Picking the right VPN for your needs is never easy, especially when you have to choose a VPN protocol to use. TCP/UDP, encryption, handshakes, authentications… all these technical terms can be intimidating for anyone.
If you don’t care about the nitty-gritty of cryptography and just want to be protected at all times, this is the guide for you. We explain the ins and outs of the most common VPN protocols out there:
- OpenVPN — Open-Source, Secure, and Versatile
- PPTP — Fast but Obsolete
- L2TP/IPSec — The Successor of PPTP
- SSTP — Primarily Used on Windows
- IKEv2 — Ideal for Mobile Users
- WireGuard — Next-Gen, Open-Source Wonder
If you’re in a hurry and just want a solid VPN option straight up, we recommend going with NordVPN. It’s fast, secure, stable, and offers a super-fast proprietary protocol based on WireGuard.
Our online privacy is under constant attack. Hackers, mass government surveillance, relentless marketers… the list just goes on. It’s no wonder the use of VPNs has skyrocketed in the past years. Projections for global VPN use are up by 27% in 2020 alone.
However, picking the best VPN protocol still remains challenging for a lot of people. The matter is rather technical and entails a lot of terms you’ve probably never heard before.
But don’t worry — that’s where this guide comes in! We’ll simplify the best VPN protocols while dissecting them one by one. Keep reading to learn more.
What is a VPN Protocol?
Among other things, virtual private networks (VPNs) encrypt your online activity inside a protected data tunnel. They accomplish this by using systems called “encryption protocols” or “VPN protocols.”
Top VPNs usually offer several VPN protocols to choose from. The most common ones are OpenVPN, PPTP, L2TP/IPSec, SSTP, IKEv2, and WireGuard.
All VPN protocols come with their pros and cons, so you’ll never find just one that can cover all your needs. Some are faster, while some are more secure, and others are easier to set up.
That’s why it’s important to define your personal needs before choosing a VPN protocol. Are you an avid streamer? Do you torrent a lot? Do you face censorship in your country? Depending on your responses, different VPN protocols will meet your needs.
With that in mind, let’s discuss these protocols in a little more detail.
1. OpenVPN — Open-Source, Secure, and Versatile
OpenVPN (Open-Source Virtual Private Network) is the gold standard in VPN protocols. It’s reasonably fast and is configurable with most ports and encryptions. It works on all major platforms, including Windows, macOS, Linux, Android, and iOS. This is ideal if you plan on running your VPN on multiple devices.
| Pros | Cons |
|---|---|
| Solid security with the best encryption algorithms | Difficult to set up manually |
| Extensively tested and audited | |
| Works on all platforms | |
| Gets around firewalls | |
| Connection over UDP for streaming, video calls, etc. | |
Is OpenVPN safe?
Yes! OpenVPN ticks all the right security boxes. Its open-source approach means it’s not owned (and controlled) by corporate giants. Instead, a community of programmers is constantly working on improving it and eliminating glitches. Its custom security protocol relies heavily on the OpenSSL library, just like encrypted HTTPS sites.
OpenVPN supports the best encryption ciphers, including AES and Blowfish. The ability to use any port means that your VPN traffic can easily be disguised to look like regular browsing. This makes OpenVPN very difficult to flag and block.
How fast is OpenVPN?
OpenVPN is reasonably fast, but far from the fastest VPN protocol out there. It’s faster than L2TP/IPSec, slower than PPTP, and much slower than WireGuard.
However, your speed will always depend on your device and configuration options. When using a VPN, you can boost your speed by using features like split-tunneling or double encryption.
Even the fastest VPNs struggle to find that perfect balance between speed and reliability. OpenVPN gives you a clear choice, depending on your current needs:
- OpenVPN-TCP: Very reliable and secure protocol but slower than UDP. However, it can guarantee data delivery to its destination and even retransmit lost data packets. It is used by HTTP, HTTPS, POP, SMTP, FTP, and more.
- OpenVPN-UDP: Much faster and more practical than TCP but also less reliable. It’s unable to sequence data and can’t retransmit lost packets nor guarantee data delivery to its destination. You should use this for streaming, video conferences, VoIP, DNS, and more.
Is OpenVPN easy to install & configure?
If you’re doing it manually, then no. OpenVPN sits at more than 400,000 lines of code, and setting it up on your own takes a lot of tech knowledge. Luckily, our most recommended VPNs offer native apps that make it easier to install and run OpenVPN. You can just download the app and install it without any manual configuration.
What’s OpenVPN best suited for?
OpenVPN is the default protocol among commercial VPN providers. It’s fast, secure, and great for bypassing firewalls in countries like China. Users mostly set OpenVPN to port 443 for this purpose.
OpenVPN-UDP can be used for streaming Netflix, “zooming,” and everything else that can sacrifice some stability for sheer speed. It’s an all-rounder VPN protocol that will meet the needs of most VPN users.
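The transport, port, and cipher choices described in this section all live in the OpenVPN profile (`.ovpn` file). The following is an added example, not code from the original article or from the OpenVPN project: a small auditor that parses a profile, reports the transport and port, and flags 64-bit block ciphers such as Blowfish (`BF-CBC`), which are a legacy choice compared with AES. The sample profile, host name, and finding texts are constructed for illustration.

```python
import shlex

# Constructed sample profile: hypothetical host, placeholder certificate.
SAMPLE_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.net 443
; legacy settings left over from an old template
cipher BF-CBC
data-ciphers AES-256-GCM:BF-CBC
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
constructed placeholder, not a real certificate
-----END CERTIFICATE-----
</ca>
"""

# Name prefixes of 64-bit block ciphers (Blowfish, DES/3DES, CAST5). They are
# exposed to birthday-bound attacks (SWEET32) once enough data uses one key.
SMALL_BLOCK = ("BF-", "DES-", "CAST5-")


def parse_profile(text):
    """Return [(directive, [args])], skipping comments and inline <tag> blocks."""
    directives, inline_tag = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:  # inside <ca>...</ca> and similar embedded files
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if line.startswith("<") and line.endswith(">"):
            inline_tag = line[1:-1]
            continue
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def audit(text):
    """Report transport, port and weak cipher settings of an OpenVPN profile."""
    report = {"proto": "udp", "port": 1194, "findings": []}  # OpenVPN defaults
    for name, args in parse_profile(text):
        if name == "proto" and args:
            report["proto"] = "tcp" if args[0].startswith("tcp") else "udp"
        elif name == "remote" and len(args) > 1:
            report["port"] = int(args[1])
        elif name in ("cipher", "data-ciphers", "ncp-ciphers") and args:
            for cipher in args[0].upper().split(":"):
                if cipher == "NONE":
                    report["findings"].append(f"{name}: encryption disabled")
                elif cipher.startswith(SMALL_BLOCK):
                    report["findings"].append(f"{name}: {cipher} is a 64-bit block cipher")
    if report["proto"] == "tcp":
        report["findings"].append("proto: TCP transport, slower than UDP")
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_PROFILE))
```

A profile that uses `proto udp` with `data-ciphers AES-256-GCM:CHACHA20-POLY1305` produces no findings.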
2. PPTP — Fast but Obsolete
PPTP (Point-to-Point Tunneling Protocol) is one of the oldest VPN protocols out there. Microsoft originally developed it for dial-up networks. Unfortunately, it hasn’t aged well and is nowadays considered obsolete. Its rudimentary encryption makes it ultra-fast — but it can do next to nothing to keep you safe online.
| Pros | Cons |
|---|---|
| Integrated into most operating systems | Susceptible to attacks and exploits |
| Easy to set up manually | Cracked by the NSA |
| Effortless configuration, even on Linux | Easily recognized and blocked |
| | A number of unfixable issues |
| | Not supported by many VPNs |
Is PPTP safe?
No! PPTP reaches as far back as Windows 95 and NT, and its age is definitely showing. The first flaws in its cryptography were spotted as early as 1998. Nowadays, people can break its encryption with relative ease. In fact, the NSA managed to crack it and spy on VPN users who were connecting using this protocol.
PPTP uses MPPE (Microsoft Point-to-Point Encryption) with keys up to 128 bits. This type of encryption is weak as it is, but it gets worse. It can use either MS-CHAP-v1 or MS-CHAP-v2 for authentication, neither of which is secure. In other words: you’ll be opening yourself to all sorts of hack attacks (bit-flipping, dictionary attacks, brute force, etc.).
You can use PPTP on pretty much any platform out there, but anti-VPN systems will likely flag it right away — so, it’s not even that great for bypassing geo-restrictions.
How fast is PPTP?
Due to its low-level encryption, PPTP is one of the fastest VPN protocols out there. Encryption usually slows down your connection speed, but PPTP’s cipher is too slim to cause much of a difference.
Is PPTP easy to install & configure?
PPTP is integrated into most operating systems, which makes it extremely easy to set up and configure. Even Linux users can set it up in no time. All you have to do is enter server-related data in your network settings area and tweak some additional protocol settings.
What’s PPTP best suited for?
PPTP essentially offers no security benefits. Even still, people who like building their own VPN can’t resist it since it’s so easy to set up. You can use it to connect to your corporate intranet, but even that is something we can’t recommend. As it stands, PPTP has a lot of unfixable issues and should only be used as a last resort.
3. L2TP/IPSec — The Successor of PPTP
L2TP (Layer 2 Tunneling Protocol) emerged in 1999 as a successor to PPTP. It was developed by Microsoft and Cisco and represents a mishmash of PPTP and Cisco’s L2F (Layer 2 Forwarding).
However, L2TP itself doesn’t encrypt data. So, the encryption part of the equation is left to IPSec (Internet Protocol Security). That’s where the name “L2TP/IPSec” comes from.
| Pros | Cons |
|---|---|
| Decent speed | Resource-intensive due to double encapsulation |
| Good security package | Only three ports available |
| L2TP is native to Windows and macOS | Easily blocked by firewalls |
| Easy to set up on other systems | Allegedly cracked by the NSA |
Is L2TP/IPSec safe?
On its own, L2TP offers zero protection since it can’t protect data payloads. IPSec, however, can support the AES-256 cipher and is generally considered safe. It encapsulates your traffic like a regular PPTP connection, with a second encapsulation provided by IPSec. All in all, L2TP/IPSec is a pretty secure protocol, but it should be paired with a good no-log VPN for optimal results.
Allegedly, the NSA has cracked (or at least weakened) IPSec, but there’s no hard proof to back this up. It’s up to you to decide if this VPN protocol is worth a shot.
L2TP/IPSec uses only three ports (UDP 500/4500 and ESP IP Protocol 50), which means the firewalls will block it left and right. On its own, L2TP uses only UDP 1701. So, if unlocking Netflix or fighting censorship are your main goals, this is not the protocol for you. OpenVPN and WireGuard fit the bill much better here.
How fast is L2TP/IPSec?
Without IPSec, L2TP is very fast since it doesn’t have any encryption to slow it down. With IPSec, the speeds will be decent but not extreme.
L2TP/IPSec is very resource-intensive so you’ll need a fast connection (100+ Mbps) and a powerful CPU. With that in mind, this is not a protocol for people with slow internet and older devices.
Is L2TP/IPSec easy to install & configure?
L2TP is native to Windows and macOS. With IPSec, it’s only a matter of selecting the IPSec encryption. L2TP/IPSec is also fairly easy to set up manually, even on devices without native support. By comparison, OpenVPN is much more challenging to configure and requires a lot of specific knowledge. Even though it can work on all platforms, it’s not native to them.
What’s L2TP/IPSec best suited for?
L2TP/IPSec does a lot of things well, but there are VPN protocols that do it better. OpenVPN and WireGuard are both faster and require less computing power. If you want to build your own VPN, it’s a better option than PPTP. However, bypassing NAT firewalls requires further configuration, which can complicate the process significantly.
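Because PPTP offers essentially no protection and L2TP on its own does not encrypt payloads, a network defender will want to know where these tunnels are still in use. The following is an added example, not part of the original article: it labels legacy tunnels in flow records using the ports given above (UDP 500/4500, ESP, UDP 1701). The flow tuples are constructed, and PPTP's signature (TCP 1723 plus GRE) comes from general knowledge rather than from the article.

```python
from collections import defaultdict

# Constructed flow records: (client, server, ip_protocol, dst_port or None).
SAMPLE_FLOWS = [
    ("10.0.0.21", "198.51.100.7", "tcp", 1723),   # PPTP control channel
    ("10.0.0.21", "198.51.100.7", "gre", None),   # PPTP data channel
    ("10.0.0.34", "203.0.113.9", "udp", 1701),    # L2TP visible on the wire
    ("10.0.0.55", "203.0.113.40", "udp", 500),    # IKE negotiation
    ("10.0.0.55", "203.0.113.40", "udp", 4500),   # ESP in UDP (NAT traversal)
    ("10.0.0.55", "192.0.2.80", "tcp", 443),      # HTTPS or SSTP, same port
]


def classify_tunnels(flows):
    """Group flows per (client, server) pair and label legacy VPN tunnels."""
    seen = defaultdict(set)
    for client, server, proto, port in flows:
        seen[(client, server)].add((proto, port))

    findings = []
    for pair, sigs in sorted(seen.items()):
        has_ike = ("udp", 500) in sigs
        has_esp = ("esp", None) in sigs or ("udp", 4500) in sigs
        if ("tcp", 1723) in sigs:
            # MPPE with MS-CHAP: treat the tunnel as effectively unprotected.
            detail = "with GRE data" if ("gre", None) in sigs else "control only"
            findings.append((pair, "PPTP", "high", detail))
        if ("udp", 1701) in sigs:
            # Under IPSec, UDP 1701 travels inside ESP, so seeing it in the
            # clear means the L2TP session has no IPSec layer around it.
            findings.append((pair, "L2TP without IPSec", "high", "payload not encrypted"))
        if has_ike and has_esp:
            findings.append((pair, "IPSec (L2TP/IPSec or IKEv2)", "info", "encrypted"))
        elif has_ike:
            findings.append((pair, "IKE without ESP", "info", "negotiation only"))
    # TCP 443 is deliberately not labelled: port alone cannot tell SSTP from HTTPS.
    return findings


if __name__ == "__main__":
    for finding in classify_tunnels(SAMPLE_FLOWS):
        print(finding)
```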
4. SSTP — Primarily Used on Windows
SSTP (Secure Socket Tunneling Protocol) was developed by Microsoft and first introduced with Windows Vista. It’s largely seen as the successor of PPTP and L2TP and can be found in the later versions of Windows as well. Its security almost rivals OpenVPN and it can also bypass firewalls.
| Pros | Cons |
|---|---|
| Good security with solid encryption algorithms | Difficult to set up on non-Windows devices |
| Decent speed | Susceptible to “TCP meltdown” |
| Gets around firewalls | |
| Easy to set up on Windows devices | |
Is SSTP safe?
SSTP utilizes SSL and encapsulates data packets over HTTPS. Furthermore, it supports the AES-256 cipher, which is the best encryption option out there. With that in mind, we would say that SSTP is a pretty safe protocol.
However, we have to mention its susceptibility to “TCP meltdown.” SSTP can cause connectivity issues when a TCP connection within the VPN tunnel clashes with the TCP transmission protocol. Basically, we have a TCP VPN connection contained within another TCP connection. This is not a huge security problem, but it can get annoying during torrenting or streaming Netflix on foreign servers.
SSTP is also solely owned by Microsoft. There’s no solid evidence of any cracks in the protocol, but Microsoft is known for its close collaboration with the NSA in the past.
SSTP uses TCP port 443 (like HTTPS), which makes it very difficult to block. So, if you need to bypass some geo-restrictions, SSTP will definitely get the job done.
How fast is SSTP?
In spite of its encryption, SSTP is a pretty fast protocol. However, it’s also resource-heavy and demands a ton of bandwidth paired with a strong CPU. If your configuration is not up to par, you could experience occasional lag and speed drops.
Is SSTP easy to install & configure?
SSTP is integrated into the Windows OS, so it’s easy to set up on Windows devices. Using it with other systems, though, will be more challenging. If you’re not using Windows, we recommend going with other options like OpenVPN or WireGuard.
What’s SSTP best suited for?
Like L2TP/IPSec, SSTP performs well in a number of important fields. We can even go one step further and say it’s the best protocol integrated into Windows OS — but we have VPN protocols that perform better.
Even on Windows, we would rather use OpenVPN or WireGuard. They require less power and are not owned by Microsoft. So, if you want to use a “native” protocol on Windows, SSTP is your best bet. It’s just not something we’d recommend with so many better options out there.
5. IKEv2 — Ideal for Mobile Users
Like some other VPN protocols on this list, IKEv2 (Internet Key Exchange) was also developed by Microsoft with Cisco. This protocol is the successor of IKEv1. It’s particularly popular among mobile users because it does an excellent job of establishing a reconnection. Similar to L2TP, IKEv2 also uses IPSec for encryption. Even though Microsoft worked on it, IKEv2 is not a completely closed-source protocol; we do have open-source implementations.
| Pros | Cons |
|---|---|
| Good security package with high-end ciphers | Allegedly exploited by the NSA |
| Usually faster than OpenVPN | Easily blocked by some firewalls |
| Easily resists network changes | |
| Relatively easy to set up | |
| Supports all major operating systems | |
Is IKEv2 safe?
IKEv2 supports multiple high-end ciphers with 256-bit keys, including AES, Camellia, 3DES, and ChaCha20. Its MOBIKE feature makes sure you never drop connection when switching networks. It also supports perfect forward secrecy.
IKEv2 also implements a certificate-based authentication process. In other words, the identity of the requester has to be determined and confirmed before any action is taken.
Having said that, IKEv2 has a couple of problems we need to address:
- Since IKEv2 uses IPSec, it’s also vulnerable to the same Man-in-the-Middle attacks (downgrade attacks, to be specific).
- There’s an allegation that the NSA was able to decrypt IPSec traffic.
- If you’re building your own VPN, you’ll have to use an extra-strong password. IKEv2 can be hacked quite easily if your password is weak.
IKEv2 uses UDP packets and UDP ports 500 and 4500. This reduces the latency but also means that firewalls and websites that block these specific ports will catch you.
How fast is IKEv2?
IKEv2 is an exceptionally fast VPN protocol. Some would even say as fast as PPTP. As mentioned, the UDP port 500 ensures low latency and better speeds. Its efficient request-response message exchange is also a huge contributing factor. IKEv2 is also less CPU-intensive than OpenVPN.
Speeds connected to IKEv2 should remain stable even as you switch networks, thanks to the aforementioned MOBIKE feature. IKEv2 also establishes a connection much faster than OpenVPN while being less CPU-heavy.
Is IKEv2 easy to install & configure?
Generally, IKEv2 is pretty easy to set up. It’s natively supported on a number of platforms, including Windows 7+, macOS 10.11+, and most mobile systems (even BlackBerry!). However, if you want to set up an IKEv2 server on your own, things get a bit more complicated. IPSec is a rather complex protocol (more complex than OpenVPN), so it will require some extra configuration.
What’s IKEv2 best suited for?
IKEv2 became extremely popular among mobile users due to its sophisticated reconnection capabilities. You can switch between mobile and Wi-Fi networks without ever exposing yourself to potential data leaks. It’s ideal for people who travel a lot and want solid protection on all their devices while on the go.
6. WireGuard — Next-Gen, Open-Source Wonder
WireGuard came out in 2018, which makes it the youngest VPN protocol on this list. It was developed by the founder of Edge Security, Jason Donenfeld. Despite its age, WireGuard has already built quite a name for itself. It offers tight security, fast speeds, and is relatively easy to install (especially on Linux). Linus Torvalds, Linux’s main developer, called it a “work of art.”
| Pros | Cons |
|---|---|
| Ultra-fast (faster than OpenVPN) | Only works on UDP |
| Solid security with cutting-edge cryptography | |
| Small codebase (just around 4,000 lines) | |
| Aced numerous security audits | |
| Supports all major operating systems | |
| Easy to set up on Linux and other systems | |
| Lower battery consumption on mobile | |
Is WireGuard safe?
Yes! After plenty of independent audits, it’s clear that WireGuard offers top-notch security. It supports only the ChaCha20 cipher, which can prevent faulty encryption deployment. In other words, it puts an end to the so-called “cryptographic agility.” The encryption keys rotate every few minutes in order to provide users with perfect forward secrecy.
With only around 4,000 lines of code, WireGuard is beautiful in its simplicity. The smaller codebase makes security audits much simpler and quicker — a tenet of secure coding. Consequently, there’s less space for cybercriminals to maneuver, and all vulnerabilities can be easily located and fixed.
Note that WireGuard only runs over UDP. So, if network admins block UDP ports, they will effectively block your VPN. However, Linux users can program their connection to use port 443 and send UDP packets over TCP. Apart from this problem, WireGuard is difficult to block since it can use pretty much any port.
How fast is WireGuard?
WireGuard is probably the fastest protocol we currently have. For example, it’s much faster than both OpenVPN and IPSec. Even NordVPN used it as a basis for its amazing NordLynx protocol. Its speed is attributed to its small codebase, quicker connections and handshakes, and efficient CPU usage.
Mobile users can especially benefit from this approach since their batteries will drain slower. Also, WireGuard was designed to provide superior roaming support. Linux users stand to benefit the most from WireGuard since it lives inside the Linux kernel (the “guts” of the operating system).
Is WireGuard easy to install & configure?
If you’re using Linux, then yes. Since it lives inside the Linux kernel, it’s only a matter of typing in a few commands. It’s not that simple on other operating systems, but it’s not too difficult, either. WireGuard now provides downloadable clients for many platforms, including Windows, macOS, Android, and iOS.
If you’re not interested in technical tinkering, many VPNs have incorporated WireGuard in their service. VPNs like Surfshark and VyprVPN have built it into their apps, and you can just pick it from the list and use it as any other VPN protocol.
What’s WireGuard best suited for?
WireGuard is an excellent choice if you need sheer speed without sacrificing online privacy and security. So, it’ll be perfect for your streaming, online gaming, and all other data-intensive operations. If you’re traveling abroad and need a secure option for roaming, WireGuard can fit that bill as well. It’s also pretty impressive at bypassing firewalls unless the network is blocking UDP traffic.
Needless to say, it’s very important to choose the VPN protocol that’s right for you. Every protocol has its own advantages and disadvantages.
In most cases, OpenVPN or WireGuard will be your best bet. PPTP is a protocol we don’t recommend using because of its relatively low-level encryption. However, you could try this protocol when privacy and security are not your highest priorities, such as for unblocking streams. If OpenVPN is not supported or does not work well for whatever reason, you could consider using L2TP/IPSec or IKEv2.
At the end of the day, as long as you know what your goals are for using a VPN, you can pick a VPN protocol that will match your needs and keep you safe online.
Do you have some extra questions about VPN protocols? Check our answers to the most frequently asked questions below.
At the moment, we would say that WireGuard is the fastest protocol out there. Even the likes of NordVPN have used it as the basis for their proprietary protocols. It offers amazing speeds without sacrificing security.
If you’re not interested in security, however, PPTP would be the fastest protocol. Its encryption is pretty low-tier, so there’s nothing to slow down your traffic. We don’t recommend using this outdated protocol, though, unless you know exactly what you’re doing. Read more about PPTP in our article here.
The most important differences between VPN protocols include:
- Security configuration
- Compatibility with various platforms
- How easy they are to set up
When it comes to security, OpenVPN, WireGuard, IKEv2, and L2TP/IPSec are your best bet. WireGuard is the fastest one. OpenVPN offers the best platform compatibility. Learn more about their differences in our extensive comparison guide.
It depends on your personal needs. TCP is better for bypassing online censorship and accessing static data like websites or your email. UDP is faster, which makes it ideal for streaming, online gaming, and real-time communication. Using TCP for these operations would cause a significant amount of lag and ruin your experience.