Put simply, a VPN works by using tunnels that provide anonymity and security when using the internet by encrypting the data that your computer sends to the VPN server at the other end.
However, as we know from the older WEP protocol for Wi-Fi encryption, outdated protocols can be compromised, and may not offer enough in terms of data security.
Therefore, users need to be aware of the various VPN protocols, in order to make sure that their provider supports the newer, more secure ones, while avoiding the older, less secure protocols.
These VPN protocols – including PPTP, L2TP and SSTP – all draw upon the mechanics of the original Point-to-Point Protocol (PPP). PPP encapsulates the IP packets of data, and then transmits them to the server at the other end. PPP is an older protocol, made to establish a VPN tunnel between a dial-up client for connection to a network access server.
So, which are the best VPN protocols, and which are best avoided – and why? Read on to find out.
- Discover today's very best VPN providers
- We’ve debunked 6 common myths concerning VPNs
- Don't want to pay a penny? Here are the best free VPNs
The Point-to-Point Tunneling Protocol (PPTP) is an older method of VPN encryption designed by Microsoft, which goes all the way back to Windows 95. It is still popular today, despite a known susceptibility to the ASLEAP dictionary attack tool dating back to 2004 that pretty much rendered it obsolete (or should have).
So why is it still popular? That’s mainly because PPTP is integrated into Windows, as well as Linux and macOS. PPTP enables the encrypted tunnel between the PC and VPN server using TCP port 1723 and General Routing Encapsulation (GRE). Despite the advantages of simple setup, and fast speeds, this protocol is spoiled by major security concerns which date back as far as 1998. In short, PPTP is best avoided for modern users.
L2TP is the Layer Two Tunneling Protocol, an extension of PPTP, which combines the latter with L2F (Layer 2 Forwarding Protocol) that was designed by Cisco. L2TP does not have integrated encryption, so this gets added via IPSec (Internet Protocol Security).
Unlike PPTP which uses a 128-bit key, L2TP/IPSec has a 256-bit key, and this is considered complex enough for top-secret communications. L2TP is a more recent protocol, and has been supported in Windows since XP, as well as macOS 10.3 or better, and mobile operating systems.
L2TP requires more overhead for the more complicated 256-bit encryption and double encapsulation. It can also be more difficult to set up and configure. It is generally felt to be secure, although more recent NSA leaks would suggest that L2TP is vulnerable to attacks when the encryption is using pre-shared keys.
- Don’t forget there are 7 good reasons why a VPN isn't enough
The Secure Socket Tunneling Protocol (SSTP) is directly owned and controlled by Microsoft. That explains its other name – Microsoft Secure Socket Tunneling Protocol (MS-SSTP) – so unsurprisingly, it follows that this is only available on Windows.
The name is derived from the traffic being routed through the Secure Sockets Layer (SSL) protocol, which uses TCP port 443, and makes it pass through firewalls and proxy servers, so it is much less likely to be blocked. As it is not open source, SSTP is one of the most secure of these VPN protocols.
SSTP is more modern than the previously discussed protocols, and it’s available in Windows Vista SP1 and later. SSTP was designed for remote client access, and does not generally support site-to-site VPN tunnels.
OpenVPN is a popular security protocol created by James Yonan. Unlike the previous proprietary VPN protocols, OpenVPN is open source and published under a GNU General Public License. This gives the community access to the source code so that any security flaws are identified and dealt with, rather than allowing potential flaws and backdoors to exist in the code.
SSL/TLS is used for pre-shared key exchange, adding to the security. The encryption utilized for OpenVPN is also open source, as it uses OpenSSL which supports up to 256-bit encryption.
OpenVPN comes in two main flavors: OpenVPN TCP and OpenVPN UDP. Not all VPN providers give you a choice between these two OpenVPN protocols, but some certainly do – although they may offer little guidance on what’s different between them, and which you should choose. We’re explaining the TCP variant here, and UDP in the next section.
OpenVPN TCP is based on TCP (unsurprisingly), the Transmission Control Protocol, which combined with the Internet Protocol (IP) creates a set of rules for how computers exchange data back and forth. TCP is a protocol that is connection oriented, and it creates and keeps this connection going while applications perform the exchange of their data.
TCP is the most used connection protocol on the internet. One of its advantages is that it’s a ‘stateful protocol’ in that it has integrated error correction. This means that with each packet of data transmitted, a confirmation of the packet’s arrival is needed before the next one is sent – and if no confirmation is received the current packet gets resent.
All of this built-in redundancy means OpenVPN TCP is considered a highly reliable protocol, with all data being delivered. The downside of this is that all of the sends, confirmations, and resends, require a larger amount of overhead, which drags the network speed down. OpenVPN TCP is an ideal protocol for higher security where latency is not the priority, such as general web surfing and emails.
The alternative protocol to OpenVPN TCP is OpenVPN UDP. UDP stands for User Datagram Protocol, which is another communications protocol for transmitting data between a client and the internet.
Unlike OpenVPN TCP, which is designed to maximize reliability of data transmission, OpenVPN UDP is targeted at low-latency transmission of data, without the emphasis on the guaranteed delivery of data (so therefore reliability is sacrificed).
UDP just transmits the packets of data without all the redundancy and checks, so it has less overheads, and therefore lower latency. These characteristics make OpenVPN UDP well suited for audio and video streaming tasks, and indeed gaming.
Better VPN services support both OpenVPN TCP and UDP, and allow the user to choose between them as needed, depending on the application.
WireGuard is an upcoming open source VPN protocol which is easier to set up than OpenVPN, has a much smaller and simpler code base, and offers all kinds of technical advantages: up-to-date encryption standards, faster connection times, greater reliability and much faster speeds.
VPN providers have expressed interest, but with some reservations. In 2019 ExpressVPN said WireGuard was still very much a work in progress, and although NordVPN has been testing WireGuard, we're still waiting for support from the official apps.
A few VPNs have decided to add WireGuard to their line-up, though. Mullvad was an early adopter, with VPC.ac and TorGuard also offering some support – and we expect others to be joining the party very soon.
- Check out our list of the best VPN services