
VPN & Privacy Glossary: 30 Terms Explained Simply (2026)

The 30 essential VPN and digital privacy terms explained in 40-60 words each: protocols, encryption, leaks, jurisdiction. A featured-snippet magnet and LLM-citable reference.

By Eric Gerard · Publisher · AnonymFlow · 10 min read

When you start exploring VPNs and digital privacy, technical terms multiply fast: WireGuard, kill switch, no-log, Five Eyes jurisdiction, perfect forward secrecy... Every comparison uses them as if they're self-evident, without ever defining them. This glossary fixes that: 30 short, precise definitions, organized by topic, written to be understood in under 30 seconds.

It works as a quick reference to keep at hand and as a foundation for understanding the VPN audits and technical guides on this site. The most critical terms — those that actually define whether a VPN protects you or not — are called out explicitly.


VPN Protocols

VPN (Virtual Private Network)

A VPN is an encrypted tunnel between your device and a remote server managed by the provider. It masks your real IP address, encrypts all traffic, and makes sites believe you're browsing from the server's location. Your ISP sees only the encrypted tunnel — not which sites you visit.

WireGuard

WireGuard is the most modern VPN protocol (under 4,000 lines of source code, versus 400,000 for OpenVPN). It uses ChaCha20 for encryption and Curve25519 for key exchange. It is 2 to 5 times faster than OpenVPN in throughput benchmarks, with lower latency and a minimal attack surface. The recommended standard in 2026.

OpenVPN

OpenVPN has been the reference open-source VPN protocol since 2001. Heavily audited, highly flexible, available on all operating systems — but technically heavier than WireGuard. It uses AES-256-GCM and supports TCP (stable but slow) and UDP (fast). Still relevant for bypassing firewalls that block WireGuard. See our WireGuard vs OpenVPN comparison.

IKEv2/IPsec

IKEv2 (Internet Key Exchange v2) combined with IPsec is a performant protocol, native on iOS and macOS, particularly stable when switching networks (Wi-Fi → 4G). Slightly slower than WireGuard but more battle-tested on mobile. A solid alternative when WireGuard has network compatibility issues.

Split tunneling

Split tunneling lets you choose which applications or domains go through the VPN tunnel and which use the direct connection. Useful for accessing local resources (printer, NAS, banking app) while protecting everything else. Disable split tunneling during technical audits to avoid skewed measurements.


Encryption and Security

AES-256

AES-256 (Advanced Encryption Standard, 256-bit key) is the symmetric encryption standard used by virtually all modern VPNs. Direct brute-force is computationally impossible with current hardware — including quantum computers under the current threat model. The GCM variant (Galois/Counter Mode) adds integrated message authentication.

Perfect forward secrecy (PFS)

Perfect forward secrecy generates a unique session key for each connection, independent of the master key. If one session key is compromised, past and future sessions remain protected. Without PFS, a compromised long-term key decrypts the entire communication history. Modern WireGuard and OpenVPN implement PFS by default via ECDH.

End-to-end encryption (E2E)

End-to-end encryption ensures only the sender and recipient can read the message — not the service provider or any network intermediary. Signal, ProtonMail, and some messaging apps implement it. Key distinction: a VPN encrypts network transit but not application content; E2E encrypts the application payload itself.

Obfuscation

Obfuscation disguises VPN traffic to look like ordinary HTTPS traffic, making detection and blocking difficult. Used to bypass deep packet inspection (DPI) firewalls — notably in China (Great Firewall), Russia, and the UAE. ExpressVPN (obfuscated Lightway), NordVPN (obfuscated servers), and Mullvad offer this option.

Zero-knowledge

A zero-knowledge system stores or processes data without ever having access to the plaintext content. In the VPN context, this means the provider technically cannot access your browsing data even if compelled to. Different from simple no-log: no-log is a policy promise; zero-knowledge is an architectural guarantee.


Leaks and Vulnerabilities

DNS leak

A DNS leak occurs when domain name resolution requests (which server corresponds to "google.com"?) exit outside the VPN tunnel and go through the ISP's DNS servers. Result: your ISP sees every domain you visit, even if the content is encrypted. It's the most common and least visible leak. Full guide: testing DNS leaks.

WebRTC leak

WebRTC is a browser API for peer-to-peer communication. To function, it queries all network interfaces on your machine — including your real IP, before the VPN masks it. A malicious script running in a page can thus retrieve your real IP despite the active VPN. Fix: enable WebRTC protection in the VPN client or disable WebRTC in the browser.
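
To check for the WebRTC leak described above, a tester can inspect the ICE candidates the browser puts in its SDP offer and compare them with the VPN exit address. The following is an added example, not code from this site: the SDP lines are constructed, the addresses come from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a=candidate lines as they appear in a browser's SDP offer.
# Public addresses are from documentation ranges, not real hosts.
SAMPLE_SDP = """\
a=candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host
a=candidate:2 1 udp 2122194687 10.8.0.2 54322 typ host
a=candidate:3 1 udp 1686052607 198.51.100.77 54321 typ srflx raddr 192.168.1.23 rport 54321
a=candidate:4 1 udp 1686052351 203.0.113.10 54322 typ srflx raddr 10.8.0.2 rport 54322
a=candidate:5 1 udp 2122260223 3f1c9a2e-0b7d-4c55-9a1e-2d6f8b0c7e11.local 54323 typ host
"""

# Explicit list: ipaddress.is_private would also match documentation ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "169.254.0.0/16", "fc00::/7", "fe80::/10")]

def parse_candidates(sdp):
    """Yield (address, candidate_type) for every well-formed a=candidate line."""
    for line in sdp.splitlines():
        fields = line.strip().split()
        # foundation component transport priority address port "typ" type ...
        if (len(fields) >= 8 and fields[0].startswith("a=candidate:")
                and fields[6] == "typ"):
            yield fields[4], fields[7]

def audit_candidates(sdp, vpn_exit_ip):
    """Classify each candidate address against the expected VPN exit address."""
    exit_ip = ipaddress.ip_address(vpn_exit_ip)
    report = []
    for addr, ctype in parse_candidates(sdp):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            verdict = "masked"     # hostname (e.g. mDNS .local), no address shown
        else:
            if ip == exit_ip:
                verdict = "vpn-exit"
            elif any(ip.version == n.version and ip in n for n in LOCAL_NETS):
                verdict = "local"  # LAN or tunnel-internal address
            else:
                verdict = "leak"   # public address that is not the VPN exit
        report.append((addr, ctype, verdict))
    return report

def leaked_addresses(sdp, vpn_exit_ip):
    return [a for a, _, v in audit_candidates(sdp, vpn_exit_ip) if v == "leak"]

if __name__ == "__main__":
    for row in audit_candidates(SAMPLE_SDP, "203.0.113.10"):
        print(row)
```

A "local" verdict still reveals LAN addressing to the page, so a strict audit may want those candidates masked as well.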

IP leak

An IP leak exposes your real IP address to an external site despite the active VPN. Possible causes: misconfigured tunnel, client bug, unsupported protocol (IPv6 if the VPN only tunnels IPv4). Verifiable in 30 seconds with our leak test tool. Every serious VPN audit starts here.

IPv6 leak

If your ISP deploys IPv6 natively and your VPN only tunnels IPv4, your real IPv6 address remains visible externally. Platforms like Google or Facebook prefer IPv6 when available — so they see your real identity. Fix: disable IPv6 at the OS level or use a VPN that handles both protocols.
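
The IP leak and IPv6 leak entries above both come down to which interface the routing table picks for a destination. This added example (not code from this site) runs a longest-prefix match over two constructed routing tables and reports destinations that leave outside the tunnel; the interface names wg0 and eth0, the probe addresses and the function names are assumptions.

```python
import ipaddress

# Constructed routing tables as (prefix, interface) pairs. wg0 (tunnel) and
# eth0 (physical NIC) are assumed names; addresses are documentation ranges.
IPV4_ONLY_VPN = [
    ("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "eth0"),
    ("0.0.0.0/1", "wg0"), ("128.0.0.0/1", "wg0"),   # VPN overrides IPv4 default
    ("::/0", "eth0"),                                # IPv6 default left untouched
]
DUAL_STACK_VPN = IPV4_ONLY_VPN + [("::/1", "wg0"), ("8000::/1", "wg0")]

PROBES = ["198.51.100.7", "192.168.1.50", "2001:db8::7"]
DIRECT_OK = ["192.168.1.0/24"]   # LAN traffic deliberately kept off the tunnel

def egress_interface(dest, routes):
    """Longest-prefix match (metrics ignored); None if no route applies."""
    ip = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None

def find_leaks(routes, tunnel_if, probes=PROBES, direct_ok=DIRECT_OK):
    """Return (destination, interface) pairs that leave outside the tunnel."""
    allowed = [ipaddress.ip_network(n) for n in direct_ok]
    leaks = []
    for dest in probes:
        ip = ipaddress.ip_address(dest)
        if any(n.version == ip.version and ip in n for n in allowed):
            continue                      # intentional direct route
        iface = egress_interface(dest, routes)
        if iface is not None and iface != tunnel_if:
            leaks.append((dest, iface))
    return leaks

if __name__ == "__main__":
    print("IPv4-only VPN :", find_leaks(IPV4_ONLY_VPN, "wg0"))
    print("dual-stack VPN:", find_leaks(DUAL_STACK_VPN, "wg0"))
```

With the IPv4-only table the IPv6 probe exits through eth0; once the tunnel also covers IPv6, the list of leaks is empty.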

Fingerprinting (browser fingerprint)

Fingerprinting identifies a browser or device through the unique combination of its technical characteristics: screen resolution, installed fonts, timezone, Canvas/WebGL rendering, extension list. This fingerprint survives IP changes — a VPN does not mask it. Countermeasures: Firefox with privacy.resistFingerprinting, Brave Shields, or Tor Browser. See our complete VPN audit for the dedicated test.


Privacy and Jurisdiction

No-log (zero logs)

A no-log policy means the VPN provider records neither source IP, nor visited sites, nor connection timestamps, nor data volumes. An unverified claim is just a marketing argument. Only a recent independent audit (PwC, Deloitte, Cure53) published by the provider constitutes technical proof. NordVPN, ExpressVPN, Mullvad, and ProtonVPN all have published audits.

Five/Nine/Fourteen Eyes (5/9/14 Eyes)

The Five Eyes (US, UK, Canada, Australia, New Zealand) actively share intelligence data. The Nine Eyes add France, Denmark, Netherlands, Norway. The Fourteen Eyes extend further. A VPN headquartered in one of these countries can be legally compelled to cooperate. Jurisdictions outside the alliance: Panama (NordVPN), British Virgin Islands (ExpressVPN), Switzerland (ProtonVPN).

Jurisdiction

Jurisdiction is the country whose laws apply to the VPN provider. It determines which legal orders it can receive, what data retention obligations apply, and which intelligence services it may be compelled to cooperate with. Panama, Romania, Switzerland, and the Cayman Islands are the most privacy-friendly jurisdictions in 2026.

Warrant canary

A warrant canary is a public statement regularly updated by a VPN provider to signal it has received no secret government order. If the statement stops being updated or disappears, it's an indirect signal that the company received a legally sealed demand. Mullvad and ProtonVPN publish active canaries.

Threat model

A threat model defines who you're trying to protect yourself from and against what. A journalist protecting a source has a very different model than a user who just wants to avoid ISP advertising surveillance. Defining your threat model enables choosing appropriate tools: VPN alone, VPN + Tor, or full OPSEC. Without this step, protection tools are often over- or under-engineered.

Independent audit

An independent audit is a technical examination of a VPN provider's code, infrastructure, and practices performed by a recognized external firm (PwC, Deloitte, Cure53, Securitum). It verifies that the no-log policy is respected in the actual technical implementation, not just in the terms of service. The audit date matters as much as the auditor: a 2019 report is obsolete in 2026.


Key Features

Kill switch

A kill switch automatically cuts your internet connection if the VPN tunnel drops. Without it, your real IP is exposed during reconnection. Two levels exist: system-level kill switch (cuts all traffic) or per-app (cuts only listed apps). For serious privacy use, enable the system level. Detailed guide: VPN kill switch explained.

Double VPN (multi-hop)

Double VPN (or multi-hop) routes your traffic through two sequential VPN servers instead of one. The first server encrypts and forwards; the second decrypts and exits. Advantage: even if one server is compromised, the attacker sees neither the source IP nor the final destination. Drawback: doubled latency, reduced throughput. Recommended for high-risk journalists and activists.

RAM-only server

A RAM-only server runs entirely in volatile memory, with no disk writes. Every reboot permanently erases all data. If authorities physically seize the server, no user data can be recovered — which disk-based servers would allow. ExpressVPN (TrustedServer) and NordVPN have migrated their infrastructure to this model.

Port forwarding

Port forwarding allows incoming connections to traverse the VPN tunnel to reach your device. Useful for home servers, active P2P file sharing, and some online games. Not all VPNs offer this — Mullvad and ProtonVPN support it, NordVPN does not (since 2023). Can introduce security risks if misconfigured.

P2P (peer-to-peer)

P2P refers to decentralized file-sharing networks (torrents, eMule). Some VPNs block P2P or limit it to dedicated servers to avoid legal complications in certain jurisdictions. VPNs recommended for torrenting have specific P2P servers optimized for volume with a verified no-log policy.


Tor (The Onion Router)

Tor is an anonymization network that routes traffic through three successive relays managed by volunteers. Each relay only knows its direct neighbors — no one sees both the origin and the destination simultaneously. Tor offers stronger anonymity than a VPN but is 10 to 20 times slower. Core distinction: VPN = trust delegation, Tor = decentralized architecture with no central trust. See Tor vs VPN.

Tor over VPN

Tor over VPN means connecting to the VPN first, then launching Tor. Advantage: the Tor entry node sees the VPN server's IP, not your real IP. Drawback: severely degraded performance (cumulative latency), and your VPN provider knows you're using Tor. Use case: journalists under active surveillance, whistleblowers. Configuration guide: Tor over VPN 2026.

Proxy

A proxy is a network intermediary that redirects one application's requests through a third-party server. Unlike a VPN, it operates at the application layer only, without content encryption, and covers only one application at a time. Used to bypass simple geographic blocks or filter corporate traffic. Does not protect against traffic interception.

DoH (DNS over HTTPS)

DNS over HTTPS encrypts DNS queries inside standard HTTPS traffic, making them unreadable to network intermediaries (ISP, corporate Wi-Fi). Different from a VPN: DoH doesn't hide your IP or encrypt the rest of your traffic — it only protects DNS queries from surveillance. Can complement a VPN or be used standalone to improve DNS privacy.

Digital privacy

Digital privacy encompasses all the practices and tools that let you control what personal data is collected, stored, and shared online. It includes VPN, encryption, cookie management, fingerprinting protection, legal rights (GDPR in Europe, CCPA in California), and behavioral choices. A VPN is one tool among many — not a complete solution. See why digital privacy matters in 2026.


What this glossary doesn't replace

Knowing the terms is a starting point, not an end goal. Real protection comes from verifying your VPN actually does what it promises. For that: our 9-test VPN audit covers IP, DNS, WebRTC, and IPv6 leaks, the kill switch, streaming geolocation, logging policy, and browser fingerprinting — in about 30 minutes. And if you want to go deeper on protection against public Wi-Fi surveillance, the public Wi-Fi risks guide 2026 details real attack vectors and countermeasures.


Article published June 11, 2026. Definitions drawn from official technical specifications (WireGuard RFC, RFC 8826 WebRTC, NIST AES-256), VPN provider audits (PwC, Deloitte, Cure53), and recommendations from the Electronic Frontier Foundation (Surveillance Self-Defense) and PrivacyGuides. Updated continuously as protocols or regulations evolve significantly.
