If you’re put off by the technical jargon used to explain VPN protocols, this guide will be your saving grace. I packed it to the brim with essential information – all in user-friendly terms!
Luckily, doing so was easy. Throughout the last 7+ years, I’ve worked one-on-one with many VPN protocols, helping me gain valuable insight.
So, expect to learn anything and everything, including the 7 most common VPN protocols, what they’re best (and not best) for, proprietary VPN protocols, and much more.
For example, I also put the 7 VPN protocols through a series of tests and comparisons!
Let’s get started.
What Are VPN Protocols?
A VPN (Virtual Private Network) protocol is a middleman between your device and the VPN server you’re connecting to.
Think of it like this – when you connect to a VPN, your network traffic is routed through an encrypted tunnel. The VPN protocol you’re using is how that tunnel is built.
But VPN protocols aren’t created equal. Some prioritize speed over security, while others provide a balance of both. And this is important, as the VPN protocol you choose determines how stable (secure) your VPN tunnel is.
Here’s a layman’s analogy – can you drive a bulldozer through the VPN “tunnel” without so much as a crack? Or do you need to tiptoe and hope the tunnel doesn’t collapse?
What about the speed of your bulldozer? Is it fast enough to make the journey in a reasonable time?
There are many factors to consider before choosing your VPN protocol.
But don’t worry! I’ll walk you through every step, starting with the seven most popular VPN protocols and what they’re best for (and when to avoid them).
But to get us started, here’s a preview of what to expect:
|+Super secure||+Super secure||+Open-source||+Secure||+Easy to use||+Great for evading censorship||+Fast|
|+Open-source||+Open-source||+Super-fast||+Great for mobile devices||+Works with 256-bit AES||+Works with 256-bit AES|
|+Trustworthy||+Lightning-fast||+Great for evading censorship||+Super-fast speeds|
|-Slower than other VPN protocols||-Security risks||-Security risks are too great to use, ever|
|-Slower than other VPN protocols like WireGuard||-Default configuration temporarily stores IP||-Manual configuration required to avoid security risks||-Closed-source||-Security risks||-Possible links to NSA||-Easy to hack|
|-Created in 2019 (no extensive history)||-Not offered by many VPN providers||-Possible links to NSA||-Possible links to NSA||-History of MitM attacks|
7 VPN Protocol Types Explained
In the next sections, I’ll discuss the seven most popular VPN protocols in-depth, including pros, cons, when to use them, when not to use them, and their test results. Let’s hop in!
1. OpenVPN – Most Secure Protocol (But Sometimes Slow)
|Speed Loss Difference:||-12.25 Mbps (TCP ) & -10.49 Mbps (UDP)|
|Data Consumption:||4.1 MB more data spent|
|Strongest Encryption Key:||256-bit|
|Does It Support AES?||Yes|
OpenVPN is one of (if not the) most popular VPN protocols.
If you’re subbed to a reliable VPN provider, chances are they offer it!
It’s also open-source, meaning anyone can scavenge its code to ensure it’s secure and trustworthy. So, there’s no worry of backdoors!
Speaking of security, OpenVPN is the most secure VPN protocol you’ll find. Specifically, it works with the super-secure AES encryption key size (256 bits).
But you can also use it with other encryption ciphers (like Blowfish and ChaCha20) and traffic protocols (like TCP and UDP, discussed below).
OpenVPN also makes it easy to bypass your firewall, so if you configure your own VPN setup with the protocol, you won’t run into compatibility issues.
On the other hand, if you opt for a VPN with OpenVPN integrated directly in its app, you’ll enjoy access on all major platforms, including Windows, macOS, iOS, Android, and Linux.
There are two downsides to OpenVPN, though.
As shown in the table above, OpenVPN isn’t as fast as other protocols (like WireGuard and IKEv2) and uses more data than all the other protocols on my list.
For reference, I started with a data consumption of 80.1 MB.
Then, I watched a YouTube video. I reached 93.1 MB.
Compared to my data consumption without any VPN protocol watching the same video (8.9 MB), that’s 4.1 MB more data spent.
(I’ll discuss my data consumption testing process in more detail later!)
So, if you use OpenVPN on a limited data plan, expect to reach your cap a lot quicker. On the bright side, you can do something about the speed issues (to some extent). Let’s discuss.
OpenVPN TCP vs. UDP
OpenVPN is usually paired with two traffic protocols, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
These determine the security of your network traffic as it journeys through the VPN tunnel.
So, to bring back the analogy from earlier, your traffic protocol governs the stability of your bulldozer. A stable tunnel means nothing if your transportation breaks down halfway through!
When it comes to OpenVPN TCP and UDP specifically, TCP is more secure while UDP is faster.
However, because OpenVPN is already secure, I recommend using UDP for a speed boost. Your “bulldozer” should be stable enough to make the journey but should do so a little faster.
For a more in-depth comparison on TCP vs. UDP, check out this YouTube video by Tom Spark Reviews:
- You want the utmost security and privacy during online activities (like torrenting).
- You run a business and want the best security and privacy for you and your employees.
- Other VPN protocols like WireGuard and IKEv2 aren’t available.
- Speed is essential – for example, if you’re playing heavy games (like GTA 5 or modded Minecraft).
2. WireGuard – Fastest VPN Protocol With High-Tier Security
|Speed Loss Difference:||-8.23 Mbps (Surfshark)|
|Data Consumption:||2.0 MB more data spent|
|Strongest Encryption Key:||256-bit|
|Does It Support AES?||No (ChaCha20)|
WireGuard is a newcomer in the world of VPN protocols.
But, like OpenVPN, its code is open-source, so there are no surprises hidden within.
Its code also comprises just 4,000 lines – that’s 100x smaller than OpenVPN and (some) other protocols (like IKEv2). This is likely why WireGuard is impressively fast.
In fact, its speeds outperformed all the other protocols on my list, with a very small speed loss difference of -8.23 Mbps. Take a look!
Speed Without WireGuard (Surfshark):
Speed With WireGuard (Surfshark):
WireGuard also did its own internal speed tests, where it (reportedly) performed 3x faster than OpenVPN. Take a look.
Beyond that, WireGuard’s compact code also makes it easier to identify security vulnerabilities.
So, while it’s not as secure as OpenVPN, its potential is undeniable.
But security researchers and privacy-conscious users are still hesitant to accept it as-is.
One primary concern is that WireGuard doesn’t support well-known and reliable encryption ciphers like AES-256. Instead, its primary cipher is ChaCha20 – very secure, but, like WireGuard, still in its infancy.
On the bright side, ChaCha20 is suggested to be faster than AES, meaning if security researchers thoroughly test it in the upcoming years, it could surpass AES in security and speed.
As for WireGuard, there are a couple more concerns.
First, the only traffic protocol it’s compatible with is UDP.
This can make it unreliable for bypassing censorship, especially as it struggles with evading firewalls.
Second, due to WireGuard’s default configuration, it temporarily stores your IP address so it can work properly. This is perhaps its biggest downfall and what pushes it behind other more secure protocols like OpenVPN, as even a temporary log poses a risk.
Luckily, some renowned VPN providers have already implemented solutions to negate this temporary storage. For example, NordVPN created a WireGuard fork called NordLynx that uses a Double NAT System – but more on that later.
The last disadvantage to using WireGuard as your primary VPN protocol is that not a lot of VPNs support it yet. But some of the ones that do are very reliable!
Here’s a (non-exhaustive) list:
- Astrill VPN
- Private Internet Access
WireGuard is also available on most major platforms, including Windows, macOS, iOS, Android, and Linux. Plus, it consumed the least amount of data during my tests. Keep reading for an in-depth comparison!
Is WireGuard Better Than OpenVPN?
WireGuard surpasses OpenVPN in some areas – namely, speed.
It actually performed the fastest in my speed tests (with 8.23 Mbps speed loss vs. OpenVPN UDP’s 10.49 Mbps speed loss).
It also spent 2.1 MB less data than OpenVPN (2 MB more data spent in total compared to no VPN protocol), making it a great choice if you’re on a limited data plan.
However, due to its lack of compatibility with encryption ciphers like AES-256 and its temporary storing of your IP address, WireGuard as a standalone protocol (not counting forks) has yet to surpass OpenVPN in security.
So, whether WireGuard is better than OpenVPN depends on your reason for using a VPN.
But if you’re hungry for more information, one of my favorite YouTube channels, All Things Secured, did a video on WireGuard vs. OpenVPN.
In the video, he narrows down WireGuard’s distinctiveness to three factors:
- Its ability to create a stable, fast connection.
- Its performance (up to 4x faster than OpenVPN and IPsec-based VPNs).
- Its utilization of modern cryptography.
You can get all the details by watching All Things Secured’s YT full video:
- You want the best possible speeds during online activities.
- You’re running a limited data plan and want to consume less data.
- You’re willing to forgive its infancy and trust that it’s as secure as OpenVPN.
- You’re hesitant to trust a new VPN protocol.
- Your VPN hasn’t implemented something to combat WireGuard’s temporary storage of your IP address.
- You want to use a traffic protocol other than UDP.
3. SoftEther – Secure But Requires Manual Configuration
|Speed Loss Difference:||-8.42 Mbps (hide.me)|
|Data Consumption:||2.2 MB more data spent|
|Strongest Encryption Key:||256-bit|
|Does It Support AES?||Yes|
SoftEther was launched in 2014 by a student at the University of Tsukuba – and despite being somewhat new, it’s already more secure than a few other protocols (like LT2P/IPSec and PPTP), thanks to its compatibility with the strongest encryption ciphers.
This includes the essential AES-256, and other ciphers like AES-128, RC4-128, and Triple-DES-168. Plus, because SoftEther is based on OpenSSL, users have access to TCP port 443 (the HTTPS protocol), so circumventing censorship shouldn’t be an issue.
In fact, SoftEther recommends the port for “enabling passage even on networks with stringent security settings.” Beyond that, the VPN protocol boasts an 80-hour security audit – of which all discovered security liabilities were immediately patched.
But there’s a catch.
Despite its strong security, SoftEther’s flaw is that it “may require application-level authentication between the client and the server,” as discovered by Aalto University researchers.
To put that in simpler terms, SoftEther and VPN providers that offer SoftEther have the “CheckServerCet” parameter set to false – meaning the protocol doesn’t verify the server certificate, leaving it susceptible to Man in the Middle attacks.
The good news? There’s a solution.
The bad news? It requires manual configuration, and most (or all) VPNs that offer SoftEther don’t have dedicated instructions on how to do so.
Luckily, it’s not hard. In SoftEther’s settings, select Connect > New VPN Connection Setting and look for “Server Certificate Verification Option.”
Then, check the box next to “Always Verify Server Certificate.”
Moving on, SoftEther also claims to be “13x faster than OpenVPN,” thanks to “reducing the frequency of memory copies” and “resolving the MTU problems.”
And while it wasn’t 13x faster during my speed tests, SoftEther still outperformed OpenVPN with a speed loss difference of 8.42 Mbps vs. OpenVPN UDP’s 10.49 Mbps!
Furthermore, though the VPN protocol isn’t natively supported on any operating system, you can configure it on Windows, Linux, Mac OS X, FreeBSD, and Solaris.
But it is rare to find a VPN provider that offers the SoftEther protocol.
So far, the only ones that do (that I know of) are hide.me and CactusVPN.
- Your VPN provider offers it, and you want fast speeds and secure browsing.
- You need a port like TCP 443 (for example, to bypass censorship).
- You haven’t checked the “Always Verify Server Certificate” box.
- You’re hesitant to trust a “newer” VPN provider.
4. IKEv2/IPSec – Fast VPN Protocol for Mobile Devices
|Speed Loss Difference:||-9.04 Mbps (Surfshark)|
|Data Consumption:||2.2 MB more data spent|
|Strongest Encryption Key:||256-bit|
|Does It Support AES?||Yes|
If you use your VPN on your phone, chances are you’ve seen this VPN protocol.
But why is Internet Key Exchange version 2 (IKEv2) used so often on mobile VPN apps?
For starters, it utilizes the MOBIKE protocol, making it easy to change networks – for example, from your home network to mobile data – without needing to re-establish “security associations” with your VPN.
IKEv2 is also fast. It scored third during my speed tests, with a speed loss difference of 9.04 Mbps. It also used 2 MB less data than OpenVPN and tied with SoftEther (starting with 142.0 MB and ending with 153.1 MB, for a total of 2.2 MB more data spent).
Additionally, Microsoft and Cisco designed IKEv2 to be more secure by pairing it with protocols like security protocol, IPSec (Internet Protocol Security).
So, while IKEv2 doesn’t directly encrypt your connection, IPSec does after IKEv2 establishes a connection from your device to the VPN server.
And IPSec supports a whole slew of encryption ciphers, including AES (256-bit), Triple DES-CBC, and ChaCha20.
Plus, despite being closed-source on Windows and other operating systems, IKEv2/IPSec’s Linux releases are open-source and have audits confirming their stability and security.
This gives me a sense of confidence that other OS versions are also stable and secure – more so than other closed-source VPN protocols (like SSTP, discussed below).
But there is a potential problem.
Despite assurances that IKEv2 is more secure than IKEv1, IPSec VPNs were suggested to be purposely vulnerable, according to privacy fanatics like Edward Snowden and Mustafa Al-Bassam.
Specifically, they claim IPSec was created in a way that allows government bodies like the NSA to have access to it.
The history of IPSec VPNs is littered with remote code execution vulnerabilities for over a decade. If you use IPSec, assume you're pwned.— Mustafa Al-Bassam 🧱 (@musalbas) August 19, 2016
However, this is based on words with no proof other than the original IKEv1’s involvement in the Shadow Brokers leak, where the hacker group claimed IKEv1 was compromised by the NSA and used to spy on people.
So, unless concrete evidence surfaces for IKEv2 explicitly, I’m comfortable recommending it as a reliable and fast VPN protocol for your mobile device(s).
One last thing worth mentioning, though. IKEv2 is limited to UDP port 500, making it prone to blocks. For this reason, the VPN protocol isn’t great for evading censorship.
- You want a fast, secure VPN protocol on your mobile phone.
- You frequently switch between networks.
- Its closed-source nature and implications with the NSA concern you.
- You need to bypass censorship.
5. L2TP/IPSec – Slow With Security Vulnerabilities
|Speed Loss Difference:||-14.88 Mbps (ExpressVPN)|
|Data Consumption:||4.0 MB more data spent|
|Strongest Encryption Key:||256-bit|
|Does It Support AES?||Yes|
L2TP (Layer 2 Tunneling Protocol) is a mixed bag.
It’s user-friendly, compatible with most operating systems, and offered by many VPN providers (almost as much as OpenVPN).
L2TP was actually created as a replacement for PPTP (discussed below), and like IKEv2, it’s primarily paired with IPSec for enhanced security and compatibility with AES-256 and 3DES-256 ciphers.
Of course, this also produces the same concern as IKEv2/IPSec – that the NSA potentially has access to IPSec VPNs. However, as stated earlier, this is based exclusively on the words of security researchers, with no concrete evidence to guarantee its accuracy.
That said, L2TP/IPSec has another security vulnerability when paired with VPN providers with pre-shared keys. Specifically, it’s vulnerable to Man in the Middle attacks.
To put it in layman’s terms, if your VPN provider offers its encryption keys online, a cybercriminal can pretend to be your VPN server using those keys and snoop on your connection. Attendants at a Black Hat conference (BH 2003) dived deeper into this vulnerability with real-life demos using IPSec.
You can find the full summary here.
L2TP does have a solution for this in the form of a double encapsulation feature (doubling your data’s security), but it significantly impacts your speeds.
L2TP isn’t the fastest VPN protocol, to begin with, so this is a huge disadvantage.
On top of that, L2TP is another VPN protocol that doesn’t excel at bypassing censorship, as firewalls and network administrators frequently block it.
For these reasons, I don’t recommend using L2TP.
- I don’t recommend using L2TP/IPSec at all.
- You’re concerned about privacy, Man in the Middle attacks, and speed issues.
|Speed Loss Difference:||-10.68 Mbps (hide.me)|
|Data Consumption:||3.3 MB more data spent|
|Strongest Encryption Key:||256-bit|
|Does It Support AES?||Yes|
SSTP (Secure Socket Tunneling Protocol) immediately raises red flags, thanks to its creator, Microsoft.
As you probably know, Microsoft doesn’t concern itself too much with security and privacy. In fact, the company is known to work with the NSA, leaving you wondering just how private SSTP actually is.
On top of that, SSTP is closed-source, meaning there’s no way to investigate its code for potential security risks (or NSA backdoors).
SSTP is also based on SSL/TLS encryption protocols.
This has its advantages but also leads to a bigger concern, as SSL is associated with a specific Man in the Middle attack called POODLE (Padding Oracle On Downgraded Legacy Encryption) that uses SSL 3.0 to obtain encrypted messages.
So, while SSTP was never proven to be directly affected by this security threat, you’re better off avoiding it when possible due to its closed-source nature.
That said, SSTP does have one primary (and important) use: bypassing censorship.
The primary advantage of SSTP being based on SSL/TLS encryption is that it uses TCP port 443. As detailed above, this port is great at circumventing blocks, making it helpful for users in countries like China and the UAE who don’t have other VPN protocols at their disposal.
SSTP is also relatively fast (with a speed loss of 10.68 Mbps).
It also only used 3.3 MB more data (12.2 MB in total) than my data consumption without a VPN protocol (8.9 MB).
- You need to bypass censorship in countries like China or restricted locations like school/work, and no other alternative protocols are available.
- Other VPN protocols (like OpenVPN) are available.
- You’re uncomfortable with SSTP’s association with the NSA and/or concerned about Microsoft owning it and/or its security risk (POODLE).
|Speed Loss Difference:||N/A|
|Strongest Encryption Key:||128-bit|
|Does It Support AES?||Yes|
PPTP (Point to Point Tunneling Protocol) is the last VPN protocol on my list for a reason – I don’t recommend using it, ever.
Like SSTP, PPTP’s creator is related to Microsoft.
Specifically, Gurdeep Singh-Pall is a Microsoft engineer who brought VPN technology to life by developing PPTP as the very first VPN protocol in 1996.
That’s cool and all, but today, PPTP is useless.
Not only does its relation to Microsoft yield the same privacy concerns as SSTP, but PPTP doesn’t support 256-bit encryption keys.
128-bit is the strongest you’ll get. Because of this, PPTP is susceptible to many vulnerabilities.
Moreover, it’s so easy to hack that it’s been used as the focal point for school assignments. And then there are the NSA associations to consider.
PPTP is said to have been exploited by the NSA to gather massive sums of data from users using it. And if that’s not enough to convince you to avoid PPTP, even Microsoft recommends switching to L2TP or SSTP.
Really, PPTP’s only advantage is that it’s fast.
But considering the price you pay for that speed, it’s still not worth using.
Many VPN providers agree on that, too, as the VPN protocol has slowly started vanishing from renowned VPN services like ExpressVPN and NordVPN.
So, all in all, I don’t recommend PPTP.
- I don’t recommend using PPTP, ever.
- Avoid PPTP at all costs – but especially when handling sensitive data.
BONUS: Proprietary VPN Protocols
It’s becoming more normal for VPN providers to release their own proprietary VPN protocols. These are typically “beefed up” versions of existing protocols (like OpenVPN and WireGuard).
I’ll discuss and compare the most prominent ones in the next sections to give you an idea.
Here’s a preview of the primary proprietary protocols you’ll learn about:
- Lightway (ExpressVPN)
- NordLynx (NordVPN)
- Chameleon (VyprVPN)
However, it’s important to note that most proprietary VPN protocols come with a risk. Specifically, if they’re closed-source, there’s no way to confirm any promises that they’re “more secure” than other protocols.
The biggest example of this is VyprVPN’s proprietary protocol, Chameleon.
But before we tackle Chameleon, let’s discuss two trustworthy, open-source proprietary VPN protocols.
Lightway is ExpressVPN’s proprietary VPN protocol designed to enhance your VPN experience by giving you better speeds without skimping on security.
And like OpenVPN, Lightway offers TCP and UDP options (with the same caveats – TCP is more secure, UDP is faster). For the speed tests below, I used Lightway UDP.
Lightway is also compatible with 256-bit keys, ciphers like AES and ChaCha20, and utilizes wolfSSL, which is supported by thorough vetting by third parties, “including against the FIPS 140-2 standard.”
This is likely why Lightway is as fast as ExpressVPN promises (and aptly named).
It scored first in my proprietary protocol speed tests, with a speed loss of just 4.57 Mbps! Take a look.
Speed Without Lightway:
Speed With Lightway:
NordLynx is NordVPN’s more secure version of WireGuard.
It’s meant to give you security on-par with OpenVPN and speeds that rival WireGuard’s. But why didn’t NordVPN just use WireGuard?
Well, NordVPN is known for being privacy-conscious, and, as mentioned above, WireGuard temporarily stores your IP address.
NordLynx bypasses this privacy concern, thanks to its RAM-only servers that automatically delete your logs every time the server reboots and a double NAT system that hides multiple user IP addresses behind a single public IP accessed by WireGuard.
On top of that, NordLynx is open-source, consists of 4,000 lines of code (same as WireGuard), and supports the same encryption cipher as its predecessor (ChaCha20).
Plus, it’s fast! My base speed was 217.61, and my speed with NordLynx was 209.30 Mbps, for a total speed loss of 8.31.
Speed Without NordLynx:
Speed With NordLynx:
Next up, VyprVPN’s proprietary VPN protocol, Chameleon, is based on OpenVPN.
However, unlike Lightway and NordLynx (primarily developed for speed and security), Chameleon’s main focus is bypassing censorship in countries like China and the UAE.
It does this by scrambling OpenVPN packet metadata and making it undetectable via deep packet inspection (DPI) – a method commonly used to impose internet restrictions.
Chameleon also uses OpenVPN’s unmodified 256-bit protocol for its core data encryption. But as an added precaution, VyprVPN also implemented “Smart IP,” which changes your IP address periodically while you’re connected to Chameleon (without interrupting your connection).
Unfortunately, Chameleon was the slowest proprietary VPN protocol out of the three I tested, with a speed loss of 13.54 Mbps.
Here are those results:
Speed Without Chameleon:
Speed With Chameleon:
So, using it is a matter of security vs. speed.
Additionally, the protocol is closed-source – and VyprVPN has a somewhat controversial opinion on why it’s closed-source, saying that because Chameleon doesn’t replace or change the encryption performed by the core OpenVPN connection, it’s “NOT a piece of security software and it doesn’t need to be open source for you to see that it doesn’t do nefarious things.”
Proprietary Protocols Compared
I wanted to compare the three proprietary VPN protocols above to help show you the bigger picture and see which ones excel in which areas.
Here’s a table with all my findings:
|Proprietary Protocol||Lines of Code||Open-Source?||Supported Encryption Ciphers||Strongest Encryption Key||Base Download Speed/VPN Download Speed|
|Lightway (ExpressVPN)||+/- 2,000||Yes||AES, ChaCha20, and more||256-bit||207.11 Mbps / 202.54 Mbps|
|NordLynx (NordVPN)||+/- 4,000||Yes||ChaCha20||256-bit||217.61 Mbps / 209.30 Mbps|
|Chameleon (VyprVPN)||Unknown||No||AES||256-bit||217.29 Mbps / 203.75 Mbps|
Other Proprietary VPN Protocols
There are numerous proprietary VPN protocols, and the more time passes, the more new ones creep up. While not an exhaustive list, here are a few examples:
- Astrill – OpenWeb and StealthVPN
- Hidester – CamoVPN
- Hotspot Shield – Catapult Hydra
- VPN Unlimited – KeepSolid Wise
- X-VPN – Protocol X
Testing & Comparing VPN Protocols
To ensure my VPN protocol recommendations are trustworthy and top-notch, I put all of them through several tests, including speed, encryption, and data consumption.
First, I’ll walk you through my testing process. Then, I’ll discuss my results in-depth.
To get started, here are step-by-step instructions on how I tested each VPN protocol:
- For the best picture, I looked for VPNs with multiple protocols, so I could test several protocols with one VPN. Here’s a breakdown of what protocols I tested with what VPNs:
- ExpressVPN – OpenVPN (TCP and UDP), IKEv2, and L2TP/IPSec
- Surfshark – OpenVPN (TCP and UDP), IKEv2, and WireGuard
- Hide.me – OpenVPN (TCP and UDP), SSTP, IKEv2, WireGuard, and SoftEther
- CyberGhost – OpenVPN (unspecified), IKEv2, and WireGuard
- For speed tests, I used the nearest server (I’m in Slovakia) and used Windows. I took each protocol’s highest speed out of all the tests.
- You’ll see what VPN provider performed the fastest results for a specific protocol in the results.
- For encryption tests, I used Wireshark with every VPN and every VPN protocol.
- In the test results, you’ll see “Yes” or “No” next to “Encryption Success (Wireshark).” If I mark “Yes,” the VPN protocol displayed gibberish results, meaning it worked. “No” means some or all of the results were readable.
- For data tests, I used GlassWire on my PC to monitor my data consumption with and without the VPNs while performing the same task (watching the All Things Secured YT video linked above). I tested each VPN with each protocol, took a single protocol’s least data consumption, and subtracted it from my data consumption without any VPN protocol, which was 31.9 MB.
- In the test results, you’ll see what VPN provider had the least data consumption for any given protocol.
- I also included other variables worth considering in the results, such as how big each protocol’s code is, whether they’re open-source, any known issues, launch date, reliability, and more.
The only VPN protocol I did NOT test is PPTP.
However, I was only able to test SoftEther and SSTP with hide.me and L2TP/IPSec with ExpressVPN, so consider that.
Let’s discuss my test results!
VPN Protocol Test Results
|VPN Protocol||Speed Loss Difference||Encryption Success (Wireshark)||Strongest Encryption Key||Does it support AES?||Data Consumption||Size of Code (+/-)||Open-Source?||Known Issues||Launch Date||Reliability|
|OpenVPN TCP||-12.25 Mbps (ExpressVPN)||Yes||256-bit||Yes||5.6 MB more data spent (Surfshark)||600,000 (+OpenSSL)||Yes||Slower than UDP and other protocols||2001||10/10|
|OpenVPN UDP||-10.49 Mbps (ExpressVPN)||Yes||256-bit||Yes||4.1 MB more data spent (ExpressVPN)||600,000 (+OpenSSL)||Yes||Less secure than TCP||2001||9.8/10|
|WireGuard||-8.23 Mbps (Surfshark)||Yes||256-bit||No (ChaCha20)||2.0 MB more data spent (Surfshark)||4,000||Yes||Temporarily stores IP address, only supports UDP||2019||8.7/10|
|SoftEther||-8.42 Mbps (Hide.me)||Yes||256-bit||Yes||2.2 MB more data spent (Hide.me)||380,000||Yes||Requires manual configuration to bypass security risk||2014||8.2/10|
|IKEv2/IPSec||-9.04 Mbps (Surfshark)||Yes||256-bit||Yes||2.2 MB more data spent (ExpressVPN)||400,000 (IPSec)||No||Possible associations with the NSA, closed-source, not great at bypassing censorship||2005||8.6/10|
|L2TP/IPSec||-14.88 Mbps (ExpressVPN)||Yes||256-bit||Yes||4.0 MB more data spent (ExpressVPN)||400,000 (IPSec)||No||Closed-source, vulnerable to speed issues, privacy issues, and Man in the Middle attacks||1999||3/10|
|SSTP||-10.68 Mbps (Hide.me)||Yes||256-bit||Yes||3.3 MB more data spent (Hide.me)||N/A||No||Known security risks, possible association with the NSA, closed-source||2007||4.6/10|
|PPTP||N/A||N/A||128-bit||Yes||N/A||N/A||No||PPTP is unsecure and unreliable – DO NOT USE||1996||0/10|
What’s the Best VPN Protocol?
Security researchers typically recommend OpenVPN as the best VPN protocol, as it’s the most secure, thanks to its clean history, open-source nature, and compatibility with AES-256-bit encryption (and others).
However, protocols like WireGuard, SoftEther, and IKEv2 are catching up with OpenVPN’s security (plus, they all support 256-bit encryption keys) – and have already surpassed OpenVPN’s speeds.
For this reason, the best VPN protocol for you depends on your needs and whether you want to prioritize speed, security, or both.
To help you make a sound decision, I’ll discuss choosing the best VPN protocol in the next section.
How to Choose the Best VPN Protocol?
When choosing the best VPN protocol, there are several questions you should ask yourself before moving to the “testing phase.”
Does the Protocol Support 256-Bit Encryption Keys?
256-bit encryption keys are the strongest keys (currently) in existence.
They’re said to be military-grade and unhackable (at least for now).
Make sure to avoid anything less.
The only protocol on my list that doesn’t support 256-bit encryption keys is PPTP – and you shouldn’t use that protocol, anyway.
However, ensure the VPN service you’re using offers a 256-bit encryption key for your chosen protocol (some only offer 128-bit keys).
Does the Protocol Support Numerous Encryption Ciphers?
The most well-known and trusted encryption cipher is AES (Advanced Encryption Standard), so it’s preferable if your VPN protocol is compatible with it.
However, there are other trustworthy ciphers, such as ChaCha20, Triple DES, and RSA, and it pays if your VPN protocol is also compatible with those.
Of course, there are always exceptions – like WireGuard, which only supports ChaCha20.
In the end, the most important thing is your VPN protocol’s strongest encryption key.
Is the Protocol Fast Enough for Your Activity?
Some VPN protocols are faster than others. This is important to consider, as the most secure VPN protocol (OpenVPN) is on the slower side.
So, if you’re doing heavy gaming or torrenting, consider using WireGuard (optimized to negate its temporary storage of your IP address), SoftEther (with the “Always Verify Server Certificate” enabled), or IKEv2 (if you’re on mobile) instead.
Are There Security Vulnerabilities Associated With the Protocol?
Some VPN protocols – like L2TP, SSTP, and PPTP – should be avoided whenever possible due to their security risks. Others, like WireGuard and SoftEther, should be optimized to bypass security risks before using.
To revisit the security risks associated with each VPN protocol, see the table under “VPN Protocol Test Results.”
Is the Protocol Open-Source and/or Trustworthy?
It’s easier to trust a VPN protocol with an open-source code, as it allows anyone to scavenge the code for vulnerabilities, backdoors, and other risks.
It also encourages the community to discuss the code, find bugs, and build a rapport.
However, there might be exceptions to the “open-source” rule.
For example, IKEv2 is closed-source on most operating systems except Linux, where its open-source code is risk-free.
This makes it easier to trust that its other OS versions are also risk-free.
Does Your VPN Support the Protocol?
Before you decide on a VPN protocol, ensure your VPN provider offers that protocol. As you can see from my testing section, different VPNs offer different VPN protocols.
The most common protocol you’ll find is OpenVPN, though WireGuard and IKEv2 are slowly catching up. Meanwhile, SoftEther is rare.
After considering the questions above, put your top 2-3 contenders through a series of tests (like I did). Consider their speed, security, and data consumption results before making a final decision.
How to Set Up Your VPN Protocol?
Most VPN providers make it easy to switch protocols, so you can use one protocol for one activity and another protocol for a different activity.
The process is also similar across most VPN apps.
For ExpressVPN, follow these steps:
- Open the ExpressVPN app.
- Click the three lines in the upper-left corner and select “Options.”
- Under the “Protocol” tab, select your preferred protocol.
- Click “OK” and connect to a VPN server.
For Surfshark, follow these steps:
- Open the Surfshark app.
- Click the Settings cog in the lower-left corner.
- Scroll down and click “Advanced.”
- Click the dropdown menu under “Protocol” and choose your preferred protocol.
- Navigate back to the server list and connect to a VPN server.
VPN Protocol Isn’t Working? (Troubleshooting)
If your VPN protocol isn’t working, there are several troubleshooting steps you can do to try and resolve the issue. Try them in this order (progressing to the next step if the previous steps don’t work):
- Disconnect from your VPN server and reconnect to a new one.
- Quit your VPN app and relaunch it.
- Ensure your VPN is up-to-date.
- Ensure you have an internet connection without your VPN.
- If your VPN protocol requires manual configuration, ensure you configured it correctly.
- At this point, if you’re still having difficulties, try a different VPN protocol. Disconnect from your server, choose a new protocol and reconnect.
- If this doesn’t solve the problem, ensure the firewall isn’t blocking your VPN. Look in your firewall settings and add an exception for your VPN.
- Still having issues? Try uninstalling and reinstalling your VPN.
- Reach out to your VPN provider’s support team for additional troubleshooting steps as a last resort.
In the past, PPTP was supposedly the fastest VPN protocol.
However, I didn’t test PPTP because it’s insecure, unreliable, and should be avoided.
Instead, WireGuard performed the fastest, placing ahead of OpenVPN (TCP and UDP), SoftEther, IKEv2/IPSec, SSTP, and L2TP/IPsec.
It had a speed loss difference of just 8.23 Mbps.
For reference, my base speed was 219.14, and WireGuard’s speed was 210.91 (using Surfshark).
The OpenVPN protocol is the most secure, with OpenVPN TCP more secure than UDP. Many security experts even back the VPN protocol, recommending it over all other protocols.
This is thanks to OpenVPN’s support for the strongest encryption key (256-bit) and numerous encryption ciphers, such as AES and Triple Des.
OpenVPN is also open-source, adding to its trustworthiness with a history of transparency and reliability.
IKEv2/IPSec is the most stable VPN protocol, thanks to its utilization of MOBIKE, allowing users to easily switch networks without interrupting the VPN connection (and thus, their security).
However, IKEv2 isn’t as secure as other protocols like OpenVPN, especially as most of its code is closed-source (save for Linux).
It also has potential ties to the NSA, so stability comes with a small risk.
The easy answer is SSTP, thanks to its utilization of port 443.
However, I don’t recommend using SSTP to bypass censorship if you can help it, as it has several known security risks and ties with the NSA.
If offered by your VPN provider, a great alternative is SoftEther, which also utilizes port 443, making it great for accessing content worldwide.
Just ensure you enable the “Always Verify Server Certificate.”
If SoftEther isn’t available, try OpenVPN before switching to SSTP.
The easiest VPN protocol to use is L2TP/IPSec – however, it’s not the most secure, so ease-of-use isn’t worth the risk.
Instead, consider that most VPN providers directly support the best VPN protocols in their apps (like OpenVPN, WireGuard, and IKEv2), making it easy to use any protocol. It’s usually as easy as clicking “Settings” and switching protocols.
The best VPN protocol for torrenting depends on your priorities.
If you prefer speed over security, WireGuard is a great choice for torrenting, as it offers the fastest speeds.
However, if you want security first and speed second, OpenVPN is better.
And OpenVPN UDP (faster than TCP) is a great compromise for slightly better speeds with strong security.
That said, both OpenVPN and WireGuard support 256-bit encryption keys, so either option is a good choice (if properly optimized).
WireGuard is my preferred protocol for gaming, as it offers a mix of speed and security. Specifically, you’ll get 256-bit encryption with the ChaCha20 cipher.
Just ensure your VPN provider implements a solution for WireGuard’s temporary storage of your IP address – or use a WireGuard fork like NordLynx (NordVPN’s proprietary protocol).
Another great protocol for gaming is ExpressVPN’s proprietary protocol, Lightway, as it consistently gives me lightning-fast speeds without compromising security.
By now, you should have a clear idea of what VPN protocols are, how they work, and what ones are the most popular.
You should also know what protocols to use for what activities – and what ones to avoid.
In conclusion, it’s a toss-up on the best VPN protocol.
OpenVPN, WireGuard, IKEv2, and SoftEther all have advantages and disadvantages.
However, my recommendation is to alternate between OpenVPN and WireGuard. Use OpenVPN when speed isn’t a necessity and switch to WireGuard when it is.
And don’t forget to share this article when someone asks, “What VPN protocol should I use?”