VPN Protocols Comparison | NordLayer Learn (2024)

A VPN (or a Virtual Private Network) is a technology that creates a secure "tunnel" over the internet. It allows users to connect to corporate networks securely, affordably, and flexibly, while also restricting access for unauthorized individuals.

Instead of costly hardware setups, a VPN utilizes the open internet to transfer data. The connection is encrypted, protecting data from unauthorized access on the public internet.

VPN technology is not complex, but there are many VPN setups and tunneling protocols to choose from. This can get very technical, so here's a quick rundown of which VPN and tunneling protocols are right for your business.

Different types of VPNs and when to use them


Remote access VPN

Remote access VPN is an on-demand encrypted connection between a user's device and the business's network or data center. The tunnel exists only while the user has the VPN client connected; there is no permanent link. Businesses use this type to let staff reach applications and data in a central hub through the tunnel. Think of it as a secure pathway from your device to the sensitive documents or company systems on the other end.

The main drawback is that the applications are often not where the VPN gateway is. Many organizations rely on software-as-a-service (SaaS) applications hosted in third-party data centers, so a remote access VPN is a poor fit for that traffic: packets from the device are hairpinned through the corporate gateway, out to the SaaS provider, and back the same way. That adds latency and loads the office uplink with traffic that never needed to touch it.

This setup is a good fit for self-hosted applications or highly confidential material you do not want to store elsewhere. Keep in mind that gateway capacity and bandwidth requirements grow with the number of concurrent users, and that the choice between a full tunnel (all traffic through the office) and a split tunnel (only corporate prefixes) largely determines how much of that load you carry.

Site-to-site VPN

Site-to-site VPN is a permanent, always-on connection between two or more offices that joins them into one network. Each end needs its own configuration, and the approach works best when several fixed sites must be linked. It is usually terminated on the on-premises routers or firewalls at each site.

This solution won't help you much if your users want to connect from home. Administrators usually don't allow connections from networks they cannot control for safety reasons. Essentially, they're sacrificing accessibility in favor of security.

The good news is that this is one of the most affordable ways to combine separate networks into a single intranet. Devices at different sites can reach each other as if they were on the same local network, traffic between sites is encrypted in transit, and none of the internal services needs to be exposed to the public internet. The flip side is that a joined network is only as trustworthy as its weakest site: a compromised host in one branch has a direct route to the others, so firewall rules between sites still matter.

Most common VPN protocols

VPNs use tunneling protocols, which are the rules for moving data through the tunnel: how packets are encapsulated, encrypted and authenticated, and what checks the receiving end performs before accepting them. The protocol chosen directly affects both speed and security. Here are the most common ones.

Internet Protocol Security (IPSec)

IPsec is a suite of protocols that authenticates and encrypts traffic at the IP layer, so only peers that prove their identity (with a pre-shared key or a certificate) can establish a tunnel. It has two building blocks: AH, which only authenticates packets, and ESP, which encrypts and authenticates them, in either transport mode (protecting the payload) or tunnel mode (wrapping the whole original packet). Session keys are negotiated with IKE; IKEv2 is the version to use today. Because nearly every router, firewall and operating system implements it, IPsec is the usual choice for securing connections between locations, and IKEv2/IPsec is a common remote access option as well.

Layer 2 Tunneling Protocol (L2TP)

L2TP builds a tunnel between two L2TP endpoints, carrying layer 2 frames over UDP, but it provides no encryption of its own. In practice it is always paired with IPsec, which supplies the confidentiality and integrity: the L2TP tunnel runs inside an IPsec transport-mode association. The result is two layers of encapsulation, which adds overhead rather than security; the protection comes entirely from the IPsec layer, so the same IKE and cipher choices apply. L2TP/IPsec remains popular mainly because almost every operating system ships a built-in client for it.

Point-to-Point Tunneling Protocol (PPTP)

PPTP (Point-to-Point Tunneling Protocol) dates from the mid-1990s. It authenticates with MS-CHAP v2 and encrypts with MPPE, which uses RC4 with keys derived from the user's password hash. Both are broken: the MS-CHAP v2 handshake reduces to a single 56-bit DES key that can be brute-forced from a captured exchange in under a day, and once the password hash is known the MPPE keys follow. Computing power has grown enormously since the protocol was designed, so none of this requires exotic resources. PPTP should be treated as unencrypted and is seldom used in modern deployments; more secure tunneling protocols with modern ciphers are favored.

SSL and TLS

Secure Sockets Layer and its successor Transport Layer Security are the protocols that protect HTTPS web pages; SSL itself is long deprecated and only TLS (1.2 or 1.3) should be negotiated today, but the term "SSL VPN" has stuck. In this model the web browser often acts as the client, and user access is limited to specific published applications rather than the entire network. Since every browser already speaks TLS, no additional software is usually required, which is why remote access VPNs frequently build on SSL/TLS. Full network access over TLS needs an agent on the device, which is where OpenVPN and similar protocols come in.

OpenVPN

OpenVPN is an open-source VPN protocol built on a TLS library (OpenSSL or mbed TLS): TLS secures the control channel, where peers authenticate with certificates and negotiate keys, and the data channel then carries packets protected with modern AEAD ciphers such as AES-GCM or ChaCha20-Poly1305. It is a go-to choice for its security track record and flexibility. Setup can be more work than IPsec because most operating systems do not ship a native client, so a third-party client has to be installed; many routers and firewalls do support it (OpenWrt and pfSense among them), so router-to-router use is possible where the hardware allows.

It runs over either UDP or TCP. UDP is the default and the faster choice: OpenVPN already provides integrity and authenticity through its own cryptography, so it gains nothing from TCP's reliability, and tunneling TCP inside TCP makes the two layers' retransmission timers fight each other under packet loss. TCP mode is for getting through restrictive networks, typically on port 443, where only web traffic is allowed out. Overall, OpenVPN is a well-rounded, secure protocol that is widely used for both remote access and site-to-site setups.
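The settings just discussed are where OpenVPN deployments usually go wrong in practice, so here is an added example, written for this page rather than taken from NordLayer or the OpenVPN project, that audits a server.conf for the weak choices: the legacy BF-CBC data cipher, a SHA1 HMAC, no TLS 1.2 floor, no tls-crypt on the control channel, no remote-cert-tls check, and compression. Both configurations in the block are constructed samples; the file names and the 10.8.0.0/24 address pool are placeholders.

```python
"""Static audit of an OpenVPN 2.x server configuration for weak settings.

Added example written for this article; it is not code from NordLayer or
from the OpenVPN project. Both configs below are constructed samples.
"""
from typing import Dict, List

# Constructed sample: a legacy server.conf still common in the wild.
WEAK_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
cipher BF-CBC
auth SHA1
comp-lzo
keepalive 10 120
"""

# Constructed sample: the same deployment with current hardening applied.
HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
ecdh-curve secp384r1
server 10.8.0.0 255.255.255.0
data-ciphers AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA256
tls-version-min 1.2
tls-crypt ta.key
remote-cert-tls client
keepalive 10 120
"""

WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}


def parse_openvpn(text: str) -> Dict[str, List[str]]:
    """Parse 'option arg ...' lines into {option: [args]}; '#' and ';' start comments."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            conf[parts[0]] = parts[1:]
    return conf


def is_aead(cipher: str) -> bool:
    """AEAD ciphers authenticate the data channel themselves, so 'auth' is irrelevant."""
    name = cipher.upper()
    return name.endswith("-GCM") or name == "CHACHA20-POLY1305"


def audit_openvpn(text: str) -> List[str]:
    """Return findings for weak settings; an empty list means none were found."""
    conf = parse_openvpn(text)
    findings: List[str] = []

    # Data channel: without data-ciphers, the legacy 'cipher' (default BF-CBC) is used.
    if "data-ciphers" in conf:
        non_aead = [c for c in conf["data-ciphers"][0].split(":") if not is_aead(c)]
        if non_aead:
            findings.append(f"data-ciphers permits non-AEAD cipher(s): {non_aead}")
    else:
        cipher = conf.get("cipher", ["BF-CBC"])[0]
        if not is_aead(cipher):
            findings.append(f"no data-ciphers list; legacy cipher '{cipher}' in use")
        # Only non-AEAD modes depend on the 'auth' HMAC digest (default SHA1).
        digest = conf.get("auth", ["SHA1"])[0]
        if not is_aead(cipher) and digest.upper() in WEAK_DIGESTS:
            findings.append(f"auth {digest}: weak HMAC digest for a CBC cipher")

    # Control channel (TLS).
    if conf.get("tls-version-min", ["1.0"])[0] not in ("1.2", "1.3"):
        findings.append("tls-version-min below 1.2 (or absent): TLS 1.0/1.1 may be negotiated")
    if not any(k in conf for k in ("tls-crypt", "tls-crypt-v2", "tls-auth")):
        findings.append("no tls-crypt/tls-auth: anyone on the internet can start a TLS handshake")
    if "remote-cert-tls" not in conf:
        findings.append("remote-cert-tls missing: certificate roles not checked, any cert from the CA is accepted in any role")

    # Compression leaks plaintext length and enables compression-oracle attacks.
    if "comp-lzo" in conf or "compress" in conf:
        findings.append("compression enabled: remove 'comp-lzo'/'compress'")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_openvpn(conf) or 'no findings'}")
```

Run it against a real file with audit_openvpn(open(path).read()). An empty result means only that these particular settings are in order; it says nothing about certificate hygiene, key storage or the push/route configuration.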

Secure Shell (SSH)

SSH creates an encrypted, authenticated channel to a remote machine and can forward TCP ports (or act as a SOCKS proxy) through it, which makes it a lightweight way to reach an office desktop or a single internal service from a home laptop. It is not a general-purpose VPN: each forwarded service has to be set up individually, and an SSH server exposed to the internet is an attractive entry point. Treat it accordingly: require key-based authentication and disable password logins, restrict which accounts may forward ports, and log and monitor sessions. For these reasons it suits small remote access needs rather than connecting whole networks.

WireGuard

WireGuard is the most recent widely available tunneling protocol. It is far smaller than IPsec or OpenVPN (a few thousand lines of code, built into the Linux kernel since version 5.6) and deliberately has no cipher negotiation: every implementation uses the same fixed suite (Curve25519 key exchange, ChaCha20-Poly1305 encryption, BLAKE2s hashing), which removes a whole class of downgrade and misconfiguration problems and is why it is both easier to audit and very fast. Its minimalism has a cost: peers are identified only by static public keys, so user authentication, key distribution and dynamic address assignment have to be handled by a management layer around it. Adoption has grown quickly, and site-to-site links built on WireGuard are now common. There are also proprietary implementations built on it, such as NordLynx.
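As an added example for both the site-to-site and WireGuard sections (written for this page, not taken from NordLayer or the WireGuard project), the script below checks a head-office gateway's wg-quick configuration for the mistakes that bite in multi-site setups: overlapping AllowedIPs between branch peers, a peer given a default route on a gateway that should only carry site prefixes, and a placeholder that never became a real key. The configuration, addresses and peer names are constructed; the base64 keys are syntactically valid placeholders, not real key material.

```python
"""Sanity-check a wg-quick configuration for a site-to-site WireGuard gateway.

Added example written for this article; it is not code from NordLayer or
from the WireGuard project. The config below is constructed, and its keys
are syntactically valid placeholders, not real key material. WireGuard
uses cryptokey routing: each peer's public key is bound to the AllowedIPs
it may send from and that are routed to it, so overlapping or over-broad
AllowedIPs are the mistakes worth catching before running 'wg-quick up'.
"""
import base64
import ipaddress
from typing import Dict, List, Tuple

# Constructed: head office gateway (LAN 10.10.0.0/16) peering with two branch
# gateways and one laptop. Branch B's AllowedIPs repeat part of branch A's LAN,
# the laptop entry still carries a placeholder key, and it would pull all of
# the gateway's traffic (0.0.0.0/0) into the tunnel.
SITE_CONF = """\
[Interface]
Address = 10.200.0.1/24
ListenPort = 51820
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=

[Peer]
# branch A, LAN 10.20.0.0/16
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
AllowedIPs = 10.200.0.2/32, 10.20.0.0/16
PersistentKeepalive = 25

[Peer]
# branch B, LAN 10.30.0.0/16
PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
AllowedIPs = 10.200.0.3/32, 10.20.0.0/24, 10.30.0.0/16

[Peer]
# admin laptop
PublicKey = paste-laptop-key-here
AllowedIPs = 0.0.0.0/0
"""


def parse_wg(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split a wg-quick config into the [Interface] dict and a list of [Peer] dicts."""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")  # base64 keys end in '=' padding
            current[key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


def valid_key(b64: str) -> bool:
    """A WireGuard key is 32 bytes of Curve25519 material, base64-encoded (44 chars)."""
    try:
        return len(b64) == 44 and len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def audit_wg(text: str) -> List[str]:
    """Return findings for a gateway config; an empty list means it looks sane."""
    interface, peers = parse_wg(text)
    findings: List[str] = []
    if not valid_key(interface.get("PrivateKey", "")):
        findings.append("Interface: PrivateKey is not a 32-byte base64 key")
    if "ListenPort" not in interface:
        findings.append("Interface: no ListenPort, so branch peers cannot initiate to this gateway")

    routed = []  # (network, owning peer): WireGuard routes each prefix to exactly one peer
    for idx, peer in enumerate(peers, 1):
        label = f"peer {idx}"
        if not valid_key(peer.get("PublicKey", "")):
            findings.append(f"{label}: PublicKey is not a 32-byte base64 key")
        allowed = [a.strip() for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        if not allowed:
            findings.append(f"{label}: no AllowedIPs, so the peer can neither send nor receive")
        for cidr in allowed:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(f"{label}: {cidr} routes all traffic on a site gateway")
                continue  # a default route overlaps everything; one finding is enough
            for other, owner in routed:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"{label}: {cidr} overlaps {other} already routed to {owner}")
            routed.append((net, label))
    return findings


if __name__ == "__main__":
    for finding in audit_wg(SITE_CONF):
        print(finding)
```

The overlap check matters because the kernel silently moves a disputed prefix to whichever peer was configured last, so traffic for branch A's 10.20.0.0/24 would quietly start arriving at branch B. The check only covers what is in the file; it cannot tell you whether two branches happen to use the same private range internally, which is the other classic site-to-site problem and has to be resolved by readdressing or NAT.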

Which VPN protocol is the best for your business?


Start from your business needs and the setup method that matches them, then work out the network requirements. Consider your risk model, the traffic load you expect, which data you want to make reachable, and to whom. The clearer that picture, the easier it is to keep the setup cost down and pick the right tunneling protocol for your case.

As a rule of thumb, WireGuard, IKEv2/IPsec, L2TP/IPsec, TLS-based VPNs, and OpenVPN are all sound options for remote access setups, provided they are configured with current cipher and protocol versions; PPTP should not be used at all. From a site-to-site perspective the best protocol often depends on your hardware: if your routers already support OpenVPN or IPsec natively, using them makes more sense than replacing them just to run WireGuard.

FAQ

What is the primary difference between remote access VPN and site-to-site VPN?

Remote access VPN connects individual users to a remote network, while site-to-site VPN connects two entire networks together.

Why should businesses monitor SSH channels?

Businesses should monitor SSH channels closely to ensure security, detect unauthorized access, and maintain the integrity of data and systems.

Which VPN protocols are recommended for remote access setups?

Recommended VPN protocols for remote access setups are OpenVPN, WireGuard, IKEv2/IPsec, and L2TP/IPsec. PPTP is not recommended.

Article information

Author: Aron Pacocha