You can think of a VPN tunnel as a secure, layer 2 tunnel. from the perspective of two hosts on the outside of this tunnel, that is pretty much it. for example, if you have two offices connected to each other with a VPN tunnel over the internet, the computers at each office require no knowledge that this tunnel exists.
The purpose of the VPN routers at each office is to encrypt the traffic and send it across the network (could be the internet or other cloud). A layer 2 path is created within the tunnel. Each VPN endpoint will have an IP address assigned on the same logical segment. So for example, when the connection is established, router 1 will get an IP of 192.168.1.1 and router 2 will get an IP of 192.168.1.2. These are just logical IPs that are assigned for the tunnel. The VPN routers also have their own public IPs that they use to connect to the provider.
All protocols will pass as they would on the network, unless you have the VPN routers filter the traffic like a firewall.
The public IP is going to be where ever the edge of this connection is with the internet. A VPN tunnel may connect back to the remote office and route connections to some other portion of the network before leaving to the internet. what is mean is say you have a remote office that connects back to a main office via a VPN tunnel over the internet. The traffic that passes through the VPN tunnel while on the "internet", it is encapusated. When the traffic enters one side of the tunnel and exits through the other. So while a user in a remote site opens say, google.com, they go through the tunnel, through the main office network, then out through the main office internet connection. The public IP address you see is that of the outbound internet connection, not the VPN connections.
I am not familiar with what you mean by hotspot shield. I will need to look that up.
It is a free VPN for public. you can find more about it easily on google.
Let's say that we have a public address of a hacker or someone like that we need to trace back(police in involved too if it is a serious case with all the support they can get). but the public IP we have is the VPN's public IP of the hacker used. It it is encrypted and tunneled like that,would it be possible to trace back to the hacker's real IP address?