VPN Protocols Explained – Which One Should You Use?

What is a VPN Protocol?

A VPN protocol is a set of instructions/rules that outline how a connection should be made between your device and the VPN server. The protocol determines the speed and may use encryption algorithms to help keep your data secure.

Different protocols have different parameters and specifications when in use. These include authentication techniques, error correction types, address format, and data packet size, among other things.

This guideline will focus more on security, privacy, speed, and stability.

Notable VPN protocols supported by most commercial VPN providers include PPTP, L2TP/IPSec, SSTP, OpenVPN, IKEv2/IPSec, and WireGuard.

Without further ado, let’s get started!

A brief comparison of various standard VPN protocols:

Commonly Used VPN Protocols

These are protocols most reputable VPN providers prefer to offer. They are secure with fast speeds and stability and are not easily compromised.

They are as follows:

OpenVPN

OpenVPN is the gold-industry standard of VPN protocols. OpenVPN is open source and utilizes the OpenSSL library alongside other security technologies.

OpenSSL is a toolkit for SSL/TLS and cryptography – what is needed for secure end-to-end communications.

OpenVPN is the most secure VPN protocol and is also highly configurable. OpenSSL provides all the necessary encryption and authentication needed.

OpenVPN can therefore use various ciphers offered by the OpenSSL library. Most VPN providers prefer to use the Blowfish and AES cipher.

VPN encryption is done on the data channel as well as the control channel. Data channel encryption secures your data, while control channel encryption secures the connection.

This makes sure your VPN connection and your data are never at risk. However, most VPN providers use the highest encryption on the control channel rather than the data channel.

Most commonly, OpenVPN uses the highest encryption available. That is a cipher with 256 encryption, RSA-4096 handshake, and SHA-512 hash authentication. Sometimes it can throw in HMAC authentication and Perfect Forward Secrecy.

It even uses hardware acceleration for improved performance.

Being open-source, OpenVPN has been audited by various entities and has been found secure with no severe vulnerabilities.

Often, when vulnerabilities are discovered, they are patched quickly. Additionally, it cannot be weakened even by government agencies, especially when Perfect Forward Secrecy is used.

OpenVPN TCP and OpenVPN UDP

Besides impeccable security, OpenVPN offers speed and reliability via its two communication protocols. OpenVPN TCP for reliability and OpenVPN UDP for speed.

OpenVPN TCP and UDP can run on a single TCP/UDP port 443. UDP can be set to run on another port. The same port is used for secure HTTP web traffic. This makes it hard to block OpenVPN connections.

It is recommended to use OpenVPN when security and privacy are of utmost importance. Due to the encryption overhead, OpenVPN might not be suitable for low-latency tasks such as gaming. However, if you have a high-speed connection, this won’t matter.

OpenVPN uses third-party software to be compatible with most VPN-capable devices. Almost all VPN providers also offer this protocol.

Moreover, the OpenVPN project has custom OpenVPN clients/apps that can be used individually. Manual configurations are involved.

We have a complete guide on OpenVPN over TCP vs UDP if you are interested in a detailed description.

Advantages

• Open-source.
• Impeccable security using Perfect Forward Secrecy.
• Compatible with a range of ciphers (configurable).
• It easily bypasses firewalls/restrictions.
• Almost every VPN provider offers it.
• It has been tested, audited, and proved.
• It includes UDP and TCP.
• Hard to be weakened.

Disadvantages

• High encryption overhead.
• Not very fast.
• Heavy code base.
• It needs third-party software for compatibility.

IKEv2

This protocol is also known as IKEv2/IPsec. Internet Key Exchange version 2 (IKEv2) is a tunneling protocol and, from its name, is used to exchange keys securely.

It needs another protocol for encryption and authentication to be used as a VPN protocol. This is why it is paired with IPSec.

As mentioned earlier (L2TP/IPSec), IPSec offers a secure channel and allows various encryption algorithms. Hence, you can get up to 256-bit encryption on this protocol.

Since IKEv2 is a key exchange protocol, it uses Diffie-Hellman key exchange and allows Perfect Forward Secrecy to protect its data.

The protocol is reliable as it uses acknowledgments, error processing, transmission control, and a built-in Network address translation traversal.

It is also stable as it automatically re-establishes dropped VPN connections more efficiently than other protocols.

Moreover, it supports normal mobility via the mobility and multihoming Protocol (MOBIKE). This allows users to change networks while still maintaining a secure connection.

Therefore, IKEv2 is suitable for mobile phones as they regularly switch between WIFI and mobile network internet connections. This is also why IKEv2 is the built-in protocol in most VPN-capable mobile phones.

Due to an improvement from IKEv1, IKEv2 is faster and more efficient, consumes less bandwidth, and has no known vulnerabilities. Vulnerabilities arise when VPN providers poorly implement it.

Originally, IKEv2 was developed from a joint effort between Microsoft and Cisco. It was compatible with Blackberry, iOS, and Windows 7.

However, many iterations of IKEv2 are now open-source and support other platforms.

A good VPN that uses IKEv2 is NordVPN.

Advantages

• Seamless fast speeds.
• Maximum protection via AES.
• Stable auto-reconnections.
• You can change networks without worries.
• Secure without vulnerabilities.
• Supports Blackberry devices and other platforms.

Disadvantages

• Poor implementation can lead to problems.
• Closed-source version.
• Can suffer from firewall restrictions.

Check out our guide on IKEv2 VPN protocol for a detailed description.

WireGuard

WireGuard is a relatively new open-source protocol that is simple and easy to use. It was designed to be faster than IPSec and more efficient than OpenVPN.

Although still under development, most reputable VPN providers have adopted WireGuard as one of their main protocols. Others offer a tweaked version of it under a different name.

WireGuard uses state-of-the-art cryptography to keep your internet traffic safe. It uses new ciphers that are not adopted by other protocols.

For encryption, it uses the ChaCha20. ChaCha20 is secure and performs faster than the common AES, even on mobile devices.

This state-of-the-art cryptography even ensures quantum computing won’t break the encryption easily.

Its base code is also light to ensure a minimal attack surface.

The code can be quickly reviewed even by individuals, unlike OpenVPN, which has a bulky code. The smaller the code, the easier it is to audit and identify vulnerabilities and weaknesses.

Since even its encryption mechanism is faster in mobile phones, WireGuard boasts high performance. It also uses a simple network interface that can be configured easily.

With efficient encryption, WireGuard uses the least bandwidth. Its connections rely on UDP. Due to its high performance, WireGuard offers the fastest speeds.

Besides all the good, WireGuard’s default configuration keeps your static IP address logs. This is a significant privacy concern for most users.

Also, being relatively new and under development, it still needs more testing.

WireGuard is compatible with almost all computing platforms. It is suitable for speed-intensive tasks, doesn’t consume much power, and offers secure encryption.

Advantages

• Open-source.
• High performance with Very fast speeds.
• Light base code.
• Works well even with mobile phones.
• Low bandwidth consumption.
• Excellent security.
• No known vulnerability.

Disadvantages

• Only uses UDP.
• Easy to block.
• It is still under development.
• Risky default configuration – IP logging.

Check out our guide on OpenVPN vs. WireGuard for a detailed breakdown of these two protocols.

Outdated VPN Protocols

These are protocols that most reputable VPN providers stopped offering due to their vulnerabilities. However, you can still get them on a majority of VPN providers.

The protocols include:

PPTP

Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN protocols. This protocol does not specify how security should be implemented.

It relies on various authentication methods to provide security, such as the MS-CHAP v2. This authentication method is not secure and has several known weaknesses and vulnerabilities.

Regarding encryption, PPTP relies on the RC4 encryption cipher with 128-bit encryption. This RC4 cipher is fast and lightweight. It is also vulnerable to dictionary attacks, brute-force attacks, and even bit-flipping.

Over a decade ago, PPTP was cracked within two days due to an exploit on MS-CHAP v2. Newer tools boasted cracking it in less than 24hrs by then. Coupling this with MS-CHAP v2, PPTP is not recommended for privacy and security.

Nonetheless, you can use PPTP for high-speed tasks. It is easy to set up (no additional software) and has a very low computational overhead.

Hence, up to date, PPTP is still a standard for corporate and commercial VPN services. It is also a built-in VPN protocol in most VPN-capable devices.

PPTP uses the TCP port 1723, making it easier to block.

Advantages

• Very fast speeds.
• Very easy to set up.
• A majority of VPN providers support it.
• Compatible with most platforms.

Disadvantages

• Weak security and encryption.
• Doesn’t increase your privacy.
• Government agencies or even tech-savvy individuals easily crack it.
• Cannot bypass restrictions/easy to block.
• Multiple known vulnerabilities.

L2TP/IPsec

This protocol comprises two parts, even though, at times, it is referred to as L2TP. They are Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPsec).

L2TP is just a tunneling protocol – it creates a secure connection for data exchange but doesn’t encrypt it. Hence, it needs to be paired with a protocol allowing data encryption. That’s the work for IPSec.

IPSec is responsible for encryption, key exchange, and authentication. It allows the use of various encryption algorithms. IPSec provides a secure channel when used together, while L2TP is responsible for the tunnel.

L2TP/IPSec can use 256-bit encryption, which is very secure. However, most VPNs don’t implement this protocol as they should. They use pre-shared keys, which can be easily found. Hence, they make it weak.

Additionally, most experts strongly suggest that NSA weakened IPsec when it was under development.

L2TP/IPSec is relatively slower than other protocols. This is because of the double encapsulation. Like PPTP, this protocol also uses fixed ports, making blocking easier.

You can use it when other protocols fail, offering good stability. It is easier to set up and is supported by almost all VPN-capable devices.

Advantages

• Secure compared to its predecessor PPTP.
• Relatively stable.
• Easy to set up.
• Most VPN providers support it.
• Available on most computing platforms.

Disadvantages

• Reliance on fixed ports.
• It can be blocked.
• It can be compromised.
• Relatively slower.
• The poor implementation makes it weak.

SSTP

Secure Socket Tunneling Protocol (SSTP) is a secure protocol that provides encryption using the SSL/TLS encryption standards.

These standards are also used to provide secure HTTP traffic. SSTP can secure the Point-to-Point Protocol (PPP – a communication protocol) and, in some cases, L2TP.

With tight integration, SSTP can be strong and stable like other secure protocols. Through the SSL/TSL channel, SSTP can use various ciphers that can offer 256-bit encryption. However, SSL is susceptible to POODLE Man-in-the-middle (MITM).

The unique thing about SSTP is the use of port 443. This port is used for HTTPS traffic, essentially most of your web activities.

This makes SSTP a stealth VPN protocol. It can bypass geo-blocks and is hard to block on firewalls unless no one wants web traffic to follow.

If other better protocols are unavailable, SSTP can help bypass restrictions. When implemented correctly, it can offer good speeds. But it can sometimes suffer from TCP meltdown, hindering reliability and performance.

SSTP is a Microsoft protocol and is only supported by a few platforms. They include Windows, Linux, and BSD. As a Microsoft protocol, SSTP is not available for public audits.

Also, Microsoft’s cooperation with NSA may prevent you from this protocol. That is, if privacy and security are your top priority.

Advantages

• Stealth, can bypass firewalls.
• Secure.
• Great Windows integration.

Disadvantages

• Closed source.
• SSL is susceptible to MITM.
• It can be compromised.
• Not widely supported/compatible.

Note: Avoid outdated protocols unless you are not concerned about your privacy and security. They can be your last resort when everything else is not working.

Rarely Used VPN Protocols

These are VPN protocols only used by a few VPN providers.

SoftEther

SoftEther is an open-source VPN protocol for its excellent security and fast speeds. It started as part of a Master’s thesis at the University of Tsukuba.

Although it has not gained industry-wide traction, it has already showcased excellent results on VPN providers that have adopted it.

SoftEther relies on OpenSSL for encryption and authentication. This gives it access to powerful ciphers, including the AES-256 and RSA-4096.

Also, SoftEther tunnels traffic through TCP port 443, like OpenVPN. This port guarantees that SoftEther traffic won’t be blocked easily as it is the port for HTTPS traffic.

This protocol boasts one of the best connection speeds. It has a built-in Network address translation traversal and an embedded dynamic DNS.

It also supports data compression, and priority is given to VoIP due to the quality of service.

Only two commercial VPNs offer SoftEther protocol; Hide.me and CactusVPN. Unlike other protocols, it is not natively supported by computing platforms.

Advantages

• Open-source.
• Secure.
• Fast speeds.
• Anti-restricted Firewall Solution.
• Can apply a range of ciphers.

Disadvantages

• Relatively new.
• Used by very few VPN providers.
• Doesn’t support any platform natively.

Proprietary VPN Protocols

These are protocols that are owned and controlled by a given VPN provider. They are solely created and customized to be used within their VPN services.

Other VPN providers cannot use these protocols since they are closed-source.

Proprietary VPN protocols are usually built to offer better connection speeds, security, and stability and overcome challenges available in commonly used protocols.

Some providers may create their own, while others build upon existing open-source protocols.

Since they are not open-source, no one knows what’s under the hood except the providers. Some providers state that their protocol has been independently audited with no flaws to inspire confidence.

Nonetheless, offerings from these protocols include light code to minimize the attack surface, well-established cryptography with Perfect Forward Secrecy, UDP and TCP support, excellent stability, high-performance advantage, and other features.

Some of the most commonly known proprietary VPN protocols from reputable VPNs include; Catapult Hydra, Chameleon, Lightway, and NordLynx.

Advantages of proprietary VPN Protocols

• Impeccable encryption.
• Fast connection speeds.
• High performance.
• Low bandwidth consumption.
• Ability to bypass censorship/firewall restrictions.

Disadvantages of proprietary VPN Protocols

• Closed source.
• A single provider only uses them.
• One cannot know about vulnerabilities.

Wrap Up

VPN protocols provide guidelines and specifications on how a VPN connection should be made. A VPN connection can be faster, more secure, or more stable, depending on the protocol.

Many VPN provider prefers the OpenVPN protocol as it is all round. It has the best security, good connection speeds, and reliability.

It also bypasses firewalls and other restrictions easily. If this protocol is not working well, you can use other protocols, such as WireGuard for fast speeds and IKEv2/IPSec for stability.

You also get good security. IKEv2/IPSec also works best with mobile phones and handles network changes efficiently.

If your VPN provider offers SoftEther, you can also use it. It is an excellent balanced option, such as the OpenVPN protocol.

If you can, avoid outdated protocols. Unless privacy and security are not your top priority.