When installing and using a VPN, you can usually choose a protocol like OpenVPN, WireGuard, or Lightway—ExpressVPN’s own high-speed protocol built for better performance and reliability.
VPN protocols determine how data is encrypted and transmitted between your device and VPN servers around the world. The one you choose can have an impact on speed, privacy, and connection stability, so it’s worth understanding how they differ and when to use each one.
In this guide, we’ll explain what VPN protocols are, how they work, and help you compare options so you can choose the right one for your needs.
What are VPN protocols?
A VPN protocol is a set of rules governing how data is encrypted and sent between your device and a VPN server.
While all VPN protocols aim to create a secure connection, they go about it in different ways. This also means that their performance levels can vary—some prioritize speed, others focus on stronger security.
How do VPN protocols work?
Different protocols work in different ways, but they all follow the same basic steps:
- Encryption: Once the VPN application on your device (VPN client) and server establish a connection, the protocol encrypts your data before transmission, ensuring that it can’t be read by outsiders.
- Tunneling: The protocol wraps the encrypted data in a secure “tunnel,” protecting it as it travels across the internet.
- Data transmission: The protocol determines how data packets are formatted and sent to the VPN server. The VPN server decrypts the data and forwards it to the website or service you’re trying to access. The process is reversed for incoming data.
- Session management: The protocol keeps the connection stable, handling things like error correction and reconnection if your network drops.
Why protocols matter for privacy, speed, and security
Your VPN protocol plays a direct role in how private, secure, and fast your connection is.
Generally speaking, stronger encryption offers better security but can slow down your connection a bit.
Some protocols are built to strike a balance—delivering solid protection without sacrificing performance—while others are optimized for specific needs, like streaming, gaming, or use on mobile networks.
And a few modern protocols, like Lightway, aim to deliver the best of all worlds: fast, secure, reliable, and lightweight enough to perform well even on mobile devices.
VPN protocols compared: features, pros, and cons
With so many protocols available, it’s not always clear which one to use. With that in mind, we’ll now take a look at the most common VPN protocols, exploring how they work and listing their pros and cons—so you can make the best choice for your needs.
Lightway
Lightway is ExpressVPN’s proprietary VPN protocol, designed from the ground up to be lightweight, fast, and secure. It delivers faster speeds, stronger reliability, and lower battery usage compared to traditional VPN protocols like OpenVPN and IKEv2.
It supports both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), making it more versatile than protocols like WireGuard, which only supports UDP. This flexibility helps Lightway perform better on networks where UDP is blocked or unreliable.
In early 2025, ExpressVPN released a new version of Lightway, rewritten in Rust, a modern programming language that’s become popular for building reliable, high-performance systems. Lightway was originally written in C, but moving to Rust made it even more secure and efficient while also making the code easier to maintain and build on over time. Lightway is open-source (anyone can inspect its code here) and has been audited by two independent cybersecurity firms, Cure53 and Praetorian.
One of Lightway’s key features is that it stays connected in the background when a device switches networks or wakes from sleep. Instead of dropping the connection, it goes idle and reconnects almost instantly—minimizing interruptions and making the experience feel seamless, especially on mobile.
Lightway is also built with post-quantum cryptography in mind—it’s a core part of the protocol’s design. This means it uses next-generation encryption intended to keep your data secure even as computing power continues to grow.
An enhanced version called Lightway Turbo is also available, designed to make connections even faster. It’s currently available in the Windows app, with support for more platforms on the way.
| Pros | Cons |
| Lightning-fast | Only available in ExpressVPN |
| Strong security | |
| Very reliable | |
| Open-source & audited | |
| Future-proof encryption |
TCP vs. UDP: What’s the difference?
TCP is stream-based. It ensures that data arrives in order and none of it is missing—like a phone call, where your words come through in the exact sequence you said them. If something doesn’t arrive, TCP automatically resends it. This makes it highly reliable, which is ideal for things like file downloads, emails, or web browsing.
UDP (User Datagram Protocol) is message-based. Think of it like sending each word on a postcard. Some might arrive out of order, and a few may go missing entirely—but it’s faster, because it doesn’t bother checking. This makes it great for real-time applications like video or voice calls, where a steady stream matters more than perfection. A brief glitch is better than freezing the entire call to resend a missing packet.
That said, the gap between TCP and UDP performance has narrowed significantly over the years. Twenty years ago, gaming over TCP was painful. Today, most users won’t notice the difference unless they’re doing something latency-critical.
While it’s technically possible to build a reliable protocol on top of UDP, you’d have to reinvent things like ordering and retransmission—which is why, for many use cases, TCP remains the simpler and smarter choice. You can read more about the two protocols here.
OpenVPN
OpenVPN is one of the most trusted and secure VPN protocols. It’s open-source and widely used, with support across nearly all platforms and VPN services, making it a reliable choice for many users.
Like Lightway, OpenVPN works in two modes: TCP and UDP. If you’ve already read the section on Lightway, you’ll be familiar with the trade-offs between these two modes—TCP for reliability, UDP for speed. OpenVPN lets you manually choose between them, which can be handy if you’re troubleshooting or trying to fine-tune performance.
OpenVPN’s maturity is a strength: it’s been around for years, meaning it’s well-documented, battle-tested, and compatible with a huge range of devices and configurations. That said, newer protocols like Lightway or WireGuard may offer better speed and battery performance, especially on mobile.
| Pros | Cons |
| Strong levels of security | Slower than newer protocols without DCO (a feature that makes OpenVPN faster) |
| Open-source | |
| Widely supported |
IKEv2/IPSec
IKEv2/IPSec is a VPN protocol developed by Microsoft and Cisco. It combines two parts: IKEv2, which sets up and manages the secure connection between your device and the VPN server, and IPSec, which handles the encryption and makes sure your data stays private.
Together, they create a fast and stable protocol that works especially well on mobile devices. IKEv2/IPSec is good at reconnecting quickly when your internet connection drops or switches—like when you move between Wi-Fi and mobile data. It also performs well for things like streaming or video calls.
IKEv2/IPSec is built into most Apple and Windows devices, so setup is often quick and easy. Linux supports it through tools like strongSwan, though it may need some manual setup. Android doesn’t support IKEv2 on its own—you’ll need a third-party app. It can also run into trouble on restrictive networks, as it uses ports that are more likely to be blocked by firewalls.
| Pros | Cons |
| Very fast | Tricky manual setup on Android and Linux |
| Good for mobile | Potential vulnerabilities |
| Stable and reliable | Can be blocked by firewalls |
WireGuard
WireGuard is a newer VPN protocol that’s designed to be simple, fast, and secure. And like OpenVPN and Lightway, it’s open-source.
What sets WireGuard apart is how lean it is—it’s built from just several thousand lines of code (compared to OpenVPN’s tens of thousands). This makes it easier to audit, maintain, and update—and it also helps make it one of the fastest VPN protocols available today.
It works well across most major platforms and is a great choice for general browsing, streaming, and mobile use.
However, it doesn’t support TCP, so it may not work as reliably on networks with strict firewalls or heavy filtering. Unlike Lightway, WireGuard doesn’t offer native post-quantum encryption—support is possible, but only through workarounds.
| Pros | Cons |
| Faster than many VPN protocols | No TCP mode |
| Lean, streamlined, open-source code | *Still labeled “experimental” by some providers |
| Great compatibility |
L2TP/IPSec
L2TP/IPSec is one of the older VPN protocols still in use, but it’s generally not recommended today—there are much better and more secure alternatives. Like IKEv2/IPSec, this is another “dual” protocol. Here, L2TP (Layer 2 Tunneling Protocol) creates the tunnel between your device and the server, while IPSec handles encryption and security.
It’s considered outdated by many providers today, as faster and more modern protocols like Lightway, OpenVPN, and WireGuard have largely taken its place. L2TP/IPSec is relatively easy to set up, especially on older systems, but it’s slower than newer protocols. Plus, there are concerns that the National Security Agency (NSA) has compromised it.
| Pros | Cons |
| Easy to set up | Outdated |
| Relatively secure and stable | Slower than newer protocols |
| Security concerns |
PPTP
Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN protocols still around—but it’s rarely used today. This is because this protocol, developed back in 1999 for early dial-up internet, simply can’t compete with the newer, more secure and advanced VPN protocols.
PPTP only supports up to 128-bit encryption, which is far weaker than the 256-bit AES encryption used by most other protocols today. Because of its outdated design and known security flaws, it can’t reliably protect your data.
It’s still fast, easy to set up, and works on most devices—but because it’s not secure, it’s only worth considering for very specific older setups.
| Pros | Cons |
| Fast | Very poor security standards |
| Works on most devices | Outdated nowadays |
| Simple to set up | Not recommended for privacy |
SSTP
Secure Socket Tunneling Protocol (SSTP) is another VPN protocol developed by Microsoft. It’s built directly into Windows and routes traffic through HTTPS (port 443), the same port used for secure websites. This makes it very effective at getting through firewalls that might block other protocols.
It’s secure, fast, and reliable, but it’s not supported on most platforms and hasn’t seen much real-world adoption. Since the code for SSTP has not been made public, it hasn’t been reviewed as thoroughly as some other protocols like Lightway, OpenVPN, and WireGuard.
| Pros | Cons |
| Great on Windows | Limited support on non-Windows |
| Decent levels of security | Closed-source |
| Easily gets past firewalls | Somewhat outdated |
SoftEther
SoftEther is an open-source VPN protocol developed in 2013 at the University of Tsukuba in Japan. Since its release, it has gained significant popularity due to its flexibility and extensive feature set.
SoftEther can act as both a VPN client and a VPN server. It supports multiple VPN protocols—including its own SSL-VPN protocol, as well as OpenVPN, SSTP, and more.
SoftEther can be complex to manage and isn’t particularly fast, making it a less appealing option compared to modern protocols like WireGuard or Lightway.
| Pros | Cons |
| Open-source | Relatively new |
| Good for advanced users | May require more configuration and knowledge for basic users |
| Customizable | Not as fast or intuitive as more modern protocols |
Shadowsocks (alternative protocol)
Shadowsocks isn’t a VPN protocol. However, it often comes up in conversations about VPNs and online privacy, so it’s worth mentioning.
At its core, Shadowsocks is a proxy protocol that helps disguise internet traffic and bypass restrictions. However, instead of encrypting all traffic between your device and a VPN server, it only encrypts specific app traffic between your device and a proxy server.
It’s used alongside a VPN to add an obfuscation layer that hides the fact that a VPN is being used, rather than as a standalone privacy tool.
| Pros | Cons |
| Useful in high-censorship environments | Not as secure or private as a VPN protocol |
| Fast and lightweight | Tricky to set up, especially for beginners |
Quick VPN protocol comparison table
Here’s a quick comparison of the VPN protocols discussed above that’ll help you make an informed choice whenever you need to pick among several protocols:
| VPN Protocol | Speed | Security | Stability |
| Lightway | Excellent | Excellent | Excellent |
| OpenVPN | Good | Excellent | Excellent |
| IKEv2/IPSec | Excellent | Good | Excellent |
| WireGuard | Excellent | Excellent | Excellent |
| L2TP/IPSec | Poor | Poor | Good |
| PPTP | Good | Poor | Good |
| SSTP | Good | Good | Good |
| SoftEther | Good | Good | Good |
VPN protocol face-off: Direct comparisons
Now let’s compare VPN protocols more directly, putting some of the most popular options head-to-head to compare their levels of speed, security, user-friendliness, and more.
IPSec vs. OpenVPN
IPSec isn’t always paired with another protocol—it can be used on its own in tunnel mode—but it’s often combined with protocols like IKEv2 or L2TP to add more functionality.. While it’s as secure as OpenVPN, actual performance depends on which protocol it’s combined with. OpenVPN’s performance also varies depending on whether you’re using the TCP or UDP version.
IKEv2 vs. OpenVPN
Technically, IKEv2 is just the key exchange part, used with IPSec for encryption—but most people just call the combo “IKEv2” for short.
IKEv2/IPSec and OpenVPN both work well for most activities, like streaming, gaming, and browsing. IKEv2/IPSec is usually faster and works better on mobile devices, while some users prefer OpenVPN for its strong security—especially when using UDP.
IKEv2 vs. IPSec
These aren’t competing protocols—they work together. IKEv2 creates the secure tunnel between your device and a VPN server, while IPSec handles encryption and security. You’ll often see them listed as a single protocol: IKEv2/IPSec.
PPTP vs. OpenVPN
PPTP is no match for OpenVPN. It’s outdated, far less secure, and shouldn’t be used if you care about privacy or data protection. While it may still offer decent speed and compatibility, there are much better and more secure options available. If your setup doesn’t support modern protocols, it’s worth upgrading—PPTP is almost never a good choice today.
L2TP vs. OpenVPN
OpenVPN wins again. It offers better speed, privacy, and security compared to L2TP, which is now considered outdated. While L2TP is a step up from PPTP, it’s still not very secure by modern standards. It works and is relatively easy to set up manually, but it’s no longer recommended for most users.
L2TP vs. IKEv2
Both L2TP and IKEv2 rely on IPSec for encryption, but IKEv2 is the stronger protocol overall. It is notably faster than L2TP, making it much better for tasks like streaming, gaming, or downloading. It has the edge in stability and security, too, though L2TP is a little easier to work with if you’re setting up a VPN manually.
IKEv2 vs. WireGuard
Both protocols perform well across the board: fast, secure, and stable. They’re both good for mobile use and work well for a wide range of tasks. IKEv2 has been around longer, but WireGuard has a leaner design and is more transparent.
WireGuard vs. IPSec
This isn’t a direct comparison. Like before, IPSec isn’t a complete VPN protocol—it’s the encryption layer used with others like IKEv2 or L2TP. WireGuard, on the other hand, is a full protocol and offers excellent speed, security, and compatibility, making it a strong all-round option.
What’s the best VPN protocol for your needs?
There’s no one-size-fits-all answer—many people switch between VPN protocols depending on what they’re doing online. Here’s a quick breakdown of the best options for different use cases:
Best VPN protocol for privacy and security
Lightway, WireGuard, IKEv2, and OpenVPN all offer strong security and privacy—you can’t go wrong with any of them.
Best VPN protocol for speed and performance
If speed is your top priority, Lightway (especially Lightway Turbo), WireGuard, and IKEv2 are all excellent choices. OpenVPN can also be fast—just make sure to use the UDP version, which performs better than TCP.
Best VPN protocol for gaming
For gaming, Lightway and WireGuard are among the top picks. They’re built for speed and low latency, so they won’t slow you down during gameplay.
Best VPN protocol for streaming
Lightway, WireGuard, IKEv2, and OpenVPN are all great for streaming in high quality without buffering.
Best VPN protocol for mobile devices
Lightway, IKEv2, and WireGuard stand out on mobile thanks to their stability. They let you switch between Wi-Fi and mobile data seamlessly, making them ideal for people on the move who need always-on VPN protection.
Common VPN protocol misconceptions
Finally, let’s clear up a few common misconceptions about VPN protocols:
- They’re all the same: Not true at all. As this guide has shown, VPN protocols differ significantly in terms of speed, security, stability, and device compatibility.
- They control your speed: Not entirely true. The protocol you choose does affect speed—but many other factors play a role, including your base internet speed, how far you are from the VPN server, and whether you’re on Wi-Fi or mobile data.
- Open-source protocols are less safe: Quite the opposite. Some people assume that making the code public makes open-source VPN protocols less secure, but this couldn’t be further from the truth. In fact, open-source protocols are actually safer because they’re reviewed by experts, which helps uncover and fix issues faster.
- One VPN protocol is best for everything: Some protocols—like Lightway or WireGuard—perform well in many situations, but the best choice always depends on what you’re doing.
FAQ: Common questions about VPN protocols
What is the most secure VPN protocol?
There’s no single “most secure” option, but Lightway, OpenVPN, WireGuard, and IKEv2 are all considered highly secure and reliable.
What is the fastest VPN protocol?
Lightway, IKEv2, and WireGuard all deliver excellent speeds.
What is the latest VPN protocol?
Lightway is one of the newest major VPN protocols. It was first released in 2020 and rewritten in the Rust programming language in 2025 for improved performance and security.
What type of protocols are used by VPN providers?
Many VPN providers offer a wide range of protocols, like OpenVPN, IKEv2, and SSTP. Some, like ExpressVPN, also have their own proprietary protocols.
Which VPN protocol should I use?
That depends on your needs. Lightway, WireGuard, and OpenVPN are all good all-rounders—but Lightway stands out for offering the best balance of speed, security, and reliability. WireGuard is great for gaming and streaming, while OpenVPN is known for security.
Can I switch between VPN protocols?
Yes, most major VPN providers allow you to switch between protocols as and when you want.
Is the VPN protocol TCP or UDP?
Some protocols support both TCP and UDP—like OpenVPN and Lightway—while others, like WireGuard, use UDP only.
What are common VPN protocol misconceptions?
Many people mistakenly assume all protocols are more or less the same, whereas in reality they all have unique strengths and limitations. It’s also a misconception that the protocol alone determines your connection’s speed or security—many other factors are involved.
What are the three most common VPN protocols?
OpenVPN, IKEv2, and L2TP have traditionally been the most widely used. However, newer options like WireGuard and Lightway are quickly becoming more popular due to their speed and stability.
30-day money-back guarantee
