Protocol Comparison
| Protocol | Typical Speed Overhead | Security | Firewall Compatibility | Best Use Case |
|---|---|---|---|---|
| WireGuard | 5–10% overhead; fastest in practice | Excellent (ChaCha20, Curve25519) | UDP only — blocked by some networks | Default choice; home use, mobile, routers |
| OpenVPN UDP | 10–20% overhead | Excellent (OpenSSL, AES-256) | Good — UDP 1194 blocked sometimes | Reliable fallback when WireGuard is blocked |
| OpenVPN TCP | 20–40% overhead (TCP-on-TCP problem) | Excellent | Best — TCP 443 almost never blocked | Restrictive networks (hotel, corporate, airport) |
| IKEv2/IPsec | 10–15% overhead | Excellent (AES-256, SHA-2) | Good — UDP 500/4500; blocked by some firewalls | iOS/macOS native profiles; managed mobile devices |
| L2TP/IPsec | 15–25% overhead | Fair (encryption optional; depends on config) | Fair — well-known ports, often detected | Legacy devices only; avoid for new setups |
| SSTP | Similar to OpenVPN TCP | Good (TLS) | Excellent — TCP 443 | Windows-only corporate environments |
| Proprietary (Lightway, NordLynx, Catapult Hydra) | Varies; WireGuard-based ones are fast | Varies by implementation | Varies | Provider-specific; good when audited and WireGuard-based |
WireGuard: Why It Became the Default
WireGuard was merged into the Linux kernel in 2020 and is now the protocol of choice for most VPN providers and router firmware. The reasons:
- Code size: ~4,000 lines vs OpenVPN's 100,000+ lines — a smaller codebase means fewer places for bugs
- Modern cryptography: uses ChaCha20-Poly1305 for encryption and Curve25519 for key exchange — algorithms designed for software efficiency on modern CPUs
- Connection speed: reconnects in milliseconds when network changes (Wi-Fi to cellular handoff is nearly seamless)
- Throughput: on a typical home connection, WireGuard adds only 5–10% overhead vs 20–40% for OpenVPN TCP
- Limitation: runs on UDP only — networks that block non-HTTP UDP traffic (some corporate firewalls, hotel Wi-Fi) block WireGuard entirely
OpenVPN: The Universal Fallback
OpenVPN has been the backbone of the VPN industry for over 15 years. It is slower than WireGuard but more adaptable:
- UDP mode: faster, preferred when available; uses port 1194 by default but can be set to any UDP port
- TCP mode on port 443: looks like HTTPS traffic to port-based firewalls, so it is almost impossible to block without also blocking web browsing (deep packet inspection can still fingerprint an unobfuscated OpenVPN handshake, which is what provider "stealth" or obfuscation modes address). Use this for restrictive networks
- TCP-on-TCP problem: OpenVPN TCP wraps a reliable stream inside another reliable stream — if packets are lost, two layers of retransmission occur, causing significantly higher latency spikes than UDP
- CPU usage: higher than WireGuard on low-power devices like routers and older phones; can be a limiting factor for throughput
IKEv2/IPsec: Best for Native Mobile
IKEv2 is built into iOS, macOS, Android, and Windows without any app installation. This makes it useful for mobile device management (MDM) profiles and corporate environments where installing a separate VPN app may not be possible. Key characteristics:
- Excellent reconnection handling — maintains the VPN session through network changes (MOBIKE extension)
- Requires UDP ports 500 and 4500 — some corporate and hotel firewalls block these
- When those ports are blocked, IKEv2 cannot fall back to TCP — the connection fails silently
- Security is good when using strong cipher suites (AES-256, SHA-256, DH group 14+) — older configs may use weak settings
How to Choose by Situation
| Situation | Recommended Protocol | Why |
|---|---|---|
| Home use, any OS | WireGuard | Fastest, simplest, most modern |
| iPhone or iPad, native profile | IKEv2/IPsec | Built into iOS; no app needed; handles handoffs well |
| Corporate network that blocks UDP | OpenVPN TCP 443 | Indistinguishable from HTTPS to firewalls |
| Hotel or airport Wi-Fi | OpenVPN TCP 443 or stealth mode | Most permissive option; avoids common VPN port blocks |
| VPN on a home router | WireGuard | Lower CPU overhead than OpenVPN; better throughput on limited hardware |
| Maximum compatibility across old devices | OpenVPN UDP | Widely supported; works on nearly every OS and device |
| Speed-sensitive use (large downloads via VPN) | WireGuard | Lowest overhead; closest to raw connection speed |
Speed Impact of VPN Protocols
VPN overhead on a 500 Mbps connection (approximate benchmarks):
| Protocol | Typical Throughput Retained | Latency Added |
|---|---|---|
| WireGuard | 450–490 Mbps (90–98%) | +1–5ms |
| OpenVPN UDP | 400–450 Mbps (80–90%) | +5–15ms |
| OpenVPN TCP | 300–400 Mbps (60–80%) | +10–30ms |
| IKEv2/IPsec | 420–470 Mbps (84–94%) | +3–10ms |
| L2TP/IPsec | 350–420 Mbps (70–84%) | +5–20ms |
Note: actual numbers depend heavily on server distance and hardware. The server location — not the protocol — is usually the dominant factor in VPN speed. A WireGuard server 5,000 miles away will be slower than an OpenVPN server 50 miles away.
Proprietary VPN Protocols
Several major VPN providers offer branded protocols — NordLynx (Nord), Lightway (ExpressVPN), Catapult Hydra (Hotspot Shield). How to evaluate them:
- Check if the protocol is based on WireGuard or OpenSSL — if so, the cryptographic foundation is sound
- Look for independent security audits by firms like Cure53 or Trail of Bits — providers that avoid audits are a warning sign
- Proprietary protocols sometimes add obfuscation features that improve compatibility with restrictive networks, which is a legitimate advantage over standard WireGuard
- If the provider cannot explain what the protocol does or cites only marketing claims, treat it as legacy/unknown regardless of the branding
Frequently Asked Questions
Which VPN protocol is fastest?
WireGuard is the fastest common protocol in practice. Its kernel-level implementation and lightweight cryptography produce 5–10% overhead on most connections, compared to 20–40% for OpenVPN TCP. The protocol matters less than server distance, however — a nearby OpenVPN server will outperform a distant WireGuard server in both speed and latency.
Which VPN protocol is most secure?
WireGuard, OpenVPN, and IKEv2/IPsec are all secure when properly configured. WireGuard has the smallest code surface area (making auditing easier) and uses modern algorithms with no configurable weak options. OpenVPN's security depends heavily on configuration — a poorly configured OpenVPN setup can use weak ciphers. L2TP without IPsec is not encrypted at all; avoid it.
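As an added example (not part of this article or of any vendor's tooling), the small Python linter below flags the weak settings called out in the IKEv2/IPsec section above (SHA-1/MD5, DH groups below 14) and in this answer (weak OpenVPN ciphers and old TLS versions). It assumes strongSwan-style `ike=`/`esp=` proposal lines and standard OpenVPN directives; the sample configurations are constructed, not taken from a real deployment.

```python
import re

# Weak or legacy building blocks: DES/3DES, MD5/SHA-1, DH groups below 14 (modp2048), Blowfish, no HMAC.
WEAK_IPSEC = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536", "null"}
WEAK_OVPN_CIPHER = {"none", "bf-cbc", "des-cbc", "des-ede3-cbc", "rc2-cbc", "cast5-cbc"}
WEAK_OVPN_AUTH = {"none", "md5", "sha1"}

def check_ipsec(text):
    """Scan strongSwan-style ike=/esp= lines; proposals are comma-separated, components '-'-joined."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*(ike|esp)\s*=\s*(\S+)", line)
        if not m:
            continue
        for proposal in m.group(2).rstrip("!").split(","):  # trailing '!' means strict proposal
            for part in proposal.split("-"):
                if part.lower() in WEAK_IPSEC:
                    findings.append(f"{m.group(1)}: weak component '{part}' in '{proposal}'")
    return findings

def check_openvpn(text):
    """Scan OpenVPN directives: cipher, data-ciphers, auth, tls-version-min."""
    findings = []
    for line in text.splitlines():
        tokens = line.lower().split()
        if len(tokens) < 2 or tokens[0][0] in "#;":  # skip comments and bare directives
            continue
        directive, arg = tokens[0], tokens[1]
        if directive == "cipher" and arg in WEAK_OVPN_CIPHER:
            findings.append(f"cipher: weak data cipher '{arg}'")
        elif directive == "data-ciphers":  # colon-separated negotiation list (OpenVPN 2.5+)
            findings += [f"data-ciphers: weak entry '{c}'" for c in arg.split(":") if c in WEAK_OVPN_CIPHER]
        elif directive == "auth" and arg in WEAK_OVPN_AUTH:
            findings.append(f"auth: weak HMAC '{arg}'")
        elif directive == "tls-version-min" and arg in ("1.0", "1.1"):
            findings.append(f"tls-version-min: TLS {arg} is obsolete")
    return findings

# Constructed sample configs (hypothetical, for demonstration only).
SAMPLE_IPSEC = """conn legacy-mobile
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
conn modern-mobile
    ike=aes256-sha256-modp2048,aes256gcm16-sha256-ecp256!
    esp=aes256gcm16-ecp256!
"""
SAMPLE_OVPN = """# client profile exported from an old server
cipher BF-CBC
auth SHA1
tls-version-min 1.0
"""
```

Running `check_ipsec(SAMPLE_IPSEC)` reports three findings, all from the `legacy-mobile` connection, and `check_openvpn(SAMPLE_OVPN)` reports the Blowfish cipher, SHA-1 HMAC and TLS 1.0 floor; a profile using `data-ciphers AES-256-GCM:CHACHA20-POLY1305`, `auth SHA256` and `tls-version-min 1.2` produces no findings.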
Why does my VPN app have automatic protocol selection?
Because no single protocol works on all networks. Automatic mode tries WireGuard first (fastest), falls back to OpenVPN UDP if WireGuard fails, then falls back to OpenVPN TCP 443 if UDP is blocked. This covers home, corporate, hotel, and mobile scenarios without user intervention. You can override automatic selection if you know a specific network's restrictions.
Does protocol choice affect privacy?
The protocol affects how detectable your VPN traffic is and what metadata leaks are possible, but not the underlying privacy of the tunnel once established. WireGuard requires that the server store your IP address while you are connected (by design), which some privacy-focused providers address with double-NAT or ephemeral key rotation. OpenVPN and IKEv2 do not have this characteristic. For high-privacy use cases, check how your specific provider implements WireGuard.