I recently searched for information on the differences between existing VPN technologies and came across this article. It briefly describes the advantages and disadvantages of the basic VPN protocols in a very easy and accessible way. I offer the community a translation of the article.

VPN providers usually offer a choice of several types of connection, sometimes as part of different tariff plans and sometimes within a single tariff plan. The purpose of this article is to review the available VPN options and help you understand the basics of the technologies used.
Note about the length of the encryption key
Roughly speaking, the length of the key used by a cipher determines how long it would take to crack it by direct brute force. Ciphers with longer keys require significantly more time to search than ciphers with shorter keys ("brute force" means trying every possible key until the correct one is found).
Today it is almost impossible to find VPN encryption using a key shorter than 128 bits, 256-bit encryption is increasingly common, and OpenVPN offerings even advertise keys of 2048 bits. But what do these numbers mean in practice? Is 256-bit encryption really more secure than 128-bit encryption?
The short answer is: in practical use, no. It is true that breaking a 256-bit key requires 2^128 times more processing power than breaking a 128-bit key. But breaking a 128-bit key already means 3.4×10^38 operations (the number of possible 128-bit keys), which is beyond existing computers and those of the near future. If we used the fastest supercomputer (as of 2011, with a speed of 10.51 petaflops), it would take 1.02×10^18 (about a billion billion) years to crack a 128-bit AES key by exhaustive search.
Since in practice a 128-bit cipher cannot be cracked by exhaustive search, it is fair to say that a key of this length is more than enough for most applications. Only the truly paranoid (for example, government agencies handling top-secret documents that must remain secret for the next 100 years or more) need 256-bit encryption (the US government, for example, uses a NIST-certified 256-bit AES cipher).
So why are VPN providers increasingly offering 256-bit encryption (not to mention 2048-bit), especially when encryption with a 256-bit or longer key requires more computing resources? The answer is simple: marketing. VPN services with a longer encryption key are easier to sell.
Large corporations and governments may need the additional security that long keys provide, but for the average home VPN user a 128-bit key is more than enough.
Individual ciphers can also have weaknesses that allow them to be broken far faster than by brute force, and an attacker can bypass the encryption entirely with tools such as keyloggers. In summary, using encryption with a key longer than 128 bits makes practically no difference for most users.
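The brute-force scaling argument above, carried through with exact integer arithmetic as an added example (not code from the original article). It assumes one key trial per floating-point operation at the article's 10.51 petaflops, which is generous to the attacker; the real per-trial cost is higher. One caveat the article does not make explicit: the "2048-bit" keys advertised for OpenVPN are RSA or Diffie-Hellman handshake keys, which are attacked by factoring or discrete logarithms rather than exhaustive search, so their bit length is not comparable to an AES key length.

```python
# Added example, not from the original article: brute-force cost versus key
# length, computed exactly with Python integers.
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(key_bits: int) -> int:
    """Number of candidate keys an exhaustive search must consider (2^n)."""
    return 1 << key_bits


def relative_cost(short_bits: int, long_bits: int) -> int:
    """How many times more work the longer key costs: 2^128 for 128 -> 256."""
    return keyspace(long_bits) // keyspace(short_bits)


def brute_force_years(key_bits: int, trials_per_second: float) -> float:
    """Worst-case years to try every key at the given rate.

    Assumption (labelled): one key trial per operation. The expected time
    to hit the right key is half of this, which changes nothing in practice.
    """
    return keyspace(key_bits) / trials_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    petaflops_2011 = 10.51e15  # the article's fastest supercomputer, 2011
    for bits in (128, 256):
        print(f"{bits:3d}-bit key: {keyspace(bits):.3e} candidates, "
              f"{brute_force_years(bits, petaflops_2011):.2e} years")
    # Lengthening the key from 128 to 256 bits multiplies the work by 2^128,
    # but the 128-bit search is already out of reach, so the extra margin
    # buys nothing against brute force.
    print("256 vs 128 work factor:", relative_cost(128, 256) == 2 ** 128)
    # Note: the "2048-bit" keys quoted for OpenVPN are RSA/DH handshake keys;
    # they are not broken by exhaustive search and this function does not
    # apply to them.
```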
PPTP
Point-to-Point Tunneling Protocol is a protocol developed by Microsoft for building VPNs over dial-up networks. PPTP was the standard protocol for building VPNs for many years. It is purely a tunneling protocol and relies on separate authentication methods for its security (MS-CHAP v.2 is used most often). It is available as a standard protocol in almost all operating systems and devices that support VPN, so it can be used without installing additional software. PPTP remains a popular choice for both enterprises and VPN providers. Another advantage is that it uses few computing resources and is therefore fast.
Although PPTP is commonly used with 128-bit encryption, a number of vulnerabilities were found in the years after the protocol was included in Windows 95 OSR2 in 1999. The most serious was the vulnerability in the MS-CHAP v.2 authentication protocol, with which PPTP was cracked within 2 days. And although Microsoft addressed the problem (by recommending the PEAP authentication protocol instead of MS-CHAP v.2), Microsoft itself recommended using L2TP or SSTP for VPN tunnels instead.
Pros:
- PPTP client is built into almost all operating systems
- very easy to set up
- fast
Cons:
- insecure (the vulnerable MS-CHAP v.2 authentication protocol is still widely used)
L2TP and L2TP/IPsec
Layer 2 Tunneling Protocol (L2TP) is a VPN protocol that by itself does not provide encryption or privacy for the traffic passing through it. For this reason it is typically combined with IPsec encryption for security and privacy.
L2TP/IPsec is built into all modern operating systems and VPN-capable devices and is as easy to set up as PPTP (usually the same client is used). Problems can arise because L2TP/IPsec uses UDP port 500, which can be blocked by a firewall if you are behind NAT, so additional router configuration (port forwarding) may be required. SSL-based protocols, by contrast, can use TCP port 443, which makes them indistinguishable from normal HTTPS traffic.
IPsec currently has no major known vulnerabilities and is considered very secure when used with encryption algorithms such as AES. However, because it encapsulates the data twice, it is not as efficient as SSL-based solutions (for example, OpenVPN or SSTP) and therefore works a little slower.
Pros:
- very secure
- easy to set up
- available on modern operating systems
Cons:
- slower than OpenVPN
- may require additional router configuration
OpenVPN
OpenVPN is a relatively new open-source technology that uses the OpenSSL library and the SSLv3/TLSv1 protocols, along with many other technologies, to provide a reliable VPN solution. One of its main advantages is that OpenVPN is very flexible to configure. It can be set up to run on any port, including TCP port 443, which lets OpenVPN traffic masquerade as normal HTTPS (used, for example, by Gmail) and therefore makes it hard to block.
Another advantage of OpenVPN is that the OpenSSL libraries it uses for encryption support many cryptographic algorithms (for example, AES, Blowfish, 3DES, CAST-128, Camellia and others). The algorithms most commonly used by VPN providers are AES and Blowfish. AES is the newer of the two, and although both are considered secure, its 128-bit block size (versus 64 bits for Blowfish) means it handles large files (over 1 GB) better. The difference, however, is fairly minor. How fast OpenVPN runs depends on the encryption algorithm chosen, but it is usually faster than IPsec.
OpenVPN has become the #1 VPN technology, and although it is not natively supported by operating systems, it is widely supported through third-party software. Until recently it was impossible to use OpenVPN on iOS and Android without jailbreaking or rooting; now third-party applications have partially solved this problem.
Another OpenVPN issue follows from its flexibility: it can be inconvenient to configure. In particular, with a typical OpenVPN software implementation (for example, the standard open-source OpenVPN client for Windows) you must not only download and install the client, but also download and install additional configuration files. Many VPN providers solve this problem by shipping pre-configured VPN clients.
Pros:
- flexible configuration
- very secure (depends on the encryption algorithm chosen, but all of them are secure)
- can work through firewalls
- can use a wide range of encryption algorithms
Cons:
- requires third-party software
- can be inconvenient to configure
- limited support for mobile devices
SSTP
The Secure Socket Tunneling Protocol was introduced by Microsoft in Windows Vista SP1, and although it is now available on Linux, RouterOS and SEIL, it is still used largely only on Windows systems (there is very little chance it will appear on Apple devices). SSTP uses SSL v.3 and therefore offers advantages similar to OpenVPN (for example, the ability to use TCP port 443 for NAT traversal), and because it is integrated into Windows it is easier to use and more stable than OpenVPN.
Pros:
- very secure (depends on the encryption algorithm; the very strong AES is usually used)
- fully integrated into Windows (starting with Windows Vista SP1)
- has Microsoft support
- can work through firewalls
Cons:
- only works in a Windows environment
Conclusion
PPTP is not secure (even its creators at Microsoft have abandoned it), so its use should be avoided. While its ease of installation and cross-platform compatibility are attractive, L2TP/IPsec has the same advantages and is safer.
L2TP/IPsec is a good VPN solution, but not as good as OpenVPN. However, it remains the best solution for a quick VPN setup without installing additional software, especially on mobile devices, where OpenVPN support is still weak.
OpenVPN is the best VPN solution despite needing third-party software on every operating system. It is a reliable, fast and secure protocol, although it requires a little more effort than the others.
SSTP offers most of the benefits of OpenVPN, but only in a Windows environment. This means it is better integrated into the OS, but for the same reason it is poorly supported by VPN providers.
Most users can use OpenVPN on their desktops, possibly adding L2TP/IPsec on their mobile devices.