VPN glossary
Every technical term used in our reviews and comparisons, explained clearly and jargon-free. 41 definitions sorted A to Z.
A
- AES-256
- Symmetric encryption standard with a 256-bit key, used by every serious VPN. Considered unbreakable by brute force with current technology (and even quantum-proof for the next few decades). The same standard used by US government agencies for top-secret material.
- No-logs audit
- Independent verification by a third-party firm (Deloitte, PwC, KPMG, Cure53…) that the VPN actually keeps no user data. Distinguishes the VPNs that claim it from those that prove it. See NordVPN (Deloitte 2023), Mullvad (Cure53 x4), PIA (Deloitte x3).
B
- Bandwidth
- The data-transfer capacity of a connection, expressed in Mbps or Gbps. A VPN always slightly reduces effective bandwidth due to encryption and routing through the intermediate server (typically 5-30% loss depending on the service).
- BVI (British Virgin Islands)
- Jurisdiction favoured by several VPNs (ExpressVPN, PureVPN) because it has no laws requiring user data retention and belongs to no intelligence-sharing alliance (5/9/14 Eyes).
C
- Cure53
- German cybersecurity audit firm based in Berlin, well respected in the open-source ecosystem. Regularly audits Mullvad (4 times between 2018 and 2024) and Proton VPN.
D
- DAITA (Defense Against AI-guided Traffic Analysis)
- Feature unique to Mullvad that adds random noise to VPN packets to defeat traffic-analysis attacks based on packet size and timing. Useful against sophisticated adversaries.
- DNS (Domain Name System)
- System that translates domain names (e.g. netflix.com) into IP addresses usable by machines. Critical component of the internet.
- DNS leak
- When your DNS queries bypass the VPN tunnel and go to your ISP — which can then see every site you visit. Test your VPN here.
- DoH (DNS-over-HTTPS)
- Protocol that encrypts DNS queries by sending them over HTTPS. Prevents observation of queries by your ISP or any network intermediary.
E
- Encryption
- Mathematical transformation of data to make it unreadable without a decryption key. All serious VPNs use AES-256 by default.
F
- Five Eyes / 14 Eyes
- 5 Eyes: intelligence alliance between the US, UK, Canada, Australia and New Zealand, whose members automatically share data. 9 Eyes: adds the Netherlands, France, Denmark, Norway. 14 Eyes: adds Germany, Belgium, Italy, Sweden, Spain. A VPN based outside these alliances offers stronger legal protection.
G
- Geo-blocking
- Service access restriction based on the user's geographic location (Netflix US is only available to US IPs, for example). A VPN lets you bypass these restrictions.
I
- IKEv2 / IPSec
- Battle-tested VPN protocol, particularly suited to mobile thanks to its ability to resume a connection after a network change (Wi-Fi to 4G).
- IP address
- Unique numerical identifier assigned to every device connected to the internet. Allows rough geolocation and identification of your ISP. See your current IP.
- IPv6
- New version of the IP protocol (vs IPv4). If your VPN only handles IPv4 but your connection also uses IPv6, your real IPv6 leaks. Test here.
- ISP (Internet Service Provider)
- Company that provides your internet connection (Comcast, BT, Free, Orange…). Can see all unencrypted traffic and keep connection logs depending on legal obligations.
J
- Jurisdiction
- Country where the VPN company is legally registered. Determines which laws apply and which authorities can compel data sharing. The best VPN jurisdictions: Panama, Switzerland, British Virgin Islands, Romania.
K
- Kill switch
- Essential feature that instantly cuts your internet if the VPN tunnel drops — preventing any IP leak. Must be enabled on every serious VPN.
L
- Lightway
- In-house protocol from ExpressVPN, designed to be faster and lighter than OpenVPN while remaining just as secure. Open source since 2021, audited by Cure53.
- Logs
- Records of user activity. A no-logs VPN keeps none. Distinguish payment logs (which usually need to remain) from connection logs (which must be absent).
M
- MACE
- Built-in ad and tracker blocker in PIA, working at the DNS level. Blocks ads and malware across all apps, not just the browser.
- Monero (XMR)
- Privacy-by-design cryptocurrency whose transactions are untraceable. Accepted by Mullvad and PIA for strictly anonymous VPN payments.
- Multihop (double VPN)
- Routing of traffic through two consecutive VPN servers (e.g. Switzerland → Netherlands) instead of just one. Extra security: an attacker has to compromise both servers to identify you.
N
- NordLynx
- In-house protocol from NordVPN, based on WireGuard with a proprietary IP-assignment system. The fastest consumer VPN protocol in 2026.
O
- OpenVPN
- Battle-tested open-source VPN protocol, around since 2002. Slower than WireGuard but more universally compatible and more mature. Mullvad removed it in 2025.
- Open source
- Source code published publicly, generally on GitHub, auditable by anyone. Mullvad, Proton VPN and PIA are 100% open source.
P
- P2P (BitTorrent)
- Decentralised file-sharing protocol. A VPN with optimised P2P servers is necessary for safe torrent downloading. PIA and Mullvad are the best on this front.
- Perfect Forward Secrecy (PFS)
- Cryptographic mechanism that regularly regenerates session keys. Result: compromising one key does not allow decryption of past sessions. Standard on every decent VPN.
- Port forwarding
- Opening a specific port on your VPN IP. Useful for seedboxes, LAN games, self-hosting. Has become rare in 2026 — PIA and PureVPN are among the last to offer it.
- Protocol
- Set of technical rules defining how the encrypted tunnel is established between your device and the VPN server. The main ones: WireGuard (fastest), OpenVPN (most battle-tested), IKEv2 (mobile).
- Proxy
- Intermediate server that relays your traffic. Unlike a VPN, a proxy generally does not encrypt traffic and only applies to one app (often the browser).
R
- RAM-only servers
- VPN servers that store no data on disk — only in RAM. On any reboot, all data is wiped. Impossible to seize during a raid. Adopted by ExpressVPN (TrustedServer), NordVPN, Mullvad.
S
- Secure Core
- Flagship feature of Proton VPN that routes your traffic through a secure server in Switzerland, Iceland or Sweden before reaching the exit server. Variant of multihop with physically secured datacenters.
- SOCKS5 proxy
- Proxy type supported by PIA. Lets you configure a specific app (typically a BitTorrent client) with a different IP from the main VPN tunnel.
- Split tunneling
- Feature that lets you exclude certain apps from the VPN tunnel (useful for banking apps that detect VPNs, or to keep your local IP for Netflix FR while everything else goes through the US).
- STUN
- Protocol used by WebRTC to discover your real IP address. This mechanism can reveal your real IP despite an active VPN. Test here.
T
- TrustedServer
- Server architecture from ExpressVPN that runs all servers exclusively in RAM. Strong technical guarantee of no-logs: impossible to seize data.
- VPN tunnel
- Encrypted connection established between your device and the VPN server. All your traffic transits through this tunnel, unreadable for your ISP and any network intermediary.
V
- VPN (definition)
- Virtual Private Network. Service that encrypts your connection and routes your traffic through an intermediate server in the country of your choice. Our complete beginner's guide.
W
- WebRTC
- Protocol used by browsers for video calls and P2P. Can reveal your real IP even under VPN. Test the WebRTC leak.
- WireGuard
- Modern VPN protocol — faster, lighter, easier to audit than OpenVPN. The de facto standard in 2026. All recent evolutions (NordLynx, Lightway) are variants of it.