Which is the Best VPN Protocol? PPTP vs. OpenVPN vs. L2TP/IPsec vs. SSTP
Don’t use PPTP. Point-to-point tunneling protocol is a common protocol because it’s been implemented in Windows in various forms since Windows 95. PPTP has many known security issues, and it’s likely the NSA (and probably other intelligence agencies) are decrypting these supposedly “secure” connections. That means attackers and more repressive governments would have an easier way to compromise these connections.
Yes, PPTP is common and easy to set up. PPTP clients are built into many platforms, including Windows. That’s the only advantage, and it’s not worth it. It’s time to move on.
In Summary: PPTP is old and vulnerable, although integrated into common operating systems and easy to set up. Stay away.
OpenVPN uses open-source technologies like the OpenSSL encryption library and SSL v3/TLS v1 protocols. It can be configured to run on any port, so you could configure a server to work over TCP port 443. The OpenSSL VPN traffic would then be practically indistinguishable from standard HTTPS traffic that occurs when you connect to a secure website. This makes it difficult to block completely.
It’s very configurable, and will be most secure if it’s set to use AES encryption instead of the weaker Blowfish encryption. OpenVPN has become a popular standard. We’ve seen no serious concerns that anyone (including the NSA) has compromised OpenVPN connections.
OpenVPN support isn’t integrated into popular desktop or mobile operating systems. Connecting to an OpenVPN network requires a a third-party application — either a desktop application or a mobile app. Yes, you can even use mobile apps to connect to OpenVPN networks on Apple’s iOS.
In Summary: OpenVPN is new and secure, although you will need to install a third-party application. This is the one you should probably use.
Layer 2 Tunnel Protocol is a VPN protocol that doesn’t offer any encryption. That’s why it’s usually implemented along with IPsec encryption. As it’s built into modern desktop operating systems and mobile devices, it’s fairly easy to implement. But it uses UDP port 500 — that means it can’t be disguised on another port, like OpenVPN can. It’s thus much easier to block and harder to get around firewalls with.
IPsec encryption should be secure, theoretically. There are some concerns that the NSA could have weakened the standard, but no one knows for sure. Either way, this is a slower solution than OpenVPN. The traffic must be converted into L2TP form, and then encryption added on top with IPsec. It’s a two-step process.
In Summary: L2TP/IPsec is theoretically secure, but there are some concerns. It’s easy to set up, but has trouble getting around firewalls and isn’t as efficient as OpenVPN. Stick with OpenVPN if possible, but definitely use this over PPTP.
Secure Socket Tunneling Protocol was introduced in Windows Vista Service Pack 1. It’s a proprietary Microsoft protocol, and is best supported on Windows. It may be more stable on Windows because it’s integrated into the operating system whereas OpenVPN isn’t — that’s the biggest potential advantage. Some support for it is available on other operating systems, but it’s nowhere near as widespread.
It can be configured to use very secure AES encryption, which is good. For Windows users, it’s certainly better than PPTP — but, as it’s a proprietary protocol, it isn’t subject to the independent audits OpenVPN is subject to. Because it uses SSL v3 like OpenVPN, it has similar abilities to bypass firewalls and should work better for this than L2TP/IPsec or PPTP.
In Summary: It’s like OpenVPN, but mostly just for Windows and can’t be audited as fully. Still, this is better to use than PPTP. And, because it can be configured to use AES encryption, is arguably more trustworthy than L2TP/IPsec.
OpenVPN seems to be the best option. If you have to use another protocol on Windows, SSTP is the ideal one to choose. If only L2TP/IPsec or PPTP are available, use L2TP/IPsec. Avoid PPTP if possible — unless you absolutely have to connect to a VPN server that only allows that ancient protocol.
Image Credit: Giorgio Montersino on Flickr