What is the right VPN protocol for you?
WireGuard, obviously. Or Lightway. NordLynx? No, OpenVPN...
Browse the websites of most of the best VPN providers and you'll frequently find enthusiastic boasts about supporting this VPN protocol or that. Often the lists go on and on.
Which should you use, though? They don't always have quite so much to say about that.
One reason is there's no one-protocol-fits-all solution which is the best choice in every given situation. Your ideal option depends on a range of factors, from your device type and network setup to your security priorities and whatever it is you're trying to do.
Fortunately, you don't require ninja-level networking skills to figure this out. This feature looks at the most popular VPN protocols and talks about their strengths along with highlighting any potential weaknesses. Based on that information you should then have all the details you need to make much smarter protocol choices.
WireGuard
WireGuard may still be a fresh-faced newcomer in the VPN world, but it's made a real impact.
A real positive is the protocol is all about simplicity, throwing out much of OpenVPN's feature overload in favor of a stripped-back, minimalist design (more on that below).
Most users won't notice any difference in functionality. Connect with OpenVPN, for instance, and your traffic might be encrypted via AES, Camellia, ChaCha20, Poly1305, GOST 28147-89 and more; connect with WireGuard and it'll only get to use ChaCha20. But, as that's as secure as it gets, will you care very much? We suspect not.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Switching to WireGuard should give you a very noticeable difference in performance, though. Connection times can be just a couple of seconds (down from 10-20 seconds with some protocols), and in recent testing WireGuard's download speeds were at least twice as fast as anything we saw from OpenVPN. Take a look at our fastest VPNs countdown, and the top players all feature WireGuard (or at least a proprietary version based on it).
There are some complications. WireGuard isn't as flexible as OpenVPN, for example, and it may have more difficulty bypassing firewalls or getting online in VPN-unfriendly countries - trying to use your VPN in China, for example.
It's also not as well supported by VPN providers, or other devices. If your router supports VPNs, for instance, it's far more likely to use OpenVPN. You may be able to use WireGuard by installing OpenWRT, but that's another article altogether.
In general, though, WireGuard offers rock-solid security with leading-edge speeds, and it's a great protocol to try first.
OpenVPN
OpenVPN has been around for 20 years, which is a long time, but its mix of features, security and speed mean the protocol is still one of the market leaders.
The flexibility offered by OpenVPN is a big plus. When a VPN app connects via OpenVPN, it potentially has all kinds of options. Are you connecting via UDP, or TCP? Which port are you using? How can you log into the server? How should the server prove its identity to you? Which encryption algorithms are you using? And the list goes on.
All this functionality requires a lot of code though, making OpenVPN more complex than many competitors. It's an open-source project, however, which means anyone can look at the internals, confirm it's working properly, help fix any bugs they find or suggest better ways of doing something.
Still, OpenVPN does add more overhead to your VPN traffic than many competitors, with some very noticeable effects. IKEv2, WireGuard and many modern protocols can connect in a couple of seconds; OpenVPN often takes 10-20. In our recent speed tests, OpenVPN typically managed 200-400Mbps; WireGuard reached 450-900Mbps.
This won't make much difference to many users (how often have you needed more than 200Mbps on public Wi-Fi?), and OpenVPN still makes an excellent protocol choice for most users: flexible, secure, some handy features to get around firewalls, and it's fast enough for most situations.
But if you're looking for rapid connection times, less hassles on mobile devices as you move between networks, and the maximum possible download speeds, WireGuard or another modern protocol may give you better results.
L2TP/IPsec
L2TP (Layer 2 Tunneling Protocol)/IPsec (Internet Protocol Security), sometimes known as L2TP or just IPsec, is a Microsoft VPN protocol which is also supported on many other platforms and devices.
Admittedly, it doesn't have a lot of features, but there's enough to get by. L2TP can't match OpenVPN for its choice of encryption algorithms, for instance, but when using AES (the typical choice) it's as effective as anything else.
As with Microsoft's IKEv2, L2TP isn't designed to bypass firewalls. It typically uses UDP ports 500 and 4500, for instance, making it relatively easy to block.
A different concern appeared in 2013, when Edward Snowden's disclosures suggested that IPsec security had been compromised by the NSA. And even if you're not being watched by a nation state, if IPsec was bypassed ten years ago, it's highly likely others have figured out how to do the same by now.
This is all very theoretical, and in the real world, if you're just wanting to do some online shopping over public Wi-Fi, L2TP/IPsec is easy to set up and should keep you very secure.
It wouldn't be our first choice, though, and we'd opt for WireGuard, OpenVPN or a provider's own custom protocol first.
IKEv2
IKEv2 is the common name for IKEv2/IPsec protocol, or Internet Key Exchange version two / Internet Protocol Security.
Developed by Microsoft and Cisco, IKEv2 has been around since 2005. Don't let its age put you off, though. The technology avoided the mistakes of earlier protocols, such as PPTP, and is still regarded as highly secure, even today. And because IKEv2 is mature, it's now widely supported by many VPNs on both desktops and mobile VPN apps.
IKEv2 typically scores well for connection times in our tests, and we often see it up and running in under two seconds. Meanwhile, OpenVPN connections can take 10-20 seconds before they're established. If you turn your VPN on and off regularly, maybe to check emails, that can make a huge difference.
Download speeds aren't bad, with the protocol capable of outperforming OpenVPN in some cases, but lagging well behind WireGuard. IKEv2 peaked at 290Mbps in our recent VPN update; WireGuard reached 900Mbps, and might have done even better if we'd had a faster network connection.
Overall, IKEv2 doesn't excel at anything in particular. It doesn't have the features or configurability of OpenVPN, it can't match the speed of WireGuard. But if they don't work for you, for some reason (or they're just not available), IKEv2 is a strong all-round choice that will keep your traffic secure and deliver more than enough speed for most situations.
SSTP
Secure Socket Tunneling Protocol (SSTP) is a Microsoft technology which comes integrated with Windows.
SSTP works a little like OpenVPN, using SSL (and, optionally, TCP and port 443) to avoid detection and get connected in VPN-unfriendly environments.
The problem is that SSTP is a proprietary standard owned by Microsoft. Unlike the open-source OpenVPN, WireGuard and others, it's not possible to review the source code to check what it's doing. And because it's a Microsoft product, you won't find SSTP supported by many platforms or VPN apps.
In general, SSTP looks very secure. And if you need to manually set up a VPN connection on a Windows system, SSTP can do the job without having to install any third-party apps.
If you're installing your provider's app anyway, though, we'd choose OpenVPN (where available) ahead of SSTP.
PPTP
First appearing back in the 1990s, PPTP (Point-To-Point Tunnelling Protocol) is one of the oldest VPN protocols around.
This has some advantages. PPTP is very simple, with few overheads, making it very fast. It also runs well on old devices, which may not have the power or features to run more up-to-date protocols.
The problem is that researchers have found multiple PPTP issues over the years, and Microsoft was suggesting users switch to something else as long ago as 2012.
As a result, most VPN providers have dropped support for PPTP, and we think that makes sense. It's insecure and best avoided.
If your provider still offers PPTP, then it might be useful in situations where security isn't important (when you only need to unblock a particular website, say). But only use it if every other protocol has failed, and make sure you switch to something better before you start online banking, or anything else even faintly sensitive.
Proprietary protocols
Some big VPN providers haven't restricted themselves to the standard protocols: they've actually developed innovative technologies of their own.
ExpressVPN offers Lightway, for instance; NordVPN has NordLynx; Hotspot Shield uses Catapult Hydra, and VyprVPN has its own Chameleon.
We think this is very positive sign about any provider, as it shows a company with real resources and technical expertise, that's also making huge efforts to improve the service for its customers. It also makes a strong argument for heading in the direction of one of the big name VPN options, because everything comes packed into the package. If you’re less keen on getting technical and are looking for a solution that simply works, you may well be better off just signing up for one of the best VPN deals and going from there.
Cautionary tales
However, it’s also worth pointing out that there can be down sides, too. For example, OpenVPN, WireGuard and ExpressVPN's Lightway are all open source, allowing anyone to check the code and verify it's living up to its privacy promises. But, most of the other proprietary protocols are closed source and because of that, users are left to trust that the provider knows what it's doing, and there are no bugs lurking in the code.
When we look at the technical specs and our own testing, though, all these protocols appear very secure, and they can deliver very high speeds - for example, NordVPN peaked at 880Mbps in our last checks.
Some custom protocols are designed for specific situations only. VyprVPN's Chameleon can do a good job of getting you online in China, for instance, so is well worth a try if you're travelling somewhere VPNs are blocked. But VyprVPN's WireGuard delivers better performance in general use.
Lightway, NordLynx and Catapult Hydra are designed as all-purpose protocols, though, and in our experience they perform very well. If you've signed up with ExpressVPN, NordVPN or Hotspot Shield then we'd recommend choosing those above more standard protocols for the best possible results.
Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.