Home / Blogs

What Is the Most Secure VPN Protocol?

VPN products vary greatly in convenience, efficiency, and security. If security is a serious concern, an organization needs to pay close attention to the protocols a service supports. Some widely used protocols have significant weaknesses, while others offer state-of-the-art security. The best of the lot today include OpenVPN and IKEv2.

Understanding VPN protocols

What's called a VPN protocol is actually a collection of protocols. There are several functions which every VPN has to manage:

  • Tunneling. A VPN's basic function is to deliver packets from one point to another without exposing them to anyone on the path in between. To do this, it encapsulates all data in a format which the client and server understand. The side sending the data puts it into the tunneling format, and the receiving side extracts it.
  • Encryption. By itself, tunneling provides no protection. Anyone can extract the data. It also has to be encrypted over the transmission path. The receiving side knows how to decrypt data from a given sender.
  • Authentication. To be secure, a VPN has to confirm the identity of any client that tries to communicate with it. The client needs to confirm that it has reached the intended server. Here's a guide if you want to learn more about what is a vpn protocol.
  • Session management. Once a user is authenticated, the VPN needs to maintain the session so that a client can continue communicating with it over a period of time.

Generally VPN protocols treat tunneling, authentication, and session management as a package. Encryption is a specialized art, so they incorporate trusted protocols rather than devising new ones. Weaknesses in any of the functions are potential security flaws in the protocol.

Weaker protocols

The oldest protocol which is still in use is PPTP, or Point-to-Point Tunneling Protocol. It first came into use in 1995, and it shows its age. It doesn't specify an encryption protocol but can use several, including the strong MPPE-128. The lack of standardization on a strong protocol is a risk, since it can only use the strongest one which both ends support. The connection may use weaker encryption than the user expects.

The real problem with PPTP, though, is the authentication process. It uses a protocol called MS-CHAP, which is subject to cracking given today's levels of computing power. A determined attacker could log in and impersonate an authorized user.

The L2TP protocol usually works with the IPSec encryption algorithm. It's considerably stronger than PPTP but still raises concerns. The main area of vulnerability in L2TP/IPSec is the method of exchanging public keys. The Diffie-Hellman public key exchange is a way for two parties to agree on a key for subsequent encryption, which no one else knows about. A method of cracking this exists. It requires a one-time huge amount of computing power, but then it allows access to all communication on a given VPN. Edward Snowden and others believe that the NSA has accomplished this. If it can, so can other state actors.

Protocols with better security

IKEv2 (Internet Key Exchange) ranks high in security among the current protocols. It uses IPSec tunneling and a broad choice of encryption protocols. Used with AES-256 encryption, it is extremely hard to crack, even with serious computing resources. It uses strong certificate-based authentication and can use the HMAC algorithm to verify the integrity of transmitted data. It supports fast communication and is especially strong at maintaining a session, even if the Internet connection is interrupted. Windows, MacOS, iOS, and Android support it. Several open-source implementations are available.

Version 1 of the protocol was introduced in 1998, and version 2 in 2005. It's not one of the newest protocols, but it has held up well.

SSTP (Secure Socket Tunneling Protocol) is a Microsoft product, supported mostly on Windows. When used with AES encryption and SSL, it provides good security in theory. However, it uses a proprietary implementation, so it isn't subject to independent verification. While there are no known vulnerabilities, undetected ones or backdoors could exist.

A practical issue with SSTP is the limited support on non-Windows systems. This makes it questionable for a general-purpose VPN.

OpenVPN is an open suite of protocols which offers strong security and has become very popular. It was first released in 2001 under the GPL license. Being open source, it's available to many eyes for vulnerability checking. Encryption normally uses the OpenSSL library. OpenSSL supports many cryptographic algorithms, including AES.

There isn't any support for OpenVPN at the operating system level, but many packages include their own OpenVPN clients.

To get the most security with a protocol, administrators have to handle it correctly. The OpenVPN community provides recommendations for hardening OpenVPN.

SoftEther (Software Ethernet) is a more recent entry, having first become available in 2014. Like OpenVPN, it is an open-source specification and implementation. It supports the strongest encryption protocols, including AES-256 and RSA 4096-bit. It provides greater communication speed for a given data rate than most protocols, including OpenVPN. It doesn't have native OS support but can be installed on many operating systems, including Windows, Mac, Android, iOS, Linux, and Unix.

As a newer protocol, it doesn't have as much support as some of the alternatives. It hasn't been around as long as OpenVPN, so people haven't had as much time to check it for possible weaknesses. Still, it's a strong candidate for anyone who needs top-quality security.

Choosing the winner

Which protocol is the most secure? That's a difficult call.

IKEv2, OpenVPN, and SoftEther are all strong contenders. OpenVPN and SoftEther have the advantage of being open source. IKEv2 has open-source implementations but also proprietary ones. The main security advantage of IKEv2 is that it's easy to set up, reducing the chance of configuration errors. SoftEther offers very good security, but users don't have as many years of experience with it as with the other two. That could mean a higher chance of an undetected problem.

OpenVPN gets the nod by a hair. Its code has been around for many years for security experts to inspect, it's widely used, and it supports the strongest encryption protocols. However, these three rank so close together that you might consider other factors, such as convenience and speed, without having significant security fears.

By Christopher Nichols, Tech Writer
Follow CircleID on
Related topics: Cybersecurity, Internet Protocol
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

No mention of Wireguard? Chip Marshall  –  Feb 22, 2019 1:38 PM PDT

No mention of Wireguard?

To post comments, please login or create an account.

Related

Topics

New TLDs

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC

DNS Security

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign