VPN Glossary A–Z: From AES to ZTNA

Always-On VPN — OS-level setting that forces all traffic through the VPN automatically on boot or profile start. On mobile, it prevents “leaks” when apps wake in the background.
Full Tunnel — All traffic (internet + DNS) goes through the VPN. Opposite of split tunneling.
Split Tunneling — Route only selected apps/sites/subnets via VPN; the rest uses the regular connection. “Inverse split” sends everything via VPN except specified items.
Remote-Access VPN — End-user device ↔ company or provider network (typical consumer VPN).
Site-to-Site VPN — Network ↔ network tunnel between two sites (offices, data centers).
TUN vs TAP — TUN = layer-3 (IP routing, typical for most VPNs). TAP = layer-2 (Ethernet bridging), useful for legacy protocols or broadcast needs.
Transport vs Tunnel Mode (IPsec) — Transport encrypts payload only; tunnel encrypts entire IP packet (common for site-to-site).
VPN Concentrator — Device/server that terminates many VPN connections for an organization.
Zero-Trust Network Access (ZTNA) — App-level access via identity and device posture, replacing flat network VPNs.
SASE — “Secure Access Service Edge,” a cloud bundle (ZTNA, SWG, CASB, etc.) delivering access + security.

Protocols (what carries the tunnel)

OpenVPN — TLS-based VPN; runs over UDP/TCP, flexible ports, widely supported.
WireGuard — Modern, fast, UDP-only protocol using the Noise cryptographic framework; simple codebase, great performance; relies on static public keys per peer (providers implement privacy workarounds).
IKEv2/IPsec — Fast handshake, stable on mobile (MOBIKE), commonly UDP 500/4500.
L2TP/IPsec — Older; often blocked; slower; keep for compatibility.
SSTP — Microsoft protocol over TLS (TCP/443); hard to block on corporate networks.
SoftEther — Multi-protocol suite; can mimic HTTPS/Ethernet; useful where DPI is strict.
PPTP — Deprecated/insecure; don’t use.
TLS/SSL VPN — Generic term for VPNs that piggyback on TLS (e.g., OpenVPN TCP, SSTP).
GRE over IPsec — Encapsulates layer-3/layer-2 traffic across an IPsec tunnel.
SSH Tunneling — Not a VPN, but can forward ports or act as a SOCKS proxy for application traffic.
Shadowsocks / V2Ray (VMess/Reality) — Encrypted proxies used mainly for censorship evasion, not full VPNs.

Encryption & cryptography

AES-GCM / AES-CBC — Symmetric ciphers; GCM provides authenticated encryption and is preferred over CBC for modern VPNs.
ChaCha20-Poly1305 — Fast AEAD cipher suite (great on mobile/low-power CPUs).
X25519 / Curve25519 — Popular elliptic-curve key exchange used by WireGuard/TLS 1.3.
ECDHE — Ephemeral Diffie-Hellman over ECC; enables Perfect Forward Secrecy (PFS).
PFS (Perfect Forward Secrecy) — Compromising a long-term key does not decrypt past sessions.
HMAC — Message authentication to detect tampering.
RSA — Legacy public-key algorithm (key exchange/signing in older TLS/OpenVPN setups).
Noise Protocol Framework — Cryptographic patterns used by WireGuard.
Key Rotation — Regularly generating fresh session keys to reduce exposure window.
Certificates / PKI — CA-signed identities used by TLS/OpenVPN and many enterprise VPNs.

Obfuscation & censorship circumvention

Obfuscation / Stealth — Making VPN traffic look like normal HTTPS or random noise to defeat DPI/firewalls (e.g., XOR patches, stunnel/TLS wrapping, obfs4, uTLS, TLS-in-TLS).
Meek / Domain Fronting — Routing via large CDNs to hide the real destination (often restricted by providers/CDNs).
Packet Fragmentation Avoidance — Tweaking MTU/MSS so packets don’t fragment (helps bypass some middleboxes).
Camouflage Mode / Cloaking — Provider marketing terms for obfuscated transport.
Bridge / Pluggable Transport — Alternate entry nodes designed to be harder to block.

Privacy, logging & jurisdiction

No-Logs Policy — Provider claims not to store traffic, connection, or usage logs. Proof varies; independent audits improve trust.
Traffic Logs — Actual content/URLs; consumer VPNs should never keep these.
Connection/Metadata Logs — Timestamps, IPs, session duration, bandwidth. Some providers keep minimal metadata for abuse control.
RAM-Only (Diskless) Servers — Run from volatile memory; harder to seize persistent data.
Colocated vs Rented Servers — Colocated = provider owns hardware in racks; rented = third-party datacenter gear.
Warrant Canary — Statement updated periodically; if it is removed or stops being updated, that may imply a legal request (not guaranteed).
Jurisdiction — Country of incorporation/operation; affects data requests and gag orders.
5/9/14-Eyes — Intelligence-sharing alliances; not definitive, but part of a jurisdiction trust assessment.
MLAT — Mutual Legal Assistance Treaty; mechanism for cross-border data requests.
Shared IP — Many users share one egress IP; boosts anonymity but can cause captchas/blocks.
Dedicated IP / Static IP — IP just for you; reduces blocklists and captchas; less anonymous.
Residential IP — Routes through consumer ISP ranges to appear like home users; often pricier and ethically gray depending on sourcing.

Networking fundamentals

NAT / CGNAT — Address translation. Carrier-grade NAT is ISP-level NAT that can complicate inbound connections.
Port Forwarding (on VPN) — Provider opens an inbound port to your device through the tunnel (useful for P2P/self-hosting).
MTU / MSS Clamping — Maximum packet size; clamping avoids fragmentation when tunnels add overhead.
UDP vs TCP — UDP is faster/latency-friendly; TCP is more reliable but can double-encapsulate (TCP-over-TCP) and stall.
Keepalive / DPD — Heartbeats (e.g., Dead Peer Detection) to detect dead links and keep NAT bindings open.
DNS over VPN — DNS queries resolved by the provider’s resolvers inside the tunnel.
DNS Leak — DNS queries escaping to your ISP/third party; fix via VPN DNS, OS lock-down, or firewall rules.
IPv6 Leak — IPv6 traffic bypassing an IPv4-only VPN; disable IPv6 or ensure VPN supports v6.
WebRTC Leak — Browser STUN exposes local/public IPs; mitigate via browser settings/extensions/VPN firewall.
Split DNS — Different resolvers for different domains; common in enterprise.
Routing Table / AllowedIPs (WireGuard) — Determines which subnets go through the tunnel.

Features you’ll see in apps

Kill Switch — Blocks traffic if the VPN drops. App-level is reactive; firewall-based (system-level) is stronger (“hard kill”).
LAN Access Toggle — Allow devices on your local network (printers/NAS) while VPN is active.
Auto-Connect on Untrusted Wi-Fi — Starts the VPN when you join open networks.
Server Hopping / MultiHop / Double VPN — Chain through two or more VPN servers for layered egress.
Onion over VPN — VPN first, then Tor network; hides Tor usage from your ISP but Tor exit nodes still see traffic to destinations.
Smart Rules / Automation — Connect/disconnect based on app launch, network SSID, or time.
Streaming-Optimized Servers — Egress IPs and routes tuned to bypass streaming geoblocks.
P2P-Optimized Servers — Nodes and rules that allow torrenting + optional port forwarding.
Static Routes / Exclusions — App UI for split tunneling.
Protocol Auto-Select — Client chooses the best protocol (e.g., WireGuard → OpenVPN TCP if blocked).

Enterprise terms

EAP-TLS / PEAP / EAP-TTLS / MSCHAPv2 — Authentication methods for enterprise VPNs; EAP-TLS with certificates is the gold standard; MSCHAPv2 is weak.
RADIUS — AAA backend for VPN auth/accounting.
MFA — Multi-factor auth (TOTP, push, hardware keys) layered onto VPN login.
Device Posture — Checks (OS version, AV, disk encryption) before granting VPN/ZTNA access.
Policy-Based vs Route-Based IPsec — Match traffic by policy or create a virtual tunnel interface and route into it.
BGP over IPsec — Dynamic routing between sites across the tunnel.
Split-Tunnel Enterprise — Send SaaS/internet direct, corp subnets via VPN (reduces backhaul).

Performance & reliability

Latency / Jitter — Delay and variation; lower is better for calls/gaming.
Throughput / Bandwidth — How much data per second you can push.
Packet Loss — Dropped packets hurt streaming/VoIP; may indicate congestion or blocking.
Server Load — % utilization; higher load can reduce speed.
Exit Location — Physical/declared server region that determines your apparent country/geo-rights.
Fair Use Policy (FUP) — Provider caps or throttles heavy usage to maintain service quality.
Handshakes / Re-keys — Periodic renegotiation to keep sessions secure and stable.

Threats & testing

DPI (Deep Packet Inspection) — Network inspection that can detect/block VPNs; obfuscation resists DPI.
MITM (Man-in-the-Middle) — Attacker intercepts traffic; strong TLS/VPN ciphers + certificate validation mitigate.
Evil Twin AP — Fake Wi-Fi hotspot used for credential capture.
Traffic Correlation — Matching timing/volume at entry and exit to deanonymize; multihop/Tor can reduce risk but not eliminate it.
Leak Test — Check IP/DNS/WebRTC/IPv6 on testing sites; verify no real IP or DNS escapes.
Fingerprinting — Identifying VPN/proxy via TLS/SNI/packet patterns; ECH/obfuscation helps.

DNS & TLS extras (commonly discussed with VPNs)

DoH (DNS over HTTPS) / DoT (DNS over TLS) — Encrypt DNS queries to resolvers; can be used inside or outside VPN.
ECH (Encrypted Client Hello) — Hides the SNI (site name) in TLS 1.3; reduces censorship/fingerprinting where supported.
OCSP Stapling / Certificate Pinning — TLS features that improve trust and reduce MITM risk.

Platform & OS specifics

Android Always-On / Block Connections Without VPN — System setting enforcing a hard kill switch.
iOS Per-App VPN — MDM feature to tunnel specific apps only.
Windows Filtering Platform (WFP) — Underpins firewall-level kill switches on Windows.
pf / iptables / nftables — System firewalls used to implement hard kill switches on macOS/Linux.
wg-quick — Helper for WireGuard interface setup.
Network Extension (macOS/iOS) — Framework VPN apps use for tunnels and packet filtering.

P2P & content access

Geoblocking — Services deny access based on region; VPN changes apparent region.
IP Reputation / Blacklists — Some IP ranges are flagged by services; shared VPN IPs often hit CAPTCHAs.
Seedbox — Remote server that handles torrenting; you pull files via HTTPS/SFTP, often safer than local P2P.
Rotating IP — Provider rotates your egress IP periodically for anti-tracking.

Operations, billing & lifecycle

Device/Connection Limit — Max simultaneous devices per subscription.
Session — A single connected duration; sometimes capped.
Bandwidth Cap — Monthly data limit (many consumer VPNs are “unlimited”).
Audit (Third-Party) — Independent verification of security/no-logs claims.
Bug Bounty — Cash/credit for responsibly disclosed vulnerabilities.

Common comparisons & “sayings”

“Military-Grade Encryption” / “Bank-Grade Security” — Marketing speak; look for specific ciphers/protocols instead (e.g., AES-256-GCM, ChaCha20-Poly1305, WireGuard).
VPN vs Proxy — A VPN encrypts system-wide (or per route); a proxy forwards app-specific traffic and usually doesn’t encrypt by default.
VPN vs Tor — Tor is multi-hop anonymity with volunteer relays; slower, but stronger anonymity properties. VPN is single-provider, faster, and simpler.
Double VPN / Multihop vs Onion over VPN — Both chain traffic; Onion over VPN then exits via Tor; double VPN exits via another VPN server.
Stealth VPN — Any technique to look like non-VPN traffic (see obfuscation).
RAM-Only Infrastructure — Marketing label for volatile-memory servers (good for reducing stored state).
“No Activity Logs” vs “No Connection Logs” — Activity = content/URLs (should be none). Connection metadata (duration, timestamp) is sometimes retained; read the policy.
“Bypass Throttling” — ISPs can’t easily shape specific apps if the tunnel hides them; overall bandwidth limits still apply.

Security hygiene with VPNs

Captive Portal — Hotel/airport Wi-Fi login page that can block VPN until you authenticate.
DNS Hijacking — Network forces its own DNS resolvers; a good VPN prevents this.
TLS Inspection — Corporate proxies that break/re-sign TLS; carrying TLS inside a VPN tunnel bypasses this, if the network permits the VPN at all.
Posture Checks — Enterprise gatekeeping (disk encryption, AV, OS patch level) before allowing a tunnel.

WireGuard-specific terms

Peer — Another WireGuard endpoint defined by a key pair.
Public/Private Keys — Long-term identity; some providers rotate/abstract these for privacy.
AllowedIPs — Acts as both routing table and access control list in WireGuard.
PersistentKeepalive — Periodic pings to keep NAT bindings alive (useful behind NAT/CGNAT).
Handshake (NoiseIK) — The initial cryptographic exchange starting the session.

OpenVPN-specific terms

Control Channel / Data Channel — Control (TLS) negotiates; data channel carries traffic (often AES-GCM).
tls-auth / tls-crypt — tls-auth adds an HMAC to control-channel packets; tls-crypt additionally encrypts them; both resist scans/DPI.
Management Interface — Local control socket used by GUIs and scripts.

Legal & compliance extras

GDPR / CCPA — Data protection rules that affect how providers handle your info.
Retention Law — Country rules requiring some log retention (varies widely).
Export Controls — Crypto/software restrictions in certain regions.