VPN protocols

VPN (Virtual Private Network) protocols are to a VPN what morals are to society – rules essential to ensure the function, safety, and stability of the entire process. 

And while the opening sentence was unnecessarily dramatic, I promise it is the only unnecessary one in this article. 

Below, you will find many more sentences that will inform you about a wide variety of VPN protocols, both current and outdated, how they compare and which ones are best for every situation.

    What is a VPN protocol?

    A VPN protocol is a set of rules that needs to be followed to create or participate in a Virtual Private Network (VPN). It determines the authorization, authentication, encryption, traffic capturing, and transportation methods under which your VPN client establishes your connection to a VPN server.

    What a VPN protocol is not

    Before we continue: there’s a lot of misinformation about VPN protocols out there, so let’s bust some widespread myths about them to kick us off:

    1. Myth: VPN protocols determine your connection speed. Not directly; this statement is only very partially true.
    2. Myth: VPN protocols determine the security of your connection. They don’t; encryption algorithms do.

    You may wonder what makes VPN protocols important, then. Well, they essentially help VPN services build and configure their VPN networks on already trusted code.

    It is possible to develop and use your own protocols, but it would mostly be a waste of time and resources. Most VPN providers do not make their own VPN protocols but use open-sourced ones built to support multiple operating systems, audited and trusted by the cybersecurity community.

    What is the best VPN protocol?

    Going by what I’ve discussed above, the question should really be – is there such a thing as the best VPN protocol at all?

    Truthfully, “best” is a strong word and I refrain from using it. The two VPN protocols that form today’s crème de la crème are WireGuard and IKEv2/IPSec.

    OpenVPN is a close third and, on paper, delivers the same results but is more difficult to work with. However, many routers are made OpenVPN-compatible, and it’s handy if you want to set up a VPN on your home network!

    To visualize, let’s take Surfshark as an example to compare these three protocols in action:

    | Protocol | Security | Speed | Stability | Best for |
    |---|---|---|---|---|
    | WireGuard | Very Secure | Very Fast | Very Stable | Any and everyday use |
    | IKEv2 | Very Secure | Very Fast | Very Stable | Short-distance connections, mobile networks, and everyday use |
    | OpenVPN over TCP | Very Secure | Very Fast | Very Stable | Router compatibility, any and everyday use |
    | OpenVPN over UDP | Very Secure | Very Fast | Very Stable | Router compatibility, any and everyday use |

    Comparison table of the top three VPN protocols on Surfshark

    No, the table is not false – all protocol performance is more or less the same because of how we configure our VPN servers, but it can differ for each user and device. I can only advise taking protocol (or internet tech in general) comparisons with a grain of salt and trying each of them out yourself.

    Which VPN protocol is the most secure?

    The truth is, all three VPN protocols – WireGuard, IKEv2, and OpenVPN – achieve equal security, albeit in different ways and using different cryptographic suites. A protocol is considered secure when it has no known vulnerabilities, and all three fall under this category.

    As mentioned about security and encryption before, it is how a provider builds and configures their VPN network that matters the most. So, get a provider you trust!

    Which VPN protocol is the fastest?

    Contrary to popular belief, VPN protocols themselves don’t have a dramatic impact on your connection speed. How fast your internet feels when connected to a VPN mostly depends on the following factors:

    • The speed of your internet connection. (Great impact)
    • VPN server load and throughput. (Moderate to great impact)
    • Compatibility and quality of your device. (Great impact)
    • Your device’s proximity to the VPN server. (Moderate impact)

    Most of our tests and user feedback show that the connection speed competition comes down to the wire between WireGuard and IKEv2 (pun fully intended).

    However, how VPN protocols interact with your internet connection always varies, making it tricky to answer which one is “the fastest.”

    To find out which protocol is best for you, I encourage you to experiment with their speed and connection stability over different servers and devices. You can see which protocol suits you best by using each of them to connect to multiple locations and testing your connection with an internet speed test.

    So, which of these VPN protocols is the fastest? The answer is: you’d better test it yourself!

    OpenVPN TCP vs. UDP 

    Disclaimer: OpenVPN TCP and OpenVPN UDP are not separate VPN protocols.

    TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are essentially different transport layer protocols that OpenVPN can use to establish a VPN connection. 

    TCP creates a stream of data packets and ensures that they reach their destination in the order they’ve been sent out. In theory, this means more stable communication.

    On the other hand, UDP is volatile and connectionless, sending data packets out in no specific order and without validation. This makes it faster and superior for time-sensitive transmissions.

    However, OpenVPN works better on UDP for many users. Even though the data is mixed and scrambled, the protocol itself rearranges these packets in order and validates them when they reach the server.

    Even then, the general advice is to try them both out and use the one that provides you with a smoother connection.
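
How a tunnel can tolerate out-of-order UDP delivery while still validating every packet, shown as an added example that is not OpenVPN's code or wire format: each datagram carries a sequence number and an HMAC tag, and the receiver keeps a sliding window of sequence numbers it has already seen. The key, window size and packet layout are assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
WINDOW = 64                    # assumed reordering tolerance, in packets

def seal(seq, payload, key=KEY):
    """Sender: 64-bit sequence number + payload + HMAC-SHA256 over both."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Validates datagrams, tolerates reordering, rejects replays."""
    def __init__(self, key=KEY):
        self.key, self.highest, self.seen = key, 0, 0  # bit i of seen = highest - i

    def accept(self, datagram):
        """Return (seq, payload) if fresh and valid, else a reason string."""
        body, tag = datagram[:-32], datagram[-32:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()
        if len(body) < 8 or not hmac.compare_digest(tag, good):
            return "bad tag"                 # truncated, forged or corrupted
        seq = struct.unpack(">Q", body[:8])[0]
        age = self.highest - seq
        if age < 0:                          # newest so far: slide the window
            self.seen = ((self.seen << -age) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        elif age >= WINDOW:
            return "too old"
        elif (self.seen >> age) & 1:
            return "replay"
        else:
            self.seen |= 1 << age            # late but fresh: accept
        return seq, body[8:]

def receive_all(datagrams):
    """Feed datagrams in arrival order; return in-order payloads, rejections."""
    rx, fresh, rejected = Receiver(), {}, []
    for d in datagrams:
        result = rx.accept(d)
        if isinstance(result, str):
            rejected.append(result)
        else:
            fresh[result[0]] = result[1]
    return [fresh[s] for s in sorted(fresh)], rejected

# Constructed arrival order: 3, 1, a forged 2 (wrong key), the real 2, a replayed 3.
ARRIVALS = [seal(3, b"c"), seal(1, b"a"), seal(2, b"b", key=b"not-the-key"),
            seal(2, b"b"), seal(3, b"c")]
```

Calling `receive_all(ARRIVALS)` hands back the three genuine payloads in sending order and reports the forged and replayed datagrams as rejected.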

    Why WireGuard, OpenVPN, and IKEv2 are better than other VPN and tunneling protocols

    Some VPN providers offer a wide variety of protocols, but that is unnecessary and can even be dangerous.

    Aside from the top three mentioned above, most older protocols are outdated, obsolete, and full of vulnerabilities. Here’s how some of the most common VPN and tunneling protocols compare.

    | VPN Protocol | Security | Speed Potential | Stability | Encryption | Set up | Good for |
    |---|---|---|---|---|---|---|
    | OpenVPN TCP | Very secure (No known vulnerabilities) | Very fast | Depends on server configuration | AES-256 | Easy with a VPN, difficult on its own | Router compatibility, any and everyday use |
    | OpenVPN UDP | Very secure (No known vulnerabilities) | Very fast | Depends on server configuration | AES-256 | Easy with a VPN, difficult on its own | Router compatibility, any and everyday use |
    | IKEv2/IPSec | Very secure (No known vulnerabilities) | Very fast | Depends on server configuration | AES-256 | Easy with a VPN, difficult on its own | Short-distance connections, mobile networks, and everyday use |
    | WireGuard | Very secure (No known vulnerabilities) | Very fast | Depends on server configuration | AES-256 | Easy | Any and everyday use |
    | SoftEther | Very secure (No known vulnerabilities) | Very fast | Depends on server configuration | AES-256 | Client setup | Everyday use |
    | Tunneling Protocol PPTP | Bad | Very fast | Depends on server configuration | 128-bit | Very easy | Nothing but outdated hardware and old devices |
    | Tunneling Protocol SSTP | Average | Average | Depends on server configuration | AES-256 | Easy on Windows | Connecting Windows devices |
    | L2TP/IPsec | Secure | Fast | Depends on server configuration | AES-256 | Easy on Windows | Nothing that IKEv2/IPSec cannot offer |

    VPN protocol comparison table

    In other words, there is no real reason to use any other VPN protocols outside The Big Three. In truth, one protocol would be enough to provide a good VPN service, but due to differences in compatibility for routers and different OS (operating systems), we provide all three.

    A deep dive into different VPN protocols

    Now that we’ve established the most common VPN protocols, let’s take a closer look at what makes some shine and the others not so much.

    1. OpenVPN

    Pros:
    • No known vulnerabilities
    • Top-tier encryption and authentication
    • Open-source

    Cons:
    • Bulky code
    • Software setup may seem daunting

    Verdict: Recommended in most situations.

     

    OpenVPN is an open-source VPN system that comes both as software and a protocol for VPN services. It bases its encryption and verification processes on TLS (Transport Layer Security) methodologies.

    Along with IKEv2/IPSec and WireGuard, OpenVPN is considered one of the safest VPN protocols out there. It is most often paired with the AES-256-GCM encryption algorithm, together with very strong authentication methods and pre-shared certificates.

    OpenVPN is also open-source, and its code has been examined through and through by industry experts and security enthusiasts around the world.

    When configuring OpenVPN on servers, it is more difficult to work with than IKEv2 or WireGuard. However, this doesn’t influence user experience in any way.
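
A small audit of an OpenVPN client config for the settings discussed here (an AEAD cipher such as AES-256-GCM, server certificate checking, a TLS version floor), added as an example and not taken from Surfshark or the OpenVPN project. The policy thresholds and both sample configs are constructed assumptions; the directive names are OpenVPN's own.

```python
AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
MIN_TLS = (1, 2)  # assumed policy floor for the control channel

def parse(text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split(";", 1)[0].split()
        if words:
            opts[words[0]] = words[1:]
    return opts

def audit(text):
    """Return findings for one OpenVPN client config; an empty list is a pass."""
    opts, findings = parse(text), []
    offered = []
    for key in ("data-ciphers", "cipher"):
        offered += [c for c in ":".join(opts.get(key, [])).upper().split(":") if c]
    if not offered:
        findings.append("no cipher pinned: default depends on OpenVPN version")
    findings += [f"non-AEAD cipher offered: {c}" for c in offered
                 if c not in AEAD_CIPHERS]
    if opts.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls server missing: peer cert type unchecked")
    floor = (opts.get("tls-version-min") or ["0.0"])[0]
    try:
        too_low = tuple(int(p) for p in floor.split(".")) < MIN_TLS
    except ValueError:
        too_low = True
    if too_low:
        findings.append("tls-version-min below 1.2 or unset")
    return findings

# Constructed sample configs (vpn.example.com is a placeholder host).
WEAK = """client
proto tcp
remote vpn.example.com 443
cipher BF-CBC
"""
HARDENED = """client
proto udp
remote vpn.example.com 1194
data-ciphers AES-256-GCM:CHACHA20-POLY1305
remote-cert-tls server
tls-version-min 1.2
"""
```

`audit(WEAK)` returns three findings and `audit(HARDENED)` returns none; neither result depends on whether the config uses `proto udp` or `proto tcp`.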

    2. IKEv2/IPSec

    Pros:
    • Very fast
    • Reliable
    • Works well on mobile networks

    Cons:
    • Speed may vary depending on the device-server distance

    Verdict: Recommended in most situations.

     

    Internet Key Exchange version 2 (IKEv2) is a VPN protocol widely esteemed for its speed, security, and connection stability, especially when using mobile networks.

    Because it uses IPSec, which partly runs in the background in the system’s kernel, IKEv2 can be fast.

    Over the years, most major OSs have implemented IKEv2, so there is no reason to use OpenVPN over IKEv2 aside from some compatibility cases.

    Like OpenVPN, IKEv2 uses the TLS library for encryption and verification and can pair with AES-256-GCM. It is also much easier to scale and maintain on a server level than OpenVPN.

    3. WireGuard

    Pros:
    • Secure
    • Only 4,000 lines of code
    • Open-source
    • Exceptional speed
    • Connectionless
    • Easy to set up

    Cons:
    • Still relatively new

    Verdict: Highly recommended in most cases.

     

    WireGuard is an ambitious VPN protocol project that set out to deliver the same security as, and better connection speed than, both IKEv2 and OpenVPN with only 4,000 lines of code. Its lightweight code allows easier auditing and should also improve its stability in the process.

    Like OpenVPN, it comes as a standalone open-source software and a VPN protocol, but it doesn’t have the same legacy yet. It is relatively new compared to its current competitors, so it naturally receives some pushback.

    Regardless, WireGuard offers top-tier security and encryption standards at unmatched speed due to its simplicity. Now that it has been implemented in the Linux and Android 12 Linux kernels, it seems to be here to stay.

    *WireGuard is a registered trademark of Jason A. Donenfeld.

    4. SoftEther

    Pros:
    • Fast, stable, and secure
    • Comes with additional features to protocols like OpenVPN
    • Open-source

    Cons:
    • Has not yet stood the test of time

    Verdict: Good alternative to OpenVPN.

     

    SoftEther is an open-source multi-protocol VPN client and server software. It adds advanced functionality such as GUI management and RPC (Remote Procedure Calls) over HTTPS (Hypertext Transfer Protocol Secure).

    In theory, SoftEther is faster than OpenVPN due to tweaked optimization and can be made just as secure as any other protocol paired with AES-256 bit encryption.

    However, SoftEther is not widely used or distributed by VPN providers, and so it doesn’t have a strong legacy like its contemporaries. 

    Also, it’s open-source under the Apache License 2.0, which states that “The source code doesn’t need to be public when a distribution of the software is made,” leaving a lot of room for interpretation if a VPN service were to use it as a protocol.

    5. Tunneling protocol: PPTP

     

    Pros:
    • Easy setup
    • Fast

    Cons:
    • Awful security
    • Known to be exploited
    • Severely outdated
    • Easily blocked by firewalls

    Verdict: Not recommended. Ever.

     

    Point to Point Tunneling Protocol (PPTP) is not a VPN protocol but an old and obsolete tunneling protocol that no VPN service should ever use. The crux of it is in the name: it delivers information from one point to the other.

    It only supports encryption ciphers up to 128 bits and has several known exploits revealed by the US government and the NSA.

    While PPTP’s poor encryption and lack of authentication methods allow it to be very fast, it is also easily blocked by firewalls.

    Now, its easy setup and fast connection may seem tempting, but as an internet security and privacy advocate, I cannot recommend PPTP under any circumstances.

    6. Tunneling protocol: SSTP

    Strengths:
    • Easily bypasses firewalls
    • Can use industry-standard encryption
    • Not bad at negotiating and checking internet traffic
    • Easy set up on Windows OS

    Weaknesses:
    • Code was never revealed/audited
    • Difficult to make compatible with other OS apart from Windows
    • Code is unavailable for VPN developers to tinker with

    Verdict: Secure-ish but not recommended.

     

    Secure Socket Tunneling Protocol (SSTP) is a tunneling protocol that can send PPP traffic. It uses the TLS library for encryption and integrity checking. SSTP can run over port 443, which is often left open in many firewalls, allowing the user to circumvent them.

    However, SSTP’s downfalls are twofold and severe:

    1. Its lack of compatibility with other operating systems aside from Windows. 
    2. Its code remains unaudited, raising some concerns that it might have in-built backdoors. 

    Lastly, to work at a decent speed, SSTP requires a strong connection. But even with excess bandwidth, it doesn’t perform as well as IKEv2 or WireGuard.

    7. L2TP/IPsec

    Pros:
    • Relatively secure

    Cons:
    • Outdated
    • L2TP does not encrypt itself
    • Bad authentication
    • Slow

    Verdict: Not recommended.

     

    Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol that does not provide security on its own and uses IPSec for encryption. 

    L2TP encapsulates data twice, which slows down the connection speed. In comparison, IKEv2 is slightly faster than L2TP for that reason.

    In terms of security, L2TP can use the AES-256 bit algorithm, which, in combination with its layered approach, makes it safe in theory. However, unlike IKEv2, OpenVPN and WireGuard, L2TP is still lacking in its authentication and verification stages.

    Also, L2TP is rumored by John Gilmore, one of the founders of EFF (Electronic Frontier Foundation), to have been deliberately made less secure during its development stages.

    8. What about Shadowsocks?

    Shadowsocks is a tunnel proxy based on SOCKS5 and, while it can run through a VPN application, it is not a VPN protocol.

    It’s an open-source project that was specifically designed to circumvent the Great Firewall of China. For internet privacy and censorship purposes, most VPN providers, including Surfshark, often have Shadowsocks among their protocols.

    Experience VPN protocols in action

    You now know everything about VPN protocols a VPN user might need. Hopefully, this knowledge will help you make conscious decisions when choosing between protocols if you ever need to.

    The most important thing is to pick one that best suits your circumstances. I recommend using WireGuard or IKEv2 for general use, and OpenVPN if you need to set up a VPN on your router.

    Surfshark has all three plus Shadowsocks to suit the comfort and compatibility needs of our users. If you’re looking for connection speed, internet security and privacy, then we’ve got your back.
