A few years ago, choosing a VPN protocol was a pretty cut-and-dry affair. OpenVPN was by far the best option, and if you were using a Mac or mobile device IKEv2 was also a decent choice.
However, in recent years we’ve seen a number of alternatives crop up, and now almost every one of the best VPN providers offers a modern alternative – be that based on open-source tech or developed in-house.
Of the new protocols, WireGuard is the most widely used and has been adopted by just about every VPN worth its salt. However, other options like ExpressVPN’s in-house (but open-source) Lightway are also in use. Here, we’ll compare what we consider the three most important protocols – OpenVPN, WireGuard and Lightway – to see which is best suited for particular purposes, and whether the protocols a provider offers should impact your buying decision.
First and foremost, a VPN protocol has to keep you and your information safe. Predictably, all three of the most popular protocols are safe to use and offer good privacy – but there are times when one might be favorable over another.
OpenVPN has been trusted for almost two decades, and despite a somewhat bloated and ageing codebase it’s still solid and safe to use. OpenVPN uses OpenSSL, the most widely-used SSL library, and the protocol’s open-source nature means there are no hidden nasties.
Rather than being based on old, iterated code, WireGuard was developed just a few years ago to be fast, lightweight and secure. However, it was not designed with privacy as a priority. Vanilla WireGuard stores IP addresses on the server and does not delete them, which poses a problem for VPNs that claim to be zero-logging.
However, with a couple of tweaks this inherent issue can be remedied, and providers like NordVPN, IVPN and Surfshark all offer WireGuard or WireGuard-based protocols combined with a fix that stops IPs being stored. We've explored in-depth whether we consider WireGuard safe to use if you're interested.
Finally, we come to Lightway. Much like WireGuard, Lightway has been built from the ground up using wolfSSL, which means its code is cleaner and easier to understand than OpenVPN’s. It’s also open-source, and has been fully audited by Cure53.
Unlike WireGuard, though, there are no patches needed for Lightway to be used safely – great news for any budding developers looking to create their own VPN.
Second only to privacy, having a fast VPN is essential – and this is where the modern protocols really start demonstrating OpenVPN’s weaknesses.
When we test VPN providers, we test them a number of times on a 1Gbps line to see what they can really do. Speed data is obviously changeable from day to day, but our repeat testing allows us to effectively determine which VPNs are speedy and which aren’t.
When using WireGuard, the fastest speed out of any VPN was a staggering 950Mbps from TorGuard. That was closely followed by Hide.me with 900Mbps, IPVanish with 890Mbps, CyberGhost with 850Mbps and Surfshark with 790Mbps. Suffice to say, WireGuard certainly won’t slow you down.
In our last round of testing only ExpressVPN used Lightway, and with a peak speed of 630Mbps it’s impressive, but can’t keep up with the fastest implementations of WireGuard. In practice, though, neither Lightway nor WireGuard will slow you down. Especially if you’re using a slower domestic connection. It’s also worth noting that, in our testing, Lightway reliably established connections much faster than any other protocol.
OpenVPN is a different story... The very fastest OpenVPN connection we recorded was 490Mbps from Mullvad, closely followed by Hide.me at 450Mbps and ProtonVPN at 440Mbps. However, closer to the average were Surfshark with 150Mbps, IVPN with 180Mbps, IPVanish with 160Mbps, and NordVPN with 250Mbps.
So, if you’re after speed, we would highly recommend signing up to a VPN that offers Lightway or WireGuard. As domestic lines get faster, OpenVPN simply can’t keep up any more.
Bypassing governmental restrictions on content is one of the most important VPN uses, and again, there’s a definite difference between the protocols here.
Evading restrictions sees OpenVPN return to form, and it’s still the gold standard when it comes to avoiding internet blocks in China, Turkey, Russia, and elsewhere. In fact, VPNs that offer dedicated Stealth or Camouflage modes – Surfshark, for instance – instruct users to switch to OpenVPN from the default WireGuard in order to activate it.
We’ve seen reports of Lightway being effective for avoiding blanket bans of websites and content, but this seems to be a thorn in WireGuard’s side. Almost every FAQ from any VPN on the subject will begin the same way: ‘switch to OpenVPN’.
Thankfully though, just about every VPN will offer OpenVPN as well as WireGuard, meaning that even though the newer protocol can’t do everything, you’re not missing out on any functionality.
When it comes to unblocking region-locked streaming sites and content, the protocol you choose can definitely make a difference.
Both OpenVPN and Lightway support UDP and TCP (our sister site TechRadar has an excellent explainer of UDP and TCP), and if you’re having issues streaming, switching from one to the other may help. In most cases you’ll want to use UDP thanks to its faster performance, but TCP can occasionally connect more effectively.
WireGuard is UDP-only, meaning that if you’re having issues streaming something, you won’t be able to test if changing mode has an effect. However, with its class-leading speeds, it’s unlikely you’ll be left buffering.
OpenVPN vs WireGuard vs Lightway – which is best?
As with many questions, there’s no one answer to this. OpenVPN is still a very effective protocol that will be part of all quality VPNs’ offerings for a long time.
However, it’s clear why for day-to-day use we’re moving away from OpenVPN and embracing the likes of WireGuard and Lightway. Unless you’re using obfuscated servers or you’re having other issues related to WireGuard or Lightway, the modern protocols are by far a better choice.
They’re faster, connect quicker, deliver more reliable connections, and now work on just about any device that OpenVPN does. We’ve still got time for OpenVPN, but it’s like an antique crockery set – only worth using on special occasions.