VPN Protocols Explained: WireGuard vs OpenVPN vs IKEv2


When people choose a VPN, they usually compare providers — NordVPN vs Mullvad vs ProtonVPN. But the protocol running underneath matters at least as much as the brand. The protocol determines your connection speed, security properties, and how well the VPN handles network changes.

In 2026, three protocols dominate: WireGuard, OpenVPN, and IKEv2/IPsec. Each has distinct strengths and trade-offs. Here’s how they compare on the metrics that actually matter.

WireGuard

WireGuard is the newest of the three, designed from scratch by Jason Donenfeld and released as a stable protocol in 2020. It was built with a specific philosophy: simplicity reduces attack surface.

Codebase size: Approximately 4,000 lines of code. This is dramatically smaller than OpenVPN (~100,000 lines) or IPsec implementations (hundreds of thousands of lines). Smaller code is easier to audit, easier to verify, and statistically less likely to contain bugs.

Cryptography: WireGuard uses a fixed set of modern cryptographic primitives — Curve25519 for key exchange, ChaCha20 for symmetric encryption, Poly1305 for authentication, BLAKE2s for hashing, and SipHash24 for hashtable keys. There’s no cipher negotiation. You either use these specific algorithms or you don’t use WireGuard.

This is a deliberate design choice. Cipher negotiation in older protocols has been a source of downgrade attacks, where an attacker forces the connection to use a weaker cipher suite. WireGuard eliminates this entirely. The trade-off is that if any of its chosen algorithms are compromised, the entire protocol needs updating rather than just switching to a different cipher.

Performance: WireGuard is consistently the fastest protocol in benchmarks. Connection establishment is near-instant (compared to seconds for OpenVPN), and throughput is higher because the protocol is leaner and can operate within the Linux kernel rather than in userspace.

In practical testing, WireGuard typically achieves 400-600 Mbps on a modern connection, while OpenVPN struggles to exceed 200-300 Mbps on the same hardware. For gigabit connections, the difference is significant.

Privacy concern: WireGuard’s default design stores the client’s most recent IP address on the server for the duration of the session and briefly after. This conflicts with VPN providers’ no-logs claims. Most providers address this with wrapper implementations — NordVPN has NordLynx, Mullvad has their own implementation — that periodically delete this data. But the base protocol wasn’t designed with VPN provider anonymity in mind; it was designed as a general-purpose secure tunnel.

Roaming: WireGuard handles network changes well. Switching from WiFi to mobile data, or moving between access points, doesn’t interrupt the tunnel. The connection adapts silently.

OpenVPN

OpenVPN has been the default VPN protocol for nearly two decades. It’s mature, extensively audited, and supported by virtually every VPN provider and platform.

Codebase: Large and complex. OpenVPN’s ~100,000 lines of code have been audited multiple times, and serious vulnerabilities have been found and fixed over the years. The OpenSSL dependency adds significant additional code and attack surface. The size isn’t inherently bad — it reflects the protocol’s flexibility — but it means more places for bugs to hide.

Cryptography: OpenVPN supports multiple cipher suites and can negotiate which to use. The default in modern configurations is AES-256-GCM, which is strong. But misconfigurations are possible — an administrator could set up an OpenVPN server with weak ciphers, and clients would happily connect. Proper configuration matters.
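The weak-cipher misconfiguration described above is easy to catch with a config audit. The following script is an added example, not part of this article or of the OpenVPN project; the directive names are real OpenVPN options, while vpn.example.com and both sample configs are constructed for illustration (the hardened one also uses the TCP/443 setup recommended later in the article).

```python
# Constructed example: a checker for the weak OpenVPN settings the text warns about.
# Directive names are real OpenVPN options; the sample configs at the bottom are made up.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
WEAK_AUTH = {"MD5", "NONE"}

def parse_openvpn(text):
    """Return {directive: args} for an OpenVPN config, ignoring comments and blank lines."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            words = line.split()
            seen[words[0].lower()] = words[1:]
    return seen

def audit_openvpn(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = parse_openvpn(text)
    findings = []
    cipher = cfg.get("cipher", [""])[0].upper()               # legacy single-cipher directive
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher: {cipher} is weak, use an AEAD cipher")
    nego = cfg.get("data-ciphers") or cfg.get("ncp-ciphers")  # 2.5+ negotiation list
    if nego:
        bad = [c for c in nego[0].upper().split(":") if c not in AEAD_CIPHERS]
        if bad:
            findings.append(f"data-ciphers: non-AEAD entries {bad} can be negotiated")
    auth = cfg.get("auth", [""])[0].upper()
    if auth in WEAK_AUTH:
        findings.append(f"auth: {auth} HMAC is unacceptable")
    tls_min = cfg.get("tls-version-min")
    if not tls_min or float(tls_min[0]) < 1.2:
        findings.append("tls-version-min: not set to 1.2 or higher, old TLS versions allowed")
    comp = cfg.get("compress")
    if "comp-lzo" in cfg and cfg["comp-lzo"][:1] != ["no"]:
        findings.append("comp-lzo: compression of encrypted traffic enabled")
    elif comp and comp[0] not in ("stub", "stub-v2"):   # bare 'compress' only enables framing
        findings.append(f"compress: {comp[0]} compression of encrypted traffic enabled")
    if "client" in cfg and cfg.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls: client does not require a server certificate")
    return findings

# Constructed sample configs: the first repeats the mistakes the article describes.
WEAK_CLIENT_CONF = "client\ndev tun\nproto udp\nremote vpn.example.com 1194\ncipher BF-CBC\nauth MD5\ncomp-lzo\n"
HARDENED_CLIENT_CONF = ("client\ndev tun\nproto tcp\nremote vpn.example.com 443\n"
                        "remote-cert-tls server\ndata-ciphers AES-256-GCM:CHACHA20-POLY1305\n"
                        "auth SHA256\ntls-version-min 1.2\n")
```

Running `audit_openvpn(WEAK_CLIENT_CONF)` reports five findings, while the hardened config produces none.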

Performance: OpenVPN runs in userspace, which means data passes through more layers than WireGuard’s kernel implementation. This creates more overhead and lower throughput. On the same hardware, OpenVPN typically delivers 60-70% of WireGuard’s throughput. For most users on sub-500 Mbps connections, this isn’t noticeable. For gigabit connections, it can be a bottleneck.

Flexibility: This is OpenVPN’s major advantage. It can run over TCP or UDP, operate on any port (including port 443, which makes it look like HTTPS traffic to basic DPI systems), and be configured in countless ways. If you need to get a VPN connection through restrictive firewalls or censorship systems, OpenVPN’s flexibility is valuable.

Maturity: Twenty years of deployment means OpenVPN’s behaviour is well-understood. Its failure modes are documented, its edge cases are known, and the community of expertise around it is large. If something goes wrong, there’s almost certainly someone who’s seen and solved the same problem.

TCP mode: OpenVPN can operate over TCP, which provides reliable delivery at the cost of performance. This matters in highly lossy network environments or when you need to tunnel through networks that block UDP. Neither WireGuard nor IKEv2 has a native TCP mode.

IKEv2/IPsec

IKEv2 (Internet Key Exchange version 2) paired with IPsec is the corporate VPN protocol of choice and is natively supported by most operating systems. You don’t need to install additional software on iOS, macOS, Windows, or Android to use it.

Native support: The biggest practical advantage. No third-party app is needed on most platforms. For organisations deploying VPN access to company devices, this simplifies management significantly.

Cryptography: IKEv2/IPsec supports multiple cipher suites, similar to OpenVPN. Modern implementations default to strong options (AES-256-GCM, SHA-384, Diffie-Hellman Group 20). The IPsec specification is complex, and misconfiguration is possible, but major OS implementations use secure defaults.

Performance: Better than OpenVPN, somewhat slower than WireGuard. IKEv2/IPsec operates at the kernel level on most platforms, giving it a performance advantage over userspace OpenVPN.

MOBIKE: IKEv2 has a built-in mobility extension (MOBIKE) that handles network changes gracefully — moving between WiFi networks, switching between WiFi and cellular data. This has historically been IKEv2’s standout feature, though WireGuard handles roaming similarly well.

Complexity: The IPsec specification is notoriously complex. Different implementations can interpret the spec differently, leading to interoperability issues. Connecting an iOS device to a Linux strongSwan server might work differently than connecting to a Cisco router. This complexity has been a source of configuration errors and vulnerabilities over the years.

Port restrictions: IKEv2 uses UDP ports 500 and 4500. These are sometimes blocked by corporate firewalls or restrictive networks. Unlike OpenVPN, you can’t easily change the port to work around blocks.

Head-to-Head Comparison

| Feature                   | WireGuard | OpenVPN             | IKEv2/IPsec             |
|---------------------------|-----------|---------------------|-------------------------|
| Speed                     | Fastest   | Slowest             | Middle                  |
| Code simplicity           | Excellent | Poor                | Poor                    |
| Auditability              | Excellent | Good (well-audited) | Moderate (complex spec) |
| Firewall evasion          | Limited   | Excellent (TCP/443) | Limited                 |
| Native OS support         | Growing   | Minimal             | Excellent               |
| Roaming                   | Excellent | Poor                | Excellent               |
| Maturity                  | 6 years   | 20+ years           | 15+ years               |
| Configuration flexibility | Minimal   | Extensive           | Moderate                |

Which Should You Use?

For general privacy use: WireGuard. It’s the fastest, simplest, and most modern option. Most reputable VPN providers offer it, usually as their recommended protocol.

For bypassing censorship/firewalls: OpenVPN in TCP mode on port 443. Its ability to disguise itself as HTTPS traffic makes it the best option for restrictive network environments. If OpenVPN is blocked, look at protocols specifically designed for censorship circumvention like Shadowsocks or Tor bridges.

For corporate/enterprise VPN: IKEv2/IPsec. Native OS support simplifies deployment and management. Enterprises prioritise manageability, and IKEv2 delivers that without requiring users to install additional software.

For mobile devices: WireGuard or IKEv2. Both handle network changes well, maintaining the VPN connection as you move between networks. OpenVPN on mobile can be sluggish to reconnect after network changes.

The Protocol Matters Less Than the Provider

A final note: even the strongest protocol is useless if the VPN provider logs your traffic, has poor infrastructure security, or responds to legal requests by handing over data. The protocol secures the tunnel. The provider controls everything else.

Choose a provider with a clear, audited no-logs policy, transparent ownership, and a jurisdiction that provides meaningful privacy protections. Then use whatever protocol works best for your use case. The protocol is one piece of a much larger privacy puzzle.