OpenVPN over TCP vs. UDP

OpenVPN can run over either the TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) transports. Choosing which one to use is a highly technical issue, and one that most VPN providers (quite understandably) keep hidden ‘behind the scenes’.

Some VPN providers, however, prefer to let customers choose which connection protocol they prefer. The reason for this is that while both offer distinct advantages and disadvantages in each other, choosing which is ‘best is’ difficult, as it depends what the internet is being used for, and what matters to individuals most – speed or reliability.

The Difference

TCP vs UDP, OpenVPN vs TCP, UDP vs OpenVPN... What is the difference, exactly?

TCP is, in general, the most commonly used connection protocol on the internet, as it offers error correction (and is therefore known as a ‘stateful protocol’). Whenever a computer sends a network packet using TCP, it waits for confirmation that the packet has arrived before resending the packet (if no confirmation is received), or sending the next packet (if confirmation is received). 

This means there is ‘guaranteed delivery’ of all data, making the protocol very reliable, but there is a considerable overhead as packets are sent, confirmed, re-sent etc., making it quite slow.

UDP is referred to as a ‘stateless protocol’ as it performs no such error correction, simply receiving packets with no or retries. This makes it much faster, but less reliable.

  • TCP = reliable
  • UDP = fast

Which one to use?

Which one you use, therefore, depends on whether reliability or speed is your primary concern, and, in general, UDP is better for streaming VoIP, and playing games online.

However, how much TCP actually slows a connection down in practice can be very dependent on other network factors, with distance being the most important. The further away you are from your VPN server geographically, the further TCP packets have to travel to and fro, and therefore the slower your connection will be. If the server is relatively close-by, then you may not see much of a speed loss, while benefiting from a more reliable connection.

That said, probably the best general advice is to use the faster UDP protocol unless you experience connection problems, which is the strategy adopted by most VPN providers by default.

Defeat censorship with OpenVPN on TCP Port 443

When you connect to a secure website your connection is protected by SSL encryption. You can tell that a website is secure because its URL (web address) begins with https: and a closed lock icon should appear to the left of your browser's URL bar. Traditionally it was mainly banks and online shops etc. that used SSL, but with growing public concern about internet security, it is increasingly common to see SSL encryption deployed on all kinds of websites.

SSL is the cornerstone of security on the internet, and any attempt to block it effectively breaks the internet (which hasn't stopped places such as Iran trying!). SSL runs over TCP port 443.

tcp vs udp

The interesting thing for OpenVPN (which is based on the OpenSSL libraries) is that configured to run on TCP port 443, OpenVPN traffic looks identical to regular SSL connections. This makes running OpenVPN over TCP port 443 ideal for evading censorship as:

  1. It is very difficult that OpenVPN is being used rather than regular SSL
  2. It is almost impossible to block without breaking the internet.

Some custom VPN clients allow you to select TCP port 443, or it can often be configured manually (ask your VPN provider for settings.)

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

39 Comments

Mark Johnson
on March 30, 2020
Reply
Hello Douglas, and thank you for the article. It helped me understand an issue that was always enigmatic to me. I MAY have sent you a post earlier today explaining a major performance issue I'm seeing with my VPN, but I don't see it listed here and can find no record that I actually sent it. Can you confirm that you saw it?
https://cdn.proprivacy.com/storage/images/2020/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-default.png
Douglas Crawford replied to Mark Johnson
on March 31, 2020
Reply
Hi Mark. No, I'm afraid I haven't received any other comments from you. If you re-send I should get it :).
Janez
on February 5, 2020
Reply
Hi Douglas, is possible to run OpenVPN on TCP/443 over apache reverse proxy? Because we allready use TCP/443 port for our apache reverse proxy.
https://cdn.proprivacy.com/storage/images/2020/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-default.png
Douglas Crawford replied to Janez
on February 6, 2020
Reply
Hi Janez. I'm not an expert on configuring Apache, but I believe this article might answer your question.
Guillem Balague
on December 11, 2019
Reply
Great article However I have a set up where I use UDP 443 for speed. I can find literally nowhere on the internet that mentions this - all is TCP 443? Does running UDP 443 instead of TCP 443 mean this is very easily detectable or something? Would really prefer to stay on UDP 443 Thanks!
https://cdn.proprivacy.com/storage/images/2020/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-default.png
Douglas Crawford replied to Guillem Balague
on December 11, 2019
Reply
Hi Guillem, You can run OpenVPN over almost any port (bar a few which are reserved for one reason or another). This can be useful for evading firewall blocks looking for UDFP port 1194 (the default port used by OpenVPN), but doesn't really offer any other advantages. UDP port 443 is just another port. UDP port 80 is arguably more useful as that's the port used by regular unencrypted HTTP traffic. On the other side, there are no real cons to running OpenVPN over UDP 443.
Robert
on November 9, 2019
Reply
Hi Douglas. Thanks for this post. I wonder. UDP is fast, but TCP is more reliable. Do you know how this effects the VPN in practice? Could the next problem be caused by UDP? We are experiencing some problems with OpenVPN and RDP. When users scroll PDF's or have other high load screen-updates (like animated things of the Windows 10 user-interface), the VPN sometimes stalls for a moment. PING's time-out. RPD freezes and reconnects after a while. Sometimes the OpenVPN log shows "Authenticate/Decrypt packet error: bad packet ID (may be a replay)". People suggest to use TCP in stead of UDP. I can imagine that a heavy load is more likely to have problems with UDP packets coming over in the wrong order, causing the replay-error. TPC packets, I guess, are confirmed packet after packet, in the correct order. If I test with UDP or TCP and scroll through PDF's, it looks like TCP is always very slow. UDP seems fast until the moment it 'breaks' and I have to wait +/- 20 seconds to reconnect. Is this a known phenomenon? Do you think it's caused by UDP and a less-good internet (like WiFi)? Do you know of a way to automatically fallback to TCP when UDP 's performance is bad? Thanks for your help! Robert
https://cdn.proprivacy.com/storage/images/2020/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-default.png
Douglas Crawford replied to Robert
on November 11, 2019
Reply
Hi Robert. I'm afraid I have not encountered this problem before. UDP is faster and is the "plain vanilla" way OpenVPN should work. In fact, if you talk to network engineers about OpenVPN over TCP they will screw up their faces and start using words like "ugly." OpenVPN over TCP is very inefficient. Its a cludge that can work when regular OpenVPN connections are blocked, but it is a cludge. So unless someone is actively blocking your OpenVPN connections (which doesn't sound like its what is happening, then I don't think UDP is the issue. I would blame other factors such as poor WFii or slow VPN servers (where distance is a big factor - don't connect to European servers from Australia and expect to get a fast connection!).

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

Large brand with very good value, and a budget price

The fastest VPN we test, unblocks everything, with amazing service all round

Longtime top ranked VPN, with great price and speeds

One of the cheapest VPNs out there, but still a good service