WireGuard vs OpenVPN vs IKEv2: VPN Protocols Explained

WireGuard — the modern default

WireGuard launched in 2019 and is now the default on NordVPN (NordLynx), Surfshark, Mullvad, ProtonVPN, and others. It's open-source with a codebase of ~4,000 lines — dramatically simpler than OpenVPN (~400,000 lines), which means fewer potential vulnerabilities and faster auditing.

• ◆Speed: The fastest VPN protocol — 5–10% overhead vs 20–30% for OpenVPN
• ◆Security: Uses modern cryptography (ChaCha20, Curve25519, BLAKE2) — not legacy algorithms
• ◆Battery: Lower CPU usage means less battery drain on mobile
• ◆Firewall bypass: Uses UDP, which can be blocked by some corporate firewalls
• ◆Logs concern: By design, WireGuard stores IPs until server restart — VPNs like Mullvad use rotating IPs to address this

OpenVPN — the battle-tested standard

OpenVPN has been the industry standard for 20 years. It's open-source, extremely flexible, and can run over both UDP (faster) and TCP (more reliable, better at bypassing firewalls). It's slower than WireGuard but has an unparalleled track record.

• ◆Speed: Slower than WireGuard — 20–30% speed overhead typical
• ◆Firewall bypass: TCP mode can masquerade as HTTPS traffic on port 443 — harder to block
• ◆Audit history: Extensively audited over decades — well-understood security profile
• ◆Battery: Higher CPU usage than WireGuard
• ◆Best for: Bypassing corporate firewalls, censorship-restricted networks

IKEv2/IPSec — best for mobile

IKEv2 (Internet Key Exchange v2) is built into iOS and macOS natively. It's fast and stable, with one key advantage: MOBIKE (Mobility and Multihoming Protocol) allows seamless reconnection when switching between WiFi and cellular without re-establishing the tunnel. This makes it the best choice for mobile data.

• ◆Speed: Fast — similar to WireGuard in practice
• ◆Reconnection: Seamlessly handles network switches (WiFi ↔ cellular)
• ◆Battery: Efficient — built-in OS support means lower overhead
• ◆Firewall bypass: Uses UDP 500/4500, which some firewalls block
• ◆Best for: Mobile users who frequently switch between WiFi and cellular

Proprietary protocols

Several VPNs have developed proprietary protocols optimized for their infrastructure:

• ◆NordLynx (NordVPN): WireGuard base with a double NAT system to address the IP logging concern. Fast and private.
• ◆Lightway (ExpressVPN): Proprietary protocol by ExpressVPN. Very fast, particularly good at reconnecting after drops. Open-source.
• ◆Catapult Hydra (Hotspot Shield): Optimized for speed. Proprietary — no independent audit of the protocol itself.
• ◆StealthVPN / OpenWeb (Astrill): Designed specifically to bypass deep packet inspection in China. Works when standard protocols fail.

Which protocol should you use?

• ◆Default everyday use: WireGuard (fastest, modern, well-audited)
• ◆Corporate or restricted networks: OpenVPN TCP (best firewall bypass)
• ◆Mobile (iOS/Android): WireGuard or IKEv2 (both handle network switches well)
• ◆China/censorship bypass: StealthVPN, Obfuscated OpenVPN, or Lightway (obfuscated)
• ◆Maximum compatibility: OpenVPN (supported everywhere)