Although VPN software has gained immense popularity in this post-Snowden era, the underlying framework of VPN and how it works is often confusing. There are too many protocols to choose from and each one offers a different use with a different level of security. Not to mention, the naming scheme of any VPN protocol is quite intimidating and geeky for those who have little interest in computer networks and simply want to use a good VPN.
In this post, we will take a look at a few common VPN security protocols, simplify them and understand when and how we can use them. However, if you are an absolute beginner with VPNs, here is an excellent article to learn what a VPN is and why we should use a virtual private network in the first place.
What is the Need for a Separate VPN Protocol?
We all grew up watching and typing HTTP (Hyper Text Transfer Protocol) into browsers as part of web URLs. Incidentally, the number of worldwide secure servers has increased threefold over the past decade. There are over 1.5 million third party certificates being used across hundreds of millions of websites. However, the Internet does not simply operate out of a browser and straight into a website.
A lot happens underneath in the various layers of the Internet network and at every such layer, there is a scope for added security and protection. In the absence of VPN software, these security features remain unused and your data travels over unsafe protocols. Regrettably, even SSL secures only your communication. Hence, you and your machine can be uniquely identified by anyone snooping on your traffic. However, once you start using VPN, your data travels over secure protocols designed much deeper into the network stack.
What Happens When We Type a URL in a Browser?
Identifies the domain from your entered URL as google.com
Checks the browser cache, the system DNS resolver cache and the DNS server for the IP address of www.google.com
Creates an HTTP GET request to www.google.com
Creates packets out of the request, marks the packets with sequence numbers and starts a connection to www.google.com
Receives the TCP packets, further creates IP datagrams adding the IP address of www.google.com and your machine. The packet is ready to send.
Breaks IP datagram packet into frames to hop over routers on the Internet and reach google servers.
After step 6 in the table above, Google server receives the frames and sends them back up to create an HTTP request packet, after which it starts preparing a response following the same steps.
To maintain a good level of online privacy and anonymity, there is a need for security throughout the network stack. Since you are connecting to an ISP somewhere, your IP address is always available for the ISP to see. However, when you use a VPN software, you get added security. Although your ISP can see you are using a VPN, it is blind about what websites you are visiting. This renders any snooping useless.
Common VPN Protocols for Tunneling
VPN protocols have emerged to serve incremental security needs and different VPN software use different protocols. However, the most common protocols are supported by all VPN software by design. Here are some of those common VPN tunneling protocols.
PPTP- Point to Point Tunneling Protocol
PPTP or Point-to-point Tunneling Protocol is the most unsecured and obsolete VPN protocol. It was designed strictly to be a tunneling protocol, which Microsoft later modified to add encryption capabilities with MPPE. The PPTP protocol is riddled with security vulnerabilities starting with a support for poor 56-bit RC4 encryption until Windows Vista.
IPSec is a slightly better VPN protocol than PPTP as it encrypts IP packets besides establishing secure channels from host to host or network to network. While PPTP is a tunneling protocol, IPSec is an encryption protocol. Hence, IPSec compares to MPPE which is used with PPTP to bring a basic level of security.
L2TP/IPSec- Layer 2 Tunneling Protocol
L2TP is an improved version of PPTP and is strictly a tunneling protocol. When used with IPSec, it creates a strong VPN tunnel with secured packets. The encryption standard of L2TP/IPSec is the same as the underlying IPsec at 256-bit AES making the implementation of this VPN protocol fairly secure.
SSTP- Secure Socket Tunneling Protocol
SSTP is another secure tunneling protocol that is available only on Windows. SSTP creates a secure SSL v3 tunnel over port 443 and can send L2TP traffic. Compared to L2TP/IPSec, the encryption has moved to the Transport layer from the Internet layer. This makes SSTP ideal for bypassing firewalls. However, SSTP is proprietarily owned by Microsoft, which makes it difficult to research, study or modify.
The IKEv2 protocol, although developed by Microsoft and Cisco is a relatively open tunneling protocol with a very different philosophy from the rest of its family. It is designed for mobility using UDP 4500 and 500 ports, and the security is at par with L2TP/IPSec. Incidentally, this is the preferred VPN protocol to use on 3G and 4G LTE networks, where mobility and seamless connectivity is a priority. Also, IKEv2 is probably what Google VPN is based on too.
OpenVPN is the most secure and open VPN protocol. It is similar to SSTP and uses SSL v3/TLS v1 for key exchange and transferring data thereafter. The benefit with OpenVPN is that it operates in the userspace, unlike L2TP/IPSec that needs to interfere with the IP stack in the kernel space. OpenVPN supports 256-bit encryption and has been ported to various hardware, thanks to the open specification.
VPN Protocol Comparison Chart
Apart from these traditional protocols, VPN services have their own spin-offs that are often proprietary and go above and beyond OpenVPN. Most of these proprietary protocols focus on bypassing DPI (Deep Packet Inspection) and use Obfsproxy to scramble the TLS handshake.
- Vypr VPN has a Chameleon protocol which masks VPN traffic as regular internet traffic and bypasses DPI (Deep Packet Inspection).
- Nord VPN has a custom implementation of IKEv2 over IPSec and uses PFS (Perfect Forward Secrecy) with 3072-bit Diffie-Hellman keys, which is as secure and stable as Open VPN.
- Pure VPN has a Stealth mode similar to Chameleon from Vypr VPN, which masks VPN traffic to look like regular traffic.
- SoftEther is an upcoming open-source protocol build on top of OpenVPN which bypasses DPI and is available with Cactus VPN.
Conclusion: The Best VPN Protocol
Choosing the best VPN protocol is a difficult task, as not everyone uses a VPN for the same reason. However, Open VPN strikes an impressive balance between speed, reliability, open implementation and security. Tom's VPN recommends Open VPN for serious security needs and PPTP for streaming online content.
It is important to note that VPNs add some metadata to the packets that go out of your computer and these metadata have a identifiable pattern. This has allowed countries like China to block OpenVPN as well. Although some users are forwarding OpenVPN over SSL to bypass this, the easy and faster solution to this problem is to use Stealth VPN protocols like Chameleon and SoftEther which scramble this SSL handshake metadata in OpenVPN. This can successfully bypass the Great Firewall of China.