When is traffic encrypted when using a VPN?

Question

When traffic is travelling through the following route:

PC > Router > VPN server > Internet

1. Where does the ISP come in?
2. During which steps is my data encrypted?

I'm using OpenVPN and servers found on vpngate.net.

Answer 1

The outgoing traffic is encrypted by the VPN client software on one end, and decrypted by the VPN server on the other end – and vice versa for incoming. (That's really the reason why you use a VPN client in the first place...) Your ISP still does the exact same thing, except it only sees all packets having one destination: the VPNgate server.

Assuming the OpenVPN client is installed on your own computer:

1. You send an IP packet to a google.com server.
2. It goes through the virtual OpenVPN "Tap" adapter.
3. Your OpenVPN client app receives the packet from the virtual adapter, packs it into the encrypted VPN protocol, and sends the resulting VPN packet (also via IP) to the VPN server.
4. The encrypted VPN packet is sent through your real Ethernet/Wi-Fi adapter, goes through your and ISP's routers, and eventually reaches the VPN server.
5. The VPN server receives the VPN packet from Ethernet, recognizes its protocol/port, and passes it to the OpenVPN server program.
6. The OpenVPN server program decrypts & unpacks the VPN packet, finds the original IP packet inside, and sends that out again.
7. The original IP packet travels to the google.com server from step 1.

With --- indicating plain and === indicating tunnelled traffic:

[ browser --- OpenVPN ] === Internet === [ OpenVPN ] --- Internet --- [ web server ]

^-   your computer   -^                  ^ VPNgate ^                  ^ final rcpt ^

Note that the VPN server at step 6 also changes the packet's "source" (return) address to its own, so that replies go back to that same VPN server (which again encrypts them and sends to your VPN client app).