VPN protocols explained and compared

This is a quick reference guide for the lay-person who wants to explore the different VPN protocols available. For those who want a quick answer as to which one they should use:

  • OpenVPN is always a solid option, especially when the setup is handled by a third-party app
  • L2TP/IPSec is probably the most widely available alternative that offers decent security
  • SSTP is also a solid option for Windows users, assuming you trust proprietary tech from Microsoft
  • IKEv2 is a fast and secure alternative for devices that support it, particularly mobile devices
  • Only use PPTP as a last resort
  • Wireguard is a newer protocol that promises to be faster and more efficient, but has some privacy drawbacks
  • Only use open-source and professionally audited custom protocols

OpenVPN

What is it?

An open-source VPN protocol that’s highly configurable for a variety of ports and encryption types. OpenVPN is one of the newer protocols with an initial release in 2001.

What’s it used for?

Third-party VPN clients often utilize the OpenVPN protocol, as OpenVPN isn’t built into computers and mobile devices. It’s become increasingly mainstream for general purpose VPN use, and is now the default protocol used by most paid VPN providers.

Is it fast?

Not as fast as PPTP, about the same speed as L2TP depending on the device and configuration.

Is it secure?

Yes. OpenVPN uses a custom security protocol that relies heavily on OpenSSL, similar to the encryption used on HTTPS websites. Because it can be configured to use any port, it can easily be disguised as normal internet traffic and is therefore very difficult to block. It supports several encryption algorithms, the most common being AES and Blowfish.

Is it easy to set up?

If you plan on setting it up manually, no. Many native VPN clients from consumer VPN providers, however, make it much easier to install and run. In those cases, OpenVPN usually requires no manual configuration, as the provider’s app takes care of that for you.

L2TP/IPSec

What is it?

Layer 2 Tunnel Protocol is the VPN protocol, and it’s usually paired with IPSec for security. L2TP was developed by Cisco and Microsoft in the 90s.

What’s it used for?

Accessing the internet through a VPN when security and privacy are concerns.

Is it fast?

Sort of. There’s some debate out there about whether it’s faster than OpenVPN or not. The average user probably won’t notice a difference in speed between the two. L2TP/IPSec is slower than PPTP.

Is it secure?

Yes, L2TP/IPSec has no known major vulnerabilities. Some experts have voiced concerns that the protocol might have been weakened or compromised by the NSA, though. The NSA helped develop IPSec.

Is it easy to set up?

That depends. Like PPTP, L2TP/IPSec support is built into most modern computers and mobile devices today. The setup process is similar, but the port that L2TP uses is easily blocked by firewalls. If you need to get around these firewalls, you’ll need to forward the port, which requires a more complicated configuration.
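To make concrete why a fixed-port protocol is easy to block while OpenVPN on TCP 443 is not, here is an added example (not from the article or from any VPN vendor) that classifies flow records by the well-known default ports these protocols use: UDP 500 and 4500 for IKE and IPsec NAT-T, UDP 1701 for L2TP, TCP 1723 plus GRE for PPTP, UDP 1194 as OpenVPN's default, and UDP 51820 as WireGuard's conventional port. The flow-record format, the addresses and the sample flows are constructed for the example; a real firewall or IDS would match on more than the destination port.

```python
"""Port-signature classification of VPN flows (added example, not article code).

Flow record format (constructed): "<src_ip> <dst_ip> <ip_proto> <dst_port|->".
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

TCP, UDP, GRE = 6, 17, 47  # IP protocol numbers

# Well-known default signatures (ip_proto, dst_port) -> label. These are the
# standard/conventional ports, not values taken from the article.
DEFAULT_SIGNATURES: Dict[Tuple[int, Optional[int]], str] = {
    (UDP, 500): "IKE (IPsec, L2TP/IPsec, IKEv2)",
    (UDP, 4500): "IPsec NAT-T (IPsec, L2TP/IPsec, IKEv2)",
    (UDP, 1701): "L2TP",
    (TCP, 1723): "PPTP control",
    (GRE, None): "GRE (PPTP data)",
    (UDP, 1194): "OpenVPN default port",
    (UDP, 51820): "WireGuard conventional port",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    ip_proto: int
    dst_port: Optional[int]  # None for protocols without ports (GRE)


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record."""
    src, dst, proto, port = line.split()
    return Flow(src, dst, int(proto), None if port == "-" else int(port))


def classify(flow: Flow) -> str:
    """Label a flow by its fixed-port signature.

    TCP/443 is deliberately reported as ambiguous: SSTP and OpenVPN configured
    on 443 look exactly like HTTPS to a port-based rule, which is why the
    article calls OpenVPN hard to block and L2TP easy to block.
    """
    key = (flow.ip_proto, None if flow.ip_proto == GRE else flow.dst_port)
    if key in DEFAULT_SIGNATURES:
        return DEFAULT_SIGNATURES[key]
    if flow.ip_proto == TCP and flow.dst_port == 443:
        return "TCP/443 (HTTPS, SSTP or OpenVPN on 443: not separable by port)"
    return "unclassified"


def port_block_decision(flow: Flow, blocked_prefixes: Iterable[str]) -> bool:
    """Return True when a naive port-based firewall policy would drop the flow."""
    label = classify(flow)
    return any(label.startswith(prefix) for prefix in blocked_prefixes)


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count flows per label, as a detection dashboard might."""
    counts: Dict[str, int] = {}
    for line in lines:
        label = classify(parse_flow(line))
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample flows (RFC 5737 documentation addresses as VPN servers).
SAMPLE_FLOWS = [
    "10.0.0.5 203.0.113.10 17 500",    # IKE
    "10.0.0.5 203.0.113.10 17 4500",   # NAT-T
    "10.0.0.5 203.0.113.10 17 1701",   # L2TP
    "10.0.0.6 203.0.113.20 6 1723",    # PPTP control
    "10.0.0.6 203.0.113.20 47 -",      # PPTP data over GRE
    "10.0.0.7 203.0.113.30 17 1194",   # OpenVPN default
    "10.0.0.8 203.0.113.40 6 443",     # could be HTTPS, SSTP or OpenVPN
    "10.0.0.9 203.0.113.50 6 443",     # same
]

if __name__ == "__main__":
    for label, n in summarize(SAMPLE_FLOWS).items():
        print(f"{n:2d}  {label}")
```

Running the block shows that a policy blocking "L2TP" and "IPsec" prefixes drops the L2TP/IPsec flows outright, while the two TCP/443 flows cannot be separated from web traffic without deep packet inspection.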

PPTP

What is it?

The oldest widely-used VPN protocol, originally developed by Microsoft for dial-up networks. PPTP stands for Point-to-Point Tunneling Protocol.

What’s it used for?

PPTP is used both for connecting to the internet and to intranets (i.e. accessing a corporate office building’s internal network).

Is it fast?

Yes. Due to the lower encryption standard, PPTP is one of the fastest VPN protocols.

Is it secure?

No. PPTP hasn’t aged well, and many security vulnerabilities have arisen over the years. The NSA actively decrypts and monitors PPTP traffic. Even though it normally uses 128-bit encryption, it effectively offers no security benefits.

Is it easy to set up?

Yes. PPTP is the most common protocol built into many computers and mobile devices today, making it one of the simplest, if not the simplest, to set up manually.

SSTP

What is it?

Secure Socket Tunneling Protocol was developed by Microsoft and first built into Windows Vista. The proprietary (read: not open-source) protocol works on Linux but is primarily thought of as a Windows-only technology.

What’s it used for?

Not much. SSTP might be used by a few hardcore Windows fans because it comes built-in, but it has no real advantages over OpenVPN. It’s better than L2TP for getting around firewalls without a complicated configuration.

Is it fast?

About the same as OpenVPN.

Is it secure?

Yes, assuming you trust Microsoft (questionable). It is usually configured using strong AES encryption.

Is it easy to set up?

Manual setup is fairly easy on Windows machines. Macs won’t run it and probably never will. Linux and a few other systems will have a harder time.

IKEv2

What is it?

Internet Key Exchange version 2 isn’t exactly a VPN protocol, but can be treated as such. It was jointly developed by Microsoft and Cisco.

What’s it used for?

It’s especially useful for mobile devices on 3G or 4G LTE because it’s good at reconnecting whenever the connection drops out. This can happen when the user drives through a tunnel and temporarily loses service or when they switch from the mobile connection to wifi. Support for IKEv2 is built into Blackberry devices.

Is it fast?

IKEv2 throughput is comparable to OpenVPN, but one advantage is that it establishes a connection much quicker.

Is it secure?

Yes, again, if you trust Microsoft. IKEv2 supports several levels of AES encryption and, like L2TP, uses the IPSec encryption suite. Some open-source versions are also available for those who prefer to avoid Microsoft’s proprietary version.

Is it easy to set up?

IKEv2 is not widely supported, but for those devices that are compatible, it’s quite easy to set up.

IPSec

What is it?

Internet protocol security, or IPSec, is a protocol used for several purposes, one of them being VPNs. It operates at the network level as opposed to the application level (used by SSL).

What’s it used for?

IPSec is often paired with other VPN protocols like L2TP to provide encryption, but it can also be used by itself. It’s frequently used for site-to-site VPNs, and many iOS VPN apps also utilize IPSec in lieu of OpenVPN or some other protocol.

Is it fast?

IPSec is generally considered faster than SSL, but your results may vary depending on configuration and intended use.

Is it secure?

Yes, IPSec is secure, although in 2013 the Snowden leaks revealed that the NSA was actively working to insert vulnerabilities.

Is it easy to set up?

Depending on what you plan to use it for, configuring an IPSec VPN can be complex. For the average user with an iPhone just trying to connect to their VPN provider’s servers, it shouldn’t be a problem.

SSL/TLS

What is it?

Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are the most common cryptographic protocols in use today. Any time you connect to an HTTPS website, your connection to the server is protected with SSL. It is used in some VPN protocols but is not in itself a VPN protocol.

What is it used for?

When it comes to VPNs, OpenVPN’s encryption is built on the OpenSSL library, and OpenVPN is considered an SSL VPN.

SSL is also used to create HTTPS proxies, which are passed off as VPNs by some companies. These are often advertised as browser-based VPNs that run as Chrome or Firefox extensions and do not provide the full security benefits of a true VPN.

Is it fast?

This depends more on the VPN protocol and the level of encryption used.

Is it safe?

TLS is the newer protocol and protects against attacks better than SSL, so to maximize security use TLS.

Is it easy to set up?

SSL VPNs are generally considered easier to configure than IPSec VPNs for remote client connections.

Wireguard

What is it?

Wireguard is a secure VPN tunnel protocol that aims to improve on the other protocols in this list in terms of speed, ease of deployment, and overhead. It is the newest protocol on this list.

What’s it used for?

Wireguard is still in development, but it’s available for several platforms. It’s lightweight enough to run on embedded interfaces but is also appropriate for containers like Docker all the way up to high performance devices and networks.

Wireguard is finding its way into more and more VPN apps these days, largely thanks to speed improvements over OpenVPN and IKEv2.

Is it fast?

Yes. Wireguard does away with a lot of the bloat found in other protocols and runs from the Linux kernel to improve speed.

Our speed tests have shown massive improvements across almost every provider that has adopted Wireguard, with download bandwidth doubling and in some cases tripling what was previously achieved by other protocols.

Is it secure?

Yes, though we remind readers that Wireguard is still in development. Wireguard uses state-of-the-art cryptography, can easily be audited, and uses a concept called “cryptokey routing” to handle network management and access control in lieu of complicated firewall rules.
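“Cryptokey routing” means that each peer’s public key is bound to the set of tunnel addresses (AllowedIPs) it may use: outbound packets are encrypted to whichever peer’s AllowedIPs cover the destination, and a decrypted inbound packet is accepted only if its inner source address is within the sending peer’s AllowedIPs. That binding is also why each peer gets a fixed tunnel address. The following added example (my own illustration of the rule, not WireGuard’s code) parses a constructed WireGuard-style config, with placeholder strings in place of real keys, and applies both checks with the standard `ipaddress` module.

```python
"""Cryptokey routing over a WireGuard-style [Peer] table (added example).

The config below is constructed; the key values are placeholders, not real
WireGuard keys. Only the [Peer] sections are used for the routing table.
"""
import ipaddress
from typing import Dict, List, Optional

IPNetwork = ipaddress.IPv4Network
PeerTable = Dict[str, List[IPNetwork]]  # public key -> AllowedIPs

SAMPLE_CONFIG = """
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.1/24
ListenPort = 51820

[Peer]
# laptop: a single fixed tunnel address
PublicKey = PEER_LAPTOP_PUBKEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32

[Peer]
# branch router: its tunnel address plus the LAN it forwards
PublicKey = PEER_BRANCH_PUBKEY_PLACEHOLDER
AllowedIPs = 10.8.0.3/32, 192.168.50.0/24
"""


def parse_peers(text: str) -> PeerTable:
    """Build the public-key -> AllowedIPs table from [Peer] sections."""
    peers: PeerTable = {}
    section: Optional[str] = None
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1], None
            continue
        if section != "Peer":
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "PublicKey":
            current = value
            peers.setdefault(current, [])
        elif key == "AllowedIPs" and current is not None:
            peers[current].extend(
                ipaddress.ip_network(n.strip()) for n in value.split(",")
            )
    return peers


def outbound_peer(peers: PeerTable, dst_ip: str) -> Optional[str]:
    """Outbound rule: the peer whose AllowedIPs best (longest prefix) cover
    the destination is the one the packet is encrypted to. None = no route."""
    dst = ipaddress.ip_address(dst_ip)
    best_key, best_len = None, -1
    for pub, nets in peers.items():
        for net in nets:
            if dst in net and net.prefixlen > best_len:
                best_key, best_len = pub, net.prefixlen
    return best_key


def inbound_accepted(peers: PeerTable, sender_pub: str, inner_src_ip: str) -> bool:
    """Inbound rule: after decryption, the inner source address must lie in
    the sending peer's AllowedIPs, or the packet is dropped. This is what
    stops one authenticated peer from spoofing another's tunnel address."""
    src = ipaddress.ip_address(inner_src_ip)
    return any(src in net for net in peers.get(sender_pub, []))


if __name__ == "__main__":
    table = parse_peers(SAMPLE_CONFIG)
    print("to 192.168.50.7 ->", outbound_peer(table, "192.168.50.7"))
    print("laptop claiming 10.8.0.3 ->",
          inbound_accepted(table, "PEER_LAPTOP_PUBKEY_PLACEHOLDER", "10.8.0.3"))
```

Because the AllowedIPs table is the access-control list, adding a peer means adding one key and one address line; there is no separate firewall state to keep in step with the tunnel, which is the simplification the article is describing.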

However, Wireguard assigns IP addresses statically and not dynamically, which means some user data needs to be stored on the server.

Is it easy to set up?

Yes, though it’s not widely implemented yet. The creators liken Wireguard to configuring SSH, a very simple secure protocol. It allows roaming between IP addresses. Wireguard’s website states, “There is no need to manage connections, be concerned about state, manage daemons, or worry about what’s under the hood.”

Custom protocols

A few VPN providers opt to write their own protocols instead of using an existing one. Hotspot Shield’s Catapult Hydra, ExpressVPN’s Lightway, and NordVPN’s NordLynx are a few examples.

These protocols vary in their performance and security, and sometimes their code is not public. We recommend only using protocols that are open source.

Some custom protocols are built from the ground up, but many of them are just forks of open-source protocols. NordLynx, for example, is just Wireguard with a double-NAT system to prevent logging of IP addresses.

Types of VPNs: Secure vs Trusted

All of the VPNs we review at Comparitech are considered “secure” VPNs. This means the traffic sent and received through them is encrypted and authenticated. Being a secure VPN also means that both the server and client agree on the security properties, and no one outside the VPN can affect these properties. Secure VPNs use one of the protocols listed above.

A “trusted” VPN is distinct from a secure VPN. Trusted VPNs may not use any encryption. Instead, users “trust” the VPN provider to make sure that no one else can use the same IP address and pathway. No one other than the provider can change data, inject data, or delete data on a path in the VPN.

Trusted VPNs are far less common nowadays. They were typically used by corporations for staff to remotely access internal company resources, not to connect to the world wide web. But the threats to security became too great for most companies to risk using a non-encrypted connection.

VPNs that combine the encryption properties of a secure VPN and the dedicated line properties of a trusted VPN are sometimes called “hybrid” VPNs. Hybrid VPNs are common today, particularly for corporations. But most commercial VPN providers that offer unrestricted access to the internet do not give customers a dedicated IP address, so they are not considered hybrids.