Learn
VPN & privacy glossary
Short, plain-language definitions of the terms that come up when you read about VPNs, encryption, censorship, and network privacy. Each entry is 400-600 words and links to deeper reading.
Hysteria vs VLESS Reality
Hysteria uses QUIC (UDP-based); VLESS Reality uses TLS 1.3 (TCP-based). Hysteria is faster on lossy networks; Reality survives more aggressive DPI environments.
OpenVPN vs IKEv2
OpenVPN is more configurable and supports TCP-443 firewall bypass. IKEv2 is faster and reconnects better on mobile. Different tools for different jobs.
OpenVPN vs SSTP
SSTP is Windows-only and Microsoft-proprietary. OpenVPN is cross-platform and open-source. OpenVPN wins for every modern use case.
Shadowsocks vs Trojan-GFW
Both are censorship-circumvention tools. Shadowsocks is older and more entropy-detectable. Trojan does real TLS handshakes but uses your own certificate.
VLESS Reality vs Shadowsocks
Both target DPI-heavy markets. Shadowsocks (2012) is older and increasingly detected. VLESS Reality (2023) survives where Shadowsocks fails.
VLESS Reality vs Trojan-GFW
Both perform real TLS handshakes. Trojan uses your own certificate; Reality uses a third party's. Reality survives Certificate Transparency comparison; Trojan increasingly does not.
VLESS Reality vs WireGuard
WireGuard is faster and simpler. VLESS Reality survives DPI in censored markets where WireGuard is blocked. Different tools for different networks.
What is a captive portal
The login or terms-acceptance page that public Wi-Fi networks force you through before granting internet access.
What is a certificate authority
An organisation that issues digital certificates verifying that a public key really belongs to who it says.
What is a data broker
Companies that aggregate consumer data from multiple sources and sell it for advertising, fraud detection, identity resolution, and increasingly law enforcement.
What is a DNS leak
When DNS queries bypass the VPN tunnel and reach your ISP, exposing the sites you visit even though traffic itself is encrypted.
What is a man-in-the-middle attack
An attack where someone inserts themselves between two parties, reading or modifying traffic without either party realising.
What is a no-logs policy
A VPN provider's commitment about what user activity they do not record. The specifics matter more than the headline.
What is a VPN
An encrypted tunnel between your device and a VPN server that hides your IP and traffic from the network in between.
What is a VPN kill switch
A feature that blocks all internet traffic if the VPN tunnel drops, so your real IP doesn't leak during reconnects.
What is a VPN protocol
The set of rules and cryptography a VPN uses to authenticate, encrypt, and route traffic between client and server.
What is a warrant canary
A periodic public statement that no national-security warrants have been received, designed to signal a gag-ordered subpoena indirectly by ceasing to be published.
What is a WebRTC leak
When a webpage uses the browser's WebRTC API to discover your real IP, even with a VPN active.
What is active probing
Censorship technique where censors send their own probes to suspected proxy servers to verify the server is or is not a VPN, then block based on the response.
What is an internet shutdown
A government-ordered disruption of internet access affecting a region or whole country. Often deployed during elections, protests, or exam periods.
What is an IP address
The numeric address that identifies your device on the internet, assigned by your ISP and visible to every site you visit.
What is an IPv6 leak
When IPv6 traffic bypasses a VPN that only tunnels IPv4, exposing your real IPv6 address to sites you visit.
What is Automatic Content Recognition (ACR)
Smart-TV technology that captures viewing data — frame samples, audio fingerprints — and sends to manufacturer servers. Sold to advertisers and data brokers.
What is censorship resistance
The property of a tool or protocol that makes it hard to block, throttle, or filter even by adversarial networks.
What is DNS
The system that translates domain names like fexyn.com into the IP addresses computers actually use to connect.
What is DNS-over-HTTPS (DoH)
Encrypts DNS queries between your client and the resolver. Hides queries from your ISP. Standardised in RFC 8484. Different from VPN but complementary.
What is DPI (deep packet inspection)
Network equipment that looks inside packets to identify what protocol or application they belong to, used to filter or throttle traffic.
What is encryption
The math that turns readable data into ciphertext that only someone with the right key can decode.
What is geo-blocking
Restricting access to a website or service based on the user's geographic location, usually inferred from their IP address.
What is ISP throttling
When your internet provider slows down specific kinds of traffic — streaming, gaming, torrents — without telling you upfront.
What is net neutrality
The principle that ISPs should treat all internet traffic equally, without throttling or prioritising specific services. US repealed in 2017; EU and UK retain protection.
What is OpenVPN
A mature, widely-supported VPN protocol that runs on TCP/443, useful when faster protocols are blocked.
What is PKI (public key infrastructure)
The system of certificates, signing keys, and trust roots that lets parties verify each other's identities online.
What is Reality (Reality protocol)
A transport for VLESS that performs a real TLS handshake to a real public site, forwarding that site's actual certificate so DPI sees ordinary HTTPS.
What is Shadowsocks
A SOCKS5-style proxy with stream encryption, created in 2012 to bypass China's Great Firewall. Predecessor to VLESS Reality and other modern censorship-circumvention protocols.
What is SNI (Server Name Indication)
A field in TLS handshakes that tells the server which hostname you're trying to reach, in plaintext, visible to anyone watching.
What is split tunneling
A VPN feature that lets you send some apps through the tunnel while others use your normal connection.
What is the Five Eyes alliance
An intelligence-sharing arrangement between the US, UK, Canada, Australia, and New Zealand for communications surveillance.
What is the Great Firewall of China
The world's most extensive internet-censorship system, operated at China's international gateways. Combines DNS poisoning, IP blocking, DPI, active probing, and ML traffic classification.
What is TLS
Transport Layer Security — the protocol that puts the S in HTTPS, encrypting connections between clients and servers.
What is traffic obfuscation
Techniques that disguise VPN traffic so it looks like ordinary internet activity, used to bypass DPI in censored networks.
What is TSPU
Russia's nationwide deep-packet-inspection system, deployed at every licensed Russian ISP since 2021. Identifies and blocks VPN protocols at the packet level.
What is VLESS
A VPN protocol designed to look indistinguishable from regular HTTPS traffic, used to defeat DPI in censored countries.
What is VPN tunneling
Wrapping IP packets inside another protocol's packets so they travel encapsulated across an untrusted network.
What is WireGuard
A modern VPN protocol with a small codebase, fast handshake, and excellent performance — the default for most consumer VPNs since 2020.
What is WPA3
The Wi-Fi Alliance's third-generation Wi-Fi security standard, ratified in 2018, replacing WPA2's vulnerable PSK handshake with SAE.
WireGuard vs IKEv2
Both are fast modern protocols. WireGuard is simpler with smaller codebase. IKEv2 has better mobility (MOBIKE) for switching networks.
WireGuard vs L2TP/IPsec
L2TP is legacy. WireGuard is modern, faster, simpler, and more secure. Use WireGuard. The only reason to consider L2TP is legacy compatibility.
WireGuard vs OpenVPN
WireGuard is faster, simpler, and modern. OpenVPN is more configurable and more mature. The honest 2026 comparison.
Try Fexyn free for 7 days
Windows app available now in Beta. WireGuard, VLESS Reality, and OpenVPN with no browsing-history, DNS-query, or traffic-content logs.
See pricing