Picking the right VPN for your needs is never easy, especially when you have to choose a VPN protocol to use. TCP/UDP, encryption, handshakes, authentications… all these technical terms can be intimidating for anyone.
If you don’t care about the nitty-gritty of cryptography and you’re just looking for online protection at all times, this is the guide for you. We explain the ins and outs of the most common VPN protocols out there:
- WireGuard: Top notch security with some privacy issues
- OpenVPN: Works on all major platforms and is widely used
- IKEv2: A very fast VPN protocol that is ideal for mobile users
- SSTP: Primarily used on Windows and has solid encryption algorithms
- L2TP/IPSec: The successor of PPTP, has a decent speed, but it is easily blocked by firewalls
- PPTP: One of the oldest VPN protocols that is very fast but offers low-level encryption
If you’re in a hurry and just want a solid VPN option straight up, we recommend going with NordVPN. It’s secure, stable, and offers a super-fast proprietary protocol based on WireGuard.
Our online privacy is under constant attack. Hackers, mass government surveillance, relentless marketers… the list just goes on. It’s no wonder the use of VPNs has skyrocketed in the past years.
However, picking the best VPN protocol still remains challenging for a lot of people. This is mostly due to the wide range of technical terms involved with VPN protocols and how they operate.
But don’t worry. That’s where this VPN protocol comparison guide comes in! We’ll take a deep dive into the most frequently used types of VPN protocols, evaluating them one by one. Keep reading to learn more.
What Is a VPN Protocol?
Among other things, VPNs (Virtual Private Networks) encrypt your online activity inside a protected data tunnel. They accomplish this by using systems called “encryption protocols” or “VPN protocols.”
Top VPNs usually offer several VPN protocols to choose from. However, these protocols differ in various respects, like their security features, their speed, and the operating systems they can be used on.
To make it easier for you to choose the best VPN protocol for you, we have summarized some of their most important characteristics in the table below.
| VPN protocol | Level of encryption | Connection speed | Operating systems | Good for |
|---|---|---|---|---|
| WireGuard | Very good | Fast | Windows, macOS, Linux, Android, and iOS | Online gaming |
| OpenVPN | Very good | Medium | Windows, macOS, Linux, Android, and iOS | Torrenting |
| IKEv2 | Good | Fast | Windows, macOS, Android, and iOS | Streaming, switching between mobile and Wi-Fi networks |
| SSTP | Good | Medium (requires a lot of bandwidth and strong CPU) | Windows | Bypassing firewalls |
| L2TP/IPSec | Moderate | Medium | Windows, macOS, Android, and iOS | Protecting your data (double encapsulation can cause connectivity issues) |
| PPTP | Poor | Fast | Windows, macOS, Linux, Android, and iOS | Unblocking streams (one of the least secure protocols) |
Even the most secure VPN protocols come with their pros and cons, so you’ll never find just one that can cover all your needs. Some are faster, while some are more secure, and others are easier to set up.
That’s why it’s important to determine your personal needs before choosing a VPN protocol. Are you an avid streamer? Do you torrent a lot? Do you face censorship in your country? Depending on your responses, numerous VPN protocols will meet your needs.
With that in mind, let’s discuss the different types of VPN protocols in a little more detail.
1. WireGuard: Next-Gen, Open-Source Wonder
WireGuard came out in 2018, which makes it the youngest VPN protocol on this list. It was developed by the founder of Edge Security, Jason Donenfeld. Despite its age, WireGuard has already built quite a name for itself. It offers tight security, fast speeds, and is relatively easy to install (especially on Linux). Linus Torvalds, Linux’s main developer, called it a “work of art.”
Pros:
- Ultra-fast (faster than OpenVPN)
- Solid security with cutting-edge cryptography
- Small codebase (just around 4,000 lines)
- Aced numerous security audits
- Supports all major operating systems
- Easy to set up on Linux and other systems
- Lower battery consumption on mobile
Cons:
- Only works on UDP
- Out-of-the-box version has privacy issues
Is WireGuard safe?
Yes! After plenty of independent audits, it’s clear that WireGuard offers top-notch security. It supports only the ChaCha20 cipher, which can prevent faulty encryption deployment. In other words, it puts an end to so-called “cryptographic agility.” The encryption keys rotate every few minutes to provide users with perfect forward secrecy.
With only around 4,000 lines of code, WireGuard is beautiful in its simplicity. The smaller codebase makes security audits much simpler and quicker – a tenet of secure coding. Consequently, there’s less space for cybercriminals to maneuver, and all vulnerabilities can be easily located and fixed.
Despite its speed and security, WireGuard alone can’t ensure your privacy. The protocol can’t assign IP addresses dynamically to users connected to a server. Therefore, the local static IP has to be stored on the server itself. This means that your identity has to be recorded on the VPN server and linked to an internal IP address.
In essence, every VPN has to strengthen WireGuard’s wobbly privacy to benefit from its speed and security. That’s why we recommend using WireGuard-based protocols only if they come from reputable VPN providers. NordVPN, for example, fixes WireGuard’s privacy issues with the so-called “double NAT (network address translation)” system. This allows the VPN provider to establish secure connections without storing identifiable data on its servers.
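What the static binding described above looks like on a server, as an added example (not from the original article or from any provider's code): a small parser for a constructed wg-quick style config that lists which tunnel address is pinned to which peer public key. The addresses, port, key placeholders and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in wg-quick format. Keys are placeholders, not real keys,
# and the addresses and port are illustrative assumptions.
SAMPLE_SERVER_CONF = """\
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key-placeholder>

[Peer]
# constructed client 1
PublicKey = <peer-A-public-key-placeholder>
AllowedIPs = 10.8.0.2/32

[Peer]
# constructed client 2
PublicKey = <peer-B-public-key-placeholder>
AllowedIPs = 10.8.0.3/32, fd00:8::3/128
"""


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]) with lower-cased keys.

    configparser is not used: a WireGuard config repeats the [Peer]
    section once per client, which configparser rejects as a duplicate.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            # Split once only: base64 keys end in '=' padding.
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return interface, peers


def static_bindings(text):
    """Map each peer public key to the single-host tunnel addresses tied to it."""
    _, peers = parse_wg_conf(text)
    bindings = {}
    for peer in peers:
        key = peer.get("publickey")
        if key is None:                          # malformed peer, nothing to bind
            continue
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in peer.get("allowedips", "").split(",") if n.strip()]
        # A /32 or /128 pins exactly one address to exactly one key.
        bindings[key] = [str(n) for n in nets if n.num_addresses == 1]
    return bindings


if __name__ == "__main__":
    for key, addrs in static_bindings(SAMPLE_SERVER_CONF).items():
        print(key, "->", ", ".join(addrs))
```

Every entry this returns is a long-lived record on the server linking one client key to one internal address, which is the data a provider has to avoid retaining.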
How fast is WireGuard?
WireGuard is probably the fastest protocol when compared to other types of VPN protocols. For example, it’s much faster than both OpenVPN and IPSec. Even NordVPN used it as a basis for its amazing NordLynx protocol. Its speed is attributed to its small codebase, quicker connections and handshakes, and efficient CPU usage.
In order to avoid unnecessary speed drops, WireGuard doesn’t support tunneling over TCP. This can lead to problems if network administrators block UDP traffic. However, reputable VPN providers can fix this issue by transforming WireGuard’s UDP packets into TCP. This is achieved by adding an upper layer of obfuscation, which deals with deep packet inspection.
Mobile users can especially benefit from this setup since the batteries of their devices will drain slower. Also, WireGuard was designed to provide superior roaming support. Linux users stand to benefit the most from WireGuard since it lives inside the Linux kernel (the “guts” of the operating system).
Is WireGuard easy to install & configure?
If you’re using Linux, then yes. Since it lives inside the Linux kernel, it’s only a matter of typing in a few commands. It’s not that simple on other operating systems, but it’s not too difficult, either. WireGuard now provides downloadable clients for many platforms, including Windows, macOS, Android, and iOS.
If you’re not interested in technical tinkering, many VPNs have incorporated WireGuard into their service. VPNs like Surfshark and VyprVPN have built it into their apps, and you can just pick it from the list and use it as any other VPN protocol.
What’s WireGuard best suited for?
WireGuard is an excellent choice if you need sheer speed without sacrificing online security. So, it’ll be perfect for your streaming, online gaming, and all other data-intensive operations. If you’re traveling abroad and need a secure option for roaming, WireGuard can fit that bill as well. It’s also pretty impressive at bypassing firewalls unless the network is blocking UDP traffic.
2. OpenVPN: Open-Source, Secure, and Versatile
OpenVPN (Open-Source Virtual Private Network) is the gold standard in VPN protocols. It’s reasonably fast and configurable with most ports and encryptions. It works on all major platforms, including Windows, macOS, Linux, Android, and iOS. This is ideal if you plan on running your VPN on multiple devices.
Pros:
- Solid security with the best encryption algorithms
- Decent speed
- Highly customizable
- Regularly updated
- Extensively tested and audited
- Works on all platforms
- Gets around firewalls
- Connection over UDP for streaming, video calls, etc.
Cons:
- Difficult to set up manually
Is OpenVPN safe?
Yes! OpenVPN ticks all the right security boxes. Its open-source approach means it’s not owned (and controlled) by corporate giants. Instead, a community of programmers is constantly working on improving it and eliminating glitches. Its custom security protocol relies heavily on the OpenSSL library, just like encrypted HTTPS sites.
OpenVPN supports the best encryption ciphers, including AES and Blowfish. The ability to use any port means that your VPN traffic can easily be disguised to look like regular browsing. This makes OpenVPN very difficult to flag and block.
How fast is OpenVPN?
OpenVPN is reasonably fast but far from the fastest VPN protocol out there. It’s faster than L2TP/IPSec, slower than PPTP, and much slower than WireGuard.
However, your speed will always depend on your device and configuration options. When using a VPN, you can boost your speed by using features like split tunneling, for example. If you’re using obfuscation or double encryption, on the other hand, your speeds will go down.
Even the fastest VPNs struggle to find that perfect balance between speed and reliability. OpenVPN gives you a clear choice depending on your current needs:
- OpenVPN-TCP: Very reliable and secure protocol but slower than UDP. However, it can guarantee data delivery to its destination and even retransmit lost data packets. TCP is used by HTTP and HTTPS, POP, SMTP, FTP, and more.
- OpenVPN-UDP: Much faster and more practical than TCP but also less reliable. It’s unable to sequence data and can’t retransmit lost packets nor guarantee data delivery to its destination. You should use this for streaming, video conferences, VoIP, and DNS.
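For the OpenVPN settings discussed above (cipher, port, and TCP versus UDP), here is an added example, not code from the original article or from the OpenVPN project: a small audit of a config file that reports the effective transport and flags ciphers with a 64-bit block, Blowfish included, since those are exposed to birthday-bound attacks on long sessions. The sample configs, the placeholder host and the finding names are constructed for illustration.

```python
# Constructed sample configs; vpn.example.com is a placeholder host.
LEGACY_OVPN = """\
client
dev tun
proto tcp
remote vpn.example.com 443
cipher BF-CBC
"""

MODERN_OVPN = """\
client
dev tun
remote vpn.example.com 1194 udp
data-ciphers AES-256-GCM:CHACHA20-POLY1305
"""

# Name prefixes of ciphers with a 64-bit block (Blowfish, DES/3DES, CAST5, RC2).
SMALL_BLOCK_CIPHERS = ("BF-", "DES-", "CAST5-", "RC2-")


def parse_ovpn(text):
    """Return [(directive, [args]), ...] in file order, skipping comment lines."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # '#' and ';' start comments
            continue
        name, *args = line.split()
        directives.append((name.lower(), args))
    return directives


def audit_ovpn(text):
    """Return a sorted list of finding codes for one config."""
    proto, port, ciphers = "udp", "1194", []     # OpenVPN defaults when unset
    for name, args in parse_ovpn(text):
        if name == "proto" and args:
            proto = args[0].lower()
        elif name == "port" and args:
            port = args[0]
        elif name == "remote":                   # remote host [port] [proto]
            if len(args) >= 2:
                port = args[1]
            if len(args) >= 3:
                proto = args[2].lower()
        elif name == "cipher" and args:
            ciphers.append(args[0].upper())
        elif name in ("data-ciphers", "ncp-ciphers") and args:
            ciphers.extend(c.upper() for c in args[0].split(":"))

    findings = set()
    if not ciphers:
        # Effective cipher then depends on the installed version's default.
        findings.add("no-cipher-directive")
    for cipher in ciphers:
        if cipher == "NONE":
            findings.add("no-encryption")
        elif cipher.startswith(SMALL_BLOCK_CIPHERS):
            findings.add("weak-cipher:" + cipher)
    if proto.startswith("tcp"):
        findings.add("tcp-transport")            # reliable, but slower than UDP
        if port == "443":
            findings.add("tcp-443")              # shares the HTTPS port
    return sorted(findings)


if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_OVPN), ("modern", MODERN_OVPN)):
        print(label, audit_ovpn(conf))
```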
Is OpenVPN easy to install & configure?
If you’re building your VPN manually, then no. OpenVPN sits at more than 400,000 lines of code, and setting it up on your own takes a lot of tech knowledge. Luckily, our most recommended VPNs offer native apps that make it easier to install and run OpenVPN. You can just download the app and install it without any manual configuration.
What’s OpenVPN best suited for?
OpenVPN is the default protocol among commercial VPN providers. It’s fast, secure, and great for bypassing firewalls in countries like China. Users mostly set OpenVPN to port 443 for this purpose.
OpenVPN-UDP can be used for streaming Netflix, “Zooming,” and everything else that can sacrifice some stability for sheer speed. It’s an all-rounder VPN protocol that will meet the needs of most VPN users.
3. IKEv2: Ideal for Mobile Users
Like some other VPN protocols on this list, IKEv2 (Internet Key Exchange) was also developed by Microsoft and Cisco. This protocol is the successor of IKEv1. It’s particularly popular among mobile users because it does an excellent job of establishing a reconnection. Similar to L2TP, IKEv2 also uses IPSec for encryption. Even though Microsoft worked on it, IKEv2 is not a completely closed-source protocol; we do have open-source implementations.
Pros:
- Good security package with high-end ciphers
- Usually faster than OpenVPN
- Easily resists network changes
- Relatively easy to set up
- Supports all major operating systems
Cons:
- Allegedly exploited by the NSA
- Easily blocked by some firewalls
Is IKEv2 safe?
IKEv2 supports multiple high-end ciphers with 256-bit keys, including AES, Camellia, 3DES, and ChaCha20. Its MOBIKE feature makes sure you never drop connection when switching networks. It also supports perfect forward secrecy.
IKEv2 also implements a certificate-based authentication process. In other words, the identity of the requester has to be determined and confirmed before any action is taken.
Having said that, IKEv2 has a couple of problems we need to address:
- Since IKEv2 uses IPSec, it’s also vulnerable to the same Man-in-the-Middle attacks (downgrade attacks, to be specific).
- There’s an allegation that the NSA was able to decrypt IPSec traffic.
- If you’re building your own VPN, you’ll have to use an extra-strong password. IKEv2 can be hacked quite easily if your password is weak.
IKEv2 uses UDP packets and UDP ports 500 and 4500. This reduces latency, but it also means that firewalls and websites that block these specific ports will catch you.
How fast is IKEv2?
IKEv2 is an exceptionally fast VPN protocol. Some would even say as fast as PPTP. As mentioned, the UDP port 500 ensures low latency and better speeds. Its efficient request-response message exchange is also a huge contributing factor. IKEv2 is also less CPU-intensive than OpenVPN.
Speeds over IKEv2 should remain stable even as you switch networks, thanks to the aforementioned MOBIKE feature. IKEv2 also establishes a connection much faster than OpenVPN while being less CPU-heavy.
Is IKEv2 easy to install & configure?
Generally, IKEv2 is pretty easy to set up. It’s natively supported on a number of platforms, including Windows 7+, macOS 10.11+, and most mobile systems (even BlackBerry). However, if you want to set up an IKEv2 server on your own, things get a bit more complicated. IPSec is a rather complex protocol (more complex than OpenVPN), so it will require some extra configuration.
What’s IKEv2 best suited for?
IKEv2 became extremely popular among mobile users due to its sophisticated reconnection capabilities. You can switch between mobile and Wi-Fi networks without ever exposing yourself to potential data leaks. It’s ideal for people who travel a lot and want solid protection on all their devices while on the go.
4. SSTP: Primarily Used on Windows
SSTP (Secure Socket Tunneling Protocol) was developed by Microsoft and was first introduced with Windows Vista. It’s largely seen as the successor of PPTP and L2TP and can be found in the later versions of Windows as well. Its security almost rivals OpenVPN, and it can also bypass firewalls.
Pros:
- Good security with solid encryption algorithms
- Decent speed
- Gets around firewalls
- Easy to set up on Windows devices
Cons:
- Difficult to set up on non-Windows devices
- Susceptible to "TCP meltdown"
Is SSTP safe?
SSTP utilizes SSL and encapsulates data packets over HTTPS. Furthermore, it supports the AES-256 cipher, which is the best encryption option out there. With that in mind, we would say that SSTP is a pretty safe protocol.
However, we have to mention its susceptibility to a “TCP meltdown.” SSTP can cause connectivity issues when the TCP connection within the VPN tunnel clashes with the TCP transmission protocol. Basically, we have a TCP VPN connection contained within another TCP connection. This is not a huge security problem, but it can get annoying during torrenting or streaming Netflix on foreign servers.
SSTP is also solely owned by Microsoft. There’s no solid evidence of any cracks in the protocol, but Microsoft is known for its close collaboration with the NSA in the past.
SSTP uses TCP port 443 (like HTTPS), which makes it very difficult to block. So, if you need to bypass some geo-restrictions, you can count on SSTP.
How fast is SSTP?
In spite of its encryption, SSTP is pretty fast compared to other types of VPN protocols. However, it’s also resource-heavy and demands a ton of bandwidth paired with a strong CPU. If your configuration is not up to par, you could experience occasional lag and speed drops.
Is SSTP easy to install & configure?
SSTP is integrated into the Windows OS, so you can easily set it up on Windows devices. Using it with other systems, though, will be more challenging. If you’re not using Windows, we recommend going with other options like OpenVPN or WireGuard.
What’s SSTP best suited for?
Like L2TP/IPsec, SSTP performs well in a number of important fields. We can even go one step further and say it’s the best protocol integrated into Windows OS – but we have VPN protocols that perform better.
Even on Windows, we would rather use OpenVPN or WireGuard. They require less power and are not owned by Microsoft. So, if you want to use a “native” protocol on Windows, SSTP is your best bet. It’s just not something we’d recommend, with so many better options out there.
5. L2TP/IPSec: The Successor of PPTP
L2TP (Layer 2 Tunneling Protocol) emerged in 1999 as a successor to PPTP, which we’ll discuss in a moment. It was developed by Microsoft and Cisco and represents a mishmash of PPTP and Cisco’s L2F (Layer 2 Forwarding).
However, L2TP itself doesn’t encrypt data. So, the encryption part of the equation is left to IPSec (Internet Protocol Security). That’s where the name “L2TP/IPSec” comes from.
Pros:
- Decent speed
- Good security package
- L2TP is native to Windows and macOS
- Easy to set up on other systems
Cons:
- Resource-intensive due to double encapsulation
- Only three ports available
- Easily blocked by firewalls
- Allegedly cracked by the NSA
Is L2TP/IPSec safe?
On its own, L2TP offers zero protection since it can’t safeguard data payloads. IPSec, however, can support the AES-256 cipher and is generally considered safe. It encapsulates your traffic like a regular PPTP connection, with a second encapsulation provided by IPSec. All in all, L2TP/IPSec is a pretty secure protocol, but you should pair it with a good no-log VPN for optimal results.
Allegedly, the NSA has cracked (or at least weakened) IPSec, but there’s no hard proof to back this up. It’s up to you to decide if this VPN protocol is worth a shot.
L2TP/IPSec uses only three ports (UDP 500/4500 and ESP IP Protocol 50), which means firewalls will block it left and right. On its own, L2TP uses only UDP 1701. So, if unlocking Netflix or fighting censorship are your main goals, this is not the protocol for you. OpenVPN and WireGuard fit the bill much better here.
How fast is L2TP/IPSec?
Without IPSec, L2TP is very fast since it doesn’t have any encryption to slow it down. With IPSec, the speeds will be decent but not extreme.
L2TP/IPSec is very resource-intensive, so you’ll need a fast connection (100+ Mbps) and a powerful CPU. With that in mind, this is not a protocol for people with slow internet and older devices.
Is L2TP/IPSec easy to install & configure?
L2TP is native to Windows and macOS. With IPSec, it’s only a matter of selecting the IPSec encryption. L2TP/IPSec is also fairly easy to set up manually, even on devices without native support. By comparison, OpenVPN is much more challenging to configure and requires a lot of specific knowledge. Even though OpenVPN can work on all platforms, it’s not native to them.
What’s L2TP/IPSec best suited for?
L2TP/IPSec has a lot of functions, but there are other types of VPN protocols that can be better at the same things. For example, OpenVPN and WireGuard are both faster and require less computing power. If you want to build your own VPN, L2TP/IPSec is a better option than PPTP. However, bypassing NAT firewalls requires further configuration, which can complicate the process significantly.
6. PPTP: Fast but Obsolete
PPTP (Point-to-Point Tunneling Protocol) is one of the oldest VPN protocols out there. Microsoft originally developed it for dial-up networks. Unfortunately, it hasn’t aged well and is nowadays considered obsolete. Its rudimentary encryption makes it ultra-fast – but it can do next to nothing to keep you safe online.
Pros:
- Integrated into most operating systems
- Easy to set up manually
- Effortless configuration, even on Linux
Cons:
- Low-level encryption
- Susceptible to attacks and exploits
- Cracked by the NSA
- Easily recognized and blocked
- A number of unfixable issues
- Not supported by many VPNs
Is PPTP safe?
No! PPTP reaches as far back as Windows 95 and NT, and its age is definitely showing. The first flaws in its cryptography were spotted as early as 1998. Nowadays, people can break its encryption with relative ease. In fact, the NSA managed to crack it and spy on VPN users who were connecting using this protocol.
PPTP uses MPPE (Microsoft Point-to-Point Encryption) with keys up to 128 bits. This type of encryption is weak as it is, but it gets worse. It can use either MS-CHAPv1 or MS-CHAPv2 for authentication, neither of which is secure. In other words: you’ll be opening yourself to all sorts of hack attacks (bit-flipping, dictionary attacks, brute force, etc.).
You can use PPTP on pretty much any platform out there, but anti-VPN systems will likely flag it right away, so it’s not even that great for bypassing geo-restrictions.
How fast is PPTP?
Due to its low-level encryption, PPTP is one of the fastest VPN protocols out there. Encryption usually slows down your connection speed, but PPTP’s cipher is too slim to cause much of a difference.
Is PPTP easy to install & configure?
PPTP is integrated into most operating systems, which makes it extremely easy to set up and configure. Even Linux users can set it up in no time. All you have to do is enter server-related data in your network settings area and tweak some additional protocol settings.
What’s PPTP best suited for?
PPTP essentially offers no security benefits. However, people who like building their own VPN can’t resist it since it’s so easy to set up. You can use it to connect to your corporate intranet, but even that is something we can’t recommend. As it stands, PPTP has a lot of unfixable issues, and you should only use it as a last resort.
Conclusion: What Is the Right Type of VPN Protocol for You?
Needless to say, it’s very important to choose the right type of VPN protocol that will suit your needs. Every protocol has unique benefits and drawbacks, as this VPN protocol comparison guide has revealed.
In most cases, OpenVPN or WireGuard will be your best bet. PPTP is a protocol we don’t recommend using because of its low-level encryption. However, you could try this protocol when privacy and security are not your highest priorities, such as for unblocking streams. If OpenVPN is not supported or does not work well for whatever reason, you could consider using L2TP/IPSec or IKEv2.
At the end of the day, as long as you know what your goals are for using a VPN, you can pick a VPN protocol that will match your needs and keep you safe online.
Do you have some extra questions about VPN protocols? Check our answers to the most frequently asked questions below.
At the moment, we would say that WireGuard is the fastest protocol out there. Even the likes of NordVPN have used it as the basis for their proprietary protocols. It offers amazing speeds without sacrificing security.
If you’re not interested in security, however, PPTP would be the fastest protocol. Its encryption is pretty low-tier, so there’s nothing to slow down your traffic. We don’t recommend using this outdated protocol, though, unless you know exactly what you’re doing.
The most important differences between VPN protocols include:
- Security configuration
- Compatibility with various platforms
- How easy they are to set up
When it comes to security, OpenVPN, WireGuard, IKEv2, and L2TP/IPSec are your best bet. WireGuard is the fastest one and OpenVPN offers the best platform compatibility. Learn more about their differences in our extensive VPN comparison guide.
It depends on your personal needs. TCP is better for bypassing online censorship and accessing static data like websites or your email. UDP is faster, which makes it ideal for streaming, online gaming, and real-time communication. Using TCP for these operations would cause a significant amount of lag and ruin your experience.