Research guide and selector

Which VPN protocol should you use? 20 provider technologies compared

Start with the connection problem you need to solve. Then see what providers have made public about source code, assessments, rollout, platforms and difficult networks.

By Published July 13, 2026 Registry snapshot v0.1.0
Laptop and phone sending data through several distinct VPN tunnel routes to a server cluster, with research and evidence symbols below
A protocol changes how the tunnel is built and carried. It does not decide the quality of the whole VPN service.
Core records
20
Providers
18
Dedicated assessments
3
Full or partial source
6

Counts describe public evidence located for the dated snapshot. They are not security or whole-service verdicts.

VPN protocols compared at a glance

A VPN protocol is the set of rules used to establish and carry the protected connection between your device and a VPN endpoint. It affects the tunnel, but the app and service add other systems around it: authentication, server selection, DNS, address management, kill switches and account controls.

The automatic setting is usually a good first choice because the provider knows which protocol versions and server modes it currently supports. Pick one manually when you are trying to solve a specific connection problem.

Setting Good starting use What to know DoVPN guidance
Automatic or recommended Most everyday connections The app can choose among modes the provider currently supports. Use this first unless you are troubleshooting or testing.
WireGuard Everyday use, streaming, calls and mobile data Compact modern design and UDP transport. The provider still supplies identity, address and service layers around it. A strong manual default when it connects reliably.
OpenVPN UDP Compatibility with established clients and custom setups Highly configurable. OpenVPN documents UDP as its normal and more efficient transport. Use when WireGuard is unavailable or a setup needs OpenVPN.
OpenVPN TCP Networks where UDP cannot be used TCP can pass on networks that block UDP, but TCP inside TCP can perform poorly on loss or congestion. Treat it as a fallback, not an automatic speed choice.
IKEv2/IPsec Supported mobile and operating-system VPN clients MOBIKE can keep an IKEv2 tunnel active when the client address changes, such as a move between Wi-Fi and mobile data. Useful where the provider and device still support it well.
L2TP/IPsec Legacy compatibility only Older platform support does not make it a current first choice. Avoid for a new setup unless a required system leaves no alternative.
PPTP Obsolete legacy systems Modern platform guidance warns against relying on its security. Do not use it for a new VPN connection.

Which protocol is fastest?

There is no universal winner without testing the service on your connection. WireGuard's design makes it an appealing performance default, and OpenVPN says its TCP mode is usually less efficient than UDP. The result you get also depends on the VPN server, distance, congestion, device, operating system, packet size, provider changes and route to the destination.

Test with the same server and destination at similar times. Look at latency and stability as well as a headline download number. A protocol that is marginally slower but reconnects cleanly on your train journey may be the better mobile choice.

What should you use on a restricted network?

Plain WireGuard and standard VPN handshakes can be identified or blocked even though the traffic content remains encrypted. A provider's obfuscation mode may change packet shapes, wrap traffic in another transport or use a different tunnel. This can make simple blocking harder. It cannot guarantee access against every filtering system.

Start with the mode the provider currently documents for restrictive networks. Then keep a second tested method. Our guide to VPN and website blocking explains DNS, IP, TLS-name and protocol-level blocks in more detail.

Protocol evidence selector

Filter the provider options

Choose a situation, then add any platform or evidence requirements. The selector filters the 20 core registry records. It does not score them or decide which VPN service is best.

Start here

For everyday use, keep the app on its recommended modern setting or start with WireGuard. Change it only when you have a compatibility, blocking or battery-life problem to solve.

Provider-developed technologies

Showing 20 of 20 core records

AdGuard VPN

TrustTunnel

Tunnel protocol

An open HTTP/2- and HTTP/3-based tunneling protocol created from AdGuard VPN's in-house design and released for independent deployment.

Rollout
Generally available
Public source
Full public source
Public assessment
No public protocol audit located
Post-quantum status
None documented
Restricted networks Mobile efficiency Transport reliability
Platforms, transport and caveats

Platforms: Windows, Macos, Linux, Android, Ios, Server

Base: HTTP tunnel

Transport: HTTP/2 over TLS, HTTP/3 over QUIC

  • The public release date is not the date the underlying design first entered AdGuard VPN.
  • Transport resemblance is a design goal, not a guarantee of censorship resistance in every network.

Registry verification date: 2026-07-13

Amnezia VPN

AmneziaWG

Provider protocol variant

An open, self-hostable WireGuard variant that changes observable packet patterns to make simple protocol detection and blocking harder.

Rollout
Generally available
Public source
Full public source
Public assessment
Related public assessment
Post-quantum status
None documented
Restricted networks Censorship circumvention General performance
Platforms, transport and caveats

Platforms: Windows, Macos, Linux, Android, Ios, Router, Server

Base: WireGuard

Transport: UDP

  • Resistance to detection depends on configuration and censor capability.
  • The related application audit cannot be treated as validation of the protocol design.

Registry verification date: 2026-07-13

Astrill VPN

OpenWeb

Tunnel protocol

Astrill's closed web-oriented TCP tunnel, marketed for browsing and long-distance performance and documented as dating to 2009.

Rollout
Generally available
Public source
Closed
Public assessment
No public protocol audit located
Post-quantum status
None documented
Restricted networks Long-distance performance General performance
Platforms, transport and caveats

Platforms: Windows, Macos, Linux, Android, Ios, Router

Base: Proprietary web-oriented tunnel

Transport: TCP

  • Performance and censorship-resistance statements are provider claims.
  • The public description is too limited for independent protocol-level analysis.

Registry verification date: 2026-07-13

Astrill VPN

StealthVPN

Provider protocol variant

Astrill's closed OpenVPN-inspired variant with proprietary traffic obfuscation for restrictive or protocol-blocking networks.

Rollout
Generally available
Public source
Closed
Public assessment
No public protocol audit located
Post-quantum status
None documented
Restricted networks Censorship circumvention
Platforms, transport and caveats

Platforms: Windows, Macos, Linux, Android, Ios, Router

Base: OpenVPN-derived design

Transport: TCP, UDP

  • The precise relationship to OpenVPN cannot be independently confirmed from public code.
  • Anti-detection effectiveness is not established by a public dedicated audit.

Registry verification date: 2026-07-13

ExpressVPN

Lightway

Tunnel protocol

ExpressVPN's open VPN tunnel protocol, now implemented in Rust, with public client/server code, hybrid post-quantum deployment, and repeated dedicated audits.

Rollout
Generally available
Public source
Full public source
Public assessment
Dedicated public assessment
Post-quantum status
In production
General performance Mobile efficiency Transport reliability Post-quantum related
Platforms, transport and caveats

Platforms: Windows, Macos, Linux, Android, Ios, Router

Base: Lightway protocol, wolfSSL

Transport: UDP, TCP

  • Audit results apply to identified versions and scopes, not automatically to every later release.
  • Open core code does not make the commercial service's entire infrastructure open source.

Registry verification date: 2026-07-13

Gen Digital

Mimic

Tunnel protocol

A closed Gen Digital TLS-based tunnel shared by Norton, Avast, and AVG VPN products, designed to resemble web traffic and assessed publicly in 2025.

Rollout
Generally available
Public source
Closed
Public assessment
Dedicated public assessment
Post-quantum status
In production
Restricted networks Censorship circumvention Post-quantum related
Platforms, transport and caveats

Platforms: Windows, Macos, Android, Ios

Base: Proprietary TLS 1.3-based tunnel

Transport: TLS over TCP

  • The exact post-quantum construction and full design remain non-public.
  • Remediation statements for the assessed version do not establish that every legacy client or server was upgraded.

Registry verification date: 2026-07-13

Hotspot Shield

Hydra

Tunnel protocol

Hotspot Shield's closed proprietary tunnel, primarily marketed for connection speed, reliability, and long-distance performance.

Rollout
Generally available
Public source
Closed
Public assessment
No public protocol audit located
Post-quantum status
None documented
General performance Long-distance performance Transport reliability
Platforms, transport and caveats

Platforms: Windows, Macos, Android, Ios

Base: Proprietary tunnel

Transport: TCP, UDP

  • The detailed protocol design and current cryptographic construction are not publicly reviewable.
  • Broader company or service audits are not counted as a dedicated Hydra audit.

Registry verification date: 2026-07-13

Mullvad VPN

LWO

Obfuscation transport

Mullvad's lightweight WireGuard header and packet obfuscation mode for networks that recognize or interfere with ordinary WireGuard traffic.

Rollout
Generally available
Public source
Partial public source
Public assessment
No public protocol audit located
Post-quantum status
Not applicable
Restricted networks Censorship circumvention General performance
Platforms, transport and caveats

Platforms: Windows, Macos, Linux, Android, Ios

Base: WireGuard

Transport: UDP

  • LWO changes traffic appearance but does not create a new cryptographic VPN protocol.
  • No public dedicated third-party assessment was located.

Registry verification date: 2026-07-13

Mullvad VPN

QUIC obfuscation

Obfuscation transport

Mullvad's WireGuard-over-QUIC obfuscation transport, based on MASQUE CONNECT-UDP and typically carried over UDP port 443.

Rollout
Generally available
Public source
Partial public source
Public assessment
No public protocol audit located
Post-quantum status
Not applicable
Restricted networks Censorship circumvention Transport reliability
Platforms, transport and caveats

Platforms: Windows, Macos, Linux, Android, Ios

Base: WireGuard, MASQUE CONNECT-UDP (RFC 9298)

Transport: QUIC, UDP 443

  • The standardized MASQUE base does not make Mullvad's entire integration independently deployable.
  • It is an obfuscation transport rather than a replacement for WireGuard cryptography.

Registry verification date: 2026-07-13

NordVPN

NordLynx

Provider protocol variant

NordVPN's WireGuard-based tunnel with a proprietary double-NAT address-management layer and optional provider-described post-quantum protection.

Rollout
Generally available
Public source
Base protocol only
Public assessment
No public protocol audit located
Post-quantum status
Optional
General performance Address privacy Post-quantum related
Platforms, transport and caveats

Platforms: Windows, Macos, Linux, Android, Ios, Router

Base: WireGuard, NordVPN double NAT address-management layer

Transport: UDP

  • Only the WireGuard base is public; the differentiating double-NAT layer is not.
  • Post-quantum status records the provider's documented rollout, not an independent protocol assessment.

Registry verification date: 2026-07-13

NordVPN

NordWhisper

Tunnel protocol

NordVPN's closed web-like tunnel for restrictive networks, introduced in 2025 as an alternative when standard VPN transports are blocked.

Rollout
Generally available
Public source
Closed
Public assessment
No public protocol audit located
Post-quantum status
None documented
Restricted networks Censorship circumvention
Platforms, transport and caveats

Platforms: Windows, Linux, Android

Base: Proprietary web-tunnel design

Transport: Web-like transport

  • The public technical detail is insufficient for independent implementation or cryptographic review.
  • The encoded platform list is conservative and reflects explicitly sourced launch coverage.

Registry verification date: 2026-07-13

PrivateVPN

StealthVPN

Provider protocol stack

PrivateVPN's branded OpenVPN-over-Shadowsocks stack for evading straightforward VPN blocking, rather than a newly designed cryptographic protocol.

Rollout
Limited rollout
Public source
Base protocol only
Public assessment
No public protocol audit located
Post-quantum status
None documented
Restricted networks Censorship circumvention
Platforms, transport and caveats

Platforms: Windows

Base: OpenVPN, Shadowsocks

Transport: TCP

  • Only the Windows setup is encoded from the current source.
  • Open component projects do not make the provider's complete deployment fully open.

Registry verification date: 2026-07-13

Proton VPN

Stealth

Provider protocol variant

Proton VPN's WireGuard-over-obfuscated-TLS mode for restrictive networks, with public client code but no standalone public server or formal specification.

Rollout
Generally available
Public source
Partial public source
Public assessment
No public protocol audit located
Post-quantum status
None documented
Restricted networks Censorship circumvention
Platforms, transport and caveats

Platforms: Windows, Macos, Android, Ios

Base: WireGuard

Transport: TLS over TCP

  • The source-status classification is partial, not full.
  • No public dedicated protocol audit was found; application-level audits should be described separately.

Registry verification date: 2026-07-13

Surfshark

Dausos

Tunnel protocol

Surfshark's closed post-quantum-oriented tunnel protocol, launched as a limited macOS beta in 2026 with a public Cure53 management summary.

Rollout
Beta
Public source
Closed
Public assessment
Dedicated public assessment
Post-quantum status
In production
General performance Transport reliability Post-quantum related Restricted networks
Platforms, transport and caveats

Platforms: Macos

Base: Custom Dausos tunnel, TLS 1.3-derived handshake

Transport: HTTPS over TLS 1.3 control channel, UDP data channel

  • Beta status and platform coverage can change quickly.
  • The public audit document is only a management summary and omits detailed tickets and the exact severity distribution.
  • A formal public specification and threat model were not available at verification time.

Registry verification date: 2026-07-13

TunnelBear

GhostBear

Obfuscation transport

TunnelBear's closed traffic-obfuscation mode for restrictive networks, layered on the provider's tunnel and available only on selected app versions and platforms.

Rollout
Limited rollout
Public source
Closed
Public assessment
Related public assessment
Post-quantum status
Not applicable
Restricted networks Censorship circumvention
Platforms, transport and caveats

Platforms: Windows, Macos, Android

Base: TunnelBear VPN tunnel

Transport: Obfuscated provider transport

  • The 2024 Cure53 report is related evidence, not a dedicated GhostBear design audit.
  • Platform support is version-sensitive.
  • GhostBear is an obfuscation layer rather than a separate cryptographic tunnel.

Registry verification date: 2026-07-13

VPN Unlimited

KeepSolid Wise

Provider protocol variant

VPN Unlimited's closed OpenVPN variant with provider-specific traffic masking and TCP 443 operation for restrictive networks.

Rollout
Generally available
Public source
Base protocol only
Public assessment
No public protocol audit located
Post-quantum status
None documented
Restricted networks Censorship circumvention
Platforms, transport and caveats

Platforms: Unknown

Base: OpenVPN

Transport: TCP 443, UDP

  • The provider-specific layer is not open merely because OpenVPN is open.
  • Current platform coverage needs a stronger first-party platform matrix in a later review.

Registry verification date: 2026-07-13

VyprVPN

Chameleon

Provider protocol variant

VyprVPN's proprietary OpenVPN variant that scrambles recognizable packet metadata for use on networks that identify or block conventional VPN traffic.

Rollout
Generally available
Public source
Base protocol only
Public assessment
No public protocol audit located
Post-quantum status
None documented
Restricted networks Censorship circumvention
Platforms, transport and caveats

Platforms: Windows, Macos, Android, Ios, Router

Base: OpenVPN

Transport: TCP, UDP

  • Only the OpenVPN base is public.
  • Provider anti-censorship claims are not a substitute for a public dedicated assessment.

Registry verification date: 2026-07-13

Windscribe

Stealth

Provider protocol stack

Windscribe's OpenVPN-over-stunnel mode, using an extra TLS layer to make VPN traffic resemble ordinary encrypted web transport.

Rollout
Generally available
Public source
Base protocol only
Public assessment
No public protocol audit located
Post-quantum status
None documented
Restricted networks Censorship circumvention
Platforms, transport and caveats

Platforms: Windows, Macos, Linux, Android, Ios

Base: OpenVPN, stunnel

Transport: TLS over TCP

  • Open component projects do not make the full provider deployment fully open.
  • It is a composed transport stack rather than a new VPN cryptographic protocol.

Registry verification date: 2026-07-13

Windscribe

WStunnel

Provider protocol stack

Windscribe's OpenVPN-over-WebSocket mode for networks where ordinary VPN transports are blocked but web-style socket traffic remains usable.

Rollout
Generally available
Public source
Base protocol only
Public assessment
No public protocol audit located
Post-quantum status
None documented
Restricted networks Censorship circumvention
Platforms, transport and caveats

Platforms: Windows, Macos, Linux, Android, Ios

Base: OpenVPN, WebSocket tunnel

Transport: WebSocket, TCP

  • The support-article date is not treated as the original launch date.
  • WStunnel is a transport composition, not a separate VPN cryptographic protocol.

Registry verification date: 2026-07-13

X-VPN

Everest

Tunnel protocol

X-VPN's closed proprietary tunnel family, exposed through several automatically selected transport modes but documented only at a high level.

Rollout
Generally available
Public source
Closed
Public assessment
No public protocol audit located
Post-quantum status
None documented
Restricted networks General performance Transport reliability
Platforms, transport and caveats

Platforms: Unknown

Base: Proprietary Everest tunnel family

Transport: TCP, UDP, HTTP-like modes, TLS-like modes

  • The public documentation is sparse and many technical claims remain provider descriptions.
  • Current platform-specific mode coverage requires further first-party evidence.

Registry verification date: 2026-07-13

Why provider protocol names are hard to compare

A VPN app may list a full tunnel protocol beside a WireGuard variant and an obfuscation transport. Those names describe different technical layers, so they are not always direct substitutes.

Tunnel protocol

Defines the protected tunnel itself. Lightway and TrustTunnel are classified this way in the registry.

Provider variant

Changes or extends a base protocol. NordLynx and AmneziaWG are examples with WireGuard roots but different surrounding goals.

Obfuscation transport

Changes how another tunnel appears or travels. Mullvad QUIC obfuscation and TunnelBear GhostBear sit in this group.

Protocol stack

Combines several components under one provider label. Windscribe Stealth and WStunnel are classified as stacks in this snapshot.

The registry has 4 other records covering transport acceleration, traffic-analysis defenses, implementation and cryptographic extensions. We keep them in the source snapshot but leave them out of the 20-record comparison because they are not the same kind of consumer choice.

What the public evidence shows

The July 13, 2026 release of Steve Price's VPN Protocol Registry records 24 technologies across 18 provider organizations. The figures below use the 20 records classified as core and come directly from the JSON snapshot used to build this page.

VPN Protocol Registry v0.1.0

What the 20 core records document

Dedicated assessment 3 of 20
Full or partial source 6 of 20
Restricted-network relevance 17 of 20
Post-quantum related 4 of 20
Each bar uses its own definition. Its length shows the share of core records that match, not a safety score. The categories overlap, so do not add them together.

Dedicated public assessment: 3 of 20

Three core records have a published assessment dedicated to the protocol, and two more have a related public assessment. The other 15 are labelled "no public protocol audit located." That does not mean they were never reviewed. A private engagement, a provider-wide audit or a document outside the search would not meet the registry's rule for dedicated public evidence.

Full or partial public source: 6 of 20

Three core records are classified as full source and three as partial. Another six publish source only for the base protocol, while eight are closed in this snapshot. Public code is useful for inspection, but it does not prove that the production service runs the same revision or avoids operational mistakes.

Restricted-network purpose: 17 of 20

Restricted-network positioning is the most common purpose in the core records. Thirteen also include censorship circumvention. This helps explain why provider-specific names crop up so often when ordinary VPN traffic is blocked. A documented purpose does not prove reliable access on a particular ISP, campus or national network.

Post-quantum-related status: 4 of 20

Three records are marked as production and one as optional. They do not describe one kind of protection, so a single "quantum-safe" badge would be misleading. Check which part of the handshake is protected, whether the mechanism is optional and what evidence supports the claim. Classical cryptography and endpoint security still matter too.

How to use protocol evidence when buying a VPN

First decide whether you need a provider-specific protocol at all. A reliable modern default may be enough for browsing, streaming, calls and public Wi-Fi. Then compare the whole service: app quality, kill switch behavior, leak handling, account privacy, ownership, audit scope, server locations, plan length, renewal terms and support.

If a network regularly blocks your VPN, protocol choice moves higher on the list. Check that the relevant mode is available on the device you will carry. An interesting Windows-only or beta mode will not help on an iPhone trip.

Public implementation evidence

ExpressVPN Lightway

The snapshot classifies Lightway as full public source, with a dedicated public assessment. Its post-quantum status is in production.

Review ExpressVPN plan terms

Two different connection jobs

NordVPN NordLynx and NordWhisper

NordLynx is classified for general performance and address privacy. NordWhisper is a separate generally available record classified for restricted networks and censorship circumvention on its documented platforms.

Review NordVPN plan terms

Restricted-network option

Proton VPN Stealth

Stealth is classified as generally available with partial public source and documented restricted-network purposes. The snapshot did not locate a dedicated public Stealth protocol assessment.

Compare whole-service privacy

The cards show how to read three different records. They are not a complete shortlist. For a wider commercial comparison, use our VPN comparison. If you prefer to control the server, read the Amnezia VPN self-hosted guide. After changing a protocol, verify the connection with the IP leak test rather than assuming a connected icon proves the routing and DNS behavior you expect.

Methodology and limitations

This page imports the immutable JSON from the VPN Protocol Registry v0.1.0 release. During a manual data refresh, a script verifies the file's SHA-256 checksum. DoVPN builds from a normalized local snapshot and does not fetch GitHub in production. Steve Price created the original dataset and licensed it under CC BY 4.0.

The registry marks 20 provider-developed protocols, variants, stacks and obfuscation transports as core records. It keeps adjacent technologies separate. The headline counts use only the core records, and the selector starts with all 20 visible in the page.

Label What it means here What it does not mean
Full or partial source The registry located public source at the stated scope. Production parity, complete coverage or a security guarantee.
Dedicated public assessment A public assessment focused on that protocol or implementation. A no-logs audit or a verdict on the entire VPN service.
No public protocol audit located None meeting the registry rule was found by the verification date. Proof that no private or public review has ever happened.
Restricted-network purpose Sources document that design goal or use. A guarantee for a country, network or future filtering change.
Post-quantum related The status is production, optional or claimed in the registry. Equivalent mechanisms or complete post-quantum protection.

The registry is a public-evidence review, not a lab speed test or a live censorship monitor. Provider apps, documentation and deployments can change after the snapshot. The page gives each record's verification date and links to the exact release. Check those details before relying on an older entry.

Primary references for the standard protocol guidance

VPN protocol FAQ

Which VPN protocol should most people use?

Leave the VPN app on its recommended modern setting unless you have a reason to change it. If the app offers a straightforward choice, WireGuard or a well-supported WireGuard-based option is a sensible starting point for ordinary use. Test another option if your network blocks it or the connection is unreliable.

Is WireGuard always faster than OpenVPN?

No. WireGuard has a compact design and is often chosen for performance, but the result on your connection depends on the provider implementation, server load, distance, device, route, and OpenVPN configuration. A protocol name is not a benchmark result.

Is a proprietary VPN protocol less trustworthy?

Not automatically. A provider-developed protocol may have public source, a specification, and an independent assessment, or it may disclose very little. Judge the evidence that is actually available and remember that protocol transparency is only one part of evaluating the VPN service.

What should I try when a network blocks my VPN?

Try the provider mode specifically documented for restricted networks or obfuscation, then test a different server or transport if the app offers one. Keep a second connection method ready. No provider mode is guaranteed to work on every network or in every country.

Does a protocol audit prove that a VPN keeps no logs?

No. A protocol assessment can examine design or implementation details, while a no-logs audit examines different systems and operating controls. The registry audit label on this page is not a whole-service privacy verdict.

What does post-quantum mean in this comparison?

It means the registry recorded a production, optional, or claimed post-quantum-related mechanism for that record. The mechanism may protect one part of key establishment rather than every part of the VPN service, so records with the label are not necessarily equivalent.