VPN Protocols Explained: WireGuard vs OpenVPN vs IKEv2
A clear guide to VPN protocols including WireGuard, OpenVPN, IKEv2, Lightway, and NordLynx. Which is fastest? Most secure? Best for your needs?
A VPN protocol is the set of rules that governs how your device creates and maintains an encrypted connection to a VPN server. The protocol you use affects your speed, security, and reliability. Most modern VPN apps choose the best protocol automatically, but understanding the options helps you make informed decisions.
The Protocols That Matter in 2026
WireGuard
Released: 2020 (stable) | Code: ~4,000 lines | Open Source: Yes
WireGuard is the modern standard. It is fast, secure, and simple. With roughly 4,000 lines of code (compared to OpenVPN's 70,000+), it has a dramatically smaller attack surface and is far easier to audit.
Speed: The fastest general-purpose VPN protocol. Typically retains 85-90% of your baseline speed.
Security: Uses modern cryptographic primitives: ChaCha20 for encryption, Poly1305 for authentication, Curve25519 for key exchange, BLAKE2s for hashing. These are all considered state-of-the-art.
Limitations: WireGuard's original design assigns static IP addresses, which can theoretically be used to correlate sessions. VPN providers address this differently - NordVPN built NordLynx (a double NAT layer), while others rotate addresses or use similar workarounds.
When to use it: For almost everything. WireGuard is the default protocol recommendation in 2026.
OpenVPN
Released: 2001 | Code: ~70,000 lines | Open Source: Yes
OpenVPN is the veteran. It has been around for over two decades, is battle-tested, and remains the most configurable protocol available. It runs over either TCP (reliable, slower) or UDP (faster, less reliable).
Speed: Slower than WireGuard by 15-30% in most tests. The larger codebase and older architecture create more overhead.
Security: Uses OpenSSL for encryption, which supports a wide range of ciphers. When configured with AES-256-GCM, it is considered very secure. The downside of a 70,000-line codebase is a larger attack surface.
Strengths: Works on TCP port 443, which makes it look like regular HTTPS traffic. This makes it harder to block and useful for bypassing firewalls and censorship.
When to use it: When WireGuard is blocked, when you need to bypass restrictive firewalls, or when you need the configuration flexibility that only OpenVPN offers.
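To check a profile against the two OpenVPN settings this section calls out (AES-256-GCM as the cipher, and TCP port 443 as the transport), the following added example parses a client .ovpn file and reports what it finds. It is not code from OpenVPN or any VPN provider; the sample profile is constructed, vpn.example.net is a placeholder, and the function names are hypothetical.

```python
"""Audit an OpenVPN client profile for the cipher and transport settings discussed above."""

# Constructed sample profile; vpn.example.net is a placeholder host.
SAMPLE_OVPN = """\
client
proto tcp
remote vpn.example.net 443
cipher AES-256-CBC
data-ciphers AES-256-GCM:AES-128-CBC
<ca>
(certificate omitted)
</ca>
"""

def parse_ovpn(text):
    """Map each directive to its argument lists; skip comments and inline <ca>/<key> blocks."""
    opts, in_block = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif line and not in_block and line[0] not in "#;":
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def audit(text):
    """Return the transport in use and any cipher settings other than AES-256-GCM."""
    opts, findings = parse_ovpn(text), []
    # data-ciphers (2.5+) / ncp-ciphers (2.4) list every cipher the client will negotiate.
    nego = opts.get("data-ciphers") or opts.get("ncp-ciphers")
    offered = nego[-1][0].upper().split(":") if nego and nego[-1] else []
    if not nego:
        findings.append("no data-ciphers directive; negotiation uses the version's defaults")
    elif "AES-256-GCM" not in offered:
        findings.append("AES-256-GCM is not in the negotiable cipher list")
    findings += [f"also accepts {c}" for c in offered if c != "AES-256-GCM"]
    # `cipher` is the older single-cipher directive; its role differs between versions.
    for args in opts.get("cipher", []):
        if args and args[0].upper() != "AES-256-GCM":
            findings.append(f"legacy cipher directive set to {args[0].upper()}")
    proto = (opts.get("proto") or [["udp"]])[-1]        # OpenVPN defaults to UDP
    remote = (opts.get("remote") or [[]])[0]
    port = int(remote[1]) if len(remote) > 1 else 1194  # default OpenVPN port
    transport = ("tcp" if proto and proto[0].startswith("tcp") else "udp", port)
    return {"transport": transport, "tcp_443": transport == ("tcp", 443), "findings": findings}

print(audit(SAMPLE_OVPN))
```

Directives placed inside a `<connection>` block are skipped by this parser along with the other inline blocks, so profiles that use them need the block contents checked separately.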
IKEv2/IPSec
Released: 2005 | Standard: IETF RFC
IKEv2 (Internet Key Exchange version 2) paired with IPSec is excellent for mobile devices. Its key advantage is MOBIKE support, which seamlessly handles network switches - moving from WiFi to mobile data, for example - without dropping the VPN connection.
Speed: Similar to OpenVPN, sometimes slightly faster.
Security: Uses strong encryption (AES-256) and is considered secure. Built into many operating systems natively.
When to use it: On mobile devices when WireGuard is not available, or when you need seamless network switching.
Proprietary Protocols
Several VPN providers have developed their own protocols:
NordLynx (NordVPN)
NordVPN's custom implementation built on WireGuard. Adds a double NAT system to address WireGuard's static IP privacy concern. In our tests, NordLynx is the fastest protocol from any VPN provider.
Lightway (ExpressVPN)
ExpressVPN's in-house protocol. Open source (audited by Cure53), uses wolfSSL for encryption, and is designed for fast connection establishment - typically under one second. Supports both UDP and TCP. Also supports post-quantum encryption.
Stealth (Proton VPN)
Proton VPN's obfuscation protocol designed specifically for use in censored regions. Makes VPN traffic look like regular web browsing to evade deep packet inspection.
Protocol Comparison Table
| Protocol | Speed | Security | Stability | Best For |
|----------|-------|----------|-----------|----------|
| WireGuard | Excellent | Excellent | Good | General use, speed priority |
| OpenVPN (UDP) | Good | Excellent | Good | Firewall bypass, maximum compatibility |
| OpenVPN (TCP) | Moderate | Excellent | Excellent | Restrictive networks, reliability priority |
| IKEv2/IPSec | Good | Good | Excellent | Mobile devices, network switching |
| NordLynx | Excellent | Excellent | Good | NordVPN users |
| Lightway | Excellent | Excellent | Good | ExpressVPN users |
What About Post-Quantum Encryption?
Quantum computers powerful enough to break current encryption do not exist yet, but they may within the next 10-20 years. Post-quantum encryption uses algorithms that are designed to resist attacks from both classical and quantum computers.
Currently, only ExpressVPN (Lightway), Mullvad, and IVPN offer post-quantum encryption. For most users, this is a forward-looking feature rather than an immediate necessity, but it protects against "harvest now, decrypt later" attacks where an adversary records your encrypted traffic today with the intent of decrypting it once quantum computers are available.
Our Recommendation
Let your VPN app choose automatically. Modern VPN apps default to WireGuard (or their proprietary WireGuard-based variant), which is the right choice for nearly all situations. Only switch protocols manually if you are having connection issues or need to bypass specific network restrictions.
Further Reading
- What Is a VPN? - Start here if you are new to VPNs
- How to Choose a VPN - Practical buying guide
- VPN Speed Comparison Tool - See real speed data for each protocol