
VPN Protocols Explained: Which One Is Best?

JP Jones - CTO @ Top10VPN

JP is our CTO. He has over 25 years of software engineering and networking experience, and oversees all technical aspects of our VPN testing process.

Our Verdict

OpenVPN is considered to be the most secure VPN protocol. It's compatible with a range of encryption ciphers including AES-256, Blowfish, and ChaCha20. It has no known vulnerabilities and is natively supported by almost every VPN service. While we recommend OpenVPN, WireGuard is a secure and fast alternative.


VPN protocols are the set of rules that describe how to create a secure connection between your device and a VPN server.

They’re also known as tunneling protocols, because they are responsible for forming the VPN tunnel that hides your activity from eavesdroppers.

VPNs use protocols to safely connect your device to a VPN server, and then use a cipher to encrypt the data that travels across that connection. For more detail, read our beginner’s guide to how VPNs work.

In this guide, we’ll explain and compare the different types of VPN protocol.

First, we’ll introduce the seven most common VPN protocols. Then, we’ll explain which one is best for you and your needs.

The 7 Main VPN Protocols Explained

Your choice of VPN protocol varies according to which VPN service you’re using. Some providers let you choose between a whole selection of protocols. Other VPNs won’t let you choose at all.

Each protocol has its own strengths and weaknesses, so it’s important to understand the differences between them in order to choose the best protocol for you and your activity.

Here are the seven most commonly-used VPN protocols and their advantages:

Table of VPN encryption protocols and their security risks.

1. OpenVPN: The #1 VPN Protocol

PROS

  • Natively supported by almost every VPN service
  • Open-source
  • Thoroughly tested over a long period of time
  • No known vulnerabilities
  • Users can choose between UDP and TCP versions
  • Compatible with a range of ciphers, including AES-256
  • Supports Perfect Forward Secrecy
  • The gold-standard VPN protocol over the last two decades

CONS

  • High bandwidth consumption
  • Not the fastest VPN protocol around
  • Heavy code base

Created in 2001 by James Yonan, OpenVPN is considered to be the most secure VPN protocol there is.

The software is open-source and has been around for over two decades, which means security researchers have spent plenty of time testing it for weaknesses and insecurities.

Currently, OpenVPN has no known vulnerabilities, so you can be sure your VPN connection is safe and private when using OpenVPN.

The protocol is compatible with a wide range of encryption ciphers, including AES, Blowfish, and ChaCha20.

OpenVPN is also a highly configurable protocol. Almost every VPN app natively supports OpenVPN across most major platforms, including Microsoft Windows, Apple macOS, Android, Linux, and iOS.

For unsupported platforms, you’ll usually be able to download a configuration file that’ll allow you to manually set up an OpenVPN connection.

OpenVPN can work with two different transport protocols: TCP and UDP. These are transport-layer protocols that govern how your data is carried across the network: TCP confirms delivery and retransmits lost packets, while UDP simply sends each packet and moves on.

The key difference between them is that OpenVPN UDP is faster, while OpenVPN TCP provides a more reliable connection and is better at getting through firewalls.

Our advice is to always try UDP for your VPN connection. If you find it isn’t working, then switch to TCP.
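This "UDP first, TCP if that fails" advice can be written into the client configuration so that OpenVPN performs the fallback itself. The example below is added here and is not from the article or from the OpenVPN project; it relies on two documented OpenVPN client directives: multiple `remote <host> [port] [proto]` lines are tried in the order listed, and a protocol named on a `remote` line overrides the global `proto` line. The hostname and the sample config are constructed.

```python
"""Encode "try UDP first, then fall back to TCP" in an OpenVPN client config.

Added example; not from the article or the OpenVPN project. The sample
config and hostname are constructed.
"""

# Constructed client config with a single UDP remote.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
"""


def add_tcp_fallback(config: str, tcp_port: int = 443) -> str:
    """Return `config` rewritten so every host gets a UDP remote followed by
    a TCP fallback remote on `tcp_port`, with the global `proto` removed
    (each remote line then carries its own protocol)."""
    lines = config.splitlines()

    # Pass 1: the global protocol applies to remotes that don't name one.
    default_proto = "udp"                      # OpenVPN's own default
    for line in lines:
        parts = line.split()
        if parts and parts[0] == "proto":
            default_proto = parts[1]

    # Pass 2: collect remotes (host -> UDP port) and keep every other line.
    udp_ports = {}
    hosts = []                                 # preserve first-seen order
    kept = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0] not in ("proto", "remote"):
            kept.append(line)
            continue
        if parts[0] == "proto":
            continue                           # dropped; remotes carry it
        host = parts[1]
        port = parts[2] if len(parts) > 2 else "1194"
        proto = parts[3] if len(parts) > 3 else default_proto
        if host not in udp_ports:
            hosts.append(host)
            udp_ports[host] = None
        if proto.startswith("udp"):
            udp_ports[host] = port

    # Remotes are tried top to bottom, so UDP comes first for each host.
    remotes = []
    for host in hosts:
        udp_port = udp_ports[host] or "1194"   # 1194 is OpenVPN's default port
        remotes.append(f"remote {host} {udp_port} udp")
        remotes.append(f"remote {host} {tcp_port} tcp")
    return "\n".join(kept + remotes) + "\n"


if __name__ == "__main__":
    print(add_tcp_fallback(SAMPLE_CONFIG))
```

TCP 443 is used for the fallback because it is the port the article's SSTP and SoftEther sections single out as hard for firewalls to block; the server must of course also be listening there.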

OpenVPN’s main downside is that it isn’t as fast, lightweight, or efficient as some of the other VPN protocols. Its speeds are good, but not as quick as WireGuard or IKEv2.

It’s also the VPN protocol with the largest bandwidth requirements. As our VPN data usage tests show, OpenVPN consumes far more data than any other VPN protocol. This means if you’re using your VPN on mobile, you’ll reach your contract’s data limit around 20% quicker.

When to use OpenVPN:

  • If privacy and security are your absolute top priority, then you should use OpenVPN whenever possible.

When not to use OpenVPN:

  • If speed is crucial to your activity (e.g. gaming).
  • If you’re using a VPN while connected to cellular data (e.g. 3G/4G). You’ll reach your maximum allowance quicker and pay more in roaming charges when abroad.

SUMMARY

OpenVPN has been the industry’s leading VPN protocol for well over a decade. It expertly balances unbreakable security with fast performance. We recommend using OpenVPN whenever it’s available.

2. WireGuard: An Impressive New Protocol

PROS

  • Very light code base
  • Extremely fast speeds
  • Open-source
  • Limited data consumption
  • No known security issues
  • Good at handling network changes
  • Supports Perfect Forward Secrecy
  • Very easy to manually configure

CONS

  • There are privacy concerns with its default configuration
  • Not yet supported by every VPN service
  • Needs time to be fully tried-and-tested
  • Can only be used with UDP

WireGuard is a new, open-source tunneling protocol that was designed to be faster and more efficient than the current most popular VPN protocol, OpenVPN. (For a direct comparison of the two protocols, read our in-depth WireGuard vs OpenVPN guide.)

Released in 2019, WireGuard has already made a big impression on the VPN industry. A lot of VPNs acted quickly to integrate WireGuard into their service, and many have installed it as their default protocol.

WireGuard delivers on many of its creator Jason Donenfeld’s promises:

  • It is remarkably quick. According to WireGuard’s in-house tests, it performs over 3x faster than OpenVPN. We saw similar results in our own testing, especially on longer-distance connections.

  • The code base is impressively efficient. WireGuard stands at just 4,000 lines of code, which is around 100x smaller than counterparts like OpenVPN and IKEv2. Not only is this good for performance, it should also improve security. A smaller code base makes the protocol easier to audit and reduces the attack surface for hackers.

  • Data usage is minimal. Our tests found that WireGuard is by far the least bandwidth-heavy VPN protocol. Compared to OpenVPN’s 20%, WireGuard adds only 4% to your normal data consumption. Read more about this in our guide to VPNs and mobile data.

WireGuard’s infancy is the main factor working against it currently. While its performance benchmarks are excellent and there are no signs of any security vulnerabilities yet, it will take time to establish genuine trust.

This applies to its cipher as well. WireGuard is not compatible with tried-and-tested ciphers, such as AES-256. Instead, it uses the relatively new ChaCha20. All indicators suggest ChaCha20 is very secure and potentially even faster than AES, but privacy-conscious users always take time to warm up to new encryption technologies.

There are also some privacy concerns about WireGuard’s default configuration. VPN servers need to store a temporary log of your IP address for the protocol to work. This isn’t a requirement with other VPN protocols, and it is concerning if left unaddressed.

Fortunately, mitigations can be put in place to overcome this issue. NordVPN, for example, integrates WireGuard with its proprietary Double NAT System to create a safer, custom protocol called NordLynx. Similarly, Mullvad deletes your IP address after ten minutes of inactivity.
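To make the mitigation concrete: the address WireGuard remembers for each client is the peer's "endpoint", visible in `wg show <interface> dump` alongside the time of the last handshake. The script below, added here and modelled only on the article's one-sentence description of Mullvad's approach (it is not Mullvad's code and not part of the WireGuard project), finds peers that have been silent for longer than ten minutes and builds the `wg set` commands that make the server forget their address. The interface name, keys, addresses and timestamps are constructed.

```python
"""List WireGuard peers that have gone quiet and build the `wg set` commands
that make the server forget their last-seen address.

Added example modelled on the mitigation the article attributes to Mullvad;
not Mullvad's code and not part of the WireGuard project. Parses the output
format of `wg show <interface> dump`. All keys, addresses and timestamps
below are constructed.
"""
import shlex

IDLE_SECONDS = 600  # ten minutes, the interval the article mentions

# Constructed `wg show wg0 dump` output. Line 1 describes the interface
# (private key, public key, listen port, fwmark); every further line is one
# peer: public key, preshared key, endpoint, allowed IPs, latest handshake
# (unix time, 0 = never), bytes received, bytes sent, persistent keepalive.
SAMPLE_DUMP = "\n".join([
    "\t".join(["IFACE_PRIVATE_KEY_PLACEHOLDER=", "IFACE_PUBLIC_KEY_PLACEHOLDER=",
               "51820", "off"]),
    "\t".join(["PEER_A_PUBKEY_PLACEHOLDER=", "(none)", "203.0.113.10:41641",
               "10.64.0.2/32", "1700000000", "5120", "8192", "off"]),
    "\t".join(["PEER_B_PUBKEY_PLACEHOLDER=", "(none)", "198.51.100.7:51820",
               "10.64.0.3/32", "1700000590", "1024", "2048", "off"]),
    "\t".join(["PEER_C_PUBKEY_PLACEHOLDER=", "(none)", "(none)",
               "10.64.0.4/32", "0", "0", "0", "off"]),
])


def parse_dump(dump):
    """Turn `wg show <iface> dump` text into a list of peer dicts."""
    peers = []
    for line in dump.splitlines()[1:]:           # first line is the interface
        fields = line.split("\t")
        if len(fields) != 8:
            continue                              # not a peer line
        pub, psk, endpoint, allowed, handshake, rx, tx, keepalive = fields
        peers.append({
            "public_key": pub,
            "preshared_key": None if psk == "(none)" else psk,
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed,
            "latest_handshake": int(handshake),
            "rx_bytes": int(rx),
            "tx_bytes": int(tx),
            "keepalive": None if keepalive == "off" else int(keepalive),
        })
    return peers


def stale_peers(peers, now, idle_seconds=IDLE_SECONDS):
    """Peers whose public address is still cached although they have not
    completed a handshake within `idle_seconds`."""
    return [p for p in peers
            if p["endpoint"] is not None
            and now - p["latest_handshake"] > idle_seconds]


def forget_endpoint_cmds(iface, peer):
    """`wg` has no verb for clearing just the endpoint, so remove the peer
    and re-add it with the same allowed IPs; the fresh entry has no endpoint
    until the client's next handshake. A peer with a preshared key would
    need that key re-supplied from a file, which this helper does not do."""
    if peer["preshared_key"] is not None:
        raise ValueError("peer uses a preshared key; re-add it manually")
    remove = ["wg", "set", iface, "peer", peer["public_key"], "remove"]
    readd = ["wg", "set", iface, "peer", peer["public_key"],
             "allowed-ips", peer["allowed_ips"]]
    return [shlex.join(remove), shlex.join(readd)]


def plan(iface, dump, now, idle_seconds=IDLE_SECONDS):
    """Every command a cleanup pass would run now (built, not executed)."""
    cmds = []
    for peer in stale_peers(parse_dump(dump), now, idle_seconds):
        cmds.extend(forget_endpoint_cmds(iface, peer))
    return cmds


if __name__ == "__main__":
    for cmd in plan("wg0", SAMPLE_DUMP, now=1700000700):
        print(cmd)
```

Run from cron or a timer, feeding it the live `wg show wg0 dump` output and the current time, and execute the returned commands. Removing and re-adding the peer also discards its session keys, so a client that returns simply performs a new handshake, which WireGuard clients do routinely anyway.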

Here’s a list of the VPN services that currently support WireGuard:

  • Astrill
  • AzireVPN
  • CactusVPN
  • CyberGhost
  • Hide.me
  • IVPN
  • Mullvad
  • NordVPN
  • PIA
  • StrongVPN
  • Surfshark
  • TorGuard
  • VPN.AC
  • VyprVPN
  • Windscribe

We expect this number to increase as WireGuard achieves mainstream acceptance.

When to use WireGuard:

  • All the early signs suggest that WireGuard is as safe and secure as OpenVPN, and significantly faster. If you’re happy trusting a newer protocol, we recommend using WireGuard for any activity.
  • WireGuard is especially good for mobile VPN users due to its low bandwidth consumption.

When not to use WireGuard:

  • If you’re especially cautious about your privacy and security online, you may prefer to give WireGuard more time to prove itself. You should also be wary of VPN services that are not taking measures to overcome the protocol’s IP logging requirement.
  • WireGuard is not as good at bypassing firewalls as other VPN protocols because it is only compatible with UDP. If you’re looking to circumvent censorship, you may have more success elsewhere.

SUMMARY

WireGuard is the newest VPN protocol on the scene, and it’s quickly matching OpenVPN. Its performance and efficiency are excellent, and there are no signs of insecurity (yet). If you’re not worried about its immaturity, then WireGuard might be the best VPN protocol for you.

3. PPTP: Outdated and Insecure

PROS

  • Very fast speeds
  • Natively supported on almost all platforms
  • Easy to set up

CONS

  • Known security vulnerabilities
  • Not compatible with 256-bit encryption keys
  • Won’t bypass censorship
  • Reportedly cracked by the NSA
  • Ineffective as a privacy tool

Point-to-Point Tunneling Protocol (PPTP) was the original VPN protocol. Developed by Microsoft engineer Gurdeep Singh-Pall in 1996, it marked the birth of VPN technology.

Nowadays, PPTP is outdated and completely unsafe to use in a consumer VPN.

We don’t recommend using PPTP unless it is absolutely necessary. It is obsolete as both a privacy and security tool.

PPTP does deliver fast speeds, but this is partly because the strongest encryption key it can use is 128-bit. It is not compatible with the military-grade AES-256 cipher that the most secure VPNs use.

The protocol trades off speed for security in a way that leaves it with several known vulnerabilities. For example, it has been shown that a skilled attacker can hack into a PPTP-encrypted VPN connection in just a matter of minutes.

The NSA has also reportedly exploited PPTP’s insecurities to collect huge amounts of data from VPN users.

While it’s still sometimes used within business VPN networks, you should definitely avoid using PPTP for your personal VPN. Some VPN providers have even chosen to stop supporting PPTP altogether because of its vulnerabilities.

When to use PPTP:

  • We don’t recommend ever using PPTP. The only exception might be if you’re just looking for fast speeds and don’t care about privacy or security.

When not to use PPTP:

  • It is especially important that you never use PPTP for any activity involving sensitive information, such as bank details or passwords.

SUMMARY

PPTP is fast because it doesn’t protect or secure your data. If you use PPTP to create your VPN tunnel, your traffic is easily exposed to eavesdroppers and it’s unlikely you’ll be able to unblock geographic restrictions or bypass firewalls.

4. IKEv2/IPSec: Great Protocol for Mobile Users

PROS

  • Provides a very stable connection
  • Delivers fast speeds
  • Compatible with a range of ciphers, including AES-256
  • Good at handling network changes
  • Supports Perfect Forward Secrecy

CONS

  • Closed-source (except for Linux)
  • Possibly compromised by the NSA
  • Bad for bypassing firewalls

Internet Key Exchange version 2 (IKEv2) is a VPN protocol that is especially popular among mobile users.

It offers very fast connection speeds and uses the MOBIKE extension (IKEv2 Mobility and Multihoming) to handle network changes seamlessly. This makes IKEv2 great for mobile VPN users, who frequently switch between cellular data and WiFi networks.

IKEv2 was developed in a collaboration between Microsoft and Cisco, and is a successor to the original IKEv1.

What Is IPSec?

On its own, IKEv2 doesn’t provide any encryption. Its job is to authenticate the two ends and negotiate the keys that set up the secure tunnel. That’s why IKEv2 is typically combined with IPSec (Internet Protocol Security) to form IKEv2/IPSec.

IPSec is a suite of security protocols that uses 256-bit ciphers, such as AES, Camellia or ChaCha20. After IKEv2 has established a secure connection between your device and the VPN server, IPSec encrypts your data for its journey through the tunnel.

IKEv2/IPSec is supported by most VPN services, but unfortunately its code base is closed-source.

The protocol appears secure from the outside, but without the transparency of open-source code it is impossible to verify that Microsoft hasn’t built backdoors or other vulnerabilities into it.

NOTE: Linux versions of IKEv2/IPSec are open-source and audits have shown nothing untoward with the protocol. For this reason, the closed-source nature of IKEv2 is less concerning than with other closed-source protocols, such as SSTP.

Security researchers like Edward Snowden have also suggested that IPSec was deliberately weakened during its creation. While this is unconfirmed, it is widely suspected that any IPSec-based VPN protocol may be compromised by the NSA.

There is no evidence to suggest that IKEv2/IPSec is vulnerable to less sophisticated adversaries, such as hackers or ISPs. It is a fast, flexible, and mostly safe VPN protocol that will work well on your cell phone.

IKEv2 only works on UDP port 500. This is an easy port for firewalls and WiFi administrators to block, meaning IKEv2/IPSec is not an effective VPN protocol for bypassing censorship in places like China or Russia.

When to use IKEv2/IPSec:

  • If you’re using a VPN on your mobile and regularly switching between WiFi and cellular data (e.g. 3G/4G).

When not to use IKEv2/IPSec:

  • If you’re trying to bypass firewalls on your school or work’s local network, or circumvent censorship in an authoritarian country.
  • If you’re especially worried about your privacy and anonymity. IKEv2 being closed-source and IPSec’s possible association with the NSA are enough to cast doubt on the privacy of IKEv2/IPSec.

SUMMARY

IKEv2/IPSec is a fast VPN protocol that provides a very stable connection for mobile users who regularly switch between networks. There are suspicions it may have been hacked by the NSA, but for regular browsing we recommend IKEv2 as a safe and secure protocol.

5. L2TP/IPSec: Slow and Not Worth Using

PROS

  • Double encapsulation offers increased security
  • Natively supported on most platforms
  • Compatible with a range of ciphers, including AES-256

CONS

  • Possibly compromised by the NSA
  • Slower than other VPN protocols
  • Susceptible to Man-in-the-Middle attacks

Created in 1999 as a successor to PPTP, Layer 2 Tunneling Protocol (L2TP) is an easy-to-use protocol that is natively supported by most VPN services, on most devices.

Like IKEv2, L2TP combines with IPSec to form a hybrid L2TP/IPSec VPN protocol. Unfortunately, this means it is susceptible to the same privacy concerns – raised by Edward Snowden – that IPSec has been compromised by the NSA.

There is also a separate security weakness with L2TP/IPSec. It arises when a VPN service authenticates the connection with pre-shared keys.

If those pre-shared keys are available to download online, anyone who has them can forge authentication credentials, impersonate your VPN server, and eavesdrop on your connection. This is known as a man-in-the-middle attack.

L2TP does offer a double encapsulation feature, which wraps your data in two layers of protection. While this improves the security of the protocol, it also slows it down considerably.

L2TP/IPSec is the slowest VPN protocol on this list.

When to use L2TP/IPSec:

  • We recommend not using L2TP/IPSec at all.

When not to use L2TP/IPSec:

  • Don’t use L2TP if you’re revealing personal information, concerned about NSA surveillance, or using a VPN that publicly shares its encryption keys online.

SUMMARY

L2TP/IPSec is a relatively slow VPN protocol that requires workarounds to be used safely. Even then, it’s simply not worth it. There will almost always be a safer and faster VPN protocol available.

6. SSTP: Closed-Source With Potential Risks

PROS

  • Good at bypassing firewalls
  • Easy to set up on Windows
  • Uses strong AES-256 encryption

CONS

  • Closed-source
  • May be susceptible to Man-in-the-Middle attacks
  • Worrying links with the NSA

Secure Socket Tunneling Protocol (SSTP) is a proprietary protocol owned by Microsoft. It is closed-source, so details of its implementation are unclear.

We do know that SSTP is based on the SSL/TLS encryption standards.

This is good because it allows SSTP to use TCP Port 443. This is the port that all regular HTTPS traffic flows through, which makes it very difficult for firewalls to block.

As a result, SSTP is an effective VPN protocol to use if you’re trying to bypass censorship, such as the Great Firewall of China.

On the other hand, SSL 3.0 is vulnerable to a particular man-in-the-middle attack known as POODLE. It has not been confirmed whether SSTP is also affected by this vulnerability, but in our view it’s not worth the risk.

There’s also the issue of Microsoft’s past cooperations with the NSA. As a closed-source protocol produced by Microsoft, there’s a possibility that the NSA has built a backdoor into it.

When to use SSTP:

  • If you’re trying to bypass school, work, or government firewalls, and there isn’t a better protocol available.

When not to use SSTP:

  • Given the possibility of a POODLE attack and/or NSA surveillance, don’t use SSTP for any activity where your privacy, security or anonymity is of the utmost importance.

SUMMARY

SSTP is a good VPN protocol in terms of performance: it’s reasonably fast and very effective at bypassing censorship. It has some notable privacy and security concerns, though. For these reasons, you should avoid using SSTP for sensitive traffic wherever possible.

7. SoftEther: Good For Bypassing Censorship

PROS

  • Open-source
  • Very fast speeds
  • Compatible with a range of ciphers, including AES-256
  • Good at bypassing firewalls

CONS

  • Only released in 2014
  • Requires manual configuration to be safe
  • Not natively supported on any OS
  • Compatible with only a few VPN services

SoftEther is an open-source VPN protocol initially developed as part of a Master’s thesis at the University of Tsukuba.

Released in 2014, SoftEther is one of the newer VPN protocols available. The early signs are that it offers good security without compromising on speed.

SoftEther supports strong encryption ciphers, including AES-256 and RSA-4096. It also boasts speeds that are reportedly 13x faster than OpenVPN.

It is also well-designed to bypass heavy web censorship. SoftEther bases its encryption and authentication on OpenSSL. Like SSTP and OpenVPN, this means it can use TCP Port 443, which is very difficult for firewalls and censorship systems to block.

In 2018, SoftEther received an 80-hour security audit which revealed 11 security vulnerabilities. These were patched in a subsequent update, but researchers at Aalto University have recently found that SoftEther is sometimes vulnerable to man-in-the-middle attacks.

This is because the default configuration is for clients not to verify the server’s certificate. Attackers can therefore impersonate a VPN server and gain access to user credentials and online activity.

When using SoftEther, be sure to tick the Always Verify Server Certificate box in the New VPN Connection settings.

Screenshot: the server certificate verification options in SoftEther’s New VPN Connection settings. SoftEther’s default settings do not include server certificate verification.
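The SoftEther default described above, and the L2TP/IPSec pre-shared-key problem described earlier, are the same failure from the client's point of view: it accepts whoever answers without proving the server is the one it expects. The example below is added here and is not SoftEther's code or any VPN provider's; it uses Python's standard `ssl` module to show the client configuration that corresponds to "verification off" next to a hardened one, and adds certificate pinning as a check that does not depend on a secret that may already be public. The certificate bytes and the pin are constructed.

```python
"""A client that skips server verification accepts anyone who answers; a
hardened client checks the certificate and, here, also pins it.

Added example using Python's stdlib `ssl`; not SoftEther's code or any VPN
provider's. The certificate bytes below are constructed stand-ins for what
ssl.SSLSocket.getpeercert(binary_form=True) returns after a real handshake.
"""
import hashlib
import hmac
import ssl

CONSTRUCTED_SERVER_DER = b"\x30\x82\x01\x00" + b"constructed-cert-body"
IMPOSTOR_DER = b"\x30\x82\x01\x00" + b"impostor-cert-body"


def insecure_client_context():
    """What leaving 'Always Verify Server Certificate' unticked amounts to:
    the handshake succeeds with any certificate, an impostor's included."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    """Verify the chain against trusted CAs and the hostname against the
    certificate, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_policy(ctx):
    """Summarise what a context will enforce, for logging or tests."""
    return {
        "requires_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def fingerprint(der):
    """SHA-256 of the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der, pinned_hex):
    """Constant-time comparison of the presented certificate against a pin
    recorded out of band (for example, shipped inside the client)."""
    return hmac.compare_digest(fingerprint(der), pinned_hex.lower())


def server_is_authentic(sock, pinned_hex):
    """Post-handshake check on a connected ssl.SSLSocket. The context has
    already enforced CA and hostname checks; the pin adds a second,
    independent identity check that a stolen or mis-issued CA cert can't
    satisfy."""
    der = sock.getpeercert(binary_form=True)
    return der is not None and pin_matches(der, pinned_hex)


if __name__ == "__main__":
    print("insecure:", context_policy(insecure_client_context()))
    print("hardened:", context_policy(hardened_client_context()))
    pin = fingerprint(CONSTRUCTED_SERVER_DER)
    print("real server matches pin:", pin_matches(CONSTRUCTED_SERVER_DER, pin))
    print("impostor matches pin:  ", pin_matches(IMPOSTOR_DER, pin))
```

The insecure context is the state SoftEther's default leaves a client in; the hardened one is what ticking the verification box buys you. A pin is only as good as the channel you received it over, so record it from a connection you already trust, not from the first connection on an unknown network.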

SoftEther is not supported natively on any operating system and very few VPN providers currently support its use. Of those we’ve tested, only Hide.me and CactusVPN support the SoftEther protocol.

When to use SoftEther:

  • If your VPN service supports it, you can use SoftEther for fast and safe browsing.
  • It is especially effective at overcoming firewalls and bypassing censorship.

When not to use SoftEther:

  • Don’t start using SoftEther until you have turned on ‘Always Verify Server Certificate’.

SUMMARY

SoftEther is a very fast and reasonably secure protocol. It is particularly good for bypassing censorship, but users should be wary of its default configuration settings and lack of mainstream VPN compatibility.

Proprietary VPN Protocols

A number of VPN services don’t just offer the protocols listed above. Many also create their own. These are referred to as proprietary VPN protocols.

Using a proprietary VPN protocol comes with both pros and cons. The main positive is that it is likely to be faster than the other options offered.

After spending time and money creating a new protocol, it’s only natural that a VPN service would dedicate its best servers and infrastructure to make it as fast as possible. Providers will often claim it’s more secure, too.

On the other hand, these protocols are usually almost entirely opaque.

Open-source protocols like OpenVPN have been studied by thousands of people to make sure they’re safe, secure, and do exactly what they promise. Proprietary VPN protocols tend to be closed-source, so it’s very hard to say exactly what is going on behind the scenes.

The number of VPN providers that use their own VPN protocol is small, but growing steadily. Here are some important ones to look out for:

  • Astrill – OpenWeb and StealthVPN
  • ExpressVPN – Lightway
  • Hotspot Shield – Catapult Hydra
  • Hidester – CamoVPN
  • NordVPN – NordLynx
  • VPN Unlimited – KeepSolid Wise
  • VyprVPN – Chameleon
  • X-VPN – Protocol X

What Is the Best VPN Protocol?

The best VPN protocol to use depends on why you need a VPN and which qualities you value the most.

Here’s a table summarizing how the different protocols compare:

Protocol     | Encryption | Speed     | Reliability | Weaknesses
OpenVPN TCP  | 256-bit    | Moderate  | Very High   | No Known
OpenVPN UDP  | 256-bit    | Fast      | High        | No Known
PPTP         | 128-bit    | Very Fast | Moderate    | Known
L2TP/IPSec   | 256-bit    | Moderate  | Moderate    | Suspected
SSTP         | 256-bit    | Fast      | Very High   | Suspected
SoftEther    | 256-bit    | Very Fast | Very High   | Needs Fix
IKEv2/IPSec  | 256-bit    | Very Fast | High        | Suspected
WireGuard    | 256-bit    | Very Fast | High        | No Known

OpenVPN is the most secure VPN protocol around. It is the best one to use when privacy and security are crucial, and you’re fine with some reduced speeds and flexibility.

You should use OpenVPN to access the free internet in high-censorship states, or when torrenting, for example.

If OpenVPN isn’t available, SoftEther is another good option for bypassing censorship.

WireGuard is the fastest VPN protocol we’ve seen. It also seems to be extremely safe and secure, although its immaturity means we still favor OpenVPN for highly sensitive tasks. Use WireGuard for any activity where speed is vital, such as gaming or streaming.

WireGuard is also the most data efficient VPN protocol. If you’re using a VPN on your cell phone and you’re worried about data consumption, use WireGuard. It’ll keep your data usage to a minimum.

IKEv2 is another good protocol for mobile VPN users. Its MOBIKE extension makes it the best for handling frequent and sudden network changes (e.g. between WiFi and cellular data).

IKEv2’s data usage isn’t quite as low as WireGuard’s, but it is still much more efficient than other VPN protocols like OpenVPN.

How to Choose a VPN Protocol

Most VPN services allow you to change the VPN protocol within the VPN app’s settings menu.

If this is the case, simply open up the settings menu and select the VPN protocol you want to use.

VPN Protocols in Hide.me’s macOS app settings

If there is no option to select a protocol within the custom app, you may be able to install alternative protocols using manual configuration.

NordVPN is one example of a VPN service that runs on OpenVPN but allows for manual installation of IKEv2.

If your VPN service supports alternative protocol configuration, be sure to carefully follow the instructions given on its website.

Remember that even a VPN using the most secure protocols and ciphers on the market may put your personal data at risk in other ways.

To learn more, read our guide to VPN logging policies or see our research into which VPNs leak.
