Glossary — VPN terms in plain language

A kill switch monitors the VPN tunnel and blocks all internet traffic the moment the tunnel breaks — for example when you switch Wi-Fi or the server loses its connection. Without one, your computer keeps sending packets through your regular network until the client reconnects, exposing your real IP address. For anyone using a VPN to hide their location, a kill switch is effectively mandatory.

Split tunneling splits your traffic into two paths. You can, for example, run your browser through the VPN while letting your banking app or local printers go around it — which otherwise often ends with the service blocking you or being slower than it needs to be. The opposite of split tunneling — full tunnel — sends everything through the VPN regardless of app.

With multi-hop (sometimes called double VPN), your traffic is chained through two servers in different countries. The first server sees your real IP but not what you visit; the second sees the destination but not where the traffic originally came from. It protects against a provider that slips up on logging discipline, but it costs speed and is overkill for most people.

Every time you open a web page, your computer looks up the domain name through a DNS server. If that DNS traffic accidentally goes straight to your ISP instead of through the VPN tunnel, they still see the full list of sites you visit, even if the page load itself is encrypted. DNS leak protection forces those lookups into the tunnel.

A VPN protocol decides how the client and server negotiate an encrypted tunnel and how packets are wrapped. WireGuard is the modern standard: a small code base, fast, and good on mobile networks. OpenVPN is older and slower but extremely well-tested and available everywhere. IKEv2/IPsec handles network switching well and is common on phones. Avoid older protocols like PPTP or L2TP without IPsec.

All serious VPN services encrypt traffic with AES-256 or ChaCha20. Both are practically unbreakable with known methods today. Phrases like "military-grade" or "bank-grade encryption" are pure marketing — there is no such standard. What matters more is how keys are exchanged and whether perfect forward secrecy is used, which every modern protocol does.

The country where the company is headquartered governs which courts and intelligence agencies can demand data or force the provider to start logging. Countries inside the Five/Nine/14 Eyes arrangements routinely share intelligence; providers based outside them (Panama or Switzerland, for instance) stand a bit freer. That said, jurisdiction does not save you from a bad no-logs policy — a country without retention laws only helps if the provider actually keeps nothing.

Read more about Five / Nine / 14 Eyes →

Server count is a popular figure to brag about but says little on its own. Three thousand servers in five countries is worse than three hundred servers in fifty countries. What matters is whether there are servers close to where you are (latency) and in the countries you need to connect to (geoblocking). Big numbers also reflect how the provider counts — virtual instances and load balancers are often included.

The number of countries with servers determines which geographical regions you can get an IP address from. If you want to reach BBC iPlayer there has to be servers in the UK; if you want US Netflix there has to be servers in the US. For most people 30–50 countries is plenty; anything beyond that is mainly for edge cases.

Server locations tell you where you can get an exit point. Some providers run physical servers in every country listed; others use virtual servers where the actual machine sits somewhere else but hands you an IP address from the target country. For geoblocking they are equivalent; for latency, physical placement is better.

A free plan is typically a taster, not a full alternative. Common limits are 500 MB to 10 GB of traffic per month, a handful of server countries and reduced speeds. Avoid free VPNs from unknown providers — running the infrastructure is expensive, and if you are not paying you are likely the product (ad tracking or reselling your traffic).

The guarantee is effectively a free trial: you pay the annual fee and request a refund before the window closes if you are not happy. Read the fine print — some providers refuse refunds if you have used too much data, signed up through the App Store or bought through specific promotions.

Almost every VPN provider markets itself with a deeply discounted introductory price and then returns to a considerably higher standard rate when you renew. The discount can be 60–80 % for the first year. The renewal price is the long-term cost — that is the number you should be comparing.

The limit determines how many of your devices can be signed in to the VPN at the same time. A router counts as a single device but covers everything that connects through it, so installing on the router is a smart way to economize on the device count. If you share the account with family, you typically want support for 5–10 simultaneous devices.

With unlimited simultaneous connections you can sign in on as many devices as you like at once. Handy for big households, smart-home gear and sharing the account with close family. Reasonable use is assumed — providers will usually crack down on commercial sharing.

Most VPN ad blockers are essentially a DNS blocklist: the server refuses to resolve known ad domains. That works against banners and third-party trackers but misses ads served from the same domain as the content (YouTube, for example). A dedicated browser plugin like uBlock Origin is more thorough. Two advantages of the VPN variant: it protects every device and works inside apps, not just the browser.

An official app for the VPN service makes installation easy and handles details like the kill switch and DNS leak protection automatically. Common support covers Windows, macOS, Linux, iOS and Android. If a platform is missing (a specific router or Apple TV, say) you can usually still connect manually via OpenVPN or WireGuard configuration files, but without the extra features.

A VPN extension for Chrome or Firefox is in most cases an HTTPS proxy, not a full VPN tunnel. Only browser traffic is protected; everything else on the network (other apps, system updates, email client) goes the regular way. Useful when you want to switch exit country briefly without setting up a system-wide tunnel, but no substitute for a proper VPN client.

We mark Yes if the provider's own site mentions streaming as a feature. Many streaming services maintain lists of VPN IP addresses and block them. A provider that works today may stop working next week. A short money-back guarantee is the best insurance if streaming is your main purpose.

The number of streaming services the provider itself lists as supported on their site. Some publish an exhaustive list on a dedicated page, some only list a subset, and others do not list any at all.