WireGuard
  Year: 2019
  Protocol: UDP only
  Encryption: ChaCha20-Poly1305
  Key exchange: Curve25519
  Code lines: ~4,000
  Speed: ★★★★★ Fastest
  Handshake: 1-RTT
  Best for: mobile, modern

OpenVPN
  Year: 2001
  Protocol: TCP or UDP
  Encryption: AES-256-GCM
  Key exchange: TLS (OpenSSL)
  Code lines: ~70,000
  Speed: ★★★★☆ Good
  Handshake: TLS 1.3
  Best for: firewall bypass (TCP 443)

IPsec/IKEv2
  Year: 1995 / 2005
  Protocol: UDP 500/4500
  Encryption: AES-256-GCM
  Key exchange: Diffie-Hellman
  Code lines: ~40,000
  Speed: ★★★★☆ Fast
  Handshake: IKEv2
  Best for: enterprise, iOS native

L2TP/IPsec
  Year: 2000
  Protocol: UDP 1701
  Encryption: AES-256 (outer)
  Double encap: L2TP inside IPsec
  Speed: ★★★☆☆ Slow
  Status: Legacy — avoid
  Best for: nothing modern
⚠ DNS Leak — the VPN's invisible hole
Even with a VPN, your DNS queries may bypass the VPN tunnel and go directly to your ISP's DNS server. This reveals every domain you visit even though your traffic is encrypted.
Why it happens: Your OS may use a system DNS resolver that ignores the VPN's pushed DNS settings, especially on Windows with Smart Multi-Homed Name Resolution (SMHNR).
Without VPN: DNS → ISP DNS → ISP can log domains
With VPN (no leak): DNS → VPN tunnel → VPN provider DNS
With VPN + DNS leak: DNS → ISP DNS directly ← ISP sees everything
Fix: Use a VPN client that forces DNS through the tunnel, or manually set DNS to 1.1.1.1 or 9.9.9.9 and block all other DNS at the firewall.
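The "block all other DNS at the firewall" half of the fix, written as an nftables kill switch. This is an added example, not part of the original page; it assumes a Linux host with nftables, a tunnel interface named wg0 (hypothetical) and the two resolvers named above. Anything that looks like DNS (53/853) and is neither leaving on the tunnel nor addressed to a pinned resolver is logged and dropped.

```shell
#!/bin/sh
# DNS kill switch for the leak described above. Added example, not from the page.
# Assumptions: nftables is installed, the VPN interface is "wg0", and the pinned
# resolvers are IPv4 addresses (1.1.1.1 / 9.9.9.9 as the page suggests).

# Emit an nft ruleset: usage  dns_leak_rules <tunnel-iface> <resolver-ip>...
dns_leak_rules() {
    iface="$1"; shift
    resolvers=$(printf '%s, ' "$@"); resolvers="${resolvers%, }"
    cat <<EOF
table inet dnsguard {
    chain output {
        type filter hook output priority 0; policy accept;
        # DNS that already rides the tunnel is what we want
        oifname "$iface" udp dport { 53, 853 } accept
        oifname "$iface" tcp dport { 53, 853 } accept
        # DNS to the pinned resolvers is allowed on any interface. Caveat: plain
        # port-53 queries that leave outside the tunnel are still visible to the
        # ISP; DoT (853) to the same hosts hides the names but not the resolver.
        ip daddr { $resolvers } udp dport { 53, 853 } accept
        ip daddr { $resolvers } tcp dport { 53, 853 } accept
        # Everything else that looks like DNS (IPv4 and IPv6, since the table is
        # family "inet") is a leak: log it so SMHNR-style probes show up, then drop.
        udp dport { 53, 853 } log prefix "dns-leak: " drop
        tcp dport { 53, 853 } log prefix "dns-leak: " drop
    }
}
EOF
}

# Load the ruleset into the kernel (needs root). DNS over HTTPS on port 443
# cannot be distinguished by port and is not covered by these rules.
apply_dns_leak_rules() {
    dns_leak_rules "$@" | nft -f -
}

# Only apply when explicitly asked, e.g.:  sh dnsguard.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_dns_leak_rules wg0 1.1.1.1 9.9.9.9
fi
```

Watch the kernel log for the `dns-leak:` prefix after connecting; a hit there is exactly the bypassed query the section describes.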