VPN vocabulary: all the key terms and jargon explained


Virtual private networks - even that trio of words feels like it needs a bit of unpicking. But the weird thing about VPN services is that there are lots of mysterious and unfathomable terms for such a relatively simple bit of kit.

So if you're thinking about downloading one, but still can't quite sort your DNS from your DD-WRT and aren't entirely sure what the difference between a server and a service is, you've come to the right place.

Below you'll find an alphabetical list of some of the most common but least decipherable VPN-related jargon.

Advanced Encryption Standard (AES)

Created in 2001, Advanced Encryption Standard (AES) is an industrial-strength encryption cipher which defines how to encrypt and decrypt data. 

The cipher is often described with its key length, for example AES-128 encrypts using a 128-bit key, AES-256 uses 256 bits. More bits makes for stronger encryption, but AES is already as strong as it gets, and (as far as we know) even nation states don't have the computing power to break AES-128 with a brute force attack.

Black box

A software testing technique where auditors look at the system from an end user point of view. When testing a VPN, for instance, the auditor can only install and run the apps. This doesn't give as much information as white box audits, where the testers can also inspect app and server source code.

Catapult Hydra

A proprietary VPN protocol devised and used by Hotspot Shield. The company hasn't published full details on how it works, but the Hotspot Shield website has published some technical details. Apparently the Catapult Hydra protocol uses TLS 1.2-based security, and 'uses RSA certificates with 2048 bit key for server authentication and Elliptic Curve Diffie-Hellman algorithm (ECDHE) for Ephemeral Key Exchange.'


Cipher

A cipher is a set of rules used for data encryption and decryption. There are many different ciphers available. Blowfish is a popular free cipher, created in 1993 and still in use today. Advanced Encryption Standard (AES) is stronger, though, and the current industry standard for most VPNs, while ChaCha20 is a speedy and secure cipher used in WireGuard and Google's HTTP/3.


DD-WRT

DD-WRT is a technology which allows wireless routers and access points to be updated with new functionality. VPNs claiming DD-WRT compatibility, such as ExpressVPN, NordVPN, ProtonVPN and Windscribe, can be set up to run on routers from a wide range of manufacturers.

Deep Packet Inspection (DPI)

A set of technologies used to analyze network traffic and understand its purpose. This can be used for good (to detect and block malware activity and network hackers), but it might also be used to stop P2P downloads, or by repressive governments to monitor their citizens' internet use.

Connecting to a VPN encrypts your internet traffic and makes it harder for snoopers to use DPI and figure out what you're doing. There are no guarantees, though, as DPI can also be used to detect and block VPN use. 

Domain Name System (DNS)

A service that translates the addresses typed into a browser's address bar into the numeric IP addresses used to route traffic across the internet. While the default DNS provider for many users is their ISP, when using a VPN the DNS is provided by the VPN provider.

See What is DNS and how does it work? for more.

Eavesdropping Attack

A hacking attempt that steals information that is transmitted over an unencrypted, wireless internet connection, such as a free Wi-Fi connection that does not require any password. It is also known as a sniffing or spoofing attack.


Encryption

The process of converting information into another form. Typically used to prevent others accessing that information, unless they know the type of encryption used and have the necessary encryption keys.

Encryption Key

An encryption key is a random set of information which is used by a cipher to encrypt and decrypt data. Keys are often described by their size: 256, 512, 1024, 2048 and more. The longer the key, the more possible variations from the encryption process, and the more difficult it is for an attacker to break the code.


Geo-blocking

A technology which restricts access to web content based on the location of the user. Geo-blocking is often used by streaming platforms, allowing providers to license content for availability in particular regions only. Using a VPN may allow users to appear to be in those regions, though, bypassing the geo-blocking and allowing them to stream whatever content they like.

IP address

An identifier which represents the location of a device on the internet, or a local network. Every internet user, website and other internet resource has an IP address, and this tells all other devices where they are, and allows devices to communicate with each other.


IPv4

Internet Protocol version 4 is the standard protocol which defines how devices are located on the internet and other networks, and the method used to send data from one device to another.

IPv4 is often used simply to refer to the protocol's type of IP address, with four numbers separated by periods, such as:


IPv6

Internet Protocol version 6, the successor to IPv4, provides a new way of defining the IP addresses given to internet and network devices, and routing data between them.

IPv6 replaces the old IPv4 address ('') with a new format, like this: 2001:db8:0:1234:0:567:8:1

IPv6 isn't as common as IPv4 yet, but will bring several major benefits when it arrives: it's simpler, faster and supports 1,028 times more IP addresses than IPv4 (important, as the IPv4 world has run out.)

IP leak

An IP leak occurs when the user’s real IP address is visible to the outside world, despite the use of a VPN.

IPLeak.net, IPLeak.org and BrowserLeaks.com use various techniques to detect IP and DNS leaks. Many VPNs have their own more general test pages (ExpressVPN's DNS leak test is a great example.)

Key Exchange

A process where two parties negotiate a shared key which they can then use to create an encrypted communications channel.

Common key exchange methods include Diffie-Hellman and Internet Key Exchange (the IKE in IKEv2.) 

Kill Switch

An important feature which protects your data by blocking internet access if the VPN connection drops. 

Without a kill switch, your device might switch to an unencrypted connection, leaving your traffic unprotected and perhaps resulting in an IP leak (see above.)

With a kill switch, the app doesn't allow you back online until the VPN is back and your connection is protected.

See VPN kill switches explained for more.


Latency

The time it takes for data to travel across a network from the source to its destination. Connecting to a VPN routes your traffic through the VPN server before travelling to the website, increasing latency and reducing your internet speeds.


Lightway

A WireGuard-inspired VPN protocol created by ExpressVPN. Lightway is much simpler than OpenVPN, reducing its CPU requirements and extending battery life. It connects much faster, delivers better performance, and is built to handle common mobile networking issues (like your signal dropping out unexpectedly.) And unlike most other alternative VPN protocols, Lightway is open-source, and anyone can inspect the source code on GitHub and check that it works correctly.


Logging

In VPN terms, logging refers to any records a provider makes of accesses to its service. All VPN providers say they do not log the sites you visit, the files you download or any details of what you do online. But some carry out session logging, which might include details such as the time you connect, the device you're using, the app version, your incoming IP address, the server you access and the bandwidth you use.

Providers sometimes describe what they're doing in their Privacy Policy. A few also have their processes independently audited to verify their claims. ExpressVPN, NordVPN and VyprVPN have all been through no-logging reviews, and TunnelBear has a big annual audit of its apps, servers and company infrastructure.

Man-in-the-middle attacks

A dangerous set of sneaky tricks which allow a snooper to intercept your communications, perhaps modify them or steal personal. 

For example, a hacker might use a fake or hijacked router to capture passwords or redirect you to phishing or other dangerous sites. 

Using a VPN protects you from many types of man-in-the-middle attacks by encrypting your activity, making it more difficult for anyone to see what you're doing.

No Logs Policy

A VPN provider's commitment not to keep a record of its users' online activities. Better VPN services have this policy prominently available on their site and some, like NordVPN, have it audited independently.


Obfuscation

In VPN terms, obfuscation refers to any technology or approach which makes it more difficult for websites, ISPs and anyone else monitoring the network to detect that you're using a VPN.

This is especially important in countries like China, which makes huge efforts to censor the internet and block VPN use.


OpenVPN

A secure and highly configurable open-source VPN encryption protocol.

OpenVPN isn't as fast as WireGuard or the latest proprietary protocols (Lightway, NordLynx), but its flexible and versatile design means it's still the industry standard.

See What is OpenVPN? for more.

Ping time

A measure of latency which describes the minimum time it takes for data to travel across a network from one device to another, and receive a response. 

Connect to a VPN and the data must be routed through the VPN server before travelling on to its destination, reducing internet speed and increasing ping time.


Protocol

In VPN terms, a protocol is a set of instructions a VPN app and server use to set up a connection, then securely communicate with each other.

The protocol defines how the app logs into the VPN server; how the server proves its identity to the app; the methods used to send data in each direction, the encryption used, and every other aspect of how your VPN connection works.

Common VPN protocols include OpenVPN, WireGuard and IKEv2.

Public Wi-Fi

Wi-Fi hotspots, often provided by municipalities, that are designed for anyone to connect to via a radio signal, also known as a wireless connection, or Wi-Fi. In order to facilitate the access, no password is required to establish the connection. As the connection is unencrypted, users are at particularly high risk of being hacked, and a VPN is important to maintain the security of the data transmitted.

Split tunneling

A VPN feature that defines which apps have traffic routed through the VPN tunnel, and which use the device's regular internet connection.

Split tunneling is useful when an app doesn't work well with a VPN, for example if a local streaming platform blocks you when it appears you're in another country. Set up split tunneling to direct the streaming app traffic through your normal internet connection, instead, and it won't be affected by the VPN in future.


StrongSwan

A popular open-source VPN app for Windows, Mac, Android and iOS.

StrongSwan doesn't have many features, but it can be set up to work with most VPNs, which might be handy if you've problems with a provider's own apps. 

StrongSwan's Android edition is so reliable and highly rated (4.3 on Google Play) that some providers have used its code as the basis for their own apps.


Throttling

Internet throttling is a traffic management system which reduces connection speeds in certain circumstances.

Your ISP might slow you down when you access Netflix or other streaming platforms, for instance, or if it detects you're downloading torrents. 

Using a VPN helps avoid throttling as it prevents your ISP seeing which websites or internet services you access.


Tor

The Onion Router is an open-source project which allows secure communications by encrypting data multiple times and passing it through a randomly-chosen set of volunteer-run servers.

Tor has the same core idea as a VPN, hiding your IP address by routing traffic through another server, but the technology works very differently, and has its own distinct advantages and disadvantages. See What is Tor? for more information.


Tunnel

An encrypted connection - one that is considered secure - between your computer and another network, for example to a VPN or to the darknet.

VPN Client

The user's device, which connects via the encrypted tunnel to the VPN Server. The device can be a computer, smartphone, tablet, games console, TV streaming device - even your router.

VPN Server

The server is run by the VPN provider, which in turn connects to the internet. Users use the encrypted tunnel to connect their device to the VPN Server. The world's best VPN - ExpressVPN - has in excess of 3,000 servers.

VPN Service

A service (often a company) that provides VPN servers for its users to make a connection to via an encrypted tunnel.

Warrant canary

A document which tells all VPN users whether the provider has received a gag order or government warrant requiring the VPN to supply user information. Warrants often forbid a provider telling a user they’re being investigated, but viewing the Warrant Canary allows all users to see if anything has changed. 

For examples, see Surfshark's Warrant Canary and NordVPN's Security Efforts page.


WebRTC

Created by Google, Web Real-Time Communications (WebRTC) is an open-source technology which allows web browsers and other apps to support audio, video and other communications.

WebRTC can allow websites to detect the real IP address of a visitor, sometimes even if they're using a VPN, a problem known as a WebRTC leak. 

The BrowserLeaks site detects WebRTC leaks, the ExpressVPN site has a WebRTC Leak Test page, and NordVPN has more detailed WebRTC advice.

White box

An in-depth type of software testing where auditors have access to both the apps and their source code. 

White-box VPN audits provide more detailed results than black box tests, where the auditors only see the same information as end users (they can test apps, but don't see the source code.)


WireGuard

A next-generation VPN encryption protocol, developed for ease of setup and with a smaller code base than older VPN encryption protocols. The benefits include high reliability and faster throughput.

See What is WireGuard? for more.


Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.