New VPN protocols, which is the best for me?

Today we added a lot of protocols to our VPN service. But what is the difference between these protocols and which one is the best for you?

I’ll try to explain these protocols a little bit and hopefully simplify the decision-making process for you.

 

OpenVPN

OpenVPN has been around for a long time and is based on open-source technology. It uses OpenSSL and SSL v3/TLS v1. OpenVPN is supported by more or less all systems, including Windows, Linux, macOS, Android and iOS, as well as devices such as routers, satellite receivers, TV boxes and more. Unfortunately, OpenVPN is usually not included by default, so you typically need to download additional software to connect. Your connection is secured by strong encryption (AES 256 bit). Network speed is good because it uses UDP on port 1194; however, that port may be blocked by some networks, such as free Wi-Fi.

Pro:

  • Fast
  • Widely supported
  • Secure encryption
  • Open-Source, so it can be checked for backdoors

Con:

  • No native support
  • Mobile apps are not as good as the desktop clients
  • Blocked by some networks.

 

Softether

Softether is quite a new VPN solution developed at the University of Tsukuba in Japan. It is similar to OpenVPN in that it is also open source, uses OpenSSL and has very good encryption. It supports a new type of encryption method, ECDHE, which is thought to be more secure than RSA. In comparison with SSTP/IPSec and PPTP it may be much faster, but unfortunately it is only available on Windows right now. A big pro is that it uses port 443, the HTTPS port, which is commonly open in many networks such as free Wi-Fi and corporate environments. It also uses automatic UDP acceleration if your network supports it.

Pro:

  • Very fast
  • Secure encryption
  • Open-Source, so it can be checked for backdoors
  • Uses HTTPS port 443 for compatibility with most firewalls and UDP for speed if available.
  • Authenticated Proxy Server support

Con:

  • No native support
  • Only available for Windows

 

L2TP / IPSec

L2TP does not have any encryption by default, which is why we use it in combination with IPSec. Setup is very easy and the protocol is supported by all major operating systems (unfortunately our VPN service does not work with Windows and L2TP). If you want “perfect privacy” you should not use L2TP, because there are some concerns that the NSA could have weakened the standard; no one knows for sure, and even so, this shouldn’t be a problem for normal usage. If you are behind a firewall you might have to set up port forwarding for UDP port 500. Furthermore, the speed is considerably lower than with OpenVPN because the traffic must first be converted into L2TP form and then encrypted on top with IPSec. It’s a two-step process.

Pro:

  • Wide native support across all major operating systems and devices
  • Secure for now
  • Easy setup

Con:

  • Slower
  • Might be weakened by NSA
  • Might not work behind a firewall (depends on configuration of the firewall)

 

PPTP

PPTP is a common protocol because it has been implemented in Windows in various forms since Windows 95. Unfortunately, it has a lot of security bugs, so Apple has already removed PPTP from its latest macOS and iOS. On the other hand, PPTP has native support in nearly all major operating systems, is easy to set up and is fast. If you just want to change your IP address to watch a clip on YouTube or a stream on CBS or Zattoo, PPTP is still good. If you want to secure your connection, we cannot recommend this protocol.

Pro:

  • Fast
  • Wide native support across all major operating systems and devices
  • Easy setup

Con:

  • Insecure
  • Definitely compromised by the NSA
  • Obsolescent

 

SSTP

SSTP, like PPTP, is a protocol developed by Microsoft, and there are no open-source clients. Because it uses SSLv3 it has more or less the same advantages as OpenVPN. SSTP uses the HTTPS port 443, so this protocol is perfect if you are behind a firewall. It is very secure due to using SSL underneath (aside from the client being proprietary code owned by Microsoft) and is very easy to set up.

Pro:

  • Secure
  • Built into Windows systems, easy to set up.
  • Microsoft support
  • Uses HTTPS port 443 to bypass firewalls

Con:

  • Only really works in Windows
  • Proprietary standard owned by Microsoft so clients cannot be independently audited for backdoors and such

 

 

Conclusion

To conclude you can say that OpenVPN is still one of the best protocols and widely supported. If you are using Windows, Softether is also a very good tool. As you can see we cannot just say: “Use protocol xyz, this one is the best”. That doesn’t work out. You need to check your requirements and operating system and select a protocol on your own.

But if you are still not sure and don’t care about all the encryption stuff, etc., we would recommend the following:

Softether (or OpenVPN) for desktop clients and OpenVPN or L2TP/IPSec for mobile devices

 

If you have any questions, do not hesitate to contact our customer support. We are happy to answer your questions. You can also read more about our VPN service here.

About Robert 28 Articles
Manager

19 Comments

  1. None of the new info (certs, url changes) is posted. Trying to click for info on the VPN page just dead-ends at the vpn server address instead of giving zip file with connection info.

      • I am trying to set it up in my Asus Router, I just did it last week and it was really easy, just took me 2 minutes.

        After your update unfortunately I cannot get it working anymore. Last time it was so easy, but now I have spent so much time already and cannot get it working.

        I get this error message, can you please tell me what I need to change?

        May 17 08:47:25 openvpn[2246]: Restart pause, 2 second(s)
        May 17 08:47:27 openvpn[2246]: Socket Buffers: R=[118784->131072] S=[118784->131072]
        May 17 08:47:27 openvpn[2246]: UDPv4 link local: [undef]
        May 17 08:47:27 openvpn[2246]: UDPv4 link remote: [AF_INET]62.113.194.88:1194
        May 17 08:47:27 openvpn[2246]: TLS_ERROR: BIO read tls_read_plaintext error: error:140830B5:SSL routines:ssl3_client_hello:no ciphers available
        May 17 08:47:27 openvpn[2246]: TLS Error: TLS object -> incoming plaintext read error
        May 17 08:47:27 openvpn[2246]: TLS Error: TLS handshake failed
        May 17 08:47:27 openvpn[2246]: SIGUSR1[soft,tls-error] received, process restarting
        May 17 08:47:27 openvpn[2246]: Restart pause, 2 second(s)

        • Maybe your router cannot work with the .ovpn files where the certificate is included. You can try to cut the cert between and and paste it in a new file ca.crt and add “ca ca.crt” to the .ovpn file.

  2. Hi! Thanks for the awesome VPN service.
    I was trying to update the connection from the old to the new configuration files on my Debian-machine (headless – no Network Manager).
    I get the following error when I try to run “openvpn .ovpn”:
    TLS_ERROR: BIO read tls_read_plaintext error: error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available

    any idea where the problem could be?
    Info about OpenVPN and OpenSSL
    OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
    OpenSSL 1.0.1t 3 May 2016, LZO 2.08
    AES-256-CBC is present when I run “openvpn --show-ciphers”

    Thank you very much in advance for any help!

    • Unfortunately we do not support Debian, but maybe it does not work with the certificate included in the configuration file. You can try to cut the certificate between and and paste it into a new file ca.crt. Then add “ca ca.crt” to the configuration file.

      • Hi! Thank you for your reply.
        Debian should not have any problem with the ca.crt being included in the config file.
        I found out that adding this line to the configuration file solves the problem:
        tls-version-min 1.2
        Cheers,
        Michele

    • You can cut the certificate between and and paste it to a new file ca.crt. Then add “ca ca.crt” to the .ovpn file. Or you can upgrade to Ubuntu 16.04.

  3. Hello,
    I’ve got a problem with the new VPN protocols. Since changing the protocols the connection speed via VPN service became lower on all provided servers (speed decreased by half). Could you please answer shortly if this is a general problem or an individual problem and I have to open a ticket?

  4. If I use the NL server with L2TP, the system says server not found, with DE everything works.

    • Softether does not recommend to use it on Mac but of course you can. Unfortunately there are higher skills required for this so 99% of our users would be overstrained with it 😉
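
The two fixes discussed in the comments above (moving the certificate out of the .ovpn file into a separate ca.crt referenced by “ca ca.crt”, and adding tls-version-min 1.2), as an added shell example that is not part of the original post or the provider's tooling. It assumes OpenVPN's inline-file syntax, where the CA certificate sits between `<ca>` and `</ca>`; the function names, file names, host name and certificate body are constructed.

```shell
#!/bin/sh
# Added example; function names, file names and the sample profile are constructed.

# Write a constructed sample profile with an inline CA (placeholder PEM body).
make_sample() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
</ca>
EOF
}

# harden_profile SRC OUTDIR
# Moves the inline <ca> block to OUTDIR/ca.crt, references it with "ca ca.crt",
# and appends "tls-version-min 1.2" unless the profile already sets a minimum.
harden_profile() {
    src=$1
    out=$2
    mkdir -p "$out" || return 1
    : > "$out/ca.crt"
    awk -v crt="$out/ca.crt" '
        /^[ \t]*<ca>[ \t\r]*$/        { inside = 1; next }
        /^[ \t]*<\/ca>[ \t\r]*$/      { inside = 0; print "ca ca.crt"; next }
        inside                        { print > crt; next }
        /^[ \t]*tls-version-min[ \t]/ { has_min = 1 }
        { print }
        END {
            if (!has_min) print "tls-version-min 1.2"
            if (inside) exit 2        # unterminated <ca> block
        }
    ' "$src" > "$out/client.ovpn" || return 1
    # Refuse to return a profile without a CA: the client could not
    # authenticate the server it connects to.
    grep -q 'BEGIN CERTIFICATE' "$out/ca.crt" || return 1
}
```

OpenVPN resolves the relative `ca.crt` path against its working directory, so start it from the output directory.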
