With all the spying and malicious activity on the Internet these days, VPNs are becoming more popular by the day. This applies not only in the corporate world but for individuals and families too. Our focus in this article is on the kinds of VPNs that individuals and families use, not those designed to interconnect corporate offices or secure archives.
Today we are going to talk about one of the more mysterious aspects of this field: VPN Protocols. If you’ve ever looked at the settings of a modern VPN, you’ve probably seen protocols with names like OpenVPN or L2TP/IPsec. We’re going to look at the most popular of these and get a working idea of what they do and why you might want to choose one over the other.
Specifically, we will:
- Discuss the job of a VPN Protocol
- Learn about OpenVPN and some competing protocols
- Learn about a promising newcomer to the VPN Protocol competition
- Compare OpenVPN to each competitor to see why you might use one of them instead of OpenVPN
By the end of this article, you should have a good handle on the basics of how a VPN Protocol works, why OpenVPN is so popular, and when you might opt to use one of the competitors.
The Job of a VPN Protocol
At the most abstract level, the main job of a VPN protocol is to keep communications between your device and the VPN private and secure. How does a VPN do this? Through two technologies: Tunneling and Encryption. Let’s look at each of these now.
Tunneling is a way to protect messages as they travel back and forth between your device and the VPN. To understand how this works, you need to remember that messages passing through the Internet take the form of “packets” of data.
These packets consist of the data they are carrying (known as the payload), and additional data such as the protocol of the payload (HTTP, HTTPS, or BitTorrent, for example) and the IP Address of your device as well as that of the website you are visiting.
If you are not using a VPN, messages going back and forth between your device and the website may not be secure and private. At minimum your device’s IP Address and that of the website will be exposed, meaning that your privacy is not protected.
A VPN creates a virtual tunnel through the Internet to protect you from this problem. The virtual tunnel makes it harder for snoops to see those IP Addresses or read the contents of the messages going back and forth.
To create the virtual tunnel, the VPN software takes the data packets that comprise the messages going back and forth and puts them inside its own packets. This process is called encapsulation.
Packets leaving your device are encapsulated before crossing the Internet and arriving at a VPN server. Once they are received at the server, the original packets are extracted from their protective shell. The server modifies the packets by replacing your IP Address with the IP address of the server.
This process, called obfuscation, hides your IP Address from the outside world to protect your privacy. The VPN server then sends the modified packet to its final destination. As far as the website receiving the packet can tell, it originated at the VPN server, not your device.
Packets going from the website to your device get a similar treatment. When the website sends a packet to the VPN server, it gets encapsulated and sent to the VPN software on your device. There it is extracted from its protective shell and goes to your web browser or whatever app is talking to the website.
Unfortunately, tunneling by itself is not enough.
If packets are simply encapsulated, there are ways that a determined snoop may be able to read them. All the information you want to be kept secure and private would be visible to such a snoop, leaving your data exposed and your privacy violated.
This is why most VPNs go one step further and add encryption.
With encryption, the VPN software encrypts the entirety of your packets then embeds then encapsulates them and sends them on their way. Whichever encryption algorithm the VPN service uses (there are several possibilities), it is designed so that only the VPN server can decrypt what the VPN software on your computer encrypts, and vice versa.
This way, even if someone breaks into the tunnel, they won’t be able to make any sense of what they see.
Isn’t there an easier way?
At this point, you may be wondering why a VPN has to go through all these steps to protect your messages. Couldn’t it just encrypt the payload of the original message and skip all the tunneling and encapsulation?
There are protocols that work this way, and they are excellent for what they do. The HTTPS protocol is a good example. An HTTPS connection doesn’t do any tunneling, but it is secure in that the payload of the packets is protected with strong encryption. Your bank account number, or whatever information is in the payload will remain safe.
However, because the header of the packets must be exposed so the packets reach their destinations, you have no privacy. Your ISP and anyone else watching your connection can easily see the IP Address of your device as well as the IP Address of the website you are connected to. They will know who you are talking to, even if they don’t know exactly what the messages say.
Now think about a VPN again. The tunnel works by encapsulating your entire packet inside another packet. The outer packet is the one that must expose its header information. And that header information says basically, I am transferring packets between your device at your IP Address, and the VPN server at its IP Address.
No information from your packets needs to be exposed at all for the messages to pass back and forth between your device and the VPN server. The VPN can encrypt the entirety of your packets, including the headers.
Even if someone hacks their way into the tunnel, all they will see is that the VPN service is moving messages between your device and the VPN server. With your entire packet encrypted, there is no way for a snoop to see the final destination of your messages, or read the content of those messages.
Now that you know about the most important requirements for successful VPN Protocols: tunneling (encapsulation), and encryption, let’s talk about the VPN Protocols you are likely to run into in 2019.
The Current Leader: OpenVPN
Today, OpenVPN is the most-widely used of the VPN protocols.
OpenVPN is an SSL VPN. An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard Web browser. The design of OpenVPN is such that it can transport data through NATs (Network Address Translators) and firewalls. It also supports a range of encryption algorithms, including AES-256, the same encryption algorithm used by the US government to protect classified data.
OpenVPN is a fast protocol and is very secure and stable. In addition, it is open-source software. That means anyone can see and inspect the source code. And lots of people do, looking to make sure that there are no bugs and no one is inserting malicious code. Many VPN Protocols are proprietary, meaning you can’t inspect the code and have to trust whoever owns it to maintain it properly and not do anything sneaky.
OpenVPN can use the secure port 443/HTTPS for communication. The administrator of the VPN server can any UDP or TCP port which doesn’t conflict with other in-use ports (see the “port” and “proto” commands for OpenVPN configuration). When used with a VPN service that has a stealth mode (formats data in such a way that it looks like standard Internet traffic), this makes it hard for censors or other snoops to even know that you are using a VPN.
Another nice thing about OpenVPN is that it is implemented in user space. That is, the code for OpenVPN runs in the memory reserved for applications. This means that you can download and install it yourself, separately from whichever VPN service you are using. This video illustrates the process:
Why would you do this? One reason is if the VPN service you are using doesn’t provide a client for the device or operating system you are using. A perfect example of this is the fact that many VPN services support OpenVPN, but don’t provide a client for the Linux operating system. By downloading OpenVPN and configuring it properly, you can get your Linux box (a desktop or even some routers) connected to the VPN without a proprietary client.
When you combine all of the above characteristics, it isn’t surprising that OpenVPN is the most popular VPN Protocol in use today.
Now that you have a basic knowledge of OpenVPN, let’s take a look at some other popular VPN protocols.
Other Popular Protocols: IPsec, L2TP/IPsec, IKEv2/IPsec
OpenVPN runs in user space, but that is not the only place VPN code can run. A VPN can also run in kernel space, the space reserved for core operating system functions. One drawback of protocols that run in kernel space is that they must be implemented by the operating system manufacturer. If a particular protocol is not pre-installed on your device, you can’t simply download and install it yourself, like you can with OpenVPN.
Let’s start this section by looking at IPsec.
IPsec is a kernel space protocol that runs in the IP layer of the Internet Protocol Suite. It covers all aspects of providing security at this level. TechTarget defines IPsec this way:
IPsec can implement VPNs through two modes: Tunnel Mode and Transport Mode. Tunnel Mode is the default and creates a tunnel as described at the top of this article. Transport Mode is useful for things like running a Remote Desktop session.
While there are still some iOS VPNs that use IPsec by itself, you are most likely to encounter this protocol paired with either L2TP or IKEv2. We will look at these pairings in a moment. But first, we need to discuss something called VPN SPIN 9. VPN SPIN 9 is an NSA system for decrypting VPN data.
Described in a leaked document titled, “Fielded Capability: End-to-End VPN SPIN 9 Design Review,” it talks about the ability to “detect and decrypt selected communications that are encrypted using IP security (IPsec) algorithms and protocols.”
The document also claims a variety of capabilities to exploit elements of IPsec key exchange to gather metadata for analysis.
What does this mean to you? We’re not sure. Many experts claim that IPsec is secure, while the VPN SPIN 9 Design Review seems to be saying that the NSA had at least partially broken IPsec back in 2014. More recently, Hackernoon reported that security flaws have been found in the IKEv2 protocol that is often used with IPsec in consumer VPNs.
As the saying goes, “caveat emptor” (let the buyer beware).
And with that out of the way, let’s move on to L2TP/IPsec.
L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol published in 2000. It was designed to combine the best of two earlier tunneling protocols: PPTP and L2F. While it is an improvement over earlier protocols, it is important to understand that L2TP by itself provides no security. A separate security protocol must be combined with L2TP to secure the packets that it transports.
This is why L2TP is almost always combined with IPsec. The combination is written as L2TP/IPsec and is spoken as, “L2TP over IPsec.”
When used together, L2TP encapsulates the packets to be transferred. IPsec provides encryption and a second layer of encapsulation, making the combination secure. While this might seem like a clumsy way to do things, L2TP/IPsec is still pretty popular. One reason is that it is built right into many operating systems, including Windows, macOS, Linux, iOS, and Android.
On the downside, the double encapsulation in this protocol tends to make it slower than protocols like OpenVPN. You may also have to manually open firewall ports on your device to allow L2TP/IPsec connections.
IKEv2 (Internet Key Exchange version 2) is a protocol for setting up a Security Association between two systems. As the name implies, it is the replacement for IKE, which was part of early versions of IPsec. The combination of IKEv2 and IPsec is a natural one since IKEv2 is part of recent versions of the IPsec specification. IKEv2/IPsec is supported on most recent versions of Windows, macOS, iOS, and Android, as well as Blackberry devices.
Since IKEv2 and L2TP both get their security features from IPsec, they both are about equally secure. But IKEv2/IPsec does have some advantages over L2TP/IPsec, particularly for mobile users. These include:
- IKEv2/IPsec doesn’t double-encapsulate data so it is usually faster than L2TP/IPsec.
- IKE2v/IPsec handles network changes better thanks to its MOBIKE This is important for mobile devices since they change networks as you travel about.
- There are some open source implementations of IKEv2 if you prefer to use them.
On the downside, as with L2TP/IPsec you may need to manually open firewall ports to enable the IKEv2/IPsec connection.
A Promising Challenger: WireGuard
While the protocols we have just looked at provide a quality VPN connection, there are always challengers looking to improve on the status quo. One promising challenger is WireGuard. According to the designers, the WireGuard protocol is:
WireGuard is FOSS (free and open-source software) that currently runs in the Linux kernel. Designed to have fewer lines of code (making it easier to maintain and harder to hack without getting spotted), easier to set up, and using stronger cryptographic algorithms, it has caught the attention of the Internet community.
Potentially, this could be the star VPN Protocol one day.
On the downside, WireGuard is still under heavy development and the developers warn that it is still a work in progress. This is not yet a VPN Protocol you would use for anything other than experimentation. Another negative is that the current design requires the VPN service to log each user’s IP Address. This would be a non-starter for the many VPN services (and VPN users) that insist on keeping no logs.
We will be keeping our eyes on this project.
How OpenVPN Stacks Up Against the Competition
Now that we have a basic understanding of each of these protocols, it is time to see how they stack up against OpenVPN.
OpenVPN vs IPsec
IPsec by itself is still used as a VPN protocol in a few cases, but you are far more likely to encounter it in combination with either L2TP or IKEv2. Keep reading to see how those combinations stack up against OpenVPN.
OpenVPN vs L2TP/IPsec
OpenVPN is generally faster, and because it uses the same Ports as HTTPS, is harder to block than L2TP/IPsec. OpenVPN is also open source software as opposed to the proprietary L2TP/IPsec.
And while there are reports that L2TP/IPsec may have been compromised by the NSA, we’ve seen no such claims for OpenVPN. You might want to avoid this protocol if you will be using your VPN to transport sensitive information.
In favor of L2TP/IPsec, it is built into the kernel of many operating systems and may run on some older devices that don’t support OpenVPN.
OpenVPN vs IKEv2/IPsec
OpenVPN’s open source nature is a plus compared to IKEv2/IPsec’s closed nature (although there are some open source implementations). OpenVPN is also much harder for firewalls to block since it uses the same Port as HTTPS does. IKEv2/IPsec also suffers from that 2014 presentation claiming that the NSA has compromised IPsec and IKE.
In favor of IKEv2/IPsec, it is fast, in most cases faster than OpenVPN. Running in the kernel, it is built into many modern operating systems, including BlackBerry. It is also particularly suited to mobile devices, with its ability to continue functioning smoothly while the device transitions from network to network.
OpenVPN vs WireGuard
Right now, OpenVPN wins by default, since WireGuard isn’t ready for prime time yet. While we will have to wait for a full comparison until WireGuard hits version 1.0, we are concerned about the logging/privacy issue with WireGuard.
For most users in most situations, OpenVPN is the protocol to use. It is fast and secure, and its open-source nature means that it should be less buggy and less vulnerable to hacks than its closed source rivals.
Protocol Comparison Table
Here is a quick summary of the VPN protocols we’ve discussed in this article:
|Encryption||Security||Speed||User or Kernel Space||Open Source|
|IKEv2/IPsec||AES-256||High||Very Fast||Kernel||Some Implementations|