My VPN software gives me an option to choose TCP or UDP for my VPN connection. By default it is set to TCP. The advice online is mixed and everyone gives a different answer. Should I set it to TCP (default) or UDP?

Question asked 6 months ago by Imran (email hidden)

Good question! The answer to choosing UDP or TCP isn't as straightforward as other websites would have you believe, and there are a lot of factors that affect the performances of each.

The general rule of thumb is to use TCP until you think you need UDP. TCP is more reliable than UDP for any type of traffic, not just VPN traffic, and has more built-in safeguards to make sure your data arrives at the destination in one piece.

That said, I found a good performance boost when I switched to UDP. My network is very unreliable; I use 3G mobile broadband and a cheap Wi-Fi router for my network devices. If a network could scream to use TCP it would be mine! And yet, even in poor conditions, UDP seems to outperform it.

It helps to understand the protocols and how they each handle data transfers, then to take a scientific approach to testing TCP and UDP for comparison. To understand the protocols, each method handles connections problems and latency differently and have different visibility across the Internet;

is reliable because the network conversation between two devices is "more chatty". The sender takes great care in describing the data being sent, how many packets are to be expected, what order they should arrive in, etc. The destination makes a point to send replies to each TCP packet, confirming reception of them, and requesting more data if needed. This adds overhead to data transfers and slows things down a bit but the overall effect should be a more reliable and, therefore, potentially faster network conversation. This is called a "stateful" protocol because the sender and destination always understand what state the data transfer is in.
on the other hand is "stateless". The sender throws packets to the destination as quickly as possible with very little extra "chatter" or overhead. It doesn't really matter what order the packets arrive at the destination, or if they get there at all. UDP is perfect for video streaming or gaming where each update is small but frequent, and if an update gets missed along the way, it doesn't matter so much because the next update will make up for it (or keyframes in video, etc).

All connections over the Internet fall into the TCP or UDP categories. UDP for video streaming, P2P file sharing, gaming, high-volume chat or log streaming and so forth. TCP for web page requests, small downloads, email, chat applications, etc.

When you use a VPN service your VPN tunnel is wrapping or encapsulating your existing UDP or TCP traffic with encryption then using your chosen protocol to send that encapsulated traffic. Wrapping TCP traffic in an encrypted TCP VPN adds nearly double the overhead. It also adds a layer of complexity that makes it difficult to predict how TCP or UDP VPN tunnels will behave.

Start testing by choosing a protocol and running a speed test. Note down the upload and download rates as well as the latency. Latency plays a big part in web browsing speed and gaming speed. Then swap to the other protocol and run the same tests. This should give you an indication of which protocol to choose.

Most speed test websites use TCP packets over HTTP, so the test isn't 100% fair. You'll also want to test your favourite applications and games to see if you notice a difference. Do some web browsing on sites you know are fast, play some games on known servers, and test video streaming at a high quality to check for missed frames.

You could also try using the tracert or traceroute command from a device on your home network to your VPN server. This will count the number of hops between you and your VPN provider. Ignore any entries which show asterisks in the results. If there are only a few hops and you have a fast, stable Internet connection, UDP is a viable option.

Many corporate networks, schools and some governments will block UDP traffic on certain ports (or altogether) so, in this case, TCP is preferred. Using TCP on port 443 is (almost) indistinguishable from normal HTTPS traffic and is unlikely to be detected without very deep packet inspection.

Answered by Xander (staff)