First, a few general remarks about VPNs. VPN usage scenarios vary; the most popular are:
  • building a secure channel between two or more remote network segments (for example, between offices in Moscow and Nizhny Novgorod);
  • connecting a remote employee to a corporate network (by now almost every office employee is familiar with this);
  • virtually changing your location using a VPN provider's service (requires the least effort to set up, but all your traffic then passes through someone else's server).
To implement these scenarios there are various VPN protocols: for establishing the connection, for encrypting traffic, and so on. A solution is then "built" on top of a suitable protocol. The two best-known and most widely used protocols are OpenVPN and IPsec; more recently WireGuard has emerged, causing some controversy. There are other alternatives that are already outdated but still quite capable of solving certain problems.

The advantage of a particular VPN protocol depends on a number of factors and conditions of use:

Devices - different devices support different protocols.

Network - if certain services are unavailable in your location, some protocols may not work. For example, there are VPN providers operating in China, while most existing providers are blocked there.

Performance - some protocols offer better performance, especially on mobile devices; others are more convenient for use on large networks.

Threat model - some protocols are less secure than others and can therefore be attacked in different ways.

That concludes the general part; now we turn to a detailed description and comparison of the protocols.


PPTP

Point-to-Point Tunneling Protocol (PPTP), one of the oldest VPN protocols still in use, was originally developed by Microsoft.

PPTP uses two connections: one for control and one for encapsulating data. The first runs over TCP, with the server listening on port 1723. The second uses GRE, which is itself a transport-layer protocol (that is, a replacement for TCP/UDP). This prevents clients behind NAT from establishing a connection to the server: GRE has no port numbers for the NAT device to track, so establishing a point-to-point connection through it is not possible by default. However, because the variant of GRE that PPTP uses (enhanced GRE) carries a Call ID header, routers performing NAT can identify GRE traffic and match it between a LAN client and an external server in both directions. This allows clients behind NAT to establish a point-to-point connection and use GRE. The feature is called VPN Passthrough and is supported by a great deal of modern client networking equipment.
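
As an added illustration (written for this page, not code from the article), the following Python parses the enhanced GRE header that the PPTP data channel uses and extracts the Call ID that NAT devices key on. The packet bytes are a constructed sample, and classify_flow is a hypothetical name for the kind of flow labeller a network-monitoring tool might contain; it tags PPTP control and data traffic so that legacy PPTP use on a network can be spotted.

```python
import struct

# Constants from RFC 2637 (PPTP): GRE protocol type for PPP payloads and
# the enhanced-GRE version number.
GRE_PROTO_PPP = 0x880B
ENHANCED_GRE_VERSION = 1
PPTP_CONTROL_PORT = 1723
IP_PROTO_GRE = 47


def parse_pptp_gre(pkt: bytes) -> dict:
    """Parse an enhanced GRE header as used by the PPTP data channel.

    Layout (RFC 2637, section 4.1):
      byte 0: C R K S s Recur   - K (key present) and S (sequence present)
      byte 1: A Flags Ver       - A (ack present), Ver must be 1
      bytes 2-3: protocol type  - 0x880B for PPP
      bytes 4-5: payload length (upper half of the 'key' field)
      bytes 6-7: Call ID        (lower half of the 'key' field)
      optional 4-byte sequence number, optional 4-byte ack number
    """
    if len(pkt) < 8:
        raise ValueError("packet too short for an enhanced GRE header")
    b0, b1, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    has_key = bool(b0 & 0x20)
    has_seq = bool(b0 & 0x10)
    has_ack = bool(b1 & 0x80)
    version = b1 & 0x07
    if proto != GRE_PROTO_PPP or version != ENHANCED_GRE_VERSION or not has_key:
        raise ValueError("not a PPTP enhanced GRE packet")
    offset = 8
    seq = ack = None
    if has_seq:
        (seq,) = struct.unpack("!I", pkt[offset:offset + 4])
        offset += 4
    if has_ack:
        (ack,) = struct.unpack("!I", pkt[offset:offset + 4])
        offset += 4
    payload = pkt[offset:offset + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated PPP payload")
    # The Call ID names the *receiving* peer's call. A NAT device learns which
    # Call IDs belong to which internal client by watching the TCP/1723 control
    # channel, then uses this field to route returning GRE packets.
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def classify_flow(ip_proto: int, dst_port, l4_payload: bytes) -> str:
    """Label a flow as PPTP control, PPTP data, or something else.

    ip_proto is the IP protocol number, dst_port the TCP destination port
    (None for GRE, which has no ports), l4_payload the bytes after the IP header.
    """
    if ip_proto == 6 and dst_port == PPTP_CONTROL_PORT:
        return "pptp-control"
    if ip_proto == IP_PROTO_GRE:
        try:
            info = parse_pptp_gre(l4_payload)
        except ValueError:
            return "gre-other"
        return f"pptp-data call_id={info['call_id']}"
    return "other"


# Constructed sample: K and S set (0x30), no ack, version 1 (0x01),
# protocol 0x880B, payload length 4, Call ID 0x1234, sequence number 1,
# followed by a 4-byte PPP frame header (HDLC address/control + IP protocol).
SAMPLE_GRE = bytes.fromhex("3001880b" "0004" "1234" "00000001" "ff030021")

if __name__ == "__main__":
    print(parse_pptp_gre(SAMPLE_GRE))
    print(classify_flow(47, None, SAMPLE_GRE))
    print(classify_flow(6, 1723, b""))
```

Because the Call ID sits at a fixed offset in the clear, the same lookup a NAT router does for passthrough is also all a sensor needs to count PPTP sessions and flag them for migration to a current protocol.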

PPTP is supported natively on all versions of Windows and most other operating systems. Despite its relatively high speed, PPTP is not very reliable: after a connection drop it does not recover as quickly as, for example, OpenVPN.

PPTP is now essentially obsolete and Microsoft recommends other VPN solutions. We also advise against choosing PPTP if security and privacy matter to you.

Of course, if you only use a VPN to unblock content, PPTP still has its place, but again there are safer options worth considering.


SSTP

Secure Socket Tunneling Protocol (SSTP) is a proprietary Microsoft product. Like PPTP, SSTP is not widely used in the VPN industry, but unlike PPTP, no major security issues have been found in it.

SSTP sends traffic over SSL on TCP port 443, which makes it useful in restricted networks, for example if you need a VPN in China. Although SSTP is also available on Linux, RouterOS, and SEIL, it is still mostly used on Windows systems.

From a performance standpoint, SSTP is fast, stable, and secure. Unfortunately, very few VPN providers support SSTP.

SSTP can help when other VPN protocols are blocked, but again OpenVPN is the better choice (when available).


IPsec

Internet Protocol Security (IPsec) is a set of protocols for securing data transmitted over an IP network. Unlike SSL, which works at the application layer, IPsec works at the network layer and is supported natively by many operating systems, so it can be used without third-party applications (unlike OpenVPN).

IPsec has become very popular in combination with L2TP or IKEv2, which we discuss below.

IPsec protects the entire IP packet using:
  • Authentication Header (AH), which authenticates each packet (loosely, digitally signs it);
  • Encapsulating Security Payload (ESP), which provides confidentiality, integrity, and authentication of a packet in transit.
A discussion of IPsec would be incomplete without mentioning a leaked NSA presentation discussing the IPsec protocols (L2TP and IKE). It is hard to draw a definite conclusion from the vague references in that presentation, but if your threat model includes targeted surveillance by nosy foreign colleagues, this is a reason to consider other options. That said, IPsec protocols are still considered secure when properly implemented.
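
To make the ESP side of the list above concrete, here is an added example (written for this page, not from the article or from any IPsec implementation) that parses the fields ESP leaves in the clear and implements the sliding anti-replay window that the ESP sequence number exists for (RFC 4303, section 3.4.3). The packet bytes and the 12-byte ICV length are constructed sample values; the function and class names are this example's own.

```python
import struct


def parse_esp(pkt: bytes, icv_len: int) -> dict:
    """Split an ESP packet (RFC 4303) into the fields visible without the key.

    Only the SPI and sequence number are in the clear; everything between them
    and the trailing ICV (integrity check value) is ciphertext, including the
    padding, pad-length and next-header bytes. icv_len depends on the integrity
    algorithm negotiated for the SA (e.g. 12 for HMAC-SHA1-96, 16 for AES-GCM).
    """
    if len(pkt) < 8 + icv_len:
        raise ValueError("packet too short for ESP header and ICV")
    spi, seq = struct.unpack("!II", pkt[:8])
    return {
        "spi": spi,
        "seq": seq,
        "ciphertext": pkt[8:len(pkt) - icv_len],
        "icv": pkt[len(pkt) - icv_len:],
    }


class ReplayWindow:
    """Sliding anti-replay window for one inbound SA (RFC 4303 section 3.4.3).

    The receiver must verify the ICV before calling check_and_update, so that
    a forged packet with a high sequence number cannot advance the window.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.last = 0      # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (last - i) was seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                       # 0 is never a valid ESP sequence number
            return False
        if seq > self.last:                # right of the window: accept and slide
            shift = seq - self.last
            if shift < self.size:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1            # slid past everything we remembered
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:              # left of the window: too old
            return False
        if (self.bitmap >> diff) & 1:      # inside the window but already seen
            return False
        self.bitmap |= 1 << diff
        return True


def filter_replays(seqs, size: int = 64) -> list:
    """Run received sequence numbers through one window; True = accept."""
    win = ReplayWindow(size)
    return [win.check_and_update(s) for s in seqs]


# Constructed sample ESP packet: SPI 0x1234, seq 1, 8 bytes of 'ciphertext'
# and a 12-byte ICV (as for HMAC-SHA1-96). The payload is dummy bytes only.
SAMPLE_ESP = struct.pack("!II", 0x1234, 1) + b"\xaa" * 8 + b"\xbb" * 12

if __name__ == "__main__":
    print(parse_esp(SAMPLE_ESP, icv_len=12))
    # in order, reordered but new, replayed twice, far future, then stale
    print(filter_replays([5, 3, 3, 5, 200, 100]))
```

The order of checks is the point: the ICV is verified first, then the window decides, so an attacker who records ESP packets gains nothing by resending them, and a burst of reordered packets inside the window is still accepted.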

We will now look at how IPsec is paired with L2TP and IKEv2.


L2TP/IPsec

Layer 2 Tunneling Protocol (L2TP) was first proposed in 1999 as an upgrade to L2F (Cisco) and PPTP (Microsoft). Since L2TP itself provides neither encryption nor authentication, it is usually combined with IPsec. L2TP paired with IPsec is standardized in RFC 3193 and supported by many operating systems.

L2TP/IPsec is considered secure and has no major known issues (it is far safer than PPTP). L2TP/IPsec can use 3DES or AES encryption, although 3DES is now considered a weak cipher and is rarely used.

L2TP sometimes has problems because its default UDP port 500 is known to be blocked by some firewalls.

L2TP/IPsec ensures strong protection of transmitted data, is easy to configure, and is supported by all modern operating systems. However, L2TP/IPsec encapsulates the transmitted data twice, making it less efficient and slower than other VPN protocols.


IKEv2/IPsec

Internet Key Exchange version 2 (IKEv2) is an IPsec protocol used for mutual authentication and for creating and maintaining Security Associations (SAs); it is standardized in RFC 7296. IKEv2/IPsec is considered just as secure as L2TP/IPsec. Although IKEv2 was developed by Microsoft together with Cisco, there are open-source implementations of the protocol (for example, OpenIKEv2, Openswan, and strongSwan).

With Mobility and Multi-homing Protocol (MOBIKE) support, IKEv2 is very resilient to network changes. This makes IKEv2 a great choice for smartphone users who regularly switch between home Wi-Fi and mobile connections, or roam between hotspots.

IKEv2/IPsec can use a number of different cryptographic algorithms, including AES, Blowfish, and Camellia, with keys of up to 256 bits.

IKEv2 supports Perfect Forward Secrecy (PFS): session keys are derived from fresh ephemeral Diffie-Hellman exchanges, so a later compromise of the long-term keys does not expose past sessions.

In many cases, IKEv2 is faster than OpenVPN because it is less resource intensive. From a performance standpoint, IKEv2 may be the best option for mobile users because it re-establishes connections well. IKEv2 is natively supported on Windows 7+, Mac OS 10.11+, iOS, and some Android devices.


OpenVPN

OpenVPN is an open-source, general-purpose VPN protocol developed by OpenVPN Technologies. It is perhaps the most popular VPN protocol today. As an open standard, it has undergone more than one independent security review.

For most situations where you need a VPN connection, OpenVPN is likely to be the answer. It is stable and offers good data transfer rates. OpenVPN uses the standard TCP and UDP transports, which lets it serve as an alternative to IPsec when a provider blocks some VPN protocols.

OpenVPN requires dedicated client software; it is not supported out of the box. Most VPN services build their own OpenVPN applications for different operating systems and devices. The protocol can run on any TCP or UDP port and can be used on all major platforms through third-party clients: Windows, Mac OS, Linux, Apple iOS, and Android.

But if it does not suit your situation, look for alternative solutions.


WireGuard

The newest and least explored VPN protocol is WireGuard. Its developers position it as a replacement for IPsec and OpenVPN in most of their use cases, while being more secure, faster, and easier to use.

All IP packets arriving at a WireGuard interface are encapsulated in UDP and securely delivered to the other peers. WireGuard uses modern cryptography:
  • Curve25519 for key exchange,
  • ChaCha20 for encryption,
  • Poly1305 for data authentication,
  • SipHash for hash table keys,
  • BLAKE2 for hashing.
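
The Curve25519 exchange in this list is the same primitive that gives IKEv2 (with a DH group) and WireGuard their forward secrecy, as mentioned in the IKEv2 section above. The following Python is an added example, not code from the article, from WireGuard or from any IKEv2 implementation: it implements X25519 directly from the RFC 7748 Montgomery ladder and uses it in a toy handshake that mixes static (long-term) and ephemeral keys. The names keypair, initiator_key, responder_key, run_session and demo are this example's own, and the key mixing is only loosely in the style of the Noise handshakes WireGuard builds on; it is not the real WireGuard or IKEv2 handshake, and it omits authentication of the transcript.

```python
import hashlib
import os

# Curve25519 parameters from RFC 7748: the field prime and (A - 2) / 4.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    """Apply the X25519 scalar clamping rules and decode little-endian."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """X25519 scalar multiplication (RFC 7748 section 5 Montgomery ladder)."""
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127                       # mask the unused top bit of the u-coordinate
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    """Fresh X25519 private key and the matching public u-coordinate."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def initiator_key(s_i, e_i, S_r, E_r) -> bytes:
    """Initiator mixes ephemeral-static, static-ephemeral and ephemeral-ephemeral DH.

    Lower-case = private key, upper-case = public key, _i/_r = initiator/responder.
    The order is chosen so the responder computes exactly the same three points.
    """
    return hashlib.sha256(x25519(e_i, S_r) + x25519(s_i, E_r) + x25519(e_i, E_r)).digest()


def responder_key(s_r, e_r, S_i, E_i) -> bytes:
    """Responder's view of the same three shared points, in the same order."""
    return hashlib.sha256(x25519(s_r, E_i) + x25519(e_r, S_i) + x25519(e_r, E_i)).digest()


def run_session(s_i, S_i, s_r, S_r):
    """One handshake: fresh ephemeral keys on both sides, then both derive the key.

    Only E_i and E_r would travel over the wire; e_i and e_r are dropped when this
    function returns, which is what makes the session key forward-secret.
    """
    e_i, E_i = keypair()
    e_r, E_r = keypair()
    return initiator_key(s_i, e_i, S_r, E_r), responder_key(s_r, e_r, S_i, E_i)


def demo():
    """Two sessions between the same long-term identities yield two unrelated keys."""
    s_i, S_i = keypair()            # long-term identity keys (certificates in IKEv2,
    s_r, S_r = keypair()            # the static key pair in WireGuard)
    return run_session(s_i, S_i, s_r, S_r), run_session(s_i, S_i, s_r, S_r)


if __name__ == "__main__":
    (k1_i, k1_r), (k2_i, k2_r) = demo()
    print("session 1 agreed:", k1_i == k1_r, "session 2 agreed:", k2_i == k2_r)
    print("sessions differ:", k1_i != k2_i)
```

The forward-secrecy argument follows from the third term: an adversary who recorded the public ephemerals and later obtains both static private keys can recompute the first two shared points, but not e_i·E_r, because neither ephemeral private key still exists. That is why a long-term key compromise does not retroactively decrypt past IKEv2 or WireGuard sessions.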
WireGuard's code base is far smaller and simpler than OpenVPN's (about 4 thousand lines versus several hundred thousand), which makes it easier to audit for vulnerabilities. Many also note that it is much easier to deploy and configure.
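
To show what "easier to configure" means in practice, here is an added example of a minimal wg-quick configuration for one server and one client; it is not taken from the article or from the WireGuard project's documentation. The key strings are placeholders to be replaced with the output of `wg genkey` / `wg pubkey`, and vpn.example.com, the 10.8.0.0/24 range and the interface name wg0 are assumed values.

```ini
# Server: /etc/wireguard/wg0.conf (placeholder keys, assumed addresses)
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.1/24
ListenPort = 51820

# One [Peer] block per client. The public key is the client's identity;
# AllowedIPs is "cryptokey routing": packets from this peer are accepted only
# if their source address is inside it, and only these destinations are sent to it.
[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32

# Client: /etc/wireguard/wg0.conf
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/24

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.com:51820
# Use 0.0.0.0/0 here instead to send all traffic through the tunnel.
AllowedIPs = 10.8.0.0/24
# A client behind NAT needs periodic keepalives so the mapping stays open.
PersistentKeepalive = 25
```

Each side is brought up with `wg-quick up wg0`. There is no cipher negotiation to get wrong: the only per-peer decisions are whose public key to trust and which addresses that key is allowed to speak for, and the AllowedIPs binding is what stops one authenticated peer from spoofing another's tunnel address.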

The performance test results can be seen on the official website (as you might guess, they are good). Note that WireGuard performs best on Linux systems, where it is implemented as a kernel module.

More recently, WireGuard 1.0.0 was released, marking the inclusion of the WireGuard components in the mainline Linux 5.6 kernel. The code merged into the kernel underwent an additional security audit by an independent firm, which found no issues. This is great news for many, but only further independent security research will tell whether WireGuard can become a worthy replacement for IPsec and OpenVPN.