VPN Protocol Comparison: PPTP vs SSTP vs OpenVPN vs L2TP vs IKEv2
VPN protocols may sound like a complicated matter, but don't worry - we've explained them all in detail and made them easy to understand. Learn all about the pros and cons of PPTP, L2TP, OpenVPN, SSTP, and IKEv2. Share
A VPN’s first duty is to protect your privacy, which is why encryption is undoubtedly the most important aspect of any VPN service. And VPN encryption is all about protocols.
Simply put, the extent to which your traffic is protected depends heavily on the VPN protocol you’re using. Currently, five popular protocols can be found in most commercial VPN services – PPTP, SSTP, OpenVPN, L2TP/IPsec, and IKEv2.
So how do you choose the best VPN protocol for your needs? The answer seems simple enough: you need to compare them. This comparison, however, can be a bit difficult if you don’t have a lot of technical expertise.
We’d love to help you out – below, you’ll find a detailed overview of each of the widely used VPN protocols. Our goal is to give you the benefits and drawbacks, as well as advice on when to use or avoid a particular protocol, in a way that’s easily understandable.
Keep in mind, though, that VPN encryption is an extremely complex topic. No single article can serve as a “crash course” on this subject, and some degree of technical understanding is required. If you’re making your first steps into the world of VPN technology, we invite you to start with our beginner’s guide before continuing with this article.
VPN Protocol Comparison: Quick Answer
If you simply want to use the VPN protocol recommended by industry experts and VPN providers alike, here’s a very quick summary for you:
- Use OpenVPN when available.
- Stay as far from PPTP as you can.
- Avoid SSTP if possible.
- L2TP is a good choice if implemented correctly, but not recommended.
- IKEv2’s open source iterations are a decent alternative to OpenVPN.
OpenVPN is currently considered the most secure VPN protocol – as such, it has become the industry standard. Premium VPN providers offer full support for OpenVPN with native clients and valuable features, as well as support for other popular VPN protocols. We’ve rounded up the best VPN services with OpenVPN support in the following chart:
And now, we offer our detailed VPN protocol comparison, with both a brief summary and a thorough analysis of each protocol.
VPN Protocol Comparison: The Basics
What sets apart one VPN protocol from the rest? In short, it’s security. In this case, security has two different but equally important meanings.
First, there are the steps a protocol implements to protect your traffic – encryption strength, ciphers, hash authentication, and more. Then, there is the protocol’s resistance to cracking. This depends on both the protocol’s features and external factors, such as where it was created and whether it has been compromised by the US NSA.
Each of the five protocols in this comparison has its advantages and flaws, but for overall security, there are clear favorites. Let’s have a deeper look.
In a sentence: The veteran VPN protocol – corporate standard, available on virtually any device, but has a lot of issues
PPTP in Detail
Point-to-Point Tunneling Protocol has been around since 1999, which makes it the first real VPN protocol to become available to the public.
Today, PPTP is still widely used in corporate VPNs. A big reason for this is the fact it comes built-in on pretty much any platform. This also makes it very easy to set up, since it doesn’t require any additional software.
PPTP was created by a consortium led by Microsoft. It utilizes Microsoft Point-to-Point Encryption (MPPE), along with MS-CHAP v2 authentication. While these days you’ll rarely find anything other than 128-bit encryption with this protocol, it still suffers from alarming security risks.
In the past, it was demonstrated that PPTP could be cracked in just two days – a problem that has since been patched by Microsoft. But even Microsoft itself recommends using SSTP or L2TP/IPSec, which says enough about how reliable PPTP is nowadays.
There are other glaring issues with this protocol. The biggest one by far is the NSA – by now, there’s no doubt that the agency can decrypt data encrypted via PPTP, and have been doing since long before such issues were common knowledge. In short, PPTP isn’t a challenge for the NSA, and it will hardly stop anyone from breaking the code and collecting your data.
Speed can be considered the only advantage of PPTP, but even that’s debatable. While the protocol doesn’t require too much processing power (meaning your speed isn’t heavily affected), there’s a big drawback – PPTP can be easily blocked. It can’t work without port 1723 and the General Routing Encapsulation (GRE) protocol, and the latter can simply be firewalled to prevent any PPTP connections.
What’s more, PPTP can be very ineffective if your connection suffers from packet loss. In such situations, the protocol attempts numerous re-transmissions. Since PPTP tunnels TCP (Transmission Control Protocol) through TCP, these attempts to re-transmit happen on both levels and often result in a massive slowdown. The only solution is to reset your connection, which is both frustrating and time-consuming.
Overall, PPTP is a dated, horribly insecure VPN protocol by today’s standards. It’s widely regarded as obsolete, and its flaws heavily outweigh its benefits.
Summary: Avoid PPTP at all costs if you care about your privacy. That said, it can be useful for unblocking content, provided the protocol itself isn’t blocked.
In a sentence: A stable protocol that works great with Windows, but you have to trust the people behind it a bit too much
SSTP in Detail
If PPTP was Microsoft’s first attempt at creating a secure, reliable VPN protocol, then SSTP is the newer, better version.
First seen in Windows Vista SP1, Secure Socket Tunneling Protocol uses SSL 3.0 and provides much higher levels of security than PPTP. Over the years, this VPN protocol has made it to Linux, SEIL, RouterOS, and even Apple’s Mac OS X – however, it’s still mainly centered on Windows.
This shouldn’t be a surprise, as SSTP is a proprietary encryption standard owned by Microsoft. Is that a good or bad thing? Well, that depends on your opinion of the tech giant.
Here are the facts: SSTP is fully integrated into Windows, which makes it incredibly easy to set up. It also enjoys support from Microsoft, so it’s one of the most dependable protocols to run if you have a Windows machine. Moreover, SSTP deals pretty well with firewalls, and as with OpenVPN (see below), you can use TCP port 443 if you’re struggling with extensive censorship.
On the downside, SSTP is only as secure as your trust in Microsoft. Since the code isn’t available to the public, no one besides the owner knows the details behind this protocol. And given Microsoft’s past dealings with the NSA, as well as serious rumors about backdoors existing in the Windows OS, there are good reasons why users are suspicious about how secure SSTP actually is.
There’s more: SSL 3.0 is now deprecated by the Internet Engineering Task Force (IETF), after it was successfully targeted by POODLE attacks. Currently, no one but Microsoft knows if SSTP is susceptible to such attacks, but since it’s largely built upon SSL 3.0, we (and many others) recommend not using this VPN protocol anymore.
Summary: SSTP does much better than PPTP, and it has functional advantages over other VPN protocols on Windows. However, it comes with a couple of potentially serious issues, and its owners shouldn’t be trusted blindly by the privacy-conscious.
In a sentence: The industry standard VPN protocol – transparent, regularly updated, and your best bet for guaranteed security.
OpenVPN in Detail
OpenVPN is favored and recommended by most VPN experts, and there are several good reasons for that.
Let’s start with the most important aspect – security. The OpenVPN protocol comes in many different shapes and sizes, but even its “weakest” configuration can be impressive. Whether you’re using the default Blowfish-128 cipher for casual purposes, or you’re enjoying top-shelf AES-256 encryption, OpenVPN offers solid protection.
The best part about OpenVPN is the configuration options available. These allow you to customize it for extra security or speed, and to reliably evade censorship. While OpenVPN performs best on User Datagram Protocol (UDP) ports, it can run on virtually any port – including TCP 443, which essentially masks your VPN connection as HTTPS traffic and prevents blocking. That is a major benefit in countries with heavy censorship.
Another great thing about OpenVPN is its open source code. Developed and supported by the OpenVPN project, this protocol has a strong community behind it that keeps everything up to date. The open source nature of the technology has also allowed for various audits to be conducted – and none of them has found serious security risks so far.
While the OpenVPN protocol isn’t natively available, there are third-party clients to make it run on any major platform. Many of the best VPN providers offer their own OpenVPN-supporting interfaces, which usually come with numerous handy features.
Summary: Use OpenVPN as your preferred protocol whenever you can, but make sure your VPN service has implemented it well. If your VPN provider doesn’t support OpenVPN, consider canceling your VPN service and looking for a better one.
In a sentence: A multi-platform VPN protocol that offers adequate security and better speed in theory, but is often poorly implemented in practice.
L2TP in Detail
Layer 2 Tunneling Protocol was developed around the same time as PPTP. The two share a few similarities; both are widely available and easy to run on major platforms.
L2TP, however, doesn’t encrypt anything by itself. This is why you almost always find it in tandem with IPSec. You might see this combination listed as just “L2TP” or “IPSec,” but if you’re looking at a VPN, these protocol names always mean L2TP/IPsec.
Nowadays, secure L2TP comes with AES ciphers only. In the past, 3DES ciphers were employed, but various collision attacks have put them out of use.
Even though L2TP encapsulates data twice, it’s still faster than OpenVPN – at least in theory. In reality, the difference isn’t worth the extra headaches.
What headaches, you ask? Here’s the thing: L2TP isn’t exactly versatile. Like PPTP, it suffers from limited ports. This can make your situation very difficult if you’re using the protocol behind a NAT firewall. Even if you aren’t, a limited number of ports means L2TP can be blocked effortlessly.
What’s more concerning is the fact L2TP may be compromised – and even tampered with – by the NSA. While there’s no concrete proof for these claims, Edward Snowden has strongly implied that L2TP has been cracked.
Lastly, L2TP often suffers from an issue that’s more related to VPN providers than the protocol itself. Usually, to run L2TP on your VPN, you’ll use a pre-shared key (PSK). Here’s the big problem: most of the time, these keys can be easily grabbed from your provider’s website. While this isn’t a direct security risk (your AES-encrypted data will be safe), it can give hackers the opportunity to eavesdrop on a VPN server, opening the door to potential data theft and malware planting.
Summary: If done right, L2TP/IPsec is a good enough protocol for casual use. However, we recommend avoiding it if possible, due to the worrisome NSA-related speculation around it.
In a sentence: A strong, secure protocol that’s ideal for mobile devices – but not the most popular around.
IKEv2 in Detail
Internet Key Exchange version 2 is the product of Microsoft and Cisco’s joint efforts to create a secure, flexible tunneling protocol.
That’s right – IKEv2 by itself is just a tunneling protocol. Much like L2TP, it becomes a VPN protocol when paired with IPSec. And similarly, the IKEv2/IPSec pair is often shortened to just “IKEv2”.
You can find native support for IKEv2 on any Windows platform after Windows 7. It’s also available on iOS and Blackberry. Multiple open source versions of IKEv2 exist, independent of Microsoft/Cisco and supported by other platforms like Linux and Android. However, you might need to install third-party software in order to run those.
IKEv2 is a robust VPN protocol when using AES encryption, but its biggest advantage is stability. It automatically resumes working as normal after a temporary interruption of your connection, such as a power outage if you’re on your laptop or entering a real-world tunnel if you’re on your mobile device.
IKEv2 also supports the Mobility and Multihoming protocol (MOBIKE), which makes it very useful if you’re constantly switching connections – like if you’re bouncing between internet cafés and mobile network data usage as you explore a new city.
As a more recently developed protocol, IKEv2 doesn’t enjoy the same popularity as L2TP, but it’s much more dependable in all categories.
Summary: Choose IKEv2 if you travel often and/or have a Blackberry device. It’s a viable alternative to OpenVPN if you’re on mobile, but we recommend using open source versions instead of the Microsoft/Cisco one.
VPN Protocol Comparison: Summary
There you have it – our in-depth VPN protocol comparison. We hope we’ve given you a better idea of what each VPN protocol offers, and how it stacks up against the rest. But if you want to dive even deeper into these issues, we can happily accommodate that desire with our ultimate guide to VPN tunneling.
Did you know that you can get wonderful discounts on premium VPNs that support all major protocols? Take a look at the best VPN deals happening right now, and check back often because there are new offers coming in all the time!