The use of a VPN connection is becoming more and more commonplace. This is understandable, given the increase in (mass) surveillance, hackers, and online tracking by advertising companies. Also, the use of VPN services is no longer just for computer technicians. However, to make the most of your VPN connection, choosing the right VPN protocol is very important in finding the best VPNs.
What is a VPN protocol?
A VPN encrypts your internet traffic before it is sent to the VPN server. For this encryption, there is often a choice of different protocols, so-called encryption protocols (also known as VPN protocols). Each VPN protocol has its pros and cons. The most common VPN protocols are:
- OpenVPN with UDP
- OpenVPN with TCP
- Wireguard (an experimental protocol still under development)
| | OpenVPN | PPTP | L2TP/IPSec | IKEv2 | Wireguard |
|---|---|---|---|---|---|
| Overall | Popular open-source VPN protocol with cross-platform capabilities. | Basic VPN protocol. This is the first VPN protocol supported by Windows. | Tunneling protocol that uses IPSec for security and encryption. L2TP works over UDP. | Another tunneling protocol that uses IPSec for encryption. However, this protocol is less commonly supported. | A new, experimental open-source protocol. The protocol is praised for its speed, efficiency and small (and therefore more manageable) amount of code. |
| Encryption | OpenVPN uses strong encryption through OpenSSL. Algorithms used: 3DES, AES, RC5, Blowfish. 128-bit encryption with 1024-bit keys, 256-bit encryption for connection control. | PPTP uses the MPPE protocol for encryption. The algorithm used is the RSA RC4 algorithm with 128-bit keys. | L2TP uses IPSec for encryption with a 256-bit key, 3DES/AES algorithm. | IKEv2 uses IPSec for encryption. IKEv2 can use the following encryption algorithms: 3DES, AES, Blowfish, Camellia. | Wireguard uses the ChaCha20 algorithm for encryption. A Wireguard audit in June 2019 found no serious security issues. However, according to the researchers there is room for improvement. It is important to realize that Wireguard is still in the development phase and therefore an experimental protocol. |
| Use | Via separately installed software, using *.ovpn configuration files combined with a username and password. | Can be set directly in the operating system. Separate software can also be used. | Set directly in the operating system. Can also be used via supplied software. | Set directly in the operating system. Can also be used via supplied software. | Since Wireguard is still in development, it is not yet supported by the vast majority of VPN providers. However, the protocol is compatible with most operating systems. |
| Speed | Depends on many factors, including the speed of your computer and server. OpenVPN over UDP is generally faster than OpenVPN over TCP. | Depends on many factors, including the speed of your computer and server. However, in general PPTP is known as a fast protocol, mainly because of its relatively simple and less strong encryption compared to, for example, OpenVPN. | Depends on many factors, including the speed of your computer and server. Due to the necessary addition of IPSec for good encryption, L2TP/IPSec is slower than OpenVPN. | IKEv2 (like L2TP) uses a UDP port (UDP port 500) and is therefore a fast protocol. According to some sources, IKEv2 is even faster than OpenVPN. | According to the developers of Wireguard, the efficient and compact code, combined with the fact that Wireguard nestles in the core of the Linux operating system, should mean that the protocol results in fast speeds. |
| Stability | Very good stability with all types of networks (WLAN (wireless), LAN (wired), mobile, etc.). | PPTP is relatively more unstable. This is mainly caused by compatibility issues. | Similar to OpenVPN, but sometimes network dependent. | IKEv2 is a more complex protocol than OpenVPN. As a result, IKEv2 sometimes requires a more advanced configuration to function properly. | Since Wireguard is still under development, it's hard to say much about stability. |
| Safety & Privacy | OpenVPN has few security vulnerabilities. Want maximum privacy and VPN security? Then in many cases this is the best protocol. | There are several known security vulnerabilities in Windows. | L2TP in combination with IPSec is known to be very secure. However, according to Snowden, L2TP/IPSec was once hacked by the NSA (US National Security Agency). | Often, IKEv2 is considered to be as secure as L2TP/IPSec because they use the same encryption model. However, according to leaked presentations from the NSA, IKEv2 has also been hacked. | The advantage of Wireguard is that the code of the protocol is relatively small (less than 4000 lines, compared to hundreds of thousands of lines for OpenVPN and L2TP/IPSec, for example). This makes the "attack surface" smaller for hackers. It also makes it easier to detect security holes. |
| Benefits | Very good speed and best security. Gets past most firewalls and network/ISP restrictions. | Easy to set up; good speeds; supported by the largest number of devices. | Easy to set up; passes network and ISP restrictions. | Easy to set up; good speeds. | Small, manageable amount of code (easier to evaluate); an easy-to-use, fast protocol according to the developers and many critics. |
| Disadvantages | In order to use it, installation of separately supplied software is often required. | Varying stability; less secure; easy to block by sites, governments and ISPs. | Slow and easier to block. | Relatively often blocked by firewalls; less supported than OpenVPN, L2TP/IPSec and PPTP. | Still under development (no guarantees regarding the security of the protocol); in its current state, Wireguard is not compatible with a no-logging policy (more on this later). |
| Conclusion | OpenVPN is the preferred VPN protocol in most cases. OpenVPN is fast, stable and secure. | PPTP is easy to set up, but less stable and less secure. In short, an option that you would rather only choose if the other protocols do not work. | L2TP/IPSec is often slower but can sometimes bypass blocks that the other two protocols cannot. We see it as an alternative if OpenVPN is not sufficient. | IKEv2 seems to offer the same level of security as L2TP/IPSec, but faster speeds, according to many. However, the latter depends on many variables. In order to guarantee good stability, a complex configuration is sometimes necessary. That is why, especially for beginners, we only recommend this protocol if OpenVPN does not work, for example. | Wireguard is without a doubt promising. However, the protocol is still under development. Therefore, like the developers and VPN providers, we only recommend using it for experimental purposes or when privacy and anonymity are not critical (e.g. for unblocking). |
OpenVPN (which stands for open source virtual private network) is the most well-known VPN protocol. OpenVPN owes its popularity to its strong encryption and open-source code. OpenVPN is now supported by all known operating systems, including Windows, MacOS and Linux. Mobile operating systems such as Android and iOS also support OpenVPN.
One of the main goals of a VPN protocol is to provide rock-solid encryption. OpenVPN scores very well in this area. OpenVPN uses 256-bit encryption via OpenSSL. In addition, there is a lot of separate VPN software available that supports OpenVPN.
- OpenVPN supports the use of two types of ports, TCP and UDP.
- OpenVPN-TCP is the most widely used and most reliable protocol. Each sent data packet must first be confirmed by the receiving computer before a new packet is sent. This makes the connection very reliable, but slower.
- OpenVPN-UDP is a lot faster. The data packets are sent without the need for feedback of receipt. This leads to a faster VPN connection, somewhat at the expense of reliability.
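The cipher and transport choices described above are set in the *.ovpn profile a provider hands out. The following is an added example, not code from the article or from the OpenVPN project: a small checker that reads a client profile and flags the legacy ciphers named in the comparison table, a TCP transport, and missing control-channel protections. The sample profiles, the hostname and the cipher lists are constructed for illustration.

```python
# Added example (not from the article): flag the weak OpenVPN profile settings the
# comparison above describes. The sample profiles and cipher lists are constructed.
WEAK_CIPHERS = {"BF-CBC", "DES-EDE3-CBC", "DES-CBC", "CAST5-CBC", "RC2-CBC"}  # 64-bit block
STRONG_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}          # AEAD

def parse_ovpn(text):
    """Map each directive to its argument list (last occurrence wins); inline
    <ca>/<cert>/<key>/<tls-crypt> blocks are recorded by name, payload skipped."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
            opts[line.strip("<>")] = []
        elif not in_block:
            name, *args = line.split()
            opts[name] = args
    return opts

def check_profile(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    o, findings = parse_ovpn(text), []
    if o.get("proto", ["udp"])[0].lower().startswith("tcp"):
        findings.append("proto tcp: slower than udp; use only where udp is blocked")
    # Data-channel cipher: 'data-ciphers' (2.5+), 'ncp-ciphers' (2.4) or legacy 'cipher'.
    raw = o.get("data-ciphers", o.get("ncp-ciphers", o.get("cipher", [])))
    ciphers = [c.upper() for c in ":".join(raw).split(":") if c]
    if not ciphers:
        findings.append("no cipher pinned: data channel falls back to the server default")
    for c in ciphers:
        if c in WEAK_CIPHERS:
            findings.append(f"{c}: 64-bit block cipher, exposed to SWEET32-style attacks")
        elif c not in STRONG_CIPHERS:
            findings.append(f"{c}: not an AEAD cipher; prefer AES-GCM or ChaCha20-Poly1305")
    if o.get("auth", ["SHA1"])[0].upper() in {"MD5", "SHA1", "NONE"}:
        findings.append("auth digest is MD5/SHA1/none; set auth SHA256 or stronger")
    if "tls-crypt" not in o and "tls-auth" not in o:
        findings.append("no tls-auth/tls-crypt: control channel not HMAC-protected")
    if "remote-cert-tls" not in o and "verify-x509-name" not in o:
        findings.append("no remote-cert-tls: any CA-signed cert can pose as the server")
    return findings

WEAK_PROFILE = "client\ndev tun\nproto tcp\nremote vpn.example.invalid 443\ncipher BF-CBC\n"
HARDENED_PROFILE = ("client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n"
    "data-ciphers AES-256-GCM:CHACHA20-POLY1305\nauth SHA256\nremote-cert-tls server\n"
    "<tls-crypt>\n(constructed placeholder key)\n</tls-crypt>\n")
```

Run `check_profile(open("client.ovpn").read())` on a real profile; the weak sample yields five findings, the hardened sample none.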
Pros and cons of OpenVPN
- + OpenVPN is very secure
- + Support by most software
- + Can be used on almost all operating systems
- + Frequently tested for safety
- – Often requires additional software
PPTP VPN protocol
The Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN protocols. PPTP was the first protocol supported by Windows. The NSA has cracked the protocol making it unsafe. PPTP is very fast because of the weak encryption. The difference can be noticeable, especially on slow computers. PPTP is the most supported protocol due to its age. Firewalls that try to block VPN traffic have little trouble recognizing PPTP.
Pros and cons of the PPTP protocol
- + PPTP is very fast
- + is simple to use
- + works on almost all operating systems
- – offers very weak encryption
- – PPTP traffic can be easily recognized and blocked
- – hackers often exploit the weaknesses in PPTP
The Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol for setting up a VPN connection. L2TP does not encrypt internet traffic itself. Therefore, L2TP is almost always combined with IPSec to encrypt data. IPSec stands for Internet Protocol Security and ensures the end-to-end encryption of the data in the L2TP tunnel. The L2TP/IPSec combination as a VPN protocol is much more secure than PPTP.
A disadvantage of L2TP/IPSec is that firewalls sometimes block this connection. L2TP uses UDP port 500 and some providers and companies block this port. In terms of speed, L2TP is very fast, but that is due to the lack of encryption. Adding IPSec increases the load on the computer and can decrease the connection speed. OpenVPN is faster than L2TP/IPSec.
Pros and cons of L2TP/IPSec
- + Better encryption than PPTP
- + directly supported in many operating systems
- – slower than OpenVPN
- – Snowden says L2TP/IPSec has been hacked by the NSA
- – L2TP can be blocked by firewalls
IKEv2 VPN protocol
IKEv2 stands for Internet Key Exchange Version 2. As the name suggests, IKEv2 is the successor of IKE. When using IKEv2, internet traffic is first encrypted using IPSec. After that, a VPN tunnel is constructed in which the encrypted data is sent.
The IKEv2 protocol, like L2TP, uses UDP port 500, which means that it is sometimes blocked by firewalls. Due to its use of IPSec, IKEv2 is often considered as secure as L2TP/IPSec. When a weak password is used, IKEv2 is especially vulnerable to hackers. IKEv2 is a very fast VPN protocol.
Pros and cons of IKEv2
- + IKEv2 is very fast
- + fairly strong encryption
- + can recover lost connections
- + IKEv2 is simple to use
- – can be blocked quite easily by firewalls
- – possibly cracked by the NSA
- – insecure when using a weak password
- – less supported protocol compared to OpenVPN and L2TP/IPSec
Wireguard is a new, experimental VPN protocol written by Jason A. Donenfeld. The protocol is still under development. Nevertheless, various VPN providers offer this protocol. The protocol distinguishes itself by a much smaller amount of code compared to its competitors. This makes the protocol and its security easier to evaluate (audit) and, in combination with the design of the code itself, should make for a simpler, faster, more efficient and easier-to-use VPN protocol.
However, because this protocol is still under development, the developers and most VPN providers recommend using it only for experimental purposes or when privacy is not absolutely necessary (for now). Furthermore, it is important to note that the current version of Wireguard only works with static IP addresses. According to many IT authorities, this means that using Wireguard is not compatible with a no-logging VPN policy.
Pros and cons of Wireguard
- + Wireguard is very fast in theory and according to benchmarks on its own website
- + The small amount of code means the protocol is easier to audit
- – Most VPN providers do not (yet) support this protocol.
- – Wireguard uses static IP addresses and is therefore not compatible with a no-logging policy.
It is important to choose the right VPN protocol. Each VPN protocol has its own advantages and disadvantages. In most cases, OpenVPN is the best choice. PPTP is almost never a good idea to use because of its weak encryption. If OpenVPN is not supported or does not work properly, L2TP/IPSec or IKEv2 can be considered.