VPN Protocols: Overview
Nowadays many protocols are used to create VPN connections. Which one should you choose, and what should you take into account when setting up the connection? Let us try to answer these questions briefly.
Point-to-Point Tunneling Protocol (PPTP) is a protocol created by Cisco Systems for building VPNs over switched access networks. PPTP was the standard protocol for building VPNs for many years; it was first supported in operating systems such as Windows NT 4.0 and Windows 95 OSR2.
Today PPTP is a standard VPN protocol that is available in all operating systems and on all communication devices, so it can be used without installing any additional software. Another advantage is that it needs few computing resources and, as a consequence, runs fast.
PPTP works by establishing an ordinary PPP session that is tunnelled over the Generic Routing Encapsulation (GRE) protocol. A second connection, on TCP port 1723, is used to initiate and control the GRE tunnel. Because two network sessions have to be set up, users may have difficulty establishing PPTP connections from behind a firewall. In addition, several Internet service providers block the GRE protocol, which makes PPTP unusable.
PPTP relies on several authentication methods to secure the connection, of which MS-CHAP v.2 is the most commonly used. The data transferred via PPTP are encrypted with the MPPE protocol, which uses the RSA RC4 algorithm with keys of up to 128 bits.
Since its inception, the PPTP implementation has had various drawbacks, the most serious of which is a vulnerability in the MS-CHAP v.2 authentication protocol that allows the encryption key to be recovered within 24 hours. Because of this security problem, PPTP should only be used for VPNs where the confidentiality of the transferred data is not required.
- the PPTP client is supported by all operating systems (except the latest versions of iOS)
- it is easy to set up
- it works fast
- it is insecure
The PPTP protocol is insecure, so it should not be used for transferring sensitive data. However, if the VPN is used only to change the apparent geographical location and to hide the real IP address, PPTP can be a good option thanks to its cross-platform support and speed.
Layer 2 Tunneling Protocol (L2TP) is a network protocol based on the PPP link-layer protocol. It was created in 1999 by Cisco and Microsoft as a further development of PPTP and is now an industry standard (RFC 2661).
As L2TP itself provides neither encryption nor confidentiality of traffic, a VPN based on L2TP usually relies on the IPSec (IP Security) protocol to protect the transferred data. The combination of L2TP and IPSec is called L2TP/IPSec (RFC 3193).
L2TP/IPSec uses UDP as its transport: port 1701 is used as the source and destination port to initiate the tunnel, UDP port 500 is used to exchange encryption keys, UDP port 4500 is used for NAT traversal, and IP protocol 50 (ESP) carries the encrypted data via IPSec.
L2TP/IPSec is supported by all operating systems and communication devices and, like PPTP, is easy to set up, although Linux systems may require additional software packages.
As for security, VPN connections via L2TP/IPSec are secure enough, as they provide confidentiality, integrity and authentication of the data.
Compared with other VPN protocols, L2TP/IPSec is more "capricious" when it comes to stable and reliable operation. If the VPN client sits behind a network device that performs network address translation or does not pass packets on UDP port 500, the L2TP/IPSec connection will not be established. Besides, as L2TP/IPSec encapsulates the transferred data twice, it is less efficient and slower than other VPN protocols.
- good level of security
- it is easy to set up
- it is available in all modern operating systems
- it works slower than other VPN protocols
- additional setting of the router may be required
The L2TP/IPSec protocol provides a high level of security for the transferred data, is easy to set up and is supported by all modern operating systems. However, compared with other VPN protocols, it is less stable and slower.
Internet Key Exchange version 2 (IKEv2) is a tunnelling protocol from the IPSec protocol suite, developed by Microsoft and Cisco. It ships with Windows 7 and later and is supported by Blackberry and Apple mobile devices. An open-source implementation is available for Linux.
Data are transferred via UDP ports 500 and/or 4500 and encrypted with the 3DES and AES algorithms. UDP provides high speed and causes no problems with NAT or network firewalls.
Thanks to these capabilities, IKEv2 is especially suitable for users of mobile devices: it re-establishes the VPN tunnel automatically after a temporary loss of connectivity, for example when the user is in the subway. The protocol also handles frequent network changes well, for example switching between Wi-Fi access points or between Wi-Fi and a mobile network. It is one of the few protocols supported by Blackberry devices.
- high level of security and speed
- greater stability in work
- it is good for mobile devices
- it is easy to set up
- it uses fixed ports, which makes it easy to block
Thanks to its security, stability and speed, IKEv2 is currently the best VPN option for mobile users.
OpenVPN is a fully featured open-source solution for building a VPN, based on OpenSSL and the SSL/TLS protocols. Thanks to its free availability, OpenVPN has become almost a de facto standard in VPN technology; it is flexible to configure and offers plenty of functionality.
In its default configuration OpenVPN uses the UDP protocol and port 1194 for data transfer. However, the VPN connection can easily be configured to work over TCP and over any port, for example TCP port 443, which lets OpenVPN traffic be disguised as ordinary HTTPS and pass firewalls that would otherwise block it.
Using OpenSSL as its base allows OpenVPN to support many cryptographic algorithms (for example RSA, AES, Blowfish, 3DES and others) for stronger protection of the transferred data. OpenVPN's performance depends on the chosen encryption algorithm but, as a rule, it works faster than IPSec.
The option of using TCP allows stable and reliable operation on wireless, mobile and other heavily loaded networks with a higher level of packet loss. To increase throughput, the client can use LZO-based data compression.
To use OpenVPN as a client, additional software may be necessary: nowadays there are many free and commercial apps for all modern operating systems, including mobile platforms.
- flexible setting
- high level of security
- greater stability and security
- additional software is necessary
Today OpenVPN is the best option for building a VPN. It provides a secure and fast VPN connection, and setting it up is quite easy, as it comes down to installing a free app that is available for all platforms and operating systems.
To sum up:
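The port and protocol numbers given above for PPTP, L2TP/IPSec, IKEv2 and OpenVPN are enough to spot which VPN protocols hosts on a network are using from firewall logs. The following is an added example, not code from the original article: it classifies flows from a constructed, hypothetical log format by those signatures, groups them per source host, and flags hosts that still use PPTP.

```python
import re
from collections import defaultdict

# Port/protocol signatures taken from the protocol descriptions above.
# GRE (IP protocol 47) and ESP (IP protocol 50) carry no port number.
SIGNATURES = {
    ("tcp", 1723): "PPTP control",
    ("gre", None): "PPTP data (GRE)",
    ("udp", 1701): "L2TP tunnel setup",
    ("udp", 500): "IKE key exchange (L2TP/IPSec or IKEv2)",
    ("udp", 4500): "IKE NAT traversal (L2TP/IPSec or IKEv2)",
    ("esp", None): "IPSec ESP data",
    ("udp", 1194): "OpenVPN (default port)",
}

# Constructed log format: "... proto=<tcp|udp|gre|esp> src=<ip> dst=<ip> [dport=<n>]"
LINE_RE = re.compile(r"proto=(?P<proto>\w+) src=(?P<src>\S+) dst=\S+(?: dport=(?P<dport>\d+))?")

def classify_flow(line):
    """Return (src, label) for a recognised VPN flow, else None. OpenVPN moved to
    e.g. TCP 443 looks like HTTPS and is not recognised, as the text above explains."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto = m.group("proto").lower()
    dport = int(m.group("dport")) if m.group("dport") else None
    label = SIGNATURES.get((proto, dport) if proto in ("tcp", "udp") else (proto, None))
    return (m.group("src"), label) if label else None

def summarize(lines):
    """Group recognised VPN flows per source host; flag hosts using PPTP (MS-CHAP v.2 is broken)."""
    per_host = defaultdict(set)
    for line in lines:
        hit = classify_flow(line)
        if hit:
            per_host[hit[0]].add(hit[1])
    findings = [f"{host}: insecure PPTP VPN in use"
                for host, labels in sorted(per_host.items())
                if any(l.startswith("PPTP") for l in labels)]
    return dict(per_host), findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "ALLOW proto=tcp src=10.0.0.5 dst=203.0.113.10 dport=1723",
    "ALLOW proto=gre src=10.0.0.5 dst=203.0.113.10",
    "ALLOW proto=udp src=10.0.0.7 dst=203.0.113.20 dport=500",
    "ALLOW proto=udp src=10.0.0.9 dst=203.0.113.30 dport=1194",
    "ALLOW proto=tcp src=10.0.0.9 dst=198.51.100.1 dport=443",
]
```

Note that with L2TP/IPSec the L2TP traffic on UDP 1701 normally travels inside ESP, so on a real network you will usually see only the IKE and ESP flows, not the 1701 port itself.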
- PPTP is an insecure protocol: your data may be intercepted or decrypted. It should only be used for changing the apparent geographical location and hiding the real IP address.
- L2TP/IPSec has an acceptable level of protection, is flexible to configure, requires no additional software (except on Linux) and is a good alternative to PPTP.
- IKEv2 is a modern VPN protocol that is secure and fast. It is suitable for users of mobile devices, especially Blackberry.
- OpenVPN is open source, fast and secure. It is flexible to configure and works stably. Even though additional software may need to be installed, it is currently the best option for a VPN.
In other words, use OpenVPN where possible and IKEv2 on mobile devices. If the user only needs to hide their IP address, L2TP/IPSec or PPTP will do.