VPN Protocols Explained & Compared

Your choice of VPN protocol varies depending on which VPN you’re using. Some VPN services let you choose from a wide range of protocols. Other VPNs won’t let you choose at all.

Below is a table comparing the seven most commonly-used VPN protocols:

Protocol Speed Security Data Usage
WireGuard Very Fast Very High Very Low
OpenVPN Moderate Very High High
IKEv2/IPSec Very Fast High Moderate
SoftEther Very Fast High Low
L2TP/IPSec Moderate Moderate High
SSTP Slow Moderate High
PPTP Slow Low Moderate

1. WireGuard: The Best VPN Protocol

Pros Cons
Remarkably quick Limited track record
Concise & efficient code base Privacy concerns with default settings
Minimal data usage
Modern security & encryption

WireGuard is the newest open-source VPN protocol. It’s extremely fast, data efficient, and natively only supports UDP communication. Its widespread adoption among high-quality VPNs, fast speeds, and secure encryption ciphers make it the best choice for the majority of users.

Its code base is much shorter than OpenVPN, making it less likely to produce errors, easier for VPN services to implement in their software safely, and quicker to audit thoroughly. In our own testing, WireGuard was consistently two times faster than OpenVPN. To compare the two protocols, read our in-depth exploration of WireGuard vs OpenVPN.

Our tests found that WireGuard uses the least bandwidth out of all the widely-used VPN protocols. WireGuard uses ChaCha20 encryption, Poly1305 for authentication, Curve25519 for key exchange and Perfect Forward Secrecy (PFS).

Illustration of a WireGuard VPN tunnel.

WireGuard is a modern and safe VPN protocol.

However, WireGuard was only released to the public in 2019, making it relatively new compared to other protocols. It will take time to establish genuine trust as more security experts audit the protocol over time.

WireGuard’s default setup requires static IP addresses, which can compromise privacy. However, many top-tier VPN providers have addressed this with advanced configurations like double Network Address Translation (NAT) systems.

NordVPN, for example, integrates WireGuard with its own double NAT System to create a safer version of WireGuard called NordLynx. It allows servers to establish a WireGuard connection without having to store a static IP address on the server.

ProtonVPN has also implemented a double NAT system with its WireGuard servers to ensure no real IP addresses are stored.

Should you use WireGuard? If configured properly, WireGuard is as safe and secure as OpenVPN, and is significantly faster. It’s also good for mobile VPN users due to its low bandwidth consumption.

2. OpenVPN: A Safe Alternative Protocol

Pros Cons
100% safe to use Bloated code and complicated construction
Highly-configurable protocol Problematic default configuration
Compatible with many encryption ciphers OpenVPN consumes a lot of data
Slower than other protocols

OpenVPN is an open-source, trusted VPN protocol. It’s the most popular protocol in this list and it’s available with most VPNs because it’s been the industry gold standard for decades.

It has been rigorously audited for two decades by security researchers. It also offers PFS that generates new keys for every session of data transfer.

When you use OpenVPN, both the control channel (which handles authentication, key exchange, and configuration) and the data channel (which encrypts and transmits packets) are protected with SSL/TLS encryption. This makes it safer than other protocols that only encrypt the data channel.

It can use all the cryptographic algorithms contained in the OpenSSL library, including: AES, Blowfish, Camellia, and ChaCha20.

Illustration of OpenVPN tunnel.

OpenVPN is a popular and safe VPN protocol, available with most VPN services.

Most VPNs allow you to choose between two transmission modes: TCP and UDP. The key difference between UDP and TCP is that UDP is faster, whereas TCP is more stable and reliable.

This is because TCP establishes a connection before transmitting data, maintaining the connection throughout transmission, and closes the connection after all data has been sent successfully. TCP guarantees data delivery as it checks for errors, confirms whether any packets are lost, and re-initiates transmission if needed.

In contrast, UDP doesn’t open, maintain, and close a connection before delivering data. UDP simply sends the data without handshakes – there is no tracing or retransmission of lost packets.

Importantly, TCP is primarily used in situations where trustworthy communication is necessary, such as sending emails, transferring important files, and bypassing censorship. UDP is great for fast-paced activities, like gaming, streaming video or music, and online calls.

Almost every VPN app natively supports OpenVPN across popular operating systems, including Windows, macOS, Android, Linux, and iOS. You can also manually set up an OpenVPN connection.

However, OpenVPN has its drawbacks. It isn’t as efficient as WireGuard or IKEv2. It has over 70,000 lines of code — compared to just 4,000 in WireGuard. This makes it more difficult for security researchers to audit and increases the risk of bugs occurring.

Similar to Wireguard, OpenVPN stores your IP address and username by default. The protocol can easily be configured to not store IP addresses.

OpenVPN actually consumes far more data than any other VPN protocol we’ve tested. This means if you’re using your VPN on mobile, you’ll reach your contract’s data limit around 20% quicker.

Should you use OpenVPN? If privacy and security are your absolute top priority, then you should use OpenVPN. However, if you’re gaming or streaming video and want the best speeds, we recommend opting for WireGuard instead. OpenVPN also has higher bandwidth consumption than other protocols, so it’s not the best option if you’re using 5G on a mobile plan, as you’ll reach your maximum allowance quicker.

3. IKEv2/IPSec: Great for Mobile Devices

Pros Cons
Very fast Microsoft’s code base is closed-source
Switch between WiFi networks and mobile data seamlessly Fails to bypass online censorship
Supports many strong encryption ciphers It might be compromised by the NSA

IKEv2 (Internet Key Exchange version 2) is a fast VPN protocol that provides a very stable connection. In our tests, IKEv2/IPsec was the second-fastest protocol. This is because it uses less bandwidth – just 7.88% compared to OpenVPN UDP’s 17.14%.

It offers a unique auto-reconnect feature using Mobility and Multihoming Protocol (MOBIKE). This keeps the connection with a VPN gateway active while moving from one address to another. The feature helps users switch seamlessly between cellular data and WiFi networks on mobile.

Screenshot of a Surfshark connection on iOS, using IKEv2.

We recommend Surfshark for mobile as it offers the IKEv2 protocol, GPS spoofing, a custom kill switch, and more.

However, IKEv2 doesn’t provide any encryption on its own, so it’s usually combined with IPSec (Internet Protocol Security) to form IKEv2/IPSec.

Microsoft and Cisco created the IKEv2/IPSec protocol together, which might cause concern due to their reputation for closed-source code, but there are now many open-source iterations that have been audited.

NOTE: Linux versions of IKEv2/IPSec are open-source, and audits have shown nothing untoward with the protocol. For this reason, the closed-source nature of IKEv2 is less concerning than with other closed-source protocols, such as SSTP.

IPSec is a suite of security protocols that uses 256-bit ciphers, such as AES, Camellia and ChaCha20. After IKEv2 has established a secure connection between your device and the VPN server, IPSec encrypts your data for its journey through the tunnel.

There are suspicions IPSec may have been hacked by the NSA. Security researchers like Edward Snowden have suggested that IPSec was deliberately weakened during its creation. While this is unconfirmed, it is widely suspected that any IPSec-based VPN protocol may be compromised by the NSA.

The VPN protocol also doesn’t bypass online censorship. IKEv2 is easily blocked by firewalls and WiFi administrators because it only works on UDP port 500. IKEv2/IPSec is a poor choice if you’re visiting countries with firewalls like China or Russia.

Should you use IKEv2/IPSec? IKEv2/IPSec is a great option for mobile due to its fast speeds, ability to switch between networks, and low data consumption. However, the protocol being closed-source and IPSec’s possible association with the NSA are enough to cause privacy concerns.

4. SoftEther: Great for Bypassing Censorship

Pros Cons
Well-designed to bypass firewalls Not available with most VPNs
Compatible with strong encryption ciphers Requires manual configuration to be safe

When configured properly, SoftEther is a fast and secure open-source protocol. Released in 2014, it’s one of the newer VPN protocols available, developed as part of a Master’s thesis at the University of Tsukuba.

Screenshot of Hide.me's Windows client, which shows its VPN Protocol page in Settings.

Hide.me offers the SoftEther protocol in its Windows client.

SoftEther is compatible with many encryption ciphers: AES-256, RC4-128, and Triple-DES-168.

SoftEther is particularly good for bypassing sophisticated firewalls. It bases its encryption and authentication protocols on OpenSSL. Like OpenVPN, this means it can use TCP Port 433, which firewalls find difficult to effectively block due to it being the port used for HTTPS (or secure websites).

Crucially, most VPNs never adopted SoftEther into their software and haven’t indicated plans to do so in the future. SoftEther is not supported natively on any operating system, and very few VPN providers currently support its use. Of those we’ve tested, Hide.me is now the only VPN to support the SoftEther protocol.

We suspect the reason is due to SoftEther’s complexity, and while it excels at bypassing censorship, a lot of VPNs develop their own protocols for this use case instead (like Astrill’s StealthVPN and Windscribe’s Stealth).

EXPERT ADVICE: When using SoftEther, be sure to tick the Always Verify Server Certificate box in the New VPN Connection settings.

It’s important to note that SoftEther’s default configuration is not safe out of the box. By default, clients do not verify the server’s certificate. Attackers can therefore impersonate a VPN server and gain access to user credentials and online activity.

Should you use SoftEther? SoftEther is a good option if you need to bypass sophisticated firewalls, but you should make sure Always Verify Server Certificate is enabled before using it. Hide.me is the only VPN we’ve reviewed that supports SoftEther, so you might want to opt for other more popular protocols, like WireGuard or OpenVPN, if you don’t want a Hide.me subscription.

5. L2TP/IPSec: Slow & Unsafe Protocol

Pros Cons
Compatible with strong encryption ciphers Complex code leads to poor implementation
Open-source code Fails to bypass firewalls
IPSec might be compromised
Slower than other protocols
Incompatible with NAT

Layer 2 Tunneling Protocol (L2TP) was created in 1999 as a successor to PPTP. Like IKEv2, L2TP is usually combined with IPSec to form a hybrid L2TP/IPSec VPN protocol.

Overall, its performance is disappointing and L2TP is slowly being phased out of the VPN market. Less than half of VPNs we’ve reviewed offer it, and it’s featured in none of the top 10 VPN providers. A majority of VPNs offer faster and safer alternatives instead.

It was created by Microsoft and Cisco, but there are open-source code bases available on GitHub that have implemented L2TP/IPSec servers, so the protocols can be audited and checked for back doors.

StrongVPN Protocols on macOS

StrongVPN is one of the few VPNs to offer the L2TP/IPSec protocol.

It’s complex code has lead to poor implementation among VPNs. Due to the complexity of combining L2TP and IPSec, some VPNs used pre-shared keys to set up the protocol. This opened users up to Man-In-The-Middle-Attacks (MITMs), in which an attacker falsifies authentication credentials, impersonates a VPN server, and eavesdrops on your connection.

IPsec provides a range of strong encryption protocols and authentication mechanisms, ensuring data confidentiality during transmission. However, it is susceptible to the same privacy concerns raised by Edward Snowden – that IPSec has been compromised by the NSA.

L2TP/IPSec is also slower than other protocols. This is because it uses a double encapsulation feature, which wraps your data in two layers of encryption. While this improves the security of the protocol, it’s also resource-intensive and slows down your speeds.

L2TP/IPSec has difficulties bypassing certain firewalls. It’s simply not as effective as other VPN protocols like OpenVPN or SoftEther. It’s also incompatible with NAT, which can cause connectivity problems. In this case, you’ll need to use a VPN passthrough feature on your router to connect to a VPN using L2TP.

Should you use L2TP/IPSec? Don’t use L2TP/IPSec if you’re revealing personal information, concerned about NSA surveillance, or using a VPN that publicly shares its encryption keys online.

6. SSTP: Effective Obfuscation, but Closed-Source

Pros Cons
Offers secure AES-256 encryption Not available with most VPNs
Great for bypassing censorship Closed-source and owned by Microsoft
Easy to set up on Windows

Secure Socket Tunneling Protocol (SSTP) is a highly reliable VPN for bypassing firewalls, and it offers decent speeds. However, most high-quality VPNs have dropped the protocol and integrated more modern protocols.

SSTP is a proprietary protocol owned and operated by Microsoft. It’s typically used to protect native Windows connections. It uses SSL/TLS and TCP port 443 by default, as well as AES-256 encryption ciphers to establish a secure connection.

This is the port that all regular HTTPS traffic flows through, making it difficult for firewalls to block and brilliant for bypassing web censorship.

IPVanish's protocol settings on Windows

IPVanish was the last top-rated VPN to offer SSTP, but it has since been discontinued.

A majority of VPNs never implemented or have discontinued the SSTP protocol. Out of the 65 VPNs we’ve reviewed, just a handful of VPNs offer it, which says a lot about whether it’s actually useful or not.

Ever since 2022, when IPVanish removed it, all of our top VPN recommendations offer safer, faster, and more private protocols instead of SSTP.

It used to be vulnerable to Man-in-the-Middle (or Poodle) attacks because it used SSL3. But nowadays SSTP is configured to use TLS 1.2 and 1.3, which is much more secure and resistant against cyberattacks.

Overall, there are newer and more private alternatives already available with VPNs, like WireGuard and OpenVPN, so there isn’t a reason to use SSTP.

Should you use SSTP? SSTP is a great protocol for bypassing censorship, but if you’re concerned about privacy, you might be put off by the fact it’s closed-source. In addition, Hide.me is the only top-rated VPN to offer SSTP in its apps.

7. PPTP: Outdated & Insecure Protocol

Pros Cons
Fast speeds Serious security vulnerabilities
Not compatible with 256-bit encryption keys
Poor choice for bypassing censorship
Reportedly cracked by the NSA

Point-to-Point Tunneling Protocol (PPTP) is an obsolete VPN protocol that has many known security issues. It is one of the oldest network protocols that was widely used for creating encrypted tunnels.

It was developed by Microsoft in 1999 to function in everyday Windows environments, with low data consumption and high speeds. But bear in mind that this was the era of dial-up internet: a lot has changed since then, and PPTP is no longer the standard.

Most VPN providers have stopped supporting PPTP altogether because of its vulnerabilities, so you likely won’t be able to access it. The protocol is fragile and seriously flawed as a VPN protocol designed to improve a user’s online security. Avoid this protocol if you’re concerned about your online privacy and security.

As a result of its simple setup and good performance (at its time of release), the PPTP protocol was popular with small to medium size businesses for internal site-to-site and remote VPNs. Worryingly, some companies still rely on this protocol in 2024.

In 2024, PPTP is severely outdated and completely unsafe to use with a consumer VPN.

There are a couple positives to PPTP — mainly that it’s easy to implement and relatively fast.

But these positives are vastly outweighed by the magnitude of negative risks. It has been proven to be full of vulnerabilities in the past two decades.

As PPTP is so old, it only supports encryption keys up to 128-bits. Other VPN protocols, like OpenVPN, offer stronger 256-bit encryption or newer cipher suites like ChaCha20.

For example, we found a blog post from 2016 claiming a PPTP-encrypted VPN connection can be cracked in just three minutes. The NSA have also reportedly exploited PPTP’s insecurities to collect huge amounts of data from VPN users.

Should you use PPTP? We do not recommend using PPTP ever. It simply isn’t secure enough in 2024. Importantly, you should never use PPTP for online banking, online purchases, or for logging into any other accounts.

link