VPNs rely on VPN protocols to establish a tunnel that keeps your online traffic secure and private over the internet.
In this guide, you will learn what a VPN protocol is and the various types of VPN protocols.
A VPN protocol determines how data is exchanged between your device and the VPN server. Among the available VPN protocols, OpenVPN is often regarded as the best for privacy and security. It is compatible with most encryption algorithms, is stable with fast speeds, and vulnerabilities in it are rare. Moreover, almost all VPN providers support it.
You can substitute OpenVPN with other VPN protocols such as IKEv2/IPSec or WireGuard. IKEv2/IPSec is known for stability, while WireGuard offers the fastest speeds. Both are secure.
Read on to find more about VPN protocols.
What is a VPN Protocol?
A VPN protocol is the set of instructions and rules that outline how a connection should be made between your device and the VPN server. The protocol partly determines the connection speed and may use encryption algorithms to help keep your data secure.
Different protocols have different parameters and specifications. These include authentication techniques, error-correction types, address format, and data packet size, among other things.
This guide focuses on security and privacy, speed, and stability.
Notable VPN protocols supported by most commercial VPN providers include PPTP, L2TP/IPSec, SSTP, OpenVPN, IKEv2/IPSec, and WireGuard.
Without further ado, let’s get started!
A brief comparison of various standard VPN protocols:

| Protocol | Speed and stability | Notes | Recommended use |
| --- | --- | --- | --- |
| OpenVPN | TCP: moderate speed, high stability. UDP: fast speed, moderate stability. | Open-source and preferred by many. Vulnerabilities are rare and get fixed. | Highly recommended when privacy and security are top priorities. |
| IKEv2/IPSec | (TCP) Fast speed, very high stability. | Closed-source and open-source versions. Works well with mobile devices. | Use on mobile phones or when regularly switching networks. |
| WireGuard | Very fast speed, good stability. | Open-source. Relatively new and still under development. | Use for speed; however, there are privacy concerns. |
| SoftEther | Very fast speed, high stability. | Open-source and new. Many providers do not implement it. | Use for speed and security. |
| PPTP | Very fast speed, moderate stability. | Outdated. Compromised by the NSA. It can be hacked. | Not recommended (poor privacy and security). Use for speed. |
| L2TP/IPSec | Good speed, good stability. | Outdated. Vulnerable to MITM attacks (pre-shared keys). The NSA may have compromised it. | Not recommended (can be vulnerable). Use when other protocols have failed. |
| SSTP | Fast speed, good stability. | Closed-source. Vulnerable to POODLE MITM attacks. Owner's association with the NSA. | Can bypass some restrictions. Use when other protocols have failed. |
Commonly Used VPN Protocols
These are the protocols most reputable VPN providers prefer to offer. They are very secure, fast, and stable, and they are not easily compromised.
They are as follows:
OpenVPN
OpenVPN is the industry gold standard among VPN protocols. It is open source and builds on the OpenSSL library alongside other security technologies. OpenSSL is a toolkit for SSL/TLS and cryptography, which is what secure end-to-end communication needs.
OpenVPN is the most secure VPN protocol and is also highly configurable. OpenSSL provides all the encryption and authentication needed, so OpenVPN can use the various ciphers that the OpenSSL library offers. Most VPN providers prefer the Blowfish and AES ciphers.
Encryption is applied on the data channel as well as the control channel. Data-channel encryption secures your data, while control-channel encryption secures the connection itself.
This makes sure neither your VPN connection nor your data is at risk. However, most VPN providers use the strongest encryption on the control channel rather than on the data channel.
Most commonly, OpenVPN uses the strongest encryption available: a 256-bit cipher, an RSA-4096 handshake, and SHA-512 hash authentication. It can also add HMAC authentication and Perfect Forward Secrecy.
It even uses hardware acceleration for improved performance.
Being open source, OpenVPN has been audited by various entities and found secure, with no severe vulnerabilities.
When vulnerabilities are discovered, they are usually patched quickly. Additionally, it cannot be weakened even by government agencies, especially when Perfect Forward Secrecy is used.
OpenVPN TCP and OpenVPN UDP
Besides the impeccable security, OpenVPN also offers speed and reliability through its two transport options: OpenVPN TCP for reliability and OpenVPN UDP for speed.
OpenVPN TCP and UDP can both run on port 443, the same port used for secure HTTPS web traffic. This makes OpenVPN connections hard to block. UDP can also be set to run on another port.
OpenVPN is recommended when security and privacy are of utmost importance. Due to its encryption overhead, OpenVPN might not suit low-latency tasks such as gaming; on a high-speed connection, however, this won't matter.
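As an added example (not code from the original guide or the OpenVPN project), the following Python script reads an OpenVPN client profile and reports the settings the two sections above discuss: the data-channel cipher, the HMAC digest, whether the control channel is additionally wrapped with tls-auth or tls-crypt, and whether the transport is TCP or UDP on port 443. The directive names are real OpenVPN options; the two sample profiles, the host name vpn.example.invalid and the "strong"/"weak" lists are this example's own constructions.

```python
"""Audit an OpenVPN client profile for the data-channel, control-channel and
transport settings discussed above. Added example; the directive names are
real OpenVPN options, the sample profiles and the strong/weak lists are
this example's own choices, not a provider's or the OpenVPN project's."""

# Constructed sample profiles (placeholder host, not a real provider's files).
GOOD_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 443
cipher AES-256-GCM      # data channel: AEAD cipher
auth SHA512             # HMAC digest for non-AEAD ciphers and tls-auth
tls-version-min 1.2
tls-crypt ta.key        # encrypt + authenticate the control channel
remote-cert-tls server  # only accept a certificate marked as a server cert
"""

WEAK_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.invalid 1194
cipher BF-CBC
auth MD5
"""

STRONG_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305", "AES-256-CBC"}
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}


def parse_profile(text):
    """Return {directive: [args]} for a .ovpn/.conf body.

    '#' and ';' start comments; inline <ca>...</ca> style blocks are skipped.
    """
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        opts[parts[0].lower()] = parts[1:]
    return opts


def transport(opts):
    """Return (proto, port) the profile will use; 'udp' and 1194 are OpenVPN's defaults."""
    proto = (opts.get("proto") or ["udp"])[0].lower()
    proto = "tcp" if proto.startswith("tcp") else "udp"
    remote = opts.get("remote") or []
    port = int(remote[1]) if len(remote) > 1 else int((opts.get("port") or ["1194"])[0])
    return proto, port


def audit(opts):
    """Return a list of findings; an empty list means nothing weak was spotted."""
    findings = []
    # Historical defaults: cipher BF-CBC (before OpenVPN 2.5) and auth SHA1.
    cipher = (opts.get("cipher") or ["BF-CBC"])[0].upper()
    if cipher in WEAK_CIPHERS:
        findings.append(f"weak data-channel cipher {cipher}")
    elif cipher not in STRONG_CIPHERS:
        findings.append(f"unrecognised data-channel cipher {cipher}; review it")
    digest = (opts.get("auth") or ["SHA1"])[0].upper()
    if digest in WEAK_DIGESTS:
        findings.append(f"weak HMAC digest {digest}")
    if "tls-crypt" not in opts and "tls-auth" not in opts:
        findings.append("control channel not protected by tls-auth/tls-crypt")
    if "remote-cert-tls" not in opts:
        findings.append("missing 'remote-cert-tls server' (server certificate role not enforced)")
    if "tls-version-min" not in opts:
        findings.append("tls-version-min not set; older TLS versions may be negotiated")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_PROFILE), ("weak", WEAK_PROFILE)):
        opts = parse_profile(text)
        print(name, transport(opts), audit(opts) or "no findings")
```

Running the script prints the transport and the findings for each profile; the weak one shows how a profile that still relies on the old BF-CBC/MD5 settings and has no control-channel protection looks to a reviewer.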
OpenVPN relies on third-party client software to work on most VPN-capable devices. Almost all VPN providers offer this protocol.
The OpenVPN project also provides its own OpenVPN clients/apps that can be used on their own, though they involve manual configuration.
Advantages of OpenVPN
- Impeccable security using Perfect Forward Secrecy.
- Compatible with a range of ciphers (configurable).
- It easily bypasses firewalls/restrictions.
- Almost every VPN provider offers it.
- It has been tested, audited, and proven.
- It includes UDP and TCP.
- Hard to weaken.
Disadvantages of OpenVPN
- High encryption overhead.
- Not very fast.
- Heavy code base.
- It needs third-party software for compatibility.
IKEv2/IPSec
This protocol is also written as IKEv2/IPsec. Internet Key Exchange version 2 (IKEv2) is a tunneling protocol that, as its name suggests, is used to exchange keys securely.
To be used as a VPN protocol, it needs another protocol for encryption and authentication, which is why it is paired with IPSec.
As in L2TP/IPSec (covered below), IPSec provides the secure channel and allows various encryption algorithms, so you can get up to 256-bit encryption with this protocol.
Since IKEv2 is a key exchange protocol, it uses the Diffie-Hellman key exchange and supports Perfect Forward Secrecy to protect its data.
The protocol is reliable, as it uses acknowledgments, error processing, transmission control, and built-in NAT (Network Address Translation) traversal.
It is also stable, as it automatically re-establishes dropped VPN connections more efficiently than other protocols.
Moreover, it supports mobility via the Mobility and Multihoming Protocol (MOBIKE), which lets users change networks while maintaining a secure connection.
IKEv2 is therefore well suited to mobile phones, which regularly switch between Wi-Fi and mobile data connections. This is also why IKEv2 is the built-in protocol on most VPN-capable mobile phones.
As an improvement over IKEv1, IKEv2 is faster and more efficient, consumes less bandwidth, and has no known vulnerabilities. Vulnerabilities arise when VPN providers implement it poorly.
IKEv2 was originally developed jointly by Microsoft and Cisco and was compatible with BlackBerry, iOS, and Windows 7.
However, many implementations of IKEv2 are now open source and support other platforms.
A good VPN that uses IKEv2 is NordVPN.
Advantages of IKEv2/IPSec
- Seamless fast speeds.
- Maximum protection via AES.
- Stable auto-reconnections.
- You can change networks without worries.
- Secure, without known vulnerabilities.
- Supports BlackBerry devices and other platforms.
Disadvantages of IKEv2/IPSec
- Poor implementation can lead to problems.
- Closed-source versions exist.
- Can suffer from firewall restrictions.
WireGuard
WireGuard is a relatively new open-source protocol that is simple and easy to use. It was designed to be faster than IPSec and more efficient than OpenVPN.
Although still under development, most reputable VPN providers have adopted WireGuard as one of their main protocols. Others offer a tweaked version of it under a different name.
WireGuard uses state-of-the-art cryptography to keep your internet traffic safe, including newer ciphers that other protocols have not adopted.
For encryption it uses ChaCha20, which is very secure and performs faster than the common AES, even on mobile devices.
This state-of-the-art cryptography also ensures that quantum computing won't break the encryption easily.
Its code base is also small, which keeps the attack surface minimal.
The code can be reviewed quickly, even by individuals, unlike OpenVPN's bulky code base. The smaller the code, the easier it is to audit and to identify vulnerabilities and weaknesses.
Since even its encryption is faster on mobile phones, WireGuard boasts high performance. It also uses a simple network interface that can be configured easily.
With efficient encryption, WireGuard uses the least bandwidth. Its connections rely on UDP. Thanks to its high performance, WireGuard offers the fastest speeds.
Despite all this, WireGuard's default configuration keeps a record of your static IP address, which is a significant privacy concern for many users.
Also, being relatively new and under development, it still needs more testing.
WireGuard is compatible with almost all computing platforms. It is suitable for speed-intensive tasks, doesn't consume much power, and offers secure encryption.
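As an added example (not from the original guide or the WireGuard project), this Python snippet parses a WireGuard configuration in its [Interface]/[Peer] format and checks the points made above: keys must be 32-byte Curve25519 values in base64, a peer's AllowedIPs decides whether all traffic is routed through the UDP tunnel, and the static tunnel addresses pinned in the configuration are the values the privacy note refers to. The sample configuration, the host name vpn.example.invalid and the placeholder keys are constructed.

```python
"""Parse and sanity-check a WireGuard configuration. Added example; the
[Interface]/[Peer] format and the key names are WireGuard's own, the sample
values below are constructed placeholders."""
import base64
import hashlib
import ipaddress

# Constructed placeholder keys: 32 deterministic bytes, NOT real Curve25519 keys.
PLACEHOLDER_PRIV = base64.b64encode(hashlib.sha256(b"placeholder private key").digest()).decode()
PLACEHOLDER_PUB = base64.b64encode(hashlib.sha256(b"placeholder public key").digest()).decode()

SAMPLE_WG_CONF = f"""\
[Interface]
PrivateKey = {PLACEHOLDER_PRIV}
Address = 10.8.0.2/32          # static tunnel address assigned to this client
DNS = 10.8.0.1

[Peer]
PublicKey = {PLACEHOLDER_PUB}
AllowedIPs = 0.0.0.0/0, ::/0   # route everything through the tunnel
Endpoint = vpn.example.invalid:51820   # WireGuard speaks UDP only
PersistentKeepalive = 25
"""


def parse_wg(text):
    """Return (interface_dict, [peer_dict, ...]) from the INI-like config."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif current is not None:
            # Split on the FIRST '=' so base64 padding in the value survives.
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers


def is_wg_key(value):
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def check_wg(interface, peers):
    """Return a list of findings; an empty list means the config is well-formed."""
    findings = []
    if not is_wg_key(interface.get("PrivateKey", "")):
        findings.append("Interface.PrivateKey is not a 32-byte base64 key")
    if not peers:
        findings.append("no [Peer] section")
    for n, peer in enumerate(peers):
        if not is_wg_key(peer.get("PublicKey", "")):
            findings.append(f"peer {n}: PublicKey is not a 32-byte base64 key")
        allowed = [a.strip() for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        if not allowed:
            findings.append(f"peer {n}: AllowedIPs missing (peer would route nothing)")
        for net in allowed:
            try:
                ipaddress.ip_network(net, strict=False)
            except ValueError:
                findings.append(f"peer {n}: bad AllowedIPs entry {net!r}")
        endpoint = peer.get("Endpoint")
        if endpoint is not None and not endpoint.rsplit(":", 1)[-1].isdigit():
            findings.append(f"peer {n}: Endpoint must end in :port")
        keepalive = peer.get("PersistentKeepalive")
        if keepalive is not None and not (keepalive.isdigit() and int(keepalive) <= 65535):
            findings.append(f"peer {n}: PersistentKeepalive must be 0-65535 seconds")
    return findings


def full_tunnel(peers):
    """True if any peer's AllowedIPs contains a default route (prefix length 0)."""
    for peer in peers:
        for net in peer.get("AllowedIPs", "").split(","):
            try:
                if net.strip() and ipaddress.ip_network(net.strip(), strict=False).prefixlen == 0:
                    return True
            except ValueError:
                continue
    return False


def static_addresses(interface):
    """The tunnel addresses pinned in the config: the static IP the privacy note refers to."""
    return [a.strip() for a in interface.get("Address", "").split(",") if a.strip()]


if __name__ == "__main__":
    iface, peers = parse_wg(SAMPLE_WG_CONF)
    print("findings:", check_wg(iface, peers) or "none")
    print("all traffic tunneled:", full_tunnel(peers))
    print("static tunnel addresses:", static_addresses(iface))
```

A client that receives an AllowedIPs entry narrower than 0.0.0.0/0 is running a split tunnel, so `full_tunnel` returning False is worth flagging before trusting the configuration for privacy.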
Advantages of WireGuard
- High performance with very fast speeds.
- Light code base.
- Works well even on mobile phones.
- Low bandwidth consumption.
- Excellent security.
- No known vulnerabilities.
Disadvantages of WireGuard
- Only uses UDP.
- Easy to block.
- It is still under development.
- Risky default configuration (IP logging).
Outdated VPN Protocols
These are protocols that most reputable VPN providers stopped offering due to their vulnerabilities. However, a majority of VPN providers still make them available.
The protocols include:
PPTP
Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN protocols. The protocol itself does not specify how security should be implemented.
It relies on various other authentication methods to provide security, such as MS-CHAP v2. That authentication method is not secure and has several known weaknesses and vulnerabilities.
For encryption, PPTP relies on the RC4 stream cipher with a 128-bit key. RC4 is fast and lightweight, but it is also vulnerable to dictionary attacks, brute-force attacks, and even bit-flipping.
Combined with MS-CHAP v2, PPTP is not recommended for privacy and security. Over a decade ago, an exploit against MS-CHAP v2 allowed PPTP to be cracked within two days, and newer tools at the time boasted cracking it in less than 24 hours.
Nonetheless, you can use PPTP for high-speed tasks. It is easy to set up (no additional software) and has a very low computational overhead.
Hence, to this day, PPTP remains a standard for corporate and commercial VPN services. It is also a built-in VPN protocol on most VPN-capable devices.
PPTP uses TCP port 1723, which also makes it easier to block.
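To make concrete why the guide calls RC4 "vulnerable to bit-flipping", here is an added Python demonstration (not from the original guide, and deliberately not a model of PPTP's actual MPPE framing). A stream cipher XORs a keystream into the data, so with no integrity check a change to the ciphertext produces a predictable change to the decrypted data, key or no key. The second half shows the defence that protocols such as OpenVPN and IPSec apply: an HMAC over the ciphertext, which rejects the altered message. RC4 is implemented inline for illustration, and the key and message are constructed.

```python
"""Stream-cipher malleability versus an HMAC integrity check. Added example
for illustration only; RC4 is implemented inline (it is a public, obsolete
cipher), the key and message are constructed, and nothing here models PPTP's
real MPPE framing."""
import hashlib
import hmac


def rc4(key, data):
    """RC4: key scheduling, then XOR the generated keystream into data (encrypts and decrypts)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def tamper_without_key(ciphertext, offset, known_plain, desired_plain):
    """Because c = p XOR k, XORing (known XOR desired) into c changes the
    decrypted bytes from known_plain to desired_plain; no key is involved."""
    assert len(known_plain) == len(desired_plain)
    c = bytearray(ciphertext)
    for k, (a, b) in enumerate(zip(known_plain, desired_plain)):
        c[offset + k] ^= a ^ b
    return bytes(c)


def derive_keys(master):
    """Separate encryption and MAC keys, as encrypt-then-MAC designs require."""
    return (hashlib.sha256(b"enc" + master).digest(),
            hashlib.sha256(b"mac" + master).digest())


def protect(master, msg):
    """Encrypt-then-MAC: ciphertext followed by a 32-byte HMAC-SHA256 tag."""
    enc_key, mac_key = derive_keys(master)
    ct = rc4(enc_key, msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_protected(master, blob):
    """Verify the tag in constant time before decrypting; None means tampered."""
    enc_key, mac_key = derive_keys(master)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return rc4(enc_key, ct)


MASTER = b"constructed demo key, not a real secret"


def demo():
    """Return (bare RC4 plaintext after tampering,
               authenticated result for the genuine message,
               authenticated result for the tampered message)."""
    msg = b"PAY 0100 TO ALICE"
    # 1. Bare RC4 with no integrity check: the edit goes through silently.
    ct = rc4(MASTER, msg)
    tampered_ct = tamper_without_key(ct, 4, b"0100", b"9900")
    bare_result = rc4(MASTER, tampered_ct)
    # 2. Encrypt-then-MAC: the same edit is detected and the message rejected.
    blob = protect(MASTER, msg)
    tampered_blob = tamper_without_key(blob, 4, b"0100", b"9900")
    return bare_result, open_protected(MASTER, blob), open_protected(MASTER, tampered_blob)


if __name__ == "__main__":
    bare, genuine, forged = demo()
    print("bare RC4 after tampering:", bare)
    print("authenticated, genuine:  ", genuine)
    print("authenticated, tampered: ", forged)
```

The lesson for choosing a protocol is the one the guide's table implies: encryption alone is not enough, and the newer protocols pair their cipher with authentication (HMAC or an AEAD mode) so that altered packets are dropped rather than decrypted.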
Advantages of PPTP
- Very fast speeds.
- Very easy to set up.
- A majority of VPN providers support it.
- Compatible with most platforms.
Disadvantages of PPTP
- Weak security and encryption.
- Doesn't increase your privacy.
- Government agencies or even tech-savvy individuals can easily crack it.
- Cannot bypass restrictions/easy to block.
- Multiple known vulnerabilities.
L2TP/IPSec
This protocol comprises two parts, although it is sometimes referred to simply as L2TP: the Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPsec).
L2TP is just a tunneling protocol: it creates the connection for data exchange but does not encrypt the data. Hence, it needs to be paired with a protocol that provides data encryption, which is IPSec's job.
When used together, L2TP is responsible for the tunnel while IPSec provides the secure channel. IPSec handles encryption, key exchange, and authentication, and it allows the use of various encryption algorithms.
L2TP/IPSec can use 256-bit encryption, which is very secure. However, most VPN providers don't implement this protocol as they should: they use pre-shared keys, which can be easily found, and that makes it weak.
Additionally, most experts strongly suggest that IPsec was weakened by the NSA while it was under development.
L2TP/IPSec is relatively slower than other protocols because of its double encapsulation. Like PPTP, this protocol also uses fixed ports, which makes it easier to block.
Nonetheless, you can use it when other protocols fail, as it offers good stability. It is easy to set up and is supported by almost all VPN-capable devices.
Advantages of L2TP/IPSec
- More secure than its predecessor, PPTP.
- Relatively stable.
- Easy to set up.
- Most VPN providers support it.
- Available on most computing platforms.
Disadvantages of L2TP/IPSec
- Reliance on fixed ports.
- It can be blocked.
- It can be compromised.
- Relatively slow.
- Poor implementations make it weak.
SSTP
Secure Socket Tunneling Protocol (SSTP) is a secure protocol that provides encryption using the SSL/TLS encryption standards.
These standards are also used to secure HTTP traffic. SSTP can secure the Point-to-Point Protocol (PPP, a communication protocol) and, in some cases, even L2TP.
Through the SSL/TLS channel, SSTP can use various ciphers that offer 256-bit encryption. However, SSL is susceptible to the POODLE man-in-the-middle (MITM) attack. With tight integration, SSTP can be as strong and stable as other very secure protocols.
The unique thing about SSTP is its use of port 443. This port carries HTTPS traffic, essentially most of your web activity.
This makes SSTP a stealth VPN protocol. It can bypass geo-blocks and is hard to block on firewalls, unless the firewall is willing to block web traffic as well.
If better protocols are not available, SSTP can help you bypass restrictions. When implemented correctly, it can offer good speeds, but at times it can suffer from TCP meltdown, which hinders reliability and performance.
SSTP is a Microsoft protocol and is supported by only a few platforms: Windows, Linux, and BSD. As a Microsoft protocol, SSTP is not available for public audit.
Also, Microsoft's cooperation with the NSA may make you stay away from this protocol, if privacy and security are your top priority.
Advantages of SSTP
- Stealthy; can bypass firewalls.
- Great Windows integration.
Disadvantages of SSTP
- Closed source.
- SSL is susceptible to MITM attacks.
- It can be compromised.
- Not widely supported/compatible.
Note: Avoid outdated protocols unless you are not concerned about your privacy and security. They can be your last resort when everything else is not working.
Rarely Used VPN Protocols
These are VPN protocols only used by a few VPN providers.
SoftEther
SoftEther is another open-source VPN protocol, known for its excellent security and fast speeds. It started as part of a Master's thesis at the University of Tsukuba.
Although it has not gained industry-wide traction, it has already showcased excellent results with the VPN providers that have adopted it.
SoftEther relies on OpenSSL for encryption and authentication, which gives it access to some powerful ciphers, including AES-256 and RSA-4096.
SoftEther also tunnels traffic through TCP port 443, like OpenVPN. Since this is the port for HTTPS traffic, SoftEther traffic won't be blocked easily.
This protocol boasts some of the best connection speeds. It has built-in NAT (Network Address Translation) traversal and an embedded dynamic DNS.
It also supports data compression and gives priority to VoIP traffic through quality-of-service handling.
Only two commercial VPNs offer the SoftEther protocol: Hide.me and CactusVPN. Unlike other protocols, it is not natively supported by computing platforms.
Advantages of SoftEther
- Fast speeds.
- Gets through restrictive firewalls.
- Can apply a range of ciphers.
Disadvantages of SoftEther
- Relatively new.
- Used by very few VPN providers.
- Not natively supported by any platform.
Proprietary VPN Protocols
These are protocols owned and controlled by a given VPN provider. They are created and customized solely for use within that provider's VPN service.
Other VPN providers cannot use these protocols, since they are closed source.
Proprietary VPN protocols are usually built to offer better connection speeds, security, and stability, and to overcome challenges found in commonly used protocols.
Some providers build their own from scratch, while others build upon existing open-source protocols.
Since they are not open source, no one knows what's under the hood except the providers. To inspire confidence, some providers state that their protocol has been independently audited and found to have no flaws.
Nonetheless, these protocols offer light code to minimize the attack surface, well-established cryptography with Perfect Forward Secrecy, UDP and TCP support, excellent stability, high performance, and other features.
Some of the best-known proprietary VPN protocols from reputable VPNs include Catapult Hydra, Chameleon, Lightway, and NordLynx.
Advantages of proprietary VPN Protocols
- Impeccable encryption.
- Fast connection speeds.
- High performance.
- Low bandwidth consumption.
- Ability to bypass censorship/firewall restrictions.
Disadvantages of proprietary VPN Protocols
- Closed source.
- Only a single provider uses each of them.
- One cannot know about vulnerabilities.
VPN protocols provide the guidelines and specifications for how a VPN connection should be made. Depending on the protocol in use, a VPN connection can be faster, more secure, or more stable.
Many VPN providers prefer the OpenVPN protocol, as it is a good all-rounder: it has the best security, good connection speeds, and reliability.
It also bypasses firewalls and other restrictions easily. If this protocol is not working well, you can use other protocols, such as WireGuard for fast speeds and IKEv2/IPSec for stability.
Both still give you good security. IKEv2/IPSec also works best with mobile phones and handles network changes efficiently.
If your VPN provider offers SoftEther, you can use it as well. It is an excellent balanced option, like the OpenVPN protocol.
If you can, avoid outdated protocols, unless privacy and security are not your top priority.
Which VPN protocol should I use?
The OpenVPN protocol is the recommended option. It offers impeccable security and privacy, incredible speeds, and stability.
Nonetheless, you can use other protocols depending on your requirements at the time: for instance, WireGuard for speed and IKEv2/IPsec for stability.
What is the most stable VPN protocol?
IKEv2/IPsec is the most stable VPN protocol. It allows you to switch between various networks while still providing a secure, reliable connection. You can also use other protocols such as OpenVPN, provided the VPN provider has a kill switch.
What is the fastest VPN protocol?
WireGuard is the fastest protocol. It is lightweight, uses minimal power, and is not heavy on your bandwidth. It also uses a new cipher and can handle network changes, somewhat like IKEv2/IPsec.
However, it is still under development, albeit with good uptake.
Which is better, OpenVPN TCP or OpenVPN UDP?
TCP is more reliable and stable, while UDP offers faster connection speeds. TCP provides error detection and control, acknowledgments, and even congestion control, which is why it is slower.
OpenVPN UDP just sends data without these controls, so it is usually used for streaming, VoIP services, and gaming.
Can I use a proprietary VPN protocol?
If you are okay with closed-source, then you can use proprietary VPN protocols. They offer better speeds, security, and even stability.
Others even offer excellent bypassing abilities. Usually, proprietary VPN protocols are built to overcome problems with current protocols.