What is a VPN protocol and what types are there

Hello, my name is Nicholas Cuts. I am an employee of Switcherry VPN company. My new article focuses entirely on modern data protection techniques used in VPNs. I will tell you what techniques and technologies are used to create cryptographic protocols and give a general description of them, listing their advantages and disadvantages. After reading the article, you will know how VPN protocols differ from each other, which of them are better suited for solving certain problems, which are considered reliable and secure, and which should not be trusted. Before describing the cryptographic protocols, I will briefly remind you of what a VPN is, what types of VPNs there are, and what each type of VPN is for.

About VPNs and VPN types

A VPN (Virtual Private Network) is a modern technology that allows secure data transmission over open (“public”) networks. VPNs create secure communication channels (so-called “tunnels”) within an insecure network, such as the Internet. Currently, VPN technology is widely used by enterprises and organizations as well as by ordinary Internet users. Businesses use VPNs to establish secure connections between headquarters and branch offices, and to provide remote workers with secure access to a company’s local network. Ordinary users use a VPN primarily to protect personal data and ensure anonymity and confidentiality when working on the network. In addition, a VPN protects ordinary users from being tracked by the ISP and government authorities and makes it possible to bypass censorship restrictions in order to gain access to Internet resources blocked in the country of residence. You can use a VPN for torrenting to download music, movies, games and other content that is not freely available.

Basic VPN types

According to the method of deployment, VPN networks are divided into

  • VPN-networks with direct remote access (Remote access VPN);
  • VPN-networks between servers based on the Intranet (Intranet-based site-to-site VPN);
  • Extranet-based site-to-site VPN between servers.

Remote access VPNs are deployed by VPN providers to serve ordinary Internet users. Such networks are also created by commercial enterprises and government organizations to provide remote workers with access to the servers of the company (organization). In these networks, VPN tunnels are created between the server of the enterprise (or organization) and the computers (or other devices) of clients or remote workers.

Intranet-based site-to-site VPNs are created to combine two or more local area networks (LAN) into one wide area network (WAN). An example of an Intranet-based site-to-site VPN would be a network created between a central office and branch offices. VPN tunnels run from the head office server to the branch office servers. Remote office workers gain secure access to the company’s central server and can exchange files with it just as securely as if they were inside their local network.

Extranet-based site-to-site VPNs are created to connect wide area networks (WAN). That is, they connect networks belonging to different enterprises (or organizations), which allows them to securely exchange information with each other.

Trusted (dedicated) VPNs and secured VPNs (Trusted VPN vs Secure VPN)

According to the method of data protection, VPN networks are divided into

  • trusted (dedicated) VPN (Trusted VPN),
  • secure VPN (Secure VPN) and
  • hybrid VPN (Hybrid VPN).

Secure VPNs are deployed over open networks. Data transmitted over secure VPN networks is tunneled and encrypted. A typical example of a secure VPN is a set of VPN tunnels that connect a company’s headquarters to remote offices. These are also the networks that VPN providers create to serve ordinary Internet users. OpenVPN is the most commonly used protocol on secure VPNs these days.

Providers provide secure networks to residential users

Trusted VPN networks are built on dedicated communication channels. An enterprise’s own corporate network deployed in a secure building is a good example of a trusted VPN. It is assumed that hackers, attackers, competitors, and any other third-party users are unable to access the dedicated communication channels and therefore cannot intercept data transmitted over a trusted VPN network. (Trusted VPNs are protected from outside intrusion by firewalls.) For this reason, encryption is not used on trusted VPNs; traffic is only tunneled using VPN protocols such as PPTP and L2TP.

Hybrid VPNs are trusted VPN networks in which the transmitted data is also encrypted. Hybrid VPNs are the modern standard for corporate networks. Hybrid VPNs can use a variety of encryption protocols, but Windows-based networks typically use L2TP / IPSec or SSTP.

What are VPN protocols

VPN protocols are a type of network protocol. As you know, a network protocol is a set of rules and instructions on the basis of which data is transmitted over a network. TCP / IP, the most widespread network protocol today, is (in its pure form, without add-ons and extensions) not intended for the transfer of confidential information, since data packets transmitted over this protocol are not protected from interception and reading in any way. VPN protocols provide the maximum protection of data transmitted in open networks. Using VPN protocols, secure communication channels are created – the so-called VPN tunnels. When developing VPN protocols, two technologies are used: tunneling itself and encryption.

Tunneling – what it really is

You probably know that data is transmitted over the network in the form of so-called packets. Each packet has a header area, which contains service information (such as the IP address and port of the source and destination, the packet size, its checksum, etc.) and the data area itself. Tunneling is the encapsulation of network packets, that is, when one packet is “hidden” inside another. In practice, a ready-made packet formed using one network protocol is placed in the data area of another packet created using a different network protocol. In other words, the first network protocol is encapsulated in the second, which is actually tunneling.

Tunneling by itself does not protect data from being intercepted and read. In order to maximally protect the created “tunnel” from unauthorized access, it is necessary to additionally apply encryption.
Tunneling scheme
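
The encapsulation described above, as an added example (not code from the original article): it builds an inner IPv4/UDP packet, places it whole in the data area of an outer IPv4 packet, and then parses the result the way a passive observer on the path could. IP-in-IP (protocol number 4) is used here as the simplest form of encapsulation; the addresses, ports and payload are constructed sample values.

```python
import ipaddress
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, then payload."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    return head[:10] + struct.pack("!H", checksum(head)) + head[12:] + payload

def parse_ipv4(packet: bytes) -> dict:
    """Validate an IPv4 packet and split it into header fields and payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or not ihl <= total_len <= len(packet):
        raise ValueError("inconsistent length fields")
    if checksum(packet[:ihl]) != 0:  # a valid header sums to zero
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "proto": packet[9], "payload": packet[ihl:total_len]}

def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel: the complete inner packet becomes the outer packet's data."""
    return ipv4_packet(tunnel_src, tunnel_dst, 4, inner)  # 4 = IP-in-IP

def observer_view(wire: bytes) -> dict:
    """What anyone on the path can read from an unencrypted tunnel packet."""
    outer = parse_ipv4(wire)
    if outer["proto"] != 4:
        raise ValueError("outer packet does not carry IP-in-IP")
    inner = parse_ipv4(outer["payload"])
    if inner["proto"] != 17 or len(inner["payload"]) < 8:
        raise ValueError("inner packet is not a UDP datagram")
    sport, dport, ulen, _ = struct.unpack("!HHHH", inner["payload"][:8])
    return {"outer": (outer["src"], outer["dst"]),
            "inner": (inner["src"], inner["dst"]),
            "ports": (sport, dport), "data": inner["payload"][8:ulen]}

# Constructed sample: a LAN-to-LAN UDP datagram sent between two tunnel endpoints.
SAMPLE = b"user=alice;note=constructed-sample"
UDP = struct.pack("!HHHH", 40000, 5000, 8 + len(SAMPLE), 0) + SAMPLE
INNER = ipv4_packet("10.0.0.5", "10.0.1.20", 17, UDP)
WIRE = encapsulate(INNER, "192.0.2.10", "198.51.100.20")

if __name__ == "__main__":
    print(observer_view(WIRE))
```

Because nothing is encrypted, the inner addresses, ports and payload come back intact from the outer packet, which is the gap that encryption closes.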


The more secure the encryption you use, the more difficult it is to crack the VPN tunnel. Currently, AES-256 encryption is generally accepted and widely used by various secure network protocols, including the most commonly used SSL / TLS protocol on the Internet (secure HTTPS protocol is a common HTTP network protocol using SSL / TLS encryption). However, some VPN protocols still use outdated encryption algorithms (such as DES) and are therefore considered insecure. By the way, you can check your VPN for security yourself – here are the instructions.

Transport layer protocols TCP and UDP

VPN protocols operate over the transport layer protocols TCP or UDP. The main difference between them is as follows:

  • in TCP (Transmission Control Protocol), data packets are sent sequentially, the sender sends the next packet after receiving confirmation from the receiver about the delivery of the previous packet. If the sender has not received confirmation of delivery, then the packet is resent;
  • In UDP (User Datagram Protocol), data packets are sent in a continuous stream, no confirmation of packet delivery is required.

From the point of view of the average user, TCP is reliable but slow, while UDP is less reliable but very fast.

Ports used to create VPN connections

It should be borne in mind that VPN protocols use strictly defined ports. And these ports do not always coincide with the most commonly used ports 80 and 443 (used by default by HTTP and HTTPS, respectively). Therefore, when setting up a VPN connection yourself, you must open (unblock) these ports in the firewall of your device’s operating system. It should also be borne in mind that in countries where Internet censorship is rampant, traffic originating from unusual ports may be blocked by the ISP. Before setting it up, it is worth reading about common mistakes when using a VPN.

Best VPN Protocols Comparison

Let’s take a look at some of the protocols used around the world.

PPTP (Point-to-Point Tunneling Protocol)

PPTP is currently the oldest VPN protocol in widespread use. The protocol was developed by Microsoft Corporation with the participation of other companies. PPTP uses two connections – control, which uses TCP-1723, and transport, which uses the GRE tunneling protocol. By itself, PPTP does not encrypt data, but only tunnels traffic by encapsulating the Point-to-Point Protocol (PPP). At the same time, PPP uses unreliable and outdated encryption methods, therefore PPTP is considered the most insecure VPN protocol of all currently used. The advantages of PPTP are the low requirements for the computing power of the device and the widespread use.


Advantages

  • the fastest VPN protocol currently in use;
  • PPTP protocol is supported by most operating systems, all existing versions of Windows have built-in support for it;
  • this protocol is very easy to configure.


Disadvantages

  • this protocol uses very weak, outdated encryption methods;
  • PPTP protocol is easily identified and therefore a user using this protocol may be blocked by an ISP in countries where there are censorship restrictions.

Where is it recommended to use

The PPTP protocol should only be used where data transfer speed is critical and security takes a back seat, for example, when watching streaming video, downloading files from torrents, playing online games, etc.

L2TP (Layer 2 Tunnel Protocol), L2TP / IPSec

L2TP is essentially an enhanced PPTP protocol. It was developed by Cisco and Microsoft to replace the legacy, insecure PPTP protocol. This protocol also does not encrypt data, but only tunnels and therefore in practice is used in conjunction with the IPSec protocol (see below) and in this form is called L2TP / IPSec.

L2TP Architecture


Advantages

  • supported by most operating systems;
  • quite easy to set up;
  • L2TP / IPSec protocol uses strong AES-256 encryption.


Disadvantages

  • data transfer rate is lower than other protocols of the same security level;
  • uses unusual ports: UDP-500, UDP-5500, UDP-1701 and therefore, if desired, can be easily detected and blocked by an Internet provider;
  • according to unconfirmed rumors, the L2TP / IPSec protocol was hacked by specialists from the US National Security Agency.

Where is it recommended to use

L2TP / IPSec is a great alternative to the legacy PPTP protocol. But due to the relatively low data transfer rate, this protocol has limited application (used mainly in corporate networks).

IPSec (Internet Protocol Security)

IPSec is a set of cryptographic protocols that provide a high level of protection for transmitted data. Despite the fact that the first versions of IPSec appeared in the mid-90s of the last century, this protocol is still considered reliable and widely used. IPSec has two modes of operation: transport and tunnel. In transport mode, no packet encapsulation is applied, only the data area of the packet is encrypted, and the header remains unchanged. In tunnel mode, the entire packet is encrypted and encapsulated inside another packet, and layered encapsulation can be used. It can also be used in conjunction with other VPN protocols such as L2TP.


Advantages

  • old, reliable, well-proven protocol;
  • supported by all popular operating systems.


Disadvantages

  • as mentioned above, the IPSec protocol may have vulnerabilities discovered by the US National Security Agency;
  • the protocol is quite difficult to configure for inexperienced users.

Where is it recommended to use

In practice, this protocol is widely used in conjunction with L2TP and in the form of IKEv2 (see below).

IPSec Protocol

IKEv2 (Internet Key Exchange version 2), IKEv2/IPSec

IKE was developed by Microsoft and Cisco. IKEv2 is the second, improved version of the IKE protocol, released in 2005. IKEv2 can be thought of as a subset of IPSec, a secure extension of it, and is therefore commonly referred to as IKEv2 / IPSec.


Advantages

  • high speed of data transfer;
  • low demands on the computing power of the device;
  • most mobile operating systems have built-in support for the protocol;
  • for mobile devices, the protocol has a useful extension – MOBIKE (Mobility and Multihoming protocol), which allows the user to switch from one Wi-Fi network to another without breaking the current VPN connection.


Disadvantages

  • IKEv2 / IPSec is the property of Microsoft and Cisco, the source code of the protocol is not available, so we cannot exclude the presence of backdoors in the protocol, which enable intelligence agencies to monitor and read traffic of users using this protocol;
  • for the same reason, this protocol is not supported by free operating systems;
  • the protocol is relatively new and is not supported by older versions of popular operating systems (Windows supports IKEv2 / IPSec starting from version 7, macOS starting from version 10.11);
  • This protocol always uses only two ports – UDP-500 and UDP-4500, so devices using the IKEv2 / IPSec protocol to connect to the Internet can be easily blocked by the ISP.

Where is it recommended to use

The protocol works fine with all popular proprietary operating systems, but due to its low requirement for computing power, it should be primarily used with mobile devices.

SSTP (Secure Socket Tunneling Protocol)

SSTP was developed by Microsoft Corporation and has been integrated into Windows since Windows Vista Service Pack 1. It is also supported on Linux and some router operating systems, but has no native support on macOS. The protocol is based on the secure SSL 3.0 protocol (from the SSL / TLS family). This is an uncommon protocol, mainly used in corporate networks with servers and computers running Windows OS.


Advantages

  • relatively reliable and safe;
  • SSTP protocol uses TCP-443 port (the one through which HTTPS traffic goes), due to which VPN traffic is masqueraded as HTTPS.


Disadvantages

  • SSTP is a proprietary closed source protocol and therefore potentially contains backdoors;
  • SSL 3.0, on the basis of which SSTP was developed, is deprecated;
  • high demands on the processing power of the processor;
  • low prevalence;
  • low data transfer rate.

Where is it recommended to use

Windows desktops only.

SSTP protocol is used only to protect computers with Windows operating systems


OpenVPN

OpenVPN is an open source protocol. It was created by American programmer James Yonan in collaboration with Iraqi-born programmer Francis Dinha. OpenVPN was developed using the OpenSSL open source library. OpenVPN is based on improved versions of the SSL / TLS family of protocols. To transport data, OpenVPN uses the TCP or UDP protocols, so it is usually subdivided into OpenVPN over TCP and OpenVPN over UDP. The OpenVPN over UDP protocol is very fast and secure; of all the above VPN protocols, it is second only to PPTP in speed.


Advantages

  • reliable and secure open source protocol;
  • probably the most widely used VPN protocol;
  • actively developed and improved by the community of enthusiastic programmers;
  • OpenVPN over TCP uses TCP-443 port and masks VPN traffic as HTTPS.


Disadvantages

  • requires a sufficiently high computing power, therefore it is poorly suited for mobile devices;
  • since most operating systems do not have built-in support for this protocol, you need to download and install third-party software;
  • self-configuration of the protocol is rather complicated;
  • OpenVPN over TCP has a relatively low data transfer rate.

Where is it recommended to use

OpenVPN is without a doubt the best VPN protocol for desktops and laptops.


Wireguard

Wireguard is a new but already popular VPN protocol. It was created by Jason A. Donenfeld, an independent developer, and is a free open source protocol. It uses the new ChaCha20 encryption algorithm. According to the developer, Wireguard’s security level is no worse or even better than that of OpenVPN. Of all the protocols described here, Wireguard is the “lightest” one, and in terms of speed it is second only to PPTP. The protocol is supported by all popular operating systems and is integrated into the Linux OS kernel. It is one of the few protocols suitable for work in China.


Advantages

  • high speed of data transfer with the maximum level of security;
  • Wireguard is easier to configure for a newbie than OpenVPN;
  • low demands on the computing power of the device;
  • supported by all popular operating systems.


Disadvantages

  • Wireguard is a new VPN protocol and is still under development;
  • ChaCha20 encryption algorithm is not well understood and has potential vulnerabilities;
  • Wireguard only works over UDP, so if your ISP blocks UDP traffic, the protocol will stop working.

Where is it recommended to use

Everywhere, but especially on mobile devices, since the protocol does not load the processor and saves battery power.

Custom VPN Protocols

Individual VPN providers, not content with out-of-the-box solutions, create their own VPN protocols. However, one should not think that such “proprietary” VPN protocols are some completely new, innovative technology. In fact, all proprietary VPN protocols are clones, or at best, forks of long-standing VPN protocols. Proprietary VPN protocols are built using well-established open source protocols, typically OpenVPN and Wireguard.


1. Which VPN protocol is better?


OpenVPN undoubtedly ranks first in terms of reliability, security, and stability. But this protocol is too “heavy” for mobile devices, therefore, apparently, Wireguard will come out on top in the future.

2. What is the most popular VPN protocol in the world?


The exact statistics are unknown, but it’s safe to say that:

  • among home VPN users, the most popular protocol is OpenVPN;
  • IKEv2 / IPSec is the most popular among mobile users.

3. Which protocol is the fastest and which is the slowest?


The maximum achievable data rate for a particular VPN protocol depends on your settings. The higher the selected security level, the more the Internet will slow down. Here is a sample list of the VPN protocols described, ranked by speed (fastest at the top to slowest at the bottom):

  1. PPTP
  2. Wireguard
  3. IKEv2 / IPSec
  4. OpenVPN over UDP
  5. OpenVPN over TCP
  6. SSTP
  7. L2TP / IPSec

Author: Nicolas Cuts

Product Managers at SwitcherryVPN. Have 5 years background in management and marketing. I never stop learning!
