VPN Protocols

A VPN creates a secure ‘tunnel’ around your internet sessions.

It’s also private so that your browsing activities are kept away from prying eyes like said lurkers, your internet service provider, or even government agencies (for the most part).

A protocol simply describes how each ‘tunnel’ works.

On the one hand, they ‘encapsulate’ the session, wrapping and encrypting it so it’s kept safe. And on the other, they hide or mask the original source of who’s sending and receiving the little bits of data.

PPTP, L2TP, SSTP, IKEv2, and OpenVPN are different protocol options for a VPN connection. You can, theoretically, choose whichever one you want. But each has its own pros and cons. And some you want to avoid at all costs.

Here’s a complete breakdown of PPTP vs. L2TP vs. SSTP vs. IKEv2 vs. OpenVPN:

  1. PPTP
  2. L2TP/IPsec
  3. SSTP
  4. IKEv2
  5. OpenVPN

1. PPTP (Point-To-Point Tunneling Protocol)

The Point-to-Point Tunneling Protocol (PPTP) was originally developed by Microsoft in the ’90s.

(Alarm bells should be ringing in your head right now.)

First, the good.

It’s still commonly used today to ‘secure’ many business networks. That’s because it’s relatively easy to set up and doesn’t require much extra software or maintenance (it shipped standard with most Windows machines of old), while also offering decent connection speeds.

For example, if you’re in a large office building with tons of other people and you want to keep your financial or client-sensitive information under wraps. Or if you have employees out of the office in different locations around the world, they can securely log in to your network to access documents and communicate with everyone else.

Many times, consumers might also be forced to rely on PPTP because of old technology at their disposal or poor internet connectivity. Not much you can do otherwise in those cases.

Ok. Fine. Here’s the bad part.

Wikipedia refers to PPTP as “an obsolete method”. Ouch. Let’s not blame them though. It was intended for use on dial-up modems. You know, that unforgettable sound like the bastard child of a rotary telephone and fax machine. The biggest problem with PPTP? It’s barely secure. Just barely. Someone who knows what they’re doing can break PPTP’s “encryption” in less than a single day.

Resilient Chief Technology Officer and Harvard Berkman Center fellow, Bruce Schneier, cracked PPTP with a group of researchers. Over fifteen years ago…

These problems have existed forever. People knew about them. And yet many of them haven’t been addressed. (Wait… are we talking about Internet Explorer?) Here’s how to break it.

1. Use an MS-CHAPv2 network handshake in order to lower the security standard used.

This is kinda like greasing the bouncer at the front of a club to let you and ten of your best guy friends in (better be a C-note with that many bros).

It says, “Hey. You know me. We’re good people. Gimme a shot here.”

That effectively lowers security down to a single Data Encryption Standard (DES) 56-bit key, which Wikipedia calls a “relatively low level of security”.

2. Run a simple brute-force attack.

These cycle through letters and numbers – often a single character at a time before progressing to two-character combinations – until they eventually find the ‘key’ to unlock the proverbial doors.

Back in the day, when this protocol was first created, it would take a few months to crack. Then a few days. And today, only a few hours.

Most entry-level hackers can do it with one of the widely available, free tools out there. Online Hash Crack for starters.

And that’s it! Literally only two steps.

PPTP is OK in some cases. Where security or safety might not be an issue.

Wanna catch the latest shows on US Netflix that aren’t available in your area yet? Go for it. You’ll get some of the other basic VPN benefits.

Trying to protect your bank account? Move to another option below.

2. L2TP/IPsec (Layer 2 Tunneling Protocol)

The Layer 2 Tunneling Protocol is a mashup of the aforementioned PPTP and Cisco’s equally dated Layer 2 Forwarding Protocol (L2F).

VPN ‘tunnels’ have two endpoints. These connections link your device (no matter if it’s a desktop, laptop, tablet, or browser) with a remote server.

L2TP can “isolate” traffic sessions with a funnel so that you can even have “multiple virtual networks across a single tunnel”, according to Wikipedia.

Authentication and ‘keys’ are used to create secure connections on each end of the tunnel. That way, nobody (except those who should) can gain access to the tunneled data.

At least, that’s how it should work in theory.

Let’s just get it out of the way at the beginning: L2TP, by itself, isn’t secure. At all.

Which is why it’s often paired with Internet Protocol Security (IPsec) to provide at least some measure of encryption. IPsec is mostly secure. There are no major workarounds or hacks known. Except one reported. In the treasure trove of documents Edward Snowden leaked to the world (before his Russian summer vacation), was a little detail about how the NSA was aggressively going after both SSL and IPsec data.

So while IPsec is mostly safe, there’s a slight chance that some security agencies (like the NSA) can access it. Which may be good or bad, because L2TP/IPsec is the default VPN protocol for that iPhone you’re holding and the iPad at home on the couch.

Apple (in their infinite wisdom and dictatorial approach) has set up iOS to only allow a few VPN options. Which by default, makes the L2TP/IPsec combo the strongest currently available for their suite of mobile devices.

Bottom line: L2TP + IPsec is secure. Especially when you’re primarily concerned with ‘eavesdropping’ on public WiFi networks in coffee shops, airports, or hotels.

It also, like PPTP, is relatively easy to set up and ships on many different devices and platforms. The bad news is that some of this additional security comes at a cost. Namely, speed.

3. SSTP (Secure Socket Tunneling Protocol)

The Secure Socket Tunneling Protocol (SSTP) is another Microsoft product originally created for Windows.

This time though, they use the same SSL/TLS encryption that we now know and love from all of our favorite websites on the internet.

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are one and the same (TLS is basically the new and improved SSL): a “cryptographic protocol that provides communications security over a computer network”.

That ‘cryptography’ part has been around for years. Like, centuries: it’s been used to encrypt secret messages since Ancient Greece and Sparta.

Today, SSL/TLS is the security layer added to HTTP to create secure connections between your device and popular websites when entering credit card information or trying to access sensitive data (like your email or even Facebook).

Its strength relies on “symmetric-key cryptography”, a secret key that only the two parties (your device and the website’s server) share. Before any data is transmitted either way, both parties are authenticated based on that secret key. That creates a secure, impenetrable connection.

So you’re sitting in a coffee shop. You connect to their network. Access a website using SSL/TLS on top of HTTP (or HTTPS), and their network can no longer see what happens on that site.

Most reputable, modern websites already use HTTPS. And Google is making sure of it by recently announcing that it would basically force all websites on their Chrome browser to start using HTTPS. Or else an ugly warning sign would pop up, surely scaring off most website visitors from ever entering the website.

This, in a nutshell, is the same approach used by SSTP (but applied to an entire internet connection and not just a single website). That means SSTP is SUPER SECURE. (Maybe that would be a catchier “SS” in the name?) Because it’s a Microsoft product, it also works seamlessly on Windows devices. Others? Less so. They have rolled out versions for other platforms like Linux. However, it’s best suited to default Windows devices.

And generally speaking, the more secure an option (which SSTP ranks near the top), the slower performance can be.

4. IKEv2 (Internet Key Exchange, Version 2)

The Internet Key Exchange, version 2 (IKEv2) is another IPsec-based protocol from Microsoft and Cisco.

It’s a new and improved option built on some of their earlier collaborations (fresh with that new protocol smell), created specifically for Windows 7+ devices. It’s also available to macOS “Sierra” (and above) users.

IKEv2 is a state-of-the-art protocol option that’s faster than most options listed so far, without sacrificing stability or security either.

A unique aspect of IKEv2 lies in its ability to hop between connections. For example, it can automatically jump from WiFi to your cell network without losing or dropping the secure VPN connection.

That (A) provides a better experience for you because it just ‘works’ in the background, while also (B) providing an additional layer of security so there’s not a way for someone to get in or eavesdrop while a connection temporarily goes down.

Why would this last point be important on mobile devices?

Because, believe it or not, mobile intrusion and malware are on the rise. Here’s why: last year, former US President Obama introduced an updated cybersecurity plan that urged citizens to start using ‘two-factor authentication’. When enabled, it adds an additional layer of security to make sure whoever’s trying to gain access to a sensitive website (like Gmail or your bank account) is the right person.

So you log in online like you would with any other website, first entering a username and then a (hopefully) random password. BUT, before gaining access, you see a new screen. It’s another required login, but this time an expiring code will be sent to your mobile device.

After a few seconds a brand new text message should pop up, containing a random code that needs to be entered within a short amount of time. Otherwise, it expires. That’s the “two-factor” part: you essentially need to log in twice and have access to at least two unique devices in order to gain access.
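To make the “expiring code” step concrete from the server’s side, here is an added Python example (not from the original article or any VPN vendor) of a minimal verifier for a single-use login code with a time limit. It assumes an in-memory store, a two-minute lifetime and a five-guess limit, all chosen for illustration; delivering the code by SMS is outside the snippet, and the clock is injectable so expiry can be exercised without waiting.

```python
"""Added example, not from the original article: server-side handling of an
expiring, single-use second-factor code. Storage is an in-memory dict and the
lifetime/attempt limits are assumed values for illustration only."""

import hmac
import secrets
import time

CODE_LENGTH = 6
CODE_LIFETIME_SECONDS = 120   # assumed: a code is valid for two minutes
MAX_ATTEMPTS = 5              # assumed: discard the code after repeated wrong guesses


class OneTimeCodeVerifier:
    def __init__(self, clock=time.time):
        # clock is injectable so tests can simulate the passage of time
        self._clock = clock
        self._pending = {}  # user -> [code, issued_at, wrong_attempts]

    def issue(self, user: str) -> str:
        """Generate a fresh random numeric code for user and remember it.
        The caller delivers it (e.g. by SMS); any earlier code is replaced."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[user] = [code, self._clock(), 0]
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """Accept the code at most once, only while it is unexpired, and only
        before the guess limit is hit. Every failure path returns False."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if self._clock() - issued_at > CODE_LIFETIME_SECONDS:
            del self._pending[user]  # expired: never accept, even if correct
            return False
        if attempts >= MAX_ATTEMPTS:
            del self._pending[user]  # too many guesses: force a new code
            return False
        entry[2] += 1
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[user]  # single use: a replayed code is rejected
            return True
        return False


if __name__ == "__main__":
    v = OneTimeCodeVerifier()
    code = v.issue("alice")      # in practice this is sent to the phone
    print("first use:", v.verify("alice", code))    # True
    print("replay:", v.verify("alice", code))       # False
```

The three checks (expiry, guess limit, single use) are what keep a code that was guessed, leaked or replayed from being useful for long; the constant-time comparison is a cheap habit that avoids leaking how many leading digits matched.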

But guess what? Hackers aren’t dumb (newsflash). So they’ve reacted accordingly.

One million Android devices were injected with malware by just a single strain! The catchy-sounding Gooligan infected devices when people tried to download apps from suspicious sources (outside the normal app store). Many times this malware will lay dormant. You won’t even know it exists.

But it’s there, watching and recording all data transmitted from that device. Including, SMS or text messages that contain special passcodes for your two-factor authentication.

IKEv2’s ability to maintain a secure VPN connection, even if your WiFi signal drops, significantly reduces that risk though. Which can make a BIG difference for Windows-based mobile devices.

5. OpenVPN (Most Recommended)

No need to bury the lede at this stage of the game.

OpenVPN is the default (and recommended) choice by top VPN providers. It’s your all-around option. The winner in aggregate.

Here’s why.

It’s based on the same underlying technology used in the aforementioned SSL/TLS security layer. This technology is open source, so it’s constantly being scrutinized, maintained, and updated by the security community (and not just a single company or two).

That means each side of the virtual tunnel (your device and a server) uses a key and cipher to establish a secure connection. That keeps out ‘man in the middle’ attacks, which put hackers in between you and the intended server (so they can intercept and change everything – like deposit amounts – being sent back and forth).

And it’s able to bypass restrictive firewalls from companies or governments, too.

China, as just one example, has a firewall used to control what happens through their state-owned internet service providers. That means their government can dictate what is seen or not seen. While also policing when people try to bypass this firewall. People within China commonly use VPNs to bypass this firewall. Except, China’s obviously aware of this and is trying to stop it.

So the never-ending cat-and-mouse game continues. For instance, VyprVPN has introduced Chameleon as a response. It uses OpenVPN’s versatility and flexibility to “scramble” your “packet metadata” so it isn’t susceptible to ‘deep packet inspection’ (or DPI, one of the primary ways governments, corporations, and internet service providers identify who’s using a VPN).

OpenVPN’s crowning achievement though is security.

Earlier, you saw how weak PPTP’s encryption was with a single, 56-bit key.

Even modern-day encryption is still just simple math at the end of the day. The longer the key, the more possibilities have to be tried in order to figure out what it is. The number of combinations you’d need to guess in order to crack PPTP isn’t very large (for today’s souped-up computers). That’s why it only takes a few hours to crack.

Now compare that to the Advanced Encryption Standard (AES) 256-bit encryption used by both OpenVPN and IKEv2 protocols. This is the strongest encryption available today, relied on by both governments and top security pros to keep safe stuff, safe.

“AES 256-bit” refers to 2^256, which is the number of possible keys an attacker would have to work through to be sure of cracking it. Spelled out, that equals 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,560,000,000,000,000,000,000,000,000.

Which is… a few more than a million? (I can’t even count that high.)

That means brute-force attacks, which are so common that there were “6,611,909 attacks targeting 72,532 individual WordPress websites” in a 16-hour window a few months ago, are virtually useless. There’s no point. No shot.
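To put the 56-bit versus 256-bit comparison into actual numbers, here is an added Python example (not from the original article) that computes the key space for a given key length and how long an exhaustive search would take. The key space is exact (2 to the power of the key length); the guessing rate of one trillion keys per second is an assumed figure for illustration only, since real attacker hardware varies widely.

```python
"""Added example, not from the original article: turning key length into
brute-force effort. Key space is exact; the guessing rate is an assumption."""

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365 * 24 * SECONDS_PER_HOUR

# Assumed attacker throughput, chosen for illustration: 10^12 guesses/second.
ASSUMED_GUESSES_PER_SECOND = 10**12


def keyspace(key_bits: int) -> int:
    """Number of distinct keys of length key_bits, i.e. 2 ** key_bits."""
    return 1 << key_bits


def worst_case_seconds(key_bits: int,
                       guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> int:
    """Seconds needed to try every key. Integer arithmetic keeps the
    256-bit case exact instead of overflowing or rounding a float."""
    return keyspace(key_bits) // guesses_per_second


def expected_seconds(key_bits: int,
                     guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> int:
    """On average the right key turns up halfway through the search."""
    return worst_case_seconds(key_bits, guesses_per_second) // 2


def describe(key_bits: int,
             guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> str:
    """Human-readable summary: hours when under a year, otherwise years."""
    secs = expected_seconds(key_bits, guesses_per_second)
    if secs < SECONDS_PER_YEAR:
        return f"{key_bits}-bit key: about {secs / SECONDS_PER_HOUR:.1f} hours on average"
    return f"{key_bits}-bit key: about {secs // SECONDS_PER_YEAR:,} years on average"


if __name__ == "__main__":
    # DES (PPTP's single key), AES-128 and AES-256 (OpenVPN/IKEv2) side by side
    for bits in (56, 128, 256):
        print(f"{bits}-bit key space: {keyspace(bits):,} ({len(str(keyspace(bits)))} digits)")
        print(describe(bits))
```

At the assumed rate a 56-bit key falls in roughly ten hours on average, in line with the “few hours” claim above, while a 256-bit key needs a number of years with more than fifty digits. Adding one bit doubles the work, so the jump from 56 to 256 bits is not “a bit more”: it is a factor of 2^200.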

It does all of this without sacrificing speed and performance.

So it works across all devices and platforms. It’s secure. Flexible. And fast.

Conclusion: PPTP vs. L2TP vs. IPsec vs. OpenVPN

That was a lot of technical stuff.

Still unsure of what to choose? Here are the Cliff Notes:

  • Never choose PPTP. Unless you have to. In which case, stick to basic activities like streaming Netflix which don’t require security or safety.
  • Use L2TP/IPsec when you have to. Like on iOS devices, which don’t work with other popular methods that might be faster or more secure.
  • SSTP is a good alternative to those two for Windows users who want stronger security.
  • IKEv2 is the latest and greatest offering, perfect for new Windows mobile devices because it won’t drop a secure VPN connection when switching between a WiFi network and a cell connection.

When in doubt, or if you’re unable to use those other options, always default to OpenVPN. It combines the best of all categories and is widely available across any device or platform.

Comments (11)

  • Great article. I notice your last update is Feb 15, 2017; even then, IKEv2 had been added to macOS as an option in Sierra, and is there in today's High Sierra as well. And while I don't have an older iOS device to check on, IKEv2 is definitely available and the default VPN connection type on iOS 11 as well. FYI.

    Otherwise fantastic article - thanks!

    • Hey Steve,

      Thanks for pointing this out. I've edited the article. P.S. If you're interested in contributing, send me an email - john(at)thebestvpn(dot)org

  • Hi Brad...

    You missed SoftEtherVPN... (https://www.softether.org/)

    been fiddling with it for a few days,
    basically to solve some problems I had with other VPN(s)
    (namely passing NETBIOS/L2 packets between networks)

    and it seems to be a great solution...

  • That should be "...refers to 2^256..." and not "...refers to 2256...". If that's indeed what you wrote, it's not showing up properly in the latest Safari, Chrome or Firefox browsers. FYI.

  • Is there a way that iPhones can connect to SSTP? As we have a number of people with iPhones who want to connect to our VPN. I was wondering if it is supported or not.

  • How does the SoftEther VPN (SSL-VPN) compare to OpenVPN and the others? Where would that come in the list?

    Also, in your list, are you basically saying OpenVPN is the top? It wasn’t clear in the summary.