OpenWeb

Overview

OpenWeb is a proprietary protocol developed by Astrill in 2009. It is based on TCP and is protected by multiple layers of encryption and authentication. It is a connection-less protocol, so you can switch between servers within seconds, without waiting for VPN software to reconnect. It is very lightweight and performs well in countries with elevated censorship.

Security

OpenWeb is very hard to detect by DPI (deep packet inspection). Traffic looks like regular website browsing, so nobody can tell that you are accessing the Internet over a VPN. OpenWeb traffic is encrypted with AES-256, which is an industry standard.

Client compatibility
  • Windows
  • macOS
  • Linux
  • iOS
  • Android

StealthVPN

Overview

StealthVPN is another proprietary protocol by Astrill. It is inspired by OpenVPN and performs an additional obfuscation of traffic, which makes it undetectable to automated firewall systems. StealthVPN is very stable and can work in both UDP and TCP modes. Just like OpenWeb, it is only available with official Astrill VPN software.

Security

StealthVPN data streams are protected with AES-256 and authentication is done with certificates. This makes the protocol not only very secure, but also very stable. The connection is kept alive for the duration of a session and all traffic from your computer is routed through Astrill VPN, so there are no IP or DNS leaks.

Client compatibility
  • Windows
  • macOS
  • Linux
  • Android
  • Routers

WireGuard

Overview

WireGuard is an extremely simple yet fast and modern VPN protocol that utilizes very strong cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be more performant than OpenVPN. WireGuard is designed as a general purpose VPN, fit for many different circumstances.

Security

WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. It makes conservative and reasonable choices and has been reviewed by cryptographers. WireGuard is the result of a lengthy and thoroughly considered academic process, resulting in the technical whitepaper, an academic research paper which clearly defines the protocol and the intense considerations that went into each decision.

Client compatibility
  • Windows
  • macOS
  • Linux

OpenVPN

Overview

OpenVPN is a very flexible protocol that is widely supported across platforms. It can work over UDP, which provides fast speed, or TCP, which provides higher reliability and stability. You can connect to OpenVPN with third-party clients and set up a VPN connection without any Astrill software. Since OpenVPN does not aim to hide its traffic, it is easily detectable by automated firewall systems and is frequently blocked and throttled. For example, it is often blocked in China.

Security

OpenVPN is an open-source protocol that is often analysed by security experts from all around the world for vulnerabilities and exploits, and it is frequently updated and improved. It can use a wide range of encryption algorithms such as AES, Blowfish, Camellia and others. The protocol is very secure.

Client compatibility
  • Windows
  • macOS
  • Linux
  • iOS
  • Android
  • Routers

Cisco IPSec

Overview

Cisco IPSec is a modification of IKEv1/IPSec made by Cisco and Microsoft. It is a secure and fast protocol that works very well on iOS devices and Linux. IPSec operates in two modes: transport mode and tunneling mode. The transport mode encrypts the contents of the data packet and the tunneling mode encrypts the entire data packet.

Security

Cisco IPSec uses strong key exchange algorithms (up to 2048-bit) and very strong 256-bit AES encryption once the encryption key is established. IPSec is not designed to mask a VPN connection, so it can be susceptible to firewall filtering.

Client compatibility
  • macOS
  • Linux
  • iOS
  • Android
  • Routers

IKEv2/IPSec

Overview

IKEv2/IPSec is an evolution of the IKEv1 standard developed by Microsoft and Cisco. It provides improved ability to reconnect when changing networks. For BlackBerry users this is the only official way to connect your device to a VPN.

Security

Our configuration of IKEv2/IPSec combines strong key exchange over 2048-bit Diffie-Hellman groups, 256-bit AES encryption and SHA256 hashes for integrity checks. IKEv2 is considered a high VPN security standard, but just like any other IPSec implementation it does not aim to hide VPN activity, so it may be prone to firewall filtering.

Client compatibility
  • Windows
  • macOS
  • Linux
  • iOS
  • Android
  • Routers
  • BlackBerry

L2TP/IPSec

Overview

L2TP stands for Layer 2 Tunneling Protocol. It is an evolution of PPTP (Point-to-Point Tunneling Protocol, now considered unsafe) and works on many devices. We suggest using L2TP only on devices which cannot run Astrill software and do not support any other more suitable VPN protocol.

Security

L2TP is most often used together with IPSec (Internet Protocol Security), which guarantees very strong encryption at the packet level at the expense of speed. L2TP operates on fixed UDP ports 500/4500, which makes it easily blockable by firewalls (e.g. in China).

Client compatibility
  • Windows
  • macOS
  • Linux
  • iOS
  • Android
  • Routers
  • BlackBerry
  • Chromium

SSTP

Overview

SSTP stands for Secure Socket Tunneling Protocol. It is a Microsoft proprietary protocol and used to be available for Windows only. Recently, third-party clients for Linux and Android were released. As it uses TCP over TCP, it doesn't provide very fast speeds.

Security

SSTP uses SSL (Secure Sockets Layer) over a fixed TCP port 443, which makes it appear as general HTTPS traffic and makes it hard for firewalls to block. SSTP is considered to be a very safe protocol.

Client compatibility
  • Windows
  • Android
  • Linux

PPTP

Overview

PPTP is a very basic VPN protocol based on PPP. PPTP was the first VPN protocol supported on the Microsoft Windows platform. The PPTP specification does not actually describe encryption or authentication features and relies on the PPP protocol being tunneled to implement security functionality.

Security

Due to its major security flaws, there is no good reason to choose PPTP other than device compatibility. If you have a device on which neither L2TP/IPSec nor OpenVPN is supported, then it may be a reasonable choice. If quick setup and easy configuration are a concern, then L2TP/IPSec should be considered.

Client compatibility
  • Windows
  • macOS
  • Linux
  • iOS
  • Android
  • Routers