VPN protocols explained

Using a VPN is not rocket science - all you need to do is download the app, choose a location and press the connect button. But if we go deeper, there is more to fiddle with - VPN protocols. But what are they, really?

You’ve probably seen such names as OpenVPN or WireGuard, or heard something about their speed and other properties. Such descriptions are often highly technical and not easy to understand if you don’t have the technical knowledge.

However, worry not because in this article, we’ll explain what VPN protocols are, how they work, take a look at a couple of different ones, and suggest which VPN protocol is the best for particular use cases.

What is a VPN protocol?

A VPN protocol is a set of rules on how the data will be packaged and sent over a private network. They establish VPN tunnels to safely exchange data. It is sort of similar to sending a package via post in real life. Let’s look at an analogy:

Let’s say you’re sending an expensive tea set to your grandma abroad. If you want it to reach her in one piece, you'll have to wrap it in bubble wrap, add a "fragile" sticker on the box, and choose a reputable delivery service. But if you're sending a baseball bat to your cousin, fragile stickers and bubble wrap won’t be necessary.

Different VPN protocols are like the bubble wrap - or the absence of it - when it comes to sending data over the VPN. The less encryption and verification (bubble wrap), the faster data delivery is. But with less encryption, online traffic becomes less secure.

Therefore, when it comes to specific purposes when security is less important than speed and vice versa, it is best to use different protocols that prioritize different aspects of the data exchange process. We discuss which protocols are best for different use cases further down in the article.

Now that we know the basics of a VPN protocol, let’s take a look at the most common ones.

Common VPN protocols

Here are the most common VPN protocols in more detail:

IKEv2

Internet Key Exchange version 2, or IKEv2 for short, is very common on VPN mobile apps. The reason for that is that when the connection with a VPN server is interrupted, you will be automatically reconnected. This allows for virtually seamless switching between wifi and mobile data.

The protocol also supports advanced cipher functions. You can use it with 3DES and AES for encryption, with the latter being the safest method.

OpenVPN

Probably the most popular VPN protocol. OpenVPN uses TLS with SSL/TLS for private key exchange. It relies on the OpenSSL crypto library - an index of secure cryptography algorithms that make your tunnel safer.

OpenVPN uses two types of standard network protocols:

• User Datagram Protocol (UDP) - less data verification, therefore quite fast.
• Transmission Control Protocol (TCP) - usually requires multiple data verifications, which in turn slows down the data exchange process. On the other hand, this allows for stable connections and is good for connecting to remote servers.

L2TP/IPSec

Layer 2 Tunneling Protocol (L2TP) doesn't have any encryption, so it also uses the Internet Protocol Security (IPSec) with 256bit AES variant. L2TP creates the tunnel and handles authentication.

L2TP itself is a combination of two protocols that preceded it: Layer 2 Forwarding Protocol and Point to Point Tunneling Protocol. This VPN protocol is considered secure, but there is one concern: L2TP/IPSec was co-developed with NSA, and there are suspicions that there may be backdoors to L2TP/IPSec traffic.

WireGuard

The most recent major tunneling protocol, WireGuard offers by far the best connection speeds, all while maintaining security. This protocol solves problems that arise from IPSec and OpenVPN implementations, which tend to be quite complicated and more prone to misconfigurations. Wireguard has very few lines of code and is therefore very easy to implement or patch.

WireGuard uses publicly available cryptography packages like Poly1305 for data authentication and ChaCha20 for encryption.

WireGuard also offers tools for developers to add their extensions and scripts.

SSTP

Secure Socket Tunneling Protocol (SSTP) is a development of PPTP and L2TP protocols. It sends PPTP or L2TP traffic through the SSL 3.0 channel. This addition allows data integrity checks and encryption measures. Plus, it uses the standard SSL and TCP port 443, so you can bypass most firewalls. It also means that the exchanged data can be unsupervised and work around closed ports and other restrictions put in place by your network administrator.

The SSTP protocol uses 2048-bit certificates for authentication and the 256-bit SSL cipher for encryption. It's one of the most secure VPN protocols, even though it's not very recent.

PPTP

Point to Point Tunneling Protocol (PPTP) is one of the first tunneling protocols, and is gravely outdated. This protocol encrypts data in transit with the MPPE cipher, which is very vulnerable to attacks from modern computers. Data packets could potentially be intercepted and modified. The protocol has no methods to verify the legitimacy of sources which sent the data.

What are proprietary VPN protocols?

Some VPN service providers have created their own tunneling protocols, such as NordVPN’s NordLynx or Hotspot Shield’s Catapult Hydra. Some of these offer better speeds, security, or an improved ability to bypass firewalls.

The main problem with proprietary protocols is that most of them aren’t open-source, most likely to protect the developers’ work. But this also makes inspecting them virtually impossible, and a sense of transparency is lost.

In comparison, some common tunneling protocols like OpenVPN or WireGuard are open-source. This makes them transparent, as anyone who is interested can inspect the source code and verify the security of the protocol.

However, some protocols, like NordLynx, are just modified versions of the same WireGuard or OpenVPN, so there probably is no need to worry that much about their safety.

VPN protocol comparison

Here are the VPN protocols compared in terms of compatibility, encryption, security and efficiency:

Choosing the Best VPN protocols for different use cases

Although it would seem tempting to call Wireguard the best tunneling protocol, the reality may not be as clear cut. Also, not all your devices will support all the existing protocols (relevant if you're using the VPN without a VPN app). In such cases, it's good to know which protocols you should use in which scenarios.

Streaming

If you think about streaming media, you're likely to need speed over privacy. VPNs are often used to avoid geo-blocking, and in such a situation, you're probably less afraid about the police knocking down your door because you've watched a TV series on Hulu. For the best performance, you should probably use NordVPN’s NordLynx, which is built around Wireguard. Simply using WireGuard will also work, and IKEv2, L2TP/IPSec, or even OpenVPN in UDP mode are all decent choices.

Downloads

If you want to download data from P2P networks, you'll have to combine speed with privacy in equal parts. Downloaded torrents put your IP out in the open due to the transparency of BitTorrent. It makes you an easy target for copyright holders as well as hackers. So, you should be using the protocol versions that are secure and speedy like Wireguard, such as NordVPN’s NordLynx, or OpenVPN in UDP mode.

Gaming

If you need a VPN for gaming, your focus should be a slow ping as possible. The best option to reduce is to pick a fast tunneling protocol like IKEv2 or WireGuard and connect to a nearby location. The closer it is, the less distance the signal has to travel back and forth, adding less latency.

Privacy

Suppose you're a whistleblower or someone working in a very restrictive country. In that case, the privacy and security of the connection should be your top goals. For this reason, you should pick only the safest possible protocols: Wireguard and OpenVPN. You also want to seek out a VPN that has some sort of "stealth mode" to bypass firewalls.

FAQ