You click connect. Then what?
Who this is for
You use a work VPN every day. You click connect, and somehow your IP changes and internal apps start working, but you have no idea what just happened on your machine. This pulls back the curtain.
This is a client (remote-access) VPN: one laptop joining a private network from afar. Different from a site-to-site VPN, which joins two whole networks. The trick is that your laptop grows a second, virtual network card that lives inside an encrypted tunnel.
A client VPN gives your laptop a second network adapter that exists only inside an encrypted tunnel to your company. Once it is up, the OS quietly decides which traffic goes through it.
See it
Connect the VPN and watch the virtual adapter come up, the route change, and the website's view of your IP flip. Then switch between full and split tunnel, and change where you're going, to see how the routing decision picks the path.
[Interactive demo: "Client VPN, live". Starting state with the VPN disconnected: the tunnel adapter (tun0) is down; the active route is 0.0.0.0/0 → en0 (normal Wi-Fi); the public website (e.g. a news site) sees your laptop's real IP, 86.92.40.12 (your ISP).]
What actually happens when you click connect
1. You authenticate. The client proves who you are to the VPN gateway, often a certificate plus MFA, not just a password.
2. A virtual adapter appears. The client creates a software network interface (tun0). The gateway hands it an IP from the company range, say 10.8.0.7. Your real Wi-Fi adapter and IP are still there, untouched.
3. Your routing table is rewritten. This is the magic step. The OS routing table decides where each packet goes. The client adds routes so traffic is sent to tun0 instead of straight out the Wi-Fi card.
4. Traffic is encrypted and tunnelled. Packets headed for tun0 are encrypted (WireGuard, IPsec, or TLS) and wrapped inside ordinary packets sent to the gateway. Anyone in between sees only noise.
5. The gateway forwards on your behalf. It decrypts your traffic and sends it to the destination using its own IP (NAT). Replies come back to the gateway, back through the tunnel, to your laptop.
6. DNS often gets pushed too. The gateway usually hands you internal DNS servers, so private names like wiki.internal resolve, which they never would on the open internet.
How your IP "changes" (it doesn't, really)
You don't lose your real IP. You gain a virtual one inside the tunnel, and to the outside world you appear as the gateway's IP, because the gateway is the one actually making the request on your behalf. Three different addresses are in play at once:
| Address | What it is |
|---|---|
| Your real IP (86.92.x.x) | Given by your home or cafe Wi-Fi. Still there, still used to reach the gateway itself. |
| Your tunnel IP (10.8.0.7) | Assigned by the company to your virtual adapter. How internal systems see you. |
| What a website sees (203.0.113.9) | The gateway's public IP. The site has no idea your laptop exists behind it. |
Full tunnel vs split tunnel
| | Full tunnel | Split tunnel |
|---|---|---|
| Route added | 0.0.0.0/0 to tun0 (everything) | Only company ranges to tun0 |
| Your Netflix traffic | Goes through the company gateway | Goes straight out, normally |
| Privacy on public Wi-Fi | Everything protected | Only work traffic protected |
| Company can see | All your browsing | Only work traffic |
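The routing decision behind step 3 and the full/split table above, as an added example (not code from the original article): a small model of the OS route lookup, longest prefix first and lowest metric as the tie-breaker. The addresses and interface names follow the article; the 10.0.0.0/8 company range, the metric values and the sample destinations are assumptions made for the illustration.

```python
import ipaddress

# Addresses and interface names follow the article. The 10.0.0.0/8 company
# range, the metrics and the sample destinations are constructed assumptions.
REAL_IP, TUNNEL_IP, GATEWAY_IP = "86.92.40.12", "10.8.0.7", "203.0.113.9"
COMPANY_RANGE = "10.0.0.0/8"

def routes_for(mode):
    """Routing table as (prefix, interface, metric) for 'off', 'full' or 'split'."""
    table = [("0.0.0.0/0", "en0", 100)]            # normal Wi-Fi default route
    if mode == "off":
        return table
    # Host route: the encrypted outer packets must still reach the gateway over Wi-Fi.
    table.append((GATEWAY_IP + "/32", "en0", 100))
    if mode == "full":
        table.append(("0.0.0.0/0", "tun0", 50))    # everything, preferred by metric
    elif mode == "split":
        table.append((COMPANY_RANGE, "tun0", 50))  # only company ranges
    else:
        raise ValueError(f"unknown mode: {mode}")
    return table

def lookup(table, dst):
    """Pick the route the way an OS does: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), iface, metric)
               for p, iface, metric in table if addr in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    net, iface, _ = max(matches, key=lambda m: (m[0].prefixlen, -m[2]))
    return iface, str(net)

def seen_as(table, dst):
    """Source address the destination observes for traffic sent to dst."""
    iface, _ = lookup(table, dst)
    if iface != "tun0":
        return REAL_IP                             # left via Wi-Fi, no tunnel
    internal = ipaddress.ip_address(dst) in ipaddress.ip_network(COMPANY_RANGE)
    return TUNNEL_IP if internal else GATEWAY_IP   # gateway NATs public traffic

if __name__ == "__main__":
    destinations = {"public website": "198.51.100.20",
                    "internal wiki": "10.20.0.5",
                    "VPN gateway": GATEWAY_IP}
    for mode in ("off", "full", "split"):
        table = routes_for(mode)
        for name, dst in destinations.items():
            iface, net = lookup(table, dst)
            print(f"{mode:5} {name:14} -> {iface} via {net:16} seen as {seen_as(table, dst)}")
```

Note the /32 host route to the gateway: even in full tunnel the encrypted outer packets leave via en0, which is why your real IP stays in use to reach the gateway itself.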
The whole thing in a few lines
- A client VPN adds a virtual adapter (tun0) with a company-issued IP.
- The real magic is the routing table: it decides which traffic enters the tunnel.
- Traffic in the tunnel is encrypted to the gateway, which then forwards it under its own IP.
- You don't replace your IP, you gain a tunnel IP and borrow the gateway's public IP.
- Full tunnel routes everything; split tunnel routes only company ranges.