The metaphor explained
Imagine you're driving from home to a friend's house, and you want nobody to see your car along the way. A "tunnel" metaphor works like this: you put your car inside a much larger truck, the truck drives across the city, and at the other end you take your car back out and drive the last stretch. Observers along the route see "a truck", not "your specific car going to your specific destination".
VPN tunneling does the same thing to network packets. Your original packet (e.g., "GET /index.html from example.com") is the car. The VPN wraps it in a new outer packet (the truck) addressed to the VPN server. Observers see "encrypted truck traffic" between you and the VPN server. They don't see the original packet inside.
What "encapsulation" actually does
In technical terms, encapsulation means: take an original IP packet, treat its entire contents (including the destination address) as the payload of a new, outer IP packet. The outer packet's header points to the VPN server. The inner packet's header points to wherever you actually wanted to go.
The structure looks roughly like:
[ Outer IP header: src=YOU, dst=VPN_SERVER ]
[ Outer transport header (UDP for WireGuard) ]
[ Encrypted blob containing: ]
    [ Inner IP header: src=YOU, dst=example.com ]
    [ Inner transport header (TCP, UDP, etc.) ]
    [ The actual application data ]
Anyone observing the wire sees only the outer header (you ↔ VPN server) and the encrypted blob. The inner header (destination = example.com) is hidden inside the encryption. The VPN server is the only place where the outer wrapper is removed and the inner packet emerges.
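To make the encapsulation concrete, here is an added Python example (not ClownVPN's code and not WireGuard's implementation) that builds the inner packet from the diagram, wraps it in an outer IP/UDP packet addressed to an assumed VPN server, and compares what an on-path observer can read against what the VPN server recovers after stripping the wrapper. The cipher is a deliberately simple HMAC-based stand-in for ChaCha20-Poly1305, included only to show the shape of the encrypted blob (counter nonce, ciphertext, authentication tag); all addresses are constructed documentation-range values, and `example.com` is represented by a constructed IP.

```python
import hashlib
import hmac
import struct

# Constructed demo addresses from the documentation ranges; not real hosts.
CLIENT_IP = "192.0.2.10"        # "YOU" in the diagram
VPN_SERVER_IP = "198.51.100.1"  # "VPN_SERVER" (assumed address)
WEB_IP = "203.0.113.80"         # stands in for example.com
WG_PORT = 51820                 # WireGuard's conventional UDP port
PROTO_TCP, PROTO_UDP = 6, 17

def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left zero (a real stack fills it in).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip_to_bytes(src), ip_to_bytes(dst))

def parse_ipv4(pkt):
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    dotted = lambda raw: ".".join(str(b) for b in raw)
    return {"src": dotted(src), "dst": dotted(dst), "proto": proto,
            "payload": pkt[20:total_len]}

def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)

def tcp_header(sport, dport):
    # 20-byte TCP header: seq/ack zero, data offset 5, PSH|ACK flags, window 65535.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)

# --- Toy AEAD: HMAC-SHA256 keystream plus HMAC tag, standing in for ChaCha20-Poly1305.
# It is NOT a secure cipher; it only shows the shape (nonce counter, ciphertext, tag).
def _keystream(key, nonce, length):
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def toy_seal(key, counter, plaintext):
    nonce = struct.pack("!Q", counter)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def toy_open(key, sealed):
    nonce, ct, tag = sealed[:8], sealed[8:-16], sealed[-16:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: packet modified or wrong key")
    pt = bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))
    return struct.unpack("!Q", nonce)[0], pt

# --- The tunnel itself.
def build_inner_packet():
    app = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
    seg = tcp_header(40000, 80) + app
    return ipv4_header(CLIENT_IP, WEB_IP, PROTO_TCP, len(seg)) + seg

def encapsulate(inner, key, counter):
    # The inner packet (the car) becomes the encrypted payload of an outer
    # IP/UDP packet (the truck) addressed to the VPN server.
    blob = toy_seal(key, counter, inner)
    dgram = udp_header(WG_PORT, WG_PORT, len(blob)) + blob
    return ipv4_header(CLIENT_IP, VPN_SERVER_IP, PROTO_UDP, len(dgram)) + dgram

def observer_view(outer):
    # What an on-path observer can read without the key: outer header only.
    h = parse_ipv4(outer)
    return {"src": h["src"], "dst": h["dst"], "proto": h["proto"],
            "inner_dst_readable": ip_to_bytes(WEB_IP) in h["payload"]}

def decapsulate(outer, key, last_counter):
    # VPN server side: strip outer IP + UDP, authenticate, decrypt, reject replays.
    h = parse_ipv4(outer)
    if h["proto"] != PROTO_UDP:
        raise ValueError("not a tunnel packet")
    counter, inner = toy_open(key, h["payload"][8:])
    if counter <= last_counter:   # strict check here; WireGuard uses a sliding window
        raise ValueError("replayed packet")
    return counter, parse_ipv4(inner)

def demo():
    key = hashlib.sha256(b"constructed demo session key").digest()
    outer = encapsulate(build_inner_packet(), key, counter=1)
    seen = observer_view(outer)
    _, inner = decapsulate(outer, key, last_counter=0)
    return seen, inner

if __name__ == "__main__":
    seen, inner = demo()
    print("observer sees:", seen)
    print("VPN server recovers:", inner["src"], "->", inner["dst"])
```

Running it prints an observer view whose destination is the VPN server and whose payload does not contain the web server's address, while the server side recovers the inner packet addressed to the web server. The replay and tamper checks are the part a real tunnel gets from the AEAD tag and the packet counter; here they are the reason a modified or re-sent outer packet is rejected instead of being forwarded.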
Transport protocols: UDP vs TCP for tunnels
VPNs run on top of one of the standard internet transport protocols. Two options:
UDP tunnels
UDP (User Datagram Protocol) is connectionless — packets are fire-and-forget, no built-in retransmission, no flow control. For VPNs, this is good: lower overhead, lower latency, and the application protocols inside the tunnel handle their own reliability if they need it (TCP-over-UDP works fine).
WireGuard uses UDP exclusively. Default OpenVPN setups use UDP. WireGuard's packet format (a per-packet counter used as the nonce for its ChaCha20-Poly1305 cipher, checked against a sliding replay window on receipt) is designed to tolerate the out-of-order delivery that UDP can cause.
TCP tunnels
TCP (Transmission Control Protocol) is connection-oriented — packets are acknowledged, retransmitted if lost, and delivered in order. This adds overhead and can cause "TCP-over-TCP meltdown" when used as a tunnel transport for TCP traffic (both layers try to handle congestion and end up fighting each other).
OpenVPN supports TCP mode primarily for one reason: getting through restrictive networks. Many firewalls block UDP entirely or only allow TCP over port 443 (HTTPS). OpenVPN-over-TCP-443 looks like regular HTTPS web browsing to a firewall and almost always gets through.
ClownVPN falls back automatically to OpenVPN-over-TCP-443 if WireGuard can't establish a connection; this covers about 99% of restrictive networks.
Tunnel modes: full-tunnel vs split-tunnel
Once a tunnel is established, the VPN client has to decide which traffic to send through it. Two main modes:
Full-tunnel mode (default)
All traffic from your device goes through the tunnel. Every app, every system service, every DNS query. This is the default for most consumer VPNs because it's the safest — no accidentally leaving some traffic outside the tunnel.
Split-tunnel mode (optional)
Only specific traffic goes through the tunnel; everything else uses your regular connection. You configure which apps (or which IPs) to tunnel and which to leave direct.
Use cases: keep your banking app outside the tunnel so it sees your real IP and doesn't trigger fraud alerts; keep your Chromecast direct so it can find devices on your local network; route only sensitive traffic through the VPN to save battery on a mobile device.
ClownVPN supports per-app split tunneling on Android. Details: /features/split-tunneling/.
What happens when the tunnel breaks
Tunnels are software constructs that depend on network conditions. They can drop for many reasons:
- WiFi → cellular handoff resets your IP, breaking the existing tunnel session.
- VPN server restarts (maintenance, software updates).
- Sudden packet loss (cell signal goes weak) corrupts the session beyond recovery.
- Your phone enters deep sleep, kills the network connection, and the tunnel times out.
When this happens, the VPN client either reconnects transparently (preferred) or leaves your traffic stranded. A kill switch ensures stranded traffic doesn't fall back to your unencrypted connection — it blocks all traffic until the tunnel is re-established.
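As an added example (not ClownVPN's implementation), the following Python sketches the per-flow decision a client makes under full-tunnel and split-tunnel policies, and how a kill switch changes that decision when the tunnel is down. The policy structure, app names, addresses and the VPN server endpoint are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed demo values; not ClownVPN's configuration or code.
VPN_SERVER = ipaddress.ip_address("198.51.100.1")   # tunnel endpoint (assumed address)
LAN = ipaddress.ip_network("192.168.1.0/24")        # the device's local network (assumed)

@dataclass(frozen=True)
class Policy:
    mode: str                               # "full" or "split"
    kill_switch: bool = True
    tunnel_apps: frozenset = frozenset()    # split mode: apps whose traffic is tunneled
    tunnel_prefixes: tuple = ()             # split mode: destinations always tunneled
    direct_prefixes: tuple = ()             # split mode: destinations kept off the tunnel

def wants_tunnel(policy, dst, app):
    """Would this flow use the tunnel if the tunnel were up?"""
    if dst == VPN_SERVER:
        # The tunnel's own outer packets must leave on the physical interface,
        # otherwise they would be routed back into the tunnel they carry.
        return False
    if policy.mode == "full":
        return True   # every app, every service, every DNS query
    if any(dst in net for net in policy.direct_prefixes):
        return False  # e.g. keep the LAN reachable for a Chromecast
    return app in policy.tunnel_apps or any(dst in net for net in policy.tunnel_prefixes)

def route(policy, dst, app, tunnel_up):
    """Return 'tunnel', 'direct' or 'drop' for one flow (destination IP, app name)."""
    dst = ipaddress.ip_address(dst)
    if not wants_tunnel(policy, dst, app):
        return "direct"
    if tunnel_up:
        return "tunnel"
    # Tunnel is down. A kill switch holds tunnel-bound traffic until the tunnel
    # is back; without one the same traffic silently falls back to the plain link.
    return "drop" if policy.kill_switch else "direct"

FULL = Policy(mode="full")
SPLIT = Policy(mode="split", tunnel_apps=frozenset({"browser", "mail"}),
               direct_prefixes=(LAN,))

# Constructed flows: (destination, app)
FLOWS = [
    ("203.0.113.80", "browser"),      # web request that should be protected
    ("203.0.113.9", "bank"),          # banking app the user keeps outside the tunnel
    ("192.168.1.50", "chromecast"),   # local device on the LAN
    (str(VPN_SERVER), "vpn-client"),  # the tunnel's own traffic
]

def decisions(policy, tunnel_up):
    return {app: route(policy, dst, app, tunnel_up) for dst, app in FLOWS}

if __name__ == "__main__":
    for name, policy in (("full", FULL), ("split", SPLIT)):
        for up in (True, False):
            print(f"{name:5} tunnel_up={up!s:5} ->", decisions(policy, up))
```

Two details are worth noticing in the output. Traffic to the VPN server itself is always direct, because the outer packets have to leave on the real interface. And in split mode the kill switch only holds the flows that would have used the tunnel; the bank app and the Chromecast keep working when the tunnel drops, while the browser is blocked rather than leaking. On a real system this decision is enforced with routes and firewall rules (or per-app rules in the platform's VPN API), not with application code like this.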
Obfuscation: the tunnel-over-tunnel trick
In countries that actively block VPN traffic (China, Russia, Iran), even encrypted UDP/TCP tunnels are detectable and blocked. Some VPN providers add an "obfuscation" layer that disguises the VPN tunnel as something else — typically HTTPS web browsing.
Obfuscation modes wrap the encrypted VPN tunnel in another layer that mimics TLS handshakes and HTTPS traffic patterns. From the outside, it looks like the user is making lots of requests to a single HTTPS endpoint. Slower than pure VPN, but it gets through restrictive networks.
ClownVPN doesn't ship obfuscation. Our positioning is security/privacy in jurisdictions where VPNs are legal — we don't market or support circumventing national-level blocks. If that's your need, NordVPN, ExpressVPN, and Mullvad all ship obfuscation modes.