VPN glossary
Common VPN terms with clear definitions.
No-logs policy
A pledge that the VPN provider keeps no record of user activity
A policy stating that the VPN provider does not record user activity such as visited sites, IP addresses, connection timestamps or bandwidth. Ideally verified by third-party audits (Deloitte, KPMG, Cure53).
Related: Independent audit, RAM-only server, Connection logs vs activity logs
Independent audit
Third-party verification of a VPN's no-logs / security claim
A public report by well-known security firms (Deloitte, KPMG, Cure53, Securitum) that inspect a VPN's infrastructure and logs. A single audit is weak — repeated audits are a stronger trust signal. NordVPN has been audited six times.
Related: No-logs policy
Multi-hop / Double VPN
Routing traffic through two VPN servers in sequence
Routes VPN traffic through two servers instead of one, producing two layers of encryption. The first server only sees the second server's IP; the second only sees the first. Used for maximum privacy — at the cost of speed. Offered as Double VPN (NordVPN), MultiHop (Surfshark) and Secure Core (Proton VPN).
Related: Onion Over VPN, Obfuscation / Stealth VPN
Onion Over VPN
Routing traffic first through a VPN, then the Tor network
Stacks the Tor network on top of the VPN connection for triple-layer anonymity. The ISP only sees a VPN connection, while the Tor entry node cannot see your real IP. NordVPN offers it natively; with any VPN it can be replicated by using Tor Browser.
Related: Multi-hop / Double VPN, Tor Browser
Identity masking
Generating aliases for your real identity (email, number, name)
An alias generator offered by some VPNs that lets you sign up to services without revealing your real email, name or phone number. Surfshark's Alternative ID and NordVPN's identity protection tools are examples. In a data breach, only the alias is exposed.
Related: Alternative ID (Surfshark), Email alias / Anonymous email
Browser fingerprinting
Identifying a user uniquely from browser characteristics
A technique that builds a unique user signature from screen resolution, fonts, plugins, timezone, canvas and WebGL render output. A VPN hides your IP but does not change your fingerprint — for that you typically need Tor Browser or Firefox with privacy extensions.
Related: WebRTC leak, Tracker / Ad blocker
Zero-knowledge proof
Proving knowledge of a fact without revealing the fact itself
A cryptographic method letting one party prove to another that a statement is true without sharing any additional data. Used by privacy services like Proton and Tutanota so the server never sees the user's password in plaintext.
WireGuard
A modern, fast VPN protocol with a small codebase
A modern VPN protocol released in 2018. Its codebase is only ~4,000 lines (vs OpenVPN's ~100,000+), so it is easy to audit. Uses ChaCha20-Poly1305 encryption. NordVPN's NordLynx and Surfshark's WireGuard variant are built on it.
Related: OpenVPN, Lightway, ChaCha20-Poly1305
OpenVPN
An open-source, mature but slower VPN protocol
The most widely supported open-source VPN protocol, released in 2001. Runs over both UDP and TCP. Slower than WireGuard but more flexible (port and protocol choice). TCP mode is useful for bypassing restrictive networks.
Lightway
ExpressVPN's in-house, open-source protocol
A modern wolfSSL-based protocol developed by ExpressVPN. Small codebase and fast connection setup, with post-quantum encryption. Open source since 2022, so it is publicly auditable.
Related: WireGuard, OpenVPN, Post-quantum cryptography
IKEv2/IPsec
A protocol common on mobile, with fast reconnection
Developed by Microsoft and Cisco; particularly common on iOS. Reconnects quickly when switching between Wi-Fi and mobile data. Not as fast as WireGuard but practical on mobile.
Related: WireGuard, OpenVPN, L2TP/IPsec
L2TP/IPsec
An older two-layer tunneling protocol
Combines L2TP tunneling with IPsec encryption. Native device support is broad but double encapsulation makes it slow. Uses UDP ports 500/4500, which are easy to block. Not recommended for new setups when WireGuard or OpenVPN are available.
Related: IKEv2/IPsec, PPTP (deprecated)
PPTP (deprecated)
An old VPN protocol now considered insecure
Developed in the late 1990s, paired with MS-CHAPv2 authentication. Practically breakable since 2012 — exists today only for legacy compatibility. No modern VPN provider offers it by default.
Related: L2TP/IPsec
ChaCha20-Poly1305
A modern cipher faster than AES on mobile hardware
A stream cipher designed by Daniel J. Bernstein, paired with the Poly1305 message authenticator. On devices without AES hardware acceleration (older phones, IoT) it is markedly faster than AES-256-GCM. It is WireGuard's default cipher.
Related: WireGuard, AES-256-GCM
Kill switch
A safety feature that cuts internet traffic if the VPN drops
Automatically cuts all internet traffic when the VPN connection drops, preventing your real IP from leaking. A system-wide kill switch is preferred — app-only kill switches are weaker.
DNS leak
DNS queries escaping the VPN tunnel
DNS queries going to the ISP instead of the VPN provider while the VPN is active. The leak lets the ISP see which sites you visit. Trustworthy VPNs use their own DNS servers and provide leak protection. Test at dnsleaktest.com.
Related: Kill switch, DNS over HTTPS (DoH)
Obfuscation / Stealth VPN
Making VPN traffic look like normal HTTPS to dodge detection
A technique that prevents VPN traffic from being identified by Deep Packet Inspection. Often required in countries that block VPNs (China, UAE, Iran) and on some workplace/university networks. NordVPN offers obfuscated servers, Surfshark offers NoBorders and ExpressVPN applies obfuscation automatically.
Related: WireGuard, Encrypted SNI (ESNI/ECH)
AES-256-GCM
Industry-standard 256-bit encryption
The standard encryption algorithm used by governments, banks and VPNs. The 256-bit key length is practically unbreakable with current compute. GCM (Galois/Counter Mode) provides both encryption and integrity verification.
Related: ChaCha20-Poly1305
Perfect Forward Secrecy (PFS)
Generating a fresh encryption key for every session
Generates short-lived, unique encryption keys for every VPN session. Even if a long-term private key is later compromised, past traffic stays unreadable. Modern protocols (WireGuard, OpenVPN, IKEv2) achieve PFS through Diffie-Hellman key exchange.
IP leak
Your real IP showing up despite the VPN being on
Your real IP leaking via WebRTC, IPv6 or DNS. Trustworthy VPNs offer both IPv4 and IPv6 leak protection. Test at ipleak.net and dnsleaktest.com.
Related: DNS leak, Kill switch, WebRTC leak, IPv6 leak
WebRTC leak
Real IP leaking through the browser's WebRTC API
The browser's WebRTC (real-time communication) feature can expose your real IP via STUN requests, even with a VPN on. Fix: disable WebRTC in the browser, or use uBlock Origin's option to block WebRTC peer connections.
Related: IP leak, Browser fingerprinting
IPv6 leak
IPv6 traffic escaping outside the VPN tunnel
Many VPNs only tunnel IPv4 traffic; IPv6 traffic is sent directly by the OS to the ISP, exposing your real IPv6 address. Fix: pick a VPN that disables or tunnels IPv6. Test at ipv6leak.com.
Phishing protection
Blocking access to known phishing and scam sites
DNS-level blocking by the VPN provider that uses a constantly updated blacklist to stop connections to fake bank pages, scam crypto exchanges and other phishing sites. Built into NordVPN Threat Protection, Surfshark CleanWeb and Proton NetShield.
Related: Threat intelligence, NetShield (Proton)
RAM-only server
A server that runs only in RAM and cannot persist logs
A VPN server with no disk that runs only in RAM — every reboot wipes all data, making persistent logs physically impossible and rendering physical seizure useless. NordVPN, ExpressVPN and Surfshark have moved their entire infrastructure to RAM-only.
Related: No-logs policy
Port forwarding
Opening specific ports to enable P2P / inbound connections
Opens a specific port to the outside world so the device can accept inbound connections. Needed for peer-to-peer file sharing, hosting a game server or efficient BitTorrent seeding. PIA and Proton VPN support it; NordVPN, ExpressVPN and Mullvad (which removed it in 2023) do not.
Smart DNS
A geo-bypass that only swaps DNS — no encryption
Not a full VPN — only swaps the DNS server to get around some geographic restrictions. No encryption, no IP masking. Used to reach Netflix US on devices without a VPN app, like smart TVs and game consoles.
Related: Geo-blocking, DNS over HTTPS (DoH)
DNS over HTTPS (DoH)
A protocol that encrypts DNS queries over HTTPS
Encrypts DNS queries by wrapping them inside standard HTTPS traffic, preventing the ISP from reading or tampering with them. Built into Firefox and Chrome; provided by Cloudflare 1.1.1.1 and Google 8.8.8.8 as DoH resolvers.
Related: DNS over TLS (DoT), DNS leak
DNS over TLS (DoT)
A protocol that encrypts DNS queries over a dedicated TLS port
Encrypts DNS queries with TLS and sends them over dedicated port 853. Unlike DoH the DNS traffic is distinguishable, allowing network admins to filter it. Android 9+'s "Private DNS" feature uses DoT.
Related: DNS over HTTPS (DoH), DNS leak
Encrypted SNI (ESNI/ECH)
Encrypting the hostname inside the HTTPS handshake
Encrypts the hostname (SNI) field that is normally sent in plaintext during the TLS handshake. Its successor Encrypted Client Hello (ECH) is supported by Cloudflare and Firefox. Hides which site you are connecting to from a network observer.
Dedicated IP
A VPN IP address reserved solely for your account
A VPN IP address assigned exclusively to your account and not shared with anyone else. Useful for banking sessions, corporate systems with VPN whitelists and reducing CAPTCHAs. Usually a paid add-on; offered by NordVPN, Surfshark and PureVPN.
Static IP
An IP address that does not change between sessions
A server setup that hands you the same IP on every VPN connection; similar to a dedicated IP but may still be shared. Useful for remote access, IP-restricted services and hosting game sessions.
Related: Dedicated IP, Dynamic IP
Dynamic IP
An IP address that changes on each new connection
The default mode in which the VPN server assigns a different IP on every connection. Harder to track than a static IP and offers stronger privacy — but breaks services that require an IP whitelist.
Related: Static IP, IP rotation
IP rotation
Automatically cycling through IP addresses at intervals
Automatically cycling the exit IP at set intervals (for example every few minutes). Used for web scraping, price tracking and advanced privacy. Surfshark's IP Rotator is an example.
Related: Dynamic IP
Meshnet (NordVPN)
Linking devices into a private encrypted network
NordVPN's WireGuard-based feature that joins your own devices (or invited friends') into a virtual LAN. Enables file sharing, remote desktop and LAN gaming. A free alternative similar to Tailscale.
Related: WireGuard
ISP throttling
Your ISP slowing down a specific type of traffic
When the ISP slows down specific types of traffic such as streaming, gaming or torrenting. A VPN can bypass throttling by hiding the traffic type — but if the ISP's packet detection is advanced, you may not see a speed bump.
Geo-blocking
Services restricting access based on geographic location
When a service restricts content or access based on the country of your IP address. Classic examples are Netflix catalog differences, BBC iPlayer being UK-only and banking apps blocking foreign IPs. A VPN bypasses these by providing an IP in the target country.
Related: Smart DNS, Split tunneling
Split tunneling
Letting some apps stay outside the VPN tunnel
Lets you choose which apps go through the VPN and which connect to the internet directly. Useful, for example, to route a banking app outside the VPN while sending Netflix over it. Also saves bandwidth — only traffic that needs encryption uses the tunnel. Common on Windows and Android; limited on iOS.
Related: Geo-blocking
Jurisdiction
Which country's laws the VPN provider is subject to
Where the VPN provider is headquartered determines which laws apply. Providers based in countries of the 5/9/14 Eyes intelligence alliances (US, UK, Germany, France, etc.) are exposed to legal pressure. Panama (NordVPN), Switzerland (Proton), Romania and the BVI (ExpressVPN) generally offer stronger privacy protection.
Related: No-logs policy, 5/9/14 Eyes
5/9/14 Eyes
Intelligence-sharing alliances
Country alliances that share intelligence: 5 Eyes (US, UK, Canada, Australia, New Zealand); 9 Eyes (+ Denmark, France, Netherlands, Norway); 14 Eyes (+ Germany, Belgium, Italy, Spain, Sweden). VPN providers in these countries are exposed to legal pressure.
Related: Jurisdiction
Warrant canary
A statement quietly removed when a government request arrives
The VPN provider keeps a statement on its site like "we have received no government data requests so far". If one ever arrives (and an NDA prevents disclosure), the statement is quietly removed. Mullvad and previously Proton VPN used this method.
Connection logs vs activity logs
Two distinct log categories: metadata vs actual activity
Activity logs record visited URLs and traffic contents — unacceptable for privacy. Connection logs record metadata like timestamps, bandwidth used and real IP. It is critical whether a "no-logs" claim covers both; some providers only refrain from activity logs while still keeping connection metadata.
Related: No-logs policy, Independent audit
Tor Browser
An anonymous browser based on onion routing
A modified Firefox that anonymises traffic by routing it through three volunteer-run nodes (entry, middle, exit). Provides access to .onion sites. Combined with a VPN it hides Tor usage from the ISP; however it is slow and many sites show extra CAPTCHAs.
Related: Onion Over VPN
Proxy vs VPN
Proxies are per-app, VPNs are system-wide and encrypted
A proxy only routes the traffic of a specific app through another server, usually without encryption (HTTP/SOCKS5). A VPN encrypts and tunnels the entire system's traffic. A proxy may be enough for geo-bypass; for privacy and security you need a VPN.
Related: Smart DNS, Tor Browser
Post-quantum cryptography
Next-generation cryptography resistant to quantum computers
Cryptographic algorithms designed to resist attacks even from a sufficiently powerful quantum computer (NIST picks such as Kyber and Dilithium). Defends against "harvest now, decrypt later" attacks. ExpressVPN Lightway and NordVPN NordLynx are rolling this out.
Related: Quantum-resistant encryption, Lightway
Quantum-resistant encryption
Key exchange resistant to quantum attacks
Practical deployment of post-quantum algorithms; in VPNs typically hybrid handshakes where a Kyber-based key encapsulation mechanism (KEM) is layered on top of the classical exchange. Defends against attackers who record traffic today to decrypt it tomorrow.
Related: Post-quantum cryptography, Perfect Forward Secrecy (PFS)
Threat intelligence
Real-time blocking of known malicious / scam infrastructure
Blocks at the DNS or traffic layer using continuously updated databases of malware command-and-control servers, phishing domains and scam networks. NordVPN Threat Protection, Proton NetShield and Surfshark CleanWeb are built on this.
Related: Phishing protection, NetShield (Proton), Tracker / Ad blocker
NetShield (Proton)
Proton VPN's ad, tracker and malware blocker
Proton VPN's DNS-level filtering layer. Three modes: off, malware/malicious domain only, and full ad + tracker blocking. Works independently of the browser — active on mobile too.
Related: Threat intelligence, Tracker / Ad blocker
TrackerSilencer
Silently filters trackers embedded inside apps
Network-level feature that blocks analytics and ad trackers embedded inside mobile apps (Google Analytics, Facebook SDK, etc.). Stops in-app trackers that browser-based blockers cannot reach. Bundled by some VPN providers.
Related: Tracker / Ad blocker, Threat intelligence
Tracker / Ad blocker
Blocking ad, tracker and telemetry domains
Stops requests to ad servers, third-party trackers and telemetry endpoints at the DNS layer or via a browser extension. Speeds up page loads, saves bandwidth and makes behavioural profiling much harder.
Related: TrackerSilencer, NetShield (Proton), Phishing protection
Scam call protection
Detecting scams in incoming phone calls
A feature bundled with some NordVPN plans: flags or blocks calls from known scam numbers. Relies on phone-number databases; effectiveness varies by region.
Related: Phishing protection
Alternative ID (Surfshark)
Generates a fake set of identity details
A Surfshark tool that generates a fake name, surname, birthdate and multiple email aliases. Lets you sign up without revealing your real identity; all email is forwarded to your real address.
Email alias / Anonymous email
Disposable / proxy addresses that hide your real email
Intermediate addresses that sit in front of your real email and forward incoming mail to it. If spam or a breach hits, you simply disable the alias without affecting the real account. Provided by SimpleLogin (now part of Proton), AnonAddy and DuckDuckGo Email Protection.
Related: Identity masking, Alternative ID (Surfshark)
Data breach monitor
Alerting system that continuously scans for credential leaks
A service that continuously checks whether your email or password appears in known data breaches and alerts you when it does. Examples include NordVPN Dark Web Monitor, Surfshark Alert and integrations with Have I Been Pwned.
Related: Threat intelligence, Identity masking
Password manager
Tool that stores passwords in an encrypted vault and autofills them
A tool that generates strong, unique passwords for every service and stores them in an encrypted vault. Popular examples are NordPass (NordVPN), Proton Pass, 1Password and Bitwarden. Pairing it with a VPN is foundational security hygiene.
Related: Zero-knowledge proof, Data breach monitor
Two-factor authentication (2FA)
A second verification layer beyond the password
A security layer requiring a one-time code, hardware key (YubiKey) or biometric in addition to a password. TOTP apps (Authy, Google Authenticator) are safer than SMS. The first line of defence protecting your VPN account.
Related: Password manager
Anonymous payment
Paying with crypto or cash without revealing identity
Paying for a VPN subscription with Monero, Bitcoin or cash sent by mail — severing the last link between your identity and the provider. Mullvad and Proton VPN openly support these options.
Related: Identity masking, Jurisdiction
Open-source client
VPN application whose source code is publicly available
The VPN client's source code is publicly published on platforms like GitHub — independent security researchers can verify the absence of backdoors or weaknesses. Proton VPN, Mullvad and IVPN release all their clients as open source.
Related: Independent audit, WireGuard
Diskless boot (PXE)
Server booting fresh from the network on every start
The boot process behind RAM-only servers: on every reboot the machine downloads a signed image over the network; there is no local disk, so persistent changes are impossible. Mullvad documents this approach.
Related: RAM-only server
Server load
The current utilisation percentage of a VPN server
A metric showing how saturated a VPN server's CPU, bandwidth and concurrent connections are, as a percentage. Lower-loaded servers deliver faster throughput; most clients automatically route to the least-loaded one.
Related: ISP throttling