6 Types of VPN Protocols, Compared: Which is the Best to Use?

6 Types of VPN Protocols, Compared: A Quick Summary

Picking the right VPN for your needs is never easy, especially when you have to choose a VPN protocol to use. TCP/UDP, encryption, handshakes, authentications… all these technical terms can be intimidating for anyone.

If you don’t care about the nitty-gritty of cryptography and just want to be protected at all times, this is the guide for you. We explain the ins and outs of the most common VPN protocols out there:

  • OpenVPN — Open-Source, Secure, and Versatile
  • PPTP — Fast but Obsolete
  • L2TP/IPSec — The Successor of PPTP
  • SSTP — Primarily Used on Windows
  • IKEv2 — Ideal for Mobile Users
  • WireGuard — Next-Gen, Open-Source Wonder

If you’re in a hurry and just want a solid VPN option straight up, we recommend going with NordVPN. It’s fast, secure, stable, and offers a super-fast proprietary protocol based on WireGuard.

However, if you want to learn more about different VPN protocols, you’ll find everything you need in our beginner-friendly guide below.

Our online privacy is under constant attack. Hackers, mass government surveillance, relentless marketers… the list just goes on. It’s no wonder the use of VPNs has skyrocketed in the past years. Projections for global VPN use are up by 27% in 2020 alone.

However, picking the best VPN protocol still remains challenging for a lot of people. The matter is rather technical and entails a lot of terms you’ve probably never heard before.

But don’t worry — that’s where this guide comes in! We’ll simplify the best VPN protocols while dissecting them one by one. Keep reading to learn more.

What is a VPN Protocol?

Among other things, virtual private networks (VPNs) encrypt your online activity inside a protected data tunnel. They accomplish this by using systems called “encryption protocols” or “VPN protocols.”

Top VPNs usually offer several VPN protocols to choose from. Here are the most common ones:

  1. OpenVPN (TCP/UDP)
  2. PPTP
  3. L2TP/IPSec
  4. SSTP
  5. IKEv2
  6. WireGuard

All VPN protocols come with their pros and cons, so you’ll never find just one that can cover all your needs. Some are faster, while some are more secure, and others are easier to set up.

That’s why it’s important to define your personal needs before choosing a VPN protocol. Are you an avid streamer? Do you torrent a lot? Do you face censorship in your country? Depending on your responses, different VPN protocols will meet your needs.

With that in mind, let’s discuss these protocols in a little more detail.


1. OpenVPN — Open-Source, Secure, and Versatile

OpenVPN (Open-Source Virtual Private Network) is the gold standard in VPN protocols. It’s reasonably fast and is configurable with most ports and encryptions. It works on all major platforms, including Windows, macOS, Linux, Android, and iOS. This is ideal if you plan on running your VPN on multiple devices.

Pros:
  • Solid security with the best encryption algorithms
  • Decent speed
  • Highly customizable
  • Regularly updated
  • Extensively tested and audited
  • Works on all platforms
  • Gets around firewalls
  • Connection over UDP for streaming, video calls, etc.

Cons:
  • Difficult to set up manually

Is OpenVPN safe?

Yes! OpenVPN ticks all the right security boxes. Its open-source approach means it’s not owned (and controlled) by corporate giants. Instead, a community of programmers is constantly working on improving it and eliminating glitches. Its custom security protocol relies heavily on the OpenSSL library, just like encrypted HTTPS sites.

OpenVPN supports the best encryption ciphers, including AES and Blowfish. The ability to use any port means that your VPN traffic can easily be disguised to look like regular browsing. This makes OpenVPN very difficult to flag and block.

How fast is OpenVPN?

OpenVPN is reasonably fast, but far from the fastest VPN protocol out there. It’s faster than L2TP/IPSec, slower than PPTP, and much slower than WireGuard.

However, your speed will always depend on your device and configuration options. When using a VPN, you can boost your speed by using features like split-tunneling or double encryption.

Even the fastest VPNs struggle to find that perfect balance between speed and reliability. OpenVPN gives you a clear choice, depending on your current needs:

  • OpenVPN-TCP: Very reliable and secure protocol but slower than UDP. However, it can guarantee data delivery to its destination and even retransmit lost data packets. TCP is the transport used by HTTP, HTTPS, POP, SMTP, FTP, and more.
  • OpenVPN-UDP: Much faster and more practical than TCP but also less reliable. It’s unable to sequence data and can’t retransmit lost packets nor guarantee data delivery to its destination. You should use this for streaming, video conferences, VoIP, DNS, and more.

Is OpenVPN easy to install & configure?

If you’re doing it manually, then no. OpenVPN sits at more than 400,000 lines of code, and setting it up on your own takes a lot of tech knowledge. Luckily, our most recommended VPNs offer native apps that make it easier to install and run OpenVPN. You can just download the app and install it without any manual configuration.

What’s OpenVPN best suited for?

OpenVPN is the default protocol among commercial VPN providers. It’s fast, secure, and great for bypassing firewalls in countries like China. Users mostly set OpenVPN to port 443 for this purpose.

OpenVPN-UDP can be used for streaming Netflix, “zooming,” and everything else that can sacrifice some stability for sheer speed. It’s an all-rounder VPN protocol that will meet the needs of most VPN users.


2. PPTP — Fast but Obsolete

PPTP (Point-to-Point Tunneling Protocol) is one of the oldest VPN protocols out there. Microsoft originally developed it for dial-up networks. Unfortunately, it hasn’t aged well and is nowadays considered obsolete. Its rudimentary encryption makes it ultra-fast — but it can do next to nothing to keep you safe online.

Pros:
  • Ultra-fast
  • Integrated into most operating systems
  • Easy to set up manually
  • Effortless configuration, even on Linux

Cons:
  • Low-level encryption
  • Susceptible to attacks and exploits
  • Cracked by the NSA
  • Easily recognized and blocked
  • A number of unfixable issues
  • Not supported by many VPNs

Is PPTP safe?

No! PPTP reaches as far back as Windows 95 and NT, and its age is definitely showing. The first flaws in its cryptography were spotted as early as 1998. Nowadays, people can break its encryption with relative ease. In fact, the NSA managed to crack it and spy on VPN users who were connecting using this protocol.

PPTP uses MPPE (Microsoft Point-to-Point Encryption) with keys up to 128 bits. This type of encryption is weak as it is, but it gets worse. It can use either MS-CHAP-v1 or MS-CHAP-v2 for authentication, neither of which is secure. In other words: you’ll be opening yourself to all sorts of hack attacks (bit-flipping, dictionary attacks, brute force, etc.).

You can use PPTP on pretty much any platform out there, but anti-VPN systems will likely flag it right away — so, it’s not even that great for bypassing geo-restrictions.

How fast is PPTP?

Due to its low-level encryption, PPTP is one of the fastest VPN protocols out there. Encryption usually slows down your connection speed, but PPTP’s cipher is too slim to cause much of a difference.

Is PPTP easy to install & configure?

PPTP is integrated into most operating systems, which makes it extremely easy to set up and configure. Even Linux users can set it up in no time. All you have to do is enter server-related data in your network settings area and tweak some additional protocol settings.

What’s PPTP best suited for?

PPTP essentially offers no security benefits. Even still, people who like building their own VPN can’t resist it since it’s so easy to set up. You can use it to connect to your corporate intranet, but even that is something we can’t recommend. As it stands, PPTP has a lot of unfixable issues and should only be used as a last resort.


3. L2TP/IPSec — The Successor of PPTP

L2TP (Layer 2 Tunneling Protocol) emerged in 1999 as a successor to PPTP. It was developed by Microsoft and Cisco and represents a mishmash of PPTP and Cisco’s L2F (Layer 2 Forwarding).

However, L2TP itself doesn’t encrypt data. So, the encryption part of the equation is left to IPSec (Internet Protocol Security). That’s where the name “L2TP/IPSec” comes from.

Pros:
  • Decent speed
  • Good security package
  • L2TP is native to Windows and macOS
  • Easy to set up on other systems

Cons:
  • Resource-intensive due to double encapsulation
  • Only three ports available
  • Easily blocked by firewalls
  • Allegedly cracked by the NSA

Is L2TP/IPSec safe?

On its own, L2TP offers zero protection since it can’t protect data payloads. IPSec, however, can support the AES-256 cipher and is generally considered safe. It encapsulates your traffic like a regular PPTP connection, with a second encapsulation provided by IPSec. All in all, L2TP/IPSec is a pretty secure protocol, but it should be paired with a good no-log VPN for optimal results.

Allegedly, the NSA has cracked (or at least weakened) IPSec, but there’s no hard proof to back this up. It’s up to you to decide if this VPN protocol is worth a shot.

L2TP/IPSec uses only three ports (UDP 500/4500 and ESP IP Protocol 50), which means the firewalls will block it left and right. On its own, L2TP uses only UDP 1701. So, if unlocking Netflix or fighting censorship are your main goals, this is not the protocol for you. OpenVPN and WireGuard fit the bill much better here.

How fast is L2TP/IPSec?

Without IPSec, L2TP is very fast since it doesn’t have any encryption to slow it down. With IPSec, the speeds will be decent but not extreme.

L2TP/IPSec is very resource-intensive so you’ll need a fast connection (100+ Mbps) and a powerful CPU. With that in mind, this is not a protocol for people with slow internet and older devices.

Is L2TP/IPSec easy to install & configure?

L2TP is native to Windows and macOS. With IPSec, it’s only a matter of selecting the IPSec encryption. L2TP/IPSec is also fairly easy to set up manually, even on devices without native support. By comparison, OpenVPN is much more challenging to configure and requires a lot of specific knowledge. Even though OpenVPN can work on all platforms, it’s not native to them.

What’s L2TP/IPSec best suited for?

L2TP/IPSec does a lot of things well, but there are VPN protocols that do it better. OpenVPN and WireGuard are both faster and require less computing power. If you want to build your own VPN, it’s a better option than PPTP. However, bypassing NAT firewalls requires further configuration, which can complicate the process significantly.


4. SSTP — Primarily Used on Windows

SSTP (Secure Socket Tunneling Protocol) was developed by Microsoft and first introduced with Windows Vista. It’s largely seen as the successor of PPTP and L2TP and can be found in the later versions of Windows as well. Its security almost rivals OpenVPN and it can also bypass firewalls.

Pros:
  • Good security with solid encryption algorithms
  • Decent speed
  • Gets around firewalls
  • Easy to set up on Windows devices

Cons:
  • Difficult to set up on non-Windows devices
  • Susceptible to “TCP meltdown”

Is SSTP safe?

SSTP utilizes SSL and encapsulates data packets over HTTPS. Furthermore, it supports the AES-256 cipher, which is the best encryption option out there. With that in mind, we would say that SSTP is a pretty safe protocol.

However, we have to mention its susceptibility to “TCP meltdown.” SSTP can cause connectivity issues when a TCP connection within the VPN tunnel clashes with the TCP transmission protocol of the tunnel itself. Basically, we have a TCP VPN connection contained within another TCP connection. This is not a huge security problem, but it can get annoying during torrenting or streaming Netflix on foreign servers.

SSTP is also solely owned by Microsoft. There’s no solid evidence of any cracks in the protocol, but Microsoft is known for its close collaboration with the NSA in the past.

SSTP uses TCP port 443 (like HTTPS), which makes it very difficult to block. So, if you need to bypass some geo-restrictions, SSTP will definitely get the job done.

How fast is SSTP?

In spite of its encryption, SSTP is a pretty fast protocol. However, it’s also resource-heavy and demands a ton of bandwidth paired with a strong CPU. If your configuration is not up to par, you could experience occasional lag and speed drops.

Is SSTP easy to install & configure?

SSTP is integrated into the Windows OS, so it’s easy to set up on Windows devices. Using it with other systems, though, will be more challenging. If you’re not using Windows, we recommend going with other options like OpenVPN or WireGuard.

What’s SSTP best suited for?

Like L2TP/IPsec, SSTP performs well in a number of important fields. We can even go one step further and say it’s the best protocol integrated into Windows OS — but we have VPN protocols that perform better.

Even on Windows, we would rather use OpenVPN or WireGuard. They require less power and are not owned by Microsoft. So, if you want to use a “native” protocol on Windows, SSTP is your best bet. It’s just not something we’d recommend with so many better options out there.


5. IKEv2 — Ideal for Mobile Users

Like some other VPN protocols on this list, IKEv2 (Internet Key Exchange) was also developed by Microsoft with Cisco. This protocol is the successor of IKEv1. It’s particularly popular among mobile users because it does an excellent job of establishing a reconnection. Similar to L2TP, IKEv2 also uses IPSec for encryption. Even though Microsoft worked on it, IKEv2 is not a completely closed-source protocol; we do have open-source implementations.

Pros:
  • Good security package with high-end ciphers
  • Usually faster than OpenVPN
  • Easily resists network changes
  • Relatively easy to set up
  • Supports all major operating systems
  • Auto-reconnection

Cons:
  • Allegedly exploited by the NSA
  • Easily blocked by some firewalls

Is IKEv2 safe?

IKEv2 supports multiple high-end ciphers with 256-bit keys, including AES, Camellia, 3DES, and ChaCha20. Its MOBIKE feature makes sure you never drop connection when switching networks. It also supports perfect forward secrecy.

IKEv2 also implements a certificate-based authentication process. In other words, the identity of the requester has to be determined and confirmed before any action is taken.

Having said that, IKEv2 has a couple of problems we need to address:

  • Since IKEv2 uses IPSec, it’s also vulnerable to the same Man-in-the-Middle attacks (downgrade attacks, to be specific).
  • There’s an allegation that the NSA was able to decrypt IPSec traffic.
  • If you’re building your own VPN, you’ll have to use an extra-strong password. IKEv2 can be hacked quite easily if your password is weak.

IKEv2 uses UDP packets and UDP ports 500 and 4500. This reduces the latency, but it also means that firewalls and websites that block these specific ports will catch you.

How fast is IKEv2?

IKEv2 is an exceptionally fast VPN protocol. Some would even say as fast as PPTP. As mentioned, the UDP port 500 ensures low latency and better speeds. Its efficient request-response message exchange is also a huge contributing factor. IKEv2 is also less CPU-intensive than OpenVPN.

Speeds connected to IKEv2 should remain stable even as you switch networks, thanks to the aforementioned MOBIKE feature. IKEv2 also establishes a connection much faster than OpenVPN while being less CPU-heavy.

Is IKEv2 easy to install & configure?

Generally, IKEv2 is pretty easy to set up. It’s natively supported on a number of platforms, including Windows 7+, macOS 10.11+, and most mobile systems (even BlackBerry!). However, if you want to set up an IKEv2 server on your own, things get a bit more complicated. IPSec is a rather complex protocol (more complex than OpenVPN), so it will require some extra configuration.

What’s IKEv2 best suited for?

IKEv2 became extremely popular among mobile users due to its sophisticated reconnection capabilities. You can switch between mobile and Wi-Fi networks without ever exposing yourself to potential data leaks. It’s ideal for people who travel a lot and want solid protection on all their devices while on the go.


6. WireGuard — Next-Gen, Open-Source Wonder

WireGuard came out in 2018, which makes it the youngest VPN protocol on this list. It was developed by the founder of Edge Security, Jason Donenfeld. Despite its age, WireGuard has already built quite a name for itself. It offers tight security, fast speeds, and is relatively easy to install (especially on Linux). Linus Torvalds, Linux’s main developer, called it a “work of art.”

Pros:
  • Ultra-fast (faster than OpenVPN)
  • Solid security with cutting-edge cryptography
  • Small codebase (just around 4,000 lines)
  • Aced numerous security audits
  • Supports all major operating systems
  • Easy to set up on Linux and other systems
  • Lower battery consumption on mobile

Cons:
  • Only works on UDP
  • Out-of-the-box version has privacy issues

Is WireGuard safe?

Yes! After plenty of independent audits, it’s clear that WireGuard offers top-notch security. It supports only the ChaCha20 cipher, which can prevent faulty encryption deployment. In other words, it put an end to the so-called “cryptographic agility.” The encryption keys rotate every few minutes to provide users with perfect forward secrecy.

With only around 4,000 lines of code, WireGuard is beautiful in its simplicity. The smaller codebase makes security audits much simpler and quicker — a tenet of secure coding. Consequently, there’s less space for cybercriminals to maneuver, and all vulnerabilities can be easily located and fixed.

Despite its speed and security, WireGuard alone can’t ensure your privacy. The protocol can’t assign IP addresses dynamically to users connected to a server. Therefore, the local static IP has to be stored on the server itself. This means that your identity has to be recorded on the VPN server and linked to an internal IP address.

In essence, every VPN has to strengthen WireGuard’s wobbly privacy to benefit from its speed and security. That’s why we recommend using WireGuard-based protocols only if they come from reputable VPN providers. NordVPN, for example, fixes WireGuard’s privacy issues with the so-called “double NAT system” (network address translation). This allows them to establish secure connections without storing identifiable data on their servers.
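
To see what that static link looks like on a server, here is an added example (not from the original article and not any provider's code) that parses a constructed WireGuard server config and resolves an internal tunnel IP back to the peer key it is pinned to. The addresses, placeholder keys and function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample of a WireGuard server config (wg-quick style).
# Keys are placeholders, not real key material.
SAMPLE_WG_CONF = """\
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key-placeholder>

[Peer]
# customer 1
PublicKey = <alice-public-key-placeholder>
AllowedIPs = 10.8.0.2/32

[Peer]
# customer 2
PublicKey = <bob-public-key-placeholder>
AllowedIPs = 10.8.0.3/32, fd00::3/128
"""


def parse_sections(text):
    """Return [(section_name, {key: value})], keeping repeated [Peer] blocks.

    configparser is not used because it rejects duplicate section names.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)      # base64 keys may end in '='
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections


def peer_address_map(text):
    """Map each peer's long-lived public key to its fixed tunnel networks."""
    mapping = {}
    for name, fields in parse_sections(text):
        if name != "peer" or "publickey" not in fields:
            continue
        nets = [ipaddress.ip_network(item.strip(), strict=False)
                for item in fields.get("allowedips", "").split(",")
                if item.strip()]
        mapping[fields["publickey"]] = nets
    return mapping


def who_had(internal_ip, text):
    """Resolve a tunnel IP seen in a log back to the peer key it belongs to."""
    addr = ipaddress.ip_address(internal_ip)
    for key, nets in peer_address_map(text).items():
        if any(n.version == addr.version and addr in n for n in nets):
            return key
    return None


if __name__ == "__main__":
    for key, nets in peer_address_map(SAMPLE_WG_CONF).items():
        print(key, "->", ", ".join(map(str, nets)))
    print("10.8.0.3 belongs to", who_had("10.8.0.3", SAMPLE_WG_CONF))
```

The mapping lives in the configuration itself, so it persists for as long as the peer entry does, independent of any traffic logging.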

How fast is WireGuard?

WireGuard is probably the fastest protocol we currently have. For example, it’s much faster than both OpenVPN and IPSec. Even NordVPN used it as a basis for its amazing NordLynx protocol. Its speed is attributed to its small codebase, quicker connections and handshakes, and efficient CPU usage.

In order to avoid unnecessary speed drops, WireGuard doesn’t support tunneling over TCP. This can lead to problems if network administrators block UDP traffic. However, reputable VPN providers can fix this issue by transforming WireGuard’s UDP packets into TCP. This is achieved by adding an upper layer of obfuscation, which deals with deep packet inspection.

Mobile users can especially benefit from this setup since their batteries will drain slower. Also, WireGuard was designed to provide superior roaming support. Linux users stand to benefit the most from WireGuard since it lives inside the Linux kernel (the “guts” of the operating system).

Is WireGuard easy to install & configure?

If you’re using Linux, then yes. Since it lives inside the Linux kernel, it’s only a matter of typing in a few commands. It’s not that simple on other operating systems, but it’s not too difficult, either. WireGuard now provides downloadable clients for many platforms, including Windows, macOS, Android, and iOS.

If you’re not interested in technical tinkering, many VPNs have incorporated WireGuard in their service. VPNs like Surfshark and VyprVPN have built it into their apps, and you can just pick it from the list and use it as any other VPN protocol.

What’s WireGuard best suited for?

WireGuard is an excellent choice if you need sheer speed without sacrificing online security. So, it’ll be perfect for your streaming, online gaming, and all other data-intensive operations. If you’re traveling abroad and need a secure option for roaming, WireGuard can fit that bill as well. It’s also pretty impressive at bypassing firewalls unless the network is blocking UDP traffic.
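
The port facts given for each protocol decide which of them a port-based egress policy lets through. As an added example (not from the original article), this Python model checks a default-deny allow list against what each protocol needs; the `Rule` type, the sample policies and PPTP's TCP 1723/GRE requirement are assumptions or well-known values not stated on this page, and the requirements are simplified.

```python
from typing import NamedTuple, Optional

TCP, UDP, GRE, ESP = 6, 17, 47, 50      # IANA IP protocol numbers


class Rule(NamedTuple):
    """One allow rule in a default-deny egress policy (hypothetical model)."""
    ip_proto: int
    port: Optional[int] = None           # None = any port; unused for GRE/ESP


def allows(policy, ip_proto, port=None):
    """True if some rule permits this exact flow."""
    for rule in policy:
        if rule.ip_proto != ip_proto:
            continue
        if ip_proto not in (TCP, UDP) or rule.port is None or rule.port == port:
            return True
    return False


def allows_some_port(policy, ip_proto):
    """True if at least one port of this transport is open.

    That is all a protocol with a freely configurable port needs.
    """
    return any(rule.ip_proto == ip_proto for rule in policy)


def ipsec_ok(policy):
    """IKE on UDP 500, then data as raw ESP or NAT-traversal on UDP 4500."""
    return allows(policy, UDP, 500) and (
        allows(policy, ESP) or allows(policy, UDP, 4500))


# What each protocol needs from the network, per the article's port facts.
# PPTP's TCP 1723 + GRE are well-known values added here, not from the page.
PROTOCOLS = {
    "PPTP": lambda p: allows(p, TCP, 1723) and allows(p, GRE),
    "L2TP/IPSec": ipsec_ok,
    "IKEv2": ipsec_ok,
    "SSTP": lambda p: allows(p, TCP, 443),
    "OpenVPN": lambda p: allows_some_port(p, TCP) or allows_some_port(p, UDP),
    "WireGuard": lambda p: allows_some_port(p, UDP),
}


def survivors(policy):
    """Names of the protocols that can still connect through this policy."""
    return sorted(name for name, ok in PROTOCOLS.items() if ok(policy))


# Constructed sample policies.
WEB_ONLY = [Rule(TCP, 80), Rule(TCP, 443)]
PERMISSIVE = WEB_ONLY + [Rule(UDP), Rule(ESP)]

if __name__ == "__main__":
    print("web only  :", survivors(WEB_ONLY))
    print("permissive:", survivors(PERMISSIVE))
```

A web-only policy still passes SSTP and OpenVPN over TCP 443 because a port filter cannot tell them apart from HTTPS; separating them takes the deep packet inspection mentioned in the WireGuard section.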


In Conclusion

Needless to say, it’s very important to choose the VPN protocol that’s right for you. Every protocol has its own advantages and disadvantages.

In most cases, OpenVPN or WireGuard will be your best bet. PPTP is a protocol we don’t recommend using because of its relatively low-level encryption. However, you could try this protocol when privacy and security are not your highest priorities, such as for unblocking streams. If OpenVPN is not supported or does not work well for whatever reason, you could consider using L2TP/IPSec or IKEv2.

At the end of the day, as long as you know what your goals are for using a VPN, you can pick a VPN protocol that will match your needs and keep you safe online.

VPN Protocols, Compared: Frequently Asked Questions

Do you have some extra questions about VPN protocols? Check our answers to the most frequently asked questions below.

At the moment, we would say that WireGuard is the fastest protocol out there. Even the likes of NordVPN have used it as the basis for their proprietary protocols. It offers amazing speeds without sacrificing security.

If you’re not interested in security, however, PPTP would be the fastest protocol. Its encryption is pretty low-tier, so there’s nothing to slow down your traffic. We don’t recommend using this outdated protocol, though, unless you know exactly what you’re doing. Read more about PPTP in our article here.

The most important differences between VPN protocols include:

  • Security configuration
  • Speed
  • Compatibility with various platforms
  • How easy they are to set up

When it comes to security, OpenVPN, WireGuard, IKEv2, and L2TP/IPSec are your best bet. WireGuard is the fastest one. OpenVPN offers the best platform compatibility. Learn more about their differences in our extensive comparison guide.

It depends on your personal needs. TCP is better for bypassing online censorship and accessing static data like websites or your email. UDP is faster, which makes it ideal for streaming, online gaming, and real-time communication. Using TCP for these operations would cause a significant amount of lag and ruin your experience.

Author
Tech journalist
Djordje is a cybersecurity copywriter with an extensive background in law and marketing. He was a team leader in a company specializing in content creation in the field of technology. His main interests include legal frameworks for censorship on all levels and the place of VPNs and other cybersecurity software on that spectrum.
Author
Tech journalist
Tove has been working for VPNoverview since 2017 as a journalist covering cybersecurity and privacy developments. She has broad experience developing rigorous VPN testing procedures and protocols for our VPN review section and has tested dozens of VPNs over the years.