Top10VPN is editorially independent. Buying a VPN through our links supports our work.
VPN Protocols: Review, Comparison & Test Results
Overview
A VPN protocol is a set of rules dictating how internet data is transmitted between your device and a VPN server. VPN apps use these protocols to create secure connections to and from VPN servers. WireGuard is the best protocol for security, speed, and data efficiency. OpenVPN is a highly secure but slower alternative, while IKEv2/IPSec best suits mobile connections.
VPN protocols can make a huge difference in your VPN connection speeds and security.
From tried-and-tested OpenVPN to the more modern WireGuard, each protocol offers a unique set of attributes that suit different circumstances.
In this guide, we’ll explain how VPN tunneling protocols work, review the most common ones used by VPN services, and share the results of our tests for speed, security, and data efficiency.
List of the Main VPN Protocols
WireGuard is the best VPN protocol, thanks to its superior speeds, increased security, and efficient data usage. It’s also available in most top-tier VPNs.
We’re fully independent and have been reviewing VPNs since 2016. Our advice is based on our own testing results and is unaffected by financial incentives. Learn who we are and how we test VPNs.
What Is a VPN Protocol?
A VPN protocol is a set of rules that govern how internet data is transferred between your device and a VPN server.
VPN applications use these protocols to establish a stable, encrypted tunnel to the server of your choice, hiding your IP address and browsing activity in the process. For this reason, they’re also referred to as tunneling protocols.
The underlying technology behind each VPN protocol is different, which means they can offer varying levels of speed, security, and compatibility.
Understanding the technical nuances of these protocols can help you decide which protocol to choose when configuring your VPN connection.
There are common protocols, which can be implemented by any provider, and proprietary protocols, which are unique to one specific VPN provider.
Whether you’re prioritizing speed for gaming, enhancing security for online purchases, or bypassing geo-restrictions, selecting the appropriate protocol can greatly affect the effectiveness and overall performance of your VPN.
VPN Protocol Comparison
Your choice of VPN protocol varies depending on which VPN you’re using. Some VPN services let you choose from a wide range of protocols. Other VPNs won’t let you choose at all.
Below is a table comparing the seven most commonly-used VPN protocols:
| Protocol | Speed | Security | Data Usage |
|---|---|---|---|
| WireGuard | Very Fast | Very High | Very Low |
| OpenVPN | Moderate | Very High | High |
| IKEv2/IPSec | Very Fast | High | Moderate |
| SoftEther | Very Fast | High | Low |
| L2TP/IPSec | Moderate | Moderate | High |
| SSTP | Slow | Moderate | High |
| PPTP | Slow | Low | Moderate |
These assessments come from our own testing — see the full results immediately below.
Our VPN Protocol Test Results
In the following section, we compare the speeds, data usage, and security of a range of VPN protocols: WireGuard, OpenVPN, IKEv2/IPSec, and PPTP.
We chose NordVPN and ExpressVPN for these tests because they are great VPNs that together offer the four most common protocols.
The Most Secure VPN Protocol
Key Findings:
OpenVPN stands out as the most secure VPN protocol due to its open-source code that has been extensively reviewed by security experts. WireGuard is a more streamlined alternative with a smaller codebase for easier auditing.
Below is a chart comparing the security of the seven commonly-used VPN protocols:
The Fastest VPN Protocol
Key Findings:
- WireGuard and IKEv2/IPSec are the fastest protocols.
- OpenVPN TCP and UDP are slower, especially on high-speed internet connections.
Keep in mind the speed of your VPN depends on many factors, including: your chosen VPN protocol, your standard internet speeds, the VPN server location, who else is using your network, and what encryption cipher you’re using.
Below is a bar chart showing our speed test results on a 350 Mbps baseline connection, comparing WireGuard, OpenVPN UDP, OpenVPN TCP, IKEv2/IPSec, and PPTP:
The Most Data-efficient VPN Protocol
Key Findings:
- WireGuard uses the least amount of data — just 4.53%.
- IKEv2/IPSec uses 7.88% — more than WireGuard but less than OpenVPN.
- OpenVPN UDP and TCP increases your data consumption by up to 20%.
Here’s a bar chart showing the different levels of data consumption between protocols, when sending the same file across the internet:
Popular VPN Protocols Reviewed
We’ll now review the seven main VPN protocols that have been widely used in VPN software since the 1990s.
Some are now outdated and risky to use, while others have emerged as the go-to protocols adopted by the most secure VPN services.
WireGuard: Best VPN Protocol
| Pros | Cons |
|---|---|
| Remarkably quick | Default setup can store user IP addresses |
| Concise & efficient code base | UDP-only (easily blocked by firewalls) |
| Minimal data usage | |
| Modern security & encryption |
WireGuard is a relatively new open-source VPN protocol. It’s extremely fast, data efficient, and natively only supports UDP communication.
Its widespread adoption among reputable VPNs, due to its fast speeds and secure ChaCha20 encryption, make it the best choice for the majority of users.
Its code base is much shorter than OpenVPN, making it less likely to produce errors, easier for VPN services to implement in their software safely, and quicker to audit thoroughly.
From our own speed tests, we found that WireGuard is two times faster than OpenVPN.
Also, WireGuard uses the least amount of data out of all the widely-used VPN protocols.
WireGuard uses ChaCha20 encryption, Poly1305 for authentication, Curve25519 for key exchange, and Perfect Forward Secrecy (PFS).
WireGuard is a modern and safe VPN protocol.
WireGuard’s default setup requires static IP addresses, which can compromise privacy. However, many top-tier VPN providers have addressed this with advanced configurations like double Network Address Translation (NAT) systems.
NordVPN, for example, integrates WireGuard with its own double NAT System to create a safer version of WireGuard called NordLynx. It allows servers to establish a WireGuard connection without having to store a static IP address on the server.
ProtonVPN has also implemented a double NAT system with its WireGuard servers to ensure no real IP addresses are stored.
Should I Use WireGuard? If configured properly, WireGuard is as safe and secure as OpenVPN, and is significantly faster. It’s also good for mobile VPN users due to its low bandwidth consumption.
OpenVPN: Highly Secure Alternative
| Pros | Cons |
|---|---|
| 100% safe to use | Bloated code and complicated construction |
| Highly-configurable protocol | Problematic default configuration |
| Compatible with many encryption ciphers | OpenVPN consumes a lot of data |
| Slower than other protocols |
OpenVPN is an open-source, trusted VPN protocol. It was once the most popular protocol and the industry gold standard for decades.
It has been rigorously audited for two decades by security researchers. It also offers PFS that generates new keys for every session of data transfer.
When you use OpenVPN, both the control channel (which handles authentication, key exchange, and configuration) and the data channel (which encrypts and transmits packets) are protected with SSL/TLS encryption. This makes it safer than other protocols that only encrypt the data channel.
It can also use all the cryptographic algorithms contained in the OpenSSL library, including: AES, Blowfish, Camellia, and ChaCha20.
OpenVPN is a popular and safe VPN protocol, available with most VPN services.
Most VPNs allow you to choose between two transmission modes: TCP and UDP. The key difference between UDP and TCP is that UDP is faster, whereas TCP is more stable and reliable.
This is because TCP establishes a connection before transmitting data, maintains the connection throughout transmission, and closes the connection after all data has been sent successfully.
TCP guarantees data delivery as it checks for errors, confirms whether any packets are lost, and re-initiates transmission if needed.
In contrast, UDP doesn’t open, maintain, and close a connection before delivering data. UDP simply sends the data without handshakes – there is no tracing or retransmission of lost packets.
Importantly, TCP is primarily used in situations where trustworthy communication is necessary, such as sending emails, transferring important files, and bypassing censorship. UDP is great for fast-paced activities, like gaming, streaming video or music, and online calls.
Almost every VPN app natively supports OpenVPN across popular operating systems, including Windows, macOS, Android, Linux, and iOS. You can also manually set up an OpenVPN connection.
However, OpenVPN has its drawbacks. It isn’t as efficient as WireGuard or IKEv2. It has over 70,000 lines of code — compared to just 4,000 in WireGuard. This makes it more difficult for security researchers to audit and increases the risk of bugs occurring.
Like WireGuard, OpenVPN stores your IP address and username by default but the protocol can easily be configured to not store IP addresses.
OpenVPN also increases your data usage by up to 20%, which is more than any other VPN protocol we’ve tested.
Should I Use OpenVPN? Only if privacy and security are your absolute top priority. Otherwise, WireGuard is a faster and more data-efficient choice.
IKEv2/IPSec: Tailored for Mobile Devices
| Pros | Cons |
|---|---|
| Very fast | Microsoft’s code base is closed-source |
| Switch between WiFi networks and mobile data seamlessly | Fails to bypass online censorship |
| Supports many strong encryption ciphers | It might be compromised by the NSA |
IKEv2 (Internet Key Exchange version 2) is a fast VPN protocol that provides a very stable connection. In our tests, IKEv2/IPsec was the second-fastest protocol. This is because it uses less bandwidth – just 7.88% compared to OpenVPN UDP’s 17.14%.
IKEv2 offers a unique auto-reconnect feature using Mobility and Multihoming Protocol (MOBIKE). This keeps the connection with a VPN gateway active while moving from one address to another.
MOBIKE helps users switch seamlessly between cellular data and WiFi networks on mobile.
We recommend Surfshark for mobile as it offers the IKEv2 protocol, GPS spoofing, a custom kill switch, and more.
However, IKEv2 doesn’t provide any encryption on its own, so it’s usually combined with IPSec (Internet Protocol Security) to form IKEv2/IPSec.
Microsoft and Cisco created the IKEv2/IPSec protocol together, which might cause concern due to their reputation for closed-source code, but there are now many open-source iterations that have been audited.
NOTE: Linux versions of IKEv2/IPSec are open-source, and audits have shown nothing untoward with the protocol. For this reason, the closed-source nature of IKEv2 is less concerning than with other closed-source protocols, such as SSTP.
IPSec is a suite of security protocols that uses 256-bit ciphers, such as AES, Camellia and ChaCha20. After IKEv2 has established a secure connection between your device and the VPN server, IPSec encrypts your data for its journey through the tunnel.
There are unconfirmed suspicions IPSec may have been hacked by the NSA. Security researchers like Edward Snowden have suggested that IPSec was deliberately weakened during its creation.
The VPN protocol also doesn’t bypass online censorship. IKEv2 is easily blocked by firewalls and WiFi administrators because it only works on UDP port 500.
IKEv2/IPSec is therefore a poor choice for unblocking websites in countries like China and Russia.
Should I Use IKEv2/IPSec? IKEv2/IPSec is a good option for mobile due to its fast speeds, ability to switch between networks, and low data consumption. However, being closed-source and possibly compromised is enough to cause concern.
SoftEther: Good for Bypassing Firewalls
| Pros | Cons |
|---|---|
| Designed to bypass internet firewalls | Not available with most VPNs |
| Compatible with strong encryption ciphers | Requires manual configuration to be safe |
When configured properly, SoftEther is a fast and secure open-source protocol, compatible with many encryption ciphers: AES-256, RC4-128, and Triple-DES-168.
The protocol is particularly good for bypassing “everyday” firewalls in workplaces and schools.
It bases its encryption and authentication protocols on OpenSSL. Like OpenVPN, this means it can use TCP Port 443, which firewalls find difficult to effectively block due to it being the port used for HTTPS (or secure websites).
Crucially, most VPNs never adopted SoftEther. It’s not supported natively on any operating system and, of the VPNs we’ve reviewed, only Hide.me supports it.
Also, SoftEther’s default configuration isn’t safe out of the box. By default, clients don’t verify the server’s certificate. Attackers can therefore impersonate a VPN server and gain access to user credentials and online activity.
And although its known for its censorship-circumventing capabilities, SoftEther now lags some of the most advanced VPN obfuscation necessary to beat aggressive internet restrictions.
Should I Use SoftEther? SoftEther is a good option to circumvent common firewalls you find in schools and workplaces, but make sure Always Verify Server Certificate is enabled before using it.
L2TP/IPSec: Slow & Insecure
| Pros | Cons |
|---|---|
| Compatible with strong encryption ciphers | Complex code leads to poor implementation |
| Open-source code | Fails to bypass firewalls |
| IPSec might be compromised | |
| Slower than other protocols | |
| Incompatible with NAT |
Layer 2 Tunneling Protocol (L2TP) was released in August 1999 as the immediate successor to PPTP. Like IKEv2, L2TP is usually combined with IPSec to form a hybrid L2TP/IPSec VPN protocol.
Overall, its performance is disappointing and L2TP is slowly being phased out of the VPN market. Less than half of VPNs we’ve reviewed offer it. Most reputable services offer faster and safer alternatives.
It was created by Microsoft and Cisco, but there are open-source code bases available on GitHub that have implemented L2TP/IPSec servers, so the protocols can be audited and checked for backdoors.
StrongVPN is one of the few VPNs to offer the L2TP/IPSec protocol.
Its complex code has led to poor implementation among VPNs. Due to the complexity of combining L2TP and IPSec, some VPNs used pre-shared keys to set up the protocol. This opened users up to Man-In-The-Middle attacks, in which an attacker falsifies authentication credentials, impersonates a VPN server, and eavesdrops on your connection.
L2TP/IPSec is also slower than other protocols, because it uses a double encapsulation feature that wraps your data in two layers of encryption.
While double encapsulation improves the security of the protocol, it’s also resource-intensive and slows down your VPN speeds.
L2TP/IPSec is also incompatible with NAT, which can cause connectivity problems. In this case, you’ll need to use a VPN passthrough feature on your router to connect to a VPN using L2TP.
Should I Use L2TP/IPSec? Don’t use L2TP/IPSec if you’re revealing personal information, concerned about NSA surveillance, or using a VPN that publicly shares its encryption keys online.
SSTP: Effective Obfuscation but Closed-Source
| Pros | Cons |
|---|---|
| Offers secure AES-256 encryption | Not available with most VPNs |
| Good for bypassing censorship | Closed-source and owned by Microsoft |
| Easy to set up on Windows |
Secure Socket Tunneling Protocol (SSTP) is a reliable option for bypassing firewalls, although most high-end VPNs have dropped it for more modern protocols.
SSTP is a proprietary protocol owned and operated by Microsoft. It’s typically used to protect native Windows connections. It uses SSL/TLS and TCP port 443 by default, as well as AES-256 encryption ciphers to establish a secure connection.
This is the port that all regular HTTPS traffic flows through, making it difficult for firewalls to block and effective for bypassing certain forms of web censorship.
It used to be vulnerable to Man-in-the-Middle attacks because it used SSL3. Nowadays, SSTP is configured to use TLS 1.2 and 1.3, which is much more secure and resistant to cyberattacks.
Overall, there are newer and more private alternatives already available with VPNs, like WireGuard and OpenVPN, so there isn’t a reason to use SSTP.
Should I Use SSTP? SSTP is only worth considering for bypassing censorship, but if you’re concerned about privacy, you might be deterred by the fact it’s closed-source. In addition, Hide.me is the only highly-rated VPN to offer SSTP.
PPTP: Outdated & Unsafe
| Pros | Cons |
|---|---|
| Fast speeds | Serious security vulnerabilities |
| Not compatible with 256-bit encryption keys | |
| Poor choice for bypassing censorship | |
| Reportedly cracked by the NSA |
Point-to-Point Tunneling Protocol (PPTP) is an obsolete VPN protocol that has many known security issues. It’s one of the oldest network protocols that were widely used for creating encrypted tunnels.
It was developed and released by Microsoft in July 1999 to function in everyday Windows environments, with low data consumption and high speeds. This was the era of dial-up internet: a lot has changed since then, and PPTP is no longer the standard.
As a result of its simple setup and good performance at the time, the protocol was popular with small- to medium-sized businesses for internal site-to-site and remote VPNs. Worryingly, some companies still rely on this protocol to this day.
Most VPN providers have stopped supporting PPTP altogether because of its inferior 128-bit encryption and known vulnerabilities.
For example, a blog post from 2016 claims that a PPTP-encrypted VPN connection can be cracked in just three minutes.
The NSA have also reportedly exploited PPTP’s insecurities to collect huge amounts of data from VPN users.
Should I Use PPTP? No, PPTP isn’t secure enough. You should never use PPTP for anything that involves sending private or sensitive data over the internet.
Proprietary VPN Protocols
A handful of VPN services have also created their own VPN protocols, either through improving existing open-source protocols, or creating their own unique protocol. We refer to them as proprietary VPN protocols.
ExpressVPN has developed its own protocol, Lightway.
VPN companies often build their own proprietary protocols for specific use cases. Most of the time it’s to further increase the security of existing protocols.
Other popular reasons include improved speeds, and the ability to circumvent sophisticated online firewalls.
These protocols usually perform better than common protocols. After spending time and money creating a new protocol, it’s only natural that a VPN service would dedicate its best infrastructure to improve its performance.
| Pros | Cons |
|---|---|
| Designed for specific use cases | Often closed-source & haven’t been independently audited |
The table below compares the three most popular proprietary VPN protocols on the market right now.
| VPN Protocol | Use Case | Effectiveness | Security Audit? |
|---|---|---|---|
| ExpressVPN – Lightway | General | Offers a balance of security & speed | Yes: 2021, 2023 & 2025 |
| Hotspot Shield – Catapult Hydra | Speed | Provides unparalleled speed, ideal for bandwidth-intensive tasks | Yes: Unreleased |
| Astrill – StealthVPN | Censorship | Circumvents China’s internet restrictions | No |
We’ve deliberately excluded NordVPN’s NordLynx as it’s a “branded” WireGuard protocol. We’re also waiting for Surfshark’s Dausos to be fully rolled out across platforms before testing it comprehensively.
Keep in mind that most VPNs keep their proprietary VPN protocols closed-source, meaning you’re unable to examine the code and verify it has no vulnerabilities or bugs.
That being said, reputable VPN companies commission independent security audits of their protocol’s code to provide privacy and security assurances.
