Question 1 Multiple Choice
A remote employee connects to the corporate network via a full-tunnel VPN, then opens a web browser to visit a public news website. Where does the web traffic go first?
A. Directly to the news website's server — only corporate-bound traffic is tunneled
B. To the employee's ISP, which forwards it to the VPN gateway before reaching the internet
C. Through the encrypted tunnel to the corporate VPN gateway, which then forwards the request to the news website
D. To a DNS resolver chosen by the VPN client, which routes traffic based on domain name
Answer: C
In a full-tunnel VPN, all traffic, including requests to public websites, is routed through the encrypted tunnel to the corporate gateway, which then forwards the request to the internet on the employee's behalf (the news site sees the gateway's public address, not the employee's). This is why full-tunnel VPNs create a performance bottleneck (every internet request makes a detour through corporate infrastructure) but give the organization a single enforcement point for egress filtering and logging. Note that when the site uses HTTPS the gateway sees destinations, volumes and timing, not page contents, unless it also performs TLS inspection. Option A describes split tunneling, not full tunneling. Option B confuses the carrier with the destination: the ISP does carry the employee's packets to the VPN gateway, but it sees only encrypted tunnel packets addressed to the gateway and never handles or forwards the web request itself. Option D confuses name resolution with routing: in a full tunnel, DNS queries are themselves sent through the tunnel (normally to corporate resolvers), and a packet's path is decided by the routing table's match on the destination IP address, not by a domain name.
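The routing-table mechanics behind this answer, as an added example that is not part of the quiz: the VPN client does not inspect traffic, it installs routes, and longest-prefix match on the destination address decides whether a packet to the news site leaves on the tunnel interface or the physical one. The full-tunnel routes follow the OpenVPN "redirect-gateway def1" pattern (two /1 routes plus a host route for the gateway); the addresses, interface names and the "news site" prefix are constructed for the example.

```python
"""Added example (not from the quiz): how the client's routing table decides
whether a packet to a public website enters the tunnel.

Constructed addresses: 192.0.2.0/24 (RFC 5737) stands in for the news site,
203.0.113.1 for the corporate VPN gateway's public address, 192.168.1.0/24
for the employee's home LAN and 10.0.0.0/8 for the corporate network.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, egress interface)

NEWS_SITE = "192.0.2.44"
VPN_GATEWAY = "203.0.113.1"
CORP_SERVER = "10.20.30.40"

# What the host has before the VPN client connects: a LAN route and a default route.
BASE_ROUTES: List[Route] = [
    (ipaddress.ip_network("192.168.1.0/24"), "eth0"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
]

# Full tunnel, the way OpenVPN's "redirect-gateway def1" does it: two /1 routes
# cover the whole address space and beat the /0 default on longest-prefix match
# without removing it. The /32 host route keeps the gateway itself reachable
# over the physical interface; without it the encrypted tunnel packets would be
# routed back into the tunnel (a routing loop).
FULL_TUNNEL_ROUTES: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/1"), "tun0"),
    (ipaddress.ip_network("128.0.0.0/1"), "tun0"),
    (ipaddress.ip_network(VPN_GATEWAY + "/32"), "eth0"),
]

# Split tunnel: only the corporate prefix is pushed into the table.
SPLIT_TUNNEL_ROUTES: List[Route] = [
    (ipaddress.ip_network("10.0.0.0/8"), "tun0"),
    (ipaddress.ip_network(VPN_GATEWAY + "/32"), "eth0"),
]


def select_route(routes: List[Route], dst: str) -> str:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    prefix, iface = max(matches, key=lambda r: r[0].prefixlen)
    return iface


def egress_interface(mode: str, dst: str) -> str:
    """Interface a packet to dst leaves on, for mode 'none', 'full' or 'split'."""
    extra = {"none": [], "full": FULL_TUNNEL_ROUTES, "split": SPLIT_TUNNEL_ROUTES}[mode]
    return select_route(BASE_ROUTES + extra, dst)


def summary() -> dict:
    """Where each kind of destination goes under each tunnel mode."""
    return {
        mode: {
            "news_site": egress_interface(mode, NEWS_SITE),
            "corp_server": egress_interface(mode, CORP_SERVER),
            "vpn_gateway": egress_interface(mode, VPN_GATEWAY),
        }
        for mode in ("none", "full", "split")
    }


if __name__ == "__main__":
    for mode, where in summary().items():
        print(f"{mode:5}  {where}")
```

Under "full" the news site resolves to tun0 because 192.0.2.44 falls inside 128.0.0.0/1, which is more specific than the untouched 0.0.0.0/0 default; under "split" only 10.0.0.0/8 points at tun0, so the same packet leaves on eth0 directly. In both modes the gateway's own address stays on eth0, which is the detail that prevents the loop.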
Question 2 Multiple Choice
What makes a site-to-site VPN essential for connecting two offices that use private IP address ranges (e.g., 10.1.0.0/16 and 10.2.0.0/16)?
A. Private IP addresses are blocked by firewalls and must be translated before internet transit
B. Private IP addresses are not routable on the public internet, so traffic must be encapsulated inside packets with routable public addresses
C. The offices need a dedicated leased line, and a VPN provides the same physical infrastructure
D. VPN encryption prevents ISPs from throttling inter-office traffic based on IP range
Answer: B
Private IP address ranges (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are reserved for internal networks and are not routable on the public internet: routers there carry no route for these prefixes, so packets addressed to them are dropped. A site-to-site VPN solves this by encapsulating (tunneling) the entire original private-IP packet inside a new packet whose source and destination are the public IP addresses of the two VPN gateways; the original packet travels as the payload. When the destination gateway receives and decrypts the outer packet, it recovers the private-IP packet and routes it onto its internal network. Option A describes NAT, a related but different mechanism: NAT rewrites addresses so a host can reach the public internet, whereas the VPN preserves the private addresses end to end. Option C is wrong; VPNs ride the shared public internet rather than dedicated lines, which is exactly what makes them "virtual". Option D is wrong as well: encryption does not stop an ISP from shaping the tunnel's traffic (the outer packets are still visible and countable), and that is not what makes the VPN necessary.
Question 3 True / False
A VPN makes users substantially anonymous online because most of their traffic is encrypted and can seldom be traced back to them.
T. True
F. False
Answer: False
False. A VPN shifts trust; it does not eliminate it. With a VPN, your ISP can no longer see the content or destinations of your traffic; it sees only that you are connecting to a VPN server, when, and how much. However, the VPN provider (or corporate gateway) now sees all of your traffic and knows who you are, from your real source IP address and, for a commercial service, your account and payment details. You are trusting the VPN operator instead of your ISP. Additionally, many other tracking mechanisms (browser fingerprinting, cookies, account logins) operate above the network layer and are completely unaffected by a VPN, and misconfigured clients can leak DNS queries or other traffic outside the tunnel. The common consumer marketing claim that VPNs provide anonymity is an oversimplification.
Question 4 True / False
In IPsec tunnel mode (the mode used in site-to-site VPNs), the VPN gateway encrypts the entire original IP packet — including its source and destination addresses — before adding a new outer IP header.
T. True
F. False
Answer: True
True. This is the defining characteristic of IPsec tunnel mode and the key to how VPNs handle private IP addresses. The complete original packet (header plus payload) becomes the ESP payload: it is encrypted and integrity-protected, then encapsulated inside a new outer IP packet whose addresses are the public IPs of the two VPN gateways. This is what hides the private address space from the public internet; the inner packet's private IPs are invisible to any router between the gateways. Two caveats: the confidentiality comes from ESP (AH authenticates but does not encrypt), and the outer header, the ESP SPI and sequence number, and packet sizes and timing remain visible on the wire, so an observer can still see that the two gateways exchange traffic and how much. In contrast, IPsec transport mode protects only the payload and leaves the original IP header intact; it is used for host-to-host protection between endpoints that already have routable addresses, not for site-to-site tunneling.
Question 5 Short Answer
Explain what 'tunneling' means in the context of a site-to-site VPN, and why it is necessary when connecting two offices that use private IP address ranges.
Think about your answer, then reveal below.
Model answer: Tunneling means taking an entire network packet (including its headers) and wrapping it as the payload of another packet. In a site-to-site VPN, the VPN gateway encrypts and encapsulates each private-IP packet inside a new packet with public IP addresses. The public internet routes the outer packet to the remote gateway, which strips the outer layer, decrypts, and delivers the original private-IP packet to its destination. This is necessary because private IP addresses are not routable on the public internet — without encapsulation, routers would discard packets destined for 10.x.x.x or 192.168.x.x addresses.
The term 'virtual' in VPN captures this mechanism: the private network connection is virtual (simulated through encapsulation) rather than physical (a dedicated leased line). The public internet carries the outer packets without knowing anything about the inner private network structure. Both encapsulation (for routing) and encryption (for confidentiality and integrity) are required: encryption alone would not solve the private-IP routing problem, and encapsulation alone (a plain GRE or IP-in-IP tunnel, for instance) solves routing but leaves the inner packets readable and forgeable by anyone on the path.
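The encapsulation described in Questions 2, 4 and 5, as an added example that is not part of the quiz: a private-IP packet is built, shown to be undeliverable by a public-internet hop, wrapped ESP-style inside an outer packet between two gateway addresses, and recovered on the far side, with a tampered packet rejected by the integrity check. All addresses and keys are constructed, and the stream cipher is a stand-in built from HMAC-SHA256 in counter mode so the block needs only the Python standard library; real ESP uses AES-GCM or AES-CBC with HMAC, negotiated over IKEv2.

```python
"""Added example (not from the quiz): IPsec-style tunnel-mode encapsulation of
a private-IP packet between two site gateways, standard-library Python only.

Constructed addresses: RFC 1918 hosts in 10.1.0.0/16 and 10.2.0.0/16, and
RFC 5737 documentation addresses 203.0.113.10 / 198.51.100.20 standing in
for the gateways' public addresses. Keys are fixed constants for the demo.
"""
import hashlib
import hmac
import ipaddress
import struct

SITE_A_HOST, SITE_B_HOST = "10.1.0.5", "10.2.0.9"
GW_A_PUBLIC, GW_B_PUBLIC = "203.0.113.10", "198.51.100.20"
IPPROTO_TCP, IPPROTO_ESP = 6, 50
ICV_LEN = 16  # 128-bit truncated HMAC, as in HMAC-SHA-256-128

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/IHL, TOS, len, id, flags/frag, TTL, proto, csum, src, dst


def _checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the 20-byte header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, then the payload."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    f = struct.unpack(IPV4_HDR, packet[:20])
    return {"src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9])),
            "proto": f[6], "payload": packet[20:]}


def internet_router_forwards(packet: bytes) -> bool:
    """A public-internet hop has no route for RFC 1918 destinations and drops them."""
    dst = ipaddress.IPv4Address(parse_ipv4(packet)["dst"])
    return not any(dst in net for net in RFC1918)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 as a PRF in counter mode; nonce = SPI||seq is unique per key.
    blocks = [hmac.new(key, nonce + struct.pack("!Q", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def esp_encapsulate(inner: bytes, enc_key: bytes, mac_key: bytes, spi: int, seq: int) -> bytes:
    """Tunnel mode: the whole inner packet, header included, is the encrypted ESP payload."""
    esp_hdr = struct.pack("!II", spi, seq)  # SPI and sequence number travel in the clear
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(enc_key, esp_hdr, len(inner))))
    icv = hmac.new(mac_key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    return build_ipv4(GW_A_PUBLIC, GW_B_PUBLIC, IPPROTO_ESP, esp_hdr + ct + icv)


def esp_decapsulate(outer: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Receiving gateway: verify the ICV first, then decrypt and recover the inner packet."""
    pkt = parse_ipv4(outer)
    if pkt["proto"] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    body, icv = pkt["payload"][:-ICV_LEN], pkt["payload"][-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(mac_key, body, hashlib.sha256).digest()[:ICV_LEN]):
        raise ValueError("ESP integrity check failed")
    esp_hdr, ct = body[:8], body[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, esp_hdr, len(ct))))


ENC_KEY, MAC_KEY = b"\x11" * 32, b"\x22" * 32  # constructed; IKEv2 would negotiate these


def demo() -> dict:
    inner = build_ipv4(SITE_A_HOST, SITE_B_HOST, IPPROTO_TCP, b"GET / HTTP/1.1\r\n")
    outer = esp_encapsulate(inner, ENC_KEY, MAC_KEY, spi=0x1000, seq=1)
    wire = parse_ipv4(outer)
    return {
        "raw_private_packet_forwarded": internet_router_forwards(inner),
        "encapsulated_packet_forwarded": internet_router_forwards(outer),
        "wire_src": wire["src"], "wire_dst": wire["dst"], "wire_proto": wire["proto"],
        "inner_addrs_visible_on_wire": any(ipaddress.IPv4Address(h).packed in wire["payload"]
                                           for h in (SITE_A_HOST, SITE_B_HOST)),
        "recovered_inner": parse_ipv4(esp_decapsulate(outer, ENC_KEY, MAC_KEY)),
    }


def tampered_packet_rejected() -> bool:
    """Flip one ciphertext byte in transit; the ICV check must reject it before decryption."""
    inner = build_ipv4(SITE_A_HOST, SITE_B_HOST, IPPROTO_TCP, b"hello")
    outer = bytearray(esp_encapsulate(inner, ENC_KEY, MAC_KEY, spi=0x1000, seq=2))
    outer[20 + 8] ^= 0x01  # first byte of the encrypted inner header
    try:
        esp_decapsulate(bytes(outer), ENC_KEY, MAC_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("tampered packet rejected:", tampered_packet_rejected())
```

The raw inner packet is dropped by the simulated internet hop because its destination is in 10.0.0.0/8, while the encapsulated packet passes because the only addresses a router can see are the two gateways' public ones and the protocol field reads 50 (ESP). The inner header's private addresses do not appear anywhere in the on-wire payload, and a single flipped byte makes the receiving gateway discard the packet before decrypting it, which is the order a real ESP implementation must follow.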