Many people think that the most important factor to look into when choosing a Virtual Private Network (VPN) service is the price; however, there are other things to consider, such as the security protocol and its strength. The kind of data tunnelling protocol a VPN uses can determine how secure it is. We will compare PPTP and OpenVPN, which are two popular technologies for data tunnelling. PPTP is incorporated in MS Windows operating systems in different forms. It’s easy to set up, and the PPTP client works on many platforms. While it offers ease of use, it has known security issues. OpenVPN, on the other hand, is a strong protocol that uses technologies such as OpenSSL encryption in addition to the SSL v3 and TLS v1 protocols.

Understanding PPTP

Point-to-Point Tunnelling Protocol (PPTP) is widely utilised by VPN providers. In addition, most operating systems, including Microsoft Windows, have it preloaded. This data tunnelling protocol is quite old; it was introduced in 1995 during the dial-up era. PPTP was originally developed by a consortium headed by Microsoft, which is why you find it in many Windows operating systems. It uses a Transmission Control Protocol (TCP) control connection on port 1723 together with a Generic Routing Encapsulation (GRE) tunnel to set up and carry Virtual Private Network tunnel connections. Because its encryption is lightweight, PPTP tends to be faster than OpenVPN. Since its release, several security weaknesses in PPTP have been exploited. Today it has been upgraded and uses 128-bit key encryption. This protocol, while still not very secure, can nevertheless provide some protection.

Due to the security concerns associated with PPTP, Microsoft itself recommends that users requiring higher security standards use L2TP or SSTP. PPTP’s security may be compromised because the protocol has a history of issues relating to government interference, deanonymisation and spying. The NSA and other intelligence agencies could likely decrypt the otherwise secure connections, exposing users to possible attacks. Users can strengthen a PPTP configuration in several ways. For example, they can exclusively use MPPE-128 encryption, which utilises RC4 with a 128-bit key, together with MS-CHAPv2 authentication using SHA-1. Using strong passwords with a minimum of 128 bits of entropy can also help.

How does PPTP work?

PPTP is mostly used for remotely accessing Virtual Private Networks over the internet. Using PPTP, a user can create VPN tunnels by launching a PPTP client, which connects to the user’s internet provider. After that, PPTP will create a TCP connection from the VPN server to the VPN client. The tunnelling protocol utilises TCP port 1723 to provide the connections. Generic Routing Encapsulation (GRE) then establishes the tunnel. You can use PPTP to support VPN connectivity within a local network. There are two kinds of information flow that PPTP supports: control messages to manage and tear down the connection, and data packets relayed through the tunnel to and from the VPN client. Not only does PPTP come preloaded in Windows OS, it is also available for Mac OSX and Linux. In addition, PPTP appears to be the only VPN protocol supported by certain devices, for instance the Asus RT-AC66U Wi-Fi router.
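The two flows just described, a TCP control connection to port 1723 and a GRE data tunnel between the same endpoints, give a network defender a simple way to spot PPTP tunnels in flow or firewall exports. The following Go program is an added example, not code from the page or from any PPTP implementation; the flow records and addresses are constructed for the demo, and the record format is an assumption.

```go
package main

import "fmt"

// Flow is one flow record as a firewall or NetFlow export might provide it.
type Flow struct {
	Proto string // "tcp", "udp" or "gre" (IP protocol 47)
	Src   string
	Dst   string
	DPort int // destination port; GRE has no ports, so 0
}

// Constructed sample records, not real traffic.
var sampleFlows = []Flow{
	{"tcp", "10.0.0.5", "203.0.113.10", 1723}, // PPTP control channel
	{"gre", "10.0.0.5", "203.0.113.10", 0},    // PPTP data tunnel
	{"tcp", "10.0.0.7", "203.0.113.20", 443},  // HTTPS, or OpenVPN on 443
	{"gre", "10.0.0.9", "192.0.2.1", 0},       // GRE with no control channel
	{"tcp", "10.0.0.9", "192.0.2.2", 1723},    // port 1723 with no GRE
}

// PPTPSessions returns "src->dst" pairs where a TCP/1723 control connection is
// accompanied by a GRE data flow between the same endpoints, the signature of a
// PPTP tunnel. A lone GRE flow or a lone port-1723 connection is not reported,
// which keeps plain GRE tunnels and port scans out of the alert list.
func PPTPSessions(flows []Flow) []string {
	control := map[string]bool{}
	for _, f := range flows {
		if f.Proto == "tcp" && f.DPort == 1723 {
			control[f.Src+"->"+f.Dst] = true
		}
	}
	var sessions []string
	reported := map[string]bool{}
	for _, f := range flows {
		key := f.Src + "->" + f.Dst
		if f.Proto == "gre" && control[key] && !reported[key] {
			sessions = append(sessions, key)
			reported[key] = true
		}
	}
	return sessions
}

func main() {
	for _, s := range PPTPSessions(sampleFlows) {
		fmt.Println("PPTP tunnel observed:", s)
	}
}
```

Because both halves must be present, the check is not fooled by a stray GRE tunnel or by a scan of port 1723 alone.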

PPTP connection on Windows

Users running Windows OS can create VPN connections by setting up PPTP tunnelling. A user will need to open the Network and Sharing Center within the Windows Control Panel. From there, they can click the “Set up a network or connection” link and choose “Connect to a workplace”. After that, they can select “Use My Internet Connection -VPN” and then enter the details for the VPN server. The server administrator will provide the PPTP VPN address. Microsoft Windows usually provides utility programs to help business network administrators. These programs are pptpclnt.exe and pptpsrv.exe, and they help in verifying whether the PPTP network setup has been established correctly. If a user is on a home network, they can use a broadband router and establish a VPN connection to a remote server.

When should you use PPTP?

Businesses using older infrastructure that just need to keep internal data reasonably secure may consider PPTP connections. Users who run older versions of Windows OS can also use them, which is better than not using any VPN protocol at all. Some older home routers, however, might not work with PPTP and do not let the tunnelling protocol pass traffic, so VPN connections cannot be established. PPTP should be used when location and speed are your primary goals for utilising a VPN. This means you can still use PPTP to unblock geo-restricted sites, prevent HD video throttling, and stream videos from sites like Hulu, YouTube, and Netflix. If you are seeking a high level of security, you may not want to use PPTP because of its well-known security vulnerabilities.

PPTP security flaws

Although PPTP offers some protection by encrypting data before sending it over the public internet, there are many security flaws. Organisations like the NSA are known to capture data passing through the public internet; therefore, they can still decrypt data contained within a GRE tunnel, which is not a secure tunnel. Many of the security weaknesses linked to PPTP are within its authentication mechanism, which involves MS-CHAP and MS-CHAPv2. Microsoft has released patches to help prevent decryption of data, for example Protected EAP (PEAP) authentication for MS-CHAPv2. However, that does not make PPTP a secure VPN protocol. Security experts like Bruce Schneier have shown that PPTP is extremely vulnerable. Internet security experts claim that the problem with Microsoft’s PPTP may not be with PPTP itself, but with the way Microsoft has implemented the protocol.

Cracking the authentication for MS-CHAPv2 is equivalent to cracking a single 56-bit DES key, which attackers can brute-force. Attackers can also carry out a man-in-the-middle (MITM) attack. This is an eavesdropping attack in which the attackers secretly relay and alter communication between two parties who believe they are communicating directly. An MITM attack would capture the handshake as well as any PPTP traffic. Once the handshake is captured, attackers could derive the RC4 key offline. This way, they would be able to decrypt data carried over PPTP. Since PPTP does not have forward secrecy, cracking just one PPTP session is sufficient to crack earlier PPTP sessions that used the same credentials.

Pros and Cons of PPTP

One positive aspect of PPTP is that it is fast and has been built into most platforms. You will also find it easy to configure and set up. On the other hand, PPTP has many security holes. The encryption has been used in a manner that negates the effectiveness of the VPN protocol. The 128-bit keys claimed to be used may not even be near the key length that is actually in use. Security experts have found that Microsoft PPTP has flaws that allow attackers to sniff passwords on the network and break the encryption, meaning confidential data can be read. Attackers can also mount denial of service (DoS) attacks against PPTP services. This data tunnelling protocol can furthermore be blocked by firewalls.

Understanding OpenVPN

Considered a much more secure VPN protocol than PPTP, OpenVPN is an ideal choice for enhancing safety and privacy on the internet. It employs technologies such as OpenSSL as well as SSL/TLSv1 on port 443. It is important to note that a user can disguise their network traffic when using OpenVPN by sending the tunnels through another port. Because port 443 is also the port utilised for secured HTTPS traffic, it is very difficult for third parties to distinguish OpenVPN traffic from HTTPS traffic unless they use Deep Packet Inspection (DPI). A majority of networks and internet service providers rely on HTTPS to help secure web transmissions. It is therefore not easy for them to block OpenVPN connections that are tunnelled through port 443.

Because OpenVPN is open source software, the source code is available to everyone, and it is inspected and checked by interested third parties. In addition to using TCP as a transport protocol, OpenVPN can also utilise UDP connections. UDP connections are faster and provide a better streaming experience, such as for watching videos, largely because UDP has none of the windowing used by TCP. OpenVPN users in China, however, may experience unstable connections even when on port 443. This may be because the Chinese government is able to detect and distinguish between the usual SSL encryption and the use of a VPN. However, users can circumvent this by masking their OpenVPN connection so that it appears to be a regular HTTPS connection. For example, they can run OpenVPN through an SSL tunnel or an SSH tunnel.

How does OpenVPN work?

An OpenVPN connection is established via a virtual network interface that is backed by software. To establish the connection, OpenVPN utilises the TUN and TAP virtual network interfaces. These interfaces are managed and controlled by the kernel. When internet traffic is directed at one of the OpenVPN clients, it is terminated when it arrives at the server. It is then relayed back to the client through a secure channel. Similarly, any request that originates from an OpenVPN client is terminated when it arrives at the server. It is then transmitted back to the internet. This means that an OpenVPN client will be known to the public via the identity of the server. In turn, this helps to maintain a higher privacy level for users, protecting them from possible threats.

AES-256 capabilities for OpenVPN

OpenVPN can use AES-256 encryption, which is highly secure and cannot be easily cracked or broken. 256-bit AES encryption scrambles content to keep the information secure from spying eyes. To crack it, criminals would have to try up to 2^256 possible keys. That is 1.1579208924e+77 unique keys, a number beyond the cracking ability of hackers, and it is the gold standard for encryption protocols. The 256-bit AES encryption used in OpenVPN ensures that the tunnelling protocol meets data security requirements in GDPR, PIPEDA, HIPAA, and similar data laws. Even governments may not be able to decrypt data that is stored using AES-256. This is why people and businesses or organisations needing solid security and privacy when online would want to use OpenVPN.

Pros and Cons of OpenVPN

The OpenVPN data tunnelling protocol works on both UDP and TCP, so users of UDP connections will tend to enjoy faster connections than those using TCP on the VPN. OpenVPN does not require VPN pass-through or NAT traversal when used on home routers. The protocol can also connect from almost any location, provided that the ports are not blocked, and another plus is that OpenVPN can run on any port. Relying on PolarSSL/mbed TLS and OpenSSL, it’s a very secure VPN. OpenVPN supports P2P as well as multi-client server configurations, which makes many VPN topologies possible, such as host-network, host-host, and network-network. In addition, it supports the creation of a Layer 2 or Layer 3 VPN with the use of TAP and TUN devices, respectively.

A disadvantage of OpenVPN is that it may be more difficult to set up, especially for a novice. As it is not supported natively by a majority of operating systems, the VPN tunnel requires the use of a software client to be able to connect. Driver support is also needed, which may not function on some PCs because of driver and other software installation restrictions. OpenVPN can be slow, especially on Windows if you try running it within a Virtual Machine in VirtualBox. However, on Linux and VM environments, OpenVPN is fast. Because it does not validate data, however, it is vulnerable to what’s known as bit-flipping attacks. Basically, OpenVPN is flexible, and users can fine-tune it to get low levels of latency while also not subjecting themselves to the security issues seen with PPTP.
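The AES-256 discussion above and the bit-flipping point in this paragraph are easier to see side by side: a strong cipher alone does not stop an in-transit modification, an integrity check does. The following Go program is an added example using only the standard library, not code from the page or from OpenVPN; the key, nonce and message are constructed for the demo. It encrypts the same message with AES-256 in CTR mode (no integrity check) and in GCM mode (authenticated), flips one ciphertext byte, and shows what each receiver gets.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key and nonce; a real tunnel derives fresh ones per session.
var (
	key   = bytes.Repeat([]byte{0x42}, 32) // 32 bytes = AES-256
	nonce = bytes.Repeat([]byte{0x24}, 12) // 96-bit nonce used by both modes
	msg   = []byte("transfer 10 units")
)

// unauthenticatedCTR encrypts or decrypts with AES-256-CTR, a stream mode with
// no integrity check, standing in for a tunnel that does not validate data.
func unauthenticatedCTR(in []byte) []byte {
	block, _ := aes.NewCipher(key)
	iv := append(append(make([]byte, 0, 16), nonce...), 0, 0, 0, 1) // counter block
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// FlipCTR flips one ciphertext byte in transit: the receiver decrypts "90"
// instead of "10" and gets no error, so the modification goes unnoticed.
func FlipCTR() string {
	ct := unauthenticatedCTR(msg)
	ct[9] ^= '1' ^ '9' // XOR patch on byte 9, applied without knowing the key
	return string(unauthenticatedCTR(ct))
}

// FlipGCM repeats the experiment with AES-256-GCM: the authentication tag no
// longer verifies, so Open returns an error instead of corrupted plaintext.
func FlipGCM() (string, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nil, nonce, msg, nil)
	ct[9] ^= '1' ^ '9'
	pt, err := gcm.Open(nil, nonce, ct, nil)
	return string(pt), err
}

func main() {
	fmt.Printf("CTR receiver sees: %q\n", FlipCTR())
	pt, err := FlipGCM()
	fmt.Printf("GCM receiver sees: %q, error: %v\n", pt, err)
}
```

In OpenVPN this per-packet integrity check comes from choosing an AEAD data cipher such as AES-256-GCM, or from the HMAC selected with the auth option.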

PPTP vs. OpenVPN: the bottom line

One of the main reasons why users may want to use PPTP is speed. Since this VPN protocol has lightweight encryption, it takes little bandwidth, meaning there is low encryption overhead. PPTP can be effective for use with devices that have low processing power, like old servers and computers. A big drawback that comes with the OpenVPN data tunnelling protocol, meanwhile, is that it is not an easy option for non-technical users. It does not come as a default within many operating systems, meaning that users will have to download an OpenVPN client.

The takeaway is that you should always avoid the use of PPTP if your prime concern is security, as it will expose you to many threats. Although there is some extra work involved in the setup of OpenVPN, the benefits will far outweigh the difficulties of setting it up.