How is VPN tunneling actually implemented?


I am new to VPNs, have used them a few times, have read about "how they work" (which is all very high level), and am now confused about how this is actually implemented (so I can come full circle and understand what kind of security they are providing me).

It sounds like a VPN is something you install on your computer. You then perform your actions in the VPN UI (whether it’s a terminal or a GUI). These "local" actions are then encrypted (what is the encryption method/protocol?) locally. Then, say I am at my house using WIFI or at the coffee shop. It uses my newly allocated public IP address (the one I’ve been assigned for only the past few hours), to send this encrypted data across the public internet, in the public WIFI at the coffee shop. So people can tell I am sending something over the internet, just not sure what (because it’s encrypted). The way these articles sound, they make it sound like magic and that you get a static IP address locally which no one can see. That’s not the case right? It is doing exactly what I’m saying. I ask this question to clarify and make sure I’m understanding correctly.

So then the encrypted traffic (going across the public internet, using my publicly known IP address), is sent to some remote server. That server then performs the real actions I was typing at my VPN terminal/GUI. It makes whatever internet requests and whatnot, or SSH’s into some computer I’m targeting, and pipes the info back, encrypted, over the public internet, to decrypt it locally on my computer. Hopefully I’m still on the right track. Then that remote computer I sent my encrypted traffic to, what does it do to obscure my message or secure my message from its standpoint? Does it dynamically change its IP address? Is it situated in some remote wilderness guarded by gates so no one can intercept the traffic? How does it stay secure in sending messages to the actual target location? Or is it just the fact that the requests are no longer coming from my computer, so no one can know its me, all the security its accomplishing?

Basically, I’m wondering if this is sort of how it’s implemented.