A VPN protocol is the underlying technology that encapsulates data packets within one protocol into another protocol. For VPNs based on the Internet, the data packets in any of the applicable VPN protocols are encapsulated within the Internet Protocol (IP).
VPN tunneling technology uses a number of protocols to encrypt and authenticate data traffic while it is being transmitted. Several protocols were created specifically for use with VPN tunnels. Among them, the four most commonly implemented for Internet-based VPNs are OpenVPN, PPTP, L2TP/IPSec, and SSTP.
Below are the details for each of the aforementioned protocols.
OpenVPN is open-source software developed by the OpenVPN project (OpenVPN Technologies Inc.). OpenVPN runs a custom secure protocol that uses SSL/TLS to exchange security keys. OpenVPN can traverse firewalls as well as network address translators (NATs).
OpenVPN allows authentication between peers using a pre-shared key, username and passwords, or certificates.
When in use, both the data channel and the control channel are encrypted using the OpenSSL library. By letting OpenSSL perform all the encryption and authentication functions, OpenVPN gets access to all the ciphers in the OpenSSL package. OpenVPN can go further and add an extra security layer by using HMAC packet authentication. For better encryption performance, OpenVPN can make use of hardware acceleration.
There are many ways through which OpenVPN can authenticate peers with each other, including certificate-based authentication, username and password-based authentication, and pre-shared keys. The easiest authentication type is pre-shared secret keys, but certificate-based authentication offers more robustness and features.
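The HMAC packet-authentication layer mentioned above is worth seeing in miniature. The following Python block is an added illustration, not OpenVPN's own code or wire format: it assumes a 32-byte static key shared out of band (standing in for the key file a pre-shared-key setup would use), prefixes every packet with a packet id and an HMAC-SHA256 tag over that id and the payload, and shows a receiving filter that drops tampered, forged, or replayed packets before anything behind it (the TLS handshake, the data channel) ever parses them.

```python
import hmac
import hashlib
import struct

# Constructed example key: in a real deployment both peers load this
# secret out of band; it is never sent over the tunnel.
SHARED_KEY = bytes(range(32))
TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def seal(packet_id: int, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Prepend a 32-bit packet id and an HMAC tag computed over (id || payload)."""
    header = struct.pack("!I", packet_id)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return tag + header + payload


class PacketFilter:
    """Verifies each incoming packet's tag and packet id before any further
    processing.  Packets with a bad tag cost the receiver one HMAC computation
    and nothing else, which is the point of the extra layer."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen_ids = set()  # simplified replay window: remember every id

    def accept(self, packet: bytes):
        """Return (payload, 'ok') or (None, reason) explaining the drop."""
        if len(packet) < TAG_LEN + 4:
            return None, "too short"
        tag, rest = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.key, rest, hashlib.sha256).digest()
        # constant-time comparison so timing does not leak tag bytes
        if not hmac.compare_digest(tag, expected):
            return None, "bad hmac"
        (packet_id,) = struct.unpack("!I", rest[:4])
        if packet_id in self.seen_ids:
            return None, "replay"
        self.seen_ids.add(packet_id)
        return rest[4:], "ok"


def demo():
    """Run four constructed packets through the filter and return the verdicts."""
    f = PacketFilter()
    good = seal(1, b"client hello")
    verdicts = [f.accept(good)[1]]
    # a packet whose payload was altered in transit (last byte flipped)
    tampered = bytearray(good)
    tampered[-1] ^= 0x01
    verdicts.append(f.accept(bytes(tampered))[1])
    # a packet built by someone who does not hold the shared key
    verdicts.append(f.accept(seal(2, b"client hello", key=b"\x00" * 32))[1])
    # an exact copy of the first, valid packet sent again
    verdicts.append(f.accept(good)[1])
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Real implementations replace the ever-growing `seen_ids` set with a sliding window of packet ids, but the ordering is the same: authenticate first, then accept into the replay window, and only then hand the payload onward.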
OpenVPN runs on a wide range of platforms including Windows, Mac OSX, FreeBSD, OpenBSD, NetBSD, Linux, QNX, and Solaris. It’s also available on a number of mobile platforms, notably iOS (on 3GS+ models), Windows Mobile, and Maemo.
The Point-to-Point Tunneling Protocol (PPTP) uses the standard Point-to-Point Protocol (PPP) of classic dial-up networks. PPTP is best suited to remote access VPN applications, but it can also be used within LAN settings. PPTP works at Layer 2 of the OSI model.
Although the origin of PPTP is commonly attributed to Microsoft (since nearly all Windows versions natively support PPTP), several bodies were involved in its creation. Originally, PPTP was weak security-wise, but it has been gradually strengthened by Microsoft.
When in use, PPTP bundles data into PPP packets before encapsulating the PPP packets within IP datagrams, which are then transmitted through a VPN tunnel over the Internet. PPTP enables encryption and compression of the packets, and it uses a form of Generic Routing Encapsulation (GRE) to carry the data to and from its destination.
By far, remote access VPNs based on the Internet are the most common type of PPTP VPN for personal use. In this setting, VPN tunnels are set up in a two-step process:
I. First, the PPTP client establishes a connection with its ISP via dial-up networking.
II. A TCP control connection is then established by PPTP between the VPN client and the server.
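The encapsulation described above (PPP inside GRE inside IP) is easier to follow with the bytes in front of you. This Python block is an added example, not part of the original text: it builds the enhanced GRE header that PPTP uses (the RFC 2637 variant with a call id and optional sequence and acknowledgment numbers), wraps a PPP frame in it, and parses the result back. The IP header that carries the GRE packet (IP protocol 47, alongside the TCP/1723 control connection) is left to the operating system and not reproduced; the PPP frame is assumed to omit the address and control fields, and the payload bytes are constructed.

```python
import struct

GRE_PROTO_PPP = 0x880B   # protocol type PPTP places in its GRE header
PPP_PROTO_IP = 0x0021    # PPP protocol field for an IPv4 datagram
PPP_PROTO_MPPE = 0x00FD  # "compressed datagram": what MPPE-encrypted payloads carry


def build_ppp_frame(proto: int, payload: bytes) -> bytes:
    """PPP frame as PPTP carries it: 2-byte protocol field plus payload."""
    return struct.pack("!H", proto) + payload


def build_gre(call_id: int, ppp: bytes, seq=None, ack=None) -> bytes:
    """Enhanced GRE header (RFC 2637) followed by the PPP frame.

    byte 0: C=0 R=0 K=1 S s=0 Recur=0   (K: key field present, S: seq present)
    byte 1: A Flags=0 Ver=1              (A: ack present, version is always 1)
    then protocol type, payload length, call id, optional seq, optional ack.
    """
    b0 = 0x20 | (0x10 if seq is not None else 0)
    b1 = 0x01 | (0x80 if ack is not None else 0)
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(ppp), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp


def parse_gre(datagram: bytes) -> dict:
    """Decode a PPTP GRE packet; raise ValueError if it is not one."""
    if len(datagram) < 8:
        raise ValueError("truncated GRE header")
    b0, b1, proto, length, call_id = struct.unpack("!BBHHH", datagram[:8])
    if (b1 & 0x07) != 1 or proto != GRE_PROTO_PPP or not (b0 & 0x20):
        raise ValueError("not a PPTP enhanced-GRE packet")
    off = 8
    seq = ack = None
    if b0 & 0x10:
        (seq,) = struct.unpack("!I", datagram[off:off + 4])
        off += 4
    if b1 & 0x80:
        (ack,) = struct.unpack("!I", datagram[off:off + 4])
        off += 4
    ppp = datagram[off:off + length]
    if len(ppp) != length or length < 2:
        raise ValueError("payload length does not match header")
    (ppp_proto,) = struct.unpack("!H", ppp[:2])
    return {
        "call_id": call_id,
        "seq": seq,
        "ack": ack,
        "ppp_proto": ppp_proto,
        # True when the inner PPP frame is in the clear rather than MPPE-wrapped
        "plaintext_ppp": ppp_proto != PPP_PROTO_MPPE,
        "payload": ppp[2:],
    }


if __name__ == "__main__":
    # constructed sample: call id 7, seq 3, ack 2, carrying the first two
    # bytes of an IPv4 header as the inner payload
    pkt = build_gre(7, build_ppp_frame(PPP_PROTO_IP, b"\x45\x00"), seq=3, ack=2)
    print(pkt.hex())
    print(parse_gre(pkt))
```

The `plaintext_ppp` flag is the field a defender cares about: a PPTP tunnel whose GRE packets carry PPP protocol 0x0021 directly is moving IP traffic without MPPE, so the "encryption" the text mentions is not actually in effect for that call.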
Layer 2 Tunneling Protocol (L2TP) was created by combining the finest features of L2F with those of PPTP. L2F was originally implemented mostly in Cisco systems. Just like PPTP, L2TP works at Layer 2 of the OSI model (the data link layer).
IPSec (Internet Protocol Security), on the other hand, comprises a series of related protocols and can be used on its own as a complete VPN solution. However, IPSec is commonly used as the encryption and authentication system for L2TP because the latter doesn’t provide any encryption or authentication.
L2TP/IPSec is supported on various platforms, although in some cases users may require custom-built client software to use all the features the protocol offers.
Setting up L2TP/IPSec follows these basic steps:
I. First, you acquire an IP address from your Internet Service Provider.
II. Next, the Internet Key Exchange (IKE) initiates a security association (SA) between the user’s device and the VPN server (or router).
- SAs are created to secure data traffic.
- The L2TP traffic is secured by the IPSec connection.
III. An L2TP tunnel is created between the user machine and the VPN server.
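The point that L2TP itself provides no encryption or authentication (so step II must precede step III) can be turned into a simple check. The Python block below is an added example, not code from the original text or from any L2TP implementation: it parses the L2TPv2 header (RFC 2661) and classifies constructed flow records by IP protocol and port, flagging L2TP that arrives in the clear on UDP/1701 rather than inside IPsec. The record format (IP protocol, destination port, payload bytes) and all sample packets are constructed for the example; UDP/4500 is reported only as NAT-T IPsec, since it carries both IKE and UDP-encapsulated ESP.

```python
import struct

L2TP_PORT = 1701
IKE_PORT = 500
NAT_T_PORT = 4500
IP_PROTO_UDP = 17
IP_PROTO_ESP = 50


def parse_l2tp(payload: bytes) -> dict:
    """Decode an L2TPv2 header.  Flag bits (MSB first): T L x x S x O P x x x x Ver."""
    if len(payload) < 6:
        raise ValueError("truncated L2TP header")
    (flags,) = struct.unpack("!H", payload[:2])
    if (flags & 0x000F) != 2:
        raise ValueError("not L2TPv2")
    is_control = bool(flags & 0x8000)
    has_length = bool(flags & 0x4000)
    has_seq = bool(flags & 0x0800)
    has_offset = bool(flags & 0x0200)
    # control messages must carry Length and Ns/Nr and must not use Offset
    if is_control and (not has_length or not has_seq or has_offset):
        raise ValueError("malformed control message flags")
    off = 2
    length = None
    if has_length:
        (length,) = struct.unpack("!H", payload[off:off + 2])
        off += 2
    tunnel_id, session_id = struct.unpack("!HH", payload[off:off + 4])
    off += 4
    ns = nr = None
    if has_seq:
        ns, nr = struct.unpack("!HH", payload[off:off + 4])
        off += 4
    if has_offset:
        (pad,) = struct.unpack("!H", payload[off:off + 2])
        off += 2 + pad
    return {"control": is_control, "length": length, "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr, "body": payload[off:]}


def classify(records):
    """Label each (ip_proto, dst_port, payload) record; cleartext L2TP is the finding."""
    findings = []
    for proto, port, payload in records:
        if proto == IP_PROTO_ESP:
            findings.append("ipsec-esp")
        elif proto == IP_PROTO_UDP and port == NAT_T_PORT:
            findings.append("ipsec-nat-t")
        elif proto == IP_PROTO_UDP and port == IKE_PORT:
            findings.append("ike")
        elif proto == IP_PROTO_UDP and port == L2TP_PORT:
            try:
                hdr = parse_l2tp(payload)
            except ValueError:
                findings.append("udp1701-not-l2tp")
                continue
            # L2TP visible on the wire means no IPsec SA is protecting it
            kind = "control" if hdr["control"] else "data"
            findings.append(f"cleartext-l2tp-{kind}")
        else:
            findings.append("other")
    return findings


def sample_records():
    """Constructed records: an IKE exchange, ESP traffic, then L2TP in the clear."""
    # control message: T, L, S set, version 2; empty body; tunnel/session 0
    ctrl = struct.pack("!HHHHHH", 0xC802, 12, 0, 0, 0, 0)
    # data message: version 2 only; tunnel 5, session 9; PPP frame for an IPv4 packet
    data = struct.pack("!HHH", 0x0002, 5, 9) + b"\x00\x21" + b"\x45\x00"
    return [
        (IP_PROTO_UDP, IKE_PORT, b"\x00" * 28),   # step II: IKE negotiates the SA
        (IP_PROTO_ESP, 0, b"\x00" * 40),           # traffic protected by that SA
        (IP_PROTO_UDP, L2TP_PORT, ctrl),           # step III attempted without IPsec
        (IP_PROTO_UDP, L2TP_PORT, data),           # PPP payload readable on the wire
        (IP_PROTO_UDP, 53, b"\x00" * 12),          # unrelated traffic
    ]


if __name__ == "__main__":
    for rec, label in zip(sample_records(), classify(sample_records())):
        print(rec[0], rec[1], label)
```

A correctly set up L2TP/IPSec session shows up in such records as IKE followed by ESP (or NAT-T) only; the L2TP control and data messages are inside the ESP payload and never appear on UDP/1701 in the clear.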
Almost all major VPN services offer L2TP/IPSec. Although PPTP is the most used VPN protocol for personal connections, users who want increased security choose L2TP/IPSec over PPTP.
SSTP is another increasingly popular VPN protocol that was released in 2007. SSTP encapsulates Layer 2 frames on HTTP over an SSL connection. TCP is the transport protocol used in this case. SSTP servers are authenticated in the SSL phase while SSTP clients may or may not be authenticated during the SSL phase, but they have to be authenticated in the PPP phase. SSTP is supported on Windows (Vista SP1 and beyond), Linux, and BSD systems.
SSTP was specifically built for client remote access connections. It mostly doesn’t support site-to-site VPN networks although some routers allow it.
As with most IP-over-TCP tunnels, SSTP has several performance limitations. In general, reasonable performance is only attainable when there is enough spare bandwidth on the untunneled link to ensure that the tunneled TCP sessions do not time out; otherwise performance falls dramatically. That being said, SSTP is faster than other SSL-based protocols, OpenVPN among them.
Because SSTP uses 2048-bit certificates and enhanced encryption (256-bit), it is currently the most secure protocol. SSTP is hard to block through filters and, therefore, is ideal for use when accessing censored websites.