VPN protocols compared: WireGuard, OpenVPN, VLESS Reality, and the rest in 2026

Fexyn Team · 6 min read

VPN protocols are not interchangeable. Each one optimises for something different — usually trading speed for encryption overhead, or vice versa. Most consumer VPN reviews flatten this into "WireGuard fastest, OpenVPN most compatible" and stop there, which leaves out the protocols that actually matter when you cross a censorship border.

Here's the honest version, written for someone choosing what to actually run.

Quick comparison

| Protocol | Speed | Security | Censorship resistance | Setup |
|---|---|---|---|---|
| WireGuard | Excellent | Strong, formally analysed | Poor (recognisable signature) | Easy |
| OpenVPN | Moderate | Strong, very mature | Poor by default; better with obfs | Easy |
| VLESS Reality (XRay) | Good | Strong | Excellent (real TLS handshake) | Hard if self-hosted |
| IPSec/IKEv2 | Very good | Strong (NSA-grade) | Poor (well-known signature) | Easy on mobile |
| Shadowsocks | Good | Adequate | Moderate (recognisable patterns now) | Hard if self-hosted |

If you are on a free network, WireGuard is the default answer. If you are behind DPI in a country that targets VPNs, VLESS Reality with the Vision flow is the only protocol on this list that is seriously hard to detect.

WireGuard

The default for any new VPN deployment in 2024+. About 4,000 lines of core code, formally analysed, ChaCha20-Poly1305 encryption, Curve25519 key exchange, BLAKE2s hashing. Stateless cryptokey routing means no session table to maintain. The handshake is two round-trips and the data path is tight.

In practice this means low latency, low CPU on both client and server, fast roaming between networks, and ~5% throughput cost on a typical home connection.

The catch: the protocol makes no attempt to hide itself. WireGuard packets have a distinctive shape — UDP, fixed header structure, message types 1–4. A DPI system that wants to recognise WireGuard can do so cheaply. Iran and Russia regularly block WireGuard endpoints by signature.
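The cheap recognition described above, as an added example (not Fexyn's code and not any real DPI product's classifier): it checks the fixed header and message sizes of the WireGuard wire format, then ties a flow together through the session indices that travel unencrypted. The function names are illustrative and the sample packets are constructed, with filler bytes where ciphertext would be.

```python
import struct

# Fixed UDP payload sizes for the three handshake-phase messages (bytes).
FIXED_LEN = {1: 148, 2: 92, 3: 64}
NAMES = {1: "initiation", 2: "response", 3: "cookie-reply", 4: "transport"}
MIN_TRANSPORT = 32  # 16-byte header + 16-byte tag (an empty keepalive)


def classify(payload: bytes):
    """Return the WireGuard message name if one UDP payload fits the format, else None."""
    if len(payload) < MIN_TRANSPORT or payload[1:4] != b"\x00\x00\x00":
        return None  # too short, or the 3 reserved bytes after the type are not zero
    kind = payload[0]
    if kind == 4:
        return NAMES[4]
    return NAMES[kind] if FIXED_LEN.get(kind) == len(payload) else None


def index(payload: bytes, offset: int) -> int:
    """Read a 32-bit little-endian session index, sent unencrypted in every message."""
    return struct.unpack_from("<I", payload, offset)[0]


def flow_is_wireguard(payloads) -> bool:
    """Stateful check: initiation, matching response, then transport tied to the same indices."""
    if len(payloads) < 2 or classify(payloads[0]) != "initiation" \
            or classify(payloads[1]) != "response":
        return False
    initiator, responder = index(payloads[0], 4), index(payloads[1], 4)
    if index(payloads[1], 8) != initiator:  # response must echo the initiator's index
        return False
    return all(classify(p) == "transport" and index(p, 4) in (initiator, responder)
               for p in payloads[2:])


def sample(kind: int, length: int, *indices: int) -> bytes:
    """Constructed packet: real header layout, 0xA5 filler where ciphertext would be."""
    head = bytes([kind, 0, 0, 0]) + b"".join(struct.pack("<I", i) for i in indices)
    return head + b"\xa5" * (length - len(head))


# Constructed flows, not captured traffic.
WG_FLOW = [sample(1, 148, 0x1111), sample(2, 92, 0x2222, 0x1111),
           sample(4, 32, 0x2222), sample(4, 1452, 0x1111)]
DNS_QUERY = bytes.fromhex("123401000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"
LOOKALIKE = [sample(1, 148, 0x1111), sample(2, 92, 0x2222, 0x9999)]  # index mismatch

if __name__ == "__main__":
    print(flow_is_wireguard(WG_FLOW), classify(DNS_QUERY), flow_is_wireguard(LOOKALIKE))
```

Nothing here needs key material or decryption, which is why signature matching is cheap. The flow check is simplified: it does not handle retransmitted handshakes or cookie replies in mid-flow.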

Use WireGuard when your network isn't actively hostile to VPNs.

How Fexyn uses WireGuard.

OpenVPN

The compatibility fallback. Around since 2001. Runs over UDP or TCP. Wraps an OpenSSL/mbedTLS-driven control channel and a separate data channel. TLS 1.3 + ECDSA + AES-256-GCM is the modern config; older deployments still run TLS 1.2 + RSA.

OpenVPN is slower than WireGuard. The control channel is heavier, the data path involves more userspace work, and TCP fallback adds head-of-line blocking when packets are lost. It's also a recognisable protocol — TCP/443 OpenVPN is detectable by anyone running DPI, despite looking like HTTPS at first glance.

What OpenVPN gets you is reach. It runs over TCP/443. It works on hotel networks that block UDP. It runs on routers, NAS boxes, ancient Linux distros, anything with an openvpn package. When everything else fails, OpenVPN over TCP usually connects.

The major win in modern OpenVPN deployments is short-lived certificates. Issuing 24-hour client certs from a Vault PKI eliminates the certificate-revocation problem that plagued long-lived OpenVPN PKIs.

How Fexyn uses OpenVPN.

VLESS Reality

Built specifically to defeat DPI in censored countries. Runs on XRay (a fork of v2ray-core).

The trick: VLESS Reality establishes a real TLS 1.3 connection to a real, well-known website (a "handshake host" like microsoft.com or cloudflare.com). The TLS handshake is genuine; the certificate is the real one served by that public site. Inside the established session, your VPN data flows.

To DPI watching the wire, your connection looks identical to someone else loading microsoft.com from a browser. The censor can't distinguish your traffic from any other HTTPS session to the same host. Blocking it would mean blocking the handshake host, which the censor probably won't do.

Cost: extra latency from the TLS handshake, more CPU on the client because of the cryptography, and slightly higher throughput cost than WireGuard. Worth it when WireGuard is blocked.

How Fexyn uses VLESS Reality · Why VLESS Reality beats WireGuard in censored countries.

IPSec / IKEv2

The protocol your phone OS already speaks. macOS, iOS, and Windows all ship native IKEv2 clients. AES-256, 3DES (deprecated), HMAC-SHA2. Strong cryptography, well-audited.

Speed is good. Reconnection on network change is excellent — IKEv2's MOBIKE extension is one of the cleanest mobile-VPN handover stories of any protocol. That's why mobile providers love it for corporate VPN.

Censorship resistance is poor. IKEv2 uses UDP/500 and UDP/4500 with extremely recognisable handshake patterns. Anywhere that filters VPNs by signature filters IKEv2 immediately.

Most consumer VPNs ship IKEv2 because the OS already supports it, not because it's the right protocol. It's a convenience, not a security choice.

Shadowsocks

A SOCKS5-based encrypted proxy, originally built in China to defeat the GFW. Single-port, encrypted with stream or AEAD ciphers. Lightweight enough to run on a $5 VPS.

For a few years (roughly 2017–2020) it was the default DPI-evasion tool. Then the GFW learned its fingerprints — the timing patterns, the lack of padding diversity, the entropy distribution of the ciphertext. By 2023, vanilla Shadowsocks was being detected and throttled in the regions that matter.

Variants like ShadowTLS and shadow-tls-v3 patch this by wrapping the traffic in a real TLS handshake — which is structurally similar to what VLESS Reality does, except VLESS Reality starts from a fresh design instead of retrofitting.

Use Shadowsocks if you already know it. For new deployments in 2026, VLESS Reality is the better choice.

More on the comparison: VLESS vs Shadowsocks.

What about Trojan?

Trojan was a clever protocol — wrap a SOCKS connection in TLS that looks like an HTTPS server, falling back to a real web page if the password is wrong. Smart design, well-implemented.

Fexyn doesn't ship Trojan. The reason is simple: VLESS Reality covers the same use case (DPI evasion via real TLS) and is more actively maintained. Running both would mean two protocols competing for the same role with no clear advantage to having both.

How Fexyn picks for you

Fexyn ships three protocols and rotates between them automatically:

  • Fexyn Bolt is WireGuard. The default on clean networks.
  • Fexyn Stealth is VLESS Reality with the Vision flow (xtls-rprx-vision). For restrictive networks.
  • Fexyn Secure is OpenVPN. The compatibility fallback for the most locked-down networks.

The rotation engine tries protocols in an order that depends on what your network has historically allowed. You don't manage this unless you want to. Pin a protocol from the app settings if you have a specific reason.

We don't ship IKEv2 because the OS already does it and doing it again would just be a worse client. We don't ship Shadowsocks because VLESS Reality covers it.

Try Fexyn free for 7 days — all three protocols included, with automatic rotation.
