The ExpressVPN app takes the guesswork out of protocols by automatically selecting the best protocol for you based on the quality of your internet connection. That is why your protocol is always set to “Automatic” by default. However, you may also manually choose a protocol if you have special circumstances or you are asked to do so by a member of our Support Team.
Which VPN protocol is best?
You don’t need to know how a VPN works to use a VPN. But if you’ve ever checked the settings on your ExpressVPN app, you’ll see a tab that lets you choose a protocol.
Protocols are methods by which your device connects to ExpressVPN’s secure servers. Find out how protocols differ and how to choose the best protocol for you.
What are VPN protocols?
Let’s start with the basics. VPN stands for virtual private network, which is a secure tunnel between two or more devices. When you use a VPN, you are connected to the internet through an intermediary server run by the VPN provider (e.g., ExpressVPN).
The security of your connection is dictated by the VPN protocol, which is a set of instructions that define how two devices talk to each other. Different protocols use different encryption standards and authentication methods, resulting in differing levels of speed and security for VPN users.
Protocols determine what encryption algorithm to use, how to establish and verify encryption keys, and how to handle potential errors. VPN protocols may be designed to route all your data through this encrypted tunnel or, as is the case with HTTP proxies, to route only your web traffic.
What are the types of VPN protocols?
Before we dive into the discussion of the fastest VPN protocol or the most secure VPN protocol, it’s important to take a step back and explain the different types of encrypted protocols first.
Point to Point Tunneling Protocol (PPTP)
As one of the earliest entrants into the world of protocols, PPTP has a rich and storied history. It’s been around since the days of Windows 95 but relies on the outdated MS-CHAP v2 authentication suite, which means it’s easy to crack.
This inherent vulnerability does come with an advantage: The lack of encryption and authentication features means PPTP is the fastest VPN protocol. This also means that the contents of your connection can be seen by your ISP, your Wi-Fi operator, and government surveillance organizations like the NSA.
As such, we recommend that only people who know what they’re doing use PPTP.
Verdict: Avoid if possible
Layer 2 Tunneling Protocol (L2TP)
A significant step up from PPTP, the Layer 2 Tunneling Protocol delivers robust security at the cost of reduced speed. L2TP is commonly paired with the IPsec protocol to deliver AES-256 encryption, with the combination of the two referred to as L2TP/IPsec.
L2TP was also developed in the ’90s via a partnership between Cisco and Microsoft. There’s been some chatter in security circles against it due to the small role that the NSA played in its development, but no backdoors have ever been found.
IKEv1 is used instead of L2TP/IPsec in the ExpressVPN iOS app. It is referred to simply as IPsec and offers similar service to L2TP.
Verdict: Nice to have
OpenVPN (TCP vs. UDP)
OpenVPN is a highly configurable open-source protocol. It’s available freely for all platforms and is held in high regard by the community, and it is widely adopted among consumer VPN services.
OpenVPN can most easily be configured to mask itself as ordinary internet traffic, which helps it evade detection by filters and firewalls. It has been widely audited by trusted independent researchers, making it appropriate for deployment even in sensitive environments.
For many situations, OpenVPN is the VPN protocol of choice.
Many ExpressVPN apps use OpenVPN by default when the protocol is set to “Automatic.” Users can toggle between UDP (optimal for speed) or TCP (optimal for connection reliability) within the app settings if they wish.
Verdict: Most of the time, opt for this
Internet Key Exchange Version 2 (IKEv2)
IKEv2 is one of the newest protocols and has significant strengths, particularly its speed. It’s well-suited for mobile devices across all platforms.
However, being primarily used in corporate environments, IKEv2 doesn’t have native support for Linux, and its lack of configurability can be a drawback. IKEv2 is also difficult to audit due to its strict licensing. ExpressVPN uses an open-source implementation of IKEv2 to ensure the integrity of the protocol.
IKEv2 is a popular choice, and it will sometimes be used by ExpressVPN apps when the protocol is set to “Automatic.”
Verdict: A solid alternative to OpenVPN, especially on mobile
WireGuard
WireGuard has a reputation as the VPN protocol of the future, but a stable version has not yet been released. Under development by Edge Security LLC, WireGuard’s architecture promises faster encryption and decryption of data, with a reduced possibility of leaks compared with other VPN protocols.
WireGuard is expected to be easy to deploy across applications and devices of all sizes, while maintaining an uncomplicated code base for both security audits and implementation alike.
ExpressVPN currently does not support WireGuard.
Secure Socket Tunneling Protocol (SSTP)
The SSTP VPN protocol was developed solely by Microsoft and introduced along with Windows Vista. It is very similar to a PPTP tunnel wrapped in SSL, an early encryption protocol popular for securing web pages. As such, SSTP initially worked only on Windows devices and never gained popularity beyond that.
SSTP has limited configurability and does not stand out among available protocols.
ExpressVPN no longer supports SSTP.
What is the best VPN protocol?
If you’re looking for the trifecta of speed, security, and reliability, OpenVPN or IKEv2 remain your go-to protocols. (These are the protocols your ExpressVPN app will choose when set to “Automatic.”)
It’s difficult to pinpoint a clear winner between the two, as each protocol has advantages in different situations.
OpenVPN offers 256-bit AES encryption with best-in-class security algorithms, giving you extensive cloaking abilities and an impenetrable layer protecting your digital footprint. The codebase has been publicly audited and checked for bugs, implementation errors, and backdoors. As such, the security of OpenVPN is among the most respected.
There’s not much of a tradeoff when it comes to speed either, with OpenVPN fast enough to cater to the gamut of internet use cases (such as live-streaming events, browsing through sites, and using VoIP apps).
Mobile users will also be well-served by IKEv2, which offers similar speed, reliability, and security to OpenVPN.
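For readers who configure OpenVPN manually, the UDP/TCP choice and the AES-256 setting described above live in the client profile as the proto, remote, cipher and data-ciphers options. The following is an added example, not ExpressVPN's code or configuration: a small checker that reports which transports and ciphers a profile allows. The profile text and the host vpn.example.net are constructed for illustration.

```python
# Added example. The profile is constructed; vpn.example.net is a placeholder.
SAMPLE_PROFILE = """\
client
dev tun
;proto udp
remote vpn.example.net 1195 udp
remote vpn.example.net 443
proto tcp-client
cipher AES-256-CBC
data-ciphers AES-256-GCM:AES-128-GCM
<ca>
-----BEGIN CERTIFICATE----- (constructed placeholder, not a real certificate)
</ca>
"""

def parse_directives(text):
    """Yield (name, args) per directive, skipping comments and inline <ca>-style blocks."""
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block:  # inside an inline file block such as <ca> ... </ca>
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            continue
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts[0], parts[1:]

def audit_profile(text):
    """Report which transports and data-channel ciphers a client profile allows."""
    default_proto, remote_protos, ciphers = "udp", [], []  # udp is OpenVPN's default
    for name, args in parse_directives(text):
        if name == "proto" and args:
            default_proto = args[0]
        elif name == "remote":  # remote <host> [port] [proto]; proto overrides the default
            remote_protos.append(args[2] if len(args) >= 3 else None)
        elif name in ("data-ciphers", "ncp-ciphers") and args:
            ciphers += args[0].split(":")
        elif name == "cipher" and args:
            ciphers.append(args[0])
    transports = {"tcp" if (p or default_proto).lower().startswith("tcp") else "udp"
                  for p in remote_protos or [None]}
    not_aes256 = sorted({c for c in ciphers if not c.upper().startswith("AES-256-")})
    return {"transports": sorted(transports), "ciphers": ciphers, "not_aes256": not_aes256}

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

An entry in not_aes256 means the profile permits a cipher other than 256-bit AES, so the negotiated cipher may differ from what the profile's first choice suggests.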
What is the fastest VPN protocol?
Given different environments, internet speeds, or network configurations, different VPN protocols will perform better. To optimize for connection speeds, ExpressVPN selects OpenVPN and IKEv2 as the fastest protocols. Without its layer of encryption, PPTP could be called the fastest VPN protocol, but we don’t recommend you use it and will not make it available in the apps.
What is the most secure VPN protocol?
IKEv2, L2TP, and OpenVPN are all secure protocols, but the title of the most secure VPN protocol should go to OpenVPN, if only because it has been extensively audited by multiple neutral experts. Its open-source implementations are available for anyone to inspect and improve. This means OpenVPN is constantly under scrutiny and tested for bugs and errors.
What VPN protocol should I use?
If you’re using ExpressVPN, your default choice is not to choose: Just select “Automatic” and let the app select the best protocol for your situation. But if you have special circumstances and want to choose your protocol manually, here’s an at-a-glance reference list of when to use each one:
OpenVPN: Incredibly fast, rugged, and secure. Works on all devices and platforms without breaking a sweat. The only slight drawback is that manual configuration is tedious and uncomfortable. Generally, use the OpenVPN protocol whenever it is available.
L2TP/IPsec: Cookie-cutter VPN solution that’s easy to set up and used widely across the VPN landscape. Has more advanced security features as compared with PPTP, but it can struggle to evade some firewalls. Opt for L2TP when OpenVPN is unavailable.
IKEv2: Most suited for mobile devices, particularly if you’re using a BlackBerry. It is stable, fast, and secure. A solid alternative to OpenVPN.
PPTP: The oldest VPN protocol in use today, but also the most poorly configured. Offers top-notch speed but incredibly lax security and is likely compromised by state actors. Avoid PPTP.
WireGuard: Slowly gaining traction among consumer VPN services, this lean protocol is still under active development and currently lacks the trust of the OpenVPN suite.
SSTP: Works only on Microsoft devices. Is considered to be secure and fast, but its ownership raises some questions.