VPN MCQ 60 Tests With Answers (2026)

Virtual Private Networks create encrypted tunnels over public networks, enabling secure remote access and site-to-site connectivity. These 60 VPN MCQs cover VPN architecture types, IPSec (IKEv1/IKEv2, ESP, AH), SSL/TLS VPNs, PPTP/L2TP/SSTP protocols, split tunneling, DNS leak prevention, VPN security vulnerabilities, and modern Zero Trust alternatives.
These questions are organized into three progressive difficulty levels: Basics (20 Qs on VPN types, tunneling protocols, and core concepts), Concepts (20 Qs on IPSec, SSL/TLS VPNs, and split tunneling), and Advanced (20 scenario-based Qs on IKEv2, VPN security vulnerabilities, and Zero Trust alternatives). Each question includes an in-depth explanation to reinforce learning.
Use Study Mode to master VPN technologies, or Exam Mode to prepare for CompTIA Network+, Security+, or CCNA Security certifications.
Contents
- 1. Basics (20 Questions): VPN types · tunneling protocols · core concepts
- 2. Concepts (20 Questions): IPSec · SSL/TLS VPNs · split tunneling
- 3. Advanced (20 Questions): IKEv2 · VPN security vulnerabilities · Zero Trust alternatives
- 4. Conclusion: summary · next steps · study tips
- 5. Key Takeaways: quick-fire bullet recap of essential facts
- 6. Quick Review Summary: concept · definition · key fact table
- 7. FAQ: common questions answered
VPN — Basics
1. What is the primary purpose of a Virtual Private Network (VPN)?
Answer (A): To create a secure, encrypted connection over a less secure network like the public internet
A VPN creates a private, encrypted 'tunnel' over a public network (typically the internet), allowing data to travel securely between the user and the destination as if they were on a private network.
2. What does the term "Tunneling" mean in a VPN context?
Answer (B): The process of encapsulating an entire network packet within another packet for secure transit
Tunneling encapsulates a complete network packet (including headers) inside another packet. The outer packet carries it to the VPN endpoint, where the inner packet is extracted and processed—keeping the original data hidden in transit.
3. Which VPN topology is typically used to connect a remote employee's laptop to the corporate network?
Answer (C): Remote Access (Client-to-Site) VPN
A Remote Access (Client-to-Site) VPN allows an individual user's device to securely connect to the corporate network over the internet, as if physically present in the office, using VPN client software.
4. What is a Site-to-Site VPN primarily designed to connect?
Answer (D): Two or more geographically separated local area networks (LANs) into one cohesive virtual network
Site-to-Site VPNs permanently link entire networks (e.g., a branch office LAN to the headquarters LAN) via VPN gateways at each site. Users on either side can communicate as if they were on the same local network.
5. Which fundamental security principle is achieved by encrypting the payload of a VPN tunnel?
Answer (B): Confidentiality
Encryption ensures Confidentiality: only parties holding the decryption key can read the data, so an attacker who intercepts the encrypted VPN traffic cannot decipher its contents. Encryption alone does not provide integrity, though; that comes from the tunnel's MAC or AEAD (for example ESP with HMAC-SHA256, or AES-GCM), which is why every modern VPN suite pairs the two.
6. What role does a VPN concentrator play in an enterprise network?
Answer (C): It serves as a dedicated hardware device that aggregates and manages hundreds or thousands of concurrent VPN connections
A VPN concentrator (e.g., Cisco ASA, Palo Alto) is purpose-built hardware/software that handles the overhead of encrypting, decrypting, and authenticating large numbers of simultaneous VPN sessions—offloading this work from general-purpose routers and firewalls.
7. Why do users often experience a slight reduction in internet speed when connected to a VPN?
Answer (A): Because of the processing overhead required to encrypt and decrypt the packets, plus the additional routing distance to the VPN server
VPN speed reduction comes from two sources: cryptographic overhead (CPU cycles to cipher/decipher every packet) and routing latency (all traffic must physically travel to the VPN server before reaching the destination, adding round-trip time).
8. Which of the following is a common consumer use case for a commercial VPN service?
Answer (D): Masking the user's true IP address to bypass geographic content restrictions
Commercial VPNs (NordVPN, ExpressVPN, etc.) replace the user's real IP address with the VPN server's IP, making it appear as if the user is in the server's country—commonly used to access region-locked streaming services.
9. What is "Split Tunneling" in a VPN configuration?
Answer (A): A feature that routes specific corporate traffic through the encrypted VPN while sending general internet traffic directly out the local network
Split tunneling routes only defined traffic (e.g., 10.0.0.0/8 corporate subnets) through the encrypted VPN, while all other internet traffic (Netflix, Google) exits directly through the user's local ISP, preserving bandwidth. The trade-off is that the non-tunneled traffic bypasses corporate inspection and filtering, and the endpoint is reachable from the internet and the corporate network at the same time, so split tunneling is usually paired with strong endpoint controls.
10. Which older, natively supported VPN protocol is now widely considered obsolete and insecure due to its reliance on MS-CHAPv2?
Answer (C): Point-to-Point Tunneling Protocol (PPTP)
PPTP (RFC 2637, 1999) authenticates with MS-CHAPv2, which has been publicly broken since 2012, when Moxie Marlinspike and David Hulton showed that the handshake reduces to a single 56-bit DES key search, making recovery of the user's NT password hash practical from one captured exchange. Because the RC4-based MPPE session keys are derived from that same hash, recovering it also decrypts the recorded traffic. PPTP is unsuitable for any security-conscious deployment today.
11. How does a VPN technically mask an end-user's geographical location?
Answer (D): By replacing the user's originating public IP address with the IP address of the VPN server
All outgoing traffic exits the internet from the VPN server's IP address. Destination servers, geo-IP databases, and CDNs see only the VPN endpoint's IP, masking the user's true location and identity. This holds only if DNS queries also travel through the tunnel: a DNS leak to the local ISP resolver reveals the user's real network even while the tunnel is up.
12. In VPN terminology, what is the "Payload"?
Answer (A): The actual user data and original IP header being encapsulated and transported inside the outer tunnel packet
In tunneling, the payload is the complete original packet (including its IP header and data) that is wrapped inside the outer tunnel packet. The outer packet's header handles routing; the inner payload is protected as cargo.
13. What does the "Kill Switch" feature on a VPN client software do?
Answer (B): It immediately blocks all network traffic if the VPN connection drops, preventing data from leaking over the unencrypted local connection
A VPN kill switch monitors the tunnel state and instantly blocks all internet traffic at the OS firewall level if the VPN drops unexpectedly. This prevents 'VPN leak' scenarios where unencrypted traffic would otherwise flow directly over the plain internet.
14. Which component is absolutely necessary on a user's machine to establish a Remote Access VPN?
Answer (C): VPN client software or native operating system VPN capabilities
Remote Access VPNs require software on the endpoint—either a dedicated client (Cisco AnyConnect, WireGuard app) or the OS-native VPN stack (built-in IKEv2/L2TP in Windows/macOS)—to initiate the encrypted tunnel to the VPN gateway.
15. What is the primary difference between a VPN and a Web Proxy?
Answer (D): A VPN encrypts the entire network connection at the system level, while a proxy generally only routes and masks traffic for a specific application (like a browser)
A VPN operates at the OS network layer: all applications' traffic is encrypted and tunneled. A web proxy operates at the application layer: only the specific app configured to use it (usually a browser) has its traffic redirected, and a plain HTTP proxy adds no encryption of its own, so the proxy operator (and anyone between the client and the proxy) sees the traffic in whatever form the application sent it.
16. Which authentication method is highly recommended to secure enterprise VPN access against credential stuffing attacks?
Answer (A): Multi-Factor Authentication (MFA)
MFA requires a second factor (TOTP code, push notification, hardware token) beyond the password. Even if credentials are stolen via phishing or exposed in a breach, an attacker cannot authenticate to the VPN without the second factor. Prefer phishing-resistant factors (FIDO2 keys or device certificates) where possible: push-based approval can be worn down by repeated prompts ("MFA fatigue"), and TOTP codes can be relayed in real time by a phishing proxy.
17. What does a "No-Logs Policy" mean when advertised by a commercial VPN provider?
Answer (B): The provider claims to not record or store any data regarding the user's browsing activity, connection timestamps, or original IP addresses
A no-logs policy means the VPN provider's servers do not store records of which IP addresses connected, when, or what was accessed, so even if compelled by law enforcement or breached by attackers, there is no usable data to hand over. It is a claim, not a property the user can verify; independent audits and the provider's legal jurisdiction are what give it weight.
18. In a Site-to-Site VPN, where does the encryption and decryption process physically occur?
Answer (C): At the edge VPN gateways or routers located at each respective site
In site-to-site VPNs, end users are entirely unaware of the VPN. The VPN gateway (a router or firewall) at each site transparently encrypts outbound traffic and decrypts inbound traffic—users communicate normally on their LAN.
19. Which transport layer protocol does OpenVPN typically use by default to ensure the fastest transmission speed, despite not guaranteeing packet delivery?
Answer (D): User Datagram Protocol (UDP)
OpenVPN defaults to UDP (port 1194) because UDP's connectionless nature has lower latency: no handshake, no acknowledgments, no retransmission delays, and the tunneled applications already handle their own reliability. TCP mode is offered for firewall traversal but can cause TCP-over-TCP "meltdown", where the inner and outer retransmission timers interact and throughput collapses under packet loss.
20. What does IPsec stand for in the context of VPNs?
Answer (B): Internet Protocol Security
IPsec (Internet Protocol Security) is a standardized suite of protocols (RFC 4301+) that provides authentication, integrity, and confidentiality for IP communications by operating directly at the network layer (Layer 3).
VPN — Concepts
1. Which two core protocols comprise the IPsec suite to provide data authentication, integrity, and confidentiality?
Answer (C): Authentication Header (AH) and Encapsulating Security Payload (ESP)
AH (RFC 4302) provides data origin authentication, connectionless integrity, and anti-replay protection, but no confidentiality. ESP (RFC 4303) provides confidentiality plus (optionally, and in practice always) integrity and anti-replay. The one thing AH covers that ESP does not is the outer IP header: ESP's integrity check stops at the ESP payload, which is exactly what lets it pass through NAT. Modern deployments almost always use ESP alone.
2. In an IPsec VPN, what is the function of the Internet Key Exchange (IKE) protocol?
Answer (D): It authenticates the communicating peers and securely negotiates the symmetric encryption keys establishing a Security Association (SA)
IKE (IKEv1 via RFC 2409, IKEv2 via RFC 7296) works in two stages. IKEv1 Phase 1 establishes a secure, authenticated channel (the ISAKMP SA) using Diffie-Hellman, and Phase 2 (Quick Mode) uses that channel to negotiate the IPsec SAs that protect data traffic. IKEv2 collapses this into an IKE_SA_INIT and IKE_AUTH exchange (four messages) that sets up the IKE SA and the first Child SA together, with CREATE_CHILD_SA for further SAs and rekeying.
3. How does an SSL/TLS VPN differ operationally from an IPsec VPN?
Answer (A): SSL/TLS VPNs typically operate via standard web browsers over port 443 without requiring specialized client software, whereas IPsec usually requires a dedicated client and alters network-layer routing
SSL VPNs (e.g., Cisco AnyConnect portal, Pulse Secure) leverage TCP port 443 HTTPS, which is rarely blocked by firewalls, and can work directly in a browser (clientless mode) for web applications. Full network-layer access over TLS still needs an agent, which is why products like AnyConnect and GlobalProtect ship one. IPsec requires UDP 500/4500 and typically a full VPN client installation.
4. What is the primary operational advantage of the modern WireGuard VPN protocol compared to legacy protocols like OpenVPN or IPsec?
Answer (B): It features a significantly smaller codebase, leading to faster connection times, lower CPU overhead, and a highly reduced attack surface
WireGuard's Linux kernel implementation is roughly 4,000 lines, against tens of thousands for OpenVPN (before counting OpenSSL) and hundreds of thousands for a full IKE/IPsec stack such as strongSwan. The small codebase means fewer bugs and easier auditing; the fixed cipher suite (Curve25519, ChaCha20-Poly1305, BLAKE2s) removes negotiation and gives a 1-RTT handshake and low CPU cost. The trade-off is that WireGuard is only a keyed tunnel: user authentication, key distribution and address assignment are left to whatever sits around it.
5. During IPsec operation, what does "Transport Mode" do differently than "Tunnel Mode"?
Answer (C): Transport Mode encrypts only the packet payload leaving the original IP header intact, while Tunnel Mode encrypts both the payload and the original IP header, wrapping it in a new IP header
Transport Mode (host-to-host) protects only the L4+ payload; the original IP header is visible for routing. Tunnel Mode (gateway-to-gateway or remote access) hides the entire original packet inside a new IP header—the internal IP structure is invisible to intermediaries.
6. Which cryptographic algorithm is currently the industry standard for encrypting the data payload within an IPsec or OpenVPN tunnel?
Answer (B): Advanced Encryption Standard (AES)
AES (FIPS 197) is the NIST-standardized symmetric cipher, used with 128-, 192- or 256-bit keys. In VPNs it is deployed as AES-GCM (authenticated encryption, preferred) or AES-CBC paired with a separate HMAC, replacing DES, which is broken, and 3DES, which is deprecated because of its 64-bit block size. RFC 8221 lists AES-GCM as the recommended ESP cipher, with ChaCha20-Poly1305 as the common alternative on hardware without AES acceleration.
7. What does the "Authentication Header" (AH) in IPsec provide?
Answer (D): Data origin authentication, data integrity, and anti-replay protection, but NO confidentiality (encryption)
AH (IP protocol number 51) computes an ICV (typically an HMAC) over the payload and the IP header, with mutable fields such as TTL and the header checksum zeroed before hashing, proving the packet has not been tampered with and came from the right peer. Because the source address is covered, anything that rewrites it (NAT) fails the check. AH provides no encryption: the content is plaintext and readable.
8. Why does IPsec often struggle when traversing a Network Address Translation (NAT) router?
Answer (A): Because NAT alters the IP header, which invalidates the integrity check performed by IPsec, causing the packet to be dropped
AH's ICV covers the outer IP source address, so a NAT that rewrites it breaks the integrity check outright. ESP does not cover the outer header, but it has no port numbers, so a port-translating NAT has nothing on which to multiplex several inside hosts and cannot track the flows; in transport mode the inner TCP/UDP checksum (which includes the original addresses) also fails after translation. NAT-T solves both problems by carrying ESP inside UDP port 4500.
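The Python model below is an added illustration written for this page, not code from the quiz or from any IPsec implementation. It ties together Basics Q2 and Q12 (encapsulation and payload) with Concepts Q5, Q7 and Q8 (tunnel mode, what AH covers, and the NAT problem): it builds real IPv4 headers for an inner packet and an outer tunnel packet, computes an AH-style ICV over the outer header's immutable fields plus the payload and an ESP-style ICV over the payload alone, then lets a NAT rewrite the outer source address and shows which check survives. Encryption, padding, the actual AH/ESP header layouts and sequence numbers are deliberately left out; the key, addresses and payload bytes are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

PROTO_UDP = 17
PROTO_ESP = 50
PROTO_AH = 51
ICV_LEN = 16          # HMAC-SHA-256-128 style truncation
_IPV4_FMT = "!BBHHHBBH4s4s"


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a correct header checksum."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = _checksum(struct.pack(_IPV4_FMT, *fields))
    return struct.pack(_IPV4_FMT, *fields)


def parse_ipv4(pkt: bytes) -> dict:
    """Split an IPv4 packet into header fields of interest and its payload."""
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(_IPV4_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"ttl": ttl, "proto": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "header": pkt[:ihl], "payload": pkt[ihl:total_len]}


def ah_icv(key: bytes, outer_header: bytes, inner: bytes) -> bytes:
    """AH: integrity over the outer IP header (mutable TTL and checksum zeroed) plus the payload.
    The source and destination addresses ARE covered, so NAT breaks this check."""
    immutable = bytearray(outer_header)
    immutable[8] = 0                       # TTL changes hop by hop
    immutable[10:12] = b"\x00\x00"         # header checksum changes with it
    return hmac.new(key, bytes(immutable) + inner, hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(key: bytes, inner: bytes) -> bytes:
    """ESP: integrity over the ESP payload only; the outer IP header is not covered."""
    return hmac.new(key, inner, hashlib.sha256).digest()[:ICV_LEN]


def encapsulate(key: bytes, inner: bytes, gw_src: str, gw_dst: str, proto: int) -> bytes:
    """Tunnel mode: the whole inner packet (header included) becomes the payload of a new
    outer packet addressed gateway-to-gateway, followed by the ICV."""
    outer = ipv4_header(gw_src, gw_dst, proto, len(inner) + ICV_LEN)
    icv = ah_icv(key, outer, inner) if proto == PROTO_AH else esp_icv(key, inner)
    return outer + inner + icv


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """What a NAT gateway does to the outer header: new source, new checksum, TTL decremented."""
    p = parse_ipv4(pkt)
    return ipv4_header(new_src, p["dst"], p["proto"], len(p["payload"]), ttl=p["ttl"] - 1) + p["payload"]


def verify(key: bytes, pkt: bytes) -> bool:
    """Receiving gateway recomputes the ICV over what actually arrived."""
    p = parse_ipv4(pkt)
    inner, icv = p["payload"][:-ICV_LEN], p["payload"][-ICV_LEN:]
    expected = ah_icv(key, p["header"], inner) if p["proto"] == PROTO_AH else esp_icv(key, inner)
    return hmac.compare_digest(icv, expected)


def demo(proto: int) -> bool:
    """Branch host 10.1.0.5 -> HQ host 10.2.0.9 through a tunnel whose branch gateway sits behind NAT.
    Returns whether the HQ gateway accepts the packet. All values constructed."""
    key = b"constructed-sa-integrity-key"
    inner = ipv4_header("10.1.0.5", "10.2.0.9", PROTO_UDP, 8) + b"hello!!!"
    pkt = encapsulate(key, inner, "192.168.1.2", "203.0.113.10", proto)   # private gateway address
    pkt = nat_rewrite_source(pkt, "198.51.100.7")                          # NAT assigns the public one
    return verify(key, pkt)
```

Run `demo(PROTO_AH)` and `demo(PROTO_ESP)`: the AH packet is rejected after NAT, the ESP packet is accepted. In a real network the ESP flow still needs NAT-T, because the NAT has no UDP/TCP port to key its translation table on; that is the second half of the problem, and the reason UDP 4500 exists.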
9. What mechanism was explicitly developed to solve the issue of IPsec traffic failing to pass through a NAT router?
Answer (C): NAT Traversal (NAT-T)
NAT-T (RFC 3947 for the IKEv1 negotiation, RFC 3948 for the UDP encapsulation) detects NAT devices in the IKE path and wraps ESP packets in UDP on port 4500. This gives NAT routers a valid UDP port to track, allowing IPsec to traverse NAT without breaking integrity checks. IKEv2 (RFC 7296) has the same NAT detection built in, so no separate extension is needed.
10. What is a DMVPN (Dynamic Multipoint Virtual Private Network)?
Answer (A): A routing technique that allows branch locations to dynamically establish direct, on-demand IPsec VPN tunnels with one another, rather than routing all traffic through a central hub
DMVPN (Cisco) uses a hub-and-spoke base with mGRE and NHRP. When branch A needs to talk to branch B, it queries the hub (NHS) for B's dynamic IP and dynamically builds a direct spoke-to-spoke IPsec tunnel, eliminating hub bottlenecks.
11. In the context of a VPN KEX (Key Exchange), what does "Perfect Forward Secrecy" (PFS) ensure?
Answer (D): That the compromise of a long-term private key does not compromise past session keys, because unique, ephemeral keys are generated for each session
PFS uses ephemeral Diffie-Hellman each session. Even if an attacker records all past traffic and later obtains the long-term private key, they cannot derive past session keys—each session's DH exchange produces a unique, independent shared secret.
12. Which OSI layer does the Point-to-Point Tunneling Protocol (PPTP) operate at?
Answer (B): Layer 2 - Data Link Layer
PPTP (RFC 2637, 1999) tunnels PPP (Point-to-Point Protocol) frames, which operate at the Data Link Layer (OSI Layer 2). It encapsulates PPP frames in GRE, with a separate control connection on TCP port 1723, creating a Layer 2 tunnel transportable over a Layer 3 IP network.
13. When configuring an OpenVPN server, what is the primary role of the Public Key Infrastructure (PKI)?
Answer (C): To issue, manage, and validate the digital certificates used to securely authenticate both the server and the connecting clients
OpenVPN's PKI (commonly built with Easy-RSA or a dedicated CA) issues X.509 certificates to the server and each client. Mutual TLS authentication requires both sides to present valid, CA-signed certificates, preventing unauthorized devices from connecting. The PKI also has to handle revocation: a CRL (the crl-verify directive) is what keeps a lost or decommissioned device's certificate from working until it expires.
14. What port and protocol does OpenVPN use by default?
Answer (A): UDP Port 1194
OpenVPN defaults to UDP port 1194 (IANA assigned). UDP minimizes latency. Many deployments also configure TCP port 443 as a fallback to traverse firewalls and deep packet inspection that block non-standard ports.
15. What specific problem does "Split DNS" aim to solve in a corporate VPN environment?
Answer (D): It allows the VPN client to use the corporate DNS server strictly for internal domains while using the local ISP's DNS for general internet browsing
Without split DNS, a VPN client sends all DNS queries through the corporate server—even for google.com—adding latency and exposing browsing habits internally. Split DNS routes internal FQDNs (corp.example.com) to the internal DNS server while external lookups use the local resolver.
16. Which of the following is a fundamental characteristic of the L2TP (Layer 2 Tunneling Protocol)?
Answer (B): It does not provide any encryption or confidentiality by itself, requiring pairing with a protocol like IPsec for secure transit
L2TP (RFC 2661, UDP port 1701) is purely a tunneling protocol: it provides no encryption or authentication beyond PPP's. The ubiquitous 'L2TP/IPsec' pairing (RFC 3193) runs L2TP inside IPsec ESP in transport mode, which supplies the encryption and integrity that L2TP alone lacks.
17. In IPsec terminology, what is a "Security Association" (SA)?
Answer (A): A unidirectional logical connection established between two endpoints that defines the exact cryptographic algorithms and keys to be used for the session
An SA is a one-way contract stored in the Security Association Database (SAD), identified by a unique SPI, destination IP, and security protocol. Since IPsec is bidirectional, a tunnel requires two SAs—one per direction. IKE negotiates and maintains them.
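Besides algorithms and keys, an inbound SA carries the anti-replay state that AH and ESP rely on (Concepts Q7 and this question). The sliding-window check below is an added Python example written for this page, not code from any IPsec stack; it follows the bitmap algorithm described in RFC 4303 §3.4.3 and Appendix A. The SPI and the sequence numbers fed to it are constructed.

```python
class InboundSA:
    """Anti-replay state for one inbound SA: the highest sequence number accepted so far and a
    bitmap of which of the previous `window` numbers have already been seen."""

    SEQ_MAX = 0xFFFFFFFF          # 32-bit ESP/AH sequence number (no ESN modelled here)

    def __init__(self, spi: int, window: int = 64):
        if window < 32:
            raise ValueError("RFC 4303 requires a replay window of at least 32")
        self.spi = spi
        self.window = window
        self.highest = 0           # sequence numbers start at 1, so 0 means "nothing yet"
        self.bitmap = 0            # bit i set  <=>  sequence (highest - i) has been received

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window; False to drop it.
        The ICV must already have verified: the window is only updated for authentic packets."""
        if seq == 0 or seq > self.SEQ_MAX:
            return False                               # 0 is never valid; > max means rekey was missed
        if seq > self.highest:                         # right of the window: slide it
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window:
            return False                               # left of the window: too old to judge, drop
        if self.bitmap & (1 << offset):
            return False                               # inside the window but already seen: replay
        self.bitmap |= 1 << offset                     # late but legitimate (reordered) packet
        return True


def replay_demo() -> dict:
    """Feed a constructed sequence of packets through one SA and record each verdict."""
    sa = InboundSA(spi=0x1000ABCD)
    return {
        "in_order": [sa.check(s) for s in (1, 2, 3)],
        "replay": sa.check(2),            # already seen: rejected
        "jump_ahead": sa.check(70),       # large gap (packets lost): accepted, window slides
        "late_in_window": sa.check(10),   # 70 - 10 = 60 < 64 and not seen: accepted
        "too_old": sa.check(5),           # 70 - 5 = 65 >= 64: rejected
        "late_replay": sa.check(10),      # second copy of 10: rejected
    }
```

The window is why a captured ESP packet cannot simply be resent later, and why the receiver never needs to remember every sequence number: anything older than the window is dropped without lookup. A real SA must also be rekeyed (or use 64-bit Extended Sequence Numbers) before the counter wraps.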
18. Which hashing algorithm is currently considered highly insecure and should NOT be used for data integrity checks within a modern VPN configuration?
Answer (C): MD5
MD5 was cryptographically broken in 2004, when practical collision attacks were demonstrated, and collisions have been cheap ever since. HMAC-MD5 is not directly broken by collisions, but there is no reason to keep a broken hash in a security protocol, and RFC 8221 marks HMAC-MD5-96 as MUST NOT for ESP and AH. Modern VPN configurations should use SHA-256 or SHA-384 HMACs, or an AEAD such as AES-GCM that needs no separate hash.
19. What does the "Diffie-Hellman" algorithm provide during the establishment of a VPN tunnel?
Answer (D): A secure method for two parties to mathematically generate and agree upon a shared secret key over an insecure, monitored channel
Diffie-Hellman (DH) allows two parties to jointly generate the same secret number without transmitting it—an eavesdropper sees the public values but cannot compute the secret due to the Discrete Logarithm Problem. This shared secret seeds the symmetric encryption keys.
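The following Python example is added for this page (it is not the quiz's or any IKE implementation's code) and covers both Q11 and Q19: a fresh Diffie-Hellman exponent per session, authenticated with a long-term pre-shared key, and the forward-secrecy consequence that two sessions under the same PSK yield unrelated keys and leave no exponent behind. Assumptions: the group is the 1024-bit MODP group 2 from RFC 2409 §6.2, chosen only because it is the shortest standard IKE group and checked for primality at test time; it is too small for production, where MODP 2048 (RFC 3526 group 14) or ECDH is used. Peer authentication is reduced to an HMAC over the exchange keyed with the PSK, standing in for IKE's AUTH payload, and the PSK itself is constructed.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group 2 (RFC 2409 §6.2), transcribed; kept only for compactness of the example.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; used to sanity-check the transcribed modulus (and that (P-1)/2 is prime)."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class Peer:
    """One IKE side: a long-term pre-shared key plus a fresh DH exponent for every session."""

    def __init__(self, psk: bytes):
        self.psk = psk
        self._x = None                      # ephemeral private exponent; never leaves this object

    def new_ephemeral(self) -> int:
        """Pick a fresh private exponent and return the public value g^x mod p (the KE payload)."""
        self._x = secrets.randbits(256) | (1 << 255)   # 256-bit exponent is ample for this group
        return pow(G, self._x, P)

    def auth_tag(self, transcript: bytes) -> bytes:
        """Stand-in for IKE's AUTH payload: HMAC over the exchange, keyed with the long-term PSK."""
        return hmac.new(self.psk, transcript, hashlib.sha256).digest()

    def session_key(self, peer_public: int) -> bytes:
        """Derive the session key from g^xy (SKEYSEED-style hashing), then erase the exponent."""
        if not 1 < peer_public < P - 1:
            raise ValueError("rejecting degenerate public value (0, 1 or p-1)")
        shared = pow(peer_public, self._x, P)
        self._x = None                      # forward secrecy depends on this value being gone
        return hashlib.sha256(shared.to_bytes(P_BYTES, "big")).digest()

    def exponent_erased(self) -> bool:
        return self._x is None


def run_session(initiator: Peer, responder: Peer) -> bytes:
    """One handshake: exchange KE values, check the PSK-based tags, derive the same key on both sides."""
    g_xi, g_xr = initiator.new_ephemeral(), responder.new_ephemeral()
    transcript = g_xi.to_bytes(P_BYTES, "big") + g_xr.to_bytes(P_BYTES, "big")
    if not hmac.compare_digest(initiator.auth_tag(transcript), responder.auth_tag(transcript)):
        raise ValueError("authentication failed: peers hold different PSKs")
    k_i, k_r = initiator.session_key(g_xr), responder.session_key(g_xi)
    if k_i != k_r:
        raise RuntimeError("key agreement mismatch")
    return k_i


def forward_secrecy_demo() -> dict:
    """Two sessions under one PSK. An attacker who recorded both transcripts and later steals the
    PSK can forge tags from then on, but cannot recompute either past key: that would need an
    exponent that was never transmitted and no longer exists."""
    psk = b"constructed-long-term-psk"      # constructed
    a, b = Peer(psk), Peer(psk)
    k1, k2 = run_session(a, b), run_session(a, b)
    return {"ephemeral_keys_differ": k1 != k2,
            "exponents_erased": a.exponent_erased() and b.exponent_erased()}


def psk_mismatch_rejected() -> bool:
    """Authentication still matters: DH alone would happily agree a key with an impostor."""
    try:
        run_session(Peer(b"right-psk"), Peer(b"wrong-psk"))
    except ValueError:
        return True
    return False
```

Two points the code makes explicit: the public-value check in `session_key` rejects the degenerate values 0, 1 and p-1 that would force the shared secret into a tiny set, and the exponent is discarded the moment the key is derived. Contrast PPTP, where the session key is a function of the password hash alone, so one recovered hash decrypts every recorded session.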
20. In enterprise networking, how does a Clientless VPN typically function?
Answer (B): By utilizing the user's standard web browser to create a secure, encrypted HTTPS session to a specialized web portal, providing access to specific internal web applications
Clientless SSL VPNs (e.g., Cisco ASA WebVPN, Fortinet SSL-VPN) present a web portal over HTTPS. Users authenticate in their browser and access internal web apps, RDP, SSH, and file shares—no VPN agent installed, ideal for contractor access.
VPN — Advanced
1During IKEv1 Phase 1, what is the primary difference between "Main Mode" and "Aggressive Mode"?
CorrectB: Main Mode requires six packet exchanges and encrypts the peer identities, while Aggressive Mode accomplishes the exchange in three packets but transmits the peer identities in plaintext
IKEv1 Main Mode uses 6 messages: SA proposal, DH exchange, then the identity and authentication payloads sent encrypted. Aggressive Mode compresses this into 3 messages, but the identity (hostname, IP address or group name) goes out unencrypted, and with PSK authentication the responder's hash in message 2 is also in the clear, so anyone who captured the exchange can run an offline dictionary attack on the PSK (ike-scan and psk-crack automate both the identity enumeration and the cracking). Disable Aggressive Mode with PSK; where dynamic-IP peers make Main Mode with PSK impractical, use certificates or move to IKEv2.
2How does the encapsulation process of GRE (Generic Routing Encapsulation) differ significantly from IPsec ESP?
CorrectA: GRE can encapsulate various network layer protocols (like IPX, AppleTalk, or multicast traffic) but provides zero native encryption, whereas IPsec provides robust encryption but generally struggles with non-unicast IP traffic
GRE (RFC 2784, IP protocol 47) wraps any network-layer protocol inside an IP packet, so it carries multicast, broadcast and non-IP traffic, but it has no encryption and no cryptographic authentication (the optional key field of RFC 2890 is a tunnel identifier, not a secret). IPsec encrypts and authenticates, but its SAs are negotiated for unicast IP traffic selectors. Running GRE inside IPsec gives both capabilities, at the cost of an extra 24 bytes of headers per packet.
3Why is BGP (Border Gateway Protocol) often run over a GRE over IPsec tunnel rather than directly over IPsec?
CorrectD: Because IPsec natively does not support multicast or broadcast traffic, which routing protocols often require; GRE encapsulates this traffic, and IPsec then encrypts the GRE tunnel
BGP itself is unicast TCP, so it could in principle run directly over IPsec; the real motivation is that OSPF and EIGRP use multicast hellos that an IPsec SA will not carry, and that a tunnel interface gives any routing protocol a next hop to peer over. The classic enterprise pattern is IPsec protecting the GRE tunnel, with the routing protocol (BGP, OSPF or EIGRP) inside GRE, which provides both encryption and protocol support. Route-based VPNs with a virtual tunnel interface (VTI) achieve the same result without the GRE layer.
4In an IKEv2 IPsec negotiation, what is the specific role of the IKE_AUTH exchange?
CorrectC: To authenticate the previous messages, transmit identities, and establish the first IPsec Child Security Association (Child SA)
IKEv2 (RFC 7296) brings a tunnel up in two exchanges, four messages in total. IKE_SA_INIT carries the DH values, nonces and SA proposals. IKE_AUTH, sent encrypted under the keys just derived, carries the identities, authenticates the IKE_SA_INIT messages (certificate signature, PSK-derived MAC or EAP), and negotiates the first Child SA in the same round trip. IKEv1 needed nine messages for the same result (six in Main Mode plus three in Quick Mode); EAP methods add a few extra IKE_AUTH round trips.
5What is the function of "Dead Peer Detection" (DPD) in a VPN environment?
CorrectB: A mechanism that uses periodic keep-alive messages to determine if a VPN peer has become unreachable, allowing the system to tear down orphaned Security Associations and reclaim resources
DPD (RFC 3706, defined for IKEv1) sends an R-U-THERE notification to a peer that has been idle and expects an R-U-THERE-ACK; if none arrives within the retry limit, the local gateway declares the peer dead, deletes its IKE and IPsec SAs and frees the state, so stale tunnels do not accumulate and failover to a backup peer can start. IKEv2 provides the same liveness check with an empty INFORMATIONAL exchange. DPD only tests reachability of the IKE peer; it will not notice a tunnel whose SAs are up but whose inner routing is broken.
6When configuring IPsec, what does a mismatch in the "Transform Set" across two peers result in?
CorrectA: A complete failure of Phase 2 negotiation, meaning the IPsec tunnel will not establish because the peers cannot agree on how to protect the data
A transform set defines the ESP (or AH) encryption and integrity algorithms for Phase 2, with a DH group added only when PFS is enabled. Peers may offer several proposals and any one in common suffices, so if peer A offers only AES-256/SHA-256 with PFS group 14 and peer B accepts only AES-128/SHA-1 with group 2, Phase 2 fails with NO_PROPOSAL_CHOSEN and no tunnel forms, even though Phase 1 succeeded. Traffic-selector (proxy ID) mismatches fail Phase 2 too, with a different notification (INVALID_ID_INFORMATION in IKEv1, TS_UNACCEPTABLE in IKEv2), so check both when debugging.
7In advanced VPN evasion, what technique do "Obfuscated Servers" (or Stealth VPNs) typically use to bypass Deep Packet Inspection (DPI) firewalls, such as the Great Firewall of China?
CorrectC: They wrap OpenVPN or WireGuard traffic inside an additional SSL/TLS wrapper or utilize XOR scrambling, making the packets appear as indistinguishable, regular HTTPS web traffic
Obfuscation layers (obfs4, Stunnel, V2Ray/Xray with TLS, Shadowsocks) either wrap the VPN payload in a real TLS session so that it looks like an ordinary HTTPS connection, or scramble it so that it has no recognisable signature at all, sometimes also padding packet lengths and timing. This defeats DPI signature matching for OpenVPN and WireGuard handshakes, but none of it is undetectable: censors use active probing and traffic-analysis classifiers, so obfuscation is an arms race rather than a guarantee.
8What specific cryptographic curve does the WireGuard protocol rely on for its highly efficient asymmetric key exchange?
CorrectD: Curve25519
WireGuard uses Curve25519 (the X25519 function) for ECDH in its Noise_IK handshake, alongside ChaCha20-Poly1305, BLAKE2s and HKDF; the suite is fixed, so there is no cipher negotiation to downgrade. Curve25519 was designed by Daniel J. Bernstein for speed and for resistance to implementation errors such as invalid-curve and timing attacks. Each peer's static Curve25519 key is configured permanently and identifies the peer; an ephemeral Curve25519 key per handshake provides forward secrecy, and sessions are rekeyed roughly every two minutes.
9When dealing with VPN fragmentation, what does adjusting the Maximum Segment Size (MSS) clamping effectively do?
CorrectB: It proactively instructs communicating TCP endpoints to reduce their maximum packet size, preventing the addition of IPsec/GRE headers from exceeding the MTU and causing packet fragmentation or drops
A TCP endpoint on a 1500-byte Ethernet link advertises an MSS of 1460 and produces 1500-byte packets; adding GRE (24 bytes) and ESP tunnel-mode headers, IV, padding and ICV (roughly 50 to 80 bytes) pushes them over the MTU, so they are fragmented or, when DF is set and ICMP is filtered, silently dropped. MSS clamping rewrites the MSS option in the TCP SYN as it crosses the tunnel router (for example iptables TCPMSS --clamp-mss-to-pmtu, or a vendor ip tcp adjust-mss command) to a value such as 1360, so every encapsulated packet stays within the MTU without relying on Path MTU Discovery, which often fails because ICMP is blocked somewhere on the path.
10What is the primary vulnerability of utilizing Pre-Shared Keys (PSKs) for Phase 1 IPsec authentication in a large enterprise?
CorrectC: If the single shared key is compromised, an attacker can authenticate as any endpoint, and managing secret distribution across hundreds of devices is highly unscalable
PSKs are symmetric secrets that must be distributed to every peer. With hundreds of branch offices sharing one group PSK, a single leak (a stolen config backup, a decommissioned router) lets an attacker authenticate as any site or impersonate the hub, and rekeying means touching every device by hand. A distinct PSK per peer limits the blast radius but not the distribution problem. Certificate-based authentication, with an internal CA issuing and revoking per-device certificates, is the recommended approach at scale.
11Which cryptographic mode of operation is most heavily favored in modern IPsec implementations (such as AES-GCM) because it provides both confidentiality and data origin authentication simultaneously?
CorrectA: Authenticated Encryption with Associated Data (AEAD)
AEAD modes such as AES-128-GCM and AES-256-GCM (RFC 4106) and ChaCha20-Poly1305 (RFC 7634) encrypt the payload and produce a single authentication tag covering both ciphertext and associated data (the ESP header) in one pass. This replaces the separate HMAC required with CBC, cuts per-packet overhead, and removes the padding-oracle class of bugs that affected CBC-with-HMAC designs. Two consequences for configuration: with an AEAD the ESP integrity algorithm is set to none, since a separate HMAC would be redundant, and the counter-mode nonce must never repeat under one key, which IPsec guarantees by deriving the IV from the packet counter and rekeying before it wraps.
12In the context of SSL/TLS VPNs (like Cisco AnyConnect or GlobalProtect), what does a "Datagram Transport Layer Security" (DTLS) fallback mechanism provide?
CorrectD: It allows the VPN to utilize UDP instead of TCP for the encrypted payload, significantly reducing latency and preventing the "TCP Meltdown" problem when tunneling TCP over TCP
DTLS 1.2 (RFC 6347; DTLS 1.3 is RFC 9147) is TLS adapted to UDP, with its own record sequence numbers and handshake retransmission. AnyConnect first establishes TLS over TCP 443 for control, then brings up DTLS on UDP 443 for the data path, so tunnelled TCP flows are no longer retransmitted by an outer TCP layer. If UDP is blocked on the path, the client keeps the slower TLS-over-TCP tunnel. (GlobalProtect prefers ESP over UDP for the same reason and falls back to its SSL tunnel.)
13What is the function of the "SPI" (Security Parameter Index) within an IPsec Encapsulating Security Payload (ESP) header?
CorrectB: It is a unique 32-bit identifier used by the receiving gateway to determine which specific Security Association (SA) and cryptographic keys should be used to process the incoming packet
The SPI is the first field of the ESP header: a 32-bit value chosen by the receiver during IKE negotiation (values 1 to 255 are reserved). The receiving gateway looks it up in its Security Association Database to find the keys, algorithms and anti-replay state for that packet; under RFC 4301 the SPI alone identifies a unicast SA, while older RFC 2401 implementations keyed on SPI, destination address and protocol. Because the SPI is sent in the clear, a passive observer can count distinct tunnels and packets per tunnel even though the payload is opaque.
14Why is the concept of a "TCP Meltdown" a major architectural concern when deploying OpenVPN over TCP?
CorrectC: Stacking a TCP connection (the payload) inside another TCP connection (the tunnel) causes compounding, exponentially delayed retransmissions when a single packet is lost on a congested network
When a packet is lost on a congested link, the outer TCP (the OpenVPN transport) retransmits it; the inner TCP (the application's connection carried inside the tunnel) sees the same loss as delay, times out and retransmits too. Both layers back off their retransmission timers exponentially, and the inner retransmissions queue behind the outer layer's reliable delivery, so a single loss can stall the inner connection for seconds and throughput collapses. OpenVPN over UDP (its default) and WireGuard, which is UDP-only, avoid this; use TCP transport only when UDP is blocked.
15Which advanced capability allows a modern SD-WAN architecture to scale massively compared to traditional Hub-and-Spoke IPsec VPNs?
CorrectA: Utilizing a centralized controller to orchestrate policies and relying on protocols like NHRP to allow branches to dynamically build direct, temporary IPsec tunnels to one another as traffic demands
SD-WAN controllers (Cisco vManage, Versa Director, VMware VeloCloud) push policy centrally while branches build spoke-to-spoke IPsec tunnels on demand and steer traffic across several WAN links at once. NHRP is specifically what Cisco DMVPN uses to discover a spoke's real address and build that dynamic tunnel; most SD-WAN products reach the same result with their own control-plane protocols (Cisco SD-WAN uses OMP). The architectural point is the same either way: no hub in the data path for branch-to-branch traffic and no per-tunnel manual configuration.
16What role does the "X-Auth" (Extended Authentication) mechanism serve in legacy IKEv1 VPN implementations?
CorrectC: It provides a secondary layer of authentication, requiring the remote user to enter a username and password (often linked to RADIUS/LDAP) after the initial machine-level IPsec tunnel is established
IKEv1 Phase 1 authenticates only the machine or group (via PSK or certificate). XAUTH, an IETF draft that never became an RFC, inserts a "Phase 1.5" exchange after Phase 1 in which the gateway prompts for user credentials and checks them against RADIUS, LDAP or TACACS+. The common remote-access combination of Aggressive Mode, a group PSK and XAUTH is weak, because the group PSK can be cracked offline and then used to impersonate the gateway and harvest user credentials. IKEv2 replaced XAUTH with standard EAP inside IKE_AUTH.
17In the IPsec protocol suite, what critical protection does incorporating a monotonically increasing "Sequence Number" in the ESP header provide?
CorrectD: It provides anti-replay protection, allowing the receiving gateway to detect and silently discard intercepted packets that an attacker attempts to maliciously re-transmit later
Each ESP packet carries a 32-bit sequence number that the sender increments for every packet on the SA and must never let wrap: the SA has to be rekeyed before 2^32 packets (Extended Sequence Numbers in RFC 4303 use a 64-bit counter of which only the low 32 bits are transmitted). The receiver keeps a sliding window (at least 32 packets, commonly 64 or more) anchored at the highest sequence number verified so far; a packet that duplicates one already seen or falls below the window is dropped, and the window only advances after the ICV checks out, so a forged sequence number cannot move it. This stops an attacker from re-sending captured valid packets. Heavy reordering on the tunnel path (QoS queues, multipath) can push legitimate packets outside a small window, which shows up as anti-replay drops.
18How does a "Policy-Based VPN" differ architecturally from a "Route-Based VPN"?
CorrectA: Policy-Based VPNs rely on specific Access Control Lists (ACLs) to dictate which exact subnets trigger encryption, while Route-Based VPNs create a virtual tunnel interface (VTI) where any traffic directed to that route is encrypted
Policy-based VPNs use a crypto map with ACLs: only traffic matching a src/dst entry is encrypted, each entry negotiates its own SA pair, and adding a subnet means editing both ends. Route-based VPNs bind the IPsec SA to a virtual tunnel interface (Cisco VTI, Junos st0, Linux xfrm interface); anything the routing table sends to that interface is encrypted, routing protocols run over it, and policy is expressed with ordinary routes and firewall rules. Route-based is also the model the major cloud providers recommend for site-to-site VPN.
19Within the WireGuard protocol design, what is the concept of "Cryptokey Routing"?
CorrectB: A strict security mechanism where a specific public key is inextricably mapped to a specific list of allowed internal IP addresses, implicitly tying network routing to peer authentication
WireGuard has no notion of a connection: each peer's public key is mapped to an AllowedIPs list, and that table is the routing table. Outbound, the destination address of a packet is matched (longest prefix) against all peers' AllowedIPs to pick the public key to encrypt to. Inbound, after a packet decrypts under a peer's session, its inner source address must route back to that same peer or it is dropped. Authentication and authorisation therefore happen in one lookup: a peer can only ever inject traffic from the addresses assigned to its key, so there is no separate anti-spoofing filter to forget.
20When evaluating VPN security against quantum computing threats, what is the primary defensive strategy currently being developed for protocols like IPsec and TLS?
CorrectD: Implementing Post-Quantum Cryptography (PQC) Key Encapsulation Mechanisms (KEMs), such as ML-KEM, to establish quantum-resistant shared secrets during the initial handshake
NIST finalised its first PQC standards in August 2024: FIPS 203 (ML-KEM, derived from Kyber), FIPS 204 (ML-DSA, from Dilithium) and FIPS 205 (SLH-DSA). RFC 9370 extends IKEv2 so that several key exchanges can be combined in one IKE SA, allowing a classical ECDH plus an ML-KEM exchange, and the TLS working group is standardising hybrid groups such as X25519 combined with ML-KEM-768 for TLS 1.3; RFC 8784 offers a simpler stop-gap for IKEv2 by mixing a Post-quantum Preshared Key into the key derivation. The driver is harvest-now-decrypt-later: recorded VPN traffic stays confidential only if the key exchange resists a future quantum computer. Hybrid mode runs both exchanges and feeds both secrets into the KDF, so it is secure as long as either algorithm holds.
Conclusion: VPN as Privacy and Access Control
VPNs are essential for both remote workers (enterprise) and privacy-conscious users (personal). These 60 MCQs span VPN protocols (OpenVPN, WireGuard, IPSec), security features (encryption, kill switch, DNS protection), threat models (ISP monitoring, WiFi eavesdropping), and VPN provider evaluation. Choose VPN based on use case: privacy = WireGuard/OpenVPN; enterprise = IPSec; mobility = IKEv2.
After completing this MCQ set, explore our VPN interview questions for deeper technical discussions, and review the full theory notes for detailed explanations of each concept covered here.
Key Takeaways — VPN
- VPN Protects: Confidentiality (encryption), integrity (authentication), but only handles transit security — the provider sees your true IP and destination.
- Protocol Performance: WireGuard is fast and modern; OpenVPN is highly flexible; IPSec/IKEv2 is the standard for corporate site-to-site and mobile tunnels; PPTP is broken (its MS-CHAPv2 authentication can be cracked offline) and L2TP on its own has no encryption at all.
- Kill Switch Mandatory: Prevents unencrypted traffic leakage if VPN connection drops.
- DNS Leaks Reveal Behavior: Even with VPN encryption, DNS queries to ISP's resolver leak website visits. VPN must handle DNS internally.
- Split Tunneling Trades Speed for Security: Faster but unencrypted traffic is visible to the local network or ISP.
- Zero Trust alternatives: Enterprises are shifting from traditional corporate-perimeter VPNs toward Zero Trust Network Access (ZTNA) to enforce identity-based access per resource.
Quick Review & Summary
Use this summary table to consolidate key concepts before or after attempting the questions.
| VPN Aspect | Consideration | Best Practice |
|---|---|---|
| Protocol | Speed, compatibility, complexity | WireGuard (modern), OpenVPN (flexible), IPSec (enterprise) |
| Encryption | Protect data from ISP/network monitor | AES-256-GCM or ChaCha20-Poly1305; TLS 1.3 (OpenVPN), the Noise handshake (WireGuard) or IKEv2 with DH group 14 or higher (IPsec) for key exchange |
| Kill Switch | Prevent unencrypted leakage on disconnect | Mandatory; test with network interfaces disabled |
| DNS Leak | DNS queries reveal websites visited | VPN handles DNS internally; test with dnsleaktest.com |
| Split Tunneling | Speed vs. Security trade-off | Disable for sensitive data; enable if speed critical for non-sensitive |
| No-Logs Policy | Prevent data retention | Look for independently audited no-logs claims |
| Jurisdiction | Legal obligations to government requests | Countries with strong privacy laws (CH, NL, RO) |
Frequently Asked Questions
Q. What is a VPN and how does it work?
Q. What is the difference between Site-to-Site VPN and Remote Access VPN?
Q. What VPN protocols are most commonly used?
Q. What is a VPN split tunnel?
Q. What security risks do free VPN services present?
Q. What is a kill switch in a VPN?
Q. How does a VPN protect against Man-in-the-Middle attacks on public Wi-Fi?
Struggling with some questions? Re-read the full Theory Guide: VPN