Although VPN software has gained immense popularity in this post-Snowden era, how a VPN actually works underneath is often confusing. There are too many protocols to choose from, and each one serves a different purpose with a different level of security. Not to mention, the naming scheme of any VPN protocol is quite intimidating and geeky for those who have little interest in computer networks and simply want to use a good VPN.

In this post, we will take a look at a few common VPN security protocols, simplify them and understand when and how we can use them. If you are an absolute beginner with VPNs, however, here is an excellent article on what a VPN is and why we should use a virtual private network in the first place.

What is the Need for a Separate VPN Protocol?

We all grew up watching and typing HTTP (Hypertext Transfer Protocol) into browsers as part of web URLs. Incidentally, the number of secure servers worldwide has increased threefold over the past decade, and there are over 1.5 million third-party certificates in use across hundreds of millions of websites. However, the Internet does not simply operate out of a browser and straight into a website.


A lot happens underneath, in the various layers of the network, and at every such layer there is scope for added security and protection. In the absence of VPN software, these security features remain unused and your data travels over unsafe protocols. Regrettably, even SSL secures only the content of your communication, so you and your machine can still be uniquely identified by anyone snooping on your traffic. Once you start using a VPN, however, your data travels over secure protocols that sit much deeper in the network stack.

What Happens When We Type a URL in a Browser?

URL: www.google.com

Step | Layer       | Component | Interaction
-----|-------------|-----------|------------
1    | Application | Browser   | Identifies the domain from your entered URL as google.com
2    | Application | Browser   | Checks the browser cache, the system DNS resolver cache and the DNS server for the IP address of www.google.com
3    | Application | Browser   | Creates an HTTP GET request to www.google.com
4    | Transport   | System    | Splits the request into packets, marks the packets with sequence numbers and starts a connection to www.google.com
5    | Internet    | System    | Receives the TCP packets and wraps them in IP datagrams carrying the IP addresses of www.google.com and your machine. The packet is ready to send.
6    | Network     | Internet  | Breaks the IP datagram into frames that hop over routers on the Internet and reach Google's servers.

After step 6 in the table above, Google's server receives the frames and passes them back up the stack to reconstruct the HTTP request, after which it prepares a response following the same steps in reverse.

To maintain a good level of online privacy and anonymity, there is a need for security throughout the network stack. Since you are connecting to an ISP somewhere, your IP address is always visible to the ISP. When you use VPN software, however, you get added security: although your ISP can see that you are using a VPN, it cannot see which websites you are visiting. This renders any snooping useless.

Common VPN Protocols for Tunneling


VPN protocols have emerged to serve incremental security needs, and different VPN software uses different protocols. The most common protocols, however, are supported by all VPN software by design. Here are some of those common VPN tunneling protocols.

PPTP - Point-to-Point Tunneling Protocol

PPTP, or Point-to-Point Tunneling Protocol, is the least secure and most obsolete VPN protocol. It was designed strictly as a tunneling protocol, and Microsoft later modified it to add encryption with MPPE. The PPTP protocol is riddled with security vulnerabilities, beginning with its support for weak 56-bit RC4 encryption, which lasted until Windows Vista.

PPTP now supports 128-bit RC4 encryption and is ideal for streaming online content when connected to a relatively secure network.

IPSec

IPSec is a slightly better VPN protocol than PPTP, as it encrypts IP packets in addition to establishing secure channels from host to host or network to network. While PPTP is a tunneling protocol, IPSec is an encryption protocol. In that sense, IPSec is the counterpart of MPPE, which PPTP relies on for a basic level of security.

IPSec uses 256-bit AES encryption and can also be used standalone as a secure tunneling protocol.

L2TP/IPSec - Layer 2 Tunneling Protocol

L2TP is an improved version of PPTP and is strictly a tunneling protocol. When used with IPSec, it creates a strong VPN tunnel with secured packets. The encryption standard of L2TP/IPSec is the same as that of the underlying IPSec, 256-bit AES, making this VPN protocol fairly secure in practice.

L2TP/IPSec encapsulates traffic twice, once in L2TP and again in IPSec, which in theory makes this VPN protocol slower.

SSTP - Secure Socket Tunneling Protocol

SSTP is another secure tunneling protocol, available only on Windows. SSTP creates a secure SSL v3 tunnel over port 443 and can carry L2TP traffic. Compared to L2TP/IPSec, the encryption has moved from the Internet layer up to the Transport layer, which makes SSTP ideal for bypassing firewalls. However, SSTP is proprietary to Microsoft, which makes it difficult to research, study or modify.

We are at the mercy of Microsoft when using this VPN protocol, and Microsoft has a bad history with security.

IKEv2

The IKEv2 protocol, although developed by Microsoft and Cisco, is a relatively open tunneling protocol with a very different philosophy from the rest of its family. It is designed for mobility, using UDP ports 500 and 4500, and its security is on par with L2TP/IPSec. Incidentally, this is the preferred VPN protocol on 3G and 4G LTE networks, where mobility and seamless connectivity are a priority. IKEv2 is also probably what Google VPN is based on.

The shared session secret used throughout by IKEv2 makes it pretty secure, the only caveat being that blocking UDP port 500 breaks IKEv2.

OpenVPN

OpenVPN is the most secure and open VPN protocol. It is similar to SSTP and uses SSL v3/TLS v1 for key exchange and for transferring data thereafter. The benefit of OpenVPN is that it operates in user space, unlike L2TP/IPSec, which has to hook into the IP stack in kernel space. OpenVPN supports 256-bit encryption and has been ported to various hardware thanks to its open specification.

Notably, the temporary (per-session) key exchange makes OpenVPN nearly impossible to snoop on, making it the most secure VPN protocol currently available.

VPN Protocol Comparison Chart

Feature           | PPTP       | L2TP/IPSec   | SSTP                  | IKEv2    | OpenVPN
------------------|------------|--------------|-----------------------|----------|---------
Encryption        | 128-bit    | 256-bit      | 256-bit               | 256-bit  | 256-bit
Speed             | Fast       | Slow         | Slow                  | Fastest  | Fast
Security          | Low        | High         | High                  | Highest  | Highest
Bypass firewall   | No         | No           | Yes                   | No       | Yes
Setup ease        | Easy       | Easy         | Easy                  | Moderate | Moderate
System support    | All        | All          | All                   | All      | All
Streaming content | Fastest    | Slowest      | Slow                  | Fastest  | Fastest
Vulnerability     | Vulnerable | NSA involved | Microsoft proprietary | Secure   | Secure
Bypass DPI        | No         | No           | No                    | No       | No
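The "Bypass firewall" row above, and the earlier caveat that blocking UDP port 500 breaks IKEv2, both come down to what a port-based rule on the network edge can see. The following is an added example, not code from the article: a small classifier of the kind a network team runs over egress flow logs to find out which tunneling protocols leave the network. The port and protocol numbers are the standard assignments (PPTP control on TCP 1723 plus GRE, IP protocol 47; L2TP on UDP 1701; IKE on UDP 500 with NAT-T on UDP 4500; OpenVPN's default UDP 1194; SSTP on TCP 443); the flow records are constructed sample data.

```python
"""Port/protocol classification of egress flows by VPN tunneling protocol.

Added example, not from the original article. Port numbers are the standard
assignments; the flow records below are constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "gre"
    dport: int       # 0 for GRE, which carries no port numbers
    bytes_out: int


# (transport, destination port) -> tunneling protocol that uses it by default.
SIGNATURES = {
    ("tcp", 1723): "PPTP control",
    ("gre", 0):    "PPTP data (GRE)",
    ("udp", 1701): "L2TP without IPSec",
    ("udp", 500):  "IKEv2/IPSec (IKE)",
    ("udp", 4500): "IKEv2/IPSec (NAT-T)",
    ("udp", 1194): "OpenVPN default",
}

AMBIGUOUS_443 = "TLS on 443 (HTTPS, SSTP or OpenVPN over 443: not separable by port)"


def classify(flow: Flow) -> str:
    """Label a flow by the tunneling protocol its port/protocol pair suggests."""
    label = SIGNATURES.get((flow.proto, flow.dport))
    if label is not None:
        return label
    if flow.proto == "tcp" and flow.dport == 443:
        # SSTP and OpenVPN-over-443 share the port with ordinary HTTPS, so a
        # port rule sees only "TLS"; that is what "bypass firewall: Yes" means.
        return AMBIGUOUS_443
    return "unclassified"


def summarize(flows) -> Counter:
    """Count flows per label, the view an egress report would give."""
    return Counter(classify(f) for f in flows)


def tunnels_per_host(flows) -> dict:
    """Correlate flows by source host. PPTP is confirmed only when both its
    control channel and GRE appear; IKEv2 is confirmed by the IKE exchange on
    UDP 500 (UDP 4500 alone is the NAT-T data path of a tunnel negotiated earlier)."""
    by_src = defaultdict(set)
    for f in flows:
        by_src[f.src].add(classify(f))
    result = {}
    for src, labels in by_src.items():
        found = []
        if {"PPTP control", "PPTP data (GRE)"} <= labels:
            found.append("PPTP")
        if "IKEv2/IPSec (IKE)" in labels:
            found.append("IKEv2/IPSec")
        if "OpenVPN default" in labels:
            found.append("OpenVPN")
        if "L2TP without IPSec" in labels:
            found.append("L2TP (plain)")
        if found:
            result[src] = found
    return result


def broken_by_udp500_block(flows):
    """Flows that a rule dropping UDP 500 would break: every IKEv2 tunnel starts
    its negotiation there, even when the data later moves to NAT-T on UDP 4500."""
    return [f for f in flows if f.proto == "udp" and f.dport == 500]


# Constructed sample flow log (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("10.0.0.5",  "198.51.100.10", "udp", 500,  1200),
    Flow("10.0.0.5",  "198.51.100.10", "udp", 4500, 48000),
    Flow("10.0.0.7",  "198.51.100.20", "tcp", 1723, 900),
    Flow("10.0.0.7",  "198.51.100.20", "gre", 0,    30000),
    Flow("10.0.0.9",  "198.51.100.30", "udp", 1194, 52000),
    Flow("10.0.0.11", "198.51.100.40", "tcp", 443,  61000),
    Flow("10.0.0.12", "203.0.113.5",   "tcp", 443,  3000),
    Flow("10.0.0.13", "203.0.113.6",   "udp", 53,   200),
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{count:2d}  {label}")
    print("tunnels per host:", tunnels_per_host(SAMPLE_FLOWS))
    print("flows broken by a UDP 500 block:",
          [(f.src, f.dst) for f in broken_by_udp500_block(SAMPLE_FLOWS)])
```

The point of the per-host correlation is that a single flow rarely proves a tunnel: PPTP needs its GRE channel alongside TCP 1723, and IKEv2 shows up as an IKE exchange on 500 followed by NAT-T traffic on 4500. The two TCP 443 flows, one of which could be SSTP, land in the same bucket as ordinary HTTPS, which is exactly why the chart credits SSTP and OpenVPN with bypassing firewalls.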

Apart from these traditional protocols, VPN services have their own spin-offs, often proprietary, that go above and beyond OpenVPN. Most of these proprietary protocols focus on bypassing DPI (Deep Packet Inspection) and use Obfsproxy to scramble the TLS handshake.

  1. Vypr VPN has a Chameleon protocol which masks VPN traffic as regular Internet traffic and bypasses DPI (Deep Packet Inspection).
  2. Nord VPN has a custom implementation of IKEv2 over IPSec and uses PFS (Perfect Forward Secrecy) with 3072-bit Diffie-Hellman keys, which is as secure and stable as OpenVPN.
  3. Pure VPN has a Stealth mode similar to Chameleon from Vypr VPN, which masks VPN traffic to look like regular traffic.
  4. SoftEther is an upcoming open-source protocol built on top of OpenVPN which bypasses DPI and is available with Cactus VPN.

Conclusion: The Best VPN Protocol

Choosing the best VPN protocol is a difficult task, as not everyone uses a VPN for the same reason. However, OpenVPN strikes an impressive balance between speed, reliability, open implementation and security. Tom's VPN recommends OpenVPN for serious security needs and PPTP for streaming online content.

It is important to note that VPNs add some metadata to the packets that leave your computer, and this metadata has an identifiable pattern. This has allowed countries like China to block OpenVPN as well. Although some users forward OpenVPN over SSL to get around this, the easier and faster solution is to use Stealth VPN protocols like Chameleon and SoftEther, which scramble this SSL handshake metadata in OpenVPN. This can successfully bypass the Great Firewall of China.
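To make the "identifiable pattern" above concrete, here is an added example, not code from the article, showing the fixed layout that DPI keys on in an unobfuscated OpenVPN handshake. The first packet carries a one-byte header whose top five bits are the opcode and low three bits the key id, then an 8-byte session id, and, without tls-auth, a zero-length ack array and a 4-byte message packet id of 0. The opcodes 7 (P_CONTROL_HARD_RESET_CLIENT_V2) and 8 (P_CONTROL_HARD_RESET_SERVER_V2) are OpenVPN's own protocol values; over TCP the packet is prefixed with a 2-byte big-endian length. The sample payloads are constructed. The check is written from a network monitor's point of view: flagging tunnels that the port alone does not reveal.

```python
"""Fingerprint of the OpenVPN control-channel handshake (added example, not
from the original article). Opcode values are OpenVPN's own; sample payloads
are constructed.
"""
import struct
from typing import Optional

OPCODE_NAMES = {
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
}
HANDSHAKE_MIN_LEN = 1 + 8 + 1 + 4   # opcode byte, session id, ack count, packet id


def parse_openvpn_header(payload: bytes) -> Optional[dict]:
    """Split the first bytes of an OpenVPN packet (plain layout, no tls-auth)
    into its fields, or return None when the bytes do not fit that layout."""
    if len(payload) < HANDSHAKE_MIN_LEN:
        return None
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    session_id = payload[1:9]
    ack_count = payload[9]
    # When acks are present the header grows by 4 bytes per acked packet id
    # plus the 8-byte remote session id before the message packet id.
    pkt_id_off = 10 + ack_count * 4 + (8 if ack_count else 0)
    if len(payload) < pkt_id_off + 4:
        return None
    (packet_id,) = struct.unpack(">I", payload[pkt_id_off:pkt_id_off + 4])
    return {"opcode": opcode, "key_id": key_id, "session_id": session_id,
            "ack_count": ack_count, "packet_id": packet_id}


def looks_like_openvpn_handshake(payload: bytes, transport: str = "udp") -> Optional[str]:
    """Return the opcode name when the payload matches the first packet of an
    unobfuscated OpenVPN handshake, else None."""
    if transport == "tcp":
        # OpenVPN over TCP prefixes each packet with a 2-byte big-endian length.
        if len(payload) < 2:
            return None
        (length,) = struct.unpack(">H", payload[:2])
        payload = payload[2:2 + length]
    hdr = parse_openvpn_header(payload)
    if hdr is None or hdr["opcode"] not in OPCODE_NAMES:
        return None
    # A fresh handshake always uses key id 0 and message packet id 0.
    if hdr["key_id"] != 0 or hdr["packet_id"] != 0:
        return None
    return OPCODE_NAMES[hdr["opcode"]]


# Constructed sample payloads.
# Client hard reset: opcode 7 << 3 = 0x38, session id, no acks, packet id 0.
CLIENT_RESET = bytes([0x38]) + bytes.fromhex("0102030405060708") + b"\x00" + b"\x00\x00\x00\x00"
# Server hard reset: opcode 8 << 3 = 0x40, acks the client's packet 0 and
# echoes the client's session id before its own packet id 0.
SERVER_RESET = (bytes([0x40]) + bytes.fromhex("a1a2a3a4a5a6a7a8") + b"\x01"
                + b"\x00\x00\x00\x00" + bytes.fromhex("0102030405060708") + b"\x00\x00\x00\x00")
# A TLS record header (0x16 0x03 0x01 ...) as sent by plain HTTPS; not OpenVPN.
TLS_CLIENT_HELLO = bytes.fromhex("1603010010010000" + "0c03030000000000")

if __name__ == "__main__":
    for name, data in [("client", CLIENT_RESET), ("server", SERVER_RESET),
                       ("tls", TLS_CLIENT_HELLO)]:
        print(name, "->", looks_like_openvpn_handshake(data))
    print("tcp ->", looks_like_openvpn_handshake(struct.pack(">H", len(CLIENT_RESET)) + CLIENT_RESET, "tcp"))
```

The opcode byte and session id stay in the clear even with tls-auth or tls-crypt; only the fields after the session id change layout, so this check matches the plain layout exactly and merely falls back to the opcode for the others. That constant leading structure, rather than anything in the encrypted TLS payload, is what the article means by metadata with an identifiable pattern, and it is what obfuscation layers such as Chameleon and Obfsproxy scramble.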

About the author

Chinmoy

I take a deep interest in finding out why things work the way they work. I also write about VPN services, anonymity tools, and privacy tools here at Tom's VPN.
