TCP/IP doesn’t work like a water pipe, where the flow is only in one direction or where a single data stream occupies the entire data path. Rather, the data stream is split up into packets of data. Each packet has a ‘source’ address and a ‘destination’ address (excluding broadcasts or multicasts).
An IP tunnel sets up a ‘private’ connection between two devices such that all of the data sent between those two connections is essentially ‘hidden’ – using encryption – from all of the other communication over the network. Going back to the water pipe analogy, it’s as if we’ve inserted a smaller water pipe inside the larger one which we use for our own, private supply of water.