1. Why VPNs Slow You Down in the First Place
Without a VPN, your data takes the most direct route between your device and the destination server. Add a VPN into the mix, and every packet has to go through three extra steps:
- Encryption. Every outgoing packet gets encrypted on your device before it leaves. The heavier the encryption, the more CPU time it takes — and that adds up fast on mobile hardware.
- Rerouting. Instead of going straight to the destination, your traffic first hits the VPN server, then gets forwarded. That extra hop adds real-world latency — there’s no way around the physics of it.
- Protocol overhead. Different protocols package your data differently. Some are lean and efficient; others pack in so much handshaking and header data that they eat bandwidth before a single byte of your actual content moves.
According to Cloudflare’s VPN technical documentation, encryption overhead and protocol efficiency are the two biggest performance variables — more impactful, in most cases, than server count or geographic coverage.
2. The Main VPN Protocols Explained
Before comparing speeds, here’s what each protocol is and what it was built to do.
WireGuard
WireGuard is the fastest VPN protocol in widespread use today. Released in 2019, it was built from scratch with modern cryptography — ChaCha20 for encryption, Curve25519 for key exchange — and runs directly in the operating system kernel, cutting out a layer of processing that older protocols can’t avoid. Its codebase is around 4,000 lines, compared to over 70,000 for OpenVPN. Less code means a smaller attack surface, easier auditing, and noticeably lower CPU overhead. The WireGuard project describes its design goal as “simple, fast, and modern” — and in benchmarks, it consistently delivers on all three.
IKEv2 / IPsec
IKEv2/IPsec is the dominant VPN standard in enterprise and mobile environments. IPsec handles encryption at the network layer, while IKEv2 manages the key exchange — a pairing refined over two decades of real-world deployment. Most operating systems implement IKEv2 natively, which means no client software is required on Windows, macOS, iOS, and Android. Its standout feature for mobile users is MOBIKE: when a device switches between Wi-Fi and cellular, the VPN session re-establishes almost instantly without user intervention. Performance is solid — typically faster than OpenVPN, with hardware acceleration available on most modern devices. The IKEv2 specification (RFC 7296) is maintained by the IETF and widely supported across routers and firewalls.
TUIC / QUIC
TUIC is a proxy protocol built on top of QUIC — the same transport layer that powers HTTP/3, originally developed by Google. Unlike TCP-based protocols, QUIC runs over UDP and handles packet loss stream-by-stream: if one data stream drops a packet, only that stream pauses while everything else keeps moving. On long-distance or mobile connections where packet loss and jitter are facts of life, that behavior makes a measurable difference in perceived speed and stability.
Shadowsocks
Shadowsocks is an encrypted proxy protocol that routes traffic through a SOCKS5-based tunnel using modern stream ciphers — typically ChaCha20-Poly1305 or AES-256-GCM. Originally released in 2012, it has been actively maintained ever since and has a large open-source ecosystem. Because it encrypts at the application layer rather than the OS level, overhead is low and it integrates well with split-routing setups. The official Shadowsocks project is widely deployed and supported by most multi-protocol VPN clients.
OpenVPN
OpenVPN has been the backbone of enterprise VPN infrastructure since 2001. It uses TLS/SSL for encryption and supports both UDP and TCP transport — a distinction that matters significantly for performance. OpenVPN’s own documentation recommends UDP for most use cases due to lower overhead, while TCP mode prioritizes reliability at the cost of speed. Both modes lag behind modern alternatives in raw throughput, but OpenVPN’s unmatched compatibility keeps it relevant in enterprise environments.
3. Protocol Speed Comparison
The chart below combines independently benchmarked data with published estimates from multiple sources. Data quality varies by protocol — see the source tier legend in the chart notes.
Shadowsocks note: No large-scale Gbps benchmark exists for Shadowsocks. The ~650 Mbps figure is an estimate based on its lightweight architecture (application-layer encryption only, no tunnel overhead) relative to verified protocols. Independent tests on low-bandwidth connections show roughly 89–92% speed retention vs. baseline.
| Protocol | Speed Retention | Added Latency | Best For |
|---|---|---|---|
| WireGuard | ~85–92% | +5–15 ms | Everyday use, streaming, gaming |
| TUIC (QUIC) | ~80–88% | +8–20 ms | Mobile networks, high packet-loss links |
| IKEv2 / IPsec | ~60–80% est. | +10–30 ms | Enterprise, native OS support, roaming |
| Shadowsocks | ~75–85% est. | +5–18 ms | Lightweight encrypted proxying |
| OpenVPN (UDP) | ~28–45% | +20–50 ms | Enterprise VPNs, firewall traversal |
| OpenVPN (TCP) | ~25–38% | +30–80 ms | Stability over speed, legacy networks |
Speed retention = measured throughput with VPN ÷ baseline throughput without VPN, on a 1 Gbps test link. IKEv2 and Shadowsocks figures marked “est.” are estimates from multiple sources without a single controlled benchmark. Actual results vary with server location, network conditions, and device hardware.
4. Other Factors That Affect Your VPN Speed
Getting the protocol right is step one. These factors determine how much of that potential you actually see in practice.
Server Distance
Physics sets the floor. Light through fiber takes roughly 7 ms to travel from Singapore to Japan, and around 170 ms to reach the US West Coast. Connecting to a server geographically closer to you almost always results in lower latency and better real-world speeds. ITU network infrastructure data shows that cross-border latency in the Asia-Pacific region is heavily shaped by submarine cable routing — making local server availability a practical priority, not just a nice-to-have.
Server Load
The more users sharing a server, the less bandwidth each one gets. Peak hours — US primetime evenings, for instance, when streaming demand spikes — can noticeably degrade performance even on a fast protocol. Quality VPN providers handle this with real-time load balancing, automatically routing you to a less congested node.
Your Local Network Quality
A VPN amplifies instability rather than smoothing it out. If your connection has high baseline packet loss, TCP-based protocols suffer disproportionately — every dropped packet triggers a retransmission that stalls the entire stream. QUIC-based protocols like TUIC handle loss on a per-stream basis, which makes them significantly more resilient on unreliable connections.
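The per-stream loss handling described here and in the TUIC / QUIC section can be seen in a small model. This is an added example, not code from any VPN project; the one-packet-per-tick schedule, the round-robin stream assignment, and the delay and retransmission values are constructed assumptions.

```python
# Toy model (assumptions): one packet is sent per tick, packets are spread
# round-robin over the streams, and a lost packet arrives RTO ticks late.
ONE_WAY_DELAY = 10   # ticks from send to arrival (constructed value)
RTO = 100            # extra ticks before a lost packet's retransmission lands


def delivery_times(n_packets, n_streams, lost, per_stream):
    """Return (arrival, delivered) tick lists for every packet.

    per_stream=False models a TCP-style tunnel: one ordered byte stream, so a
    packet is handed to the application only after every earlier packet.
    per_stream=True models QUIC: ordering is enforced inside each stream only.
    """
    arrival = [i + ONE_WAY_DELAY + (RTO if i in lost else 0)
               for i in range(n_packets)]
    latest = {}          # ordering domain -> latest arrival seen so far
    delivered = []
    for i, t in enumerate(arrival):
        domain = i % n_streams if per_stream else 0
        latest[domain] = max(latest.get(domain, 0), t)
        delivered.append(latest[domain])   # in-order release time
    return arrival, delivered


def stall_report(n_packets, n_streams, lost, per_stream):
    """Count packets held back behind a loss and the total ticks they waited."""
    arrival, delivered = delivery_times(n_packets, n_streams, lost, per_stream)
    waits = [d - a for a, d in zip(arrival, delivered) if d > a]
    return len(waits), sum(waits)


if __name__ == "__main__":
    # Constructed scenario: 40 packets over 4 streams, packet 5 is lost once.
    for label, mode in (("single ordered stream", False),
                        ("per-stream ordering", True)):
        held, ticks = stall_report(40, 4, {5}, mode)
        print(f"{label:>22}: {held} packets held back, {ticks} ticks waiting")
```

With a single ordered stream, every packet sent after the lost one waits for its retransmission; with per-stream ordering, only later packets on the same stream do.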
Device Performance
Encryption and decryption are CPU-intensive. On older phones or budget routers, the processor can become the bottleneck before the network does. WireGuard’s official benchmarks show substantially lower CPU utilization compared to OpenVPN on identical hardware — which also translates to better battery life on mobile devices. IKEv2/IPsec benefits from AES-NI hardware acceleration on most modern devices, partially closing the gap with WireGuard in real-world use.
Server Bandwidth
No protocol can fix an underpowered server. This is why the same protocol can perform very differently across VPN providers — the upstream pipe matters just as much as the encryption layer. When evaluating a service, it’s worth looking into their node bandwidth specs and whether they operate their own infrastructure or rely on third-party hosting.
5. The One Scenario Where a VPN Can Actually Speed Things Up
It sounds counterintuitive, but it happens. Some ISPs throttle specific types of traffic — P2P downloads, cross-border connections, or high-bandwidth streaming — using a technique called Quality of Service (QoS). When your traffic is encrypted inside a VPN tunnel, the ISP can no longer identify what type of traffic it is, so the throttling rules don’t apply. The result: your connection actually gets faster with the VPN on.
Research from multiple independent organizations has documented this effect — Netflix and YouTube speeds on certain ISPs in the US and parts of Asia have been measured 20–40% higher through a VPN than without one, specifically because the ISP’s throttling logic gets bypassed.
You’re most likely to see this on:
- Dorm or office networks that rate-limit P2P traffic
- ISPs with cross-border bandwidth caps
- Any connection where streaming is deprioritized during peak hours
6. TUN Mode vs. System Proxy — A Setting Most People Miss
If you’ve ever turned on a VPN and found that certain apps still felt slow or couldn’t connect, the issue might not be the VPN itself — it might be which mode it’s running in.
System proxy mode only routes traffic from apps that explicitly support proxy settings — typically browsers. Games, download managers, system updaters, and most background processes go straight to the internet, completely bypassing the VPN tunnel.
TUN mode creates a virtual network adapter at the OS level, capturing all traffic from every app on the device — no exceptions. It’s a more complete solution, though it consumes slightly more CPU and drains battery slightly faster than proxy mode.
If an app isn’t behaving as expected while your VPN is active, check whether TUN mode is enabled before assuming the problem is elsewhere.
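One way to run that check on Linux is to ask the kernel which interface it would use for a destination and compare that with the proxy settings. This is an added example, not part of any VPN client; the interface-name prefixes, the environment variables consulted, and the sample route outputs are assumptions constructed for illustration.

```python
import re
import subprocess

# Assumption: tunnel adapters follow these common naming prefixes. Interface
# names are configurable, so adjust the tuple for your client.
TUNNEL_PREFIXES = ("tun", "wg", "utun", "ppp", "ipsec")
PROXY_VARS = ("http_proxy", "https_proxy", "all_proxy")


def egress_device(route_get_output):
    """Extract the interface after 'dev' from `ip route get <dst>` output."""
    match = re.search(r"\bdev\s+(\S+)", route_get_output)
    return match.group(1) if match else None


def classify(route_outputs, env):
    """Return (mode, devices); mode is tun, split, system-proxy or none."""
    devices = {dst: egress_device(out) for dst, out in route_outputs.items()}
    tunneled = [dst for dst, dev in devices.items()
                if dev and dev.startswith(TUNNEL_PREFIXES)]
    proxied = any(env.get(v) or env.get(v.upper()) for v in PROXY_VARS)
    if devices and len(tunneled) == len(devices):
        mode = "tun"            # every lookup leaves through the tunnel
    elif tunneled:
        mode = "split"          # some destinations bypass the tunnel
    elif proxied:
        mode = "system-proxy"   # only proxy-aware apps are covered
    else:
        mode = "none"
    return mode, devices


def live_route(dst):
    """Ask the Linux kernel which route it would use (needs iproute2)."""
    return subprocess.run(["ip", "route", "get", dst],
                          capture_output=True, text=True).stdout


# Constructed sample outputs, not captured from a real host.
PROXY_MODE = {
    "203.0.113.10": "203.0.113.10 via 192.168.1.1 dev wlan0 src 192.168.1.23 uid 1000",
    "198.51.100.7": "198.51.100.7 via 192.168.1.1 dev wlan0 src 192.168.1.23 uid 1000"}
TUN_MODE = {
    "203.0.113.10": "203.0.113.10 dev wg0 table 51820 src 10.0.0.2 uid 1000",
    "198.51.100.7": "198.51.100.7 dev wg0 table 51820 src 10.0.0.2 uid 1000"}

if __name__ == "__main__":
    print(classify(PROXY_MODE, {"https_proxy": "http://127.0.0.1:7890"}))
    print(classify(TUN_MODE, {}))
```

On a live host, build the input with `{dst: live_route(dst) for dst in destinations}` and pass `os.environ` as `env`; desktop proxy settings stored outside environment variables are not detected by this sketch.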
7. Which Protocol Should You Actually Use?
Here’s how to match the right protocol to your use case:
- General everyday use: WireGuard is the default choice. It’s fast, well-audited, and the performance advantage over everything else is hard to ignore.
- Enterprise or corporate networks: IKEv2/IPsec is the standard — natively supported on all major operating systems, widely compatible with firewalls, and handles network switching gracefully.
- Mobile or unstable connections: TUIC’s QUIC foundation makes it significantly more stable as you move between Wi-Fi and cellular. IKEv2 also handles roaming well due to its MOBIKE extension.
- Lightweight proxying without full tunnel overhead: Shadowsocks is fast and encrypted, and integrates well with split-routing setups where you only want to proxy specific traffic.
- Need all apps covered: Make sure your client supports TUN mode — otherwise some apps will connect outside the tunnel entirely.
- Stability over speed: OpenVPN over TCP is the most reliable option on restrictive or unpredictable networks, though the speed trade-off is significant.
The Bottom Line
Every VPN slows you down to some extent — that’s unavoidable. But the gap between a well-chosen protocol and a poorly matched one can be enormous. WireGuard sets the performance bar; IKEv2/IPsec is the enterprise workhorse with native OS support; TUIC holds up better on mobile and long-distance links; Shadowsocks offers fast encrypted proxying with minimal overhead; and OpenVPN over TCP belongs in the narrow set of scenarios where compatibility trumps everything else.
Protocol aside, the infrastructure behind it matters just as much. Server proximity, available bandwidth, and load balancing all determine how much of the protocol’s ceiling you’ll actually reach. When comparing VPN services, those factors deserve at least as much scrutiny as the price.
About Surflare
If you’d rather not spend time configuring protocols manually, take a look at Surflare. It uses a transport protocol optimized for real-world network conditions — built to hold up on high-latency, high packet-loss connections. The client selects the best available route automatically, so you never have to think about which protocol or node to pick. Available on Windows, macOS, iOS, and Android.