This page gives a comparison between several popular VPN protocols: IPSec/L2TP, OpenVPN and DarkWire’s Premium VPN service which uses a customized version of OpenVPN. First is a quick comparison of key features followed by a more detailed listing.
Feature | IPSec | OpenVPN |
Compatibility | All desktops, laptops and handhelds |
All desktops, laptops and handhelds |
Ease-of-Use | ||
Can Use Certificates | ||
Can Use Static Keys | ||
Secure Key Exchange | ||
Per-packet HMAC Authentication | ||
Encryption Algorithms | Highest available |
Highest available |
Key/User Management | Very time consuming |
Very easy |
Open Implementation on all devices | Each OS vendor has their own, closed-source implementation of IPSec. These implementations are known to contain backdoors for governmental agencies. |
Open and peer-reviewable for all devices except Apple iOS. |
Multiple devices on the same network? | IPSec does not support multiple devices behind a single IP. |
Supports unlimited devices behind a single IP. |
Can bypass governmental filtering systems? | IPSec is trivially easy for governmental agencies to block. |
DW OpenVPN has been specially customized and tested in some of the harshest censorhip environments in the world. |
Here are some more details on each of the protocols along with notes on our Premium VPN service.
PREMIUM | |||
---|---|---|---|
Background | An advanced protocol formally standardized in IETF RFC 3193 and now the recommended replacement for PPTP where secure data encryption is required. | OpenVPN is an advanced open source VPN solution backed by the company ‘OpenVPN technologies’ and which is now the de-facto standard in the open source networking space. It uses uses the mature SSL/TLS encryption protocols. | DarkWire VPN’s PREMIUM service uses a customized version of OpenVPN. This allows us to provide more extensive services to companies and individuals while still maintaining 100% compatibility with the basic OpenVPN featureset. |
Data Encryption | The L2TP payload is encrypted using the standardized IPSec protocol. RFC 4835 specifies either the 3DES or AES encryption algorithm for confidentiality. IVPN uses the AES algorithm with 256 bit keys. (AES256 is the first publicly accessible and open cipher approved by the NSA for top secret information) | OpenVPN uses the OpenSSL library to provide encryption. OpenSSL supports a number of different cryptographic algorithms such as 3DES, AES, RC5, Blowfish. DarkWire VPN implements the extremely secure AES algorithm with 256 bit keys. | |
Setup / Configuration | All versions of Windows since 2000/XP and Mac OSX 10.3+ have built in support for L2TP/IPSec. Most modern mobile platforms such and iPhone and Android include built in clients. | OpenVPN is not included in any operating system release and requires the installation of client software. The software installers are very user friendly and installation typically takes less than 5 minutes. | |
Speed | L2TP/IPSEC encapsulates data twice making it less efficient and slightly slower than its rivals. | When used in its default UDP mode, OpenVPN provides the best performance. | |
Ports | L2TP/IPSEC uses UDP 500 for the the initial key exchange, protocol 50 for the IPSEC encrypted data (ESP), UDP 1701 for the initial L2TP configuration and UDP 4500 for NAT traversal. L2TP/IPSec is easier to block than OpenVPN due to its reliance on fixed protocols and ports. | OpenVPN can be easily configured to run on any port using either UDP or TCP. To easily bypass restrictive firewalls, OpenVPN can be configured to use TCP on port 443 which is indistinguihasble from standard HTTP over SSL making it extremely difficult to block. | |
Stability / Compatibility | L2TP/IPSec is more complex than OpenVPN and can be more difficult to configure to work reliably between devices behind NAT routers. However as long as both the server and client support NAT traversal, there should be few issues. | Very stable and fast over wireless, cellular and other non reliable networks where packet loss and congestion is common. OpenVPN has a TCP mode for highly unreliable connections but this mode sacrifices some speed due to the ineffeciency of encapsulating TCP within TCP. | |
Security weaknesses | IPSec has no major vulnerabilities and is considered extremely secure when used with a secure encryption algorithm such as AES. | OpenVPN has no major vulnerabilities and is considered extremely secure when used with a secure encryption algorithm such as AES. | |
Client compatibility |
|
|
|
Conclusion | L2TP/IPSec is an excellent choice but falls slightly short of OpenVPN’s high performance and excellent stability. If you are using a mobile device running iOS (iPhone) or Android then it is the fastest to setup and configure as it is supported natively (no software to install), but this should not override the benefits which OpenVPN brings. | OpenVPN is the best choice for all platforms. It is extremely fast, secure and reliable. Additionally, DarkWire VPN can provide organizations with customized private routing with OpenVPN (available as an add-on). The 3rd party client only takes a few minutes to install on most platforms. | Using DarkWire VPN’s customized OpenVPN client is the best choice for most platforms. It is extremely fast, secure and reliable. Our Premium service allows us to customize and tailor the VPN client in order to access our VPN service from behind a number of different firewall scenarios. |
Rating |