because it’s encrypted in this secret tunnel there is now way to know what is in the tunnel. Contrast this to the alternative where your ISP or whatever knows where the source you specifically wanted is.

Writing on the back of a postcard is visible for all the intermediate mail carriers to see. Putting the postcard into an envelope will mask the contents from the postman and his friends. A VPN is the same, everybody sees where the packets are going and coming from, but their contents are enveloped.

Imagine you and I want to send messages to each other, but we're in separate places. We devise a plan to exchange messages by writing them down on paper, giving them to the mail clerk, and telling them to carry the message to the other person.

We simply wrote the messages down on paper, so the mail clerk can read the message and knows who they're delivering it to.

What if we don't want the mail clerk reading our messages? Well, we devise a scheme where we encode our messages in such a way that only you and I can decode them. The mail carrier still knows who the message is going to, but can't read the messages. On the internet, this is called encryption. When you see "HTTPS" in the address, or a little lock in the address bar, that's encryption.

But what if we don't want the mail clerk to read the messages *or* know who they're going to? In addition to encoding the messages, we have the mail clerk carry the letters to a single office. That office then uses a separate mail carrier to relay the message on to the recipient. This way, the mail carrier doesn't know the contents of the message nor the recipient.

That last scheme is basically how VPNs work. In this analogy, the mail clerk is your ISP. VPNs include both encryption and a single point through which all your traffic flows.

When you download an illegal file, your isn't actually the one snooping on you. What's actually happening is that the owner of the intellectual property participates in the file sharing network. They make a note of all the people who connect to the tracker to download the copyrighted file. They collect lists of IP addresses, then they look up which ISP those IP addresses belong to. They notice the ISP that intellectual property is being illegally shared on their network. The ISP then sends you a copyright "strike" notice.

In this situation, the VPN protects you because the connection to the tracker appears to come from the VPN, not your home ISP. So the copyright notices go to the VPN provider. The VPN provider is typically located in a country that doesn't respect copyright. Effectively ending the enforcement process.

Your mom doesn't want you to have ice cream, "not in this house!" she says. You install a pipe that goes from your bedroom to your friend's bedroom next door. You tell your friend what ice cream you want and they send you the ice cream through the pipe. You eat the ice cream and your mother only knows that you have a pipe going to your friend's room.

The pipe is the VPN and ice cream is a YouTube video not available in your country.

because 100% of encrypted data goes the vpn, and none of that is understandable by the isp. not the url, the data, nothing

and do the server of the website you're accessing, it looks like a lot of data coming from vpn-provider. there's no way to know that it's you or someone else on the other side (except for browser cookies, that sort of thing)

the IP address just shows "vpn-usa in texas" and all the vpn users show as coming from there. not from your actual town

With VPN your ISP can see you are talking to a VPN server, but nothing else. Without VPN, you ISP can see that you are talking to certain services, like news sites, tiktok, facebook or reddit. Without https your ISP can see everything that happens between you and the service you are using but because almost all services use encryption nowadays, it is rare.

VPN/Tor services aren't really needed for anything else than hiding the services you are using from your ISP. You can still be fingerprinted when using VPN or Tor.

You're a 5 yr old with one super power. Nobody can look in your bags.

You (PC) have $2 and want to buy some candy from the store (ISP). You don't want your parents, friends, or the store (Gov't/World/ISP) to know you are buying anything, nor what you buy. You get a kid (VPN) from the neighborhood who has a no snitching policy* and have him go in the store to buy your candy, and make sure he puts it in a black grocery bag. He gives you the bag of candy and your parents or other friends can never see what's in the bag.

*Be careful. The kid still knows what you bought. Many of these kids still get to snitching when parents get to asking questions.

It normally looks like this:

PC > ISP > SERVICE > ISP > PC

A VPN looks like this:

PC > ISP > VPN > SERVICE > VPN > ISP > PC

ISP is cut off from every service between the two VPN hops in the middle. The service could be Facebook, it could be a movie, or anything else, and the ISP never knows the difference because the traffic is encrypted. They know you are talking to your VPN, but they can’t translate it.

Imagine you have a magical tunnel, just like the ones you see in playgrounds or slides. But this tunnel is super special because it keeps you safe and invisible while you play with your toys and games.

Now, when you use the internet on your tablet or computer, your information, like the games you play and the things you search for, usually travels through regular tunnels. But sometimes, you might want to keep your information secret and safe from bad people who might want to peek at it. That's where a VPN comes in!

A VPN is like a big, invisible blanket that wraps around your tablet or computer. When you turn on the VPN, it creates a secret tunnel that connects your device to a special, secret place far, far away. Imagine it like a hidden clubhouse where only you and your friends can go.

So, when you use the VPN, all your internet stuff, like your games and pictures, travel through this secret tunnel to that special clubhouse. And because it's a secret tunnel, nobody can see what you're doing or what games you're playing. It's like having a magical cloak of invisibility!

As a VPN engineer, I can say that a VPN encrypts your connection so that the specific contents are not visible to your ISP.

If I mail a package to you, the post office can see that I sent you a package.

If I mail all my packages to a friend and the friend rewraps the package and sends it to you, the post office has no idea if the package you receive is from me, my friend, or someone else that the friend does this for.

That’s basically how a VPN works.

They can see the traffic, but they can't see what it is because it's encrypted, and they can't see where you're connecting to beyond the other end of the VPN tunnel. All they see is a bunch of encrypted traffic between you and the other end of the VPN tunnel.

There was a whitepaper or something where, by analyzing packet sequences and sizes, they could identify exactly what movie you're streaming from netflix or whatever, but that's more forensic than an ISP is likely to be.

Imagine your ISP can see every website address you request (since they can).

But now instead of going to a bunch of different websites, you ONLY go to the VPN. Now all your ISP knows is that your traffic goes to a VPN address.

It's like how the mail carrier knows all the mail you get. So instead of getting individual pieces of mail, you get your mail delivered somewhere else, repacked into a box that just says "VPN" on the outside. They know you get boxes, but they don't open them. So they have no idea that you have 8 subscriptions to cat fancy.

you are in a room full of people, you whisper something in your friends ear and he goes out of room with the message

isp can see that ypu connected with your friend but cant hear you and cannot see what your friend does next

We used to run in open field to get berries from other side of mountain. Hawk saw us running and kill Ooga. Now we run through cave so hawk can not see us running to berries

So today just as you can have a secure connection to say Amazon and go to their HTTPS site, the traffic between you both is secure, well rather than Amazon being a shop if it sold vpn services you would make a secure connection to Amazon and then join the internet from their while Amazon could see what you do your ISP provider and anyone on your local network will only see you going to Amazon.

In effect it makes a tunnel from your computer (or browser) and pops you out on a destination normally mixed with many other users, the tunnel providers often say they don’t keep logs.

If you send a letter to me, the delivery person (ISP) will see your message. Now if you put the letter in an envelope, the delivery person can’t see your message anymore, just that you are sending me *something*, which is not illegal

>because your isp can see that you downloaded a movie illegally or something

No. Doesn't work like that. Especially not the "or something".

>In my mind it goes source > VPN > ISP > PC but then the ISP still sees the illegal file going to your PC.

Do you do online banking? Don't you think online banking would be super unsecure if your ISP could see all you do with your bank?

Without VPN:

You shout everything from your window to your neighbour and everyone listening can hear you.

With VPN:

You call them on a secured line and you're both talking inside an insulated room.