Most VPN services give you the choice of multiple VPN protocols, but which protocol is the best choice? Each protocol does have it’s own advantages (and drawbacks) so the one you choose will likely depend on a few factors, including:
- Your intended use for the VPN
- Whether you’re willing to trade security for speed
- What device you’re connecting from (some devices/platforms don’t support every protocol.)
This article will compare the 4 major VPN protocols in depth, which are:
We’ll show you the strengths and weaknesses of each (mostly in layman’s terms) and help you have a better understanding of which protocols are best suited for specific needs or purposes.[mwm-box color=”gray”]When in doubt, OpenVPN is usually the safest choice (assuming you have the option)[/mwm-box]
VPN Protocol Comparison
Here’s a quick comparison of the four VPN protocols (PPTP, L2TP/IPSEC, SSTP, and OpenVPN). It will give you a good idea of the advantages of each, and when to choose each option.
|All Major: PC, Mac, Linux, iPhone, Android, some routers.
|All Major: PC, Mac, Linux, iPhone, Android, some routers
|Windows PC's only
|All major platforms (requires software installation). Routers (with custom firmware)
|Weak. Considered broken by NSA
|Strong. Data is double encrypted and authenticated
|Strongest. Data is encrypted and verified using certificates.
|Very fast (because of light encryption)
|Medium (double encryption/validation is slow)
|Very Fast. Faster than PPTP over long distances.
|Low-security uses (media streaming, Netflix, etc).
|Any. Most secure option if OpenVPN is not available.
|Getting through firewalls. SSTP disguises traffic as regular SSL traffic.
|Everything. OpenVPN is extremely strong, fast, and flexible.
PPTP stands for ‘Point to Point Tunneling Protocol’. It is one of the early VPN algorithms developed by Microsoft, and is natively supported on nearly all computer and smartphone platforms. iOS and Android devices both have native PPTP VPN support.
The PPTP protocol uses up to 128-bit session keys encrypted with the RC4 encryption algorithm. While RC4 is fast, versatile, and lightweight, it also has several known vulnerabilities.
Recent NSA documents leaked by Edward Snowden, and published by the German magazine Der Spiegel show just how vulnerable the PPTP protocol is, with one slideshow (shown below) highlighting numerous PPTP decryption successes by the agency.
PPTP’s primary advantage is it’s speed. Because it uses lightweight encryption, it takes up little bandwidth (low encryption overhead) and is effective even on devices with low processing power. Over short to moderate distances (up to several thousand miles) it will usually outperform OpenVPN on speed tests.
PPTP should be considered extremely vulnerable, and as such, is not a viable alternative for any use that requires high security, especially when there are better options available (almost every device that supports PPTP also supports the much stronger L2TP/IPsec).
PPTP should only be used for purposes where speed and location are the primary goals of VPN use (as opposed to encryption). This means PPTP may still be useful for unblocking geo-restricted websites, preventing HD video throttling, and streaming videos from websites like Netflix, Youtube, Hulu, etc.
It’s fast, but only useful for low-security purposes like media streaming/unblocking or bittorrent.
- Fast (because of low-strength encryption)
- Natively supported on most platforms
- Easy to set up (only requires username/password/server location)
- Low encryption strength
- Doesn’t natively validate data. Vulnerable to bit-flipping attacks.
- Multiple known vulnerabilities/attack vectors
- Confirmed to be compromised by the NSA
Learn even more: A closer look at the PPTP protocol
L2TP/IPsec is the combination of two protocols to create a VPN tunnel.
L2TP (or ‘Layer 2 Tunneling Protocol’) is a tunneling protocol that allows the transport of data packets between two end points. L2TP does not include any encryption capabilities on its own, so it is often combined with an encryption protocol. The most common encryption protocol used with L2TP is IPsec (short for ‘Internet Protocol Security’).
IPsec supports multiple encryption algorithms, including AES, and CBC with 256-bit session keys. When using an L2TP/IPsec VPN, IKEv2 is usually used to exchange secret keys between client and server for each new VPN connection.
L2TP/IPsec is a very stable protocol and is natively supported on most major platforms, including Windows, Mac, Linux, iOS, and Android.
L2TP/IPsec uses 256-bit session encryption (very strong). It also supports data authentication, which helps prevent man-in-the-middle attacks and other active VPN attacks. Data authentication uses cryptographic hash functions, to verify that the payload each data packet has not been changed in-transit.
L2TP/IPsec is considered quite secure, and benefits from its flexibility to employ a range of cryptographic algorithms from the IPsec security suite. There is recent evidence that L2TP/IPsec may be vulnerable to NSA decryption, though this weakness is probably only exploitable by organizations with massive funding (national security agencies) as opposed to casual hackers.
Because L2TP VPN data is double encrypted and authenticated, it will usually be slower than the same data transmitted via PPTP or OpenVPN.
L2TP/IPsec is a highly flexible VPN protocol and can be used for most VPN applications. It is natively supported on most devices and should be your default option if OpenVPN isn’t an option.
Advantages of L2TP/IPsec
- Strong encryption
- Flexible, useful for a wide range of applications
- Data authentication
- Widely supported by most computers, OS’s, and smartphones
Disadvantages of L2TP/IPsec
- Not as fast as OpenVPN
- May be vulnerable to NSA (but still much stronger than PPTP)
SSL is the same technology used to secure https websites. The advantage of using a VPN over SSL is that you can disguise VPN traffic as regular https traffic (using TCP port 443) which makes SSTP very useful for getting through firewalls that block other VPN protocols. OpenVPN has this ability as well.
SSTP is only to the windows platform and is not supported by Mac, iOS or Android devices. As a result it is not widely used, and is only supported by a few consumer VPN services.
When to use SSTP
The most common use for SSTP is as a ‘Stealth’ VPN protocol, in order to unblock content that is otherwise restricted by a network firewall. Some routers/networks attempt to block VPN traffic, so SSTP may be a useful option for gaining access.
- Can disguise VPN traffic as SSL/Https (hard to block)
- Only available on Windows platforms (Vista SP1 and newer)
- Not widely supported by VPN companies
- Closed-source (can’t be independently audited by security experts)
OpenVPN is quickly becoming the most popular VPN protocol among subscribers to consumer-grade personal VPN services. Most top VPN providers offer a custom branded OpenVPN client for windows/mac which allows users to easily create VPN connections and switch servers with no manual setup required.
OpenVPN can transport data via both TCP and UDP protocols (discussed later).
OpenVPN is an open-source VPN technology based on the OpenSSL library. While not natively supported by any devices (except DD-WRT routers) you can easily add OpenVPN support to Mac/Windows/Linux/iOS/Android devices simply by installing free OpenVPN software. You can use an all-in-one client like OpenVPN’s own free client software, or use the custom desktop openVPN software included with VPN subscriptions from many of the top VPN companies.
By integrating OpenVPN into custom software, VPN providers are able to build extra custom features into their software, such as:
- IP address monitoring
- Easy server switching
- Automated IP rotation
- Smart server selection
- IP leak protection
- and more…
OpenVPN is the most flexible VPN protocol, and can be used with a vast library of encryption algorithms and authentication methods. It also offers adjustable encryption strength, configurable at the server level. For most users, OpenVPN is the best all-around protocol option (assuming your device supports it).
So far there is no evidence that the NSA has been able to reliably break OpenVPN encryption.
OpenVPN servers are highly configurable, and can use any combination of the OpenSSL library’s available encryption and authentication ciphers. This includes NIST standard algorithms like AES (Advanced Encryption Standard) which is trusted by the U.S. government and military for secure communications.
The library also includes non NIST-approved algorithms like Camellia and SEED. These algorithms may be preferable to extremely privacy-aware individuals, as there is some suspicion that the NSA may have attempted to deliberately weaken encryption standards. So far very few VPN providers have integrated these non-standard algorithms into their software.
OpenVPN supports up to 256-bit session encryption, and 4096-bit keys
As a point of reference, 2048-bit RSA keys are considered safe until 2030. 4096-bit keys are 2^2048 times as strong as 2048-bit keys.
Perfect Forward Secrecy
OpenVPN is capable of Perfect Forward Secrecy, which means that unique encryption keys are generated for every new VPN session. The advantage of this, is that even if an individual session key is stolen/discovered, it won’t compromise the security of either past or future VPN sessions. Each VPN session has its own key, which can only be used to decrypt data for that session.
This makes OpenVPN highly secure, and is a large part of why it’s the protocol of choice for the U.S. government.
This is in stark contrast to PPTP or L2TP, where just knowing your VPN password would compromise all future VPN sessions.
OpenVPN device compatibility
While not natively supported by any platform, 3rd party software has added OpenVPN support for multiple platforms including:
OpenVPN for routers
Many modern wifi routers can now support direct OpenVPN connections by installing (free) 3rd-party router firmware such as:
The advantage if connecting your router directly to an OpenVPN server is that you can give your entire network of wifi devices access to the VPN, simply by connecting them to the wireless router.
Installing 3rd-party firmware on your router does come with the slight risk of bricking your device, but there are tons of good tutorials showing you exactly how to install DD-WRT on your router, which will add tons of functionality including VPN access and bandwidth management.
TCP vs UDP for OpenVPN
Each protocol does have it’s own advantages, so here’s a quick explanation:
TCP verifies the delivery of each data packet, UDP doesn’t.
While you might assume that delivery confirmation is always a good thing, realize that TCP connections must wait for delivery confirmation before sending the next packet (or resending the current packet.
Over short distances this is fine, but if you’re connecting to a VPN server halfway around the world, your speed will slow dramatically while waiting for each delivery response.
UDP on the other hand is much faster because it doesn’t check for data errors, packet ordering, or delivery confirmation.
The speed difference you experience between TCP and UDP over OpenVPN will depend on several factors including:
- How far away the VPN server is
- Your connection bandwidth
- What sort of data you’re transmitting
If 100% accurate data transmission is important to you (like if you’re transferring large files via http) then TCP is a better choice. If speed is more important than an occasional dropped packet, then opt for UDP. I find myself using UDP ports most often.
TCP port# 443 (Stealth Mode)
OpenVPN can use TCP port 443 to disguise VPN traffic as regular SSL traffic. This is useful for getting through firewalls that block VPN traffic on other ports.
Choose OpenVPN TCP if:
- Speed isn’t important
- You want data verification/error checking
Choose OpenVPN UDP for:
All high-bandwidth activities where you want the most speed possible. Examples include:
- Video streaming such as Netflix, Skype, or Youtube
OpenVPN for Smarphones (iOS/Android)
There is increasing support for OpenVPN on both iOS and Android devices (though support is still stronger on Android).
There are two options for using OpenVPN on your mobile device:
- Use the official OpenVPN client for iOS or Android (and import the correct settings from your VPN provider)
- Use your VPN provider’s own mobile app (if they have one).
The OpenVPN connect client is a solid option, and it allows you to import OpenVPN certificates from multiple VPN providers, so you can access multiple VPN services from the same application.
The setup is a bit more complicated than 1-click custom VPN apps, but you only have to do it once (and there are good guides available).
Custom VPN Clients for iOS/Android
Developing a standalone VPN client for mobile is expensive, so only the most popular VPN services are willing to spend money on mobile development. There are several excellent mobile VPN clients available from high quality VPN providers, including:
We’ve discussed the strengths and weaknesses of the 4 major VPN protocols, and you should now have a pretty good idea of when to use each protocol.
Hint: When available, use OpenVPN.
Let’s recap what we learned about each:
It’s supported on most devices, and offers fast speeds, but it’s highly vulnerable and the NSA is almost certainly capable of decrypting PPTP traffic. Use it only for low-security applications like media streaming, web browsing, and light filesharing.
This protocol is widely supported (natively on windows, mac, iOS/Android) and allows data encryption up to 256-bit AES. It is robust and includes data authentication capability. The downside is it’s slower than OpenVPN, and may be vulnerable to NSA attacks
This microsoft-developed protocol can disguise VPN traffic as regular SSL traffic, making it useful for evading firewalls and other censorship technology. It is well integrated with the windows platform, but is not supported on other (non-windows) devices.
It is useful primarily for it’s stability in windows devices, and SSL ‘stealth’ ability, though OpenVPN can offer the same functionality.
OpenVPN is the one-size-fits all VPN solution, and will be most users’ first choice (as long as you’re using a supported device). OpenVPN requires special software to connect, but that software can also add extra functionality and security features beyond what other manual VPN setups offer.
Even unsupported devices/platforms can still use OpenVPN connections by connecting them to an OpenVPN-enabled router or network.
OpenVPN offers excellent security, custom encryption configurations, UDP & TCP protocols, Stealth mode, and more.
So far OpenVPN has the best track record of resisting NSA decryption methods, and is the VPN protocol of choice for high-security applications and organizations worldwide.
References and further reading:
Final Thoughts and Questions
Thank you so much for taking the time to read this article. If you have any questions related to the topics I’ve covered, please feel free to leave them in the comments, and we’ll answer them as best we can.
Be well, and stay encrypted!