SSTP vs PPTP vs L2TP: What's the difference?

Laptop in home office with stylised letters VPN on the screen
(Image credit: Pixabay / Riekus)

If you want to stay safe online, a virtual private network can be an ideal solution. The best VPNs on the market establish an encrypted connection between your device (the “client”) and a VPN server.

Not all VPNs offer the same level of privacy, especially with free VPNs. You can help inform your choice by checking which VPN protocols your service provider uses. These govern how your VPN client software communicates with the service and what level of security it offers.

In this guide you’ll learn about three key VPN protocols: PPTP, L2TP and SSTP.

PPTP: Point-to-Point Tunneling Protocol 

Point-to-Point Tunneling Protocol (PPTP) was one of the very first VPN protocols. It appeared on Windows machines in the mid 90s, was later written up as RFC 2637 (1999), and soon spread to other platforms. Windows still ships a PPTP client and clients exist for most Linux distributions, but Apple removed PPTP from macOS (10.12 Sierra) and iOS 10 in 2016 because of the weaknesses described below.

PPTP uses two channels: a TCP control connection on port 1723, and a GRE tunnel (IP protocol 47) that carries the encapsulated Point-to-Point Protocol (PPP) frames. It does not use UDP at all; the GRE channel is the part that NAT devices and firewalls most often fail to pass.

One advantage of PPTP is that it only needs the server address, a username and a password to do this. It’s also very fast, because its authentication and encryption are minimal.

This might be acceptable in situations where you don’t mind if someone can inspect or alter the traffic moving across your VPN, such as reaching a video streaming service through a Netflix VPN.

However, PPTP is generally considered insecure for anything else. The PPTP implementation that ships with Microsoft Windows authenticates users with MS-CHAP v1 or v2, both of which have long been known to be vulnerable to offline dictionary attacks on the captured handshake. At DEF CON 20 in 2012, Moxie Marlinspike and David Hulton went further and showed that an MS-CHAPv2 exchange reduces to a single 56-bit DES key search: from one captured handshake they recovered the user’s NT password hash (which is enough both to log in and to derive the session’s encryption keys) in under 24 hours, regardless of how strong the password was.
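The following is an added example (not code from the article) showing why one captured MS-CHAPv2 handshake gives away the NT password hash so cheaply. Per RFC 2759, the 16-byte NT hash (MD4 of the UTF-16LE password) is padded with five zero bytes to 21 bytes and split into three 7-byte DES keys, each of which encrypts the same 8-byte challenge hash. The third key therefore contains only 16 unknown bits, and keys 1 and 2 can be searched together in one 2^56 pass because they encrypt the same block, which is what the DEF CON 20 demonstration exploited. DES is not in the Python standard library, so a keyed HMAC-SHA256 truncated to 8 bytes stands in for the DES block operation (an assumption made so the block runs); the challenge hash, key splitting, parity expansion and search logic follow the protocol, and the NT hash and challenge values are constructed.

```python
"""Added example: recovering the last two NT-hash bytes from an MS-CHAPv2 response.
DES-ECB is replaced by a keyed HMAC-SHA256 stand-in (assumption); everything
else mirrors RFC 2759.  All input values are constructed for the demo."""
import hashlib
import hmac


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 bytes of SHA-1(Peer || Authenticator || UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def des_key_from_7_bytes(k7: bytes) -> bytes:
    """Expand 56 key bits into an 8-byte DES key.  The low bit of every byte is
    a parity bit that DES ignores, so the expansion adds no secrecy."""
    bits = int.from_bytes(k7, "big")
    out = bytearray()
    for i in range(8):
        b = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(b).count("1") % 2 == 0:  # make the byte odd-parity
            b |= 1
        out.append(b)
    return bytes(out)


def block_encrypt(key8: bytes, block8: bytes) -> bytes:
    """STAND-IN for DES-ECB of one block (assumption, not the real cipher): the
    attack only needs a cheap, deterministic keyed function to test candidates."""
    return hmac.new(key8, block8, hashlib.sha256).digest()[:8]


def nt_response(nt_hash: bytes, chal_hash: bytes) -> bytes:
    """RFC 2759 ChallengeResponse(): 21-byte zero-padded hash -> 3 keys -> 24-byte response."""
    padded = nt_hash + b"\x00" * 5
    return b"".join(
        block_encrypt(des_key_from_7_bytes(padded[i:i + 7]), chal_hash) for i in (0, 7, 14)
    )


def recover_hash_tail(chal_hash: bytes, response: bytes):
    """Recover NT-hash bytes 14-15 from the third response block.  Only 2^16
    candidates exist because the other five key bytes are the zero padding.
    Keys 1 and 2 still need one 2^56 pass over the DES key space (they share
    the plaintext block), far less than the 2^128 a 16-byte hash suggests.
    Returns (recovered_two_bytes, number_of_trials)."""
    target = response[16:24]
    for guess in range(1 << 16):
        k7 = guess.to_bytes(2, "big") + b"\x00" * 5
        if block_encrypt(des_key_from_7_bytes(k7), chal_hash) == target:
            return guess.to_bytes(2, "big"), guess + 1
    return None, 1 << 16


if __name__ == "__main__":
    # Constructed values: a fake NT hash plus peer/authenticator challenges.
    nt_hash = bytes.fromhex("00112233445566778899aabbccddeeff")
    ch = challenge_hash(b"P" * 16, b"A" * 16, b"alice")
    resp = nt_response(nt_hash, ch)
    tail, trials = recover_hash_tail(ch, resp)
    print(f"recovered NT-hash bytes 14-15 = {tail.hex()} after {trials} trials")
```

Swapping the stand-in for a real DES implementation changes nothing about the search: the 2^16 loop is the same, and the remaining 14 bytes fall to the single 2^56 pass that the 2012 demonstration ran on dedicated hardware.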

PPTP also encrypts with the RC4 stream cipher via MPPE (Microsoft Point-to-Point Encryption), and MPPE attaches no integrity check (no MAC or digital signature) to the frames it protects. Because RC4 simply XORs a keystream with the data, anyone on the path can flip bits in the ciphertext and flip exactly the same bits in the decrypted plaintext, and the receiver has no way to notice. The MPPE keys are also derived from the same NT hash that the MS-CHAPv2 attack recovers, so a cracked handshake yields the session’s decryption keys as well.
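The bit-flipping problem, as an added example that is not code from the article: MPPE-style RC4 encryption with no integrity tag lets an on-path attacker rewrite a known field of the plaintext by XORing the ciphertext, and the receiver accepts the result. The second pair of functions adds an HMAC over the ciphertext, which is what an authenticated tunnel such as IPsec ESP provides, to show the same tampering being rejected. RC4 is implemented inline (it is not in the standard library); the keys and the PPP payload are constructed values, and real MPPE’s key-change and resynchronisation logic is omitted.

```python
"""Added example: stream-cipher bit flipping against an MPPE-style tunnel with
no integrity check, and the same tampering caught by an ESP-style HMAC.
Keys and payload below are constructed for the demo."""
import hashlib
import hmac


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: XOR the data with the key-scheduled keystream (encrypt == decrypt)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# --- MPPE-style: confidentiality only, no integrity tag -----------------------
def mppe_encrypt(key: bytes, frame: bytes) -> bytes:
    return rc4(key, frame)


def mppe_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return rc4(key, ciphertext)  # whatever arrives is accepted as-is


def flip_bits(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker step, no key needed: if plaintext `known` sits at `offset`, then
    ciphertext ^ known ^ wanted decrypts to `wanted` under any stream cipher."""
    assert len(known) == len(wanted)
    ct = bytearray(ciphertext)
    for k, (a, b) in enumerate(zip(known, wanted)):
        ct[offset + k] ^= a ^ b
    return bytes(ct)


# --- ESP-style: confidentiality plus an integrity tag over the ciphertext -----
TAG_LEN = 16


def esp_encrypt(enc_key: bytes, mac_key: bytes, frame: bytes) -> bytes:
    ct = rc4(enc_key, frame)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()[:TAG_LEN]


def esp_decrypt(enc_key: bytes, mac_key: bytes, packet: bytes):
    """Return the frame, or None if the tag does not match (packet is dropped)."""
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return rc4(enc_key, ct)


def demo():
    """Returns (what the MPPE-style receiver sees, what the ESP-style receiver returns)."""
    enc_key = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")  # constructed session key
    mac_key = b"constructed-mac-key"
    # Constructed PPP payload: the attacker knows the recipient field's position.
    frame = b"GET /pay?to=alice&amount=10 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    offset = frame.index(b"alice")

    ct = mppe_encrypt(enc_key, frame)
    tampered = flip_bits(ct, offset, b"alice", b"mal0r")
    seen_by_server = mppe_decrypt(enc_key, tampered)  # silently altered

    pkt = esp_encrypt(enc_key, mac_key, frame)
    pkt_tampered = flip_bits(pkt, offset, b"alice", b"mal0r")
    return seen_by_server, esp_decrypt(enc_key, mac_key, pkt_tampered)


if __name__ == "__main__":
    altered, esp_result = demo()
    print(altered.decode())
    print("ESP-style receiver accepted the tampered packet:", esp_result is not None)
```

The attacker never learns the key or the rest of the plaintext; knowing where a predictable field sits is enough. Any tunnel that authenticates its packets, whether with an HMAC as above or with an AEAD mode, turns the same edit into a dropped packet.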

L2TP: Layer 2 Tunneling Protocol 

Layer 2 Tunneling Protocol (L2TP) was published as RFC 2661 in 1999 and combines Cisco’s L2F with Microsoft’s PPTP. Like PPTP, it tunnels PPP frames and can be used to establish VPN connections. Also like PPTP, it provides no encryption or integrity protection of its own; it is almost always paired with IPsec (as L2TP/IPsec) to authenticate and encrypt the traffic between a VPN client and server.

L2TP was created as a successor to PPTP. On its own it fixes none of PPTP’s cryptographic weaknesses, because it has no cryptography of its own; the improvement comes entirely from IPsec. What L2TP itself changes is the transport: it runs over UDP (port 1701) rather than PPTP’s GRE tunnel, which NAT devices and firewalls generally handle better.

When used with IPsec, L2TP not only encapsulates your data for the tunnel; IPsec’s ESP also encrypts it (typically with AES) and authenticates every packet with an integrity check (an HMAC, or an AEAD mode such as AES-GCM). This is a huge improvement over PPTP: a packet modified in transit fails the integrity check and is dropped, so the bit-flipping manipulation that works against PPTP’s MPPE is detected rather than silently accepted.

Using L2TP with IPsec effectively involves encapsulating your data twice (PPP inside L2TP inside ESP), which adds per-packet overhead and can slow throughput relative to more modern protocols. 

L2TP/IPsec runs on fixed, well-known ports and protocols (UDP 500 for IKE, UDP 4500 for NAT traversal, UDP 1701 for L2TP and IP protocol 50 for ESP), so it is easy to block: a network administrator who is determined to stop it only has to drop those, and the protocol has no built-in way to disguise its traffic. 

There are also claims, based on documents leaked by Edward Snowden, that the NSA can decrypt some IPsec VPN traffic, but nothing public establishes how, or whether a well-configured L2TP/IPsec deployment is affected. The more concrete concern is on the authentication side: many consumer services configure IPsec with a single pre-shared key that is published for all customers, and an attacker who knows the pre-shared key can impersonate the server, exposing whatever user password is sent inside the tunnel. The pre-shared key and the user credentials both need to be strong secrets; there is no definitive evidence of anything beyond that. 

SSTP: Secure Socket Tunneling Protocol 

Secure Socket Tunneling Protocol (SSTP) is another way to encapsulate PPP frames and transmit them through a VPN tunnel. Unlike PPTP and L2TP, it does so over an SSL/TLS channel. 

One advantage of transmitting data via TCP port 443 is that SSTP traffic looks like ordinary HTTPS to anyone watching the network, which makes it much harder to detect and block. This can be useful for people living in countries where VPN usage is monitored or banned.

SSTP was introduced by Microsoft in Windows Server 2008 and Windows Vista Service Pack 1 (2008) as yet another successor to the outdated PPTP protocol. It is built into Windows; on Linux, macOS and the BSDs it is available through third-party clients rather than as part of the operating system. 

SSTP is a Microsoft protocol. Its wire format is published (the MS-SSTP open specification), but the Windows implementation is closed source, so it does not receive the continuous public scrutiny that a fully open-source protocol stack gets from the community at large. 

Another concern is that, by default, anyone with a valid username and password can log in to an SSTP server: the protocol authenticates the user through PPP, not the device, unless the operator requires certificate-based user authentication such as EAP-TLS. SSTP does, however, use the TLS library to authenticate the server it connects to, so the server’s certificate is checked before any credentials are sent. 

SSTP’s original specification allows SSL 3.0 as well as TLS for the channel. A client and server that still negotiate SSL 3.0 are exposed to the POODLE attack, potentially letting an active attacker decrypt parts of your data. Current Windows versions disable SSL 3.0 and negotiate TLS 1.2, so the practical check is to confirm which protocol version your client actually negotiates and to refuse anything below TLS 1.2. More modern VPN protocols such as OpenVPN run their control channel over TLS only.
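A minimal probe for that check, as an added example that is not part of the article: it opens the SSTP channel to a server and reports which TLS version and cipher were negotiated. SSTP begins as an HTTP request inside TLS to the fixed MS-SSTP path /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ with a maximal Content-Length, so that the same stream can carry SSTP frames afterwards. The host name is a placeholder, and the probe deliberately sets a TLS 1.2 floor, so a server that only offers SSL 3.0 or TLS 1.0 fails the handshake instead of being used.

```python
"""Added example: probe an SSTP endpoint and report the negotiated TLS version.
The target host name is a placeholder; the request format follows MS-SSTP."""
import socket
import ssl

SSTP_PATH = "/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"


def client_context(minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Default context (certificate and hostname verification on) with a floor
    on the protocol version, so SSL 3.0 / TLS 1.0 / TLS 1.1 are never negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    return ctx


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


def sstp_duplex_post(host: str) -> bytes:
    """First SSTP message (MS-SSTP): an HTTP request whose body never ends, so
    the HTTP connection can be reused as the SSTP control and data channel."""
    return (
        f"SSTP_DUPLEX_POST {SSTP_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Length: 18446744073709551615\r\n"  # ULONGLONG_MAX, per MS-SSTP
        "\r\n"
    ).encode("ascii")


def parse_status_line(response: bytes) -> tuple:
    """(http_version, status_code) from the server's first line.  200 means the
    server accepted the SSTP channel; anything else means it refused or is not SSTP."""
    first = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first.split(" ")
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {first!r}")
    return parts[0][5:], int(parts[1])


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect, send the SSTP request and report what was negotiated (network call)."""
    ctx = client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(sstp_duplex_post(host))
            head = tls.recv(4096)
            negotiated = {"tls_version": tls.version(), "cipher": tls.cipher()[0]}
    http_version, status = parse_status_line(head)
    negotiated.update({"http_version": http_version, "status": status})
    return negotiated


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # placeholder host
    print(probe(target))
```

If the handshake fails with a protocol-version error, the server is still offering only legacy SSL/TLS and should not be used until it is reconfigured; if it succeeds, the reported `tls_version` is the figure to record.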

Importance of VPN Protocols 

PPTP, L2TP and SSTP are all older VPN protocols. So, while widely supported across platforms, they offer limited security and privacy by today’s standards. As a bare minimum, your VPN service should reliably authenticate both client and server during its handshake, encrypt all data in transit with modern ciphers, and detect tampering, so that a man-in-the-middle attack is both prevented and noticed.

If your VPN provider only offers software using these protocols, consider asking them to add a more modern standard such as OpenVPN or WireGuard. Both use modern cryptography (OpenVPN a TLS-based control channel; WireGuard the Noise framework with Curve25519, ChaCha20-Poly1305 and BLAKE2s). Most importantly, both are fully open source, so security flaws can be found and patched quickly. If your VPN provider doesn’t offer either of these to establish a channel, it may be time to look elsewhere.

Nate Drake is a tech journalist specializing in cybersecurity and retro tech. He broke out from his cubicle at Apple 6 years ago and now spends his days sipping Earl Grey tea & writing elegant copy.