VPN protocols compared at a glance
A VPN protocol is the set of rules used to establish and carry the protected connection between your device and a VPN endpoint. It affects the tunnel, but the app and service add other systems around it: authentication, server selection, DNS, address management, kill switches and account controls.
The automatic setting is usually a good first choice because the provider knows which protocol versions and server modes it currently supports. Pick one manually when you are trying to solve a specific connection problem.
| Setting | Good starting use | What to know | DoVPN guidance |
|---|---|---|---|
| Automatic or recommended | Most everyday connections | The app can choose among modes the provider currently supports. | Use this first unless you are troubleshooting or testing. |
| WireGuard | Everyday use, streaming, calls and mobile data | Compact modern design and UDP transport. The provider still supplies identity, address and service layers around it. | A strong manual default when it connects reliably. |
| OpenVPN UDP | Compatibility with established clients and custom setups | Highly configurable. OpenVPN documents UDP as its normal and more efficient transport. | Use when WireGuard is unavailable or a setup needs OpenVPN. |
| OpenVPN TCP | Networks where UDP cannot be used | TCP can pass on networks that block UDP, but TCP inside TCP can perform poorly on loss or congestion. | Treat it as a fallback, not an automatic speed choice. |
| IKEv2/IPsec | Supported mobile and operating-system VPN clients | MOBIKE can keep an IKEv2 tunnel active when the client address changes, such as a move between Wi-Fi and mobile data. | Useful where the provider and device still support it well. |
| L2TP/IPsec | Legacy compatibility only | Older platform support does not make it a current first choice. | Avoid for a new setup unless a required system leaves no alternative. |
| PPTP | Obsolete legacy systems | Modern platform guidance warns against relying on its security. | Do not use it for a new VPN connection. |
Which protocol is fastest?
There is no universal winner without testing the service on your connection. WireGuard's design makes it an appealing performance default, and OpenVPN says its TCP mode is usually less efficient than UDP. The result you get also depends on the VPN server, distance, congestion, device, operating system, packet size, provider changes and route to the destination.
Test with the same server and destination at similar times. Look at latency and stability as well as a headline download number. A protocol that is marginally slower but reconnects cleanly on your train journey may be the better mobile choice.
What should you use on a restricted network?
Plain WireGuard and standard VPN handshakes can be identified or blocked even though the traffic content remains encrypted. A provider's obfuscation mode may change packet shapes, wrap traffic in another transport or use a different tunnel. This can make simple blocking harder. It cannot guarantee access against every filtering system.
Start with the mode the provider currently documents for restrictive networks. Then keep a second tested method. Our guide to VPN and website blocking explains DNS, IP, TLS-name and protocol-level blocks in more detail.
Protocol evidence selector
Filter the provider options
Choose a situation, then add any platform or evidence requirements. The selector filters the 20 core registry records. It does not score them or decide which VPN service is best.
Start here
For everyday use, keep the app on its recommended modern setting or start with WireGuard. Change it only when you have a compatibility, blocking or battery-life problem to solve.
Provider-developed technologies
Showing 20 of 20 core records
AdGuard VPN
TrustTunnel
An open HTTP/2- and HTTP/3-based tunneling protocol created from AdGuard VPN's in-house design and released for independent deployment.
- Rollout
- Generally available
- Public source
- Full public source
- Public assessment
- No public protocol audit located
- Post-quantum status
- None documented
Platforms, transport and caveats
Platforms: Windows, Macos, Linux, Android, Ios, Server
Base: HTTP tunnel
Transport: HTTP/2 over TLS, HTTP/3 over QUIC
- The public release date is not the date the underlying design first entered AdGuard VPN.
- Transport resemblance is a design goal, not a guarantee of censorship resistance in every network.
Registry verification date: 2026-07-13
Amnezia VPN
AmneziaWG
An open, self-hostable WireGuard variant that changes observable packet patterns to make simple protocol detection and blocking harder.
- Rollout
- Generally available
- Public source
- Full public source
- Public assessment
- Related public assessment
- Post-quantum status
- None documented
Platforms, transport and caveats
Platforms: Windows, Macos, Linux, Android, Ios, Router, Server
Base: WireGuard
Transport: UDP
- Resistance to detection depends on configuration and censor capability.
- The related application audit cannot be treated as validation of the protocol design.
Registry verification date: 2026-07-13
Astrill VPN
OpenWeb
Astrill's closed web-oriented TCP tunnel, marketed for browsing and long-distance performance and documented as dating to 2009.
- Rollout
- Generally available
- Public source
- Closed
- Public assessment
- No public protocol audit located
- Post-quantum status
- None documented
Platforms, transport and caveats
Platforms: Windows, Macos, Linux, Android, Ios, Router
Base: Proprietary web-oriented tunnel
Transport: TCP
- Performance and censorship-resistance statements are provider claims.
- The public description is too limited for independent protocol-level analysis.
Registry verification date: 2026-07-13
Astrill VPN
StealthVPN
Astrill's closed OpenVPN-inspired variant with proprietary traffic obfuscation for restrictive or protocol-blocking networks.
- Rollout
- Generally available
- Public source
- Closed
- Public assessment
- No public protocol audit located
- Post-quantum status
- None documented
Platforms, transport and caveats
Platforms: Windows, Macos, Linux, Android, Ios, Router
Base: OpenVPN-derived design
Transport: TCP, UDP
- The precise relationship to OpenVPN cannot be independently confirmed from public code.
- Anti-detection effectiveness is not established by a public dedicated audit.
Registry verification date: 2026-07-13
ExpressVPN
Lightway
ExpressVPN's open VPN tunnel protocol, now implemented in Rust, with public client/server code, hybrid post-quantum deployment, and repeated dedicated audits.
- Rollout
- Generally available
- Public source
- Full public source
- Public assessment
- Dedicated public assessment
- Post-quantum status
- In production
Platforms, transport and caveats
Platforms: Windows, Macos, Linux, Android, Ios, Router
Base: Lightway protocol, wolfSSL
Transport: UDP, TCP
- Audit results apply to identified versions and scopes, not automatically to every later release.
- Open core code does not make the commercial service's entire infrastructure open source.
Registry verification date: 2026-07-13
Gen Digital
Mimic
A closed Gen Digital TLS-based tunnel shared by Norton, Avast, and AVG VPN products, designed to resemble web traffic and assessed publicly in 2025.
- Rollout
- Generally available
- Public source
- Closed
- Public assessment
- Dedicated public assessment
- Post-quantum status
- In production
Platforms, transport and caveats
Platforms: Windows, Macos, Android, Ios
Base: Proprietary TLS 1.3-based tunnel
Transport: TLS over TCP
- The exact post-quantum construction and full design remain non-public.
- Remediation statements for the assessed version do not establish that every legacy client or server was upgraded.
Registry verification date: 2026-07-13
Hotspot Shield
Hydra
Hotspot Shield's closed proprietary tunnel, primarily marketed for connection speed, reliability, and long-distance performance.
- Rollout
- Generally available
- Public source
- Closed
- Public assessment
- No public protocol audit located
- Post-quantum status
- None documented
Platforms, transport and caveats
Platforms: Windows, Macos, Android, Ios
Base: Proprietary tunnel
Transport: TCP, UDP
- The detailed protocol design and current cryptographic construction are not publicly reviewable.
- Broader company or service audits are not counted as a dedicated Hydra audit.
Registry verification date: 2026-07-13
Mullvad VPN
LWO
Mullvad's lightweight WireGuard header and packet obfuscation mode for networks that recognize or interfere with ordinary WireGuard traffic.
- Rollout
- Generally available
- Public source
- Partial public source
- Public assessment
- No public protocol audit located
- Post-quantum status
- Not applicable
Platforms, transport and caveats
Platforms: Windows, Macos, Linux, Android, Ios
Base: WireGuard
Transport: UDP
- LWO changes traffic appearance but does not create a new cryptographic VPN protocol.
- No public dedicated third-party assessment was located.
Registry verification date: 2026-07-13
Mullvad VPN
QUIC obfuscation
Mullvad's WireGuard-over-QUIC obfuscation transport, based on MASQUE CONNECT-UDP and typically carried over UDP port 443.
- Rollout
- Generally available
- Public source
- Partial public source
- Public assessment
- No public protocol audit located
- Post-quantum status
- Not applicable
Platforms, transport and caveats
Platforms: Windows, Macos, Linux, Android, Ios
Base: WireGuard, MASQUE CONNECT-UDP (RFC 9298)
Transport: QUIC, UDP 443
- The standardized MASQUE base does not make Mullvad's entire integration independently deployable.
- It is an obfuscation transport rather than a replacement for WireGuard cryptography.
Registry verification date: 2026-07-13
NordVPN
NordLynx
NordVPN's WireGuard-based tunnel with a proprietary double-NAT address-management layer and optional provider-described post-quantum protection.
- Rollout
- Generally available
- Public source
- Base protocol only
- Public assessment
- No public protocol audit located
- Post-quantum status
- Optional
Platforms, transport and caveats
Platforms: Windows, Macos, Linux, Android, Ios, Router
Base: WireGuard, NordVPN double NAT address-management layer
Transport: UDP
- Only the WireGuard base is public; the differentiating double-NAT layer is not.
- Post-quantum status records the provider's documented rollout, not an independent protocol assessment.
Registry verification date: 2026-07-13
NordVPN
NordWhisper
NordVPN's closed web-like tunnel for restrictive networks, introduced in 2025 as an alternative when standard VPN transports are blocked.
- Rollout
- Generally available
- Public source
- Closed
- Public assessment
- No public protocol audit located
- Post-quantum status
- None documented
Platforms, transport and caveats
Platforms: Windows, Linux, Android
Base: Proprietary web-tunnel design
Transport: Web-like transport
- The public technical detail is insufficient for independent implementation or cryptographic review.
- The encoded platform list is conservative and reflects explicitly sourced launch coverage.
Registry verification date: 2026-07-13
PrivateVPN
StealthVPN
PrivateVPN's branded OpenVPN-over-Shadowsocks stack for evading straightforward VPN blocking, rather than a newly designed cryptographic protocol.
- Rollout
- Limited rollout
- Public source
- Base protocol only
- Public assessment
- No public protocol audit located
- Post-quantum status
- None documented
Platforms, transport and caveats
Platforms: Windows
Base: OpenVPN, Shadowsocks
Transport: TCP
- Only the Windows setup is encoded from the current source.
- Open component projects do not make the provider's complete deployment fully open.
Registry verification date: 2026-07-13
Proton VPN
Stealth
Proton VPN's WireGuard-over-obfuscated-TLS mode for restrictive networks, with public client code but no standalone public server or formal specification.
- Rollout
- Generally available
- Public source
- Partial public source
- Public assessment
- No public protocol audit located
- Post-quantum status
- None documented
Platforms, transport and caveats
Platforms: Windows, Macos, Android, Ios
Base: WireGuard
Transport: TLS over TCP
- The source-status classification is partial, not full.
- No public dedicated protocol audit was found; application-level audits should be described separately.
Registry verification date: 2026-07-13
Surfshark
Dausos
Surfshark's closed post-quantum-oriented tunnel protocol, launched as a limited macOS beta in 2026 with a public Cure53 management summary.
- Rollout
- Beta
- Public source
- Closed
- Public assessment
- Dedicated public assessment
- Post-quantum status
- In production
Platforms, transport and caveats
Platforms: Macos
Base: Custom Dausos tunnel, TLS 1.3-derived handshake
Transport: HTTPS over TLS 1.3 control channel, UDP data channel
- Beta status and platform coverage can change quickly.
- The public audit document is only a management summary and omits detailed tickets and the exact severity distribution.
- A formal public specification and threat model were not available at verification time.
Registry verification date: 2026-07-13
TunnelBear
GhostBear
TunnelBear's closed traffic-obfuscation mode for restrictive networks, layered on the provider's tunnel and available only on selected app versions and platforms.
- Rollout
- Limited rollout
- Public source
- Closed
- Public assessment
- Related public assessment
- Post-quantum status
- Not applicable
Platforms, transport and caveats
Platforms: Windows, Macos, Android
Base: TunnelBear VPN tunnel
Transport: Obfuscated provider transport
- The 2024 Cure53 report is related evidence, not a dedicated GhostBear design audit.
- Platform support is version-sensitive.
- GhostBear is an obfuscation layer rather than a separate cryptographic tunnel.
Registry verification date: 2026-07-13
VPN Unlimited
KeepSolid Wise
VPN Unlimited's closed OpenVPN variant with provider-specific traffic masking and TCP 443 operation for restrictive networks.
- Rollout
- Generally available
- Public source
- Base protocol only
- Public assessment
- No public protocol audit located
- Post-quantum status
- None documented
Platforms, transport and caveats
Platforms: Unknown
Base: OpenVPN
Transport: TCP 443, UDP
- The provider-specific layer is not open merely because OpenVPN is open.
- Current platform coverage needs a stronger first-party platform matrix in a later review.
Registry verification date: 2026-07-13
VyprVPN
Chameleon
VyprVPN's proprietary OpenVPN variant that scrambles recognizable packet metadata for use on networks that identify or block conventional VPN traffic.
- Rollout
- Generally available
- Public source
- Base protocol only
- Public assessment
- No public protocol audit located
- Post-quantum status
- None documented
Platforms, transport and caveats
Platforms: Windows, Macos, Android, Ios, Router
Base: OpenVPN
Transport: TCP, UDP
- Only the OpenVPN base is public.
- Provider anti-censorship claims are not a substitute for a public dedicated assessment.
Registry verification date: 2026-07-13
Windscribe
Stealth
Windscribe's OpenVPN-over-stunnel mode, using an extra TLS layer to make VPN traffic resemble ordinary encrypted web transport.
- Rollout
- Generally available
- Public source
- Base protocol only
- Public assessment
- No public protocol audit located
- Post-quantum status
- None documented
Platforms, transport and caveats
Platforms: Windows, Macos, Linux, Android, Ios
Base: OpenVPN, stunnel
Transport: TLS over TCP
- Open component projects do not make the full provider deployment fully open.
- It is a composed transport stack rather than a new VPN cryptographic protocol.
Registry verification date: 2026-07-13
Windscribe
WStunnel
Windscribe's OpenVPN-over-WebSocket mode for networks where ordinary VPN transports are blocked but web-style socket traffic remains usable.
- Rollout
- Generally available
- Public source
- Base protocol only
- Public assessment
- No public protocol audit located
- Post-quantum status
- None documented
Platforms, transport and caveats
Platforms: Windows, Macos, Linux, Android, Ios
Base: OpenVPN, WebSocket tunnel
Transport: WebSocket, TCP
- The support-article date is not treated as the original launch date.
- WStunnel is a transport composition, not a separate VPN cryptographic protocol.
Registry verification date: 2026-07-13
X-VPN
Everest
X-VPN's closed proprietary tunnel family, exposed through several automatically selected transport modes but documented only at a high level.
- Rollout
- Generally available
- Public source
- Closed
- Public assessment
- No public protocol audit located
- Post-quantum status
- None documented
Platforms, transport and caveats
Platforms: Unknown
Base: Proprietary Everest tunnel family
Transport: TCP, UDP, HTTP-like modes, TLS-like modes
- The public documentation is sparse and many technical claims remain provider descriptions.
- Current platform-specific mode coverage requires further first-party evidence.
Registry verification date: 2026-07-13
Why provider protocol names are hard to compare
A VPN app may list a full tunnel protocol beside a WireGuard variant and an obfuscation transport. Those names describe different technical layers, so they are not always direct substitutes.
Tunnel protocol
Defines the protected tunnel itself. Lightway and TrustTunnel are classified this way in the registry.
Provider variant
Changes or extends a base protocol. NordLynx and AmneziaWG are examples with WireGuard roots but different surrounding goals.
Obfuscation transport
Changes how another tunnel appears or travels. Mullvad QUIC obfuscation and TunnelBear GhostBear sit in this group.
Protocol stack
Combines several components under one provider label. Windscribe Stealth and WStunnel are classified as stacks in this snapshot.
The registry has 4 other records covering transport acceleration, traffic-analysis defenses, implementation and cryptographic extensions. We keep them in the source snapshot but leave them out of the 20-record comparison because they are not the same kind of consumer choice.
What the public evidence shows
The July 13, 2026 release of Steve Price's VPN Protocol Registry records 24 technologies across 18 provider organizations. The figures below use the 20 records classified as core and come directly from the JSON snapshot used to build this page.
VPN Protocol Registry v0.1.0
What the 20 core records document
Dedicated public assessment: 3 of 20
Three core records have a published assessment dedicated to the protocol, and two more have a related public assessment. The other 15 are labelled "no public protocol audit located." That does not mean they were never reviewed. A private engagement, a provider-wide audit or a document outside the search would not meet the registry's rule for dedicated public evidence.
Full or partial public source: 6 of 20
Three core records are classified as full source and three as partial. Another six publish source only for the base protocol, while eight are closed in this snapshot. Public code is useful for inspection, but it does not prove that the production service runs the same revision or avoids operational mistakes.
Restricted-network purpose: 17 of 20
Restricted-network positioning is the most common purpose in the core records. Thirteen also include censorship circumvention. This helps explain why provider-specific names crop up so often when ordinary VPN traffic is blocked. A documented purpose does not prove reliable access on a particular ISP, campus or national network.
Post-quantum-related status: 4 of 20
Three records are marked as production and one as optional. They do not describe one kind of protection, so a single "quantum-safe" badge would be misleading. Check which part of the handshake is protected, whether the mechanism is optional and what evidence supports the claim. Classical cryptography and endpoint security still matter too.
How to use protocol evidence when buying a VPN
First decide whether you need a provider-specific protocol at all. A reliable modern default may be enough for browsing, streaming, calls and public Wi-Fi. Then compare the whole service: app quality, kill switch behavior, leak handling, account privacy, ownership, audit scope, server locations, plan length, renewal terms and support.
If a network regularly blocks your VPN, protocol choice moves higher on the list. Check that the relevant mode is available on the device you will carry. An interesting Windows-only or beta mode will not help on an iPhone trip.
Public implementation evidence
ExpressVPN Lightway
The snapshot classifies Lightway as full public source, with a dedicated public assessment. Its post-quantum status is in production.
Review ExpressVPN plan termsTwo different connection jobs
NordVPN NordLynx and NordWhisper
NordLynx is classified for general performance and address privacy. NordWhisper is a separate generally available record classified for restricted networks and censorship circumvention on its documented platforms.
Review NordVPN plan termsRestricted-network option
Proton VPN Stealth
Stealth is classified as generally available with partial public source and documented restricted-network purposes. The snapshot did not locate a dedicated public Stealth protocol assessment.
Compare whole-service privacyThe cards show how to read three different records. They are not a complete shortlist. For a wider commercial comparison, use our VPN comparison. If you prefer to control the server, read the Amnezia VPN self-hosted guide. After changing a protocol, verify the connection with the IP leak test rather than assuming a connected icon proves the routing and DNS behavior you expect.
Methodology and limitations
This page imports the immutable JSON from the VPN Protocol Registry v0.1.0 release. During a manual data refresh, a script verifies the file's SHA-256 checksum. DoVPN builds from a normalized local snapshot and does not fetch GitHub in production. Steve Price created the original dataset and licensed it under CC BY 4.0.
The registry marks 20 provider-developed protocols, variants, stacks and obfuscation transports as core records. It keeps adjacent technologies separate. The headline counts use only the core records, and the selector starts with all 20 visible in the page.
| Label | What it means here | What it does not mean |
|---|---|---|
| Full or partial source | The registry located public source at the stated scope. | Production parity, complete coverage or a security guarantee. |
| Dedicated public assessment | A public assessment focused on that protocol or implementation. | A no-logs audit or a verdict on the entire VPN service. |
| No public protocol audit located | None meeting the registry rule was found by the verification date. | Proof that no private or public review has ever happened. |
| Restricted-network purpose | Sources document that design goal or use. | A guarantee for a country, network or future filtering change. |
| Post-quantum related | The status is production, optional or claimed in the registry. | Equivalent mechanisms or complete post-quantum protection. |
The registry is a public-evidence review, not a lab speed test or a live censorship monitor. Provider apps, documentation and deployments can change after the snapshot. The page gives each record's verification date and links to the exact release. Check those details before relying on an older entry.
Primary references for the standard protocol guidance
- WireGuard protocol and cryptography documentation for its UDP transport and protocol design.
- OpenVPN 2.6 manual for TCP and UDP behavior. Version availability should be checked separately from these transport principles.
- RFC 7296 for IKEv2 and RFC 4555 for MOBIKE address changes.
- Microsoft's current VPN protocol guidance for its warning against new L2TP and PPTP use.
VPN protocol FAQ
Which VPN protocol should most people use?
Leave the VPN app on its recommended modern setting unless you have a reason to change it. If the app offers a straightforward choice, WireGuard or a well-supported WireGuard-based option is a sensible starting point for ordinary use. Test another option if your network blocks it or the connection is unreliable.
Is WireGuard always faster than OpenVPN?
No. WireGuard has a compact design and is often chosen for performance, but the result on your connection depends on the provider implementation, server load, distance, device, route, and OpenVPN configuration. A protocol name is not a benchmark result.
Is a proprietary VPN protocol less trustworthy?
Not automatically. A provider-developed protocol may have public source, a specification, and an independent assessment, or it may disclose very little. Judge the evidence that is actually available and remember that protocol transparency is only one part of evaluating the VPN service.
What should I try when a network blocks my VPN?
Try the provider mode specifically documented for restricted networks or obfuscation, then test a different server or transport if the app offers one. Keep a second connection method ready. No provider mode is guaranteed to work on every network or in every country.
Does a protocol audit prove that a VPN keeps no logs?
No. A protocol assessment can examine design or implementation details, while a no-logs audit examines different systems and operating controls. The registry audit label on this page is not a whole-service privacy verdict.
What does post-quantum mean in this comparison?
It means the registry recorded a production, optional, or claimed post-quantum-related mechanism for that record. The mechanism may protect one part of key establishment rather than every part of the VPN service, so records with the label are not necessarily equivalent.