If you are taking your online privacy and security seriously, it’s likely that you have already read our materials covering the different approaches to the subject, including our information on using a VPN.
In this article, we look at the various VPN protocols available, including PPTP vs L2TP/IPsec vs SSTP vs IKEv2 vs OpenVPN. It turns out that they vary in terms of security and should be chosen carefully depending on what activities you want to use your VPN for.
Top Tip - While it is interesting to debate and examine the intricacies of each VPN protocol, it is important to note that for everyday use all of these protocols will mask your true IP address and let you hide behind one provided by your VPN provider.
You will see VPN provider websites touting different protocols that they support. Many VPN apps will let you choose the protocol you wish to use, whether directly in their menus or through the settings.
From the information below, you’ll note that the protocols are generally listed in order from weakest to strongest in terms of security.
>> When you have a choice, use the OpenVPN protocol when available, even for your most sensitive online activities. <<
SSTP and IKEv2 are also good, safe choices unless your activities are likely to come under maximum scrutiny (for example, if you are an activist).
Even PPTP and L2TP/IPsec are fine for keeping your true IP address hidden during non-sensitive web browsing or content streaming (but they are probably best not used for more sensitive activities such as torrent file-sharing or Usenet).
Summary of VPN Protocols
- PPTP – fast and the most widely supported protocol, but it offers only bare-bones security/encryption – suitable for online streaming and everyday web browsing
- L2TP/IPsec – widely supported and offering good encryption protection, but easily detected & blocked – suitable for online streaming and everyday web browsing
- SSTP – difficult for third parties (such as your ISP) to detect and offering good security, but proprietary (may contain backdoors) – suitable for online streaming, everyday web browsing, torrent file-sharing and Usenet protection
- IKEv2 – fast, mobile-friendly, and partially open source using strong encryption, but easily detected & thus blocked by third parties (such as your ISP) - suitable for online streaming, web browsing and all manner of activities on mobile devices
- OpenVPN – open source and offering the strongest encryption - suitable for all activities including sensitive ones such as content gathering by torrent file-sharing and Usenet
VPN Protocols in Detail
Point-to-Point Tunneling Protocol (PPTP) is one of the oldest and most widely used standards in the industry, developed in the 1990s by a consortium led by Microsoft.
The PPTP protocol lacks strong security and encryption measures. Perhaps this shouldn’t be a surprise, as the protocol was developed in the era of dial-up Internet! PPTP therefore relies on add-on components for encryption, such as PPP and MS-CHAPv2, but even these employ only 128-bit encryption. As a result, these protocols are rather insecure and have been cracked in the past. The NSA would have no trouble bypassing the PPTP protocol.
The main advantage of PPTP is its speed and ease of setup, as it is widely supported and already built into many modern platforms. Of course, setup is not something you normally need to worry about as your VPN provider will have taken care of all this in the app it provides to you.
Layer 2 Tunneling Protocol (L2TP) is another commonly supported VPN protocol. It is built into virtually all modern systems, making it widely supported and as easy to set up as PPTP.
L2TP does not encrypt traffic on its own, so it usually comes bundled with the IPsec encryption suite; that’s why you usually see this protocol shown as “L2TP/IPsec”.
IPsec is more secure than PPTP, but is somewhat slower given the way it handles traffic.
However, L2TP does have some weaknesses. Firstly, because it uses UDP port 500, it is relatively easy to identify and block, for example by firewalls. Secondly, the software is proprietary, which raises security questions as the code is not openly available for public scrutiny. Furthermore, many versions of IPsec were meddled with by the NSA and may have had intentional backdoors introduced for “national security” reasons.
Secure Socket Tunneling Protocol (SSTP) was developed by Microsoft and introduced with Windows Vista. While it is available for a number of operating systems, Apple users will have to look for a different solution.
SSTP uses the SSLv3 library and can be configured to use TCP port 443. This is an important advantage, as port 443 is used by the HTTPS protocol that is commonly used to establish a secure connection. In other words, your VPN traffic routed through this port will be indistinguishable from regular HTTPS traffic, and therefore admitted by most firewalls and able to bypass other blocking measures.
SSTP can also be configured to use the strongest encryption ciphers available, including AES, which makes it very secure. Again, remember that the configuration is generally done by your VPN provider, not you.
However, like L2TP/IPsec, SSTP is also proprietary, which makes it vulnerable to backdoors or other weaknesses.
Internet Key Exchange version 2 (IKEv2) is a tunneling protocol which was developed by Microsoft and Cisco, based on IPsec and built into Windows 7 and higher. While it is proprietary, there are a number of open source implementations available for Linux and other operating systems. It’s also one of the few choices supported by Blackberry devices.
IKEv2 is an excellent solution for mobile device users, because it is adept at reconnecting when temporary loss of internet connection occurs or networks are switched.
This protocol is considered quite stable and faster than L2TP, SSTP and PPTP. In addition, it supports the strongest encryption ciphers in the industry. Unfortunately, it uses UDP port 500, which makes it easier to detect and thus block.
OpenVPN is an open source protocol, meaning its source code can be scrutinized for any backdoors or similar security vulnerabilities. It is just as good as SSTP at bypassing firewalls, because it utilizes TCP port 443 making its traffic indistinguishable from HTTPS traffic.
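The point made about L2TP/IPsec and IKEv2 (UDP port 500 is easy for a firewall to spot) versus SSTP and OpenVPN on TCP port 443 (blends in with HTTPS) can be seen by running a simple port-based classifier over connection logs. The script below is an added example written for this article, not code from any VPN provider or project. It assumes a constructed log format of `proto src -> dst:port`, and it adds the standard IANA port assignments for PPTP (TCP 1723 plus GRE), L2TP (UDP 1701), IPsec NAT traversal (UDP 4500) and OpenVPN's default (UDP 1194), which the article itself does not list. It also goes one step beyond the text by showing that a port-only rule cannot separate SSTP or OpenVPN-over-TCP from ordinary HTTPS, which is exactly why those two are hard to block.

```python
"""Port-based VPN protocol classifier for connection-log lines (added example).

Shows which tunnels a plain port/protocol firewall rule can identify and which
ones hide inside the TCP/443 traffic that every HTTPS site already uses.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Well-known transport/port signatures. Only UDP/500 and TCP/443 are named in
# the article; the rest are standard IANA assignments added for this example.
PORT_SIGNATURES: Dict[Tuple[str, Optional[int]], str] = {
    ("tcp", 1723): "PPTP control channel",
    ("gre", None): "PPTP data channel (GRE)",
    ("udp", 500): "IKE / IPsec (L2TP/IPsec or IKEv2)",
    ("udp", 4500): "IPsec NAT traversal",
    ("udp", 1701): "bare L2TP (should only appear inside IPsec)",
    ("udp", 1194): "OpenVPN default port",
}

# TCP/443 is deliberately NOT in the table: HTTPS, SSTP and OpenVPN-over-TCP
# all share it, so a port rule alone cannot tell them apart.
TLS_443_LABEL = "TLS on 443: HTTPS, SSTP or OpenVPN-over-TCP (not separable by port)"
NO_SIGNATURE = "no VPN port signature"


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp", "udp" or "gre"
    src: str            # source address (with port for tcp/udp), kept verbatim
    dst: str            # destination address without port
    port: Optional[int]  # destination port; None for GRE, which has no ports


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: 'proto src -> dst[:port]'."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        raise ValueError(f"malformed log line: {line!r}")
    proto, src, _, dst = parts
    proto = proto.lower()
    port: Optional[int] = None
    if proto in ("tcp", "udp"):
        # Only TCP and UDP carry a port; GRE is identified by protocol alone.
        host, _, port_str = dst.rpartition(":")
        if not host or not port_str.isdigit():
            raise ValueError(f"missing destination port in: {line!r}")
        dst, port = host, int(port_str)
    elif proto != "gre":
        raise ValueError(f"unsupported protocol in: {line!r}")
    return Flow(proto, src, dst, port)


def classify(flow: Flow) -> str:
    """Label a flow by the VPN protocol its transport/port combination suggests."""
    label = PORT_SIGNATURES.get((flow.proto, flow.port))
    if label is not None:
        return label
    if flow.proto == "tcp" and flow.port == 443:
        return TLS_443_LABEL
    return NO_SIGNATURE


def port_identifies_vpn(flow: Flow) -> bool:
    """True when a firewall could single this flow out as VPN traffic by port alone."""
    return (flow.proto, flow.port) in PORT_SIGNATURES


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count flows per label; this is the view a defender gets from a port-only rule."""
    counts: Dict[str, int] = {}
    for line in lines:
        label = classify(parse_flow(line))
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
udp 192.0.2.10:4433 -> 198.51.100.7:500
udp 192.0.2.10:4433 -> 198.51.100.7:4500
tcp 192.0.2.11:50120 -> 198.51.100.8:1723
gre 192.0.2.11 -> 198.51.100.8
tcp 192.0.2.12:50200 -> 198.51.100.9:443
tcp 192.0.2.13:50300 -> 203.0.113.5:443
udp 192.0.2.14:50400 -> 198.51.100.10:1194
tcp 192.0.2.15:50500 -> 203.0.113.6:80
""".splitlines()

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:2d}  {label}")
```

Running it shows the IKE, NAT-T, PPTP and default-port OpenVPN flows each singled out by port, while the two TCP/443 flows (one of which could be an SSTP or OpenVPN tunnel) land in the same bucket as any HTTPS session. Telling those apart would need deep packet inspection or endpoint reputation, not a port rule, which is the practical meaning of "indistinguishable from HTTPS" in the text.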
OpenVPN can be paired with the best encryption ciphers in the industry, including AES and Blowfish, making it a robust solution and offering the most protection even from NSA-style surveillance.
Its main disadvantage is that it requires third party software and can be more complicated to set up properly. However, most VPN providers save you from the hassle of having to set up protocols as they provide easy-to-use apps that are preconfigured to take care of all the technical aspects for you.