OpenVPN over TCP vs UDP

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two communication protocols used to send information over the internet.

In VPN software, the OpenVPN protocol has to use either UDP or TCP to send data between your device and the VPN server.

Here’s a table showing the key differences between the two protocols:

	TCP	UDP
How It Works	Connection-oriented	Connectionless
Speed	Slower	Faster
Reliability	Higher	Lower
Resends Lost Packets	Yes	No
Packet Delivery	In Sequence	In a Stream
Error Correction	Thorough	Minimal
Flow Control	Yes	No
Data Consumption	Higher	Lower
Suitable for Real-Time Apps?	No	Yes

The bottom line is that UDP is usually the best option for a VPN connection due to its faster speeds and lower data overhead.

However, there are specific situations where TCP is the better option, especially when reliability is crucial.

Here’s a quick guide on when to use each protocol:

• TCP: Suited for web activities that require stability, such as web browsing (HTTP, HTTPS), email (SMTP, IMAP/POP), downloads and uploads (FTP), and remote computer access via secure shell (SSH)
• UDP: Suited for use cases where speed is key, like online gaming, video streaming, Voice over IP (VoIP), and Internet of Things (IoT) devices (e.g., sensors sporadically sending data home)

TCP creates a connection between two devices such as your computer and a web server. Data is sent through that connection. It’s like a phone call in which the two devices talk to each other so they can check if the information was received correctly.

TCP is a “connection-oriented” protocol and it uses a three-way handshake to establish that connection. It works through the exchange of the following packets:

1. SYN (Synchronize) Packet: The client initiates the connection by sending a SYN packet to the server. This packet contains the client’s initial sequence number
2. SYN-ACK (Synchronize-Acknowledge) Packet: Upon receiving the SYN packet, the server responds with a SYN-ACK packet. This packet acknowledges the client’s SYN and includes the server’s own initial sequence number.
3. ACK (Acknowledge) Packet: Finally, the client sends an ACK packet to the server, acknowledging the server’s SYN-ACK. At this point, the connection is established, and the client and server can begin exchanging data.

Here’s an example of a VPN establishing a TCP connection:

The three-way handshake ensures that both the client and server are ready to communicate and synchronizes the sequence numbers used to track the data being sent.

This process helps to prevent connection issues, data loss, and other problems that can occur during the initial connection establishment.

Once the handshake is complete, the client and server can engage in a full-duplex, reliable data exchange.

Unlike TCP, UDP is a connectionless protocol. Data is simply sent, but there’s no acknowledgement mechanism to confirm it was properly received. UDP is a little like sending something by post: you put it in the postbox and forget about it.

UDP is unreliable compared to TCP but because it does not need to establish and maintain a connection, UDP is faster than TCP. It’s ideal for applications that are highly sensitive to latency, such as video conferencing and online gaming.

An occasional missed packet might result in a glitch, but it’s better than the delay that would result while TCP resends the packet.

UDP also has a smaller header size compared to TCP, which results in lower overhead and faster transmission speeds.

The Domain Name System (DNS) can and does use UDP and TCP. While it is increasingly using TCP as query packets grow, UDP is the default protocol to make sure it is as fast as possible.

Although TCP and UDP are both network protocols that facilitate host-to-host internet communication, they differ significantly in how they transmit data.

Here are five key ways these protocols differ in practice:

1. UDP is Faster Than TCP

We tested ExpressVPN and NordVPN, the two top VPNs for 2024, to compare their speeds using the OpenVPN protocol with UDP and TCP.

Connecting from our US headquarters to servers in the US, UK, and Australia, we measured download speeds for each VPN and protocol.

As our data shows, UDP is usually faster than TCP, with the performance gap widening as the server distance increases.

This is because TCP delivers data in an ordered, error-checked stream, requiring retransmissions of any missing or corrupted packets, which adds latency.

In contrast, UDP packets have a smaller header, allowing more payload per connection, resulting in higher throughput.

Consequently, UDP is often the preferred choice for latency-sensitive applications like streaming and gaming.

Using ExpressVPN, UDP was 24% faster connecting from the US to the UK, and 37% faster to Australia.

The difference was even more pronounced with NordVPN. We lost 81% of our download speed connecting to the UK using TCP, and 94% to Australia.

However, we did find that TCP was marginally faster than UDP for NordVPN connections within in the same country.

2. TCP Consumes More Data Than UDP

TCP uses more data than UDP due to the additional information in its packet headers.

Every data packet sent over the internet has a header, like the address on an envelope. It contains the information required to get the data to the right place, and any additional information needed for the protocol.

While both protocols include source/destination ports, packet length, and checksums in the header, TCP adds extra fields for reliable delivery:

• Sequence number
• Acknowledgement number
• TCP flags (e.g., synchronization, acknowledgement)
• Window (receive buffer size)
• Urgent pointer
• Optional TCP options

While this makes TCP more reliable than UDP, it is less efficient. TCP headers can exceed 20 bytes, compared to just 8 bytes for UDP.

TCP also involves more communications between the sender and receiver. That’s because the receiver ACKs (Acknowledges) every other packet when it is received using TCP, and any lost packets are re-sent. As a result, TCP uses more data than UDP.

In fact, our analysis of VPN data usage found that OpenVPN with TCP consumed 19.96% more data compared to not using a VPN, versus 17.23% for OpenVPN with UDP.

If you are on a mobile data plan where you pay by the gigabyte, or you have a fixed data cap, you’ll use your allowance faster if you use TCP.

3. TCP Is Slightly More Secure Than UDP

Neither UDP nor TCP are inherently secure protocols — they simply handle the transmission of data packets over the internet.

Security concerns are typically addressed by higher-level protocols or applications.

That said, the sequencing and acknowledgement process used in TCP does make it slightly harder for a hacker to inject malicious data compared to the connectionless UDP.

This is because TCP ensures packets are received in the correct order and any missing/corrupted data is retransmitted.

However, in practical terms, neither protocol has significant security concerns when used with a VPN. Both TCP and UDP support the strong encryption and privacy features that keep you safe online.

4. TCP Is More Reliable than UDP

TCP is more reliable than UDP for a number of reasons, some of which we have covered, such as its more thorough error-checking and use of a three-way handshake to establish a connection.

Another reason for the reliability of TCP is that unlike UDP, it uses flow control mechanisms, which means it’s much less likely to drop packets.

TCP employs a “sliding window” mechanism to manage data transmission.

The receiver communicates the available buffer space it has to accept incoming packets.

TCP then limits the sender to only transmitting up to the size of this window, at which point it must wait for the receiver to signal it has more room before continuing.

This flow control process allows TCP to adapt the transmission pace to the receiver’s capabilities, preventing it from being overwhelmed.

However, the need to wait for this feedback before sending each packet also makes TCP slightly slower and less efficient than the connectionless UDP protocol.

In contrast, UDP transmits data at the rate best suited to the sender, without any flow control considerations.

This can result in a powerful server bombarding a receiver with multiple consecutive data streams, potentially exceeding their capacity.

When this happens, the receiver will simply drop the excess UDP packets it cannot process, rather than waiting for flow control signals.

5. UDP Supports Multicast, TCP Does Not

TCP is connection-oriented, meaning it establishes a one-to-one connection between a client and a server. This has many advantages for reliable point-to-point communication, such as between a browser and a web server.

However, this structure is incompatible with multicast, a type of network communication that’s used in video conferencing and online gaming, as it requires a one-to-many communication model.

In contrast, UDP is compatible with multicast as it doesn’t need to know if the intended recipient is there.

UDP’s preference for speed over reliability is ideal for multicast, as it transmits data without waiting for acknowledgement of receipt. Any dropped packets simply cause minor glitches in the real-time stream without affecting the overall transmission.

OpenVPN is an open-source VPN protocol used in the vast majority of secure VPN services. In many cases, users have the option to choose between OpenVPN UDP and OpenVPN TCP. In this section, we’ll explain how this decision affects your VPN’s functionality.

First, imagine you’re browsing a web page without a VPN. The connection between your device and the web server will use TCP because it’s more reliable than UDP. Here’s how it works:

When you start using a VPN, new communications are wrapped in an OpenVPN tunnel between your device and the VPN server. That tunnel connects between your device and the VPN server, and it could use either UDP or TCP.

When you’re changing your VPN’s settings, you’re simply deciding which wrapper to use.