VPN usage is becoming more and more common. This is easy to understand, given the steady increase in (mass) surveillance, hackers and online tracking by advertising companies. It also helps that the times when VPNs were only for tech-savvy computer enthusiasts are long gone. However, to get the most out of your VPN service, it’s very important to choose the VPN protocol that suits your needs best. That’s why in this article, we’ll explain what a VPN protocol is, the options that are out there and their advantages and disadvantages.
What is a VPN protocol?
Among other things, a VPN encrypts your data traffic before it’s sent to the VPN’s server(s). The system responsible for this encryption is usually referred to as an encryption protocol or VPN protocol. Most modern VPN providers offer users several encryption protocols to choose from. It’s very important that you choose your encryption protocol wisely. After all, every protocol comes with its own advantages and disadvantages. The most popular VPN protocols are the following 6:
- OpenVPN with a UDP port
- OpenVPN with a TCP port
- PPTP
- L2TP/IPSec
- IKEv2
- Wireguard (This experimental protocol is still under development)
Needless to say, to choose the best VPN protocol for you, it’s important to know the difference between the different protocols.
Differences between the most popular VPN protocols
|Protocol||OpenVPN||PPTP||L2TP/IPSec||IKEv2||Wireguard|
|General||Popular open-source VPN protocol that offers cross-platform capabilities||Quite basic VPN protocol. This is the first VPN protocol that was supported by Windows.||Tunneling protocol which uses the IPSec protocol for security and encryption. L2TP only offers UDP ports (which are known to be faster, but less reliable and secure than TCP ports).||Like L2TP, IKEv2 is a tunneling protocol that relies on IPSec for encryption. However, this protocol is supported by fewer devices and systems.||A new, currently experimental open-source protocol. This protocol, which is still under development, is praised thanks to its speed, efficiency and small code base. This last feature, after all, makes it easier to inspect and audit (evaluate) the protocol.|
|Encryption||OpenVPN offers strong, high-quality encryption, using OpenSSL. Algorithms used: 3DES, AES, RC5, Blowfish. 128 bit encryption with 1024 bit keys.||PPTP uses the MPPE protocol to encrypt data. The algorithm it uses is the RSA RC4 algorithm with a key length of 128 bits.||Uses IPSec for encryption, using the 3DES/AES algorithm, with a 256 bit key.||Just like L2TP/IPSec, IKEv2 uses IPSec for encryption. IKEv2 can use the following encryption algorithms: 3DES, AES, Blowfish, Camellia.||Wireguard uses the ChaCha20 algorithm for encryption. An audit of Wireguard in June 2019 showed no serious security flaws. However, the auditors did indicate the protocol’s security showed room for improvement. This is undoubtedly one of the reasons the protocol’s developers haven’t launched a stable release yet. It’s important to stress Wireguard is still under a lot of development and therefore, as of now, should be considered an experimental protocol.|
|Usability||Can be installed through separately available software (not integrated in operating systems) and uses *.ovpn configuration files, combined with a username and password. Also integrated in a lot of software (most modern VPNs, for example).||Can be directly installed within your operating system. Also, PPTP is integrated in a lot of software (many VPN providers offer this protocol).||Can be directly installed within your operating system. Also, L2TP/IPSec is integrated in a lot of software (many VPN providers offer this protocol).||Can be directly installed within your operating system. Also, IKEv2 is integrated in a lot of software (many VPN providers offer this protocol).||Since Wireguard is still under development, the majority of VPN providers do not support this protocol (yet). However, the protocol is compatible with most operating systems.|
|Speed||Depending on many different variables, such as the speed of your system and the speed of the server(s) you’re connected to. OpenVPN with a UDP port in general results in greater speeds than using a TCP port.||Speed depends on many different variables, such as the speed of your system and the speed of the server(s) you’re connected to. Generally though, PPTP is known to be a fast protocol, mainly because of its relatively simple and low-level encryption (compared to more modern protocols).||Speed depends on many different variables, such as the speed of your system and the speed of the server(s) you’re connected to. L2TP itself is very fast (since it just offers a communication tunnel but no encryption). However, the necessary addition of IPSec for security (encryption mainly) makes L2TP/IPSec slower than OpenVPN.||Just like L2TP, IKEv2 uses UDP port 500, which makes it quite a fast protocol. Some sources even claim IKEv2 is capable of reaching greater speeds than OpenVPN.||According to its developers, the efficient and small codebase, combined with the fact Wireguard lives in the Linux kernel, should result in great speeds. This is also affirmed by the benchmarks available on Wireguard’s website.|
|Stability and reliability||Offers great stability and reliability regardless of network type used (WLAN, LAN, mobile networks, etc.). Obtaining a stable connection with OpenVPN generally does not require the advanced and complex configuration that IKEv2 can require.||PPTP, relatively speaking, has quite a few stability and reliability issues. Most of this can be attributed to compatibility issues.||Comparable to OpenVPN, but sometimes depends on network stability.||IKEv2 is a more complex protocol than OpenVPN. That’s why sometimes IKEv2 requires a more advanced and complicated configuration process to work well.||Since Wireguard is still under development, it’s difficult to make any strong claims as far as stability and reliability go.|
|Privacy & Security||OpenVPN is known to contain very few (if any) security flaws. Do you require maximum privacy and VPN protection without a lot of configuration hassle? Then most often OpenVPN will be the right protocol for you.||At least among Windows users, PPTP is known to have several security flaws.||L2TP, when combined with IPSec, is known to be a very safe protocol. According to Edward Snowden, however, L2TP/IPSec has been exploited before by the NSA (National Security Agency).||Many consider IKEv2 to be as safe as L2TP/IPSec, since they use the same protocol for encryption (IPSec). Unfortunately, however, leaked presentations from the NSA suggest that the IKEv2 protocol too has been exploited in the past by malicious parties.||Wireguard’s main advantage in this regard is the fact its codebase is relatively small (under 4000 lines, compared to way over 100000 lines for both OpenVPN and L2TP/IPSec, for example). This means the attack surface for hackers to exploit is a lot smaller. Also, this makes it easier to detect security flaws.|
|Advantages||Offers great speeds and possibly the best security out of all VPN protocols. Is able to bypass most firewalls, network- and ISP restrictions.||Easy to configure. Supported by many devices and systems.||Easy to configure. Able to bypass network-, geo- and ISP restrictions.||Easy to configure.||Small codebase (easier to audit and less attack surface). According to developers and some critics it’s an easy to use, fast protocol.|
|Disadvantages||Sometimes installation requires separate software.||Degree of stability and reliability can vary a lot. Not as safe and private as modern protocols (especially when compared to OpenVPN). Easy for websites, governments and ISPs to detect and block PPTP users.||Relatively slow and can be blocked by firewalls, since it uses a port that’s often blocked: UDP 500.||Relatively often blocked by firewalls (uses UDP port 500). Supported by fewer systems and software than OpenVPN, L2TP/IPSec and PPTP.||Still under development. This makes it hard to draw any definite conclusions regarding the protocol’s safety and stability. As of now, Wireguard seems to be incompatible with a no-logging policy (more about this later).|
|Conclusion||For many OpenVPN will (rightfully) be the VPN protocol of choice. OpenVPN is fast, stable and safe.||PPTP is generally easy to configure, but less stable and secure than more modern protocols, such as OpenVPN and L2TP/IPSec. That’s why we mainly recommend using PPTP when other protocols aren’t working for you or are too difficult to configure.||L2TP/IPsec is often slower than OpenVPN and PPTP, but can occasionally bypass blockades that those two can’t. We’d recommend using L2TP/IPSec as an alternative if OpenVPN doesn’t suit your specific needs.||According to several critics, IKEv2 seems to offer the same level of security as L2TP/IPSec, but at higher speeds. However, IKEv2’s speed depends on many variables. To guarantee a stable connection and good reliability, IKEv2 can require a relatively complex configuration. This is why, especially for “VPN beginners”, we only recommend this protocol if OpenVPN doesn’t work for instance.||Without a doubt, Wireguard shows a lot of potential. However, the protocol is still under development. That’s why we, like its developers and many VPN providers, only recommend using the protocol for experimental purposes or when privacy and anonymity are not absolutely crucial. Think unblocking geo-blockades for instance.|
We’ll now discuss these protocols in a little more detail.
OpenVPN (which stands for open source virtual private network) is the most popular VPN protocol. Its popularity can mainly be attributed to its strong, high-level encryption and open-source code. OpenVPN is supported by all well-known operating systems, such as Windows, MacOS and Linux. The protocol is also supported by mobile operating systems such as Android and iOS.
Of course, one of the main purposes of a VPN protocol is providing high-level data encryption. In this area OpenVPN performs really well. After all, OpenVPN uses 256-bit encryption through OpenSSL. Also, many VPN services (most, in fact) support the use of OpenVPN.
OpenVPN supports the usage of two different types of ports: TCP and UDP.
- OpenVPN-TCP is the most commonly used and most reliable protocol. Using a TCP port means every individual data packet has to be acknowledged by the receiving party before a new one is sent. This makes one’s connection very reliable and secure, but slower.
- OpenVPN-UDP is considerably faster than OpenVPN-TCP. All data packets are sent without the need for acknowledgement from the receiving party. This results in a faster VPN connection, but means some loss of reliability and stability.
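An added example, not part of the original article: a small Python check that reads an OpenVPN client profile (*.ovpn) and reports whether it connects over TCP or UDP and which ciphers it requests, flagging 64-bit-block ciphers such as Blowfish and 3DES. The sample profile, its hostname and the function names are constructed for illustration.

```python
# Added example: audit an OpenVPN client profile (*.ovpn) for transport and ciphers.
# Ciphers with a 64-bit block size, which OpenVPN itself warns about (SWEET32).
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}

# Constructed sample profile; hostname and values are placeholders.
SAMPLE = """\
client
proto udp
remote vpn.example.net 1194
remote vpn.example.net 443 tcp
cipher BF-CBC
data-ciphers AES-256-GCM:AES-128-GCM
<ca>
(placeholder certificate body)
</ca>
"""

def parse_profile(text):
    """Return (directive, args) pairs, skipping comments and inline <ca>-style blocks."""
    directives, inline = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                                   # inside <ca> ... </ca>
            if line == f"</{inline}>":
                inline = None
        elif line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
        elif line and line[0] not in "#;":
            name, *args = line.split()
            directives.append((name, args))
    return directives

def audit(text):
    """Report transports and ciphers in use, plus findings for weak ciphers."""
    proto, remotes, ciphers = "udp", [], []          # OpenVPN defaults to UDP
    for name, args in parse_profile(text):
        if name == "proto" and args:
            proto = args[0]
        elif name == "remote" and args:
            remotes.append(args)
        elif name == "cipher" and args:
            ciphers.append(args[0].upper())
        elif name in ("data-ciphers", "ncp-ciphers") and args:
            ciphers.extend(c.upper() for c in args[0].split(":"))
    # A per-remote protocol (third field) overrides the global "proto" line.
    used = {(r[2] if len(r) > 2 else proto).lower()[:3] for r in remotes} or {proto.lower()[:3]}
    findings = [f"weak cipher {c} (64-bit block)" for c in ciphers if c in WEAK_CIPHERS]
    if not ciphers:
        findings.append("no cipher directive; the OpenVPN version's default applies")
    return {"transports": sorted(used), "ciphers": ciphers, "findings": findings}
```

Calling `audit(SAMPLE)` shows that the profile can fall back to TCP on port 443 and still lists Blowfish as a cipher.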
OpenVPN’s advantages and disadvantages
- + OpenVPN is very safe
- + Supported by a lot of software and virtually all modern VPN providers
- + Supported by basically all operating systems
- + Extensively audited and tested
- – Sometimes requires additional software
PPTP VPN protocol
The Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN protocols out there. In fact, it was the first VPN protocol supported by Windows. The NSA has managed to exploit security flaws of the PPTP protocol. That, together with its lack of high-level encryption, is why this protocol is no longer considered safe. However, PPTP’s lack of strong encryption does mean it’s a very fast protocol.
Because PPTP is so old as a protocol, it’s the most widely supported VPN protocol among different devices and systems. However, firewalls which try to block VPN users, will generally quite easily recognize PPTP users. This of course makes it not the best protocol out there for unblocking purposes (and we already saw its security also leaves something to be desired).
PPTP’s advantages and disadvantages
- + very fast
- + simple and easy to use
- + is compatible with virtually all operating systems
- – only offers quite basic, low-level encryption
- – easy to recognize and block by firewalls and the like
- – hackers often exploit PPTP’s security flaws
The Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used for creating a so-called “VPN-tunnel” (which your data traffic is guided through). However, L2TP itself does not encrypt any data. That’s why in virtually all cases L2TP is combined with IPSec, a protocol which does in fact encrypt data (and does so quite well). That’s where the name L2TP/IPSec comes from.
IPSec stands for Internet Protocol Security and takes care of the end-to-end encryption of data in the L2TP tunnel. Using the L2TP/IPSec combination as a VPN protocol is much safer and ensures more privacy than using PPTP. Just like any protocol, though, L2TP/IPSec also comes with its disadvantages. One of the protocol’s disadvantages is the fact that some firewalls block users of this protocol. That’s because L2TP uses port UDP 500 and some websites block this port. Speed-wise, L2TP on its own performs very well, because of its lack of encryption. However, the necessary addition of IPSec can slow one’s connection down quite a bit. All in all, OpenVPN is generally faster than L2TP/IPSec.
L2TP/IPSec’s advantages and disadvantages
- + better encryption than PPTP
- + directly compatible with many operating systems
- – slower than OpenVPN
- – according to Snowden the NSA has exploited security vulnerabilities of the L2TP/IPSec protocol
- – this protocol can be blocked by some firewalls
IKEv2 VPN protocol
IKEv2 stands for Internet Key Exchange Version 2. As its name reveals, IKEv2 is IKE’s successor. When using IKEv2 as a VPN protocol, your data traffic will first of all be encrypted by the IPSec protocol. Next, a VPN-tunnel is created, through which all your (encrypted) data travels. Just like L2TP/IPSec, IKEv2 makes use of port UDP 500. This means some firewalls will block IKEv2 users. Thanks to its usage of IPSec for encryption, IKEv2 is considered by many to be as safe as L2TP/IPSec. Something to take note of though: when using a weak password, IKEv2 is very vulnerable to hackers.
IKEv2’s advantages and disadvantages
- + IKEv2 is very fast
- + quite high-level encryption
- + is able to restore lost connections
- + easy and simple to use
- – easily blocked by some firewalls
- – possibly exploited by the NSA
- – unsafe when using a weak password
- – not as universally supported as OpenVPN and L2TP/IPSec
Wireguard is a new and, as of now, experimental VPN protocol, written by Jason A. Donenfeld. The protocol is still under development. However, several VPN providers already support this protocol. The protocol prides itself on its very small codebase (about 4000 lines), compared to competitors. This smaller codebase should make the protocol and its safety a lot easier and faster to audit (evaluate). Also, it should, in combination with the code itself, make for a simpler, faster, more efficient and easier to use VPN protocol. However, since this protocol is still under a lot of development, the developers and many VPN providers only recommend using it for experimental purposes, or when privacy is not absolutely crucial (as of now). Also, Wireguard’s current version only supports the use of static IP addresses. According to many authorities in the field, this means Wireguard as a VPN protocol is not compatible with a no-logging policy.
Wireguard’s advantages and disadvantages
- + In theory, and according to benchmarks found on its own website, Wireguard is a very fast VPN protocol
- + Its small code base should make the protocol easier to audit
- – Most VPN providers do not support and offer this protocol (yet)
- – Wireguard, as of now, only provides static IP addresses and therefore is not compatible with a no-logging policy
Needless to say, it’s very important to choose the VPN protocol that’s right for you. Every protocol has its own advantages and disadvantages. In most cases, OpenVPN will be your best bet. PPTP is a protocol we do not recommend using, because of its relatively low-level encryption. However, you could try this protocol when privacy and security are not your highest priorities, such as for unblocking streams. If OpenVPN is not supported or does not work well for whatever reason, you could consider using L2TP/IPSec or IKEv2.