Such a different VPN. Analyze alternative VPN protocols.

Carder

Ideally, a VPN protocol should be secure, functional, and fast. But there is one more factor: popularity. An unpopular protocol is harder to deploy and maintain: its software has to be installed and configured, and users and administrators have to be trained.

Sometimes protocols become popular despite their technical shortcomings, simply because a large company promotes them aggressively. Sometimes, on the contrary, a protocol from independent developers solves a problem pressing enough for some group of users that it gains popularity on its own. That is what happened with OpenVPN and WireGuard.

Some protocols are losing popularity. Some never become widely known, sometimes deservedly, sometimes not. In this article we will look at several such protocols.

PPTP

The Point-to-Point Tunneling Protocol (PPTP) has quite rightly been relegated to the back burner. I would like to believe that younger readers have not encountered it yet, but ten years ago it was a textbook example of an undeservedly popular protocol.

Its popularity was guaranteed by the monopoly of its developer, Microsoft. From the mid-nineties to the late 2000s the vast majority of client devices were Windows computers, and a client built into Windows automatically made the protocol at least widespread.

Microsoft would not be Microsoft if it had not used this to maintain and strengthen its monopoly position. PPTP used standard PPP and GRE for data transport, but a non-standard, proprietary set of protocols for authentication and encryption: MPPE (Microsoft Point-to-Point Encryption) and MS-CHAP.

Because of this, free implementations of both PPTP clients and servers were once as much of a sore subject as GIF and MP3. Then the patents expired, and poptop for Linux and MPD for FreeBSD became popular alternatives to the proprietary products.

The warnings about home-grown cryptography, however, were well founded. The security estimates for MPPE and MS-CHAP were lowered again and again, and in 2012 the protocol was definitively discredited: researchers showed that breaking MS-CHAPv2 reduces to a brute-force search of a single 56-bit DES key, so the authentication is no stronger than DES. Since MPPE derives its RC4 keys from the same password hash, recovering that hash also lets an attacker decrypt captured sessions. After that PPTP could no longer be regarded as a secure protocol, and it quickly lost the last remnants of its popularity.

Should I use PPTP?

No. Its use is strongly discouraged.

SSTP

SSTP (Secure Socket Tunneling Protocol) is Microsoft's second attempt at a VPN protocol of its own. This time they did not invent their own cryptography but used standard SSL/TLS, and they no longer obstruct free implementations.

SSTP is PPP over HTTPS. The obvious advantage is that it passes through NAT without trouble and, in theory, even through an HTTP proxy. The advantage is hardly unique, though: OpenVPN could run over TCP/443 long before that.

OpenVPN, however, uses UDP by default rather than TCP for a reason. Tunnelling TCP inside TCP has serious performance problems (the inner and outer congestion-control loops fight each other, the so-called TCP meltdown), and such tunnels can be many times slower on the same hardware. SSTP, being PPP over HTTPS, always runs over TCP and so carries this cost by design.

Windows has had a built-in client since Windows Vista SP1. For Linux there are client implementations and NetworkManager plugins. There are also third-party clients for macOS, such as EasySSTP. On mobile devices you will likewise have to find and install a third-party app.

If you need to deploy an SSTP server, free projects such as accel-ppp and SoftEther support it.

Should I use SSTP?

Only if corporate policy forces you to.

SOFTETHER

SoftEther is a multi-protocol VPN server, comparable to MPD or accel-ppp. It supports L2TP/IPsec, PPTP, SSTP, OpenVPN and the non-standard SoftEther protocol of the same name. It is a fairly young project: the first version was released in 2014.

The SoftEther protocol is Ethernet over HTTPS. Since standard SSL/TLS handles encryption and authentication, its security raises no particular questions.

The authors claim performance ten times higher than OpenVPN. It is hard to believe, but I have no opportunity to verify their claims. The client is available only for Linux and Windows, so on other platforms you will have to use the other protocols.

Should I use SoftEther?

If the authors' performance claims are correct, perhaps you should.

OPENCONNECT

The term "SSL VPN" without context is used often but means nothing by itself. "Supports SSL VPN" can mean SSTP, OpenVPN, or one of many mutually incompatible proprietary protocols.

Almost every vendor has its own protocol: Cisco AnyConnect, Juniper Pulse Connect and Palo Alto GlobalProtect, for example. If a client for such a protocol is widely deployed in your organization, replacing the VPN concentrator hardware can be very difficult, which is exactly what the vendors are trying to achieve.

The free OpenConnect project provides a client for the Cisco, Juniper/Pulse and Palo Alto protocols, and a server, ocserv, that implements the AnyConnect-compatible protocol. The OpenConnect client runs on Windows and many UNIX-like systems: not only Linux and macOS, but also the BSDs and even Solaris.

An ocserv server can save an organization a lot of money, since proprietary implementations of these protocols are often licensed per user.

Should I use OpenConnect?

If your organization has adopted one of these protocols and is now unhappy about it, definitely. None of these protocols is protected by patents (and there is not much in them to patent), so the only real risk to the project's existence is a trademark lawsuit. Registered trademarks do not appear in the project name, so that risk is low. Besides, the project has existed since 2009, and so far none of the vendors has sued the authors.

VARIATIONS ON THE IPSEC THEME

IPsec would seem to be the most standardized protocol of all, supported by every network equipment vendor. But a standardized protocol cannot lure users into the vendor lock-in trap, so proprietary variations on the IPsec theme are invented regularly.

Sometimes they solve a real problem that is hard to solve with plain IPsec. Cisco GETVPN (Group Encrypted Transport VPN), for example, simplifies deploying a secure network for MPLS users, since MPLS itself offers no protection against traffic interception.

In other cases, as with EZVPN, vendors try to win users over with configuration that is easier than "normal" IPsec.

Should I use proprietary variations of IPsec?

If the prospect of being permanently tied to one vendor does not scare you... In the case of EZVPN, for example, some devices support only the server side and some only the client side, so the choice may even be limited to a specific model.

CLIENT-SIDE IPSEC

Speaking of IPsec: it is usually used for fixed site-to-site tunnels, or as a secure transport for another protocol such as L2TP. The old IKEv1 protocol was indeed poorly suited to client (remote access) connections. Modern IKEv2, however, copes much better, and native support for this kind of tunnel is available on all systems, including Windows, macOS and mobile devices.

There are no problems with free server implementations either: strongSwan officially supports client connections.

Should I use client-side IPsec?

If you are setting up a server from scratch and want built-in client support in all common operating systems, this option is definitely worth considering alongside L2TP/IPsec.

TINC

Most VPN protocols rely on point-to-point or star topologies; mesh networks are still a fairly exotic scenario. Nevertheless, protocols for this purpose exist and are being developed. The tinc project has been developed since 1998, which makes it older than OpenVPN, whose first version was released in 2001. It supports Windows and all UNIX-like operating systems, but there are no versions for mobile OSes.

Its main feature is automatic construction of a mesh network. Even with many nodes, traffic between them is sent directly rather than through a central server. This could make tinc a working alternative to Dynamic Multipoint VPN (DMVPN) and the GETVPN mentioned above for enterprise networks. Well, it could, if network hardware vendors and the popular free network operating systems supported it.

Should I use tinc?

At the very least it will definitely be interesting to experiment with.

CONCLUSION

There are a great many VPN protocols in the world. Even if you prefer to use only the most popular ones, knowing about the others is not useless: your choice will be better informed.

Understand VPN protocols

To begin with, a few general remarks about VPNs. There are several scenarios for using a VPN; the most common are:
  • building a secure channel between two or more remote network segments (for example, between offices in Moscow and Nizhny Novgorod);
  • connecting a remote employee to the corporate network (by now almost every office employee knows about this);
  • changing your apparent location through a VPN provider (requires the least effort to set up, but all your traffic passes through someone else's server).
To implement these scenarios there are various VPN protocols for establishing the connection, encrypting the traffic, and so on, and on top of a suitable protocol you can "build" your own solution. The two best-known and most widely used protocols are OpenVPN and IPsec; more recently WireGuard appeared, which caused some controversy. There are also older alternatives that are outdated but still capable of solving certain tasks.

Which VPN protocol is preferable depends on a number of factors and conditions of use:

Devices: different devices support different protocols.

Network: if certain services are unavailable in your location, some protocols may not be suitable. For example, only some VPN providers work in China, while most are blocked.

Performance: some protocols perform better, especially on mobile devices; others are more convenient for large networks.

Threat model: some protocols are less secure than others, so attackers can affect them in different ways.

With the general part done, we move on to a detailed description and comparison of the protocols.

PPTP
Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN protocols still in use; it was originally developed by Microsoft.

PPTP uses two connections: one for control, the other for encapsulating the data. The first runs over TCP, with the server listening on port 1723. The second uses GRE, which is a transport protocol in its own right (that is, it replaces TCP/UDP and has no port numbers). This prevents clients behind NAT from connecting to the server, because a NAT device has no port with which to tell sessions apart. However, the GRE variant PPTP uses (enhanced GRE, RFC 2637) carries a Call ID in its header, so a NAT device that tracks Call IDs can match GRE traffic flowing from an internal client to an external server and back. This allows clients behind NAT to use GRE and establish a PPTP session; the technique is called VPN passthrough and is supported by a large number of modern consumer network devices.
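To make the Call ID mechanism concrete, here is an added example (not from the original article) that encodes and parses the enhanced GRE header PPTP uses (RFC 2637) and models the per-Call-ID mapping table a NAT gateway keeps for VPN passthrough. The packets and addresses are constructed inline; the inspection of the TCP/1723 control channel through which a real gateway learns the Call IDs is assumed rather than modelled, and the names `PptpGre`, `PptpNat`, `build_pptp_gre` and `parse_pptp_gre` are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GRE_PROTO_PPP = 0x880B            # protocol type of PPTP's enhanced GRE (RFC 2637)
FLAG_K, FLAG_S, FLAG_A = 0x2000, 0x1000, 0x0080   # key (Call ID), sequence, ack present
GRE_VERSION = 1                   # enhanced GRE; plain GRE (RFC 2784) is version 0


@dataclass
class PptpGre:
    call_id: int                  # the *peer's* Call ID of the PPTP session
    seq: Optional[int]
    ack: Optional[int]
    payload: bytes                # the encapsulated PPP frame


def build_pptp_gre(call_id: int, payload: bytes,
                   seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Encapsulate a PPP frame in enhanced GRE (RFC 2637 section 4):
    flags/version(2) | protocol(2) | payload length(2) | Call ID(2) | [seq(4)] | [ack(4)] | payload"""
    flags = FLAG_K | GRE_VERSION
    tail = b""
    if seq is not None:
        flags |= FLAG_S
        tail += struct.pack("!I", seq)
    if ack is not None:
        flags |= FLAG_A
        tail += struct.pack("!I", ack)
    return struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id) + tail + payload


def parse_pptp_gre(pkt: bytes) -> PptpGre:
    """Parse an enhanced GRE packet, rejecting anything that is not PPTP."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if (flags & 0x7) != GRE_VERSION or proto != GRE_PROTO_PPP or not flags & FLAG_K:
        raise ValueError("not PPTP enhanced GRE")
    off, seq, ack = 8, None, None
    if flags & FLAG_S:
        seq, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if flags & FLAG_A:
        ack, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    payload = pkt[off:off + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated payload")
    return PptpGre(call_id, seq, ack, payload)


class PptpNat:
    """Call-ID table a NAT gateway needs for PPTP 'VPN passthrough'.

    GRE has no ports, so in server->client packets the only session identifier is the
    client's Call ID in the GRE key field.  A real gateway learns the IDs by inspecting
    the TCP/1723 control channel (assumed here, not modelled) and must rewrite the ID
    both there and in GRE when two inside clients chose the same ID toward one server.
    """

    def __init__(self) -> None:
        # (server_ip, Call ID as seen on the outside) -> (client_ip, Call ID the client uses)
        self.inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def register(self, client_ip: str, client_call_id: int, server_ip: str) -> int:
        """Reserve an outside Call ID for this session; returns the ID the server will see."""
        ext = client_call_id
        while (server_ip, ext) in self.inbound:        # collision: pick another 16-bit ID
            ext = (ext + 1) & 0xFFFF
        self.inbound[(server_ip, ext)] = (client_ip, client_call_id)
        return ext

    def translate_inbound(self, server_ip: str, pkt: bytes) -> Tuple[str, bytes]:
        """Map a GRE packet from server_ip to the inside client, restoring its Call ID."""
        gre = parse_pptp_gre(pkt)
        if (server_ip, gre.call_id) not in self.inbound:
            raise LookupError("no PPTP session for this Call ID; drop the packet")
        client_ip, internal_id = self.inbound[(server_ip, gre.call_id)]
        return client_ip, pkt[:6] + struct.pack("!H", internal_id) + pkt[8:]


if __name__ == "__main__":
    # Constructed sample: two inside clients both picked Call ID 7 toward the same server.
    nat = PptpNat()
    print(nat.register("10.0.0.2", 7, "203.0.113.5"))    # 7
    print(nat.register("10.0.0.3", 7, "203.0.113.5"))    # 8, rewritten to avoid the collision
    ppp_lcp = b"\xff\x03\xc0\x21"                         # constructed start of a PPP/LCP frame
    client, fixed = nat.translate_inbound("203.0.113.5", build_pptp_gre(8, ppp_lcp, seq=1))
    print(client, parse_pptp_gre(fixed))
```

The collision case is why a gateway cannot get away with a stateless "forward all GRE to the one PPTP client" rule once more than one inside host uses PPTP: without Call ID rewriting the second session either fails or receives the first session's frames.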

PPTP is supported natively on all versions of Windows and on many other operating systems, although Apple removed it from macOS Sierra and iOS 10. Despite its relatively high speed, PPTP is not very reliable: after a dropped connection it does not recover as quickly as, for example, OpenVPN.

PPTP is now essentially deprecated, and Microsoft itself recommends other VPN solutions. We also do not recommend PPTP if security and privacy matter to you.

If you only use a VPN to unblock content, PPTP will do the job, but again, there are more secure options you should look at first.

SSTP
Secure Socket Tunneling Protocol (SSTP) is a proprietary Microsoft protocol. Like PPTP, it is not widely used in the VPN industry, but unlike PPTP it has not been found to have serious security problems.

SSTP sends traffic over SSL/TLS on TCP port 443, which makes it useful in restricted networks, for instance if you need a VPN in China. Although SSTP is also available on Linux, RouterOS and SEIL, it is still used mostly on Windows.

In terms of performance SSTP is fast, stable and secure. Unfortunately very few VPN providers support it.

SSTP can help when other VPN protocols are blocked, but again, OpenVPN (if available) is the better choice.

IPsec
Internet Protocol Security (IPsec) is a set of protocols for protecting data transmitted over an IP network. Unlike SSL/TLS, which works above the transport layer, IPsec works at the network layer and is built into many operating systems, so it can be used without third-party applications (unlike OpenVPN).

IPsec has become very popular in combination with L2TP or IKEv2, as discussed below.

IPsec protects IP packets with two protocols:
  • Authentication Header (AH, IP protocol 51), which adds a keyed integrity check (a MAC, not a digital signature) over the packet, including the immutable fields of the outer IP header, but provides no confidentiality;
  • Encapsulating Security Payload (ESP, IP protocol 50), which provides confidentiality, integrity and authentication of the payload; in tunnel mode the entire original IP packet is encapsulated and encrypted.
In practice almost all VPN deployments use ESP alone, with replay protection based on the ESP sequence number.
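As an added example (not part of the original text), the following Python models one ESP Security Association with NULL encryption (RFC 2410) and HMAC-SHA-256-128 integrity (RFC 4868): enough to show the ESP header and trailer layout, what the ICV covers, and how the anti-replay window of RFC 4303 accepts reordered packets while rejecting replays and packets older than the window. NULL encryption is used only so the example runs with the standard library; the key, SPI and inner packets are constructed, and the class name `EspSa` is this example's own.

```python
import hashlib
import hmac
import struct


class EspSa:
    """One ESP Security Association (RFC 4303) with NULL encryption and HMAC-SHA-256-128.

    Wire layout (carried directly in IP as protocol 50, so there are no ports):
        SPI(4) | Seq(4) | payload | padding | Pad Length(1) | Next Header(1) | ICV(16)
    The ICV covers everything from the SPI to the Next Header byte and never the outer
    IP header; the sequence number is what lets the receiver detect replays.
    """
    ICV_LEN = 16
    WINDOW = 64               # anti-replay window; RFC 4303 requires at least 32

    def __init__(self, spi: int, auth_key: bytes) -> None:
        self.spi = spi
        self.key = auth_key   # constructed shared integrity key (IKE would negotiate it)
        self.seq_out = 0
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (highest - i) already seen

    def _icv(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()[:self.ICV_LEN]

    # ---- sender side -------------------------------------------------------------
    def encapsulate(self, inner_packet: bytes, next_header: int = 4) -> bytes:
        """Wrap an inner packet (next_header=4 means IPv4, i.e. tunnel mode) in ESP."""
        self.seq_out += 1
        pad_len = (-(len(inner_packet) + 2)) % 4          # trailer must end on a 4-byte boundary
        padding = bytes(range(1, pad_len + 1))            # RFC 4303 default padding 1, 2, 3, ...
        body = (struct.pack("!II", self.spi, self.seq_out) + inner_packet
                + padding + bytes([pad_len, next_header]))
        return body + self._icv(body)

    # ---- receiver side -----------------------------------------------------------
    def _replay_ok(self, seq: int) -> bool:
        if seq == 0:
            return False                                  # sequence numbers start at 1
        if seq > self.highest:
            return True                                   # newer than anything seen
        behind = self.highest - seq
        return behind < self.WINDOW and not (self.bitmap >> behind) & 1

    def _replay_update(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def decapsulate(self, esp: bytes) -> bytes:
        """Verify and unwrap one ESP packet; raises ValueError on tampering or replay."""
        if len(esp) < 8 + 2 + self.ICV_LEN:
            raise ValueError("short ESP packet")
        body, icv = esp[:-self.ICV_LEN], esp[-self.ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if not self._replay_ok(seq):                      # cheap check before the MAC
            raise ValueError("replayed or too-old sequence number")
        if not hmac.compare_digest(icv, self._icv(body)):
            raise ValueError("bad ICV")
        self._replay_update(seq)                          # only after the ICV verified
        pad_len = body[-2]
        if pad_len > len(body) - 10 or body[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
            raise ValueError("bad padding")
        return body[8:len(body) - 2 - pad_len]


if __name__ == "__main__":
    key = bytes(range(32))                                # constructed key
    tx, rx = EspSa(0x1001, key), EspSa(0x1001, key)
    p1, p2 = tx.encapsulate(b"inner packet 1"), tx.encapsulate(b"inner packet 2")
    print(rx.decapsulate(p2))                             # arrives first: accepted
    print(rx.decapsulate(p1))                             # late but inside the window: accepted
    for bad in (p1, p2[:-1] + bytes([p2[-1] ^ 1])):       # replay, then a corrupted ICV
        try:
            rx.decapsulate(bad)
        except ValueError as e:
            print("rejected:", e)
```

Two ordering details matter for a real implementation and are kept here: the window is consulted before the MAC (so a flood of replays costs no HMAC work) but updated only after the MAC verifies (so an attacker cannot advance the window with forged sequence numbers), and the ICV is compared with a constant-time function.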
A discussion of IPsec would be incomplete without mentioning the leaked US National Security Agency presentation that discusses the IPsec protocols (L2TP and IKE). It is hard to draw definite conclusions from the vague references in it, but if your threat model includes targeted surveillance by curious foreign colleagues, this is a reason to consider other options. Still, the IPsec protocols are considered secure when implemented properly.

Now we will look at how IPsec is used together with L2TP and IKEv2.

L2TP/IPsec
The Layer 2 Tunneling Protocol (L2TP) was first proposed in 1999 as a successor to L2F (Cisco) and PPTP (Microsoft). Since L2TP itself provides neither encryption nor authentication, IPsec is commonly used with it. L2TP over IPsec is supported by many operating systems and is standardized in RFC 3193.

L2TP/IPsec is considered secure and has no major known problems (it is much safer than PPTP). It can use 3DES or AES; since 3DES is now considered a weak cipher, it is rarely used.

L2TP/IPsec sometimes has connectivity problems because several things must pass the firewall: UDP port 500 (IKE), UDP port 4500 (NAT traversal) and IP protocol 50 (ESP); L2TP itself runs on UDP port 1701 inside the IPsec tunnel. Some firewalls block one or more of these.

L2TP/IPsec protects transmitted data well, is easy to configure and is supported by all modern operating systems. However, it encapsulates the data twice (L2TP inside ESP), which makes it less efficient and slower than other VPN protocols.

IKEv2/IPsec
Internet Key Exchange version 2 (IKEv2) is the IPsec key-management protocol that performs mutual authentication and creates and maintains Security Associations (SAs); it is standardized in RFC 7296. As with L2TP/IPsec, the traffic itself is protected by IPsec (ESP), so the two offer comparable protection of the data. IKEv2 was standardized by the IETF (originally RFC 4306, now RFC 7296) with Microsoft and Cisco among the main contributors, and there are open-source implementations (for example OpenIKEv2, Openswan, Libreswan and strongSwan).

With support for the Mobility and Multihoming protocol (MOBIKE, RFC 4555), IKEv2 is very resilient to network changes. This makes it a great choice for smartphone users who regularly switch between home Wi-Fi and a mobile connection or move between access points.

IKEv2/IPsec can use a number of cryptographic algorithms, including AES, Blowfish and Camellia, including variants with 256-bit keys.

IKEv2 supports Perfect Forward Secrecy.

In many cases IKEv2 is faster than OpenVPN because it is less resource-intensive, and for mobile users it may be the best option because it re-establishes connections well. IKEv2 is natively supported on Windows 7+, OS X 10.11+, iOS and some Android devices.

OpenVPN
OpenVPN is an open-source, general-purpose VPN protocol developed by OpenVPN Technologies. Today it is probably the most popular VPN protocol. Being open source, it has undergone more than one independent security audit.

In most situations where you need a VPN, OpenVPN is likely to be suitable. It is stable and offers good throughput. OpenVPN runs over standard TCP or UDP, which lets it serve as an alternative to IPsec when a provider blocks some VPN protocols.

OpenVPN requires dedicated client software; nothing works out of the box. Most VPN services build their own applications around OpenVPN for different operating systems and devices. The protocol can run on any TCP or UDP port and is available on all major platforms through third-party clients: Windows, macOS, Linux, iOS and Android.

If it does not suit your situation, look at the alternatives.

WireGuard
The newest and least known VPN protocol is WireGuard. Its developers position it as a replacement for IPsec and OpenVPN in most of their use cases, while being more secure, faster and easier to use.

All IP packets arriving at a WireGuard interface are encapsulated in UDP and delivered securely to the other peers. WireGuard uses modern, fixed cryptographic primitives (there is no cipher negotiation):
  • Curve25519 for key exchange,
  • ChaCha20 for encryption,
  • Poly1305 for data authentication,
  • SipHash for hash table keys,
  • BLAKE2 for hashing.
The WireGuard code is far smaller and simpler than the OpenVPN code, which makes it easier to audit for vulnerabilities (about 4,000 lines versus several hundred thousand). Many people also note that it is much easier to deploy and configure.
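An added example, not WireGuard's own code, showing one piece of the design that the small code base makes easy to reason about: every handshake message ends with mac1, a keyed BLAKE2s over the message under a key derived from the responder's static public key, so a responder silently drops any packet from a sender who does not already know that key, and under load it additionally demands mac2, computed over a cookie bound to the sender's address. The BLAKE2s constructions and the labels are the ones from the WireGuard paper; the public key, the encrypted handshake fields and the addresses are constructed random bytes (no X25519 handshake is performed), the encrypted cookie reply is not modelled, and the names `Responder`, `seal_macs` and `constructed_initiation_fields` are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

LABEL_MAC1 = b"mac1----"          # labels from the WireGuard paper, section 5.4.4
LABEL_COOKIE = b"cookie--"
MSG_INITIATION = 1
INIT_FIELDS_LEN = 116             # type(1) reserved(3) sender(4) ephemeral(32) static(48) timestamp(28)
INIT_LEN = INIT_FIELDS_LEN + 32   # ... + mac1(16) + mac2(16) = 148 bytes on the wire


def wg_hash(data: bytes) -> bytes:
    return hashlib.blake2s(data, digest_size=32).digest()           # HASH(x) = Blake2s(x, 32)


def wg_mac(key: bytes, data: bytes) -> bytes:
    return hashlib.blake2s(data, digest_size=16, key=key).digest()  # MAC(k, x) = keyed Blake2s, 16 bytes


def mac1_key(responder_static_pub: bytes) -> bytes:
    return wg_hash(LABEL_MAC1 + responder_static_pub)


def cookie_key(responder_static_pub: bytes) -> bytes:
    return wg_hash(LABEL_COOKIE + responder_static_pub)   # encrypts cookie replies (not modelled here)


def seal_macs(fields: bytes, responder_static_pub: bytes, cookie: Optional[bytes] = None) -> bytes:
    """Append mac1 and, if the responder previously sent us a cookie, mac2 (else 16 zero bytes)."""
    mac1 = wg_mac(mac1_key(responder_static_pub), fields)
    mac2 = wg_mac(cookie, fields + mac1) if cookie else bytes(16)
    return fields + mac1 + mac2


class Responder:
    def __init__(self, static_pub: bytes) -> None:
        self.static_pub = static_pub
        self._mac1_key = mac1_key(static_pub)
        self._secret = os.urandom(32)       # Rm; real WireGuard rotates it every two minutes
        self.under_load = False

    def cookie_for(self, src_addr: bytes) -> bytes:
        """Cookie bound to the sender's IP:port, so only a sender that can receive at that address has it."""
        return wg_mac(self._secret, src_addr)

    def accept(self, msg: bytes, src_addr: bytes) -> str:
        if len(msg) != INIT_LEN or msg[0] != MSG_INITIATION:
            return "drop: malformed"
        fields, mac1, mac2 = msg[:-32], msg[-32:-16], msg[-16:]
        if not hmac.compare_digest(mac1, wg_mac(self._mac1_key, fields)):
            return "drop: bad mac1"            # sender does not know our public key: silence
        if self.under_load:
            if not hmac.compare_digest(mac2, wg_mac(self.cookie_for(src_addr), fields + mac1)):
                return "cookie reply"          # no DH work yet; hand the sender a cookie instead
        return "handshake"                     # a real responder would now verify the Noise payload


def constructed_initiation_fields(sender_index: int) -> bytes:
    """Constructed stand-in for the first 116 bytes; the cryptographic fields are random here."""
    return (bytes([MSG_INITIATION, 0, 0, 0]) + sender_index.to_bytes(4, "little")
            + os.urandom(32) + os.urandom(48) + os.urandom(28))


if __name__ == "__main__":
    server = Responder(os.urandom(32))          # constructed; really an X25519 public key
    peer_addr = b"\xc6\x33\x64\x0a" + (51820).to_bytes(2, "big")   # 198.51.100.10:51820, constructed
    fields = constructed_initiation_fields(sender_index=1)
    print(server.accept(seal_macs(fields, server.static_pub), peer_addr))          # handshake
    print(server.accept(seal_macs(fields, os.urandom(32)), peer_addr))             # drop: bad mac1
    server.under_load = True
    print(server.accept(seal_macs(fields, server.static_pub), peer_addr))          # cookie reply
    cookie = server.cookie_for(peer_addr)
    print(server.accept(seal_macs(fields, server.static_pub, cookie), peer_addr))  # handshake
```

The effect on the attack surface is what matters: a scanner that does not hold the peer's public key cannot even get a WireGuard endpoint to respond, and an attacker that does hold it but spoofs source addresses cannot make the responder spend CPU on Curve25519 once it is under load, because the cookie proves the sender can receive at the address it claims.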

Performance test results can be found on the official website (as you might guess, they are good). It is worth noting that WireGuard performs best on Linux, where it is implemented as a kernel module.

WireGuard 1.0.0 was released recently, marking the inclusion of the WireGuard code in the mainline Linux 5.6 kernel. The code merged into the kernel passed an additional security audit by an independent company, which found no problems. For many this is great news, but whether WireGuard will become a worthy replacement for IPsec and OpenVPN will be shown by time and independent security research.