What Happens When You Connect to a VPN? Step-by-Step

By CarrotVPN Team · 7 min read

You tap Connect on CarrotVPN and see a lock icon appear on your screen. But what actually happened in that moment? This article walks through what occurs technically — from the initial handshake to traffic encryption — explaining every step in plain language.

Before: Normal Internet Connection

Without a VPN, your internet connection works like this:

  1. Your device sends a request (e.g., "load google.com") to your router
  2. Your router passes it to your ISP
  3. Your ISP sees the request, resolves the domain via DNS, and routes the traffic to Google's servers
  4. Google's response comes back through the same path — ISP → router → your device

At every step, your real IP address is visible. Your ISP can see every site you visit. Google sees your real IP.

Step 1: You Tap Connect

When you tap Connect in CarrotVPN, the app:

  • Requests a VPN permission from Android (if not already granted)
  • Identifies the best server based on location and load
  • Initiates a connection to that server's IP address and port over UDP
  • Begins the WireGuard® handshake process

This entire process typically completes within 1–3 seconds with WireGuard®, compared to 10–30 seconds with older protocols.

Step 2: The WireGuard® Handshake

The handshake establishes the encryption keys used for this session:

  1. Your app already has the server's public key (configured in the app)
  2. Your app sends an Initiation message containing its own public key and an ephemeral (temporary) key, encrypted with the server's public key
  3. The server verifies the message and sends a Response message with its own ephemeral key
  4. Both sides compute the same shared session secret from their own private keys and the other side's public keys (Diffie-Hellman math)
  5. This shared secret is used to derive the session encryption keys

The entire handshake takes 1 round-trip — sending 2 UDP packets. Previous protocols required 6–10 round-trips. WireGuard®'s speed advantage starts here.
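
The key agreement in steps 4 and 5, as an added example (not CarrotVPN's or the WireGuard project's code): both sides run X25519 Diffie-Hellman over their static and ephemeral keys and chain the results through HMAC-BLAKE2s to get matching directional session keys. It is a simplified sketch: the real handshake also hashes the transcript, encrypts the static key and a timestamp, and adds MACs. The function names and the label string are constructed for illustration.

```python
import hashlib, hmac, os

P, A24 = 2**255 - 19, 121665        # Curve25519 field prime, ladder constant
BASE = (9).to_bytes(32, "little")   # standard base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:  # RFC 7748 ladder; not constant-time
    k = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASE)   # (private, public)

def kdf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.blake2s).digest()  # HMAC-BLAKE2s step

def session_keys(static_priv, eph_priv, peer_static, peer_eph, initiator):
    """(send_key, recv_key) for one side; simplified, not the full Noise IK."""
    s, e, S, E = static_priv, eph_priv, peer_static, peer_eph
    pairs = ([(e, S), (s, S), (e, E), (s, E)] if initiator
             else [(s, E), (s, S), (e, E), (e, S)])  # same four DH values
    ck = hashlib.blake2s(b"constructed demo label").digest()
    for priv, pub in pairs:
        ck = kdf(ck, x25519(priv, pub))   # chain each shared secret in
    k1, k2 = kdf(ck, b"\x01"), kdf(ck, b"\x02")
    return (k1, k2) if initiator else (k2, k1)

def handshake(client_static, server_static):
    ce, se = keypair(), keypair()         # fresh ephemeral keys per session
    return (session_keys(client_static[0], ce[0], server_static[1], se[1], True),
            session_keys(server_static[0], se[0], client_static[1], ce[1], False))

if __name__ == "__main__":
    client, server = handshake(keypair(), keypair())
    print("client send == server recv:", client[0] == server[1])
```

Calling `handshake` twice with the same static keys yields different session keys, because the ephemeral keys are fresh each time.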

Step 3: Encrypted Tunnel Established

With session keys established, a bidirectional encrypted tunnel now exists between your device and the VPN server. All data passing through is encrypted with ChaCha20-Poly1305:

  • ChaCha20 encrypts the data — converts readable content to ciphertext
  • Poly1305 authenticates the data — ensures nothing was tampered with in transit

The keys rotate automatically every few minutes (perfect forward secrecy). If a session key were somehow compromised, only a few minutes of traffic could be decrypted — not past sessions.

Step 4: Traffic Routing Changes

The VPN creates a virtual network interface on your device (e.g., wg0) and changes your routing table:

  • Before VPN: Default route → your router → your ISP
  • After VPN: Default route → wg0 (VPN interface) → encrypted to VPN server → internet

Android shows the VPN icon (key symbol) in the status bar to indicate that all traffic is now routing through the VPN. The kill switch (if enabled) adds a firewall rule that blocks any traffic not going through the VPN interface — preventing leaks if the VPN drops.

Step 5: What Browsing Looks Like Now

When you open your browser and visit a site:

  1. Your device sends the DNS query and HTTP request through the VPN interface
  2. The request is encrypted with ChaCha20 and sent as a WireGuard® UDP packet to the VPN server
  3. Your ISP sees: encrypted UDP packet going to VPN server IP — nothing else
  4. The VPN server decrypts the packet and forwards your request to the website
  5. The website sees: request from VPN server's IP address — not your real IP
  6. The website's response goes back to the VPN server, which encrypts it and sends it back through the tunnel
  7. Your device decrypts the response and displays the page

All of this happens in milliseconds. The added latency is typically 1–10 ms, imperceptible in normal use.

What Happens When You Disconnect

When you disconnect CarrotVPN:

  • The WireGuard® session keys are deleted from memory — they cannot be recovered
  • The virtual network interface is removed
  • Routing tables revert to normal — traffic goes directly to your ISP again
  • The kill switch (if enabled) is deactivated
  • No session data is stored on CarrotVPN servers — there's nothing to delete

If you disconnect while loading a page, the kill switch may briefly cut internet until you either reconnect to CarrotVPN or disable the kill switch in settings.
