Internet privacy and security course
About translation
Previous Next

Chapter 130

Choose a protocol for VPN. Compare OpenVPN, PPTP, L2TP/IPsec and IPsec IKEv2

Many resources, telling users about VPNs, usually recommend OpenVPN with 256-bit encryption, explaining that this is the most reliable protocol. But in reality it is not exactly a protocol and several indicators influence on the final security of a VPN and each on them is very important.

We start a cycle of chapters on choosing a secure VPN, within which we will look at indicators impacting the final security of a VPN and in their context we will discuss some of the vulnerable points of a VPN tunnel.

Tunneling protocol

As a rule, the choice of VPN begins with the choice of the tunneling protocol (hereinafter TP). Today on the market there are several options for TP for the implementation of a virtual private network: OpenVPN, PPTP, L2TP/IPsec, IPsec IKEv2 and others that are not so widely spread. Straight away I would like to note that it is not quite right for OpenVPN to be called a tunneling protocol, as it is a software for creating a virtual network, but let it be a protocol in order to avoid confusion.

What is protocol? Imagine a situation: you meet a person and want to talk with them, but you speak different languages. Obviously, you will not understand each other and there can be no way any full interaction. The protocol is the language of interaction itself, in this case between the computer and the VPN server.

PPTP

PPTP is the first protocol supported on the Windows platform. The protocol has weak encryption and can be hacked by both special services and skilled malefactors. No need to install additional software and speed of working are worth noting out of the benefits. PPTP VPN requires minimal resources and compared to OpenVPN almost does not consume a charge when is used on mobile devices.

Why is this protocol still in use? Its main problem is weak key transfer protection, but this does not mean that anyone can break the encryption. PPTP has some advantages as well: it is easy to setup and use, good protection and change of IP-address. PPTP probably is not the most protected protocol, nevertheless, it is better than nothing.

L2TP/IPsec

What is important to know about it:

  • it is slower than others due to double encapsulation (an IPsec tunnel is created, and data travels via L2TP);
  • uses standard ports, and therefore an Internet provider or a system administrator can easily block one;
  • operating systems have built-in support for this technology, there is no need to install additional software;
  • when it is properly configured, there is no information about the ability to decrypt data.

We do not recommend it and do not use it because of the speed, therefore we will not talk a lot about it during the course.

IPsec IKEv2

What is IKEv2 in this link? If to speak very simply, it is authorization through a certificate and it, unfortunately, is not supported by all devices.

What is needed to be known about it:

  • works faster than L2TP/IPsec, equally as OpenVPN, slower than PPTP;
  • is not supported by all operating systems (although IPsec itself is supported everywhere);
  • when it is properly configured, neither the special services nor the malefactors can decipher it (at least among IT specialists it is considered to be so).

It is worth noting that there is the support of IPsec on all popular operating systems as a positive thing. But there is another opinion about this: unlike the built-in disk encryption systems, the presence of built-in IPsec systems did not cause disturbances from the special services. It was implemented even in Windows, where they always refrained from data protection tools that were inaccessible to the security services. This fact seems suspicious to many.

OpenVPN

OpenVPN is a free open source solution, which, according to most experts, is the best up-to-date to create a virtual private network (VPN).

What is needed to be known about it:

  • is not included in the standard distributions of modern operating systems, therefore it requires the installation of additional software;
  • if it is properly configured, neither the special services nor the malefactors will be able to decipher it;
  • at non-standard settings it is difficult to be blocked.

Yes, OpenVPN requires the installation of additional software, but it is time-tested open source software, installation and configuration of which will not create problems even for a beginner. OpenVPN works on all modern OS: Windows, macOS, Linux, Android, iOS.

Choosing a transport protocol for OpenVPN. TCP or UDP?

Encrypted information created using OpenVPN can be transmitted via one of two protocols: either UDP or TCP. VPN providers usually offer both options, followed by a comment: "TCP is more reliable, while UDP is faster".

Imagine that you are cutting wood to build a house and you need to move down the felled trees down the river to the construction site. You can just throw them into the water and your assistant will catch them at the construction site, this will be the fastest and easiest way. But if the log gets stuck in the delivery process or is stolen, you will never know it, except that when you do not have enough logs to build a house.

And if you assign a number to each log and your assistant calls after receiving each log, informing you of the successful delivery, in this case, even if some logs are lost, you will know about it immediately and will send another one instead. But let’s agree that this way of sending logs will take more time and, therefore, if the river is wide and not tortuous, it is better to use a simple and fast method.

The similar situation is in the protocol choice: UDP is a fast method without confirming the delivery of packets, we recommend using it on the stable Internet. TCP is not that fast, but the delivery of each package is confirmed, it is recommended for poor connection.

TCP is necessary in those situations when UDP traffic is blocked by the provider or the settings of the router. The alternative OpenVPN TCP on 443 port cannot be blocked, since this port is used for all HTTPS connections and users simply cannot open sites.

We put OpenVPN UDP in our solutions, but if one cannot connect using UDP within 15 seconds, the TCP connection starts automatically.

In the next chapter we will talk about TLS authentication, connection port, the generation of the session key, encryption algorithms, key length, data authentication and other components of a secure VPN connection.

Previous
5550
Next