Comparison of VPN protocols

Intro

A very basic VPN protocol based on PPP. The PPTP specification does not actually describe encryption or authentication features and relies on the PPP protocol being tunneled to implement security functionality. IKEv2 (Internet key exchange version 2) is part of the IPSec protocol suite. Standardized in RFC 7296. IPSec has become the defacto standard protocol for secure Internet communications, providing confidentiality, authentication and integrity. Open-source VPN protocol developed by OpenVPN technologies. Very popular however not based on standards (RFC). Uses a custom security protocol and SSL/TLS for key exchange. Provides full confidentiality, authentication and integrity. WireGuard® is an extremely fast VPN protocol with very little overhead and state-of-the-art cryptography. It has the potential to offer a simpler, more secure, more efficient, and easier to use VPN over existing technologies.

Encryption

The PPP payload is encrypted using Microsoft's Point-to-Point Encryption protocol (MPPE). MPPE implements the RSA RC4 encryption algorithm with a maximum of 128 bit session keys. IKEv2 implements a large number of cryptographic algorithms including 3DES, AES, Blowfish, Camellia. YVPN implements IKEv2 using AES with 256 bit keys. OpenVPN uses the OpenSSL library to provide encryption. OpenSSL implements a large number of cryptographic algorithms such as 3DES, AES, RC5, Blowfish.
As with IKEv2, YVPN implements AES with 256 bit keys.
Built atop ChaCha20 for symmetric encryption (RFC7539), Curve25519 for Elliptic-curve Diffie–Hellman (ECDH) anonymous key agreement, BLAKE2s for hashing (RFC7693), SipHash24 for hashtable keys, and HKDF for key derivation (RFC5869). Makes use of a UDP-based handshake and the key exchange uses perfect forward secrecy while avoiding both key-compromise impersonation and replay attacks.

Security weaknesses

The Microsoft implementation of PPTP has serious security vulnerabilities. MSCHAP-v2 is vulnerable to dictionary attack and the RC4 algorithm is subject to a bit-flipping attack. Microsoft strongly recommends upgrading to IPSec where confidentiality is a concern. IPSec has no known major vulnerabilities and is generally considered secure when implemented using a secure encryption algorithm and certificates for authentication. However Leaked NSA presentations indicate that IKE could be exploited in an unknown manner to decrypt IPSec traffic. OpenVPN has no known major vulnerabilities and is generally considered secure when implemented using a secure encryption algorithm and certificates for authentication. WireGuard® has no known major vulnerabilities. It is relatively new and has not seen the thorough vetting of OpenVPN, though the code-base is extremely small, so full audits are possible by individuals and not just large organizations. WireGuard® is in-tree with Linux Kernel 5.6 and has been reviewed by a 3rd party auditor.

Speed

With RC4 and 128 bit keys, the encryption overhead is least of all protocols making PPTP the fastest. IPSec with IKEv2 should in theory be the faster than OpenVPN due to user-mode encryption in OpenVPN however it depends on many variables specific to the connection. In most cases it is faster than OpenVPN. When used in its default UDP mode on a reliable network OpenVPN performs similarly to IKEv2. WireGuard® benefits from extremely high-speed cryptographic primitives and deep integration with underlying operating system kernel, so speeds are very high with low overhead. Most customers report higher speeds than OpenVPN.

Firewall ports

PPTP uses TCP port 1723 and GRE (Protocol 47). PPTP can be easily blocked by restricting the GRE protocol. IKEv2 uses UDP 500 for the initial key exchange, protocol 50 for the IPSEC encrypted data (ESP) and UDP 4500 for NAT traversal.
IKEv2 is easier to block than OpenVPN due to its reliance on fixed protocols and ports.
OpenVPN can be easily configured to run on any port using either UDP or TCP thereby easily bypassing restrictive firewalls. WireGuard® uses the UDP protocol and can be configured to use any port. May succumb to traffic shaping more easily than OpenVPN due to lack of support for TCP.

Setup / Configuration

All versions of Windows and most other operating systems (including mobile) have native support for PPTP. PPTP only requires a username, password and server address making it incredibly simple to setup and configure. Windows 7+, macOS 10.11+ and most mobile operating systems have native support for IPSec with IKEv2. OpenVPN is not included in any operating system release and requires the installation of client software. Installation typically takes less than 5 minutes. WireGuard® is in-tree with Linux Kernel 5.6. Other non-linux operating systems require the installation of a WireGuard® client app. Installation typically takes less than 5 minutes.

Stability / Compatibility

PPTP is not as reliable, nor does it recover as quickly as OpenVPN over unstable network connections. Minor compatibility issues with the GRE protocol and some routers. IPSec is more complex than OpenVPN and can require additional configuration between devices behind NAT routers. However as long as both the server and client support NAT traversal there shouldn't be any issues. Very stable and fast over wireless, cellular and other non reliable networks where packet loss and congestion is common. OpenVPN has a TCP mode for highly unreliable connections but this mode sacrifices significant performance due to the inefficiency of encapsulating TCP within TCP. Extremely stable and robust. More stable than OpenVPN when roaming across networks. Uses an initial endpoint for connections and can switch servers while maintaining the connection. Client can also change networks without dropping the connection.

Verdict

Due to the major security flaws, there is no good reason to choose PPTP other than device compatibility. If you have a device on which only PPTP is supported then you should consider how to encrypt data at other layers e.g. HTTPS. IKEv2 is an excellent choice, it is extremely fast, secure and reliable. In addition unlike OpenVPN it requires no additional software to be installed (in most cases) and is therefor the quickest to configure. If you have a threat model that includes sophisticated adversaries then you may want to consider OpenVPN due to the leaked NSA presentations discussed above. OpenVPN is an excellent choice for all platforms. It is extremely fast, secure and reliable. WireGuard® is an excellent choice and may be the best protocol for high speeds. WireGuard® promises better security and faster speeds compared to existing solutions. Since its merge into Linux Kernel (v5.6) and the release of v1.0, we consider WireGuard® to be ready for wide-scale use.

PPTP

Intro

A very basic VPN protocol based on PPP. The PPTP specification does not actually describe encryption or authentication features and relies on the PPP protocol being tunneled to implement security functionality.

Encryption

The PPP payload is encrypted using Microsoft’s Point-to-Point Encryption protocol (MPPE). MPPE implements the RSA RC4 encryption algorithm with a maximum of 128 bit session keys.

Security weaknesses

The Microsoft implementation of PPTP has serious security vulnerabilities. MSCHAP-v2 is vulnerable to dictionary attack and the RC4 algorithm is subject to a bit-flipping attack. Microsoft strongly recommends upgrading to IPSec where confidentiality is a concern.

Speed

With RC4 and 128 bit keys, the encryption overhead is least of all protocols making PPTP the fastest.

Firewall ports

PPTP uses TCP port 1723 and GRE (Protocol 47). PPTP can be easily blocked by restricting the GRE protocol.

Setup / Configuration

All versions of Windows and most other operating systems (including mobile) have native support for PPTP. PPTP only requires a username, password and server address making it incredibly simple to setup and configure.

Stability / Compatibility

PPTP is not as realiable, nor does it recover as quickly as OpenVPN over unstable network connections. Minor compatibility issues with the GRE protocol and some routers.

Verdict

Due to the major security flaws, there is no good reason to choose PPTP other than device compatibility. If you have a device on which only PPTP is supported then you should consider how to encrypt data at other layers e.g. HTTPS.

IPSec IKEv2

Intro

IKEv2 (Internet key exchange version 2) is part of the IPSec protocol suite. Standardized in RFC 7296. IPSec has become the defacto standard protocol for secure Internet communications, providing confidentiality, authentication and integrity.

Encryption

IKEv2 implements a large number of cryptographic algorithms including 3DES, AES, Blowfish, Camellia. YVPN implements IKEv2 using AES with 256 bit keys.

Security weaknesses

IPSec has no known major vulnerabilities and is generally considered secure when implemented using a secure encryption algorithm and certificates for authentication. However Leaked NSA presentations indicate that IKE could be exploited in an unknown manner to decrypt IPSec traffic.

Speed

IPSec with IKEv2 should in theory be the faster than OpenVPN due to user-mode encryption in OpenVPN however it depends on many variables specific to the connection. In most cases it is faster than OpenVPN.

Firewall ports

IKEv2 uses UDP 500 for the initial key exchange, protocol 50 for the IPSEC encrypted data (ESP) and UDP 4500 for NAT traversal.
IKEv2 is easier to block than OpenVPN due to its reliance on fixed protocols and ports.

Setup / Configuration

Windows 7+, macOS 10.11+ and most mobile operating systems have native support for IPSec with IKEv2.

Stability / Compatibility

IPSec is more complex than OpenVPN and can require additional configuration between devices behind NAT routers. However as long as both the server and client support NAT traversal there shouldn’t be any issues.

Verdict

IKEv2 is an excellent choice, it is extremely fast, secure and reliable. In addition unlike OpenVPN it requires no additional software to be installed (in most cases) and is therefor the quickest to configure. If you have a threat model that includes sophisticated adversaries then you may want to consider OpenVPN due to the leaked NSA presentations discussed above.

OpenVPN

Intro

Open-source VPN protocol developed by OpenVPN technologies. Very popular however not based on standards (RFC). Uses a custom security protocol and SSL/TLS for key exchange. Provides full confidentiality, authentication and integrity.

Encryption

OpenVPN uses the OpenSSL library to provide encryption. OpenSSL implements a large number of cryptographic algorithms such as 3DES, AES, RC5, Blowfish.
As with IKEv2, YVPN implements AES with 256 bit keys.

Security weaknesses

OpenVPN has no known major vulnerabilities and is generally considered secure when implemented using a secure encryption algorithm and certificates for authentication.

Speed

When used in its default UDP mode on a reliable network OpenVPN performs similarly to IKEv2.

Firewall ports

OpenVPN can be easily configured to run on any port using either UDP or TCP thereby easily bypassing restrictive firewalls.

Setup / Configuration

OpenVPN is not included in any operating system release and requires the installation of client software. Installation typically takes less than 5 minutes.

Stability / Compatibility

Very stable and fast over wireless, cellular and other non reliable networks where packet loss and congestion is common. OpenVPN has a TCP mode for highly unreliable connections but this mode sacrifices significant performance due to the inefficiency of encapsulating TCP within TCP.

Verdict

OpenVPN is an excellent choice for all platforms. It is extremely fast, secure and reliable.

WireGuard

Intro

WireGuard® is an extremely fast VPN protocol with very little overhead and state-of-the-art cryptography. It has the potential to offer a simpler, more secure, more efficient, and easier to use VPN over existing technologies.

Encryption

Built atop ChaCha20 for symmetric encryption (RFC7539), Curve25519 for Elliptic-curve Diffie–Hellman (ECDH) anonymous key agreement, BLAKE2s for hashing (RFC7693), SipHash24 for hashtable keys, and HKDF for key derivation (RFC5869). Makes use of a UDP-based handshake and the key exchange uses perfect forward secrecy while avoiding both key-compromise impersonation and replay attacks.

Security weaknesses

WireGuard® has no known major vulnerabilities. It is relatively new and has not seen the thorough vetting of OpenVPN, though the code-base is extremely small, so full audits are possible by individuals and not just large organizations. WireGuard® is in-tree with Linux Kernel 5.6 and has been reviewed by a 3rd party auditor.

Speed

WireGuard® benefits from extremely high-speed cryptographic primitives and deep integration with underlying operating system kernel, so speeds are very high with low overhead. Most customers report higher speeds than OpenVPN.

Firewall ports

WireGuard® uses the UDP protocol and can be configured to use any port. May succumb to traffic shaping more easily than OpenVPN due to lack of support for TCP.

Setup / Configuration

WireGuard® is in-tree with Linux Kernel 5.6. Other non-linux operating systems require the installation of a WireGuard® client app. Installation typically takes less than 5 minutes.

Stability / Compatibility

Extremely stable and robust. More stable than OpenVPN when roaming across networks. Uses an initial endpoint for connections and can switch servers while maintaining the connection. Client can also change networks without dropping the connection.

Verdict

WireGuard® is an excellent choice and may be the best protocol for high speeds. WireGuard® promises better security and faster speeds compared to existing solutions. Since its merge into Linux Kernel (v5.6) and the release of v1.0, we consider WireGuard® to be ready for wide-scale use.