Gentoo Forums :: Networking & Security
[solved] Which of these VPN protocols is the safest?

Marlo (Veteran; joined 26 Jul 2003; posts: 1591)
Posted: Thu Dec 21, 2017 1:21 pm    Post subject: [solved] Which of these VPN protocols is the safest?

Hello all,
For a VPN connection I have the choice between:
PPTP
L2TP
SSTP
IKEv2
OpenVPN UDP
OpenVPN TCP

My question is: Which of these protocols is the safest?
Is it possible to rank them in terms of security? Like 1. 2. 3.
On the Internet, there are the most diverse views on this.
Sometimes I think it's like a question of faith.

I am grateful for every hint and thank you in advance.
Ma
_________________
------------------------------------------------------------------
http://radio.garden/


Last edited by Marlo on Fri Jan 05, 2018 2:00 pm; edited 1 time in total
NeddySeagoon (Administrator; joined 05 Jul 2003; posts: 54216; location: 56N 3W)
Posted: Thu Dec 21, 2017 1:30 pm

Marlo,

VPN products usually use a combination.
L2TP provides a tunnel with no security at all, so it's used with something else to provide security.

Who will be running the remote VPN endpoint?
You need to be able to trust them, since they will be decrypting all your VPN traffic. You didn't ask about that.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Marlo (Veteran; joined 26 Jul 2003; posts: 1591)
Posted: Thu Dec 21, 2017 2:30 pm

NeddySeagoon wrote:

Who will be running the remote VPN endpoint?
You need to be able to trust them, since they will be decrypting all your VPN traffic. You didn't ask about that.

It is a commercial provider.
NeddySeagoon, I realize that the endpoint operator can see everything. I do not want to protect anything from state secret services (is this seriously possible at the present time?). I just want good protection against normal internet crime. A VPN for desktop, notebook and smartphone.

For my smartphone, I now have an SSH connection to my desktop and go from there to the internet. But that is slow. So I want to spend some money and rent a service from a VPN provider. I found a provider that offers the above protocols.
I may be able to set up these protocols, but not evaluate them professionally.

Hence my question. And thank you for your suggestion.
_________________
------------------------------------------------------------------
http://radio.garden/
1clue (Advocate; joined 05 Feb 2006; posts: 2569)
Posted: Thu Dec 21, 2017 3:04 pm

The only one of those things which is an encryption cipher is ikev2. The rest of them are protocols which may or may not be coupled with encryption.

Which cipher you use depends on who you don't trust, who (that you don't trust) has access to the route you're sending packets through, and whether the cipher is known to be hacked, or how easy it is likely to be to hack it.

The reason for the diverse opinions is that different people want to hide information from different groups, and there is no consensus as to who the biggest threat might be.

Your only way out of this is research and informed choice.
Marlo (Veteran; joined 26 Jul 2003; posts: 1591)
Posted: Thu Dec 21, 2017 5:18 pm

1clue wrote:
The only one of those things which is an encryption cipher is ikev2.

Yes, thank you. That would be a solution with Openswan or strongSwan or Libreswan? Installed on a small rented Xen VPS. The costs compared to a commercial VPN provider are the same.

I still have to find out if and how to install it on my Android before I buy something.
Thank you very much 1clue. Good idea.

Of course, the question raised by NeddySeagoon remains open.
Can I trust the endpoint provider?
_________________
------------------------------------------------------------------
http://radio.garden/
NeddySeagoon (Administrator; joined 05 Jul 2003; posts: 54216; location: 56N 3W)
Posted: Thu Dec 21, 2017 5:54 pm

Marlo,

Your Android will offer a choice. Look under Settings/Wireless & Networks. One of the options is VPN.

I get PPTP and L2TP/IPSec with various secret sharing systems.

If you want Windows compatibility you need L2TP/IPSec, probably with a Pre Shared Key (PSK).
IPSec provides the security and L2TP provides the tunnel.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
1clue (Advocate; joined 05 Feb 2006; posts: 2569)
Posted: Thu Dec 21, 2017 6:16 pm

PPTP has been tagged as unsafe by some software.

I use OpenVPN in tap mode. You said udp or tcp, that's not how it works.

OpenVPN has two main modes: TUN vs TAP.

TUN is a conventional tunnel implemented in TCP. Your client looks like a computer from another network.

TAP is an emulation of a network card on the remote network. Your client looks like a computer directly attached to the remote network. You have access to pretty much anything that a local system would have access to, unless specifically barred by firewall rules for the vpn connection.

Some software refuses to allow connections from a remote network in spite of what your firewall says. For example, IPMI server control, or ESXi management (I think) has this limit. If you use TUN you can't access those devices. If you use TAP you can.
1clue (Advocate; joined 05 Feb 2006; posts: 2569)
Posted: Thu Dec 21, 2017 6:19 pm

Marlo wrote:
1clue wrote:
The only one of those things which is an encryption cipher is ikev2.

Yes, thank you. That would be a solution with Openswan or StrongSWAN or LibreSWAN? Installed on a small rented Xen VPS . The costs to a commercial VPN provider are the same.

I still have to find out if and how to install it on my Android before I buy something.
Thank you very much 1clue. Good idea.

Of course, the question raised by NeddySeagoon remains open.
Can I trust the endpoint provider?


You need to read a bunch before you buy anything.

With most VPN arrangements you can specify what ciphers to use separately of your choice of tunnel protocols. Most people probably just use whatever the default is, which is much easier but less safe.
Marlo (Veteran; joined 26 Jul 2003; posts: 1591)
Posted: Thu Dec 21, 2017 6:27 pm

1clue wrote:

You need to read a bunch before you buy anything.


On my Android, I have installed the app "OpenVPN Connect". This is possible via TCP. But I do not yet know whether it uses TUN or TAP.
I think I have to invest more time.

Many thanks for the suggestions
_________________
------------------------------------------------------------------
http://radio.garden/
1clue (Advocate; joined 05 Feb 2006; posts: 2569)
Posted: Thu Dec 21, 2017 6:29 pm

TAP is slower.
Marlo (Veteran; joined 26 Jul 2003; posts: 1591)
Posted: Thu Dec 21, 2017 6:36 pm

Ah, here. I got it:
Code:
client
dev tun
proto tcp
remote XXX-XXXX.net 80
persist-key
persist-tun
ca ca.crt
tls-auth my.key 1
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
route-method exe
route-delay 2
route 0.0.0.0 0.0.0.0
float
auth-user-pass
auth-retry interact

_________________
------------------------------------------------------------------
http://radio.garden/
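The client config Marlo posted above, together with 1clue's remark that ciphers are chosen separately from the tunnel protocol, is a good place to show how a defender would review such a file before trusting it. The following is an added example, not code from the thread or from the OpenVPN project: a small linter that parses an OpenVPN client config and flags the settings a reviewer would question. It is run against Marlo's config (embedded verbatim, including the poster's placeholder hostname) and against a hardened variant constructed here for comparison; the directive names are real OpenVPN options, while the hardening preferences (UDP transport, no compression, an AEAD cipher, `remote-cert-tls server`, `tls-crypt`) are this example's own judgement and the hostname `vpn.example.net` is an assumption.

```python
# Added example, not code from the thread or from OpenVPN: a small linter for
# an OpenVPN client config. The directive names are real OpenVPN options; the
# hardening preferences encoded below are this example's own.

# Marlo's posted config, embedded verbatim (the hostname is the poster's placeholder).
SAMPLE_CONFIG = """\
client
dev tun
proto tcp
remote XXX-XXXX.net 80
persist-key
persist-tun
ca ca.crt
tls-auth my.key 1
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
route-method exe
route-delay 2
route 0.0.0.0 0.0.0.0
float
auth-user-pass
auth-retry interact
"""

# Constructed hardened variant (hostname is an assumption): UDP transport, no
# compression, AEAD cipher, tls-crypt instead of tls-auth, server role check.
HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
persist-key
persist-tun
ca ca.crt
tls-crypt my.key
remote-cert-tls server
cipher AES-256-GCM
verb 1
auth-user-pass
"""


def parse_config(text):
    """Return {directive: [args, ...]}, keeping every occurrence of a directive."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def lint_client_config(text):
    """Return a list of (directive, message) findings for a client config."""
    d = parse_config(text)
    findings = []

    # Transport: OpenVPN defaults to UDP when 'proto' is absent.
    proto_args = d.get("proto", [["udp"]])[0]
    proto = proto_args[0].lower() if proto_args else "udp"
    if proto.startswith("tcp"):
        findings.append(("proto", "tunnel runs over TCP; tunnelled TCP streams then "
                         "retransmit on top of the tunnel's own retransmission, prefer "
                         "'proto udp' unless a firewall forces TCP"))

    # Compressing encrypted traffic leaks plaintext-dependent length information.
    if "comp-lzo" in d or "compress" in d:
        findings.append(("comp-lzo", "compression is enabled on an encrypted tunnel; "
                         "drop the directive"))

    # Without a role check the client accepts any certificate from the CA as
    # the server, including another client's certificate.
    if "remote-cert-tls" not in d and "ns-cert-type" not in d:
        findings.append(("remote-cert-tls", "server certificate role is not checked; "
                         "add 'remote-cert-tls server'"))

    # A control-channel key lets the client drop unauthenticated packets
    # before the TLS handshake starts.
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append(("tls-auth", "no control-channel key; add 'tls-crypt' "
                         "(or 'tls-auth') to reject unauthenticated handshakes"))

    # Data-channel cipher: prefer an AEAD mode over CBC.
    cipher_args = d.get("cipher", [[]])[0]
    cipher = cipher_args[0].upper() if cipher_args else ""
    if cipher.endswith("-CBC"):
        findings.append(("cipher", f"{cipher} is not an AEAD mode; prefer AES-256-GCM"))

    return findings


if __name__ == "__main__":
    for name, cfg in (("posted config", SAMPLE_CONFIG), ("hardened config", HARDENED_CONFIG)):
        found = lint_client_config(cfg)
        print(f"== {name}: {len(found)} finding(s)")
        for directive, message in found:
            print(f"  [{directive}] {message}")
```

Run as a script, it reports four findings against the posted config (TCP transport, `comp-lzo`, missing `remote-cert-tls`, a CBC cipher) and none against the hardened variant; the `tls-auth` line in the posted config is the one control-channel protection it already has. The checks are deliberately conservative and say nothing about whether the remote endpoint operator can be trusted, which NeddySeagoon's reply points out is the larger question.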
havana8 (n00b; joined 17 Nov 2017; posts: 16)
Posted: Fri Jan 05, 2018 9:41 am

I also consider PPTP unsafe. Perhaps this article might be beneficial, as it gives you brief info on different network protocols and some of the disadvantages they have. There is also a paragraph on the perks of UDP and TCP. Personally, I would suggest using OpenVPN :)
chiefbag (Guru; joined 01 Oct 2010; posts: 542; location: The Kingdom)
Posted: Fri Jan 05, 2018 11:47 am

1clue wrote:
I use OpenVPN in tap mode. You said udp or tcp, that's not how it works.


OpenVPN can run over either UDP or TCP protocol.

TAP or TUN are the devices presented on the client/server host.
Marlo (Veteran; joined 26 Jul 2003; posts: 1591)
Posted: Fri Jan 05, 2018 1:58 pm

havana8 wrote:
... Perhaps this article might be beneficial ... I would suggest using an OpenVPN :)

Thanks havana8,
The link was very useful to me. In the meantime, I had opted for OpenVPN. :)

By the way: I did not know that 1&1 has such a good know-how page. There are many useful hints. Thanks for that too!

Ma
_________________
------------------------------------------------------------------
http://radio.garden/
1clue (Advocate; joined 05 Feb 2006; posts: 2569)
Posted: Fri Jan 05, 2018 4:12 pm

chiefbag wrote:
1clue wrote:
I use OpenVPN in tap mode. You said udp or tcp, that's not how it works.


OpenVPN can run over either UDP or TCP protocol.

TAP or TUN are the devices presented on the client/server host.


I didn't know that.

WRT UDP or TCP, I would recommend UDP then. TCP is a 'guaranteed delivery' protocol, and if a packet is dropped then the entire stream is halted until that packet can be correctly delivered. In real life situations where there is packet loss, UDP can continue happily when one packet has gone missing, the client can request that packet again while still receiving other packets.

This is regardless of what's being transferred.

Back in the 90s I worked at IBM. They had this guaranteed network protocol, I think it was called anynet or something like that. It was 'always on' supposedly under any circumstances. It was much faster to send data over regular tcp/ip, and with some experimentation we found that UDP was fastest of all but you had to code for the resending of packets yourself. The event that caused us to experiment was our "always on" network was down for like a day and a half.

Of course regular ethernet-to-ethernet without any ip addresses would be faster still, but not practical unless everything is on the same lan.
toofied (n00b; joined 26 Oct 2016; posts: 28)
Posted: Sat Jan 06, 2018 4:39 pm    Post subject: Re: [solved] Which of these VPN protocols is the safest?

Marlo wrote:
Hello@,
My question is: Which of these protocols is the safest?
Ma


OpenVPN (UDP is faster than TCP). It has recently been audited by OSTIF.

You also forgot to mention WireGuard, which is likely more secure but needs more testing in the wild.
depontius (Advocate; joined 05 May 2004; posts: 3509)
Posted: Sat Jun 23, 2018 4:26 pm

1clue wrote:
chiefbag wrote:
1clue wrote:
I use OpenVPN in tap mode. You said udp or tcp, that's not how it works.


OpenVPN can run over either UDP or TCP protocol.

TAP or TUN are the devices presented on the client/server host.


I didn't know that.

WRT UDP or TCP, I would recommend UDP then. TCP is a 'guaranteed delivery' protocol, and if a packet is dropped then the entire stream is halted until that packet can be correctly delivered. In real life situations where there is packet loss, UDP can continue happily when one packet has gone missing, the client can request that packet again while still receiving other packets.

This is regardless of what's being transferred.

Back in the 90s I worked at IBM. They had this guaranteed network protocol, I think it was called anynet or something like that. It was 'always on' supposedly under any circumstances. It was much faster to send data over regular tcp/ip, and with some experimentation we found that UDP was fastest of all but you had to code for the resending of packets yourself. The event that caused us to experiment was our "always on" network was down for like a day and a half.

Of course regular ethernet-to-ethernet without any ip addresses would be faster still, but not practical unless everything is on the same lan.


The real problem with TCP for your tunnel is that you may then be tunneling TCP through it. At that point you have two "reliable" protocols running at the same time, and they can work against each other. Run your tunnel over UDP, and then you can tunnel TCP through it without that kind of problem. I run my own OpenVPN endpoint, and have the Android OpenVPN client that can attach to it. I only route my local server traffic through it, not all of my traffic. I also have HTTPS Everywhere installed, so I count on that to keep most of my traffic safe, though of course the metadata is still exposed. I should look into routing all traffic through OpenVPN; I know it's an option.
_________________
.sigs waste space and bandwidth
krullis (n00b; joined 17 Jun 2018; posts: 5)
Posted: Sun Jun 24, 2018 7:32 am

Avoid PPTP and L2TP; they have been insecure for a long time and should not be used anymore. Even Apple has removed support for them in their OS as they are not secure.
OpenVPN should be the most secure if it's configured properly.
SSTP should be OK as well, but is only supported in Windows, I think.
szatox (Advocate; joined 27 Aug 2013; posts: 3131)
Posted: Sun Jun 24, 2018 10:05 am

L2TP is not supposed to be secure. That's why it's usually coupled with IPsec.
What's so bad about PPTP? I'm curious.