VPN stands for Virtual Private Network. VPNs used to be used mainly by employees connecting to their company network from a remote location. These days, VPN services are popular with consumers who want to access content that's otherwise blocked because of their location, and with people who don't want their online activity to be visible or traceable.
So what's a VPN tunnel?
When you browse websites without a VPN, the data that's sent from your router via your ISP to the website is visible to anyone who can hack into the connection.
However, that's not to say all the data is readable. When you use a website with HTTPS, the information is encrypted so a hacker can't read it. This is important when you're using online banking or making a purchase: you don't want your address and financial details to fall into the wrong hands.
Of course, not every site uses HTTPS, and HTTPS doesn't hide everything about a connection. For example, it's still possible for someone to see that you've visited a particular website, even if your credit card details are encrypted.
This is where VPNs come in. Technically, a VPN doesn't mean the data is encrypted; it means it is encapsulated. Each packet you send is wrapped inside another packet that is addressed to the VPN server rather than to the website.
This is why it's called a VPN tunnel: the connection between your computer and the VPN server is essentially a tunnel which protects the data being transmitted within it from being accessed by anyone else. It's a bit like a tunnel for cars: the concrete tunnel itself protects the cars driving through it from the water or earth above crashing down.
Most - if not all - VPN services also encrypt the data that's sent through the tunnel, offering a second layer of protection.
Does a VPN tunnel mean the data is always encrypted?
Once the data reaches the VPN server, which could be in a different country, it is decrypted and sent on to the intended recipient, which could be a website or an email server - or something else.
The reason the data can't remain encrypted for the whole journey is that the final recipient doesn't have the means to decrypt it. The VPN server acts as a middleman and obfuscates the origin of the data so that the final recipient has no idea where (or who) it has come from.
However, this doesn't mean you can't have end-to-end encryption. You simply need to use a service which does this already. And if the data you're sending is already encrypted (such as an email from one Gmail account to another) then the VPN adds a second layer of encryption which is removed when the data is forwarded on from the VPN server.
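The difference between encapsulation and encryption, and the VPN server's role as middleman, can be shown with a small simulation. This is an added example, not code from any VPN product: the packet format, the addresses (documentation ranges) and the toy cipher are all constructed for illustration.

```python
import hashlib
import os

# Constructed addresses from the RFC 5737 documentation ranges.
CLIENT, VPN_SERVER, WEBSITE = "192.0.2.10", "198.51.100.7", "203.0.113.80"

def packet(src, dst, payload):
    """Simplified packet: an ASCII 'src>dst' header line, then the raw payload."""
    return f"{src}>{dst}\n".encode() + payload

def parse(raw):
    header, _, payload = raw.partition(b"\n")
    src, dst = header.decode().split(">")
    return src, dst, payload

def toy_cipher(key, nonce, data):
    """XOR with a SHA-256 counter keystream. Stand-in only (no integrity check);
    real VPN protocols use vetted authenticated ciphers."""
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encapsulate(inner, key=None):
    """Client: wrap the whole inner packet in one addressed to the VPN server."""
    if key is None:
        return packet(CLIENT, VPN_SERVER, inner)        # tunnel without encryption
    nonce = os.urandom(12)
    return packet(CLIENT, VPN_SERVER, nonce + toy_cipher(key, nonce, inner))

def vpn_forward(outer, key=None):
    """VPN server: unwrap, decrypt if needed, resend with its own source address."""
    _, _, body = parse(outer)
    inner = body if key is None else toy_cipher(key, body[:12], body[12:])
    _, dst, payload = parse(inner)
    return packet(VPN_SERVER, dst, payload)

def observer_view(outer, needle):
    """What someone watching the client-to-VPN link learns from one packet."""
    src, dst, body = parse(outer)
    return {"src": src, "dst": dst,
            "sees_website": WEBSITE.encode() in body,
            "sees_payload": needle in body}

if __name__ == "__main__":
    inner = packet(CLIENT, WEBSITE, b"GET /account")    # constructed request
    key = os.urandom(32)
    print("tunnel only:", observer_view(encapsulate(inner), b"GET /account"))
    print("encrypted:  ", observer_view(encapsulate(inner, key), b"GET /account"))
    print("website gets:", parse(vpn_forward(encapsulate(inner, key), key)))
```

In both cases the observer sees only the VPN server as the destination in the outer header, but without encryption the real destination and the request are still readable inside the wrapped packet. The website receives the request with the VPN server's address as its source.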