Want to know which VPN protocol is best? In this guide, we demystify the topic of VPN protocols by highlighting the difference between each protocol and explaining which one is best.
People use Virtual Private Networks (VPNs) for a multitude of reasons. Some want to bypass government restrictions to access censored news or social media services, while others seek to encrypt their connections to prevent ISPs and local networks from tracking their web visits. It's even possible to use a VPN to access home TV services while on vacation.
No matter why you use a VPN, you're probably wondering which VPN protocol is best. If you're new to VPNs, you may have noticed that VPN clients offer different protocols, which can be a bit confusing.
At Bleeping Computer, we exclusively recommend VPNs with reliable protocols, ensuring you won't encounter services with insecure options. While this simplifies things, it's still essential to understand the main differences between the various VPN protocols available.
In this guide, we will shed light on the best VPN protocols. Whether you want to access censored content, safeguard your privacy, or optimize your gaming experience, understanding these protocols will help you make an informed choice.
What is a VPN protocol?
A VPN is a privacy service that allows you to encrypt your internet connection and conceal your IP address from the websites you visit. This prevents your data from being monitored by local networks, Internet Service Providers, or government agencies. The encrypted connection provided by a VPN can also secure you against hackers on public WiFi.
In order to provide these privacy and security benefits, a VPN application must encrypt your data and tunnel it to a VPN location. The VPN protocol is a technology that allows the VPN to tunnel your data securely to the VPN server location you select in the application.
It consists of various rules and procedures that govern how data packets should be transmitted from your device to the VPN server. The key thing to remember is that the VPN protocol includes everything that your device needs to establish a secure connection to the VPN server. This includes all the cryptographic elements required to lock your data away from prying eyes.
As you have probably already realized, there are numerous VPN protocols. Some of those are tired-and-tested and have been available for many years. Others are newer and have been developed to improve the VPN’s overall performance.
Of course, there are also some protocols that are old and have become too weak to be employed for privacy and security purposes. VPNs that use these protocols are putting you at risk.
What are the different VPN protocols?
In this section, we have included a list of VPN protocols. These protocols are all currently used by some VPN providers. However, they are not all reliable or safe, so it is important to understand which ones should be avoided:
- OpenVPN: Fast speeds, high security, and excellent reliability.
- WireGuard: One of the fastest VPN protocols, minimal code base, high security, and great reliability.
- IKEv2/IPsec: Strong security and excellent compatibility with iOS and Mac.
- SSTP: Proprietary protocol with decent security and great Windows compatibility.
- L2TP/IPsec: Slower speeds, potential for easy blocking, and some security concerns.
- PPTP: Fast speeds but lacks privacy and security reliability.
Each VPN protocol has its strengths and weaknesses. Which VPN protocol you opt for will depend on your security needs, the devices you use, and your speed requirements. The section below will provide additional information about each protocol to help you pick.
Here are the most common VPN protocols in more detail:
1. OpenVPN
OpenVPN has been the most popular VPN protocol for around two decades. Since its initial release in 2001, the OpenVPN protocol gained widespread adoption due to its open-source nature, robust security features, and flexibility across various platforms and devices.
The OpenVPN protocol is maintained and updated by the OpenVPN project. This community is made up of many developers and contributors, including people who work for OpenVPN Inc. and independent individuals who are part of the broader OpenVPN community.
The primary drawback of the OpenVPN protocol is that it has an absolutely massive code base that requires a significant amount of time to audit. In total, the OpenVPN protocol is made up of around 70,000 lines of code.
This includes support for two different cryptographic libraries, meaning that VPN providers aren’t bound to the OpenSSL cryptographic library. As a result, VPN providers are free to implement OpenVPN using advanced authentication methods, including a username and password, two-factor authentication, and certificate-based authentication. It is also compatible with Perfect Forward Secrecy for added security.
Due to its large size, the OpenVPN protocol relies on public and private funding in order to engage in security audits. In 2017, OpenVPN was audited with money raised by OSTIF. The audit proved that the protocol is secure and allowed the OpenVPN project to carry out various improvements that helped to shore up the protocol further. As long as VPNs implement the OpenVPN protocol using the latest standards published by the OpenVPN project, the protocol is secure against attacks.
Until recently, most market-leading VPNs implemented OpenVPN as the primary protocol in their Windows, Android, and macOS apps. However, this has begun to change due to the growing popularity of the WireGuard protocol. On iOS, VPNs sometimes provide OpenVPN but often opt for an alternative protocol because of the difficulties involved in creating an iOS OpenVPN client.
VPNs that provide OpenVPN usually allow users to connect using two different versions of the protocol: OpenVPN UDP and OpenVPN TCP.
- UDP stands for User Datagram Protocol. UDP is the recommended version of OpenVPN for faster speeds and is ideal for tasks such as streaming, gaming, torrenting, and video calls due to its lower data verification requirements and resilience to packet loss.
- TCP stands for Transmission Control Protocol. TCP establishes a reliable and error-checked connection before commencing data transfer. This makes it a solid option for anybody suffering from disconnection issues or other connectivity issues when using OpenVPN UDP. The robust connection provided by OpenVPN TCP makes it a solid option for web browsing, file transfers, and private email communications. However, it is also slower than OpenVPN UDP.
OpenVPN is a great all-around VPN protocol that can provide users with both decent speeds and strong data security. This makes it a solid option for anybody who wants to gain privacy or data security, whether at home, at work, or on public WiFi.
Another advantage of OpenVPN is that it can be implemented with various additional layers of obfuscation. This includes Obfsproxy, Stunnel, XOR, SSL and TLS tunneling, and Shadowsocks bridges. This can allow OpenVPN to bypass firewalls and Deep Packet Inspection (DPI) methods that aim to detect VPN usage.
2. WireGuard
WireGuard is a VPN protocol developed by Jason Donenfeld in 2015 to provide strong security and fast connections that cater to the needs of modern VPN users.
One of the key benefits of the WireGuard protocol is that it has a minimalist codebase. This means that anybody with the technical knowledge to do so can audit the code in a short period of time. This makes it much cheaper to maintain and update, allowing the open-source community to spot any possible flaws or vulnerabilities quickly.
WireGuard uses modern cryptographic components such as the Noise protocol framework for authentication, ChaCha20 for encryption, and Curve25519 for key exchange, ensuring both speed and robust security. It also implements Perfect Forward Secrecy, which makes it comparable with popular protocols like OpenVPN and IKEv2.
This makes WireGuard a fantastic all-rounder that is well-suited for data-intensive tasks like streaming and gaming, as well as for gaining online privacy and data security.
WireGuard is modular, which means that if any of its cryptographic primitives are found to be vulnerable, the problematic component could easily be swapped out to update and fix the protocol.
However, this would mean that VPN services would have to temporarily block the protocol for security reasons, and then push an update to all of their users (the fix would involve updating all the servers and all the VPN clients, which might take a little time).
Due to its simplicity, fast speeds, and the efficacy with which it provides secure data transfers, WireGuard is quickly becoming the go-to default protocol for leading VPN providers. Some services, such as AtlasVPN, have built their entire client around this protocol.
Similar to OpenVPN, WireGuard can support obfuscation to bypass censorship and prevent DPI from detecting VPN use, making it a versatile choice for users looking for top speeds without compromising security.
WireGuard's biggest issue revolves around its IP address assignment method. WireGuard does not assign a new or different IP address to the user for each session. Instead, it uses the same IP address for every connection the user makes.
This approach helps to boost WireGuard's speed but it also means the VPN server retains records of the user's actual IP addresses and connection timestamps. Consequently, anyone with access to the logs can identify who accessed the VPN server and when. No-logs VPNs must address this concern by deleting this data at the end of each session (or setting up a double NAT system).
NordVPN tackled this problem in its WireGuard fork (NordLynx) by implementing a double NAT system. This innovative approach helps mitigate the issues and prevents user IP addresses from being logged on the WireGuard server.
3. IKEv2
IKEv2 (Internet Key Exchange version 2) is a widely used VPN protocol known for its speed, stability, and reliable security. It was developed as a replacement for its predecessor, IKEv1, which was deprecated due to performance and security issues that made it vulnerable to Man-in-the-Middle attacks.
IKEv2 is designed to establish a secure and efficient connection between devices. It offers fast connections comparable to those provided by OpenVPN UDP.
One benefit of IKEv2 is that it can be paired with the trusted IPsec (Internet Protocol Security) suite, offering authentication and encryption. This allows support for various encryption algorithms, although most leading VPNs implement IKEv2/IPsec using AES-256, the same cipher used in OpenVPN. It is also compatible with Perfect Forward Secrecy for added security.
The great thing about IKEv2 is that it can quickly reconnect and reestablish a connection when switching between networks, this provides a seamless experience when moving between WiFi and mobile data, or when rejoining a network following an interruption (such as emerging from an underground train system, for example).
One of the main reasons for its inclusion in modern VPN applications is its native compatibility with iOS and macOS. Those platforms can be pretty hard to implement with OpenVPN, which is why IKEv2 is often offered as an alternative. Thus, IKEv2/IPsec is commonly offered in iOS and Mac VPN clients, while OpenVPN is more prevalent on Android and Windows.
Perhaps the biggest caveat with IKEv2 is that it can be implemented in numerous ways, which means it is important to subscribe to a reputable provider that implements it to a secure standard.
IKEv2 is generally a decent all-rounder that has the ability to connect to a server quickly, offers great speeds for streaming, gaming, and making video calls, and offers reliable data privacy and security.
4. SSTP (Secure Socket Tunneling Protocol)
SSTP is a VPN protocol designed by Microsoft to offer reliable compatibility with the Windows operating system. As with the other protocols we have mentioned, SSTP provides a secure tunnel for transmitting data between the user's device and a VPN server.
Like OpenVPN, SSTP leverages 256-bit AES encryption for data security and 2048-bit SSL/TSL certificates for authentication. This allows it to provide reliable and secure connections.
Due to its convenient compatibility with Windows, it is most often found in Windows VPN applications. However, its proprietary nature, as well as the fact that it was created by Microsoft, often puts it out of favor with staunch privacy advocates. We will note that these criticisms are largely unsubstantiated, and while it is true that Microsoft has previously worked with the NSA, there is no evidence to prove that SSTP has a backdoor.
Thus, the protocol is generally considered reliable and is particularly useful for connecting to a VPN on networks that implement strict firewalls due to its use of TCP port 443. This is the same port used by HTTPS traffic, which makes it hard to block. As with OpenVPN and IKEv2, SSTP also supports Perfect Forward Secrecy.
One notable drawback of SSTP is its resource-intensive nature, requiring more CPU power than some other protocols. As a result, it may cause slower performance on machines with limited processing power. However, on faster machines with ample resources, SSTP delivers excellent connection speeds.
While SSTP has its critics due to being closed-source and resource-intensive, it can be a suitable option for Windows VPN users who need to bypass network firewalls that may prevent other VPN protocols from connecting.
5. L2TP/IPsec
L2TP/IPsec (Layer 2 Tunneling Protocol with IPsec) combines L2TP for tunneling and the IPsec suite for encryption. The protocol is generally considered secure, though there are rumors that it may have been weakened by the NSA, meaning that anybody with a heightened threat model may want to give it a miss.
The protocol is a little sluggish due to the fact that it uses double encapsulation for data. It is also fairly easy to block this protocol using a firewall, which makes it less reliable for bypassing local area network restrictions, and less likely to work in countries where ISPs block VPN connections.
One advantage of L2TP/IPsec is that it is supported natively by many operating systems. You can connect to the VPN using most devices without the need for a third-party client. This makes it a popular option for people who want to connect to a VPN manually.
6. PPTP (Point-to-Point Tunneling Protocol)
Point-to-Point Tunneling Protocol (PPTP) was one of the first VPN protocols ever developed. It offered basic encryption for secure data transmission, and when initially released in 1995, it allowed employees to access business networks securely to work remotely.
Unfortunately, as time passed, PPTP was found to harbor significant vulnerabilities. This led to it being deprecated. These days, PPTP's outdated encryption makes it vulnerable to attacks and data interception, which is why it is considered too weak for privacy or security purposes.
As a result of these concerns, most popular VPN providers have completely removed support for PPTP from their applications. Even if you find a VPN that has PPTP, we advise against using it due to its lack of robust security measures.
On the other hand, anybody who wants to change their IP – but doesn’t specifically require privacy for their connection – may find that PPTP is quite helpful.
That said, you would still be better off using a modern protocol like WireGuard; so the point is largely mute. Overall, we commend leading VPNs for excluding PPTP in their apps in favor of user security and privacy.
What are the best VPN protocols?
The most secure and reliable VPN protocols currently available in consumer-facing VPNs are:
- OpenVPN
- Wireguard
- IKEv2
We recommend using these protocols whenever possible, depending on your individual needs. Each protocol has its own benefits, so be sure to read this article thoroughly to understand which protocol to use and when.
How do VPN protocols differ?
VPN protocols differ in several key ways, including the level of security, speed, compatibility with devices and networks, and the underlying technology they use for encryption and tunneling. Some protocols are more stable and offer better reliability for tasks, such as streaming. Others have stronger encryption and are better for privacy purposes.
That said, it is worth noting that while each protocol differs slightly in how it establishes a connection and communicates with the VPN server, the underlying process is always the same:
- The VPN establishes a secure connection with the VPN server.
- The VPN client encrypts your data and sends it to the VPN server.
- The VPN server decrypts your data and sends it to its final destination (the website or service you asked to use).
- The VPN receives data back from the website you’re communicating with, encrypts it, and sends it back to your device.
- The VPN client decrypts the data on your device so that you can see it.
Below, we have included additional information about how VPN protocols differ:
1. Security
Some VPN protocols, such as OpenVPN and IKEv2/IPsec, offer robust encryption using advanced algorithms like AES (Advanced Encryption Standard) or ChaCha20. This type of encryption is considered futureproof, has been thoroughly audited by security experts, and ensures that your data remains private even if it is intercepted.
Older protocols such as PPTP use less secure encryption methods, which makes them more susceptible to vulnerabilities and could allow hackers, government agencies, or other third parties to intercept your data.
2. Speed
Some VPN protocols are faster than others. This makes them better for data-intensive activities such as torrenting, gaming, and streaming. Others are sluggish because they are prone to losing packets (resulting in retransmission) or suffer from other overheads.
3. Compatibility
Some protocols are easier for your device to use natively meaning that they don’t require any extra code. Others are more complicated and require you to install specific drivers and clients in order to be able to use them to connect to the VPN server.
4. Reliability
Some protocols are extremely robust and will stay connected for a longer period, transmitting your data securely without disconnecting from the VPN server. Others have a tendency to drop out, which could cause you to leak unprotected data to local networks, ISPs, or other snoops such as government agencies or cybercriminals.
5. Obfuscation and firewall bypassing
Some VPN protocols are designed to provide a stealthy connection that is hard to detect and can allow you to bypass network restrictions or censorship. These types of protocols are better for use in countries like China, Russia, and Iran, where ISPs often use firewalls to block VPNs and Deep Packet Inspection to detect VPN use.
6. Security auditing
Some VPN protocols are open source and have been thoroughly audited by reputable, independent security auditors. Open-source protocols are generally seen as a safer option.
Some comprise large code bases, which makes them harder to audit. This makes it hard for individuals to audit those protocols, and can significantly raise the cost of auditing. Other protocols have smaller code bases that any individual with technical knowledge can check.
Finally, some VPN protocols are proprietary. These are closed-source implementations that cannot be inspected by the community at large. These can only be audited by an authorized third party that has been commissioned by the VPN provider – usually at its own expense.
How do you choose a VPN protocol?
Choosing a reliable VPN protocol starts well before you subscribe to a VPN service. VPN providers continuously keep track of developing circumstances and technologies to ensure their protocols remain up-to-date and secure. This means that VPN protocols have a significant impact on how reliable VPNs develop their apps and services.
Similarly, we also consider VPN protocols carefully when making recommendations to our readers. Some protocols are outdated and will put their users’ data at risk of interception by government snoops, hackers, and other eavesdroppers. That is why we always consider VPN protocols as part of our review methodology.
It is our job to recommend VPNs that offer reliable protocols that are implemented securely. Our review process and tenting methods ensure that all the VPNs you find on our site are safe to use.
That said, it is a great idea to understand the different VPN protocols that are available so that you can make a more informed choice when picking a VPN provider. This will allow you to choose a VPN service that has the best VPN protocol for your specific needs and priorities.
Which VPN protocol should I use?
Most market-leading VPNs are beginning to favor WireGuard as their default protocol. This is understandable because, in addition to offering high levels of security, it is lightning-fast. This makes WireGuard a fantastic option for the average home internet user who desires privacy while maintaining decent speeds for streaming, torrenting, gaming, and making video calls.
That said, WireGuard's status as a relatively new protocol may lead some privacy advocates to be cautious. However, it is essential to note that WireGuard is built using trusted cryptographic primitives and has undergone multiple audits, which increases trust in its reliability.
Perhaps the biggest disadvantage of WireGuard is that it is cryptographically opinionated. If a flaw is found in one of its components, both the server and client-side will need updates. This is different from protocols like OpenVPN, which can be updated between sessions on the server side.
The ability to update the protocol server-side without requiring client-side updates is one of the advantages of OpenVPN's design. It allows VPN providers to improve security, performance, and other aspects of the protocol without inconveniencing their users with frequent software updates.
One of WireGuard’s primitives breaks, there will be a period when the protocol is unavailable and the VPN provider has to scramble to fix its service. Unfortunately, there is no concrete way to know when this might happen – but it almost certainly will happen, eventually.
Due to this underlying issue, it is wise for VPN services to offer a secure alternative to WireGuard in their clients. This will allow subscribers to connect to the VPN during any potential future WireGuard protocol downtime. Of these alternatives, we recommend OpenVPN and IKEv2 above the others.
OpenVPN is a tried and tested protocol that offers robust privacy and security. It has undergone rigorous audits and remains the VPN protocol of choice for users with elevated threat models, such as journalists, lawyers, and political activists. IKEv2 also uses strong AES-256 encryption, which makes it a viable alternative, particularly for users on Mac and iOS. On that note, most providers will offer a range of secure protocols for mobile devices.
What is a custom or proprietary VPN protocol?
Some VPN providers have developed their own protocols, such as Lightway from Hotspot Shield. These proprietary protocols are designed to provide faster speeds for their users, which makes them an outstanding option for users who favor fast speeds above all else.
Although VPN providers always claim that their proprietary protocols are secure, we would urge you to remember that it is impossible for the open-source community to verify the security of these protocols.
Closed-source software relies on trust – or verification by audits carried out by a reputable third-party security company. In some cases, VPNs may have undergone third-party audits of their proprietary protocols. If this is the case, you may feel comfortable using this protocol for privacy and security purposes.
That said, there is no definite way for us to verify the security of closed-source VPN protocols. For this reason, we cannot be absolutely sure that these protocols offer similar levels of privacy to protocols like OpenVPN, WireGuard, and IKEv2.
We recommend that you only use these protocols for non-critical use purposes such as streaming Netflix on vacation, or for online gaming privacy on public WiFi. If you need to use a VPN to protect sensitive data or to gain privacy in countries with overreaching surveillance, we would recommend steering away from proprietary protocols. However, it is worth noting that proprietary protocols tend to have some of the best connection speeds, as they are specifically designed to work with the VPN in question.
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now