VPN Protocols - What They Are and The Differences Explained

When looking for Virtual Private Networks (VPN), you may come across the term “tunneling protocol.” What does this technical term mean, and why should you care? This article will explain the basics of VPN protocols.

What Is a VPN?

A VPN, or Virtual Private Network, is an international network of servers designed to hide your physical location and encrypt your data when using the internet. A VPN protocol creates secure tunnels that make your online activity extremely difficult to track from the outside.

We explained how VPNs work at length in this article.

What Are VPN Protocols?

A VPN protocol is a set of instructions on how to send data between networks.

VPN protocols establish safe passages between your devices and remote servers by mixing transmission protocols and encryption algorithms. They use authentication techniques to ensure a legitimate VPN server on the other end of the tunnel.

As a result, VPN servers mask your real IP (Internet Protocol) address and help defeat geo-restrictions. But not all tunneling protocols are equal. Especially since they all have unique characteristics, it’s impossible to find one solution that works for torrenting, streaming, gaming, or browsing.

Before choosing a particular VPN tunneling protocol, it important to know any possible trade-offs to set your expectations accordingly.

Types of VPN Protocols

There are many different VPN protocols, but you can put them into two categories: the common protocols and the proprietary ones. Let’s take a look at the various options.

Common Protocols

As follows are the generic protocols that most leading VPN vendors have used/use.

OpenVPN

OpenVPN is arguably the best protocol for VPN. It uses the cryptographic protocols Transport Layer Security (TLS) with Secure Sockets Layers (SSL)/TLS for private key exchange. It leverages an index of crypto algorithms called OpenSSL to enhance the security of tunnels.

The OpenVPN protocol can break through firewalls, for it uses Transmission Control Protocol (TCP) port 443. This is the standard port for secure Hypertext Transfer Protocol (HTTP).

Another desirable quality of OpenVPN is that it’s easy to customize. It’s not uncommon to see two distinct OpenVPN protocols: User Datagram Protocol (UDP) and TCP.

OpenVPN UDP is known for its speed, but it doesn’t perform extra data verification to deliver faster connections. OpenVPN TCP promises better security, but expect the exchange of information to be slower.

Point to Point Tunneling Protocol (PPTP)

The PPTP protocol is among the oldest, which is why it’s compatible with all platforms. Unfortunately, it’s considered unsafe by today’s standards.

When used on a modern device, PPTP security is doubtful. It has no means of verifying how legitimate the data source is. And it performs encryption in transit, which means that hackers can exploit to intercept and modify sent data packets.

Although you may still see the PPTP protocol as an option, which would hardly drive down your average internet speed, think twice before using it for tunneling VPN servers and your devices.

Internet Protocol Security (IPSec)

The IPSec protocol is more complicated to deploy than OpenSSL-based protocols, but it’s way more secure.

Layer 2 Tunneling Protocol (L2TP)

The L2TP protocol is a cross between Layer 2 Forwarding Protocol and PPTP. Together with IPSec, L2TP can deliver military-grade 256-bit AES encryption.

While the stability of the L2TP/IPSec combination is indisputable, its privacy is somewhat questionable. The National Security Agency helped in its development, which is why some experts suspect that the traffic passing through its tunnels may be leaking to the US government.

Secure Socket Tunneling Protocol (SSTP)

SSTP has been around for quite some time but remains one of the most secure tunnel VPN protocols today. For encryption, SSTP uses the 256-bit SSL cipher. For authentication, it relies on 2048-bit certificates.

Experts see it as a significant improvement over the L2TP and PPTP protocols, as it supports encryption measures and data integrity checks.

Like the OpenVPN protocol, SSTP leverages the TCP port 443 to unblock Netflix shows and other locally banned content. You can also use it to get around the restrictions set by your network administrator.

Like L2TP/IPSec, SSTP’s relevance suffers because Microsoft developed it. As the tech giant is occasionally accused of spying on its users, the privacy is somewhat dubious. There hasn’t been any evidence of any backdoors to SSTP traffic, though.

Internet Key Exchange v2 (IKEv2)

IKEv2 is a fairly recent VPN protocol and works well on smartphones and tablets.

Celebrated for its incredible speed and stability, IKEv2 seamlessly reconnects you to the VPN service if the connection drops. That’s why you can safely switch between mobile data and WiFi.

This protocol supports Triple-DES and AES encryption algorithms. Since it uses UDP port 500, IKEv2 can help you defeat most firewalls.

Configurability is the biggest drawback to IKEv2 as it lacks native support for Linux. Also, auditing this VPN tunnel protocol isn’t easy. We recommend looking for a VPN vendor that embraces its open-source implementation to help ensure its integrity.

WireGuard

One of the newest major VPN protocols is WireGuard and offers an impressive mix of fast speed, stable connection, and sophisticated encryption. WireGuard is open-source and uses the UDP 51820 port by default. Built to solve the inadequacies of IPSec and OpenVPN protocols, it is lightweight and easy to implement.

WireGuard is a diamond in the rough. It addresses the weaknesses of other common VPN tunnel protocols, but it could still be buggy. The main downside to WireGuard is its tendency to assign the same IP address to every connected user.

Shadowsocks

While it’s technically not a VPN protocol, Shadowsocks does appear on the list of protocol options of some of the vendors we’ve reviewed, including Surfshark and VeePN. Private Internet Access also offers this proxy.

Shadowsocks is a popular tool for bypassing the Great Firewall of China. It encrypts and camouflages traffic data so that it can hide in plain sight. One downside is that it can only send some of your traffic through a server. But it’s possible to choose which apps you want to secure with Shadowsocks.

Proprietary Protocols

Some vendors go a step further and offer their own tunneling protocols. Some are built from scratch, and others are modified iterations of common protocols to deliver enhanced performance in certain areas.

Here are some examples.

Lightway

ExpressVPN built this VPN tunnel protocol with efficiency in mind. Lightway is lightweight by design. The British Virgin Islands–based vendor developed it without unnecessary features to deliver super-fast and secure connections.

Lightway uses wolfSSL to meet the FIPS 140-2 standard. It authenticates the exchange of data through TLS, runs on the UDP protocol, and supports TCP to boot.

This VPN security protocol is well-suited for mobile platforms and enables seamless reconnection when switching networks or experiencing unstable internet connectivity.

Lightway looks exceptional on paper, but its track record is too thin to judge its quality correctly at this point.

Catapult Hydra

The TLS-based security of this patented protocol from Hotspot Shield is consistent with the National Institute of Standards and Technology recommendations. For server authentication, Catapult Hydra relies on RSA certificates with 2048-bit keys. It generates encryption keys for every new session and erases them once it ends.

Many tech pundits credit the VPN protocol for Hotspot Shield’s speedy service. Industry observers are left in the dark about Catapult Hydra’s inner workings, though. But its developer claims that it has gone through the evaluation of 60% of the largest security companies.

SmartUDP and SmartTCP

Although we haven’t had the chance to use these proprietary VPN protocols, VeePN continues to talk about them. According to the available information, the SmartUDP and SmartTCP protocols are based on the UDP and TCP OpenVPN protocols and use the XOR encryption algorithm.

KeepSolid Wise

KeepSolid has engineered this stealth VPN technology to defeat the Great Firewall of China and other state-sponsored internet censorships.

KeepSolid Wise uses TCP 443 and UDP 443 ports to masquerade your data as secure HTTP traffic. Since it was built around the OpenVPN protocol, it can also experience a TCP meltdown. But luckily, you have other VPN tunnel protocols to choose from when using KeepSolid VPN Unlimited.

NordLynx

This proprietary VPN tunneling protocol from NordVPN is a WireGuard version that randomizes IP address assignment. NordLynx technology uses double NAT (Network Address Translation) to pull it off.

Wrap Up

It’s important to understand the differences between tunneling protocols, even if you’re just a casual VPN user. But you don’t have to master how each of them works, for VPN vendors usually decide what’s best for you automatically.