VPN Types explained
James Patterson | Last Updated:
Online Privacy & Internet Security Expert
VPNs have risen in popularity over the last few years as governments, advertisers, and ISPs more actively monitor browsing habits. A VPN encrypts the traffic between your device and the VPN server, so whoever is watching your local network or your ISP link sees only an encrypted tunnel rather than the sites you visit. Keep in mind that the VPN provider sits at the other end of that tunnel and can see everything you send through it: a VPN moves trust from your ISP to the provider rather than removing it. While most VPNs share the goal of protecting your privacy, the protocols underneath them reach it in quite different ways, and not all of them still hold up. Below is a summary of the main VPN protocol types and a description of which ones may be suitable for you.
Point-to-Point Tunneling Protocol (PPTP)
Point-to-Point Tunneling Protocol (PPTP) was one of the earliest VPN protocols and is now obsolete: it has well-documented security weaknesses that put any data sent over this type of connection at risk. It was built into early Windows operating systems to let a remote PC connect to a corporate network without being physically present at the facility. PPTP does encrypt the data passing through the tunnel (using MPPE, a stream cipher built on RC4), but the encryption keys are derived from the user's password hash through the same MS-CHAP authentication exchange described next. Anyone who breaks the authentication therefore also recovers the encryption keys and can decrypt the captured session.
MS-CHAP v1 (Microsoft Challenge-Handshake Authentication Protocol) was the authentication method built into Windows and the one most PPTP connections relied on. It is an authentication protocol, not an encryption scheme: the client proves knowledge of the password by DES-encrypting an 8-byte server challenge with keys cut from the password hash. Version 1 still sent a response derived from the old LAN Manager hash, which is so weak that the password can be recovered from a single captured exchange. MS-CHAP v2 dropped the LM response and added mutual authentication, but its NT response has a structural flaw: the 16-byte NT hash is zero-padded to 21 bytes and split into three 7-byte DES keys that all encrypt the same block, so the third key has only two bytes of real entropy and the other two can be found with a single search of the 56-bit DES key space. That search is not something you run on a desktop PC, but dedicated hardware and cloud cracking services have been demonstrating it in under a day since 2012, and because the captured exchange can be attacked offline, a dictionary attack against a weak password succeeds on any modern machine. Microsoft responded in 2012 by advising customers to wrap MS-CHAP v2 in PEAP or move to another VPN protocol. Our recommendation is to avoid PPTP and MS-CHAP wherever possible.
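To make the key-structure weakness concrete, here is an added example (not code from the original article) that builds an MS-CHAP v2 NT response as RFC 2759 specifies it and then recovers the third DES key from the captured response with a 65 536-step search. The NT hash (`sampleNTHash`), the two challenges and the username are constructed values; the MD4 step that would produce the hash from a password is left out and the hash is taken as input. The 2^56 search for the first two keys is shown only as its inner check (`matchesFirstOrSecond`), since running it to completion needs dedicated hardware.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// expandDESKey turns the 7-byte (56-bit) key MS-CHAP uses into the 8-byte form
// crypto/des expects, by inserting a parity bit after every 7 key bits.
func expandDESKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	for i := 0; i < 8; i++ {
		var v byte
		for j := 0; j < 7; j++ {
			bit := i*7 + j // index into the 56 key bits, MSB first
			if k7[bit/8]&(0x80>>(bit%8)) != 0 {
				v |= 0x80 >> j
			}
		}
		k8[i] = v // low bit is parity; crypto/des ignores it
	}
	return k8
}

// desEncrypt encrypts one 8-byte block under a 7-byte MS-CHAP key.
func desEncrypt(key7, block []byte) []byte {
	c, err := des.NewCipher(expandDESKey(key7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// challengeHash is ChallengeHash() from RFC 2759 section 8.2.
func challengeHash(peerChallenge, authChallenge []byte, username string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(username))
	return h.Sum(nil)[:8]
}

// challengeResponse is ChallengeResponse() from RFC 2759 section 8.5: the 16-byte
// NT hash is zero-padded to 21 bytes and cut into three 7-byte DES keys, and each
// key encrypts the same 8-byte challenge hash.
func challengeResponse(ntHash, ch []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(padded[i*7:(i+1)*7], ch)...)
	}
	return resp
}

// recoverThirdKey recovers K3 from a captured exchange. Only its first two bytes
// come from the NT hash (bytes 14 and 15); the other five are the zero padding,
// so 65 536 DES operations exhaust the key space. It returns those two bytes.
func recoverThirdKey(ch, resp []byte) (uint16, bool) {
	k := make([]byte, 7)
	for cand := 0; cand < 1<<16; cand++ {
		binary.BigEndian.PutUint16(k, uint16(cand))
		if bytes.Equal(desEncrypt(k, ch), resp[16:24]) {
			return uint16(cand), true
		}
	}
	return 0, false
}

// matchesFirstOrSecond is the inner step of the 2^56 search for K1 and K2. Both
// keys encrypt the same block, so one pass over the DES key space is checked
// against both ciphertexts and yields both keys; that pass is not run here.
func matchesFirstOrSecond(key7, ch, resp []byte) (int, bool) {
	c := desEncrypt(key7, ch)
	switch {
	case bytes.Equal(c, resp[0:8]):
		return 0, true
	case bytes.Equal(c, resp[8:16]):
		return 1, true
	}
	return -1, false
}

// sampleNTHash is a constructed 16-byte value standing in for MD4(UTF-16LE(password)).
var sampleNTHash = []byte{
	0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,
	0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0,
}

func main() {
	peer := bytes.Repeat([]byte{0x11}, 16) // constructed challenges
	auth := bytes.Repeat([]byte{0x22}, 16)
	ch := challengeHash(peer, auth, "alice")
	resp := challengeResponse(sampleNTHash, ch)
	fmt.Printf("NT response: %x\n", resp)
	k3, ok := recoverThirdKey(ch, resp)
	fmt.Printf("K3 recovered by 2^16 search: %04x (found=%v)\n", k3, ok)
	idx, found := matchesFirstOrSecond(sampleNTHash[7:14], ch, resp)
	fmt.Printf("candidate key matched response block %d: %v\n", idx, found)
}
```

Running it recovers the last two bytes of the NT hash (`e1f0`) from the response in a fraction of a second with no knowledge of the password. Once K1 and K2 are also found, the attacker holds the complete NT hash, which is all that is needed both to authenticate as the user and to derive the MPPE session keys.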
Layer 2 Tunneling Protocol (L2TP)
L2TP is a tunneling protocol rather than a complete VPN: it carries PPP frames between a client and a concentrator (remote-access VPNs) or between two gateways (site-to-site links), and it has nothing to do with websites in particular. On its own, L2TP provides neither encryption nor confidentiality, and it does not require a shared key or certificate either. In practice it is almost always combined with IPsec (described below) as L2TP/IPsec: the IPsec layer is what authenticates the two endpoints with a pre-shared key or a certificate and what encrypts the L2TP traffic carried inside it.
L2TP was standardized in 1999 (RFC 2661), and the L2TP/IPsec combination has shipped as a built-in VPN type in Windows since Windows 2000. The protocol runs over UDP (port 1701), but that does not make its data inaccurate: reliability is handled by whatever is carried inside the tunnel, so a TCP connection tunneled over L2TP still retransmits lost segments exactly as it would on a plain link. UDP is chosen precisely because nesting one reliable transport inside another causes retransmission storms, so L2TP is a perfectly reasonable choice for file transfers. Plain L2TP has not been broken the way PPTP has, simply because it has no security features to break, and it must never be used without IPsec on top of an untrusted network. L2TP/IPsec with modern IPsec algorithms remains acceptable, though newer deployments generally prefer IKEv2/IPsec or a TLS-based VPN, which carry one less layer of encapsulation and therefore less overhead.
TLS and SSL
Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are closely related protocols that provide authenticated, encrypted communication over a network, and they are the basis of most “SSL VPN” products. TLS has gone through several revisions; the current version is 1.3 (RFC 8446), with 1.2 still widely deployed. TLS is flexible in that it negotiates, per connection, the key exchange method, the cipher, and the integrity mechanism from the cipher suites both sides support. Every record sent over TLS carries an integrity check, a message authentication code in TLS 1.2 and earlier or an AEAD authentication tag in TLS 1.3, which the receiver verifies before accepting the data; a record that has been altered or replayed is rejected. Detecting lost data is not TLS's job: that is handled by TCP underneath it.
SSL is the older name of the same family. SSL 2.0 had long been considered broken, and SSL 3.0 was finished off by the POODLE attack published in October 2014, which exploits the padding check in SSL 3.0's CBC cipher modes to decrypt pieces of a session without the key; SSL 3.0 was formally deprecated in June 2015 (RFC 7568). Some legacy devices still speak it, but businesses and users should avoid any product that depends on SSL 2.0 or 3.0, and should also disable TLS 1.0 and 1.1, which have since been deprecated as well (RFC 8996). Note that the name “SSL” survives in marketing and in phrases like “SSL certificate”: such a certificate is an ordinary X.509 certificate used by TLS, and a modern “SSL VPN” almost always runs TLS, since TLS is SSL's successor rather than the other way round. Rather than asking a vendor what the product is called, check what it negotiates: the version and cipher suite in the ServerHello tell you whether you got TLS 1.2 or 1.3, or something older.
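The following added example (not part of the original article) is that check: a parser for a TLS/SSL ServerHello record that reports the negotiated version and cipher suite, including the TLS 1.3 case where the real version is carried in the supported_versions extension rather than in the version field. The three sample records (`helloSSL3`, `helloTLS12`, `helloTLS13`) are constructed with the `buildServerHello` helper, and `Acceptable` encodes the policy of accepting only TLS 1.2 and 1.3; both names are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var versionNames = map[uint16]string{0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

type HelloInfo struct {
	Version     uint16 // protocol version actually negotiated
	CipherSuite uint16 // IANA cipher suite code, e.g. 0x1301 = TLS_AES_128_GCM_SHA256
}

func (h HelloInfo) Name() string {
	if n, ok := versionNames[h.Version]; ok {
		return n
	}
	return fmt.Sprintf("unknown (0x%04x)", h.Version)
}

func (h HelloInfo) Acceptable() bool { return h.Version >= 0x0303 } // policy: TLS 1.2 and 1.3 only

var errMalformed = errors.New("malformed or truncated ServerHello")

// parseServerHello reads one handshake record carrying a ServerHello (RFC 5246
// section 7.4.1.3, RFC 8446 section 4.1.3) and reports what was negotiated.
func parseServerHello(rec []byte) (HelloInfo, error) {
	var info HelloInfo
	if len(rec) < 5 || rec[0] != 0x16 { // record content type 22 = handshake
		return info, errMalformed
	}
	recLen := int(binary.BigEndian.Uint16(rec[3:5]))
	if len(rec) < 5+recLen || recLen < 4 || rec[5] != 0x02 { // handshake type 2 = ServerHello
		return info, errMalformed
	}
	hs := rec[5 : 5+recLen]
	hsLen := int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3])
	if len(hs) < 4+hsLen || hsLen < 2+32+1 {
		return info, errMalformed
	}
	body := hs[4 : 4+hsLen]
	info.Version = binary.BigEndian.Uint16(body[0:2]) // server_version (legacy_version in 1.3)
	p := 2 + 32 + 1 + int(body[34])                   // skip random and session id
	if len(body) < p+3 {
		return info, errMalformed
	}
	info.CipherSuite = binary.BigEndian.Uint16(body[p : p+2])
	p += 3 // cipher suite + compression method
	if p == len(body) {
		return info, nil // no extensions: an SSL 3.0 style hello
	}
	if len(body) < p+2 {
		return info, errMalformed
	}
	exts := body[p+2:]
	if len(exts) != int(binary.BigEndian.Uint16(body[p:p+2])) {
		return info, errMalformed
	}
	for len(exts) >= 4 {
		typ, l := binary.BigEndian.Uint16(exts[0:2]), int(binary.BigEndian.Uint16(exts[2:4]))
		if len(exts) < 4+l {
			return info, errMalformed
		}
		if typ == 43 && l == 2 { // supported_versions: TLS 1.3 carries its real version here
			info.Version = binary.BigEndian.Uint16(exts[4:6])
		}
		exts = exts[4+l:]
	}
	return info, nil
}

func be16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// buildServerHello constructs a ServerHello record for the samples below (random is zeroed).
func buildServerHello(recVersion, helloVersion, suite uint16, exts []byte) []byte {
	body := append(be16(nil, helloVersion), make([]byte, 32)...)
	body = append(be16(append(body, 0), suite), 0) // empty session id, cipher suite, null compression
	if exts != nil {
		body = append(be16(body, uint16(len(exts))), exts...)
	}
	hs := append([]byte{0x02, 0, byte(len(body) >> 8), byte(len(body))}, body...)
	return append(be16(be16([]byte{0x16}, recVersion), uint16(len(hs))), hs...)
}

// Constructed samples: what three different servers might answer.
var (
	helloSSL3  = buildServerHello(0x0300, 0x0300, 0x000a, nil) // TLS_RSA_WITH_3DES_EDE_CBC_SHA
	helloTLS12 = buildServerHello(0x0303, 0x0303, 0xc02f, nil) // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	helloTLS13 = buildServerHello(0x0303, 0x0303, 0x1301, // TLS_AES_128_GCM_SHA256, plus
		[]byte{0x00, 0x2b, 0x00, 0x02, 0x03, 0x04}) // supported_versions = 0x0304
)

func main() {
	for _, rec := range [][]byte{helloSSL3, helloTLS12, helloTLS13} {
		info, err := parseServerHello(rec)
		fmt.Printf("%-8s cipher suite 0x%04x acceptable=%v err=%v\n", info.Name(), info.CipherSuite, info.Acceptable(), err)
	}
}
```

The same parser works on the first server record of a packet capture of the VPN client connecting: if the version it reports is SSL 3.0 or TLS 1.0, the product is not what its "SSL" label suggests in any good sense, whatever the vendor calls it. The TLS 1.3 case matters because a naive check of the version field alone would report 1.2 for every 1.3 connection.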
IPsec
IPsec is the most widely deployed protocol suite for site-to-site VPNs and for a large share of remote-access VPNs. It operates at the Network Layer (layer 3) of the OSI model, which means it can protect every IP packet between two hosts or gateways regardless of which application produced it. TLS, by contrast, sits between the application and the transport layer (on top of TCP) and protects one application connection at a time; SSL sat in exactly the same place, not at the Application Layer. Neither design is simply superior: IPsec is the natural fit for joining networks together, while TLS is easier to get through firewalls and proxies.
IPsec defines two protocols for protecting packets. The Authentication Header (AH) adds an integrity check that both devices can verify independently to confirm the packet has not been altered, but it provides no encryption. The Encapsulating Security Payload (ESP) encrypts the packet data and, in every modern configuration, also authenticates it, so ESP alone is what nearly all deployments use (AH additionally breaks when a NAT rewrites the addresses it covers). Either protocol can run in one of two modes: transport mode or tunnel mode.
To understand the difference, remember that an ESP packet contains more than the data each device is sending (the “payload”). Every ESP packet starts with a cleartext header holding the Security Parameter Index (SPI), which identifies the negotiated keys, and a sequence number used against replay; the payload follows, encrypted together with a short trailer that records the padding and the type of the protected data; an integrity check value (ICV) closes the packet. What differs between the modes is how much of the original packet ends up inside that encrypted region. In transport mode the original IP header is kept and sent in the clear with its protocol field set to ESP, and only the transport-layer data behind it (for example the TCP header and application data) is encrypted, so an observer still sees which two hosts are talking. In tunnel mode the entire original IP packet, including its header and therefore the inner addresses, is encrypted as the ESP payload, and a new outer IP header is added that carries only the addresses of the two VPN gateways. Tunnel mode is what site-to-site and remote-access VPNs use, and it is the mode that hides internal topology; transport mode is used for host-to-host protection. The performance difference between them is marginal: tunnel mode costs one extra IP header per packet, not a noticeably larger amount of decryption.
When it comes to algorithms, IPsec negotiates them through IKE and supports a range of options, which makes the configuration a place where weak choices creep in. Two kinds must be distinguished. Encryption is provided by a cipher such as AES-CBC or AES-GCM (3DES and DES are also defined but are obsolete). Integrity is provided by a keyed hash such as HMAC-SHA2 (HMAC-SHA1 and HMAC-MD5 are legacy). AES-GCM is an authenticated cipher that supplies both at once, so it is the preferred choice on modern hardware; AES-CBC with HMAC-SHA2 is the usual fallback. 3DES is not a substitute for SHA-2 (they do different jobs), and it should only appear in a configuration to talk to a legacy peer that supports nothing else.
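The next added example (it is not code from the original article) ties the last three paragraphs together: it builds ESP packets with AES-GCM in both transport and tunnel mode for a constructed TCP packet, then shows which addresses remain readable in each mode and that a modified packet fails the integrity check instead of yielding corrupted data. The `SA` type, the sample key, salt, SPI and all addresses are constructed for illustration; key negotiation (IKE) and the anti-replay window are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const protoIPv4, protoTCP, protoESP = 4, 6, 50

// ipv4Header builds a minimal 20-byte IPv4 header (constructed; checksum left zero).
func ipv4Header(src, dst net.IP, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0], h[8], h[9] = 0x45, 64, proto // version 4 + IHL 5, TTL, protocol
	binary.BigEndian.PutUint16(h[2:4], uint16(20+payloadLen))
	copy(h[12:16], src.To4())
	copy(h[16:20], dst.To4())
	return h
}

type SA struct { // state both ends of an ESP security association share (normally set up by IKE)
	SPI  uint32
	salt []byte // 4-byte salt that prefixes the 8-byte IV to form the GCM nonce (RFC 4106)
	gcm  cipher.AEAD
	seq  uint32
}

func newSA(spi uint32, key, salt []byte) *SA {
	block, err := aes.NewCipher(key) // AES-128/192/256 depending on key length
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &SA{SPI: spi, salt: salt, gcm: gcm}
}

// encapsulate builds an ESP packet (RFC 4303, AES-GCM per RFC 4106):
// SPI | seq | IV(8) | AES-GCM(payload | pad | padLen | nextHeader) | ICV(16).
// SPI and seq are authenticated but sent in clear; everything after the IV is encrypted.
func (sa *SA) encapsulate(payload []byte, nextHeader byte) []byte {
	sa.seq++ // doubles as the IV: it must never repeat under one key (no anti-replay window here)
	hdr, iv := make([]byte, 8), make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:4], sa.SPI)
	binary.BigEndian.PutUint32(hdr[4:8], sa.seq)
	binary.BigEndian.PutUint64(iv, uint64(sa.seq))
	padLen := (4 - (len(payload)+2)%4) % 4 // ESP aligns its trailer to 4 bytes
	pt := append(append([]byte{}, payload...), []byte{1, 2, 3}[:padLen]...)
	pt = append(pt, byte(padLen), nextHeader)
	nonce := append(append([]byte{}, sa.salt...), iv...)
	return append(append(hdr, iv...), sa.gcm.Seal(nil, nonce, pt, hdr)...) // hdr is the AAD
}

// decapsulate verifies the ICV and returns the protected payload and its next header.
func (sa *SA) decapsulate(pkt []byte) ([]byte, byte, error) {
	if len(pkt) < 8+8+16 {
		return nil, 0, errors.New("ESP packet too short")
	}
	pt, err := sa.gcm.Open(nil, append(append([]byte{}, sa.salt...), pkt[8:16]...), pkt[16:], pkt[:8])
	if err != nil {
		return nil, 0, errors.New("ICV check failed: packet altered or wrong key")
	}
	n := len(pt)
	if n < 2 || int(pt[n-2])+2 > n {
		return nil, 0, errors.New("bad ESP trailer")
	}
	return pt[:n-2-int(pt[n-2])], pt[n-1], nil
}

// transportMode keeps the original IP header in clear and protects only its payload.
func transportMode(sa *SA, ipPkt []byte) []byte {
	ihl := int(ipPkt[0]&0x0f) * 4
	hdr := append([]byte{}, ipPkt[:ihl]...)
	esp := sa.encapsulate(ipPkt[ihl:], hdr[9]) // original protocol becomes the ESP next header
	hdr[9] = protoESP
	binary.BigEndian.PutUint16(hdr[2:4], uint16(ihl+len(esp)))
	return append(hdr, esp...)
}

// tunnelMode protects the whole original packet and adds an outer header with only gateway addresses.
func tunnelMode(sa *SA, ipPkt []byte, gwSrc, gwDst net.IP) []byte {
	esp := sa.encapsulate(ipPkt, protoIPv4)
	return append(ipv4Header(gwSrc, gwDst, protoESP, len(esp)), esp...)
}

var sampleKey, sampleSalt = []byte("0123456789abcdef"), []byte{0xde, 0xad, 0xbe, 0xef} // constructed SA material
var gwA, gwB = net.ParseIP("203.0.113.1"), net.ParseIP("198.51.100.1")                   // the two VPN gateways

// sampleInnerPacket is a constructed TCP segment between two hosts behind those gateways.
func sampleInnerPacket() []byte {
	tcp := append(make([]byte, 20), "GET / HTTP/1.1\r\n"...) // zeroed TCP header + data
	return append(ipv4Header(net.ParseIP("10.1.1.5"), net.ParseIP("10.2.2.7"), protoTCP, len(tcp)), tcp...)
}

func main() {
	sa, inner := newSA(0x1000, sampleKey, sampleSalt), sampleInnerPacket()
	tp, tn := transportMode(sa, inner), tunnelMode(sa, inner, gwA, gwB)
	fmt.Printf("transport %d bytes, clear %v->%v; tunnel %d bytes, clear %v->%v\n", len(tp), net.IP(tp[12:16]), net.IP(tp[16:20]), len(tn), net.IP(tn[12:16]), net.IP(tn[16:20]))
}
```

Compare the two outputs: in transport mode an observer reads 10.1.1.5 -> 10.2.2.7 from the packet, in tunnel mode only 203.0.113.1 -> 198.51.100.1, and the tunnel-mode packet is exactly 20 bytes longer, which is the whole cost of the extra outer header. Flipping any byte of the encrypted region makes `decapsulate` return an ICV error rather than a corrupted payload, which is the property the integrity check exists to provide.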
As you can see, there are many types of VPNs and many backbone protocols that they rely on. VPNs aren't a new technology, and they have gone through several redesigns to become as robust as they are today. If you're considering using a VPN to protect your online privacy, examine the solution and find out what it actually negotiates: which protocol, which cipher and which authentication method, because not all of them are created equal!