Protocols


Read more on all Astrill VPN protocols (OpenWeb, OpenVPN, PPTP, L2TP, Cisco IPSec, SSTP, StealthVPN and RouterPro VPN) on our wiki.


Background
  • PPTP: A very basic VPN protocol based on PPP. PPTP was the first VPN protocol supported on the Microsoft Windows platform. The PPTP specification does not actually describe encryption or authentication features and relies on the PPP protocol being tunneled to implement security functionality.
  • L2TP/IPSec: An advanced protocol formally standardized in IETF RFC 3193 and now the recommended replacement for PPTP where secure data encryption is required.
  • OpenVPN: OpenVPN is an advanced open source VPN solution backed by the company 'OpenVPN technologies' and which is now the de-facto standard in the open source networking space. It uses the mature SSL/TLS encryption protocols.

Data Encryption
  • PPTP: The PPP payload is encrypted using Microsoft's Point-to-Point Encryption protocol (MPPE). MPPE implements the RSA RC4 encryption algorithm with a maximum of 128 bit session keys.
  • L2TP/IPSec: The L2TP payload is encrypted using the standardized IPSec protocol. RFC 4835 specifies either the 3DES or AES encryption algorithm for confidentiality. Astrill uses the AES algorithm with 256 bit keys. (AES256 is the first publicly accessible and open cipher approved by the NSA for top secret information.)
  • OpenVPN: OpenVPN uses the OpenSSL library to provide encryption. OpenSSL supports a number of different cryptographic algorithms such as 3DES, AES, RC5 and Blowfish. As with IPSec, Astrill.com implements the extremely secure AES algorithm with 256 bit keys.

Setup / Configuration
  • PPTP: All versions of Windows and most other operating systems, including mobile platforms, have built in support for PPTP. PPTP only requires a username, password and server address, making it incredibly simple to set up and configure.
  • L2TP/IPSec: All versions of Windows since 2000/XP and Mac OSX 10.3+ have built in support for L2TP/IPSec. Most modern mobile platforms such as iPhone and Android include built in clients.
  • OpenVPN: OpenVPN is not included in any operating system release and requires the installation of client software. The software installers are very user friendly and installation typically takes less than 5 minutes.

Speed
  • PPTP: With 128 bit keys, the encryption overhead is less compared to OpenVPN, which may make the VPN feel slightly faster than with 256 bit keys, although the difference is negligible.
  • L2TP/IPSec: L2TP/IPSec encapsulates data twice, making it less efficient and slightly slower than its rivals.
  • OpenVPN: When used in its default UDP mode, OpenVPN provides the best performance.

Ports
  • PPTP: PPTP uses TCP port 1723 and GRE (Protocol 47). PPTP can be easily blocked by restricting the GRE protocol.
  • L2TP/IPSec: L2TP/IPSec uses UDP 500 for the initial key exchange, protocol 50 for the IPSec encrypted data (ESP), UDP 1701 for the initial L2TP configuration and UDP 4500 for NAT traversal. L2TP/IPSec is easier to block than OpenVPN due to its reliance on fixed protocols and ports.
  • OpenVPN: OpenVPN can be easily configured to run on any port using either UDP or TCP. To easily bypass restrictive firewalls, OpenVPN can be configured to use TCP on port 443, which is indistinguishable from standard HTTP over SSL, making it extremely difficult to block.

Stability / Compatibility
  • PPTP: PPTP is not as reliable, nor does it recover as quickly as OpenVPN over unstable network connections. Minor compatibility issues with the GRE protocol and some routers.
  • L2TP/IPSec: L2TP/IPSec is more complex than OpenVPN and can be more difficult to configure to work reliably between devices behind NAT routers. However, as long as both the server and client support NAT traversal, there should be few issues. In practice L2TP/IPSec has shown itself to be as reliable and stable as OpenVPN for Astrill.com customers.
  • OpenVPN: Very stable and fast over wireless, cellular and other non reliable networks where packet loss and congestion is common. OpenVPN has a TCP mode for highly unreliable connections, but this mode sacrifices some speed due to the inefficiency of encapsulating TCP within TCP.

Security weaknesses
  • PPTP: The Microsoft implementation of PPTP has serious security vulnerabilities. MSCHAP-v2 is vulnerable to dictionary attack and the RC4 algorithm is subject to a bit-flipping attack. Microsoft strongly recommends upgrading to IPSec where confidentiality is a concern.
  • L2TP/IPSec: IPSec has no major vulnerabilities and is considered extremely secure when used with a secure encryption algorithm such as AES.
  • OpenVPN: OpenVPN has no major vulnerabilities and is considered extremely secure when used with a secure encryption algorithm such as AES.

Client compatibility
  • PPTP: Windows, Mac OSX, Linux, Apple iOS, Android, DD-WRT
  • L2TP/IPSec: Windows, Mac OSX, Linux, iOS, Android
  • OpenVPN: Windows, Mac, Linux, DD-WRT

Conclusion
  • PPTP: Due to the major security flaws, there is no good reason to choose PPTP other than device compatibility. If you have a device on which neither L2TP/IPsec nor OpenVPN is supported then it may be a reasonable choice. If quick setup and easy configuration are a concern then L2TP/IPsec should be considered.
  • L2TP/IPSec: L2TP/IPSec is an excellent choice but falls slightly short of OpenVPN's high performance and excellent stability. If you are using a mobile device running iOS (iPhone) or Android then it is the best choice, as OpenVPN does not currently support these platforms. Additionally, if a quick setup is required, L2TP/IPSec may be a better option, although this should not be an important consideration.
  • OpenVPN: OpenVPN is the best choice for all users of Windows, Mac OSX and Linux desktops. It is extremely fast, secure and reliable. Additionally, the Astrill.com multihop network is only available when connecting via OpenVPN. The only downside is its current lack of support for mobile devices and the requirement to install a 3rd party client.

Rating
  • PPTP: 1/5
  • L2TP/IPSec: 4/5
  • OpenVPN: 5/5
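The Ports comparison above, seen from a firewall or flow-log point of view, as an added example that is not part of the original page. The function name, labels and flow records are hypothetical and constructed; the sketch correlates flows per client/server pair to show which protocols have a fixed signature and why TCP 443 yields no verdict from ports alone.

```python
from collections import defaultdict

# IP protocol numbers: GRE (47) and ESP (50) are the values given in the table.
TCP, UDP, GRE, ESP = 6, 17, 47, 50

def classify_peers(flows):
    """Label each (client, server) pair from the set of flows seen between them.

    A flow is (client, server, ip_proto, dst_port); dst_port is None for
    GRE and ESP, which have no ports.
    """
    seen = defaultdict(set)
    for client, server, proto, port in flows:
        seen[(client, server)].add((proto, port))

    verdicts = {}
    for pair, sigs in seen.items():
        if (TCP, 1723) in sigs:
            # PPTP needs the TCP control channel and the GRE data channel.
            label = "PPTP" if (GRE, None) in sigs else "PPTP control only, no GRE"
        elif (UDP, 4500) in sigs:
            label = "IPsec with NAT traversal (L2TP/IPSec candidate)"
        elif (UDP, 500) in sigs:
            # Key exchange alone carries no data; ESP must follow it.
            label = ("IPsec (L2TP/IPSec candidate)" if (ESP, None) in sigs
                     else "IKE only, no ESP")
        elif (TCP, 443) in sigs:
            # Port and protocol match ordinary HTTPS, so no verdict from ports.
            label = "TCP 443: HTTPS or OpenVPN, not separable by port"
        else:
            label = "unclassified"
        verdicts[pair] = label
    return verdicts

# Constructed flow records (documentation address ranges), not captured traffic.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.1", TCP, 1723),
    ("192.0.2.10", "198.51.100.1", GRE, None),
    ("192.0.2.11", "198.51.100.1", TCP, 1723),   # GRE dropped upstream
    ("192.0.2.12", "198.51.100.2", UDP, 500),
    ("192.0.2.12", "198.51.100.2", ESP, None),
    ("192.0.2.13", "198.51.100.2", UDP, 500),
    ("192.0.2.13", "198.51.100.2", UDP, 4500),
    ("192.0.2.14", "198.51.100.3", TCP, 443),
]

if __name__ == "__main__":
    for pair, label in classify_peers(SAMPLE_FLOWS).items():
        print(pair, "->", label)
```

UDP 1701 is not used as a signature here because, once IPSec is established, the L2TP exchange travels inside the ESP-protected payload.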
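Why the table lists bit-flipping as an RC4 weakness, as an added example that is not part of the original page: a stream cipher used without an integrity check lets ciphertext be altered predictably, and a keyed MAC over the ciphertext is what detects it. The keys, message and helper names are constructed for illustration; this is plain RC4 on a toy message, not an MPPE implementation.

```python
import hashlib
import hmac

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: encryption and decryption are the same XOR with the keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)

def flip(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Modify ciphertext without the key: XOR in (known ^ wanted) at offset."""
    ct = bytearray(ciphertext)
    for n, (k, w) in enumerate(zip(known, wanted)):
        ct[offset + n] ^= k ^ w
    return bytes(ct)

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:  # encrypt-then-MAC
    ct = rc4(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return rc4(enc_key, ct)

# Constructed keys and message, for illustration only.
ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"
MESSAGE = b"amount=0100;to=alice"

def demo():
    forged = rc4(ENC_KEY, flip(rc4(ENC_KEY, MESSAGE), 7, b"0100", b"9100"))
    tampered = flip(seal(ENC_KEY, MAC_KEY, MESSAGE), 7, b"0100", b"9100")
    try:
        open_sealed(ENC_KEY, MAC_KEY, tampered)
    except ValueError:
        return forged, True
    return forged, False
```

`demo()` returns the plaintext the receiver would accept from the unauthenticated ciphertext, and whether the same change was rejected once the ciphertext carried a MAC.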
