Fexyn

What is a VPN protocol

The set of rules and cryptography a VPN uses to authenticate, encrypt, and route traffic between client and server.

A VPN protocol is the set of rules and cryptographic primitives a VPN uses to establish and maintain its tunnel. Different protocols make different trade-offs — speed vs. compatibility, simplicity vs. flexibility, raw performance vs. censorship resistance. Choosing the right one depends on what you're trying to accomplish.

The three that matter for consumer VPNs in 2026:

  • WireGuard — fast, modern, small codebase. Default for clean networks.
  • VLESS Reality — censorship-resistant. For networks that block standard VPNs.
  • OpenVPN — mature, widely supported. Compatibility fallback.

What a protocol decides

Each protocol specifies:

  • Authentication. How clients prove who they are. WireGuard uses peer public keys; OpenVPN uses TLS certificates; VLESS uses UUID-based authentication inside a real TLS session.
  • Key exchange. How both sides agree on session keys without sending them in the clear. WireGuard uses Curve25519; OpenVPN uses TLS-driven key exchange; VLESS Reality uses TLS 1.3 ECDHE.
  • Symmetric encryption. What cipher protects the tunneled data. WireGuard uses ChaCha20-Poly1305; OpenVPN typically uses AES-256-GCM; VLESS uses what TLS 1.3 negotiated.
  • Transport. UDP, TCP, or layered. WireGuard is UDP-only; OpenVPN supports both; VLESS uses TCP wrapped in TLS.
  • Roaming behaviour. How the tunnel survives network changes. WireGuard handles this natively; OpenVPN reconnects; VLESS reconnects.

The protocol determines the mathematical guarantees. Implementation determines whether those guarantees actually hold.
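One way to check that an OpenVPN client profile actually delivers the properties listed above, as an added example (not Fexyn's code or configuration). Both sample profiles, the hostname and the finding names are constructed for illustration; the directives themselves are standard OpenVPN options.

```python
# Added example. Both profiles and the hostname are constructed samples.
AEAD = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}

WEAK = """\
client
proto tcp
remote vpn.example.net 443   # constructed hostname
cipher BF-CBC
"""

GOOD = """\
client
proto udp
remote vpn.example.net 1194
data-ciphers AES-256-GCM:CHACHA20-POLY1305
tls-version-min 1.2
remote-cert-tls server
"""

def parse(text):
    """Map each directive to its arguments; skip comments and inline <ca>-style blocks."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif line and not in_block:
            name, *args = line.split()
            directives[name] = args
    return directives

def audit(text):
    """Return the transport in use and a list of finding names (names are hypothetical)."""
    d, findings = parse(text), []
    # Symmetric encryption: data-ciphers is a colon-separated list, cipher a single name.
    offered = d.get("data-ciphers") or d.get("cipher") or []
    ciphers = [c.upper() for c in ":".join(offered).split(":") if c]
    if not ciphers:
        findings.append("cipher-unpinned")       # left to the OpenVPN version's default
    elif any(c not in AEAD for c in ciphers):
        findings.append("non-aead-cipher")
    # Authentication: the client must insist that the peer certificate is a server certificate.
    if d.get("remote-cert-tls") != ["server"] and "verify-x509-name" not in d:
        findings.append("server-cert-unchecked")
    # Key exchange: refuse TLS versions below 1.2 for the control channel.
    if d.get("tls-version-min", ["none"])[0] not in ("1.2", "1.3"):
        findings.append("tls-floor-missing")
    # Transport: OpenVPN defaults to UDP when no proto line is present.
    return {"transport": d.get("proto", ["udp"])[0], "findings": findings}
```

WireGuard has no equivalent settings to audit, because its key exchange and cipher are fixed by the protocol rather than chosen in the profile.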

Other protocols you'll see in marketing

Some that exist but Fexyn doesn't ship:

  • IPSec / IKEv2. Native on iOS and macOS. Easy to set up. Recognisable to DPI — fingerprinted by every censor immediately. Good for corporate VPN, mediocre for privacy.
  • Shadowsocks. Lightweight, originally built to defeat the GFW. Well-fingerprinted by 2023 DPI. Use VLESS Reality instead.
  • L2TP / PPTP. Old, weak cryptography, deprecated. If you see "L2TP/PPTP" advertised as a feature in 2026, treat it as a red flag.
  • Trojan. Clever protocol that wraps SOCKS in TLS. Fexyn doesn't ship it because VLESS Reality covers the same use case more robustly.

How to choose

Most users don't actively choose. They install a VPN and use whatever default the client picks. That's fine when the default is good.

Fexyn rotates through three protocols automatically:

  1. Fexyn Bolt (WireGuard) — the default on networks that aren't actively hostile.
  2. Fexyn Stealth (VLESS Reality) — fallback when Bolt is blocked.
  3. Fexyn Secure (OpenVPN) — fallback when Stealth fails too.

The rotation engine is described in the comparison page and in the "choosing the right protocol" guide.

You only think about protocols when something goes wrong. On a normal home network, Bolt connects in milliseconds and you forget the choice exists. On a hotel network that blocks UDP, Bolt fails and the rotation tries Stealth — still transparent to you. On a censored network, you might pin Stealth manually so the rotation doesn't waste time on Bolt.

The number of protocols a VPN ships is less important than whether the rotation works. A VPN with three good protocols and automatic fallback beats one with seven and manual switching every time.

Try Fexyn free for 7 days — three protocols included on every plan.

Windows app available now in Beta. WireGuard, VLESS Reality, and OpenVPN with no browsing-history, DNS-query, or traffic-content logs.
