The best VPN protocols and differences between VPN types

A VPN protocol is a ruleset determining how data is encrypted and online traffic moves between a device and a VPN server. VPN providers use these protocols to deliver stable and secure connections for their users. Typically, each protocol focuses on a specific combination of features, for instance, compatibility and high speed or robust encryption and network stability.

However, no VPN protocol is perfect. Each may have potential vulnerabilities, documented or yet to be discovered, that may compromise your online security. Let’s look into each protocol’s pros and cons.

Though there’s a variety of VPN protocols in the market, we’ll review the six most popular ones widely used within the VPN industry.

OpenVPN is a very popular and highly secure protocol many VPN providers use. It runs on either the TCP (transmission control protocol) or UDP (user datagram protocol) internet protocol. The former guarantees that your data is delivered in full and in the right order, while the latter focuses on faster speeds. Many VPNs, including NordVPN, will let you choose between the two.

Pros

• 

  Open source, meaning it’s transparent. Anyone can check the code for hidden backdoors or vulnerabilities that might compromise your VPN’s security.
• 

  Versatility. It can be used with an array of different encryption and traffic protocols, configured for different uses, or be as secure or light as you need it to be.
• 

  Security. Since OpenVPN is an open source protocol, it’s compatible with additional features that can enhance the protocol’s security.
• 

  Bypasses most firewalls. Firewall compatibility isn’t an issue when using NordVPN, but it can be if you ever set up your own VPN. Fortunately, with OpenVPN, you’ll be able to bypass your firewall easily.

Cons

• 

  Complex setup. Its versatility means that most users may be paralyzed by choice and complexity if they try to set up their own OpenVPN server.

When to use it. OpenVPN is a good choice when you need comprehensive security and stable connections, especially when browsing on unsecure public Wi-Fi.

IKEv2/IPsec establishes an authenticated and encrypted connection. Microsoft and Cisco developed it to be fast, stable, and secure. As part of the IPsec internet security toolbox, IKEv2 uses other IPsec tools to provide comprehensive VPN coverage.

Pros

• 

  Stability. IKEv2/IPsec uses a tool called the Mobility and Multi-homing Protocol, which supports a VPN connection as you move between internet connections. This makes IKEv2/IPsec a dependable and stable protocol for mobile devices.
• 

  Security. As part of the IPsec suite, IKEv2/IPsec works in combination with other secure algorithms, making it a secure VPN protocol.
• 

  Speed. It takes up little bandwidth when active, and its network address translation (NAT) traversal makes it connect and communicate faster. It also helps to get through firewalls.

Cons

• 

  Complex Configuration. Setting up IKEv2/IPsec is more complex compared to other protocols. Its configuration requires good knowledge of networking concepts and might be too complicated for a beginner VPN user.

When to use it. With IKEv2/IPsec, you won’t lose your VPN connection when switching from Wi-Fi to mobile data, so it is a good choice when you’re on the move. It also quickly bypasses firewalls and can offer high speeds online.

WireGuard is the newest and fastest tunneling protocol the entire VPN industry is talking about. It uses state-of-the-art cryptography that outshines the current leaders – OpenVPN and IKEv2/IPsec. However, it’s still considered experimental, so VPN providers need to look for new solutions (like NordLynx by NordVPN) to overcome WireGuard’s shortcomings.

Pros

• 

  Free and open source. Anyone can look into its code, which makes it easier to deploy, audit, and debug.
• 

  Modern and extremely fast. It consists of only 4,000 lines of code, making it “the leanest” protocol of them all. In comparison, OpenVPN code approximately has 100 times more lines.

Cons

• 

  Room for improvement. WireGuard seems to be the “next big thing,” but its implementation is still in its growing stages with some room for improvement.

When to use it. Use WireGuard whenever speed is a priority: Streaming, online gaming, or downloading large files.

Secure Socket Tunneling Protocol (SSTP) is a fairly secure and capable VPN protocol created by Microsoft. It has its upsides and downsides, meaning that each user has to decide for themselves whether this protocol is worth using. Despite being primarily a Microsoft product, SSTP is available on other systems besides Windows.

Pros

• 

  Secure. Similarly to other leading VPN protocols, SSTP supports the AES-256 encryption protocol.
• 

  Bypasses firewalls. SSTP can get through most firewalls without interrupting your communications.

Cons

• 

  Owned by Microsoft, meaning that the code isn’t available to security researchers for testing. Microsoft has been known to cooperate with the NSA and other law-enforcement agencies, so some suspect that the system may have backdoors. Many VPN providers avoid this protocol.

When to use it. SSTP is generally good for enhancing privacy while browsing the internet.

Layer 2 tunneling protocol (L2TP) doesn’t actually provide any encryption or authentication – it’s simply a VPN tunneling protocol that creates a connection between you and a VPN server. It relies on other tools in the IPsec suite to encrypt your traffic and keep it private and secure. This protocol has a few convenient features, but certain issues prevent it from being a leading VPN protocol. (L2TP is not among supported NordVPN protocols.)

Pros

• 

  Security. Ironically, L2TP not offering any security at all makes it fairly secure. That’s because it can accept a number of different encryption protocols, making the protocol as secure or lightweight as you need it to be.
• 

  Widely available. L2TP is available on almost all modern consumer systems, meaning admins will have no trouble finding support and get it running.

Cons

• 

  Slow. The protocol encapsulates data twice, which can be useful for some applications but makes it slower compared to other protocols that only encapsulate your data once.
• 

  Has difficulties with firewalls. Unlike other VPN protocols, L2TP has no clever ways to get through firewalls. Surveillance-oriented system administrators use firewalls to block VPNs, and people who configure L2TP themselves are an easy target.

When to use it. It’s beneficial to use L2TP when you want to connect several company branches into one network.

Point-to-Point Tunneling Protocol (PPTP) was created in 1999 and was the first widely available VPN protocol designed to tunnel dial-up traffic. It uses some of the weakest encryption ciphers of any VPN protocol on this list and has plenty of security vulnerabilities. (PPTP is not a supported NordVPN protocol.)

Pros

• 

  Fast. It doesn’t require a lot of resources to be run, so modern machines operate PPTP very efficiently. It’s fast but offers minimal security.
• 

  Highly compatible. In the years since it was made, PPTP has become the bare minimum standard for tunneling and encryption. Almost every modern system and device supports it, which makes it easy to set up and use.

Cons

• 

  Insecure. Numerous vulnerabilities and exploits have been identified for PPTP. Some, though not all, have been patched, but even Microsoft has encouraged users to switch to L2TP or SSTP.
• 

  Cracked by the NSA. The NSA is said to decrypt this protocol as a matter of course regularly.
• 

  Blocked by firewalls. As an old, outdated, bare-bones protocol, PPTP connections are easier to block via a firewall. If you’re using the protocol at a school or business that blocks VPN connections, this can disrupt your service.

When to use it. Since PPTP is an old protocol, it’s considered not secure and is better to be avoided.

VPN protocol	Speed	Encryption	Streaming	Stability	P2P	Available in NordVPN app
OpenVPN	Fast	Very good	Good	Good	Good
IPsec/IKEv2	Fast	Very good	Good	Very good	Good
Wireguard*	Very fast	Very good	Good	Very good	Good
SSTP	Medium	Good	Medium	Medium	Good
L2TP/IPsec	Medium	Medium	Poor	Good	Poor
PPTP	Fast	Poor	Poor	Good	Poor

* Our NordLynx protocol is built around WireGuard and you can find it on the NordVPN app.

The best VPN protocol is a question of preference. It depends largely on your needs, priorities, and the contexts in which you will use your VPN. Every VPN protocol has its own advantages and disadvantages, which you should consider before making your choice. Below are the main factors you should think of before choosing the right VPN for you:

• Security. OpenVPN and WireGuard are protocols that can offer the most robust encryption and the highest level of security. OpenVPN uses an AES 256-bit encryption key, widely used by top-tier entities, such as NASA and the military. Meanwhile, WireGuard® uses a comparatively new and sturdy encryption protocol called XChaCha20. It’s faster than AES 256-bit encryption and doesn’t require special hardware, making it increasingly popular on the cyber scene.
• Speed and performance. Currently, WireGuard is one of the fastest VPN protocols on the market. It offers quicker connection times than its counterparts and an improved battery life for mobile devices. IKEv2/IPsec is also considered a fast protocol, especially efficient at reestablishing broken VPN connections. NordLynx by NordVPN couples WireGuard’s speed with enhanced security and is your best choice for gaming.
• Compatibility. Being an open-source protocol, OpenVPN offers a high level of versatility and can be supported by almost all platforms, from desktops to mobile devices. IKEv2 is compatible with the majority of mobile platforms, whereas SSTP is a good choice if you’re using a Windows device since it’s natively supported.
• Stability on mobile networks. IKEv2/IPsec provides a strong connection over mobile devices and allows users to switch between networks without risking their security. This makes it the most stable VPN protocol for mobile devices.
• Bypassing firewalls and restrictions. SSTP uses port 443, which is typically open on most networks and effectively bypasses firewalls and other network restrictions. OpenVPN can also be configured to work on port 443, offering some rivalry to SSTP.
• Easy configuration. As a relatively new and technologically advanced protocol, WireGuard is your best choice for a simple configuration and setup.
• Open source and proprietary protocols. While proprietary protocols are the sole responsibility of their developers, open-source protocols are more transparent because the security enthusiast can audit them publicly. It helps to spot and patch software vulnerabilities more efficiently. That’s why many privacy and security experts prefer OpenVPN and WireGuard protocols.

A VPN can be used in various situations and for various reasons, be it for accomplishing specific tasks for your work or leisurely browsing the internet. Let’s take a look at the different types of VPNs and their use cases.

Remote access VPN

Remote access VPNs allow employees to securely access their company’s internal network and resources from remote locations. Businesses primarily use them to keep their resources secure and have more robust access control. For this, they typically use multi-factor authentication (MFA) methods and allow access to specific resources based on an employee’s role or department.

Site-to-site VPN

Site-to-site VPNs extend a company’s network between different locations. They can be divided into two categories:

• Intranet-based VPNs, which combine multiple LANs to one private network.
• Extranet-based VPNs, which companies use to extend their network and share it with partners or customers.

Personal VPNs

Personal VPNs enable individual users to connect to a private network remotely. They encrypt the user data and send it through an encrypted tunnel to a VPN server. Afterward, the encrypted data gains the IP address of a VPN server and is transferred to the endpoint – a website, for instance.

Mobile VPNs

Mobile VPNs allow mobile devices to securely access their home network with its resources and software applications while being on network. Mobile VPNs are designed to handle switching between wireless and wired networks without dropping secure VPN sessions and maintaining a stable connection at all times.

Browser-based VPN/VPN Proxy Extension

A browser-based VPN is a service designed to operate specifically on a web browser. Web-based VPNs only encrypt and route the online traffic from a browser on which it’s installed. Essentially, they are HTTPS proxies that route your web traffic through a remote server. Browser-based VPNs utilize Secure Sockets Layer/Transport Layer Security (SSL/TLS) for encryption. However, they don’t cover an entire device’s connection.

A VPN is not the only way to connect to private networks. It’s also not the only tool to securely share files and access resources over public networks. Below is the list of alternatives of a VPN:

• Peer-to-peer (P2P) file sharing. A P2P connection allows users to share files with each other without using dedicated servers.
• Multi-protocol label switching (MPLS) VPN. It’s a protocol typically used by VPN service providers to forward encrypted data packets through the network. It’s easily scalable and versatile without compromising security.
• Dynamic multipoint virtual private network (DMVPN). This VPN modality allows enterprises to create a mesh VPN network for direct communication between sites without requiring an intermediary hub. DMVPN is typically used for branching networks, optimizing performance, and reducing latency.
• IKEv2 mobility and multihoming (MOBIKE). An extension of the IKEv2 protocol, MOBIKE supports mobile VPN clients by allowing them to move between different networks and IP addresses without impairing their VPN connection.
• Secure Shell (SSH). Similarly to a VPN, SSH is used to secure access to various systems when connecting over unsecured networks. It’s usually network administrators that get the most benefits from SSH. The main difference between a VPN and SHH is that an SSH works only on the application level, whereas a VPN protects all internet traffic.
• Layer 2 Forwarding Protocol (L2F). A precursor to a modern VPN, the L2F Protocol was established to support the connection between remote workers and enterprise networks. It was designed to work over dial-up networks.
• Generic routing encapsulation (GRE). GRE encapsulates network layer protocols inside point-to-point connections. Afterward, it creates virtual point-to-point links that are meant to reach remote routers over IP networks.

Check out our video on VPN protocols below:

Why is it important to choose the right VPN protocol and type for you?

Every type of VPN has its own specific features and use cases, and every VPN protocol was created with a specific focus in mind. Rounding up your needs and choosing a VPN can help you get the best service.

What is the latest VPN protocol?

The latest VPN protocol on the market is WireGuard. Released in 2015, WireGuard received praise for its efficiency, simplicity, and robust security standards from many industry experts and is widely used among VPN service providers.

Can I switch between different VPN protocols?

You can switch between different VPN protocols. However, every protocol has different performance and security characteristics, which will likely impact your VPN connection in one way or another.

Some VPN providers have taken additional steps and created their own VPN protocols, mixing functionalities of already established ones. For instance, NordVPN has created its own iteration of WireGuard called NordLynx. It allows faster connection to VPN servers and improves VPN connection speed without compromising security.

Though many reliable VPN providers allow VPN protocol switching, you should always make sure that both your VPN client and VPN server support the desired protocol. For a smoother process, consider checking out NordVPN’s protocol switching guidelines.