Where These Protocols Fit
WireGuard is the recommended default for new VPN setups: it is faster, simpler, and has a smaller attack surface than the older protocols. But WireGuard is not available everywhere. Older routers do not support it, enterprise firewall appliances from major vendors (Cisco, Palo Alto, Juniper) are built around IPsec, mobile device management systems often deploy IKEv2 profiles, and some network environments block UDP entirely (WireGuard is UDP-only and has no TCP fallback). IKEv2, L2TP, and OpenVPN persist because these real-world constraints mean WireGuard is not always the answer.
Protocol Comparison
| Protocol | Speed | Firewall Friendliness | Mobile Support | Status |
|---|---|---|---|---|
| IKEv2/IPsec | Fast (AES hardware acceleration, kernel IPsec) | Moderate: UDP 500 and 4500, plus ESP (IP protocol 50) when no NAT is in the path; blocked by some strict firewalls | Excellent: built into iOS, macOS, Windows, Android | Current; recommended for mobile and managed devices |
| L2TP/IPsec | Slower than IKEv2: PPP and L2TP headers add a second encapsulation layer inside ESP | Poor: same IPsec ports as IKEv2 (UDP 500/4500, ESP) plus L2TP on UDP 1701 inside the tunnel; often blocked, and NAT traversal is fragile | Fair: built into Windows, macOS and iOS, removed from recent Android versions, and default configs often break behind NAT | Deprecated; use only for legacy compatibility |
| OpenVPN UDP | Good; more overhead than WireGuard/IKEv2 | Moderate: UDP 1194 by default, configurable to any port | Via third-party app; not native on any major OS | Mature and maintained; good fallback for routers and enterprises |
| OpenVPN TCP 443 | Slower: TCP inside TCP makes both layers retransmit on loss (the "TCP meltdown" problem), raising latency | Excellent: looks like HTTPS to port-based firewalls and passes most of them | Via third-party app | Best option for restrictive networks that block UDP |
IKEv2/IPsec in Detail
IKEv2 (Internet Key Exchange version 2, RFC 7296) handles the key negotiation phase of an IPsec tunnel. It replaced IKEv1, which had known weaknesses (aggressive mode with pre-shared keys, for example, sends a hash of the key that can be cracked offline). The key practical advantage of IKEv2 is MOBIKE (IKEv2 Mobility and Multihoming Protocol, RFC 4555), which lets the tunnel persist across network changes: the client tells the gateway its new address over the existing IKE SA, and the ESP keys stay valid. Walk out of your house, switch from Wi-Fi to cellular, and an IKEv2 tunnel can resume within seconds without a full re-authentication. This is why enterprise MDM systems, corporate VPN profiles for iOS and Android, and many managed deployments use IKEv2.
The firewall caveat: IKEv2 uses UDP 500 for the initial exchange and UDP 4500 once NAT is detected, at which point ESP is carried inside UDP 4500 as well; without NAT, ESP travels as IP protocol 50, which the firewall also has to permit. Networks that block these ports (some corporate firewalls, aggressive ISP filtering) will prevent IKEv2 from connecting entirely. OpenVPN TCP 443 is the fallback in those environments.
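Because IKEv2 has a fixed, unencrypted 28-byte header and a well-known NAT-T marker, a firewall can recognise it on UDP 500/4500 without decrypting anything, which is why port blocking and signature blocking are both easy. The following classifier, added here as an illustration rather than code from the original article, decodes that header (RFC 7296 section 3.1) and demultiplexes the three things that share UDP 4500 under RFC 3948: IKE behind a four-zero-byte non-ESP marker, ESP-in-UDP, and the one-byte keepalive. The sample datagrams are constructed in the block; the SPI values are arbitrary.

```python
"""Classify IKEv2 / NAT-T datagrams the way a port-and-signature firewall does.
Header layout from RFC 7296 section 3.1, UDP encapsulation from RFC 3948.
Added example; not code from the original article."""
import struct

# IKE header: SPIi(8) SPIr(8) next-payload(1) version(1) exchange-type(1) flags(1) msg-id(4) length(4)
IKE_HEADER = struct.Struct("!QQBBBBII")
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix that marks IKE (rather than ESP) inside UDP 4500
NAT_KEEPALIVE = b"\xff"                # one-byte NAT keepalive on UDP 4500


def parse_ike_header(data: bytes) -> dict:
    """Decode the fixed 28-byte IKEv2 header and sanity-check the fields a filter keys on."""
    if len(data) < IKE_HEADER.size:
        raise ValueError("datagram shorter than an IKE header")
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(data)
    major, minor = version >> 4, version & 0x0F
    if major != 2:
        raise ValueError(f"not IKEv2 (major version {major})")
    if length != len(data):
        raise ValueError(f"IKE length field {length} does not match datagram size {len(data)}")
    exchange = EXCHANGE_TYPES.get(exch, f"unknown({exch})")
    response = bool(flags & FLAG_RESPONSE)
    if exchange == "IKE_SA_INIT" and not response and spi_r != 0:
        raise ValueError("IKE_SA_INIT request must carry a zero responder SPI")
    return {
        "spi_i": spi_i, "spi_r": spi_r, "next_payload": next_payload,
        "version": (major, minor), "exchange": exchange,
        "initiator": bool(flags & FLAG_INITIATOR), "response": response,
        "msg_id": msg_id, "length": length,
    }


def classify_udp_payload(dst_port: int, data: bytes):
    """Return (kind, details) for a datagram sent to UDP 500 or 4500, without decrypting anything."""
    if dst_port == 500:
        return "ike", parse_ike_header(data)
    if dst_port == 4500:
        if data == NAT_KEEPALIVE:
            return "nat-keepalive", None
        if data.startswith(NON_ESP_MARKER):
            return "ike-natt", parse_ike_header(data[len(NON_ESP_MARKER):])
        if len(data) >= 8:
            spi, seq = struct.unpack_from("!II", data)   # ESP header: SPI, then sequence number
            if spi != 0:                                  # RFC 3948 reserves a zero SPI for the marker
                return "esp-udp", {"spi": spi, "seq": seq}
    return "unknown", None


def build_ike_sa_init_request(spi_i: int, body: bytes) -> bytes:
    """Constructed sample: an IKE_SA_INIT request (next payload 33 = SA) with an opaque body."""
    length = IKE_HEADER.size + len(body)
    return IKE_HEADER.pack(spi_i, 0, 33, 0x20, 34, FLAG_INITIATOR, 0, length) + body


if __name__ == "__main__":
    req = build_ike_sa_init_request(0x1122334455667788, b"\x00" * 40)   # arbitrary sample SPI
    print(classify_udp_payload(500, req))
    print(classify_udp_payload(4500, NON_ESP_MARKER + req))
    print(classify_udp_payload(4500, bytes.fromhex("deadbeef00000001") + b"\x00" * 16))
```

Everything the classifier needs is in the clear by design: the version byte is always 0x20, the first exchange type is always 34, and NAT-T traffic announces itself with the marker. A filter that wants to stop IKEv2 does not need to block the ports at all; matching these bytes is enough, which is the same reason the protocol is so easy to fingerprint for allow-listing on a corporate egress.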
L2TP/IPsec: Why It Persists and When to Avoid It
L2TP (Layer 2 Tunneling Protocol) provides no encryption by itself; it is a tunneling protocol that carries PPP frames and sets up the session structure. IPsec is then used to encrypt the L2TP tunnel, so each packet is wrapped twice (PPP inside L2TP inside ESP) and carries more per-packet overhead than plain IKEv2/IPsec, which places IP packets directly in ESP. L2TP/IPsec was the dominant "built-in" VPN option for years because Windows, macOS, iOS, and Android all supported it natively without additional software.
Its weaknesses are now well documented: the double encapsulation makes it slower than the alternatives, its NAT traversal is fragile (connections often fail behind NAT without manual configuration, and several clients behind one NAT are a classic failure), and its protocol signatures are easy for firewalls to identify and block. There is also a historical concern: documents leaked in 2013 suggested the NSA could decrypt some L2TP/IPsec traffic, and the likeliest weak point is key management rather than the cipher. Many deployments share one pre-shared key across every user, and anyone who holds that key can impersonate the gateway to other users. Properly configured L2TP/IPsec with a strong, non-shared key or certificate authentication is still considered computationally secure in practice. Use it only when the target device cannot run IKEv2 or OpenVPN.
OpenVPN: The Flexible Option
OpenVPN has been the workhorse of self-hosted VPN deployments for over 20 years. It is not built into any major operating system (an app or client is required), but it is supported on virtually every platform and nearly every VPN-capable router firmware (DD-WRT, OpenWrt, pfSense, OPNsense). Its main practical advantage is flexibility: it can run over UDP for performance or over TCP when UDP is blocked, and it can be configured to listen on any port, including port 443, which makes it look like ordinary HTTPS to port-based firewalls.
OpenVPN's weaknesses are its overhead and configuration complexity relative to WireGuard and IKEv2. It is also identifiable even on TCP 443: OpenVPN wraps its TLS control channel in its own packet framing (a length prefix, an opcode byte and a session ID precede the TLS records), so deep packet inspection that fingerprints the handshake rather than merely checking the port can pick it out. That is why obfuscation wrappers exist as an additional layer. For new deployments where WireGuard is supported, OpenVPN is rarely the best choice, but for legacy infrastructure, complex enterprise PKI setups, or environments that need TCP 443 traversal, it remains the most compatible option.
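The UDP-first, TCP-443-fallback behaviour described above is expressed in the client configuration with ordered `remote` lines, each carrying its own protocol. The file below is an added example, not configuration from the original article or from the OpenVPN project; the hostname, port 1194 and file names are placeholders, and it assumes OpenVPN 2.5 or later (per-remote protocol on the `remote` line needs 2.4+, `data-ciphers` needs 2.5+).

```conf
# Client config: try fast UDP first, then fall back to TCP 443 when UDP is filtered.
client
dev tun
nobind

# OpenVPN tries remotes in order; the third field sets the protocol per remote.
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp

# Give up on an unresponsive remote quickly instead of the 120 s default,
# so the TCP 443 fallback kicks in within seconds on a UDP-blocking network.
connect-timeout 10
connect-retry 2

# Only accept a server certificate with the server EKU, so a stolen
# client cert cannot be used to impersonate the gateway.
remote-cert-tls server

# Authenticate and encrypt the control channel; drops unauthenticated
# packets before the TLS stack sees them (the opcode byte stays in clear).
tls-crypt tc.key

data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256

ca ca.crt
cert client.crt
key client.key
verb 3
```

On the server side the TCP listener is simply `proto tcp` with `port 443`; if a real web server must share the address, OpenVPN's `port-share 127.0.0.1 8443` hands connections that do not start with an OpenVPN frame to that backend. Keep a separate UDP instance for the fast path; a single instance listens on one protocol only.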
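The framing that gives OpenVPN away on port 443 is small enough to show directly. The classifier below, added here as an illustration and not code from the original article or the OpenVPN project, inspects only the first bytes a client sends: a genuine HTTPS connection begins with a TLS record header and a ClientHello, whereas OpenVPN over TCP begins with a 2-byte length, an opcode/key-id byte and an 8-byte session ID. The sample payloads are constructed in the block; the session ID is arbitrary.

```python
"""Tell OpenVPN-over-TCP apart from real TLS by the first bytes sent to port 443.
Added example; not code from the original article or the OpenVPN project."""
import struct

# OpenVPN opcodes live in the upper 5 bits of the byte that follows the 2-byte TCP length prefix.
OPCODES = {
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1", 6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2", 8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2", 10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
TLS_HANDSHAKE, TLS_CLIENT_HELLO = 0x16, 0x01


def fingerprint_first_payload(data: bytes) -> dict:
    """Classify the first TCP payload of a connection as real TLS, OpenVPN, or unknown."""
    # Genuine HTTPS: TLS record of content type handshake (0x16), version 3.x, carrying a ClientHello.
    if len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[5] == TLS_CLIENT_HELLO:
        return {"proto": "tls", "record_len": struct.unpack_from("!H", data, 3)[0]}
    # OpenVPN on TCP: 2-byte big-endian frame length, opcode/key-id byte, 8-byte session id.
    # tls-auth and tls-crypt protect what follows the session id; this prefix stays in clear.
    if len(data) >= 11:
        frame_len = struct.unpack_from("!H", data)[0]
        opcode, key_id = data[2] >> 3, data[2] & 0x07
        if frame_len == len(data) - 2 and opcode in OPCODES:
            return {"proto": "openvpn", "opcode": OPCODES[opcode], "key_id": key_id,
                    "session_id": data[3:11].hex()}
    return {"proto": "unknown"}


def build_openvpn_client_reset(session_id: bytes, packet_id: int = 0) -> bytes:
    """Constructed sample: P_CONTROL_HARD_RESET_CLIENT_V2, key-id 0, no tls-auth, empty ACK array."""
    body = bytes([(7 << 3) | 0]) + session_id + b"\x00" + struct.pack("!I", packet_id)
    return struct.pack("!H", len(body)) + body


def build_tls_client_hello_stub() -> bytes:
    """Constructed sample: TLS record header plus a ClientHello handshake header (body truncated)."""
    hello = b"\x03\x03" + b"\x00" * 32                      # legacy_version + 32-byte random only
    handshake = bytes([TLS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(fingerprint_first_payload(build_openvpn_client_reset(bytes.fromhex("0102030405060708"))))
    print(fingerprint_first_payload(build_tls_client_hello_stub()))
    print(fingerprint_first_payload(b"GET / HTTP/1.1\r\n\r\n"))
```

Note what `tls-crypt` does and does not buy you here: it encrypts and authenticates everything after the session ID, so the TLS ClientHello itself is hidden, but the length prefix, opcode and session ID remain visible and are exactly what this fingerprint keys on. Hiding the opcode requires an external wrapper (a TLS or obfuscation proxy in front of OpenVPN), which is the "obfuscated mode" the text refers to.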
Choosing the Right Protocol
- New personal or home VPN setup: WireGuard first; if not available, IKEv2.
- iPhone or Android with a commercial VPN app: WireGuard or IKEv2 depending on what the app offers.
- Corporate mobile device management (MDM): IKEv2 — it integrates cleanly with device configuration profiles.
- Hotel, airport, school, or captive portal network: OpenVPN TCP 443 or obfuscated mode; these environments often block UDP.
- Old router (consumer firmware, or a pfSense/OPNsense build without a WireGuard package): OpenVPN if WireGuard is not supported; L2TP only as a last resort.
- Legacy Windows device or old NAS: L2TP/IPsec if nothing else is available; accept the limitations.
Frequently Asked Questions
Is L2TP/IPsec still safe to use in 2026?
For practical purposes, L2TP/IPsec with a strong pre-shared key or certificate-based authentication is still computationally secure against casual attackers; the IPsec encryption itself has not been publicly broken, and the realistic risk is a weak or widely shared pre-shared key rather than the cipher. The real problems are performance (it is noticeably slower than IKEv2 or WireGuard), NAT fragility (many home and office networks break L2TP connections), and the fact that far better alternatives now exist with equivalent or greater OS support. If you are using L2TP because an old device requires it, that is acceptable; if you are choosing it for a new setup, choose IKEv2 or WireGuard instead.
Can IKEv2 be blocked by firewalls?
Yes. IKEv2 normally runs over UDP 500 and 4500 (plus ESP, IP protocol 50, when there is no NAT), well-known IPsec ports that corporate and campus firewalls sometimes block; because the IKE header is unencrypted, a firewall can also match the protocol by signature rather than by port. When IKEv2 is blocked, OpenVPN TCP 443 is the most reliable alternative because it looks like standard HTTPS traffic to port-based filtering and passes nearly all firewalls. IKEv2 also has a standardized TCP encapsulation (RFC 8229) that some clients use as a fallback on TCP 443, and some VPN providers offer obfuscated modes that wrap the tunnel inside a TLS session for environments that perform deep packet inspection.
Why do commercial VPN apps still offer all three legacy protocols?
Compatibility requirements span a huge range of devices and network environments. A commercial VPN provider may have customers on old Android tablets that do not support WireGuard, users in countries where IKEv2 is blocked by ISPs, and enterprise customers who need to configure VPN profiles through MDM systems that only support IKEv2. Supporting multiple protocols is a practical necessity when a service needs to work everywhere, not a sign that the older protocols are recommended.