VPN protocols

Not only do you have dozens (if not hundreds) of VPN services to choose from, there are multiple VPN protocols as well. This can make choosing a VPN provider all the more complicated, particularly when you consider that not all VPNs offer the same VPN protocols. Some VPN protocols are faster than others (making them more suitable for streaming), while others provide greater protection from security threats.

In this guide, we’ll take you through all of the most popular VPN protocols including OpenVPN and WireGuard. We’ll answer key questions including what each VPN protocol is used for and how easy it is to set up. We’ll also reveal the fastest VPN protocol and the most secure VPN protocol. Our hope is that this guide helps you narrow down your options when shopping for a VPN, as well as find the VPN protocol that best fits your needs.

Don’t have time to read the full guide? Here’s an at-a-glance guide to the most popular VPN protocols to help you make a quick decision:

  • OpenVPN is always a solid option, especially when the setup is handled by a third-party app
  • L2TP/IPSec is probably the most widely available alternative that offers decent security
  • SSTP is also a solid option for Windows users, assuming you trust proprietary tech from Microsoft
  • IKEv2 is a fast and secure alternative for devices that support it, particularly mobile devices
  • PPTP should only be used as a last resort
  • WireGuard is a newer protocol that promises to be faster and more efficient, but has some privacy drawbacks

What is a VPN protocol?

Before we take you through the various VPN protocols, we should take the time to first explain what a VPN protocol actually is. A VPN protocol is a set of rules or instructions that determine how your data travels between your device and the VPN server. 

Most VPN providers offer more than one protocol for you to choose from. Some VPNs even offer their own proprietary protocols. Examples of this include NordVPN (NordLynx) and ExpressVPN (Lightway). Each VPN protocol has its own unique pros and cons but by taking a look at each, you should have a better idea of which to use (as well as which to avoid).

OpenVPN

What is it?

An open-source VPN protocol that’s highly configurable for a variety of ports and encryption types. OpenVPN is one of the newer protocols with an initial release in 2001.

What’s it used for?

Third-party VPN clients often utilize the OpenVPN protocol, as OpenVPN isn’t built into computers and mobile devices. It’s become increasingly mainstream for general purpose VPN use, and is now the default protocol used by most paid VPN providers.

Is it fast?

Not as fast as PPTP, about the same speed as L2TP depending on the device and configuration.

Is it secure?

Yes. OpenVPN uses a custom security protocol that relies heavily on OpenSSL, similar to the encryption used on HTTPS websites. Because it can be configured to use any port, it can easily be disguised as normal internet traffic and is therefore very difficult to block. It supports several encryption algorithms, the most common being AES and Blowfish.
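As an added example (not from the original guide or the OpenVPN project), this Python sketch reads the port, transport and cipher directives mentioned above from a client config and flags 64-bit block ciphers such as Blowfish. The sample config and its hostname are constructed.

```python
"""Audit an OpenVPN client config for transport and cipher choices."""

# 64-bit block ciphers (Blowfish, 3DES, CAST5) are exposed to birthday-bound
# collision attacks (SWEET32) once enough data flows under one key.
SMALL_BLOCK_PREFIXES = ("BF-", "DES-", "CAST5-")

# Constructed sample config for this example; the hostname is a placeholder.
SAMPLE_CONFIG = """\
client
dev tun
proto tcp
remote vpn.example.net 443
cipher BF-CBC        # legacy single-cipher directive
;data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
"""


def parse(config_text):
    """Return transport and cipher settings, starting from OpenVPN's defaults."""
    cfg = {"proto": "udp", "port": "1194", "ciphers": []}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue  # blank line or commented-out directive
        key, *args = line.split()
        if key == "proto" and args:
            cfg["proto"] = args[0]
        elif key == "port" and args:
            cfg["port"] = args[0]
        elif key == "remote" and len(args) >= 2:
            cfg["port"] = args[1]
        elif key in ("cipher", "data-ciphers") and args:
            cfg["ciphers"] += args[0].upper().split(":")
    return cfg


def findings(cfg):
    """List the settings a reviewer should question."""
    out = [f"{c}: 64-bit block cipher" for c in cfg["ciphers"]
           if c.startswith(SMALL_BLOCK_PREFIXES)]
    if not cfg["ciphers"]:
        out.append("no cipher set: result depends on the client version's default")
    return out


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    print(cfg["proto"], cfg["port"], cfg["ciphers"], findings(cfg))
```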

Is it easy to set up?

If you plan on setting it up manually, no. Many native VPN clients from consumer VPN providers, however, make it much easier to install and run. In those cases, OpenVPN usually requires no manual configuration, as the provider’s app takes care of that for you.

L2TP/IPSec

What is it?

Layer 2 Tunneling Protocol (L2TP) is the VPN protocol, and it’s usually paired with IPSec for security. L2TP was developed by Cisco and Microsoft in the 90s.

What’s it used for?

Accessing the internet through a VPN when security and privacy are concerns.

Is it fast?

Sort of. There’s some debate out there about whether it’s faster than OpenVPN or not. The average user probably won’t notice a difference in connection speed between the two. L2TP/IPSec is slower than PPTP.

Is it secure?

Yes, L2TP/IPSec has no known major vulnerabilities. Some experts have voiced concerns that the protocol might have been weakened or compromised by the NSA, though. The NSA helped develop IPSec.

Is it easy to set up?

That depends. Like PPTP, L2TP/IPSec support is built into most modern computers and mobile devices today. The setup process is similar, but the port that L2TP uses is easily blocked by firewalls. If you need to get around these firewalls, you’ll need to forward the port, which requires a more complicated configuration.

PPTP

What is it?

The oldest widely-used VPN protocol, originally developed by Microsoft for dial-up networks. PPTP stands for Point-to-Point Tunneling Protocol.

What’s it used for?

PPTP is used for connecting to both the internet and intranets (i.e. accessing a corporate office building’s internal network).

Is it fast?

Yes. Due to the lower encryption standard, PPTP is one of the fastest VPN protocols.

Is it secure?

No. PPTP hasn’t aged well, and many security vulnerabilities have arisen over the years. The NSA actively decrypts and monitors PPTP traffic. Even though it normally uses 128-bit encryption, it effectively offers no security benefits.

Is it easy to set up?

Yes. PPTP is the most common protocol built into many computers and mobile devices today, making it one of the simplest–if not the simplest–to manually set up.

SSTP

What is it?

Secure Socket Tunneling Protocol was developed by Microsoft and first built into Windows Vista. The proprietary (read: not open-source) protocol works on Linux but is primarily thought of as a Windows-only technology.

What’s it used for?

Not much. SSTP might be used by a few hardcore Windows fans because it comes built-in, but it has no real advantages over OpenVPN. It’s better than L2TP for getting around firewalls without a complicated configuration.

Is it fast?

About the same as OpenVPN.

Is it secure?

Yes, assuming you trust Microsoft (questionable). It is usually configured using strong AES encryption.

Is it easy to set up?

Manual setup is fairly easy on Windows machines. Macs won’t run it and probably never will. Linux and a few other systems will have a harder time.

IKEv2

What is it?

Internet Key Exchange version 2 isn’t exactly a VPN protocol, but can be treated as such. It was jointly developed by Microsoft and Cisco.

What’s it used for?

It’s especially useful for mobile devices on 3G or 4G LTE because it’s good at reconnecting whenever the connection drops out. This can happen when the user drives through a tunnel and temporarily loses service or when they switch from the mobile connection to wifi. Support for IKEv2 is built into BlackBerry devices.

Is it fast?

IKEv2 throughput is comparable to OpenVPN, but one advantage is that it establishes a VPN connection much quicker.

Is it secure?

Yes, again, if you trust Microsoft. IKEv2 supports several levels of AES encryption and, like L2TP, uses the IPSec encryption suite. Some open-source versions are also available for those who prefer to avoid Microsoft’s proprietary version.

Is it easy to set up?

IKEv2 is not widely supported, but for those devices that are compatible, it’s quite easy to set up.

IPSec

What is it?

Internet Protocol Security, or IPSec, is a protocol used for several purposes, one of them being VPNs. It operates at the network level as opposed to the application level (used by SSL).

What’s it used for?

IPSec is often paired with other VPN protocols like L2TP to provide encryption, but it can also be used by itself. It’s frequently used for site-to-site VPNs, and many iOS VPN apps also utilize IPSec in lieu of OpenVPN or some other protocol.

Is it fast?

IPSec is generally considered faster than SSL, but your results may vary depending on configuration and intended use.

Is it secure?

Yes, IPSec is secure, although in 2013 the Snowden leaks revealed that the NSA was actively working to insert vulnerabilities.

Is it easy to set up?

Depending on what you plan to use it for, configuring an IPSec VPN can be complex. For the average user with an iPhone just trying to connect to their VPN provider’s servers, it shouldn’t be a problem.

SSL/TLS

What is it?

Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are the most common cryptographic protocols in use today. Any time you connect to an HTTPS website, your connection to the server is protected with SSL. It is used in some VPN protocols but is not in itself a VPN protocol.

What is it used for?

When it comes to VPNs, OpenVPN’s encryption is built on the OpenSSL library, and OpenVPN is considered an SSL VPN.

SSL is also used to create HTTPS proxies, which are passed off as VPNs by some companies. These are often advertised as browser-based VPNs that run as Chrome or Firefox extensions and do not provide the full security benefits of a true VPN.

Is it fast?

This depends more on the VPN protocol and the level of encryption used.

Is it safe?

TLS is newer than SSL and better protects against attacks, so it is the one to use to maximize security.

Is it easy to set up?

SSL VPNs are generally considered easier to configure than IPSec VPNs for remote client connections.

WireGuard

What is it?

WireGuard is a secure tunnel protocol for VPNs that aims to improve on the other protocols in this list in terms of speed, ease of deployment, and overhead. It is the newest protocol on this list.

What’s it used for?

WireGuard is still in development, but it’s available for several platforms. It’s lightweight enough to run on embedded interfaces but is also appropriate for containers like Docker all the way up to high performance devices and networks.

WireGuard is finding its way into more and more VPN apps these days, largely thanks to speed improvements over OpenVPN and IKEv2.

Is it fast?

Yes. WireGuard does away with a lot of the bloat found in other protocols and runs inside the Linux kernel to improve speed.

Our speed tests have shown massive improvements across almost every provider that has adopted WireGuard, with download bandwidth doubling and in some cases tripling what was previously achieved by other protocols.

Is it secure?

Yes, though we remind readers that WireGuard is still in development. WireGuard uses state-of-the-art cryptography, can easily be audited, and uses a concept called “cryptokey routing” to handle network management and access control in lieu of complicated firewall rules.

However, WireGuard assigns IP addresses statically and not dynamically, which means some user data needs to be stored on the server.
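How cryptokey routing stands in for firewall rules, and why the static address binding leaves per-user state on the server, shown as an added Python model (not WireGuard's code and not part of the original guide). The peer keys are placeholder strings and the addresses are constructed.

```python
"""Cryptokey routing model: a peer's public key is bound to the tunnel IPs it may use."""
import ipaddress

# Constructed peer table, as a server would hold it. Keys are placeholder
# strings, not real WireGuard public keys; addresses are illustrative.
PEERS = {
    "PUBKEY_ALICE": ["10.8.0.2/32"],
    "PUBKEY_BOB": ["10.8.0.3/32", "192.168.50.0/24"],
}


class CryptokeyTable:
    def __init__(self, peers):
        # Flatten to (network, public_key) pairs. The binding is static, so the
        # server keeps it for as long as the peer stays configured.
        self.routes = [
            (ipaddress.ip_network(cidr), key)
            for key, cidrs in peers.items()
            for cidr in cidrs
        ]

    def peer_for_destination(self, dst):
        """Outbound: choose the peer whose allowed IPs contain dst (longest prefix wins)."""
        addr = ipaddress.ip_address(dst)
        matches = [(net.prefixlen, key) for net, key in self.routes if addr in net]
        return max(matches)[1] if matches else None

    def accept_inbound(self, sender_key, inner_src):
        """Inbound: after decryption, the inner source IP must belong to the sending peer."""
        addr = ipaddress.ip_address(inner_src)
        return any(key == sender_key and addr in net for net, key in self.routes)


def demo():
    table = CryptokeyTable(PEERS)
    return {
        "to_10.8.0.2": table.peer_for_destination("10.8.0.2"),
        "to_192.168.50.7": table.peer_for_destination("192.168.50.7"),
        "to_8.8.8.8": table.peer_for_destination("8.8.8.8"),
        "alice_as_self": table.accept_inbound("PUBKEY_ALICE", "10.8.0.2"),
        "alice_as_bob": table.accept_inbound("PUBKEY_ALICE", "10.8.0.3"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The same table serves as routing table on send and access control list on receive, which is why no separate firewall rule is needed to stop one peer from using another peer's tunnel address.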

Is it easy to set up?

Yes, though it’s not widely implemented yet. The creators liken configuring WireGuard to configuring SSH, a very simple secure protocol. It allows roaming between IP addresses. WireGuard’s website states, “There is no need to manage connections, be concerned about state, manage daemons, or worry about what’s under the hood.”

Proprietary protocols

A few VPN providers opt to write their own protocols instead of using an existing one. Hotspot Shield’s Catapult Hydra, ExpressVPN’s Lightway, and NordVPN’s NordLynx are a few examples.

Proprietary protocols vary in their performance and security, and sometimes their code is not public. We recommend only using protocols that are open source.

Some custom protocols are built from the ground up, but many of them are just forks of open-source protocols. NordLynx, for example, is just WireGuard with a double-NAT system to prevent logging of IP addresses.

Types of VPNs: Secure vs Trusted

All of the VPNs we review at Comparitech are considered “secure” VPNs. This means the online traffic sent and received through them is encrypted and authenticated. Being a secure VPN also means that both the server and client agree on the security properties, and no one outside the VPN can affect these properties. Secure VPNs use one of the protocols listed above.

A “trusted” VPN is distinct from a secure VPN. Trusted VPNs may not use any encryption. Instead, users “trust” the VPN provider to make sure that no one else can use the same IP address and pathway. No one other than the provider can change data, inject data, or delete data on a path in the VPN.

Trusted VPNs are far less common nowadays. They were typically used by corporations for staff to remotely access internal company resources, not to connect to the world wide web. But the threats to security became too great for most companies to risk using a non-encrypted connection.

VPNs that combine the encryption properties of a secure VPN and the dedicated line properties of a trusted VPN are sometimes called “hybrid” VPNs. Hybrid VPNs are common today, particularly for corporations. But most commercial VPN providers that offer unrestricted access to the internet do not give customers a dedicated IP address, so they are not considered hybrids.

What is the best VPN protocol?

While it’s nice to have a definitive answer to this question, the reality is that there’s no such thing as a “best VPN protocol”. It really depends on your specific needs. Below, we list some of the common VPN use cases and match them to an appropriate VPN protocol:

  • Browsing: OpenVPN is a strong all-rounder making it highly suitable for general-purpose use such as personal browsing and accessing geo-blocked content.
  • Streaming: WireGuard is the best VPN protocol for streaming thanks to its lightweight design. This makes it highly suitable for other bandwidth-intensive activities such as torrenting and online gaming.
  • Security: OpenVPN is one of the most secure VPN protocols you can use. It supports strong encryption (and a range of ciphers) and is open source. Furthermore, it can be configured to meet specific security requirements.
  • Mobile: IKEv2 is highly suitable for mobile users (Android and iOS) because it provides a secure connection that’s quick and reliable. Furthermore, if the internet connection drops, it can quickly reconnect.
  • Older devices: L2TP/IPSec is supported by a wide range of operating systems and devices. This includes older versions of Windows, Android, macOS, and Linux. It’s also highly secure.

VPN protocols: FAQs

What is the fastest VPN protocol?

WireGuard is widely considered to be the fastest VPN protocol around. It’s very lightweight with a codebase that consists of just 4,000 lines of code. As a result, it’s highly efficient and this contributes to its very fast connection speeds. Many VPNs have implemented WireGuard in recent years and benefited from the improved performance.

Which VPN protocol is most secure?

It’s fair to argue that OpenVPN is the most secure VPN protocol. OpenVPN supports strong encryption and is open source. It can operate over TCP or UDP, providing a great deal of flexibility too.

While WireGuard is another secure VPN protocol to use, OpenVPN has simply been around for far longer. As such, it has undergone more extensive security audits, contributing to its high level of security.

Can I switch between VPN protocols?

Yes, most VPN providers offer multiple VPN protocols. In almost all cases, you need only head to the settings page in order to switch VPN protocols.

Due to the fact that each VPN protocol has different characteristics, you’ll want to make sure that the VPN protocol you’re switching to is appropriate.

For example, while you might be using WireGuard to enjoy a faster connection for streaming, you’d need to switch to your VPN’s stealth protocol (often built on top of OpenVPN over TCP) in order to bypass internet censorship.

What is the difference between TCP and UDP?

While you may come across TCP and UDP while reading about VPN protocols, they’re actually transport layer protocols. VPN protocols can use TCP and UDP to establish a VPN connection.

The main difference between the two is that TCP is a connection-based protocol (it requires a connection before sending data). Data is then delivered reliably and in the correct order.

In contrast, UDP is a connectionless protocol in that it doesn’t establish a connection before sending data. Data is sent without confirming receipt or checking for errors.

Of the two communications protocols, TCP is the more reliable although UDP is faster.