Looking for the best VPN tool is not just a matter of downloading and installing the first application that crosses your path; if you take a product at face value, the advertisements alone make the decision for you. It is also a matter of tracking down all the features that make a VPN service excellent. Perhaps you are interested in a user-friendly graphical interface with intuitive buttons spread out across the main application window. Maybe you do not want to spend a lot of money and prefer a cheaper solution. Or maybe you just want something fast that is capable of unblocking Netflix. However, the most important aspect of a VPN utility is, by far, the way it connects to the internet to send and receive data. These rules and conditions are defined by VPN protocols.
What are the pros and cons of VPN protocols?
There are many types of VPN protocols out there, each with its own advantages and disadvantages. Thankfully, it is common practice for applications to implement multiple VPN protocols, so that you can switch between them depending on what you need. Nevertheless, you should know what hides behind each acronym and not just opt for the default VPN protocol when connecting to the internet.
We have already established that, depending on which VPN protocol is being used, the program might slow down your internet connection or lead to connection drops, to name a couple of examples. Therefore, it is essential to understand how common VPN protocols work. Consequently, we have prepared a list of VPN protocols adopted by many VPN service providers: PPTP, L2TP/IPsec, IKEv2/IPsec, OpenVPN, SSTP, SSL/TLS, TCP and UDP.
Besides finding out how each protocol works, you can also check out a bit of background history and how easy the VPN tool is to configure. We have also focused our efforts on inspecting encryption, authentication, firewall behaviour, network speed, security leaks (if any), as well as compatibility with multiple operating systems and platforms. In some cases, there is evidence to confirm or deny reliability when multiple connected devices use the same VPN configuration. All of this is accompanied by a summary of pros and cons for each protocol, together with our personal conclusion.
PPTP (aka Point-to-Point Tunneling Protocol) is one of the most recognizable VPN protocols out there, even among users with limited networking knowledge. Based on PPP (Point-to-Point Protocol), PPTP works with virtual private networks only. It has been shipped with Windows editions ever since its release back in 1995 by Microsoft, making it the oldest protocol on our list. It uses TCP port 1723 and GRE port 47 to encapsulate PPP packets ready for transport.
Official specification details about PPTP were published in 1999 as RFC 2637. These include the protocol’s goals and technical info about how it works. However, PPTP was never proposed as a standard by IETF (Internet Engineering Task Force) and its document remained purely informational (we can only assume this happened because of the security risks).
Encryption and speed
PPTP mostly uses 128-bit MPPE (Microsoft Point-to-Point Encryption) for encrypting data, which is pretty insecure. It is definitely not recommended for corporations or commercial use, also because a NAT interface (Network Address Translation) and a firewall rule for GRE (Generic Routing Encapsulation) are necessary when attempting to reach external servers from an internal network.
Although it can still be found in newer operating systems (including Windows 10), PPTP is widely regarded as obsolete among VPN protocols. It is not intended for users who put privacy above all else, due to the fact that it has many security flaws. On the bright side, thanks to its lightweight (low-privacy) encryption and stable internet connections, PPTP is great for accessing online streaming, like Netflix, BBC iPlayer and Amazon Prime. Since it is very fast, it can also be used on older computers with limited CPU power, and especially on routers when security is not a concern.
Firewall, security leaks, authentication, OS compatibility
Besides the fact that PPTP connections can be easily blocked by the remote server when the configuration is incorrect, they may lead to drops when several devices in the internal network try to reach the same destination simultaneously. Furthermore, because PPTP has a history of exploit risks (back when it used MS-CHAP v2 instead of 128-bit AES), the protocol is certainly being monitored and can be easily hacked by the NSA. Sadly, MS-CHAP v2 is still being used, too.
People who still use PPTP are usually the ones who do not want to go through the trouble of learning how to configure a modern protocol, like OpenVPN, since PPTP is one of the easiest VPN protocols to set up. When it comes to authentication, it only requires a server name, username and password. Another upside is that, because it has been around for so long, it has native support on most operating systems and platforms. These include Windows, Linux, Mac OS, Android, iOS, and Tomato. This means that you don’t have to install any additional software to be able to use PPTP.
Pros:
- Great speed, but slower than IKEv2/IPSec
- Easy to configure, no advanced skills required
- Great compatibility with multiple operating systems and platforms
- Native support, no third-party installations required
- Stable internet connections, great for online streaming
- Needs low processing power, ideal for older computers
- Can be installed on routers when security is not an issue
Cons:
- Very low security, worst on this list
- History of security exploits
- Hackable by the NSA
- Weak against firewalls, easy to block by the remote server you want to reach
- Unreliable for multiple devices with identical VPN configuration
- Not recommended for corporations or commercial use
If you are not keen on security and do not plan on using a VPN for shady business (like downloading illegal torrents), you can go with PPTP. However, if you want to play it safe, it is recommended to look for another VPN protocol.
Considered the successor of PPTP, L2TP (Layer Two Tunneling Protocol) is based on PPTP (by Microsoft) and L2F (Layer Two Forwarding Protocol, by Cisco). However, it is one of the VPN protocols that do not have built-in features for ensuring encryption and protecting privacy. This is covered by a separate encryption protocol, and the most common one for L2TP is IPsec (Internet Protocol Security), which can encrypt data sent over an IPv4 network.
Therefore, L2TP provides the tunnel while IPsec takes care of security. Another conclusion we can draw from this is that L2TP is not actually the protocol susceptible to hacking (since it has zero shields), but IPsec is the real target. How it works is that IPsec authenticates and encrypts the data packets individually while you are connected to the VPN.
Encryption, authentication, firewall
IPSec is one of the VPN protocols that uses multiple encryption modes. It supports 128-bit AES, 256-bit AES and 3DES. These offer a pretty great level of security but only with the right kind of authentication (nothing public). In most cases, L2TP/IPsec authentication is done using pre-shared keys, public keys or certificates, although there are other methods, too. This type of authentication makes the protocol simpler to configure, so no coding skills are necessary.
L2TP uses UDP port 500 to get past the first step and exchange keys between the server and client. Unfortunately, this means that your connection can be blocked by the remote firewall when using the NAT interface. Unlike OpenVPN, it cannot be masked by switching to another port. Afterward, IPsec uses protocol 50 to encrypt information, UDP port 1701 to configure L2TP settings, and UDP port 4500 for NAT traversal.
Security leaks, OS compatibility, speed
The L2TP/IPsec combination was a protocol standard proposed by IETF in 2001 in RFC 3193. Unfortunately, there have been strong suggestions of NSA cracking IPsec-based VPN connections, so it is safe to assume that, besides PPTP, IPsec is also on the NSA watchlist.
L2TP/IPsec has native support on most major operating systems, like Windows, Mac OS and Android. But it is not as good as PPTP when it comes to extensive compatibility. Thanks to the fact that it uses UDP (kernel-based acceleration), it ensures good internet speed. At the same time, because more CPU processing power is needed to encapsulate data twice, speed is hampered. Overall, it ensures medium security when compared to other VPN protocols on this list.
Pros:
- Medium security, better than PPTP
- Easy to configure
- No known security flaws (unless public shared keys or certificates are used)
- Good compatibility with multiple operating systems, native support
- Reliable for multiple devices with identical VPN configuration
Cons:
- Medium speed, worse than PPTP and OpenVPN due to double encapsulation
- Not recommended for computers with limited CPU processing power
- Can be easily blocked by firewalls via the NAT interface
- Can probably be hacked by the NSA
- Security flaws: if public keys or certificates are used, the system is susceptible to MITM (Man-In-The-Middle) attacks
- Fair reliability on networks experiencing stability issues
Practically, L2TP/IPsec takes PPTP to a new level by adding more security but by losing speed. It is better than PPTP but worse than OpenVPN.
Based on IPSec and resulting from a collaboration between Microsoft and Cisco, IKEv2 (Internet Key Exchange version 2) became an Internet Standard in 2014 when it was published in RFC 7296. It was not originally intended to be a VPN protocol, but it successfully mimics one nonetheless.
Unlike L2TP, which relies on double encapsulation and thereby hurts internet speed, IKEv2 is one of the many VPN protocols that do not have this kind of issue. How it works is that an IKE daemon (background process) runs in user space (outside the OS kernel) to gain access to configuration info, like IPsec keys and certificates. Meanwhile, an IPsec stack in the kernel handles IP packet processing.
Speed, encryption, authentication, security leaks
Since these two tasks are taken care of separately, network performance is not affected, resulting in great speed. Compared to PPTP and L2TP/IPsec, IKEv2/IPsec provides better security, supporting 128-bit AES, 192-bit AES and 256-bit AES encryption modes. When it comes to authentication, IKEv2 uses pre-shared keys or X.509 certificates, making it easy to configure. It also creates and maintains a security policy for every connected peer.
As far as security flaws go, the IKEv2/IPsec combination sadly inherits IPsec’s security drawbacks, which we previously mentioned when describing L2TP/IPsec (strong suggestions of IPsec being monitored by the NSA). Furthermore, recent reports indicate that IPsec with IKEv2 are susceptible to security risks.
Firewall, OS compatibility, connection reliability
Similar to L2TP, IKEv2 uses UDP, usually on port 500, which means it can be easily blocked by firewalls when using a NAT interface. When it comes to compatibility with operating systems, IKEv2/IPsec has native support on Windows 7, along with implementations for Linux, BlackBerry, Android, iOS and others. Unfortunately, it does not excel in this department since it has limited support beyond Windows and BlackBerry.
On the upside, it puts emphasis on mobile compatibility, featuring support for MOBIKE (Mobility and Multihoming protocol). The protocol can quickly reconnect to the internet on connection drops. It ensures stable connections even if you want to jump from one network type to another, like from wireless to data, or from one hotspot to another.
Pros:
- Great speed, best on this list (surpassing OpenVPN, PPTP, L2TP/IPSec and SSTP)
- Great security, better than PPTP and L2TP/IPsec
- Quick reconnection on drops
- Great compatibility with mobiles
- Stable connections even when you are switching network types (e.g. from wifi to data)
Cons:
- Limited compatibility with operating systems
- Can be blocked by firewalls
- Known history of security flaws
- Probably monitored and already hacked by the NSA (allegedly, since nothing has been confirmed)
If it weren’t for the disadvantages inherited from IPsec, IKEv2/IPsec would be excellent. Nevertheless, it is safer than L2TP/IPSec and faster than OpenVPN.
Widely considered the best of all VPN protocols, OpenVPN (Open Source VPN) has an edge over the others when it comes to advanced security and customization features. It comes in two flavors: free and open-source (OpenVPN Community Edition) and premium (OpenVPN Access Server). On top of what the free edition offers, the premium subscription adds web UI management features, SMP server support and LDAP integration, to name a few examples.
Firewall, authentication, encryption
OpenVPN uses a custom security protocol and SSL/TLS to exchange keys over the internet. It supports IPv6, as well as both TCP (better chance than UDP to get past firewalls) and UDP (faster than TCP). In fact, this VPN protocol can be configured to run on any port, which has many advantages against firewalls. For instance, if OpenVPN uses TCP with port 443 (the same protocol and port used by SSL websites), then your connection becomes much more difficult to block by remote servers, since it will be seen as a typical HTTPS connection. There are several authentication options available: username and password, pre-shared secret keys (not public), and certificates. The username and password combination can be used together with certificates to boost security.
Speaking of security, OpenVPN supports AES encryption up to 256-bit, thanks to the fact that it heavily relies on OpenSSL and TLS for data security and control. It can also use 2048-bit RSA authentication and 160-bit SHA1 hashing. If you still have concerns over security, you can top it off with another layer using HMAC packets.
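To make the points above concrete, here is a small checker (added example, not code from the article or from the OpenVPN project) that reads an OpenVPN client config and reports which of the discussed hardening choices are missing: TCP on port 443, 256-bit AES, an HMAC layer on the control channel (`tls-auth`/`tls-crypt`), and certificates combined with a username and password. The directive names are real OpenVPN directives; the two configs and the host `vpn.example.test` are constructed samples.

```python
"""Lint an OpenVPN client config against the hardening points discussed."""

# Constructed sample: a weak client config (UDP on the default port,
# Blowfish cipher, no HMAC layer, certificate only).
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.test 1194
cipher BF-CBC
auth SHA1
ca ca.crt
cert client.crt
key client.key
"""

# Constructed sample: the corrected form of the same config.
HARDENED_CONFIG = """\
client
dev tun
proto tcp
remote vpn.example.test 443
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
tls-crypt ta.key
ca ca.crt
cert client.crt
key client.key
auth-user-pass
"""


def parse_config(text):
    """Return {directive: [args]} keeping the last occurrence of each directive."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives


def check_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings = []
    # 'remote host port [proto]' overrides the standalone port/proto lines.
    proto = cfg.get("proto", ["udp"])[0]
    port = cfg.get("port", ["1194"])[0]  # 1194 is OpenVPN's default port
    remote = cfg.get("remote", [])
    if len(remote) >= 2:
        port = remote[1]
    if len(remote) >= 3:
        proto = remote[2]
    if not (proto.startswith("tcp") and port == "443"):
        findings.append("not using TCP/443, so easier to block than HTTPS-like traffic")
    cipher = (cfg.get("cipher") or cfg.get("data-ciphers") or [""])[0].upper()
    if not cipher.startswith("AES-256"):
        findings.append(f"cipher {cipher or '(not set)'} is not 256-bit AES")
    if "tls-auth" not in cfg and "tls-crypt" not in cfg:
        findings.append("no HMAC layer on the control channel (tls-auth/tls-crypt)")
    if "cert" in cfg and "auth-user-pass" not in cfg:
        findings.append("certificate only; add auth-user-pass as a second factor")
    if "remote-cert-tls" not in cfg:
        findings.append("missing 'remote-cert-tls server' (client would accept a non-server certificate)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_config(cfg) or "OK")
```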
Security leaks, speed, setup
What’s more, if you want to set up a VPN server to be used by multiple clients, then OpenVPN can issue distinct authentication certificates for each client. There are no known security flaws, not even involving the NSA. This is mostly thanks to the open-source architecture, which permits any developer to chip in and patch leaks as soon as they are spotted. The protocol used to be slow, but the community worked hard on enhancing speed in newer implementations, all without losing sight of strong security.
On the downside, OpenVPN cannot be used as a standalone product, and it is not built into systems like PPTP or L2TP are. Instead, it depends on third-party applications (like SoftEther VPN), which may have their own particularities besides providing a simple GUI. In fact, it is not easy to configure OpenVPN, so extensive investigation is necessary if you want to set up a virtual private connection correctly, without security leaks, connection drops or speed issues.
OS compatibility and customization features
On the bright side, you can install OpenVPN on routers to create a virtual private network for all devices connecting to those routers, without having to install an OpenVPN client separately. Supported router firmware packages include Tomato, OpenWrt, DD-WRT, OPNsense, PfSense, Gargoyle, D-Link and MikroTik. It is also compatible with many OSes and platforms: Windows XP and newer, macOS, Linux, NetBSD, Solaris, OpenBSD, QNX and mobile OSes like Android (even those with Cyanogenmod), jailbroken iOS, BlackBerry, Maemo or Windows Mobile. Palm OS isn’t supported.
OpenVPN is fully customizable due to plugins. There is an extensive range of plugins that can be downloaded and installed to optimize the VPN tool, whether you are interested in dynamic firewall updates, enhanced authentication and data logging, or something else. Plus, if you are not pleased with any VPN client, then you can become adventurous, learn how to build a VPN client with OpenVPN, and make it your own. OpenVPN is not based on any standards (RFC).
Pros:
- Great security and encryption (up to 256-bit AES)
- Excellent against firewalls: use any port on TCP or UDP (easy to “blend” with the public internet)
- Great speed
- Steady connections, even over wireless, mobile and other unreliable networks
- No issues when used by multiple devices to connect to the same VPN network from the same location (thanks to separate certificates)
- Can be installed on routers to eliminate the need to install VPN clients
- Extendable functionality, thanks to plugins
- Great compatibility with operating systems and platforms
- No reported security leaks or NSA surveillance
- Recommended for corporations or commercial use
Cons:
- No native support in operating systems
- Depends on third-party software
- Can be difficult to configure
Once you are skilled in OpenVPN configuration, it becomes easy to see why it is not worth switching to other VPN protocols.
SSTP (Secure Socket Tunneling Protocol) is designed to transport PPP-based traffic with the help of an SSL protocol. SSL/TLS handles the security aspects when it comes to negotiating keys with the remote server, encrypting data, and verifying the integrity of the network traffic. It is widely regarded as one of the most secure VPN protocols that comes bundled with Windows.
Authentication, encryption, firewall
A server using SSTP has to pass authentication while the SSL/TLS channel is busy with its assignments. This is optional for SSTP clients, however, as long as they are authenticated before data reaches its destination. Thanks to PPP, SSTP supports common authentication methods like EAP-TLS and MS-CHAP.
When it comes to security, SSTP uses 2048-bit SSL certificates (military grade) for authentication as well as 256-bit SSL keys for data encryption. Suffice it to say, SSTP surpasses most other VPN protocols when it comes to security (comparable to OpenVPN). It uses TCP port 443, which we mentioned earlier when talking about OpenVPN: connections are more difficult to block since they are disguised as typical HTTPS connections (unlike L2TP/IPSec or IKEv2/IPSec).
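The ports and IP protocols listed for PPTP (TCP 1723 plus GRE, IP protocol 47), L2TP/IPsec and IKEv2/IPsec (UDP 500, UDP 4500, ESP, UDP 1701) and the TCP 443 used by OpenVPN and SSTP are exactly what a network defender sees in flow logs. The following added example (not code from the article) correlates constructed flow records per client/server pair to name the VPN protocol in use, flag legacy PPTP clients, and show why TCP/443 alone cannot separate OpenVPN, SSTP or an SSL VPN from ordinary HTTPS. The flow lines and all addresses are constructed samples.

```python
"""Identify VPN protocols from flow records using the ports discussed."""
from collections import defaultdict

# Constructed sample flow log: "<src> <dst> <ipproto> <dport>".
# GRE and ESP carry no port, so that column holds "-".
FLOWS = """\
10.0.0.5 203.0.113.10 tcp 1723
10.0.0.5 203.0.113.10 gre -
10.0.0.7 203.0.113.20 udp 500
10.0.0.7 203.0.113.20 udp 4500
10.0.0.8 203.0.113.25 udp 500
10.0.0.8 203.0.113.25 udp 1701
10.0.0.9 203.0.113.30 tcp 443
10.0.0.11 203.0.113.40 tcp 1723
10.0.0.12 203.0.113.50 tcp 80
"""


def parse_flows(text):
    """Group the (protocol, port) pairs seen for each client/server pair."""
    pairs = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            src, dst, proto, port = line.split()
            pairs[(src, dst)].add((proto.lower(), port))
    return pairs


def classify(seen):
    """Name the VPN protocol suggested by one client/server pair's flows."""
    if ("tcp", "1723") in seen:
        if ("gre", "-") in seen:
            return "PPTP"  # control channel plus GRE data channel
        return "PPTP control channel without GRE (data channel likely blocked by NAT/firewall)"
    if ("udp", "500") in seen:  # IKE key exchange
        if ("udp", "1701") in seen:
            return "L2TP/IPsec"
        if ("udp", "4500") in seen or ("esp", "-") in seen:
            # L2TP's port 1701 is hidden inside ESP, so both are possible here.
            return "IPsec data channel (IKEv2/IPsec or L2TP/IPsec)"
        return "IKE key exchange only (no data channel seen)"
    if ("tcp", "443") in seen:
        return "HTTPS-like (OpenVPN on TCP/443, SSTP or SSL VPN; port alone cannot tell)"
    return "no VPN protocol signature"


def classify_flows(text):
    """Map every (src, dst) pair in the log to its protocol label."""
    return {pair: classify(seen) for pair, seen in parse_flows(text).items()}


def legacy_pptp_clients(text):
    """Clients still using PPTP, the weakest protocol on the list."""
    return sorted(src for (src, _), label in classify_flows(text).items()
                  if label.startswith("PPTP"))


if __name__ == "__main__":
    for (src, dst), label in classify_flows(FLOWS).items():
        print(f"{src} -> {dst}: {label}")
    print("legacy PPTP clients:", legacy_pptp_clients(FLOWS))
```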
OS compatibility and speed
Because it is proprietary to Microsoft, SSTP was originally available only for Windows-based operating systems, such as Windows Vista SP1 and newer, as well as Linux, BSD and RouterOS (which runs on MikroTik routers). However, it now has variations for other operating systems like Android and iOS. It’s also supported by SoftEtherVPN Server. Nevertheless, compatibility is limited.
Made for remote-client access, the protocol has limited support for site-to-site VPN. But it tries to overcome this issue by adopting SSL instead of IPSec since, besides site-to-site VPN, SSL adds support for roaming. On top of that, it shares the speed performance issues of IP/TCP tunnels: if there isn’t enough extra bandwidth on the normal network (without tunnels), then the tunneled TCP timers will expire.
Pros:
- Excellent, military-grade security, best on this list
- Native support for Windows-based operating systems
- Connections are difficult to block by firewalls
- Stable internet connections
- No reported security flaws or NSA hacks
- Recommended for corporations or commercial use
Cons:
- Medium-to-low speed, may vary depending on the VPN configuration
- Limited compatibility with operating systems and platforms
- Limited support for site-to-site VPN
- Performance problems due to insufficient extra bandwidth on untunneled networks
SSTP is excellent if you are looking for the top of the line in VPN protocols when it comes to security, as long as you do not mind reduced speed.
Back in the 1990s, SSL (Secure Sockets Layer) used to be the protocol that permitted Netscape-based clients to use HTTP when establishing a secure connection with Netscape web servers. However, it eventually developed security flaws and was put out of commission, being superseded by TLS (Transport Layer Security) in 1999. They are virtually one and the same, since TLS is an updated version of SSL that took over its role.
The architecture of TLS is pretty easy to digest. It provides bi-directional security that consists of two layers: one for making sure the connection is private and stable (TLS Record Protocol) and another for encrypting data before transporting it (TLS Handshake Protocol). On the other hand, it is important to understand that security is ensured only while data is being transported from one machine to another (no privacy is offered before or after that time).
OS and platform compatibility
VPNs with SSL provide remote-access connections using a web browser only, without any other programs. The best example for this are VPN browser extensions available for Mozilla Firefox, Google Chrome, Opera, Safari, Microsoft Edge and others. Plus, it is already built into some web browsers, like Opera.
Another conclusion we can draw from this is that SSL-based VPN add-ons work on any operating system that supports the web browser in question. Since it is a VPN protocol used at a global level, it ensures compatibility between operating systems and platforms.
Encryption, authentication, speed, firewall
As far as encryption is concerned, TLS uses E2EE (End-to-End-Encryption), which facilitates a high level of security thanks to the fact that data is protected from other parties, including ISPs and hackers. Meanwhile, authentication can be done using pre-shared keys or digital certificates for symmetric encryption. On the downside, SSL demands a lot of CPU processing power, leading to reduced speed and performance, in general. There are workarounds for this, though, like using SSL accelerators or setting traffic priorities.
Since SSL uses the standard HTTPS port 443, it makes VPN connections look like they are routed through the public internet, so they are difficult to block by firewalls (unlike L2TP/IPSec or IKEv2/IPSec). Unfortunately, recent reports indicate TLS security leaks when certain (unlikely) conditions are met.
Pros:
- Great security, better than PPTP and L2TP/IPsec
- Strong against firewalls: difficult to block connections
- Excellent compatibility with operating systems and platforms via web browsers
- Easy to configure
Cons:
- Reduced speed
- Reported security leaks
SSL/TLS is a secure protocol for using VPNs with web browsers. As it turns out, more and more web browsers have pushed for strong TLS implementation in newer releases. It is a pretty good VPN protocol when using VPN browser extensions.
TCP and UDP
Along with IP (Internet Protocol), TCP (Transmission Control Protocol) is part of the Internet protocol suite, also known as TCP/IP. The role of TCP is to transport data from one host to another over IP, making sure it reaches its destination undamaged. It is used by the World Wide Web (www) and other major web-based platforms.
TCP focuses on reliability, and it is best to use it when the main goal is to deliver the data in whole, without losing any packets along the way. It relies on handshaking to exchange data, and it keeps track of all sent data. When sending a packet, it waits for confirmation from the other side before sending the next one. This is also known as acknowledgment. On the downside, this takes a toll on internet speed. Therefore, when attention is shifted from reliability to speed, users can switch to UDP instead.
UDP (User Datagram Protocol) is also a core member of the Internet protocol suite, next to TCP/IP. It became a standard in 1980, published in RFC 768. The main difference between UDP and TCP is that UDP takes advantage of connectionless datagrams when transferring information over the internet. This means that it’s not necessary to recall previous communications when creating the data paths. Because it doesn’t depend on handshaking, acknowledgment and error checking like TCP, UDP cannot guarantee that the data will be delivered to its destination. On the bright side, it ensures very fast network connections. This protocol is frequently used by service advertisements and streaming apps, for example.
Pros and cons:
- TCP is more reliable but slower than UDP.
- UDP is faster but not as reliable as TCP.
Many VPN applications let you pick between TCP and UDP mode when it comes to establishing the type of internet connection. Go with TCP if you want guarantees that your data is transferred, or choose UDP if you are in a hurry and not interested in data integrity.
So, which VPN protocol should you use?
Under normal circumstances, it would be difficult to pinpoint the ideal VPN protocol, considering how many options there are. Surprisingly enough, the choice is not difficult for us. Taking into account all the VPN protocols that we have investigated, we think that OpenVPN is a Jack-of-all-trades-master-of-some type of deal that deserves all the attention. We fail to see actual scenarios where internet speed becomes so important that it’s okay to lose sight of security. Besides, OpenVPN is already integrated into major VPN applications like ExpressVPN, Cyberghost, NordVPN, Private Internet Access, and SaferVPN, among others.