WireGuard, OpenVPN, REALITY and picking the right tunnel


The moment you notice your VPN is the problem

I was on a train, tethered to my phone, trying to push a small release tag to GitHub before the next stop. The VPN was “connected,” the little icon looked happy, but every other packet vanished into the void. Slack half-loaded. DNS looked like it was flipping a coin.

That’s the day I stopped treating “VPN protocol” as a nerd setting you ignore.

Latency is the tax.

If you’ve only ever used whatever default your VPN app picks, you’re not alone. But different networks break in different ways, and each protocol has its own personality. Some are fast and fragile. Some are slow and stubborn. Some try to look like normal web traffic and, depending on where you are, that can matter more than raw speed.

WireGuard feels like cheating, until it doesn’t

WireGuard is my default when I just need the internet to behave. It’s modern, small, and usually fast. It runs over UDP, which is a big reason it’s snappy: less overhead, less waiting around for retransmits, and generally lower latency when the path is clean.

Battery matters.

On phones, WireGuard tends to be kind to the battery compared to older stacks that keep lots of state and renegotiate more often. Roaming is also where it shines: walking between Wi‑Fi and LTE, or hopping between access points, is usually less dramatic.

The catch is UDP.

Some networks hate UDP. Hotel Wi‑Fi, captive portals, corporate guest networks, and certain mobile carriers will happily let TCP through and treat UDP like suspicious noise. When that happens, WireGuard doesn’t degrade politely. It just stops working, or it “works” with random stalls that are worse than a clean failure.

A few practical notes from daily use:

  • If you’re on mobile data and you see bursts of packet loss, try toggling airplane mode and reconnecting. WireGuard recovers fast, but the radio stack can get stuck.
  • If you’re behind strict NAT (common on LTE/5G), keepalive settings can make the difference between stable and constantly dropping. Too aggressive, though, and you’ll pay in battery.

If your VPN provider exposes protocol selection, WireGuard is the one I try first. If you’re using a router like OpenWrt, it’s also the easiest way to get “always on” tunneling without cooking a low-power CPU.
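To tell "UDP is blocked" apart from "connected but stalled" without guessing, you can compare two snapshots of `wg show <interface> dump`. The script below is an added example, not code from any VPN app or provider; the peer names, the endpoint and the 180-second cut-off are assumptions of this example, and the sample dumps are constructed.

```python
import time

# Heuristic cut-off for this example: WireGuard stops using a session key
# 180 s after the handshake, so an older one on a busy tunnel is a dead session.
STALE_AFTER = 180

def parse_dump(text):
    """Parse single-interface `wg show <iface> dump` output into {peer_key: stats}."""
    peers = {}
    for line in text.splitlines()[1:]:  # line 1 describes the interface itself
        f = line.split("\t")
        if len(f) != 8:
            continue  # not a peer line
        pub, _psk, _endpoint, _allowed, hs, rx, tx, keepalive = f
        peers[pub] = {"handshake": int(hs), "rx": int(rx), "tx": int(tx),
                      "keepalive": keepalive}
    return peers

def diagnose(prev_dump, curr_dump, now=None):
    """Compare two dumps taken a few seconds apart; return {peer_key: [codes]}."""
    now = int(time.time()) if now is None else now
    prev, out = parse_dump(prev_dump), {}
    for pub, p in parse_dump(curr_dump).items():
        old = prev.get(pub, {"rx": 0, "tx": 0})
        sent, got = p["tx"] - old["tx"], p["rx"] - old["rx"]
        if p["handshake"] == 0:
            # Never handshaked: if packets were sent anyway, UDP is likely dropped.
            codes = ["no-handshake" if p["tx"] > 0 else "idle"]
        elif sent > 0 and got == 0 and now - p["handshake"] > STALE_AFTER:
            codes = ["stalled"]  # "connected", but replies stopped arriving
        else:
            codes = ["healthy"]
        if p["keepalive"] == "off":
            codes.append("keepalive-off")  # NAT mapping may expire when idle
        out[pub] = codes
    return out

# Constructed sample data: placeholder keys, documentation-range endpoint.
def peer_line(pub, hs, rx, tx, keepalive):
    return "\t".join([pub, "(none)", "203.0.113.10:51820", "0.0.0.0/0",
                      str(hs), str(rx), str(tx), keepalive])

NOW = 1_700_000_000
IFACE = "\t".join(["(hidden)", "IFACE_KEY_PLACEHOLDER", "51820", "off"])
SAMPLE_PREV = "\n".join([IFACE, peer_line("PEER_A", 0, 0, 148, "off"),
    peer_line("PEER_B", NOW - 400, 9000, 5000, "25"),
    peer_line("PEER_C", NOW - 30, 1000, 1000, "25")])
SAMPLE_CURR = "\n".join([IFACE, peer_line("PEER_A", 0, 0, 592, "off"),
    peer_line("PEER_B", NOW - 400, 9000, 7400, "25"),
    peer_line("PEER_C", NOW - 20, 4000, 2500, "25")])

if __name__ == "__main__":
    print(diagnose(SAMPLE_PREV, SAMPLE_CURR, NOW))
```

A `no-handshake` result is the case for switching transport; `keepalive-off` on a peer behind NAT is the case for setting `PersistentKeepalive` in the peer section of the config.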

OpenVPN is slower, but it gets through ugly networks

OpenVPN is the protocol I reach for when I’m somewhere hostile to modern traffic patterns. It’s older, heavier, and the crypto negotiation is a bit of a ceremony. You feel it on high-latency links.

Still, OpenVPN has one superpower: it can run over TCP, including TCP 443 (the same port your browser uses for HTTPS). In practice, that means it can blend into “normal” outbound web traffic at the port level, and it survives environments where UDP gets blocked or shaped into uselessness.

This part is annoying: OpenVPN over TCP can also trip into TCP-over-TCP meltdown. When both the inner tunnel and the outer transport try to do retransmissions, performance can fall off a cliff on lossy links. You’ll see the classic symptoms: a speed test looks okay for a second, then everything turns into molasses as retries pile up.

So I treat OpenVPN like a battering ram, not a sports car. If I’m on airport Wi‑Fi, a conference venue, or a locked-down office guest network, I’ll pick OpenVPN and accept the hit.

If you want to understand what your VPN app is actually offering (and what it isn’t), it’s worth scanning the provider’s capability list once. DuduVPN keeps that kind of detail on its VPN app features and protocol options page, which is where I’d check before I assume anything.

REALITY, VLESS, Shadowsocks-2022: when “looks normal” is the whole point

There’s a separate category of tools that aren’t trying to win benchmarks. They’re trying to survive inspection.

If you’ve used apps like Hiddify, NekoBox, V2RayNG, or Shadowrocket, you’ve already seen the ecosystem: VLESS, Trojan, Shadowsocks (including Shadowsocks-2022), and newer tricks like VLESS+REALITY.

Here’s the plain-English idea. Instead of advertising “hi, I’m a VPN,” these protocols try to resemble ordinary TLS traffic or otherwise avoid obvious fingerprints. REALITY is often discussed in that context because it can make traffic look like a legit HTTPS connection to a real site while still carrying your tunnel inside.

That’s useful in places where the block isn’t just “UDP is inconvenient,” but “known VPN patterns get throttled, reset, or logged.” It’s also useful on certain ISPs that do aggressive traffic shaping.

Trade-offs show up quickly:

  • Setup is fussier. You’re dealing with URLs, UUIDs, SNI, public keys, and little details that are easy to mistype.
  • Battery use can be worse on mobile, depending on the client and transport. More processing and more retries add up.
  • Latency can be unpredictable. Obfuscation and extra handshakes aren’t free.

If you’re the type who wants a one-button experience, this family can feel like too much. If you’re routinely on networks that play whack-a-mole with VPNs, it can be the only thing that stays up for more than a few minutes.

For client apps, the ones I keep seeing in the wild are:

  • Android: V2RayNG, NekoBox
  • iOS: Shadowrocket
  • Desktop: Hiddify (varies by platform), plus native clients depending on protocol

My real-world decision tree (it’s not elegant)

I don’t pick protocols based on ideology. I pick them based on failure modes.

If I’m on a normal home connection, WireGuard is the default. It’s fast, simple, and it doesn’t make my laptop sound like a tiny jet engine. If I’m traveling and the Wi‑Fi is flaky, WireGuard still usually wins, because it reconnects quickly when the link changes.

When the network is actively hostile to UDP, I switch to OpenVPN TCP and move on with my life. I might lose some speed, but I get predictability, and predictability is what lets you actually work.

When I’m in an environment where known VPN signatures get singled out, that’s when I consider stealthier transports (VLESS+REALITY, Shadowsocks-2022, and similar). Honestly, I don’t enjoy configuring these on a phone screen. But if the alternative is no connection at all, I’ll take “fussy and functional.”

One more angle people forget: your device matters.

A modern MacBook on Wi‑Fi can brute-force a lot of overhead. A budget Android phone on LTE can’t. Extra CPU cycles mean extra heat, and heat means throttling. On mobile, packet loss and jitter are often the limiting factor, not raw bandwidth, so a protocol that recovers cleanly beats one that looks good on a perfect link.

If you’re trying to troubleshoot rather than guess, it helps to have a checklist: is it DNS, is it MTU, is it the port, is it the transport, is it captive portal weirdness. Providers that document common issues save you time. DuduVPN’s support FAQ for setup and connection problems is the sort of page I end up opening at 1 a.m. when one network behaves differently than the last.

Cost and convenience still matter

People love to argue protocols like it’s a religion, but most of us just want a stable tunnel on all our devices. That’s where the boring stuff matters: how many device slots you get, whether the apps are maintained, whether the service makes it easy to switch protocols when a network changes.

If you’re comparing services, glance at the plan details and see what’s included before you invest time migrating configs across phones, laptops, and routers. DuduVPN’s pricing and plan details are straightforward enough to sanity-check quickly.

Where DuduVPN fits (if you want fewer knobs, not more)

If you want a paid VPN that’s easy to run day-to-day but still lets you switch approaches when a network gets weird, I’d point you at DuduVPN and, if you prefer provisioning and account actions in chat, the DuduVPN Telegram bot.

If you only remember one thing: on mobile networks, try WireGuard first, and if it connects but stalls or never handshakes, switch to OpenVPN over TCP 443 and test again before you start changing DNS or blaming your phone.
