The most widely used VPN protocols are PPTP, IPSec and OpenVPN. We are being asked about the differences between these protocols almost every day. This article is meant to help shed some light on the situation and offer a comparison between the VPN protocols without getting too technical. Let’s go!
PPTP is the “dinosaur” among the VPN protocols. It has been part of almost every operating system for more than 20 years and is very easy to set up. All you need to connect is the address of the PPTP server, a username and a password.
Unfortunately, time has taken its toll on PPTP: vulnerabilities have been discovered that allow the encryption used by PPTP to be cracked, exposing the supposedly encrypted data to attackers. Attacking PPTP successfully takes a considerable amount of computing power, but nowadays such resources are readily available from the “cloud”.
For powerful intelligence agencies like the NSA or GCHQ, decrypting PPTP data should be a piece of cake. Because PPTP offers no way to authenticate the remote peer, man-in-the-middle (MITM) attacks are easy to set up. A successful MITM attack exposes the entire encrypted data transfer to the attacker.
Another downside of PPTP is that it is nowadays often blocked by routers and firewalls by default, frequently without the operator even intending it. Users with so-called Dual-Stack Lite (DS-Lite) internet connections are unable to use PPTP at all.
Advantages:
- Very easy setup
- Supported “out of the box” by almost any OS
- No additional software required
Disadvantages:
- Unsafe encryption!
- No protection against MITM attacks!
- Poor compatibility with firewalls and routers
- Easily blocked by network providers
IPSec is a whole family of connection protocols. Most of the time, IPSec is used with the key exchange protocols IKEv1 (aka Cisco IPSec) or IKEv2. L2TP/IPSec is less common nowadays. Like PPTP, IPSec is available “out of the box” in most modern operating systems. IPSec tries to fix the known weaknesses of PPTP, which works well in most cases. There are, however, a huge number of configuration options, making the setup process quite complicated for non-experts. You can easily end up with a working IPSec connection that turns out to be unsafe!
Some IPSec considerations:
- Pre-shared key (PSK) authentication is only secure as long as your PSK stays secret. With commercial VPN providers, this is usually not the case: each customer has access to the PSK, which is identical for everyone. This makes MITM attacks possible! Certificate-based authentication offers much better security but is more complicated to set up. Most commercial VPN providers offer PSK authentication, thus reducing the security of your connection!
- IPSec supports a multitude of encryption algorithms with different key lengths. Not all of these are still considered secure nowadays!
IPSec is usually not blocked by the default settings of firewalls, and users with DS-Lite connections are able to use IPSec. However, if your network provider or government (e.g. China) outlaws the usage of IPSec, it is very easy to block.
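The two IPSec pitfalls listed above, a PSK that every customer shares and cipher proposals that are no longer considered secure, are both visible in the connection profile before the tunnel is ever brought up. The following script is an added example, not strongSwan's or any provider's own code: it parses `conn` sections in strongSwan's `ipsec.conf` format and reports those two issues, showing a constructed PSK profile beside a constructed certificate-based IKEv2 profile. The hostnames, certificate names and CA subject are placeholders, and the set of "legacy" algorithm names is this example's own choice.

```python
"""Audit strongSwan-style ipsec.conf 'conn' sections for the two IPSec pitfalls
the article names: pre-shared-key authentication and legacy cipher proposals.
Added example, not strongSwan's or any provider's code; both sample
configurations are constructed and the hostnames are placeholders."""
import re

# Constructed example of a typical provider PSK profile (not a real provider).
WEAK_CONF = """\
conn provider-psk
    keyexchange=ikev1
    authby=secret
    left=%defaultroute
    right=vpn.example.invalid
    ike=3des-sha1-modp1024
    esp=3des-sha1
    auto=start
"""

# Constructed certificate-based IKEv2 profile with the server identity pinned.
HARDENED_CONF = """\
conn provider-cert
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftcert=client.pem
    right=vpn.example.invalid
    rightid=@vpn.example.invalid
    rightca="C=XX, O=Example, CN=Example Root CA"
    rightsubnet=0.0.0.0/0
    ike=aes256gcm16-sha256-ecp256!
    esp=aes256gcm16-ecp256!
    auto=start
"""

# Algorithm names that still appear in old profiles but should no longer be offered
# (this example's own list, not an official strongSwan classification).
LEGACY_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section, comments stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[:1].isspace():              # unindented line: section header
            m = re.match(r"conn\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                conns[current] = {}
            continue
        if current and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


def check_proposal(name, proposal):
    """Flag legacy algorithms in an ike= or esp= proposal and a missing strict marker."""
    findings = []
    algs = sorted({part for p in proposal.rstrip("!").split(",")
                   for part in p.split("-") if part in LEGACY_ALGS})
    if algs:
        findings.append(f"{name}= offers legacy algorithms: {', '.join(algs)}")
    if not proposal.endswith("!"):
        # Without the trailing '!' strongSwan appends its default proposals to the list.
        findings.append(f"{name}= is not strict (no trailing '!'): defaults are appended")
    return findings


def audit_conn(settings):
    """Return a list of findings for one conn; an empty list means nothing flagged."""
    findings = []
    auths = {settings.get("leftauth"), settings.get("rightauth")}
    if settings.get("authby") == "secret" or "psk" in auths:
        findings.append("PSK authentication: a key shared with every customer lets any "
                        "of them impersonate the server (MITM)")
    elif "pubkey" in auths or settings.get("authby") == "pubkey":
        if not (settings.get("rightid") and settings.get("rightca")):
            findings.append("certificate authentication without rightid/rightca: "
                            "the server identity is not pinned")
    for key in ("ike", "esp"):
        if key in settings:
            findings.extend(check_proposal(key, settings[key]))
    return findings


def audit(text):
    """Audit every conn in an ipsec.conf text: {conn_name: [findings]}."""
    return {name: audit_conn(s) for name, s in parse_conns(text).items()}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for conn, findings in audit(conf).items():
            print(f"[{label}] {conn}: {findings or 'no findings'}")
```

Run as-is, the PSK profile is flagged for the shared key and for 3DES, SHA-1 and the 1024-bit DH group in both proposals, while the certificate profile produces no findings. The `rightid`/`rightca` check reflects the point made about PSKs: with a commercial provider, every customer is a peer of the same server, so the client should pin exactly which identity and issuer it accepts rather than trusting any certificate it can chain.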
Advantages:
- Strong encryption (on correct setup!)
- Good protection against MITM attacks (on correct setup!)
- Usually no additional software required
Disadvantages:
- Complicated setup process
- Danger of unsafe connections if not well configured
- Easily blocked by network providers
OpenVPN is an open source project and is thus supported by default on only a few operating systems. This means that installing a software client is required to connect in most cases. Configuring these clients is usually easy: commercial VPN providers offer downloadable configuration packages that the software client imports to set up the connection. This means there is not much that can go wrong: your secured connection with certificate-based authentication is set up in just a few seconds. Setting up certificate-based authentication is much simpler with OpenVPN than with IPSec, which is why commercial VPN providers use it so widely, resulting in much better security.
There are, however, some caveats: as with IPSec, PSK authentication is only secure as long as the PSK stays secret; certificates are much more secure!
OpenVPN is also flexible: the connection can be set up in a way that makes the data traffic look like it originates from a regular HTTPS connection of your browser. That makes it hard for network providers to detect and block OpenVPN connections. Due to its ease of setup, firewall compatibility and high security, many commercial VPN clients such as Shellfire VPN are based on OpenVPN.
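The configuration package a provider ships decides both points made above: whether the profile uses OpenVPN's static (pre-shared) key mode or certificates, and whether it dials out over TCP port 443 so that the traffic resembles HTTPS. The script below is an added example, not Shellfire's or the OpenVPN project's own code: it parses an OpenVPN client profile, flags static-key mode, a missing server-certificate role check, a missing TLS floor and legacy ciphers, and reports whether the profile uses the HTTPS-like TCP 443 pattern. Both profiles are constructed, the hostnames and file names are placeholders, and the legacy cipher list is this example's own.

```python
"""Audit an OpenVPN client profile for the points the article raises: static
(pre-shared) key mode versus certificates, and whether the connection is dialled
over TCP 443 so that it blends in with HTTPS. Added example, not Shellfire's or
OpenVPN's own code; the profiles below are constructed and the hostnames and
file names are placeholders."""

# Constructed static-key profile: one shared key, no certificates, legacy cipher.
WEAK_PROFILE = """\
dev tun
proto udp
remote vpn.example.invalid 1194
secret shared.key
ifconfig 10.8.0.2 10.8.0.1
cipher BF-CBC
"""

# Constructed certificate-based profile dialled over TCP 443.
HARDENED_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.invalid 443
nobind
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-crypt tc.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
persist-key
persist-tun
verb 3
"""

# Data-channel ciphers this example treats as legacy (its own list).
LEGACY_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}


def parse_profile(text):
    """Map each directive to its argument list; inline <ca>...</ca> blocks are skipped."""
    directives, in_block = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if in_block:                      # inside an inline <tag> ... </tag> block
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            directives[in_block] = ["<inline>"]
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def audit_profile(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_profile(text)
    findings = []
    if "secret" in d:
        findings.append("static key mode: one pre-shared key, no certificates, no forward "
                        "secrecy; anyone holding the key can impersonate the server")
    else:
        if "remote-cert-tls" not in d:
            findings.append("remote-cert-tls server missing: another client certificate "
                            "from the same CA could be used to impersonate the server")
        if "tls-version-min" not in d:
            findings.append("tls-version-min missing: pin TLS 1.2 or newer")
    cipher = d.get("cipher", ["BF-CBC"])[0].upper()   # OpenVPN < 2.5 defaulted to BF-CBC
    if cipher in LEGACY_CIPHERS:
        findings.append(f"legacy data-channel cipher {cipher}; use an AES-GCM cipher")
    if d.get("auth", ["SHA1"])[0].upper() in {"MD5", "NONE"}:
        findings.append("weak HMAC digest; use SHA256 or an AEAD cipher")
    return findings


def looks_like_https(text):
    """True when the profile dials TCP port 443, the pattern the article describes."""
    d = parse_profile(text)
    over_tcp = d.get("proto", ["udp"])[0].lower().startswith("tcp")
    remote = d.get("remote", [])
    port = remote[1] if len(remote) > 1 else d.get("port", ["1194"])[0]
    return over_tcp and port == "443"


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"[{label}] https-like: {looks_like_https(profile)}")
        for finding in audit_profile(profile) or ["no findings"]:
            print(f"[{label}]   {finding}")
```

The `remote-cert-tls server` check is the OpenVPN counterpart of the PSK caveat: with a commercial provider, every customer holds a certificate issued by the same CA, so the client must insist that the certificate presented by the far end is a server certificate, not merely one the CA signed. Dialling TCP 443 only changes how the traffic looks on the wire; the security of the tunnel still comes from the certificate and cipher settings.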
Advantages:
- Easy setup
- Strong encryption
- Good protection against MITM attacks
- Very good firewall compatibility, difficult to block
Disadvantages:
- Additional software client required
PPTP should only be used if no other means of encryption are available. You should never send sensitive data over a PPTP connection unless you are using additional layers of encryption such as HTTPS!
IPSec connections should only be used if they have been set up by an expert. If set up correctly, IPSec offers the highest possible level of security. When connecting to a commercial VPN provider, avoid PSK authentication.
OpenVPN is the weapon of choice for most users. The setup process is easy and flexible, and its security is comparable to that of IPSec. Many commercial VPN clients offer additional features such as built-in server switching or automatic reconnect.
With Shellfire VPN, you can switch between all three VPN protocols any time.