We explain what a VPN protocol is and what it does. We also compare the strengths and weaknesses of the most common protocols, including OpenVPN, WireGuard, IKEv2, PPTP, and L2TP.
Before you trust a VPN to protect your Internet activity, you need to make sure they’ve put in place the necessary safeguards. Evaluating the more technical aspects of a VPN can be difficult, especially for the average user. It often means users are struggling to understand an alphabet soup of different acronyms.
We have begun a series of posts where we explain some of our security measures so that people can make more informed decisions. Our first post explained what HMAC SHA-384 means. This post will investigate VPN protocols, what they do, how they work, and what it means if a VPN service uses OpenVPN over L2TP, for example. This post delves into some of the inner workings of VPNs. While we try to explain terms clearly, this post will be more useful if you come in with some basic technical knowledge. If you don’t already know how a VPN works, click here.
VPNs rely on what is called “tunneling” to create a private network between two computers over the Internet. A VPN protocol, also known as a “tunneling protocol,” is the set of instructions your device uses to negotiate the secure encrypted connection that forms the network between your computer and another.
A VPN protocol is usually made up of two channels: a data channel and a control channel. The control channel is responsible for the key exchange, authentication, and parameter exchanges (like providing an IP or routes and DNS servers). The data channel, as you might have guessed, is responsible for transporting your Internet traffic data. Together, these two channels establish and maintain a secure VPN tunnel. However, for your data to pass through this secure tunnel, it must be encapsulated.
Encapsulation is when a VPN protocol takes bits of data, known as data packets, from your Internet traffic and places them inside another packet. This extra layer is necessary because the protocol configurations your VPN uses inside the data channel are not necessarily the same as the ones that the regular Internet uses. The additional layer allows your information to travel through the VPN tunnel and arrive at its correct destination.
This is all a bit technical, so broad overview: When you connect to a VPN server, the VPN uses its control channel to establish shared keys and set up a connection between your device and the server. Once this connection is established, the data channel begins transmitting your Internet traffic. When a VPN discusses the strengths and weaknesses of its performance or talks about a “secure VPN tunnel,” it is talking about its data channel. Once the VPN tunnel has been established, the control channel is then tasked with maintaining the connection’s stability.
Point-to-Point Tunneling Protocol (PPTP) is one of the older VPN protocols. It was initially developed with support from Microsoft and, thus, all versions of Windows and most other operating systems have native support for PPTP.
PPTP uses the Point-to-Point Protocol (PPP), which is like a proto-VPN in itself. Despite being quite old, PPP can authenticate a user (usually with MS-CHAP v2) and encapsulate data itself, letting it handle both control channel and data channel duties. However, PPP is not routable; it cannot be sent over the Internet on its own. So PPTP encapsulates the PPP-encapsulated data again using generic routing encapsulation (GRE) to establish its data channel.
Unfortunately, PPTP does not have any of its own encryption or authentication features. It relies on PPP to implement these functions — which is problematic since PPP’s authentication system and the encryption that Microsoft added to it, MPPE, are both weak.
Encryption: Microsoft’s Point-to-Point Encryption protocol (MPPE), which uses the RSA RC4 algorithm. MPPE’s maximum strength is 128-bit keys.
Speed: Because its encryption protocols do not require much computing power (RC4 and only 128-bit keys), PPTP maintains fast connection speeds.
Known vulnerabilities: PPTP has had numerous known security vulnerabilities since 1998. One of the most severe involves exploiting the unencapsulated MS-CHAP v2 authentication to perform a man-in-the-middle (MITM) attack.
Firewall ports: TCP port 1723. PPTP’s use of GRE means it cannot navigate a network address translation firewall and is one of the easiest VPN protocols to block. (A NAT firewall allows several people to share one public IP address at the same time. This is important because the majority of individual users do not have their own IP address.)
Stability: PPTP is not as reliable, nor does it recover as quickly as OpenVPN over unstable network connections.
Conclusion: If you are concerned about securing your data, there is no reason to use PPTP. Even Microsoft has advised its users to upgrade to other VPN protocols to protect their data.
Layer two tunneling protocol (L2TP) was meant to replace PPTP. L2TP can handle authentication on its own and performs UDP encapsulation, so in a way, it can form both the control and data channel. However, similar to PPTP, it does not add any encryption itself. While L2TP can send PPP, to avoid PPP’s inherent weaknesses, L2TP is usually paired with the Internet protocol security (IPSec) suite to handle its encryption and authentication.
IPSec is a flexible framework that can be applied to VPNs as well as routing and application-level security. When you connect to a VPN server with L2TP/IPSec, IPSec negotiates the shared keys and authenticates the connection of a secure control channel between your device and the server.
IPSec then encapsulates the data. When IPSec performs this encapsulation, it applies an authentication header and uses the Encapsulating Security Payload (ESP). These special headers add a digital signature to each packet so attackers cannot tamper with your data without alerting the VPN server. ESP encrypts the encapsulated data packets so that no attacker can read them (and, depending on the settings of the VPN, also authenticates the data packet). Once IPSec has encapsulated the data, L2TP encapsulates that data again using UDP so that it can pass through the data channel.
Several VPN protocols, including IKEv2, use IPSec encryption. While generally secure, IPSec is very complex, which can lead to poor implementation. L2TP/IPSec is supported on most major operating systems.
Encryption: L2TP/IPSec can use either 3DES or AES encryption, although given that 3DES is now considered a weak cipher, it is rarely used.
Speed: L2TP/IPSec is generally slower than OpenVPN when using the same encryption strength.
Known vulnerabilities: L2TP/IPSec is an advanced VPN protocol, but a leaked NSA presentation suggests that the intelligence agency has already found ways to tamper with it. Furthermore, due to IPSec’s complexity, many VPN providers have used pre-shared keys to set up L2TP/IPSec.
Firewall ports: UDP port 500 is used for the initial key exchange, UDP port 4500 for NAT traversal, and UDP port 1701 to allow L2TP traffic. Because it uses these fixed ports, L2TP/IPSec is easier to block than some other protocols.
Stability: L2TP/IPSec is not as stable as some of the more advanced VPN protocols. Its complexity can lead to frequent network drops.
Conclusion: L2TP/IPSec’s security is undoubtedly an improvement over PPTP, but it might not protect your data from advanced attackers. Its slower speeds and instability also mean that users should only consider using L2TP/IPSec if there are no other options.
Internet key exchange version two (IKEv2) is a relatively new tunneling protocol that is actually part of the IPSec suite itself. Microsoft and Cisco cooperated on the development of the original IKEv2/IPSec protocol, but there are now many open source iterations.
IKEv2 sets up a control channel by authenticating a secure communication channel between your device and the VPN server using the Diffie–Hellman key exchange algorithm. IKEv2 then uses that secure communication channel to establish what is called a security association, which simply means your device and the VPN server are using the same encryption keys and algorithms to communicate.
Once the security association is in place, IPSec can create a tunnel, apply authenticated headers to your data packets, and encapsulate them with ESP. (Again, depending on which cipher is used, the ESP could handle the message authentication.) The encapsulated data packets are then encapsulated again in UDP so that they can pass through the tunnel.
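The encapsulation described above, for both L2TP/IPSec and IKEv2/IPSec, is easier to see in code: an ESP header and an integrity check wrap the inner packet, and a UDP header wraps that so the result can cross NAT. The following Python is an added example written for this post, not code from IPSec, L2TP, IKEv2 or ProtonVPN. It builds a UDP-encapsulated ESP-style packet, verifies the integrity check before decrypting, and rejects packets that were modified or replayed. The keystream cipher is a stand-in built from HMAC-SHA256 so the example runs with the standard library alone (a real security association uses AES or ChaCha20); the 16-byte truncated HMAC-SHA256 integrity check value, the use of port 4500, and the constructed keys and inner packet are assumptions made for the demo.

```python
import hashlib
import hmac
import struct

NAT_T_PORT = 4500                 # UDP port the post names for NAT traversal (assumed here for both ends)
ESP_HDR = struct.Struct("!II")    # ESP header: SPI and sequence number, big-endian
UDP_HDR = struct.Struct("!HHHH")  # UDP header: src port, dst port, length, checksum
ICV_LEN = 16                      # truncated HMAC-SHA256 integrity check value (assumption)


def _keystream(enc_key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256 in counter mode, bound to (SPI, seq).
    A real ESP implementation uses AES or ChaCha20; this only keeps the demo stdlib-only."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(enc_key: bytes, auth_key: bytes, spi: int, seq: int, inner: bytes) -> bytes:
    """ESP header | encrypted inner packet | ICV computed over header and ciphertext."""
    header = ESP_HDR.pack(spi, seq)
    ciphertext = _xor(inner, _keystream(enc_key, spi, seq, len(inner)))
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def udp_wrap(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Outer UDP header; checksum 0 means 'not computed', which IPv4 permits."""
    return UDP_HDR.pack(src_port, dst_port, UDP_HDR.size + len(payload), 0) + payload


def udp_unwrap(datagram: bytes) -> tuple:
    src, dst, length, _checksum = UDP_HDR.unpack(datagram[:UDP_HDR.size])
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram")
    return src, dst, datagram[UDP_HDR.size:]


def esp_decapsulate(enc_key: bytes, auth_key: bytes, esp: bytes, expected_spi: int, last_seq: int) -> tuple:
    """Verify first, decrypt second. Returns (seq, inner packet) or raises ValueError."""
    if len(esp) < ESP_HDR.size + ICV_LEN:
        raise ValueError("truncated ESP packet")
    header, ciphertext, icv = esp[:ESP_HDR.size], esp[ESP_HDR.size:-ICV_LEN], esp[-ICV_LEN:]
    spi, seq = ESP_HDR.unpack(header)
    if spi != expected_spi:
        raise ValueError("unknown SPI")
    expected = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):      # constant-time comparison of the ICV
        raise ValueError("integrity check failed: packet was modified in transit")
    if seq <= last_seq:
        raise ValueError("replayed or out-of-window sequence number")
    return seq, _xor(ciphertext, _keystream(enc_key, spi, seq, len(ciphertext)))


# Constructed demo keys and a pretend inner packet (not real traffic or real keys).
ENC_KEY = b"\x11" * 32
AUTH_KEY = b"\x22" * 32
SPI = 0x1000ABCD
INNER = b"\x45\x00\x00\x1c" + b"GET / HTTP/1.1\r\nHost: example\r\n"


def round_trip(inner: bytes = INNER, seq: int = 1) -> bytes:
    """Client side wraps, server side unwraps; returns the recovered inner packet."""
    datagram = udp_wrap(NAT_T_PORT, NAT_T_PORT, esp_encapsulate(ENC_KEY, AUTH_KEY, SPI, seq, inner))
    _src, _dst, esp = udp_unwrap(datagram)
    _seq, recovered = esp_decapsulate(ENC_KEY, AUTH_KEY, esp, SPI, last_seq=seq - 1)
    return recovered


def tamper_is_detected(inner: bytes = INNER) -> bool:
    """Flip one ciphertext byte on the wire; the receiver must reject before decrypting."""
    datagram = bytearray(udp_wrap(NAT_T_PORT, NAT_T_PORT, esp_encapsulate(ENC_KEY, AUTH_KEY, SPI, 7, inner)))
    datagram[UDP_HDR.size + ESP_HDR.size] ^= 0x01
    _src, _dst, esp = udp_unwrap(bytes(datagram))
    try:
        esp_decapsulate(ENC_KEY, AUTH_KEY, esp, SPI, last_seq=6)
    except ValueError as err:
        return "integrity" in str(err)
    return False


def replay_is_rejected(inner: bytes = INNER) -> bool:
    """Deliver the same packet twice; the second copy must be refused by the sequence check."""
    esp = esp_encapsulate(ENC_KEY, AUTH_KEY, SPI, 5, inner)
    esp_decapsulate(ENC_KEY, AUTH_KEY, esp, SPI, last_seq=4)
    try:
        esp_decapsulate(ENC_KEY, AUTH_KEY, esp, SPI, last_seq=5)
    except ValueError as err:
        return "replay" in str(err)
    return False
```

The order inside esp_decapsulate is the point: the integrity check value is verified over the header and ciphertext before anything is decrypted, so a modified packet is dropped without the receiver ever acting on attacker-controlled plaintext, and the sequence number check stops an old packet from being accepted a second time.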
IKEv2/IPSec is supported on Windows 7 and later versions, macOS 10.11 and later versions, as well as most mobile operating systems.
Encryption: IKEv2/IPSec can use a range of different cryptographic algorithms, including AES, Blowfish, and Camellia. It supports 256-bit encryption.
Speed: IKEv2/IPSec is faster than most VPN protocols currently available, especially ones that offer comparable security.
Known vulnerabilities: IKEv2/IPSec has no known weaknesses, and almost all IT security experts consider it to be safe when properly implemented with Perfect Forward Secrecy.
Firewall ports: UDP port 500 is used for the initial key exchange and UDP port 4500 for NAT traversal. Because it always uses these ports, IKEv2/IPSec is easier to block than some other protocols.
Stability: IKEv2/IPSec supports the Mobility and Multihoming protocol, making it more reliable than most other VPN protocols, especially for users who often switch between different WiFi networks.
Conclusion: Given its strong security, high speeds, and increased stability, IKEv2/IPSec is one of the best VPN protocols currently in use.
OpenVPN is an open source tunneling protocol. As opposed to VPN protocols that rely on the IPSec suite, OpenVPN uses SSL/TLS to handle its key exchange and set up its control channel, and a unique OpenVPN protocol to handle encapsulation and the data channel. This means that both its data channel and control channel are encrypted, which makes it somewhat unique compared to other VPN protocols. It is supported on almost all major operating systems.
Encryption: OpenVPN can use any of the different cryptographic algorithms contained in the OpenSSL library to encrypt its data, including AES, RC5, and Blowfish. OpenVPN supports 256-bit encryption.
Speed: When using UDP, OpenVPN maintains fast connections, although IKEv2/IPSec is generally accepted to be slightly quicker.
Known vulnerabilities: OpenVPN has no known vulnerabilities as long as it is implemented with a sufficiently strong encryption algorithm and Perfect Forward Secrecy. It is the industry standard for VPNs concerned about data security.
Firewall ports: OpenVPN can be configured to run on any UDP or TCP port, including TCP port 443, which carries all HTTPS traffic, making it very hard to block.
Stability: OpenVPN is very stable in general and has a TCP mode for weak or unreliable WiFi networks for extra reliability. This extra stability comes at the price of diminished speed because of the possibility of a TCP meltdown.
Conclusion: OpenVPN is one of the best VPN protocols currently in use, especially for users concerned primarily about data security. It is secure, reliable, and open source. The only category where it is not the best option is speed, where IKEv2/IPSec is generally slightly faster.
WireGuard® is an open source VPN protocol that is currently under development. Its goal is to make a much simpler and more streamlined tunneling protocol, which should lead to a faster, more efficient, more secure, and easier-to-use VPN.
Encryption: WireGuard uses ChaCha20 for symmetric encryption (RFC7539), Curve25519 for anonymous key exchange, Poly1305 for data authentication, and BLAKE2s for hashing (RFC7693). It automatically supports Perfect Forward Secrecy.
Speed: WireGuard uses new, high-speed cryptographic algorithms. ChaCha20, for example, is much simpler than AES ciphers of equal strength and nearly as fast, even though most devices now come with AES instructions built into their hardware. While it is impossible to be sure until the final version is ready, WireGuard promises to have fast connection speeds and low CPU requirements.
Known vulnerabilities: WireGuard is still under development and should be considered as an experimental protocol. It has not been subjected to the same security assessments as other VPN protocols, so there still may be undiscovered vulnerabilities. It should only be used for tests or in situations where data security is not critical.
Firewall ports: WireGuard uses UDP and can be configured to use any port. However, it does not currently support the use of TCP.
Stability: WireGuard is a very stable VPN protocol, and introduces new features that other tunneling protocols do not have, such as being able to maintain a VPN connection while changing VPN servers or changing WiFi networks.
Conclusion: While we are closely following the development of WireGuard, it is not yet ready for implementation. Once it has undergone a thorough security audit and there is a stable release, WireGuard’s strong encryption, high speeds, and simplicity will make it a very competitive VPN protocol.
Other important terms
Going through the comparisons of the different VPN protocols, you may have encountered acronyms or technical terms that you were not familiar with. We explain some of the most important ones here.
TCP vs. UDP
The transmission control protocol (TCP) and user datagram protocol (UDP) are the two different ways that devices can communicate with each other over the Internet. They both run on the Internet Protocol, which is responsible for sending data packets to and from IP addresses. When you see that a tunneling protocol uses a TCP port or a UDP port, it means that it is setting up a connection between your computer and the VPN server using one of these two protocols.
Whether a VPN uses TCP, UDP, or both can make a significant difference in its performance. TCP primarily focuses on delivering data accurately by running additional checks to ensure that data arrives in the proper order and correcting it if it does not.
This sounds like a good feature, but running one TCP connection on top of another can slow down your connection in what’s called a TCP meltdown. For example, if you have TCP traffic passing through an OpenVPN TCP tunnel and the TCP layer inside the tunnel detects an error, it will try to compensate, which in turn could cause the TCP tunnel itself to overcompensate. This process can cause severe delays in the delivery of your data.
UDP is primarily focused on delivering data swiftly and helps users avoid the meltdown problem. To read more about TCP, UDP, and ProtonVPN, click here.
Perfect Forward Secrecy
Perfect Forward Secrecy is a critical security component of encrypted communication. It refers to a set of operations that govern how your encryption keys are generated. If your VPN supports Perfect Forward Secrecy, it will create a unique set of keys for each session (i.e., each time you establish a new VPN connection). This means that even if an attacker somehow gets one of your keys, they can only use it to access data from that specific VPN session. The data in the rest of your sessions would remain safe since different unique keys protect them. It also means that your session key will remain secure even if your VPN’s private key is exposed.
Protocols used by ProtonVPN
We started ProtonVPN to make sure that activists, dissidents, and journalists have secure and private access to the Internet. To keep our users safe, we only use trusted and vetted VPN protocols. Our Windows client and Linux command line tool are built on the OpenVPN protocol, while our Android, iOS, and macOS apps use the IKEv2/IPSec protocol. All of our apps employ AES 256-bit encryption, 4096-bit RSA key exchange, HMAC SHA384 message authentication, and Perfect Forward Secrecy.
OpenVPN and IKEv2/IPSec are the two protocols that the vast majority of IT security experts agree are secure. We refuse to offer any VPN connections using PPTP or L2TP/IPSec (even though they are cheaper to run and easier to configure) because their security does not meet our standard. Although it’s too soon to endorse WireGuard®, we support its development as an innovative and open source VPN protocol. Once a stable version is released, we will consider adding it to our apps.
When you sign in to ProtonVPN, you can be confident that your VPN connection is using the latest and strongest tunneling protocols.