You basically tell every switch or whatever that you connect with where you are going. That can't be encrypted. The new destination that is tacked on by the VPN is not encrypted and has to be the correct one if you want to get to your destination. Notice this does not include ports. The ISP doesn't need to know what ports are used. Only the browser has to know. Because at that point you are no longer going through the tunnel that you are connected to the VPN with. You are in no tunnel at that point. There can't be a tunnel to any web sites as they aren't connected to any VPN. The destination can't read your encryption unless it has the key. If you want to go to, say, Netflix to have a movie streamed to you, encryption will not help you; it will only hinder you. What is Netflix going to do with whatever is encrypted? So that traffic can't be encrypted regardless of whether it's a public or private VPN or whether it is a full tunnel that you are connected to the VPN in. A public VPN can only hide who you are, your IP, nothing else. If it did encrypt your traffic, how is Netflix going to handle it? There are no tunnels created by a public VPN except maybe between you and it. The other sites you go to do not connect to that VPN. That VPN can only hide your real IP. Remember you were asking about going through your company's VPN to browse the web. You are doing the same thing with any VPN, public or private. Will your company even let you go to those sites through its network? Only you and your company know that. Which is what you would have to do to use a full tunnel.