If you’ve ever checked the settings on your ExpressVPN app, you’ll have seen a tab that lets you choose a protocol.
Protocols are methods by which your device connects to ExpressVPN’s secure servers. Find out how protocols differ and how to choose the best protocol for you.
Let’s start with the basics. VPN stands for virtual private network, which is a secure tunnel between two or more devices. When you use a VPN, you are connected to the internet through an intermediary server run by the VPN provider (e.g., ExpressVPN).
The security of your connection is dictated by the VPN protocol, a set of instructions that defines how your device communicates with the VPN server.
VPN protocols work in various ways, but they usually perform two basic functions: authentication and encryption. Authentication ensures your device is communicating with a trusted VPN server, and encryption makes the communication itself unreadable to outsiders.
Different encryption standards and authentication methods result in differing levels of speed and security for VPN users. VPN protocols also have differing rules on how to handle potential errors, which affects stability and reliability.
There are at least seven common types of VPN protocols. Understand the differences and get to know our recommendations.
Built from the ground up by ExpressVPN, Lightway is created for the modern world, forgoing features that are no longer needed from a VPN and implementing those that provide a smooth, secure experience. Establishing a VPN connection takes only a fraction of a second, depending on your network, and you’ll stay connected to the VPN even when your device switches networks. Designed to be light on its feet, Lightway gets you connected quickly and securely while using less battery.
When it comes to security, Lightway uses wolfSSL, whose well-established cryptography library has been extensively vetted by third parties, including against the FIPS 140-2 standard. Lightway also includes post-quantum protection by default, shielding you against attackers with access to both classical and quantum computers. We’ve published the source code of Lightway on GitHub under an open-source license, ensuring transparency to our users.
In addition to running on the UDP protocol, Lightway also supports TCP, which can be slower than UDP but connects better on certain networks. This allows Lightway to be used in a wide range of scenarios.
Verdict: Always try Lightway first
A significant step up from pioneering but outdated protocols like PPTP and SSTP, the Layer 2 Tunneling Protocol (L2TP) delivers better security at the cost of reduced speed. L2TP is commonly paired with the IPsec protocol to deliver AES-256 encryption, with the combination of the two referred to as L2TP/IPsec.
IPsec stands for Internet Protocol Security, a flexible VPN protocol that authenticates and encrypts each individual IP packet. It is often combined with protocols like L2TP that do not offer encryption by themselves.
L2TP/IPsec is more suited for anonymization than for security, as there are other protocols, such as OpenVPN, offering even stronger levels of security.
Verdict: Nice to have
OpenVPN is a highly configurable open-source protocol. It’s available freely for all platforms and is held in high regard by the community, and it is widely adopted among consumer VPN services.
OpenVPN can most easily be configured to mask itself as ordinary internet traffic, which helps it evade detection by filters and firewalls. It has been widely audited by trusted independent researchers, making it appropriate for deployment even in sensitive environments.
In the ExpressVPN apps, users can toggle between UDP (User Datagram Protocol) and TCP (Transmission Control Protocol) in the settings if they wish.
Simply put, UDP prioritizes fast data transfer at the expense of reliability, while TCP prioritizes reliability over speed. Moreover, TCP is a connection-oriented protocol, requiring a connection to be established before data is exchanged, whereas UDP is a connectionless protocol, which can result in data packets being lost in transmission or arriving out of sequence.
Verdict: One of the best
IKEv2 is one of the newest protocols and has significant strengths, particularly its speed. It’s well-suited for mobile devices across all platforms.
However, being primarily used in corporate environments, IKEv2 doesn’t have native support for Linux, and its lack of configurability can be a drawback. IKEv2 is also difficult to audit due to its strict licensing. ExpressVPN uses an open-source implementation of IKEv2 to ensure the integrity of the protocol.
IKEv2 is a popular choice, and it will sometimes be used by ExpressVPN apps when the protocol is set to “Automatic.”
Verdict: A solid choice, especially on mobile
As one of the earliest entrants into the world of protocols, PPTP has a rich and storied history. It’s been around since the days of Windows 95 but relies on the outdated MS-CHAP v2 authentication suite, which means it’s easy to crack.
This inherent vulnerability does come with an advantage: The lack of encryption and authentication features means PPTP is the fastest VPN protocol. This also means that the contents of your connection can be seen by your ISP, your Wi-Fi operator, and government surveillance organizations like the NSA.
As such, we recommend that only people who know what they’re doing use PPTP, which is no longer supported on ExpressVPN apps.
WireGuard® is a free and open-source VPN protocol originally written by Jason A. Donenfeld and currently under development by Edge Security LLC. It has shown promise as a modern VPN protocol in terms of speed and its lighter codebase, and a number of VPN providers have begun adopting it in the past couple of years.
ExpressVPN currently does not support WireGuard.
The SSTP VPN protocol was developed solely by Microsoft and introduced along with Windows Vista. It is very similar to a PPTP tunnel wrapped in SSL, an early encryption protocol popular for securing web pages. As such, SSTP initially worked only on Windows devices, and it never gained popularity beyond that.
SSTP has limited configurability and does not stand out among available protocols.
ExpressVPN no longer supports SSTP.
If you’re looking for the trifecta of speed, security, and reliability, Lightway delivers on all fronts thanks to its lightweight codebase. It runs fast, uses less battery, and is easy to audit and maintain—meaning better security.
Lightway is generally the best VPN protocol for everything from gaming to IPTV, and other applications where speed and connection stability are crucial.
If Lightway isn’t available to you, OpenVPN or IKEv2 remain your go-to protocols. OpenVPN offers 256-bit AES encryption with best-in-class security algorithms, giving you extensive cloaking abilities and an impenetrable layer protecting your digital footprint. The codebase has been publicly audited and checked for bugs, implementation errors, and backdoors.
Mobile users will also be well-served by IKEv2, which offers similar speed, reliability, and security to OpenVPN.
Given different environments, internet speeds, or network configurations, different VPN protocols will perform better. Lightway is one of the fastest protocols available, alongside OpenVPN and IKEv2. Without its layer of encryption, PPTP could be called the fastest VPN protocol. However, we don’t recommend you use PPTP, and the protocol is not available on any ExpressVPN apps.
Lightway, IKEv2, L2TP, and OpenVPN are all secure protocols, but the title of the most secure VPN protocol should go to Lightway, which uses wolfSSL, a well-established cryptography library that is FIPS 140-2 validated—which means it has been rigorously vetted by third parties.
Lightway also includes post-quantum support, protecting our users against attackers with access to both classical and quantum computers. ExpressVPN is one of the first VPN providers to deploy post-quantum protection, helping users to remain secure in the face of quantum computing advancements.
Lightway’s core code was audited and open-sourced in 2021 so that it could be transparently and widely scrutinized for security vulnerabilities. In 2022, Lightway was independently audited for a second time, further validating its security.
OpenVPN is also recommended, because it has been extensively audited by multiple neutral experts. Its open-source implementations are available for anyone to inspect and improve.
Designed to deal with frequent network changes, Lightway is the most stable VPN protocol. Users experience fewer connection drops, especially on mobile, and stay connected even when the device switches networks. With Lightway, your VPN session persists even when your network connection drops unexpectedly, so once you’re back online, your VPN is, too.
Protocols don’t need to be set up within a VPN app—you are using a VPN protocol when you turn on the VPN app. If you’re looking for ease of use, leave your VPN protocol set to “Automatic” and ExpressVPN will choose the best option for your network—which is usually Lightway.