If you’ve spent any time looking at VPN providers, you’ve probably seen the words VPN protocol thrown around as if they have some important meaning. What those articles often don’t do, though, is actually explain what that important meaning is. In this article, we’ll fill that critical gap. We’ll explain what a VPN protocol is and why it is important. We’ll also discuss the differences between protocols and tell you which VPN protocols to use to best protect yourself online.
To understand VPN protocols, you first have to have a general sense of what VPNs are. A VPN is a way of creating a secure connection between you and whatever you’re accessing online. VPNs do this in two important ways: First, they put a VPN server in between you and the device or website you’re communicating with. This reroutes your traffic and disguises your location. Second, VPNs encrypt your data. This keeps the bad guys from reading it and spying on you.
For a user on the VPN, everything looks exactly the same as their normal internet experience. Prying eyes or nefarious actors, however, will have a harder time spying on your activity or determining who you are behind the cloak of the VPN.
So what role do the VPN protocols play in this? I mentioned that the VPN both reroutes and encrypts your internet traffic. Rerouting your traffic just isn’t enough to stay private and secure: If you really want the full VPN protection, you need to encrypt all of the information you send to the server. And that’s where the VPN protocol comes in. The VPN protocol works as an instruction set for that process, containing all the information your computer needs to encrypt data and transmit it to the VPN server.
In other words, the encryption and transmission process isn’t always exactly the same — it depends on which VPN protocol your VPN service is using. The VPN protocols are standardized, so we know what we’re getting from each one — though most protocols do have several configurations, which can include options to switch encryption methods or change how your connection is authenticated (these little details are why you still need to be cautious about second-tier VPN providers, even if they are using a top-tier VPN protocol).
VPN protocols all set out to accomplish the same basic things, but they are not all created equal — so choose wisely!
With most VPN services, you’ll have a choice between multiple VPN protocols. Choosing the right VPN protocol can make your VPN use even more secure. Choosing the wrong one could make you less secure.
There are also cases where you may want to choose VPN protocols based on factors other than privacy and security; some VPN protocols are faster than others, for example, and others are harder for VPN-blocking software to detect. We generally recommend going with the most secure option available, but we’ll cover all of the most popular VPN protocols below.
Point-to-Point Tunneling Protocol (PPTP) was developed by Microsoft for use with Windows 95. It’s one of the oldest VPN protocols still in use, and it is incredibly common even today. PPTP is often used when speed is critical or when a VPN needs to be usable on old devices or devices with minimal processing power.
The biggest downside of PPTP is an important one: it’s not very secure. It uses an authentication protocol that has been cracked during several security analyses. This is why PPTP should not be considered a viable option for most use cases.
You need to know: PPTP is fast, but not as secure as we’d like.
Secure Socket Tunneling Protocol (SSTP) was created by Microsoft around the time of the Windows Vista SP1 release as an answer to the security flaws in PPTP. It’s essentially PPTP wrapped in SSL, an authentication protocol commonly used for securing websites.
It does successfully address the security pitfalls of PPTP, but Microsoft’s ownership of the protocol, limited attempts to enhance compatibility with non-Windows devices, and refusal to open-source the protocol have resulted in SSTP’s failure to gain significant traction.
You need to know: SSTP is an improvement on PPTP, but it doesn’t work on many devices.
Layer 2 Tunneling Protocol (L2TP) is another extension of PPTP, this one created by Microsoft and Cisco. It offers a significant improvement in security, but it loses some of PPTP’s speed in the process. L2TP has no built-in encryption, which is why it is almost always paired with IPSec encryption to form L2TP/IPSec.
The strength of this security is much better than PPTP, but it is still weak compared to some of the protocols we’ll discuss next. These concerns came to the forefront when Edward Snowden revealed that the NSA and other security agencies had either weakened or perhaps even breached L2TP/IPSec.
You need to know: L2TP/IPSec improves on PPTP, but the Feds have cracked this one and there are better options.
Internet Key Exchange Version 2 (IKEv2) was another joint venture of Microsoft and Cisco. IKEv2 is usually paired with IPSec for added security, forming IKEv2/IPSec. This combined protocol offers reasonable speed, high security, and excellent stability. Its biggest claim to fame, though, is its ability to maintain a stable connection while switching networks. This makes it an ideal choice for mobile users who frequently switch connections between a mobile network and WiFi.
You need to know: IKEv2 handles network-switching well, making it good for mobile VPN users.
OpenVPN was created in 2001 by James Yonan to be a highly customizable, open-source VPN protocol. This protocol was quickly adapted to work with several platforms, and it soon became the gold-standard protocol across consumer VPNs.
Much like SSTP, OpenVPN uses SSL for authentication. In many cases, you’ll see two options for OpenVPN: UDP and TCP. The primary difference is that UDP optimizes the connection for speed whereas TCP optimizes for a reliable connection.
You need to know: OpenVPN is a great all-arounder and a highly secure option.
WireGuard is the new kid on the block, with the first stable release having occurred in late 2019. The WireGuard developers were focused on creating a simplified — but still open-source — alternative to OpenVPN and IPSec. Due to their age and focus on customizability, the codebases of those VPNs had grown excessively large, raising concerns about their ability to be maintained and properly audited.
By eliminating outdated or low-quality encryption ciphers and taking advantage of other recent security advances, WireGuard was able to create a more easily configurable and much faster protocol. Its codebase, being one percent the size of OpenVPN or IPSec, is easier to debug and encourages more regular third-party security audits.
WireGuard does raise a potential privacy concern since it stores user IP addresses on the VPN server. However, many VPN providers have found ways to negate this issue.
You need to know: WireGuard is lean, fast, and highly secure.
VPN protocols are important, but they’re not always front and center in your VPN app. You may find yourself wondering: What VPN protocol am I using, anyway?
Depending on your VPN provider, the answer might be that you can’t tell — at least not directly. Some VPN apps will tell you which VPN protocol you’re using right on the main interface, but that is the exception rather than the rule. Advanced users can likely make an educated guess based on what ports their connection is using, but there are limitations to even that method.
For most of us, the better way is to check your VPN app settings. If there are multiple protocols available, you should see an option to select between them in the settings menu, often under either the General or Connection sections. Look for either an option called Protocol or a list that contains some of the protocol names that we discussed above. Alternatively, if you see options that say UDP and TCP, then that very likely means that you are using OpenVPN.
If all else fails, check the documentation. VPN apps that only have a single protocol often won’t list it anywhere in their app, but they almost always discuss it on their website. You should be able to find it in their description of security or features. You may also find the information you are looking for here at CordCutting.com, as our reviewers have already gone through each of the above steps for the most popular VPNs on the market, including ExpressVPN, NordVPN, and Private Internet Access (PIA).
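The port-based guess mentioned above can be scripted, and doing so shows its limits. This is an added example, not from the original article or any VPN provider: it reads `ss -tun`-style output (the sample is constructed) and maps peer ports to each protocol's well-known default port, which is an assumption because providers can move them.

```python
# Well-known default ports. A match is only a hint: any service can listen on any port.
DEFAULT_PORTS = {
    ("tcp", 1723): ["PPTP"],
    ("udp", 1701): ["L2TP"],
    ("udp", 500): ["IKEv2/IPSec", "L2TP/IPSec"],    # IKE key exchange, shared by both
    ("udp", 4500): ["IKEv2/IPSec", "L2TP/IPSec"],   # IPSec NAT traversal
    ("udp", 1194): ["OpenVPN"],
    ("tcp", 1194): ["OpenVPN"],
    ("udp", 51820): ["WireGuard"],                  # conventional, not mandated
    ("tcp", 443): ["SSTP", "OpenVPN over TCP", "ordinary HTTPS"],
}

# Constructed `ss -tun` output using documentation addresses, not a real capture.
SAMPLE = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   ESTAB 0      0      192.168.1.20:48211 203.0.113.7:51820
tcp   ESTAB 0      0      192.168.1.20:51514 198.51.100.9:443
tcp   ESTAB 0      0      192.168.1.20:40022 198.51.100.23:1723
udp   ESTAB 0      0      192.168.1.20:4500  203.0.113.40:4500
udp   ESTAB 0      0      192.168.1.20:39110 203.0.113.99:8443
"""

def parse_ss(text):
    """Yield (transport, peer_host, peer_port) for each connection row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue  # header line or a row we do not understand
        host, _, port = fields[5].rpartition(":")
        if port.isdigit():  # skips listening sockets shown as "*:*"
            yield fields[0], host.strip("[]"), int(port)

def guess_protocols(text):
    """Return one record per connection with candidate protocols and a verdict."""
    results = []
    for transport, host, port in parse_ss(text):
        candidates = DEFAULT_PORTS.get((transport, port), [])
        if not candidates:
            verdict = "unknown"      # custom port: the method gives no answer
        elif len(candidates) > 1:
            verdict = "ambiguous"    # several protocols share this port
        else:
            verdict = "likely"
        results.append({"peer": f"{host}:{port}", "transport": transport,
                        "candidates": candidates, "verdict": verdict,
                        "weak": "PPTP" in candidates})  # the protocol to avoid
    return results

if __name__ == "__main__":
    for row in guess_protocols(SAMPLE):
        print(row)
```

TCP 443 and UDP 500/4500 come back as ambiguous, and a provider running on a custom port comes back as unknown, which is why the app settings or documentation remain the more reliable source.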
Let’s break the question down into a few categories to help you decide on your ideal VPN protocol. We’ll focus this section primarily on OpenVPN, the current gold standard of VPNs, and WireGuard, the rising star.
Neither WireGuard nor OpenVPN has any known security vulnerabilities. WireGuard’s limited configuration options offer fewer chances to accidentally configure it in a subpar manner. WireGuard is only getting better with time, owing to the ease of maintaining and auditing its slim codebase.
OpenVPN, however, has been around the block. There will come a time when WireGuard has been tested more thoroughly, but that is years into the future. For now, OpenVPN remains the gold standard in security, and it’s the VPN protocol we’d recommend to most users in most cases.
Most secure VPN protocol: OpenVPN
On nearly all VPN apps, WireGuard will be faster than OpenVPN. If you need the extra speed, that is a point in WireGuard’s favor. Depending on your VPN provider, though, you may notice that the difference is negligible. In fact, OpenVPN is actually faster with certain providers due to their specific default settings.
Fastest VPN protocol: WireGuard
WireGuard’s simpler configuration comes at the expense of the robust options present in OpenVPN. WireGuard has enough customizability for the average user, but power users will appreciate the flexibility that OpenVPN provides.
Novice users shouldn’t let this extra customizability scare them too much — the best VPNs generally have excellent default OpenVPN settings.
Most customizable VPN protocol: OpenVPN
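OpenVPN's flexibility is also where a provider's defaults can fall short, so it is worth checking a client profile before trusting it. This is an added example, not from the original article or from any provider: it audits an OpenVPN client profile for settings commonly regarded as weak. Both profiles are constructed, and the weak-value lists are this example's own assumption rather than an official list.

```python
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "NONE"}
COMPRESSORS = {"lzo", "lz4", "lz4-v2"}
# Constructed client profiles; the host name is a placeholder.
WEAK_PROFILE = """\
remote vpn.example.net 1194 udp
cipher BF-CBC
auth MD5
comp-lzo
<ca>
(placeholder certificate)
</ca>
"""
HARDENED_PROFILE = """\
remote vpn.example.net 1194 udp
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
remote-cert-tls server
"""

def parse_ovpn(text):
    """Map directive -> args, skipping comments and inline <ca>-style blocks."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif line and not in_block and line[0] not in "#;":
            name, *args = line.split()
            directives[name] = args
    return directives

def audit(text):
    d = parse_ovpn(text)
    def first(key):  # first argument of a directive, or "" when absent or bare
        return (d.get(key) or [""])[0]
    ciphers = [first("cipher")] + first("data-ciphers").split(":")
    findings = [f"weak cipher: {c}" for c in ciphers if c.upper() in WEAK_CIPHERS]
    checks = [
        (first("auth").upper() in WEAK_DIGESTS, f"weak HMAC digest: {first('auth')}"),
        (first("tls-version-min") not in {"1.2", "1.3"}, "tls-version-min is not 1.2 or higher"),
        ("remote-cert-tls" not in d and "verify-x509-name" not in d,
         "server certificate role is not verified"),
        (("comp-lzo" in d and first("comp-lzo") != "no") or first("compress") in COMPRESSORS,
         "compression is enabled"),
    ]
    return findings + [msg for failed, msg in checks if failed]
```

Calling `audit(WEAK_PROFILE)` returns five findings, while `audit(HARDENED_PROFILE)` returns an empty list.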
This category gets a surprise entry. While both OpenVPN and WireGuard offer good reliability, neither can match IKEv2/IPSec and its improved network switching ability, particularly when dealing with mobile devices.
Even with the improved reliability of IKEv2/IPSec, you should always use a kill switch to avoid losing your VPN’s protection while switching networks. A split second of interrupted VPN protection can result in your private data becoming much less private, and that is not a risk worth taking.
Most reliable VPN protocol: IKEv2/IPSec
If you are trying to figure out what VPN protocol to use, WireGuard and OpenVPN are almost always the best options. They both offer exceptional security, good speeds, and enough customization for typical use cases. OpenVPN is still the tried-and-true heavyweight champion, so it is an ideal choice for nearly all users. WireGuard has already proven itself a contender, though, and it is more than ready for everyday use. In short, you can’t go wrong with either of these selections.
Mobile users should also consider IKEv2/IPSec, especially if you switch frequently between WiFi and mobile networks. WireGuard and OpenVPN are likely still faster on mobile, but the extra reliability is crucial, especially if you don’t have access to a kill switch in your VPN app.