The strengths and weaknesses of different VPN protocols

Pierluigi Paganini April 26, 2019

One in four internet users use a VPN regularly, but how much does the average user know about what goes on behind the software?

Pulling back the curtain, a VPN runs on various VPN protocols that govern the way a VPN client communicates with a VPN server. Different protocols create different ways that connect your device and the internet through encrypted tunnels.

The history of VPN protocols dates back to 1996 when a Microsoft employee came up with Peer-to-Peer Tunneling Protocol (PPTP). The protocol, though not perfect, allowed people to work from home through a secure internet connection.

Since then, VPN protocol technology has evolved and, at the moment, there are five widely used VPN protocols. A breakdown of these five VPN protocols complete with their pros and cons is key to understanding VPN protocols in depth.



As noted above, Peer-to-Peer Tunneling Protocol was the first to be developed, and it is over 20 years old. The protocol relies on encryption, authentication and peer-to-peer protocol (PPP) negotiation. In essence, that means it only needs a username, password, and server address to create a connection.

Most devices support PPTP and because of how easy it is to set-up and is rather popular among VPN companies. PPTP is incredibly fast, and as a result, people who want to circumvent geo-restricted content prefer the protocol.

However, the speed comes at the cost of encryption. Of all the protocols, PPTP has the lowest level of encryption. Even Microsoft recommends that people stay away from PPTP because, from a security standpoint where encryption is key, PPTP is extremely unsafe.

That said, if your only concern is speed, then PPTP is the protocol for you.


  • Super-fast
  • Easy to set up and use
  • Nearly all platforms support the protocol


2. OpenVPN

First released in 2001, the OpenVPN protocol has become one of the most popular and widely used protocols. It is an open-source protocol which means coders can add to or edit the protocol, scrutinize the source code for vulnerabilities, and solve identified issues immediately.

OpenVPN uses SSL technology, and it is available on nearly all platforms, including Windows, Linux, iOS, Android, macOS, Blackberry, and routers. It operates on both Layer 2 and 3, and it contains extra features that facilitate the transport of IPX packets and Ethernet frames. Moreover, it has NetBIOS functionality and depending on the setup; it can share port 443 with HTTPS.

OpenVPN is incredibly secure thanks to the fact that it uses a 160-bit SHA1 hash algorithm, AES 256-bit key encryption (in addition to others), and 2048-bit RSA authentication.

That said, OpenVPN has a significant weakness—the amount of latency or rather the considerable delay during operation. With the use of more powerful computers and the use of SSL certificates, one can get around this weakness.


  • Secure
  • Easily bypasses firewalls
  • Supports a variety of cryptographic algorithms
  • It is open-source which means it’s easy to vet
  • Supports Perfect Forward Secrecy


  • Needs a third-party software for set-up
  • It can be difficult to configure
  • Potentially higher latency periods

3. L2TP/IPsec

To fully understand Layer 2 Tunneling Protocol (L2TP), it is essential first to mention Layer 2 Forwarding (L2F). Cisco developed L2F soon after the release of PPTP to try and improve on the flaws of PPTP. Unfortunately, L2F wasn’t perfect either.

Therefore, in 1999, they concerned released L2TP as an improvement on both PPTP and L2F. L2TP combines the best of both L2F and PPTP to provide a more secure and reliable tunneling protocol.

However, note that L2TP is simply a tunneling protocol and provides neither encryption nor privacy. Due to the lack of encryption, L2TP cannot function as a secure protocol alone and must be paired with IPsec which is a security protocol that carries with it the required encryption. The bundling of L2TP and IPsec protocols leads to the use of something known as double encapsulation.

In double encapsulation, the first encapsulation will create a PPP connection to a remote host and the second encapsulation will contain IPsec.

L2TP supports AES 256 encryption algorithms—some of the most secure—and it prevents man-in-the-middle attacks because data cannot be altered when in transit between the sender and receiver.

Bear in mind that due to the double encapsulation, the protocol has reduced speed. Moreover, the L2TP protocol can only communicate via User Datagram Protocol (UDP). The restriction to UDP means it is easy to block.


  • Secure according to most
  • Works in almost all platforms
  • Easy to set up
  • Supports multithreading which increases performance


  • Both Edward Snowden and John Gilmore noted that NSA might have deliberately weakened IPSec which means it can be compromised.
  • Firewalls can easily block it because it only communicates over UDP.
  • Slower than OpenVPN due to double encapsulation


Secure Socket Tunneling Protocol (SSTP) is very similar to OpenVPN with the only difference being that it is proprietary software that Microsoft developed and introduced in Windows Vista.

Just like OpenVPN, SSTP supports AES 256-bit key encryption, and it uses 2048-bit SSL/TSL certificates for authentication. The protocol has native support for Linux, Windows, and BSD systems. The rest, e.g., Android and iOS only have support via third-party clients.


  • Provides support for a wide range of cryptographic algorithms
  • Supports Perfect Forward Secrecy
  • Easy to use especially because the protocol is already integrated into Windows


  • Does not do as well on other systems as it does on Windows
  • It is impossible to audit underlying code because the protocol is proprietary

5. IKEv2

Internet Key Version 2 (IKEv2) is a tunneling protocol that provides a secure key exchange session. The protocol was a collaboration between Microsoft and Cisco. Similar to L2TP, it is often paired with IPsec to provide for authentication and encryption.

IKEv2 is uniquely suited to mobile VPN solutions. That is because it is very good at reconnecting anytime there is a temporary loss of internet connection. Second, it is adept at reconnecting during a network switch (e.g. from mobile data to Wi-Fi).

IKEv2 is not as popular as OpenVPN, PPTP or L2TP/IPsec but a good number of VPNs, especially those that specialize in mobile VPNs use it. Because it is proprietary software, it only has native support for Windows, iOS, and Blackberry.


  • Extremely stable and does not drop the VPN connection when switching networks
  • Incredibly fast
  • Supports Perfect Forward Secrecy
  • Supports a variety of cryptographic algorithms
  • Easy to set-up


  • Suffers from the same IPsec drawbacks (NSA tampering)
  • Does not support a considerable number of platforms
  • Firewalls can block the protocol


From the discussion above; the one clear thing is that no one VPN protocol can satisfy all the user requirements. Some VPN protocols prioritize speed while other prioritize security.

Consequently, it is not a surprise to find a VPN provider that has found a way to incorporate all five in a bid to provide the best possible service.

About the author: Susan Alexandra

Susan Alexandra is is a cybersecurity and privacy enthusiast. She is a small business owner, traveler and investor of cryptocurrencies. Susan’s inbox is open for new ideas and stories, you can share the story ideas to [email protected]

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – VPN, privacy)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment