What is the best VPN protocol?

WireGuard, obviously. Or Lightway. NordLynx? No, OpenVPN...

Browse most VPN provider websites and you'll find boasts about supporting this VPN protocol or that.

Which should you use, though? They don't have so much to say about that.

One reason is there's no one-protocol-fits-all solution which is the best choice in every given situation. Your ideal option depends on a range of factors, from your device type and network setup, to your security priorities and whatever it is you're trying to do.

Fortunately, you don't require ninja-level networking skills to figure this out. Here we'll look at the most popular VPN protocols, talk about their strengths and weaknesses, and give you the details you need to make smarter protocol choices.

WireGuard

WireGuard may still be a fresh-faced newcomer in the VPN world, but it's made a real impact.

The protocol is all about simplicity, throwing out much of OpenVPN's feature overload in favor of a stripped-back, minimalist design (more on that below).

Most users won't notice any difference in functionality. Connect with OpenVPN, for instance, and your traffic might be encrypted via AES, Camellia, ChaCha20, Poly1305, GOST 28147-89 and more; connect with WireGuard and it'll only get to use ChaCha20, but as that's as secure as it gets, will you care very much? We suspect not.

Switching to WireGuard should give you a very noticeable difference in performance, though. Connection times can be just a couple of seconds (down from 10-20 seconds with some protocols), and in recent testing WireGuard's download speeds were at least twice as fast as anything we saw from OpenVPN. Take a look at our fastest VPNs countdown, and the top players all feature WireGuard (or at least a proprietary version based on it).

There are some complications. WireGuard isn't as flexible as OpenVPN, and it may have more difficulty bypassing firewalls or getting online in VPN-unfriendly countries - trying to use your VPN in China, for example.

It's also not as well supported by VPN providers, or other devices. If your router supports VPNs, for instance, it's far more likely to use OpenVPN. You may be able to use WireGuard by installing OpenWRT, but that's another article altogether.

In general, though, WireGuard offers rock-solid security with leading-edge speeds, and it's a great protocol to try first.

OpenVPN

OpenVPN has been around for 20 years, but its mix of features, security and speed means the protocol is still one of the market leaders.

Its flexibility is a big plus. When a VPN app connects via OpenVPN, it potentially has all kinds of options. Are you connecting via UDP, or TCP? Which port are you using? How can you log into the server? How should the server prove its identity to you? Which encryption algorithms are you using? And the list goes on.
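As an added illustration (not taken from this article or from any provider's app), here is how those questions map to directives in an OpenVPN client configuration file. The hostname vpn.example.com and the file name ca.crt are placeholders, and the values shown are one reasonable set of choices rather than a provider's actual settings.

```conf
# Added example: OpenVPN client profile. Hostname and file names are placeholders.
client
dev tun

# UDP or TCP? Which port?
proto udp
remote vpn.example.com 1194
# Alternative for networks that only pass HTTPS-style traffic:
;proto tcp
;remote vpn.example.com 443

# How do you log into the server? (prompt for username and password)
auth-user-pass

# How does the server prove its identity to you?
ca ca.crt                                  # CA that must have signed the server certificate
remote-cert-tls server                     # reject certificates not marked for server use
verify-x509-name vpn.example.com name      # certificate name must match the expected host

# Which encryption algorithms are you using?
data-ciphers AES-256-GCM:CHACHA20-POLY1305 # data-channel ciphers the client will accept
tls-version-min 1.2                        # refuse older TLS for the control channel

nobind
persist-tun
```

Leaving out the three server-identity lines still produces a working connection, which is why they are worth checking in any manually imported profile: without them the client has weaker assurance about which server it has connected to.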

All this functionality requires a lot of code, making OpenVPN more complex than many competitors. It's an open-source project, though, which means anyone can look at the internals, confirm it's working properly, help fix any bugs they find or suggest better ways of doing something.

Still, OpenVPN does add more overhead to your VPN traffic than many competitors, with some very noticeable effects. IKEv2, WireGuard and many modern protocols can connect in a couple of seconds; OpenVPN often takes 10-20. In our recent speed tests, OpenVPN typically managed 200-400Mbps; WireGuard reached 450-900Mbps.

This won't make much difference to many users (how often have you needed more than 200Mbps on public Wi-Fi?), and OpenVPN still makes an excellent protocol choice for most users: flexible, secure, some handy features to get around firewalls, and it's fast enough for most situations.

But if you're looking for rapid connection times, fewer hassles on mobile devices as you move between networks, and the maximum possible download speeds, WireGuard or another modern protocol may give you better results.

L2TP/IPsec

L2TP (Layer 2 Tunneling Protocol)/IPsec (Internet Protocol Security), sometimes known as L2TP or just IPsec, is a Microsoft VPN protocol which is also supported on many other platforms and devices.

It doesn't have a lot of features, but there's enough to get by. L2TP can't match OpenVPN for its choice of encryption algorithms, for instance, but when using AES (the typical choice) it's as effective as anything else.

As with Microsoft's IKEv2, L2TP isn't designed to bypass firewalls. It typically uses UDP ports 500 and 4500, for instance, making it relatively easy to block.

A different concern appeared in 2013, when Edward Snowden's disclosures suggested that IPsec security had been compromised by the NSA. And even if you're not being watched by a nation state, if IPsec was bypassed ten years ago, it's highly likely others have figured out how to do the same by now.

This is all very theoretical, and in the real world, if you're just wanting to do some online shopping over public Wi-Fi, L2TP/IPsec is easy to set up and should keep you very secure.

It wouldn't be our first choice, though, and we'd opt for WireGuard, OpenVPN or a provider's own custom protocol first.

IKEv2

IKEv2 is the common name for the IKEv2/IPsec protocol, or Internet Key Exchange version two / Internet Protocol Security.

Developed by Microsoft and Cisco, IKEv2 has been around since 2005. Don't let its age put you off, though. The technology avoided the mistakes of earlier protocols, such as PPTP, and is still regarded as highly secure, even today. And because IKEv2 is mature, it's now widely supported by many VPNs on both desktops and mobile VPN apps.

IKEv2 typically scores well for connection times in our tests, and we often see it up and running in under two seconds. Meanwhile, OpenVPN connections can take 10-20 seconds before they're established. If you turn your VPN on and off regularly, maybe to check emails, that can make a huge difference.

Download speeds aren't bad, with the protocol capable of outperforming OpenVPN in some cases, but lagging well behind WireGuard. IKEv2 peaked at 290Mbps in our recent VPN update; WireGuard reached 900Mbps, and might have done even better if we'd had a faster network connection.

Overall, IKEv2 doesn't excel at anything in particular. It doesn't have the features or configurability of OpenVPN, and it can't match the speed of WireGuard. But if they don't work for you, for some reason (or they're just not available), IKEv2 is a strong all-round choice that will keep your traffic secure and deliver more than enough speed for most situations.

SSTP

Secure Socket Tunneling Protocol (SSTP) is a Microsoft technology which comes integrated with Windows.

SSTP works a little like OpenVPN, using SSL (and, optionally, TCP and port 443) to avoid detection and get connected in VPN-unfriendly environments.

The problem is that SSTP is a proprietary standard owned by Microsoft. Unlike the open-source OpenVPN, WireGuard and others, it's not possible to review the source code to check what it's doing. And because it's a Microsoft product, you won't find SSTP supported by many platforms or VPN apps.

In general, SSTP looks very secure. And if you need to manually set up a VPN connection on a Windows system, SSTP can do the job without having to install any third-party apps.

If you're installing your provider's app anyway, though, we'd choose OpenVPN (where available) ahead of SSTP.

PPTP

First appearing back in the 1990s, PPTP (Point-To-Point Tunnelling Protocol) is one of the oldest VPN protocols around.

This has some advantages. PPTP is very simple, with few overheads, making it very fast. It also runs well on old devices, which may not have the power or features to run more up-to-date protocols.

The problem is that researchers have found multiple PPTP issues over the years, and Microsoft was suggesting users switch to something else as long ago as 2012.

As a result, most VPN providers have dropped support for PPTP, and we think that makes sense. It's insecure and best avoided.

If your provider still offers PPTP, then it might be useful in situations where security isn't important (when you only need to unblock a particular website, say). But only use it if every other protocol has failed, and make sure you switch to something better before you start online banking, or anything else even faintly sensitive.

Proprietary protocols

Some big VPN providers haven't restricted themselves to the standard protocols: they've actually developed innovative technologies of their own.

ExpressVPN offers Lightway, for instance; NordVPN has NordLynx; Hotspot Shield uses Catapult Hydra, and VyprVPN has its own Chameleon.

We think this is a very positive sign about any provider, as it shows a company with real resources and technical expertise that's also making huge efforts to improve the service for its customers.

There can be downsides, too. OpenVPN, WireGuard and ExpressVPN's Lightway are all open source, allowing anyone to check the code and verify it's living up to its privacy promises. But most of the other proprietary protocols are closed source, and users are left to trust that the provider knows what it's doing, and there are no bugs lurking in the code.

When we look at the technical specs and our own testing, though, all these protocols appear very secure, and they can deliver very high speeds - for example, NordVPN peaked at 880Mbps in our last checks.

Some custom protocols are designed for specific situations only. VyprVPN's Chameleon can do a good job of getting you online in China, for instance, so is well worth a try if you're travelling somewhere VPNs are blocked. But VyprVPN's WireGuard delivers better performance in general use.

Lightway, NordLynx and Catapult Hydra are designed as all-purpose protocols, though, and in our experience they perform very well. If you've signed up with ExpressVPN, NordVPN or Hotspot Shield then we'd recommend choosing those above more standard protocols for the best possible results.
