If you are unable to access content on the Internet because of government censorship, a VPN might solve the problem, but the sluggish speeds that often come with a VPN make the experience less rewarding. Changing the routing protocol of your VPN might fix the speed, but should you?
The routing protocol that connects your device to the VPN server can increase the speed of your connection, but choosing a less secure protocol for the sake of speed can expose your data to malicious parties.
For these reasons, using the right VPN protocol when connecting to your VPN server is essential. Here we look at how VPN tunnelling protocols work and compare the six most popular ones: PPTP, L2TP/IPsec, SSTP, IKEv2, OpenVPN and WireGuard.
How do VPN tunnelling protocols work?
Virtual Private Networks (VPNs) are encrypted gateways to the Internet: they let users connect two private networks through a secure logical tunnel that runs over the public Internet.
To achieve this security, a VPN uses a routing protocol, also called a tunnelling protocol. The protocol defines a set of rules that both the client and the server must follow to create a secure connection between each other. If the server believes the communication channel has been compromised, it drops that tunnel and creates a new one for secure communications.
Every VPN protocol relies on two main principles to create a secure communication tunnel between the client and the server: encapsulation and encryption.
- Encapsulation: The data you send across the Internet is like a letter in an envelope. The letter is the data you send to a website (the request) and the envelope carries both the sender's and the receiver's IP addresses. Without a VPN, these addresses can be read by your ISP and by the websites you visit, which keep logs of the traffic that passed through their networks. With a VPN, your letter gets an extra envelope of security whose receiver address is the VPN server's IP address. Your ISP therefore sees a request addressed to the VPN server rather than to the intended website, and does not learn the real destination of your data. When the letter reaches the VPN server, the server removes the extra envelope, revealing the real destination. It then changes the sender's address on the envelope to its own IP address and forwards the data to the website. The website processes the request and sends its response back to the VPN server, which returns it to the client.
This process of encapsulation anonymises your IP address for both your ISP and the website you are visiting, which is why restrictions placed by your ISP no longer apply when you use a VPN.
- Encryption: Once a connection is established between the client and the VPN server, the data travelling through the tunnel is protected with encryption algorithms. Each protocol uses a different encryption mechanism, so the security they offer varies. A more robust encryption mechanism provides more protection but lowers network speed at the same time.
Comparing VPN protocols
VPN providers use many different protocols. To help you select the right one, we go over the most widely used VPN protocols and compare them on several parameters, including security and speed.
PPTP (Point-to-Point Tunnelling Protocol) is the oldest VPN protocol and was released in the late nineties by Microsoft. It was built into Windows 95 and later versions of Windows and also ships with Linux and Android devices. Because of this, you can use PPTP without installing any third-party application, and it is easy to configure on most client devices.
As the protocol was created in the 90s, it does not offer the level of security required today. It has known security vulnerabilities, and Apple devices running iOS 10 and macOS Sierra or later no longer support it.
To encapsulate data, PPTP uses Generic Routing Encapsulation (GRE), and for encryption it uses Microsoft Point-to-Point Encryption (MPPE). MPPE encrypts data with RSA's RC4 stream cipher (40-bit, 56-bit or 128-bit keys), and because the ciphertext carries no integrity protection it can be manipulated with a bit-flipping attack. The protocol uses MS-CHAP for authentication, which is also insecure and can be broken if user passwords are weak.
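The malleability the paragraph above refers to, demonstrated with an added Python example that is not from the original article. It pairs a textbook RC4 implementation with a constructed key and message (no real MPPE session material) to show that a flipped ciphertext bit arrives as the same flipped plaintext bit with no error, and then adds an HMAC tag, the kind of integrity protection MPPE lacks, so the same modification is rejected.

```python
import hashlib
import hmac

# Constructed demo keys and message; not real MPPE session material.
ENC_KEY = b"demo-session-key"
MAC_KEY = b"demo-mac-key"
MSG = b"GET /account HTTP/1.1"

def rc4_keystream(key: bytes, length: int) -> bytes:
    # Textbook RC4 (KSA then PRGA), included only to show the malleability.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    # Stream cipher: XOR with the keystream, so one call both encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))

def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    # One bit changed in transit (line corruption or deliberate alteration).
    buf = bytearray(data)
    buf[index] ^= 1 << bit
    return bytes(buf)

def unauthenticated_receive(ciphertext: bytes) -> bytes:
    # MPPE-style receiver: decrypts blindly; a flipped ciphertext bit becomes
    # the same flipped plaintext bit, and nothing signals that it happened.
    return rc4_crypt(ENC_KEY, ciphertext)

def seal(data: bytes) -> bytes:
    # Hardened form: encrypt-then-MAC, tag computed over the whole ciphertext.
    # (A modern AEAD such as AES-GCM or ChaCha20-Poly1305 replaces both parts.)
    ct = rc4_crypt(ENC_KEY, data)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def authenticated_receive(sealed: bytes):
    # Returns the plaintext, or None when the tag fails (tampering detected).
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest()):
        return None
    return rc4_crypt(ENC_KEY, ct)
```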
All these vulnerabilities show that the protocol is not secure enough and can be broken. In fact, the NSA has broken PPTP by exploiting them.
Because of its early design, PPTP uses dial-up style connections that rely on call IDs to establish a connection. This can cause problems with VPN passthrough when Network Address Translation is in use.
When it comes to speed, connections established with PPTP can be the fastest of all the protocols compared here. This is due to its lightweight encryption and a less resource-hungry encapsulation protocol.
Should you use PPTP?
Given these vulnerabilities, most people would advise against using PPTP at all. However, if you connect to your resources over HTTPS, the data is encrypted by HTTPS itself, and coupled with the speed of PPTP the browsing experience can be rewarding.
If you are using plain HTTP, you should not use PPTP, as it can be dangerous. Using PPTP on public WiFi is also risky because of the little security it offers.
L2TP (Layer 2 Tunnelling Protocol) is an update to PPTP developed by Cisco and Microsoft. L2TP is purely an encapsulation (tunnelling) protocol and offers no encryption of its own, so it is paired with IPsec (Internet Protocol Security) for encryption and authentication.
The L2TP/IPsec protocol can be used with most operating systems and comes bundled with macOS, Windows and Android. It is easy to configure and provides adequate security measures.
L2TP, which builds on PPTP, offers more security when encapsulating data between the client and the server, and combining it with IPsec makes it a very secure protocol. With IPsec in ESP tunnel mode, the data can be encrypted with AES and authentication can be carried out using the Internet Key Exchange (IKE) protocol.
L2TP with IPsec offers multiple layers of security, but there has been speculation that the protocol can be broken by the NSA. Security vulnerabilities were also discovered when using IKE with Cisco PIX servers, which can break the security of the protocol.
When it comes to speed, L2TP with IPsec in ESP tunnel mode performs a lot of encryption, which costs speed. IPsec is also very resource hungry and can reduce network throughput. That said, using IPsec in AH mode could increase network speed, as AH only authenticates the data and does not encrypt it. This reduces security but can be used to increase data speeds when no sensitive data is being transferred.
Should you use L2TP with IPSec?
L2TP with IPsec can offer a lot of security when configured appropriately. As these protocols operate at the network layer of the OSI model (layer three), they offer more control over your data and less abstraction than protocols that use the transport layer (layer four).
The L2TP protocol uses port 1701 for creating the tunnel and transferring the data. This port can be blocked by firewalls and can also cause some problems when used along with Network Address Translation.
All in all, L2TP/IPSec offers more security when compared to PPTP, but reduces the speed of the connection when using a lot of encryption. The speed might be increased by lowering the encryption, which in turn could compromise data.
SSTP, or Secure Socket Tunnelling Protocol, is a proprietary protocol created by Microsoft. Offering more security than PPTP and L2TP/IPsec, it is used by many VPNs today, but because of its proprietary nature it can only be used on Windows, routers, Android and Linux.
Built into Windows Vista and later, SSTP can be configured easily without third-party software on clients that support it.
In terms of security, SSTP is top-notch. It uses SSL/TLS to establish a secure connection between client and server, so data is encrypted with AES and authentication is performed with 2048-bit SSL/TLS certificates.
To transfer data, SSTP uses HTTP over SSL/TLS on port 443, which lets it pass through firewalls and makes it hard to block with firewall rules.
SSTP offers fast data transfers when the encryption used has shorter key lengths. If 256-bit AES is used, data speeds can be slower because of the resource-hungry nature of the encryption.
Should you use SSTP?
SSTP offers a lot of security, but it was created by Microsoft, and the company has been known to collaborate with the NSA in the past. SSTP is also prone to TCP meltdown, which can cause issues when using peer-to-peer sharing such as torrents.
All in all, SSTP is a secure protocol when compared to PPTP and L2TP/IPSec, but could have loopholes due to its proprietary nature.
IKEv2 (Internet Key Exchange version 2) is part of the IPsec stack and is used to establish secure communications between client and server in a VPN. Developed by Microsoft and Cisco, IKEv2 supports IPsec's latest encryption algorithms.
The protocol uses MOBIKE, which tolerates network changes and keeps the client connected to the VPN server even when the underlying network changes.
IKEv2 is very versatile and can run on most devices. With various open-source implementations available, it is a widely used VPN protocol.
In terms of security, IKEv2 can be used with various encryption algorithms such as AES, 3DES and ChaCha20. For authentication, IKEv2 can use pre-shared keys, digital signatures and public-key encryption, with Diffie–Hellman key exchange to agree on session keys.
IKEv2 also supports Perfect Forward Secrecy, which generates new keys for each session, making the protocol even more secure.
When it comes to speed, IKEv2 is one of the fastest protocols out there, thanks to its new architecture and efficient request-response mechanism. The use of UDP port 500 also reduces latency, but makes the protocol easy for firewalls to block.
Should you use IKEv2?
Offering a wide range of security options along with fast connections, IKEv2 is one of the best VPN protocols out there. That said, the protocol has some vulnerabilities: its Diffie–Hellman key exchange can be broken with a Logjam attack, and using weak passwords with IPsec/IKEv2 can introduce further security weaknesses.
As the name suggests, OpenVPN is an open-source VPN protocol, created by James Yonan and made public in 2001. Because it is open source, anyone can scrutinise it, which makes it very secure. Its strong encryption has made OpenVPN popular.
Being open source, OpenVPN does not come bundled with any operating system and needs a client-side application to connect to the VPN server.
OpenVPN does not reuse tunnelling protocols such as IKEv2 or PPTP; instead, it uses the OpenSSL library to implement an SSL/TLS-based protocol. Thanks to OpenSSL, various authentication mechanisms such as usernames and passwords, certificate authentication and pre-shared keys can be used with OpenVPN. For encryption, 256-bit ciphers from OpenSSL can be used to keep data secure in transit.
OpenVPN can run over TCP, which offers more robust error-correction mechanisms. It can also be configured over UDP for faster connections, as UDP does not provide error correction for data transfer.
The speed of the OpenVPN protocol depends on how it is configured and the kind of cryptographic tools it uses for encryption. Using stronger encryption along with TCP will slow down your connection due to the resource-hungry nature of both TCP and data encryption.
Using OpenVPN over UDP with lower encryption could offer faster data transfers offering a better browsing experience.
Should you use OpenVPN?
Being open-source in nature and offering strong encryption OpenVPN is one of the best VPN protocols out there. That being said, there are some vulnerabilities with TLS compression in OpenVPN, which can be exploited to carry out attacks like VORACLE. When it comes to setting up an OpenVPN server or a client, things can get a little complicated due to the large number of configuration files it needs.
WireGuard is the newest addition to the open-source VPN protocols available. With its stable version released in March 2020, WireGuard focuses on simplicity and ease of use. It implements the whole protocol in only about 4,000 lines of code, which is tiny compared with protocols like OpenVPN, which runs to around 100,000 lines.
The small codebase makes it easy for any security professional to audit and makes finding security vulnerabilities easier. A small codebase can also deliver faster speeds than other protocols.
The protocol was developed for the Linux kernel but can now be implemented on Windows, macOS, iOS and Android.
In terms of security, WireGuard does not let you configure different cryptographic options; instead, it offers a fixed set of primitives known to provide good security. If a flaw is found in that set, users have to wait for a new release that fixes it.
WireGuard uses ChaCha20 for encryption and Poly1305 for message authentication. This combination can be up to three times faster on mobile devices than AES-128.
It also uses cryptokey routing, which binds each peer's public key to a list of VPN tunnel IP addresses and uses that binding as the authentication mechanism. This is a new development and makes VPN authentication much simpler.
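How the binding between a peer's public key and its tunnel addresses decides both directions of traffic, shown as an added Python model that is not WireGuard's own code. The peers, their placeholder keys and address ranges are constructed for the example; it implements the longest-prefix lookup for outgoing packets and the inner-source check for incoming ones, which is what stops a peer from sending traffic under another peer's address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Peer:
    name: str
    public_key: str            # placeholder label; real configs hold a base64 key
    allowed_ips: List[ipaddress.IPv4Network]

class CryptokeyRouter:
    """Models the AllowedIPs table: one table consulted in both directions."""

    def __init__(self, peers: List[Peer]):
        self.peers = peers

    def peer_for_outgoing(self, dst: str) -> Optional[Peer]:
        # Outbound: choose the peer whose AllowedIPs contain the destination.
        # Longest prefix wins, so a /24 beats a catch-all 0.0.0.0/0 exit route.
        ip = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if ip in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best

    def accept_incoming(self, peer: Peer, inner_src: str) -> bool:
        # Inbound: the packet decrypted under `peer`'s key, so the key already
        # identifies the sender; the inner source address must belong to that
        # same peer's AllowedIPs, otherwise the packet is dropped.
        ip = ipaddress.ip_address(inner_src)
        return any(ip in net for net in peer.allowed_ips)

def build_demo_router() -> CryptokeyRouter:
    # Constructed peers for the example (keys are placeholders, not real keys).
    n = ipaddress.ip_network
    return CryptokeyRouter([
        Peer("laptop", "PLACEHOLDER_KEY_A", [n("10.0.0.2/32")]),
        Peer("office-gw", "PLACEHOLDER_KEY_B", [n("10.0.0.3/32"), n("192.168.10.0/24")]),
        Peer("exit-node", "PLACEHOLDER_KEY_C", [n("0.0.0.0/0")]),
    ])
```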
As the protocol is implemented in very little code, it can be faster than other protocols. The use of ChaCha20 also makes it faster on mobile devices.
All that being said, WireGuard is a new protocol that shows promising results, but nothing conclusive can be said as of now.
Should you use WireGuard?
Being a new open-source VPN protocol, WireGuard could have serious security flaws that are only discovered later. That said, according to the paper A Cryptographic Analysis of the WireGuard Protocol, the protocol has an interesting design but can be susceptible to key-recovery attacks in the KCI setting.