If you're taking your online privacy and security seriously, then you probably already know the basics of what a VPN does and how to use one.
However, there's one important aspect of VPN use that many people may not understand: and that's protocols.
Many VPN providers even let you choose your protocol, but what exactly is the difference between Wireguard, OpenVPN, IKEv2, SSTP, L2TP/IPSec, and PPTP?
Figure: Screenshot from PureVPN's VPN Protocol selection menu
In this article, we'll give you the rundown on what these protocols are, what they do, and which one you should use.
VPN Protocols: Bottom Line
The protocols listed below are organized from weakest to strongest in terms of security.
>> When available, use the Wireguard or OpenVPN protocols,
since they'll provide the most protection. <<
SSTP and IKEv2 are generally safe as well, but should probably be avoided if you're looking for maximum privacy and security.
Even PPTP and L2TP/IPsec are fine for keeping your true IP address hidden when engaged in non-sensitive web browsing or content streaming. However, we wouldn't rely on them for things like torrenting, Usenet, or other sensitive activities.
In a hurry? Jump right to the best everyday, all-round VPN service on the market today.
Summary of VPN Protocols
Here's a quick rundown of the different protocols, for those of you don't care to read the longer version below:
- PPTP – fast and most widely supported protocol, but it offers bare bones security/encryption – suitable for online streaming and every day web browsing
- L2TP/IPsec – widely supported and offering good encryption protection, but easily detected & blocked – suitable for online streaming and every day web browsing
- SSTP – difficult to detect by third parties (such as your ISP) and offering good security, but proprietary (may contain backdoors) – suitable for online streaming, every day web browsing, torrent file-sharing and Usenet protection
- IKEv2 – fast, mobile-friendly, and partially open source using strong encryption, but easily detected & thus blocked by third parties (such as your ISP) – suitable for online streaming, web browsing and all manner of activities on mobile devices
- OpenVPN – open source and offering some of the strongest encryption – suitable for all activities, including sensitive ones such as downloading from torrents and Usenet
- Wireguard – a new open-source protocol with strong, efficient encryption and fast speeds – suitable for all activities, including sensitive ones such as downloading from torrents and Usenet
VPN Protocols in Detail
Here's a more in-depth look at the protocols, along with what their strengths and weaknesses are and how to use them.
PPTP
Point-to-Point Tunneling Protocol (PPTP) is one of the oldest and most widely used standards in the industry, developed in the 1990s by a consortium led by Microsoft.
The PPTP protocol lacks strong security and encryption measures. Perhaps this shouldn’t be a surprise as the protocol was developed during the time of dial-up Internet! As a result, PPTP relies on add-on components for encryption, such as PPP and MS-CHAPv2, but even these employ only 128-bit encryption (compared to the 256-bit encryption provided by stronger protocols). As a result, these protocols are rather insecure and have been cracked in the past. The NSA would have no trouble bypassing the PPTP protocol.
The main advantage of PPTP is its speed and ease of setup, as it is widely supported and already built into many modern platforms. Of course, setup is not something you normally need to worry about anyways, as your VPN provider will take care of all of this in their app.
L2TP/IPsec
Layer 2 Tunnel Protocol (L2TP) is another commonly supported VPN protocol. It's built into virtually all modern systems, making it widely supported and as easy to set up as PPTP.
L2TP does not encrypt traffic on its own accord, so it usually comes bundled with the IPsec encryption suite; that’s why you usually see this protocol shown as “L2TP/IPsec”.
IPsec is more secure than PPTP, but it's also somewhat slower given the way it handles traffic.
L2TP does have some other weaknesses. Firstly, because it uses UDP port 500, this makes it relatively easy to identify and block, for example, by firewalls. Secondly, the software is proprietary (not open source), which raises security questions since the code is not openly available for public scrutiny. Furthermore, many versions of IPsec were meddled with by the NSA and may have had intentional backdoors introduced for “national security” reasons.
SSTP
Secure Socket Tunneling Protocol (SSTP) was developed by Microsoft and introduced with Windows Vista. While it is available for a number of operating systems, Apple users will have to look for a different solution.
SSTP uses SSLv3 library and can be configured to use TCP port 443. This is an important advantage as port 443 is used by the HTTPS protocol that is commonly used to establish a secure connection. In other words, your VPN traffic routed through this port will be indistinguishable from regular HTTPS traffic, and therefore admitted by most firewalls and able to bypass other blocking measures.
SSTP can also be configured to use the strongest encryption ciphers available, including AES, which makes it very secure. Again, remember that the configuration is generally handled by your VPN provider, not you.
However, like L2TP/IPsec, SSTP is also proprietary (not open source) which makes it vulnerable to backdoors or other weaknesses.
IKEv2
Internet Key Exchange version 2 (IKEv2) is a tunneling protocol which was developed by Microsoft and Cisco, based on IPsec and built into Windows 7 and higher. While it is proprietary, there are a number of open source implementations available for Linux and other operating systems. It’s also one of the few choices supported by Blackberry devices.
IKEv2 is an excellent solution for mobile device users, because it is adept at reconnecting when temporary loss of internet connection occurs or networks are switched.
This protocol is considered quite stable and faster than L2TP, SSTP and PPTP. In addition, it supports the strongest encryption ciphers in the industry. Unfortunately, it uses UDP port 500, which makes it easier to detect and thus block.
OpenVPN
OpenVPN is an open source protocol, meaning its source code can be scrutinized for any backdoors or similar security vulnerabilities. It is just as good as SSTP at bypassing firewalls, because it utilizes TCP port 443 making its traffic indistinguishable from HTTPS traffic.
OpenVPN can be paired with the best encryption ciphers in the industry, including AES and Blowfish, making it a robust solution and offering the most protection even from NSA-style surveillance.
Its main disadvantage is that it requires third party software and can be more complicated to set up properly. However, most VPN providers save you from the hassle of having to set up protocols, as they provide easy-to-use apps that are preconfigured to take care of all the technical aspects for you.
Wireguard
Wireguard is an open-source protocol with arguably the strongest encryption available. Not only is it strong, it's very efficient, using fewer lines of code than OpenVPN, which means in turns makes it easier to check for vulnerabilities and less likely to contain them.
This efficiency also makes Wireguard very fast. In fact, it's the fastest protocol on this list, at times by quite a large margin.
However, while Wireguard is the fastest and most secure protocol at the moment, it's still under development and has some kinks to be worked out. For instance, the way it handles IP addresses isn't ideal for privacy.
Fortunately, the VPN providers that currently support Wireguard have made the necessary tweaks on their end to further enhance the protocol. And this requires no further effort on your part, since it's built into their apps.
This includes our most recommended VPN, PureVPN, which supports Wireguard, OpenVPN, and IKEv2/IPsec.
Their custom app makes it easy to choose and use the protocol that's right for you.