VPNs (Virtual Private Networks) are nothing new. With the recent pandemic and the increasing demand for a remote workforce, many have at least heard the term VPN, if not used one. However, do you know what makes a VPN work? Invented in the 90s, the technology was an upgrade of a tunneling protocol: a Microsoft engineer working on the PPTP protocol devised the VPNs we use today.
Although businesses have been using the basic form of the technology since the 80s, it was only the implementation of suitable protocols that made VPNs a household name. Commercial vendors promote their VPNs by underlining their protocol superiority. Why? Because the security protocol of the VPN is responsible for the tunneling process that makes VPNs secure and private. That is why, today, we will be taking a closer look at the different VPN protocols. You’ll also learn what a VPN protocol is and how it works.
What is a VPN protocol?
Security protocols or VPN protocols, as we know them, are a set of rules that determine how the data packets will be encrypted and sent over a private network. Thus, not only are they responsible for the encapsulation of data, but also represent the driving factors behind the whole tunneling method that makes VPNs popular.
When the VPN client connects to a VPN server, it uses the protocol to determine the mode of exchange. Both sides, while adhering to the protocol, decide how the data will travel, which encryption to use, which security policies to implement, and more. The client then sets up a virtual tunnel based on the security policies and rules contained within the protocol. The tunnel connects to the server as if you were using a wire to set up a LAN (Local Area Network).
That is why people often refer to VPNs as VLANs (virtual LANs). By establishing this tunnel, a VPN will ensure your network remains inaccessible to outsiders. Even if somehow data gets intercepted, due to the encryption, it will remain secure.
Protocols are what make it possible. They:
- Establish a safe tunnel for your data to reach the server — Your connection remains separate from the public internet, making your data difficult to hijack. It also lets you access the internet remotely from behind the server, making you (nearly) anonymous on the internet.
- Bypass firewall restrictions — Since the traffic is encrypted, firewalls can’t distinguish what you are doing online. This also helps you bypass geo-restrictions.
Thus, at the core of a VPN, you will find protocols, also known as security or tunneling protocols.
How does it work?
A protocol defines how the data will travel. It encapsulates the packets and defines parameters such as:
- Packet size
- Error correction types
- Authentication techniques
- Address format (header)
Numerous protocols are in use today. While some favor speed, others provide robust security. When you use a VPN, the following events take place behind the scenes:
- The client intercepts the “interesting” traffic and initiates the encapsulation process.
  - The protocol dictates which encryption will be applied to the data packets.
- The data packets, with their modified header, are encapsulated within another packet.
  - This is the step we call encryption, and VPN protocols define it.
- The client and server exchange keys accordingly.
  - The exchange is likewise pre-determined by the security protocol.
- The data then travels to the server via the tunnel.
  - The tunnel is nothing but the set of security policies based on the SA (Security Association) or other authentication factors.
- The server decrypts the data using the keys and forwards it to its destination.
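The sequence above, as an added example that is not from the original article: a small Go model of one direction of a VPN tunnel. It stands in AES-256-GCM for the protocol's cipher and an IPsec-style SPI plus packet counter for the SA state; the key, the header layout and the packet contents are constructed for the demonstration, not taken from any real protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// tunnel models one direction of a Security Association (SA): a shared AES-256-GCM key,
// an SPI naming the SA, and a packet counter that provides replay protection.
type tunnel struct {
	aead       cipher.AEAD
	spi        uint32
	send, recv uint64 // next outgoing counter; lowest acceptable incoming counter
}

func newTunnel(key []byte, spi uint32) (*tunnel, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &tunnel{aead: aead, spi: spi}, err
}

// encapsulate prepends a 12-byte cleartext header, SPI || counter, that doubles as
// the GCM nonce and is bound into the tag as associated data, so it cannot be altered.
func (t *tunnel) encapsulate(inner []byte) []byte {
	hdr := make([]byte, 12)
	binary.BigEndian.PutUint32(hdr, t.spi)
	binary.BigEndian.PutUint64(hdr[4:], t.send)
	t.send++
	return t.aead.Seal(hdr, hdr, inner, hdr)
}

// decapsulate drops short packets, foreign SPIs and replayed or reordered counters
// before the AEAD check; the receive window advances only once the tag has verified.
func (t *tunnel) decapsulate(outer []byte) ([]byte, error) {
	if len(outer) < 12+t.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr, body := outer[:12], outer[12:]
	ctr := binary.BigEndian.Uint64(hdr[4:])
	if binary.BigEndian.Uint32(hdr) != t.spi || ctr < t.recv {
		return nil, errors.New("unknown SA or replayed/reordered counter")
	}
	inner, err := t.aead.Open(nil, hdr, body, hdr)
	if err == nil {
		t.recv = ctr + 1 // a tampered packet must not move the window
	}
	return inner, err
}
```

Feed the same encapsulated datagram to `decapsulate` twice and the second call fails on the counter, which is the property that makes the tunnel more than plain encryption.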
Different VPN protocols
First, different VPNs use different protocols. Why, and isn’t there one that everyone could use? Let’s answer that.
Why use a variety of protocols?
No two protocols offer the same thing. Some protocols are outdated but cheaper to implement, while others may be secure but slow. Thus, vendors employ different protocols according to the needs of their users. There are two main approaches:
- They either use two protocols layered on top of one another.
- Or they use a single protocol proficient in both tasks.
Some protocols do not excel as standalone solutions. Although you can use them separately, doing so renders the VPN moot. As such, they are often paired up to make up for each other’s deficiencies.
- Generally, a protocol good at moving the packets gets paired with a separate protocol for tunnel establishment. Prime examples are IKEv2/IPsec and L2TP/IPsec.
- Some protocols are good enough to be used alone, as they provide both security and transport. OpenVPN, WireGuard, and SoftEther are such protocols.
Which protocols are in use today?
Given below is a list of commonly used VPN protocols:
PPTP
It is one of the oldest VPN protocols available, though severely outdated. Developed by Microsoft back in the 90s, it was used extensively for dial-up connections. It can connect both to the internet and to an intranet. PPTP is undoubtedly one of the most used protocols in VPN history but is no longer secure. It uses weak, outdated 128-bit encryption that offers next to no security. It is often monitored by the NSA, too. Since it is one of the early iterations of a protocol, it has native support on most platforms and is easy to set up.
Despite being extremely vulnerable, many still use PPTP. That’s because it is one of the fastest VPN protocols available. Since it has nothing going on in the security department and uses lightweight encryption, it is considerably faster. It is the go-to protocol for streaming if security is not your concern.
- Fast speed
- Wide support
- Next to no security
L2TP/IPsec
On its own, L2TP doesn’t provide strong authentication, so it is combined with other protocols. More specifically, it usually draws on the advantages of IPsec. L2TP/IPsec is decently fast and secure and suitable for mobile applications. Most regard it as a replacement for PPTP, as it has no known vulnerability. Fun fact — L2TP is itself two protocols combined: Layer 2 Forwarding Protocol (L2F) and Point-to-Point Tunneling Protocol (PPTP).
- A decently rounded protocol
- Slower than its predecessor PPTP
- Works on mobile and smartphones
- Uses IPsec to ensure privacy and security
- Easy to block due to its reliance on UDP on a single port
IKEv2/IPsec
It is another protocol bundled together with IPsec for best results, and it is the protocol most commercial VPNs use. It is very secure and versatile, making IKEv2 one of the latest and most advanced protocols. Jointly developed by Microsoft and Cisco, it is the second version of the Internet Key Exchange. It is fast, stable, secure, and very easy to set up. However, since it is new, there is a lack of support for older platforms. IKEv2 is one of the few protocols that are good at re-establishing a dropped VPN connection. Finally, it’s a primary candidate for use on mobile devices.
- Faster than most protocols
- Best for mobile use
- Network switching capabilities
- Great support for native and third-party applications
OpenVPN
The uncrowned king of protocols. Due to its open-source nature, it is one of the most extensively used protocols available. It is also one of the most secure. It can be manually configured and supports almost every platform known today. Since it can run on any port, it can bypass most firewalls. OpenVPN uses AES-256 encryption with 2048-bit RSA authentication and the 160-bit SHA1 hash algorithm. It is the only protocol that offers a choice between speed and security: it can run over both TCP and UDP. On TCP it grants the highest level of protection, while on UDP it sacrifices additional delivery checks for a speed boost.
- Most secure protocol
- Slower, but can run on UDP to make up for it
- Open-source
- Uses the OpenSSL crypto library
WireGuard
It is a relatively new protocol that offers a balance between speed and security. Many believe it to be the replacement for IKEv2/IPsec, although it is too early to tell; after all, only a select few vendors offer this protocol. However, it is lighter and faster than most protocols, OpenVPN included. Above all, it is an open-source protocol that guarantees transparency. As it stands now, though, it doesn’t support many platforms.
WireGuard uses public-domain cryptographic primitives: Poly1305 for authentication and ChaCha20 for encryption. Additionally, it has built-in hashing provided by the BLAKE2s function. It further offers tools for developers to add their own extensions and scripts, making it a lot safer than it already is. All this while maintaining premium speed.
- More secure than OpenVPN but still in development, thus not yet considered for wider use
- Based on OpenVPN but with fewer lines of code
- No cross-platform support
- Works on Linux
SSTP
Developed by Microsoft, SSTP is only available on Windows, FreeBSD, and Linux, but it is a compelling protocol that offers top-notch security nonetheless. Standing for Secure Socket Tunneling Protocol, users can consider it a powerful replacement for PPTP and L2TP. It sends PPTP and L2TP traffic over an SSL 3.0 channel, making them secure with added encryption.
- Good security
- Difficult to block
- Great native support on Windows applications and clients
SoftEther
It started at Tsukuba University, Japan, as a pet project. Steadily it grew into a massive open-source, multi-protocol VPN software package. SoftEther is fast and secure and uses SSL for secure communication. What makes it popular is its support for other protocols such as SSTP, OpenVPN, and IPsec. It works with most operating systems, unlike WireGuard, and has functionality that beats OpenVPN, such as GUI management and RPC over HTTPS.
Compare different VPN protocols:
Protocol | Speed | Security | Stability | Compatibility | Streaming |
---|---|---|---|---|---|
PPTP | It is pretty fast but provides almost no protection. | Uses MPPE with RSA RC4 encryption algorithm. | Has serious security vulnerabilities. | Native support on most platforms. | Best |
L2TP/IPsec | It varies depending on implementation. | AES or 3DES encryption. Added via IPsec. | Closed source, no known vulnerabilities. | Supports most platforms. | OK |
IKEv2/IPsec | Not very CPU-intensive. Fast for most usage cases. | Can use Blowfish, Camellia, 3DES, ChaCha20, or AES. | Open source, few vulnerabilities. | Best for mobile platforms but active support on most OS. | Good |
OpenVPN | UDP version is faster as it skips some data checks, TCP will be slower but less prone to issues. | TLS combined with DES, RC2, DESX, BF, CAST, AES. | Open-source. Low number of vulnerabilities. | Requires configuration files. | OK |
WireGuard | One of the fastest modern tunneling protocols. | Uses ChaCha20, Curve25519, HKDF, BLAKE2, SipHash24. | Open-source. No known major security vulnerabilities. | Native support on Linux-based OSes only. | OK |
SSTP | About as fast as L2TP but is better at bypassing firewall blocks. | AES encryption | Closed source, few vulnerabilities. | Native Windows support and some Linux OSes. | Good |
SoftEther | Claims to be the fastest. | AES-256 and RSA-4096 | Open source, relatively new so nothing accurate yet. | Supports most but requires configuration files. | Untested |
What are proprietary VPN protocols?
The various market leaders of the VPN industry have spared no effort to one-up each other. As such, they often sell and compete on unique features and value-added services in a bid to topple competitors. It is this drive that led some of them to develop exclusive VPN protocols. Although these are only modified versions of familiar protocols such as OpenVPN or WireGuard, millions use them daily. Let’s take a closer look at these premium yet exclusive protocols.
- Catapult Hydra — Property of Hotspot Shield VPN, Catapult Hydra is based on TLS 1.2 and uses RSA certificates with 2048-bit keys for authentication with ephemeral keys, purging them after each session.
- NordLynx — As the name implies, this NordVPN exclusive is a modified WireGuard. All they did was add a feature, which they call “double NAT” (Network Address Translation). It randomizes your IP address without keeping data logs.
- KeepSolid Wise — Only available in VPN Unlimited, KeepSolid Wise is a modded version of OpenVPN. It uses TCP port 443 and UDP port 443, which can help you bypass most firewalls. Nothing new, however.
- Lightway — It is a proprietary VPN protocol of ExpressVPN. Lightway uses the wolfSSL cryptography library that meets the FIPS 140-2 standard. The protocol is very fast when switching networks. Since it is very new, we will not comment on it yet.
Picking a suitable protocol
Although many claim WireGuard to be the best protocol (with OpenVPN as runner-up), it is not as simple as that. Some devices and platforms do not support every protocol. Besides that, most providers do not offer a large selection of protocols. Users have to make decisions based on considerations like cost, compatibility, and usage. Thus, we have short-listed a few protocols suited to particular online activities.
- Streaming — PPTP, WireGuard, IKEv2, L2TP/IPsec, OpenVPN (UDP)
- Downloads — WireGuard or OpenVPN (UDP). If security is of no concern, consider PPTP.
- Gaming — IKEv2/IPsec or WireGuard
- Privacy — WireGuard, OpenVPN (TCP), or IKEv2/IPsec