As the Internet (and the world) become a scarier place, Virtual Private Networks (VPNs) provide a safe, secure and fast way to browse the world wide web while leaving a minimal digital footprint, if one at all.
Various VPN providers support different VPN protocols, making a real difference in each provider's performance, privacy, and security. Before we discuss what sets each VPN protocol apart from the rest, let's clarify what a VPN protocol is.
What is a VPN protocol?
A VPN protocol is a blueprint: a set of rules and guidelines that describe how the communication between the VPN client on your device and the VPN server must be performed. Each VPN provider must follow those rules in its implementation to support a given protocol and its characteristics. VPN providers depend on VPN protocols to provide secure, private, and fast connections based on each protocol's specifications.
These specifications may emphasize one characteristic while slightly or heavily compromising others, depending on the circumstances. When you use your VPN for streaming, speed is usually the priority, while security and privacy may take a back seat. Meanwhile, when you transfer privacy-critical or security-critical data, such as your credit card or bank account details, the priority should be privacy and security. VPN providers support a set of different protocols to provide that flexibility according to your needs.
When choosing a VPN provider, it is best to know the characteristics, strengths, and weaknesses of each VPN protocol they support so you can make the best choice.
We established that VPN protocols define how the VPN client communicates with the VPN server: the handshake, the encryption, and the routing.
The Good: Established and upcoming VPN protocols
OpenVPN is an open-source VPN protocol established in 2001, and it is based on the OpenSSL implementation of HTTPS. It runs either on the TCP or the UDP internet protocol, with TCP being the more reliable option and UDP being the faster option. OpenVPN is pretty much the default protocol for most modern paid VPN providers.
OpenVPN uses port 1194 TCP/UDP and port 443 TCP.
- Since OpenVPN is open source and its code available to the public eye, you don't have to worry about backdoors, and you can expect vulnerabilities to be fixed as soon as possible.
- OpenVPN is modular and flexible. You can use it with separate encryption and traffic protocols, depending on whether you want maximum security or faster performance.
- OpenVPN bypasses most firewalls, so in that regard, it is easy to set up on any operating system.
- The far too many options and available configurations can make OpenVPN hard to set up and configure on your own, and mistakes can be costly for security. In this scenario, I am referring to setting up an OpenVPN server yourself as a system administrator, for instance, not to using a VPN provider whose client offers OpenVPN out of the box.
OpenVPN is the best choice for maximum security in public Wi-Fi or bank transactions.
IPSec (Internet Protocol Security)/IKEv2 (Internet Key Exchange version 2)
Microsoft and Cisco developed IKEv2 with the aim of a fast, stable, and secure VPN protocol. IKEv2 is indeed that and a very reliable and durable VPN protocol. Its biggest downside is that it is not compatible with every system, although it is compatible with Windows, and that is what a lot of users need. A second and potentially massive downside is that it uses the Diffie-Hellman key exchange.
IPSec/IKEv2 uses port 500 UDP and port 4500 UDP.
- IKEv2 usually uses an IPSec tool called the Mobility and Multi-homing Protocol (MOBIKE), which keeps the VPN connection alive as you move between internet connections. This makes IKEv2 the most dependable and stable protocol for mobile devices.
- As part of the IPSec suite, IKEv2 works with most leading encryption algorithms, making it one of the most secure VPNs.
- It takes up little bandwidth when active, and its NAT traversal makes it connect and communicate faster. It also helps to get through firewalls.
- The lack of support for IKEv2 in many operating systems, as already mentioned.
- The NSA may have its number. Edward Snowden revealed in the past that the NSA has found a way to break the DH encryption, due to a bug. For that reason, you need to make sure that your VPN provider has patched the vulnerability (NordVPN has, for instance).
To oversimplify things, IKEv2 provides as much security and reliability as OpenVPN-TCP while being as fast as OpenVPN-UDP, so it is a perfect choice when you are on the road or streaming.
WireGuard is the latest and fastest tunneling protocol the entire VPN industry is talking about. It uses state-of-the-art cryptography that outshines the current leaders, OpenVPN and IPSec/IKEv2. However, it's still considered experimental, so VPN providers need to look for new solutions (like NordLynx by NordVPN) to overcome WireGuard's current limitations. Several other providers offer WireGuard out of the box.
- The WireGuard protocol features a much lighter code base than most VPN protocols (at least open-source ones). It consists of just around 4000 lines, which contrasts sharply with strongSwan/IPsec and OpenVPN/OpenSSL, which have 400,000 and 600,000 lines of code respectively.
- Such a light build means WireGuard is much easier to audit for security vulnerabilities. An audit of WireGuard can be done by a single individual, whereas auditing the enormous IPSec or OpenVPN codebases is difficult even for a whole team of security experts. WireGuard's smaller codebase also implies a minimal attack surface that cybercriminals can exploit.
- WireGuard is still experimental. While it is super fast, it does not properly provide anonymity yet, and industry-leading VPN providers have resorted to developing custom solutions to enhance it (remember, it's only a few thousand lines of code).
Speed. Streaming, gaming, and downloading are areas where WireGuard thrives. Just avoid torrenting with it.
You can think of NordLynx as WireGuard without the privacy/anonymity concerns. However, since it is based on WireGuard, which is still experimental, there is no guarantee that there won't be any bugs. Regardless, it is encouraging to see VPN providers diverting from the norm, and with an industry leader behind it, NordLynx has a bright future ahead of it. I don't know the specific pros and cons of NordLynx yet, other than the fact that it is a high-speed VPN protocol.
Streaming for sure, possibly torrenting and anonymous browsing.
I really want to mention Lightway since it is a new VPN protocol offered by ExpressVPN, a VPN provider that is synonymous with top-notch performance and privacy. Quite possibly inspired by WireGuard's simplicity and performance, ExpressVPN is the first provider to have developed its own protocol. I had the chance to review ExpressVPN with Lightway available, and it was quite impressive.
- Lightway is blistering fast, quite possibly the fastest VPN protocol you can get your hands on.
- Lightway combined with ExpressVPN's automatic Kill Switch, which so far is the most responsive I have seen, guarantees that your privacy remains intact when switching networks, and you will be back online in no time. It seems that ExpressVPN really optimized the handshake process with Lightway.
- Lightway is still in Beta, and it is not open source yet, but it will be.
Streaming and mobile devices since it is very lightweight and fast. I would consider it a good choice for torrent downloads.
SSTP (Secure Socket Tunnelling Protocol)
Secure Socket Tunneling Protocol (SSTP) is a fairly secure and capable VPN protocol created by Microsoft. It has its upsides and downsides, meaning that each user has to decide whether this protocol is worth using. Despite being a primarily Microsoft product, SSTP is available on other systems besides Windows.
SSTP uses the TCP port 443.
- You will find it in Windows systems, either built-in or easy to install and set up since Microsoft owns it.
- Similar to other leading VPNs, SSTP supports the AES-256 encryption protocol.
- SSTP can get through most firewalls without interrupting your communications.
- SSTP's code is proprietary, so there is potential for backdoors in the code as Microsoft has an ongoing relationship with the NSA and law enforcement.
SSTP is good for bypassing geo-restrictions and enhancing privacy while browsing the internet.
The Bad: Outdated VPN Protocols you should avoid
L2TP (Layer Two Tunneling Protocol)/IPSec (Internet Protocol Security)
Layer 2 tunneling protocol (L2TP) doesn’t actually provide any encryption or authentication – it’s simply a VPN tunneling protocol that creates a connection between you and a VPN server. It relies on the IPSec suite's other tools to encrypt your traffic and keep it private and secure.
L2TP uses port 1701 TCP, Port 500 UDP, and port 4500 UDP.
- Without security out of the box, L2TP offers a lot of flexibility, as it can accept the encryption options provided by IPSec, allowing configurations that prioritize speed or security.
- L2TP is widely available on almost all modern consumer systems, meaning that admins will have no trouble finding support and setting it up.
- Potentially compromised by the NSA. Like IKEv2, L2TP is usually used with IPSec. Therefore it presents the same previously mentioned vulnerabilities, and VPN providers probably haven't gone through the trouble of patching it if they support it.
- The protocol encapsulates data twice, which can be useful for some applications but makes it slower than other protocols that only encapsulate your data once.
- Has difficulties with firewalls. Unlike other VPN protocols, L2TP doesn’t have any clever ways to get through firewalls. Surveillance-oriented system administrators use firewalls to block VPNs, and people who configure L2TP themselves are an easy target.
Anything that requires security while not prioritizing speed. However, there are better options in that department.
PPTP (Point-to-Point Tunneling Protocol)
Point-to-Point Tunneling Protocol (PPTP) was created in 1999 and was the first widely available VPN protocol. It was originally designed to tunnel dial-up traffic, and it is limited to very weak encryption options. Ideally, VPN providers shouldn't support it, and system administrators shouldn't use it.
PPTP uses the TCP port 1723.
Because PPTP is very outdated and uses weak encryption, it is speedy, and since it was the first standard, you will find it in most modern systems.
Highly insecure with many unpatched vulnerabilities and cracked by the NSA. Since it is ancient and full of holes, modern firewalls will have it blocked.
Pretty much nothing, but if you have a slow internet connection and a slow computer, maybe you can use it for streaming and bypassing geo-blocking. By all means avoid using it for anything else!
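The port assignments listed for each protocol above (1194 and 443 for OpenVPN, 500/4500 for IKEv2 and L2TP/IPSec, 1701 for L2TP, 1723 for PPTP, 443 for SSTP) are also what a network defender has to work with when reviewing firewall logs for VPN use on a managed network, for example to spot the outdated protocols this section says to avoid. The following is an added example, not code from the original article: it classifies firewall log lines by destination port and transport using only the article's port table, treats 443/TCP as merely "possible" because ordinary HTTPS shares it, and only flags a host as using an avoid-list protocol when every candidate for that port is on the list (500/4500 could be IKEv2, which is fine). The log lines are constructed for this example in the key=value style of iptables/netfilter LOG entries; no real hosts or traffic.

```python
"""
Added example, not code from the original article: classify outbound firewall
log entries by the VPN protocol they most likely belong to, using only the
port/transport assignments the article gives for each protocol.

The log lines below are constructed for this example in the key=value style
of iptables/netfilter LOG entries (SRC=, DST=, PROTO=, DPT=); no real hosts.
"""
import re
from collections import Counter

# Port table taken from the article's per-protocol notes. 443/TCP is shared by
# OpenVPN, SSTP and ordinary HTTPS, so it can only ever be a "possible" match.
VPN_PORTS = {
    ("udp", 1194): ["OpenVPN"],
    ("tcp", 1194): ["OpenVPN"],
    ("tcp", 443): ["OpenVPN", "SSTP"],            # indistinguishable from HTTPS by port
    ("udp", 500): ["IKEv2/IPsec", "L2TP/IPsec"],   # IKE
    ("udp", 4500): ["IKEv2/IPsec", "L2TP/IPsec"],  # IKE NAT traversal
    ("tcp", 1701): ["L2TP"],
    ("tcp", 1723): ["PPTP"],
}
AMBIGUOUS = {("tcp", 443)}
# Protocols the article files under "outdated, avoid".
DEPRECATED = {"L2TP", "L2TP/IPsec", "PPTP"}

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_fields(line):
    """Turn 'SRC=10.0.0.5 DST=... PROTO=UDP DPT=1194' into a dict."""
    return dict(FIELD_RE.findall(line))

def classify_line(line):
    """Return a match dict for a line that hits a known VPN port, else None."""
    f = parse_fields(line)
    if "PROTO" not in f or "DPT" not in f or "SRC" not in f:
        return None                      # e.g. ICMP entries carry no DPT
    key = (f["PROTO"].lower(), int(f["DPT"]))
    candidates = VPN_PORTS.get(key)
    if not candidates:
        return None
    return {
        "src": f["SRC"],
        "dst": f.get("DST", "?"),
        "label": " or ".join(candidates),
        "confidence": "possible" if key in AMBIGUOUS else "likely",
        # Only a definite hit counts: every candidate must be on the avoid list.
        "deprecated": all(c in DEPRECATED for c in candidates),
    }

def summarize(lines):
    """Per source host: counts of likely/possible VPN protocol hits and a
    flag for any definite hit on a protocol the article says to avoid."""
    per_host = {}
    for line in lines:
        hit = classify_line(line)
        if hit is None:
            continue
        host = per_host.setdefault(
            hit["src"], {"likely": Counter(), "possible": Counter(), "deprecated": False}
        )
        host[hit["confidence"]][hit["label"]] += 1
        host["deprecated"] = host["deprecated"] or hit["deprecated"]
    return per_host

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "Feb 12 10:01:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=1400 PROTO=UDP SPT=51000 DPT=1194",
    "Feb 12 10:01:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=1400 PROTO=UDP SPT=51000 DPT=1194",
    "Feb 12 10:02:10 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.4 LEN=900 PROTO=UDP SPT=500 DPT=500",
    "Feb 12 10:02:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.4 LEN=1300 PROTO=UDP SPT=4500 DPT=4500",
    "Feb 12 10:03:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=192.0.2.20 LEN=60 PROTO=TCP SPT=40000 DPT=1723",
    "Feb 12 10:03:30 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.11 DST=192.0.2.30 LEN=60 PROTO=TCP SPT=40001 DPT=443",
    "Feb 12 10:04:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.11 DST=192.0.2.30 LEN=60 PROTO=TCP SPT=40002 DPT=80",
    "Feb 12 10:04:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.11 DST=192.0.2.30 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, dict(info["likely"]), dict(info["possible"]),
              "AVOID-LIST PROTOCOL" if info["deprecated"] else "")
```

Port-based classification is a first-pass signal only: a host hitting both 500/UDP and 4500/UDP is a strong IKE indicator, while a single 443/TCP hit says nothing by itself, which is why the example keeps "possible" and "likely" counts apart rather than merging them.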
What VPN protocol should I use?
OpenVPN should be your go-to protocol. It's the most well-rounded option, delivering a perfect balance between speed, security, and reliability. Most VPN providers use OpenVPN by default.
However, in many cases, IKEv2 is faster than OpenVPN since it is less CPU-intensive. There are, however, numerous variables that affect speed, so this may not apply in all use cases.
For mobile device performance, IKEv2 may be the best option because it does well establishing a reconnection.
What are 3 types of VPN tunnels?
VPNs fall into three main categories:
- remote-access
- intranet-based site-to-site
- extranet-based site-to-site
Individual users are most likely to encounter remote-access VPNs. Meanwhile, big businesses often implement site-to-site VPNs for corporate purposes.
Is TCP or UDP better for VPN?
UDP provides significantly better speed than TCP, so it is the preferred protocol for streaming and peer-to-peer downloading (such as torrents). On the other hand, UDP does not guarantee packet delivery, so in some cases TCP may be more reliable.
What is the safest VPN protocol?
The recommended and most secure VPN protocol is OpenVPN. It uses 256-bit encryption as a default but also offers other ciphers such as 3DES (triple data encryption standard), Blowfish, CAST-128, and AES (Advanced Encryption Standard).
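Earlier the article warns that configuring OpenVPN yourself leaves plenty of room for costly mistakes, and this answer lists the legacy ciphers (3DES, Blowfish, CAST-128) that sit alongside the AES-256 default. The following is an added example, not the article's or the OpenVPN project's code: a small linter for an OpenVPN client profile that flags a legacy or disabled data-channel cipher, a missing `remote-cert-tls server` check, a missing `tls-crypt`/`tls-auth` layer, and reports the TCP-versus-UDP choice as information. The directive names are real OpenVPN options; the cipher spellings are the OpenSSL names OpenVPN uses for the article's ciphers; the two sample profiles and the certificate placeholder are constructed for this example.

```python
"""
Added example, not the article's or the OpenVPN project's code: a small
linter for an OpenVPN client profile (.ovpn) that flags the kind of
self-configuration mistake the article warns about, starting with the
legacy ciphers it lists (3DES, Blowfish, CAST-128) versus AES.

Directive names used here (proto, remote, cipher, data-ciphers, auth,
remote-cert-tls, tls-crypt, tls-auth) are real OpenVPN options. Both sample
profiles are constructed for this example; the certificate block is a
placeholder, not a real certificate.
"""

# OpenSSL-style names for the article's non-AES ciphers. All three have a
# 64-bit block size, which is why they are treated as legacy here.
LEGACY_CIPHERS = {
    "BF-CBC": "Blowfish",
    "DES-EDE3-CBC": "3DES",
    "CAST5-CBC": "CAST-128",
}
# Ciphers this linter accepts without comment (AES-256 is OpenVPN's usual default).
STRONG_CIPHERS = {"AES-256-GCM", "AES-256-CBC", "AES-128-GCM", "CHACHA20-POLY1305"}

def parse_profile(text):
    """Parse an .ovpn profile into (directive, [args]) pairs.
    Comment lines (# or ;) and inline <ca>...</ca>-style blocks are skipped."""
    directives, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives

def lint_profile(text):
    """Return a list of (severity, message) findings for a client profile."""
    seen = {}
    for name, args in parse_profile(text):
        seen.setdefault(name, []).append(args)
    findings = []

    # 1. Data-channel cipher: the article's point that OpenVPN offers legacy
    #    ciphers next to AES-256, and that choosing badly is costly.
    for key in ("cipher", "data-ciphers"):
        for args in seen.get(key, []):
            for name in ":".join(args).upper().split(":"):  # data-ciphers is colon-separated
                if name in LEGACY_CIPHERS:
                    findings.append(("high", f"{key} {name} ({LEGACY_CIPHERS[name]}) is a 64-bit-block legacy cipher; prefer AES-256-GCM"))
                elif name == "NONE":
                    findings.append(("high", f"{key} none disables data-channel encryption"))
                elif name not in STRONG_CIPHERS:
                    findings.append(("info", f"{key} {name} is not on the known-strong list; review it"))

    # 2. Without remote-cert-tls server, any certificate issued by the same CA
    #    (including another client's) is accepted as the server's.
    if "remote-cert-tls" not in seen:
        findings.append(("medium", "remote-cert-tls server is missing; server certificate role is not verified"))

    # 3. Control-channel hardening.
    if "tls-crypt" not in seen and "tls-auth" not in seen:
        findings.append(("low", "no tls-crypt or tls-auth; control channel has no extra HMAC/encryption layer"))

    # 4. Transport, informational: the article's TCP (reliable) vs UDP (fast) trade-off.
    proto_args = seen.get("proto", [["udp"]])[0]   # OpenVPN defaults to udp
    transport = (proto_args[0] if proto_args else "udp").lower()
    note = "reliability over speed" if transport.startswith("tcp") else "speed over guaranteed delivery"
    findings.append(("info", f"proto {transport}: {note}"))
    return findings

# Constructed sample profiles (placeholders, not real endpoints or certificates).
WEAK_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.invalid 443
cipher BF-CBC
auth SHA1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-GCM
auth SHA256
remote-cert-tls server
tls-crypt ta.key
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"== {label} ==")
        for severity, message in lint_profile(profile):
            print(f"[{severity}] {message}")
```

Run against the weak profile the linter reports the Blowfish cipher, the missing server-certificate role check and the missing control-channel layer; against the hardened profile it reports only the informational transport note. Blowfish, 3DES and CAST-128 are flagged because of their 64-bit block size rather than because the article calls them weak; the article simply lists them as alternatives to the AES default.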
What is the fastest VPN protocol?
If you want to stream at high speeds, PPTP is the fastest VPN protocol because of its weak encryption. However, keep in mind that it is the most insecure protocol out there. L2TP and IKEv2 are also fast, while OpenVPN and SSTP are slower than other VPN protocols.
I recommend using IKEv2 for speed, unless you have access to WireGuard, Lightway, or NordLynx.
Which VPN providers support WireGuard?
Only five VPN providers have implemented WireGuard as of February 2021.
- ExpressVPN (WireGuard variation named Lightway)
- NordVPN (WireGuard variation named NordLynx)
- Private Internet Access