This article has been updated to include the WireGuard and Stealth VPN protocols.
We explain what a VPN protocol is and what it does. We also compare the strengths and weaknesses of the most common protocols, including OpenVPN, WireGuard, IKEv2, PPTP, and L2TP.
Before you trust a VPN to protect your internet activity, you need to ensure they’ve put in place the necessary safeguards. Evaluating the more technical aspects of a VPN can be difficult. It often means struggling to understand an alphabet soup of different acronyms.
We have begun a series of posts where we explain some of our security measures so that people can make more informed decisions. Our first post explained what HMAC SHA-384 means(nouvelle fenêtre). This post will investigate VPN protocols, what they do, how they work, and what it means if a VPN service uses OpenVPN over L2TP, for example.
This post delves into some of the inner workings of VPNs. While we try to explain terms clearly, this post will be more useful if you come in with some basic technical knowledge. If you’re not sure how a VPN works, it might be helpful to read the article linked below before continuing.
VPN Protocols
VPNs rely on what is called “tunneling” to create a private network between two computers over the internet. A VPN protocol, also known as a “tunneling protocol,” is the instructions your device uses to negotiate the secure encrypted connection that forms the network between your computer and another.
A VPN protocol is usually made up of two channels: a data channel and a control channel. The control channel is responsible for the key exchange, authentication, and parameter exchanges (like providing an IP or routes and DNS servers). The data channel, as you might have guessed, is responsible for transporting your internet traffic data. Together, these two channels establish and maintain a secure VPN tunnel. However, for your data to pass through this secure tunnel, it must be encapsulated.
Encapsulation is when a VPN protocol takes bits of data, known as data packets, from your internet traffic and places them inside another packet. This extra layer is necessary because the protocol configurations your VPN uses inside the data channel are not necessarily the same as the regular internet uses. The additional layer allows your information to travel through the VPN tunnel and arrive at its correct destination.
This is all a bit technical, so broad overview: When you connect to a VPN server, the VPN uses its control channel to establish shared keys and connect between your device and the server. Once this connection is established, the data channel begins transmitting your internet traffic. When a VPN discusses the strengths and weaknesses of its performance or talks about a “secure VPN tunnel,” it is talking about its data channel. Once the VPN tunnel has been established, the control channel is then tasked with maintaining the connection’s stability.
PPTP
Point-to-Point Tunneling Protocol (PPTP) is one of the older VPN protocols. It was initially developed with support from Microsoft, and thus all versions of Windows and most other operating systems have native support for PPTP.
PPTP uses the Point-to-Point Protocol (PPP), which is like a proto-VPN in itself. Despite being quite old, PPP can authenticate a user (usually with MS-CHAP v2) and encapsulate data itself, letting it handle both control channel and data channel duties. However, PPP is not routable; it cannot be sent over the internet on its own. So PPTP encapsulates the PPP-encapsulated data again using generic routing encapsulation (GRE) to establish its data channel.
Unfortunately, PPTP does not have any of its own encryption or authentication features. It relies on PPP to implement these functions — which is problematic since PPP’s authentication system and the encryption that Microsoft added to it, MPPE, are both weak.
Encryption: Microsoft’s Point-to-Point Encryption protocol (MPPE(nouvelle fenêtre)), which uses the RSA RC4 algorithm. MPPE’s maximum strength is 128-bit keys.
Speed: Because its encryption protocols do not require much computing power (RC4 and only 128-bit keys), PPTP maintains fast connection speeds.
Known vulnerabilities: PPTP has had numerous known security vulnerabilities since 1998. One of the most severe vulnerabilities exploits unencapsulated MS-CHAP v2 authentication to perform a man-in-the-middle (MITM) attack.
Firewall ports: TCP port 1723. PPTP’s use of GRE means it cannot navigate a network address translation firewall and is one of the easiest VPN protocols to block. (A NAT firewall allows several people to share one public IP address at the same time. This is important because most individual users do not have their own IP address.)
Stability: PPTP is not as reliable, nor does it recover as quickly as OpenVPN over unstable network connections.
Conclusion: If you are concerned about securing your data, there is no reason to use PPTP. Even Microsoft has advised(nouvelle fenêtre) its users to upgrade to other VPN protocols to protect their data.
L2TP/IPSec
Layer two tunneling protocol (L2TP) was meant to replace PPTP. L2TP can handle authentication on its own and performs UDP encapsulation, so in a way, it can form both the control and data channel. However, similar to PPTP, it does not add any encryption itself. While L2TP can send PPP, to avoid PPP’s inherent weaknesses, L2TP is usually paired with the Internet Protocol security (IPSec) suite to handle its encryption and authentication.
IPSec is a flexible framework that can be applied to VPNs as well as routing and application-level security. When you connect to a VPN server with L2TP/IPSec, IPSec negotiates the shared keys and authenticates the connection of a secure control channel between your device and the server.
IPSec then encapsulates the data. When IPSec performs this encapsulation, it applies an authentication header and uses the Encapsulation Security Payload (ESP). These special headers add a digital signature to each packet so attackers cannot tamper with your data without alerting the VPN server.
ESP encrypts the encapsulated data packets so that no attacker can read them (and, depending on the settings of the VPN, also authenticates the data packet). Once IPSec has encapsulated the data, L2TP encapsulates that data again using UDP so that it can pass through the data channel.
Several VPN protocols, including IKEv2, use IPSec encryption. While generally secure, IPSec is very complex, which can lead to poor implementation. L2TP/IPSec is supported on most major operating systems.
Encryption: L2TP/IPSec can use either 3DES or AES encryption, although given that 3DES is now considered a weak cipher, it is rarely used.
Speed: L2TP/IPSec is generally slower than OpenVPN when using the same encryption strength. This is mainly due to the fact that the AES encryption used by OpenVPN is hardware accelerated on most common processors.
Known vulnerabilities: L2TP/IPSec is an advanced VPN protocol, but a leaked NSA presentation(nouvelle fenêtre) suggests that the intelligence agency has already found ways to tamper with it. Furthermore, due to the IPSec’s complexity, many VPN providers used pre-shared keys(nouvelle fenêtre) to set up L2TP/IPSec.
Firewall ports: UDP port 500 is used for the initial key exchange, UDP port 5500 for NAT traversal, and UDP port 1701 to allow L2TP traffic. Because it uses these fixed ports, L2TP/IPSec is easier to block than some other protocols.
Stability: L2TP/IPSec is not as stable as some of the more advanced VPN protocols. Its complexity can lead to frequent network drops.
Conclusion: L2TP/IPSec’s security is undoubtedly an improvement over PPTP, but it might not protect your data from advanced attackers. Its slower speeds and instability also mean that users should only consider using L2TP/IPSec if there are no other options.
IKEv2/IPSec
Internet key exchange version two (IKEv2) is a relatively new tunneling protocol that is actually part of the IPSec suite itself. Microsoft and Cisco cooperated on the development of the original IKEv2/IPSec protocol, but there are now many open-source iterations.
IKEv2 sets up a control channel by authenticating a secure communication channel between your device and the VPN server using the Diffie–Hellman key exchange(nouvelle fenêtre) algorithm. IKEv2 then uses that secure communication channel to establish what is called a security association, which simply means your device and the VPN server are using the same encryption keys and algorithms to communicate.
Once the security association is in place, IPSec can create a tunnel, apply authenticated headers to your data packets, and encapsulate them with ESP. (Again, depending on which cipher is used, the ESP could handle the message authentication.) The encapsulated data packets are then encapsulated again in UDP so that they can pass through the tunnel.
IKEv2/IPSec is supported on Windows 7 and later versions, macOS 10.11 and later versions, as well as most mobile operating systems.
Encryption: IKEv2/IPSec can use a range of different cryptographic algorithms, including AES, Blowfish, and Camellia. It supports 256-bit encryption.
Speed: IKEv2/IPSec is a fast VPN protocol, although not usually as fast as hardware-accelerated OpenVPN or WireGuard.
Known vulnerabilities: IKEv2/IPSec has no known weaknesses, and almost all IT security experts consider it to be safe when properly implemented with Perfect Forward Secrecy.
Firewall ports: UDP port 500 is used for the initial key exchange and UDP port 4500 for NAT traversal. Because it always uses these ports, IKEv2/IPSec is easier to block than some other protocols.
Stability: IKEv2/IPSec supports the Mobility and Multihoming protocol, making it more reliable than most other VPN protocols, especially for users that are often switching between different WiFi networks.
Conclusion: With strong security, high speeds, and increased stability, IKEv2/IPSec is a good VPN protocol. However, the recent introduction of WireGuard means there are few reasons to choose it over the newer VPN protocol.
OpenVPN
OpenVPN is an open-source tunneling protocol. As opposed to VPN protocols that rely on the IPSec suite, OpenVPN uses SSL/TLS to handle its key exchange and set up its control channel and a unique OpenVPN protocol to handle encapsulation and the data channel.
This means that both its data channel and control channel are encrypted, which makes it somewhat unique compared to other VPN protocols. It is supported on all major operating systems via third-party software.
Encryption: OpenVPN can use any of the different cryptographic algorithms contained in the OpenSSL(nouvelle fenêtre) library to encrypt its data, including AES, RC5, and Blowfish.
Learn more about AES encryption
Speed: When using UDP, OpenVPN maintains fast connections, although IKEv2/IPSec and WireGuard are generally accepted to be quicker.
Known vulnerabilities: OpenVPN has no known vulnerabilities as long as it is implemented with a sufficiently strong encryption algorithm and Perfect Forward Secrecy. It is the industry standard for VPNs concerned about data security.
Firewall ports: OpenVPN can be configured to run on any UDP or TCP port, including port TCP port 443, which handles all HTTPS traffic and makes it very hard to block.
Stability: OpenVPN is very stable in general and has a TCP mode for defeating censorship.
Conclusion: OpenVPN is secure, reliable, and open source. It is one of the best VPN protocols currently in use, especially for users concerned primarily about data security. Its ability to route connections over TCP (see below) also makes it a good choice for evading censorship. However, although it lacks OpenVPN’s anti-censorship advantage, WireGuard is also secure and is faster than OpenVPN.
WireGuard®
WireGuard(nouvelle fenêtre) is an open-source VPN protocol that is secure, fast, and efficient.
Encryption: WireGuard uses ChaCha20 for symmetric encryption (RFC7539(nouvelle fenêtre)), Curve25519 for anonymous key exchange, Poly1305 for data authentication, and BLAKE2s for hashing (RFC7693(nouvelle fenêtre)). It automatically supports Perfect Forward Secrecy.
Speed: WireGuard uses new, high-speed cryptographic algorithms. ChaCha20, for example, is much simpler than AES ciphers of equal strength and nearly as fast, even though most devices now come with instructions for AES built into their hardware. The result is that WireGuard offers fast connection speeds and has low CPU requirements.
Known vulnerabilities: WireGuard has undergone various formal verifications, and to be incorporated in the Linux kernel, the WireGuard Linux codebase was independently audited(nouvelle fenêtre) by a third party.
Firewall ports: WireGuard can be configured to use any port and usually runs over UDP. However, Proton VPN also offers a WireGuard TCP in most of our apps.
Stability: WireGuard is a very stable VPN protocol and introduces new features that other tunneling protocols do not have, such as maintaining a VPN connection while changing VPN servers or changing WiFi networks.
Conclusion: A state-of-the-art VPN protocol, WireGuard is fast, efficient, and secure. It is not as “battle-tested” as OpenVPN and does not offer OpenVPN’s TCP-based anti-censorship capabilities (see below), but for most people, most of the time, it is the VPN protocol we recommend using.
Stealth
Stealth is a new VPN protocol developed by Proton. With it, you can access censored sites and communicate with people on social media, even when regular VPN protocols are blocked by your government or organization.
Stealth is based on WireGuard tunneled over TLS. It therefore uses the same encryption as WireGuard, with an added layer of TLS encryption. It is otherwise identical to WireGuard (described above).
Other important terms
Going through the comparisons of the different VPN protocols, you may have encountered acronyms or technical terms that you were not familiar with. We explain some of the most important ones here.
TCP vs. UDP
The transmission control protocol (TCP) and user datagram protocol (UDP) are the two different ways that devices can communicate with each other over the internet. They both run on the Internet Protocol, which is responsible for sending data packets to and from IP addresses.
When you see that a tunneling protocol uses a TCP port or a UDP port, it means that it sets up a connection between your computer and the VPN server using one of these two protocols.
Whether a VPN protocol uses TCP, UDP, or both can significantly affect its performance. The TCP primarily focuses on delivering data accurately by running additional checks to ensure that data is in the proper order and correcting it if it’s not.
This sounds like a good feature, but performing checks takes time, resulting in slower performance. Running a VPN over TCP (TCP over TCP) can slow down your connection in what’s called a TCP meltdown.
For example, if you have TCP traffic passing through an OpenVPN TCP tunnel and the TCP data in the tunnel detects an error, it will try to compensate, which could cause the TCP tunnel to overcompensate. This process can cause severe delays in the delivery of your data.
However, it is also good for defeating censorship. This is because HTTPS(nouvelle fenêtre) traffic uses TCP port 443, so if you route your VPN connection over the same port, it looks like ordinary secure VPN traffic.
The ability to run VPN traffic over port 443 is one of the biggest advantages of using OpenVPN (and WireGuard, if using Proton VPN’s custom TCP implementation of the protocol).
Perfect Forward Secrecy
Perfect Forward Secrecy is a critical security component of encrypted communication. It refers to operations that govern how your encryption keys are generated. If your VPN supports Perfect Forward Secrecy, it will create a unique set of keys for each session (i.e., each time you establish a new VPN connection).
This means that even if an attacker somehow gets one of your keys, they can only use it to access data from that specific VPN session. The data in the rest of your sessions would remain safe since different unique keys protect them. It also means that your session key will remain secure even if your VPN’s private key is exposed.
Protocols used by Proton VPN apps
We started Proton VPN to ensure activists, dissidents, and journalists have secure and private access to the internet. To keep the Proton community safe, we only use trusted and vetted VPN protocols. The following list shows which VPN protocols are supported in our different apps:
- Windows: OpenVPN, WireGuard®, and Stealth
- macOS: OpenVPN, IKEv2, WireGuard, and Stealth
- Android: OpenVPN, WireGuard, and Stealth
- iOS/iPadOS: OpenVPN, IKEv2, WireGuard, and Stealth
- Linux: OpenVPN and WireGuard
You can use OpenVPN and WireGuard in UDP or TCP modes.
Learn how to change VPN protocols
Our Windows, macOS, Android, and iOS/iPadOS apps support Smart Protocol. This anti-censorship feature that intelligently probes networks to discover the best VPN protocol configuration required for optimal performance or bypass censorship.
For example, it can automatically switch from IKEv2 to OpenVPN, or OpenVPN UDP to OpenVPN TCP, using different ports as required.
Learn more about Smart Protocol(nouvelle fenêtre)
All of our apps use the strongest security settings supported by the VPN protocol. OpenVPN, WireGuard, and IKEv2/IPSec are the only protocols that the vast majority of IT security experts agree are secure.
We refuse to offer any VPN connections using PPTP or L2TP/IPSec (even though they are cheaper to run and easier to configure) because their security does not meet our standards.
When you sign in to Proton VPN, you can be confident that your VPN connection is using the latest and strongest tunneling protocols.
Best regards,
The Proton VPN Team
You can follow us on social media to stay up to date on the latest Proton VPN releases:
Twitter (nouvelle fenêtre)| Facebook(nouvelle fenêtre) | Reddit(nouvelle fenêtre)
To get a free Proton Mail encrypted email account, visit: proton.me/mail(nouvelle fenêtre)