Over the last few years, privacy and security have been at the center of many discussions. Internet users around the world have become aware of the extent of the surveillance and attacks on privacy that are carried out by government organizations and cyber criminals. As a result, there is high demand for security solutions such as VPNs. If you are looking for a VPN, you will find that protocols are one of the main aspects that providers refer to when they describe their service.
Security is an essential part of the VPN experience, and protocols play a very important role when it comes to securing your online traffic. There are multiple protocols available, and you may be wondering which one is the best option. The simple answer is that it depends on your needs. Every protocol has its own advantages and downsides, so to help you understand better how they work and what they offer, we will list and compare the main encryption technologies available.
If security is your main concern, OpenVPN would be the right choice. This open source protocol uses the OpenSSL library and the SSLv3/TLSv1 protocols, along with other technologies that make it a secure solution for data protection. OpenVPN is also known for its flexibility: it can be set up on practically any port, although it is particularly effective on UDP. Since it is very difficult to differentiate between traffic that runs through OpenVPN and traffic that uses standard HTTPS over SSL, blocking OpenVPN is not an easy task.
OpenVPN also offers versatility in terms of encryption, because the OpenSSL library it uses supports a variety of cryptographic algorithms such as Blowfish, AES, 3DES, CAST-128 and Camellia. AES and Blowfish are the options that the majority of VPN services use, and the default cipher in OpenVPN is 128-bit Blowfish. In general, Blowfish offers good security, but its reliability is affected by some vulnerabilities. Newer options like Twofish and Threefish have addressed many of the weaknesses of their predecessor and are more secure.
AES (Advanced Encryption Standard) is considered by many to be the strongest encryption technology; it is also the most recent of these options, and it handles heavy data better than Blowfish. OpenVPN is widely used by VPN services and, although no platform supports it natively, the protocol is compatible with many operating systems. It works better on desktop, but it can be set up on mobile devices as well. Apart from being the top pick for users who need a high level of security, OpenVPN is ideal for evading censorship and blocks, since it can bypass most firewalls.
In addition, the fact that it is open source means that it is less likely to include backdoors, since it can be audited independently. The main downside of OpenVPN is that, although it can be configured on many platforms, the process is not simple: third-party software is required and new users can find the setup challenging. To make things easier, many VPN providers offer their own VPN software. OpenVPN can also be slower in some cases, but this depends on factors such as the encryption used.
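The cipher choice discussed above is a configuration decision, and it is easy to get wrong by simply leaving the default in place. The following Python script is an added example written for this article (it is not code from the article or from the OpenVPN project): it parses the directives of an OpenVPN configuration file and flags Blowfish and the other 64-bit block ciphers, a missing `cipher` line (which on legacy builds means the Blowfish default), and a missing `tls-version-min`. The two sample configurations are constructed and show the weak setting beside the corrected one; `cipher`, `data-ciphers`, `ncp-ciphers`, `tls-version-min` and `auth` are real OpenVPN directives, while the "acceptable" cipher list is this example's own policy, limited to the AES and Camellia names the article mentions.

```python
"""Audit the cipher and TLS directives of an OpenVPN configuration file.

Added example for this article; it is not code from the article or from
the OpenVPN project. The classification encodes the article's point: Blowfish
(the historical OpenVPN default) and the other 64-bit block ciphers are the
weak choices, AES is the recommended one. Sample configs below are constructed.
"""
import re

# 64-bit block ciphers: Blowfish, DES, 3DES, CAST-128. Their short block
# length is the weakness that makes them unsuitable for long-lived tunnels.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

# 128-bit block ciphers the article lists as the stronger choices
# (this example's own acceptance policy, not an OpenVPN setting).
ACCEPTABLE_CIPHER = re.compile(r"^(AES|CAMELLIA)-(128|192|256)-(GCM|CBC)$")


def parse_directives(config_text):
    """Return {directive: [argument lists]} for an OpenVPN config.

    Lines starting with '#' or ';' are comments, as in OpenVPN itself;
    a trailing ' #' comment is also stripped.
    """
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        line = line.split(" #", 1)[0].strip()
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def configured_ciphers(directives):
    """Collect every data-channel cipher the config can negotiate."""
    ciphers = []
    for args in directives.get("cipher", []):
        ciphers.extend(a.upper() for a in args[:1])
    # data-ciphers (2.5+) and its older alias ncp-ciphers take a colon list
    for key in ("data-ciphers", "ncp-ciphers"):
        for args in directives.get(key, []):
            ciphers.extend(c.upper() for c in ":".join(args).split(":") if c)
    return ciphers


def audit_openvpn(config_text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    d = parse_directives(config_text)
    findings = []
    ciphers = configured_ciphers(d)
    if not ciphers:
        # Legacy builds fall back to 128-bit Blowfish when nothing is set.
        findings.append("no cipher directive: legacy OpenVPN defaults to BF-CBC (128-bit Blowfish)")
    for c in ciphers:
        if c in WEAK_CIPHERS:
            findings.append(f"weak cipher {c}: 64-bit block cipher, replace with AES-256-GCM")
        elif not ACCEPTABLE_CIPHER.match(c):
            findings.append(f"unrecognised cipher {c}: review manually")
    if "tls-version-min" not in d:
        findings.append("no tls-version-min: older TLS versions may be negotiated")
    return findings


# Constructed sample configs: the weak setting beside the corrected one.
WEAK_CONFIG = """\
dev tun
proto udp
port 1194
cipher BF-CBC
auth SHA1
"""

HARDENED_CONFIG = """\
dev tun
proto udp
port 1194
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
tls-version-min 1.2
auth SHA256
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_openvpn(cfg) or ['ok']}")
```

Run it against a provider's `.ovpn` file by passing its contents to `audit_openvpn`. The hardened sample pins the data channel to AES-GCM and refuses TLS older than 1.2, which is the configuration the article's advice amounts to in practice.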
L2TP and L2TP/IPSec
Layer 2 Tunnel Protocol, known as L2TP, can be used on its own, but in that case it doesn't encrypt the traffic that passes through it. This is why it is combined with the IPsec encryption suite, which enhances the privacy and security of the traffic. Setting up L2TP/IPsec is easy, since it is supported by all platforms and devices currently available. The problem is that L2TP is not the most effective solution for bypassing restrictions and censorship. It uses UDP port 500, which can be blocked by NAT firewalls. To address this issue and get past firewalls, advanced configuration such as port forwarding has to be implemented.
While IPsec encryption provides a good level of protection if it is implemented correctly, there are concerns about the integrity of the protocol. The NSA has probably already cracked L2TP/IPsec, and many security experts even believe that the agency intervened during the design of the protocol to make it easier to break. Apart from the security issues, it should be noted that L2TP/IPsec may offer slow performance, because the data is encapsulated twice.
SoftEther is a new technology developed as an academic project, started in 2014 by software engineer Daiyuu Nobori of the University of Tsukuba in Japan. This free, open source VPN protocol supports multiple platforms including Windows, Mac, Linux, Android, iOS, Solaris and FreeBSD. It is easy to set up and provides remarkable compatibility. It is said to be faster than OpenVPN, and it uses SSL-VPN tunneling over HTTPS to bypass NATs and firewalls effectively. In terms of security, SoftEther applies AES 256-bit and RSA 4096-bit encryption. Although SoftEther is set to be a powerful alternative to OpenVPN, the technology is still very new and is not supported by many VPN providers.
Originally launched in Windows Vista SP1, SSTP (Secure Socket Tunneling Protocol) is focused on the Microsoft platform. However, it can also be used on Linux, SEIL and RouterOS. The protocol uses SSL v3 and relies on TCP port 443 to defeat NAT firewalls. In general, it offers a good level of security (depending on the cipher) and an effective way to bypass firewalls. It is also a practical choice for Windows users, and it is supported by Microsoft. The issue is precisely that, since it is a proprietary standard owned by Microsoft, it can't be openly audited to make sure that it doesn't contain backdoors. It is also not a versatile solution, since it is mainly designed for Windows, although an open source SSTP GUI client for Mac is also available.
Internet Key Exchange version 2 (or VPN Connect, as Microsoft named it) is based on IPsec and is the result of a collaboration between Cisco and Microsoft. Windows 7 and later versions implement this tunneling protocol by default, and it is practically the only option for BlackBerry. Some independent implementations have been created for Linux and other operating systems. IKEv2 supports multiple ciphers, including AES and 3DES, and it offers stable performance.
It can re-establish a connection automatically when your internet connection drops temporarily or when you switch networks. This feature makes it a good solution for mobile devices. The disadvantages of IKEv2 include the fact that, being a proprietary technology, it is more likely to feature backdoors. In addition, it uses UDP port 500, which makes it easier to block than technologies that rely on SSL.
Point-to-Point Tunneling Protocol, or simply PPTP, is a solution created by a group of companies supported by Microsoft. Although it is outdated and considered weak, it is still in use, thanks in large part to the fact that it is supported on pretty much any device that is VPN enabled. Plus, it was originally designed to create VPNs over dial-up networks, which makes it convenient for internal business needs. PPTP uses different authentication methods for security, including MS-CHAP v2, which is the most popular option. PPTP is easy to configure and it doesn't require additional software. This makes it a popular solution that is widely available.
However, as previously mentioned, it is known that there are many vulnerabilities that make PPTP an unreliable solution when it comes to security. It is likely that MS-CHAP v2 authentication is not being encapsulated, which means that the protocol could (at least in theory) be compromised in just a matter of days. In fact, Microsoft itself has advised users to opt for alternatives like SSTP or L2TP/IPsec instead of PPTP for better protection. The bottom line is that, in spite of its convenience and good speed, PPTP has been broken and it doesn't offer a good level of security, which is why it should only be considered if nothing else is available.
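The port and transport facts used throughout the sections above (IKE on UDP 500 for L2TP/IPsec and IKEv2, TLS-based protocols such as SSTP, OpenVPN and SoftEther sharing TCP 443 with ordinary HTTPS, PPTP as the protocol to retire) are also what a network defender uses to find out which VPN protocols are actually in use. The following Python script is an added example written for this article, not code from the article: it classifies flows from a constructed key=value firewall log and lists the hosts still using PPTP. The log format is this example's own invention (adapt `parse_line` to a real export), and the standard assignments it assumes beyond what the article states are IPsec NAT traversal on UDP 4500, ESP as its own IP protocol, L2TP on UDP 1701, PPTP on TCP 1723 plus GRE, and OpenVPN's default UDP 1194.

```python
"""Inventory VPN protocols seen in firewall connection logs.

Added example for this article, not code from the article. It applies the
port and protocol facts the article relies on (IKE on UDP 500, TLS-based VPNs
on TCP 443, PPTP's weakness) to a constructed key=value log format; real
firewall exports differ, so parse_line is the part to adapt. Port 4500 (IPsec
NAT traversal), ESP (its own IP protocol), L2TP on UDP 1701, PPTP on TCP 1723
with GRE, and OpenVPN's default UDP 1194 are standard assignments assumed here.
"""
from collections import Counter

# Constructed sample log: one line per observed flow.
SAMPLE_LOG = """\
src=10.0.1.10 proto=tcp dport=1723
src=10.0.1.10 proto=gre dport=-
src=10.0.1.22 proto=udp dport=500
src=10.0.1.22 proto=udp dport=4500
src=10.0.1.22 proto=udp dport=1701
src=10.0.1.31 proto=udp dport=1194
src=10.0.1.40 proto=tcp dport=443
src=10.0.1.40 proto=tcp dport=443
src=10.0.1.55 proto=esp dport=-
"""

PPTP = "PPTP"
IKE = "IKE (L2TP/IPsec or IKEv2)"
ESP = "IPsec ESP"
L2TP = "L2TP"
OPENVPN = "OpenVPN (default port)"
TLS443 = "TLS on 443 (HTTPS, SSTP, OpenVPN or SoftEther)"
OTHER = "other"


def parse_line(line):
    """Split 'k=v k=v ...' into (src, proto, dport)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["proto"].lower(), fields.get("dport", "-")


def classify(proto, dport):
    """Map transport and destination port to the VPN protocol they indicate."""
    if proto == "gre" or (proto == "tcp" and dport == "1723"):
        return PPTP
    if proto == "esp":
        return ESP
    if proto == "udp" and dport in ("500", "4500"):
        # Fixed IKE ports: this is why L2TP/IPsec and IKEv2 are easy to block.
        return IKE
    if proto == "udp" and dport == "1701":
        return L2TP
    if proto == "udp" and dport == "1194":
        return OPENVPN
    if proto == "tcp" and dport == "443":
        # At the port level this is indistinguishable from ordinary HTTPS,
        # which is exactly why SSTP, OpenVPN and SoftEther use it.
        return TLS443
    return OTHER


def summarize(log_text):
    """Return (flow counts per label, labels per source, sources using PPTP)."""
    counts = Counter()
    by_src = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, proto, dport = parse_line(line)
        label = classify(proto, dport)
        counts[label] += 1
        by_src.setdefault(src, set()).add(label)
    # PPTP is the one protocol the article says to use only as a last resort.
    pptp_sources = sorted(s for s, labels in by_src.items() if PPTP in labels)
    return counts, by_src, pptp_sources


if __name__ == "__main__":
    counts, by_src, pptp_sources = summarize(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{n:3d}  {label}")
    print("hosts still using PPTP:", ", ".join(pptp_sources) or "none")
```

The TCS-on-443 bucket is deliberately ambiguous: the classifier can say that a flow looks like HTTPS, but not whether it is a browser, SSTP, OpenVPN or SoftEther, which is the same property that makes those protocols hard to block.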
OpenVPN is a great choice for security and it hasn't been compromised by the NSA. However, its setup is not simple and requires additional software. SoftEther is a technology that offers fast performance and great compatibility, although it is still new and not widely available. L2TP/IPsec is compatible with a wide range of platforms and devices, but it may have been deliberately weakened by the NSA. SSTP offers good security and can bypass firewalls, but it focuses on Windows and it can't be checked for backdoors. IKEv2 offers good security and speed, and it is a good option for mobile devices. The downside is that it offers limited compatibility compared with other options and it may be easier to block. PPTP is fast and very easy to set up. However, it is the weakest protocol and doesn't provide a good level of security.