Most VPN apps let you switch protocols in settings and then offer zero explanation of what any of them actually do. WireGuard, OpenVPN, IKEv2, L2TP, PPTP. All sitting there in a dropdown. Some are modern. Some are battle-tested. One of them was broken in 2012 and has no business being on that list at all.
Here's the short version if you genuinely don't want to read the whole thing. Use WireGuard for almost everything. Use OpenVPN TCP if you're behind a firewall that blocks VPN traffic. Use IKEv2 on your phone if your connection drops when you switch between Wi-Fi and cellular. Avoid PPTP like it owes you money.
Now here's the full breakdown, with real numbers and actual reasons.
What a VPN Protocol Actually Is
Think of a VPN like an armored truck delivering your data. The VPN is the truck. The protocol is the engine. Same destination, completely different performance depending on what's under the hood.
A VPN protocol is the set of rules that determines how your device creates the encrypted tunnel to the VPN server, how that tunnel stays alive, how fast data moves through it, and how it behaves when something goes wrong. Two VPNs using different protocols on the same server hardware will have completely different speeds, security properties, and behavior in restrictive network environments.
This is not a settings-page thing to ignore. The protocol you're using changes what your VPN actually does for you.
WireGuard: The New Standard
WireGuard was designed from scratch in 2015 by Jason Donenfeld and officially released in 2020. It was built to be fast, secure, and auditable. The code that runs the entire thing is about 4,000 lines. For context, OpenVPN is over 100,000 lines, and the Linux kernel is millions of lines. WireGuard is small enough that a single security researcher can read the entire implementation in an afternoon.
That simplicity matters. A smaller codebase means fewer places for bugs to hide. It also means external auditors can actually verify the whole thing, not just spot-check representative sections. WireGuard has been independently audited multiple times and was incorporated directly into the Linux kernel in 2020, which is about as close to an official stamp of approval as software gets.
The Encryption It Uses
WireGuard uses ChaCha20-Poly1305 for encryption, which is the same cipher suite Google uses in their QUIC protocol and Apple uses in iMessage. It's modern, fast on hardware that doesn't have AES acceleration built in (most phones), and has no known practical weaknesses. It also uses Curve25519 for key exchange, which is far simpler and less prone to implementation errors than the older approaches OpenVPN uses.
The Speed Numbers
On a gigabit connection, WireGuard consistently hits around 892 Mbps with roughly 5.6% protocol overhead. That overhead is mostly unavoidable encryption cost. At this point it's barely noticeable. Most internet connections aren't fast enough to see it at all.
The One Genuine Downside
WireGuard assigns you a static internal IP address on the VPN server. This isn't a security disaster, but it does mean that if a VPN provider keeps connection logs, your static IP makes it easier to correlate sessions over time. Good providers solve this by rotating IPs or using a layer on top of WireGuard (NordVPN's NordLynx does exactly this). If your VPN hasn't addressed this, it's worth asking them how they handle it. Check their no-logs audit for details.
OpenVPN: The 20-Year Veteran
OpenVPN has been around since 2001. That's not a criticism. Twenty years of production use means twenty years of real-world attack attempts, security patches, independent audits, and hardening. It is one of the most thoroughly battle-tested pieces of security software that exists.
It uses AES-256-GCM encryption by default, which is the same standard used by the US government for classified information. The code is over 100,000 lines, which makes comprehensive auditing difficult, but many organizations have attempted it over the decades and the results have generally been good.
The Superpower: It Bypasses Everything
Here's what makes OpenVPN irreplaceable even in a world where WireGuard exists. OpenVPN TCP can be configured to run on port 443, which is the same port that all regular HTTPS web traffic uses. From the outside, your VPN traffic looks identical to someone visiting a website. A corporate firewall that blocks all VPN protocols will still let port 443 traffic through. A censored country's deep packet inspection can't easily distinguish it from normal browsing.
WireGuard is UDP-only and runs on non-standard ports. It gets blocked easily in restrictive environments. OpenVPN TCP on port 443 is the closest thing to an unkillable tunnel that exists.
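To confirm that a profile really uses the TCP/443 transport described above, the following added example (not from the original article) resolves the transport and port of every `remote` line in an OpenVPN client profile, including fallback servers that inherit the UDP/1194 defaults. The hostnames and the sample profile are constructed, and the profile is assumed to contain no `<connection>` blocks.

```python
# Added example, not from the article: resolve which transport and port each
# `remote` in an OpenVPN client profile will actually use.
DEFAULT_PROTO = "udp"   # OpenVPN default when no `proto` is given
DEFAULT_PORT = 1194     # OpenVPN default when no `port` is given

def effective_remotes(profile_text):
    """Return [(host, port, 'tcp' | 'udp'), ...], one entry per `remote` line."""
    proto, port, remotes = DEFAULT_PROTO, DEFAULT_PORT, []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith(";"):     # blank or commented-out line
            continue
        key, *args = line.split()
        if key == "proto" and args:
            proto = args[0]
        elif key == "port" and args:
            port = int(args[0])
        elif key == "remote" and args:
            remotes.append(args)
    resolved = []
    for args in remotes:
        # `remote host [port] [proto]`: per-remote values override the globals,
        # wherever in the file the global `proto` / `port` lines appear.
        r_port = int(args[1]) if len(args) > 1 else port
        r_proto = args[2] if len(args) > 2 else proto
        # tcp, tcp-client, tcp4, tcp6-client ... all mean TCP
        kind = "tcp" if r_proto.startswith("tcp") else "udp"
        resolved.append((args[0], r_port, kind))
    return resolved

def not_on_tcp_443(profile_text):
    """Hosts the client may try over something other than TCP port 443."""
    return [h for h, p, k in effective_remotes(profile_text) if (p, k) != (443, "tcp")]

# Constructed sample profile (hostnames are placeholders).
SAMPLE_PROFILE = """\
client
dev tun
; remote old.example.net 1194
remote vpn1.example.net 443 tcp-client
remote vpn2.example.net        # inherits the global proto and port
proto udp
cipher AES-256-GCM
"""

if __name__ == "__main__":
    for host, port, kind in effective_remotes(SAMPLE_PROFILE):
        print(f"{host}: {kind}/{port}")
    print("not on TCP 443:", not_on_tcp_443(SAMPLE_PROFILE))
```

In the sample, the second server silently falls back to UDP on port 1194, which is exactly the traffic a restrictive network drops.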
The Speed Numbers
OpenVPN UDP averages around 702 Mbps on a gigabit connection with about 25.7% overhead. OpenVPN TCP is slower than UDP because of the additional connection management overhead. On most real-world connections neither will feel slow, but the gap compared to WireGuard is measurable in benchmarks.
IKEv2/IPSec: The Mobile Specialist
IKEv2 (Internet Key Exchange version 2) paired with IPSec is a protocol that was developed jointly by Microsoft and Cisco. It is built into iOS, macOS, Windows, and most Android versions natively. No additional software required on most devices. That's convenient.
Speed-wise it sits between WireGuard and OpenVPN, averaging around 815 Mbps on a gigabit connection with about 13.8% overhead. Solid performance, nothing special.
The Superpower: MOBIKE
IKEv2 has a feature called MOBIKE (Mobility and Multihoming Protocol) that maintains your VPN tunnel when your device changes networks. Walk out of your house on Wi-Fi, your phone switches to 4G, and the VPN connection doesn't drop. It just follows the network change seamlessly. No reconnection delay. No brief exposure of your real IP.
WireGuard also handles network switching pretty well in practice. But IKEv2's implementation of this is more mature and built into the protocol specification itself rather than being an add-on behavior. If your phone constantly moves between networks and connection drops are a real problem for you, IKEv2 solves it cleanly.
The Caveat
Parts of IKEv2's implementation are closed-source on some platforms, particularly on Windows and iOS. You're trusting Microsoft's and Apple's implementations. For most people this is fine. For someone with serious security requirements, the partial black-box nature is a legitimate concern that WireGuard and OpenVPN don't have.
Side-by-Side Comparison
⚡ WireGuard
🔒 OpenVPN
📱 IKEv2/IPSec
The Protocols You Should Completely Ignore
🚫 PPTP: Genuinely Broken Since 2012
PPTP (Point-to-Point Tunneling Protocol) was fine in the 1990s. It is not fine now. Its 56-bit encryption can be cracked with modern hardware in minutes. Security researchers published practical attacks against PPTP's authentication system back in 2012 and it has never been fixed. There are documented cases of intelligence agencies decrypting captured PPTP traffic. If any VPN app still defaults to PPTP or even offers it prominently, that tells you something important about their engineering judgment.
⚠️ L2TP/IPSec: Potentially Compromised
L2TP by itself has no encryption. It's always used with IPSec layered on top, hence L2TP/IPSec. The encryption isn't terrible, but in 2013 documents from the NSA whistleblower Edward Snowden suggested that the NSA may have inserted a backdoor into IPSec during its standardization process. This was never conclusively proven or disproven. Is it likely your traffic would be targeted? Probably not. Is there a better option available? Yes, three of them. So there's really no reason to use L2TP/IPSec in 2026.
If you open your VPN app settings and see "PPTP" set as the default protocol, change it immediately. Some older VPN apps and routers still ship with PPTP because it's easy to implement. Easy to implement also means easy to break.
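The same check can be scripted for saved profiles on a Linux machine. The following added example (not from the original article) classifies NetworkManager keyfiles by protocol and reports the ones that need attention. The verdict labels are this example's reading of the article's guidance, and the sample keyfiles and the `com.example.vendorvpn` plugin name are constructed.

```python
# Added example, not from the article: flag saved NetworkManager VPN profiles
# that use the protocols the article says to avoid.
import configparser

# service-type strings are the NetworkManager VPN plugin names; the verdicts
# are this example's reading of the article's guidance.
PLUGINS = {
    "org.freedesktop.NetworkManager.pptp": ("PPTP", "replace"),
    "org.freedesktop.NetworkManager.l2tp": ("L2TP/IPSec", "avoid"),
    "org.freedesktop.NetworkManager.openvpn": ("OpenVPN", "ok"),
    "org.freedesktop.NetworkManager.strongswan": ("IKEv2/IPSec", "ok"),
}
SEVERITY = {"replace": 0, "avoid": 1, "review": 2}   # report order

def classify(keyfile_text):
    """Return (profile name, protocol, verdict) for one keyfile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(keyfile_text)
    name = cp.get("connection", "id", fallback="(unnamed)")
    ctype = cp.get("connection", "type", fallback="")
    if ctype == "wireguard":              # WireGuard is a native connection type
        return name, "WireGuard", "ok"
    if ctype != "vpn":                    # ethernet, wifi, ...
        return name, "not a VPN", "skip"
    service = cp.get("vpn", "service-type", fallback="")
    # Unknown plugin: proprietary or unrecognised, so a human should look at it.
    proto, verdict = PLUGINS.get(service, (service or "unknown", "review"))
    return name, proto, verdict

def audit(keyfiles):
    """Findings that need action, worst first."""
    hits = [r for r in map(classify, keyfiles) if r[2] in SEVERITY]
    return sorted(hits, key=lambda r: SEVERITY[r[2]])

def keyfile(name, ctype, service=None):
    """Build a constructed sample keyfile (not a real saved profile)."""
    text = f"[connection]\nid={name}\ntype={ctype}\n"
    return text + (f"\n[vpn]\nservice-type={service}\n" if service else "")

SAMPLES = [
    keyfile("vendor-app", "vpn", "com.example.vendorvpn"),
    keyfile("home-wg", "wireguard"),
    keyfile("old-l2tp", "vpn", "org.freedesktop.NetworkManager.l2tp"),
    keyfile("office-legacy", "vpn", "org.freedesktop.NetworkManager.pptp"),
    keyfile("wired", "ethernet"),
]

if __name__ == "__main__":
    for name, proto, verdict in audit(SAMPLES):
        print(f"{verdict:8} {name}: {proto}")
```

On a real host the keyfiles would be read from `/etc/NetworkManager/system-connections/`, which requires root.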
Which Protocol for Which Situation
For everyday use (streaming, browsing, working from home)
WireGuard. It's the fastest, it's simple, it's well-audited. Modern VPNs like NordVPN (NordLynx), Surfshark, and ExpressVPN (Lightway, which is WireGuard-based) all default to WireGuard variants. If your VPN app has an "Automatic" setting, it will probably pick WireGuard and that's the right call. The speed advantage is real and noticeable on slower connections.
For bypassing censorship or corporate firewalls
OpenVPN TCP on port 443. This is the protocol choice for users in countries with deep packet inspection, or anyone trying to use a VPN on a network that actively blocks VPN traffic. A hotel Wi-Fi that blocks all VPN protocols won't block port 443 TCP because that would break the entire internet. OpenVPN on port 443 is the right tool for this exact problem.
For mobile devices with unreliable connections
IKEv2 if your VPN supports it and connection drops when switching networks are genuinely bothering you. WireGuard is a solid second option and many users won't notice a practical difference. The MOBIKE advantage of IKEv2 shows up most in situations where you're moving around a lot and switching networks frequently, like commuting.
For maximum security and auditability
WireGuard or OpenVPN. Both are fully open-source, both have been independently audited multiple times, and both have strong cryptographic foundations. If you're deciding between them on pure security grounds, WireGuard's smaller codebase arguably makes it easier to verify. OpenVPN's longer track record means more total eyes have reviewed it over time. Reasonable people pick either one.
THE PROTOCOL DOESN'T FIX LOGGING: Switching from OpenVPN to WireGuard does not make a bad VPN good. If your provider logs connection metadata, the protocol choice doesn't change that. The protocol affects speed and security of the tunnel. It doesn't affect whether the company keeps records of who used it. For that, you need a third-party audited no-logs policy from a provider in a privacy-friendly jurisdiction.
A Note on Proprietary Protocols
Several major VPNs now offer their own protocols. ExpressVPN has Lightway. NordVPN has NordLynx. Hotspot Shield has Catapult Hydra. These are almost all either built on WireGuard or designed to solve the same problems WireGuard solves. The marketing names are mostly branding.
Lightway is actually a well-regarded protocol that ExpressVPN open-sourced in 2021. NordLynx is WireGuard with a double NAT layer added to address the static IP issue. Both are legitimate engineering decisions, not just badge polishing.
Proprietary protocols from smaller or less transparent providers deserve more skepticism. If a VPN touts a "proprietary encryption system" without publishing any technical details, that's a red flag. Security doesn't come from secrecy about how the system works. It comes from open, audited implementations that can be verified independently.
The Verdict
For most people, most of the time: WireGuard. It's fast, it's modern, it's auditable, and the speed difference is real enough to matter on slower connections or congested servers.
If you're somewhere with heavy internet censorship or you use public Wi-Fi that blocks VPN traffic: OpenVPN TCP on port 443. It's slower but it goes through everything.
If you're constantly switching between Wi-Fi and mobile data and the reconnection lag is genuinely annoying you: IKEv2. The MOBIKE feature is legitimately useful for mobile use and most phones support it natively.
The worst outcome isn't picking the wrong protocol between these three. It's leaving it on PPTP because you never changed the default. Check your settings. Change it if it needs changing. Then forget about it and get on with your day.