
VPN Encryption Explained in Plain English

What AES-256, WireGuard, and ChaCha20 actually do — and why some of the marketing claims do not matter.

By Jordan Brennan · Editor & Lead Tester
Last updated: April 24, 2026

Every VPN marketing page claims "military-grade encryption." The phrase is accurate and mostly meaningless — every serious VPN uses the same underlying cipher. The useful question is not "is my traffic encrypted" but "what protocol wraps the encryption, how are keys exchanged, and how well is the whole thing implemented." Here is the working knowledge you need to read a VPN's security page without translating jargon.

What encryption actually does

Encryption is a mathematical transformation that turns readable data (plaintext) into unreadable data (ciphertext), and back again with the right key. A VPN encrypts every packet of data leaving your device before it reaches your ISP. To your ISP, all that traffic looks like uninterpretable random bytes — they can see that encrypted traffic is going to a specific VPN server, but not what is inside. To websites and services you visit, your traffic arrives from the VPN server's IP address rather than your real one.

AES-256 and ChaCha20: the two ciphers that matter

AES-256

The Advanced Encryption Standard with a 256-bit key is the cipher used by the US government for TOP SECRET data, by every major bank, and by every VPN we reviewed. A 256-bit key has 2^256 possible values — a number so large that brute-forcing it would require energy beyond anything physically feasible on a human timeframe. In practice, AES-256 is unbreakable by any known adversary when implemented correctly.

ChaCha20

A newer cipher designed by Daniel Bernstein. ChaCha20 offers the same security level as AES-256 but runs faster on devices without hardware AES acceleration — which means most mobile phones and older hardware. WireGuard uses ChaCha20-Poly1305 by default; NordLynx inherits this. AES and ChaCha20 are considered equivalent in security. The difference is performance characteristics, not strength.
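To make the cipher section concrete, here is an added example (my own code, not from this article or any VPN's implementation) using Go's standard-library AES-256-GCM, an authenticated mode that pairs with AES the way Poly1305 pairs with ChaCha20. It encrypts a constructed packet, shows that an observer on the path learns only the packet's length (plaintext plus a 16-byte tag), and shows that a single flipped bit in transit is rejected rather than decrypted into garbage. The packet contents, key and header are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newAEAD builds AES-256-GCM: a 32-byte key selects AES-256, GCM adds a 16-byte tag.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPacket encrypts one tunnel packet; header is authenticated but sent in the
// clear. The 12-byte nonce must never repeat under a key (use a packet counter).
func sealPacket(key, nonce, plaintext, header []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, header), nil
}

// openPacket checks the tag and decrypts. Any flipped bit in the ciphertext,
// tag or header returns an error instead of silently yielding garbage.
func openPacket(key, nonce, ciphertext, header []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, header)
}

func main() {
	key, nonce := make([]byte, 32), make([]byte, 12) // constructed session key/nonce
	rand.Read(key)
	rand.Read(nonce)
	pkt := []byte("GET /account HTTP/1.1\r\nHost: bank.example\r\n") // constructed
	hdr := []byte{0x04, 0, 0, 0}                                     // constructed outer header
	ct, _ := sealPacket(key, nonce, pkt, hdr)
	// An observer on the path sees only the ciphertext length (plaintext + 16-byte tag).
	fmt.Printf("plaintext %d bytes -> ciphertext %d bytes\n", len(pkt), len(ct))
	ct[0] ^= 1 // one flipped bit in transit
	_, err := openPacket(key, nonce, ct, hdr)
	fmt.Println("tampered packet rejected:", err != nil)
}
```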

Protocol: the wrapper around the cipher

The cipher encrypts and decrypts. The protocol handles everything else: how keys get exchanged, how connections are established and maintained, how traffic gets authenticated, how you reconnect after a Wi-Fi drop. These three protocols dominate in 2026:

WireGuard

Open-source, roughly 4,000 lines of code (compared to OpenVPN's 70,000), uses modern cryptography (ChaCha20, Poly1305, Curve25519), and runs dramatically faster than older protocols. WireGuard's one privacy concern out of the box is that it assigns a static IP per user inside the tunnel — which is why NordVPN layers NordLynx on top, adding a double-NAT that breaks that one-to-one mapping.

Lightway (ExpressVPN)

ExpressVPN's own protocol, published as open source and built on wolfSSL. Designed specifically for fast reconnection when switching between Wi-Fi and cellular. Performance is comparable to WireGuard; reconnection is measurably faster on mobile.

OpenVPN

The older open-source standard. Slower than WireGuard or Lightway, but battle-tested and supported by virtually every VPN client and router firmware. Useful as a fallback on restrictive networks where WireGuard is blocked.

Legacy protocols to avoid

PPTP (2 decades old, broken encryption), L2TP/IPSec (slow and inconsistent), and SSTP (Microsoft proprietary with known issues) should only be used if no alternative is available on a specific device. No top-tier VPN in 2026 defaults to any of these.

Key exchange: why forward secrecy matters

Every VPN session negotiates its own unique encryption key. Forward secrecy is the property that even if an adversary captures your encrypted traffic today and steals the server's long-term keys tomorrow, they still cannot decrypt the captured traffic. All modern VPN protocols — WireGuard, Lightway, properly configured OpenVPN — implement forward secrecy. If a VPN does not explicitly advertise this, check before buying.
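Added illustration of why the property holds (my own code, not WireGuard's or any VPN's implementation): a simplified handshake in the style of WireGuard's Noise IK pattern over Curve25519, using Go's standard library. Each side mixes three Diffie-Hellman results, static-static, ephemeral-static and ephemeral-ephemeral, into the session key. The hash-based mix, the function names and the attacker model are simplifications I assume for the example; a real handshake uses an HKDF chain and also mixes a fourth term.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// gen makes a fresh Curve25519 (X25519) key: static keys live for years, ephemerals for one session.
func gen() *ecdh.PrivateKey { k, _ := ecdh.X25519().GenerateKey(rand.Reader); return k }

// dh is one X25519 Diffie-Hellman step: my private key combined with the peer's public key.
func dh(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) []byte {
	s, err := priv.ECDH(pub)
	if err != nil { panic(err) } // only for malformed peer keys
	return s
}

// mix hashes DH outputs into a session key (a stand-in for the handshake's HKDF chain).
func mix(secrets ...[]byte) [32]byte { return sha256.Sum256(bytes.Join(secrets, nil)) }

// initiatorKey is the client's derivation, mixing static-static (ss),
// ephemeral-static (es) and ephemeral-ephemeral (ee), WireGuard's Noise IK names.
func initiatorKey(cS, cE *ecdh.PrivateKey, sS, sE *ecdh.PublicKey) [32]byte {
	return mix(dh(cS, sS), dh(cE, sS), dh(cE, sE))
}

// responderKey is the server's derivation of the same three secrets.
func responderKey(sS, sE *ecdh.PrivateKey, cS, cE *ecdh.PublicKey) [32]byte {
	return mix(dh(sS, cS), dh(sS, cE), dh(sE, cE))
}

// laterCompromise models an adversary who recorded the handshake (public ephemeral
// keys only) and later steals BOTH static private keys. It can recompute ss and es,
// but ee needs an ephemeral private key that was erased when the session ended.
func laterCompromise(cS, sS *ecdh.PrivateKey, cE *ecdh.PublicKey) [32]byte {
	return mix(dh(cS, sS.PublicKey()), dh(sS, cE)) // no ee term available
}

func main() {
	cS, cE, sS, sE := gen(), gen(), gen(), gen() // client and server static + ephemeral keys
	ck := initiatorKey(cS, cE, sS.PublicKey(), sE.PublicKey())
	sk := responderKey(sS, sE, cS.PublicKey(), cE.PublicKey())
	fmt.Println("both ends derive the same key:", ck == sk)
	leaked := laterCompromise(cS, sS, cE.PublicKey())
	fmt.Println("stolen static keys recover the session:", leaked == ck)
}
```

Because the ephemeral private keys are discarded after the handshake, the recorded transcript plus both long-term keys still leaves the ee term unknown, which is exactly the guarantee the paragraph above describes.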

Post-quantum cryptography

A growing concern, often called "harvest now, decrypt later": adversaries may be recording encrypted traffic today with the plan of decrypting it in a decade or two, when quantum computers can break classical elliptic-curve cryptography. NordVPN, ExpressVPN, and Mullvad have begun rolling out hybrid post-quantum key exchange that is resistant to known quantum attacks. For ordinary users, this matters only if you care about forward secrecy on a 10-20 year timeline. For most US users in 2026, it is a nice-to-have rather than a must-have.

Implementation matters more than algorithm

A VPN using AES-256 with a poorly implemented protocol is less secure than one using ChaCha20 with a well-implemented protocol. Historical VPN vulnerabilities — leaks, broken kill switches, DNS leaks, session-hijacking bugs — were all implementation failures, not cipher weaknesses. This is why independent audits matter: they verify the implementation, not just the theoretical algorithm choice.

What to look for on a VPN's security page

Frequently asked questions

Is AES-256 actually uncrackable?
Yes, in any practical sense. Brute-forcing AES-256 would require energy on the scale of powering a star. The real risks in a VPN are key management, implementation bugs, and metadata — not the cipher itself.

What is the difference between AES-256 and ChaCha20?
AES-256 is hardware-accelerated on most modern CPUs, which makes it slightly faster on desktops. ChaCha20 runs faster on mobile and older devices without AES instructions. Both offer equivalent security.

Is WireGuard less secure than OpenVPN?
No. WireGuard uses newer, more auditable cryptography and has a smaller codebase (4,000 lines vs 70,000 for OpenVPN), which makes it easier to review. The tradeoff is that WireGuard is younger and has less historical battle-testing.