When reading rankings, reviews and VPN offers, we often come across information about the protocols we can use. For non-technical people, names such as PPTP, L2TP/IPSec, SSTP, IKEv2 or OpenVPN usually mean very little. Are they supported by my system or mobile device? How do they behave when I change networks? What level of security do they provide? This matters a great deal, because the choice of VPN protocol largely determines the quality of the connection and the security and privacy that the VPN provides. In this article we will try to explain the most important features of each protocol used in VPNs.
What is a communication protocol?
Before we go into the description and comparison of VPN protocols, it is worth explaining what a protocol is and what role it plays on the Internet. A protocol can be defined as a group of strictly defined rules and conventions whose execution in the right order allows two devices to exchange information. For each protocol there is a standard that fully defines all operations related to that protocol.
Using the Internet relies on many different protocols, each responsible for some part of the exchange of information. You have probably heard names such as HTTP, HTTPS, FTP, POP3, SMTP, IMAP, IP, TCP or UDP; these are just some of the protocols you use every day.
VPN functionality is also based on protocols. They handle user authentication, data encryption, secure transfer and delivery to the destination. There are differences between the protocols on which most VPNs are built, and we will try to explain them. Depending on the user's needs and expectations of the service, a given feature of a protocol may be an advantage for some users and a disadvantage for others.
To begin with, we will also explain two important concepts that recur throughout the text, namely the key length and the encryption algorithm.
Key length is the number of bits in the key used by the encryption algorithm. In non-technical terms, the key length determines the security level of the algorithm: the longer the key, the stronger the encryption, because a longer key requires more computing power to break by trying every possible value. Note also that the longer the key, the longer encrypting and decrypting the information takes.
The most common key lengths are 128, 192 and 256 bits. 128-bit keys are considered unbreakable with currently available computing resources, but more and more security-minded people recommend using 256-bit keys. The undoubted advantage of shorter keys is faster encryption and decryption of data, but this comes at the expense of security.
The cryptographic algorithm is the mathematical mechanism by which information is encrypted using a cryptographic key. In most VPNs the most commonly used encryption algorithm is AES (Advanced Encryption Standard). SHA-1 or SHA-2 is used for data authentication: it produces a short string (a hash) that lets the receiver verify that the content has not been modified in transit. The key exchange (handshake) is done using the RSA algorithm. AES is currently considered the most secure algorithm and is the de facto standard.
In the description of a VPN offer or in the application configuration, you can often find parameters such as the following:
- Data encryption: AES-256
- Data authentication: SHA-1
- Handshake: RSA-4096
This means that the VPN uses AES with a 256-bit key for data encryption, the SHA-1 hash for data authentication, and RSA with a 4096-bit key for the handshake, i.e. the key exchange.
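To make the "data authentication" line concrete, here is an added example (not part of the original article, and not any VPN product's code) of what the SHA-based authentication actually buys you. It uses only the Python standard library and a constructed sample payload; the secret key is assumed to have been agreed in the handshake. It contrasts an unkeyed hash, which anyone can recompute after changing the data, with a keyed HMAC, which cannot be recomputed without the key, so a modification is detected.

```python
import hashlib
import hmac
import os

# Constructed sample payload, standing in for one packet carried by the tunnel.
PAYLOAD = b"GET /account HTTP/1.1\r\nHost: example.test\r\n\r\n"


def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-256 over the data. Detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def mac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over the data; only a holder of the key can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def receiver_accepts_hash(data: bytes, digest: str) -> bool:
    """Receiver check when only a plain hash travels with the data."""
    return plain_digest(data) == digest


def receiver_accepts_mac(key: bytes, data: bytes, tag: str) -> bool:
    """Receiver check with a keyed MAC; compare_digest avoids timing leaks."""
    return hmac.compare_digest(mac_tag(key, data), tag)


def modify_in_transit(data: bytes) -> bytes:
    """Simulate a change to the data on the wire: flip one bit of the first byte."""
    altered = bytearray(data)
    altered[0] ^= 0x01
    return bytes(altered)


def demo() -> dict:
    key = os.urandom(32)  # assumed: a 256-bit key shared during the handshake
    tag = mac_tag(key, PAYLOAD)
    modified = modify_in_transit(PAYLOAD)

    # Without a key, whoever changed the data can recompute the hash to match,
    # so the receiver cannot tell the modified packet from the original.
    hash_accepts_modified = receiver_accepts_hash(modified, plain_digest(modified))

    # With a MAC, the modifier has no key, so the best they can do is reuse
    # the old tag, which no longer matches the data.
    mac_accepts_original = receiver_accepts_mac(key, PAYLOAD, tag)
    mac_accepts_modified = receiver_accepts_mac(key, modified, tag)

    return {
        "hash_accepts_modified": hash_accepts_modified,  # True: no protection
        "mac_accepts_original": mac_accepts_original,    # True: genuine data passes
        "mac_accepts_modified": mac_accepts_modified,    # False: tampering detected
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that "SHA-1" or "SHA-2" in a VPN spec sheet refers to the hash used inside a keyed MAC (HMAC), not to a bare hash of the packet; it is the key, not the hash alone, that makes modification detectable.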
PPTP
PPTP stands for Point-to-Point Tunneling Protocol. It is the most basic protocol for VPN connections. Using PPTP is no longer recommended: it is considered a broken protocol and does not guarantee security.
The PPTP standard was developed in 1999 by a group of technology companies led by Microsoft, which is why Windows has supported it since Windows 98 and NT. Thanks to its simplicity of operation and implementation, for some time it was supported by practically all systems and devices. However, its built-in availability on systems and devices is slowly disappearing (Apple's latest systems, macOS Sierra and iOS 10, no longer support PPTP).
Unfortunately, simplicity and universality do not go hand in hand with security. Microsoft itself does not recommend using this protocol. If you are serious about network security, it is better to connect to your VPN with a more secure protocol such as OpenVPN, L2TP/IPSec, IKEv2 or SSTP.
In PPTP, encryption is performed by MPPE (Microsoft Point-to-Point Encryption), which is based on the RC4 algorithm with a 128-bit key, while authentication is performed with MS-CHAP v2 or EAP-TLS.
- The fastest protocol; its simplicity has little effect on the speed of the connection
- Simple to operate, configure and run
- Available by default on most systems and devices
- No strong, secure encryption
L2TP/IPSec
L2TP/IPSec is a combination of two separate protocols that together make it possible to establish a secure, encrypted VPN connection. L2TP (Layer 2 Tunneling Protocol) alone provides no encryption or security for the transmitted data; it only establishes the connection and carries the data. For encryption and authentication an additional set of protocols is needed, which is why L2TP is most often paired with IPSec, a set of protocols responsible for authenticating and encrypting the packets sent through L2TP. The role of L2TP is to create a tunnel between two points, while IPSec provides security by encrypting the transmitted data.
L2TP/IPSec uses UDP port 500 (for the IPSec key exchange), so it is more easily blocked by a firewall than protocols that can run on an arbitrary port or on TCP port 443, the port used by SSL/TLS. This can be a serious disadvantage if our ISP blocks VPNs or if we want to hide the fact that we are using such a service. On the other hand, L2TP/IPSec is sometimes the only option for using a VPN on old systems and devices that cannot connect with newer and better solutions such as IKEv2 or OpenVPN.
In terms of encryption, L2TP/IPSec can secure the data transmission with the AES-256, AES-192, AES-128 or 3DES algorithms, which provides a high security standard.
L2TP/IPSec is considered a secure protocol. However, following the information from Edward Snowden and recent leaks of CIA data, there are suspicions that IPSec may have been compromised or that pressure was exerted to deliberately weaken it. To this day this has not been confirmed and remains speculation, but it is worth keeping in mind.
- Easy to configure
- Widely available on most systems, so it does not require the installation of additional applications
- There are suspicions that the IPSec security it relies on could have been compromised by the NSA
- It uses UDP port 500, which makes its use harder to hide and easy to block with a firewall
IKEv2
IKEv2 (Internet Key Exchange version 2) was developed jointly by Microsoft and Cisco. Like L2TP/IPSec, IKEv2 relies on IPSec for encryption and data security. It is the second version of the IKE protocol, with significant improvements over its predecessor. There are open-source IKEv2 implementations such as OpenIKEv2. Like L2TP/IPSec, IKEv2 runs on UDP port 500, so it can easily be blocked by firewalls.
IPSec encryption secures the data transfer with the AES-256, AES-192, AES-128 or 3DES algorithms. The encryption is strong, but as mentioned earlier, there are doubts about the security of IPSec.
IKEv2 lets you keep a VPN connection up permanently thanks to MOBIKE. This is especially useful for mobile devices, which may lose the connection or temporarily change network (for example, from Wi-Fi to 3G).
IKEv2 is built into Windows starting with Windows 7, and into Apple's macOS and iOS. On Android we need to install a suitable application to connect with this protocol.
- Simple to configure on the user side
- It uses UDP port 500, which makes its use harder to hide and easy to block with a firewall
- There are doubts about the security of IPSec
SSTP
SSTP (Secure Socket Tunneling Protocol) was created entirely by Microsoft and first shipped with Windows Vista. Although it is Microsoft technology (which can be seen as both an advantage and a disadvantage), there are applications that support SSTP on Linux and on Apple systems. On Microsoft systems we can use SSTP from Windows Vista SP1 onwards without installing additional programs.
By default an SSTP connection uses SSL/TLS on TCP port 443, so it can pass through most firewalls that block VPN activity. SSL/TLS provides the encryption, and EAP-TLS or MS-CHAP is used for authentication. Unlike OpenVPN, SSTP is not open source, so there is no certainty that it contains no backdoors.
- Available on Windows starting with Windows Vista SP1 without additional software
- Supported by Microsoft
- Can pass through most firewalls
- Created and developed by Microsoft; closed source, so no possibility of external audit
- Works mainly in the Windows environment (external applications must be installed on other systems)
OpenVPN
OpenVPN is the newest fully open-source VPN protocol. Its core functionality is built on the OpenSSL library and the SSLv3 and TLSv1 protocols. Unlike IKEv2 and L2TP/IPSec, it does not use IPSec for encryption, only the SSL/TLS mentioned earlier. OpenVPN can be configured to run on any port, including TCP 443, the port on which SSL/HTTPS traffic runs. This lets us disguise the fact that we are connecting through a VPN and get past firewalls that block VPN connections.
Because OpenVPN relies on the OpenSSL library, it can use any of OpenSSL's algorithms for encryption, such as AES, 3DES, RC5 and Blowfish, which gives great configuration flexibility. The most common choice is AES, which is currently considered the safest. Authentication can be done with keys, certificates, or user names and passwords.
With OpenVPN we will most often encounter encryption with AES using a 256-bit or a 128-bit key. The first option is safer, but slightly slower than encryption with a 128-bit key.
OpenVPN is not built into any system, but client applications exist for virtually all of them: Windows from XP onwards, macOS, Solaris, Linux, OpenBSD, FreeBSD, NetBSD and QNX. On mobile devices we can install client apps for iOS and Android. OpenVPN can also be configured on selected routers, so that the entire network connects through the VPN and individual devices do not need to be configured.
Most VPN vendors base their own client applications on OpenVPN. The stock OpenVPN application is not very user-friendly to configure, because the user still has to download the appropriate configuration files from the provider and import them, which can be difficult for less advanced users. For this reason most VPN providers offer both a user-friendly, easy-to-use application of their own and the configuration files and credentials needed for the original OpenVPN application.
So far there is no indication that OpenVPN's connection security has been compromised, and it remains the safest of all available VPN protocols.
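Since the security you actually get from OpenVPN depends on the cipher, HMAC and TLS settings in the provider's configuration file, here is an added example (not from the original article, and not OpenVPN's or any provider's code) of a small audit script for an `.ovpn` client config. Both sample configs are constructed for illustration; the acceptable-algorithm lists are an assumed policy, not an OpenVPN default; the directive names (`remote`, `proto`, `cipher`, `auth`, `tls-version-min`, `remote-cert-tls`) are real OpenVPN directives.

```python
# Constructed sample client configs (illustrative, not a real provider's files).
WEAK_OVPN = """\
client
dev tun
proto tcp
remote vpn.example.test 443
# Legacy settings still found in old provider bundles:
cipher BF-CBC
auth SHA1
tls-version-min 1.0
ca ca.crt
cert client.crt
key client.key
"""

HARDENED_OVPN = """\
client
dev tun
proto tcp
remote vpn.example.test 443
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
"""

# Assumed policy for this example: AEAD or AES-CBC data ciphers, SHA-2 HMACs, TLS 1.2+.
ACCEPTABLE_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305",
                      "AES-256-CBC", "AES-128-CBC"}
ACCEPTABLE_AUTH = {"SHA256", "SHA384", "SHA512"}


def parse_ovpn(text: str) -> dict:
    """Map each directive name to the list of argument lists seen for it.
    In OpenVPN config syntax, lines starting with '#' or ';' are comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def first_arg(directives: dict, name: str, default=None):
    """First argument of the first occurrence of a directive, or the default."""
    occurrences = directives.get(name)
    return occurrences[0][0] if occurrences and occurrences[0] else default


def audit_ovpn(text: str):
    """Return (summary, findings) for a client config; findings is empty when it meets the policy."""
    d = parse_ovpn(text)
    remote = d.get("remote", [[]])[0]
    summary = {
        "proto": first_arg(d, "proto", "udp"),             # OpenVPN defaults to UDP
        "host": remote[0] if remote else None,
        "port": remote[1] if len(remote) > 1 else "1194",  # OpenVPN's default port
        "cipher": (first_arg(d, "cipher") or "").upper(),
        "auth": (first_arg(d, "auth") or "SHA1").upper(),  # OpenVPN's default HMAC
        "tls_min": first_arg(d, "tls-version-min", "1.0"),
    }
    findings = []
    if summary["cipher"] not in ACCEPTABLE_CIPHERS:
        findings.append(f"cipher '{summary['cipher']}': use AES-GCM or ChaCha20-Poly1305")
    # With AEAD ciphers (GCM, Poly1305) 'auth' only affects the control channel,
    # but a SHA-2 HMAC is still the sensible setting for CBC modes.
    if summary["auth"] not in ACCEPTABLE_AUTH:
        findings.append(f"auth '{summary['auth']}': prefer a SHA-2 HMAC")
    if tuple(int(x) for x in summary["tls_min"].split(".")) < (1, 2):
        findings.append(f"tls-version-min {summary['tls_min']}: require at least 1.2")
    if "remote-cert-tls" not in d:
        findings.append("remote-cert-tls server missing: client cannot reject a non-server certificate")
    return summary, findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_OVPN), ("hardened", HARDENED_OVPN)):
        summary, findings = audit_ovpn(cfg)
        print(label, summary, findings or "OK")
```

Run against the first config it reports the legacy Blowfish cipher, the SHA-1 HMAC, the TLS 1.0 floor and the missing server-certificate check; the second config produces no findings. The port and protocol are reported too, which is how you confirm a provider's "runs on TCP 443" claim from the file itself rather than from the marketing page.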
- Open source code
- Very secure
- Allows a wide choice of encryption algorithms
- Offers great configuration flexibility
- Configuration (if we do not use the application provided by the VPN provider) is much more demanding than for other protocols
- An additional client application must be installed to use it
Summary
If you care about maximum protection and privacy, OpenVPN is the obvious choice. Of the other protocols, IKEv2 comes next after OpenVPN: it is easy for the user, needs no additional applications and offers a high level of security, so it also provides effective protection on the Internet. L2TP/IPSec and SSTP are not bad, but the two protocols just mentioned do the job much better.
Do not use PPTP if you want to protect your privacy and connect securely; it is not considered a secure protocol. The only exception is when the VPN is needed merely to change your IP address to watch a video blocked in the country you are in, since then the VPN's security level does not matter.