VPN and Proxy Glossary

A short reference on VPN, proxy and censorship-circumvention technologies. 24 key terms — from the WireGuard and VLESS Reality protocols to DPI and mobile proxies — explained in plain language.

Protocols & technology

VPN: A VPN (Virtual Private Network) is a technology that encrypts internet traffic and routes it through a remote server, hiding the real IP address and protecting data from interception by the provider or on public Wi-Fi.
WireGuard: WireGuard is a modern VPN protocol with a very small codebase (about 4000 lines) and high speed. It uses ChaCha20 and Curve25519 cryptography, connects quickly and saves battery, which made it the default for mobile VPNs.
OpenVPN: OpenVPN is a time-tested open-source VPN protocol built on OpenSSL. It runs over TCP or UDP, can be disguised as ordinary HTTPS on port 443, but is slower and heavier than WireGuard.
IKEv2/IPsec: IKEv2/IPsec is a protocol suite built into most operating systems. Its key strength is instant reconnection when the network changes (Wi-Fi to mobile data), which makes it convenient on smartphones.
Shadowsocks: Shadowsocks is a lightweight encrypted proxy designed to bypass censorship. It disguises traffic as ordinary connections, making it hard for filtering systems to detect; it is widely used in countries with heavy censorship.
VLESS + Reality: VLESS + Reality combines the VLESS protocol with the Reality technology, which makes your traffic look like a request to a real third-party site (for example microsoft.com). It uses no certificate of its own, so it is almost indistinguishable from legitimate HTTPS and resists DPI.
AmneziaWG: AmneziaWG is a fork of WireGuard with added obfuscation: it masks the distinctive WireGuard handshake signature that DPI systems learned to block. It keeps the original speed while bypassing protocol-level blocking.

Censorship circumvention

DPI (Deep Packet Inspection): DPI (Deep Packet Inspection) is a technology where the provider equipment examines not only the destination address but the contents of network packets. It can recognise and block specific protocols and applications, including VPNs.
ТСПУ: TSPU (technical measures to counter threats) is state-controlled DPI equipment installed at Russian providers since 2019. It centrally filters and throttles traffic, including attempts to block VPN protocols.
SNI и ECH: SNI (Server Name Indication) is a field at the start of a TLS connection that sends the requested site name in the clear, making it easy to block. ECH (Encrypted Client Hello) is an extension that encrypts the SNI and hides which site is being accessed.
Обфускация трафика: Obfuscation is the disguising of VPN traffic as ordinary internet traffic (usually HTTPS) so that DPI systems cannot recognise and block the connection. It is used in Shadowsocks, Reality, AmneziaWG and other protocols.
Hysteria 2: Hysteria 2 is a protocol over QUIC/UDP optimised for unstable and congested networks. Thanks to its own congestion control it keeps high speed even with packet loss, which helps when the provider shapes traffic.
Sing-box и Xray: Sing-box and Xray are universal client-server cores that bundle many circumvention protocols (VLESS, VMess, Trojan, Shadowsocks, Hysteria) in a single configuration. They are used to flexibly set up self-hosted VPN servers.

Proxy types

Прокси-сервер: A proxy server is an intermediary between your device and the internet that replaces your IP address with its own. Unlike a VPN, a plain proxy works at the application level and often does not encrypt all traffic.
Мобильный прокси: A mobile proxy is a proxy that uses a mobile carrier IP address (3G/4G/5G). Such addresses earn the most trust from websites and anti-fraud systems, because one carrier IP hides thousands of real subscribers.
Резидентный прокси: A residential proxy is a proxy with an IP address assigned to a home user by a regular ISP. Websites perceive it as a real visitor, so it is blocked less often than data-center addresses.
SOCKS5: SOCKS5 is a universal proxy protocol that passes any type of traffic (TCP and UDP) without inspecting its contents. It supports authentication and is often used in torrent clients, games and automation.
Дата-центр прокси: A data-center proxy is a proxy with an IP address from a server data center. They are cheap and fast, but easy to detect by their hosting-provider ownership, so large sites block them more often.

Core concepts

IP-адрес: An IP address is a unique network identifier of a device on the internet. It reveals the approximate location and provider, so replacing the IP through a VPN or proxy changes the country and region seen by websites.
DNS и DNS-утечка: DNS is the system that turns domain names (vpn.how) into IP addresses. A DNS leak happens when DNS requests still go to the provider while the VPN is on, revealing which sites you visit.
Kill Switch: A kill switch is a VPN feature that instantly blocks all internet traffic if the VPN connection drops. It prevents the real IP address and traffic from leaking onto an unprotected network.
No-logs (политика без логов): No-logs is a policy under which a VPN service keeps no records of user activity: visited sites, session times and real IP addresses. If there are no logs, they cannot be handed to third parties or recovered if a server is seized.
Split tunneling: Split tunneling is a mode where some applications go through the VPN and others connect directly. It lets you, for example, open blocked services through the VPN while keeping banking apps on the local IP.
WebRTC-утечка: A WebRTC leak is the exposure of the real IP address through the WebRTC technology built into browsers, even when a VPN is on. It is fixed by disabling WebRTC in the browser or using a VPN client with leak protection.