A VPN provides a way for data transmission over internet through a public or shared network in such a way that the computing device seems to be actually connected to a private network. This is achieved by creating virtual tunneling protocols, dedicated connections, or encrypting the traffic. As a user you can enjoy many benefits of VPN such as managing network, providing security and hiding your identity on any network.
A VPN relies on encryption of data for safely and securely achieving the wireless transactions performed by a user. This can be done by encrypting the transmitted data at one end of the tunnel and then decrypting it at other end of the tunnel. This is where encryption protocols comes handy as only pair of keys can’t be used for a completely secured encryption.
If a user is outside office and he wants to access office intranet then the employee can securely access it using virtual private network. Even if an organization faces issues of having offices in various countries, then the distance can be reduced giving rise to a cohesive and coordinated network. This solves many issues faced due to remote locations. Any individual making wireless transactions can safely and securely achieve it through VPNs. Users can circumvent censorship, prohibited accesses to particular sites and many geographically restricted sites. In case of identity protection and location hideout connection using proxy servers can really help.
The Point-to-Point Tunneling Protocol (PPTP) is one of the encryption protocols used for implementing virtual private networks. Point-to-Point Tunneling Protocol was founded by Microsoft using the idea of VPN over dialup networks. It has been a standard protocol for internal business since a long time. PPTP uses TCP and GRE tunnels to allow PPP packets to pass through them.
The PPTP encryption protocol specification does not include encryption or authentication features and security functionality is achieved by tunneling Point-to-Point Protocol. It is mainly used to provide remote access levels and security levels suited to VPN products. Though it is a VPN protocol it uses various authentication methods for security with MS-CHAP v2 being the most common.
- It is easy to set up, requires no additional software for installation and works on every single VPN platform and device. This makes it popular among all the businesses and VPN providers.
- It has a very quick turnaround time as it uses low computational overheads for implementation.
- It can be used to run applications remotely which are dependent on selected network protocols. All the validations and security checks will be performed by the tunnel server, therefore the information is much safe and secure to be sent over networks which are not completely secure.
- Security still remains the key issue here as it uses MS CHAP v2 which is not very secure and vulnerability exists for dictionary attacks as tools are available for capturing the transmitted information.
- RC4 (Rivest Cipher 4) is being used by MPPE for encryption. Since no method exists for authenticating the RC4 ciphertext stream, thus vulnerability exists for a bit-flip attack. It is very easy for an attacker to modify a single bit in the stream in order to change the expected output without even getting detected.
L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol which is used to support the VPN services. VPNs doesn’t provide any confidentiality or encryption to the traffic that passes through it themselves and rely on encryption protocol for providing privacy to the user. Therefore, it depends on an encryption protocol such as IPSec encryption suite for privacy and security issues.
A single packet of L2TP consists of a payload and the L2TP header which is transmitted through a UDP (User Datagram Protocol). It is a very common thing to carry PPP sessions in an L2TP tunnel. L2TP is not able to provide confidentiality or strong authentication by itself and IPSec is being used to make sure that L2TP packets remains secure by providing authentication and confidentiality.
It can be installed on all modern operating systems and devices which support VPN. This makes it easy and simple to set up. It is reliable only for control packets. Either for an entire session or a part of it, L2TP tunnel can work on both. It faces a serious issue as it uses UDP port 500 which gets blocked by firewalls. Hence, it requires advanced configuration (port forwarding) when it has to be used behind a firewall.
- It caters to security and privacy issues by using IPSec encryption protocol. Hence, it is considered a very secure option.
- It is easy to set up and can be configured on all modern platforms and devices.
- L2TP/IPSec offers multi-threading. The process of encryption/decryption takes place in the kernel so it makes it faster than OpenVPN.
- It is the ultimate option if a quick VPN setup is needed and non-criticality is of utmost importance.
- For mobile devices it is observed that OpenVPN has only satisfactory performance whereas L2TP/IPSec proves out to be more useful.
- It is weakened by NSA and compromises the performance.
- It has the biggest drawback of struggling against restricted firewalls as it uses UDP 500 port which is blocked by firewalls. So, to overcome this issue advance porting has to be configured.
OpenVPN has been designed as an open source technology application providing a secure and reliable VPN technique. It is an amalgamation of OpenSSL library and a custom security SSLv3/TLSv1 protocol for key exchange. It has the capability to maintain secured point-to-point or site-to-site connections in routed configurations and facilities providing remote access.
It can traverse NAT (Network Address Translators) as well as restrictive firewalls. OpenVPN offers authentication with the help of a pre-shared secret key, username/password and certificates. In a configuration having multi-client server, it lets the server to have an authentication certificate being released for each and every client using the certificate authority and signature.
Extensive usage of OpenSSL encryption library enhances its security features to a great extent. It offers encryption for both data as well as control channels. It uses both TCP and UDP protocols so it is far better where particular VPN protocols may be blocked. Hence, user can avoid high priced IPSec in those cases.
Its greatest strength is it can run on any port (TCP Port 443) though runs best on UDP port. This makes it highly configurable. It has been ported to many systems like DD-WRT and Soft Ether VPN.
- OpenVPN uses OpenSSL library and it provides 256-bit encryption which improves security and authentication.
- It is far better than L2TP and PPTP as it uses a security protocol having a combination of both TCP and UDP.
- The use of PKCS#11 based cryptographic tokens makes it compatible to smart cards.
- To prohibit theft of sensitive data to disk it has got a mlockall feature. OpenVPN also has the ability to drop root privileges.
- It has enhanced authentication by using keys, passwords, certificates and encryption algorithms.
- It is highly configurable and offers dynamic updates from firewalls. So, a firewall can’t block it easily.
- Most importantly, it is reliable, secured even against NSA, is very fast and ultimately Open Sourced.
- OpenVPN has TCP meltdown problem i.e. it offers good performance only when there is sufficient bandwidth till tunneled TCP timers don’t expire.
- It can be difficult to set up and requires additional software for installation.
- It is best suited for desktop and still lags behind in mobile support such as Palm OS.
- Moreover, it is not compatible with VPN clients which use the IPSec over L2TP or PPTP protocols.
SSTP (Secure Socket Tunneling Protocol) uses SSL/TLS channel to transmit L2TP or PPP data through a VPN tunnel. By using SSL/TLS channel transport-level security is enhanced. It also keeps a check on data authentication through encryption, maintains traffic integrity and provides key negotiation features. SSTP is configured for Windows, Linux, and BSD.
- SSTP is faster than its counterparts PPTP and L2TP eliminating overheads of PPP.
- It transmits through all proxies and firewalls as it uses SSL/TLS over TCP port 443. Being compatible with windows and use of SSL v3 makes it easier to use and more stable avoiding firewall issues.
- While switching a network or reconnecting to a site it offers stable performance.
- As it supports AES 128, AES 192, AES 256 and 3DES encryption keys it is highly secure.
- It is easy to set up at user end and compatible with blackberry devices.
- It is used for remote client access, smart card authentication, and the L2TP VPN client for Windows.
- SSTP also suffers from TCP meltdown problem i.e.it will perform satisfactorily only in presence of excess bandwidth on the un-tunneled network link.
- It needs additional software for installation as it lacks native in built VPN client.
- Though available for Linux, SEIL and RouterOS it is best configured for Windows platform.
- However, SSTP is not an open source VPN like OpenVPN instead it is a proprietary standard owned by Microsoft.
IKE or IKEv2 (Internet Key Exchange) combines both Oakley protocol as well as ISAKMP. It derives cryptographic keys from a shared session by Diffie–Hellman key exchange. X.509 certificates are being used for authentication which are distributed with the help of DNS. This protocol sets up a security association (SA) in the IPSec suite. In addition to this, a security policy has to be maintained manually for every connected peer. In Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 IKE is available as part of the IPSec.
- Use of fewer RFCs: IKEv2 advanced version of IKE uses only one RFC to cover its specifications and improvements for NAT traversal & firewall traversal which are more in case of original version.
- Standard Mobility support: It uses a standard extension so that mobile users can utilize IKEv2 and IPSec protocols.
- SCTP support: It allows usage of SCTP in VoIP.
- It provides UDP port configuration to allow transmission through restrictive firewalls.
- It has Simple message exchange system where there are a total of 8 completely distinct initial exchange mechanisms. It also uses a few cryptographic mechanisms for data authentication.
- It uses sequence numbers and acknowledgments for enhancing reliability, lack of which may lead to dead state.
- It only performs cryptographic processing if actual requester exists otherwise service is denied in case of spoofing.
- It is a secure, fast, open source protocol for mobile users due to its improved ability to reconnect. It is the only option for blackberry users.
- It needs little trick to implement IKEv at the server side which led to certain problems.
- IKE doesn’t provide a general configuration facility for a default case which results in mutual agreement on both sides for security failure which leads to no connection.
- If a debug output was present it was difficult to comprehend it which resulted in non conformation to a common security association.
Nowadays, many governments, corporations and ISPs worldwide are inspecting, diverting and blocking the VPN traffic. Mainly, countries like China and Iran tops the list as they prohibit freedom of internet and connection to the world. To overcome these issues, Golden Frog’s engineers have created a remarkable VPN technology named Chameleon. It is not open sourced. It is present in VyprVPN apps which is available for Windows, Android and Mac.
Chameleon scrambles OpenVPN packets via deep packet inspection (DPI) making it unrecognizable yet being lightweight without compromising on speed. For the data encryption, Chameleon technology uses the unmodified OpenVPN 256-bit protocol. This helps the users to bypass blocked networks and thus VyprVPN users are able to bypass restrictive networks put in place by governments, corporations and ISPs.
- Chameleon VPN provides an open, fast and uncensored internet worldwide.
- It helps in resolving speed concerns occurring due to bandwidth throttling.
- It can bypass censorship and helps you in accessing restrictive sites.
- It offers deep packet inspection (DPI) to make it unnoticeable while bypassing blocked networks.
- Chameleon is not present for VyprVPN facing restrictions by iOS.
- It is blocked in China, Russia, Iran, Thailand and Syria due to speed concerns.