VPN Protocols Explained
A VPN protocol defines how your device creates and maintains the encrypted tunnel to the VPN server. Different protocols make different trade-offs between speed, security, compatibility, and resistance to censorship. This guide covers every major protocol in use today.
Protocol Comparison Overview
| Protocol | Speed | Security | Censorship resistance | Battery use | Status |
|---|---|---|---|---|---|
| WireGuard | Fastest | Excellent | Moderate (UDP only) | Low | Recommended |
| OpenVPN UDP | Good | Excellent | Moderate | Moderate | Recommended |
| OpenVPN TCP | Moderate | Excellent | High (port 443) | Higher | Use for censorship bypass |
| IKEv2/IPSec | Fast | Very good | Lower (fixed ports) | Low | Good for mobile |
| L2TP/IPSec | Slow | Good | Low | Moderate | Avoid if possible |
| SSTP | Moderate | Good | High (HTTPS port) | Moderate | Windows-only, rarely needed |
| PPTP | Fast | Broken | Low | Low | Never use |
Proprietary Protocols
Several providers have developed their own protocols built on top of established cryptographic foundations:
| Protocol | Provider | Based On | Key Advantage |
|---|---|---|---|
| NordLynx | NordVPN | WireGuard | Double NAT preserves no-logs guarantee |
| Lightway | ExpressVPN | wolfSSL | Very fast reconnects, open-sourced in 2021 |
| Stealth | ProtonVPN | Obfuscated WireGuard/OpenVPN | Bypasses deep packet inspection |
| Catapult Hydra | Hotspot Shield | DTLS/TLS | Proprietary speed optimisations |
Which Protocol Should You Use?
- Default choice: WireGuard - Fastest and modern.
- Restricted network (school, corporate, hotel): OpenVPN TCP on port 443 - Mimics HTTPS and is nearly unblockable.
- Mobile device: WireGuard first; IKEv2 as fallback for seamless network handoffs.
- Censorship-heavy country: Provider's obfuscated mode (Stealth, obfs4) or OpenVPN TCP 443.
- Legacy hardware: OpenVPN (runs on very old kernels and embedded routers).
- Never use: PPTP - It uses RC4 encryption which was broken in the early 2000s.
For WireGuard-specific details, see What Is WireGuard?. For OpenVPN specifics, see What Is OpenVPN?. Test your VPN setup with our VPN Leak Test or check our full VPN Guide hub.
How We Evaluate VPNs
Every recommendation in our VPN guides is weighed against the same five criteria:
- No-logs policy and audits - We prioritise providers whose no-logs claims have been verified by independent auditing firms, and we note real-world events (subpoenas, server seizures) that tested those claims.
- Leak-test results - A VPN must not expose your real IP, DNS servers, or WebRTC addresses. You can run the same checks we use with our free VPN Leak Test.
- Speed impact - We favour providers supporting modern protocols (WireGuard, or equivalents like NordLynx and Lightway) that keep overhead low.
- Jurisdiction - Where a provider is incorporated determines which governments can compel it to hand over data.
- Price transparency - Clear renewal pricing and honest refund terms. We avoid quoting specific prices in guides because promotions change frequently - Always check current pricing on the provider's site.
Our assessments are based on published third-party audits, vendor documentation, and our own leak-testing tooling - We do not have insider access to any provider's infrastructure. These pages are reviewed periodically and updated when audits, ownership, or features change.
Once you have picked a provider, two practical checks matter more than any review: if your connection fails, see how to fix a VPN that won't connect; and to confirm you are actually protected, learn how to test if your VPN is working.
ⓘ Affiliate disclosure: Some links to VPN providers in these guides are affiliate links - We may earn a commission at no extra cost to you. This never affects rankings or evaluations.
Last updated: June 2026