Why VPN Protocols Matter
A VPN protocol is the set of rules that determines how your device communicates with the VPN server. Different protocols make different trade-offs between speed, security, and reliability. Most commercial VPN apps let you switch protocols in the settings, but few explain what the difference actually is.
WireGuard: Fast, Modern, Open Source
WireGuard is the newest of the major protocols and has become the default for most providers. It uses modern cryptography (ChaCha20, Curve25519, BLAKE2) that is both fast and well-audited. The codebase is about 4,000 lines, compared to OpenVPN's 70,000+, which makes it easier to audit for security flaws.
Use WireGuard when: you want the fastest speeds and do not need to mask VPN traffic. WireGuard uses a fixed UDP port, which some networks block or flag. If you are behind a restrictive firewall (corporate network, some hotels), WireGuard may not connect where OpenVPN would.
OpenVPN: The Established Standard
OpenVPN has been the industry standard for over a decade. It can run over TCP on port 443 (the same port as HTTPS), making it nearly impossible for networks to block without also blocking regular web browsing. This makes it the best choice for bypassing censorship or restrictive firewalls.
The trade-off is speed and resource use. OpenVPN is slower than WireGuard and uses more CPU, which matters most on older mobile devices. On a modern laptop or desktop, the difference is negligible.
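To see which transport a given profile will actually use, the Python below (an added example, not part of the original article or any VPN project's code) reads a WireGuard and an OpenVPN client config and reports protocol and port, then checks for the TCP 443 case described above. The config contents, the hostname, the 51820 endpoint port and the helper names are constructed for illustration.

```python
import re

# Constructed sample configs; hostname and keys are placeholders.
WG_CONF = """[Interface]
PrivateKey = <placeholder>
Address = 10.0.0.2/32
[Peer]
PublicKey = <placeholder>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
"""
OVPN_CONF = """client
dev tun
proto tcp
remote vpn.example.com 443
"""

def wireguard_transport(conf):
    """WireGuard runs only over UDP; the port is taken from the peer Endpoint."""
    m = re.search(r"^\s*Endpoint\s*=\s*\S+:(\d+)\s*$", conf, re.M | re.I)
    if m is None:
        raise ValueError("no Endpoint line found")
    return ("udp", int(m.group(1)))

def openvpn_transport(conf):
    """Read proto/port/remote directives; OpenVPN defaults to UDP port 1194."""
    proto, port, seen_remote = "udp", 1194, False
    for line in conf.splitlines():
        parts = re.split(r"[#;]", line, maxsplit=1)[0].split()  # drop comments
        if len(parts) < 2:
            continue
        if parts[0] == "proto":
            proto = "tcp" if parts[1].startswith("tcp") else "udp"
        elif parts[0] == "port":
            port = int(parts[1])
        elif parts[0] == "remote" and not seen_remote:  # first remote is tried first by default
            seen_remote = True
            if len(parts) > 2:
                port = int(parts[2])
            if len(parts) > 3:
                proto = "tcp" if parts[3].startswith("tcp") else "udp"
    return (proto, port)

def blends_with_https(transport):
    """True only for TCP 443, the case the article describes as hard to block."""
    return transport == ("tcp", 443)

if __name__ == "__main__":
    for name, t in [("WireGuard", wireguard_transport(WG_CONF)),
                    ("OpenVPN", openvpn_transport(OVPN_CONF))]:
        print(f"{name}: {t[0]}/{t[1]} blends_with_https={blends_with_https(t)}")
```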
IKEv2/IPSec: Best for Mobile
IKEv2 (Internet Key Exchange version 2) paired with IPSec is particularly good on mobile because of its ability to quickly re-establish a connection when switching networks (from Wi-Fi to cellular, for example). This feature, called MOBIKE, makes IKEv2 the smoothest option for phones that regularly change networks throughout the day.
IKEv2 is fast, has good security, and is natively supported on iOS and macOS without third-party software. Its downside: it is easier for firewalls to detect and block than OpenVPN.
Which Protocol Should You Use?
General use on a reliable connection: WireGuard.
Bypassing firewalls or censorship: OpenVPN with TCP on port 443.
Primary device is a smartphone: IKEv2.
Older device or resource-constrained hardware: IKEv2 or WireGuard.
Most VPN apps will auto-select the best protocol; switching manually is only necessary when the automatic choice fails.