# [solved] Which of these VPN protocols is the safest?

## Marlo

Hello@,

for a vpn connection I have the choice between:

- PPTP
- L2TP
- SSTP
- IKEv2
- OpenVPN UDP
- OpenVPN TCP

My question is: Which of these protocols is the safest?

Is it possible to rank them in terms of security? Like 1. 2. 3.

On the Internet there are the most diverse views on this. Sometimes I think it's like a question of faith.

I am grateful for every hint, and thank you in advance.

Ma

----------

## NeddySeagoon

Marlo,

VPN products usually use a combination. 

L2TP provides a tunnel, with no security at all, so it's used with something else to provide security.

Who will be running the remote VPN endpoint?

You need to be able to trust them, since they will be decrypting all your VPN traffic.  You didn't ask about that.

----------

## Marlo

*NeddySeagoon wrote:*

> Who will be running the remote VPN endpoint?
>
> You need to be able to trust them, since they will be decrypting all your VPN traffic. You didn't ask about that.

It is a commercial provider. 

NeddySeagoon, I realize that the endpoint operator can see everything. I do not want to protect anything from state secret services (is this seriously possible at the present time?). I just want good protection against normal Internet crime: a VPN for desktop, notebook and smartphone.

For my smartphone, I now have an SSH connection to my desktop and go from there to the internet. But that is slow. So I want to spend some money and rent a service from a VPN provider. I found a provider that offers the above protocols.

I may be able to set up these protocols, but not evaluate them professionally.

That's why my question. And thank you for your suggestion.

----------

## 1clue

The only one of those things which is an encryption cipher is ikev2. The rest of them are protocols which may or may not be coupled with encryption.

Which cipher you use depends on who you don't trust, who (that you don't trust) has access to the route you're sending packets through, and whether the cipher is known to be hacked, or how easy it is likely to be to hack it.

The reason for the diverse opinions is that different people want to hide information from different groups, and there is no consensus as to who the biggest threat might be.

Your only way out of this is research and informed choice.

----------

## Marlo

 *1clue wrote:*   

> The only one of those things which is an encryption cipher is ikev2.

 

Yes, thank you. That would be a solution with Openswan or StrongSWAN or LibreSWAN? Installed on a small rented Xen VPS. The cost compared to a commercial VPN provider is the same.

I still have to find out if and how to install it on my Android before I buy something.

Thank you very much 1clue. Good idea.

Of course, the question raised by NeddySeagoon remains open.

Can I trust the endpoint provider?

----------

## NeddySeagoon

Marlo,

Your Android will offer a choice. Look under Settings/Wireless & Networks. One of the options is VPN.

I get PPTP and L2TP/IPSec with various secret sharing systems.

If you want Windows compatibility you need L2TP/IPSec, probably with a Pre Shared Key (PSK).

IPSec provides the security and L2TP provides the tunnel.

----------

## 1clue

PPTP has been tagged as unsafe by some software.

I use OpenVPN in tap mode. You said udp or tcp, that's not how it works.

OpenVPN has two main modes:  TUN vs TAP.

TUN is a conventional tunnel implemented in TCP. Your client looks like a computer from another network.

TAP is an emulation of a network card on the remote network. Your client looks like a computer directly attached to the remote network. You have access to pretty much anything that a local system would have access to, unless specifically barred by firewall rules for the vpn connection.

Some software refuses to allow connections from a remote network in spite of what your firewall says.  For example, IPMI server control, or ESXi management (I think) has this limit. If you use TUN you can't access those devices. If you use TAP you can.

----------

## 1clue

 *Marlo wrote:*   

>  *1clue wrote:*   The only one of those things which is an encryption cipher is ikev2. 
> 
> Yes, thank you. That would be a solution with Openswan or StrongSWAN or LibreSWAN? Installed on a small rented  Xen VPS . The costs to a commercial VPN provider are the same.
> 
> I still have to find out if and how to install it on my Android before I buy something.
> ...

 

You need to read a bunch before you buy anything.

With most VPN arrangements you can specify what ciphers to use separately from your choice of tunnel protocols. Most people probably just use whatever the default is, which is much easier but less safe.

----------

## Marlo

*1clue wrote:*

> You need to read a bunch before you buy anything.

On my Android I have installed the app "OpenVPN Connect". This is possible via TCP. But I do not yet know whether it is TUN or TAP.

I think I have to invest more time.

Many thanks for the suggestions

----------

## 1clue

TAP is slower.

----------

## Marlo

Ah, here. I got it:

```
client
# routed (layer-3) tunnel device, not a TAP bridge
dev tun
# transport protocol and server endpoint (hostname as posted, placeholder)
proto tcp
remote XXX-XXXX.net 80
persist-key
persist-tun
# CA that must have signed the server certificate
ca ca.crt
# HMAC key guarding the control channel; "1" is the client key direction
tls-auth my.key 1
# data-channel cipher
cipher AES-256-CBC
# LZO compression of the data channel
comp-lzo
verb 1
mute 20
# Windows-only: install routes via route.exe
route-method exe
route-delay 2
# send all traffic through the tunnel
route 0.0.0.0 0.0.0.0
# keep the session if the server's address/port changes
float
# prompt for username/password and re-prompt on failure
auth-user-pass
auth-retry interact
```

----------

## havana8

I also consider PPTP unsafe. Perhaps this article might be beneficial, as it gives you brief info on different network protocols and some of the disadvantages they have. There is also a paragraph on the perks of UDP and TCP. Personally, I would suggest using OpenVPN.

----------

## chiefbag

 *1clue wrote:*   

> I use OpenVPN in tap mode. You said udp or tcp, that's not how it works.

 

OpenVPN can run over either UDP or TCP protocol.

TAP or TUN are the devices presented on the client/server host.

----------

## Marlo

 *havana8 wrote:*   

> ... Perhaps this article might be beneficial ...I would suggest using an OpenVPN 

 

thanks havana8,

The link was very useful to me. In the meantime, I had opted for OpenVPN.

By the way: I did not know that 1&1 has such a good know-how page. There are many useful hints. Thanks for that too!

Ma

----------

## 1clue

 *chiefbag wrote:*   

>  *1clue wrote:*   I use OpenVPN in tap mode. You said udp or tcp, that's not how it works. 
> 
> OpenVPN can run over either UDP or TCP protocol.
> 
> TAP or TUN are the devices presented on the client/server host.

 

I didn't know that.

WRT UDP or TCP, I would recommend UDP then. TCP is a 'guaranteed delivery' protocol, and if a packet is dropped then the entire stream is halted until that packet can be correctly delivered. In real-life situations where there is packet loss, UDP can continue happily when one packet has gone missing; the client can request that packet again while still receiving other packets.

This is regardless of what's being transferred.

Back in the 90s I worked at IBM. They had this guaranteed network protocol, I think it was called anynet or something like that. It was 'always on' supposedly under any circumstances. It was much faster to send data over regular tcp/ip, and with some experimentation we found that UDP was fastest of all but you had to code for the resending of packets yourself. The event that caused us to experiment was our "always on" network was down for like a day and a half.

Of course regular ethernet-to-ethernet without any ip addresses would be faster still, but not practical unless everything is on the same lan.

----------

## toofied

 *Marlo wrote:*   

> Hello@,
> 
> My question is: Which of these protocols is the safest?
> 
> Ma

 

OpenVPN (UDP is faster than TCP). It has recently been audited by OSTIF.

You also forgot to mention WireGuard, which is likely more secure, but needs more testing in the wild.

----------

## depontius

 *1clue wrote:*   

>  *chiefbag wrote:*    *1clue wrote:*   I use OpenVPN in tap mode. You said udp or tcp, that's not how it works. 
> 
> OpenVPN can run over either UDP or TCP protocol.
> 
> TAP or TUN are the devices presented on the client/server host. 
> ...

 

The real problem with TCP for your tunnel is that you may then be tunneling TCP through it. At that point you have two "reliable" protocols running at the same time, and they can work against each other. Run your tunnel over UDP, and then you can tunnel TCP through it without that kind of problem. I run my own OpenVPN endpoint, and have the Android OpenVPN client that can attach to it. I only route my local server traffic through it, not all of my traffic. I also have https-everywhere installed, so I count on that to keep most of my traffic safe, though of course the metadata is still exposed. I should look into routing all traffic through OpenVPN; I know it's an option.

----------
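
As an added example, not Marlo's posted config and not OpenVPN's own code: a small Python checker that reads an OpenVPN client config like the one posted above and flags the settings this thread argues about, namely the TCP transport (depontius's TCP-over-TCP point) and the cipher choice 1clue mentions, plus the checks a practitioner would add next to them (server certificate role check, control-channel key, compression, TLS floor). The first sample config is a trimmed copy of the posted one; the hardened counterpart, its hostname `vpn.example.net`, and its key-file names are assumptions made for illustration.

```python
"""Audit an OpenVPN client config for the settings that decide how safe the tunnel is.

Added example for this thread, not OpenVPN's own code and not the poster's.
POSTED_CONFIG is a trimmed copy of the directives posted above (logging and
Windows-only routing lines left out); HARDENED_CONFIG is an assumed counterpart
with placeholder host and key-file names. Assumes OpenVPN 2.4+ syntax.
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}

POSTED_CONFIG = """\
client
dev tun
proto tcp
remote XXX-XXXX.net 80
ca ca.crt
tls-auth my.key 1
cipher AES-256-CBC
comp-lzo
route 0.0.0.0 0.0.0.0
auth-user-pass
"""

HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
tls-crypt tc.key
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
redirect-gateway def1
auth-user-pass
auth-nocache
"""


def parse_config(text):
    """Map each directive to the argument lists it occurs with, in file order."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                        # skip inline <ca>/<cert>/<tls-crypt> payloads
            in_block = not line.startswith("</")
            continue
        if not line or line[0] in "#;":     # full-line OpenVPN comments
            continue
        if line.startswith("<"):
            in_block = True
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit(text):
    """Return (severity, directive, message) findings; an empty list means nothing to fix."""
    cfg, out = parse_config(text), []

    def first(key):
        return cfg[key][0] if key in cfg else None  # args of the first occurrence, or None

    # Transport: a tunnelled TCP flow and the outer TCP retransmit against each other under loss.
    proto = first("proto")
    if proto and proto[0].startswith("tcp"):
        out.append(("WARN", "proto", "TCP-over-TCP stalls under packet loss; prefer 'proto udp'"))
    # Data channel: pin an AEAD cipher; without negotiation the legacy fallback is BF-CBC.
    cipher = first("cipher")
    if cipher is None and not (cfg.keys() & {"data-ciphers", "ncp-ciphers"}):
        out.append(("WARN", "cipher", "no cipher pinned; the legacy default is BF-CBC (64-bit block)"))
    elif cipher and cipher[0].upper() in WEAK_CIPHERS:
        out.append(("WARN", "cipher", f"{cipher[0]} is weak; use AES-256-GCM"))
    elif cipher and cipher[0].upper() not in AEAD_CIPHERS:
        out.append(("INFO", "cipher", f"{cipher[0]} is CBC mode; AES-256-GCM (AEAD) is preferred"))
    if "auth" not in cfg:
        out.append(("INFO", "auth", "HMAC defaults to SHA1; set 'auth SHA256'"))
    # Compressing plaintext before encryption is a compression oracle; upstream deprecated it.
    lzo, comp = first("comp-lzo"), first("compress")
    if (lzo is not None and lzo != ["no"]) or (comp and comp[0] not in ("stub", "stub-v2")):
        out.append(("WARN", "comp-lzo" if lzo is not None else "compress", "compression enabled; remove it"))
    # Server identity: otherwise any cert from the same CA (another client's) passes as the server.
    if not (cfg.keys() & {"remote-cert-tls", "verify-x509-name", "ns-cert-type"}):
        out.append(("WARN", "remote-cert-tls", "server role not checked; add 'remote-cert-tls server'"))
    if "ns-cert-type" in cfg:
        out.append(("INFO", "ns-cert-type", "deprecated; use 'remote-cert-tls server'"))
    # Control channel: tls-crypt authenticates and encrypts it, tls-auth only authenticates.
    if not (cfg.keys() & {"tls-crypt", "tls-crypt-v2"}):
        if "tls-auth" in cfg:
            out.append(("INFO", "tls-auth", "handshake authenticated but visible; 'tls-crypt' also encrypts it"))
        else:
            out.append(("WARN", "tls-auth", "no tls-auth/tls-crypt; TLS handshake exposed to anyone reaching the port"))
    if "tls-version-min" not in cfg:
        out.append(("INFO", "tls-version-min", "no TLS floor; add 'tls-version-min 1.2'"))
    if "auth-user-pass" in cfg and "auth-nocache" not in cfg:
        out.append(("INFO", "auth-nocache", "credentials stay cached in memory; add 'auth-nocache'"))
    return out


def warnings(text):
    """Directive names of the WARN-level findings, in the order audit() reports them."""
    return [directive for sev, directive, _ in audit(text) if sev == "WARN"]


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Run it as a script to see the findings for both configs; the hardened one yields none. The checker only looks at directives, so it cannot tell whether `ca.crt` really belongs to the provider or whether the provider's server enforces matching settings; that part of the trust question NeddySeagoon raised stays with whoever operates the endpoint.

----------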

## krullis

Avoid PPTP and L2TP; they have been insecure for a long time and should not be used anymore. Even Apple has removed support for them in its OS, as they are not secure.

OpenVPN should be most secure if its configured properly.

SSTP should be OK as well, but is only supported in Windows, I think.

----------

## szatox

L2TP is not supposed to be secure. That's why it's usually coupled with IPsec.

What's so bad about pptp? I'm curious

----------

