A virtual private network encrypts your web traffic so that your internet service provider and internet-connected apps or websites don’t view your IP address. Instead, with a VPN enabled, ISPs, apps and websites view your traffic as originating from a different state or country.
A VPN protocol is the bedrock creating a secure, encrypted connection between your device and a VPN server. Essentially, a protocol dictates how your device “talks” to the server. Like other forms of communication, such as email, text, phone calls or carrier pigeons, different virtual private network protocols provide varied benefits. For instance, a carrier pigeon might take longer to reach its destination yet be more challenging to intercept than a cellphone call, which sends information quickly but is easy to triangulate. On the other hand, emails may be both fast and secure. Different VPN protocols offer various types of encryption and internet speeds. Let’s explore the various protocols so you can learn which is best for your needs.
What types of protocols are used in VPNs?
A virtual private network protocol requires both an internet protocol and an encryption protocol. Internet or network protocols define how data is transmitted over a network, while encryption protocols guard data from being intercepted.
VPN protocols use a network protocol, either UDP or TCP:
- UDP: User datagram protocol prioritizes speed of data transfer over reliability. It doesn’t require a connection, or “handshake,” between your device and a web server, so information is broadcast quickly but with the potential for data loss in the process.
- TCP: Transmission control protocol sends information between your device and a server while requiring an established connection. Accordingly, TCP focuses on data transfer reliability rather than speed.
Most personal VPNs use one of two encryption methods:
- AES-256: Used in OpenVPN, IKEv2/IPSec, SSTP and L2TP/IPSec.
- ChaCha20: Used in WireGuard.
There are several VPN protocols, each with advantages and disadvantages:
- WireGuard: Fast speeds without compromising on security.
- OpenVPN: Best-in-class security, but slower speeds.
- IKEv2/IPSec: Great for switching between Wi-Fi and mobile data networks.
- L2TP/IPSec: A VPN protocol intended as an improvement over PPTP.
- SSTP: A Microsoft-created VPN protocol used to remotely access servers.
- PTPP: An outdated VPN protocol.
We’ll dive into the details about the most widely used protocols: WireGuard, OpenVPN and IKEv2/IPSec. L2TP, SSTP and PPTP are rarely used in VPNs these days. Even if you’ve got an option to use one of those protocols, their age and relatively lower security compared with WireGuard, OpenVPN and IKEv2 make them poor choices.
WireGuard provides the best balance of speed and privacy
Pros:
- Fast
- Secure
- Open-source
- Lean source-code
Cons:
- Newer protocol -- not as time-tested as OpenVPN
- Harder to mask VPN traffic
Who should use it: Streaming video fanatics, gamers and anyone who needs the fastest possible internet speeds.
WireGuard is a comparatively newer, faster VPN protocol that still provides solid privacy. Because WireGuard is one of the fastest VPN protocols, it’s an excellent choice for situations where fast internet speeds are paramount -- like streaming 4K videos or gaming. WireGuard is open-source, meaning anyone can inspect its source code for debugging and identifying vulnerabilities. Additionally, it's a lean VPN protocol -- WireGuard consists of around 4,000 lines of code versus OpenVPN’s over 100,000 lines -- making it more efficient by using fewer system resources, like CPU power. WireGuard uses ChaCha20 encryption, which is faster but offers similar security to AES-256 encryption.
While WireGuard delivers faster speeds without sacrificing security, it's more challenging to hide that you're using a VPN. Additionally, as a newer VPN protocol, it's not as tried and tested, so folks with critical security needs may prefer OpenVPN. Most modern VPNs support WireGuard, and several virtual private network providers feature proprietary WireGuard-based protocols. For instance, NordVPN's NordLynx is built with WireGuard and features amenities like a double NAT for even stronger security.
OpenVPN is somewhat slower than WireGuard but offers best-in-class privacy
Pros:
- Highly secure
- Open-source
- Choice of UDP or TCP network protocols
Cons:
- Slower internet speeds than other protocols like WireGuard
Who should use it: People with critical privacy needs, such as political activists, investigative journalists or those requiring obfuscated servers.
OpenVPN is highly secure and reliable but slower than other VPN protocols, namely WireGuard. Therefore, OpenVPN is ideal for folks with serious privacy concerns. The seasoned tunneling method boasts outstanding AES-256 encryption. OpenVPN lets you choose between TCP and UDP, so you can benefit from faster data transmissions or greater reliability. Because OpenVPN is open-source, anyone can analyze its source code for flaws or backdoors. Coupled with its open-source code that’s easily audited, OpenVPN is widely used, time-tested and therefore reliable.
Most obfuscated servers -- which make it more difficult for apps, websites or ISPs to determine that you're using a VPN -- utilize the OpenVPN protocol. Obfuscated servers are great for situations where you're having difficulty unblocking streaming services or bypassing censorship with websites that restrict VPN access. The majority of current VPNs support OpenVPN.
IPSec/IKEv2 is a great VPN protocol for mobile devices
Pros:
- Fast
- Reliable
- Works well when switching connections, like from Wi-Fi to cellular
Cons:
- Only compatible with MacOS, iOS and iPadOS
Who should use it: IKEV2/IPSec is a solid choice for iPhones, iPads or Apple computers to seamlessly reconnect a VPN when jumping between mobile data and Wi-Fi networks.
Internet Key Exchange version 2, or IKEv2, is a tunneling protocol that works in conjunction with Internet Protocol Security, or IPSec, to establish a secure connection. IKEv2/IPSec maintains a secure connection even while switching networks, such as jumping back and forth between Wi-Fi and cellular networks. Therefore, IKEv2/IPSec is a solid choice for mobile devices, like iOS and iPadOS phones or tablets. IKEv2 also supports MacOS, but not Windows, Android or Linux. Like OpenVPN, IKEv2 uses AES-256-bit encryption.
IKEv2/IPSec is fast, reliable and secure -- but both WireGuard and OpenVPN provide more robust security. While many VPNs, including NordVPN and ExpressVPN, support IKEv2/IPSec, it's limited to iOS, iPadOS and MacOS. Linux, Android and Windows users are out of luck.
What is the best VPN protocol to use?
The average person seeking privacy and the fastest-possible internet connection should select WireGuard or an equivalent -- such as NordVPN’s WireGuard-based NordLynx, or ExpressVPN’s proprietary LightWay. WireGuard provides the best experience for low-lag online gaming, fast downloads and buffer-free streaming video.
Folks with serious privacy concerns or anyone requiring obfuscated servers should choose OpenVPN. If you need to hide the fact that you’re using a VPN -- for instance, when circumventing censorship or accessing a website that doesn’t load properly with a VPN enabled -- OpenVPN’s obfuscation capabilities come in handy. Use OpenVPN UDP for faster internet speeds or TCP for beefed-up privacy.
IKEv2/IPSec is a good option for iPhones, iPads or MacOS devices, but the main advantage it may hold over WireGuard and OpenVPN is its seamless VPN connection re-establishment when switching networks. For instance, if you’re using a mobile device with a VPN enabled and frequently hop between a cellular and Wi-Fi signal, IKEv2 is a great choice.
