PPTP vs IPSec IKEv2 vs OpenVPN vs WireGuard (2024)

PPTP

Intro

A very basic VPN protocol based on PPP. The PPTP specification does not actually describe encryption or authentication features and relies on the PPP protocol being tunneled to implement security functionality.

Encryption

The PPP payload is encrypted using Microsoft's Point-to-Point Encryption protocol (MPPE). MPPE implements the RSA RC4 encryption algorithm with session keys of at most 128 bits.

Security weaknesses

The Microsoft implementation of PPTP has serious security vulnerabilities. MSCHAP-v2 is vulnerable to a dictionary attack and the RC4 algorithm is subject to a bit-flipping attack. Microsoft strongly recommends upgrading to IPSec where confidentiality is a concern.

Speed

With RC4 and 128-bit keys, PPTP has the lowest encryption overhead of all the protocols, making it the fastest.

Firewall ports

PPTP uses TCP port 1723 and GRE (Protocol 47). PPTP can be easily blocked by restricting the GRE protocol.

Setup / Configuration

All versions of Windows and most other operating systems (including mobile) have native support for PPTP. PPTP only requires a username, password and server address, making it incredibly simple to set up and configure.

Stability / Compatibility

PPTP is not as reliable as OpenVPN, nor does it recover as quickly over unstable network connections. There are minor compatibility issues with the GRE protocol and some routers.

Supported platforms

Windows
macOS
Linux
Apple iOS
Android
DD-WRT

Verdict

Due to the major security flaws, there is no good reason to choose PPTP other than device compatibility. If you have a device on which only PPTP is supported then you should consider how to encrypt data at other layers e.g. HTTPS.

IPSec IKEv2

Intro

IKEv2 (Internet Key Exchange version 2) is part of the IPSec protocol suite and is standardized in RFC 7296. IPSec has become the de facto standard protocol for secure Internet communications, providing confidentiality, authentication and integrity.

Encryption

IKEv2 implements a large number of cryptographic algorithms including 3DES, AES, Blowfish and Camellia. IVPN implements IKEv2 using AES with 256-bit keys.

Security weaknesses

IPSec has no known major vulnerabilities and is generally considered secure when implemented using a secure encryption algorithm and certificates for authentication. However, leaked NSA presentations indicate that IKE could be exploited in an unknown manner to decrypt IPSec traffic.

Speed

IPSec with IKEv2 should in theory be faster than OpenVPN because OpenVPN performs encryption in user mode; however, it depends on many variables specific to the connection. In most cases it is faster than OpenVPN.

Firewall ports

IKEv2 uses UDP 500 for the initial key exchange, protocol 50 for the IPSec encrypted data (ESP) and UDP 4500 for NAT traversal.
IKEv2 is easier to block than OpenVPN due to its reliance on fixed protocols and ports.

Setup / Configuration

Windows 7+, macOS 10.11+ and most mobile operating systems have native support for IPSec with IKEv2.

Stability / Compatibility

IPSec is more complex than OpenVPN and can require additional configuration between devices behind NAT routers. However, as long as both the server and client support NAT traversal, there shouldn't be any issues.

Supported platforms

Windows
macOS
Linux
Apple iOS
Android

Verdict

IKEv2 is an excellent choice: it is extremely fast, secure and reliable. In addition, unlike OpenVPN, it requires no additional software to be installed (in most cases) and is therefore the quickest to configure. If you have a threat model that includes sophisticated adversaries then you may want to consider OpenVPN due to the leaked NSA presentations discussed above.

OpenVPN

Intro

An open-source VPN protocol developed by OpenVPN Technologies. It is very popular but is not based on standards (RFC). It uses a custom security protocol and SSL/TLS for key exchange, and provides full confidentiality, authentication and integrity.

Encryption

OpenVPN uses the OpenSSL library to provide encryption. OpenSSL implements a large number of cryptographic algorithms such as 3DES, AES, RC5, Blowfish.
As with IKEv2, IVPN implements AES with 256-bit keys.

Security weaknesses

OpenVPN has no known major vulnerabilities and is generally considered secure when implemented using a secure encryption algorithm and certificates for authentication.

Speed

When used in its default UDP mode on a reliable network OpenVPN performs similarly to IKEv2.

Firewall ports

OpenVPN can be easily configured to run on any port using either UDP or TCP thereby easily bypassing restrictive firewalls.

Setup / Configuration

OpenVPN is not included in any operating system release and requires the installation of client software. Installation typically takes less than 5 minutes.

Stability / Compatibility

Very stable and fast over wireless, cellular and other unreliable networks where packet loss and congestion are common. OpenVPN has a TCP mode for highly unreliable connections, but this mode sacrifices significant performance due to the inefficiency of encapsulating TCP within TCP.

Supported platforms

Windows
macOS
Linux
Apple iOS
Android
DD-WRT (with the correct build)

Verdict

OpenVPN is an excellent choice for all platforms. It is extremely fast, secure and reliable. Additionally, the IVPN Multi-hop network and port forwarding are only available when connecting via OpenVPN.

WireGuard

Intro

WireGuard® is an extremely fast VPN protocol with very little overhead and state-of-the-art cryptography. It has the potential to offer a simpler, more secure, more efficient, and easier to use VPN over existing technologies.

Encryption

WireGuard® is built atop ChaCha20 for symmetric encryption (RFC 7539), Curve25519 for Elliptic-curve Diffie–Hellman (ECDH) anonymous key agreement, BLAKE2s for hashing (RFC 7693), SipHash24 for hashtable keys, and HKDF for key derivation (RFC 5869). It uses a UDP-based handshake, and the key exchange provides perfect forward secrecy while avoiding both key-compromise impersonation and replay attacks.

Security weaknesses

WireGuard® has no known major vulnerabilities. It is relatively new and has not seen the thorough vetting of OpenVPN, though the code-base is extremely small, so full audits are possible by individuals and not just large organizations. WireGuard® is in-tree with Linux Kernel 5.6 and has been reviewed by a 3rd party auditor.

Speed

WireGuard® benefits from extremely high-speed cryptographic primitives and deep integration with the underlying operating system kernel, so speeds are very high with low overhead. Most customers report higher speeds than OpenVPN.

Firewall ports

WireGuard® uses the UDP protocol and can be configured to use any port. It may succumb to traffic shaping more easily than OpenVPN due to its lack of support for TCP.
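The four "Firewall ports" sections can be read as a set of flow signatures, which is how an egress policy or flow-log audit would apply them. The following is an added example, not from the original page: the flow records are constructed, and the WireGuard check goes beyond the text by assuming the message header layout and fixed handshake sizes from the WireGuard protocol description, which make the traffic recognisable even when the port is arbitrary.

```python
# IP protocol numbers; the ports below are the ones named in the text.
TCP, UDP, GRE, ESP = 6, 17, 47, 50

# Assumption (WireGuard protocol description, not this page): the first byte is
# the message type, the next three are zero, and types 1-3 have fixed sizes.
WG_FIXED_LEN = {1: 148, 2: 92, 3: 64}  # initiation, response, cookie reply

def looks_like_wireguard(payload: bytes) -> bool:
    """Port-independent heuristic for a WireGuard UDP datagram."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return False
    mtype = payload[0]
    if mtype in WG_FIXED_LEN:
        return len(payload) == WG_FIXED_LEN[mtype]
    # Type 4 (transport data): 16-byte header + padded payload + 16-byte tag.
    return mtype == 4 and len(payload) >= 32 and len(payload) % 16 == 0

def classify(proto: int, dport: int = 0, payload: bytes = b"") -> str:
    """Label one flow record using fixed signatures first, payload shape last."""
    if proto == GRE:
        return "GRE (PPTP data channel)"
    if proto == ESP:
        return "ESP (IPSec data)"
    if proto == TCP and dport == 1723:
        return "PPTP control"
    if proto == UDP and dport == 500:
        return "IKEv2 key exchange"
    if proto == UDP and dport == 4500:
        return "IKEv2 NAT traversal"
    if proto == UDP and looks_like_wireguard(payload):
        return "WireGuard (heuristic)"
    return "unclassified"

# Constructed flow records: (ip_proto, dst_port, first payload of the flow).
SAMPLE_FLOWS = [
    (TCP, 1723, b""),
    (GRE, 0, b""),
    (UDP, 500, b""),
    (ESP, 0, b""),
    (UDP, 4500, b""),
    (UDP, 443, b"\x01\x00\x00\x00" + bytes(144)),   # WireGuard-shaped, odd port
    (TCP, 443, b"\x00\x0e\x38" + bytes(13)),        # opaque TCP on a web port
    (UDP, 53, b"\x12\x34\x01\x00" + bytes(28)),     # DNS-like, not WireGuard
]

def audit(flows=SAMPLE_FLOWS):
    return [classify(p, port, data) for p, port, data in flows]
```

The TCP flow on port 443 stays unclassified, which is the practical meaning of the statement that a protocol able to run on any TCP or UDP port is harder to match with port and protocol rules alone.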

Setup / Configuration

WireGuard® is in-tree with Linux Kernel 5.6. Other non-Linux operating systems require the installation of a WireGuard® client app. Installation typically takes less than 5 minutes.

Stability / Compatibility

Extremely stable and robust. More stable than OpenVPN when roaming across networks. It uses an initial endpoint for connections and can switch servers while maintaining the connection. The client can also change networks without dropping the connection.

Supported platforms

Windows
macOS
Linux
Apple iOS
Android

Verdict

WireGuard® is an excellent choice and may be the best protocol for high speeds if you don’t use the IVPN multi-hop network or port-forwarding. WireGuard® promises better security and faster speeds compared to existing solutions. Since its merge into Linux Kernel (v5.6) and the release of v1.0, we consider WireGuard® to be ready for wide-scale use.

FAQs

Should I use IKEv2 or WireGuard?

Based on these findings, if you're looking for the fastest secure tunneling protocol, you should go with NordLynx (or WireGuard). The second fastest will be IKEv2, which can confidently hold its own even when connecting to the other side of the world.

What is the strongest VPN security protocol?

What is the most secure VPN protocol? Many VPN experts recommend OpenVPN as the most secure protocol. It uses 256-bit encryption as a default but also offers other ciphers such as 3DES (triple data encryption standard), Blowfish, CAST-128, and AES (Advanced Encryption Standard).

Which VPN solution is more secure IKEv2 or IPSec?

It's used along with IPSec, which serves as an authentication suite, and that's why it's referred to as IKEv2/IPSec with most VPN providers. Microsoft and Cisco developed IKEv2, and it's well known for being more stable, secure, and easier to set up than some of the alternatives.

What is the difference between OpenVPN WireGuard and IKEv2 IPSec protocols?

IKEv2 is easier to block than OpenVPN due to its reliance on fixed protocols and ports. OpenVPN can be easily configured to run on any port using either UDP or TCP thereby easily bypassing restrictive firewalls. WireGuard® uses the UDP protocol and can be configured to use any port.

Is WireGuard more secure than IKEv2?

IPSec/IKEv2. IPSec is also a fast, fairly recent protocol. However, WireGuard has two advantages: its cryptographic primitives may be faster, and it's built into the Linux kernel. One test found that IPSec beat WireGuard in one particular situation, while WireGuard was more consistently fast.

Is there anything better than WireGuard?

In short, OpenVPN TCP is more effective at bypassing censorship than WireGuard, because WireGuard can only be used with UDP. We usually recommend using UDP whenever possible because it's faster, more efficient, and equally stable when used within a VPN tunnel.

Is WireGuard more secure than OpenVPN?

Both WireGuard and OpenVPN are secure protocols, but WireGuard is considered more secure due to its use of modern cryptographic protocols and its smaller codebase. WireGuard also has fewer attack surfaces than OpenVPN.

Is IKEv2 more secure than OpenVPN?

The IKEv2 protocol is faster and more stable than OpenVPN, and it offers a ground-breaking auto-reconnect feature that improves both security and ease of use. This means that it will automatically resume your VPN's connection, even when your device switches from one internet source to another.

Should I use IKEv2 or OpenVPN?

Performance: In many cases, IKEv2 is faster than OpenVPN since it is less CPU-intensive. There are, however, numerous variables that affect speed, so this may not apply in all use cases. From a performance standpoint with mobile users, IKEv2 may be the best option because it does well establishing a reconnection.

Is WireGuard more secure than IPSec?

WireGuard is a more modern, simpler VPN protocol than IPsec, as well as being more secure by default. As of 2021, most operating systems support WireGuard through a kernel-based implementation.

Which is better OpenVPN or PPTP?

PPTP has faster speeds and is easier to set up but offers a poorly secured connection. On the other hand, OpenVPN provides decent speeds and excellent security, plus it's great at circumventing geo-blocks and firewalls undetected.

Which VPN is most stable?

ExpressVPN received a CNET Editors' Choice Award for best overall VPN. We evaluate VPNs based on their overall performance in three main categories: speed, security and price. Express isn't the cheapest, but it's among the fastest and, so far, is the most secure. Surfshark is a close second among our picks.

What is the most secure VPN tunnel type?

OpenVPN is the most secure VPN protocol. It's compatible with a range of encryption ciphers including AES-256, Blowfish, and ChaCha20. It has no known vulnerabilities and is natively supported by almost every VPN service. While we recommend OpenVPN, WireGuard is a secure and faster alternative.

Is there anything more secure than a VPN?

Tor is better than a VPN for the following: Anonymously accessing the web – It's almost impossible to trace a Tor connection back to the original user. You can safely visit a website without leaving any identifying evidence behind, both on your device and on the website's server.

What are two benefits of using IKEv2 instead?

IKEv2 provides the following benefits over IKEv1:
  • In IKEv2 Tunnel endpoints exchange fewer messages to establish a tunnel. ...
  • IKEv2 has Built-in NAT-T functionality which improves compatibility between vendors.
  • IKEv2 supports EAP authentication.
  • IKEv2 has the Keep Alive option enabled as default.

Can WireGuard be hacked?

VPN services can be hacked, but it's extremely difficult to do so. Most premium VPNs use OpenVPN or WireGuard protocols in combination with AES or ChaCha encryption – a combination almost impossible to decrypt using brute force attacks.

What is WireGuard weakness?

WireGuard disadvantages: Privacy, weak on censorship

One major security concern is that -- if left to its default configuration -- WireGuard would store IP addresses on a server and not assign them dynamically. VPNs that offer WireGuard must therefore address that problem in their own software.

Why not WireGuard?

It is extensible that new cryptographic primitives can be added. WireGuard does not have that. That means WireGuard will break at some point, because one of the cryptographic primitives will weaken or entirely break at some point.

What is the best protocol for private internet access?

OpenVPN: The most secure protocol and is available on all devices.

Which is more secure IPSec or OpenVPN?

IPSec and OpenVPN are both viable VPN solutions. But OpenVPN is generally regarded as a more secure, more flexible option. As an “always on” site-to-site VPN solution, IPSec is ideal for securing your on-premises resources, but it can be more difficult to implement with devices in the field, particularly in IoT.

Does IKEv2 hide my IP?

IKEV2 VPN doesn't hide real IP from Windows client.

Is IKEv2 vulnerable?

IKEv2 has no known vulnerabilities on its own.

So, if your VPN provider configures IKEv2 properly, it will not have security issues.

What is the lifetime of IKEv2 VPN?

Many devices also allow the configuration of a kilobyte lifetime. This secondary lifetime will expire the tunnel when the specified amount of data is transferred. Cisco Meraki products, by default, use a lifetime of 8 hours (28800 seconds) for both IKE phase 1 and IKE phase 2.

What is better than OpenVPN?

WireGuard vs OpenVPN At A Glance

WireGuard is approximately twice as fast as OpenVPN. Neither protocol has any known security vulnerabilities, but WireGuard has a smaller attack surface with automatically updating code. In its default configuration, OpenVPN is a logless protocol.

Is IKEv2 more stable?

Security: IKEv2 is much more secure than IKEv1. IKEv2 uses leading encryption algorithms and high-end ciphers such as AES, Camellia, and ChaCha20. IKEv2 also uses encryption keys for both sides while IKEv1 doesn't, making it more secure.

Which is better WireGuard or IKEv2 Android?

Wireguard has better performance/throughput and uses less bandwidth than OpenVPN. IKEv2 is probably more secure (256-bit encryption through IPSec)... I'm sticking with the new kid on the block (Wireguard) as it works well on Android, Chromebooks and full blown OSes too.

Should I use WireGuard or OpenVPN?

Verdict: WireGuard has a smaller attack surface and uses modern encryption algorithms. On the other hand, OpenVPN offers greater freedom in terms of the encryption you can use and relies on slightly outdated technology. Regardless, both are highly secure protocols, and which one you choose depends on your preference.

When should I use IKEv2?

IKEv2 is better than most VPN protocols regarding performance and efficiency, especially on mobile devices. Other than robust security and fast speeds, IKEv2 uses fewer CPU resources (consumes less battery), and it is stable when switching between networks (re-establishes connections in a quick manner).

Is IKEv2 better?

IKEv2 is better than IKEv1. IKEv2 supports more features and is faster and more secure than IKEv1. IKEv2 uses leading encryption algorithms and high-end ciphers such as AES and ChaCha20, making it more secure than IKEv1. Its support for NAT-T and MOBIKE also makes it faster and more reliable than its predecessor.

What is the strongest VPN in the world for Android?

Top 5 best free VPNs for Android
  • NordVPN – overall best free VPN for Android.
  • Surfshark – free Android VPN for unlimited devices.
  • Atlas VPN – beginner-friendly Android VPN for free.
  • ExpressVPN – secure and fast free VPN.
  • CyberGhost – free VPN with a massive server fleet.
Article information

Author: Lidia Grady
