VPN protocols

VPN (Virtual Private Network) protocols are to a VPN what morals are to society – rules essential to ensure the function, safety, and stability of the entire process. And we’re going to tell you about a wide variety of VPN protocols, both current and outdated, how they compare and which ones are best for every situation.

    What is a VPN protocol?

    A VPN protocol is a set of rules for creating or participating in a Virtual Private Network (VPN). It determines the authorization, authentication, encryption, traffic capturing, and transportation methods under which your VPN client establishes your connection to a VPN server.

    What a VPN protocol is not

    Let’s bust some widespread VPN myths to kick us off:

    VPN protocols determine your connection speed: not directly, this statement is only very partially true.

    VPN protocols determine the security of your connection: they don’t, encryption algorithms they use do.

    You may wonder what makes VPN protocols important then?

    Protocols help VPN services build and configure their VPN networks on an existing digital foundation.

    It is possible to develop and use your own protocols, but it would mostly be a waste of time and resources. Most VPN providers use open-source protocols built to support multiple operating systems, audited and trusted by the cybersecurity community.

    A deep dive into different VPN protocols

    Let’s take a closer look at what makes some VPN protocols shine and the others not so much.

    1. OpenVPN

    • No known vulnerabilities
    • Top-tier encryption and authentication
    • Open-source
    • Bulky code
    • Software setup may seem daunting

    Verdict: Recommended in most situations.


    OpenVPN is an open-source VPN system that comes both as software and a protocol for VPN services. It bases its encryption and verification processes on TLS (Transport Layer Security) methodologies.

    It is usually paired with the very secure AES-256-GCM encryption algorithm, while the open source nature has made it possible for specialists around the world to check it for security gaps and other issues. 

    The downside is that it can be hard to set up, but if you’re a regular user using a VPN service (like Surfshark), that doesn’t matter to you. 

    2. IKEv2/IPSec

    • Very fast
    • Reliable
    • Works well on mobile networks
    • Speed may vary depending on the device-server distance

    Verdict: Recommended in most situations.


    Internet Key Exchange version 2 (IKEv2) is the authentication protocol used with the IPSec VPN protocol. As IPSec partly runs in the background on the system’s kernel, it allows IKEv2 to be very fast.

    IKEv2 is implemented in most operating systems these days, so you can easily use it over the slower OpenVPN. While it uses the same grand security tools like OpenVPN, IKEv2 is much easier to scale and maintain on a server level.

    3. WireGuard

    • Secure
    • Only 4,000 lines of code
    • Open-source
    • Exceptional speed
    • Connectionless
    • Easy to set up
    • Still relatively new

    Verdict: Highly recommended in most cases.


    WireGuard is a spunky protocol that delivers a connection speed faster than both IKEv2 and OpenVPN, yet only uses 4,000 lines of code (OpenVPN clocks in at around 400,000). Its lightweight code allows easier auditing and should also improve its stability in the process.

    While it doesn’t have the years of experience (and testing) like OpenVPN, WireGuard offers top-tier security and encryption standards at unmatched speed due to its simplicity. After it was implemented in Linux and Android, it seems to be here to stay.

    *WireGuard is a registered trademark of Jason A. Donenfeld.

    4. SoftEther

    • Fast, stable, and secure
    • Comes with additional features to protocols like OpenVPN
    • Open-source
    • Has not yet stood the test of time

    Verdict: Good alternative to OpenVPN.


    SoftEther is an open-source multi-protocol VPN client and server software. It adds advanced functionality features GUI Management and RPC (Remote Procedure Calls) over HTTPS (Hypertext Transport Protocol).

    It is faster than OpenVPN and can use the same security tools. However, it’s not been as tested as OpenVPN, which has been around for years already and tried out by many people.

    5. Tunneling protocol: PPTP


    • Easy setup
    • Fast
    • Awful security
    • Known to be exploited
    • Severely outdated
    • Easily blocked by firewalls

    Verdict: Not recommended. Ever.


    Point to Point Tunneling Protocol (PPTP) is an old and obsolete tunneling protocol that no VPN service should ever use. It only supports encryption ciphers up to 128 bits and has several known exploits revealed by the US government and the NSA.

    As an internet security and privacy advocate, I cannot recommend PPTP under any circumstances.

    6. Tunneling protocol: SSTP

    • Easily bypasses firewalls
    • Can use industry-standard encryption
    • Not bad at negotiating and checking internet traffic
    • Easy set up on Windows OS
    • Code was never revealed/audited
    • Difficult to make compatible with other OS apart from Windows
    • Code is unavailable for VPN developers to tinker with

    Verdict: Secure-ish but not recommended.


    Secure Socket Tunneling Protocol (SSTP) is a tunneling protocol that can send PPP traffic. SSTP can run over port 443, which is often left open in many firewalls allowing the user to circumvent them. 

    However, SSTP’s downfalls are twofold: there’s a lack of compatibility with other operating systems aside from Windows, and its code remains unaudited, raising some concerns that it might have in-built backdoors. 

    7. L2TP/IPsec

    • Relatively secure
    • Outdated
    • L2TP does not encrypt itself
    • Bad authentication
    • Slow

    Verdict: Not recommended.


    Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol that does not provide security on its own and uses IPSec for encryption.  L2TP encapsulates data twice, which slows down the connection speed. In comparison, IKEv2 is slightly faster than L2TP for that reason.

    Also, L2TP is rumored by John Gilmore, one of the founders of EFF (Electronic Frontier Foundation), to have been deliberately made less secure during its development stages.

    8. What about Shadowsocks?

    Shadowsocks is a tunnel proxy based on SOCKS5, and while it can run through a VPN application, is not a VPN protocol. 

    It’s an open-source project that was specifically designed to circumvent the Great Firewall of China.  However, it’s not the most graceful of protocols to implement and run. For our Chinese users, our NoBorders mode should help meet that need. 

    What is the best VPN protocol?

    Is there such a thing as the best VPN protocol at all?

    Truthfully, “best” is a strong word and I refrain from using it. The two protocols that form today’s crème de la crème are WireGuard and IKEv2/IPSec

    OpenVPN is a close third and, on paper, delivers the same results but is more difficult to work with. However, many routers are made OpenVPN-compatible, and it’s handy if you want to set up a VPN on your home network!

    Now look at this handy table:

    VPN protocols explained

    VPN Protocol
    Speed Potential
    Set up
    Good for
    OpenVPN TCP
    Very secure (No known vulnerabilities)
    Very fast
    Depends on server configuration
    Easy with a VPN, difficult on its own
    Router compatibility, any and everyday use
    OpenVPN UDP
    Very secure (No known vulnerabilities)
    Very fast
    Depends on server configuration
    Easy with a VPN, difficult on its own
    Router compatibility, any and everyday use
    Very secure (No known vulnerabilities)
    Very fast
    Depends on server configuration
    Easy with a VPN, difficult on its own
    Short-distance connections, mobile networks, and everyday use
    Very secure (No known vulnerabilities)
    Very fast
    Depends on server configuration
    Any and everyday use
    Very secure (No known vulnerabilities)
    Very fast
    Depends on server configuration
    Client setup
    Everyday use
    Tunneling Protocol PPTP
    Very fast
    Depends on server configuration
    128 bit
    Very easy
    Nothing but outdated hardware and old devices
    Tunneling Protocol SSTP
    Depends on server configuration
    Easy on Windows
    Connecting windows devices
    Depends on server configuration
    Easy on Windows
    Nothing that IKEv2/IPSec cannot offer

    VPN protocol comparison table

    As you see, most protocols are fairly similar. Surfshark employs WireGuard, IKEv2, and OpenVPN to give you a trustworthy alternative depending on your needs. By that metric, you could say that we consider these protocols to be the best in the world *wink*.

    Which VPN protocol is the most secure?

    Which VPN protocol is the most secure?

    Just like with the “best” category, there’s no such thing as “the most secure VPN protocol.” WireGuard, IKEv2, and OpenVPN all achieve about equal levels of security – and they’re really secure.

    But even with secure protocols, it’s how a provider builds and configures their VPN network that matters the most – you probably shouldn’t trust a free VPN even if it runs WireGuard!

    Which VPN protocol is the fastest?

    Which VPN protocol is the fastest?

    Contrary to popular belief, VPN protocols themselves don’t have a dramatic impact on your connection speed. Here’s what really matters:

    • The speed of your internet connection. (Great impact)
    • VPN server load and throughput. (Moderate to great impact)
    • Compatibility and quality of your device. (Great impact)
    • The geographical distance between you and the VPN server. (Moderate impact)

    Most of our tests and user feedback show that the connection speed competition comes down to the wire between WireGuard and IKEv2 (pun fully intended).

    OpenVPN TCP vs. UDP: what is that? 

    OpenVPN TCP and OpenVPN UDP are not two separate VPN protocols.

    TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are essentially different transport layer protocols that OpenVPN can use to establish a VPN connection. 

    TCP ensures a stable connection by making sure all the data packets arrive in order. UDP does it faster by just throwing everything at you and then arranging them to work. 

    While UDP works best for most users, the general advice is to try them both out and use the one that provides you with a smoother connection.

    Why WireGuard, OpenVPN, and IKEv2 are better than other VPN and tunneling protocols

    Most older protocols outside of WireGuard, OpenVPN, and IKEv2 are outdated and full of vulnerabilities and obsolete. There is no real reason to use any other VPN protocols outside The Big Three. In truth, one protocol would be enough to provide a good VPN service, but due to differences in compatibility for routers and different OS (operating systems), we provide all three.

    Experience VPN protocols in action

    You now know everything about VPN protocols a VPN user might need.The most important thing is to pick one that best suits your circumstances. I recommend using WireGuard or IKEv2 for general use, and OpenVPN if you need to set up a VPN on your router. Incidentally, Surfshark offers all three!

    Put this theory to practice

    Get Surfshark