VPN Protocols Explained: WireGuard, OpenVPN, IKEv2, and More

Most people pick a VPN, install it, and never touch the protocol settings. That's completely understandable — the default usually works. But here's the thing: the protocol your VPN uses isn't just a technical detail buried in the settings menu. It determines how fast your connection runs, how strong your encryption actually is, whether you can punch through restrictive firewalls, and in some cases, whether your traffic can be detected as VPN traffic at all.

The protocol is the engine. Everything else is the chassis.

When security researchers audited popular VPN apps in 2023, they found a significant number still defaulting to older protocols with known vulnerabilities — not because the VPNs were bad, but because users never changed settings they didn't understand. That's a preventable problem.

This article breaks down every major VPN protocol currently in use — WireGuard, OpenVPN, IKEv2/IPsec, L2TP/IPsec, SSTP, and PPTP — in plain language. You'll understand how each one works under the hood, what it's good at, where it falls short, and exactly which one you should be running for your situation. By the end, protocol selection won't be a mystery — it'll be a deliberate, informed choice.

Picture sending a letter through the post. You can drop it in an envelope, seal it, write the address on the front, and hand it over. The postal system handles the rest. Now imagine the protocol is the entire rulebook that defines: what kind of envelope you use, how many locks are on it, how the address gets encoded, which roads the carrier takes, and what happens if the letter gets intercepted halfway. Change the rulebook, and you change almost everything about how that letter travels — and how safe it is.

A VPN protocol is a standardized set of rules that governs how your device creates a secure connection to a VPN server, how your data gets encrypted before it leaves your machine, and how that encrypted data is transmitted and reassembled at the other end. The protocol determines the tunneling method, the cipher suite used for encryption, the authentication mechanism, and the transport layer — whether that's UDP, TCP, or something else entirely.

This matters enormously in practice. Two VPNs can both advertise "military-grade encryption" while using protocols that perform wildly differently in real-world conditions. One might drop your connection every time you switch from Wi-Fi to mobile data. Another might be so computationally heavy that it halves your internet speed. A third might use a protocol that's technically functional but has documented vulnerabilities that intelligence agencies have been quietly exploiting for years.

The VPN protocols landscape has also shifted dramatically in recent years. WireGuard emerged as a genuine paradigm shift — not just an incremental improvement. OpenVPN, which spent the better part of a decade as the gold standard, now shares the throne. IKEv2 remains the preferred choice on mobile networks for reasons that are deeply practical. And then there's the legacy tier — protocols that exist because older systems still rely on them, not because anyone would recommend them today.

Understanding the differences doesn't require a computer science degree. It requires understanding a few key concepts: what the protocol encrypts, how it handles authentication, how resilient it is under different network conditions, and what its track record looks like under adversarial scrutiny. Everything else follows from there.

When WireGuard was first publicly released by security researcher Jason Donenfeld in 2015, the VPN industry didn't take it seriously. It was too small, too new, too radical. By 2020, it had been merged into the Linux kernel — one of the most rigorously reviewed codebases on Earth — and the skeptics had largely gone quiet. That trajectory tells you something important about WireGuard: it earned its reputation the hard way.

How WireGuard's Codebase Changes Everything

The most striking thing about WireGuard isn't its speed or its security — it's its size. The entire protocol implementation is approximately 4,000 lines of code. OpenVPN, by comparison, runs to roughly 400,000 lines. IPsec implementations can exceed that. This isn't just a trivia fact. In security, code surface area is attack surface area. Every line of code is a potential hiding place for a bug, a vulnerability, or an unintentional backdoor. A smaller codebase can be audited by a single skilled security researcher in a weekend. A 400,000-line codebase cannot.

This design philosophy — radical minimalism — is deliberate. WireGuard implements one thing and implements it exceptionally well. It makes no attempt to be all things to all people. It doesn't support a menu of configurable ciphers. It doesn't offer backward-compatible legacy modes. Those are seen as features, not limitations.

The Cryptography Behind WireGuard's Speed

WireGuard uses a carefully selected, fixed set of modern cryptographic primitives: ChaCha20 for symmetric encryption, Poly1305 for message authentication, Curve25519 for key exchange, BLAKE2s for hashing, and SipHash24 for hashtable keys. These aren't arbitrary choices. ChaCha20 in particular was designed to be exceptionally fast on devices without dedicated hardware encryption acceleration — meaning it performs well on smartphones, embedded systems, and older hardware that would struggle with AES-based protocols.

The handshake process — the negotiation that establishes a secure session — completes in a single round trip. Compare that to TLS-based protocols, which can require multiple round trips before a byte of application data is sent. In high-latency environments, that difference is immediately perceptible.

WireGuard also operates at the kernel level rather than in user space, which means it avoids the overhead of context switching between kernel and user space that protocols like OpenVPN incur. The practical result: in independent benchmarks, WireGuard consistently delivers two to three times the throughput of OpenVPN at equivalent hardware, with dramatically lower CPU utilization.

WireGuard's Privacy Tradeoff — And How It's Being Solved

Here's what most people overlook about WireGuard: it was designed with a deliberate privacy limitation baked in. To function efficiently, WireGuard requires that the server store your assigned IP address persistently as long as your keypair is active. Traditional VPN protocols assign IPs dynamically per session and discard them — making it harder to correlate activity across sessions. WireGuard's architecture doesn't do this natively.

This sounds alarming but isn't fatal in practice. VPN providers who implement WireGuard correctly solve this through what's called a double NAT system or a periodic key rotation mechanism — essentially, the server rotates the IP mapping on a schedule so that no single IP can be associated with your long-term identity. Mullvad pioneered this approach with their WireGuard implementation. Most serious VPN providers now use equivalent solutions. The takeaway: WireGuard as a raw protocol has this limitation, but a competent VPN implementation around it eliminates the real-world impact.

When WireGuard Is the Right Choice (And When It Isn't)

WireGuard is the right default for the vast majority of users in 2024. It delivers the best speed-to-security ratio of any protocol currently available, its codebase is auditable, and its cryptographic choices are modern and conservative. It's particularly strong for streaming, gaming, large file transfers, and any scenario where throughput matters.

The scenario where WireGuard may not be ideal: highly restrictive networks that block non-standard UDP ports. WireGuard runs over UDP by default and doesn't have a native TCP fallback. In environments like some corporate networks, certain hotel Wi-Fi configurations, or countries with deep packet inspection infrastructure, WireGuard traffic can be fingerprinted and blocked. In those situations, OpenVPN over TCP port 443 remains the more reliable option.

For most of the 2010s, OpenVPN was the answer to virtually every VPN protocol question. Security researchers trusted it. Privacy advocates recommended it. Enterprise deployments ran on it. That confidence wasn't misplaced — OpenVPN earned it through years of public scrutiny, independent audits, and a track record that held up even when other protocols quietly failed.

OpenVPN is open-source software that implements a custom security protocol based on TLS — the same underlying technology that secures HTTPS connections across the web. It uses the OpenSSL library for its cryptographic operations, which means it inherits both the enormous flexibility and the occasional vulnerabilities of that library. The infamous Heartbleed vulnerability in 2014 affected OpenSSL and, by extension, any OpenVPN deployment that hadn't been patched — a reminder that using battle-tested technology doesn't mean immune to failure.

What OpenVPN does exceptionally well is configurability and firewall traversal. Because it can run over either UDP or TCP, and because it can be configured to run on any port including TCP port 443 (the same port used for HTTPS), OpenVPN traffic can be made essentially indistinguishable from regular web browsing traffic to unsophisticated network inspection tools. This makes it extremely useful in environments where VPN traffic is actively blocked or monitored. A corporate firewall that blocks everything except ports 80 and 443 typically won't block OpenVPN running on port 443.

The flexibility cuts both ways, though. OpenVPN supports an enormous range of cipher suites and configuration options. That's powerful in the hands of a security professional who knows exactly what they're doing, but it creates risk when VPN providers leave default configurations that aren't optimally secure, or when enterprise deployments are misconfigured. The cipher suite negotiation process — the back-and-forth between client and server to agree on encryption settings — can theoretically be downgraded if not configured to reject weak options explicitly.

Performance is OpenVPN's most frequently cited limitation. Running in user space rather than kernel space introduces overhead. TLS handshakes take time. The result is that OpenVPN typically delivers 30–50% lower throughput than WireGuard on equivalent hardware. For browsing, email, and general use, you won't notice. For 4K streaming, high-speed file transfers, or latency-sensitive applications like gaming, the gap becomes meaningful.

OpenVPN's biggest ongoing asset is its independent audit history. Multiple security firms have reviewed the codebase and found it to be fundamentally sound. For users in high-threat environments — journalists, activists, corporate security professionals — that audit history carries real weight. A protocol that thousands of security experts have scrutinized over two decades is a different proposition from one that's newer and less extensively reviewed, regardless of how elegant the newer design is.

Should you use UDP or TCP with OpenVPN? UDP is faster because it doesn't require the acknowledgment overhead that TCP does — packets go out and the protocol doesn't wait for confirmation before sending the next one. TCP guarantees delivery and ordering, which is valuable on unreliable connections but adds latency. The general rule: use UDP unless you're on a network that's blocking it or you're experiencing connection instability, in which case TCP port 443 is your fallback.

IKEv2 — Internet Key Exchange version 2 — wasn't designed with individual privacy in mind. It was designed for enterprise environments that needed fast, reliable VPN connections across mobile networks where signal drops, handoffs between towers, and switching between Wi-Fi and cellular data are facts of life. The fact that it became a popular consumer VPN protocol is a consequence of how well it solved those specific problems.

The defining feature of IKEv2 is MOBIKE — the Mobility and Multihoming Protocol. MOBIKE allows an IKEv2 session to survive a change in the client's IP address without requiring a full reconnection. When your phone switches from your home Wi-Fi to cellular data while you're walking out the door, a protocol without MOBIKE would drop the VPN tunnel and need to re-establish it from scratch. With MOBIKE, the session continues seamlessly. For mobile users, this is the difference between a VPN that works reliably throughout the day and one that constantly needs to reconnect.

IKEv2 uses IPsec for the actual data encryption and runs over UDP port 500 and port 4500. The cryptographic strength is solid — when configured with AES-256, SHA-2, and Diffie-Hellman group 14 or higher for key exchange, IKEv2 meets the security requirements of organizations including intelligence agencies. The NSA's Commercial National Security Algorithm Suite includes IKEv2 for that reason. That's a double-edged endorsement: it means the protocol is cryptographically respected, but it also means that any classified knowledge of weaknesses would never be publicly disclosed.

Speed sits between WireGuard and OpenVPN. IKEv2 handles the handshake efficiently and the IPsec data plane is optimized well on most modern operating systems. iOS and macOS have native IKEv2 support built in, which means it can run without a dedicated VPN app — a useful property in enterprise deployments. Android and Windows also support it natively, though with slightly more setup friction.

The limitation to be aware of: IKEv2 uses fixed UDP ports that are well-known, which means it's relatively easy to block. In countries with aggressive VPN restrictions, or on networks that specifically block VPN traffic, IKEv2 will fail where OpenVPN on port 443 would succeed. It also isn't open source in the same way as WireGuard or OpenVPN — while the protocol specification is a public RFC standard, specific implementations vary and not all are independently audited.

For most mobile users who aren't operating in restricted environments, IKEv2 is an excellent choice. The seamless reconnection behavior alone makes it noticeably smoother than alternatives when you're moving around.

These protocols aren't recommended as your primary option, but understanding them matters — both for situations where you might encounter them and for understanding why VPN protocol design has evolved the way it has.

L2TP/IPsec — Layer 2 Tunneling Protocol paired with IPsec — was the successor to PPTP and the dominant protocol of the early 2000s. L2TP itself doesn't provide encryption; it's just a tunneling mechanism. IPsec is added as a separate layer to provide confidentiality and integrity. This double-encapsulation architecture is part of why L2TP/IPsec is slower than modern alternatives — data goes through two layers of processing where one would suffice.

The bigger concern is security history. Documents disclosed by Edward Snowden in 2013 suggested that the NSA had deliberately influenced the IPsec standards process to introduce weaknesses, and that L2TP/IPsec specifically had been compromised at scale. This hasn't been independently confirmed with technical precision, and the academic debate continues. But the combination of performance limitations, the Snowden revelations, and the availability of clearly superior alternatives makes L2TP/IPsec a protocol you should avoid unless a legacy system forces your hand.

SSTP — Secure Socket Tunneling Protocol — was created by Microsoft and uses TLS over TCP port 443, which gives it excellent firewall traversal properties similar to OpenVPN on the same port. It's natively supported on Windows, which is occasionally useful. The problem is that SSTP is closed-source and proprietary. Microsoft controls the specification entirely, independent audits of the implementation are not possible, and given that Microsoft has historically cooperated with government surveillance programs under PRISM (disclosed by Snowden), trusting a closed Microsoft protocol with your privacy requires a degree of faith that most security professionals aren't comfortable extending. If you're on Windows and need port-443 traversal, OpenVPN configured on that port is a better choice.

PPTP — Point-to-Point Tunneling Protocol — should be treated as broken. Full stop. Microsoft developed it in 1999 and it was already showing serious weaknesses by the early 2000s. The MS-CHAPv2 authentication used by PPTP was cracked in 2012 with publicly available tools — meaning anyone on your network can intercept and decrypt PPTP traffic with modest technical skill and free software. The only reason PPTP still appears in any VPN client is for compatibility with extremely old infrastructure. If you see PPTP as an option, never select it for any purpose where the connection content matters.

With the individual protocols covered, here's how they stack up across the dimensions that matter most to real users. This table is designed to give you a fast reference point — the nuance lives in the sections above.

The speed ratings deserve a note. PPTP appears fast because it barely encrypts anything — speed from absence of security is not a feature. WireGuard's speed comes from elegant, efficient cryptographic design. The gap matters.

Firewall traversal matters more than most users realize until they need it. If you travel internationally, work from hotels or airports, or live in a country with internet restrictions, a protocol that can be easily blocked will fail you at the worst moment.

The thing nobody tells you is that there isn't one universally correct answer. The best protocol depends on a combination of your device, your network environment, and what you're primarily using the VPN for. Here's how to think through it.

If you want the best all-around experience for everyday use: WireGuard. It's fast, it's secure, its codebase has been reviewed extensively, and for most network environments it just works. Major providers who implement it correctly have solved the IP persistence issue. Start here.

If you're in a country with active VPN blocking, or on a restrictive corporate or school network: OpenVPN configured on TCP port 443. Its traffic is nearly indistinguishable from HTTPS to basic inspection tools, and it's survived in restrictive environments for years. This is the protocol that gets journalists and activists online when other options fail.

If you're primarily using VPN on a smartphone and move frequently between Wi-Fi and mobile data: IKEv2. The MOBIKE reconnection behavior makes a tangible difference in daily use. You won't notice your VPN reconnecting because it doesn't need to.

If you're a security professional or work in a high-threat environment where the protocol's audit history matters above all else: OpenVPN or WireGuard, both of which have public source code and documented audit histories. In this context, SSTP and L2TP/IPsec should be explicitly excluded regardless of performance considerations.

If a device or legacy system is forcing a specific protocol: Understand the limitations of whatever you're using, and compensate where possible (additional layers of security, careful about what you transmit over that connection).

One more factor worth considering: your threat model. A protocol that's slightly slower but has a decade of peer-reviewed scrutiny is worth more to a human rights journalist than a faster but newer option. A user who wants better Netflix performance has a completely different calculus. Both of those are valid situations — they just call for different answers.

If you've followed everything above, you now know exactly what to look for — and what questions to ask when evaluating any VPN service. Here's how UCN VPN approaches the protocol question.

UCN VPN uses WireGuard — the protocol security professionals actually recommend in 2026. Legacy and questionable protocols are deliberately excluded: including broken options creates unnecessary risk for users who might select them without understanding the implications.

WireGuard is the default for new connections on UCN VPN — implemented with the key rotation and double NAT architecture that eliminates the IP persistence concern described earlier in this article. You get WireGuard's speed without sacrificing the session anonymity that responsible VPN deployment requires.

The cryptographic configuration follows current best practice: ChaCha20-Poly1305 for data encryption, Curve25519 for key exchange, BLAKE2s for hashing. Forward secrecy is structural in WireGuard's Noise protocol handshake — new keys are negotiated independently for each session, so a compromised session key cannot expose any past or future session.

What matters here isn't just that UCN VPN supports the right protocols — it's that the implementation decisions behind those protocols reflect an understanding of how they actually work in the real world. Protocol support without correct implementation is meaningless. The detail is in the configuration, and that's where the difference between a trustworthy VPN and a marketing exercise becomes apparent.

What is the best VPN protocol to use?

For most users in most situations, WireGuard is the best VPN protocol available today. It offers the fastest speeds, a minimal auditable codebase, modern cryptographic primitives, and strong security when implemented correctly. If you're on a restrictive network or in a region with VPN blocking, OpenVPN on TCP port 443 is a better choice. IKEv2 is the strongest option for mobile users who switch frequently between Wi-Fi and cellular. The "best" protocol ultimately depends on your specific use case — but WireGuard is the correct starting point for the majority of people.

Is WireGuard better than OpenVPN?

WireGuard is faster than OpenVPN in almost every benchmark — typically delivering two to three times the throughput with significantly lower CPU usage. It's also simpler and easier to audit. OpenVPN has advantages in specific scenarios: it handles restrictive firewalls better (particularly when configured on TCP port 443), it has a longer documented audit history, and it offers more configuration flexibility for specialized deployments. For everyday use, WireGuard is the stronger choice. For censorship circumvention or environments where VPN traffic is actively blocked, OpenVPN remains essential.

What VPN protocol is the most secure?

WireGuard and OpenVPN are effectively tied for the most secure protocols in common use, with IKEv2 close behind. WireGuard uses a fixed set of modern cryptographic primitives with no legacy negotiation modes that could be downgraded. OpenVPN's security depends partly on configuration — correctly implemented with strong ciphers and forward secrecy enabled, it's extremely robust. IKEv2 with AES-256 is cryptographically sound and is used by enterprises with strict security requirements. L2TP/IPsec carries documented concerns from the Snowden disclosures. PPTP is cryptographically broken and should never be used.

Is IKEv2 safe?

Yes — IKEv2 is a safe and well-regarded protocol when configured correctly. It uses IPsec for encryption and, with AES-256 and SHA-2, meets the security requirements of intelligence-grade deployments. Its primary advantage is the MOBIKE extension, which allows VPN sessions to survive IP address changes — making it particularly reliable on mobile devices. The main caveats are that its fixed UDP ports make it easier to block than OpenVPN on port 443, and that specific implementations vary in quality. A correctly implemented IKEv2 connection is a secure one.

Why is WireGuard so much faster than OpenVPN?

Three factors explain most of the performance gap. First, WireGuard runs in kernel space, avoiding the context-switching overhead of OpenVPN's user-space operation. Second, WireGuard's handshake completes in a single round trip, while TLS-based OpenVPN requires multiple. Third, WireGuard uses ChaCha20 for symmetric encryption, which is architecturally faster than AES on devices without hardware acceleration. The result is that WireGuard uses dramatically less CPU time to process the same amount of data — which translates directly to higher throughput and lower latency, especially on less powerful devices.

Should I use UDP or TCP with OpenVPN?

UDP is the better default for OpenVPN in most situations. It's faster because it doesn't require delivery acknowledgment — packets go out without waiting for confirmation, which reduces overhead and latency. TCP guarantees delivery and packet ordering, which adds overhead but is useful on unreliable connections or when UDP traffic is being blocked. The specific case for TCP port 443 is firewall traversal: because port 443 is the standard HTTPS port, OpenVPN traffic on this port typically passes through even restrictive firewalls without triggering VPN blocking rules. Use UDP unless you have a specific reason not to.

Is PPTP VPN still safe to use?

No. PPTP should not be used under any circumstances where the security of the connection matters. The authentication mechanism used by PPTP — MS-CHAPv2 — was comprehensively broken in 2012 using publicly available tools. This means anyone with modest technical skill and access to your network traffic can decrypt PPTP connections. The speed of PPTP comes from minimal cryptographic overhead, which is not a benefit when that overhead is what would otherwise protect your data. If you see PPTP as an option in any VPN client, avoid it. Any modern protocol — including IKEv2 — is a safer choice.

Can a VPN protocol be detected and blocked?

Yes, and this happens in practice in countries with internet restrictions and on some corporate networks. Protocols with fixed, well-known port configurations — like WireGuard on UDP or IKEv2 — are relatively straightforward to block at the firewall level. OpenVPN on TCP port 443 is harder to block because it mimics HTTPS traffic, though sophisticated deep packet inspection can still identify it by analyzing traffic patterns. Some VPN providers offer additional obfuscation layers on top of standard protocols specifically to address this. In high-restriction environments, protocol selection and obfuscation capability together determine whether a VPN connection succeeds at all.

Every privacy decision you make online sits on a foundation built by protocols — and for most people, that foundation has been invisible. The good news is that understanding VPN protocols doesn't require understanding every cryptographic detail. It requires knowing what each protocol was designed to solve, where it performs well, and where it falls short. WireGuard, OpenVPN, and IKEv2 are the protocols worth knowing. The rest are context and history.

WireGuard is the right choice for everyday speed, mobile reliability, and modern security. The legacy protocols — especially PPTP — are warnings about what happens when security takes a back seat to convenience.

The protocol settings in your VPN app are there for a reason. Now you know how to use them deliberately. UCN VPN is built around exactly these principles — protocol selection, correct implementation, and honest tradeoffs — because the difference between privacy that works and privacy that merely looks good usually lives in details like these.

Knowing what protocol you're running, and why, is the difference between using a VPN and actually understanding what it's doing for you.

→ WireGuard Protocol: Speed, Security, and Setup Guide

→ OpenVPN Deep Dive: How It Works and When to Use It