VPN Glossary

Understanding VPNs: Common VPN terms and what they mean.


Advanced Encryption Standard. A symmetric encryption standard also known as Rijndael, after its inventors Joan Daemen and Vincent Rijmen. A well audited and understood standard used to encrypt data of all kinds in many different applications. It became widely used after gaining the trust of the U.S. government in 2002.


You are anonymous if it is not possible to identify you in a group. Anonymity only exists within groups, and the larger the group, the more valuable your anonymity is. For example, as part of the Tor network you can only be identified as ‘a Tor user.’ The more Tor users there are, the less this identification is meaningful. See also: Pseudonymity.

Asymmetric encryption

Any encryption protocol in which the participants create a key pair, consisting of a public and private part. The private key is usually created randomly, and the public key derived through a function. Public keys are required for communication and can be safely handed out, while private keys usually never leave the owner’s device.


A payment method secured by cryptography rather than institutions. Generally not controlled by anybody, Bitcoin allows for more anonymous payments than other electronic options.


A classified program by the U.S. National Security Agency and used to decrypt every communication channel. VPN services and protocols are targeted by Bullrun.


Certificate Authority. When relating to VPNs, this usually refers to a file that identifies which key is considered the authority, or whether a connection to a Server is authentic. The Certificate Authority consists of a public and private key. The public key is given to each user (or included in the Software). The private key is one of the most secured files in a VPN company.


The suppression of speech by powerful individuals or institutions. On the internet, censorship is usually deployed through DNS poisoning, DDos attacks, and Deep Package Inspection. However, the threat of physical violence is the biggest censorship enforcer, making anonymity a highly desired feature of online speech.


Referring to the algorithm that’s used to encrypt the connection between the client and the server. Popular ciphers include Blowfish, Twofish, and AES.

Cloud Storage

Computing power that is not dedicated to a single organization, but rather shared and provided as a utility. It’s increasingly common to host sensitive information in the cloud, rather than an intranet behind a firewall, which drastically changes the security models of the internet.

Connection speed

The amount of data that can be transmitted in a certain amount of time. Usually measured in kilobit or megabit per second.


The study of communications secured by mathematics.

Dark web

The part of the internet that exists on pseudonymity networks like Tor and I2P. The dark web can only be accessed with special software that typically hides the identity and location of its participants.


A overlay network that shields users from each other by routing traffic randomly around the world. The darknet allows for hidden services like the Tor and I2P networks. Often used interchangeably with Dark Web.

Data retention

The policy or law under which a company retains data of its users. In most jurisdictions Internet Service Providers (ISPs) are required to store information such as browsing history for a few months.


A Linux-based operating system or firmware for a router. Typically open source, routers running this type of software can be more easily modified for things like VPN connections. Many VPN providers provide software for DD-WRT routers.

DDoS attacks

An attack in which a server is overwhelmed with requests and shuts down or becomes unresponsive. A common tactic for censorship and extortion.

Dedicated server

A hosting service in which the physical machine works exclusively for a single customer. See also: VPS.

Deep package inspection

A technique that looks at each transferred data package to check for malicious content, or undesired recipients. This can be done for surveillance, but also for censorship, and man-in-the-middle attacks.

Deep web

The part of the internet that is not indexed by search engines. The Deep Web includes private forums and social networking sites that give control over privacy settings and chat services. Not to be confused with Dark Web.

Diffie–Hellman key exchange

Allows two parties to negotiate a secret (such as a asymmetric encryption key) over an unsecure channel, without having to meet in person. The D-H is used by VPN Protocols and HTTPS alike. The Diffie–Hellman key exchange is a type of handshake.


Domain Name System. A naming system that maps domain names to IP Addresses. Commonly used as a point to censor and monitor internet traffic.

DNS leak

Under certain circumstances, a misconfigured VPN connection can lead a user to identify themselves to the sites they visit inadvertently.

DNS poisoning

When a DNS server does not return the correct IP address of a domain name. Commonly used for censorship, but can also be used to divert traffic fraudulently.

Domain name

Consists of the TLD (e.g. the .com in example.com), the second-level domain (e.g. example) and the host name (e.g. www.), separated by dots and identical to the hostname.


The proposed Data Retention and Investigatory Powers Act 2014 required ISPs to keep records of their customers’ internet activity and make it available to law enforcement without judicial oversight. Succeeded by the Snoopers’ Charter (Investigatory Powers Act 2016).

Edward Snowden

A former employee of U.S. intelligence, in 2013 Snowden released information that proved the United States and its allies were guilty of grave violations of privacy.


The process of encoding information so that only authorized people can access it. Usually achieved through mathematics, secret numbers and, primes.

Encryption key

The key that allows someone to encrypt or decrypt information. Often just a large number that is either created randomly or negotiated in a key exchange.

Encryption key length

The size of the Encryption Key. Usually denominated in bits. Common key lengths in symmetric systems like AES are 128, 256, and 512 bit. In asymmetrical systems like RSA, keys are usually 1024 to 4096 bits in length.

End-to-end encryption

Any encryption system in which data can only be accessed at the end-points, e.g. nobody but the sender and recipient can access it.


The dominant standard network connection cable. Infamously dropped by Apple. Such a network is called a LAN.


On the internet, people and organizations are commonly extorted using DDoS Attacks, Ransomware, or physical threat.


The fingerprint of data is its unique identifier, commonly derived through a Hash Function. Fingerprints are used to authenticate encrypted channels or to verify the integrity of data.


A system that monitors inbound and outbound packets between networks and devices. Firewalls come as both software or hardware and are commonly used to protect infrastructure, but can also be used to restrict access and censor content. See also Great Firewall.


Firmware is used to control devices, similar to an operating system in computers. If the firmware of your Router supports firmware (e.g. DD-WRT), you can run a VPN on your router.

Five Eyes

An intelligence ring that traces back to World War II. The United States, the United Kingdom, Australia, New Zealand, and Canada are members. Documents released by Edward Snowden shows that Five Eyes intelligence agencies have been systematically spying on each other’s citizens. The information is then shared amongst the group, which circumvents restrictions that disallow a state from surveilling its citizens.

Gag order

Given by a court to an individual or organization to forbid them from talking about something, e.g. an ongoing investigation or trial. Gag orders are commonly used to conceal companies that are ordered to spy on their customers in Five Eyes countries. A possible defense is a warrant canary.


Self-imposed mechanisms by companies that restrict access to their service in certain locations, often through IP addresses or GPS coordinates.


Any attempt by a user to hide or fake their location, perhaps through the use of anonymity networks like Tor, VPNs, or software that relays incorrect GPS coordinates.


See also Great Firewall.

Golden Shield

Golden Shield (Chinese: 金盾工程) is the name of the systems used to monitor and control the internet in China. Golden Shield has also been used to attack foreign platforms to impose China’s censorship practices. The Great Firewall is a part of the Golden Shield.

Great Firewall

The Great Firewall of China often abbreviated GFW (Chinese: 防火长城). A sophisticated system used by the government of China to restrict access to foreign media and protect its intranet from attacks. The GFW is part of the Golden Shield.


The establishment of any communication channel. In VPN protocols, this not only includes establishing a connection but also verifying its integrity. See also Key exchange.

Hash function

A function that condenses a file or text into some a fixed length. While the information in the document is lost, the number serves as a unique identifier of the file. They are used to identify encryption keys and software. Because they cannot be reversed (decrypted), they are also called one-way encryption.

Hidden service

A server hidden in the Tor or I2P networks. The URLs will end in .onion or .i2p.


See Domain Name.

HTTP proxy

A service similar to a VPN Service. But HTTP proxies will reroute only your browsing traffic.


Technology that secures your connection to a website with end-to-end encryption. HTTPS needs to be enabled by the website administrator and is quickly becoming a minimum standard for security on the web. Check for an HTTPS connection by looking for a lock symbol in your address bar.


Invisible Internet Project. An anonymity network similar to Tor. Hidden services on the I2P network end with .i2p.


The intranet is a private network that interacts little with the open internet. Intranets were popular among big corporates to manage proprietary data, but recently intranets have increasingly been replaced with Cloud infrastructure.

IP address

The unique identifier of a device in a network. A device might be identified within its LAN to the router, and the router identified to the internet. In this case, the router has two IP Addresses, one facing the internet, another facing the LAN. The router performs NAT between the two networks.

IP leak

When anonymity software fails to route traffic properly, some data might go around the tunnel and reach a service directly, thus revealing the true IP.


Internet Protocol Security works directly on the IP Layer, meaning it encrypts each Packet individually. IPSec is commonly used as a VPN Protocol.


Core protocol of the internet. IPv4 defines IP Addresses and how data is routed between them. Slowly, IPv4 is being succeeded by IPv6.


Upgrade of IPv4, due to space constraints. IPv6 potentially allows for each device to have its own unique IP Address, rather than rely on NAT.


Internet Service Provider. The company that connects a home, office, or datacenter to the internet. This service is usually heavily licensed, and ISPs are subject to laws that require them to monitor and censor their users.

Key exchange

Before encrypted channels can be established, there must be an exchanging of keys. Asymmetric encryption systems exchange and verify public keys. Symmetric encryption systems use processes like the Diffie–Hellman key exchange.

Kill switch

A feature of popular VPN Software that ensures no data can leave the device after a VPN Connection has been interrupted or terminated.

Kilobit / Megabit / Gigabit

Common unit to measure internet speeds, e.g. Gigabit per second, or Gb/s or gbs. 8 Gigabit/s is equal to 1 Gigabyte/s.

Kilobyte / Megabyte / Gigabyte

Common unit to measure file sizes, e.g. 1 Megabyte. On a connection with a speed of 1mb/s (1 Megabit per second), it will take 8 seconds to download one Megabyte.


Local Area Network. A network of devices that can communicate with each other via an Ethernet cable. A LAN can be connected to the internet with a router.


A file maintained by a server that records activity. While no server can function without logs, it is considered problematic to maintain logs of user activity, such as web browsing. Other logs providers keep may concern how much data a client consumers or which platform they use.

Man-in-the-middle attacks

MitM. An attack in which messages are intercepted by interfering with the key exchange. To defend against MitM Attacks, CAs are used, or encryption keys are verified manually with their fingerprints.


Data about data. In the context of a letter, metadata would describe any characteristic visible without opening the envelope, such as recipient, sender, weight, date, and size. All data, even encrypted data, reveals something about itself by its metadata.


Network Address Translation. A device is needed to translate between private and public networks, such as an intranet and the internet and their IP addresses. A router commonly performs Network Address Translation, as well as a VPN Service.


An alternative name of the Tor network, named after its layered privacy. .onion (dot onion) is also the ending of Tor URLs, which are not registered, but generated like an encryption key.


Open Secure Shell. A set of tools used to secure communications between devices. Frequently used as a VPN Protocol.


The most commonly trusted VPN protocol among commercial VPN providers. OpenVPN uses technology similar to HTTPS connections, making it the most potent method to circumvent censorship as its traffic looks similar to regular web traffic.

P2P Software

Peer-to-peer software is any software in which users directly communicate with each other, rather than through commercial servers. Bittorrent and Bitcoin are the most popular P2P software tools, while Tor can also be regarded as P2P software. Many networks do not allow P2P traffic due to concerns about illegal file sharing.


While systems like radio simply stream data, computers on the internet, through the IPv4 and IPv6 protocols, disseminate data into packets which are re-assembled by the other side of the communication.

Perfect forward secrecy

Any encryption system in which previous communication channels do not become compromised if a key is leaked. With OpenVPN and HTTPS, for example, each session has its encryption key, gained from a Diffie-Hellman key exchange.

Ping time

The time, usually measured in milliseconds, that it takes for a server to respond. Low ping times usually correspond to higher speeds, but not necessarily.




Point-to-point Tunneling Protocol. An older protocol that doesn’t offer security or privacy features such as encryption. Still in use today by users who require high connection speeds and low ping time.


Any computer that reroutes traffic, either as infrastructure or to implement or circumvent monitoring or censorship. Technically routers, VPN Services, the Great Firewall, and darknets are all proxy services, though the term is primarily used for HTTP proxies.


Pseudonymity means you are only identifiable through a pseudonym or alter-ego. Certain actions can be uniquely attributed to this pseudonym, but your “real” identity cannot be tracked back to it.


Malware that encrypts your files and demands a payment, typically in cryptocurrency, to release the encryption key.

Rijndael Cipher



A router is a device that forwards data between computer networks. Most commonly used to connect a LAN or WLAN to the open internet. If the firmware of a router supports VPN protocols, such as DD-WRT, a router can be configured to connect a LAN to a VPN service.


Named after its designers Ron Rivest, Adi Shamir, and Leonard Adleman, RSA is an asymmetrical encryption standard, developed in 1977 and still in common use today.

Safe harbor

A legal principle that limits the liability that another law creates. While copyright infringement is a civil or criminal offense, safe harbor statutes limit the liability of Internet Service Providers, Data Center Operators, or VPN Services.


Secure Hashing Algorithm. SHA-1 is a hashing function increasingly used less due inherent insecurities. SHA-2 (which includes SHA-256 and SHA-512) is commonly used to identify files and cryptographic keys.

Simultaneous connections

Terminology used by VPN Services to define how many devices are permitted to connect to the service at the same time by a single user.


A service similar to a DNS service in which a provider will route traffic based on the user’s location and intent, for example, to circumvent geoblocking.

Snoopers’ Charter

Successor of DRIPA. Officially called the Investigatory Powers Act, it went into effect on December 31, 2016, and forces ISPs in the United Kingdom to collect and hand over customer user data to law enforcement.


Secure Sockets Layer. Previously the common standard for HTTPS. Succeeded by TLS.


Secure Socket Tunneling Protocol. An attempt to make PPTP connections secure by layering them inside a HTTPS channel. Commonly used in Microsoft Products.


A network switch is a device that forwards packets between network participants.

Symmetric encryption

Any encryption protocol in which participants negotiate or create a single key to encrypt and decrypt information.


Top Level Domain. Often the identifier of a country, but increasingly arbitrary. Examples: .com, .uk (United Kingdom), .jp (Japan), .name.


Transport Layer Security. Currently the dominant standard for HTTPS connections. Successor of SSL.


The Onion Router is the most popular distributed anonymity network. Traffic is routed and encrypted through multiple HTTP proxies run by volunteers to hide the origin and destination of the traffic.


A secure and encrypted connection between your computer and a privacy network, such as a VPN or darknet.


Uniform Resource Locator. Consists of the protocol (e.g. HTTP), the domain name (e.g. www.example.com) and the file name (e.g. index.html). http://www.example.com.


Voice over IP. A protocol that allows users to send real-time phone conversations over the internet. It has become very common even for traditional telecoms to route phone calls over VoIP.


see VPN Client

VPN client

The VPN client connects to the VPN Server to establish a secure connection with the internet. VPN clients are controlled by the user and usually installed on a phone, tablet, computer, router, or server.

VPN company

A company providing a VPN Service. Can also refer to a company building VPN Clients, or VPN Protocols.

VPN protocol

The predefined methodology of how to establish and maintain a VPN Connection. Common protocols include SSTP, PPTP, IPsec, OpenVPN, and OpenSSH.

VPN server

The traffic is routed from the VPN Client to the VPN Server through an encrypted connection. Many users will use the same server at the same time and share an IP address.

VPN service

A VPN service offers one or more VPN servers for their customers to connect to. Usually, the service is provided for a fee or bundled together with another product. Some companies also provide their VPN service to employees


Virtual Private Server. Unlike a dedicated server, many VPS can simultaneously exist within a single computer, each controlled remotely by a different client. Common product for cloud services.

Warrant canary

Since a gag order can force someone to be silent but not force them to lie. Some companies employ warrant canaries to subtly let their customers know about a gag order. The warrant canary might read “we do not spy on our customers” and will regularly be renewed. Once the message does not get renewed, the company is likely under a gag order.


Web Real-Time Communication. A variety of tools that allow for P2P connections between browsers, e.g. to facilitate VoIP phone calls or video chats.


Wired Equivalent Privacy. Deprecated standard to secure Wi-Fi networks. Trivial to hack.


Wi-Fi connects devices via radio signals to a network, typically through a router. These radio signals can easily be intercepted by anyone, which is why it’s important to use Wi-Fi Encryption or a VPN.

Wi-Fi encryption

Encryption standards to secure Wi-Fi signals from unauthorized interception. The currently recommended standard is WPA2, while WEP is also still widely in use.


Wireless Local Area Network. See Wi-Fi.


Wi-Fi Protected Access 2. Successor of Wi-Fi Protected Access, it’s the current recommended standard to encrypt radio signals of Wi-Fi networks from surveillance. WPA2 is also used to limit access to a Wi-Fi network through the use of a password.