With the rise of privacy threats and constant internet restrictions, using a VPN has become the norm for many users. However, behind the simplicity of connecting lie technical features that can significantly impact the user experience. One of the key factors is the choice of VPN protocol, which determines the speed, stability, and security level of the connection.

This article will provide a detailed breakdown of the most popular VPN protocols, their features, advantages, and disadvantages, and will also offer examples of how to use each of them.

By the way, I took all the pictures from those, you know, the internets, but I analyzed and explained them myself, just for you :)

What are VPN protocols?

VPN protocols are the sets of rules that define how a VPN tunnel is set up, how the two ends authenticate each other, and how the traffic inside it is encrypted and integrity-protected. They determine both the security properties of the connection and how fast and stable it will be.

Key functions of VPN protocols:

  • Encrypting data and protecting its integrity so that it cannot be read or silently modified in transit.

  • Establishing a tunnel that carries the protected packets between your device and the server.

  • Authenticating the device and the server to prevent man-in-the-middle and impersonation attacks.

  • Keeping the connection stable under changing network conditions (packet loss, NAT, switching networks).

A breakdown of popular VPN protocols

1. OpenVPN

OpenVPN is an open-source protocol that has long been the de facto standard in the VPN industry. It uses TLS for its control channel (mutual authentication and key exchange) and a separately keyed data channel for the tunnelled packets, which makes it one of the most thoroughly reviewed and secure solutions.

  • Cryptography: a TLS handshake with RSA (2048/4096) or ECDSA certificates and an (EC)DHE key exchange, which provides Perfect Forward Secrecy (PFS); the data channel is protected with AES-256 (preferably AES-256-GCM) or ChaCha20-Poly1305, with HMAC-SHA256 for integrity when a non-AEAD cipher is used.

  • Port usage: Works over UDP or TCP on any port (TCP 443 is a common choice to blend in with HTTPS), making it flexible for bypassing network restrictions.

  • Features:

    • Suitable for most tasks: streaming, bypassing blocks, data protection.

    • Supports customizable encryption parameters to optimize security or speed.

Use case example:

  • Corporate networks where high data protection is required.

  • Users who need a universal protocol for different devices and networks.

How it works:

  1. The client opens a TLS session with the server over UDP or TCP. Both sides authenticate with certificates (optionally plus a username and password), agree on the data-channel keys, and the tunnel comes up. Everything sent through it is encrypted and integrity-protected.

  2. The OpenVPN server receives the encrypted traffic, verifies and decrypts it, and routes the inner packets to devices on the local area network (LAN).

  3. The client gains access to internal resources as if it were physically on that network, including file servers, databases, or corporate applications.
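OpenVPN's flexibility cuts both ways: most of its security rests on a handful of client-side directives, and a config that "works" can still accept the wrong server or use a legacy cipher. The script below is an added example, not code from this article or from the OpenVPN project. It audits a constructed client config for the settings a practitioner would check (server certificate verification, control-channel protection, TLS floor, AEAD data ciphers, no compression) and shows a hardened version of the same config beside it. The host name vpn.example.net, the file names and both configs are placeholders.

```python
"""Audit an OpenVPN client config for missing hardening directives.

Added example, not code from the article or from the OpenVPN project.
Both configs are constructed; vpn.example.net and the file names are
placeholders. Inline <ca>...</ca> style blocks are not handled.
"""

# Constructed "before" config: it connects, but trusts any CA-signed certificate
# as the server, uses a legacy 64-bit block cipher and compresses plaintext.
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
comp-lzo
"""

# Constructed "after" config with the directives a practitioner would expect.
HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
tls-crypt tc.key
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
"""

AEAD_CIPHERS = {"AES-128-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse_config(text):
    """Map directive -> list of argument lists ('#' and ';' start comments)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit(text):
    """Return the sorted list of findings for a client config; [] means clean."""
    cfg = parse_config(text)
    findings = []

    # Without this, any certificate issued by the CA (e.g. another client's) is
    # accepted as the server, so one VPN user can impersonate the gateway.
    if "remote-cert-tls" not in cfg:
        findings.append("missing remote-cert-tls server")
    if "verify-x509-name" not in cfg:
        findings.append("missing verify-x509-name (server name not pinned)")
    # tls-auth adds an HMAC to every control-channel packet so unauthenticated
    # packets never reach the TLS stack; tls-crypt additionally encrypts them.
    if "tls-crypt" not in cfg and "tls-auth" not in cfg:
        findings.append("missing tls-crypt/tls-auth on the control channel")
    if "tls-version-min" not in cfg:
        findings.append("missing tls-version-min 1.2")
    # Data channel: accept only AEAD ciphers; BF-CBC and 3DES have 64-bit blocks.
    ciphers = set()
    for args in cfg.get("data-ciphers", []):
        ciphers.update(args[0].split(":"))
    for args in cfg.get("cipher", []):
        ciphers.add(args[0])
    if not ciphers:
        findings.append("no data-ciphers configured")
    for cipher in sorted(ciphers):
        if cipher.upper() not in AEAD_CIPHERS:
            findings.append(f"non-AEAD or legacy cipher: {cipher}")
    # Compressing plaintext before encryption leaks information about it
    # ('compress stub' / 'stub-v2' only add framing and do not compress).
    if "comp-lzo" in cfg or any(
        args and args[0] not in ("stub", "stub-v2") for args in cfg.get("compress", [])
    ):
        findings.append("compression enabled (compression oracle risk)")
    # Only matters with password auth: stop OpenVPN caching the credentials.
    if "auth-user-pass" in cfg and "auth-nocache" not in cfg:
        findings.append("missing auth-nocache with auth-user-pass")
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(text) or 'no findings'}")
```

The `remote-cert-tls server` check is the one most often forgotten: without it every certificate issued by the VPN's CA, including other clients' certificates, is a valid "server", so any fellow user on the same network path can sit in the middle of your tunnel.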

2. WireGuard

WireGuard is a newer protocol that is rapidly gaining popularity due to its speed and efficiency. It was designed as a lightweight alternative to OpenVPN and IPsec, with a single fixed set of modern primitives instead of negotiable cipher suites.

  • Encryption algorithms:

    • ChaCha20 for encryption.

    • Poly1305 for authentication.

    • Curve25519 for key exchange.

    • SipHash24 for hash table keys.

    • HKDF for key derivation.

    • BLAKE2s for hashing.

  • Lines of code: roughly 4,000 for the original Linux kernel implementation (the OpenVPN code base alone exceeds 100,000 lines before counting OpenSSL), which makes it far easier to audit and less prone to errors. (Optimization, ladies and gentlemen!)

  • Features:

    • Fast connection and low latency.

    • Built-in support in the Linux kernel since version 5.6.

Use case example:

  • Gamers who need minimal latency.

  • Businesses that need high-performance VPNs for remote employees.

How it works:

*By the way, I couldn't steal this picture*

  1. Before any traffic flows, the administrator exchanges the two sides' Curve25519 public keys out of band and configures each as a peer of the other. On the server, each peer entry also carries the AllowedIPs that peer may use inside the tunnel (WireGuard calls this cryptokey routing). There is no in-band mechanism for adding peers.

  2. When the client has data to send, it performs a one-round-trip handshake over UDP: both sides combine their static and ephemeral Curve25519 keys and derive symmetric session keys with HKDF and BLAKE2s. No handshake happens while there is nothing to send (unless a persistent keepalive is configured).

  3. The client sends data through the tunnel. Each packet is encrypted with ChaCha20 and authenticated with Poly1305 under the session key (not the server's public key) and carries a receiver index that identifies the session and a 64-bit counter that serves as the nonce and protects against replay.

  4. The WireGuard server verifies the Poly1305 tag, which binds the packet to exactly one peer's session, and decrypts the payload with that session key. It then checks that the inner packet's source address falls inside that peer's AllowedIPs; a packet that decrypts correctly but claims another peer's address is dropped.

  5. The decrypted data is forwarded to the target devices on the local area network (LAN) or to the internet if the client is routing all its traffic through the VPN.

  6. Session keys are short-lived: they are rotated every two minutes while traffic flows, and the session state is discarded after a few minutes of silence. The peer configuration itself is never "forgotten"; when activity resumes, the client simply performs a new handshake with fresh ephemeral keys.
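The AllowedIPs rule from step 1 does two jobs at once, and it is the part of WireGuard that most often surprises people coming from OpenVPN. The Python below is an added example, not code from this article or from the WireGuard project. It reproduces the cryptokey-routing logic over a constructed server config with two placeholder peers: outbound packets are matched to a peer by longest prefix on AllowedIPs, and an inbound packet that decrypted successfully under one peer's session is still dropped if its inner source address lies outside that peer's AllowedIPs. The peer names and public keys are made up and are never used cryptographically.

```python
"""Cryptokey routing, the AllowedIPs rule WireGuard applies to every packet.

Added example, not code from the article or from the WireGuard project.
SERVER_CONFIG, the peer names and the public keys below are constructed
placeholders; the keys are never used cryptographically here.
"""
import ipaddress

PHONE = "PHONE_PUBLIC_KEY_PLACEHOLDER_1234567890abcdefg="
LAPTOP = "LAPTOP_PUBLIC_KEY_PLACEHOLDER_1234567890abcdef="

# Constructed server config: each peer may only use the tunnel addresses listed
# in its AllowedIPs; the laptop also fronts a small LAN behind it.
SERVER_CONFIG = f"""\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# phone
PublicKey = {PHONE}
AllowedIPs = 10.0.0.2/32

[Peer]
# laptop
PublicKey = {LAPTOP}
AllowedIPs = 10.0.0.3/32, 192.168.50.0/24
"""


def parse_peers(text):
    """Return {public_key: [ip_network, ...]} for every [Peer] section."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
            continue
        # Split on the first '=' only: base64 keys end in '=' padding.
        key, _, value = line.partition("=")
        if sections:
            sections[-1][1][key.strip()] = value.strip()
    peers = {}
    for name, fields in sections:
        if name == "Peer":
            peers[fields["PublicKey"]] = [
                ipaddress.ip_network(n.strip(), strict=False)
                for n in fields["AllowedIPs"].split(",")
            ]
    return peers


class CryptokeyRouter:
    def __init__(self, peers):
        self.peers = peers
        # One flat table sorted most-specific-first for longest-prefix matching.
        self.table = sorted(
            ((net, key) for key, nets in peers.items() for net in nets),
            key=lambda entry: entry[0].prefixlen,
            reverse=True,
        )

    def peer_for_destination(self, dst):
        """Outbound: the peer whose AllowedIPs most specifically covers dst is
        the only one the packet will be encrypted to. None means no route: drop."""
        addr = ipaddress.ip_address(dst)
        for net, key in self.table:
            if addr in net:  # membership is False across IPv4/IPv6 versions
                return key
        return None

    def accept_inbound(self, decrypting_peer, inner_src):
        """Inbound: the Poly1305 tag has already bound the packet to one peer's
        session; the inner source address must also lie inside that peer's
        AllowedIPs, or the packet is dropped. This stops one peer from sending
        packets that claim another peer's tunnel address."""
        addr = ipaddress.ip_address(inner_src)
        return any(addr in net for net in self.peers[decrypting_peer])


def demo():
    """Run the two checks over the constructed config and return the results."""
    router = CryptokeyRouter(parse_peers(SERVER_CONFIG))
    return {
        "to_phone": router.peer_for_destination("10.0.0.2"),
        "to_laptop_lan": router.peer_for_destination("192.168.50.7"),
        "no_route": router.peer_for_destination("172.16.0.1"),
        "laptop_legit": router.accept_inbound(LAPTOP, "192.168.50.7"),
        "laptop_spoofing_phone": router.accept_inbound(LAPTOP, "10.0.0.2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same table explains the client side of a full-tunnel setup: a client peer entry for the server with `AllowedIPs = 0.0.0.0/0, ::/0` is just the least specific route, so every destination not covered by a longer prefix is encrypted to the server.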

WireGuard, thanks to its speed and security, is an excellent choice for most VPN services. What it does not try to do is hide itself: its UDP packets have a fixed, recognisable structure, so on networks with strict traffic filtering other protocols such as Trojan come into play. Trojan combines the functionality of a VPN and a proxy and disguises its traffic as ordinary HTTPS, which makes it an effective tool against deep packet inspection. For example, PQ.Hosting uses Trojan in its services to ensure stable and secure access even in complex network conditions.

3. IKEv2/IPSec

IKEv2 (Internet Key Exchange version 2) negotiates the keys and security associations that IPsec then uses to protect the traffic. This combination is often used on mobile devices because its MOBIKE extension lets a tunnel survive a change of network address without being rebuilt.

  • Encryption algorithms: AES-256 (CBC or GCM) for the ESP payload, HMAC-SHA2 for integrity, and Diffie-Hellman (MODP or elliptic-curve groups) for key exchange.

  • Features:

    • Supports roaming via MOBIKE (e.g., when switching between Wi-Fi and a cellular network) without tearing the tunnel down.

    • Built into Windows, macOS, iOS and Android, so no third-party client is needed, which makes it popular on mobile platforms.

Use case example:

  • Mobile users who travel frequently.

  • In a corporate environment for connecting employees to remote offices.

How it works:

  1. The mobile node (MN, the client device) sets up an IKEv2 SA and an IPsec tunnel to the VPN gateway through its current access network (the previous access router, pAR). Both sides announce MOBIKE support (the MOBIKE_SUPPORTED notification in IKE_AUTH) during this setup.

  2. The MN loses its link to the pAR (e.g., by leaving the Wi-Fi zone) and obtains a new address via the new access router (nAR), such as a cellular network.

  3. With MOBIKE, the MN sends an INFORMATIONAL exchange containing the UPDATE_SA_ADDRESSES notification from its new address. The gateway updates the outer addresses of the existing IKE and IPsec SAs instead of negotiating new ones.

  4. Because the security associations, the keys and the client's inner tunnel address are all preserved, no re-authentication is needed. The gateway may run a return-routability check (COOKIE2) to confirm that the new address really belongs to the client.

  5. The MN resumes transmitting through the nAR, and the gateway keeps routing its traffic as if the connection had never been interrupted; applications see the same inner IP address throughout.

4. L2TP/IPSec

L2TP (Layer 2 Tunneling Protocol) only builds the tunnel; it has no encryption of its own and is therefore combined with IPsec, which protects the L2TP traffic with ESP. Because of the double encapsulation it is less efficient than modern solutions, but it is still used in some networks.

  • Encryption algorithms: 3DES or AES, supplied by IPsec (L2TP itself adds none).

  • Features:

    • Ease of setup.

    • Easy to block, since it always uses the same ports and protocols (UDP 500/4500 for IKE and NAT traversal, UDP 1701 for L2TP, and ESP). Many deployments also rely on a single pre-shared key shared by all users.

Use case example:

  • Networks that require basic protection without complex configuration.

  • Services that do not require high speed.

How it works:

  1. A remote user connects to a Network Access Server (NAS). In the classic design this was a dial-up call over the PSTN to a provider gateway; today the user's own device usually plays the role of the access concentrator over any internet connection.

  2. The NAS, acting as the L2TP Access Concentrator (LAC), first establishes an IPsec ESP security association with the L2TP Network Server (LNS) and then builds the L2TP tunnel (UDP 1701) inside it. L2TP only encapsulates the user's PPP frames; the confidentiality and integrity of the transmitted data come from IPsec.

  3. The LNS terminates the tunnel, strips the IPsec, L2TP and PPP encapsulation, and forwards the packets to the local area network (LAN).

  4. The remote user gains access to the network's internal resources as if they were inside it.

5. PPTP

PPTP (Point-to-Point Tunneling Protocol) is one of the first VPN protocols. Today it is considered obsolete: its MS-CHAPv2 authentication can be broken by brute-forcing a single 56-bit DES key, and its MPPE encryption is built on RC4 with keys derived from that same exchange.

  • Encryption algorithms: MPPE (Microsoft Point-to-Point Encryption), which is RC4 with 40-, 56- or 128-bit keys.

  • Features:

    • High speed due to minimal encryption.

    • Low level of security: both the login credentials and the tunnelled traffic should be assumed recoverable by anyone able to capture the connection.

Use case example:

  • Connecting to legacy corporate networks.

  • Streaming content where security is not a priority.

How it works:

  1. The client opens a PPTP control connection to the VPN gateway on TCP port 1723 and authenticates, usually with MS-CHAPv2.

  2. After successful authentication, the client's PPP frames are carried in GRE packets between the client and the gateway, encrypted with MPPE using a key derived from the MS-CHAPv2 exchange. This is why a cracked password also exposes the traffic.

  3. The VPN gateway routes the client's traffic to devices and resources on the local area network (LAN), providing access to them.

Comparison of VPN protocols

Table with key characteristics:

Protocol     | Encryption                                            | Speed  | Security | Compatibility                                                        | Recommended use
-------------|-------------------------------------------------------|--------|----------|----------------------------------------------------------------------|--------------------------------
OpenVPN      | AES-256-GCM or ChaCha20-Poly1305, TLS control channel | Medium | High     | All platforms (third-party client)                                   | Universal, corporate networks
WireGuard    | ChaCha20-Poly1305                                     | High   | High     | Linux (in-kernel), Windows, macOS, Android, iOS, BSD                 | Gaming, high-performance VPNs
IKEv2/IPsec  | AES-256 (CBC/GCM), HMAC-SHA2                          | High   | High     | Built into Windows, macOS, iOS, Android; Linux via strongSwan/Libreswan | Mobile networks, corporate VPNs
L2TP/IPsec   | 3DES or AES via IPsec ESP                             | Medium | Medium   | Built into most operating systems                                    | Basic protection
PPTP         | MPPE (RC4)                                            | High   | Low      | Legacy platforms (Apple removed the client in 2016)                  | Fast access without security

Use cases for VPN protocols

VPN protocols are chosen depending on the tasks that need to be solved. Different protocols provide optimal conditions for business, personal use, or specialized needs. Let's look at the examples in more detail.

For business

  1. OpenVPN
    It is used by many large companies due to its reliability, flexibility, and high security. This protocol allows for the creation of secure corporate networks, which is especially important for organizations working with confidential data.
    For example: A company creates a centralized network for its branches, where employees securely exchange data over a single VPN network using OpenVPN on corporate devices.

  2. IKEv2/IPSec
    An excellent choice for companies with mobile employees. The protocol supports fast switching between Wi-Fi and cellular networks, making it indispensable for traveling workers.
    For example: An IT company provides its employees with access to corporate email and a CRM system via IKEv2, allowing them to maintain a stable connection even when changing access points.

  3. WireGuard
    It is emerging in corporate networks as a solution for high-performance connections. Its ease of setup and low server load make WireGuard a promising choice for businesses.
    For example: A startup with limited resources sets up WireGuard for secure employee connections, minimizing hardware costs.

For personal use

  1. WireGuard
    The protocol offers an ideal combination of speed and security, making it an excellent choice for streaming, online gaming, and accessing content without delays.
    For example, you can watch Netflix in another country via WireGuard, enjoying high speed and low latency.

  2. OpenVPN
    Suitable for users who value versatility and customization options. It is often used to bypass blocks and protect data on public Wi-Fi networks.
    For example, you are traveling and connect to public Wi-Fi hotspots via OpenVPN for secure internet surfing.

  3. PPTP
    Although this protocol is outdated, it is still used for quick access to content where security is not critical. Keep in mind that anyone on the network path can read the traffic and recover the login credentials, so treat it as no better than an unencrypted connection.
    For example, you connect to PPTP to access regionally blocked websites or streaming services. (Sound familiar?)

  4. L2TP/IPSec
    Preferred for basic tasks where a simple and widely available solution with moderate security is required.
    For example, you have your own small business and use L2TP/IPSec for remote access to your warehouse management system.

Encryption reliability

Data encryption is the foundation of VPN security. Different protocols use their own encryption algorithms, which differ in their level of reliability and data processing speed. Let's look at the most popular algorithms:

  1. AES (Advanced Encryption Standard)
    The standard for most modern protocols, including OpenVPN, IKEv2, and L2TP/IPSec. It is a block cipher with 128-, 192- or 256-bit keys; AES-256 provides a high level of protection and is suitable for banking transactions or transmitting confidential data. Most current CPUs (AES-NI on x86, the ARMv8 Cryptography Extensions) accelerate it in hardware.

  2. ChaCha20
    A stream cipher used together with the Poly1305 authenticator in WireGuard (and also available in OpenVPN and TLS 1.3). It is considerably faster than AES in software on devices without AES hardware acceleration, such as low-end smartphones, tablets and routers; on CPUs with AES-NI the two are comparable.

  3. MPPE (Microsoft Point-to-Point Encryption)
    An outdated algorithm used in PPTP, built on RC4 with keys derived from the MS-CHAP exchange. Both the cipher and the authentication it depends on are broken, so it is only suitable for tasks where confidentiality does not matter.

Popularity of encryption algorithms:

Encryption algorithm | Protocols                  | Popularity
---------------------|----------------------------|-----------
AES-256              | OpenVPN, IKEv2, L2TP/IPSec | 60%
ChaCha20             | WireGuard                  | 30%
MPPE                 | PPTP                       | 10%

For developers and IT administrators

  1. WireGuard for test environments
    The protocol allows for the rapid deployment of a VPN network for testing applications or network settings. Its small codebase and high performance make it a convenient tool for developers.

  2. OpenVPN for hosting
    Used to secure remote access to servers and cloud platforms. For example, for managing a VPS or web hosting.
    Example: An administrator connects to a hosting server via OpenVPN to perform configuration without the risk of data leakage.

For entertainment and media consumption

  1. PPTP for regional content
    Despite its outdated architecture, PPTP remains popular for unblocking content in regions with restrictions.
    Example: A user from Europe uses PPTP to watch regional sports broadcasts from the USA.

  2. WireGuard for gaming
    Thanks to its minimal latency and high speed, WireGuard has become popular among gamers, especially in games where reaction time is important (e.g., shooters or MMORPGs).
    Example: A gamer connects to a WireGuard server for a stable connection to game servers in another country.

Conclusion

VPN protocols are designed for various tasks, from high security to ensuring maximum speed. Understanding their features and use cases will help you choose the right protocol for your needs, whether for business, gaming, or basic data protection. OpenVPN and WireGuard remain the universal leaders, but protocols like IKEv2 and even the outdated PPTP find their place in specific scenarios.