The strengths and weaknesses of different VPN protocols

Pierluigi Paganini April 26, 2019

One in four internet users use a VPN regularly, but how much does the average user know about what goes on behind the software?

Pulling back the curtain, a VPN runs on one of several VPN protocols that govern the way a VPN client communicates with a VPN server. Each protocol defines a different way of connecting your device to the internet through an encrypted tunnel.

The history of VPN protocols dates back to 1996 when a Microsoft employee came up with Peer-to-Peer Tunneling Protocol (PPTP). The protocol, though not perfect, allowed people to work from home through a secure internet connection.

Since then, VPN protocol technology has evolved and, at the moment, there are five widely used VPN protocols. A breakdown of these five VPN protocols complete with their pros and cons is key to understanding VPN protocols in depth.

1. PPTP

As noted above, Peer-to-Peer Tunneling Protocol was the first to be developed, and it is over 20 years old. The protocol relies on encryption, authentication and peer-to-peer protocol (PPP) negotiation. In essence, that means it only needs a username, password, and server address to create a connection.

Most devices support PPTP, and because it is so easy to set up, it is rather popular among VPN companies. PPTP is incredibly fast, and as a result, people who want to circumvent geo-restricted content prefer the protocol.

However, the speed comes at the cost of encryption. Of all the protocols, PPTP has the lowest level of encryption. Even Microsoft recommends that people stay away from PPTP because, from a security standpoint where encryption is key, PPTP is extremely unsafe.

That said, if your only concern is speed, then PPTP is the protocol for you.

Pros

  • Super-fast
  • Easy to set up and use
  • Nearly all platforms support the protocol

Cons

  • Does not support Perfect Forward Secrecy
  • One of the least secure protocols
  • Firewalls can block PPTP

2. OpenVPN

First released in 2001, the OpenVPN protocol has become one of the most popular and widely used protocols. It is an open-source protocol which means coders can add to or edit the protocol, scrutinize the source code for vulnerabilities, and solve identified issues immediately.

OpenVPN uses SSL technology, and it is available on nearly all platforms, including Windows, Linux, iOS, Android, macOS, Blackberry, and routers. It operates on both Layer 2 and Layer 3, and it contains extra features that facilitate the transport of IPX packets and Ethernet frames. Moreover, it has NetBIOS functionality and, depending on the setup, it can share port 443 with HTTPS.

OpenVPN is incredibly secure thanks to the fact that it uses a 160-bit SHA1 hash algorithm, AES 256-bit key encryption (in addition to others), and 2048-bit RSA authentication.

That said, OpenVPN has a significant weakness: latency, or rather the considerable delay during operation. With more powerful computers and the use of SSL certificates, one can work around this weakness.

Pros

  • Secure
  • Easily bypasses firewalls
  • Supports a variety of cryptographic algorithms
  • It is open-source which means it’s easy to vet
  • Supports Perfect Forward Secrecy

Cons

  • Needs third-party software for set-up
  • It can be difficult to configure
  • Potentially higher latency periods
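The security the article credits OpenVPN with (AES-256 data encryption, TLS-based key exchange, certificate authentication, optional sharing of port 443) is only as good as the client configuration. The following linter is an added example, not OpenVPN project code; the two configs it checks are constructed, and the host name is a placeholder.

```python
"""Lint an OpenVPN client config for settings that undo what the article credits
OpenVPN with: AES-256 data encryption, TLS key exchange, certificate checks.
Added example (not OpenVPN project code); sample configs below are constructed."""

WEAK_CONFIG = """\
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
auth MD5
tls-version-min 1.0
"""

HARDENED_CONFIG = """\
proto tcp
remote vpn.example.invalid 443   # shares 443 with HTTPS (server side: port-share)
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls server
tls-crypt ta.key
"""

STRONG_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305", "AES-256-CBC"}
WEAK_DIGESTS = {"MD5", "NONE"}

def parse_config(text):
    """Map each directive to its arguments ('#'/';' start comments; inline <tag> blocks unsupported)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, *args = line.split()
            opts[key] = args
    return opts

def audit(text):
    """Return findings for the config; an empty list means no weak setting was seen."""
    o = parse_config(text)
    if "data-ciphers" in o:                       # OpenVPN 2.5+: negotiated cipher list
        ciphers = set(o["data-ciphers"][0].upper().split(":"))
    else:                                         # legacy single cipher; BF-CBC was the old default
        ciphers = {o.get("cipher", ["BF-CBC"])[0].upper()}
    checks = [
        (not ciphers <= STRONG_CIPHERS, "legacy data cipher: " + ",".join(sorted(ciphers - STRONG_CIPHERS))),
        (o.get("auth", ["SHA1"])[0].upper() in WEAK_DIGESTS, "weak HMAC digest for auth"),
        (float(o.get("tls-version-min", ["1.0"])[0]) < 1.2, "TLS 1.2 or newer not required"),
        ("remote-cert-tls" not in o, "remote-cert-tls server missing: server certificate role unchecked"),
        ("tls-auth" not in o and "tls-crypt" not in o, "control channel lacks tls-auth/tls-crypt"),
    ]
    return [msg for hit, msg in checks if hit]
```

Running `audit(WEAK_CONFIG)` reports five findings, while the hardened config passes clean; the same checks can be pointed at any `.ovpn` file handed out by a provider.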

3. L2TP/IPsec

To fully understand Layer 2 Tunneling Protocol (L2TP), it is essential first to mention Layer 2 Forwarding (L2F). Cisco developed L2F soon after the release of PPTP to try and improve on the flaws of PPTP. Unfortunately, L2F wasn’t perfect either.

Therefore, in 1999, the parties concerned released L2TP as an improvement on both PPTP and L2F. L2TP combines the best of both L2F and PPTP to provide a more secure and reliable tunneling protocol.

However, note that L2TP is simply a tunneling protocol and provides neither encryption nor privacy. Due to the lack of encryption, L2TP cannot function as a secure protocol alone and must be paired with IPsec, a security protocol that supplies the required encryption. The bundling of the L2TP and IPsec protocols leads to the use of something known as double encapsulation.

In double encapsulation, the first encapsulation will create a PPP connection to a remote host and the second encapsulation will contain IPsec.

L2TP supports AES 256 encryption algorithms, some of the most secure, and it prevents man-in-the-middle attacks because data cannot be altered while in transit between the sender and receiver.

Bear in mind that due to the double encapsulation, the protocol has reduced speed. Moreover, the L2TP protocol can only communicate via User Datagram Protocol (UDP). The restriction to UDP means it is easy to block.

Pros

  • Secure according to most
  • Works on almost all platforms
  • Easy to set up
  • Supports multithreading which increases performance

Cons

  • Both Edward Snowden and John Gilmore noted that the NSA might have deliberately weakened IPsec, which means it can be compromised.
  • Firewalls can easily block it because it only communicates over UDP.
  • Slower than OpenVPN due to double encapsulation

4. SSTP

Secure Socket Tunneling Protocol (SSTP) is very similar to OpenVPN with the only difference being that it is proprietary software that Microsoft developed and introduced in Windows Vista.

Just like OpenVPN, SSTP supports AES 256-bit key encryption, and it uses 2048-bit SSL/TLS certificates for authentication. The protocol has native support for Linux, Windows, and BSD systems. Other platforms, e.g. Android and iOS, only have support via third-party clients.

Pros

  • Provides support for a wide range of cryptographic algorithms
  • Supports Perfect Forward Secrecy
  • Easy to use especially because the protocol is already integrated into Windows

Cons

  • Does not do as well on other systems as it does on Windows
  • It is impossible to audit underlying code because the protocol is proprietary

5. IKEv2

Internet Key Version 2 (IKEv2) is a tunneling protocol that provides a secure key exchange session. The protocol was a collaboration between Microsoft and Cisco. Similar to L2TP, it is often paired with IPsec to provide for authentication and encryption.

IKEv2 is uniquely suited to mobile VPN solutions. First, it is very good at reconnecting after a temporary loss of internet connection. Second, it is adept at reconnecting during a network switch (e.g. from mobile data to Wi-Fi).

IKEv2 is not as popular as OpenVPN, PPTP or L2TP/IPsec, but a good number of VPNs, especially those that specialize in mobile VPNs, use it. Because it is proprietary software, it only has native support for Windows, iOS, and Blackberry.

Pros

  • Extremely stable and does not drop the VPN connection when switching networks
  • Incredibly fast
  • Supports Perfect Forward Secrecy
  • Supports a variety of cryptographic algorithms
  • Easy to set up

Cons

  • Suffers from the same IPsec drawbacks (NSA tampering)
  • Does not support a considerable number of platforms
  • Firewalls can block the protocol
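Each of the five protocols is recognisable on the wire by the ports and IP protocols the article mentions when it says firewalls can block them, which is also what a defender uses to inventory VPN use and find hosts still on PPTP. The classifier below is an added example (not code from the original post) over constructed NetFlow-style records; it generalises the page's per-protocol remarks into one lookup.

```python
"""Classify flow records by the transport signature of each VPN protocol the
article compares, to inventory VPN use on a network (e.g. spotting hosts still
on PPTP). Added example, not code from the original post; flows are constructed."""
from collections import Counter

TCP, UDP, GRE, ESP = 6, 17, 47, 50   # IP protocol numbers

def classify(flow):
    """Best-effort protocol label for one flow ({'proto': ip_proto, 'dport': port}), or None."""
    proto, dport = flow["proto"], flow.get("dport")
    if proto == GRE or (proto == TCP and dport == 1723):
        return "PPTP"          # TCP/1723 control channel plus GRE data channel
    if proto == ESP:
        return "IPsec"         # ESP payload, used by both L2TP/IPsec and IKEv2
    if proto == UDP and dport == 500:
        return "IKE"           # key exchange for IKEv2 and for L2TP/IPsec
    if proto == UDP and dport == 4500:
        return "IPsec NAT-T"   # IKE and ESP wrapped in UDP when NAT is in the path
    if proto == UDP and dport == 1701:
        return "L2TP"          # bare L2TP, which carries no encryption of its own
    if proto == UDP and dport == 1194:
        return "OpenVPN"       # OpenVPN default port
    if proto == TCP and dport == 443:
        return "TLS/443"       # HTTPS, OpenVPN on 443 or SSTP: not separable by port alone
    return None

# Constructed NetFlow-style records (RFC 1918 addresses, not real traffic).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "proto": TCP, "dport": 1723},
    {"src": "10.0.0.5", "proto": GRE},
    {"src": "10.0.0.7", "proto": UDP, "dport": 500},
    {"src": "10.0.0.7", "proto": UDP, "dport": 4500},
    {"src": "10.0.0.9", "proto": UDP, "dport": 1194},
    {"src": "10.0.0.11", "proto": TCP, "dport": 443},
    {"src": "10.0.0.12", "proto": TCP, "dport": 80},
]

def inventory(flows):
    """Count flows per recognised label; unrecognised flows are skipped."""
    labels = [classify(f) for f in flows]
    return Counter(l for l in labels if l is not None)

def pptp_hosts(flows):
    """Hosts still speaking PPTP, the protocol the article rates least secure."""
    return {f["src"] for f in flows if classify(f) == "PPTP"}
```

Port-based labels are a starting point only: OpenVPN on TCP/443 and SSTP look identical to ordinary HTTPS here, which is exactly why those two pass firewalls that block PPTP, L2TP/IPsec and IKEv2.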

Summary

From the discussion above, the one clear thing is that no one VPN protocol can satisfy all user requirements. Some VPN protocols prioritize speed while others prioritize security.

Consequently, it is not a surprise to find a VPN provider that has found a way to incorporate all five in a bid to provide the best possible service.

About the author: Susan Alexandra

Susan Alexandra is a cybersecurity and privacy enthusiast. She is a small business owner, traveler and investor in cryptocurrencies. Susan's inbox is open for new ideas and stories; you can share story ideas at susanalexandra67@gmail.com

Pierluigi Paganini

(SecurityAffairs – VPN, privacy)
