OpenVPN over TCP vs. UDP

OpenVPN can run over either the TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) transports. Choosing which one to use is a highly technical issue, and one that most VPN providers (quite understandably) keep hidden ‘behind the scenes’.

Some VPN providers, however, prefer to let customers choose which connection protocol they use. The reason for this is that while each offers distinct advantages and disadvantages over the other, choosing which is ‘best’ is difficult, as it depends on what the internet is being used for, and on what matters most to the individual: speed or reliability.

The Difference

TCP vs UDP, OpenVPN vs TCP, UDP vs OpenVPN... What is the difference, exactly?

TCP is, in general, the most commonly used connection protocol on the internet, as it offers error correction (and is therefore known as a ‘stateful protocol’). Whenever a computer sends a network packet using TCP, it waits for confirmation that the packet has arrived before resending the packet (if no confirmation is received), or sending the next packet (if confirmation is received). 

This means there is ‘guaranteed delivery’ of all data, making the protocol very reliable, but there is a considerable overhead as packets are sent, confirmed, re-sent etc., making it quite slow.

UDP is referred to as a ‘stateless protocol’ as it performs no such error correction, simply sending packets with no acknowledgements or retries. This makes it much faster, but less reliable.

  • TCP = reliable
  • UDP = fast

Which one to use?

Which one you use, therefore, depends on whether reliability or speed is your primary concern, and, in general, UDP is better for streaming, VoIP, and playing games online.

However, how much TCP actually slows a connection down in practice can be very dependent on other network factors, with distance being the most important. The further away you are from your VPN server geographically, the further TCP packets have to travel to and fro, and therefore the slower your connection will be. If the server is relatively close-by, then you may not see much of a speed loss, while benefiting from a more reliable connection.

That said, probably the best general advice is to use the faster UDP protocol unless you experience connection problems, which is the strategy adopted by most VPN providers by default.

Defeat censorship with OpenVPN on TCP Port 443

When you connect to a secure website your connection is protected by SSL encryption. You can tell that a website is secure because its URL (web address) begins with https: and a closed lock icon should appear to the left of your browser's URL bar. Traditionally it was mainly banks and online shops etc. that used SSL, but with growing public concern about internet security, it is increasingly common to see SSL encryption deployed on all kinds of websites.

SSL is the cornerstone of security on the internet, and any attempt to block it effectively breaks the internet (which hasn't stopped places such as Iran trying!). SSL runs over TCP port 443.

The interesting thing for OpenVPN (which is based on the OpenSSL libraries) is that, when configured to run on TCP port 443, OpenVPN traffic looks identical to regular SSL connections. This makes running OpenVPN over TCP port 443 ideal for evading censorship as:

  1. It is very difficult to tell that OpenVPN is being used rather than regular SSL.
  2. It is almost impossible to block without breaking the internet.

Some custom VPN clients allow you to select TCP port 443, or it can often be configured manually (ask your VPN provider for the settings).
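As an added example (not from the article or from any provider's client software), here is a minimal OpenVPN client profile that tries the default UDP transport first and falls back to TCP port 443 as described above. The hostname vpn.example.com and the certificate/key file names are placeholders, and the server must be listening on both ports with matching settings.

```conf
# Added example client profile, not a provider's own configuration.
# vpn.example.com and the ca/cert/key/tls-crypt file names are placeholders.
client
dev tun
nobind
persist-key
persist-tun
resolv-retry infinite

# Connection profiles are tried in the order listed. OpenVPN moves on to the
# next block when an attempt fails or times out, so UDP (fast) is used when
# it works and TCP 443 (looks like ordinary HTTPS) only when UDP is blocked.
<connection>
remote vpn.example.com 1194 udp
</connection>
<connection>
remote vpn.example.com 443 tcp-client
</connection>
# Seconds to wait for a server reply before trying the next profile.
connect-timeout 10
# Seconds between retries once all profiles have been tried.
connect-retry 5

# Strong settings: verify the server certificate's purpose, require TLS 1.2+,
# use an AEAD cipher, and encrypt the control channel with a pre-shared key
# (tls-crypt, OpenVPN 2.4+; the server must use the same key).
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
tls-crypt tc.key
ca ca.crt
cert client.crt
key client.key

verb 3
```

Watch the log at `verb 3`: a line showing a connection to port 443 over TCP tells you the UDP profile failed and the fallback is in use.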


Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

35 Comments

  1. Guillem Balague

    on December 11, 2019
    Reply

    Great article. However, I have a setup where I use UDP 443 for speed. I can find literally nowhere on the internet that mentions this - all is TCP 443? Does running UDP 443 instead of TCP 443 mean this is very easily detectable or something? Would really prefer to stay on UDP 443. Thanks!

    1. Douglas Crawford replied to Guillem Balague

      on December 11, 2019
      Reply

      Hi Guillem, You can run OpenVPN over almost any port (bar a few which are reserved for one reason or another). This can be useful for evading firewall blocks looking for UDP port 1194 (the default port used by OpenVPN), but doesn't really offer any other advantages. UDP port 443 is just another port. UDP port 80 is arguably more useful as that's the port used by regular unencrypted HTTP traffic. On the other side, there are no real cons to running OpenVPN over UDP 443.

  2. Robert

    on November 9, 2019
    Reply

    Hi Douglas. Thanks for this post. I wonder: UDP is fast, but TCP is more reliable. Do you know how this affects the VPN in practice? Could the next problem be caused by UDP? We are experiencing some problems with OpenVPN and RDP. When users scroll PDFs or have other high-load screen updates (like animated things of the Windows 10 user interface), the VPN sometimes stalls for a moment. Pings time out. RDP freezes and reconnects after a while. Sometimes the OpenVPN log shows "Authenticate/Decrypt packet error: bad packet ID (may be a replay)". People suggest using TCP instead of UDP. I can imagine that a heavy load is more likely to have problems with UDP packets coming over in the wrong order, causing the replay error. TCP packets, I guess, are confirmed packet after packet, in the correct order. If I test with UDP or TCP and scroll through PDFs, it looks like TCP is always very slow. UDP seems fast until the moment it 'breaks' and I have to wait +/- 20 seconds to reconnect. Is this a known phenomenon? Do you think it's caused by UDP and a less-good internet (like WiFi)? Do you know of a way to automatically fall back to TCP when UDP's performance is bad? Thanks for your help! Robert

    1. Douglas Crawford replied to Robert

      on November 11, 2019
      Reply

      Hi Robert. I'm afraid I have not encountered this problem before. UDP is faster and is the "plain vanilla" way OpenVPN should work. In fact, if you talk to network engineers about OpenVPN over TCP they will screw up their faces and start using words like "ugly." OpenVPN over TCP is very inefficient. It's a kludge that can work when regular OpenVPN connections are blocked, but it is a kludge. So unless someone is actively blocking your OpenVPN connections (which doesn't sound like it's what is happening), then I don't think UDP is the issue. I would blame other factors such as poor WiFi or slow VPN servers (where distance is a big factor - don't connect to European servers from Australia and expect to get a fast connection!).

  3. David

    on July 15, 2019
    Reply

    Hi dear Douglas, Thank you very much for sharing this helpful article. You mentioned Iran in this article; unfortunately the dictatorship regime sometimes blocks VPN ports and only a few VPNs work correctly!!! For me, I configured OpenVPN on the DD-WRT router and use VPN providers such as IPVanish and NordVPN to bypass censorship, because when I use a VPN app on my phone, especially on iOS, the battery dies faster than normal. Thanks again

    1. Douglas Crawford replied to David

      on July 22, 2019
      Reply

      Hi David. We are working on a report which measures popular VPN app metrics, including their effect on device battery life.

    2. Marc replied to David

      on August 22, 2019
      Reply

      Fastest VPN does not offer OpenVPN within its Windows app. It has to be configured manually. They do offer military AES encryption across all protocols. That being said, if one chooses just UDP with AES encryption within their app, would one still be secure without using OpenVPN?

      1. Douglas Crawford replied to Marc

        on August 23, 2019
        Reply

        Hi Marc. An increasing number of VPN services are using IKEv2 in their apps thanks to its increased performance over OpenVPN. I'm guessing this is what your VPN service is doing since IKEv2 can be routed over UDP but not TCP (the same is also true of L2TP/IPsec, but the use of this protocol has been heavily deprecated in recent years as it is known to have been cracked by the NSA). IKEv2 (which is almost always paired with an AES cipher to secure the data itself) is widely believed to be very secure, although it has not been "battle-tested" in the way that OpenVPN has. Note that OpenVPN should only really be considered secure if strong settings are used (most particularly Perfect Forward Secrecy). Please see our Ultimate Guide to VPN Encryption (https://proprivacy.com/guides/vpn-encryption-the-complete-guide) for more details.

  4. Khilwat

    on November 30, 2016
    Reply

    Hi, Greetings. I have IPVanish which I use regularly with UDP. But I need some websites whose addresses do not have https or http or any other sign of that kind, but start with things like www.address.com. My question to you is: can I think that because of these addresses I am not safe even though I am using IPVanish? I thank you in advance for your responses and help. Thanks, Khilwat

    1. Douglas Crawford replied to Khilwat

      on November 30, 2016
      Reply

      Hi Khilwat, All websites (except dark web sites) start with either http or https. If one just says www.something dot com, then it really starts with http (as in your example above). Your VPN will protect you whichever websites you visit.
