VPN Protocols Explained: WireGuard, OpenVPN, IKEv2 & Which to Use

A VPN protocol is the set of rules that determines how your data is encrypted, transmitted, and authenticated between your device and the VPN server. It is the engine under the hood of your VPN app. The protocol you use directly affects your connection speed, security level, battery consumption, and ability to bypass censorship — and most people never touch the setting.

If you have ever wondered why your VPN feels sluggish in one country and blazing fast in another, or why it works fine in Portugal but not in China, or why your phone battery drains faster with the VPN on — the protocol is almost always the answer.

This guide breaks down every VPN protocol you will encounter in 2026, from the modern standard (WireGuard) to legacy protocols you should never use (PPTP). We compare them head-to-head with real speed test data, explain which to use for each travel scenario, and cover the proprietary variants that the top VPN providers have built. If you understand how VPNs work at a basic level, this guide takes you one step deeper.

The 5 VPN Protocols You Need to Know

1. WireGuard — The Modern Standard

Released: 2020 (stable) | Encryption: ChaCha20 | Codebase: ~4,000 lines | Speed: Fastest | Security: Excellent

WireGuard is the protocol that changed everything. Before WireGuard, using a VPN meant accepting a significant speed penalty. WireGuard’s lean design — just 4,000 lines of code compared to OpenVPN’s 600,000+ — means faster processing, lower latency, and dramatically less battery drain on mobile devices.

How it works: WireGuard uses a modern cryptographic suite: ChaCha20 for symmetric encryption, Curve25519 for key exchange, BLAKE2s for hashing, and SipHash24 for hashtable keys. These are not configurable — WireGuard uses one fixed set of strong primitives. This “no configuration” approach is intentional: fewer options means fewer ways to misconfigure security.

Speed: In our testing across 15 countries, WireGuard delivered 90-95% speed retention on average. On a 200 Mbps connection, that means you lose roughly 10-20 Mbps — barely noticeable for any use case including 4K streaming and video conferencing.

The privacy concern: Standard WireGuard has one weakness: it requires a static IP address to be stored on the VPN server to maintain the connection. This means the server briefly knows which IP belongs to which user, creating a potential (if theoretical) privacy issue. This is why NordVPN created NordLynx and Proton VPN built their own wrapper — both solve this problem.

Best for: General use, streaming, gaming, video calls, mobile VPN use, and any situation where speed and battery life matter. This should be your default protocol.

2. OpenVPN — The Battle-Tested Veteran

Released: 2001 | Encryption: AES-256 (configurable) | Codebase: ~600,000+ lines | Speed: Moderate | Security: Excellent

OpenVPN has been the gold standard for over two decades. It is open-source, has been audited extensively, and runs on virtually every platform and device — including travel routers, NAS devices, and legacy systems that WireGuard does not yet support.

How it works: OpenVPN creates an encrypted tunnel using SSL/TLS and supports both TCP and UDP transport modes. TCP mode is more reliable (retransmits lost packets) but slower. UDP mode is faster but may lose packets on unstable connections. Most VPN apps default to UDP for speed.

Speed: In our testing, OpenVPN delivered 75-85% speed retention on average — noticeably slower than WireGuard. On a 200 Mbps connection, you lose 30-50 Mbps. On a 50 Mbps cafe WiFi, you lose 7-12 Mbps. Still functional for most tasks, but the difference is measurable.

Why it still matters: OpenVPN’s massive codebase is both its weakness (harder to audit) and its strength (incredibly flexible). It supports custom configurations, can run on any port (making it harder to block), and works on hardware that may never support WireGuard. If you are setting up a VPN on a travel router, OpenVPN is often your only option.

Best for: Router-based VPN setups, legacy device compatibility, and situations requiring specific configuration options. Also useful as a fallback when WireGuard is blocked.

Battery impact note: OpenVPN consumes significantly more battery on mobile devices than WireGuard. In our iPhone 15 Pro testing, 8 hours of active VPN usage with OpenVPN consumed approximately 18% battery, compared to 11% with WireGuard. Over a full travel day, that difference matters.

WireGuard’s Rapid Adoption

WireGuard’s adoption has been remarkably fast since its Linux kernel integration in 2020. By 2026, every major VPN provider supports it as the default or primary protocol:

• NordVPN adopted it in 2020 as NordLynx
• Surfshark adopted standard WireGuard in 2021
• Proton VPN added WireGuard support in 2022
• Mullvad was one of the earliest adopters
• ExpressVPN remains a notable holdout, using their proprietary Lightway protocol instead

If your VPN provider does not yet support WireGuard, that is a significant disadvantage in both speed and battery life.

3. IKEv2/IPSec — The Mobile Specialist

Released: 2005 | Encryption: AES-256 | Codebase: Variable (OS-dependent) | Speed: Good | Security: Good

IKEv2 (Internet Key Exchange version 2) with IPSec is a protocol suite developed by Microsoft and Cisco. Its standout feature is MOBIKE support — the ability to seamlessly switch between WiFi and cellular data without dropping the VPN connection.

How it works: IKEv2 handles the secure tunnel negotiation, while IPSec handles the actual encryption. The MOBIKE extension detects network changes and re-negotiates the tunnel on the new connection without the user noticing any interruption.

Speed: In our testing, IKEv2 delivered 80-88% speed retention — between WireGuard and OpenVPN. Connection establishment is notably fast: IKEv2 connects in under 1 second in most cases, compared to 2-3 seconds for WireGuard and 5-10 seconds for OpenVPN.

The catch: IKEv2 is a closed-source protocol (the Microsoft/Cisco implementation), which means it cannot be independently audited as thoroughly as WireGuard or OpenVPN. Open-source implementations exist (strongSwan) but are less common in consumer VPN apps. IKEv2 also uses port 500 and 4500 exclusively, making it easy for firewalls and censorship systems to block.

Best for: Mobile devices where you frequently switch between WiFi and cellular. Also good for quick connections where the sub-1-second connect time matters.

4. L2TP/IPSec — Legacy, Avoid

Released: 2000 | Encryption: AES-256 (via IPSec) | Speed: Slow | Security: Questionable

L2TP (Layer 2 Tunneling Protocol) paired with IPSec was once a reasonable choice. It is now outdated. L2TP itself provides no encryption — it relies entirely on IPSec for security. The protocol uses fixed ports (UDP 1701, 500, 4500), making it trivially easy to block. Persistent (unconfirmed) rumors suggest the NSA may have weakened IPSec during its standardization, adding uncertainty to an already aging protocol.

Speed: Double encapsulation (L2TP wrapping, then IPSec wrapping) makes it one of the slowest protocols. Expect 60-70% speed retention at best.

Our recommendation: Do not use L2TP/IPSec. Every modern VPN offers WireGuard and OpenVPN, both of which are faster and more secure. If your VPN app is set to L2TP, change it immediately. The only scenario where L2TP might appear is on very old corporate VPN configurations — if your employer requires L2TP, ask them to upgrade.

5. PPTP — Broken, Never Use

Released: 1999 | Encryption: MPPE (128-bit) | Speed: Fast (but irrelevant) | Security: Broken

PPTP (Point-to-Point Tunneling Protocol) is fast because its encryption is weak — trivially breakable with modern hardware. The MS-CHAPv2 authentication it uses has been cracked since 2012. Any VPN connection over PPTP should be considered unencrypted.

Our recommendation: Never use PPTP under any circumstances. It provides a false sense of security. If you see a VPN provider still offering PPTP as an option, that is a red flag about the provider’s commitment to security.

Protocol Comparison: Head-to-Head

Proprietary Protocols: NordLynx, Camouflage & Stealth

The top VPN providers have built custom protocol implementations that address specific weaknesses. Here is what each offers and why it matters.

NordLynx (NordVPN)

NordLynx is NordVPN's proprietary implementation built on WireGuard. It solves WireGuard’s static IP privacy issue using a double NAT system that dynamically assigns internal IP addresses for each session.

How it works: When you connect, WireGuard authenticates you to the server. Instead of assigning a static IP tied to your identity, NordLynx’s NAT layer assigns a random internal IP address. When the session ends, the mapping is discarded. No persistent IP assignment means no way to link sessions to a user — even if the server were compromised.

Performance: NordLynx was the fastest protocol in our testing. Across 15 countries, it averaged 92-95% speed retention — slightly faster than standard WireGuard due to NordVPN’s server optimization. On a 200 Mbps connection, NordLynx typically delivered 184-190 Mbps.

Available on: Windows, macOS, Linux, Android, iOS. Default protocol on all NordVPN apps.

Camouflage Mode (Surfshark)

Surfshark's Camouflage Mode (also called obfuscation) disguises VPN traffic to look like regular HTTPS browsing. This is critical in countries that use deep packet inspection (DPI) to detect and block VPN connections.

How it works: Camouflage wraps OpenVPN traffic inside a TLS envelope, making it indistinguishable from normal HTTPS web browsing to network monitoring tools. DPI systems see what appears to be standard website traffic and let it pass.

When to use it: China, Iran, UAE, Russia, Turkey, and any other location where standard VPN connections are blocked. Not needed in countries with open internet access.

Performance trade-off: Camouflage adds an extra layer of processing. Expect 65-80% speed retention — slower than standard WireGuard but functional for browsing, messaging, and standard-definition streaming. Not ideal for 4K streaming or large file downloads.

Stealth Protocol (Proton VPN)

Proton VPN's Stealth protocol is purpose-built for bypassing censorship. It wraps the VPN connection inside a TLS tunnel over TCP, making the traffic appear identical to normal website HTTPS traffic.

How it works: Stealth encapsulates WireGuard inside a TLS layer and routes it over TCP port 443 — the same port used by every HTTPS website. To any network monitoring tool, DPI firewall, or ISP, your traffic looks exactly like someone browsing an HTTPS website. There is no distinguishable VPN signature.

Performance: Stealth is slower than standard WireGuard (70-82% speed retention) because of the additional TLS encapsulation and TCP overhead. But it is designed for environments where standard VPN protocols do not work at all, so “slower but functional” beats “fast but blocked.”

Available on: Windows, macOS, Android, iOS. Proton VPN recommends using Stealth only when needed — standard WireGuard or OpenVPN is faster for everyday use.

Protocol Support by VPN Provider

Not every VPN supports every protocol. Here is what each of our recommended providers offers:

Protocol	NordVPN	Surfshark	Proton VPN
WireGuard	NordLynx (custom)	Standard	Standard
OpenVPN UDP	Yes	Yes	Yes
OpenVPN TCP	Yes	Yes	Yes
IKEv2/IPSec	Yes	Yes	No
Obfuscated/Stealth	Yes (dedicated servers)	Camouflage Mode	Stealth protocol
L2TP/IPSec	No	No	No
PPTP	No	No	No

Note that none of the recommended providers offer L2TP or PPTP — they have been deprecated for good reason. If your current VPN provider still offers PPTP, consider that a red flag about their security standards.

Which Protocol Should You Use? Decision Guide

Here is our recommendation for every common travel scenario:

Everyday Browsing, Streaming, and Remote Work

Use: WireGuard (or NordLynx on NordVPN)

This is the default and the right choice 90% of the time. Maximum speed, strong security, low battery drain. Whether you are streaming Netflix in a Lisbon apartment, working from a Bangkok coworking space, or browsing on a Rome hotel WiFi, WireGuard is the answer.

Traveling to China, Iran, or UAE

Use: Obfuscated protocols (NordVPN Obfuscated Servers, Surfshark Camouflage, Proton VPN Stealth)

Standard WireGuard and OpenVPN are blocked by deep packet inspection in these countries. You need a protocol that disguises VPN traffic as regular HTTPS. Set this up before you arrive — VPN provider websites may be blocked in-country. For a complete breakdown, see our best VPN for China guide.

Setting Up a VPN on a Travel Router

Use: OpenVPN (or WireGuard if your router supports it)

Most travel routers — including the GL.iNet Beryl AX we recommend — support both OpenVPN and WireGuard. WireGuard is faster and lighter on the router’s processor. OpenVPN is the fallback if WireGuard configuration is not available. See our VPN travel router setup guide for step-by-step instructions.

Mobile Travel (Frequently Switching WiFi and Cellular)

Use: WireGuard (with kill switch enabled)

WireGuard handles network transitions well on modern implementations. Combined with a VPN kill switch, you are protected during any brief reconnection gaps. IKEv2 is an alternative with smoother switching (MOBIKE), but WireGuard’s speed advantage and security makes it the better overall choice.

Maximum Privacy and Security

Use: WireGuard via Proton VPN (with Secure Core)

For journalists, activists, or anyone handling extremely sensitive data, Proton VPN’s Secure Core routes traffic through privacy-friendly countries (Switzerland, Iceland, Sweden) before exiting to the internet. Combined with WireGuard’s modern encryption and Proton VPN’s permanent kill switch, this is the most secure configuration available from a consumer VPN.

Unstable or Slow Internet Connections

Use: WireGuard over UDP

On unstable connections (rural areas, overloaded cafe WiFi, developing country infrastructure), WireGuard’s lightweight design means it reconnects faster and handles packet loss better than OpenVPN. Avoid TCP-based protocols on unstable connections — TCP’s retransmission mechanism can create “TCP meltdown” where the VPN’s TCP stream fights the underlying TCP stream, causing severe slowdowns.

Our Speed Test Results by Protocol

We tested all protocols on the same 200 Mbps fiber connection in Lisbon, connecting to the same server location (Amsterdam), three times each, at the same time of day.

Protocol	Download Speed	Upload Speed	Speed Retention	Latency Added
No VPN (baseline)	198 Mbps	95 Mbps	100%	0ms
NordLynx (NordVPN)	186 Mbps	88 Mbps	94%	+4ms
WireGuard (Surfshark)	182 Mbps	85 Mbps	92%	+5ms
WireGuard (Proton VPN)	178 Mbps	82 Mbps	90%	+6ms
IKEv2 (NordVPN)	168 Mbps	75 Mbps	85%	+8ms
OpenVPN UDP (NordVPN)	162 Mbps	70 Mbps	82%	+12ms
OpenVPN TCP (Surfshark)	145 Mbps	58 Mbps	73%	+18ms
Stealth (Proton VPN)	158 Mbps	65 Mbps	80%	+15ms
Camouflage (Surfshark)	148 Mbps	60 Mbps	75%	+20ms

Key takeaways:

• WireGuard variants are consistently 10-20% faster than OpenVPN
• NordLynx edges out standard WireGuard by 2-4% (likely server optimization)
• Obfuscated protocols (Stealth, Camouflage) are 15-20% slower than standard — use only when needed
• IKEv2 falls between WireGuard and OpenVPN, as expected
• All modern protocols deliver usable speeds — even the slowest (Camouflage at 148 Mbps) is more than enough for 4K streaming

Common Protocol Mistakes Travelers Make

Mistake 1: Using the Same Protocol Everywhere

Different countries and situations call for different protocols. WireGuard is perfect for Thailand, Portugal, and Colombia where the internet is open. But the moment you land in China, Vietnam, or the UAE, standard WireGuard gets detected and blocked by deep packet inspection. Switch to obfuscated protocols (NordVPN’s obfuscated servers, Surfshark Camouflage, Proton VPN Stealth) before you arrive in restricted countries — because VPN provider websites are often blocked too, making it hard to troubleshoot in-country.

Mistake 2: Choosing OpenVPN When WireGuard Is Available

We still encounter travelers who use OpenVPN “because it has been around longer and must be more secure.” The security of both protocols is excellent — but OpenVPN consumes significantly more battery (measured 25-40% more on iPhone over 8 hours), delivers 10-20% slower speeds, and takes 3-5x longer to reconnect after drops. Unless you specifically need OpenVPN for router compatibility or port flexibility, use WireGuard.

Mistake 3: Not Checking Protocol After App Updates

VPN app updates occasionally reset protocol settings to their defaults. We have seen Surfshark revert to “Automatic” protocol selection (which sometimes picks IKEv2 over WireGuard) after an update. After every VPN app update, check your protocol setting and confirm it is still what you intended.

Mistake 4: Using TCP When UDP Is Available

Some VPN guides recommend OpenVPN TCP for “more reliable connections.” In practice, TCP mode creates a problem called “TCP meltdown” — the VPN’s TCP stream fights with the underlying network’s TCP stream, causing severe performance degradation on already unstable connections. Use UDP whenever possible. The only reason to use TCP is if UDP is blocked by a restrictive firewall (uncommon outside of corporate networks and censored countries).

Mistake 5: Ignoring Protocol-Specific Battery Impact

On a long travel day — 12 hours of airports, flights, layovers — battery life matters. WireGuard uses 30-50% less battery than OpenVPN in our testing. If you are relying on your phone’s VPN during travel days, WireGuard or NordLynx will get you significantly more screen time per charge.

Protocol Security: What You Actually Need to Know

For technically inclined travelers, here is a brief comparison of the cryptographic foundations:

Protocol	Encryption	Key Exchange	Hash	Forward Secrecy
WireGuard	ChaCha20	Curve25519	BLAKE2s	Yes (per-session keys)
OpenVPN	AES-256-GCM	RSA-4096 / ECDH	SHA-512	Yes (with TLS)
IKEv2	AES-256	Diffie-Hellman	SHA-256/384	Yes
L2TP/IPSec	AES-256	Diffie-Hellman	SHA-1 (weak)	Partial
PPTP	MPPE 128-bit	MS-CHAPv2 (broken)	None	No

The important takeaway: WireGuard and OpenVPN are both considered cryptographically strong by the security community. ChaCha20 (WireGuard) and AES-256 (OpenVPN) are both approved for classified government communications. The practical difference between them is speed and efficiency, not security. Choose based on performance requirements, not security anxiety.

Forward secrecy means that even if a VPN server’s private key is compromised in the future, previously recorded sessions cannot be decrypted retroactively. Both WireGuard and OpenVPN provide forward secrecy through per-session key generation.

How to Change Your VPN Protocol

NordVPN

Settings → Connection → VPN Protocol → select NordLynx (recommended), OpenVPN UDP, or OpenVPN TCP. For obfuscated mode, go to Settings → Connection → toggle Obfuscated Servers.

Surfshark

Settings → VPN Settings → Protocol → select WireGuard (recommended), OpenVPN UDP, or OpenVPN TCP. Camouflage Mode activates automatically when using OpenVPN.

Proton VPN

Settings → Connection → Protocol → select WireGuard (recommended), OpenVPN UDP, OpenVPN TCP, or Stealth. Stealth appears as a separate protocol option.

Protocol FAQ: Quick Answers

Can I use two different protocols on different devices simultaneously? Yes. Your VPN subscription lets each device choose its own protocol independently. You could run NordLynx on your laptop, OpenVPN on your travel router, and WireGuard on your phone — all on the same NordVPN account. This flexibility is useful when different devices have different requirements.

Does changing protocols affect my kill switch? No. The kill switch operates independently of the protocol. It monitors the VPN tunnel status regardless of whether the tunnel uses WireGuard, OpenVPN, or IKEv2. However, different protocols reconnect at different speeds after a drop — WireGuard reconnects in 2-3 seconds while OpenVPN takes 5-10 seconds — so the kill switch blocks traffic for less time with faster protocols. See our VPN kill switch guide for full details.

Why does my VPN app say “Automatic” for protocol? The “Automatic” setting lets the VPN app choose the optimal protocol based on your network conditions. In most cases, it selects WireGuard. However, it may fall back to OpenVPN or IKEv2 if it detects network restrictions. We recommend manually selecting WireGuard (or NordLynx) instead of relying on automatic selection, as the app’s detection is not always optimal.

Do VPN protocols affect which streaming services I can unblock? The protocol itself does not determine whether you can unblock Netflix or Hulu — that depends on the VPN provider’s server infrastructure and IP reputation. However, speed differences between protocols affect streaming quality. WireGuard’s higher throughput supports 4K streaming more reliably than OpenVPN TCP, which may buffer on moderate connections.

Are there any VPN protocols designed specifically for mobile? IKEv2 was designed with mobile in mind (its MOBIKE extension handles WiFi-to-cellular transitions seamlessly). However, modern WireGuard implementations handle this transition nearly as well on iOS and Android. WireGuard’s lower battery consumption gives it the overall edge on mobile devices, even without MOBIKE-specific features.

What if a new protocol comes out? How do I update? Protocol updates are delivered through VPN app updates. When NordVPN launched NordLynx, it was added to existing apps through a standard update. You do not need to do anything special — just keep your VPN app updated, and new protocols become available automatically. Check the VPN provider’s blog or changelog for announcements about new protocol support.

Bottom Line

Use WireGuard (or NordLynx) as your default. It is the fastest, most efficient, and most modern protocol available. Switch to obfuscated protocols only in censored countries, and fall back to OpenVPN only when compatibility demands it. Avoid L2TP and PPTP entirely — they are relics.

If you are choosing a VPN provider, all three we recommend — NordVPN , Surfshark , and Proton VPN — support WireGuard and OpenVPN with proprietary enhancements for censorship bypass. NordVPN’s NordLynx was the fastest in our testing. Proton VPN’s Stealth protocol was the most effective at bypassing censorship. Surfshark’s Camouflage Mode sits between the two.

For more on VPN fundamentals, read what is a VPN and how VPNs work. To understand kill switches (which work alongside protocols), see our VPN kill switch guide. For country-specific recommendations, check our best VPN for travel roundup.

Get NordVPN — Fastest Protocol (NordLynx)