6 exercises — fill in the blanks in VPN configuration and design sentences, then answer comprehension questions on real VPN architecture descriptions.
0 / 6 completed
1 / 6
Fill in the blank: "We configured a ____ VPN between our two office locations so that traffic between both sites is always encrypted, without any per-user client software."
Site-to-site VPN — connects two entire networks (e.g., two office locations, or an office and a cloud VPC) over an encrypted tunnel, established between gateway devices (routers/firewalls) rather than individual user devices. Users on either side simply see normal connectivity to the other site — no client software or per-user login is required.
VPN type vocabulary: • Site-to-site VPN: network-to-network, gateway-to-gateway, always-on • Remote access VPN: an individual user's device connects to a corporate network from anywhere, typically via client software and requiring authentication (e.g., "sales reps use the remote access VPN to reach internal tools while travelling")
Sentence pattern: "We use a site-to-site VPN between our AWS VPC and our on-prem data centre" vs. "employees connect via a remote access VPN client when working from home."
2 / 6
Fill in the blank: "With ____, only traffic destined for the corporate network goes through the VPN tunnel — general internet browsing goes directly out the user's local connection."
Split tunneling — allows the user to access both the internet (directly, via their local connection) and the corporate network (via the VPN tunnel) simultaneously, routing only corporate-destined traffic through the tunnel.
Split tunnel vs. full tunnel: • Split tunneling: reduces load on the corporate VPN concentrator and improves general browsing performance, but internet traffic is not inspected or protected by corporate security controls • Full tunnel: ALL traffic — including general internet browsing — is routed through the VPN and out through the corporate network; gives full visibility and security control, but adds latency and load
Security trade-off vocabulary: "we disabled split tunneling for this policy group because compliance requires all traffic to pass through our DLP inspection" is a common justification for choosing full tunnel over split.
3 / 6
Fill in the blank: "IPsec typically uses ____ to negotiate and establish the security association between the two VPN endpoints before any data is encrypted."
IKEv2 (Internet Key Exchange version 2) — the protocol IPsec uses to negotiate cryptographic keys and parameters and establish a Security Association (SA) between two VPN endpoints, before any actual data traffic is encrypted and sent.
Key IPsec components: • IKE (IKEv1/IKEv2): negotiates and authenticates the tunnel, establishes shared keys • ESP (Encapsulating Security Payload): provides encryption and integrity for the actual data packets — the workhorse that protects the payload • AH (Authentication Header): provides integrity and authentication but NOT encryption (rarely used alone today, since most use cases need confidentiality) • Security Association (SA): the agreed-upon set of parameters (algorithm, keys, lifetime) both sides use for the tunnel
Sentence pattern: "The tunnel uses IKEv2 for key exchange and ESP in tunnel mode for encrypting the payload."
4 / 6
Fill in the blank: "____ is a modern VPN protocol known for its small codebase, fast performance, and use of state-of-the-art cryptography (Curve25519, ChaCha20) compared to older protocols like IPsec."
WireGuard — a modern VPN protocol (built into the Linux kernel since 5.6) prized for simplicity: its codebase is roughly 4,000 lines, versus tens of thousands for OpenVPN or IPsec implementations, making it easier to audit and generally faster.
Tunneling protocol landscape: • IPsec: the long-standing industry-standard suite (IKEv2 + ESP), widely supported across vendors, considered the "enterprise default" • OpenVPN: open-source, SSL/TLS-based, highly configurable, works over UDP or TCP (useful for bypassing restrictive firewalls since it can run on port 443) • WireGuard: modern, minimal, fast, increasingly the default choice for new deployments • GRE (Generic Routing Encapsulation): a simple tunneling protocol that encapsulates packets but does NOT encrypt them by itself — often paired with IPsec ("GRE over IPsec") to add encryption
Interview-relevant phrase: "GRE alone provides tunneling but no encryption — for a secure tunnel you'd run GRE over IPsec, or just use IPsec/WireGuard directly."
5 / 6
Comprehension: "Our architecture uses a hub-and-spoke VPN design: each branch office establishes a site-to-site IPsec tunnel back to the headquarters data centre, which acts as the hub. Branch-to-branch traffic is routed through the hub rather than directly between spokes." What is a likely downside of this design compared to a full mesh?
Hub-and-spoke trades off simplicity for indirect branch-to-branch paths: every spoke (branch) only needs one tunnel to the hub, so the number of tunnels scales linearly (N tunnels for N branches) rather than the N×(N-1)/2 tunnels a full mesh would need — much simpler to manage. The downside is that branch-to-branch traffic takes a longer path through the hub, adding latency, and the hub becomes a single point of failure/bottleneck if it goes down or is undersized.
Contrast with full mesh: every site has a direct tunnel to every other site — lower latency between any two sites, but the number of tunnels grows quickly and becomes hard to manage at scale.
This is a classic architecture trade-off engineers must be able to explain clearly: "we chose hub-and-spoke because the majority of our traffic is branch-to-headquarters, not branch-to-branch, so the indirect path isn't a practical problem, and it's far simpler to operate."
6 / 6
Comprehension: "The remote access VPN terminates on a concentrator in our DMZ. Users authenticate via SAML SSO before the tunnel is established, and once connected they can only reach a limited set of internal subnets defined by their access group — this is enforced by post-connection ACLs, not just the VPN itself." What security principle is being described?
Least privilege — a core security principle: users/systems should have access only to what they specifically need, nothing more. This passage describes a VPN architecture that does not simply grant full internal network access on connect; instead, ACLs applied after the VPN tunnel is up further restrict each user (or group) to specific subnets.
Related architecture vocabulary: • Concentrator: the device that terminates many VPN tunnels — typically a dedicated appliance or firewall feature • SSO (Single Sign-On) / SAML: authentication method integrated with the VPN login, often paired with MFA • Access group / policy group: a set of users mapped to specific permitted destinations • Zero trust: a broader philosophy where connecting to the VPN alone is not treated as sufficient trust — every subsequent access request is separately verified
This kind of description is common when justifying a VPN design in a security review or architecture document.
What does the "VPN & Tunneling Vocabulary — Networking Language Exercises" exercise cover?
Practise VPN and tunneling vocabulary in English: site-to-site vs. remote access, split vs. full tunnel, IPsec (IKEv2, ESP, AH), OpenVPN, WireGuard, GRE, and VPN architecture description.
Is this exercise free to use?
Yes. Every exercise on CoderSlingo, including this one, is free to use with no account, sign-up, or paywall.
How many questions are in "VPN & Tunneling Vocabulary — Networking Language Exercises"?
This exercise has 6 questions. Each one gives instant feedback with an explanation, so you can see exactly why an answer is right or wrong.
Do I need to create an account to save my progress?
No account is required. The progress bar and score are tracked in your browser for the current session -- the exercise is designed to be a quick, repeatable drill rather than something you resume later.
What happens if I get an answer wrong?
You'll see the correct answer highlighted immediately, along with a short explanation of why it's correct. Wrong answers aren't penalized beyond your score, and you can keep going through every question.
How is this exercise different from reading an article?
Articles explain vocabulary and concepts through prose, while exercises like this one are interactive drills -- multiple-choice questions -- that test and reinforce your recall of specific terms and phrasing.
Can I retry this exercise?
Yes -- use the "Try again" button on the results screen to reset your score and go through all the questions again from the start.
Where can I find more Networking Language exercises?
Browse the full Networking Language hub for related drills, or check the site-wide exercises index for other IT English topics.
Is this exercise suitable for beginners?
This exercise assumes basic familiarity with IT terminology. If a term feels unfamiliar, check the site Glossary for a plain-English definition before attempting the questions.
How often is new content like this published?
New exercises are added regularly across all categories, alongside new vocabulary sets and articles. Check back on the exercises hub to see what's new.