VPN Protocols Explained: Modern Protocols, OpenVPN, and the Rest

Key points

  • A modern VPN protocol is the best default: fast, small enough to audit, and easy on batteries.
  • OpenVPN over TCP port 443 is the backup for strict networks that block UDP.
  • IKEv2/IPsec is fine on phones, but newer protocols have largely replaced it.
  • Avoid PPTP, L2TP/IPsec, and SSTP; all modern protocols are considered secure, so choose by fit.

Open the settings of almost any VPN app and you will find a menu full of strange names: a modern protocol or two, OpenVPN, IKEv2, maybe a few more. These are protocols. A protocol is the rulebook your device and the VPN server follow to build an encrypted tunnel.

The protocol decides how fast your connection feels, how much battery it uses, and whether it works at all on strict networks. The good news is that you only need to understand three of them, and one of those three is the right default for most people.

This guide walks through each protocol in plain language. If you want a refresher on what the tunnel itself does first, our explainer on how VPNs work covers that ground.

What a Protocol Actually Decides

Every VPN connection has to answer the same questions. How do the two sides prove who they are? How do they agree on secret keys? Which cipher scrambles the data? How are packets wrapped and sent? A protocol is one complete set of answers to those questions.

Different protocols answer them in different ways, and those choices have real effects. A protocol with a fast handshake reconnects quickly when your phone switches networks. A protocol that can run over TCP port 443 slips past firewalls that block everything else. A protocol with a small codebase is easier for security researchers to audit.

You do not configure any of this yourself. Your VPN app handles the details. Your only job is to pick which rulebook to use, and that is what the rest of this article helps with.

Modern Protocols: The Default vpn.now Uses

The modern protocol vpn.now uses is the newest of the major protocols and the one most worth knowing. The design behind it was merged into the Linux kernel in 2020, and its entire codebase is about 4,000 lines. That is tiny for security software, which means experts can actually read all of it.

It makes the big decisions for you. It uses one modern cipher, ChaCha20-Poly1305, with no legacy options left around to misconfigure. It runs over UDP only. Its handshake completes in a fraction of a second, so connections start fast and recover fast when your network blips.

In daily use, this protocol mostly disappears. It moves smoothly between Wi-Fi and mobile data, it stays quiet when you are not sending traffic, and it is gentle on your battery. For most people on most networks, it is the protocol to leave selected and forget about.

OpenVPN: The Reliable Veteran

OpenVPN has been carrying real traffic since 2001. It is built on the same TLS security layer that protects websites, and a typical setup encrypts data with AES-256-GCM. Its codebase is far larger than that of newer protocols, but it has survived two decades of attacks and audits.

Its killer feature is flexibility. OpenVPN can run over UDP for speed or over TCP on almost any port. The TCP port 443 option matters most, because that is the port used by ordinary secure websites. Networks that block unknown traffic usually let it through, which makes OpenVPN the protocol of last resort on hotel, office, and campus Wi-Fi.

The trade-off is speed. OpenVPN processes packets with more overhead than a modern protocol does, so it is slower, especially on phones and older hardware. Our full guide comparing our protocol with OpenVPN goes deeper on the differences.

IKEv2/IPsec: The Phone Specialist

IKEv2/IPsec is a pairing of two standards. IKEv2 handles the handshake and IPsec carries the encrypted traffic. It has one standout strength: a feature called MOBIKE that keeps the session alive when your device changes networks. That made it popular on phones for years, and Apple still supports it natively on iPhones.

It is a solid, secure choice when set up well. Its weaknesses are practical rather than cryptographic. Fewer consumer apps offer it now, its setup is more complex than a modern protocol's, and it can be blocked by firewalls because it uses specific ports that are easy to filter.

If your app offers IKEv2 and it works well on your phone, there is no reason to avoid it. But modern protocols now match its network-switching skill with less complexity, which is why the industry has largely moved on.

The Older Protocols: Leave Them Alone

You may still see a few legacy names in older apps and routers. Treat them as history, not options:

  • PPTP. Designed in the 1990s and broken for years. Its encryption can be cracked with modest effort. Never use it for anything you care about.
  • L2TP/IPsec. Not broken in the same way, but dated, slower, and frequently deployed with weak preshared keys. There is no reason to choose it today.
  • SSTP. A Microsoft protocol that tunnels over TLS. It works, but it is closed source, Windows-centric, and offers nothing the modern options lack.

If a VPN service promotes any of these as a main feature, that tells you something about how current the rest of its software is.

Side by Side

Protocol          | Speed                    | Strict firewalls         | Best use
------------------+--------------------------+--------------------------+--------------------------------------------------------
A modern protocol | Fastest on most hardware | Can be blocked, UDP only | Everyday default on all devices
OpenVPN (UDP)     | Good                     | Sometimes blocked        | Solid alternative where a modern protocol is unavailable
OpenVPN (TCP 443) | Slower                   | Usually passes           | Hotels, offices, campuses with strict filtering
IKEv2/IPsec       | Good                     | Often blocked            | Phones, where natively supported
PPTP, L2TP, SSTP  | Varies                   | Varies                   | None. Use a modern protocol instead.

How to Choose in Practice

Start with a modern protocol. Use it everywhere and only change it when you hit a problem. The most common problem is a network that blocks UDP, and the fix is switching to OpenVPN over TCP port 443. That covers nearly every situation a normal person meets.

The UDP and TCP detail behind that advice is worth a minute of your time, because it explains most connection failures. Our short guide to UDP versus TCP lays it out without the jargon.

Tip: set up both a modern protocol and OpenVPN in your app before you travel. Switching protocols takes seconds when both are ready, and minutes of frustration when you have to configure one on hotel Wi-Fi.
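The OpenVPN side of that advice can live in a single client profile that tries UDP first and falls back to TCP port 443 by itself. This is an added example, not vpn.now's own configuration: the host name, the certificate file names, and the assumption that the server listens on both UDP 1194 (OpenVPN's default port) and TCP 443 are placeholders.

```conf
# Constructed client profile; vpn.example.com and the file names are placeholders.
client
dev tun
nobind
persist-tun

# Data-channel ciphers the client will accept, in order of preference.
# (data-ciphers needs OpenVPN 2.5 or later.)
data-ciphers AES-256-GCM:CHACHA20-POLY1305

# Control channel: refuse TLS older than 1.2 and require that the peer
# presents a certificate issued for server use, not another client's.
tls-version-min 1.2
remote-cert-tls server

# Profile 1: UDP for speed.
<connection>
remote vpn.example.com 1194 udp
</connection>

# Profile 2: TCP 443 for networks that drop UDP.
<connection>
remote vpn.example.com 443 tcp
</connection>

# Give each profile 10 seconds to answer before moving to the next one,
# pause 2 seconds between attempts, and keep cycling instead of giving up.
connect-timeout 10
connect-retry 2
resolv-retry infinite

# Client credentials issued by the provider (placeholder file names).
ca ca.crt
cert client.crt
key client.key
```

OpenVPN tries the `<connection>` blocks in the order they appear, so the slower TCP profile is only used when the UDP one gets no response.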

One thing protocol choice does not change is safety in the broad sense. The modern protocols, OpenVPN, and IKEv2 are all considered secure when configured correctly. None of them has a known practical break of its encryption. You are choosing between good fits, not between safe and unsafe.

What Your Provider Controls

The protocol is half the story. The other half is how your provider runs it. A good service keeps its software updated, uses current ciphers, and offers every protocol on every server so you never trade location for protocol. You can see exactly which options we run and how they are configured on our protocols page.

If you want to try the protocols yourself before paying anything, vpn.now offers a free plan that includes more than one protocol, which makes it easy to test each one on your own networks.

Obfuscation and Stealth: Getting a VPN Through Strict Networks

Some networks do more than block certain websites. They try to spot and block VPN traffic itself. You might run into this on a workplace or school network, in some hotels, or in a few countries that filter the internet heavily. The network looks at your connection, decides it looks like a VPN, and refuses to let it through. When that happens, a normal VPN connection often just fails to start, no matter how many times you try.

This is where obfuscation comes in, sometimes called stealth mode. The idea is simple. Obfuscation disguises your VPN traffic so it looks more like the ordinary encrypted web traffic your browser sends every day. To a network that is hunting for VPNs, a disguised connection blends in with regular activity, so it has a better chance of slipping past the block.

A few honest points to keep in mind:

  • It usually runs over TCP port 443, the same port normal secure websites use, so the traffic looks like everyday HTTPS.
  • It can be a little slower than a plain connection, because the extra disguising adds work.
  • Not every provider offers it, so check the app settings before you count on it.
  • It is not magic. A network that is truly determined can still block your connection.

The takeaway is easy to remember. If a normal vpn.now connection will not establish on a restrictive network, look for an obfuscation or stealth option in the settings and turn it on. It will not work everywhere, but on many strict networks it is the one switch that gets you connected when nothing else will.

Summary

The short version of VPN protocols:

  • A protocol is the rulebook for building the encrypted tunnel: handshake, keys, cipher, and packet format.
  • A modern protocol is the best default. It is fast, small enough to audit, and easy on batteries.
  • OpenVPN over TCP port 443 is your backup for strict networks that block UDP.
  • IKEv2/IPsec is fine on phones where it is offered, but modern protocols have largely replaced it.
  • Avoid PPTP, L2TP/IPsec, and SSTP. They are outdated and offer nothing the modern options lack.
  • All the modern protocols are considered secure. Choose based on fit, then test on your real networks.

Frequently asked questions

What is the best VPN protocol?
For most people, a modern protocol like the one vpn.now uses is the best default. It is fast, modern, and light on battery. OpenVPN over TCP port 443 is the best backup for strict networks that block other traffic. There is no single winner for every situation.

Are old protocols like PPTP safe to use?
No. PPTP has known weaknesses and should not be used for anything private. L2TP/IPsec is dated and easy to set up badly. Stick to a modern protocol, OpenVPN, or IKEv2/IPsec from a provider that keeps its software current.

Can I change protocols without changing VPN providers?
Usually, yes. Most VPN apps let you switch protocols in the settings menu. The change takes effect the next time you connect. Trying each one on your own networks is the best way to choose.

Does the protocol affect my speed?
Yes, often more than the server does. Modern protocols are faster than OpenVPN on most hardware, and the gap grows on phones and routers. Server distance and load still matter, so test a few combinations.