VPN protocols represent the processes and sets of instructions VPN clients rely on to establish secure connections between a device and a VPN server in order to transmit data.
In other words, a VPN protocol is a mix of transmission protocols and encryption standards.
Here are the main VPN tunnelling protocols you need to know about:
OpenVPN – Very Secure and Fast
OpenVPN is the industry gold standard VPN protocol and we recommend you use it whenever you can. It’s one of the most secure, and importantly is open-source, which means it’s completely transparent and continues to be publicly tested and improved.
It’s very configurable and, while no major desktop or mobile operating system ships an OpenVPN client, most VPN providers offer free apps that support it across all the major platforms.
Importantly, OpenVPN runs over either UDP (port 1194 by default) or TCP, and it can be configured to use TCP port 443, the port HTTPS uses. A port-based filter then cannot separate it from banking and e-commerce traffic. One caveat: OpenVPN wraps its TLS handshake in its own packet framing, so deep packet inspection can still fingerprint it on port 443; defeating that needs an additional obfuscation layer, not just a port change.
OpenVPN TCP (Transmission Control Protocol) is the most used transport protocol on the internet. It provides reliable, ordered delivery: the receiver acknowledges each segment, and anything not acknowledged is retransmitted. That reliability costs latency, and tunnelling TCP inside TCP compounds it, because both layers retransmit the same lost data.
OpenVPN UDP (User Datagram Protocol), the default, simply sends packets without waiting for acknowledgements and leaves retransmission to the applications inside the tunnel. The fewer checks result in lower latency, which makes it well suited to streaming and gaming.
OpenVPN also uses the OpenSSL library (mbed TLS is the alternative build), which supports a range of ciphers.
Its encryption has two elements: data channel encryption and control channel encryption:
- Data channel encryption protects the tunnelled traffic itself, using the symmetric cipher set with the cipher option (for example AES-256-GCM).
- Control channel encryption is the TLS session between your device and the VPN server; it authenticates the server (and the client) and negotiates the keys the data channel will use.
Be aware that some VPN services don’t use anywhere near the same level of encryption on both channels. Advertising a strong TLS control channel while leaving the data channel on a weak legacy cipher is a cheap shortcut to a faster connection. For years OpenVPN’s default data cipher was Blowfish (BF-CBC), a 64-bit block cipher whose weakness against the SWEET32 attack is exactly why that default was retired.
Unfortunately, a VPN is only as secure as its weakest element, so look for a VPN whose encryption is as strong as possible on both channels: a modern AEAD data cipher such as AES-GCM or ChaCha20-Poly1305, a TLS 1.2 minimum on the control channel, and server certificate checks such as remote-cert-tls server.
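The check a practitioner actually wants here is to read the provider’s .ovpn file and see what each channel negotiates. The following is an added example written for this page, not code from OpenVPN or from any provider: a small audit that parses a client config, flags weak data channel settings (64-bit block ciphers, weak HMAC digests) and missing control channel protections (tls-version-min, tls-auth/tls-crypt, remote-cert-tls), and reports the transport in use. The two sample configs are constructed; the hostname vpn.example.net and the key material are placeholders, and the weak one deliberately mirrors the shortcut described above.

```python
import re
from typing import Dict, List, Set

# 64-bit block ciphers (SWEET32) or no encryption at all.
# BF-CBC was OpenVPN's default data cipher before negotiation arrived in 2.4.
WEAK_DATA_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC",
                     "CAST5-CBC", "RC2-CBC", "NONE"}
WEAK_HMAC_DIGESTS = {"MD5", "NONE"}
CONTROL_CHANNEL_WRAPPERS = {"tls-auth", "tls-crypt", "tls-crypt-v2"}


def parse_ovpn(text: str) -> Dict[str, List[List[str]]]:
    """Minimal .ovpn parser: 'option arg...' lines, '#'/';' comments,
    and inline <ca>...</ca>-style blobs recorded as present but not parsed."""
    opts: Dict[str, List[List[str]]] = {}
    in_blob = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_blob:
            if line == f"</{in_blob}>":
                in_blob = None
            continue
        m = re.match(r"<(\w[\w-]*)>$", line)
        if m:
            in_blob = m.group(1)
            opts.setdefault(in_blob, []).append(["<inline>"])
            continue
        line = re.split(r"[#;]", line, 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def data_ciphers(opts: Dict[str, List[List[str]]]) -> Set[str]:
    """Every data-channel cipher the client may end up using."""
    names: Set[str] = set()
    for args in opts.get("cipher", []):
        names.update(args)
    for key in ("data-ciphers", "ncp-ciphers"):  # colon-separated lists
        for args in opts.get(key, []):
            for arg in args:
                names.update(arg.split(":"))
    return {n.upper() for n in names}


def audit_ovpn(text: str) -> List[str]:
    """Return a list of findings; an empty list means both channels look sound."""
    opts = parse_ovpn(text)
    findings: List[str] = []
    # Data channel: the cipher protecting the tunnelled traffic itself.
    ciphers = data_ciphers(opts)
    if not ciphers:
        findings.append("data channel: no cipher/data-ciphers set (pre-2.4 clients default to BF-CBC)")
    for c in sorted(ciphers & WEAK_DATA_CIPHERS):
        findings.append(f"data channel: weak cipher {c}")
    for args in opts.get("auth", []):
        if args and args[0].upper() in WEAK_HMAC_DIGESTS:
            findings.append(f"data channel: weak HMAC digest {args[0]}")
    # Control channel: the TLS session that authenticates the server and carries the keys.
    tls_min = opts.get("tls-version-min")
    if not tls_min:
        findings.append("control channel: tls-version-min not set")
    elif float(tls_min[0][0]) < 1.2:
        findings.append(f"control channel: tls-version-min {tls_min[0][0]} allows old TLS")
    if not (CONTROL_CHANNEL_WRAPPERS & opts.keys()):
        findings.append("control channel: no tls-auth/tls-crypt (handshake exposed to unauthenticated packets)")
    if not opts.get("remote-cert-tls"):
        findings.append("control channel: remote-cert-tls server missing (another client's cert could pose as the server)")
    return findings


def transport(text: str) -> str:
    """'udp/1194', 'tcp/443', ... from the proto and remote/port lines."""
    opts = parse_ovpn(text)
    proto = opts.get("proto", [["udp"]])[0][0].lower()
    remote = opts.get("remote", [[]])[0]
    port = remote[1] if len(remote) > 1 else opts.get("port", [["1194"]])[0][0]
    return f"{proto}/{port}"


# Constructed sample configs (not from any real provider).
WEAK_CONFIG = """\
client
dev tun
proto tcp
remote vpn.example.net 443   # port shared with HTTPS
cipher BF-CBC
auth MD5
ca ca.crt
"""

HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-crypt>
ca ca.crt
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name} ({transport(cfg)}):", audit_ovpn(cfg) or "no findings")
```

Run it against the .ovpn files a provider hands out; a file with no findings on the data channel but a missing tls-version-min or remote-cert-tls is the mirror image of the shortcut the text describes, and just as worth rejecting.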
L2TP/IPsec – Secure, But Can Be Slow
Layer 2 Tunneling Protocol (L2TP) is an IETF standard (RFC 2661) that grew out of Cisco’s L2F and Microsoft’s PPTP. It provides no encryption by itself, so it is almost always run inside IPsec, which supplies the encryption, integrity protection and authentication; AES is the usual cipher.
The protocol uses a small set of fixed ports and protocol numbers (UDP 500 for IKE, UDP 4500 for NAT traversal, UDP 1701 for L2TP and IP protocol 50 for ESP), which makes it relatively easy to block.
In terms of speed, the double encapsulation adds overhead, yet L2TP/IPsec is often as fast as or faster than OpenVPN in practice: IPsec encryption and decryption happen in the kernel and can use several cores, whereas OpenVPN 2.x runs single-threaded in user space.
There are no publicly known practical breaks of IPsec when it is used with AES, but documents leaked by Edward Snowden suggested the NSA had targeted IPsec VPNs, and some researchers have argued the standard was deliberately weakened during its creation.
The main problem in practice lies with VPN services that use pre-shared keys published on their websites. The PSK authenticates the IKE exchange that sets up the IPsec tunnel; if anyone can read it, anyone can pose as the VPN server and sit in the middle of the connection. The only authentication left at that point is the PPP-level password exchange (usually MS-CHAPv2) inside the tunnel, which is weak, so a public PSK opens the door to interception rather than merely to a theoretical attack.
Despite these issues, L2TP/IPsec is a solid choice given that it’s supported natively by so many platforms, as long as the IPsec side is authenticated with certificates or with a pre-shared key that is not published.
SSTP – Faster and More Secure than L2TP
Secure Socket Tunneling Protocol (SSTP) is a Microsoft-owned proprietary protocol that tunnels PPP over an SSL/TLS connection, meaning that like OpenVPN it uses TCP port 443.
Unlike OpenVPN though, SSTP is closed source, which means independent review is impossible and suggestions of backdoors or other vulnerabilities can neither be confirmed nor disproved. In our view this risk far outweighs any benefits from its close integration with Windows.
Another red flag is SSTP’s heritage in SSL 3.0, which is vulnerable to POODLE, a padding-oracle attack on its CBC cipher modes that an attacker positioned in the middle of the connection can exploit. Whether a given SSTP deployment is exposed depends on whether the server still allows SSL 3.0 to be negotiated; a properly configured server disables it outright, but as a user you cannot verify that, and we don’t think the protocol is worth the risk despite the benefits it shares with OpenVPN.
IKEv2 – Very Fast and Secure
Internet Key Exchange version 2 (IKEv2) is an open IETF standard (RFC 7296) developed jointly by Microsoft and Cisco; what is closed is the implementation Microsoft ships. It’s natively supported by Windows 7 and later, iOS, macOS and BlackBerry.
There are open-source implementations for Linux, notably strongSwan and Libreswan, which don’t carry the same trust issues as the closed-source Windows client.
On the plus side, it copes well with changing networks thanks to its MOBIKE extension (RFC 4555) and is very good at reconnecting when users drop their internet connection, which makes it particularly useful for mobile users.
IKEv2 is a very fast and secure protocol; the pity is that the implementation most Windows users rely on cannot be audited.
IKEv2 often won’t cut it when you’re trying to connect out of a highly censored country, though: it lives on the fixed UDP ports 500 and 4500, so it is trivial to block, and it has no port-443 fallback of its own.
WireGuard – Promising New Protocol
WireGuard is a new tunnelling protocol that aims to be faster and simpler than the current most popular protocol, OpenVPN.
WireGuard aims to tackle the issues often associated with OpenVPN and IPsec: complex setup, disconnections (without additional configuration), long reconnection times and a large codebase (400,000 to 600,000 lines) that makes bugs harder to find.
It seeks to improve on the other protocols by using a fixed set of modern primitives (ChaCha20-Poly1305, Curve25519, BLAKE2s and HKDF) with no cipher negotiation at all, and it has a code base of around 4,000 lines (about 1% of OpenVPN’s and IPsec’s).
Its Linux implementation was merged into the mainline kernel in version 5.6, but it has had far less real-world scrutiny than OpenVPN or IPsec. Early tests suggest that WireGuard is very fast and that reconnections are instant. One caveat for privacy: a WireGuard server keeps each peer’s public key and last-seen endpoint address in the interface state until it is removed, so a provider has to do extra work to avoid holding that mapping.
It’s early days and it has still to fully prove itself, but an increasing number of VPN providers are adding it to their clients, including IVPN.
PPTP – Weak Security, Avoid
The Point-to-Point Tunneling Protocol (PPTP) is an outdated VPN protocol developed by a Microsoft-led vendor consortium for creating VPNs over dial-up; it was published as RFC 2637 in 1999 and has shipped with Windows since the late 1990s.
It does have some positives: it’s compatible with pretty much everything, doesn’t need additional software and is very fast.
The major problem is that it’s proven to be insecure and easy to crack: its MS-CHAPv2 authentication can be broken by recovering a single DES key, which has been publicly demonstrated, and the MPPE encryption keys are derived from that exchange. It’s also simple to block, as it relies on TCP port 1723 plus the GRE protocol (IP protocol 47), both of which are easily firewalled.
Avoid this protocol unless you need nothing more than a changed IP address for non-sensitive traffic.
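Several of the sections above turn on the same point: PPTP, L2TP/IPsec and IKEv2 live on fixed ports or protocol numbers and can be blocked with a plain packet filter, whereas OpenVPN on TCP 443 or WireGuard on an arbitrary port needs inspection of the payload. The following is an added example written for this page, not code from any of these projects: it classifies flows the way a simple firewall or censor would, by protocol number and port, then adds two payload checks (the IKE header version byte, which separates IKEv1 from IKEv2, and the WireGuard handshake-initiation signature) to show what a port filter alone misses. The flow records and the IKE header bytes are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# IP protocol numbers
TCP, UDP, GRE, ESP = 6, 17, 47, 50


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    dport: Optional[int]
    payload: bytes = field(default=b"")  # first bytes of the first client packet, if captured


def ike_version(payload: bytes, dport: int) -> Optional[int]:
    """Major version (1 or 2) from a 28-byte IKE header, or None.
    On UDP 4500 an IKE packet starts with a 4-byte zero non-ESP marker;
    anything else on that port is UDP-encapsulated ESP (RFC 3948)."""
    if dport == 4500:
        if payload[:4] != b"\x00\x00\x00\x00":
            return None
        payload = payload[4:]
    if len(payload) < 28:
        return None
    major = payload[17] >> 4  # byte 17: MjVer (high nibble) / MnVer (low nibble)
    return major if major in (1, 2) else None


def looks_like_wireguard(payload: bytes) -> bool:
    """WireGuard handshake initiation: type 0x01, three reserved zero bytes, 148 bytes total."""
    return len(payload) == 148 and payload[:4] == b"\x01\x00\x00\x00"


def classify(flow: Flow) -> str:
    if flow.proto == GRE:
        return "PPTP (GRE data tunnel)"
    if flow.proto == ESP:
        return "IPsec ESP"
    if flow.proto == TCP:
        if flow.dport == 1723:
            return "PPTP (control channel)"
        if flow.dport == 443:
            return "TCP/443: HTTPS, OpenVPN-TCP or SSTP (port alone cannot tell)"
        return "TCP other"
    if flow.proto == UDP:
        if flow.dport in (500, 4500):
            v = ike_version(flow.payload, flow.dport)
            if v == 2:
                return "IKEv2"
            if v == 1:
                return "IKEv1 (L2TP/IPsec or IPsec-only)"
            return "UDP/4500 NAT-T ESP" if flow.dport == 4500 else "IKE (version unknown)"
        if flow.dport == 1701:
            return "L2TP without IPsec (plaintext)"
        if flow.dport == 1194:
            return "OpenVPN (default UDP port)"
        if looks_like_wireguard(flow.payload):
            if flow.dport == 51820:
                return "WireGuard handshake"
            return f"WireGuard handshake on non-default port {flow.dport}"
        if flow.dport == 51820:
            return "UDP/51820 (WireGuard default port)"
        return "UDP other"
    return "other"


def blockable_by_port_alone(flow: Flow) -> bool:
    """What a filter with no payload inspection can block: fixed protocol numbers and ports."""
    if flow.proto in (GRE, ESP):
        return True
    if flow.proto == TCP:
        return flow.dport == 1723
    if flow.proto == UDP:
        return flow.dport in (500, 4500, 1701, 1194, 51820)
    return False


def ike_header(major: int) -> bytes:
    """Constructed 28-byte IKE header: SPIi, SPIr, next payload, version,
    exchange type (34 = IKE_SA_INIT for v2, 2 = Identity Protection for v1),
    flags, message ID, length."""
    next_payload, exchange = (33, 34) if major == 2 else (1, 2)
    return (b"\x11" * 8 + b"\x00" * 8
            + bytes([next_payload, major << 4, exchange, 0x08])
            + b"\x00" * 4 + (28).to_bytes(4, "big"))


# Constructed sample flows (documentation addresses, no real traffic).
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", "203.0.113.7", GRE, None),
    Flow("10.0.0.5", "203.0.113.7", TCP, 1723),
    Flow("10.0.0.6", "203.0.113.8", UDP, 500, ike_header(1)),
    Flow("10.0.0.7", "203.0.113.9", UDP, 4500, b"\x00" * 4 + ike_header(2)),
    Flow("10.0.0.8", "203.0.113.10", UDP, 1194),
    Flow("10.0.0.9", "203.0.113.11", TCP, 443),
    Flow("10.0.0.10", "203.0.113.12", UDP, 40123, b"\x01\x00\x00\x00" + b"\x00" * 144),
]


def report(flows: List[Flow]) -> List[tuple]:
    return [(classify(f), blockable_by_port_alone(f)) for f in flows]


if __name__ == "__main__":
    for label, blockable in report(SAMPLE_FLOWS):
        print(f"{'blockable by port ' if blockable else 'needs DPI          '} {label}")
```

The two flows a port filter cannot act on are the interesting ones: TCP 443 is indistinguishable from ordinary HTTPS without payload inspection, and WireGuard moved off 51820 is caught here only because its handshake initiation has a fixed, recognisable shape. That is the same reason OpenVPN on 443 is harder, not impossible, to block.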