VPNs have emerged as powerful tools to ensure your security and boost your privacy online. Nevertheless, not all services are built equally in terms of safety. The strength of a virtual private network lies in the VPN protocols that it utilizes.
When we say “VPN protocol,” we’re really talking about the tunneling protocol (sometimes also called the “security protocol”). They determine the level of security, speed, and more subtle characteristics, such as what types of devices they’re better for or which CPUs can handle them better.
In this article, we will look at the most secure VPN protocols in 2023. We will analyze their features, strengths, and weaknesses to see which one is the best.
NordVPN offers the most secure and swiftest VPN protocols. You’ll get OpenVPN and the ultimate, proprietary NordLynx tunneling protocol. It couples WireGuard’s speed with enhanced security. So, you’ll enjoy the best VPN performance.
What is a VPN protocol?
A VPN protocol is a set of rules that determines how a VPN creates and maintains encryption between your device and a VPN server. Additionally, they establish mechanisms used for data encryption, authentication, and data transfer within the virtual private network.
Nevertheless, there are various tunneling protocols that provide different levels of performance and safety. The best VPNs often have OpenVPN, WireGuard, NordLynx, and IKEv2 tunneling protocols. There are some other protocols that we will look at in a bit.
Most secure VPN protocols overview
Below, you’ll find the most popular and well-known VPN protocols. All of them are used by VPN providers to ensure the best performance on different devices.
Some protocols might be more secure and flexible, while others focus on simplicity and speed. Each tunneling protocol has its strengths, allowing users to choose the most suitable option for their needs.
1. OpenVPN – the most used VPN protocol
Authored by James Yonan and released in 2001, OpenVPN is an open source VPN tunneling protocol used to provide secure point-to-point or site-to-site access. Due to its security and open source nature, OpenVPN has become the primary protocol used in commercial VPN solutions.
OpenVPN supports an array of operating systems, including but not limited to Windows, macOS, Android, and iOS.
How does OpenVPN work?
The protocol uses the OpenSSL library for encryption and data authentication, which means it has access to all the ciphers in the OpenSSL library. The most commonly used are AES, Blowfish, and ChaCha20.
OpenVPN uses UDP and TCP as standard network protocols to create a transport tunnel. It allows users to bypass firewalls and Network Address Translation (NAT).
Third-party plug-ins can be used to enable extensions at defined entry points, for example to add username/password authentication on top of OpenSSL. This is also important for keeping the application working as internet firewalls keep changing.
How to use OpenVPN
Most people will not use OpenVPN directly. Nowadays, this protocol is an integral part of most top VPN services, such as NordVPN, Surfshark, Atlas VPN, etc. That’s a good thing – many of these VPN providers combine the secure tunneling capabilities of OpenVPN and strong additional features to provide an all-around product.
With that said, there are situations where using the standalone app makes more sense. In those cases, how to use OpenVPN will differ based on your GUI. For more information, we will again refer you back to OpenVPN’s How To page.
| OpenVPN benefits | OpenVPN drawbacks |
|---|---|
| ✅ Open-source software | ❌ Could be more stable when switching networks |
| ✅ Top-notch encryption & cryptographic algorithms | ❌ Not the best protocol for censorious countries |
| ✅ Offers many configuration options | |
| ✅ Available on many platforms | |
2. IKEv2/IPsec – best VPN protocol for mobile devices
Internet Key Exchange Version 2 (IKEv2) is a protocol developed by Microsoft and Cisco, primarily for mobile users. It was introduced as an updated version of IKEv1 in 2005. The IKEv2 MOBIKE (Mobility and Multihoming) extension allows the client to maintain a VPN connection despite network switches, such as when leaving a Wi-Fi area for a mobile data area.
IKEv2 uses the IPsec protocol suite and works on most platforms, including some less-common ones. It also has native support on iOS, making the protocol particularly good for Apple’s mobile OS.
How does IKEv2 work?
IKEv2 is not a tunneling protocol per se. Whenever you read this title associated with VPN technology, you should assume that it means IKEv2/IPsec. In other words, the two protocols are used in combination, each performing a different function. IKEv2 uses UDP for transport, namely UDP ports 500 and 4500.
Just like OpenVPN, IKEv2 supports a variety of encryption ciphers, the most common of which are, again, AES, Blowfish, and ChaCha20.
IKEv2 is considered one of the fastest tunneling protocols, mainly because it doesn’t place much of a load on the CPU. Perhaps the most important criticism we can level at IKEv2 is that it’s not open source and is not independently auditable.
How to use IKEv2
You’re most likely going to use IKEv2 as part of a VPN app. As mentioned previously, it has benefits as part of a mobile VPN app – that’s where you’ll likely encounter it instead of OpenVPN.
It is also possible to use the protocol independently, and many contemporary VPN services will include instructions on how to do that. IKEv2 use is particularly prominent on iOS, where the protocol enjoys native support. This practice is seen at the top of the VPN market, with services like VyprVPN offering it.
| IKEv2 benefits | IKEv2 drawbacks |
|---|---|
| ✅ Very secure & compatible with lots of ciphers | ❌ Not open-source software |
| ✅ One of the fastest protocols | |
| ✅ Best for smartphones | |
| ✅ Not very CPU-intensive | |
3. WireGuard – super fast & simplistic VPN protocol
WireGuard is at the cutting edge of VPN tunneling technology. The project was started in 2015 by Jason A. Donenfeld with the goal of creating an easily-implementable, easily-auditable, secure, and fast VPN protocol for the 21st century. Instead of taking some sort of framework and upgrading it, WireGuard was built from the ground up. This allowed the team to build something not plagued by many of the old preconceptions behind the most popular tunneling protocols in use today.
The result is widespread adoption or planned adoption within the VPN community. The software already supports most of the major platforms and operating systems.
How does WireGuard work?
Unlike the previously mentioned protocols, WireGuard doesn’t offer a choice of encryption ciphers. It also doesn’t offer the most widely used cipher today – AES. Instead, data encryption is handled by the more modern ChaCha20 cipher, which is a stream cipher rather than a block cipher. It is therefore easier on devices whose CPUs lack native AES support.
Its developers call WireGuard a “connection-less protocol,” because the only state it keeps is a simple handshake, renegotiated every few minutes. This way, the protocol is able to ensure perfect forward secrecy.
Similarly to IKEv2, WireGuard should be particularly resilient to network changes, making it perfect for mobile devices.
How to use WireGuard
You can download WireGuard from the website, where you will also find some instructions on how to install/use it. However, it is also becoming increasingly available as part of consumer VPN services. A notable example is Mullvad VPN, who were one of the first adopters of WireGuard.
| WireGuard benefits | WireGuard drawbacks |
|---|---|
| ✅ The fastest tunneling protocol | ❌ Can’t choose the encryption cipher |
| ✅ Easy to implement | ❌ Doesn’t support TCP (only UDP) |
| ✅ Code is easy to audit | |
| ✅ Very secure | |
4. SSTP – tunneling protocol for bypassing firewalls & geo-blocks
The Secure Socket Tunneling Protocol was designed (and is still owned) by Microsoft and first introduced with Windows Server 2008. As such, it is only available on Windows (with some support on other operating systems) and has a potential security concern – that Microsoft may have a backdoor in place to decipher SSTP traffic.
Despite concerns over Microsoft’s ownership of SSTP (and unlike its younger brother – PPTP), it is considered a secure protocol.
How does SSTP work?
In SSTP, traffic is routed over TCP port 443 through an SSL/TLS channel. The traffic is thus able to bypass proxy servers and even firewalls. This makes SSTP a hard protocol to block and a good choice in countries that rely on DPI to block VPN traffic (like China).
SSTP works similarly to PPTP: it wraps packets of data in a protective sheath. When using Secure Socket Tunneling Protocol, users are required to connect via a standard Transmission Control Protocol (TCP) port, which allows the target server to initiate authentication procedures. This involves sending a couple of encryption keys to the user’s system, which form the basis for the SSTP tunnel. When that’s done, the packets can be sent with relatively high levels of security directly to the server.
As with OpenVPN, SSTP uses OpenSSL, which means the same data encryption ciphers apply: AES, Blowfish, ChaCha20, etc. This makes the protocol cryptographically secure.
How to use SSTP
The protocol is natively supported by Windows, which means you can use it on this OS without any additional third-party software. On other operating systems, you’ll need some sort of app – for example, there’s an SSTP client for macOS called iSSTP.
In terms of using as part of a mainstream VPN client, you will still see the protocol available in some VPN suites (e.g. Astrill VPN), but there aren’t many.
| SSTP benefits | SSTP drawbacks |
|---|---|
| ✅ Solid cryptographic security | ❌ Owned by Microsoft (impossible to audit) |
| ✅ Can pass through firewalls | ❌ Limited support on operating systems outside of Windows |
| ✅ Can work as an anti-DPI protocol | |
5. L2TP/IPsec – highly secure VPN protocol
L2TP/IPsec is a combination of two protocols: the aforementioned IPsec and Layer 2 Tunneling Protocol (L2TP). L2TP originates from Cisco’s (now outdated) L2F and Microsoft’s (equally outdated) PPTP. While the popularity of this protocol combination is waning, it is still used by many mainstream VPN services, particularly on iOS, where developers can’t include OpenVPN as part of their apps.
L2TP/IPsec is considered secure; however, the Snowden leaks revealed that the NSA may have found a way to compromise the protocol.
How does L2TP/IPsec work?
The basic premise of L2TP/IPsec is that L2TP is used to establish a tunnel and IPsec is responsible for encryption/authentication. L2TP does not provide any confidentiality in and of itself, which is why it is mostly used in conjunction with a protocol like IPsec. The data encryption ciphers on IPsec include the secure AES-CBC and AES-GCM, as well as the outdated TripleDES-CBC.
L2TP/IPsec enjoys native support on many operating systems, which means users don’t need third-party software to use it. All that is required are configuration files, which you can get from your VPN service provider.
The connections in L2TP/IPsec are UDP rather than TCP. In particular, it uses UDP port 500 for the initial key exchange, which can sometimes cause issues with firewalls – keep that in mind if your connection simply doesn’t get through.
How to use L2TP/IPsec
Although you can use the protocol natively on most operating systems, regular folks will likely use L2TP/IPsec as part of some VPN apps. Many of the top VPNs on the market still offer the protocol and some rely on it to do the heavy lifting on their iOS apps – CyberGhost is one such example.
| L2TP/IPsec benefits | L2TP/IPsec drawbacks |
|---|---|
| ✅ Secure cryptography | ❌ Allegedly compromised by NSA |
| ✅ Native support on most operating systems | ❌ No TCP support |
| ✅ Quite fast | ❌ Not the best for smartphones |
VPN protocols: Comparison
| | OpenVPN | IKEv2/IPsec | WireGuard | SSTP | L2TP/IPsec |
|---|---|---|---|---|---|
| Stability | Very good | Good | Very good | Adequate | Good |
| Encryption | Very good | Good | Very good | Good | Adequate |
| VPN providers that use the protocol | NordVPN, Surfshark, CyberGhost, etc. | Surfshark, ExpressVPN, etc. | NordVPN, Surfshark, Atlas VPN, etc. | PureVPN, IPVanish, Astrill VPN, etc. | PrivateVPN, ExpressVPN, PureVPN, etc. |
As you can see, one of the best and most versatile VPN protocols is WireGuard. It offers breakneck speeds, strong encryption, and excellent device compatibility. Plus, most industry-leading VPNs, such as NordVPN, Surfshark, and Atlas VPN, utilize this protocol in one way or another. So, enjoy a seamless experience with the WireGuard tunneling protocol.
Here you’ll find VPN protocols that are outdated and shouldn’t be trusted.
PPTP – VPN protocol with terrible security
The Point-to-Point Tunneling Protocol was developed by Microsoft and first implemented with Windows 95. It is supported by most operating systems in general, particularly all versions of Windows. While PPTP is not very reliable, it is nevertheless quite fast. This has a lot to do with its cryptography, which is very weak in relation to the capabilities of contemporary computers.
PPTP is still seen on mainstream VPN apps, but its prevalence is dwindling. And with good reason – it doesn’t provide much security anymore.
How does PPTP work?
Like its more advanced brother SSTP, PPTP is routed over TCP (in this case, port 1723). The tunnel itself is established using Generic Routing Encapsulation (GRE). At both ends of the tunnel, PPTP also authenticates the data packets being transferred, at the beginning and at the end of the process.
From the very beginning, using a PPTP server has been a risky idea for security-conscious web users. By 1998 (three years after the protocol was launched), hackers had published ways to extract password hashes from users employing the MS-CHAPv1 authentication protocol, which is part of the PPTP package.
Since then, PPTP’s list of unfixable security issues has grown to include vulnerabilities to cryptanalysis, brute-force attacks, and dictionary attacks. Multiple components of PPTP have been shown to be inherently susceptible to these: vulnerabilities plague MS-CHAPv1, MS-CHAPv2, as well as MPPE.
Therefore, despite its utility as a fast protocol that requires little computational power, PPTP should not be used where security is needed.
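The sections above each give a protocol's transport and default port: IKEv2/IPsec on UDP 500 and 4500, SSTP on TCP 443, L2TP/IPsec on UDP 500 for its key exchange, and PPTP on TCP 1723 plus a GRE tunnel. A defender can turn those facts into a quick inventory of which tunneling protocols are in use on a network, and flag the ones this article says should no longer be trusted. The script below is an added example written for this article, not code from the article or from any VPN provider. The port numbers named above come from the text; the OpenVPN default (1194 on UDP or TCP), the WireGuard default (UDP 51820), the L2TP port (UDP 1701) and GRE being IP protocol 47 are well-known defaults assumed here. The flow records are constructed sample input.

```python
"""Classify flow records into likely VPN tunneling protocols by transport and port.

Added example for this article (not the article's own code).  Any VPN can be
run on a non-default port, and TCP 443 is shared with ordinary HTTPS, so this
is an inventory heuristic for your own network, not a definitive identification.
"""
from collections import Counter

# (transport, destination port) -> protocol label.  Ports from the article:
# IKEv2 UDP 500/4500, SSTP TCP 443, L2TP/IPsec UDP 500, PPTP TCP 1723 + GRE.
# Assumed defaults: OpenVPN 1194, WireGuard UDP 51820, L2TP UDP 1701.
PORT_SIGNATURES = {
    ("udp", 1194): "OpenVPN (UDP)",
    ("tcp", 1194): "OpenVPN (TCP)",
    ("udp", 500): "IKEv2 or L2TP/IPsec key exchange (IKE)",
    ("udp", 4500): "IKEv2/IPsec NAT traversal",
    ("udp", 1701): "L2TP",
    ("udp", 51820): "WireGuard",
    ("tcp", 443): "SSTP or ordinary HTTPS (ambiguous)",
    ("tcp", 1723): "PPTP control channel",
    ("gre", None): "PPTP data channel (GRE)",
}

# Labels the article says should no longer be trusted.
INSECURE = {"PPTP control channel", "PPTP data channel (GRE)"}


def parse_flow(line):
    """Parse a constructed 'proto src:sport -> dst:dport' record.

    GRE carries no ports, so its records look like 'gre 10.0.0.5 -> 203.0.113.9'.
    Returns (transport, dport) or None for a malformed line.
    """
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    proto = parts[0].lower()
    if proto == "gre":
        return ("gre", None)
    try:
        dport = int(parts[3].rsplit(":", 1)[1])
    except (IndexError, ValueError):
        return None
    return (proto, dport)


def classify(line):
    """Map one flow record to a protocol label, 'unknown' or 'unparseable'."""
    key = parse_flow(line)
    if key is None:
        return "unparseable"
    return PORT_SIGNATURES.get(key, "unknown")


def summarize(lines):
    """Count flows per label and list the insecure protocols that were seen."""
    counts = Counter(classify(line) for line in lines)
    flagged = sorted(label for label in counts if label in INSECURE)
    return counts, flagged


# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    "udp 192.0.2.10:51000 -> 198.51.100.1:1194",
    "udp 192.0.2.11:500 -> 198.51.100.2:500",
    "udp 192.0.2.11:4500 -> 198.51.100.2:4500",
    "udp 192.0.2.12:40000 -> 198.51.100.3:51820",
    "tcp 192.0.2.13:52001 -> 198.51.100.4:443",
    "tcp 192.0.2.14:52002 -> 198.51.100.5:1723",
    "gre 192.0.2.14 -> 198.51.100.5",
    "garbage line",
]

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_FLOWS)
    for label, n in counts.most_common():
        print(f"{n:3d}  {label}")
    if flagged:
        print("insecure tunneling protocols observed:", ", ".join(flagged))
```

Because SSTP deliberately shares TCP 443 with HTTPS (which is what makes it hard to block, as the SSTP section notes), port data alone cannot separate the two; that column is labelled ambiguous on purpose, and confirming it would need TLS-level inspection that this example does not attempt. A PPTP control connection on TCP 1723 paired with GRE between the same hosts is the clearest signal, and the one worth alerting on.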
How to use PPTP
If you are a Windows, macOS, Linux, iOS, or Android user, you’ll be able to use PPTP without any additional software. It is one of the most straightforward protocols for setting up your own VPN server. However, a majority of users will find it integrated in their consumer VPN apps. PPTP is still part of many VPN services despite seriously lacking security.
Overall, instead of using outdated and unreliable protocols, you should pick a VPN that offers multiple secure options. For that, we recommend NordVPN, a service with various industry-standard protocols.
UDP vs TCP
Tunneling protocols such as OpenVPN can be routed over TCP (Transmission Control Protocol) or UDP (User Datagram Protocol). So what’s the difference between the two and when should one be favored over the other?
Both TCP and UDP are used for the same general purpose – to send data from one point to another. Both are built on top of the internet protocol (hence, TCP/IP and UDP/IP) and both are ways of sending packets of data over the internet. There are more protocols serving the same function and these two are simply the most commonly used.
TCP is a connection-based protocol and its main benefits are error checking and reliability. Because in TCP exchanges are controlled – packets are numbered and discrepancies are compensated – data cannot be lost or corrupted on its way from one place to another. Naturally, this process slows connections down simply because it requires back-and-forth communication.
These characteristics of TCP are useful for file transfers as well as browsing the web.
Meanwhile, UDP is a so-called “connectionless” protocol. There’s no error checking as seen in TCP – the packets are sent and they either arrive or are lost. As you would expect, this makes UDP a faster protocol, but also less reliable and prone to in-transit data corruption.
The quickness and one-way nature of UDP is useful for situations where retransmitting lost packets isn’t useful. This includes gaming, streaming, or VoIP.
When it comes to using TCP or UDP with OpenVPN, the choice should also be informed by the applications you intend to use it for. The security level doesn’t change in any meaningful way.
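To make the trade-off described in this section concrete, here is a toy simulation, added for this article and not part of the original text: a channel that drops packets at a fixed rate, a TCP-style sender that numbers every packet, waits for an acknowledgement and retransmits, and a UDP-style sender that fires each packet once and never looks back. It is a model of the behaviour, not a real socket implementation; the loss rate, the random seed and the message list are constructed inputs.

```python
"""Toy model of the TCP-vs-UDP trade-off: reliability costs round trips.

Added example for this article, not the article's own code.  The 'reliable'
sender mimics TCP (sequence numbers, ACKs, retransmission, in-order delivery);
the 'unreliable' sender mimics UDP (send once, never wait, never resend).
"""
import random


class LossyChannel:
    """Drops each packet with probability `loss`; seeded so runs are repeatable."""

    def __init__(self, loss, seed=0):
        self.loss = loss
        self.rng = random.Random(seed)
        self.packets_sent = 0

    def send(self, packet):
        self.packets_sent += 1
        return None if self.rng.random() < self.loss else packet


def send_reliable(messages, channel, max_retries=50):
    """TCP-style: number every packet and resend until it is acknowledged.

    Returns (payloads_in_order, round_trips).  Every attempt costs one round
    trip because the sender waits for the ACK before moving to the next packet.
    """
    received = {}              # receiver side: seq -> payload, duplicates collapse
    round_trips = 0
    for seq, payload in enumerate(messages):
        for _ in range(max_retries):
            round_trips += 1
            data = channel.send((seq, payload))
            if data is None:
                continue                         # data lost: timeout, resend
            received[data[0]] = data[1]          # receiver stores (or re-stores) it
            if channel.send(("ack", seq)) is None:
                continue                         # ACK lost: sender resends anyway
            break                                # acknowledged, next packet
        else:
            raise RuntimeError(f"gave up on packet {seq}")
    in_order = [received[i] for i in range(len(messages))]
    return in_order, round_trips


def send_unreliable(messages, channel):
    """UDP-style: send once, never wait, never resend; gaps simply stay gaps."""
    delivered = []
    for seq, payload in enumerate(messages):
        data = channel.send((seq, payload))
        if data is not None:
            delivered.append(data[1])
    return delivered


def compare(messages, loss, seed=0):
    """Run both senders over channels with the same loss rate and seed."""
    reliable, round_trips = send_reliable(messages, LossyChannel(loss, seed))
    unreliable = send_unreliable(messages, LossyChannel(loss, seed))
    return {
        "reliable_delivered": len(reliable),
        "reliable_in_order": reliable == list(messages),
        "reliable_round_trips": round_trips,
        "unreliable_delivered": len(unreliable),
        "unreliable_sends": len(messages),
    }


if __name__ == "__main__":
    # Constructed sample: 40 video-like frames over a link dropping 30% of packets.
    frames = [f"frame-{i}" for i in range(40)]
    for name, value in compare(frames, loss=0.3, seed=0).items():
        print(f"{name:22s} {value}")
```

The numbers make the section's point: the reliable sender delivers every frame in order but needs far more than one round trip per frame, which is exactly the latency a VoIP call or game cannot absorb; the unreliable sender finishes after one send per frame and simply loses some, which is fine for a live stream and unacceptable for a file transfer. Tunnelling OpenVPN over TCP stacks a second reliability layer on top of whatever the application already does, which is why the choice should follow the application rather than any security consideration.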
WireGuard explained: Video review
Want to learn more about the WireGuard tunneling protocol? Check out the easy-to-follow video review:
VPN protocols are essential to ensure speedy, secure, and private connection between your device and the VPN server. That way, you can browse, stream, torrent, and do other activities on the web without having to worry about various dangers. As we explored multiple protocols, we found out that each of them offers unique features and advantages.
And if you are looking for a VPN with the most secure protocols, we recommend NordVPN. It offers the fastest and most secure options: NordLynx (WireGuard) and OpenVPN. That way, you can traverse through the web trouble-free.
What VPN protocols do you usually use? Let us know in the comments!
Which is the most common VPN protocol?
The most common VPN protocol is OpenVPN. It offers great encryption, decent speeds, and reliable overall performance. Not to mention, it works on most platforms and is highly customizable. Even the top providers like NordVPN or Surfshark still offer this VPN protocol.
What is the most secure VPN protocol?
OpenVPN and IKEv2 are the safest VPN protocol choices. While they might be a bit slow, they will ensure reliable protection. You can also try the WireGuard tunneling protocol, which is one of the most advanced.
What is the difference between NordLynx and OpenVPN?
The main difference between NordLynx and OpenVPN is speed. NordLynx is a lot faster (1200 Mbps) compared to OpenVPN (400 Mbps). Additionally, NordLynx is a proprietary protocol created by NordVPN and based on the WireGuard tunneling protocol.