Which VPN protocol is the best?

2024-11-22 · Last updated on August 21, 2024 · Published on May 22, 2022


This article has been updated to include the WireGuard and Stealth VPN protocols.

We explain what a VPN protocol is and what it does. We also compare the strengths and weaknesses of the most common protocols, including OpenVPN, WireGuard, IKEv2, PPTP, and L2TP.

Before you trust a VPN to protect your internet activity, you need to ensure they’ve put in place the necessary safeguards. Evaluating the more technical aspects of a VPN can be difficult. It often means struggling to understand an alphabet soup of different acronyms.

We have begun a series of posts where we explain some of our security measures so that people can make more informed decisions. Our first post explained what HMAC SHA-384 means. This post will investigate VPN protocols, what they do, how they work, and what it means if a VPN service uses OpenVPN over L2TP, for example.

This post delves into some of the inner workings of VPNs. While we try to explain terms clearly, this post will be more useful if you come in with some basic technical knowledge. If you’re not sure how a VPN works, it might be helpful to read the article linked below before continuing.

Learn how a VPN works

VPN protocol

VPNs rely on what is called “tunneling” to create a private network between two computers over the internet. A VPN protocol, also known as a “tunneling protocol,” is the instructions your device uses to negotiate the secure encrypted connection that forms the network between your computer and another.

A VPN protocol is usually made up of two channels: a data channel and a control channel. The control channel is responsible for the key exchange, authentication, and parameter exchange (like providing an IP or route and DNS server). The data channel is, as you might have guessed, responsible for transporting your internet traffic data. Together, these two channels establish and maintain a secure VPN tunnel. However, for your data to pass through this secure tunnel, it must be encapsulated.

Encapsulation is when a VPN protocol takes bits of data, known as data packets, from your internet traffic and places them inside another packet. This extra layer is necessary because the protocol configurations your VPN uses inside the data channel are not necessarily the same as the regular internet uses. The additional layer allows your information to travel through the VPN tunnel and arrive at its correct destination.

This is all a bit technical, so here is a broad overview: When you connect to a VPN server, the VPN uses its control channel to establish shared keys and a connection between your device and the server. Once this connection is established, the data channel begins transmitting your internet traffic. When a VPN discusses the strengths and weaknesses of its performance or talks about a “secure VPN tunnel,” it is talking about its data channel. Once the VPN tunnel has been established, the control channel is then tasked with maintaining the connection’s stability.

PPTP

Point-to-Point Tunneling Protocol (PPTP) is one of the older VPN protocols. It was initially developed with support from Microsoft, and thus all versions of Windows and most other operating systems have native support for PPTP.  

PPTP uses the Point-to-Point Protocol (PPP), which is like a proto-VPN in itself. Despite being quite old, PPP can authenticate a user (usually with MS-CHAP v2) and encapsulate data itself, letting it handle both control channel and data channel duties. However, PPP is not routable; it cannot be sent over the internet on its own. So PPTP encapsulates the PPP-encapsulated data again using Generic Routing Encapsulation (GRE) to establish its data channel.

Unfortunately, PPTP does not have any of its own encryption or authentication features. It relies on PPP to implement these functions — which is problematic since PPP’s authentication system and the encryption that Microsoft added to it, MPPE, are both weak.

Encryption: Microsoft’s Point-to-Point Encryption protocol (MPPE), which uses the RSA RC4 algorithm. MPPE’s maximum strength is 128-bit keys.

Speed: Because its encryption protocols do not require much computing power (RC4 and only 128-bit keys), PPTP maintains fast connection speeds.

Known vulnerabilities: PPTP has had numerous known security vulnerabilities since 1998. One of the most severe vulnerabilities exploits unencapsulated MS-CHAP v2 authentication to perform a man-in-the-middle (MITM) attack.

Firewall ports: TCP port 1723. PPTP’s use of GRE means it cannot navigate a network address translation firewall and is one of the easiest VPN protocols to block. (A NAT firewall allows several people to share one public IP address at the same time. This is important because most individual users do not have their own IP address.)

Stability: PPTP is not as reliable, nor does it recover as quickly as OpenVPN over unstable network connections.

Conclusion: If you are concerned about securing your data, there is no reason to use PPTP. Even Microsoft has advised its users to upgrade to other VPN protocols to protect their data.

L2TP/IPSec

Layer two tunneling protocol (L2TP) was meant to replace PPTP. L2TP can handle authentication on its own and performs UDP encapsulation, so in a way, it can form both the control and data channel. However, similar to PPTP, it does not add any encryption itself. While L2TP can send PPP, to avoid PPP’s inherent weaknesses, L2TP is usually paired with the Internet Protocol security (IPSec) suite to handle its encryption and authentication.

IPSec is a flexible framework that can be applied to VPNs as well as routing and application-level security. When you connect to a VPN server with L2TP/IPSec, IPSec negotiates the shared keys and authenticates the connection of a secure control channel between your device and the server.

IPSec then encapsulates the data. When IPSec performs this encapsulation, it applies an authentication header and uses the Encapsulating Security Payload (ESP). These special headers add a digital signature to each packet so attackers cannot tamper with your data without alerting the VPN server.

ESP encrypts the encapsulated data packets so that no attacker can read them (and, depending on the settings of the VPN, also authenticates the data packets). Once IPSec has encapsulated the data, L2TP encapsulates that data again using UDP so that it can pass through the data channel.

Several VPN protocols, including IKEv2, use IPSec encryption. While generally secure, IPSec is very complex, which can lead to poor implementations. L2TP/IPSec is supported on most major operating systems.

Encryption: L2TP/IPSec can use either 3DES or AES encryption, although given that 3DES is now considered a weak cipher, it is rarely used.

Speed: L2TP/IPSec is generally slower than OpenVPN when using the same encryption strength. This is mainly due to the fact that the AES encryption used by OpenVPN is hardware accelerated on most common processors.

Known vulnerabilities: L2TP/IPSec is an advanced VPN protocol, but a leaked NSA presentation suggests that the intelligence agency has already found ways to tamper with it. Furthermore, due to IPSec’s complexity, many VPN providers used pre-shared keys to set up L2TP/IPSec.

Firewall ports: UDP port 500 is used for the initial key exchange, UDP port 5500 for NAT traversal, and UDP port 1701 to allow L2TP traffic. Because it uses these fixed ports, L2TP/IPSec is easier to block than some other protocols.

Stability: L2TP/IPSec is not as stable as some of the more advanced VPN protocols. Its complexity can lead to frequent network drops.

Conclusion: L2TP/IPSec’s security is undoubtedly an improvement over PPTP, but it might not protect your data from advanced attackers. Its slow speeds and instability also mean that users should only consider using L2TP/IPSec if there are no other options.

IKEv2/IPSec

Internet Key Exchange version two (IKEv2) is a relatively new tunneling protocol that is actually part of the IPSec suite itself. Microsoft and Cisco cooperated on the development of the original IKEv2/IPSec protocol, but there are now many open-source iterations.

IKEv2 sets up a control channel by authenticating a secure communication channel between your device and the VPN server using the Diffie–Hellman key exchange algorithm. IKEv2 then uses that secure communication channel to establish what is called a security association, which simply means your device and the VPN server are using the same encryption key and algorithm to communicate.

Once the security association is in place, IPSec can create a tunnel, apply authenticated headers to your data packets, and encapsulate them with ESP. (Again, depending on which cipher is used, the ESP could handle the message authentication.) The encapsulated data packets are then encapsulated again in UDP so that they can pass through the tunnel.
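
The following block is an added example written for this article (it is not IKEv2, IPsec, WireGuard or Proton code) that walks through the two channels just described, and the control/data channel split from the overview above. A control channel runs one X25519 Diffie-Hellman exchange (Curve25519, the curve WireGuard uses) and turns the shared secret into a security association; a data channel then encapsulates an inner packet the way ESP does, with a clear header carrying an SPI and sequence number and an AES-256-GCM body authenticated together with that header (ESP supports AES-GCM in real IPsec too). The `SA` type, the `c2s`/`s2c` labels, the 12-byte header layout and the HMAC-SHA256 key expansion are this example's own choices standing in for what IKEv2 negotiates; the inner packet is a constructed byte string. Only the Go standard library is used (Go 1.20 or later, for crypto/ecdh).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SA is one side's view of a security association, the product of the control
// channel. As in IPsec, each direction has its own key, so the two peers can
// never encrypt under the same key and nonce. Names here are this example's own.
type SA struct {
	SPI    uint32      // security parameter index, sent in the clear in every packet
	send   cipher.AEAD // AES-256-GCM under this side's sending key
	recv   cipher.AEAD // AES-256-GCM under this side's receiving key
	seqOut uint64      // sequence number of the last packet sent
	seqIn  uint64      // highest sequence number accepted (minimal anti-replay check)
}

// controlChannel runs one X25519 Diffie-Hellman exchange (Curve25519, the curve
// WireGuard uses; IKEv2 negotiates a DH group the same way). Both key pairs are
// ephemeral, so no long-term secret can later recover this session's keys (PFS).
func controlChannel(spi uint32) (*SA, *SA, error) {
	curve := ecdh.X25519()
	clientPriv, errC := curve.GenerateKey(rand.Reader)
	serverPriv, errS := curve.GenerateKey(rand.Reader)
	if errC != nil || errS != nil {
		return nil, nil, errors.New("key generation failed")
	}
	// Only public keys cross the wire; each side combines its own private key
	// with the peer's public key and arrives at the same shared secret.
	clientSecret, errC := clientPriv.ECDH(serverPriv.PublicKey())
	serverSecret, errS := serverPriv.ECDH(clientPriv.PublicKey())
	if errC != nil || errS != nil {
		return nil, nil, errors.New("key agreement failed")
	}
	client := &SA{SPI: spi, send: aeadFor(clientSecret, "c2s"), recv: aeadFor(clientSecret, "s2c")}
	server := &SA{SPI: spi, send: aeadFor(serverSecret, "s2c"), recv: aeadFor(serverSecret, "c2s")}
	return client, server, nil
}

// aeadFor expands the shared secret into one directional key, HKDF-style:
// HMAC-SHA256(secret, label) yields 32 bytes, used as an AES-256-GCM key.
// The label strings are constants made up for this example.
func aeadFor(secret []byte, label string) cipher.AEAD {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte("example tunnel key " + label))
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		panic(err) // unreachable: the derived key is always 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a standard AES block
	return gcm
}

// Encapsulate builds one ESP-style data-channel packet: a 12-byte clear header
// (SPI || 64-bit sequence number) followed by AES-256-GCM(inner packet), with
// the header as additional authenticated data. The header doubles as the nonce.
func (sa *SA) Encapsulate(inner []byte) []byte {
	sa.seqOut++
	header := make([]byte, 12)
	binary.BigEndian.PutUint32(header[:4], sa.SPI)
	binary.BigEndian.PutUint64(header[4:], sa.seqOut)
	return append(header, sa.send.Seal(nil, header, inner, header)...)
}

// Decapsulate checks the SPI, rejects replayed sequence numbers, then verifies
// and decrypts. Any change to header or body fails authentication and the
// packet is dropped: the tamper-evidence the IPsec sections describe.
func (sa *SA) Decapsulate(packet []byte) ([]byte, error) {
	if len(packet) < 12 || binary.BigEndian.Uint32(packet[:4]) != sa.SPI {
		return nil, errors.New("malformed packet or unknown SPI")
	}
	header := packet[:12]
	seq := binary.BigEndian.Uint64(header[4:])
	if seq <= sa.seqIn {
		return nil, errors.New("replayed sequence number")
	}
	inner, err := sa.recv.Open(nil, header, packet[12:], header)
	if err != nil {
		return nil, errors.New("authentication failed: tampered or wrong key")
	}
	sa.seqIn = seq // advance only after the tag has verified
	return inner, nil
}

func main() {
	client, server, err := controlChannel(0x1000)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for an inner IP packet taken from the user's traffic.
	packet := client.Encapsulate([]byte("IPv4 10.8.0.2 -> 192.0.2.10: GET /"))
	inner, err := server.Decapsulate(packet)
	fmt.Printf("server decapsulated %q (err=%v)\n", inner, err)
}
```

Two details matter for a defender reading this. Each direction gets its own key, so the SPI-plus-sequence nonce can never repeat between the two peers, and the receiver only advances its anti-replay counter after the authentication tag verifies, so a forged packet cannot push genuine traffic out of the window. Real IPsec uses a sliding replay window rather than this strictly increasing counter, which would otherwise drop any packet the network reorders.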

IKEv2/IPSec is supported on Windows 7 and later versions, macOS 10.11 and later versions, as well as most mobile operating systems.

Encryption: IKEv2/IPSec can use a range of different cryptographic algorithms, including AES, Blowfish, and Camellia. It supports 256-bit encryption.

Speed: IKEv2/IPSec is a fast VPN protocol, although not usually as fast as hardware-accelerated OpenVPN or WireGuard.

Known vulnerabilities: IKEv2/IPSec has no known weaknesses, and almost all IT security experts consider it to be safe when properly implemented with Perfect Forward Secrecy.

Firewall ports: UDP port 500 is used for the initial key exchange and UDP port 4500 for NAT traversal. Because it always uses these ports, IKEv2/IPSec is easier to block than some other protocols.

Stability: IKEv2/IPSec supports the Mobility and Multihoming protocol, making it more reliable than most other VPN protocols, especially for users that are often switching between different WiFi networks.

Conclusion: With strong security, high speeds, and increased stability, IKEv2/IPSec is a good VPN protocol. However, the recent introduction of WireGuard means there are few reasons to choose it over the newer VPN protocol.

OpenVPN

OpenVPN is an open-source tunneling protocol. As opposed to VPN protocols that rely on the IPSec suite, OpenVPN uses SSL/TLS to handle its key exchange and set up its control channel, and a unique OpenVPN protocol to handle encapsulation and the data channel.

This means that both its data channel and control channel are encrypted, which makes it somewhat unique compared to other VPN protocols. It is supported on all major operating systems via third-party software.

Encryption: OpenVPN can use any of the different cryptographic algorithms contained in the OpenSSL library to encrypt its data, including AES, RC5, and Blowfish.

Learn more about AES encryption

Speed: When using UDP, OpenVPN maintains fast connections, although IKEv2/IPSec and WireGuard are generally accepted to be quicker.

Known vulnerabilities: OpenVPN has no known vulnerabilities as long as it is implemented with a sufficiently strong encryption algorithm and Perfect Forward Secrecy. It is the industry standard for VPNs concerned about data security.

Firewall ports: OpenVPN can be configured to run on any UDP or TCP port, including TCP port 443, which handles all HTTPS traffic and makes it very hard to block.

Stability: OpenVPN is very stable in general and has a TCP mode for defeating censorship.

Conclusion: OpenVPN is secure, reliable, and open source. It is one of the best VPN protocols currently in use, especially for users concerned primarily about data security. Its ability to route connections over TCP (see below) also makes it a good choice for evading censorship. However, although it lacks OpenVPN’s anti-censorship advantage, WireGuard is also secure and is faster than OpenVPN.

WireGuard®

WireGuard is an open-source VPN protocol that is secure, fast, and efficient.

Encryption: WireGuard uses ChaCha20 for symmetric encryption (RFC 7539), Curve25519 for anonymous key exchange, Poly1305 for data authentication, and BLAKE2s for hashing (RFC 7693). It automatically supports Perfect Forward Secrecy.

Speed: WireGuard uses new, high-speed cryptographic algorithms. ChaCha20, for example, is much simpler than an AES cipher of equal strength and nearly as fast, even though most devices now come with instructions for AES built into their hardware. The result is that WireGuard offers fast connection speeds and has low CPU requirements.

Known vulnerabilities: WireGuard has undergone various formal verifications, and to be incorporated in the Linux kernel, the WireGuard Linux codebase was independently audited by a third party.

Firewall ports: WireGuard can be configured to use any port and usually runs over UDP. However, Proton VPN also offers WireGuard TCP in most of our apps.

Stability: WireGuard is a very stable VPN protocol and introduces new features that other tunneling protocols do not have, such as maintaining a VPN connection while changing VPN servers or changing WiFi networks.

Conclusion: A state-of-the-art VPN protocol, WireGuard is fast, efficient, and secure. It is not as “battle-tested” as OpenVPN and does not offer OpenVPN’s TCP-based anti-censorship capabilities (see below), but for most people, most of the time, it is the VPN protocol we recommend using.

Learn more about WireGuard

OpenVPN vs. WireGuard

Stealth

Stealth is a new VPN protocol developed by Proton. With it, you can access censored sites and communicate with people on social media, even when regular VPN protocols are blocked by your government or organization.

Stealth is based on WireGuard tunneled over TLS. It therefore uses the same encryption as WireGuard, with an added layer of TLS encryption. It is otherwise identical to WireGuard (described above). 
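
To show what “tunneled over TLS” means in practice, here is an added example written for this article. It is not Proton’s Stealth code, and Proton has not published Stealth’s wire format, so everything below is an assumption about the technique rather than a description of the product. A WireGuard packet is a UDP datagram, so a wrapper must mark each packet’s boundaries inside the TLS byte stream; this example uses a 2-byte length prefix per datagram. The in-process echo server, its self-signed certificate (which the client pins rather than trusting a CA), the host name stealth-demo.invalid and the function names are all constructed for the demo. The WireGuard payload is treated as opaque bytes, which is exactly how such a wrapper sees it: WireGuard’s own encryption happens before the bytes enter the tunnel, and TLS adds the second layer the text mentions. Go 1.20 or later with only the standard library is assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// A WireGuard packet is a UDP datagram with its own boundaries, while a TLS
// session is a byte stream, so each datagram travels as one frame: a 2-byte
// big-endian length followed by the packet bytes (this example's own framing).
func writeDatagram(w io.Writer, pkt []byte) error {
	if len(pkt) > 65535 {
		return errors.New("datagram too large for a 16-bit length prefix")
	}
	frame := make([]byte, 2+len(pkt))
	binary.BigEndian.PutUint16(frame, uint16(len(pkt)))
	copy(frame[2:], pkt)
	_, err := w.Write(frame)
	return err
}

func readDatagram(r io.Reader) ([]byte, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	pkt := make([]byte, binary.BigEndian.Uint16(hdr[:]))
	_, err := io.ReadFull(r, pkt)
	return pkt, err
}

// must keeps the setup code short: any setup failure in this demo is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert makes a throwaway server certificate so the demo runs offline;
// the client pins exactly this certificate instead of trusting a CA.
func selfSignedCert(name string) (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// stealthRoundTrip opens a TLS 1.3 session to an in-process echo server on the
// loopback interface, sends each datagram through it and returns the echoes.
func stealthRoundTrip(datagrams [][]byte) ([][]byte, error) {
	const name = "stealth-demo.invalid" // reserved TLD, constructed for the demo
	cert, pool := selfSignedCert(name)
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
	go func() { // server side: decapsulate each datagram and send it straight back
		conn := tls.Server(must(ln.Accept()), serverCfg)
		defer conn.Close()
		for {
			pkt, err := readDatagram(conn)
			if err != nil || writeDatagram(conn, pkt) != nil {
				return
			}
		}
	}()
	clientCfg := &tls.Config{RootCAs: pool, ServerName: name, MinVersion: tls.VersionTLS13}
	client := must(tls.Dial("tcp", ln.Addr().String(), clientCfg))
	defer client.Close()
	var echoes [][]byte
	for _, d := range datagrams {
		if err := writeDatagram(client, d); err != nil {
			return nil, err
		}
		echo, err := readDatagram(client)
		if err != nil {
			return nil, err
		}
		echoes = append(echoes, echo)
	}
	return echoes, nil
}

func main() {
	fmt.Println(stealthRoundTrip([][]byte{[]byte("constructed WireGuard packet")}))
}
```

Seen from a middlebox, the connection is an ordinary TLS 1.3 session on whatever TCP port the server listens on, which is why this construction gets through networks that block UDP or regular VPN protocols. The cost is that WireGuard now runs over TCP, so the TCP-over-TCP behaviour described in the TCP vs. UDP section below applies to it.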

Learn more about Stealth

Other important terms

Going through the comparisons of the different VPN protocols, you may have encountered acronyms or technical terms that you were not familiar with. We explain some of the most important ones here.

TCP vs. UDP

The Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are the two different ways that devices can communicate with each other over the internet. They both run on the Internet Protocol, which is responsible for sending data packets to and from IP addresses.

When you see that a tunneling protocol uses a TCP port or a UDP port, it means that it sets up a connection between your computer and the VPN server using one of these two protocols.

Whether a VPN protocol uses TCP, UDP, or both can significantly affect its performance. The TCP primarily focuses on delivering data accurately by running additional checks to ensure that data is in the proper order and correcting it if it’s not.

This sounds like a good feature, but performing checks takes time, resulting in slower performance. Running a VPN over TCP (TCP over TCP) can slow down your connection in what’s called a TCP meltdown.

For example, if you have TCP traffic passing through an OpenVPN TCP tunnel and the TCP data in the tunnel detects an error, it will try to compensate, which could cause the TCP tunnel to overcompensate. This process can cause severe delays in the delivery of your data.

However, it is also good for defeating censorship. This is because HTTPS traffic uses TCP port 443, so if you route your VPN connection over the same port, it looks like ordinary secure (HTTPS) traffic.

The ability to run VPN traffic over port 443 is one of the biggest advantages of using OpenVPN (and WireGuard, if using Proton VPN’s custom TCP implementation of the protocol).

Learn more about TCP and UDP

Perfect Forward Secrecy

Perfect Forward Secrecy is a critical security component of encrypted communication. It refers to operations that govern how your encryption keys are generated. If your VPN supports Perfect Forward Secrecy, it will create a unique set of keys for each session (i.e., each time you establish a new VPN connection).

This means that even if an attacker somehow gets one of your keys, they can only use it to access data from that specific VPN session. The data in the rest of your sessions would remain safe since different unique keys protect them. It also means that your session key will remain secure even if your VPN’s private key is exposed.

Protocols used by Proton VPN apps

We started Proton VPN to ensure activists, dissidents, and journalists have secure and private access to the internet. To keep the Proton community safe, we only use trusted and vetted VPN protocols. The following list shows which VPN protocols are supported in our different apps:

  • Windows: OpenVPN, WireGuard®, and Stealth
  • macOS: OpenVPN, IKEv2, WireGuard, and Stealth
  • Android: OpenVPN, WireGuard, and Stealth
  • iOS/iPadOS: OpenVPN, IKEv2, WireGuard, and Stealth
  • Linux: OpenVPN and WireGuard

You can use OpenVPN and WireGuard in UDP or TCP mode.

Learn how to change VPN protocols

Our Windows, macOS, Android, and iOS/iPadOS apps support Smart Protocol. This anti-censorship feature intelligently probes networks to discover the best VPN protocol configuration required for optimal performance or to bypass censorship.

For example, it can automatically switch from IKEv2 to OpenVPN, or OpenVPN UDP to OpenVPN TCP, using different ports as required.

Learn more about Smart Protocol

All of our apps use the strongest security settings supported by the VPN protocol. OpenVPN, WireGuard, and IKEv2/IPSec are the only protocols that the vast majority of IT security experts agree are secure.

We refuse to offer any VPN connections using PPTP or L2TP/IPSec (even though they are cheaper to run and easier to configure) because their security does not meet our standards.

When you sign in to Proton VPN, you can be confident that your VPN connection is using the latest and strongest tunneling protocols.

Best regards,
The Proton VPN Team
