The PPTP VPN protocol is not secure, try these alternatives instead

Published by on October 20, 2016 in VPN & Privacy

If you’ve ever manually set up a VPN using a device’s built-in protocols, there’s a good chance you at least considered using PPTP. PPTP is one of the easiest types of VPN to set up and comes pre-installed on most Windows, Mac OSX, Android, and iOS devices. Not only is it easier, it’s faster than other built-in protocols like L2TP/IPSec, SSTP, and IKEv2.

But PPTP is widely regarded as obsolete. Microsoft developed and implemented it as far back as Windows 95 and Windows NT. Researchers first found flaws in the protocol’s cryptography in 1998. By 2012, several vulnerabilities had surfaced and the encryption could be broken with relative ease using widely available tools.

As one expert put it, “At this point nobody who cares in the least about the communications they intend to protect should be using [PPTP].”

The list of vulnerabilities has grown to encompass several unfixable problems. These problems leave users open to several types of attacks. The details of these issues get quite technical, but you can find a list on Wikipedia.

In short, don’t use PPTP if you care at all about security when setting up a VPN. Instead, opt for a more secure protocol: OpenVPN, L2TP/IPSec, SSTP, or IKEv2.
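Before switching protocols, it helps to confirm where PPTP is still in use on a network. PPTP is recognisable on the wire by its control channel on TCP port 1723 together with a GRE (IP protocol 47) data channel, so a defender can scan firewall logs for that pairing. The following added example (not code from the original article) does this over constructed iptables-style log lines; the log format and addresses are assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed iptables-style log lines, not captured from a real network.
# 10.0.0.5 shows both PPTP indicators; 10.0.0.20 shows GRE only (e.g. a
# router-to-router GRE tunnel); 10.0.0.7 is IPsec (UDP 500/4500), not PPTP.
SAMPLE_LOG = """\
Oct 20 10:01:02 fw kernel: FW_ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=49152 DPT=1723
Oct 20 10:01:03 fw kernel: FW_ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=47
Oct 20 10:02:10 fw kernel: FW_ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=203.0.113.11 PROTO=UDP SPT=500 DPT=500
Oct 20 10:02:11 fw kernel: FW_ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=203.0.113.11 PROTO=UDP SPT=4500 DPT=4500
Oct 20 10:03:00 fw kernel: FW_ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.20 DST=198.51.100.5 PROTO=47
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
PPTP_CONTROL_PORT = "1723"        # PPTP control connection, TCP
GRE_PROTO = {"47", "GRE"}         # PPTP data channel; iptables may log either form

def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of one log line, or None if absent."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields or "PROTO" not in fields:
        return None
    return fields

def classify(fields):
    """Label a parsed line as a PPTP indicator, or None if it is not one."""
    proto = fields["PROTO"].upper()
    if proto == "TCP" and fields.get("DPT") == PPTP_CONTROL_PORT:
        return "pptp-control"
    if proto in GRE_PROTO:
        return "pptp-data-gre"
    return None

def find_pptp_peers(log_text):
    """Map each (src, dst) pair with PPTP indicators to the set of indicators seen."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        label = classify(fields) if fields else None
        if label:
            peers[(fields["SRC"], fields["DST"])].add(label)
    return dict(peers)

def confirmed_pptp(log_text):
    """Pairs showing both channels: GRE alone may be some other GRE use."""
    return sorted(pair for pair, labels in find_pptp_peers(log_text).items()
                  if {"pptp-control", "pptp-data-gre"} <= labels)

if __name__ == "__main__":
    for pair, labels in find_pptp_peers(SAMPLE_LOG).items():
        print(pair, sorted(labels))
    print("confirmed PPTP tunnels:", confirmed_pptp(SAMPLE_LOG))
```

Pairs with only GRE traffic are reported but not confirmed, since GRE is also used by non-PPTP tunnels; the IPsec peer does not appear at all.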

Alternatives to PPTP

Other VPN protocols are either not as easy to set up as PPTP or do not come pre-installed on popular operating systems. Even so, the added security makes a few extra steps worth the trouble.

OpenVPN

OpenVPN is our recommended VPN protocol. The only problem is that it isn’t supported by default on most devices. Rather than using built-in tools on your computer or smartphone, you must download and install it.

OpenVPN is most widely used by commercial VPN services, particularly paid subscription providers including any of these VPN services. When you download and install the provider’s app, OpenVPN is usually installed along with it.

If you have to set up OpenVPN manually, be prepared for a much more complicated endeavor.

OpenVPN, as the name implies, is open source. That means it can be freely audited by anyone for security flaws. It supports a 256-bit SSL-encrypted connection by default, which is considered military-grade. It has no known security flaws, but expect it to slow down download speeds by about 10 percent.

L2TP/IPSec

Second to OpenVPN, L2TP/IPSec is a strong runner-up for the best VPN protocol. If your smartphone, tablet, or laptop comes with a built-in protocol that isn’t PPTP, this is probably it. It’s available on Windows, Mac OSX, iOS, and Android, among others.

Technically, L2TP is the tunneling protocol and IPSec provides the encryption, but they are almost always paired together. Avoid “raw” L2TP, which lacks IPSec encryption. Both are secure with no known vulnerabilities, but L2TP/IPSec is not open source like OpenVPN. Instead, L2TP was jointly developed by Microsoft and Cisco.

When it comes to setup, L2TP/IPSec adds an extra step onto the standard domain, username, and password necessary for PPTP. You’ll also need a pre-shared key, which you’ll get from your VPN provider.

SSTP

Like PPTP, Microsoft developed SSTP. But this time they made a far more secure protocol. It’s usually only supported by Windows devices, but is otherwise just as secure as L2TP/IPSec.

It’s easier to set up than L2TP/IPSec as well, on par with PPTP when it comes to simplicity. You just need a username, password, and server domain. Because of the device restrictions, however, many VPN providers simply don’t support it.

IKEv2

This protocol is even less common than SSTP, and is another brainchild of Cisco and Microsoft. Device compatibility is spotty but the handful of BlackBerry users still out there will find a lot to love. It’s also available on some newer versions of iOS.

IKEv2’s greatest strength is the ability to quickly reconnect if a connection is dropped. That makes it great for mobile devices that frequently lose service in tunnels and basements, for instance, or when switching from wifi to 3G/4G.

IKEv2 uses IPSec for encryption, the same as L2TP/IPSec. Setup usually requires a username, password, server domain, and a remote ID.

Read more: VPN protocols comparison cheat sheet

“Broken locks” by Jan Kalab, licensed under CC BY-SA 2.0
