When you tap "Connect" on a VPN app, an encrypted tunnel is built behind the scenes. The rules that govern how that tunnel is created are called the VPN protocol.
Your choice of protocol directly affects connection speed, security strength, and battery consumption. Yet most VPN comparison articles skip the technical details entirely. This article is for those who want to understand the design trade-offs before choosing a protocol — not just pick from a "Top 5 VPNs" list.
What Is a VPN Protocol
A VPN protocol handles three jobs:
- Tunneling — wrapping packets inside other packets so the original data is hidden from third parties
- Encryption — encrypting the tunnel contents so intercepted data cannot be read
- Authentication — verifying that the server you connect to is genuine, preventing man-in-the-middle attacks
Each protocol approaches these three tasks differently:
- WireGuard — achieves all three with a minimal set of cryptographic primitives, optimizing for speed and simplicity
- OpenVPN — builds a flexible tunnel on top of SSL/TLS
- IKEv2/IPSec — leverages OS-native crypto stacks with strong mobile handoff support
All three are secure when implemented correctly. The differences lie in speed, flexibility, and the scenarios where each excels.
WireGuard: The Modern Lightweight Protocol
WireGuard was designed by Jason Donenfeld and merged into the Linux kernel (version 5.6) in 2020. Its design philosophy is radical: "Cryptography is not versioned. There is one correct choice, and we make it for you."
Technical Stack
| Component | Specification |
|---|---|
| Key exchange | Curve25519 (ECDH) |
| Encryption | ChaCha20-Poly1305 |
| Hashing | BLAKE2s |
| Handshake | Noise Protocol Framework (IK pattern) |
| Transport | UDP only |
| Codebase | ~4,000 lines |
Unlike traditional protocols that negotiate which cipher suite to use, WireGuard has no negotiation phase at all. The cryptographic algorithms are fixed. This rules out cipher-suite downgrade attacks by design, since there is no weaker suite to fall back to.
Runs as a Kernel Module
While OpenVPN runs in userspace, WireGuard operates as a Linux kernel module. Packet processing requires no context switches, enabling high throughput and low latency.
```bash
# Check WireGuard interfaces (Linux)
ip link show type wireguard
```
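As an added example (not code from the original article or from the WireGuard project), the following Python script lints a wg-quick style client configuration against the fixed stack in the table above: every key must be a base64-encoded 32-byte Curve25519 value, a private key should carry the clamping that `wg genkey` applies, endpoints must name a UDP port, and AllowedIPs must be valid networks. It uses only the standard library. The sample configuration, its hostname and its keys are constructed for the example (`placeholder_key` is a deterministic stand-in, not a key generator); real keys come from `wg genkey`. The same check serves the self-hosted WireGuard option discussed later in the article.

```python
import base64
import ipaddress
import re

def placeholder_key(seed, clamp=False):
    """Deterministic 32-byte placeholder, NOT a real key (use `wg genkey`); clamp=True mimics private-key clamping."""
    raw = bytearray((seed + i) % 256 for i in range(32))
    if clamp:
        raw[0] &= 248
        raw[31] = (raw[31] & 127) | 64
    return base64.b64encode(bytes(raw)).decode()

# Constructed client config; the hostname is a placeholder.
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = {placeholder_key(1, clamp=True)}
Address = 10.8.0.2/24

[Peer]
PublicKey = {placeholder_key(100)}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.invalid:51820
PersistentKeepalive = 25
"""

def parse_sections(text):
    """Parse the INI-like wg-quick format into an ordered list of (section, {key: value})."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append((header.group(1), {}))
        elif not sections or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            store = sections[-1][1]
            store[key] = f"{store[key]}, {value}" if key in store else value  # repeated keys accumulate
    return sections

def check_key(value, label, findings):
    """Validate a base64 Curve25519 key; return the raw bytes or None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        raw = b""
    if len(raw) != 32:
        findings.append(("error", f"{label}: missing or not a base64-encoded 32-byte (Curve25519) key"))
        return None
    return raw

def check_networks(value, label, findings):
    for entry in (e.strip() for e in value.split(",")):
        try:
            ipaddress.ip_interface(entry)  # address or CIDR network, v4 or v6
        except ValueError:
            findings.append(("error", f"{label}: {entry!r} is not a valid address/network"))

def check_port(value, label, findings):
    if not value.isdigit() or not 1 <= int(value) <= 65535:
        findings.append(("error", f"{label}: {value!r} is not a UDP port in 1-65535"))

def lint_wireguard(text):
    """Return [(severity, message), ...]; an empty list means every check passed."""
    findings = []
    sections = parse_sections(text)
    interfaces = [kv for name, kv in sections if name == "Interface"]
    peers = [kv for name, kv in sections if name == "Peer"]
    if len(interfaces) != 1:
        findings.append(("error", f"expected exactly one [Interface], found {len(interfaces)}"))
    if not peers:
        findings.append(("error", "no [Peer] section: nothing to tunnel to"))
    for iface in interfaces:
        raw = check_key(iface.get("PrivateKey", ""), "[Interface] PrivateKey", findings)
        # wg genkey always clamps; an unclamped value suggests a hand-made or mangled key.
        if raw and (raw[0] & 7 or raw[31] & 128 or not raw[31] & 64):
            findings.append(("warning", "[Interface] PrivateKey: not clamped like `wg genkey` output"))
        if "Address" in iface:
            check_networks(iface["Address"], "[Interface] Address", findings)
        if "ListenPort" in iface:
            check_port(iface["ListenPort"], "[Interface] ListenPort", findings)
    for index, peer in enumerate(peers, 1):
        label = f"[Peer] #{index}"
        check_key(peer.get("PublicKey", ""), f"{label} PublicKey", findings)
        if "AllowedIPs" not in peer:
            findings.append(("warning", f"{label}: no AllowedIPs, so nothing is ever routed to it"))
        else:
            check_networks(peer["AllowedIPs"], f"{label} AllowedIPs", findings)
        if "Endpoint" in peer:
            host, sep, port = peer["Endpoint"].rpartition(":")
            if not sep or not host:
                findings.append(("error", f"{label} Endpoint: expected host:port"))
            else:
                check_port(port, f"{label} Endpoint", findings)
        if not peer.get("PersistentKeepalive", "0").isdigit():
            findings.append(("error", f"{label}: PersistentKeepalive must be a number of seconds"))
    return findings
```

Run `lint_wireguard(open("/etc/wireguard/wg0.conf").read())` on a real file; an empty list means the file is structurally sound, while a warning about clamping is worth investigating because `wg genkey` never produces such a key.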
NordLynx: Solving WireGuard's Privacy Gap
WireGuard's simplicity comes with a trade-off: it keeps the connecting client's IP address in memory on the server side. This is a problem for privacy-focused VPN services.
NordVPN solved this with NordLynx — a layer of double NAT on top of WireGuard that prevents user IP addresses from being stored on the server. It retains WireGuard's speed while addressing the privacy concern.
OpenVPN: The Battle-Tested Standard
OpenVPN was first developed by James Yonan in 2001 and has over 20 years of production use. It is built on an SSL/TLS library (OpenSSL by default), which gives it an extremely wide range of cipher suite options.
Technical Stack
| Component | Specification (recommended) |
|---|---|
| Key exchange | ECDHE (Perfect Forward Secrecy) |
| Encryption | AES-256-GCM |
| Authentication | RSA-4096 or ECDSA certificates |
| Hashing | SHA-256 |
| Transport | UDP or TCP |
| Codebase | ~70,000 lines (core) |
The Value of TCP Mode
While WireGuard and IKEv2 only support UDP, OpenVPN can run in TCP mode. This has significant practical advantages:
- Runs on port 443 (HTTPS) — VPN traffic shares the port and transport of ordinary HTTPS browsing, so port-based filtering cannot single it out
- Effective in restrictive networks — harder for Deep Packet Inspection (DPI) to block, although more capable DPI can still fingerprint OpenVPN's own handshake framing
- Penetrates corporate firewalls — works even when UDP is completely blocked
This flexibility matters when you are connecting from a hotel Wi-Fi during a business trip, or working behind a restrictive corporate network.
The Code Size Trade-Off
OpenVPN's core codebase is around 70,000 lines. Compared to WireGuard's 4,000 lines, a larger codebase means a larger potential attack surface. However, two decades of security audits and patches have made it a well-understood, battle-hardened technology.
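As an added example (not code from the original article or from the OpenVPN project), here is a Python audit of a client `.ovpn` profile against the recommended stack in the table above and the TCP 443 fallback described under "The Value of TCP Mode". It reads the profile's own directives (`remote`, `remote-cert-tls`, `data-ciphers`, `auth`, `tls-version-min`, `tls-crypt`), lists the remotes in the order OpenVPN tries them, and reports where the profile falls short. The sample profile, its hostname and the `<tls-crypt>` placeholder block are constructed for the example; only the standard library is used.

```python
import re

# Data-channel ciphers that give authenticated encryption (the table recommends AES-256-GCM).
AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}

# Constructed client profile; the hostname is a placeholder, not a real server.
SAMPLE_OVPN = """\
client
dev tun
nobind
persist-key
persist-tun
resolv-retry infinite
# try UDP first, then TCP 443 for networks that block UDP
remote vpn.example.invalid 1194 udp
remote vpn.example.invalid 443 tcp
connect-retry-max 3
remote-cert-tls server
verify-x509-name vpn.example.invalid name
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
<tls-crypt>
# placeholder: a real profile carries the OpenVPN static key block here
</tls-crypt>
"""

def parse_ovpn(text):
    """Return (directive, [args]) pairs in file order; an inline <tag>...</tag> block counts as one directive."""
    directives, open_block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if open_block:
            if line == f"</{open_block}>":
                open_block = None
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            open_block = tag.group(1)
            directives.append((open_block, ["<inline>"]))
        elif line and line[0] not in "#;":
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives

def remotes(text):
    """Remotes in the order OpenVPN tries them, as (host, port, proto) with the global defaults applied."""
    directives = parse_ovpn(text)
    default_proto = next((a[0] for d, a in directives if d == "proto" and a), "udp")
    default_port = next((a[0] for d, a in directives if d == "port" and a), "1194")
    result = []
    for d, a in directives:
        if d == "remote" and a:
            port = a[1] if len(a) > 1 else default_port
            proto = a[2] if len(a) > 2 else default_proto
            result.append((a[0], int(port), proto.replace("-client", "").rstrip("46")))
    return result

def audit_ovpn(text):
    """Return [(severity, message), ...] where the profile falls short of the recommended stack."""
    findings, opts = [], {}
    for d, a in parse_ovpn(text):
        opts.setdefault(d, []).append(a)
    rs = remotes(text)
    if not rs:
        findings.append(("error", "no remote directive"))
    elif not any(port == 443 and proto == "tcp" for _, port, proto in rs):
        findings.append(("warning", "no TCP 443 fallback; add 'remote <host> 443 tcp' after the UDP remote"))
    if opts.get("remote-cert-tls", [[]])[0][:1] != ["server"]:
        findings.append(("error", "remote-cert-tls server missing: any CA-signed certificate, "
                                  "including another client's, would be accepted as the server"))
    if "verify-x509-name" not in opts:
        findings.append(("warning", "verify-x509-name missing: server certificate name is not pinned"))
    ciphers = set()
    for args in opts.get("data-ciphers", []) + opts.get("ncp-ciphers", []) + opts.get("cipher", []):
        if args:
            ciphers.update(args[0].upper().split(":"))
    if not ciphers & AEAD_CIPHERS:
        findings.append(("error", f"data channel ciphers {sorted(ciphers) or 'unset'} include no AEAD cipher; "
                                  "use data-ciphers AES-256-GCM:CHACHA20-POLY1305"))
    auth = opts.get("auth", [["SHA1"]])[0]  # OpenVPN's built-in default digest is SHA1
    if not auth or auth[0].upper() in {"MD5", "SHA1", "NONE"}:
        findings.append(("warning", "auth digest is weak or unset; set auth SHA256"))
    tls_min = opts.get("tls-version-min", [[]])[0]
    if not tls_min or float(tls_min[0]) < 1.2:
        findings.append(("warning", "tls-version-min 1.2 not set"))
    if not any(k in opts for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append(("warning", "no tls-auth/tls-crypt: control channel is not HMAC-wrapped"))
    return findings
```

The order of the `remote` lines is the order OpenVPN tries them, so the UDP remote goes first for speed and the TCP 443 remote second for networks that block UDP; `connect-retry-max` bounds how many times the client cycles through the list. The `remote-cert-tls server` check is the authentication job from the start of the article: without it, the client verifies only that the certificate chains to the CA, not that it is a server certificate.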
IKEv2/IPSec: Stable and Mobile-Friendly
IKEv2 (Internet Key Exchange version 2) is standardized in RFC 7296. Developed through the IETF with Microsoft as the primary RFC author, it is natively supported in Windows, macOS, and iOS.
Technical Stack
| Component | Specification |
|---|---|
| Key exchange | Diffie-Hellman (Group 14+ recommended) |
| Encryption | AES-256-CBC or AES-256-GCM |
| Authentication | X.509 certificates / EAP |
| Transport | UDP 500 / 4500 |
| MOBIKE | RFC 4555 supported |
Seamless Switching with MOBIKE
IKEv2's standout feature is MOBIKE (Mobility and Multihoming Protocol). When your device switches from Wi-Fi to cellular data, the VPN connection migrates seamlessly without dropping.
During a commute where your phone constantly switches between Wi-Fi and cellular, IKEv2 keeps the VPN tunnel alive without you even noticing. WireGuard reconnects quickly too, but IKEv2 with MOBIKE avoids the disconnection entirely.
Built into the OS
No additional app is required — you can configure IKEv2 directly from the OS-level VPN settings. This also makes it a natural fit for enterprise MDM (Mobile Device Management) deployments.
Head-to-Head Comparison
| Feature | WireGuard | OpenVPN | IKEv2/IPSec |
|---|---|---|---|
| Speed | Fastest | Moderate | Fast |
| Latency | Lowest | Higher | Moderate |
| Codebase | ~4,000 lines | ~70,000 lines | OS-dependent |
| Cipher selection | Fixed (ChaCha20) | Configurable (AES, etc.) | Configurable (AES, etc.) |
| TCP support | No | Yes | No |
| Mobile handoff | Fast reconnect | Reconnect needed | MOBIKE (seamless) |
| Security verification | Formal cryptographic proofs (multiple academic studies) | Multiple third-party audits | Varies by implementation |
| Linux kernel | Native | Userspace | Userspace |
| Censorship bypass | Weak | Strong (TCP 443) | Weak |
Which Protocol for Which Use Case
Remote Work and Home Office
WireGuard is the best fit. Fast, stable, and easy on battery life. It handles always-on connections without taxing your device. With NordVPN, selecting NordLynx gives you a WireGuard-based connection out of the box.
Public Wi-Fi (Cafes, Airports, Hotels)
Any of the three protocols provides sufficient encryption. However, on public Wi-Fi, reliably connecting matters more than raw speed. Keep OpenVPN (TCP) as a fallback in case UDP traffic is blocked.
Business Travel and Restrictive Networks
OpenVPN on TCP port 443 is the clear winner. It disguises VPN traffic as HTTPS, making it harder for DPI systems to block. WireGuard and IKEv2 use UDP packets that are easier to fingerprint and block.
Mobile-First (Commuting, On the Go)
IKEv2 is optimal. MOBIKE keeps the VPN connection alive when switching between Wi-Fi and cellular. WireGuard reconnects fast enough that the difference is often negligible, but IKEv2 is truly seamless.
Developers Managing VPS and Servers
Two options:
- Self-host WireGuard on your VPS — maximum control, but you are responsible for maintenance and updates
- Use a commercial VPN — zero setup, convenient when you need servers in multiple countries
Whether you spend time building your own or spend a few dollars a month on a commercial solution is your call.
Wrapping Up
There is no single "best" protocol. The right choice depends on your use case:
- Speed → WireGuard (NordLynx)
- Flexibility and censorship bypass → OpenVPN
- Seamless mobile connectivity → IKEv2/IPSec
All three are cryptographically sound when properly implemented. But protocol choice is only part of the equation. The provider's logging policy, operational transparency, and independent audit history matter just as much.
Understanding the technical foundations lets you move beyond "it seems safe" and make an informed decision that actually fits your needs.
Official resources:
- WireGuard — Official Site — protocol specifications and whitepaper
- OpenVPN — Community — open-source documentation
- RFC 7296 — IKEv2 — IKEv2 standard specification
- Noise Protocol Framework — the handshake framework used by WireGuard