From AES-256 to zero-knowledge architecture: every technical term you will meet in VPN documentation, explained clearly, accurately and without jargon.
The symmetric block cipher used by virtually all reputable VPNs to encrypt user data ("military-grade" in marketing copy means nothing more than this). AES-256 uses a 256-bit key, one of 2²⁵⁶ possible values, so exhaustive search is computationally infeasible with any foreseeable technology; even a large quantum computer running Grover's algorithm would only halve the effective key length to 128 bits. It is approved by the US NSA for protecting TOP SECRET information and works by applying 14 rounds of substitution-permutation operations to each 128-bit block. The "256" refers to the key length; AES-128 (128-bit keys, 10 rounds) is also secure, but AES-256 has a larger security margin. In practice the mode of operation matters as much as the key size: a VPN should use an authenticated mode such as AES-256-GCM, which detects tampered packets, rather than an unauthenticated mode such as plain CBC with no separate MAC.
An authenticated encryption (AEAD) construction used by WireGuard and, optionally, by OpenVPN and IKEv2/IPsec. ChaCha20 is the stream cipher: it expands a 256-bit key and a per-packet nonce into a keystream that is XORed with the plaintext. Poly1305 is the one-time message authenticator that computes a 16-byte tag over the ciphertext and any associated header data, so the receiver rejects a packet that was modified, truncated or forged in transit before decrypting it. ChaCha20 is particularly efficient on devices without hardware AES acceleration (older phones, low-end routers, embedded systems): it offers a security level comparable to AES-256 while running faster in pure software, whereas on CPUs with AES-NI, AES-GCM is usually the faster option. WireGuard uses ChaCha20-Poly1305 exclusively, which contributes to its low CPU use and good battery life on mobile devices. The one hard rule is that a (key, nonce) pair must never be reused; VPN protocols guarantee this with a per-packet counter and by rekeying before the counter can wrap.
The internet's "phone book": a distributed system that translates human-readable domain names (google.com) into the IP addresses (142.250.x.x) that computers use to route traffic. When you type a URL, your device sends a DNS query to resolve the name before the actual connection is made. Without a VPN, those queries usually go to your ISP's resolvers, revealing every domain you visit even when the content itself is protected by HTTPS (the TLS handshake's Server Name Indication exposes the hostname to the ISP as well). A VPN sends DNS queries through the tunnel to the provider's own resolvers and carries the TLS handshake inside the tunnel, so the ISP sees only encrypted traffic to the VPN server. Encrypted DNS (DNS over HTTPS or DNS over TLS) hides queries from the ISP without a VPN, but the resolver operator still sees them.
A vulnerability in which DNS queries bypass the VPN tunnel and reach your ISP's resolvers instead of the VPN provider's DNS infrastructure. A DNS leak means your ISP can still see every domain you visit while the VPN is connected, which undermines much of the privacy benefit. Typical causes: the operating system keeps the resolvers learned from the ISP's DHCP lease alongside the tunnel resolver; Windows' smart multi-homed name resolution sends each query out of every interface in parallel; or IPv6 is not routed through the tunnel, so AAAA lookups and IPv6 traffic leave over the physical interface. (WebRTC leaks, covered separately, expose your IP address rather than your DNS queries.) Test with the extended test at dnsleaktest.com: every resolver listed should belong to your VPN provider, not your ISP. On Linux, `resolvectl status` or /etc/resolv.conf shows which resolvers each interface actually uses.
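A resolver-configuration check in that spirit, as an added example that is not part of the original page: it parses a constructed resolv.conf and flags any nameserver that is not inside the tunnel-side DNS ranges the provider documents. The sample file, the 10.64.0.0/10 and fd00::/8 ranges and the 203.0.113.53 / 2001:db8:1::53 resolvers are all made up for illustration.

```python
import ipaddress

# Constructed sample resolv.conf from a Linux laptop whose VPN app pushed its tunnel-side
# resolver but left the resolvers learned from the ISP's DHCP lease in place.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 10.64.0.1
nameserver 203.0.113.53
nameserver 2001:db8:1::53
options edns0 trust-ad
"""

# Address ranges the VPN provider documents for its in-tunnel resolvers (hypothetical values).
VPN_DNS_NETWORKS = [ipaddress.ip_network("10.64.0.0/10"), ipaddress.ip_network("fd00::/8")]


def parse_nameservers(text):
    """Return the nameserver addresses in a resolv.conf, in the order the resolver tries them."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            servers.append(ipaddress.ip_address(parts[1].split("%", 1)[0]))  # drop IPv6 scope id
        except ValueError:
            continue  # malformed entry; glibc ignores it as well
    return servers


def classify_resolvers(text, vpn_networks):
    """Split resolvers into those inside the tunnel's DNS ranges and those outside them."""
    inside, outside = [], []
    for ip in parse_nameservers(text):
        (inside if any(ip in net for net in vpn_networks) else outside).append(str(ip))
    return inside, outside


def dns_leak_report(text, vpn_networks):
    """A leak exists if any configured resolver lies outside the tunnel, or if none lies inside it.
    Even one outside entry matters: glibc falls back to the next server on timeout, and
    systemd-resolved or Windows may query several interfaces' resolvers in parallel."""
    inside, outside = classify_resolvers(text, vpn_networks)
    return {"inside_tunnel": inside, "outside_tunnel": outside, "leak": bool(outside) or not inside}
```

Run it against /etc/resolv.conf (or the per-link output of `resolvectl`) after connecting; the same idea applies on Windows to the output of `Get-DnsClientServerAddress`. The check only covers what the OS is configured to use: it cannot see queries a browser sends over its own DNS over HTTPS, so test those separately.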
A feature that routes your traffic through two VPN servers in sequence instead of one. Your client encrypts the traffic in two nested layers: server A removes the outer layer and forwards the still-encrypted inner layer to server B, which removes it and forwards your traffic to its destination. Server A knows your real IP but not your destination; server B knows the destination but not your real IP. Double VPN cuts throughput substantially (typically 40–60% slower) and adds the latency of the extra hop. Since both servers are run by the same provider, it defends against a single compromised server or a single network observer, not against the provider itself. It is useful for journalists and activists with high-risk threat models and unnecessary for general privacy use.
An intelligence-sharing alliance between the US, UK, Canada, Australia and New Zealand, established under the UKUSA Agreement. Member agencies share signals intelligence and have been reported to collect information on each other's citizens on the alliance's behalf, circumventing domestic surveillance restrictions. VPN providers headquartered in Five Eyes countries are subject to those countries' laws, including secret data demands (such as US National Security Letters) that arrive with gag orders. The arrangement extends to Nine Eyes (adding France, the Netherlands, Denmark and Norway) and Fourteen Eyes (adding Germany, Belgium, Italy, Sweden and Spain). Jurisdiction is one input to a threat model, not a substitute for a verified no-logs policy: a provider that keeps no data has nothing to hand over wherever it is based.
A VPN protocol standardised by the IETF (RFC 7296), with Microsoft and Cisco among its main authors, and natively supported on Windows, macOS, iOS and recent Android versions. IKEv2 handles authentication and key exchange; the tunnelled data itself is carried by IPsec ESP, typically with AES-256-GCM. Its standout feature is MOBIKE (IKEv2 Mobility and Multihoming, RFC 4555), which lets a connection persist across network changes (Wi-Fi to 4G/5G) by updating the tunnel's endpoint addresses without redoing the full handshake. This makes IKEv2 well suited to mobile users who switch networks frequently. It uses UDP ports 500 and 4500 (plus ESP when not NAT-traversed), which some restrictive networks block outright; throughput typically falls between WireGuard (faster) and OpenVPN (slower).
A unique numerical label assigned to each device connected to a network, used to identify and route communications. IPv4 addresses are 32-bit numbers written as four octets (e.g., 192.168.1.1); IPv6 addresses are 128-bit numbers written in hexadecimal (e.g., 2001:db8::1). Your public IP address — assigned by your ISP — identifies your approximate geographic location and, combined with ISP subscriber records, can identify you personally. A VPN replaces your public IP with the VPN server's IP address, hiding your identity and location from websites and services you access.
The process by which a VPN hides your real IP address by routing all your internet traffic through a VPN server, causing websites and services to see the VPN server's IP address instead of your own. IP masking provides basic pseudonymity by disconnecting your geographic location from your online activity — it prevents websites from knowing you're in Hong Kong, prevents advertisers from tracking you by IP across sites, and prevents government surveillance systems from building a browsing history linked to your household IP. IP masking alone doesn't provide full anonymity — see browser fingerprinting and cookie tracking.
A safety mechanism that immediately blocks all internet traffic when the VPN connection drops, so no unencrypted data leaves over your real IP address during the dropout and reconnection. System-level kill switches implemented as OS firewall rules (Windows Filtering Platform, nftables or iptables on Linux, pf on macOS) are more reliable than app-level implementations because the rules stay in force even if the VPN app crashes or is killed. The rule set is small: default-deny outbound traffic, allow loopback, allow the VPN handshake to the provider's endpoint on the physical interface, and allow everything on the tunnel interface. A kill switch is essential for torrenting, sensitive research and any use case where even momentary IP exposure would be a serious privacy violation; enable it in your VPN app settings before any privacy-critical activity, then verify it by disconnecting the VPN and confirming that nothing else can reach the internet.
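A model of that rule set, as an added example, not code from the original page or from any VPN client: the output chain is expressed as ordered (match, verdict) pairs with a drop policy, mirroring how nftables evaluates the OUTPUT hook, and a second chain shows the common DNS exception that reopens a leak. The interface names, the 198.51.100.7:51820 endpoint and the 203.0.113.53 resolver are constructed for illustration.

```python
from dataclasses import dataclass

VPN_IFACE, PHYS_IFACE = "tun0", "eth0"
VPN_ENDPOINT = ("198.51.100.7", 51820, "udp")   # constructed provider endpoint


@dataclass(frozen=True)
class Packet:
    oif: str      # interface the kernel's routing decision selected
    dst: str
    dport: int
    proto: str


def strict_chain(vpn_iface=VPN_IFACE, phys_iface=PHYS_IFACE, endpoint=VPN_ENDPOINT):
    """Output chain of a system-level kill switch as ordered (match, verdict) pairs. Evaluation
    is top-down, first match wins, and anything unmatched hits the chain policy (drop), exactly
    like an nftables or iptables OUTPUT chain. Only loopback, the VPN handshake itself and
    traffic already inside the tunnel interface are allowed out."""
    ip, port, proto = endpoint
    return [
        (lambda p: p.oif == "lo", "accept"),
        (lambda p: p.oif == phys_iface and p.dst == ip and p.dport == port and p.proto == proto,
         "accept"),
        (lambda p: p.oif == vpn_iface, "accept"),
    ]


def leaky_chain(phys_iface=PHYS_IFACE, **kw):
    """The same chain with a common mistake: DNS is also permitted on the physical interface
    "so the client can resolve the server hostname". While the tunnel is down every process on
    the host can now send queries to the ISP resolver, which is precisely the leak to prevent."""
    chain = strict_chain(phys_iface=phys_iface, **kw)
    dns = (lambda p: p.oif == phys_iface and p.dport == 53 and p.proto in ("udp", "tcp"), "accept")
    return chain[:1] + [dns] + chain[1:]


def verdict(chain, packet, policy="drop"):
    """Apply the chain to one packet and return 'accept' or the policy verdict."""
    for match, action in chain:
        if match(packet):
            return action
    return policy


def nft_ruleset(vpn_iface=VPN_IFACE, phys_iface=PHYS_IFACE, endpoint=VPN_ENDPOINT):
    """The strict chain rendered as an nftables ruleset, loadable with `nft -f <file>`."""
    ip, port, proto = endpoint
    return (
        "table inet killswitch {\n"
        "  chain output {\n"
        "    type filter hook output priority 0; policy drop;\n"
        '    oifname "lo" accept\n'
        f'    oifname "{phys_iface}" ip daddr {ip} {proto} dport {port} accept\n'
        f'    oifname "{vpn_iface}" accept\n'
        "  }\n"
        "}\n"
    )


def simulate_tunnel_drop(chain):
    """An application's HTTPS request before and after the tunnel goes away: with tun0 up the
    route selects it; once the interface vanishes the kernel falls back to eth0."""
    before = verdict(chain, Packet("tun0", "93.184.216.34", 443, "tcp"))
    after = verdict(chain, Packet("eth0", "93.184.216.34", 443, "tcp"))
    return before, after
```

The strict chain assumes the client connects to an IP address rather than a hostname; resolve the hostname once before loading the rules, or allow DNS only on the tunnel interface. A real deployment also needs an input chain that accepts replies (`ct state established,related accept`), and note that the `ip daddr` match covers IPv4 only, so IPv6 packets on the physical interface fall through to the drop policy, which is the behaviour you want.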
A legacy VPN protocol that combines L2TP (which provides tunnelling but no encryption) with IPsec (which provides encryption). L2TP/IPsec was once widely used for consumer VPNs but is now outdated: it encapsulates twice (L2TP inside IPsec ESP), so it carries more overhead, and consumer deployments usually authenticate with a pre-shared key published on the provider's website, which weakens IPsec's authentication of the server. Documents leaked by Edward Snowden suggested the NSA may have worked to weaken IPsec standards, which raised further concerns about its suitability for privacy-critical use. It is slower than IKEv2 and far slower than WireGuard. Use L2TP/IPsec only on legacy devices that support nothing better, and replace it with WireGuard or IKEv2 wherever possible.
A VPN provider's commitment not to retain records (logs) of user activity or connection data. A genuine no-logs policy means the provider stores no connection timestamps, no IP addresses of connecting users, no DNS queries, and no session data that could link a user's identity to their online activity. The term is widely misused in VPN marketing — "no-logs" claims without independent third-party audit verification are unverifiable marketing statements. Look for published audit reports from reputable security firms (Cure53, PwC, KPMG) that specifically verify the server infrastructure and data retention practices.
Techniques that disguise VPN traffic as ordinary internet traffic (typically HTTPS) to get past the deep packet inspection (DPI) that ISPs, governments and network administrators use to detect and block VPNs. Obfuscation is essential in mainland China, where the Great Firewall identifies and blocks standard VPN protocols; DPI systems fingerprint the handshake and packet-size patterns, not just the port, so simply moving OpenVPN to port 443 is rarely enough. Common methods include wrapping VPN traffic in a genuine TLS stream so that it resembles HTTPS (stunnel, or a provider's own "stealth" mode), proxying through Shadowsocks or V2Ray, using non-standard ports, and adding random padding to defeat length-based fingerprinting. ExpressVPN's Lightway, NordVPN's obfuscated servers and Astrill's StealthVPN are the implementations most often cited.
The most widely deployed open-source VPN protocol, created by James Yonan in 2001 and now maintained by OpenVPN Inc. OpenVPN uses TLS for key exchange and its control channel, and supports several cipher suites including AES-256-GCM and ChaCha20-Poly1305. Its key advantage is flexibility: it runs over UDP (faster) or TCP (more reliable on restricted networks) and can listen on TCP port 443, the HTTPS port, so that firewalls which only check ports treat it as web browsing; DPI that inspects the OpenVPN framing can still recognise it. Its large codebase (70,000+ lines) makes it less efficient than WireGuard but highly configurable, and its user-space implementation runs on almost anything. It is the recommended protocol for users on restricted networks who need reliable firewall traversal.
A network architecture where computers communicate directly with each other rather than through a central server. BitTorrent is the most widely used P2P protocol for file sharing. In P2P networks, each participant's IP address is visible to all other participants — in a BitTorrent swarm, every peer can see every other peer's IP address. This is the primary reason VPNs are used for torrenting: by routing your torrent traffic through a VPN server, other peers see the VPN server's IP rather than your home IP. Not all VPNs permit P2P traffic on their networks — check provider policies and look for explicitly P2P-labelled servers.
A property of a key exchange guaranteeing that session keys cannot be recovered from the server's long-term private key. PFS is achieved with ephemeral Diffie-Hellman (DHE) or elliptic-curve Diffie-Hellman (ECDHE): each connection generates a fresh key pair, derives the session key from it, and discards the ephemeral private keys once the session ends; the long-term key is used only to authenticate the exchange. So even if a VPN server's private key is stolen later, previously recorded encrypted sessions cannot be decrypted, because the material needed to reconstruct the session keys no longer exists. Good implementations also rekey within a session: WireGuard rotates keys every two minutes, and OpenVPN renegotiates hourly by default (reneg-sec 3600). PFS is standard in all reputable VPN protocols and is a key feature to verify when evaluating providers.
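The difference between forward-secret and non-forward-secret key agreement, worked as an added example (not code from the page or from any VPN project), using a pure-Python X25519 (the RFC 7748 Montgomery ladder) and HKDF-SHA256 built from the standard library. `pfs_session` is a simplified sketch in the spirit of WireGuard, IKEv2 or TLS 1.3, where the static keys only authenticate the ephemeral public keys; `static_session` mimics key transport to the server's long-term key, as in TLS 1.2 RSA key exchange. The message layout, the info labels and the use of a MAC for authentication are this example's own simplifications, not any protocol's real wire format.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19                       # Curve25519 field prime
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar, u_bytes):
    """RFC 7748 X25519 via the Montgomery ladder; returns the 32-byte shared u-coordinate."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64     # clamp the private scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u_bytes[:31] + bytes([u_bytes[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm, info, length=32):
    """RFC 5869 HKDF with a zero salt, turning a raw DH output into a session key."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]


def keypair():
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)


def pfs_session(client_static, server_static):
    """Ephemeral ECDH: both sides make a fresh key pair, the static keys only authenticate the
    ephemeral public keys (here via a MAC under the static-static DH secret), and the session
    key is derived from the ephemeral-ephemeral DH alone. Returns (key, wire transcript)."""
    c_priv, c_pub = client_static
    s_priv, s_pub = server_static
    ce_priv, ce_pub = keypair()
    se_priv, se_pub = keypair()
    auth = x25519(c_priv, s_pub)                                  # client side
    assert auth == x25519(s_priv, c_pub)                          # server computes the same
    tag = hmac.new(auth, ce_pub + se_pub, hashlib.sha256).digest()
    key_c = hkdf_sha256(x25519(ce_priv, se_pub), b"pfs session")  # client's derivation
    key_s = hkdf_sha256(x25519(se_priv, ce_pub), b"pfs session")  # server's derivation
    assert key_c == key_s
    del ce_priv, se_priv   # ephemeral secrets are forgotten; only the session key survives
    return key_c, {"ce_pub": ce_pub, "se_pub": se_pub, "tag": tag}


def static_session(_client_static, server_static):
    """No forward secrecy: the client's fresh value is combined with the server's *static* key,
    as in TLS 1.2 RSA key transport, so the server's long-term secret alone unlocks the session."""
    _, s_pub = server_static
    ce_priv, ce_pub = keypair()
    key = hkdf_sha256(x25519(ce_priv, s_pub), b"static session")
    del ce_priv
    return key, {"ce_pub": ce_pub}


def recover_from_recording(transcript, server_static_priv, info):
    """Everything an adversary can derive from a captured transcript plus the server's static
    private key obtained later: one DH against the only client ephemeral value on the wire."""
    return hkdf_sha256(x25519(server_static_priv, transcript["ce_pub"]), info)
```

The point is in `recover_from_recording`: with only a captured transcript and the server's static private key, the attacker recomputes the `static_session` key (the transcript's ephemeral value was exchanged against that static key) but not the `pfs_session` key, whose derivation needed an ephemeral private key both sides have already discarded. Use a vetted library (libsodium or `cryptography`) for X25519 in real code; the hand-written ladder is for reading, not deployment.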
A technique that lets unsolicited incoming connections from the internet reach a device behind the VPN server. Normally the server drops all inbound connections you did not initiate; this protects privacy but reduces torrent performance, because peers cannot initiate connections to your client (only you can connect outbound). Port forwarding reserves a port on the VPN server and forwards it to your device, allowing peers to connect directly, which often improves download speeds by 50–300%. The trade-offs: whatever listens on the forwarded port is exposed to the whole internet, and a fixed port makes it easier to correlate your activity across sessions. Private Internet Access and TorGuard support port forwarding; Mullvad removed it in 2023, and NordVPN and ExpressVPN do not offer it.
A legacy VPN protocol from the 1990s, developed by Microsoft, that is cryptographically broken and should never be used for anything privacy-sensitive. PPTP's MPPE (Microsoft Point-to-Point Encryption) uses the RC4 stream cipher with keys derived from the MS-CHAPv2 authentication exchange, and MS-CHAPv2 can be broken by brute-forcing a single DES key (demonstrated publicly in 2012), recovering both the user's credentials and the session keys, so an eavesdropper can decrypt the traffic. Despite this, PPTP still appears in router firmware, old corporate VPN configurations and occasionally in consumer VPN apps as a compatibility option. If you see PPTP in your VPN's protocol list, ignore it and use WireGuard or OpenVPN.
VPN servers that keep all operational data (session state, encryption keys, routing tables) exclusively in RAM and boot from a read-only image, writing nothing to persistent storage such as hard drives or SSDs. RAM loses its contents when power is removed, so if authorities seize a server or an attacker images it, they find no user data because none was ever written to disk; every reboot also wipes any malware or configuration tampering. The guarantee depends on the provider's software genuinely never writing logs, crash dumps or swap to disk, which is what independent audits should verify. ExpressVPN (TrustedServer), NordVPN and Mullvad all operate RAM-only infrastructure. When Turkish authorities seized an ExpressVPN server in 2017, investigators found no user data, a real-world test of this design.
The most capable proxy protocol, relaying TCP connections and UDP datagrams for any application (HTTP, HTTPS, FTP, BitTorrent and so on), unlike HTTP proxies, which handle only web traffic. SOCKS5 supports username/password authentication, which reduces abuse compared with open proxies, though the credentials themselves travel in cleartext. Unlike a VPN, it does not encrypt traffic. Some VPN providers (NordVPN and Private Internet Access, for example) include SOCKS5 proxy access with their subscriptions. Power users configure their torrent client to use the SOCKS5 proxy for IP masking without the overhead of full VPN encryption, while the VPN protects general browsing; the client must be set to proxy peer and tracker connections and to resolve hostnames through the proxy, or it will leak.
A VPN feature that divides your traffic into two streams: one through the encrypted tunnel and one direct to the internet. This lets you protect specific apps or destinations with the VPN while other apps use the full, unthrottled ISP connection. Common configurations: browser and email through the VPN while streaming and gaming connect directly; corporate apps through the company VPN while personal browsing goes through a consumer VPN. It comes in two forms, app-based (per-application routing) and domain-based (per-destination routing, less common). Anything excluded from the tunnel exposes your real IP, and DNS must be split the same way, otherwise queries for tunnelled apps may still go to the ISP.
Cryptographic protocols that provide encrypted, authenticated communication between clients and servers. TLS (the successor to SSL) is what makes HTTPS, the padlock in your browser. OpenVPN uses TLS for its key exchange and control channel. A TLS handshake authenticates the server with a certificate and a digital signature (RSA or ECDSA), agrees session keys with an ephemeral (EC)DHE key exchange, and then switches to symmetric authenticated encryption (AES-GCM or ChaCha20-Poly1305) for the bulk of the data. TLS 1.3 (RFC 8446, 2018) removed static RSA key exchange and all non-AEAD cipher suites, made forward secrecy mandatory, and cut the handshake to one round trip. Ensure any VPN you use supports TLS 1.2 or 1.3, not the deprecated TLS 1.0 or 1.1.
A free, open-source anonymity network that routes traffic through three volunteer-operated relays, wrapping it in a layer of encryption for each hop so that each relay can peel off only its own layer. The entry (guard) node knows your IP but not your destination; the exit node knows the destination but not your IP; the middle relay knows neither. This multi-hop design gives stronger anonymity than a VPN's single hop, but the exit node sees your traffic in whatever form the application sent it, so HTTPS still matters. Tor is much slower than a VPN (typically 1–10 Mbps) and unsuitable for streaming. "Tor over VPN" (offered by some providers, sometimes as "Onion over VPN") connects to the VPN first and then routes that connection into Tor: your ISP sees only a VPN connection rather than Tor, and the Tor entry node sees the VPN server's IP rather than yours.
The core mechanism of a VPN: encapsulating one network packet inside another to create a secure "tunnel" across a public network. Each packet your device would have sent, headers and all, becomes the payload of a new packet addressed to the VPN server; that payload is encrypted and authenticated, while the outer packet's own headers (your IP, the server's IP, the VPN port) stay in the clear because the internet needs them to route it. At the VPN server the outer layer is stripped (decapsulation), the inner packet is decrypted and its authentication tag checked, and your original packet is forwarded to its destination. The extra headers are why tunnelled traffic needs a smaller MTU; packets that exceed it fragment or stall. The usual analogy is an armoured truck carrying valuables (your data) along public roads (the internet): the vehicle hides and protects the contents, but its route is visible.
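The encapsulation described here, using the authenticated cipher from the ChaCha20-Poly1305 entry above, as an added example that is not code from the page or from any VPN implementation. It implements ChaCha20, Poly1305 and the RFC 8439 AEAD construction in pure Python, builds an inner IPv4/UDP packet, wraps it in a cleartext 12-byte transport header (message type plus a 64-bit counter, loosely modelled on WireGuard's data message but not its real format) that is authenticated as associated data, and decapsulates with tag verification and a strictly increasing counter check against replay. The key, addresses and payload are constructed.

```python
import hmac
import ipaddress
import struct

def _rotl(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """RFC 8439 block function: 64 bytes of keystream for one (key, counter, nonce) triple."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key))
             + [counter] + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & 0xFFFFFFFF for i in range(16)))

def chacha20_xor(key, nonce, data, counter=1):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)

def poly1305(otk, msg):
    """One-time authenticator: otk = r || s (32 bytes) must never be reused for a second message."""
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(otk[16:], "little")
    p, acc = (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def mac_input(aad, ct):
    pad = lambda b: b"\x00" * (-len(b) % 16)
    return aad + pad(aad) + ct + pad(ct) + struct.pack("<QQ", len(aad), len(ct))

def aead_seal(key, nonce, aad, plaintext):
    otk = chacha20_block(key, 0, nonce)[:32]   # keystream block 0 keys Poly1305
    ct = chacha20_xor(key, nonce, plaintext)    # blocks 1.. encrypt the payload
    return ct + poly1305(otk, mac_input(aad, ct))

def aead_open(key, nonce, aad, sealed):
    ct, tag = sealed[:-16], sealed[-16:]
    otk = chacha20_block(key, 0, nonce)[:32]
    if not hmac.compare_digest(poly1305(otk, mac_input(aad, ct)), tag):
        return None  # modified, truncated or forged: reject before decrypting anything
    return chacha20_xor(key, nonce, ct)

def inner_ipv4_udp(src, dst, sport, dport, payload):
    """The packet the client's application actually sent: IPv4 header + UDP header + payload."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:] + udp

def nonce_for(counter):
    return b"\x00" * 4 + struct.pack("<Q", counter)

def encapsulate(key, counter, inner):
    """Outer payload: cleartext header (type 4, counter) followed by the sealed inner packet.
    The header is covered by the tag as associated data, so it cannot be altered in transit."""
    header = struct.pack("<IQ", 4, counter)
    return header + aead_seal(key, nonce_for(counter), header, inner)

def decapsulate(key, msg, last_counter):
    """Return (inner_packet, counter) on success, or (None, last_counter) if the message is
    malformed, its tag fails, or its counter does not exceed the last accepted one (replay)."""
    if len(msg) < 12 + 16:
        return None, last_counter
    header, sealed = msg[:12], msg[12:]
    msg_type, counter = struct.unpack("<IQ", header)
    if msg_type != 4 or counter <= last_counter:
        return None, last_counter
    inner = aead_open(key, nonce_for(counter), header, sealed)
    if inner is None:
        return None, last_counter
    return inner, counter

# Constructed sample: a client at tunnel address 10.64.3.7 sending a UDP datagram.
KEY = bytes(range(32))
SAMPLE_INNER = inner_ipv4_udp("10.64.3.7", "203.0.113.10", 40000, 53, b"constructed payload")
```

Note what is and is not protected: the inner packet, including its original source and destination addresses, is encrypted; the outer header is visible to the network but cannot be altered without failing the tag; and a replayed message is rejected before any decryption. WireGuard's real receiver uses a sliding window rather than a strict monotonic counter so that reordered UDP packets are not dropped.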
The software application installed on your device that initiates and manages the VPN connection. The VPN client handles: connecting to the VPN server using the selected protocol, encrypting outgoing traffic, decrypting incoming traffic, managing the kill switch, implementing split tunnelling rules, handling reconnection on network changes, and providing the user interface for server selection and settings management. Modern VPN clients (NordVPN, ExpressVPN, Mullvad apps) are highly polished consumer applications requiring no technical configuration. Enterprise VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect) include additional features for IT management and policy enforcement.
A computer or virtual machine operated by the VPN provider that acts as the encrypted relay for user traffic. The VPN server receives encrypted connections from VPN clients, decrypts the traffic, forwards it to the destination on the internet, receives responses, re-encrypts them, and returns them to the client. The server's IP address is what websites and services see — hiding the user's real IP. Server infrastructure quality (hardware specifications, bandwidth capacity, network peering, geographic location, number of users per server) directly determines VPN performance. RAM-only servers add privacy by ensuring no session data persists between connections.
A browser-level privacy vulnerability in which the WebRTC (Web Real-Time Communication) API, used for in-browser video calls, voice chat and file transfer, reveals IP addresses directly from the browser, bypassing what the VPN hides. WebRTC uses ICE (Interactive Connectivity Establishment) to find the best connection path, which involves asking STUN servers what public address they see and enumerating local interfaces; the result exposes your local network IP (now usually hidden behind an mDNS name in modern browsers) and the public address of whichever interface the browser used. With a proxy-style or extension-only VPN, or when IPv6 is left outside the tunnel, that address is your real one. Test at browserleaks.com/webrtc. Fixes: use a system-level VPN that also handles IPv6, install your provider's browser extension (most block WebRTC leaks), enable uBlock Origin's WebRTC leak prevention setting, or in Firefox set media.peerconnection.enabled to false in about:config.
A modern, high-performance VPN protocol, developed by Jason Donenfeld, first published in 2016 and merged into the Linux kernel in version 5.6 (2020). Its design emphasises radical simplicity: roughly 4,000 lines of code against OpenVPN's 70,000+, making it easier to audit and less likely to harbour vulnerabilities. It uses a fixed set of modern primitives with no cipher negotiation: ChaCha20-Poly1305 for authenticated encryption, Curve25519 for key exchange (a Noise-framework handshake), BLAKE2s for hashing, HKDF for key derivation and SipHash for hashtable keys. Each peer is identified by a Curve25519 public key, and the server keeps each peer's public key and last-seen endpoint in memory, so privacy-focused providers add their own layer for dynamic IP assignment and key rotation. WireGuard runs in the kernel on Linux (where most VPN servers run), delivering 2–4x the throughput of OpenVPN with lower latency and better battery life on mobile. It has no built-in obfuscation, so its handshake is easy for DPI to fingerprint; providers wrap it in other transports where that matters.
A design principle under which the service provider has no access to user data, not because it chooses not to look but because the system makes looking impossible. (This is a marketing use of the phrase; it is unrelated to zero-knowledge proofs in cryptography.) A VPN server must see the destination of your traffic in order to forward it, so "zero-knowledge" here refers to account and identity data rather than traffic: RAM-only servers (no persistent storage), no-logs implementations in which connection state is never written to non-volatile storage, and client-side encryption of any account data before it reaches the server. Mullvad VPN's account system is the usual example: accounts are random numbers, no personal information is collected, and payments (including cash by post) are not linked to the account in a recoverable way.
A modern security framework and increasingly an alternative to traditional VPN for enterprise environments. Unlike VPNs that grant broad network access once authenticated, Zero Trust operates on the principle of "never trust, always verify" — every access request is evaluated against identity, device health, location, and other context-based policies, regardless of whether the request originates inside or outside the corporate network. ZTNA solutions (Zscaler Private Access, Cloudflare Access, Palo Alto Prisma Access) provide granular, application-level access control rather than network-level access, reducing the blast radius of any compromised credential. ZTNA is increasingly recommended for cloud-first organisations as a VPN complement or replacement for application access scenarios.