Which VPN Protocol Should You Use

So you just signed up for the fastest VPN service you could find. The next step is to figure out what protocol you’re going to use to connect. Most VPN services will provide you with multiple options.

This post will help you pick the one that will best suit your needs. It’s not meant to be the final word on VPN protocols by any means. But it will tell you the basics about each common option, how they relate to each other and which you should use to connect.

Various VPN protocol options

PPTP

Right off the bat, we’re going to say this: do not use PPTP. It is a protocol that has been around since the days of Windows 95, and while it is a very popular option, it is also full of security holes. While this fact has never been confirmed, it is very likely the NSA and other government agencies can decrypt what should be secure PPTP connections. If you value your privacy or live in a country with a repressive government, beware.

On the plus side, other than being very commonly implemented, as we have mentioned, PPTP is also easy to set up. Many platforms and operating systems ship with PPTP clients. But, that is the sole advantage. On the whole, using PPTP is not recommended.

OpenVPN

This VPN protocol is built on open-source technologies like the SSL v3/TLS v1 protocols, as well as the OpenSSL encryption library. It is highly configurable and can run on any port. You could, for example, set it up to connect to TCP port 443, which is the standard HTTPS port. Doing so would make your VPN traffic virtually indistinguishable from a connection to a secure website. This feature makes OpenVPN tough to block.

As part of its configurability, you can select the type of encryption you want to use. We recommend using AES over the weaker Blowfish option. We are also confident that OpenVPN has not been compromised by either the NSA or any other agency.

On the downside, OpenVPN support is not widely integrated into mobile or computer operating systems. A connection to a VPN server using OpenVPN will, therefore, require a third party client. Most if not all VPN services will, however, provide you with one.

Logo for OpenVPN protocol

L2TP/IPsec

L2TP stands for Layer 2 Tunnel Protocol and is a protocol that by default does not use encryption. That is the reason it usually comes bundled with IPsec encryption. L2TP is integrated into all modern mobile and computer operating systems, which makes it easy to configure and run. But, unlike OpenVPN, the port over which it establishes a connection is fixed to UDP port 500. This inflexibility makes it a lot easier to block.

In theory, IPsec encryption is secure. Some have voiced concerns that government organizations, the NSA included, could have ways of getting in. However, no one knows this for sure. In any case, OpenVPN is faster because L2TP/IPsec is a two step process. First, the transmitted data needs to be converted into L2TP and then encrypted using IPsec.

SSTP

SSTP is an acronym for Secure Socket Tunneling Protocol. It first made an appearance in Windows Vista SP1. Being a protocol proprietary to Microsoft, support for SSTP is, of course, best in a Windows environment. Compared to our favorite thus far, OpenVPN, because if its integration into the operating system, SSTP may be more stable in Windows. OpenVPN, as you may recall, requires a client application. But, that is the only advantage SSTP has going for it. Support on platforms other than Windows is available but not extensive.

SSTP support AES encryption, which makes it very secure. It also uses SSL v3, making it equally as hard to block as OpenVPN. If you run Windows, you should unquestionably pick it over PPTP. However, because SSTP is a protocol proprietary to Microsoft, its code is not open for independent security reviews and audits.

What to Use

If you have been keeping score, you will already know that OpenVPN is our winner. Most, if not all, high-speed VPN providers will offer it as one of the connection options. If you run into a service that does not, choose SSTP for Windows and L2TP/IPsec for all other platforms. Use PPTP only if you’re out of other options.