VPN TCP or UDP: what to choose and how to fix disconnections

If the VPN behaves strangely (disconnects, does not connect, or loads YouTube at 90s speeds), the likely cause is the choice of transport protocol. How to fix this by choosing between TCP and UDP, without blindly tweaking settings, is one of the most common questions in support. Below are specific steps, without fluff.

Short answer: what to switch right now

The logic is simple. UDP is speed and stability where the network is normal. TCP (especially port 443) is about passing through strict firewalls and DPI when the provider cuts UDP. Remember this rule, and 80% of problems can be solved in two minutes.

If the VPN disconnects or lags — try UDP

Connection drops every 10 minutes, speed fluctuates, ping jumps? First, make sure UDP is set. In OpenVPN Connect on Android or iOS, this is the "Protocol" option in the profile settings. On Windows, edit the .ovpn file so that it contains the line proto udp. UDP works faster precisely because it does not waste time on delivery confirmations.

If the VPN does not connect at all — switch to TCP

VPN hangs on "Connecting..." and drops with an error after 30 seconds? This is a sign that UDP is blocked or filtered. Change proto udp to proto tcp in the .ovpn file and try again. In Amnezia, this can be switched directly in the interface, without manual config editing.

Port 443 TCP as "masking" under HTTPS

The most effective trick for bypassing provider blocks is TCP on port 443. To DPI systems, this looks like regular HTTPS traffic to some website. In the .ovpn file, you need to specify both proto tcp and port 443 at the same time. Most VPN services offer ready-made configs with such settings.

What is the difference between TCP and UDP in simple terms

Without technical lectures, but with necessary details — otherwise you won't understand why one solution works and another does not.

TCP — delivery with confirmation (reliable, but slower)

TCP is like a registered letter with a delivery notification. You send a packet — wait for confirmation. If it doesn't arrive — you send it again. This guarantees that all data will arrive and in the correct order. But each confirmation adds additional milliseconds of delay.

UDP — delivery without confirmation (fast, but without guarantees)

UDP is a postcard. You drop it in the mailbox and forget about it. Whether it arrived or not — unknown, you won't ask again. For video streaming and online games, this is normal: losing one frame is not critical. This is why YouTube, Zoom, and most games operate over UDP.

Why this is more important for VPN than it seems

VPN adds another layer over your traffic. The choice of protocol affects not only speed but also whether the provider will allow this traffic at all. Russian providers, under pressure from Roskomnadzor, actively use DPI, which can determine the type of traffic and selectively slow it down or block it.

“TCP over TCP” — the hidden reason for lags

This is what most competitors remain silent about. When you use OpenVPN over TCP and simultaneously open a website via HTTPS (also TCP), the effect of “TCP over TCP” occurs. In case of any packet loss, both layers start requesting retransmission simultaneously. This creates an avalanche of requests that throttles speed to modem levels. On a good network, you don't notice this. On unstable mobile internet or with a congested provider — the difference is colossal.

UDP is free from this effect — it simply does not ask again. Therefore, in an unstable network, UDP paradoxically performs better than “reliable” TCP.

Why the provider cuts UDP and what DPI has to do with it

Many users notice: at home on Wi-Fi, the VPN works, but on mobile data — it does not. Or it worked, and then stopped. This is not a coincidence.

How DPI (Deep Packet Inspection) recognizes VPN traffic

DPI is not just a firewall that looks at ports. It analyzes the content of packets, their size, timing, data entropy. OpenVPN and WireGuard have characteristic signatures: specific handshake patterns, fixed headers. Modern DPI systems (in Russia, solutions from Roskomnadzor's TSPU are widespread) can recognize them regardless of the port.

Blocks and slowdowns from providers and Roskomnadzor

Since 2021, Roskomnadzor has been actively implementing TSPU on the networks of major operators. During different periods, Twitter/X, YouTube, and VPN traffic with characteristic signatures have been subject to throttling. UDP on non-standard ports is the easiest to block — just filter everything that is not DNS, QUIC, or known services.

When UDP works and TCP does not — and vice versa

In corporate networks and public Wi-Fi, the picture is the opposite: often only HTTP/HTTPS traffic is allowed, that is, TCP on ports 80 and 443. UDP may be completely blocked — this is standard practice for corporate firewalls. Double NAT in hotels and airports also often only allows TCP 443.

Why it is harder to block TCP 443

Blocking TCP 443 means blocking all HTTPS. No provider in their right mind would do this: banks, government services, everything would fail. That is why TCP on port 443 remains the last line of defense when everything else is blocked. But I emphasize: this is not a panacea — smart DPI can distinguish OpenVPN TLS from real HTTPS even on port 443.

Step by step: how to switch TCP/UDP on different devices

Specific steps for each platform. I won't be taking screenshots — interfaces change with each update, while descriptions remain relevant longer.

OpenVPN on Android and iPhone

In OpenVPN Connect (version 3.x), open the profile → click on the pencil → "Advanced" → "Protocol". There is a UDP/TCP switch. If the profile was imported from a .ovpn file, it is easier to edit the file itself: find the line proto udp or proto tcp and replace it. Then delete the old profile and import the updated file again.

On iPhone with Amnezia — in the settings section of a specific server, there is a dropdown list of protocols, including OpenVPN TCP and UDP.

OpenVPN on Windows and Mac

.ovpn files are usually located in C:\Users\[name]\OpenVPN\config\ on Windows and in ~/.config/openvpn/ on Mac (or in the Tunnelblick application directory). Open the file with a text editor, change the proto line, and save it. For TCP 443, you also need to change the port: remote server.example.com 443 tcp. After the change, reconnect the tunnel.
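
The manual edit described above can be scripted. The following is an added example, not part of the original article or of any OpenVPN tooling; the function names ovpn_set_transport and sample_profile and the sample profile are constructed for illustration. It rewrites the proto, port and remote lines together and, when switching to TCP, comments out two directives that the OpenVPN manual describes as UDP options.

```shell
#!/bin/sh
# Added example. ovpn_set_transport and sample_profile are hypothetical names.
# Usage: ovpn_set_transport <profile.ovpn> <udp|tcp> [port]
# Prints the rewritten profile to stdout; the input file is left untouched.
ovpn_set_transport() {
    profile=$1 proto=$2 port=${3:-}
    case $proto in
        udp|tcp) ;;
        *) echo "proto must be udp or tcp" >&2; return 2 ;;
    esac
    awk -v proto="$proto" -v port="$port" '
        # Global transport directive (also matches udp4, tcp-client, ...).
        $1 == "proto" { print "proto " proto; seen = 1; next }
        # Global port directive, only touched when a port was requested.
        $1 == "port" && port != "" { print "port " port; next }
        # remote <host> [port] [proto]: a per-remote proto overrides "proto".
        $1 == "remote" {
            p = (port != "") ? port : $3
            out = "remote " $2
            if (p != "") out = out " " p
            if ($4 != "") out = out " " proto
            print out; next
        }
        # The OpenVPN manual describes these two as UDP options; leaving them
        # in a TCP profile can make the client refuse to start.
        proto == "tcp" && ($1 == "explicit-exit-notify" || $1 == "fragment") {
            print "# disabled (UDP only): " $0; next
        }
        { print }
        END { if (!seen) print "proto " proto }
    ' "$profile"
}

# Constructed sample profile (not a real server).
sample_profile() {
    printf '%s\n' 'client' 'dev tun' 'proto udp' \
        'remote server.example.com 1194 udp' \
        'explicit-exit-notify 1' 'mssfix 1400' 'fragment 1400'
}

tmp=$(mktemp)
sample_profile > "$tmp"
ovpn_set_transport "$tmp" tcp 443   # the "TCP on port 443" variant
rm -f "$tmp"
```

Redirect the output to a new file and import that, so the original profile stays available for switching back to UDP.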

Amnezia (AmneziaWG / OpenVPN)

Amnezia is perhaps the most convenient solution for switching protocols without fussing with files. In the app, select the connection → "Settings" → "Protocol". Available are OpenVPN UDP, OpenVPN TCP, AmneziaWG, and Shadowsocks. Switching is applied without restarting the app. This is one of the reasons why Amnezia is popular for bypassing Russian blocks.

Router setup

On routers with OpenWrt or firmware like Keenetic, changing proto requires editing the config via SSH or the web interface and then restarting the OpenVPN service with the command service openvpn restart. Simply closing and opening the app on the phone is not enough, because the tunnel is established on the router side. This is important for Smart TVs and gaming consoles: they cannot choose the protocol themselves, only the router can.

How to understand which protocol is currently active

In the logs of OpenVPN Connect, look for a line like Proto: UDP or TCP right after connecting. In the terminal on Linux/Mac, the command ss -tunp | grep openvpn will show active connections with the protocol. In Amnezia, the current protocol is displayed on the main screen under the server name.

If neither TCP nor UDP helps: what to do next

Honest conversation. If you've read this far and switching TCP/UDP didn't help, then the problem is deeper. When the classic TCP/UDP switch doesn't work, there is one answer: obfuscation is needed.

Port change: 1194, 443, 80

Port 1194 UDP is standard for OpenVPN, and it is the first one that gets blocked. Try sequentially: 443 TCP, then 80 TCP (HTTP), then 8080 TCP. Some providers cut non-standard ports wholesale, leaving only 80 and 443. If the VPN server supports multiple ports, trying them all will take less than five minutes.

Switching to obfuscated protocols: Shadowsocks, VLESS/XRay, AmneziaWG

Modern DPI can identify OpenVPN and WireGuard even on port 443 — by handshake patterns and traffic structure. Shadowsocks encrypts not only data but also headers, making traffic statistically similar to random noise. VLESS/XRay go even further: they hide inside a legitimate WebSocket or gRPC connection to a real domain. AmneziaWG adds junk packets to WireGuard, breaking its signature.

Services like NvoVPN and Amnezia-based solutions support these protocols without manual configuration — this is one option if you don't want to deploy your own server. For self-configuration, you need a VPS and an hour of time with XRay or 3x-ui documentation.

When the problem is not with the protocol, but with MTU

Symptom: VPN connects, status "connected," but websites either do not load at all or load partially — text is present, images are not. This is a classic sign of an MTU conflict. VPN adds headers to packets, increasing their size beyond the allowable MTU of 1500 bytes. Packets start to fragment or get lost.

Solution for OpenVPN: add the lines mssfix 1400 and fragment 1400 to the .ovpn file. For WireGuard, set the MTU to 1380 in the interface settings. You can find the exact value using the command ping -M do -s 1400 8.8.8.8 (Linux/Mac): reduce the size until the ping stops reporting fragmentation errors.
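
The "reduce the size until it passes" search can be automated. The script below is an added example, not from the original article; every function name in it is hypothetical. The default probe uses Linux iputils ping flags (macOS ping sets the don't-fragment bit with -D rather than -M do), and the demo runs against a constructed stand-in probe so that it works offline. It goes slightly beyond the text by converting the result into a path MTU and a WireGuard interface MTU, assuming an IPv4 path for the probe.

```shell
#!/bin/sh
# Added example. All function names here are hypothetical.

# Real probe: one ICMP echo with "don't fragment" set (Linux iputils ping
# flags; macOS ping uses -D instead of -M do).
probe_df() { ping -M do -c 1 -W 1 -s "$1" "$2" >/dev/null 2>&1; }

# Constructed stand-in for a link whose path MTU is 1460 bytes:
# payloads up to 1432 bytes pass, larger ones are dropped.
fake_probe() { [ "$1" -le 1432 ]; }

# largest_df_payload <host> [lo] [hi] [probe_fn]
# Binary search for the largest ICMP payload that passes unfragmented.
# 1472 is the ceiling because 1472 + 28 header bytes = 1500.
largest_df_payload() {
    host=$1 lo=${2:-1200} hi=${3:-1472} probe=${4:-probe_df}
    if ! "$probe" "$lo" "$host"; then
        echo "payload $lo does not pass; host down or floor too high" >&2
        return 1
    fi
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid" "$host"; then lo=$mid; else hi=$((mid - 1)); fi
    done
    echo "$lo"
}

# Payload + 8-byte ICMP header + 20-byte IPv4 header = packet size.
path_mtu() { echo $(( $1 + 28 )); }

# WireGuard adds 32 bytes of its own plus 8 (UDP) and an outer IP header:
# 60 bytes over IPv4, 80 over IPv6. Subtracting 80 is safe for both.
wg_mtu() { echo $(( $1 - 80 )); }

payload=$(largest_df_payload 192.0.2.1 1200 1472 fake_probe)
echo "largest payload: $payload"
echo "path MTU:        $(path_mtu "$payload")"
echo "WireGuard MTU:   $(wg_mtu "$(path_mtu "$payload")")"
# Against a real host: largest_df_payload 8.8.8.8
```

With the constructed 1460-byte path, the search settles on a 1432-byte payload and the derived WireGuard MTU comes out at 1380, the value suggested above.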

Checking on the server side and changing location

Sometimes the problem is not in the client settings. The VPN server may be overloaded, its IP may have been blacklisted by Roskomnadzor, or the hosting may have routing issues to Russian networks. Try connecting to another server in another country — if it works, then the problem was with a specific node. The Netherlands and Finland traditionally fare better through Russian providers than, for example, the USA or Australia.

Frequently asked questions

Which is faster for VPN — TCP or UDP?

UDP is almost always faster and has lower latency — there are no overheads for acknowledgments and retransmissions. On a normal network, the difference is 10–30% in speed and a noticeable difference in ping. TCP is chosen for its ability to pass through firewalls and DPI, consciously sacrificing speed. Keeping TCP as the main protocol without reason is a bad idea.

Why does my VPN only work on TCP, but UDP won't connect?

The provider or DPI system is cutting UDP traffic on non-standard ports. TCP on port 443 is disguised as regular HTTPS — that's why it passes where UDP fails. This is a direct sign of active traffic filtering. On mobile internet (LTE/5G), this occurs more often than on home fiber.

Which protocol to choose for bypassing blocks on YouTube, Instagram, and Telegram?

Start with UDP — it will provide decent speed for video and streaming. If UDP is being cut by the provider — switch to TCP 443. If that doesn't help, and Telegram or Instagram still won't open — then obfuscated protocols (VLESS/XRay, Shadowsocks, AmneziaWG) are necessary. The simple choice of TCP/UDP against modern DPI is just the first step.

Does WireGuard have a choice between TCP or UDP?

No. WireGuard works exclusively over UDP — this is part of its architecture. If your provider blocks UDP, WireGuard will not connect with any client-side settings. Solutions: switch to OpenVPN with TCP, use AmneziaWG (which adds obfuscation on top of WireGuard), or use the udp2raw wrapper, which tunnels UDP in TCP. This is one of the main reasons why WireGuard is blocked more often than OpenVPN TCP.

VPN connects, but there is no internet or websites load partially — what does TCP/UDP have to do with it?

Most likely, the problem is with MTU, not with the choice of protocol. VPN headers increase the size of packets, and they do not pass through the tunnel entirely. Try adding mssfix 1400 and fragment 1400 to the OpenVPN config or lowering the MTU to 1380 in the WireGuard settings. Also, try changing the port and the server location; sometimes the problem is there.

Is it dangerous to always use TCP instead of UDP?

It's not dangerous in terms of security. But on an unstable network, TCP is noticeably slower due to the "TCP over TCP" effect: double packet retransmissions during losses choke the speed. On good fiber, the difference is small. On mobile internet with packet loss of 2–5% — it is very noticeable. Keep TCP as a backup option for bypassing blocks, but return to UDP at the first opportunity.

To briefly summarize how to fix most VPN problems with the TCP/UDP choice: start with UDP, switch to TCP 443 when blocked, and if that doesn't help, look towards obfuscation. The choice between TCP and UDP is the first tool in the arsenal, but not the last.
