Popular Protocols: 3 VPN Connections Explained

So you’ve spent some time on Privacy Shell and you’ve decided it’s time to take your online security to the next level. You fire up your browser, navigate to your search engine, and start looking up information on VPN providers.

“We employ the Diffie-Hellman protocol for key exchange”. Fantastic!

“We support PPTP, L2TP/IPsec, and OpenVPN connections”. Cool!

“You can choose from AES-256 or RSA-2048 encryption”. Great… I think? Wait, what’s a Diffie-Hellman protocol? I should use RSA-2048 encryption, right? And what the heck is the difference between PPTP and L2TP?

If you’ve ever asked yourself these questions, you’re not alone. A journey into the world of privacy brings along enough names and acronyms to leave your head spinning and with no real answers to your questions. Sure, you can consult Wikipedia but then you’re left with this:

Not very helpful, is it? Not to worry though. If you’re reading this you’ve come to the right place! At Privacy Shell we’ve always got your back. Today we’ll be breaking down the differences between three main VPN protocols so you can better choose the one that fits your needs.

1.PPTP: The Point-To-Point Tunneling Protocol

PPTP is an old and widely supported standard for delivering VPN service. If you own any internet-capable device made in the last 15 years, chances are excellent that PPTP is supported. It was created by a consortium of companies, most notable of which is Microsoft who bundled PPTP support into Windows back in the days of Windows 95. Today you’ll see PPTP support built into a variety of desktop and mobile operating systems, including iPhones and all Androids, thus VPN providers act accordingly and offer support for PPTP in their services. This allows for easy set up as well, requiring no extra software to get up and running. Step-by-step guides like this one are readily available; the process boils down to going into your connection settings, inputting the server you’re connecting to, and filling in your username and password. Easy!

Things aren’t all rosy for PPTP, however. PPTP relies on MS-CHAP (v2) for authentication. MS-CHAP is a very common method of doing a “handshake”, or comparing codes with the server you’re connecting to, to ensure that your data is encrypted and reaching the right people securely. Unfortunately, PPTP, along with MS-CHAP, have long been cracked due to their built-in cryptographic weaknesses and susceptibility to man-in-the-middle attacks. Even Microsoft recommends not to use PPTP/MS-CHAP and advocates newer, more secure protocols instead.

That said, PPTP generally allows for faster speeds than other VPN solutions due to using less (maximum of 128 bit) encryption, alongside using less system resources to encrypt/decrypt traffic, making it a decent choice for browsing public WiFi spots. Presently it is quite easy to break the encryption (and this can only get easier for attackers as time goes on), however, meaning that if you’re looking for bulletproof security it is best to look elsewhere for your encryption needs.

2. L2TP: The Layer 2 Tunneling Protocol

L2TP is another VPN tunnelling protocol, very much similar in function to PPTP, though on it’s own it provides no encryption. Again, chances are good that your internet-capable device has L2TP support built right in, making setup relatively pain-free as it’s just a matter of inputting your login credentials in the right forms. You’ll often hear L2TP and IPsec mentioned in the same breath and for good reason; L2TP relies on IPsec to provide authentication and encryption which is more secure in it’s implementation than PPTP/MS-CHAP; as of yet there are no known vulnerabilities in IPsec. Part of the reason is that it encapsulates, or obscures, data twice over before sending it off and relies on well-known hashing algorithms like MD5 to ensure that data has not been tampered with in transit.

That means times are good for L2TP, right? Not necessarily. In light of documents revealed through the Snowden leaks, there is reason to believe that IPsec has been deliberately weakened by the NSA when the protocol was still undergoing formation, meaning there may be a built-in backdoor to enable man-in-the-middle attacks or to intercept encryption/decryption keys. Further, because of the double encapsulation employed when data is transmitted, internet speeds tend to be lower than other VPN implementations.

Again, there are no known vulnerabilities meaning you’re conceivably fine using L2TP for your encryption; at any rate it is much more secure than PPTP and generally preferred in usage. If government surveillance isn’t a main concern then L2TP is a fine choice and one that will protect you against hackers attempting to tamper with or intercept your internet traffic.

3. OpenVPN: The Free and Open-Source VPN Protocol

Unlike the previous two protocols we’ve explored, OpenVPN is a standalone client that needs to be downloaded and installed on your desktop/laptop or mobile device. If you’re someone using a Blackberry OS phone or a Windows Phone, however, you’re out of luck as there is no support for OpenVPN built in to these platforms. OpenVPN operates as an open source project, meaning all of its code is open for modification or scrutiny by experts, pundits and anyone with curiosity at how it works. Rather than using the broken MS-CHAP or the (possibly) dubious IPsec it employs SSL/TLS for authentication and encryption, as well as providing support for stronger cryptographic ciphers, meaning your communications will be shielded completely against prying eyes.

Furthermore, OpenVPN is quite robust and configurable. Though it operates over a UDP connection by default, it can be easily configured to operate on TCP connections instead. This is great for two reasons: first, if you’re in a place where VPN access is blocked by your ISP or company you can shift it to run on a TCP port which is indistinguishable from regular HTTPS traffic and therefore unblockable. Second, TCP connections guarantee that no packets are dropped and that connections are secured the whole way through; data will not be send without your device receiving confirmation that previous sent data packets were received. UDP connections are the default for good reason, however. Unlike TCP, UDP connections do not wait for confirmation before sending out data, resulting in faster speeds and much less processing overhead. This makes UDP more suitable for sustained downloads, such as video streaming or VOIP. Generally, the rule here is to use a UDP connection unless you experience connectivity problems or really need to bypass a firewall.

As OpenVPN is open source, VPN providers tend to use the OpenVPN client as a base for their own custom clients. On its own OpenVPN requires extra setup apart from a username and password; custom VPN clients include all the extra setup as well as employing welcomed extras like kill-switches and server lists. With a good custom VPN client your connection will be terminated as soon as the connection drops, ensuring your IP address and communications do not leak out, and server changes are as easy as selecting a new location in a drop-down list, making the whole process quite user-friendly.

Which One Is Right For You?

For the most part you’re going to want to use OpenVPN to connect to your VPN provider if it’s available. It’s more secure than the other protocols, though this security does come at the cost of speed as heavy encryption is employed. For mobile connections and general secured browsing, however, L2TP and PPTP are quite fine choices; the crux of the issue lies in your unique usage case. Are you a spy on the run from government agencies around the world? You’re going to want OpenVPN for sure. Are you trying to browse securely and conveniently at the airport? L2TP will get the job done well while PPTP provides quick protection with minimal speed impact.

And don’t worry, we haven’t forgotten about AES, SSL or good old Diffie-Hellman. Our aim right now, though, is to shed some light on the front-facing connection protocols and outline the differences for you. Rest assured, as long as you’re employing at least 128 bit encryption, you’re quite well protected.

About Ravi Persaud

I am interested in the intersections between the Internet and the real world; that is, how technology fundamentally shifts personal data and our private lives to become more accessible, effecting our privacy in a digital age.