Glossary

Here are some common terms used in the Crux documentation along with a few other general networking terms.

VPN

Acronym for Virtual Private Network: a logical network of hosts layered on top of other, physical networks (such as the physical networks that make up the Internet). Typically the communication between hosts in a VPN is encrypted, and is routed via private network addresses. This enables applications running on two hosts separated by multiple insecure, physical networks to communicate as if they had a direct, secure connection to one another.

Sometimes “VPN” is also used as shorthand for a VPN server.

VPN Server

Host that can route traffic from other hosts in a VPN to hosts outside of the VPN. For consumer-oriented VPNs, a VPN server usually routes traffic from the VPN to the Internet; for business VPNs, a VPN server usually routes traffic from the VPN to other private networks of the business. With Crux VPN, any host (if so configured) can act as a VPN server — the underlying WireGuard protocol does not have built-in server or client roles.

VPN Client

Host that is part of a VPN, but does not route traffic for other hosts in the VPN.

Host

A computer running an operating system with a network stack, such as a server, laptop, virtual machine, mobile phone, tablet, or Internet-of-Things (IoT) device.

Crux VPN Host

A host running the Crux VPN agent. When run inside a Docker container, the Crux VPN host is the container itself, not the container’s host.

When we use the general term “host” in the documentation, we typically mean a Crux VPN host.

Crux VPN Agent

A lightweight service that runs on each monitored host and sends usage and audit logs to the Crux servers. If configured to do so, it can also update the host’s Crux VPN and network configuration.

When we use the general term “agent” in the documentation, we typically mean the Crux VPN agent.

Monitored Host

A host running the Crux VPN agent software. When the agent is run inside a Docker container, the monitored host is the container itself, not the container’s host.

Network Device

Generally any component that is physically or logically part of a network. From a software perspective, this may be a physical hardware device, such as an Ethernet card, or a virtual device that emulates the behavior of a physical network device.

Crux VPN presents a virtual network device to each host on which it runs, allowing the host’s software to interact with it exactly as if it were a physical network device.

Network Interface

A software device that connects a host to a network. It may represent a physical connection through a wired or wireless network card on the computer (such interfaces typically would be given names like eth0 or wl0), or it may represent an entirely virtual connection (such as the connection to a Crux VPN network).

Crux VPN Interface

A Crux VPN network interface running on a host. The same host may have many different interfaces.

A host sends traffic to a Crux VPN network through its interface to the network. From the perspective of a host, an interface is the local side of its connection to a network.

The convention for naming Crux VPN interfaces is to prefix them with the lowercase letters crux, and use a digit (usually starting with 0) to distinguish among multiple interfaces of the same type on a host (so on a host with two interfaces, the interfaces typically would be named crux0 and crux1).

When we use the general term “interface” in the documentation, we typically mean a Crux VPN interface.

Crux VPN Endpoint

The combination of IP address and port (such as 192.0.2.1:51820) to which traffic for a member of a Crux VPN network is sent. From the perspective of a host, an endpoint is the remote side of its connection to another member.

When we use the general term “endpoint” in the documentation, we typically mean a Crux VPN endpoint.

Crux VPN Peer

The identity of a member of a Crux VPN network. The same host may be a member of many distinct networks, appearing as a different peer to each.

Each peer uses a unique X25519 key pair to authenticate itself to other peers. The public part of this key pair, its “public key” (typically represented as a 44-character base64-encoded string like O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik=), uniquely identifies the peer.
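The interface, endpoint, and peer definitions above imply concrete formats that can be checked before a peer record is trusted. The following is an added example, not Crux VPN code: `lint_peer` and the record layout are hypothetical, and the sample key and endpoint are the ones quoted in this glossary. It also rejects non-canonical base64, because a key that "uniquely identifies the peer" must compare equal as a string.

```python
import base64
import binascii
import ipaddress
import re

IFACE_RE = re.compile(r"crux[0-9]+")   # glossary naming convention: crux0, crux1, ...

def is_valid_public_key(key: str) -> bool:
    """True if key is the canonical 44-character base64 form of 32 raw bytes."""
    if len(key) != 44:
        return False
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return False
    # Re-encode so that look-alike strings decoding to the same bytes are rejected.
    return len(raw) == 32 and base64.b64encode(raw).decode("ascii") == key

def parse_endpoint(endpoint: str):
    """Return (ip, port) for 'IPv4:port' or '[IPv6]:port'; raise ValueError otherwise."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not (port.isascii() and port.isdigit()):
        raise ValueError(f"no numeric port in {endpoint!r}")
    bracketed = host.startswith("[") and host.endswith("]")
    ip = ipaddress.ip_address(host[1:-1] if bracketed else host)
    if (ip.version == 6) != bracketed:
        raise ValueError(f"IPv6 needs brackets, IPv4 must not have them: {endpoint!r}")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range in {endpoint!r}")
    return ip, int(port)

def lint_peer(interface: str, public_key: str, endpoint: str) -> list:
    """Collect every problem found in one (hypothetical) peer record."""
    problems = []
    if not IFACE_RE.fullmatch(interface):
        problems.append("interface name does not follow the cruxN convention")
    if not is_valid_public_key(public_key):
        problems.append("public key is not 44-char base64 of 32 bytes")
    try:
        parse_endpoint(endpoint)
    except ValueError as exc:
        problems.append(f"bad endpoint: {exc}")
    return problems

if __name__ == "__main__":
    # Constructed records; the key and endpoint are the glossary's own sample values.
    key = "O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik="
    print(lint_peer("crux0", key, "192.0.2.1:51820"))
    print(lint_peer("eth0", key[:-2] + "l=", "192.0.2.1:70000"))
```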

Local Peer

From the perspective of a host, one of the identities the host itself uses to connect to one or more of its Crux VPN networks.

Remote Peer

From the perspective of a host, the identity of a different member of one or more of the host’s Crux VPN networks.

When we use the general term “peer” in the documentation, we typically mean a remote peer.

Crux VPN Network

A virtual private network, using private IP addresses (such as in the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 blocks), to connect two or more peers via a secure tunnel through other physical public and private networks.

The same host may be part of many different, overlapping networks. From the perspective of a host, a network consists of the peers to which it can connect via a specific interface.

Network Port

Identifier assigned to a specific remote process or service available at an IP address. For example, a well-known DNS resolution service is available from Cloudflare on port 53 at IP address 1.1.1.1.

The default network port for Crux VPN is 51820.

TCP

Acronym for Transmission Control Protocol (and also sometimes referred to as “TCP/IP”): a standard protocol for exchanging network traffic. Most network traffic takes the form of either TCP or UDP packets.

UDP

Acronym for User Datagram Protocol (and also sometimes referred to as “UDP/IP”): a standard protocol for exchanging network traffic. Most network traffic takes the form of either TCP or UDP packets.

Crux VPN uses UDP, so if you are prompted to choose between TCP and UDP when setting up or troubleshooting firewalls or other network configuration for Crux VPN, make sure you choose UDP for anything that’s supposed to identify or otherwise select Crux VPN traffic.

Public Key Pair

AKA asymmetric key pair: A pair of cryptographic keys, one of which is called the “public” key, and the other the “private” or “secret” key. The pair can be used two ways: 1) one party can use the public key to encrypt data that only the party with the private key can decrypt; and 2) the party with the private key can use it to sign data such that another party can use the public key to verify that the data was signed with the private key.

The security of encrypted or signed data rests entirely on the private key being kept secret, and nothing else. The public key, data encrypted with the public key, and data signed with the private key can all be exposed to the world without risk of the data being decrypted or forged, provided the private key remains secret.

Crux VPN generates public key pairs via Curve25519. These key pairs are not post-quantum safe; they can be used as a fallback to a post-quantum-safe deployment.

Symmetric Key Pair

Unlike asymmetric (public/private) key pairs, symmetric cryptography uses a single secret key that is shared between both parties. This key is used for both encrypting and decrypting data. Because both parties use the same key, it must be securely exchanged and kept secret on both ends—if the key is compromised, so is the communication.

In Crux VPN, symmetric keys are used for session encryption and are derived using a quantum-safe key agreement protocol. These symmetric keys are rotated regularly to ensure forward secrecy and can be refreshed without relying on traditional PKI or public key exchange. Crux VPN eliminates the need for certificates, instead treating symmetric key establishment as a secure and verifiable handshake process.