What is a VPN protocol and why should you know the different options?
Since most VPN providers offer a variety of VPN protocols to choose from, it is a good idea to understand the pros and cons of the different options so that you can choose the one that best suits your needs.
In this guide we will compare the two most popular VPN protocols, OpenVPN and IPSec, and also look at L2TP/IPSec, IKEv2/IPSec, WireGuard, PPTP and SSTP, giving a brief overview of the pros and cons of each VPN protocol.
So let's dive in.
What is a VPN protocol?
A VPN protocol is a set of rules for establishing a secure, encrypted connection between a device and a VPN server for transferring data.
Most commercial VPN providers offer a variety of VPN protocols that you can select in your VPN client. For example, in the screenshot below I am testing ExpressVPN and can choose between OpenVPN UDP, OpenVPN TCP, SSTP, L2TP/IPSec and PPTP.
Now let's take a close look at each VPN protocol.
OpenVPN
OpenVPN is a versatile open source VPN protocol developed by OpenVPN Technologies. It is arguably the most secure and most popular VPN protocol in use today and has passed various third-party security audits.
OpenVPN is generally considered the industry standard when implemented correctly and uses SSL/TLS for key exchange. It provides full confidentiality, authentication and integrity, and is flexible enough for a wide range of use cases.
Setup: OpenVPN requires dedicated client software rather than being built into operating systems. Most VPN services offer custom OpenVPN applications for different operating systems and devices, and installation is usually quick and easy. OpenVPN can be used on all major platforms through third-party clients: Windows, Mac OS, Linux, Apple iOS, Android and various routers (check firmware compatibility).
Encryption: OpenVPN uses the OpenSSL library and the TLS protocol to provide encryption. OpenSSL supports many different algorithms and ciphers, including AES, Blowfish, Camellia and ChaCha20.
Security: OpenVPN is considered the most secure VPN protocol, provided it is implemented correctly. It has no major known vulnerabilities.
Performance: OpenVPN offers good performance, especially when run over UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). Whether used on a wireless network or a cellular network, OpenVPN is very stable and reliable. If you experience connectivity problems, you can use OpenVPN over TCP, which acknowledges every packet sent, at the cost of speed.
Port: OpenVPN can be run on any port, using either UDP or TCP.
Verdict: Highly recommended.
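"Provided it is implemented correctly" is doing a lot of work in that verdict: the cipher, the HMAC, the server-role check and the control-channel protection are all chosen in the client profile, not by the protocol. The following script is an added example (not OpenVPN's own tooling, and not from the article) that reads an .ovpn profile and flags weak or missing settings. The two profiles embedded at the bottom are constructed for this example; the host name vpn.example.test and the certificate/key text inside the inline blocks are placeholders.

```python
"""Audit an OpenVPN client profile (.ovpn) for settings that break the
"implemented correctly" caveat. Added example, not OpenVPN's own tooling.
The two profiles at the bottom are constructed; their <ca>/<tls-crypt>
contents are placeholder text, not real certificates or keys."""
import re

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "none"}
WEAK_AUTH = {"MD5", "SHA1", "none"}
FRAMING_ONLY = ([], ["stub"], ["stub-v2"])   # 'compress' forms that do not compress


def parse_profile(text):
    """Map each directive to the args of its last occurrence and collect the
    names of inline <tag>...</tag> blocks (ca, cert, key, tls-crypt, ...)."""
    directives, blocks, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<(/?)([a-z0-9-]+)>", line)
        if tag:
            current = None if tag.group(1) else tag.group(2)
            if current:
                blocks.add(current)
        elif current is None:                 # skip PEM material inside blocks
            parts = line.split()
            directives[parts[0]] = parts[1:]
    return directives, blocks


def first_arg(directives, name, default=None):
    args = directives.get(name)
    return args[0] if args else default


def audit(text):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    d, blocks = parse_profile(text)
    findings = []
    cipher = first_arg(d, "cipher")
    if cipher in WEAK_CIPHERS:
        findings.append(("WEAK_CIPHER", f"cipher {cipher}; prefer AES-256-GCM or CHACHA20-POLY1305"))
    elif cipher is None and not ({"data-ciphers", "ncp-ciphers"} & set(d)):
        findings.append(("NO_CIPHER", "no cipher/data-ciphers; old clients fall back to BF-CBC"))
    auth = first_arg(d, "auth", "SHA1")        # OpenVPN's default HMAC digest is SHA1
    if auth in WEAK_AUTH:
        findings.append(("WEAK_AUTH", f"auth {auth}; use SHA256 or stronger"))
    if first_arg(d, "remote-cert-tls") != "server":
        findings.append(("NO_SERVER_ROLE_CHECK",
                         "missing 'remote-cert-tls server'; any cert from the CA could pose as the server"))
    if not ({"tls-auth", "tls-crypt", "tls-crypt-v2"} & (set(d) | blocks)):
        findings.append(("NO_CONTROL_CHANNEL_HMAC",
                         "no tls-auth/tls-crypt; control channel accepts unauthenticated packets"))
    if d.get("comp-lzo", ["no"]) != ["no"] or d.get("compress", []) not in FRAMING_ONLY:
        findings.append(("COMPRESSION", "compression enabled; exposes data to compression-oracle attacks"))
    if "tls-version-min" not in d:
        findings.append(("NO_TLS_MIN", "no tls-version-min; add 'tls-version-min 1.2'"))
    return findings


# Constructed sample profiles (placeholder host, placeholder PEM contents).
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.test 1194
cipher BF-CBC
auth SHA1
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.test 1194
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA256
remote-cert-tls server
tls-version-min 1.2
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERTIFICATE
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TLS-CRYPT-KEY
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{name}: {len(audit(profile))} finding(s)")
        for code, msg in audit(profile):
            print(f"  [{code}] {msg}")
```

The checks reflect how OpenVPN actually behaves: `auth` defaults to SHA1 when omitted, `comp-lzo` with no argument enables compression while `comp-lzo no` disables it, and without `remote-cert-tls server` the client does not verify that the peer certificate was issued for the server role. Run it against a provider's downloaded profile before trusting the "industry standard" label.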
What is IPSec?
IPSec, which stands for Internet Protocol Security, is a secure suite of network protocols that authenticates and encrypts packets sent over an IP network. It was developed by the Internet Engineering Task Force. Unlike SSL, which runs at the application layer, IPSec runs at the network layer and is supported natively by many operating systems. Since most operating systems support IPSec natively, it can be used without third-party applications (unlike OpenVPN).
When paired with L2TP or IKEv2, IPSec has become a very popular protocol for VPN use, as we discuss further below.
IPSec uses the following protocols to protect the entire IP packet:
- Authentication Header (AH), which places a digital signature on each packet; and
- Encapsulating Security Payload (ESP), which provides confidentiality, integrity and authentication for packets in transit.
Leaked NSA presentation: No discussion of IPSec would be complete without mentioning the leaked NSA presentation that discusses NSA efforts against the IPSec protocols (L2TP and IKE). Based on the vague references in that dated presentation, it is difficult to draw any concrete conclusions. However, if your threat model includes targeted surveillance by sophisticated state-level actors, you may want to consider a more secure protocol such as OpenVPN. That said, if implemented correctly, the IPSec protocols are still widely considered secure.
Now we will look at how IPSec works with VPNs when paired with L2TP and IKEv2.
IKEv2/IPSec
What is IKEv2/IPSec?
IKEv2, which stands for Internet Key Exchange version 2, is a tunneling protocol standardized in RFC 7296. It was developed as a joint project between Cisco and Microsoft. For maximum security when used with a VPN, IKEv2 is paired with IPSec.
The first version of IKE (Internet Key Exchange) was released in 1998, and the second version followed seven years later in December 2005. Compared with other VPN protocols, IKEv2 has advantages in speed, security, stability, CPU usage and the ability to re-establish connections. This makes it an ideal choice for mobile users, especially on iOS (Apple) devices, which support IKEv2 natively.
Setup: Setup is usually quick and easy and requires you to import the configuration file for the server you want to use from the VPN provider. (See the full privacy example of this setup.) IKEv2 is natively supported on Windows 7+, Mac OS 10.11+, BlackBerry and iOS (iPhone and iPad), as well as some Android devices. Some operating systems also support an "always on" feature, which forces all Internet traffic through the VPN tunnel to ensure no data leaks.
Encryption: IKEv2 uses a number of encryption algorithms, including AES, Blowfish, Camellia and 3DES.
Security: One disadvantage of IKEv2/IPSec is that it is closed source, developed by Cisco and Microsoft (although open source implementations exist). On the positive side, IKEv2 is widely considered one of the fastest and most secure protocols, making it a popular choice for VPN users.
Performance: In many cases IKEv2 is faster than OpenVPN because it is less CPU-intensive. However, many variables affect speed, so this may not hold for every use case. From a mobile user's perspective, IKEv2 may be the best choice because of how well it handles reconnection.
Port: IKEv2 uses UDP 500 for the initial key exchange and UDP 4500 for NAT traversal.
Verdict: Recommended.
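The two ports listed above carry different framing, which matters when you are writing a detection for IKEv2 tunnels or debugging why a tunnel will not come up behind NAT. The decoder below is an added example (not from the article or from any IKE implementation) that parses the fixed IKEv2 header defined in RFC 7296 section 3.1 and handles the UDP 4500 case from RFC 3948, where IKE messages are preceded by a four-byte non-ESP marker of zeros and any other first word means the payload is ESP-in-UDP. The three sample packets are constructed; the SPI values and the eight-byte dummy body are placeholders.

```python
"""Decode the fixed IKEv2 header (RFC 7296, section 3.1) from a UDP payload.

Added example, not from the article or any IKE implementation. On UDP 500 the
IKE header starts at byte 0; on UDP 4500 (NAT traversal, RFC 3948) an IKE
message is preceded by a four-byte non-ESP marker of zeros, and a non-zero
first word means the payload is ESP (SPI + sequence number) instead.
The sample packets at the bottom are constructed."""
import struct

HEADER = struct.Struct("!8s8sBBBBII")      # 28-byte fixed header
IKE_VERSION_2 = 0x20                       # major 2, minor 0
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {0: "NONE", 33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT",
                 38: "CERTREQ", 39: "AUTH", 40: "Nonce", 41: "N", 42: "D",
                 43: "V", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP", 48: "EAP"}
FLAG_INITIATOR, FLAG_VERSION, FLAG_RESPONSE = 0x08, 0x10, 0x20
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def decode_udp_payload(payload: bytes, dst_port: int) -> dict:
    """Classify a UDP payload seen on port 500 or 4500 and decode its IKE header."""
    if dst_port == 4500:
        if len(payload) < 8:
            raise ValueError("too short for ESP or IKE on 4500")
        if payload[:4] != NON_ESP_MARKER:
            spi, seq = struct.unpack("!II", payload[:8])      # ESP-in-UDP
            return {"kind": "ESP", "spi": spi, "seq": seq}
        payload = payload[4:]                                # strip the marker
    elif dst_port != 500:
        raise ValueError(f"port {dst_port} is not an IKE port")
    if len(payload) < HEADER.size:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, nxt, version, exch, flags, msg_id, length = HEADER.unpack_from(payload)
    return {
        "kind": "IKE",
        "initiator_spi": spi_i.hex(),
        "responder_spi": spi_r.hex(),          # all zeros in the first IKE_SA_INIT
        "major": version >> 4,
        "minor": version & 0x0F,
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "next_payload": PAYLOAD_TYPES.get(nxt, f"unknown({nxt})"),
        "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE),
        "message_id": msg_id,
        "length": length,
        "length_ok": length == len(payload),   # mismatch means truncated or malformed
    }


def build_ike_message(spi_i, spi_r, next_payload, exchange, flags, msg_id, body=b""):
    """Assemble an IKEv2 message with a correct Length field (used for the samples)."""
    return HEADER.pack(spi_i, spi_r, next_payload, IKE_VERSION_2, exchange,
                       flags, msg_id, HEADER.size + len(body)) + body


# Constructed samples: the first message of a tunnel (IKE_SA_INIT request with
# a zero responder SPI), the same message behind NAT on port 4500, and an
# ESP-in-UDP packet with SPI 0x1234 and sequence number 1.
SA_INIT = build_ike_message(b"\x01" * 8, b"\x00" * 8, 33, 34, FLAG_INITIATOR, 0, b"\x00" * 8)
SA_INIT_NAT_T = NON_ESP_MARKER + SA_INIT
ESP_NAT_T = b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + b"\xaa" * 16

if __name__ == "__main__":
    for port, pkt in ((500, SA_INIT), (4500, SA_INIT_NAT_T), (4500, ESP_NAT_T)):
        print(port, decode_udp_payload(pkt, port))
```

For a defender the useful fields are the exchange type and the flags: an IKE_SA_INIT with a zero responder SPI and message ID 0 marks a new tunnel attempt, and the `length_ok` check catches payloads whose header claims more data than the datagram carries.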
L2TP/IPSec
Layer 2 Tunneling Protocol (L2TP) paired with IPSec is another popular VPN protocol that is supported by many operating systems. L2TP/IPSec is standardized in RFC 3193 and provides confidentiality, authentication and integrity.
Setup: Setting up L2TP/IPSec is usually quick and easy. It is natively supported on many operating systems, including Windows 2000/XP and later, Mac OS 10.3+ and most Android versions. Just like IKEv2/IPSec, you only need to import the configuration file from the VPN provider.
Encryption: L2TP/IPSec encrypts data twice using the standard IPSec protocol.
Security: L2TP/IPSec is generally considered secure and has no major known issues. However, like IKEv2/IPSec, L2TP/IPSec was also developed by Cisco and Microsoft, which raises questions about trust.
Performance: The performance of L2TP/IPSec varies. On the one hand, encryption and decryption take place in the kernel and it supports multithreading, which should increase speed. On the other hand, because it encapsulates the data twice, it may not be as fast as other options.
Port: L2TP/IPSec uses UDP 500 for the initial key exchange, UDP 1701 for the initial L2TP configuration and UDP 4500 for NAT traversal. It is easier to block than OpenVPN because it depends on fixed protocols and ports.
Verdict: L2TP/IPSec is not a bad choice, but you may prefer IKEv2/IPSec or OpenVPN (if available).
WireGuard
WireGuard is a new, experimental VPN protocol designed to offer better performance and security than existing protocols.
As we explained in the main WireGuard VPN guide, this protocol has some interesting performance benefits, but it also has some notable shortcomings. The main drawbacks are:
- WireGuard is still under heavy development and has not been audited.
- Some VPN services have raised concerns about running WireGuard without logs (a privacy shortcoming).
- Adoption in the VPN industry is very limited (at least for now).
- TCP is not supported.
Setup: WireGuard is not yet built into any operating system, although this may change over time as it is incorporated into the Linux kernel and into Mac OS and mobile devices. Only a very limited number of VPNs support WireGuard; consult your provider for setup instructions.
Encryption: WireGuard uses Curve25519 for key exchange, ChaCha20 and Poly1305 for authenticated encryption of data, and BLAKE2 for hashing.
Security: The main security concern with WireGuard is that it has not been audited and is still under heavy development. Some VPNs already offer WireGuard to their users for "testing" purposes, but given the state of the project, WireGuard should not be used where privacy and security matter.
Performance: In theory, WireGuard should offer excellent speed, reliability and battery consumption. It may be an ideal protocol for mobile users because it lets you switch between network interfaces without losing the connection. Reconnection should also be much faster than with OpenVPN and IPSec.
Port: WireGuard uses UDP and can be configured on any port. Unfortunately there is no TCP support, which makes it easier to block.
Verdict: Not recommended yet, but we will keep a close eye on the project's development.
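The Encryption line above lists BLAKE2 among WireGuard's primitives without saying where it is used. One place is the mac1 field of every handshake message: the responder keys BLAKE2s with a hash of its own public key and will not spend any Curve25519 work on, or reply to, an initiation whose mac1 does not verify, which is why a WireGuard endpoint stays silent to anyone who does not already know its public key. The code below is an added example (not from the article or the WireGuard project) that builds and checks mac1 on a handshake-initiation message following the layout and formula in the WireGuard protocol specification. The responder public key and the field contents are constructed placeholders, not real key material.

```python
"""Compute and verify mac1 on a WireGuard handshake-initiation message.

Added example, not from the article or the WireGuard project. Per the
WireGuard specification: HASH is BLAKE2s with a 32-byte output, MAC(key, data)
is keyed BLAKE2s with a 16-byte output, and
    mac1 = MAC(HASH("mac1----" || responder_static_public), msg[:116])
over the 148-byte initiation message. Keys and field contents below are
constructed placeholders."""
import hashlib
import hmac

LABEL_MAC1 = b"mac1----"
MSG_TYPE_INITIATION = 1
# type(1) reserved(3) sender(4) ephemeral(32) static(48) timestamp(28) mac1(16) mac2(16)
MAC1_OFFSET, MAC2_OFFSET, INITIATION_LEN = 116, 132, 148


def wg_hash(data: bytes) -> bytes:
    return hashlib.blake2s(data).digest()                      # 32-byte BLAKE2s


def wg_mac(key: bytes, data: bytes) -> bytes:
    return hashlib.blake2s(data, digest_size=16, key=key).digest()


def mac1_key(responder_static_public: bytes) -> bytes:
    """Derived once per peer: HASH(LABEL_MAC1 || responder public key)."""
    return wg_hash(LABEL_MAC1 + responder_static_public)


def compute_mac1(responder_static_public: bytes, msg: bytes) -> bytes:
    return wg_mac(mac1_key(responder_static_public), msg[:MAC1_OFFSET])


def verify_initiation_mac1(responder_static_public: bytes, msg: bytes) -> bool:
    """What a responder checks before doing any Curve25519 work on the message."""
    if (len(msg) != INITIATION_LEN or msg[0] != MSG_TYPE_INITIATION
            or msg[1:4] != b"\x00\x00\x00"):
        return False
    expected = compute_mac1(responder_static_public, msg)
    return hmac.compare_digest(expected, msg[MAC1_OFFSET:MAC2_OFFSET])


def build_initiation(responder_static_public, sender_index, ephemeral, enc_static, enc_timestamp):
    """Assemble an initiation with a valid mac1 and an all-zero mac2 (no cookie in effect)."""
    body = (bytes([MSG_TYPE_INITIATION, 0, 0, 0]) + sender_index.to_bytes(4, "little")
            + ephemeral + enc_static + enc_timestamp)
    if len(body) != MAC1_OFFSET:
        raise ValueError("field sizes must be 32, 48 and 28 bytes")
    return body + compute_mac1(responder_static_public, body) + b"\x00" * 16


# Constructed sample: placeholder responder public key and dummy field contents.
RESPONDER_PUB = bytes(range(32))
SAMPLE = build_initiation(RESPONDER_PUB, 7, b"\x11" * 32, b"\x22" * 48, b"\x33" * 28)

if __name__ == "__main__":
    print("valid:", verify_initiation_mac1(RESPONDER_PUB, SAMPLE))
    print("wrong responder key:", verify_initiation_mac1(bytes(32), SAMPLE))
```

The comparison uses `hmac.compare_digest` so the check itself does not leak timing information, and the mac1 key is derived from the responder's public key only, so the responder can compute it once and compare before touching any per-message state.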
PPTP
PPTP stands for Point-to-Point Tunneling Protocol and is one of the oldest VPN protocols still in use today. It runs on TCP port 1723 and was originally developed by Microsoft.
Due to serious security flaws, PPTP is now largely obsolete. We won't spend much time on PPTP because most people no longer use it.
PPTP is natively supported on all versions of Windows and most other operating systems. Although it is relatively fast, PPTP is not as reliable as OpenVPN and cannot recover connections as quickly.
In general, PPTP should not be used in any situation where security and privacy matter. If you only use a VPN to unblock content, PPTP may not be a bad choice, but there are more secure options to consider.
Verdict: Not recommended.
SSTP
Like PPTP, SSTP is not widely used in the VPN industry, but unlike PPTP it has no major known security issues.
SSTP stands for Secure Socket Tunneling Protocol and is a Microsoft product that was originally available only for Windows. Although SSTP is also considered very secure, the fact that it is a closed source Microsoft product is an obvious drawback.
SSTP transmits traffic over the SSL (Secure Sockets Layer) protocol on TCP port 443. This makes it useful in restricted network environments, such as in China. Other operating systems besides Windows are supported, but it is not widely used.
Since SSTP is closed source and fully owned and maintained by Microsoft, you may want to consider other options. Of course, if all other protocols are blocked on your network, SSTP may still be the best choice.
In terms of performance, SSTP works well: it is fast, stable and secure. Unfortunately, few VPN providers support SSTP. For many years ExpressVPN supported SSTP in its Windows client, but it no longer does so today.
Verdict: SSTP may be useful if other VPN protocols are blocked, but OpenVPN is a better choice (if available).
OpenVPN UDP vs. OpenVPN TCP
Since OpenVPN is the most popular VPN protocol, you can usually choose between two variants: OpenVPN UDP or OpenVPN TCP. So which one should you choose? Below I am testing NordVPN, which lets me choose between the TCP and UDP protocols.
Here is a brief overview of the two transport protocols:
- TCP (Transmission Control Protocol): TCP is the more reliable of the two, but it comes with some performance drawbacks. With TCP, each packet is sent only after the previous packet has been acknowledged, which slows things down. If no acknowledgment is received, the packet is resent; this is known as error correction.
- UDP (User Datagram Protocol): UDP is the faster of the two options. Packets are sent without any acknowledgment, which increases speed but may be less reliable.
By default, OpenVPN UDP is the better choice because it offers superior performance over OpenVPN TCP. However, if you experience connectivity issues, switch to TCP for greater reliability.
TCP is often used to obfuscate VPN traffic so that it looks like regular HTTPS traffic. This is done by running OpenVPN TCP on port 443, with the traffic wrapped in TLS encryption. Many VPN providers offer various forms of obfuscation to defeat VPN blocking, and most of them use OpenVPN TCP.
What is the best VPN protocol?
As we discussed in the best VPN service guide, whether you are choosing a VPN service or a VPN protocol, there is no one-size-fits-all solution. The best protocol for your situation depends on several factors:
- The device you are using: different devices support different protocols.
- Your network: some protocols may not get through if you are in a restricted network environment, such as in China or on school and work networks. Some VPN providers offer a dedicated VPN protocol for these situations; for more on this topic, see the VPN for China guide.
- Performance: some protocols offer significant performance advantages, especially on mobile devices that frequently connect and disconnect.
- Threat model: some protocols are weaker and less secure than others. Choose the VPN protocol that best matches your security and privacy needs based on your threat model.
As a general rule of thumb, however, OpenVPN is arguably the best all-round VPN protocol. It is very secure, trustworthy, widely used in the industry and offers good speed and reliability. If OpenVPN is not suitable for your situation, consider one of the alternatives.
For most VPN services, OpenVPN is the default protocol in their applications, although L2TP/IPSec and IKEv2/IPSec are common in mobile VPN clients.
VPN protocol conclusion
This VPN protocol guide is intended as a basic overview of the major VPN protocols currently in use: OpenVPN, L2TP/IPSec, IKEv2/IPSec, WireGuard, PPTP and SSTP.
For more in-depth information about each protocol, you can consult the documentation from the individual developers.
As these VPN protocols continue to evolve, this guide will be updated.