The number of VPN users has grown significantly in recent months. And we are not talking about people who like to bypass blocks and visit banned sites, but about those who use a VPN for safe work (yes, remote work). This is a good occasion to take another look at the arsenal of available protocols and compare them in terms of security.
First, a few general remarks about VPNs. VPN usage scenarios differ; the most popular ones are:
- building a secure channel between two or more remote network segments (for example, between offices in Moscow and Nizhny Novgorod);
- connecting a remote employee to a corporate network (by now almost every office employee knows about this one);
- virtually changing your location through a commercial VPN provider (the least effort to set up, but all of your traffic then passes through someone else's server, which you have to trust).
To implement these scenarios there are various VPN protocols: some set up the tunnel, some encrypt the traffic, and some do both. On top of a suitable protocol you then build your solution. The two best-known and most widely used are OpenVPN and IPsec; more recently WireGuard has appeared and caused some controversy. There are other alternatives, already outdated, but still capable of solving certain problems.
Which VPN protocol is preferable depends on a number of factors and conditions of use:
Devices. Different devices support different protocols.
Network. If certain ports or services are filtered where you are, some protocols will not work. For example, only a few VPN providers still work in China, where most of them are blocked.
Performance. Some protocols offer better performance, especially on mobile devices; others are more convenient on large networks.
Threat model. Some protocols are weaker than others, so an attacker has different options against each of them.
That covers the general part; now on to a detailed description and comparison of the protocols.
PPTP
Point-to-Point Tunneling Protocol (PPTP), one of the oldest VPN protocols still in use, was originally developed by Microsoft.
PPTP uses two connections: a control channel over TCP (server port 1723) and a data channel that encapsulates PPP frames in GRE. GRE is not TCP or UDP but its own IP protocol (protocol number 47), so it has no port numbers. This is why clients behind NAT cannot connect by default: a port-based NAT has nothing to map the GRE packets on. However, the enhanced GRE that PPTP uses (RFC 2637) carries a Call ID in its header, so a NAT device that understands PPTP can match GRE traffic between a LAN client and an external server in both directions and the client can establish its point-to-point connection. Routers call this VPN Passthrough, and most modern consumer networking equipment supports it.
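The following is an added example (not code from the original article or from any router vendor) that shows the mechanism described above: it builds and parses the enhanced GRE header PPTP uses, and models a toy passthrough NAT that keys inbound GRE on the Call ID instead of a port. The NAT class, IP addresses and PPP payload are constructed for illustration; the NAT is assumed to have learned each client's Call ID from the TCP 1723 control channel, whose parsing is left out.

```python
import struct

# Enhanced GRE as used by PPTP (RFC 2637). The standard GRE "Key" field is split into
# a 16-bit payload length and a 16-bit Call ID; the Call ID is what a NAT can key on.
GRE_PROTO_PPP = 0x880B
FLAG_KEY, FLAG_SEQ = 0x20, 0x10   # byte 0: K (key present), S (sequence present)
FLAG_ACK = 0x80                   # byte 1: A (ack present); low 3 bits are version (1)


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Build a PPTP data packet: enhanced GRE header followed by a PPP frame."""
    b0 = FLAG_KEY | (FLAG_SEQ if seq is not None else 0)
    b1 = 0x01 | (FLAG_ACK if ack is not None else 0)
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(pkt):
    """Parse an enhanced GRE header; raise ValueError for anything that is not PPTP."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    b0, b1, proto, plen, call_id = struct.unpack("!BBHHH", pkt[:8])
    if (b1 & 0x07) != 1 or proto != GRE_PROTO_PPP or not (b0 & FLAG_KEY):
        raise ValueError("not a PPTP enhanced GRE packet")
    off, seq, ack = 8, None, None
    if b0 & FLAG_SEQ:
        seq, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if b1 & FLAG_ACK:
        ack, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": pkt[off:off + plen]}


class PptpPassthroughNat:
    """Toy model of 'VPN passthrough' (hypothetical, not any vendor's code).

    GRE has no port numbers, so a port-based NAT cannot tell two PPTP sessions apart.
    Instead the NAT learns each client's Call ID from the Outgoing-Call-Request on the
    TCP 1723 control channel (assumed already parsed), hands the server a Call ID that
    is unique behind this NAT, and uses the Call ID the server echoes back in GRE to
    pick the LAN client for each inbound packet.
    """

    def __init__(self):
        # (server_ip, external_call_id) -> (client_ip, client_call_id)
        self.table = {}

    def register_call(self, client_ip, client_call_id, server_ip):
        ext = client_call_id
        while (server_ip, ext) in self.table:      # collision: two clients chose the same ID
            ext = (ext + 1) & 0xFFFF
        self.table[(server_ip, ext)] = (client_ip, client_call_id)
        return ext                                 # the Call ID the server will see

    def route_inbound(self, server_ip, gre_pkt):
        """Return (client_ip, packet_with_original_call_id) or None to drop."""
        info = parse_pptp_gre(gre_pkt)
        entry = self.table.get((server_ip, info["call_id"]))
        if entry is None:
            return None                            # unsolicited GRE: no mapping, drop
        client_ip, client_call_id = entry
        rewritten = gre_pkt[:6] + struct.pack("!H", client_call_id) + gre_pkt[8:]
        return client_ip, rewritten


def demo():
    """Two LAN clients both pick Call ID 1 toward the same server (constructed sample)."""
    nat = PptpPassthroughNat()
    server = "203.0.113.5"
    ext_a = nat.register_call("192.168.1.10", 1, server)   # keeps 1
    ext_b = nat.register_call("192.168.1.11", 1, server)   # gets 2 to avoid the clash
    reply_to_b = build_pptp_gre(ext_b, b"\xff\x03\xc0\x21", seq=7)   # PPP LCP frame stub
    client_ip, pkt = nat.route_inbound(server, reply_to_b)
    unknown = nat.route_inbound(server, build_pptp_gre(999, b"\x00"))
    return {
        "ext_a": ext_a,
        "ext_b": ext_b,
        "delivered_to": client_ip,
        "call_id_seen_by_client": parse_pptp_gre(pkt)["call_id"],
        "seq_preserved": parse_pptp_gre(pkt)["seq"],
        "unknown_dropped": unknown is None,
    }


if __name__ == "__main__":
    print(demo())
```

A real passthrough implementation (the Linux PPTP connection-tracking helper works this way) must also rewrite the Call ID inside the control messages whenever it allocates a different external one, otherwise the server would echo an ID the NAT does not know.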
PPTP is supported natively on all versions of Windows and on many other operating systems, although Apple has since removed it from macOS and iOS. Despite its relatively high speed, PPTP is not very robust: after a connection drop it does not recover as quickly as, for example, OpenVPN.
PPTP is now essentially obsolete and Microsoft itself recommends other VPN solutions. We also advise against PPTP if security or privacy matter to you.
Of course, if you only use a VPN to unblock content, PPTP will do the job, but even then there are safer options to look at.
SSTP
Secure Socket Tunneling Protocol (SSTP) is a proprietary Microsoft protocol. Like PPTP, SSTP is not widely used in the VPN industry, but unlike PPTP no major security problems have been found in it.
SSTP tunnels PPP over SSL/TLS on TCP port 443, so it looks like ordinary HTTPS and gets through restrictive networks where other VPN ports are filtered (for example, if you need a VPN in China). Although SSTP implementations exist for Linux, RouterOS and SEIL, it is for the most part used on Windows.
In terms of performance SSTP is fast and stable, and its security is essentially that of the TLS stack it runs on. Unfortunately, very few VPN providers support SSTP.
SSTP can help out when other VPN protocols are blocked, but again OpenVPN is the better choice if it is available.
IPsec
Internet Protocol Security (IPsec) is a set of protocols for securing data transmitted over an IP network. Unlike SSL/TLS, which works above the transport layer, IPsec works at the network layer and is built into many operating systems, so it can be used without third-party applications (unlike OpenVPN).
IPsec has become a very popular protocol to pair with L2TP or IKEv2, which we discuss below.
IPsec protects IP packets with two protocols:
- Authentication Header (AH), which authenticates each packet (integrity and origin authentication via a keyed MAC, not a digital signature) but does not encrypt anything;
- Encapsulating Security Payload (ESP), which provides confidentiality, integrity, and authentication of the packet in transit.
In tunnel mode, which is what VPNs use, ESP encapsulates and encrypts the entire original IP packet including its header; in transport mode only the payload is protected.
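To make the AH point concrete, here is an added example (written for this review, not taken from any IPsec implementation) that builds an AH transport-mode packet with HMAC-SHA-256-128 as the integrity algorithm and checks what the ICV does and does not cover. The addresses, key and UDP-like payload are constructed; the IPv4 header is minimal and its checksum is left at zero, which is fine here because the checksum is one of the mutable fields AH excludes.

```python
import hmac
import hashlib
import socket
import struct

IPPROTO_UDP, IPPROTO_AH = 17, 51
ICV_LEN = 16   # HMAC-SHA-256-128 (RFC 4868): the 256-bit MAC is truncated to 128 bits


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left zero (it is a mutable field anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable(ip_hdr):
    """Zero the IPv4 fields RFC 4302 treats as mutable in transit so the ICV survives routing:
    DSCP/ECN (byte 1), flags and fragment offset (bytes 6-7), TTL (byte 8), checksum (10-11)."""
    h = bytearray(ip_hdr[:20])
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_protect(key, src, dst, spi, seq, inner_proto, payload):
    """Wrap payload in AH transport mode: IP | AH | payload. The payload stays in the clear."""
    ah_words = (12 + ICV_LEN) // 4            # AH length in 32-bit words (7)
    ah_fixed = struct.pack("!BBHII", inner_proto, ah_words - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + 12 + ICV_LEN + len(payload))
    # ICV covers the immutable IP header fields, the AH header with a zeroed ICV, and the payload
    to_mac = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    icv = hmac.new(key, to_mac, hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(key, pkt):
    """True if the packet's ICV matches; a receiver would also check the sequence number."""
    ip_hdr, ah_fixed = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    if ip_hdr[9] != IPPROTO_AH:
        return False
    to_mac = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    expected = hmac.new(key, to_mac, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def demo():
    key = b"constructed-32-byte-ah-key-12345"        # constructed sample key
    payload = b"\x04\xd2\x00\x35\x00\x0cGET /secret"  # fake UDP header + data (constructed)
    pkt = ah_protect(key, "10.0.0.1", "10.0.0.2", spi=0x1000, seq=1,
                     inner_proto=IPPROTO_UDP, payload=payload)

    # A router decrementing TTL (byte 8) must not break the packet: TTL is mutable.
    routed = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]
    # Flipping a payload bit or rewriting the source address must be detected.
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    spoofed = pkt[:12] + socket.inet_aton("10.0.0.9") + pkt[16:]
    return {
        "valid": ah_verify(key, pkt),
        "survives_ttl_decrement": ah_verify(key, routed),
        "detects_payload_tamper": not ah_verify(key, tampered),
        "detects_source_spoof": not ah_verify(key, spoofed),
        "payload_in_clear": payload in pkt,           # AH authenticates, it never encrypts
    }


if __name__ == "__main__":
    print(demo())
```

The last field of the result is the practical takeaway: an AH-only SA lets anyone on the path read the traffic, which is why VPNs use ESP (or ESP with its own authentication) and AH is rarely deployed.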
An IPsec discussion would be incomplete without mentioning the leaked NSA presentation that discusses the IPsec protocols (L2TP and IKE). The vague references in it do not allow a definite conclusion, but if your threat model includes targeted surveillance by a state-level adversary, it is a reason to consider other options. Properly implemented and configured IPsec is still considered secure.
We now look at how IPsec is paired with L2TP and IKEv2.
L2TP / IPsec
Layer 2 Tunneling Protocol (L2TP) appeared in 1999 as a successor to L2F (Cisco) and PPTP (Microsoft). L2TP itself provides neither encryption nor per-packet authentication, so it is normally run inside IPsec. L2TP over IPsec is standardized in RFC 3193 and supported by many operating systems.
L2TP/IPsec is considered secure and has no major known issues (it is far more secure than PPTP). It can use 3DES or AES; since 3DES is now considered a weak cipher, it is rarely used.
L2TP/IPsec sometimes fails to connect because it relies on UDP port 500 (IKE), UDP port 4500 (NAT traversal) and IP protocol 50 (ESP), which some firewalls block; the L2TP traffic itself, on UDP port 1701, travels inside the ESP tunnel.
L2TP/IPsec gives strong protection of the transmitted data, is easy to configure and is supported by all modern operating systems. However, it encapsulates the data twice (PPP inside L2TP inside ESP), which makes it less efficient and slower than other VPN protocols.
IKEv2 / IPsec
Internet Key Exchange version 2 (IKEv2) is the IPsec protocol that performs mutual authentication and creates and maintains Security Associations (SAs); it is standardized in RFC 7296. The data is still protected by IPsec ESP, so IKEv2/IPsec and L2TP/IPsec offer the same level of protection for the traffic itself. IKEv2 is an IETF standard developed with the participation of Microsoft and Cisco, and there are open-source implementations (for example, OpenIKEv2, Openswan and strongSwan).
With support for the Mobility and Multihoming Protocol (MOBIKE, RFC 4555), IKEv2 is very resilient to network changes. This makes it a great choice for smartphone users who regularly switch between home Wi-Fi and mobile data, or move between hotspots.
IKEv2/IPsec can use a number of cryptographic algorithms, including AES, Blowfish and Camellia with keys up to 256 bits; the exact set depends on the implementation.
IKEv2 supports Perfect Forward Secrecy (a fresh Diffie-Hellman exchange for each child SA).
In many cases IKEv2 is faster than OpenVPN because it is less resource-intensive. From a performance standpoint, IKEv2 may be the best option for mobile users because it re-establishes connections well. It is natively supported on Windows 7+, macOS 10.11+, iOS, and some Android devices.
OpenVPN
OpenVPN is an open-source VPN protocol developed by OpenVPN Technologies. It is arguably the most popular VPN protocol today. Being open source, it has gone through more than one independent security review.
For most situations where you need a VPN connection, OpenVPN is likely to be the answer. It is stable and offers good transfer rates. OpenVPN runs its TLS-based tunnel over plain TCP or UDP, which makes it an alternative to IPsec when a provider blocks some VPN protocols.
OpenVPN requires dedicated client software; no operating system ships it out of the box. Most VPN services build their own OpenVPN-based applications for different operating systems and devices. The protocol can run on any TCP or UDP port and is available through third-party clients on all major platforms: Windows, macOS, Linux, iOS, Android.
If it does not fit your situation, look at the alternatives.
WireGuard
The newest and least explored VPN protocol is WireGuard. Its developers position it as a replacement for IPsec and OpenVPN in most of their use cases that is at the same time more secure, faster and easier to use.
Every IP packet arriving at a WireGuard interface is encrypted, authenticated, encapsulated in UDP and delivered to the peer; packets from unknown or unauthenticated peers are silently dropped. WireGuard uses modern cryptography:
- Curve25519 for key exchange,
- ChaCha20 for encryption,
- Poly1305 for data authentication,
- SipHash for hash table keys,
- BLAKE2s for hashing (and, with HKDF, for key derivation).
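As an added example (not WireGuard's own code), the following pure-Python X25519 implementation, transcribed from the reference ladder in RFC 7748, shows what the first item in that list means in practice: `wg genkey` is 32 clamped random bytes, `wg pubkey` is the scalar times the base point 9, and two peers who each know their own private key and the other's public key derive the same shared secret. The `wg_*` function names are this example's own; the check values come from the RFC 7748 Alice/Bob test vectors. The arithmetic is not constant-time, so it is for understanding only, never for real keys.

```python
import base64
import os

# Curve25519 field prime and the Montgomery ladder exactly as written in RFC 7748, section 5.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

# RFC 7748 section 6.1 test vectors, as wg-style base64 strings.
ALICE_PRIV_B64 = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
BOB_PRIV_B64 = base64.b64encode(bytes.fromhex(
    "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")).decode()


def _decode_scalar(k):
    k = bytearray(k)
    k[0] &= 248            # clear the low 3 bits (cofactor clearing)
    k[31] &= 127           # clear the top bit
    k[31] |= 64            # set bit 254
    return int.from_bytes(k, "little")


def _decode_u(u):
    u = bytearray(u)
    u[31] &= 127           # RFC 7748: ignore the most significant bit of the coordinate
    return int.from_bytes(u, "little") % P


def x25519(k, u):
    """Scalar multiplication k*u on Curve25519 (32-byte inputs, 32-byte little-endian output)."""
    k, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def wg_genkey():
    """Equivalent of `wg genkey`: 32 random bytes, clamped, base64-encoded."""
    k = bytearray(os.urandom(32))
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return base64.b64encode(bytes(k)).decode()


def wg_pubkey(private_b64):
    """Equivalent of `wg pubkey`: the public key is the private scalar times the base point."""
    return base64.b64encode(x25519(base64.b64decode(private_b64), BASEPOINT)).decode()


def wg_shared_secret(my_private_b64, peer_public_b64):
    """The static-static ECDH value both peers derive. WireGuard mixes this, the ephemeral DH
    results and an optional preshared key through HKDF/BLAKE2s to obtain the session keys."""
    return x25519(base64.b64decode(my_private_b64), base64.b64decode(peer_public_b64))


def demo():
    """Reproduce the RFC 7748 exchange between Alice and Bob and report hex values."""
    alice_pub, bob_pub = wg_pubkey(ALICE_PRIV_B64), wg_pubkey(BOB_PRIV_B64)
    s_alice = wg_shared_secret(ALICE_PRIV_B64, bob_pub)
    s_bob = wg_shared_secret(BOB_PRIV_B64, alice_pub)
    return {
        "alice_pub": base64.b64decode(alice_pub).hex(),
        "bob_pub": base64.b64decode(bob_pub).hex(),
        "shared_alice": s_alice.hex(),
        "shared_bob": s_bob.hex(),
        "agree": s_alice == s_bob,
    }


if __name__ == "__main__":
    print(demo())
```

One consequence worth noticing: a leaked `PrivateKey` line from a WireGuard config is enough to recompute the peer's public identity and every static shared secret it has with its peers, so configs deserve the same handling as TLS private keys.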
WireGuard's code base is far smaller and simpler than OpenVPN's (around 4 thousand lines versus several hundred thousand once the TLS library is counted), which makes it much easier to audit for vulnerabilities. Many people also note that it is much easier to deploy and configure.
Performance test results can be seen on the official website (as you might guess, they are good). WireGuard performs best on Linux, where it is implemented as a kernel module.
Recently WireGuard 1.0.0 was released, marking the inclusion of WireGuard in the mainline Linux 5.6 kernel. The code merged into the kernel underwent an additional security audit by an independent firm, which found no issues. This is great news for many, but only further independent research will tell whether WireGuard becomes a worthy replacement for IPsec and OpenVPN.
We have tried to describe the most popular VPN protocols and hope you find the review useful. To summarize, here is a comparison of the indicators we consider important.
PPTP
- Developer: Microsoft
- Supported platforms: Windows, GNU/Linux; macOS and iOS until Apple removed it. Works out of the box, no additional software required.
- Encryption: Microsoft Point-to-Point Encryption (MPPE), i.e. RC4 with session keys of at most 128 bits
- Ports: TCP port 1723 for the control channel, GRE (IP protocol 47) for data
- Known vulnerabilities: serious. MS-CHAPv2 authentication is vulnerable to dictionary attack (in fact it reduces to a search of a single 56-bit DES key), and the RC4 stream carries no integrity protection, so it is exposed to bit-flipping attacks.

SSTP
- Developer: Microsoft. Proprietary, but open-source implementations of the protocol exist.
- Supported platforms: Windows, where it works out of the box with no additional software; implementations also exist for Linux, RouterOS and SEIL.
- Encryption: SSL/TLS (everything except the TCP and TLS headers is encrypted)
- Ports: TCP port 443
- Known vulnerabilities: no major security flaws identified

L2TP / IPsec
- Developer: L2TP is a joint development of Cisco and Microsoft; IPsec comes from the Internet Engineering Task Force
- Supported platforms: Windows, Mac OS X, Linux, iOS, Android. Many operating systems (including Windows 2000/XP+ and Mac OS 10.3+) have built-in support, no need to install additional software
- Encryption: 3DES or AES
- Ports: UDP port 500 for the initial key exchange, UDP port 4500 for NAT traversal, IP protocol 50 (ESP) for the tunnel; L2TP itself on UDP port 1701 inside the tunnel
- Known vulnerabilities: 3DES is vulnerable to meet-in-the-middle and Sweet32 attacks, while AES has no known practical attacks. Leaked NSA documents suggest the agency has had some success against IPsec deployments.

IKEv2 / IPsec
- Developer: IKEv2 is an IETF standard developed with the participation of Cisco and Microsoft; IPsec comes from the Internet Engineering Task Force
- Supported platforms: Windows 7+, macOS 10.11+ and most mobile operating systems have built-in support
- Encryption: a wide variety of algorithms including AES, Blowfish and Camellia
- Ports: UDP port 500 for the initial key exchange, UDP port 4500 for NAT traversal (IP protocol 50, ESP, when there is no NAT in the path)
- Known vulnerabilities: none known beyond the leaked NSA reports regarding IPsec

OpenVPN
- Developer: OpenVPN Technologies
- Supported platforms: Windows, macOS, GNU/Linux, iOS, Android and routers. Dedicated client software for this protocol must be installed.
- Encryption: the OpenSSL library (most popular cryptographic standards), with TLS for the control channel
- Ports: any UDP or TCP port (UDP 1194 by default)
- Known vulnerabilities: no major security flaws identified

WireGuard
- Developer: Jason A. Donenfeld
- Supported platforms: Windows, macOS, GNU/Linux, iOS, Android. Install WireGuard itself and configure it according to the manual.
- Encryption: 1-RTT key exchange, Curve25519 for ECDH, ChaCha20-Poly1305 (RFC 7539, now RFC 8439) for authenticated encryption, BLAKE2s for hashing
- Ports: any UDP port
- Known vulnerabilities: no major security flaws identified