The features offered by today's best VPN clients differ depending on the provider, but one thing they all have in common is that they use VPN protocols.
These protocols are the underlying technology that powers the encrypted connection between your device and VPN servers. Some providers are content with relying on existing protocols that have been tried and tested for decades, but NordVPN is pushing the industry forward by developing its own purpose-built VPN protocol.
We’re taking a closer look at NordVPN’s proprietary VPN protocol, NordLynx, to see how it squares up against older protocols. However, before we can talk about what NordLynx brings to the table, we’ve got to talk about its closest competitors – OpenVPN and WireGuard.
What is OpenVPN?
OpenVPN has been the gold standard for VPN protocols since 2001. It's secure, stable, and compatible with everything from ancient routers to the latest smartphones.
It’s also a full private VPN solution, unlike protocols like IKEv2 or Wireguard, which only provide part of the infrastructure needed to create a private VPN connection. Unfortunately, this also means that it’s pretty bloated. The OpenVPN codebase consists of over a hundred thousand lines of code, which creates a few issues.
First of all, all that code comes with a performance penalty. OpenVPN tends to take longer to connect and provides slower connections than other VPN protocols. Part of the reason for this is that OpenVPN runs in userspace rather than the kernel, which means every packet has to make multiple trips between user and kernel space.
Secondly, it makes OpenVPN difficult to maintain and extend. While OpenVPN is open source, it’s difficult for a single person to make meaningful changes to the existing codebase or audit the code for security.
Finally, OpenVPN wasn’t built with modern devices in mind. The performance hit from running a large codebase is particularly noticeable if you’re using a mobile device, as it’ll end up draining your battery quicker. It also takes a while for the protocol to reconnect if you’re changing between Wi-Fi and mobile data, which can interrupt your streaming or gaming.
So, while OpenVPN is a perfectly valid solution for VPN providers, it’s clear there are some improvements to be made. That’s why some providers also offer WireGuard as an alternative.
What is WireGuard?
WireGuard’s design philosophy is completely different from OpenVPN. Where OpenVPN is intended to be a one-size-fits-all solution that handles every aspect of the VPN process, WireGuard focuses on doing one thing exceptionally well: creating fast, secure VPN tunnels with minimal overhead.
It’s implemented entirely in the kernel, meaning that when a network packet reaches your device, it’s handled directly by the operating system instead of being handed off to a program you’re running in your userspace.
Doing these context switches is relatively expensive, so keeping everything running in the kernel allows WireGuard to process internet traffic faster and with less processing power.
It’s immediately apparent when you start digging into WireGuard’s internals how streamlined it is in comparison to OpenVPN. The entire protocol runs on around 4,000 lines of code. In fact, if you’re an experienced developer, it’s possible to audit the entire protocol single-handedly.
WireGuard focuses on doing one thing exceptionally well: creating fast, secure VPN tunnels with minimal overhead
Having a smaller codebase means there’s less of an attack surface for hackers trying to spot security flaws in WireGuard, and it’s easier for developers to maintain without introducing potential vulnerabilities.
It also means there’s less of a resource footprint compared to OpenVPN, which is essential for mobile devices. OpenVPN's complex architecture and constant encryption/decryption cycles can significantly impact battery life on mobile devices. WireGuard's leaner design uses substantially less CPU power, which translates to longer battery life.
The protocol also handles connection roaming much better than OpenVPN. If you're on a train switching between cell towers, or moving between Wi-Fi and mobile data, WireGuard seamlessly maintains the connection.
WireGuard’s lean development philosophy also extends to the encryption algorithms it supports. While OpenVPN supports a variety of cryptography ciphers, WireGuard exclusively uses ChaCha20 for encryption and Poly1305 for authentication.
Not only does cutting down on the libraries WireGuard uses keep the codebase small, but it also ensures that WireGuard can’t be configured to use insecure encryption. As a bonus, this design means that if researchers find flaws in the current encryption standards WireGuard uses, it can be updated to force users to upgrade to secure protocols instead of continuing to support outdated ones.
Why Nordlynx?
We’ve spent a lot of time talking about WireGuard, and not so much talking about NordLynx. There’s a good reason for that. Under the hood, NordLynx uses a lot of WireGuard code to power the protocol.
We’ll get onto what NordLynx does differently in a moment, but we should first talk about why WireGuard isn’t a perfect solution before we discuss what NordLynx does better.
Despite all the advantages we’ve discussed so far, WireGuard has some major flaws compared to OpenVPN for commercial VPN providers. Most of these revolve around how WireGuard assigns IPs and handles authentication. Simply put, WireGuard has rock-solid security guarantees but an iffy privacy implementation.
The core issue is that the protocol can't dynamically assign IP addresses, so it maintains a static table linking users to their assigned addresses. This is, in part, due to how WireGuard handles authentication. The default WireGuard implementation uses an IP whitelist authenticated with public keys to determine which users are allowed to connect to the server.
Unfortunately, this is a nightmare for VPN providers trying to maintain user privacy. If law enforcement seized a WireGuard server, they'd find a detailed log of which users were connected to which IP addresses. That's exactly the kind of logging that defeats the entire purpose of using a VPN.
This is where NordLynx comes into play. NordVPN has taken the WireGuard codebase and upgraded the server architecture with a clever privacy layer. Instead of one server handling both user authentication and traffic routing, NordLynx splits these functions across two separate systems.
The first server handles authentication. It verifies that you have a valid NordVPN subscription by soliciting your authentication details and assigns you the same local IP address as every other user. The second server handles traffic routing with dynamically assigned addresses. By breaking the link between authentication and routing, no single server contains both your identity and your traffic data.
Even if authorities seized NordVPN's servers, they'd only find half the puzzle on each machine. The authentication server knows who you are but not what you're doing, while the routing server knows what traffic is flowing but not who it belongs to.
How does NordLynx compare to other protocols?
Our speed tests show that the performance gap between OpenVPN on NordVPN and NordLynx is dramatic. While NordVPN's OpenVPN implementation delivered between 109-173 Mbps download when connecting from Dublin to our nearest server, NordLynx consistently hit 780-950+ Mbps. That's roughly a 6x performance improvement.
For context, we use a 1 Gbps testing connection to evaluate our top VPNs, so at the top end, NordLynx maxes out our testing line.
The results from our transatlantic test were more mixed, but still impressive at the top end. NordLynx delivered anywhere between 436-950 Mbps, depending on the time of day, compared to 98-159Mbps on OpenVPN.
Where NordLynx particularly shines is in upload performance. We’ve found that most providers struggle to maintain upload speeds that match their download performance, but NordVPN consistently delivered 950+ Mbps uploads on nearby servers.
Check out our guide to today's five fastest VPNs. We routinely put VPN performance to the test with in-house evaluations, and our rankings are always up to date.
Raw speed isn't everything. Latency (how long it takes for data to make a round trip) matters enormously for gaming and video calls. Here, the differences between protocols are significantly less pronounced.
For our nearest server tests, OpenVPN actually ended up beating out NordLynx slightly. We recorded 18-22ms for NordLynx, whereas OpenVPN posted 11-19ms.
It’s less clear for transatlantic connections, with NordLynx managing 73-82ms, and OpenVPN hitting anywhere between 63-94ms depending on time of day. Overall, there’s a very small difference between NordLynx and OpenVPN when connecting locally, whereas OpenVPN might perform just slightly worse when connecting overseas.
What do these speeds mean for you? Well, 25 Mbps is more than enough for 4K streaming, video calls, and general web browsing. As long as you meet the minimum requirements for streaming, the jump from 150 Mbps to 950+ Mbps won't transform your Netflix experience.
Where it does matter is for bandwidth-intensive activities like downloading large files, uploading content to YouTube, or covering a household with multiple users streaming simultaneously. The difference between waiting 10 minutes versus 2 minutes for a large download is meaningful.
There's one significant downside to NordLynx, however. It won't work with standard WireGuard clients. The double NAT architecture means you can't export your configuration to third-party apps or routers that support vanilla WireGuard. You're locked into NordVPN's official clients, which are available for all major platforms including Windows, iOS, Android, MacOS, and Linux.
If you prefer using your router's built-in VPN client or a third-party app, you'll need to stick with OpenVPN.
