🛡️VPN Adviser

VPN Protocols Explained in 2026: WireGuard vs OpenVPN vs IKEv2 vs L2TP

11 June 2026

Why the Protocol Matters

The VPN protocol is the set of rules that determines how your device and the VPN server communicate, encrypt data, and authenticate each other. Most people pick a VPN service and never think about this setting. That is a mistake. Different protocols make very different tradeoffs between speed, security, and reliability. Choosing the wrong one for your situation means you are either leaving performance on the table or using something that should have been retired years ago.

Here is every major protocol in use in 2026, what it actually does well, and when to use it.

WireGuard

WireGuard arrived in 2019 and has become the default recommendation for most use cases. Its entire codebase is around 4,000 lines, compared to OpenVPN's 100,000 lines. A smaller codebase means less surface area for security vulnerabilities and makes independent security audits far more practical. Researchers can actually read the full thing.

On performance, WireGuard benchmarks consistently show 3 to 5 times faster throughput than OpenVPN, especially on modern hardware. This matters on mobile devices and low-power hardware where OpenVPN's overhead is noticeable. WireGuard uses modern cryptographic primitives: ChaCha20 for encryption, Curve25519 for key exchange, BLAKE2 for hashing. These are well-vetted algorithms chosen specifically for performance and security.

In practice, WireGuard is now the primary protocol at NordVPN (where it runs under the NordLynx wrapper), Mullvad, and ExpressVPN's Lightway (which is WireGuard-derived). If your VPN provider offers it, this is the first setting to try.

The one honest caveat: WireGuard is newer than OpenVPN. It has fewer years of real-world deployment, which means fewer edge cases have been discovered and patched. For most users this is not a concern. For high-stakes corporate security, your IT team may want a few more years of track record before mandating it.

OpenVPN

OpenVPN has been the established standard for over 15 years. Every VPN service worth using supports it. Its massive open-source community means it has been audited, tested, and patched repeatedly. Known weaknesses are documented and fixed. That track record is its main strength.

OpenVPN runs in two modes: UDP and TCP. UDP is faster and the right default. TCP is slower but more reliable on networks that block or throttle UDP traffic, such as many corporate firewalls and hotel networks. Running OpenVPN TCP on port 443 mimics HTTPS traffic and gets through most firewalls without being blocked, which makes it the go-to choice when other protocols fail in restricted environments.

The downside is the 100,000-line codebase, which is difficult to audit thoroughly. Speed is also noticeably slower than WireGuard. On fast internet connections the difference is small, but on slower connections or mobile networks the overhead adds up.
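
An added example, not from the original article or from the OpenVPN project: a small Python check that resolves which host, port and transport an OpenVPN client profile will try, in order, and whether it includes the TCP-on-443 option described above. The sample profile, the host vpn.example.com and the function names are constructed for illustration.

```python
DEFAULT_PROTO, DEFAULT_PORT = "udp", "1194"  # OpenVPN defaults when a profile sets neither

# Constructed sample profile; vpn.example.com is a placeholder host.
SAMPLE_PROFILE = """\
client
dev tun
remote-cert-tls server
# <connection> blocks are tried in order: UDP first, then TCP on 443.
<connection>
remote vpn.example.com 1194 udp
</connection>
<connection>
remote vpn.example.com 443 tcp
</connection>
"""

def endpoints(profile):
    """Return (host, port, transport) for each remote, in the order the client tries them."""
    glob = {"proto": DEFAULT_PROTO, "port": DEFAULT_PORT}
    scope, found = glob, []
    for raw in profile.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        key, *args = line.split()
        if key == "<connection>":
            scope = {}                      # per-block proto/port overrides
        elif key == "</connection>":
            scope = glob
        elif key in ("proto", "port") and args:
            scope[key] = args[0]
        elif key == "remote" and args:
            found.append((args, scope))
    resolved = []
    for args, scope in found:               # resolve last, so a late global 'proto' still applies
        port = args[1] if len(args) > 1 else scope.get("port", glob["port"])
        proto = args[2] if len(args) > 2 else scope.get("proto", glob["proto"])
        resolved.append((args[0], port, "tcp" if proto.startswith("tcp") else "udp"))
    return resolved

def has_tcp443_fallback(profile):
    """True if any endpoint is TCP on port 443, the restricted-network option discussed above."""
    return any((port, tr) == ("443", "tcp") for _, port, tr in endpoints(profile))

if __name__ == "__main__":
    for host, port, transport in endpoints(SAMPLE_PROFILE):
        print(f"{host}:{port}/{transport}")
    print("TCP/443 fallback present:", has_tcp443_fallback(SAMPLE_PROFILE))
```

Running it against a provider's downloaded .ovpn file shows what the app's "Automatic" or "TCP" setting actually resolves to before you rely on it on a restricted network.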

IKEv2/IPSec

IKEv2 is the right protocol for mobile devices, specifically because of the MOBIKE protocol built into it. When your iPhone or Android switches from WiFi to cellular, IKEv2 automatically reconnects the VPN tunnel without dropping the connection. With OpenVPN or WireGuard, a network switch often requires a manual reconnect or a brief gap in VPN coverage.

Apple hardware has hardware-accelerated IKEv2 support built into iOS and macOS, which means it runs faster on Apple devices than any other protocol. Corporate environments also tend to support IKEv2 natively since it integrates with IPSec, which is already standard in most enterprise network stacks.

The limitation: IKEv2 is less flexible on custom ports, which makes it easier to block on restrictive networks. It also has fewer options for hiding VPN traffic as regular HTTPS.

L2TP/IPSec

L2TP/IPSec was once a reasonable option. In 2026, it is not. The Snowden documents suggested the NSA may have deliberately weakened or compromised L2TP/IPSec implementations. Whether or not that specific claim holds up, the combination uses older cryptographic methods and the overhead of running two protocols together (L2TP for tunneling, IPSec for encryption) makes it slower than any modern alternative.

If your VPN provider offers IKEv2, WireGuard, or OpenVPN, there is no reason to choose L2TP/IPSec. Avoid it.

PPTP

PPTP is dead. It uses RC4 encryption, which can be broken on modern hardware in hours. Security researchers cracked it thoroughly over a decade ago. It appears on some very old routers and legacy devices, but it should never be used for anything you care about protecting. If your VPN provider is still pushing PPTP as a default, that is a signal to find a different provider.

SSTP

SSTP is a Microsoft-owned protocol that runs over HTTPS port 443. This means it gets through nearly any firewall and is difficult to block or detect as VPN traffic. On Windows, it works well and is integrated at the OS level.

The problem is that it is closed-source and controlled by Microsoft. No independent security audit can verify what the protocol actually does. For users who need maximum assurance that their VPN traffic is not being logged or inspected, a closed-source protocol from a US company is a hard limitation. SSTP is useful in one specific scenario: you are on Windows, you have firewall issues that block everything else, and you trust Microsoft's implementation. Outside that narrow case, OpenVPN TCP on port 443 achieves the same firewall bypass without the closed-source concern.

Which Protocol to Use in 2026

There is no single right answer, but the decision tree is simple:

  • Default for most users: WireGuard. It is the fastest, has the cleanest codebase, and works reliably on all major platforms. If your VPN has it, start here.
  • For mobile devices with frequent network switching: IKEv2. The auto-reconnect behavior on WiFi-to-cellular switches makes it the best choice for iPhone users in particular.
  • For firewalled networks (work, hotel, some countries): OpenVPN TCP on port 443. This mimics regular HTTPS traffic and gets through most deep packet inspection setups that block other protocols.
  • For gaming (minimum latency): WireGuard. Its lower overhead translates directly to lower ping on connections where the VPN itself is the bottleneck.
  • For maximum paranoia about audit history: OpenVPN. Fifteen years of public scrutiny means its weaknesses are known and patched.
  • Avoid in 2026: PPTP (broken encryption), L2TP/IPSec (outdated, potential compromise), SSTP unless on Windows with specific firewall constraints.

Most quality VPN apps let you set the protocol in Settings. If your provider defaults to their proprietary protocol (NordLynx, Lightway, Catapult Hydra), those are generally WireGuard derivatives and are fine to use. The underlying cryptography is the same.
