Are you interested in VPN solutions, but don’t know much about terms like IPSec, OpenVPN, and WireGuard? VPNheroes explains what’s behind them!
Many commercial providers of VPN services usually support several VPN protocols to secure the communication between home computer and Internet server. VPN protocols are at the heart of a virtual private network (VPN) and enable secure and anonymous Internet connections.
The multitude of protocols and standards used does not make it easy to keep track. VPNheroes helps and presents the most popular VPN protocols.
What is a VPN protocol?
For communication between two computers or between client and server, it is necessary to agree on a common language. Commands and processes form different sets of rules, which are combined in a protocol. The protocol thus forms the basis for an orderly conversation between your home PC and, for example, an Internet server.
The special feature of VPN protocols compared to other rule sets is that the “VPN language” provides additional tools to encrypt data using cryptographic methods. As in a tunnel, this makes the mutual communication of the participants invisible to outsiders.
OpenVPN: The industry standard
OpenVPN is free software used by most VPN providers and is one of the most popular VPN protocols. It has established itself as the de facto standard and is suitable for most use cases.
As an open source project, it also benefits from the expertise of a large and, above all, free developer community, which continually checks the very extensive program code for gaps and improves performance. In addition, the process is transparent and allows the lines of code to be checked by third parties.
To build a virtual private network, OpenVPN uses the OpenSSL library and secures its connections with TLS. OpenVPN works with various encryption algorithms, including 3DES, AES, RC5 and Blowfish.
Properly implemented, OpenVPN provides a very high level of security and stability in different networks, such as (W)LAN and cellular. For data transport, OpenVPN uses either TCP or UDP, which ensures flexible data transmission. In addition, the VPN protocol works very well with firewalls.
Either passwords or certificates are used as authentication methods. Furthermore, OpenVPN is available on many platforms and is supported by all common operating systems, including Windows, macOS, Linux, Unix, Android and iOS. But before it can be used on a system, additional software and further configurations are usually required.
- Very secure
- Open source
- Available on many platforms and operating systems
- Stable connections
- Firewall compatible
- High effort for troubleshooting
- Not usable “out of the box”
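To make the preceding points concrete, here is an added example of an OpenVPN client configuration (not taken from the article or from the OpenVPN project): it uses UDP transport, certificate-based authentication, and the control-channel and cipher settings that keep the “very secure” claim true in practice. The server name vpn.example.com, the port, and the key and certificate file names are assumptions for illustration.

```text
client
dev tun
# UDP is the usual choice; "proto tcp" also works where only TCP passes the firewall
proto udp
# Hypothetical server name and the OpenVPN default port
remote vpn.example.com 1194
nobind
persist-key
persist-tun

# Certificate-based authentication (the second of the two methods mentioned above)
ca ca.crt
cert client.crt
key client.key
# Refuse to talk to a server whose certificate was not issued for the server role
remote-cert-tls server
# Pin the expected server identity to the certificate's common name
verify-x509-name vpn.example.com name

# Encrypt and authenticate the TLS handshake packets with a pre-shared key,
# which also hides the OpenVPN control channel from casual inspection
tls-crypt ta.key
tls-version-min 1.2

# Data-channel ciphers: negotiate an AEAD cipher. The 64-bit-block ciphers the
# article lists (3DES, Blowfish) only remain for compatibility with old servers
# and should not be selected for new deployments.
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
verb 3
```

The file illustrates the “not usable out of the box” point as well: the certificate authority file, the client certificate and key, and the tls-crypt key must all be generated and distributed before the first connection succeeds, which is the additional configuration work the text refers to.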
IKEv2/IPSec: Stable on the move
The first version of Internet Key Exchange (IKEv1) was co-developed by telecommunications company Cisco Systems, while version 2 (IKEv2) was created in cooperation with Microsoft. Interesting detail: IKEv1 is based in part on the Internet Security Association and Key Management Protocol (ISAKMP), which the U.S. National Security Agency (NSA) also helped develop.
IKEv2 is part of the IPSec protocol collection and ensures the secure exchange of keys used for IPSec. IPSec (Internet Protocol Security) supports a number of different encryption algorithms, including 3DES, AES, Blowfish, and Camellia.
The system configuration of IKEv2/IPSec is complex on the server side, and the protocol uses a fixed UDP port for communication, which quite often leads to conflicts with firewalls. IPSec is part of the Internet Protocol family (IPv4 and IPv6) and is generally considered a secure and very fast VPN protocol.
However, there have been allegations in the past that the NSA cracked the underlying encryption algorithm as part of the so-called Bullrun program.
This was never confirmed by experts, however, and the underlying vulnerability has since been fixed. IKEv2 is very well suited for mobile connections, as it automatically reconnects if you temporarily lose your Internet connection, for example when entering an elevator or traveling through a tunnel.
- Very fast
- Available on many platforms
- Stable connections, strong in mobile use
- Complex configuration on server side
- Fixed UDP port leads to firewall conflicts
WireGuard: The beacon of hope
Among the current VPN protocols, WireGuard is the youngest and also the most promising representative in the round, but is still in an early stage according to the developer. The open source project claims to provide a particularly simple, secure and, above all, fast VPN protocol.
WireGuard’s special feature is that the protocol is part of the Linux kernel and has a very small code size. The developers expect this to offer significant advantages in terms of maintenance and troubleshooting of the program code, as well as significantly higher processing speeds. In addition, the Linux integration is supposed to noticeably reduce the computing effort and thus the energy requirement, which is particularly interesting for mobile devices.
WireGuard uses an algorithm called ChaCha20 for data encryption. Although the VPN protocol was originally developed for Linux, it is also available for other platforms, including Windows, macOS, Android and iOS. Despite its development status, WireGuard is already used by some commercial VPN providers, including Hide.me, Mullvad VPN, NordVPN, and Surfshark.
NordVPN circumvents the problem of static IP addresses in its WireGuard solution with an additional NAT server that distributes dynamic IP addresses.
At the moment, WireGuard is still a construction site that is being worked on diligently. Nevertheless, you can already get a good idea of what the crypto vehicle will look like in the end.
One problem at the moment is the comparatively weaker anonymity, since WireGuard works with fixed IP addresses. The future will show in which direction the newcomer will develop and how it will perform in practice – and whether the advance praise is ultimately justified.
- Very stable, even when changing networks
- Extremely fast
- Open source
- Part of the Linux kernel
- Available for many platforms
- Early stage of development
- Anonymity only guaranteed with additional solutions
SoftEther VPN: Master’s thesis from Japan
SoftEther was developed at the Japanese University of Tsukuba as part of a master’s thesis by student Daiyuu Nobori and has been available for free download since 2013. The VPN protocol overcomes firewalls and is considered immune to so-called deep packet inspection (DPI), a technique also used by authoritarian regimes to screen individual data traffic.
Data packets that pass through a VPN tunnel usually bear the VPN stamp in large letters. Although the data in the packet remains protected, government authorities and Internet providers can easily fish out and block these VPN packets. This is common practice in China, Iran and Russia, for example, where the data stream from VPN services is largely blocked.
The protocol is part of the SoftEther VPN software and, like OpenVPN and WireGuard, is published under an open source license. The software package can handle several VPN protocols and runs on various platforms such as Windows, macOS, Linux, FreeBSD and Solaris.
It is installed as separate client and server software and is also suitable for users who want to operate their own VPN. The Japanese solution is one of the lesser known representatives among VPN protocols. Currently, Hide.me is the only commercial VPN provider that uses SoftEther.
- Open Source
- Overcomes firewalls
- Available for many platforms and versatile
- Not very widespread
Catapult Hydra and Chameleon: The homebrewers
Catapult Hydra, the name sounds dashing and mysterious at the same time and reminds a bit of the secret organization from the Marvel comics. The VPN protocol is a proprietary development of the American software company AnchorFree (now: Aura) and is used in Hotspot Shield, the manufacturer’s VPN service, among others.
Catapult Hydra is based on the widely used encryption protocol Transport Layer Security (TLS). The manufacturer promises a significantly increased speed compared to conventional VPN solutions based on TLS. However, the manufacturer is conspicuously reticent with details about Catapult Hydra.
A transparent audit process, as is common with open source projects like OpenVPN and WireGuard, does not take place with the patent-protected Catapult Hydra. Thus, the VPN protocol remains closed to outsiders for auditing purposes. Nevertheless, other VPN providers like Kaspersky and Bitdefender also use Catapult Hydra in their products.
Like Catapult Hydra, Chameleon belongs to the proprietary VPN protocols and is currently only used by one manufacturer. The developers at Golden Frog promise for their VPN service VyprVPN that VPN data identified via Deep Packet Inspection (DPI) can no longer be blocked.
The Chameleon protocol, which is based on OpenVPN, tries to change its shape at this point and adapt to its environment by appearing as inconspicuous as the unencrypted packets in the large data stream of the Internet. However, such obfuscation features – using alternative, proxy-based techniques – are also available from other VPN providers such as NordVPN, Surfshark and Hide.me.
- Optimally tailored to the service
- Fast speeds
- Code cannot be checked for vulnerabilities
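The SoftEther section above describes how VPN packets “bear the VPN stamp” and how deep packet inspection picks them out, and the Chameleon section describes obfuscation as the answer. The following added example (not code from the article or from any of the providers named) shows what that stamp actually is for two protocols discussed on this page: the cleartext packet headers of WireGuard and OpenVPN over UDP. A network administrator can use the same logic to inventory tunnels leaving their own network. The sample packets, addresses and ports are constructed for the example; the header layouts follow the published WireGuard and OpenVPN wire formats.

```python
"""DPI-style fingerprinting of WireGuard and OpenVPN UDP packets (added example)."""

# WireGuard: 1-byte message type, 3 reserved zero bytes, fixed lengths for the
# handshake messages, variable length (at least 32 bytes) for transport data.
WIREGUARD_TYPES = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
    4: ("transport_data", None),
}

# OpenVPN: first byte = (opcode << 3) | key_id, then an 8-byte session ID.
# Only the session-establishing control packets are recognisable from the
# header alone; data packets are attributed by following the flow afterwards.
OPENVPN_OPCODES = {
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}


def classify_udp_payload(payload: bytes) -> str:
    """Return 'wireguard:<msg>', 'openvpn:<opcode>' or 'unknown' for one UDP payload."""
    # WireGuard check: known type byte, reserved bytes zero, plausible length.
    # The length check keeps false positives from random data low.
    if len(payload) >= 4 and payload[0] in WIREGUARD_TYPES and payload[1:4] == b"\x00\x00\x00":
        name, size = WIREGUARD_TYPES[payload[0]]
        if (size is None and len(payload) >= 32) or len(payload) == size:
            return f"wireguard:{name}"
    # OpenVPN check: a hard-reset opcode with key_id 0 starts every new session.
    # Even with tls-crypt, opcode and session ID stay in cleartext.
    if len(payload) >= 14:
        opcode, key_id = payload[0] >> 3, payload[0] & 0x07
        if opcode in OPENVPN_OPCODES and key_id == 0:
            return f"openvpn:{OPENVPN_OPCODES[opcode]}"
    return "unknown"


def flow_key(src: str, dst: str) -> tuple:
    """Direction-agnostic key for a UDP conversation between two endpoints."""
    return tuple(sorted((src, dst)))


def classify_flows(packets) -> dict:
    """Label whole flows: once a handshake is seen, later packets inherit the label.

    packets is an iterable of (src, dst, payload). This mirrors how DPI systems
    work: identify the tunnel from its first packets, then treat the 5-tuple
    as VPN traffic, which is exactly what obfuscating protocols try to prevent.
    """
    labels = {}
    for src, dst, payload in packets:
        key = flow_key(src, dst)
        label = classify_udp_payload(payload)
        if label != "unknown":
            labels[key] = label.split(":")[0]
        elif key not in labels:
            labels[key] = "unknown"
    return labels


# Constructed sample payloads (not captured traffic).
WG_INIT = b"\x01\x00\x00\x00" + bytes(144)          # 148-byte handshake initiation
WG_DATA = b"\x04\x00\x00\x00" + bytes(60)           # 64-byte transport packet
OVPN_CLIENT_RESET = bytes([7 << 3]) + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x01"
OVPN_DATA_V2 = bytes([9 << 3]) + bytes(40)          # P_DATA_V2, unrecognisable on its own
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")

SAMPLE_PACKETS = [
    ("10.0.0.5:51820", "203.0.113.7:51820", WG_INIT),
    ("203.0.113.7:51820", "10.0.0.5:51820", WG_DATA),
    ("10.0.0.9:40000", "198.51.100.2:1194", OVPN_CLIENT_RESET),
    ("10.0.0.9:40000", "198.51.100.2:1194", OVPN_DATA_V2),
    ("10.0.0.3:53001", "192.0.2.53:53", DNS_QUERY),
]

if __name__ == "__main__":
    for key, label in classify_flows(SAMPLE_PACKETS).items():
        print(f"{key[0]} <-> {key[1]}: {label}")
```

Running the block labels the first two flows as WireGuard and OpenVPN and leaves the DNS exchange unknown. Note that the OpenVPN data packet is only attributed because its flow already carried a recognisable handshake; an obfuscation layer that hides the handshake, or a proxy in front of the tunnel, removes exactly the signal this classifier depends on.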
L2TP/IPSec, PPTP, SSTP: The old guard
The Layer 2 Tunneling Protocol (L2TP) is often combined with IPSec for encryption, since L2TP does not provide its own crypto procedure for the data stream. Therefore, all statements about the security of IPSec can in principle also be applied to L2TP.
L2TP/IPSec supports very good encryption algorithms with 3DES and AES, but is not necessarily one of the fastest representatives among the VPN protocols. In addition, it often collides with the security settings of the firewall, which blocks the UDP port used by L2TP/IPSec. It is available on many platforms, but is suspected of being compromised by the American intelligence agency NSA.
The Point-to-Point Tunneling Protocol (PPTP) was used for a long time by Microsoft for in-house VPNs and was the first VPN protocol supported by Windows, which is why it was very common. Due to serious security holes in the protocol and the vulnerability of the built-in crypto methods, it is now generally not recommended to use PPTP as a VPN protocol.
The Secure Socket Tunneling Protocol (SSTP) also comes from Microsoft and was specially developed for use in so-called end-to-site scenarios. In this case, an employee’s computer is to be given access to the company network from home, protected by a VPN tunnel.
SSTP relies on the cryptographic methods available in TLS, such as AES and ChaCha20, for encryption. SSTP is considered very secure and allows clients to access a network behind a firewall. It therefore does not suffer from the typical problems of other VPN protocols such as IPSec and PPTP. However, its specialization in a single usage scenario also leaves it with rather little importance in the competition among VPN protocols.
VPN protocols: also a matter of trust
With VPN services, the protocols and encryption methods used are primarily a matter of trust. You have to trust that the service does exactly what it claims to do, and you have to rely on the protection measures being state of the art. But which VPN protocol is right for you now?
Is the protocol that is subject to a continuous and transparent audit process, as is common with open source projects, more trustworthy? Or do you rely on the proprietary protocol of a single manufacturer, which has been tailored precisely to the respective VPN service, but at the same time is developed, optimized and controlled behind closed doors? If you take pure trustworthiness, open source-based solutions come out on top due to their high level of transparency.
What is the best VPN protocol?
The question of the best protocol is not so easy to answer. In principle, a choice between several protocols is ideal, as this gives the user several options depending on the use case. OpenVPN offers the best compromise of stability, security and speed and is suitable for many application scenarios. It is closely followed by WireGuard, which has bright future prospects and scores with its sophisticated security features and blazing fast speed.
Many VPN providers have already worked around the weak point of static IP addresses. Nevertheless, you should keep in mind that WireGuard is not yet fully mature. IKEv2 is especially suitable for mobile connections, for example with a smartphone. In the long run, however, WireGuard could outperform IKEv2, since one of WireGuard’s strengths is its protection against sudden network changes, such as from WLAN to LTE.