Recently on our blog we touched on data storage, or rather on technologies that may change how we think about data centers. Today we want to talk about technologies that are directly related to data transfer.
Today many people use a VPN for corporate or personal tasks, and they know that there are quite a few different VPN implementations, each with its own pros and cons. This post is a brief comparative analysis of the most common software solutions for building virtual private networks.
Before proceeding to the comparison, we outline the range of tasks that VPN solves:
- Routing packets to the specific clients they are addressed to.
- Efficient on-the-fly encryption that is not too resource-hungry, so that information never crosses the network in the clear.
- Authentication of participants when they join the network and verification of the origin of data, to keep unauthorized nodes and packets out.
Since VPN technology is primarily intended for corporate use, security, speed and stability should be the main criteria when assessing an implementation.
Today, however, VPNs are also used for simpler, everyday tasks, which makes cross-platform support and ease of setup no less important when choosing an implementation.
We will evaluate the flexibility, security, speed and stability of the following implementations:
- PPTP (Point-to-Point tunneling protocol),
- IPSec (IP Security),
- L2TP (Layer 2 Tunneling Protocol) and L2TP + IPSec,
- SSTP (Secure Socket Tunneling Protocol),
- OpenVPN.
PPTP (POINT-TO-POINT TUNNELING PROTOCOL)
PPTP was developed by a vendor consortium led by Microsoft and published as RFC 2637 in 1999; despite its age it is still in use today. It uses a TCP control connection (port 1723) and carries the tunneled PPP frames in GRE (IP protocol 47). Data is encrypted with Microsoft's MPPE protocol, which is RC4 underneath, and clients are typically authenticated with MS-CHAPv2.
PPTP's prevalence comes from easy configuration and cross-platform support: it is built into most modern operating systems by default, including mobile and router OSes. Other reasons for its popularity are minimal load on computing resources, high speed and stability.
From a security standpoint, however, PPTP has compromised itself. A large number of weaknesses have been found both in the design of MPPE (it applies the RC4 keystream with no integrity check, so an attacker on the path can flip bits of the ciphertext, and thereby of the decrypted plaintext, undetected) and in the MS-CHAPv2 authentication exchange: in 2012 Moxie Marlinspike and David Hulton showed that the handshake reduces to recovering a single DES key, and launched an online service that recovers it from a captured handshake in under 24 hours. The authentication problem can be mitigated by wrapping MS-CHAPv2 in PEAP (a TLS tunnel), but Microsoft itself now recommends L2TP/IPsec or SSTP instead.
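To make the two PPTP weaknesses concrete, here is an added example in Python (ours, not code from the original post). It implements RC4 inline, shows an on-path edit of an MPPE-style packet that the receiver cannot detect because MPPE has no integrity check, shows the same edit being rejected once an HMAC is added, and reproduces the RFC 2759 key split that makes MS-CHAPv2 crackable. The session key, MAC key and PPP payload are constructed for the demo.

```python
"""MPPE malleability and the MS-CHAPv2 key split (added example, not the post's code)."""
import hashlib
import hmac


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream), the cipher inside MPPE.
    Encryption and decryption are the same XOR operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed values: a 128-bit session key, a MAC key and a PPP payload MPPE might carry.
SESSION_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
MAC_KEY = b"constructed-mac-key"
PAYLOAD = b"TRANSFER 100 TO ACCOUNT 42"


def flip_in_transit(blob, offset, old, new):
    """On-path edit: XOR (old ^ new) into the ciphertext where 'old' is known to sit.
    No key is needed; it works against any stream cipher that lacks a MAC."""
    c = bytearray(blob)
    for k, (o, n) in enumerate(zip(old, new)):
        c[offset + k] ^= o ^ n
    return bytes(c)


def mppe_style_tamper():
    """Encrypt, tamper, decrypt. Returns what the receiver silently accepts."""
    ct = rc4(SESSION_KEY, PAYLOAD)
    ct = flip_in_transit(ct, PAYLOAD.index(b"100"), b"100", b"999")
    return rc4(SESSION_KEY, ct)


def seal(ct):
    """Encrypt-then-MAC: append HMAC-SHA256 over the ciphertext."""
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()


def verify(blob):
    """Constant-time tag check; False means the packet must be dropped."""
    ct, tag = blob[:-32], blob[-32:]
    return hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest())


def tamper_with_mac():
    """The same edit against a MAC-protected packet is detected."""
    blob = seal(rc4(SESSION_KEY, PAYLOAD))
    blob = flip_in_transit(blob, PAYLOAD.index(b"100"), b"100", b"999")
    return verify(blob)


def mschapv2_des_keys(nt_hash):
    """RFC 2759 ChallengeResponse(): the 16-byte NT hash is zero-padded to 21 bytes
    and split into three 7-byte DES keys that each encrypt the same 8-byte challenge.
    Key 3 therefore has only 2 unknown bytes (2^16 guesses), and keys 1 and 2 both
    fall to a single exhaustive DES search (2^56): that is the 2012 attack."""
    padded = nt_hash + b"\x00" * 5
    return [padded[0:7], padded[7:14], padded[14:21]]


if __name__ == "__main__":
    print(mppe_style_tamper())   # b'TRANSFER 999 TO ACCOUNT 42'
    print(tamper_with_mac())     # False
```

The point of the first half is that encryption alone says nothing about integrity: a protocol that only XORs a keystream needs a MAC (or an AEAD mode) or it is open to bit-flipping. The second half explains why no amount of cloud time is needed to guess key 3, and why the whole exchange costs one DES search.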
IPSEC (IP SECURITY)
IPsec is a suite of protocols that protects data transmitted over IP networks: it authenticates the origin of packets, verifies their integrity and encrypts them. IPsec can operate in transport and tunnel modes. In transport mode only the payload of the packet is protected and the original IP header is kept; in tunnel mode the entire original packet, header included, is protected and encapsulated in the data field of a new IP packet.
When building VPNs, IPsec transport mode is used in combination with other tunneling protocols (usually L2TP), while tunnel mode on its own is a way of creating a VPN tunnel.
IPsec security is provided by a family of protocols and algorithms: IKE (Internet Key Exchange) and ISAKMP (Internet Security Association and Key Management Protocol) for negotiating security associations and keys (IKE's authenticated Diffie-Hellman exchange descends from the STS, Station-to-Station, protocol), AH (Authentication Header) for integrity and origin authentication, ESP (Encapsulating Security Payload) for encryption with optional integrity, and the underlying primitives such as HMAC over SHA-1 (Secure Hash Algorithm) or SHA-2 and ciphers such as AES and 3DES.
A peculiarity of IPsec that sets it somewhat apart from the usual definition of a VPN is that it does not create an additional virtual network adapter in the system but works through the standard external interface; strictly speaking it is not an implementation of virtual-private-network technology at all but a mechanism for protecting IP packets against spoofing and eavesdropping. Building virtual tunnels is more of a "side" property.
IPsec is supported by all modern operating systems (server, desktop, mobile) and by many routers; when a VPN is set up on a router, nothing needs to be changed on the clients behind it. Thanks to these features, IPsec is considered one of the best VPN deployment options.
It has not been free of problems, however. Attacks aimed at the ISAKMP/IKE negotiation are known (they concern the key exchange, so they apply in both modes). When ESP is used without integrity protection (encryption-only ESP, with neither AH nor ESP authentication), an attacker can modify or inject data into transmitted packets, with obvious consequences for the recipient. An attack that redirects the route of transmitted packets is also known, and attacks have been published that decrypt IPsec traffic by exploiting IKE weaknesses. The practical rule is to always enable integrity protection (authenticated ESP, for example AES-GCM), to prefer IKEv2 with strong peer authentication, and to keep the IKE daemon patched.
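The following added example (ours, not from the original post) builds the two ESP layouts in Python to show what an on-path observer sees in each mode. The IPv4 header and the RFC 4303 ESP framing (SPI, sequence number, padding, pad-length and next-header bytes, ICV) are real; the cipher is a SHA-256 counter-mode keystream standing in for whatever transform the security association would negotiate, and the addresses and key are constructed.

```python
"""ESP transport vs tunnel mode, RFC 4303 layout (added example, not the post's code)."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4    # next-header value for an encapsulated IPv4 packet (tunnel mode)
IPPROTO_UDP = 17
IPPROTO_ESP = 50
ICV_LEN = 16        # truncated HMAC-SHA256 integrity check value


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", (~total) & 0xFFFF) + hdr[12:]


def keystream(key, spi, seq, n):
    """Stand-in for the negotiated ESP cipher: SHA-256 in counter mode, bound to
    (SPI, sequence number) so that every packet gets a distinct keystream."""
    out = b""
    block = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, block)).digest()
        block += 1
    return out[:n]


def esp_encapsulate(key, spi, seq, inner, next_header):
    """SPI | Seq | enc(inner | padding | pad_len | next_header) | ICV.
    Padding makes the pad_len/next_header pair end on a 4-byte boundary."""
    pad_len = (-(len(inner) + 2)) % 4
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    enc = bytes(a ^ b for a, b in zip(plain, keystream(key, spi, seq, len(plain))))
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, hdr + enc, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + enc + icv


def esp_decapsulate(key, esp):
    """Verify the ICV first, then decrypt and strip the trailer. Returns (inner, next_header)."""
    hdr, enc, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, hdr + enc, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified or wrong SA")
    spi, seq = struct.unpack("!II", hdr)
    plain = bytes(a ^ b for a, b in zip(enc, keystream(key, spi, seq, len(enc))))
    pad_len, next_header = plain[-2], plain[-1]
    return plain[:len(plain) - 2 - pad_len], next_header


def transport_mode(key, spi, seq, src, dst, proto, payload):
    """Original IP header stays in the clear; only the transport payload is protected."""
    esp = esp_encapsulate(key, spi, seq, payload, proto)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(key, spi, seq, gw_src, gw_dst, original_packet):
    """Whole original packet, header included, is protected behind a new outer
    header that only names the two gateways."""
    esp = esp_encapsulate(key, spi, seq, original_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def observer_view(packet):
    """What an on-path observer learns from the outer header: (src, dst, protocol)."""
    return str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20])), packet[9]


# Constructed addresses (RFC 5737 documentation ranges) and key.
KEY = b"constructed-esp-key"
HOST_A, HOST_B = "10.0.1.10", "10.0.2.20"
GW_A, GW_B = "203.0.113.1", "198.51.100.1"
INNER_PACKET = ipv4_header(HOST_A, HOST_B, IPPROTO_UDP, 12) + b"hello, peer!"


def compare_modes():
    """Transport mode exposes the real hosts; tunnel mode exposes only the gateways."""
    t = transport_mode(KEY, 0x1000, 1, HOST_A, HOST_B, IPPROTO_UDP, b"hello, peer!")
    u = tunnel_mode(KEY, 0x2000, 1, GW_A, GW_B, INNER_PACKET)
    return observer_view(t), observer_view(u)


if __name__ == "__main__":
    print(compare_modes())
```

Two details worth noticing: the next-header byte is what tells the receiver whether the decrypted bytes are a UDP segment (transport) or a complete IP packet to be routed again (tunnel), and the ICV is checked before anything is decrypted, which is the behaviour the "encryption-only ESP" deployments discussed below give up.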
L2TP (LAYER 2 TUNNELING PROTOCOL)
L2TP is a tunneling protocol for virtual private networks. It is a merger of Cisco's L2F (Layer 2 Forwarding) and the PPTP described above. It lets you build VPNs with differentiated access rights, but it has one drawback: it provides no encryption (or integrity protection) of its own.
Confidentiality and integrity of the L2TP packets inside the tunnel are left to the layer beneath it, so all traffic passing through the tunnel has to be encrypted at the packet level. IPsec (ESP in transport mode) is normally used for this, hence the common L2TP/IPsec bundle.
L2TP/IPsec is present in all modern operating systems and is easy to configure on the client side. Bear in mind, though, that the bundle relies on UDP 500 (IKE), UDP 4500 (NAT traversal) and ESP (IP protocol 50), with L2TP itself on UDP 1701 inside the protected channel; NAT devices and firewalls sometimes block some of these. Additional firewall or router configuration (port forwarding) may therefore be required, which solutions running over the standard HTTPS port TCP 443 avoid.
L2TP/IPsec is currently considered a very secure solution when strong ciphers such as AES are used, but since it encapsulates the data twice it is somewhat slower than SSL/TLS-based implementations (for example OpenVPN or SSTP).
In terms of stability, L2TP/IPsec deserves an excellent mark. Its downside is the extra CPU time and bandwidth spent on double encapsulation (PPP inside L2TP inside ESP), even though the payload itself is encrypted only once, by ESP.
SSTP (SECURE SOCKET TUNNELING PROTOCOL)
Secure Socket Tunneling Protocol is another Microsoft creation, introduced with Windows Vista SP1 and Windows Server 2008. Today not only Windows Server 2008/2012 but also a Linux machine (for example SoftEther or accel-ppp) or a RouterOS device can act as an SSTP server, although in those cases the solution cannot be called fully featured.
Because SSTP runs over SSL/TLS on TCP port 443, it works without reconfiguring routers or firewalls, and Windows integration simplifies setup and keeps it stable. Encryption is provided by the negotiated TLS cipher suite, in practice AES. Note that SSL 3.0, which the protocol was originally specified over, is now broken (POODLE) and should be disabled; current Windows versions negotiate TLS for SSTP instead.
Although SSTP has many advantages and is still a young, evolving technology, it works best on Windows networks; elsewhere you may run into limitations.
OPENVPN
OpenVPN is a relatively young (first released in 2001) open-source VPN implementation distributed under the GNU GPL. The security of its tunnels rests on the OpenSSL library, which offers a wide choice of ciphers (Blowfish, AES, Camellia, 3DES, CAST). Note that Blowfish (BF-CBC), the historical default, has a 64-bit block and has been deprecated since OpenVPN 2.4 (SWEET32); AES-GCM is the current recommendation. OpenVPN's speed depends on the chosen algorithm, but as a rule this implementation is faster and uses fewer resources than L2TP/IPsec.
Another significant advantage of OpenVPN is that it can pass through NAT and firewalls without extra configuration by running over the standard HTTPS port TCP 443, thanks to its SSL/TLS encapsulation. UDP is also supported and is the default.
TCP gives more reliable delivery but higher latency than UDP, which wins on speed because it does not acknowledge every packet; running TCP inside a TCP tunnel also means two retransmission mechanisms fight each other under packet loss (the TCP-over-TCP problem). Over TCP, OpenVPN is the slowest implementation presented here.
OpenVPN also offers LZO data compression, but compressing traffic before encrypting it leaks information about the plaintext (the VORACLE attack of 2018), so compression is deprecated in current versions and is best left off. Thanks to its wide configuration options and support for most OSes, OpenVPN has become a very popular solution. The only caveat is that a separate client has to be installed.
OpenVPN's flexibility has one downside: the initial configuration can be tedious. This is solved by preparing pre-configured client packages (a single profile with inline certificates and keys) or, for example, by using OpenVPN Access Server.
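As an added example (ours, not the OpenVPN project's code), the Python audit below parses a server configuration and flags the settings discussed in this section: deprecated ciphers, compression, a missing tls-crypt/tls-auth key, an old TLS floor, and TCP transport. Both configurations it checks are constructed, and the file names in them are placeholders.

```python
"""Audit an OpenVPN server config for the weak settings discussed above (added example)."""
import re

# 64-bit-block or otherwise retired ciphers (SWEET32), and "none".
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}
WEAK_AUTH = {"MD5", "SHA1", "NONE"}
COMPRESSION_ALGS = {"lzo", "lz4", "lz4-v2"}


def parse_openvpn(text):
    """Directive -> list of argument lists. Comment lines start with '#' or ';';
    <tag>...</tag> inline blocks are recorded as a single '<inline>' argument."""
    opts = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == "</%s>" % in_block:
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<(\w[\w-]*)>", line)
        if m:
            in_block = m.group(1)
            opts.setdefault(in_block, []).append(["<inline>"])
            continue
        parts = re.split(r"\s[#;]", line, maxsplit=1)[0].split()
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def audit(text):
    """Return (severity, message) findings for a server config."""
    opts = parse_openvpn(text)

    def first(name):
        return opts.get(name, [[]])[0]

    findings = []
    cipher = first("cipher")
    if not cipher:
        findings.append(("HIGH", "cipher: not set; OpenVPN before 2.5 then defaults to BF-CBC"))
    elif cipher[0].upper() in WEAK_CIPHERS:
        findings.append(("HIGH", "cipher: %s is deprecated; use AES-256-GCM (plus data-ciphers on 2.5+)" % cipher[0]))
    auth = first("auth")
    if auth and auth[0].upper() in WEAK_AUTH:
        findings.append(("MEDIUM", "auth: %s is weak; use SHA256 (it still protects the control channel with GCM)" % auth[0]))
    compress = first("compress")
    if "comp-lzo" in opts or (compress and compress[0] in COMPRESSION_ALGS):
        findings.append(("HIGH", "compression enabled: compressing before encryption leaks plaintext (VORACLE); remove it"))
    if not any(k in opts for k in ("tls-crypt", "tls-crypt-v2", "tls-auth")):
        findings.append(("MEDIUM", "no tls-crypt/tls-auth: anyone can start a TLS handshake with the server"))
    tls_min = first("tls-version-min")
    if not tls_min or float(tls_min[0]) < 1.2:
        findings.append(("MEDIUM", "tls-version-min: require 1.2 or newer"))
    proto = first("proto")
    if proto and proto[0].startswith("tcp"):
        findings.append(("INFO", "proto tcp: TCP-in-TCP adds latency; use only where UDP is blocked and 443/TCP is needed"))
    return findings


# Constructed configs: the first repeats an old 2.3-era setup, the second is the hardened form.
WEAK_CONF = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
cipher BF-CBC
auth SHA1
comp-lzo
keepalive 10 120
"""

HARDENED_CONF = """
port 443             # HTTPS port, to cross restrictive firewalls
proto tcp
dev tun
<ca>
# constructed placeholder; a real file carries the PEM CA certificate here
</ca>
cert server.crt
key server.key
dh none              # ECDH only
server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-crypt tc.key
tls-version-min 1.2
keepalive 10 120
"""


def audit_both():
    return audit(WEAK_CONF), audit(HARDENED_CONF)


if __name__ == "__main__":
    for name, findings in zip(("weak", "hardened"), audit_both()):
        print(name, findings)
```

The hardened config still produces one INFO line for `proto tcp`; that is deliberate, since TCP on port 443 is a firewall-traversal trade-off rather than a security flaw, and the audit should say so rather than stay silent.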
Among our manuals you will find step-by-step instructions on how to configure an OpenVPN server on Ubuntu/Debian, CentOS and Windows. To deploy a virtual private network you can use our cloud VPS server. This implementation also provides a number of additional private-network security features; an overview of the main ones is in our knowledge base.
To summarize this short article: PPTP is stable and easy to use but very vulnerable, so it suits only situations in which tunnel privacy is not important. Where it is, the L2TP/IPsec bundle keeps PPTP's advantages while offering a significantly higher level of security.
IPsec can work with a large number of encryption and authentication algorithms for VPNs, although in itself it is not an implementation of virtual-private-network technology but a protocol stack for protecting IP packets in transit. At the same time, IPsec is well suited to deploying a virtual private network built for security.
Previously IPsec was, as a rule, combined with L2TP for this purpose, but the situation is beginning to change: IKEv2-based IPsec VPNs without an L2TP layer are now built into Windows, macOS and iOS. Overall, the broad capabilities of IPsec make it one of the best VPN solutions.
L2TP in combination with IPsec does well both in security and in compatibility with popular operating systems, although additional port configuration may be needed. Its second minus is double encapsulation, which slows the tunnel down.
SSTP is convenient to configure, stable and quite secure, but it is a Microsoft product, so it is strongly tied to Windows; on other systems its functionality is often less attractive.
OpenVPN can be called a very reasonable choice thanks to its balance of speed (UDP by default), stability (especially over TCP), configuration flexibility, cross-platform support (clients for most modern OSes) and security (access to the full OpenSSL toolkit).
The wide possibilities do come with a drawback: compared with other implementations the initial setup can be harder. This is partly mitigated by standard configurations and by the server's ability to push most connection parameters to clients. One way or another, OpenVPN seems to us the most balanced software solution.
To add a VPN to your infrastructure you can use one of the numerous VPN providers, but that is usually expensive, especially if a large number of clients need to connect, and you are forced to entrust your corporate or personal data to the provider.
A more reliable and flexible option is to set up your own VPN on a physical or virtual server (VPS/VDS). For example, you can build an OpenVPN virtual private network following one of our step-by-step guides (Windows, Linux) on a cloud VPS/VDS server from 1cloud.
The minimum server configuration is sufficient for this task, and the monthly cost is below the market average for providing a VPN to several devices. This solution also scales easily with the current load on the virtual private network.