Best VPN Protocols: OpenVPN vs PPTP vs L2TP vs Others

Brad Smith

Brad Smith

I wrote this article to help you understand the difference between VPN tunneling protocols, such as OpenVPN, IKEv2, PPTP, and others.

Best VPN ProtocolsA VPN will help to protect your privacy and secure your data whenever you’re using the internet. But, beyond choosing the best VPN, you’ll also need to choose the best VPN protocol for your needs.

The VPN protocol is how your VPN will secure the transferring of data. There’s a multitude of different protocols that are based on the operating system, platform, performance, and lot more.

Below we explore the most popular VPN protocols, so you can decide which one is best for you.

Here’s a quick breakdown of the seven biggest VPN protocols today:

OpenVPNPPTPL2TP/IPsecSoftEtherWireGuardSSTPIKEv2/IPSec
Encryption160-bit, 256-bit128-bit256-bit256-bitChaCha20256-bit256-bit
SecurityVery highWeakHigh security (might be weakened by NSA)HighHighHighHigh
SpeedFastSpeedy, due to low encryptionMedium, due to double encapsulationVery fastFastFastVery fast
StabilityVery stableVery stableStableVery stableNot yet stableVery stableVery stable
CompatibilityStrong desktop support, but mobile could be improved. Requires third-party software.Strong Windows desktop support.Multiple device and platform support.Multiple desktop and mobile OS support. No native operating system support.Linux, being built for other platforms and operating systems.Windows-platform, but works on other Linux distributions.Limited platform support beyond Windows and Blackberry
Final WordMost recommended choice. Fast and secure.Native on Windows. Weak security. Useful for geo-restricted content.Versatile and secure. A decent alternative to OpenVPN.Up and coming. Flexible, fast, and secure. A great alternative to OpenVPN.Has promise to be fast and efficient. Still in development.Faster and more secure alternative to PPTP and L2TP.Secure, stable, and mobile-oriented.

1. OpenVPN – Recommended, Most Popular

OpenVPN is the VPN protocol you’ll want to be using. It’s the most recommended choice by leading VPN providers today. Kind of a no-brainer. It’s one of the newer VPN protocols, but it’s flexibility and security have made it one of the most commonly used.

It relies upon open source technologies like the OpenSSL encryption library and SSL V3/TLS V1 protocols. The open source nature of OpenVPN means the technology is maintained, updated, and inspected by a community of supporters.

When traffic passes through an OpenVPN connection it’s hard to differentiate between an HTTPS over SSL connection. The ability to hide in plain sight makes it less vulnerable to hacking, and more difficult to block.

Plus, it can run on any port, using both UDP and TCP protocols, so getting around firewalls won’t be a problem. However, if you’re looking for speed, then using the UDP port will be the most efficient.

In terms of security, it has a variety of methods and protocols like OpenSLL and HMAC authentication and shared keys. To take the security standards even further it’s commonly coupled with AES encryption. Other VPN protocols have been subject to NSA and other hacking, but so far, OpenVPN has managed to stay in the clear.

The additional cryptic algorithms it supports are:

  • 3DES
  • AES
  • Camellia
  • Blowfish
  • CAST-128

It’s recommended to use AES encryption if security is your main concern. This is essentially the “gold standard”, and currently has no known weaknesses. It’s 128-bit block size also gives it solid capabilities to handle larger files, without a reduction in performance.

Still, OpenVPN isn’t perfect:

You’ll still need to install a third-party application to use this type of connection. It still isn’t supported by any platforms, but most third party software providers, like Android and iOS, are supported.

Setting up OpenVPN on your own can be a bit tricky. Especially, when compared to PPTP or L2TP. However, most VPN clients are able to offer a customized setup, which gets you around any configuration difficulties.

If you do want to set up OpenVPN yourself, the high level of configuration can be disadvantageous as you’ll be less secure if it’s set up the wrong way.

Plus, you can even use OpenVPN to connect over the mobile Apple iOS. Say hello to an encrypted and private mobile connection.

The Pros of OpenVPN:

  • The protocol can bypass most firewalls
  • It’s open source and vetted by third-parties
  • It has a very high level of security
  • It works with multiple methods of encryption
  • It can be configured and customized to your liking
  • It can bypass firewalls
  • It supports a variety of cryptic algorithms

The Cons of OpenVPN:

  • The setup process can be technical
  • It relies upon third-party software to operate
  • Desktop support and functionality are strong, but mobile is lacking

2. PPTP

Think about the security standards of the web back in 1995. Did those even exist? Well, that’s when PPTP became a VPN protocol. It was developed by a consortium founded by Microsoft and was the standard for VPN connections back in the dial-up days.

PPTP, also known as point-to-point tunneling protocol, is over 20 years old by now. Even being that old, it’s still the standard for internal business VPNs. It’s a popular choice since it’s already installed on most devices and platforms, is easy to setup, it’s efficient, and no additional software is needed. To establish a secure connection all you need is a username, password, and server address.

For example, office buildings with older infrastructure, who need to internally secure data could use this connection. Or users who are running an older Windows operating system. If it’s all you have, it’s better than nothing.

When it was first released with Windows 95 there were a number of security weaknesses that were exploited. Today it’s upgraded it’s encryption protocols to 128-bit key encryption, which isn’t awful, but if security is a concern you could do better. Even Microsoft recommends that users looking for higher security standards should use SSTP or L2TP.

Still, this low level of encryption does help to make it one of the fastest VPN protocols.

It’s also been known to be easily decrypted and hacked by the NSA and other intelligence agencies. This decryption also took place at the time when security experts considered PPTP secure.

PPTP is usually only used today due to its high performance and stability. Think accessing geo-restricted content, or getting access to Netflix. Overall, it’s an old and outdated VPN protocol, but still serves a small purpose for users who aren’t concerned with security.

The Pros of PPTP:

  • It’s very fast
  • It’s already built into most platforms
  • It’s easy to configure and setup

The Cons of PPTP:

  • It has security holes (one of the least secure VPN protocols)
  • It’s been compromised by the NSA
  • It can be blocked by firewalls

3. L2TP/IPsec

L2TP is a VPN protocol that doesn’t offer any encryption or protection from the traffic that passes through the connection. For this reason, it’s usually paired with IPSec, which is an encryption protocol.

It’s an extension of the PPTP protocol and utilizes a process called double encapsulation (which led to its initial rise in popularity). The first encapsulation establishes a PPP connection, while the second contains IPSec encryption.

It does have support for AES-256 encryption algorithms, which are some of the most secure. But, the stronger encryption protocols you use the slower your performance will be.

This protocol is built into most desktop and mobile operating systems, which makes it easier to implement. But, it can only use UDP port 500 for a connection, which makes it pretty easy to block by NAT firewalls. So, additional configuration is needed if this is going to be used behind a firewall.

It does have an advantage in that this style of connection prevents the data from being accessed between the sender and receiver. So, this can help to prevent any middle-man hacking attempts.

IPSec encryption is secure. Yet, both Edward Snowden and John Gilmore, a founding member of the EFF, suggest that the protocol has been deliberately weakened by the NSA.

It’s a slower connection because traffic must first be converted into the L2TP form, and you have an additional layer of encryption on top of that. It’s not as an efficient solution as OpenVPN, but it is easy to set up.

The Pros of L2TP/IPsec:

  • It’s available on nearly all devices and operating systems
  • The setup process is easy
  • It has high (yet weakened) levels of security
  • It does support multithreading for improved performance

The Cons of L2TP/IPsec:

  • It can be blocked by firewalls
  • The NSA might have weakened the protocol, making it less secure
  • It doesn’t have the fastest speeds, due to double encapsulation

4. SoftEther

SoftEther is an open-source multi-protocol VPN software. What began as an academic project at the University of Tsukuba has grown into a VPN technology that’s used by millions of people worldwide.

The biggest reason for its widespread growth is that it’s free, and it works across the Windows, Mac, Linux, Android, FreeBSD, and Solaris operating systems. Not only that it supports multiple different protocols, like OpenVPN, EtherIP, SSTP, L2TP/IPSec, and a lot more.

Basically, you can set it up to run on your operating system of choice and use whichever VPN protocol you desire. This unparalleled flexibility and support across multiple platforms have led to its insane growth.

It utilizes 256-bit AES encryption, which is one of the most secure forms of encryption available.

With SoftEther you get a flexible and fast VPN, that utilizes the latest encryption protocols. It’s newer, so it doesn’t have the same legacy as OpenVPN, but it’s an up and coming alternative. It offers you a nice blend of performance and security.

The Pros of SoftEther:

  • It supports a multitude of desktop and mobile operating systems
  • It’s entirely open source
  • It can bypass most firewalls
  • It’s fast but doesn’t compromise on security

The Cons of SoftEther:

  • It’s relatively new
  • It doesn’t have native operating system support
  • A lot of existing VPNs don’t offer it, yet

5. WireGuard

WireGuard is an innovative and cutting-edge VPN protocol that’s been developed to optimize performance. The implementation is small, making it a much more lightweight project in terms of the code base. By having a simpler codebase it’s easier for developers to integrate.

The goal of the project is to create an alternative to IPSec, that’s lighter, faster, and leaner. It was originally released on the Linux platform, but it’s on its way towards cross-platform compatibility and can be deployed across a variety of different distributions.

WireGuard shines in its simplicity.

It only supports a single cryptographic suite, which keeps the design simple and leads to fewer security holes. The algorithm choice is also incredibly simple, which helps to reduce any security bugs, now and in the future.

However, keep in mind that WireGuard is not yet complete. It’s still a work in progress and the team is working towards a stable release.

Early signs point towards it being a widely used, fast and efficient VPN protocol in the future. If you want to deploy it keep in mind there may be some security vulnerabilities, and it won’t be as secure as other stable VPN protocols highlighted in this list.

The Pros of WireGuard:

  • It’s simple and lightweight
  • It’s fast and secure
  • It takes a minimalist approach to a VPN protocol
  • It has potential to become the VPN of the future

The Cons of WireGuard:

  • It doesn’t have a stable release
  • Only technical Linux users can effectively implement
  • It’s not as flexible as other VPN protocols

6. SSTP

SSTP was developed by Microsoft and introduced with the Windows Vista release. It is still considered Windows-only even though there is support for other operating systems. Since it’s integrated into Windows it is a very stable VPN protocol.

There is support for other systems, like Linux, SEIL, and RouterOS, but the adoption isn’t as widespread.

It’s typically configured with AES encryption, so it’s incredibly secure and a much better option than the PPTP protocol. It also uses the SSL v3 connection (similar to OpenVPN), which will help to prevent any NAT firewall issues and blocking.

The SSTP protocol uses a similar authentication method to an SSL/TLS connection. In order for any data or traffic to be transmitted both ends of the connection must be authenticated with a secret key. This helps to create an incredibly secure connection.

However, SSTP is still owned and maintained entirely by Microsoft. Although no security holes have been reported, they do have a history of cooperating with the NSA. So, it hasn’t been proven, but there is speculation that there may be backdoors built in.

Overall, it offers a similar connection as OpenVPN but is more oriented towards Windows. It has better security than the L2TP connection and is all around better than PPTP.

The Pros of SSTP:

  • It can bypass most firewalls
  • It has a high level of security
  • Integrated into the Windows platform with Microsoft support
  • It supports a wide range of cryptic algorithms
  • It’s easy to use

The Cons of SSTP:

  • It’s entirely owned and maintained by the Microsoft Corporation
  • It only works well on Windows platforms
  • It hasn’t been audited by an independent third-party

7. IKEv2/IPSec

IKEv2 is based upon IPSec and was created as a joint project between Microsoft and Cisco. Although it’s not technically a VPN protocol, it behaves like one and helps to control IPSec key exchange.

It currently comes installed on any generation of Windows, starting with Windows 7. Plus, there is an existing implementation for Linux, Blackberry devices, and other platforms. If you’re a Blackberry user, it’s one of the few supported VPNs.

If you want a consistent VPN connection, even while switching networks, then this protocol can be very useful.

It’ll make sure you keep a VPN connection, even if your internet or connection drops. Plus, it’s stable, secure, and has high performance.

The core focus is for mobile users who demand a secure and private connection. Since it offers support for MOBIKE, it’s very resistant to any network changes. So, as you switch from a wifi connection to a data connection the VPN connection will remain throughout.

It’s not widely supported but does offer better security levels than L2TP, as well as improved speeds and stability.

The Pros of IKEv2/IPSec:

  • It’s very secure and supports a wide range of encryption protocols
  • It’s very stable, even when the network connection is lost
  • It’s easy to setup
  • One of the fastest VPN protocols

The Cons of IKEv2/IPSec:

  • Its support for platforms is limited
  • It has the same drawbacks as IPSec
  • It can be blocked by firewalls

How Do The Different VPN Protocols Stack Up?

how do different vpon protocols stack up

All the VPN protocols above have various strengths and weaknesses. Some are more widely used, while others serve more specific niches and problems.

Here’s a quick breakdown of how each VPN protocol stands out:

OpenVPN is the most often recommended, and widely used VPN protocol. It’s fast, secure, and open source, so it can be vetted and improved by third-parties. The only real downside is the difficulty in setup and configuration. Failing to set it up the right way could lead to security holes and lackluster performance.

PPTP is already installed on most older Windows operating systems, making it an attractive option. But, it’s generally very insecure and should be avoided, if privacy is a concern. It stands out with its compatibility, ease of setup, and speed. It can work for accessing geo-restricted content, but if you’re doing anything else, you should at the very least opt for L2TP/IPSec.

L2TP/IPSec is a solid VPN choice if you’re not exchanging sensitive data. It’s basically an improved version of PPTP. Some older devices and platforms won’t support OpenVPN, so this could be an attractive option. The only real downside is it’s security standards, which have been weakened and compromised by the NSA.

SoftEther is a newer VPN protocol, but don’t let its youth fool you. It offers similar features to OpenVPN but offers even greater levels of flexibility. With the ability to integrate across multiple different platforms and operating systems it’ll be hard to find a setup where this protocol can’t be used. Plus, it’s fast and secure. It doesn’t have the legacy and stability of OpenVPN but is a contender in its own right.

WireGuard is an up and coming VPN protocol. The current release is best suited for technical Linux users, but support for other platforms and operating systems is in the works. It shines in its lean nature, speed, and security. By having less moving parts and selection it’s easier to maintain and catch any security issues. It’s currently working towards a stable release, so it’s not recommended for non-technical users, but the future of this VPN protocol is bright.

SSTP is a solid choice for Windows users. It offers you similar security and speed as OpenVPN, but there is one big downside. Since it’s created by Microsoft there is no vetting by any outside third-parties. This means there could be backdoors built into the code, which compromises the overall security. Other platforms and operating systems can implement SSTP, but it’s poorly supported.

IKEv2/IPSec is a solid fast and secure VPN protocol. It stands out in its ability to maintain a secure VPN connection, even while the connection is lost, or you’re switching networks. Its primary use is for mobile networks. Also, if you’re a Blackberry user then this VPN protocol will be your protocol of choice.

Which VPN Protocol to Use?

which vpn protocol to use

By now your head is probably spinning trying to decide which VPN protocol to use.

Overall, it depends on your needs, and why you’re using a VPN. But, to keep things simple—you can’t go wrong when using OpenVPN.

Still not sure?

Here’s a breakdown that’ll help you choose the best VPN protocol:

  • OpenVPN is fast, flexible, and secure. No matter your operating system or platform, you’re covered.
  • PPTP should almost never be used. It’s easy to setup and fast, but it’s incredibly insecure.
  • L2TP/IPSec is a step up from PPTP, but it’s also one of the slowest connections, and its security is questionable.
  • SSTP is pretty good for Windows users. It’s fast and easy to setup, but once again you don’t know how secure and private your connection is.
  • IKEv2/IPSec is a pretty good choice for mobile users and a must-have for Blackberry users. But, beyond that go with OpenVPN.
  • SoftEther is good OpenVPN contender. If you’re willing to use a newer VPN protocol, instead of the legacy of OpenVPN, then this a great second choice.
  • WireGuard should really only be used by technical Linux users. Once the release is stable it may gain more traction, but general VPN users should wait it out.

Hopefully, you have more clarity on choosing the right VPN protocol for your needs. Currently, OpenVPN still reigns supreme as the best VPN protocol. But, with up and coming protocols like SoftEther, it’s hard to say how long it’ll be number one.

Still, have questions about which VPN protocol is right for you? Please share your comments, concerns, and questions in the comments below.

12 thoughts on “Best VPN Protocols: OpenVPN vs PPTP vs L2TP vs Others

  1. Great article. I notice your last update is Feb 15, 2017; even then, IKEv2 had been added to macOS as an option in Sierra, and is there in today’s High Sierra as well.. And while I don’t have an older iOS device to check on, IKEv2 is definitely available and the default VPN connection type on iOS 11 as well. FYI.

    Otherwise fantastic article – thanks!

    1. Hey Steve,

      Thanks for pointing this out. I’ve edited the article. P.S. If you’re interested in contributing, send me an email – john(at)thebestvpn(dot)org

  2. That should be “…refers to 2^256…” and not “…refers to 2256…”. If that’s indeed what you wrote, it’s not showing up properly in the latest Safari, Chrome or Firefox browsers. FYI.

  3. Is there a way that iPhones can connect to SSTP ? As we have a number of people with iPhones who want to connect to our VPN. I was wondering if it is supported or not

  4. How does the SoftEther VPN (SSL-VPN) compare to OpenVPN and the others? Where would that come in the list?

    Also, in your list, are you basically saying OpenVPN is the top? It wasn’t clear in the summary.

  5. No mention of the disadvantages of tunneling TCP through TCP as you are forced to do with PPTP.
    In my experience this means PPTP is only fast on connections with very low packet loss. As soon as a few packets get lost somewhere it tends to get bogged down with multiple re-transmissions occurring in both levels of TCP which can make it unusable until you disconnect and reconnect.

Leave a Reply

Your email address will not be published. Required fields are marked *