Virtual private networks (VPN) allow us to connect safely to our office or home, and also to the Internet through the VPN server to encrypt all traffic, and avoid problems in public WiFi networks. Currently there are many VPN protocols that we can use to connect safely, however, depending on the type of protocol and its configuration, we will have greater security or less security. Today in this article we are going to make a summary of the different VPN protocols that exist, and which are the safest.
What is a VPN and what is it for?
A VPN (Virtual Private Network) or also known as a virtual private network, allows us to connect to the Internet privately, even though we are connecting to a public WiFi network. All traffic will be routed from the VPN client to the VPN server, and subsequently out to the Internet. Most importantly, the VPN traffic goes from the client to the fully encrypted and authenticated VPN server.
Depending on how the VPN is configured, we have remote access VPNs , also known as “Roadwarrior” or “Mobile Clients”. This VPN configuration will allow us to connect remotely to a server and access shared resources and the company’s local network, the same happens if we have it in our home, we can easily access printers and shared resources at home. Another very important feature is that it will also allow us to access the Internet through the VPN server to encrypt all traffic and navigate safely from hotels, coffee shops or any public WiFi network.
Another way that we can configure are Site-To-Site VPNs , this configuration will allow us to interconnect different company headquarters to be able to access all shared resources through an insecure network such as the Internet. Thanks to Site-to-Site VPNs, we will be able to connect one office to another in a totally secure way, since all traffic is encrypted, authenticated and the integrity of the data is checked.
If we decide to hire a paid VPN, these VPNs allow us to browse the Internet safely, anonymously and also allow us to evade different regional filters without limits. These types of services make use of the same VPN protocols that a home or professional VPN can have, but thanks to the fact that the VPN server is located in other countries, we can impersonate citizens who are located there.
What is a VPN protocol and which ones exist?
The VPN protocol is what defines how all data should be treated, it must determine exactly how the data is encrypted, how the data is authenticated and also the authentication of both parties (the VPN clients in the remote access VPN, and each of sites in Site-to-Site VPNs), in addition, VPN protocols also take care of how to route all network traffic through the virtual private network itself. Depending on the VPN protocol used, we will have different characteristics, some of them prioritize the authentication possibilities, others prioritize the actual speed of the VPN connection, and others focus on security.
We currently have a large number of VPN protocols on the market that are widely used, then we are going to explain the main characteristics of each of them, talking about their security and also about their speed.
OpenVPN
OpenVPN is one of the most popular and used VPNs, both at home and professionally (in small and medium-sized companies). OpenVPN is open source and cross-platform (it is available for Windows, Linux, Mac, Android, iOS and Unix), it has become one of the most important VPN protocols that we currently have, in addition, it is one of the most secure. OpenVPN uses two “channels” to carry out communications, we have a control channel that uses the TLS 1.2 or TLS 1.3 protocol, therefore, we will have the maximum possible security of the last two TLS standards, we also have a data channel , where We can use different symmetric encryption algorithms, although the safest one we can use is AES-GCM, both in its 128-bit version (AES-128-GCM) and 256-bit (AES-256-GCM).
At the authentication level, we can authenticate through a pre-shared key, although it is not recommended for security reasons, the safest thing is to configure a public key infrastructure with a CA, and later issue digital certificates based on different elliptic curve algorithms such as secp521r1, or also use RSA of 4096 bits or superior to the VPN clients that want to connect. Additionally, we can have a user / password authentication, combining it with a CA or combining it with the clients’ certificates, to have greater security in user authentication. Finally, we have the possibility to configure a pre-shared key to mitigate the possible DoS attacks that we receive, in this way, OpenVPN will protect itself against this type of attack that could leave our VPN server unusable.
We have this protocol available in some brands of home routers, such as ASUS, NETGEAR or TP-Link, in addition, currently this protocol is quite fast, although it will depend on the hardware we have. In this article we have achieved a speed of around 500Mbps real with this VPN, therefore, it is worth giving this protocol a try.
WireGuard
This VPN protocol is the newest of all, one of the safest and the fastest that we have tested in this article. WireGuard is an open source and cross-platform protocol, it is compatible with all operating systems, and it is much easier to configure than other VPNs such as OpenVPN. One of the main characteristics of WireGuard is that it is integrated into the Linux Kernel, so speed will be guaranteed. WireGuard always uses the best asymmetric and symmetric encryption that exists, there is no option to modify this type of encryption for less secure ones, we have security by default. The symmetric encryption and authentication it uses is ChaCha20-POLY1305, so it is really fast, especially on low-resource devices.
Another very important characteristic is that this protocol is ideal for portable devices such as laptops, smartphones and tablets, because it consumes very few resources and allows us to roam, ideal for changing networks quickly and continuing to maintain communication. With this protocol, in principle, the battery life should be clearly greater. WireGuard can also be used as a remote access VPN, but it continues to expand to firewall-oriented operating systems such as pfSense, over time we believe it will be one of the most used, due to its security, speed and ease of use. configure.
L2TP / IPsec
The L2TP (Layer 2 Tunnel Protocol) protocol over IPsec is a very popular VPN protocol, it is integrated into the main operating systems such as Windows, Linux, MacOS, Android and iOS. This L2TP protocol by itself does not provide security, but it does provide authentication, but because it is used together with IPsec, we will have all encrypted and authenticated traffic. This protocol also allows the use of 256-bit AES encryption, and vulnerabilities are not yet known, an important detail is that it does have some slight defects in its implementations in operating systems. For example, some weak points are that most VPN clients do not allow the use of AES-GCM encryption which is more secure than the popular AES-CBC, in addition, it also does not allow the use of robust and secure hashing algorithms such as SHA-512, nor Diffie -Hellmann 2048 bits or higher, nor of course PFS (Perfect Forward Secrecy). Depending on the version of the operating system used, we will have more or less security, so the server must also support insecure configurations so that all clients can connect without problems.
We have this protocol available in some brands of home routers such as D-Link, it is also quite fast and in our speed tests we have achieved around 500Mbps of performance, which is very good for this VPN. However, our recommendation is to opt for other VPNs that we have seen previously, because they will provide you with maximum security. It only makes sense to use this protocol when we are establishing a remote access VPN connection, if you are going to use Site-to-Site it is better to use IPsec directly to interconnect the sites.
IPsec IKEv2
The IKEv2 protocol (Internet Key Exchange V2) is a secure key exchange protocol, it is commonly used together with the IPsec protocol, therefore, we will always see it as IPsec IKEv2 in different operating systems and servers. The main characteristics of IKEv2 are that it is much faster than other protocols when it comes to connecting, it has native support in Windows 10, iOS and also in some Android such as Samsung smartphones. IKEv2 is a highly recommended protocol for smartphones, because the reconnection is really fast when we change networks.
This protocol allows us to authenticate by means of a pre-shared key or RSA certificates, in addition, it allows us to use a safe and fast symmetric encryption such as AES-128-GCM and AES-256-GCM, it also allows us to use long keys in RSA of more than 8192 bits, and we have the possibility to use Diffie-Hellmann (DH) and even ECDH for greater safety, as well as being able to choose which type of elliptical curve to choose. Finally, this protocol allows you to configure PFS (Perfect Forward Secrecy) to provide the data with additional security against future attacks, in case someone is able to crack the current authentication.
IPsec IKEv2 is a standard, and has multiple open source implementations, such as StrongsWAN or Openswan among others. This protocol is widely used in Site-to-Site VPNs to interconnect sites, but it can be used perfectly for remote access VPNs.
SSTP
The SSTP (Secure Socket Tunneling Protocol) protocol is another very popular VPN, especially on Windows operating systems. This protocol has been integrated into all Microsoft operating systems since Windows Vista SP1, therefore, we can use this protocol with Windows authentication to improve security, including authentication with a USB dongle. It only makes sense to use this protocol when we are establishing a remote access VPN connection, if you are going to use a Site-to-Site, better to use IPsec IKEv2 or another protocol.
Many VPN providers have this protocol available, it makes use of 2048-bit SSL / TLS certificates for authentication, and it uses symmetric 256-bit AES encryption, the standard, therefore, this protocol is quite secure. The negative part is that it is a proprietary protocol developed by Microsoft, therefore, the source code cannot be audited as it happens with OpenVPN or WireGuard among others. In some operating systems we will need to use an SSTP client to use this VPN.
As you have seen, we currently have a large number of VPN protocols, some are usually used for home or small office environments, and others, at a business level thanks to their advanced configuration possibilities.
