Which VPN Protocol is the Best? 6 Popular VPN Protocols Explained
- A VPN protocol (aka tunneling protocol) is a set of rules that help establish a secure connection (or “VPN tunnel”) between your device and a VPN server.
- OpenVPN and WireGuard are the most secure VPN protocols, and are widely used in VPN apps today.
- IKEv2/IPSec is great for mobile use, while SSTP is useful for bypassing censorship. However, neither is completely secure due to NSA-related concerns..
- Never use PPTP or L2TP/IPSec for any purpose, especially if you’re handling sensitive data online (e.g. logins, payment data).
VPN protocols are a combination of encryption standards, authentication methods, and transmission protocols. They influence how fast, stable, and secure your connection to the VPN server is. While there are plenty of VPN protocols out there, most VPN providers tend to stick to ones that offer the best performance and security.
In the following article, we’ll be taking a look at what a VPN protocol does. Next, we’ll discuss the most common VPN protocols available, and what the best VPN protocol is for popular use cases. Security, gaming, torrenting, bypassing censorship, you name it.
VPN Protocols Explained
Any Virtual Private Network (VPN) uses encryption protocols to provide secure connections between users and the services they use. And as mentioned initially, VPN protocols come with three main components.
First off, we have an encryption standard (e.g. AES-256 bit, ChaCha20). This is a set of complex algorithms that scramble your data to make it unreadable to outsiders.
Whether it’s hackers, your ISP, or three-letter government agencies, VPN encryption makes your Internet traffic look like complete gibberish.
Next, a VPN protocol needs an authentication method. Hashing algorithms like SHA-256 or SHA-512 can confirm whether the VPN server you’re connecting to is legit. They do so by using a unique print of a valid SSL certificate (much like those used by HTTPS websites).
In addition, each VPN protocol uses a transmission protocol (such as TCP or UDP). These are simply ways in which data packets are sent over the Internet.
The User Datagram Protocol (UDP) is useful for video calls, streaming, and gaming. Meanwhile, the Transmission Control Protocol (TCP) is used for email, instant messaging and similar activities where data integrity is essential.
Common VPN Protocols – A Quick Summary
Here’s a quick look at the different VPN protocols we’ll be discussing:
- OpenVPN – best VPN protocol for multiple purposes
- WireGuard – fastest VPN protocol on the market
- IKEv2/IPSec – best protocol for mobile devices
- L2TP/IPSec – useful when other VPN protocols don’t work
- SSTP – good for evading censorship, has security vulnerabilities
- PPTP – one of the more outdated protocols, easily hacked
Additionally, some VPN providers may have proprietary VPN protocols (i.e. built in-house). For example, NordVPN uses an upgraded version of WireGuard called NordLynx.
OpenVPN is a popular VPN protocol developed by James Yonan in 2001. Many VPN providers use it in their apps, as it’s widely considered the most secure VPN protocol available.
How so? Well, the OpenVPN protocol is open-source, meaning any tech-savvy individual can inspect the code for security vulnerabilities.
OpenVPN has no known security flaws, making it an excellent, secure protocol to protect your data against attackers.
Another advantage of OpenVPN is its flexibility. Most (if not all) VPN apps support OpenVPN on all operating systems, from Windows to Linux and mobile devices. Even unsupported platforms can use custom network configurations to enable manual OpenVPN connections.
You can also use OpenVPN with both TCP and UDP, depending on your current needs. While UDP is better for a VPN connection in general, TCP may be useful under poor network conditions.
It’s also the best protocol for VPN users that don’t want to fiddle with the default settings. In fact, some VPN services still have it as their default protocol. Some providers have a proprietary protocol enabled instead, which we’ll get to in a minute.
OpenVPN is also useful for bypassing VPN blocks when paired with various obfuscation methods. Obfuscation basically masks the fact that you’re using a VPN app, making it harder to detect by government filters.
Like anything, however, OpenVPN has a few disadvantages over other VPN protocols:
- Huge codebase – at around 600,000 lines of code, OpenVPN is not very efficient (versus something like WireGuard with only 4,000). This also makes it more difficult to inspect for any flaws.
- High data usage – OpenVPN is the most data-consuming protocol out there, especially if you have obfuscation enabled. Mobile users should keep this in mind.
When to use:
- One of the most secure protocols, perfect for staying safe and private online
- When you require obfuscation to hide your VPN activity and evade blocks
- Switching to OpenVPN TCP may help if you experience frequent disconnects.
When to avoid:
- For speed-reliant apps, such as online games
- If you have limited WiFi and cellular data, as OpenVPN increases data usage by up to 20%
WireGuard is the newest VPN protocol on the market (released in 2019 by Jason A. Donenfeld). Moreover, WireGuard is an open-source VPN protocol. Its open-source nature makes it easy to scan for potential security flaws.
And with its highly efficient 4,000 lines of code, it’s also the fastest VPN protocol that still provides a great degree of security. Plus WireGuard only increases data usage by around 5%, which is great news for mobile users.
Of course, the protocol’s relative novelty can work against it. OpenVPN has been tried-and-tested for over 20 years now. Meanwhile, there may be yet undiscovered security flaws with WireGuard.
One privacy concern is that VPN servers need to log your IP temporarily while using WireGuard. Fortunately, that concern quickly evaporates when you use a VPN provider like NordVPN or Surfshark.
In the former’s case, the provider created an in-house, WireGuard-based protocol called NordLynx. Both NordVPN and Surfshark use a double NAT system to assign dynamic local IP addresses, which are only valid during an active VPN session. Other VPNs simply delete your IP from their servers when inactive for a certain period.
Unfortunately, WireGuard is not the best choice if you want to bypass firewalls at school, work, or restrictive regions like China. The reason is that WireGuard runs strictly on UDP, which is easier to block than TCP.
When to use:
- Great all-purpose VPN tunneling protocol, with excellent speeds for gaming, streaming, and similar activities
- Lowest data usage out of all tunneling protocols; good option for use on mobile
When to avoid:
- Not the best at bypassing firewalls; different protocols are better equipped to deal with VPN blocks.
- Privacy-conscious users should avoid VPNs with WireGuard implementations that don’t attempt to solve its IP-logging.
A Note on IPSec – Internet Protocol Security
Before we get into Internet Key Exchange version 2 (IKEv2) and the Layer 2 Tunneling Protocol (L2TP), we should mention that neither of them can establish an encrypted connection by default.
Instead, the two are used in tandem with Internet Protocol Security. The IPsec protocol can encapsulate your data with AES, Camellia, ChaCha20, or other 256-bit ciphers. The end result is a properly authenticated and encrypted connection.
3. Internet Key Exchange version 2 (IKEv2/IPSec)
IKEv2 is the best protocol for VPN users on the go, as it can seamlessly transition between two different networks.
For example, mobile users don’t need to worry about a dropped VPN connection when switching from mobile data to Wi-Fi.
Aside from being the most stable VPN protocol, IKEv2 is also pretty fast. Many VPN providers include it in their apps for these reasons.
Security-wise, IKEv2/IPSec raises some concerns:
- It’s a closed-source VPN protocol created by Microsoft and Cisco, meaning no one can inspect its code for backdoors and security flaws. That said, the Linux version is open-source and is seemingly safe.
- As Der Spiegel reports, the Snowden documents suggest that the NSA has enough resources to crack IPSec-based encryption through specific attack methods.
Otherwise, the protocol is still secure enough to hide your activity from your ISP and protect against hackers.
When to use:
- Do you often find yourself switching between Wi-FI and mobile data? Then IKEv2 is just the protocol for you.
When to avoid:
- Like WireGuard, IKEv2/IPSec only runs on UDP. As such, it’s not a great option to bypass firewalls at work or school, or evade censorship.
- For high-risk situations (journalism, whistleblowing, activism, etc.) where privacy and anonymity are crucial
4. Layer 2 Tunneling Protocol (L2TP/IPSec)
L2TP was developed in 1999 and is intended to be an improved version of PPTP. Of course, that isn’t saying much.
Even when paired up to form the L2TP/IPSec protocol, it’s pretty slow and vulnerable against attacks by the NSA.
In certain situations, attackers can use fake authentication credentials to spy on your L2TP connection. One example is when using a site-to-site VPN with pre-shared keys.
Since it’s an older VPN protocol, you’ll need to configure VPN passthrough on your router to allow the L2TP connection to “pass through.” Otherwise, the router’s NAT system will simply reject the connection.
Due to security concerns, not many VPNs support L2TP/IPSec nowadays. A couple of providers such as ExpressVPN and IPVanish still keep it around in case other security protocols are blocked on some networks.
When to use:
- An extra alternative for when other protocols are blocked on your network, and not much else
When to avoid:
- In most situations, especially when working with sensitive information online, or if you are concerned about mass surveillance
5. Secure Socket Tunneling Protocol (SSTP)
Much like your average HTTPS website, the Secure Socket Tunneling Protocol (SSTP) uses SSL/TLS encryption to secure your data.
That means it can also use TCP Port 443, making it harder to block by the Great Firewall of China and similar filters.
Some other things to note about the protocol:
- It’s closed-source and developed by Microsoft, which has collaborated with the NSA in the past.
- SSL 3.0 is vulnerable to the POODLE man-in-the-middle (MITM) attack, and Microsoft haven’t confirmed whether this affects SSTP.
- It’s decently fast, but it mostly works on Windows, meaning it has limited use.
When to use:
- Get around firewalls when other protocols don’t work.
When to avoid:
- For privacy and security purposes, due to its potential for MITM attacks and ties to the NSA
6. Point-to-Point Tunneling Protocol (PPTP)
The Point-to-Point Tunneling Protocol (PPTP) is the first VPN protocol in existence, and yet again created by a Microsoft engineer.
While it’s the easiest VPN protocol to set up due to its inclusion on most platforms, it’s also an outdated model that is easy to crack.
Its only advantage is faster speeds, as it only supports up to 128-bit encryption. Most VPNs nowadays have completely dropped PPTP for its multiple security flaws.
When to use:
- Not worth using even if you’re unconcerned with privacy or security. If you’re looking for faster speeds, try WireGuard (and similar protocols) instead.
When to avoid:
- Completely avoid when making online payments or logging into any service.
Custom VPN Protocols
Also called proprietary VPN protocols, these are usually upgraded versions of existing protocols (with some exceptions). The upgrades are meant to fix security flaws, improve performance, or help evade censorship tactics in countries like China or Russia.
- NordLynx (NordVPN) – WireGuard-based protocol with a double NAT system designed to fix its IP-logging requirement
- Lightway (ExpressVPN) – in-house, open-source protocol that uses the wolfSSL cryptography library
- Chameleon (VyprVPN) – essentially an OpenVPN 256-bit protocol with an additional data scrambling feature to bypass VPN detection systems
Which VPN Protocol to Use? (4 Cases)
Need a quick pointer on which VPN protocol to use in different scenarios? Here are 4 common use cases you should check out.
1. Privacy and Security
If you’re adamant about keeping your data safe against any and all threats, we recommend OpenVPN. Alternatively, you can use a custom VPN protocol, such as NordLynx or Lightway.
WireGuard is also pretty secure if paired with a double NAT system (see Surfshark), or if the provider deletes all IP-logs created by the protocol.
2. Bypassing Censorship
VPN technology helps boost Internet freedom by allowing users to bypass government-imposed firewalls. Of course, not every protocol is equipped to deal with VPN filters in heavily-censored countries.
The best VPN protocols to use in regions that block VPNs are:
- OpenVPN TCP (with obfuscation)
- ExpressVPN Lightway
- VyprVPN Chameleon
3. Gaming and Streaming
You’ll need a fast gaming VPN protocol for high-octane online matches and Ultra HD video. In that case, WireGuard / NordLynx and Lightway are excellent choices. If you’re gaming or streaming on your phone or tablet, IKEv2/IPSec is a decent alternative.
OpenVPN is not a great choice, as it’s much slower than either of the two protocols above. It also uses 15% more data on average, which stings if you’re on a limited data plan.
OpenVPN is the ideal VPN protocol for secure torrenting. WireGuard is an alright second choice due to its fast speeds.
However, make sure to use a VPN that mitigates the protocol’s IP-logging requirement. That means NordLynx or Surfshark’s WireGuard implementation, as both use double NAT. Lightway is another good choice you can try out.
VPN Protocol FAQ
We answer some common questions about VPN protocols down below.
What is the Best VPN Encryption Protocol?
Overall, OpenVPN is the best VPN protocol for the average user. While WireGuard is faster, and IKEv2/IPSec is better for mobile use, OpenVPN is open-source and has none of the security concerns.
What is the Most Secure VPN Protocol?
Once again, OpenVPN provides the best security among all tunneling protocols. It has no IP-logging requirement like WireGuard, and is not closed-source like IKEv2.
What Protocol Does Windows VPN Use?
Windows 10 and 11 have a built-in VPN client. However, you still need to sign up for a secure VPN service to use it. Once you do, you can simply select your preferred VPN protocol during the setup process.
Of course, the setup is pretty cumbersome. You also have to go through it every time you want to change regions. Skip all the hassle with NordVPN, the best VPN with a dedicated app for Windows.
Can a VPN Server Be Limited to a Specific Protocol?
In some situations, VPN services may limit which protocol is available on a server. The reason? Well, different VPN protocols may simply not function within the region. For example, NordVPN’s servers in the UAE only support OpenVPN UDP and TCP.