Which VPN protocol is best?
You don’t need to know how a VPN works to use a VPN. But if you’ve ever checked the settings on your ExpressVPN app, you’ll see a tab that lets you choose a protocol.
Protocols are methods by which your device connects to ExpressVPN’s secure servers. Find out how protocols differ and how to choose the best protocol for you.
30-day money-back guarantee
Introducing ExpressVPN’s Lightway protocol
Lightway is currently available on our apps for Android, Windows, Mac, Linux, and routers, with iOS on the way. If you don’t yet have ExpressVPN, we encourage you to take advantage of our 30-day money-back guarantee and give it a try. We’re confident you’ll agree that Lightway is the best VPN protocol.
What are VPN protocols?
Let’s start with the basics. VPN stands for virtual private network, which is a secure tunnel between two or more devices. When you use a VPN, you are connected to the internet through an intermediary server run by the VPN provider (e.g., ExpressVPN).
The security of your connection is dictated by the VPN protocol, which is a set of instructions that define how two devices talk to each other. Different protocols use different encryption standards and authentication methods, resulting in differing levels of speed and security for VPN users.
Protocols determine what encryption algorithm to use, how to establish and verify encryption keys, and how to handle potential errors. VPN protocols may be designed to route all your data through this encrypted tunnel, or as is the case with HTTP proxies, only route your web traffic.
Which VPN protocol should you choose?
The ExpressVPN app takes the guesswork out of protocols by automatically selecting the best protocol for you based on the quality of your internet connection. That is why your protocol is always set to “Automatic” by default.
However, you may also manually choose a protocol if you have special circumstances or you are asked to do so by a member of our Support Team. Additionally, during its early phases, Lightway might not be included among the protocols available via the “Automatic” setting for all users. Therefore, users wanting to try Lightway might need to manually select it in their app settings.
What are the types of VPN protocols?
Before we dive into a discussion of the fastest VPN protocol or the most secure VPN protocol, it’s important to explain the different types of encrypted protocols first.
Built from the ground up by ExpressVPN, Lightway is created for the modern world, forgoing features that are no longer needed from a VPN and implementing those that provide a smooth, secure experience. Establishing a VPN connection might take only a fraction of a second, depending on your network, and you’ll stay connected to the VPN even when your device switches networks. Lightway does the minimum needed to get you connected quickly and securely, so you might even notice less battery usage.
Lightway uses wolfSSL, whose well-established cryptography library has been extensively vetted by third parties, including against the FIPS 140-2 standard.
Verdict: Always try Lightway first
Layer 2 Tunneling Protocol (L2TP)
A significant step up from pioneering but outdated protocols like PPTP and SSTP, the Layer 2 Tunneling Protocol delivers better security at the cost of reduced speed. L2TP is commonly paired with the IPsec protocol to deliver AES-256 encryption, with the combination of the two referred to as L2TP/IPsec.
However, L2TP/IPsec is still more suited for anonymization than for security, as there are other protocols, such as OpenVPN, offering even stronger levels of security.
Verdict: Nice to have
OpenVPN (TCP vs. UDP)
OpenVPN is a highly configurable open-source protocol. It’s available freely for all platforms and is held in high regard by the community, and it is widely adopted among consumer VPN services.
OpenVPN can most easily be configured to mask itself as ordinary internet traffic, which helps it evade detection by filters and firewalls. It has been widely audited by trusted independent researchers, making it appropriate for deployment even in sensitive environments.
In the ExpressVPN apps, users can toggle between UDP (optimal for speed) or TCP (optimal for connection reliability) within the app settings if they wish.
Verdict: One of the best
Internet Key Exchange Version 2 (IKEv2)
IKEv2 is one of the newest protocols and has significant strengths, particularly its speed. It’s well-suited for mobile devices across all platforms.
However, being primarily used in corporate environments, IKEv2 doesn’t have native support for Linux, and its lack of configurability can be a drawback. IKEv2 is also difficult to audit due to its strict licensing. ExpressVPN uses an open-source implementation of IKEv2 to ensure the integrity of the protocol.
IKEv2 is a popular choice, and it will sometimes be used by ExpressVPN apps when the protocol is set to “Automatic.”
Verdict: A solid choice, especially on mobile
Point to Point Tunneling Protocol (PPTP)
As one of the earliest entrants into the world of protocols, PPTP has a rich and storied history. It’s been around since the days of Windows 95 but relies on the outdated MS-CHAP v2 authentication suite, which means it’s easy to crack.
This inherent vulnerability does come with an advantage: The lack of encryption and authentication features means PPTP is the fastest VPN protocol. This also means that the contents of your connection can be seen by your ISP, your Wi-Fi operator, and government surveillance organizations like the NSA.
As such, we recommend that only people who know what they’re doing use PPTP, which is no longer supported on ExpressVPN apps.
WireGuard® is a free and open-source VPN protocol originally written by Jason A. Donenfeld and currently under development by Edge Security LLC. It has shown promise as a modern VPN protocol in terms of speed and its lighter codebase, and a number of VPN providers have begun adopting it in the past couple of years.
ExpressVPN currently does not support WireGuard.
Secure Socket Tunneling Protocol (SSTP)
The SSTP VPN protocol was solely developed by Microsoft and introduced along with Windows Vista. It is very similar to a PPTP tunnel wrapped in SSL, an early encryption protocol popular with securing web pages. As such, SSTP initially worked only on Windows devices, and it never gained popularity beyond that.
SSTP has limited configurability and does not stand out among available protocols.
ExpressVPN no longer supports SSTP.
What is the best VPN protocol?
If you’re looking for the trifecta of speed, security, and reliability, Lightway delivers on all fronts thanks to its lightweight codebase. It runs fast, uses less battery, and is easy to audit and maintain—meaning better security.
If Lightway isn’t available to you, OpenVPN or IKEv2 remain your go-to protocols.
OpenVPN offers 256-bit AES encryption with best-in-class security algorithms, giving you extensive cloaking abilities and an impenetrable layer protecting your digital footprint. The codebase has been publicly audited and checked for bugs, implementation errors, and backdoors.
Mobile users will also be well-served by IKEv2, which offers similar speed, reliability, and security to OpenVPN.
What is the fastest VPN protocol?
Given different environments, internet speeds, or network configurations, different VPN protocols will perform better. Lightway is one of the fastest protocols available, alongside OpenVPN and IKEv2. Without its layer of encryption, PPTP could be called the fastest VPN protocol, but we don’t recommend you use it and will not make it available in the apps.
What is the most secure VPN protocol?
Lightway, IKEv2, L2TP, and OpenVPN are all secure protocols, but the title of the most secure VPN protocol should go to Lightway, which uses wolfSSL, a well-established cryptography library that is FIPS 140-2 validated—which means it has been rigorously vetted by third parties. Lightway will soon be open-sourced so that it can be transparently and widely scrutinized for security vulnerabilities.
OpenVPN is also recommended, because it has been extensively audited by multiple neutral experts. Its open-source implementations are available for anyone to inspect and improve.
What VPN protocol should I use?
If you’re using ExpressVPN, your default choice is not to choose: Just select “Automatic” and let the app select the best protocol for your situation. But if you have special circumstances and want to choose your protocol manually, here’s an at-a-glance reference list of when to use each one:
Lightway: Very stable and secure, and typically connects in a split second. It’s built for the movement of a modern internet user, seamlessly reconnecting after network changes or drops. Plus it won’t drain your battery.
OpenVPN: Fast, rugged, and secure. Works on all devices and platforms without breaking a sweat. The only slight drawback is that manual configuration is tedious and uncomfortable. Generally use the OpenVPN protocol if Lightway is not available.
L2TP/IPsec: Cookie-cutter VPN solution that’s easy to set up and used widely across the VPN landscape. Has more advanced security features as compared with PPTP, but it can struggle to evade some firewalls.
IKEv2: Most suited for mobile devices, particularly if you’re using a BlackBerry. Stable, fast, and secure. A solid alternative to Lightway and OpenVPN.
PPTP: The oldest VPN protocol in use today, but also the most poorly configured. Offers top-notch speed but incredibly lax security and is likely compromised by state actors. Avoid PPTP.
WireGuard: Slowly gaining traction among consumer VPN services, this lean protocol is still under active development and currently lacks the trust of the OpenVPN suite.
SSTP: Works only on Microsoft devices. Considered to be secure and fast, but its ownership raises some questions.