Top10VPN is editorially independent. We may earn commissions if you buy a VPN via our links.
VPN Protocols Explained: Which One Is Best?
Our Verdict
WireGuard is the VPN protocol we recommend using by default, as it excels in security, speed, and data efficiency. OpenVPN is a reliable alternative, with established privacy standards and a history of detailed security audits. IKEv2/IPSec suits mobile users in need of flexibility, while L2TP/IPSec, SSTP and PPTP should be avoided due to speed and security issues.
Most VPNs are easy to use: simply install the app, login, and press the connect button. But did you know that the default settings aren’t always the safest option. VPN protocols can make a huge difference in your VPN connection speeds and security.
From tried-and-tested OpenVPN to modern WireGuard, each protocol offers a unique set of attributes that suit different circumstances.
In this guide, we’ll explore the results of our tests for speed, security, and data efficiency. We’ll also introduce lesser-known proprietary protocols developed by popular VPN services.
Quick Summary: The Seven Most Common VPN Protocols
- WireGuard: The Best VPN Protocol
- OpenVPN: A Safe Alternative Protocol
- IKEv2/IPSec: Great Protocol for Mobile Devices
- SoftEther: Great for Bypassing Censorship
- L2TP/IPSec: Slow & Unsafe Protocol
- SSTP: Effective Obfuscation, but Closed Source
- PPTP: Outdated & Insecure Protocol
WireGuard outperforms all other VPN protocols thanks to its superior speeds, increased security, and efficient data usage. It’s also available in most high-quality personal VPN services, including NordVPN, PIA, and Surfshark.
Why Trust Us?
We’re fully independent and have been reviewing VPNs since 2016. Our advice is based on our own testing results and is unaffected by financial incentives. Learn who we are and how we test VPNs.
What Actually Is a VPN Protocol?
A VPN protocol is a set of rules dictating how your data is transmitted between your device and a VPN server.
VPN applications use these protocols to establish a stable, encrypted tunnel to the server of your choice, hiding your IP address and browsing activity in the process. For this reason, they’re also referred to as ‘tunneling protocols’.
The underlying technology behind each VPN protocol is different, which means they can offer varying levels of speed, security, and compatibility.
Understanding the technical nuances of these protocols can help you decide which protocol to choose when configuring your VPN connection.
There are common protocols, which can be implemented by any provider, and proprietary protocols, which are unique to one specific VPN provider.
NordVPN offers OpenVPN and NordLynx protocols on macOS.
Whether you’re prioritizing speed for gaming, enhancing security for online purchases, or bypassing geo-restrictions, selecting the appropriate protocol can greatly affect the effectiveness and overall performance of your VPN.
The 7 Main VPN Protocols Explained
Your choice of VPN protocol varies depending on which VPN you’re using. Some VPN services let you choose from a wide range of protocols. Other VPNs won’t let you choose at all.
Below is a table comparing the seven most commonly-used VPN protocols:
| Protocol | Speed | Security | Data Usage |
|---|---|---|---|
| WireGuard | Very Fast | Very High | Very Low |
| OpenVPN | Moderate | Very High | High |
| IKEv2/IPSec | Very Fast | High | Moderate |
| SoftEther | Very Fast | High | Low |
| L2TP/IPSec | Moderate | Moderate | High |
| SSTP | Slow | Moderate | High |
| PPTP | Slow | Low | Moderate |
1. WireGuard: The Best VPN Protocol
| Pros | Cons |
|---|---|
| Remarkably quick | Limited track record |
| Concise & efficient code base | Privacy concerns with default settings |
| Minimal data usage | |
| Modern security & encryption |
WireGuard is the newest open-source VPN protocol. It’s extremely fast, data efficient, and natively only supports UDP communication. Its widespread adoption among high-quality VPNs, fast speeds, and secure encryption ciphers make it the best choice for the majority of users.
Its code base is much shorter than OpenVPN, making it less likely to produce errors, easier for VPN services to implement in their software safely, and quicker to audit thoroughly. In our own testing, WireGuard was consistently two times faster than OpenVPN. To compare the two protocols, read our in-depth exploration of WireGuard vs OpenVPN.
Our tests found that WireGuard uses the least bandwidth out of all the widely-used VPN protocols. WireGuard uses ChaCha20 encryption, Poly1305 for authentication, Curve25519 for key exchange and Perfect Forward Secrecy (PFS).
WireGuard is a modern and safe VPN protocol.
However, WireGuard was only released to the public in 2019, making it relatively new compared to other protocols. It will take time to establish genuine trust as more security experts audit the protocol over time.
WireGuard’s default setup requires static IP addresses, which can compromise privacy. However, many top-tier VPN providers have addressed this with advanced configurations like double Network Address Translation (NAT) systems.
NordVPN, for example, integrates WireGuard with its own double NAT System to create a safer version of WireGuard called NordLynx. It allows servers to establish a WireGuard connection without having to store a static IP address on the server.
ProtonVPN has also implemented a double NAT system with its WireGuard servers to ensure no real IP addresses are stored.
Should you use WireGuard? If configured properly, WireGuard is as safe and secure as OpenVPN, and is significantly faster. It’s also good for mobile VPN users due to its low bandwidth consumption.
2. OpenVPN: A Safe Alternative Protocol
| Pros | Cons |
|---|---|
| 100% safe to use | Bloated code and complicated construction |
| Highly-configurable protocol | Problematic default configuration |
| Compatible with many encryption ciphers | OpenVPN consumes a lot of data |
| Slower than other protocols |
OpenVPN is an open-source, trusted VPN protocol. It’s the most popular protocol in this list and it’s available with most VPNs because it’s been the industry gold standard for decades.
It has been rigorously audited for two decades by security researchers. It also offers PFS that generates new keys for every session of data transfer.
When you use OpenVPN, both the control channel (which handles authentication, key exchange, and configuration) and the data channel (which encrypts and transmits packets) are protected with SSL/TLS encryption. This makes it safer than other protocols that only encrypt the data channel.
It can use all the cryptographic algorithms contained in the OpenSSL library, including: AES, Blowfish, Camellia, and ChaCha20.
OpenVPN is a popular and safe VPN protocol, available with most VPN services.
Most VPNs allow you to choose between two transmission modes: TCP and UDP. The key difference between UDP and TCP is that UDP is faster, whereas TCP is more stable and reliable.
This is because TCP establishes a connection before transmitting data, maintaining the connection throughout transmission, and closes the connection after all data has been sent successfully. TCP guarantees data delivery as it checks for errors, confirms whether any packets are lost, and re-initiates transmission if needed.
In contrast, UDP doesn’t open, maintain, and close a connection before delivering data. UDP simply sends the data without handshakes – there is no tracing or retransmission of lost packets.
Importantly, TCP is primarily used in situations where trustworthy communication is necessary, such as sending emails, transferring important files, and bypassing censorship. UDP is great for fast-paced activities, like gaming, streaming video or music, and online calls.
Almost every VPN app natively supports OpenVPN across popular operating systems, including Windows, macOS, Android, Linux, and iOS. You can also manually set up an OpenVPN connection.
However, OpenVPN has its drawbacks. It isn’t as efficient as WireGuard or IKEv2. It has over 70,000 lines of code — compared to just 4,000 in WireGuard. This makes it more difficult for security researchers to audit and increases the risk of bugs occurring.
Similar to Wireguard, OpenVPN stores your IP address and username by default. The protocol can easily be configured to not store IP addresses.
OpenVPN actually consumes far more data than any other VPN protocol we’ve tested. This means if you’re using your VPN on mobile, you’ll reach your contract’s data limit around 20% quicker.
Should you use OpenVPN? If privacy and security are your absolute top priority, then you should use OpenVPN. However, if you’re gaming or streaming video and want the best speeds, we recommend opting for WireGuard instead. OpenVPN also has higher bandwidth consumption than other protocols, so it’s not the best option if you’re using 5G on a mobile plan, as you’ll reach your maximum allowance quicker.
3. IKEv2/IPSec: Great for Mobile Devices
| Pros | Cons |
|---|---|
| Very fast | Microsoft’s code base is closed-source |
| Switch between WiFi networks and mobile data seamlessly | Fails to bypass online censorship |
| Supports many strong encryption ciphers | It might be compromised by the NSA |
IKEv2 (Internet Key Exchange version 2) is a fast VPN protocol that provides a very stable connection. In our tests, IKEv2/IPsec was the second-fastest protocol. This is because it uses less bandwidth – just 7.88% compared to OpenVPN UDP’s 17.14%.
It offers a unique auto-reconnect feature using Mobility and Multihoming Protocol (MOBIKE). This keeps the connection with a VPN gateway active while moving from one address to another. The feature helps users switch seamlessly between cellular data and WiFi networks on mobile.
We recommend Surfshark for mobile as it offers the IKEv2 protocol, GPS spoofing, a custom kill switch, and more.
However, IKEv2 doesn’t provide any encryption on its own, so it’s usually combined with IPSec (Internet Protocol Security) to form IKEv2/IPSec.
Microsoft and Cisco created the IKEv2/IPSec protocol together, which might cause concern due to their reputation for closed-source code, but there are now many open-source iterations that have been audited.
NOTE: Linux versions of IKEv2/IPSec are open-source, and audits have shown nothing untoward with the protocol. For this reason, the closed-source nature of IKEv2 is less concerning than with other closed-source protocols, such as SSTP.
IPSec is a suite of security protocols that uses 256-bit ciphers, such as AES, Camellia and ChaCha20. After IKEv2 has established a secure connection between your device and the VPN server, IPSec encrypts your data for its journey through the tunnel.
There are suspicions IPSec may have been hacked by the NSA. Security researchers like Edward Snowden have suggested that IPSec was deliberately weakened during its creation. While this is unconfirmed, it is widely suspected that any IPSec-based VPN protocol may be compromised by the NSA.
The VPN protocol also doesn’t bypass online censorship. IKEv2 is easily blocked by firewalls and WiFi administrators because it only works on UDP port 500. IKEv2/IPSec is a poor choice if you’re visiting countries with firewalls like China or Russia.
Should you use IKEv2/IPSec? IKEv2/IPSec is a great option for mobile due to its fast speeds, ability to switch between networks, and low data consumption. However, the protocol being closed-source and IPSec’s possible association with the NSA are enough to cause privacy concerns.
4. SoftEther: Great for Bypassing Censorship
| Pros | Cons |
|---|---|
| Well-designed to bypass firewalls | Not available with most VPNs |
| Compatible with strong encryption ciphers | Requires manual configuration to be safe |
When configured properly, SoftEther is a fast and secure open-source protocol. Released in 2014, it’s one of the newer VPN protocols available, developed as part of a Master’s thesis at the University of Tsukuba.
Hide.me offers the SoftEther protocol in its Windows client.
SoftEther is compatible with many encryption ciphers: AES-256, RC4-128, and Triple-DES-168.
SoftEther is particularly good for bypassing sophisticated firewalls. It bases its encryption and authentication protocols on OpenSSL. Like OpenVPN, this means it can use TCP Port 433, which firewalls find difficult to effectively block due to it being the port used for HTTPS (or secure websites).
Crucially, most VPNs never adopted SoftEther into their software and haven’t indicated plans to do so in the future. SoftEther is not supported natively on any operating system, and very few VPN providers currently support its use. Of those we’ve tested, Hide.me is now the only VPN to support the SoftEther protocol.
We suspect the reason is due to SoftEther’s complexity, and while it excels at bypassing censorship, a lot of VPNs develop their own protocols for this use case instead (like Astrill’s StealthVPN and Windscribe’s Stealth).
EXPERT ADVICE: When using SoftEther, be sure to tick the Always Verify Server Certificate box in the New VPN Connection settings.
It’s important to note that SoftEther’s default configuration is not safe out of the box. By default, clients do not verify the server’s certificate. Attackers can therefore impersonate a VPN server and gain access to user credentials and online activity.
Should you use SoftEther? SoftEther is a good option if you need to bypass sophisticated firewalls, but you should make sure Always Verify Server Certificate is enabled before using it. Hide.me is the only VPN we’ve reviewed that supports SoftEther, so you might want to opt for other more popular protocols, like WireGuard or OpenVPN, if you don’t want a Hide.me subscription.
5. L2TP/IPSec: Slow & Unsafe Protocol
| Pros | Cons |
|---|---|
| Compatible with strong encryption ciphers | Complex code leads to poor implementation |
| Open-source code | Fails to bypass firewalls |
| IPSec might be compromised | |
| Slower than other protocols | |
| Incompatible with NAT |
Layer 2 Tunneling Protocol (L2TP) was created in 1999 as a successor to PPTP. Like IKEv2, L2TP is usually combined with IPSec to form a hybrid L2TP/IPSec VPN protocol.
Overall, its performance is disappointing and L2TP is slowly being phased out of the VPN market. Less than half of VPNs we’ve reviewed offer it, and it’s featured in none of the top 10 VPN providers. A majority of VPNs offer faster and safer alternatives instead.
It was created by Microsoft and Cisco, but there are open-source code bases available on GitHub that have implemented L2TP/IPSec servers, so the protocols can be audited and checked for back doors.
StrongVPN is one of the few VPNs to offer the L2TP/IPSec protocol.
It’s complex code has lead to poor implementation among VPNs. Due to the complexity of combining L2TP and IPSec, some VPNs used pre-shared keys to set up the protocol. This opened users up to Man-In-The-Middle-Attacks (MITMs), in which an attacker falsifies authentication credentials, impersonates a VPN server, and eavesdrops on your connection.
IPsec provides a range of strong encryption protocols and authentication mechanisms, ensuring data confidentiality during transmission. However, it is susceptible to the same privacy concerns raised by Edward Snowden – that IPSec has been compromised by the NSA.
L2TP/IPSec is also slower than other protocols. This is because it uses a double encapsulation feature, which wraps your data in two layers of encryption. While this improves the security of the protocol, it’s also resource-intensive and slows down your speeds.
L2TP/IPSec has difficulties bypassing certain firewalls. It’s simply not as effective as other VPN protocols like OpenVPN or SoftEther. It’s also incompatible with NAT, which can cause connectivity problems. In this case, you’ll need to use a VPN passthrough feature on your router to connect to a VPN using L2TP.
Should you use L2TP/IPSec? Don’t use L2TP/IPSec if you’re revealing personal information, concerned about NSA surveillance, or using a VPN that publicly shares its encryption keys online.
6. SSTP: Effective Obfuscation, but Closed-Source
| Pros | Cons |
|---|---|
| Offers secure AES-256 encryption | Not available with most VPNs |
| Great for bypassing censorship | Closed-source and owned by Microsoft |
| Easy to set up on Windows |
Secure Socket Tunneling Protocol (SSTP) is a highly reliable VPN for bypassing firewalls, and it offers decent speeds. However, most high-quality VPNs have dropped the protocol and integrated more modern protocols.
SSTP is a proprietary protocol owned and operated by Microsoft. It’s typically used to protect native Windows connections. It uses SSL/TLS and TCP port 443 by default, as well as AES-256 encryption ciphers to establish a secure connection.
This is the port that all regular HTTPS traffic flows through, making it difficult for firewalls to block and brilliant for bypassing web censorship.
IPVanish was the last top-rated VPN to offer SSTP, but it has since been discontinued.
A majority of VPNs never implemented or have discontinued the SSTP protocol. Out of the 61 VPNs we’ve reviewed, just a handful of VPNs offer it, which says a lot about whether it’s actually useful or not.
Ever since 2022, when IPVanish removed it, all of our top VPN recommendations offer safer, faster, and more private protocols instead of SSTP.
It used to be vulnerable to Man-in-the-Middle (or Poodle) attacks because it used SSL3. But nowadays SSTP is configured to use TLS 1.2 and 1.3, which is much more secure and resistant against cyberattacks.
Overall, there are newer and more private alternatives already available with VPNs, like WireGuard and OpenVPN, so there isn’t a reason to use SSTP.
Should you use SSTP? SSTP is a great protocol for bypassing censorship, but if you’re concerned about privacy, you might be put off by the fact it’s closed-source. In addition, Hide.me is the only top-rated VPN to offer SSTP in its apps.
7. PPTP: Outdated & Insecure Protocol
| Pros | Cons |
|---|---|
| Fast speeds | Serious security vulnerabilities |
| Not compatible with 256-bit encryption keys | |
| Poor choice for bypassing censorship | |
| Reportedly cracked by the NSA |
Point-to-Point Tunneling Protocol (PPTP) is an obsolete VPN protocol that has many known security issues. It is one of the oldest network protocols that was widely used for creating encrypted tunnels.
It was developed by Microsoft in 1999 to function in everyday Windows environments, with low data consumption and high speeds. But bear in mind that this was the era of dial-up internet: a lot has changed since then, and PPTP is no longer the standard.
Most VPN providers have stopped supporting PPTP altogether because of its vulnerabilities, so you likely won’t be able to access it. The protocol is fragile and seriously flawed as a VPN protocol designed to improve a user’s online security. Avoid this protocol if you’re concerned about your online privacy and security.
As a result of its simple setup and good performance (at its time of release), the PPTP protocol was popular with small to medium size businesses for internal site-to-site and remote VPNs. Worryingly, some companies still rely on this protocol in 2024.
In 2024, PPTP is severely outdated and completely unsafe to use with a consumer VPN.
There are a couple positives to PPTP — mainly that it’s easy to implement and relatively fast.
But these positives are vastly outweighed by the magnitude of negative risks. It has been proven to be full of vulnerabilities in the past two decades.
As PPTP is so old, it only supports encryption keys up to 128-bits. Other VPN protocols, like OpenVPN, offer stronger 256-bit encryption or newer cipher suites like ChaCha20.
For example, we found a blog post from 2016 claiming a PPTP-encrypted VPN connection can be cracked in just three minutes. The NSA have also reportedly exploited PPTP’s insecurities to collect huge amounts of data from VPN users.
Should you use PPTP? We do not recommend using PPTP ever. It simply isn’t secure enough in 2024. Importantly, you should never use PPTP for online banking, online purchases, or for logging into any other accounts.
What Are Proprietary VPN Protocols?
| Pros | Cons |
|---|---|
| Designed for specific use cases | Often closed-source & haven’t been independently audited |
Some VPN services offer more than the protocols listed above. Many also create their own, either through improving existing open-source protocols, or creating their own unique protocol. These are referred to as proprietary VPN protocols.
Proprietary protocols are often created for specific use cases, most notably to increase the security of popular protocols. Other popular use cases include: improved speeds and ability to circumvent sophisticated online firewalls.
These protocols usually perform better than common protocols. After spending time and money creating a new protocol, it’s only natural that a VPN service would dedicate its best infrastructure to improve its performance.
ExpressVPN offers Lightway (a proprietary protocol), OpenVPN, and IKEv2 on macOS.
It’s important to keep in mind that a majority of VPNs keep their proprietary VPN protocols closed-source, meaning you’re unable to examine the code and verify it has no vulnerabilities or bugs.
Some VPNs also don’t conduct independent security audits of the code, or refuse to publish them. In contrast, open-source protocols like OpenVPN have been studied by thousands of people to make sure that it’s safe, secure, and does exactly what it promises.
VPNs are often unwilling to release proprietary software code because they want to avoid other VPNs using their innovations.
The number of VPN providers that use their own VPN protocol is small, but growing steadily. Here are some important ones to look out for:
| VPN Protocol | Use Case | Effectiveness | Security Audit? |
|---|---|---|---|
| ExpressVPN – Lightway | General | Offers a balance of security & speed | Yes: 2021 & 2023 |
| Hotspot Shield – Catapult Hydra | Speed | Provides unparalleled speed, ideal for bandwidth-intensive tasks | Yes: Unreleased |
| Astrill – StealthVPN | Censorship | Circumvents China’s internet restrictions with a 100% success rate | No |
What Is the Best VPN Protocol?
The best VPN protocol for you will depend on your own use cases and circumstances.
If you’re in a country with online censorship, proprietary stealth protocols or SoftEther will be the best for bypassing censorship. If you plan to use your VPN for streaming, fast speeds will be a priority, and WireGuard will be more suitable.
In the following section, we compare the speeds, data usage, and security of a range of VPN protocols: WireGuard, OpenVPN, IKEv2/IPSec, and PPTP. We chose NordVPN, ExpressVPN, and PrivateVPN for these tests because they are high-quality VPNs that together offer the four most common protocols.
Which VPN Protocol Is the Most Secure?
Key Findings:
OpenVPN stands out as the most secure VPN protocol due to its open-source code that has been extensively reviewed by security experts, and its virtually unbreakable encryption ciphers. Its longer tenure in the field adds to its trustworthiness and reliability.
WireGuard is a more streamlined alternative with a smaller codebase for easier auditing, but it does require additional server configuration from VPNs for optimal privacy and security.
Using a secure VPN protocol is crucial for safeguarding online privacy. The most secure VPN protocols are open-source, have been scrutinized by security experts, are continually fixing bugs, and aren’t vulnerable to known cyberattacks.
A majority of VPNs will do the heavy lifting for you, by choosing the most secure VPN protocols for their service and implementing them in the safest way possible. That’s why a majority of VPNs offer OpenVPN or WireGuard — though ideally you’ll have a choice of both.
Below is a chart comparing the security of the seven commonly-used VPN protocols:
What Is the Fastest VPN Protocol?
Key Findings:
- WireGuard and IKEv2/IPSec are the fastest protocols across the widest range of VPN services and platforms.
- OpenVPN TCP and UDP are significantly slower, when tested on a high speed internet connection. But if you’re using a VPN on a connection around 100Mbps, the difference won’t be too noticeable.
- PPTP lags behind in last place, though that is to be expected from a VPN that’s old and insecure.
It’s important to keep in mind the speed of your VPN depends on a lot of factors, including: your chosen VPN protocol, your regular internet speeds, the VPN server location, who else is using your network, and what encryption cipher you’re using.
Below is a bar chart showing our speed test results on a 350Mbps baseline connection, comparing WireGuard, OpenVPN UDP, OpenVPN TCP, IKEv2/IPSec, and PPTP:
These results also match tests done by NordVPN, WireGuard, and Vlad Talks Tech.
Which VPN Protocol Uses the Least Data?
Key Findings:
- WireGuard uses the least amount of data — just 4.53%.
- IKEv2/IPSec and PPTP use more data than WireGuard (7.88% and 8.24% respectively), but still less than half the amount that OpenVPN uses.
- OpenVPN UDP and TCP increases your data consumption by up to 20% when browsing the internet. This is almost four times the amount of data that Wireguard uses.
When you’re using a VPN, you should expect your data usage to increase from five to 20 percent, depending on the protocol and VPN you’re using.
If you’re worried about your monthly data usage, we recommend choosing WireGuard or IKEv2/IPSec. These two lightweight protocols use the least amount of data when browsing the internet, streaming video, and playing games.
In contrast, OpenVPN UDP and TCP might be the safest VPNs, but they use much more data as a result of clunky code and extended tunneling processes.
Here’s a bar chart showing the different levels of data consumption between protocols, when sending the same file across the internet:
