Looking for something?

ProPrivacy is reader supported and sometimes receives a commission when you make purchases using links on this site.

OpenVPN over TCP vs. UDP

Category:
Guides
Last Updated:
June 23, 2013
Comments:
40
Douglas Crawford
Written by Douglas Crawford

OpenVPN can run over either the TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) transports. Choosing which one to use is a highly technical issue, and one that most VPN providers (quite understandably) keep hidden ‘behind the scenes’.

Some VPN providers, however, prefer to let customers choose which connection protocol they prefer. The reason for this is that while both offer distinct advantages and disadvantages in each other, choosing which is ‘best is’ difficult, as it depends what the internet is being used for, and what matters to individuals most – speed or reliability.

The Difference

TCP vs UDP, OpenVPN vs TCP, UDP vs OpenVPN... What is the difference, exactly?

TCP is, in general, the most commonly used connection protocol on the internet, as it offers error correction (and is therefore known as a ‘stateful protocol’). Whenever a computer sends a network packet using TCP, it waits for confirmation that the packet has arrived before resending the packet (if no confirmation is received), or sending the next packet (if confirmation is received). 

This means there is ‘guaranteed delivery’ of all data, making the protocol very reliable, but there is a considerable overhead as packets are sent, confirmed, re-sent etc., making it quite slow.

UDP is referred to as a ‘stateless protocol’ as it performs no such error correction, simply receiving packets with no or retries. This makes it much faster, but less reliable.

  • TCP = reliable
  • UDP = fast

Which one to use?

Which one you use, therefore, depends on whether reliability or speed is your primary concern, and, in general, UDP is better for streaming VoIP, and playing games online.

However, how much TCP actually slows a connection down in practice can be very dependent on other network factors, with distance being the most important. The further away you are from your VPN server geographically, the further TCP packets have to travel to and fro, and therefore the slower your connection will be. If the server is relatively close-by, then you may not see much of a speed loss, while benefiting from a more reliable connection.

That said, probably the best general advice is to use the faster UDP protocol unless you experience connection problems, which is the strategy adopted by most VPN providers by default.

Defeat censorship with OpenVPN on TCP Port 443

When you connect to a secure website your connection is protected by SSL encryption. You can tell that a website is secure because its URL (web address) begins with https: and a closed lock icon should appear to the left of your browser's URL bar. Traditionally it was mainly banks and online shops etc. that used SSL, but with growing public concern about internet security, it is increasingly common to see SSL encryption deployed on all kinds of websites.

SSL is the cornerstone of security on the internet, and any attempt to block it effectively breaks the internet (which hasn't stopped places such as Iran trying!). SSL runs over TCP port 443.

tcp vs udp

The interesting thing for OpenVPN (which is based on the OpenSSL libraries) is that configured to run on TCP port 443, OpenVPN traffic looks identical to regular SSL connections. This makes running OpenVPN over TCP port 443 ideal for evading censorship as:

  1. It is very difficult that OpenVPN is being used rather than regular SSL
  2. It is almost impossible to block without breaking the internet.

Some custom VPN clients allow you to select TCP port 443, or it can often be configured manually (ask your VPN provider for settings.)

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

40 Comments

Rob
on April 10, 2024
Hi Douglas, thanks for your article and the info on usage of port 443, I managed to configure my OpenVPN and then Apache as per the link you included in your Feb 6 2020 reply. A short comment on UDP versus TCP: if you use a lot of data that's of TCP type over your VPN connection, it's better to have a UDP connection, since with the error correction on TCP, any error on the line will cause a resend. With a VPN connection on UDP, any error will cause a packet resend of the connection inside the tunnel. With the VPN connection on TCP, there will be a correction/repeat packet inside the tunnel and one of the VPN connection itself. Since I had to get the solution with TCP on port 443 going (triggered by a recently visited hotel with blocks on loads of stuff, even ProtonVPN wasn't working unless in Stealth mode), I now just run 2 instances, one UDP and one TCP. Regards, Rob
Mark Johnson
on March 30, 2020
Hello Douglas, and thank you for the article. It helped me understand an issue that was always enigmatic to me. I MAY have sent you a post earlier today explaining a major performance issue I'm seeing with my VPN, but I don't see it listed here and can find no record that I actually sent it. Can you confirm that you saw it?
https://cdn.proprivacy.com/storage/images/2024/01/douglas-crawfordpng-avatar_image-small_webp.webp
Douglas Crawford replied to Mark Johnson
on March 31, 2020
Hi Mark. No, I'm afraid I haven't received any other comments from you. If you re-send I should get it :).
Janez
on February 5, 2020
Hi Douglas, is possible to run OpenVPN on TCP/443 over apache reverse proxy? Because we allready use TCP/443 port for our apache reverse proxy.
https://cdn.proprivacy.com/storage/images/2024/01/douglas-crawfordpng-avatar_image-small_webp.webp
Douglas Crawford replied to Janez
on February 6, 2020
Hi Janez. I'm not an expert on configuring Apache, but I believe this article might answer your question.
Guillem Balague
on December 11, 2019
Great article However I have a set up where I use UDP 443 for speed. I can find literally nowhere on the internet that mentions this - all is TCP 443? Does running UDP 443 instead of TCP 443 mean this is very easily detectable or something? Would really prefer to stay on UDP 443 Thanks!
https://cdn.proprivacy.com/storage/images/2024/01/douglas-crawfordpng-avatar_image-small_webp.webp
Douglas Crawford replied to Guillem Balague
on December 11, 2019
Hi Guillem, You can run OpenVPN over almost any port (bar a few which are reserved for one reason or another). This can be useful for evading firewall blocks looking for UDFP port 1194 (the default port used by OpenVPN), but doesn't really offer any other advantages. UDP port 443 is just another port. UDP port 80 is arguably more useful as that's the port used by regular unencrypted HTTP traffic. On the other side, there are no real cons to running OpenVPN over UDP 443.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

Get 3 months FREE on our #1 rated VPN
Get ExpressVPN Now »
No thanks

wasn't right for you?

We recommend you check out one of these alternatives:

Visit Site Read Review

The fastest VPN we test, unblocks everything, with amazing service all round

Visit Site Read Review

A large brand offering great value at a cheap price

Visit Site Read Review

One of the largest VPNs, voted best VPN by Reddit

Visit Site Read Review

One of the cheapest VPNs out there, but an incredibly good service