VPN Protocols Compared: OpenVPN, WireGuard, IKEv2, L2TP/IPsec, and PPTP

VPN protocols determine how your VPN tunnel is built, encrypted, and maintained. Compare OpenVPN, WireGuard, IKEv2/IPsec, L2TP/IPsec, and PPTP on speed, security, and router compatibility.


A VPN protocol is the set of rules that determines how a VPN tunnel is established, how data is encrypted, and how the connection is maintained between your device and the VPN server. The protocol you choose has a direct impact on connection speed, security strength, stability, and compatibility with your devices and router. Not all protocols are created equal. Some are modern and efficient, while others persist as legacy options that should be avoided.

Five protocols dominate the consumer and business VPN landscape. Each one has specific strengths that make it suited for different use cases. Understanding these tradeoffs helps you configure your VPN client or router for the best possible balance of speed and security.

OpenVPN

OpenVPN is the most widely deployed VPN protocol and has been the industry standard since its release in 2001. It is open source, meaning its code is publicly available for inspection, and it has been audited by multiple independent security firms over the years.

OpenVPN uses the OpenSSL library for encryption, giving it access to a broad range of cryptographic algorithms. The default and recommended configuration uses AES-256-GCM for data encryption, RSA or ECDSA certificates for authentication, and HMAC-SHA256 for integrity verification. This combination provides strong security that has withstood over two decades of scrutiny.

The protocol operates over either UDP or TCP. UDP mode is faster and recommended for most uses. TCP mode adds overhead but can be run on port 443 (the standard HTTPS port), making it difficult for firewalls and network administrators to block. This TCP-over-443 capability makes OpenVPN one of the most censorship-resistant protocols.

OpenVPN’s primary drawback is performance. The protocol’s codebase is large and complex, and its reliance on the OpenSSL library adds processing overhead. On a typical connection, OpenVPN over UDP reduces throughput by 15-25% compared to no VPN. On resource-constrained devices like consumer routers, OpenVPN can become a significant bottleneck because the router’s modest processor handles all the encryption.

Many routers support OpenVPN natively. ASUS routers include OpenVPN client and server functionality in their stock firmware. Routers running OpenWrt, DD-WRT, or Tomato firmware also support OpenVPN. For router-level VPN use, ensure your router has a CPU capable of handling the encryption load at your internet speed.
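OpenVPN's many tunable parameters are where misconfiguration creeps in, so it is worth checking a profile against the recommended settings described above (AES-256-GCM, SHA256 HMAC, UDP by default, TCP on 443 when needed). The following is an added example, not code from OpenVPN or this article; the sample profiles are constructed, and the checks cover only the directives discussed here.

```python
"""Audit an OpenVPN client profile for the transport, cipher and HMAC
settings discussed above. The sample profiles are constructed for this example."""
MODERN_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}  # AEAD
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}  # 64-bit blocks

def parse_profile(text: str) -> dict:
    """Map each directive to its args, skipping inline <ca>..</ca> blocks; a repeated directive keeps its last value, as in OpenVPN."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            in_block = not line.startswith("</")
            continue
        if line.startswith("<"):
            in_block = True
            continue
        line = line.split("#")[0].split(";")[0].strip()  # drop comments
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives

def audit(text: str) -> dict:
    d = parse_profile(text)
    remote = d.get("remote", [])  # remote <host> [port] [proto]
    proto = (remote[2] if len(remote) > 2 else d.get("proto", ["udp"])[0]).lower()
    port = remote[1] if len(remote) > 1 else d.get("port", ["1194"])[0]
    # data-ciphers (OpenVPN 2.5+) takes precedence over the older cipher directive.
    ciphers = [c.upper() for c in d.get("data-ciphers", [""])[0].split(":") if c]
    ciphers = ciphers or [c.upper() for c in d.get("cipher", [])]
    auth = d.get("auth", ["SHA1"])[0].upper()  # SHA1 is OpenVPN's built-in default
    findings = []
    for c in ciphers:
        if c in WEAK_CIPHERS:
            findings.append(f"deprecated 64-bit block cipher {c}")
        elif c not in MODERN_CIPHERS:
            findings.append(f"non-AEAD cipher {c}; prefer AES-256-GCM")
    if auth not in {"SHA256", "SHA384", "SHA512"}:
        findings.append(f"HMAC digest {auth}; use SHA256 or stronger")
    return {"proto": proto, "port": port, "ciphers": ciphers, "auth": auth,
            "tcp_443": proto.startswith("tcp") and port == "443",
            "findings": findings}

# Constructed sample profiles (vpn.example.com is a placeholder host).
RECOMMENDED = ("client\ndev tun\nproto udp\nremote vpn.example.com 1194\n"
               "data-ciphers AES-256-GCM:AES-128-GCM\nauth SHA256\n"
               "<ca>\n-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n</ca>\n")
TCP_443 = "client\nproto tcp\nremote vpn.example.com 443 tcp\ncipher AES-256-GCM\nauth SHA256\n"
LEGACY = "client\nproto udp\nremote vpn.example.com 1194\ncipher BF-CBC\nauth SHA1 ; old style\n"
```

Running `audit()` over the three profiles flags only the legacy one, which pairs the deprecated BF-CBC cipher with SHA1 HMAC.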

WireGuard

WireGuard is the newest mainstream VPN protocol, initially released in 2018 and merged into the Linux kernel in 2020. It was designed from the ground up with simplicity and performance in mind, and it delivers on both counts.

The entire WireGuard codebase is approximately 4,000 lines of code. For comparison, OpenVPN’s codebase spans hundreds of thousands of lines. This small footprint makes WireGuard easier to audit for security vulnerabilities and reduces the attack surface.

WireGuard uses a fixed set of modern cryptographic primitives: ChaCha20 for encryption, Poly1305 for authentication, Curve25519 for key exchange, BLAKE2s for hashing, and SipHash24 for hashtable keys. There are no cipher negotiations and no configuration options for the cryptography. This “opinionated” design eliminates the misconfiguration risks that affect protocols with many tunable parameters.

Performance is where WireGuard excels. The protocol operates entirely within the kernel (on Linux), avoiding the user-space context switching that slows OpenVPN. Benchmarks consistently show WireGuard delivering 2-4 times the throughput of OpenVPN on the same hardware. On routers with limited processing power, WireGuard can handle 200-400 Mbps where OpenVPN might cap at 50-100 Mbps.

WireGuard does have limitations. It does not natively support TCP, making it blockable by firewalls that restrict UDP traffic. It assigns static internal IP addresses by default, which some consider a privacy concern because the VPN server must maintain a mapping between public keys and IP addresses. Most commercial VPN providers have implemented workarounds for this.
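The mapping between public keys and internal IP addresses mentioned above is WireGuard's cryptokey routing table: each peer's `AllowedIPs` decides both which key outbound packets are encrypted to and which source addresses inbound packets from that key may carry. The following is an added example, not code from WireGuard or this article, that models that table in Python from a constructed wg-quick style config; `PEER_LAPTOP` and `PEER_PHONE` are placeholder 32-byte keys, not real ones.

```python
"""Model WireGuard's cryptokey routing from a wg-quick style config.
The config and keys below are constructed placeholders for this example."""
import base64
import ipaddress

PEER_LAPTOP = base64.b64encode(bytes([1]) * 32).decode()  # placeholder, not a real key
PEER_PHONE = base64.b64encode(bytes([2]) * 32).decode()   # placeholder, not a real key
WG_CONF = f"""
[Interface]
PrivateKey = PLACEHOLDER_SERVER_PRIVATE_KEY
Address = 10.8.0.1/24
[Peer]
PublicKey = {PEER_LAPTOP}
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = {PEER_PHONE}
AllowedIPs = 10.8.0.3/32, 192.168.50.0/24
"""

def parse_wg(conf: str) -> list:
    """Return the [Peer] sections with PublicKey validated and AllowedIPs parsed."""
    peers, section = [], None
    for raw in conf.splitlines():
        line = raw.split("#")[0].strip()  # '#' starts a comment in wg configs
        if line.startswith("["):
            section = {} if line == "[Peer]" else None
            if section is not None:
                peers.append(section)
        elif line and section is not None:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    for p in peers:
        if len(base64.b64decode(p["PublicKey"])) != 32:  # Curve25519 keys are 32 bytes
            raise ValueError("PublicKey must decode to 32 bytes")
        p["AllowedIPs"] = [ipaddress.ip_network(n.strip()) for n in p["AllowedIPs"].split(",")]
    return peers

def peer_for_destination(peers, dst: str):
    """Outbound: longest-prefix match on AllowedIPs picks the key to encrypt to; no match means the packet is dropped."""
    addr, best = ipaddress.ip_address(dst), None
    for p in peers:
        for net in p["AllowedIPs"]:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (p, net)
    return best[0]["PublicKey"] if best else None

def accept_inbound(peers, pubkey: str, src: str) -> bool:
    """Inbound: a packet that authenticates under pubkey is accepted only if its source lies in that peer's AllowedIPs."""
    peer = next((p for p in peers if p["PublicKey"] == pubkey), None)
    return peer is not None and any(ipaddress.ip_address(src) in n for n in peer["AllowedIPs"])
```

Because the server must hold this key-to-address table, it necessarily knows which key each internal address belongs to, which is the privacy concern the paragraph above describes.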

Router support for WireGuard is growing rapidly. ASUS added native WireGuard support to its routers in 2023. OpenWrt has supported WireGuard for years. If you plan to run a VPN on your router, WireGuard is the recommended protocol due to its low CPU requirements and high throughput.

IKEv2/IPsec

IKEv2 (Internet Key Exchange version 2) paired with IPsec (Internet Protocol Security) is a VPN protocol developed jointly by Microsoft and Cisco. It is built into Windows, macOS, iOS, and Android, meaning no additional software is needed on most devices.

The protocol’s standout feature is MOBIKE (Mobility and Multihoming Protocol), which allows the VPN connection to seamlessly survive network changes. When your phone switches from WiFi to cellular data or moves between WiFi networks, IKEv2 re-establishes the VPN tunnel almost instantly without dropping the connection. OpenVPN and WireGuard can also reconnect after network changes, but IKEv2’s MOBIKE does it faster and more gracefully.

IKEv2/IPsec uses strong encryption, typically AES-256 for data and Diffie-Hellman groups for key exchange. The protocol has been thoroughly audited and is considered secure when properly configured. It was designed from the beginning with strong authentication and is resistant to man-in-the-middle attacks.

Performance falls between OpenVPN and WireGuard. IKEv2/IPsec is faster than OpenVPN in most scenarios because it operates in kernel space on most platforms. It is not as fast as WireGuard due to the more complex IPsec processing pipeline.

Router support for IKEv2/IPsec is limited in consumer models. Enterprise routers and firewalls support it universally, but most home routers do not include an IKEv2 VPN client. If you need router-level VPN, OpenVPN or WireGuard are more practical choices.

L2TP/IPsec

L2TP (Layer 2 Tunneling Protocol) paired with IPsec is an older VPN protocol that combines L2TP for tunneling with IPsec for encryption. L2TP alone provides no encryption; it only creates the tunnel, which IPsec then wraps in encryption. In practice the two protocols are always used together.

L2TP/IPsec is built into most operating systems, making it easy to configure without third-party software. The encryption is provided by IPsec and uses the same strong algorithms (AES-256, SHA-256) as other IPsec implementations. When properly configured, the encryption itself is secure.

The protocol has several practical drawbacks. It encapsulates data twice (once in L2TP, once in IPsec), which adds overhead and reduces throughput. It always uses UDP ports 500 and 4500, which makes it easy for firewalls to detect and block. The double encapsulation also causes problems with NAT traversal in some network configurations.

L2TP/IPsec is a legacy protocol. It remains functional and reasonably secure but offers no advantages over OpenVPN, WireGuard, or IKEv2. If your VPN provider or corporate IT department requires L2TP/IPsec, it is acceptable to use. For new deployments, choose one of the three modern alternatives instead.

Some consumer routers support L2TP/IPsec VPN servers, which allows you to connect back to your home network when traveling. The setup is typically straightforward in the router’s admin panel under VPN settings.

PPTP (Deprecated)

PPTP (Point-to-Point Tunneling Protocol) was developed by Microsoft in the 1990s and was the first widely available VPN protocol for consumer use. It was included in Windows 95 and remained a default option in Windows for decades. Despite its historical importance, PPTP is fundamentally broken and should not be used for any purpose where security matters.

PPTP’s authentication relies on MS-CHAPv2, which uses the DES cipher. DES has been broken since the late 1990s. In 2012, Moxie Marlinspike demonstrated a service (CloudCracker) that could crack any MS-CHAPv2 handshake within 24 hours. The encryption layer (MPPE) built on top of this broken authentication is also compromised.

The only remaining use case for PPTP is connecting to legacy corporate VPNs that have not been updated. If your organization still requires PPTP, advocate strongly for an upgrade to WireGuard or OpenVPN. The effort to migrate is trivial compared to the security risk of continuing to use a protocol that provides no meaningful protection.

PPTP does have one technical advantage: extremely low overhead. Because the encryption is so weak and simple, PPTP adds almost no latency and minimal throughput reduction. Some users in non-security-sensitive scenarios (like bypassing a simple geographic restriction where privacy is not a concern) have used PPTP for its speed. This is not recommended because secure alternatives like WireGuard now offer comparable speed with actual protection.

Choosing the Right Protocol

The decision tree is straightforward for most users.

Default choice: WireGuard. It is the fastest, has excellent security, and works on all platforms. Choose WireGuard unless you have a specific reason not to.

When WireGuard is blocked: OpenVPN over TCP on port 443. Restrictive networks that block WireGuard’s UDP traffic usually cannot block OpenVPN disguised as HTTPS traffic. This is the best censorship circumvention option.

On mobile devices that switch networks frequently: IKEv2/IPsec. MOBIKE handles WiFi-to-cellular transitions seamlessly. WireGuard handles this well too, making IKEv2 a preference rather than a requirement.

On routers: WireGuard. Consumer router processors are too weak for OpenVPN at high speeds. WireGuard’s efficiency makes it the only protocol that can handle fast internet connections on typical router hardware.

Never: PPTP. There is no legitimate security use case for PPTP in 2026. Remove it from your options entirely.

Frequently Asked Questions

Which VPN protocol is fastest?

WireGuard is the fastest VPN protocol in most benchmarks. Its lightweight codebase and modern cryptography result in lower CPU overhead and higher throughput compared to OpenVPN and IKEv2. On a fast internet connection, WireGuard typically reduces speed by only 5-10%, while OpenVPN over TCP can reduce speed by 20-30%.

Which VPN protocol is most secure?

WireGuard and OpenVPN are both considered highly secure when properly configured. WireGuard uses modern cryptography (ChaCha20, Curve25519) with a small, auditable codebase. OpenVPN uses OpenSSL and supports a wide range of ciphers including AES-256. Both are open source and publicly audited. Avoid PPTP, which has known vulnerabilities.

Can I run a VPN on my router?

Yes, many routers support VPN client and server modes. ASUS routers natively support OpenVPN and WireGuard. Routers running OpenWrt or DD-WRT firmware support most protocols. WireGuard is the best choice for router-level VPN because its low CPU requirements work well on router hardware. Check your router's specifications for supported protocols.

Why is PPTP considered insecure?

PPTP uses MS-CHAPv2 for authentication, which relies on DES encryption. DES was broken decades ago and can be cracked in under 24 hours with cloud computing. PPTP's encryption (MPPE) also has known weaknesses. Security researchers have demonstrated practical attacks against PPTP since 2012. It provides almost no meaningful security.

Should I use TCP or UDP with OpenVPN?

Use UDP whenever possible. UDP is faster because it does not add the overhead of TCP's error correction and retransmission. OpenVPN over UDP delivers lower latency and higher throughput. Use TCP only when UDP is blocked by your network, as TCP can traverse firewalls and proxies more reliably. Some restrictive networks and corporate firewalls block UDP-based VPN traffic.