Show Author >

VPN Encryption & Protocols: The Ultimate Guide

Many VPN providers pride themselves on having the best encryption and protocols. Sad to say, the majority of consumers don’t know what they are. The two are often considered to be unessential security features. In reality, they’re what makes up the heart of a VPN service.

In this VPN encryption and protocol guide, we’ll take a closer look at both technologies. How they work to keep you safe during browsing sessions shall be explained.

Furthermore, I’ll also discuss each protocol that’s available in today’s market. Hopefully, after reading this, you’ll have a greater understanding of this complex topic and better assess the security claims made by the many competing VPN services.

What is VPN Encryption?

VPN services must stop third parties from intercepting, analyzing, changing, or substituting the contents of your internet traffic. To do this, they use VPN encryption to obscure all the data and connection information that goes through your device and their web servers.

Individuals may employ lots of methods to hack into your communications. Because of that, it’s necessary for VPNs to utilize symmetric and public-key encryption.

How It Works

How encryption works isn’t as complicated as it seems. In fact, the whole process is quite simple. Here’s a rough breakdown of how the technology operates:

Once you run a VPN client and pair it to a server, your connection requests are encrypted before they are sent over. After being received by the server of your choosing, they get decrypted and relayed through the web.

They then bounce back to the VPN client’s server, which encrypts them once more before being sent back to your device. Finally, your VPN client decrypts everything so the secure data can be read on your end.

As you can see, it isn’t as hard as it seems. Still, there’s much more that we must discuss. To get a complete understanding of what VPN encryption is and how it works, it’s essential to talk more about the following:

  • VPN protocols
  • Encryption ciphers
  • Types of encryption
  • VPN handshakes
  • Hash authentication

VPN Protocols

VPN protocols are sets of digital instructions that VPN providers follow to create a secure connection between your computer and a VPN server. At their core, VPN protocols basically consist of a combination of transmission protocols and encryption standards. Their main job is to safeguard your data while it’s at rest and in transit.

The majority of VPN services support the following protocols:

  • OpenVPN (UDP & TCP)
  • IPSec (IKEv2 & L2TP)
  • PPTP
  • SSTP
  • WireGuard

Here are other protocols that fewer VPNs have support for:

  • SoftEther
  • Lightway
  • SSL & TLS
  • Catapult Hydra
  • SOCKS5

Every one of these protocols has its own set of pros and cons. All good VPN services allow their users to pick which protocols they wish to use when linking up to a server. With all that being said, below is a table comparing each commonly used VPN protocol:

VPN Protocol Speed Connection Stability Maximum Encryption Strength Censorship Bypassing Capabilities
OpenVPN UDP Fast Stable 256-Bit Good
OpenVPN TCP Moderate Very Stable 256-Bit Good
IPSec L2TP Moderate Stable 256-Bit Moderate
IPSec IKEv2 Very Fast Very Stable 256-Bit Bad
PPTP Very Fast Very Stable 128-Bit Bad
SSTP Fast Very Stable 256-Bit Good
WireGuard Very Fast Very Stable ChaCha20 (256-Bit) Moderate

Let’s now go into the specifics. We’ll first examine the two OpenVPN protocols as they’re the most popular. After that, we are going to move on to the rest.

1. OpenVPN

OpenVPN is the VPN industry’s standard protocol. The reason why is because it offers superb levels of safety and security. As its name implies, it’s open-source, meaning that users can check its source code for weaknesses. They may also use it for many kinds of purposes.

Although no platform natively supports OpenVPN, its highly-configurable nature has allowed most VPN services to offer it on their apps. These apps can usually be downloaded on WindowsmacOSAndroidLinux, and iOS.

There are two versions of OpenVPN. While the differences between them are negligible, it’s still a must to be aware of them. After all, each has its pros and downsides that can make or break them with some users.

  • OpenVPN TCP

Data is sent through the internet in small chunks called packets. Transmission Control Protocol (TCP) was designed to ensure packets get delivered to the OpenVPN client exactly like how they were sent from the OpenVPN server.

TCP does this by:

  1. Delaying packet delivery to the OpenVPN client until it has received all the expected packets.
  1. Puts out-of-order packets into their proper place.
  1. Re-requesting and waiting for any packets that might have been lost in transmission.

In summary, OpenVPN TCP is an excellent option for those looking to establish a more reliable connection. It’s also perfect for individuals that wish to work around internet censorship measures taken up by countries like the UAETurkeyChina, and Belarus.

  • OpenVPN UDP

Unlike its counterpart, OpenVPN User Datagram Protocol (UDP) puts an emphasis on efficient data delivery. It sends smaller data packets and transmits them without requiring confirmation of arrival. As such, it’s faster but not as reliable and secure as TCP.


Point-to-Point Tunneling Protocol (PPTP) is the oldest VPN protocol. It was developed by a Microsoft employee and released in 1996. To this day, it still retains popularity despite the inception of newer protocols that are more robust. Here are the reasons why:

  1. Many protocols aren’t as fast as PPTP.
  1. PPTP is not hard to set up.
  1. Almost all platforms natively support PPTP.

The excellent speed capabilities of PPTP are due to its utilization of 128-bit encryption keys. In comparison, most other protocols like OpenVPN and SSTP are slower because they employ 256-bit encryption, which is more secure.

Since PPTP trades off speed for security, its users are left in a seriously vulnerable position. An experienced attacker can easily compromise a PPTP-encrypted connection in just a few minutes. Hence, it’s far from the best option for those who prioritize security.

Another drawback is that censorship systems can block it without much difficulty. Why? Because it makes use of TCP port 1723 and relies on the GRE protocol, which may both easily get firewalled.

You shouldn’t use PPTP unless it’s absolutely necessary. The obsolete protocol’s inferior ability to provide security and privacy makes it defeat the purpose of having a VPN. If anything, it’s only suitable for people who are handling non-sensitive data that want to have the fastest connection speeds.

3. L2TP/IPsec

Layer 2 Tunnelling Protocol (LT2P) was released back in 1999 as a successor of some sort to PPTP. It was jointly developed by Microsoft and Cisco using their PPTP and L2F protocols as a base. Thus, it should not come as a surprise that it boasts the best features as its predecessors and greatly improves upon them.

On its own, LT2P doesn’t have encryption. As such, it’s often combined with Internet Protocol Security (IPSec), which is a set of security protocols that work together to authenticate and encrypt data between your device and a VPN server.

When you connect to a VPN server using LT2P, IPSec establishes a secure control channel between the VPN client and the VPN server, usually using the AES cipher.

Data packets from your browser are encapsulated by LT2P. IPSec encrypts this data then relays it to your VPN provider’s server that decapsulates and decrypts the data. While this double decapsulation process makes LT2P/IPSec very secure, it also slows it down drastically.

A great thing about L2TP is that it’s not hard to configure. Furthermore, it’s built into most major platforms, meaning many VPNs offer support for it.


SSTP or Secure Socket Tunneling Protocol is a Microsoft-owned proprietary protocol. It’s based on the SSL 3.0 encryption standard. Due to that, much like OpenVPN, it can use TCP port 443 – a port that’s seldom blocked by censorship system firewalls.

Because it’s proprietary, SSTP isn’t open-source. For that reason, users cannot check its source code for weaknesses and change it for the better. The best they can do is report any seen vulnerabilities to Microsoft and hope the company does something about it.

We think that SSTP’s integration with Microsoft gives it a significant disadvantage. It doesn’t work on other operating systems besides Windows, and its being closed-source makes it more prone to security breaches. In addition, there have already been incidents where Microsoft has given away encrypted messages to the NSA upon request.

5. SoftEther

The origin of SoftEther is quite fascinating. It was developed as part of a master’s thesis at the University of Tsukuba in Japan. Like OpenVPN, it’s open-source, giving users the freedom to analyze its source code to scan for any weaknesses.

Released in 2014, SorftEther is one of the newest VPN protocols in the industry.

As a result, few service providers have support for it. Nevertheless, this soon might change as the protocol has a reputation for having good speed capabilities without compromising security. Besides that, it’s also optimized for working around censorship measures.

SoftEther supports robust encryptions ciphers like AES-256 and RSA-4096. However, it bases its encryption and authentication protocols on OpenSSL, allowing the traffic it relays to be almost identical to HTTPS traffic.

In 2018, Guido Vranken performed an 80-hour security audit on SoftEther and found 11 security issues. A patch was subsequently released by the protocol’s developers to address this. Sadly, experts at Aalto University discovered afterward that SoftEther was susceptible to man-in-the-middle attacks.

All in all, our team believes that SoftEther is a decent VPN protocol. It’s blazingly fast, good at bypassing censorship, and is getting more secure thanks to the continuous release of updates.

6. IKEv2/IPsec

Internet Key Exchange version 2 (IKEv2) is another VPN protocol that was jointly developed by Microsoft and Cisco.

It’s closed-source and natively supported by Windows (versions 7 or later), BlackBerry, and iOS. Some third parties have developed an open-source version for Linux OS. What’s nice about this version is that it is more trustworthy than the protocol’s original rendition since it’s open-source.

Much like LT2P, IKEv2 is typically combined with IPSec because it doesn’t have encryption on its own. But, unlike its counterpart, IKEv2/IPSec offers greater performance and better functionality due to the following reasons:

  • It is much faster as it’s programmed to use bandwidth more efficiently.
  • A lot more encryption ciphers are supported, including AES, Camellia, and Blowfish.
  • Changing networks is done seamlessly because of something called the MOBIKE Protocol.

With all of its advantages over LT2P, it seems like IKEv2 is way superior. However, you should know that it does not allow you to bypass most censorship systems. Why? Because the VPN protocol employs specified ports that can easily be detected and blocked.

  • MOBIKE Protocol

MOBIKE is basically an extension of the IPSec/IKEv2 protocol. It allows VPN services to alter internet addresses without re-establishing SAs with a server. Moreover, it also lets VPN clients and servers choose a particular reachable address when more than one is available.

7. WireGuard

The newest VPN protocol that’s available is WireGuard. It is open-source and is actually still being developed. Experts involved in creating the protocol aim for it to be faster and more secure than any competitor. Hence, many claim that WireGuard is the future of VPN protocols.

WireGuard seeks to address the problems that are commonly associated with OpenVPN and IPSec. Prime examples include frequent disconnections, long re-connection times, and complicated setup procedures.

For encryption, WireGuard utilizes the ChaCha20 cipher, which uses a 256-bit key. Although this encryption hasn’t been adopted by many VPNs, many say it’s more than capable of challenging AES. It is three times faster and has shown to be equally as secure.

Who Supports WireGuard?

NordVPN has announced the release of a new custom protocol called NordLynx, which is to be made available on all the platforms the VPN works on. This exclusive protocol is 100% based around WireGuard. Setting this version of WireGuard apart is it’s being combined with NordVPN’s proprietary double NAT (Network Address Translation) system.

Besides NordVPN, many more services are starting to support WireGuard. Below is a list of most of them:

Among these VPN service providers, only PIA and VyprVPN make it into our top 10 list. Still, this might change as the industry changes, and more VPNs begin to support WireGuard in one form or another.

8. SSL and TLS

SSL is an abbreviation that stands for Secure Sockets Layer. It’s the gold standard technology for securing internet connections and protecting data sent between two systems, mainly computers and servers.

Thanks to it, criminals and other third parties are prevented from reading and altering any info that’s transferred through the internet. It does this by ensuring that any data being transferred remains impossible to read. The technology makes use of encryption algorithms to scramble data that’s in transit.

Meanwhile, TLS (Transport Layer Security) is simply an improved version of SSL. It came about in 1999 and was standardized by the Internet Engineering Task Force (IETF).

The differences between SSL and TLS aren’t dramatic. As such, the two shouldn't be compared with each other. In fact, they form a continuously updated series of protocols that are known as SSL/TLS.

9. Other VPN Protocols

Apart from everything that’s mentioned, there are other VPN protocols that you should be aware of. Each of them isn’t as well-known or common as the protocols we talked about. Still, they play a vital role in the VPN industry.

  • Lightway

Lightway is ExpressVPN’s new proprietary protocol that’s based on WolfSSL instead of the more famous WireGuard. Despite that, it has been reported to offer the same benefits.

ExpressVPN has stated that it’s extremely fast, very secure, and is capable of connecting and reconnecting without delays. That said, the protocol still has much to prove because it is very new and hasn’t been tested by most experts.

  • SOCKS5

SOCKS5 is the latest version of the SOCKS internet protocol. It routes data packets between a client and a server using a proxy server. The technology utilizes proxy servers to form UDP or TCP connections through arbitrarily created IP addresses.

Here are some reasons why people use SOCKS5 proxy servers:

  • To work around internet blocks
  • Zero traffic, program, and protocol restrictions
  • Fast and more reliable connections
  • Fewer errors and greater performance
  • Superb operation on P2P platforms

The main thing that sets VPNs apart from proxies is that VPNs encrypt your traffic, whereas proxies don’t. Moreover, VPNs also provide more stable connections. As such, it’s better to use your VPN alongside SOCKS5 to double down on security.

  • Catapult Hydra

Catapult Hydra is another proprietary VPN protocol used by HotSpot Shield and other services owned by the Pango Group.

It delivers fast speeds and is more than capable of providing data leak protection. Sad to say, it’s closed-source, making it lack transparency. For that reason, we don’t recommend that you use it. You’ll be better off with other VPN protocols like WireGuard and OpenVPN.

VPN Encryption Ciphers

A cipher refers to the algorithm used for securing data on control and data channels. In most situations, ciphers are talked about alongside key lengths. While a protocol lays the foundation for a proper encryption tunnel to be established, ciphers are what actually encrypts all your data.

The most widely used ciphers by VPN providers are AES, Blowfish, and Camellia. However, a lot more are used. Let’s get into the details of each one:

1. Advanced Encryption Standard (AES)

AES stands for Advanced Encryption Standard. It’s sometimes called the Rijndael algorithm and is considered the best cipher available as it is very safe to utilize. The majority of experts refer to it as the standard when it comes to online encryption protocols. Hence, it should come as no surprise that it's the most popular cipher in the VPN industry.

Its origins can be traced back to 2001 when it was first established by the US National Institute of Standards and Technology (NIST).

You can find AES available in 128 or 256-bit key lengths. But, most VPNs use the latter version because it’s more secure. As a matter of fact, it’s so secure that many military and intelligence agencies worldwide use it to safeguard their data. This is why VPN providers often refer to AES-256 as “military-grade”.

2. Blowfish

Blowfish is a cipher that first came into existence in 1993. It was developed by the renowned cryptographer Bruce Schneier in the USA. The cipher was once the default cipher used in OpenVPN. However, it has since been replaced by the better AES-256 cipher.

You can usually encounter Blowfish used with a 128-bit key length. But, this can range from a mere 32 bits to a whopping 448 bits.

As with almost all ciphers, Blowfish has its own set of weaknesses. The most well-known one is its vulnerability to a cryptographic attack called Birthday Attack. With that said, we recommend that you only use the cipher as a backup to AES-256.

3. Twofish

Like Blowfish, Twofish was developed by Bruce Schneier. It’s loosely related to Blowfish, which isn’t astonishing given that both ciphers were created by the same person. It is fascinating that many people actually predicted that it would become the industry standard for encryption. Sad to say, it was beaten out by AES.

Twofish is distinct from other ciphers as it uses pre-computed, key-dependent S-boxes to alter how the key relates to the ciphertext. In the world of encryption ciphers, it’s the only one that does this, allowing it to stand out.

Studies have proven that Twofish is very secure. The reason why it was outshined by AES is that it’s rather sluggish. Still, you can find a handful of services that use Twofish because it’s reliable and can keep users safe.

4. Camellia

Camellia is a cipher that’s very comparable to AES when it comes to security and speed.

Many experts consider it safe despite utilizing a smaller key length option (128 bits). Many say that it cannot be affected by modern brute-force attacks. So far, no incident of it being compromised by a successful attack has ever been reported.

The number one reason why AES is more popular than Camellia is that it has yet to be certified by NIST, the same organization that developed AES.

Although many advocate for Camellia’s widespread implementation since it isn’t associated with the US government, few VPN providers have made it available. Due to that, the cipher has yet to be thoroughly tested and universally trusted.

5. Triple Data Encryption Standard (3DES)

Triple Data Encryption Standard (3DES) is an encryption standard derived from the original Data Encryption Standard. It was very prominent in the late 90s but has lost much popularity because of the introduction of more secure ciphers.

Recently, an announcement was made that 3DES will be retired by 2023. Despite that, some VPN providers still use it since it’s one of the most published and researched ciphers.

We suggest that you stay away from 3DES even when it’s available. It is obsolete, and there are better options available. Even if it has a good security record, you’ll be better off using a cipher that’s up-to-date and future-proof.

6. Microsoft Point-to-Point Encryption (MPPE)

As its name implies, Microsoft Point-to-Point Encryption (MPPE) is a method of encrypting data that was invented by Microsoft.

It uses an RSA algorithm for encryption and has support for 40 and 129-bit keys. These keys are regularly changed for much-increased security. Unlike other encryption standards, MPPE doesn’t expand or compress data. For that reason, it’s often used in conjunction with MPPC (Microsoft-Point-to-Point Compression).

7. Perfect Forward Secrecy

Perfect Forward Secrecy or just Forward Secrecy is a specific agreement protocol feature that assures that your session keys won’t be compromised even when the private key becomes compromised.

It works by generating an arbitrary session key for every session that you initiate. The only two ways to decrypt Perfect Forward Secrecy Sessions are to an agent on a VPN’s server or to route traffic through two TLS inspection devices. To put it simply, it’s very secure and is breachable only by the most experienced and highly-funded attackers.

I know that any conversation about VPN encryption ciphers can get really complicated in a matter of seconds.

However, our team hopes that you’ve learned the basics of what they are along with what you should use. After all, each cipher is different and has its own sets of advantages and disadvantages.

Types of Encryption

So far, we’ve tackled what VPN encryption is, the various protocols, and ciphers. Let us now dwell into one of the most important topics and discuss what are the types of encryption that VPN providers use:

1. Symmetric Encryption

Symmetric encryption (also known as symmetric-key encryption) is an encryption wherein only one key is used to encrypt and decrypt data. With it, your device and the VPN server need the same exact key to communicate. Common examples of symmetric-key ciphers include Camellia, AES, and Blowfish.

What’s nice about this type of encryption is that it’s fast. It requires the generation of just a single key, making the process mathematically simpler.

2. Asymmetric Encryption (Public-key)

Unlike its counterpart, asymmetric encryption (or public-key cryptography) creates both a public key and a matching private key to encrypt and decrypt data. This type of encryption is most often used by journalists or government dissidents that publish their public key online so sources may relay them secure messages.

The main advantage of employing asymmetric encryption is the security level that it provides its users. Compared to symmetric encryption, it’s way better for individuals who wish to bypass censorship or prevent others from detecting they’re using a VPN provider.

The Lowdown

VPN encryption combines symmetric and asymmetric encryptions. It makes use of asymmetric encryption to establish a secure VPN client-server connection where symmetric keys can be exchanged without problems.

VPN Handshake

In addition to protocols and ciphers, VPNs also use a technology called VPN handshake to secure and verify your VPN connection.

A handshake refers to the initial connection between two digital devices. It’s basically a greeting where both computers establish rules for communication and authenticate one another.

When a VPN handshake secures a given connection and makes a VPN tunnel. When it takes place, asymmetric encryption gets used. Once the connection is finally secured, a symmetric key is produced, shared, and used for the rest of the session.

Even if this process creates decent encryption, every session can still be decrypted with the private key used in a handshake.

If this “master key” gets compromised in any way, an attacker could use it to decrypt all the secure sessions on a given VPN server. It would then be possible for them to access the symmetric key and breach all the data going through a VPN tunnel.

For that reason, we highly recommend that you select a VPN provider that makes use of Perfect Forward Secrecy. Doing so would provide you with a larger assurance that your data shall remain safe from malicious third parties.

1. RSA

Most VPN handshakes utilize the RSA (Rivest-Shamir-Adleman) algorithm. This algorithm has formed the backbone of internet security since the early 2000s.

There are many renditions of RSA that a VPN provider can use. Examples include RSA-1024, RSA-2048, and RSA-4096. Among these, only 2048 and 4096 have maintained their popularity as 1024 is regarded as a security risk. While there’s no evidence proving that it’s been cracked, many say that it soon will, given the processing power of modern CPUs.

2. Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH)

Diffie-Hellman (DH) and its variant, Elliptic Curve Diffie-Hellman (ECDH), allow a device and server to form a secret key over an unstable channel. Though the two are some of the first public-key protocols, they’re still widely used to secure a large array of internet services.

Sadly, researchers discovered that DH and ECDH key exchange protocols are less secure than most people believed. Both theoretically couldn’t prevent themselves from being breached during well-funded attacks.

Hash Authentication

Hash authentication or HMAC (Hash-Based Message Authorization Code) is a message authentication code (MAC) that VPNs use to check the integrity and authentication of a message to make sure it hasn’t been altered by third parties.

It works by changing source data using something called a hash function. The original source message is relayed through an algorithm that scrambles it into a fixed-length string of characters that makes it look completely different.

Note that hash authentication is a one-way process. Once a message is edited, it’s impossible to de-hash it to know the original message.

To put it simply, hash authentication is useful for VPNs as it prevents man-in-the-middle attacks since it detects the tampering of a message. In its absence, an attacker could impersonate a legitimate VPN server then fool you into connecting to a fake one. There, all your internet activities could be tracked and recorded.

What's the Most Ideal VPN Encryption?

Our team believes that OpenVPN TCP alongside AES-256 cipher is the best and safest protocol that you can use. The open-source nature of OpenVPN TCP has enabled it to be compatible with many platforms. It has also allowed the general public to test it for any weaknesses. Moreover, the protocol perfectly balances security and privacy.

Another protocol that you should consider using is WireGuard. While it’s relatively new, it has the potential to take OpenVPN’s place as the #1 most popular VPN protocol in the industry.

Research has proven that WireGuard is safe, fast, and secure. However, only time will tell if it lives up to the hype. As the number of VPNs that adapt increases, more and more reports regarding its performance shall come about.

When it comes to mobile devices, we think that your best bet would be IPSec/IKEv2. The protocol handles network changes really well since it can connect and reconnect you with blazingly fast speeds and absolute ease. Still, it’s not the best option if you’re in a foreign country like China where censorship systems can detect and block it.

For maximum security, it’s best to make sure your VPN encryption:

  • Employs SHA-2 hash authentication
  • Makes use of Perfect Forward Secrecy
  • Utilizes dependable key exchange protocols like RSA-4096 or ECDH

To finish things up, our team really wishes that you were able to learn everything you need to know about VPN encryption and protocols. I personally hope that it will finally be possible for you to pick out the right VPN. After all, doing so nowadays isn’t an easy task because of the many competing services on the market that all seem very similar.

By: Erwin Caniba
Eric is the co-founder of VPNOnline. He has been an avid user of VPNs since 2012. He has tested all of the major VPN providers and shares his findings on this website. Follow Eric on Facebook.