OpenVPN over TCP vs. UDP: what is the difference, and which should I choose?

OpenVPN can run over either the TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) transports. Choosing which one to use is a highly technical issue, and one that most VPN providers (quite understandably) keep hidden ‘behind the scenes’.

Some VPN providers, however, prefer to let customers choose which connection protocol they use. The reason for this is that while both offer distinct advantages and disadvantages in relation to each other, choosing which is ‘best’ is difficult, as it depends on what the internet is being used for, and what matters most to individuals – speed or reliability.

The Difference

TCP is, in general, the most commonly used connection protocol on the internet, as it offers error correction (and is therefore known as a ‘stateful protocol’). Whenever a computer sends a network packet using TCP, it waits for confirmation that the packet has arrived before resending the packet (if no confirmation is received), or sending the next packet (if confirmation is received).

This means there is ‘guaranteed delivery’ of all data, making the protocol very reliable, but there is a considerable overhead as packets are sent, confirmed, re-sent etc., making it quite slow.

UDP is referred to as a ‘stateless protocol’ as it performs no such error correction, simply receiving packets with no acknowledgments or retries. This makes it much faster, but less reliable.

  • TCP = reliable
  • UDP = fast

Which one to use?

Which one you use, therefore, depends on whether reliability or speed is your primary concern, and, in general, UDP is better for streaming media, VoIP, and playing games online.

However, how much TCP actually slows a connection down in practice can be very dependent on other network factors, with distance being the most important. The further away you are from your VPN server geographically, the further TCP packets have to travel to and fro, and therefore the slower your connection will be. If the server is relatively close-by, then you may not see much of a speed loss, while benefiting from a more reliable connection.

That said, probably the best general advice is to use the faster UDP protocol unless you experience connection problems, which is the strategy adopted by most VPN providers by default.
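The trade-off described above can be put into numbers. The following is an added example, not code from the original article: it models the article's simplified picture of TCP (one packet at a time, each confirmed before the next is sent; real TCP keeps many packets in flight) against send-once UDP over the same lossy link. The function names, the 1 ms send time, the loss pattern and the 20 ms and 200 ms round-trip times are all constructed assumptions.

```python
from itertools import count


def lossy_link(drop_every):
    """Constructed loss pattern: every `drop_every`-th transmission is lost."""
    sent = count(1)
    return lambda: next(sent) % drop_every != 0  # True means the packet arrived


def send_unacknowledged(n_packets, arrives, send_ms=1.0):
    """UDP-style: transmit each packet once; no confirmation, no retry."""
    delivered = sum(1 for _ in range(n_packets) if arrives())
    return {"delivered": delivered, "transmissions": n_packets,
            "elapsed_ms": n_packets * send_ms}


def send_acknowledged(n_packets, arrives, rtt_ms, send_ms=1.0):
    """The article's TCP model: confirm each packet before the next, resend on silence."""
    elapsed = 0.0
    transmissions = 0
    for _ in range(n_packets):
        while True:
            transmissions += 1
            # Assumption: a confirmation, or the timeout that replaces it,
            # costs one round trip; confirmations themselves are never lost.
            elapsed += send_ms + rtt_ms
            if arrives():
                break
    return {"delivered": n_packets, "transmissions": transmissions,
            "elapsed_ms": elapsed}


def compare(n_packets=100, drop_every=10, rtts_ms=(20, 200)):
    """Same traffic and loss pattern, nearby vs. distant server."""
    rows = [("unacknowledged", None,
             send_unacknowledged(n_packets, lossy_link(drop_every)))]
    for rtt in rtts_ms:
        rows.append(("acknowledged", rtt,
                     send_acknowledged(n_packets, lossy_link(drop_every), rtt)))
    return rows


if __name__ == "__main__":
    for mode, rtt, r in compare():
        print(f"{mode:15} rtt={rtt} ms  delivered={r['delivered']}  "
              f"sent={r['transmissions']}  elapsed={r['elapsed_ms']:.0f} ms")
```

With these inputs the unacknowledged sender finishes in 100 ms but delivers only 90 of 100 packets, while the acknowledged sender delivers all 100 at the cost of 111 transmissions and a total time that grows in step with the round-trip time.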

Defeat censorship with OpenVPN on TCP Port 443

When you connect to a secure website your connection is protected by SSL encryption. You can tell that a website is secure because its URL (web address) begins with https://, and a closed lock icon should appear to the left of your browser’s URL bar. Traditionally it was mainly banks and online shops etc. that used SSL, but with growing public concern about internet security, it is increasingly common to see SSL encryption deployed on all kinds of websites.

SSL is the cornerstone of security on the internet, and any attempt to block it effectively breaks the internet (which hasn’t stopped places such as Iran trying!) SSL runs over TCP port 443.

The interesting thing for OpenVPN (which is based on the OpenSSL libraries) is that if configured to run on TCP port 443, OpenVPN traffic looks identical to regular SSL connections. This makes running OpenVPN over TCP port 443 ideal for evading censorship as:

  1. It is very difficult to detect that OpenVPN is being used rather than regular SSL.
  2. It is almost impossible to block without breaking the internet.

Some custom VPN clients allow you to select TCP port 443, or it can often be configured manually (ask your VPN provider for settings.)



Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

18 responses to “OpenVPN over TCP vs. UDP: what is the difference, and which should I choose?”

  1. Thanks for post! I have one important question:
    Does TCP in applications will be reliable if I will use it through UDP VPN?
    For example I have VPN server with some application listen TCP on
    and I will connect from TCP from host to Will it be reliable ?

    1. Hi van,

      TCP requires packet authentication, so yes, it should be reliable. If any packets are lost due to routing via a UDP VPN connection, your TCP connections may slow down, however, because they are waiting for any lost TCP packets to be resent. In practice I doubt that you will notice this unless your VPN connection is very unstable.

  2. Does SSL only run on TCP? I am using UDP, does that mean I have the normal OpenVPN, which is not being protected by SSL layer?

    1. Hi Ioanna,

      OpenVPN uses the OpenSSL library and SSLv3/TLSv1 protocols, along with an amalgam of other technologies, to provide a strong and reliable VPN solution. So yes, your OpenVPN connection is always protected by an SSL layer (in both TCP and UDP configurations). TCP port 443 is the port used for regular HTTPS connections (HTTP over SSL), so running OpenVPN on TCP port 443 hides the fact that you are using OpenVPN (as it now looks exactly like regular HTTPS traffic). This also makes it very difficult to block OpenVPN without blocking access to all SSL-secured (HTTPS) websites.

  3. About Port 25 support!

    Please, I would like to confirm if port 25 is opened in your VPN for Desktop client or Bulk email senders? Thanks for your kind answer.

    1. Hi Prince Coleman,

      I can’t speak for every VPN provider, but yes, Port 25 is usually open when using a VPN client, allowing you to send email as normal.

  4. I experience a lot of idle traffic using UDP – about 1 KByte/s per Client which sums up to about 500 MB a day for 8 clients. That’s way too much for a limited LTE/HSDPA connection.

    I read some links ago that OpenVPN via TCP produces nearly no traffic on idle. Is there someone that confirms to that?

    1. Hi Boandlgramer,

      By “idle traffic” do you mean lost/undelivered network packets? If so then switching to TCP will fix the problem because it uses error correction (it waits for confirmation that the packet has arrived before resending the packet (if no confirmation is received), or sending the next packet (if confirmation is received)). In any case, why not just switch to TCP and run tests to see if this fixes the issue you are experiencing?

  5. Awesome post on the difference between these 2. Though I was wondering if I Use tcp will I not disconnect from a game randomly since the packets are guaranteed to reach? Since I’m playing an online game that requires a vpn. The UDP speed is kinda drawing me to it more though.

    1. Hi Anonymous,

      Thanks. Using TCP may not stop you disconnecting (depending on the cause of disconnection,) but assuming that you have some connection, it will guarantee that all packets get through. If you are experiencing regular disconnections you can certainly try using TCP to see if it helps, or else contact your provider (although this may be an issue relating to your ISP or local internet environment, rather than anything to do with the VPN per se.).

  6. Keep in mind that if your internet connection is not reliable itself, UDP data won’t reach the destination properly and that causes more data loss in overall while a TCP connection at least helps the reliability of communications.

  7. Thanks, this is what I needed: a concise explanation.

    I just set up my first VPN connection and am using it now.
    Based on this article I chose the UDP file.

    Already changing clients from Tunnelblick to SoftEther, hoping it’s faster.

  8. hey,

    we experience high packet loss when using bridged network with TCPoverTCP via a 10Mbit link instead of 2Mbit. Over the 2Mbit link everything is fine but the latencies – but that is a thing we can live with because we have lots of GSM/UMTS road warriors. We want to change to bridged network via TCPoverUDP to improve performance.

  9. Take UDP:
    Using TCP holds the risk of variable delay e.g. because of packet loss at the VPN tcp layer. This delay can be interpreted as packet loss by the tcp stack for the traffic in the tunnel. As a result it can lead to multiple retransmits on multiple layers. E.g. a single packet loss at the VPN layer could trigger a retransmit for multiple packets within the tunnel, for packets that are not lost to begin with as these packets are guaranteed to be delivered by the TCP stack of the tunnel.

    1. Hi Ruud,

      That is exactly right, and is why UDP is faster than TCP (I was trying to keep the article as simple and layman friendly as possible). Basically, unless you are experiencing problems (packet loss), you should stick with UDP.

    2. Seriously, take UDP:
      Using TCP even makes no sense as your protocols INSIDE the tunnel will again use TCP for reliable data transfers.
      And as Ruud S says, TCP over TCP is a bad idea.

      The only reason to use TCP (e.g. on Port 443) is for traversing restrictive Firewalls.

  10. Take UDP.
    In most cases UDP is the better choice (simply faster than TCP).
    OpenVPN has a built-in flow control which works over UDP.

