Protocol Showdown: PPTP vs OpenVPN
While most people assume that price is the biggest factor when selecting a VPN provider, the strength of the security protocols each service offers matters just as much. Two of the most widely offered technologies are PPTP and OpenVPN.
But without understanding the strengths and weaknesses of each technology, it is challenging to select a service that will offer the strongest security. After all, the last thing anyone wants is their data to be intercepted and read by complete strangers.
However, users shouldn't take security protocols for granted. Not all of them were created equal, and some contain flaws serious enough that you should think twice before trusting a VPN connection built on them. The gap between PPTP and OpenVPN is a good example.
Certain algorithms are weaker than others; they still offer some protection against a casual observer, but you should not rely on them unless they are your only option.
PPTP (Point-to-Point Tunneling Protocol) is offered by the vast majority of VPN providers, and Microsoft Windows still ships with a built-in PPTP client (Apple removed its client in macOS Sierra and iOS 10). PPTP is attractive because it is generally easier to set up than other protocols, which makes it popular with novice and experienced users alike.
Originally created by a vendor consortium led by Microsoft, PPTP has its roots in the dial-up era of Internet technology, arriving with Windows 95. It uses two separate channels: a control connection on TCP port 1723, and a GRE (Generic Routing Encapsulation, IP protocol 47) tunnel that carries the actual PPP frames. Both have to pass every firewall and NAT device on the path, which is one reason PPTP is easy to block.
It is important to note that GRE itself provides no confidentiality or integrity; it is only an encapsulation, unlike IPsec. The encryption in PPTP comes from MPPE (Microsoft Point-to-Point Encryption), an RC4 stream cipher negotiated over PPP with 40-, 56- or 128-bit keys.
The 128-bit figure sounds good at first, but the keys are derived from the user's password hash through the MS-CHAPv2 exchange, RC4 is a broken stream cipher, and MPPE has no integrity check at all, so an attacker can flip bits in transit without being detected. That is why PPTP's 128-bit encryption is widely viewed as a weak tunneling option.
PPTP Security Flaws
PPTP does encrypt your data before it is sent through the public Internet, but a string of well-documented security flaws causes most people to prefer other protocols. Most of them are not in the PPP framing itself but in the Microsoft extensions layered on it: the MS-CHAP authentication and the MPPE key derivation that depends on it.
Any organization that can capture data as it flows through the public Internet and has modest computing resources can recover the session keys and read what is inside the GRE tunnel; the NSA certainly qualifies. Considering that the weaknesses are old and well known (Schneier and Mudge published the first cryptanalysis of Microsoft's PPTP in 1998), it isn't surprising that PPTP is regarded as broken.
The most serious weaknesses are in the authentication mechanisms, MS-CHAP and MS-CHAPv2. In MS-CHAPv2 the client's response is three DES encryptions of the same challenge hash under keys cut from the user's NT password hash, so anyone who captures a single handshake can recover that hash with one 2^56 DES search (the MS-CHAPv2 complexity reduction demonstrated at DEF CON 20 in 2012 by Moxie Marlinspike and David Hulton). The recovered hash is enough both to log in as the user and to derive the MPPE session keys.
The reason so many people are still drawn to it, despite its vulnerabilities, is that it's available on just about every operating system, it's easy to use, it needs no additional software, it doesn't add unreasonable overhead and it's a fairly fast VPN technology.
None of the authentication issues have really been fixed, because the weakness is in the protocol design rather than in a bug that can be patched. After the 2012 attack Microsoft published Security Advisory 2743314, which recommends that anyone still relying on MS-CHAPv2 wrap it inside a PEAP TLS tunnel or, better, move to a different VPN protocol such as L2TP/IPsec, IKEv2 or SSTP. PPTP therefore remains a protocol to avoid.
Remember that when selecting VPN technologies, an ounce of prevention is worth a pound of cure.
Many factors are outside our control, so you should always opt for technologies that are known to be secure. Even if it seems like trivial information, we have a right to privacy and our data shouldn't end up in the hands of a government or a hacker. As such, avoid PPTP like the plague, unless you really have no other option to secure your data.
Instead, OpenVPN is a much better choice.
PPTP pros:
- Easy to set up
- Doesn't usually require extra software
- Fairly fast protocol with low overhead
PPTP cons:
- Weak encryption (RC4 via MPPE, with keys tied to the user's password hash and no integrity check)
- Well-known, unfixable authentication flaws in MS-CHAPv2
- Shouldn't be used unless it is the only option
- Can be blocked easily by ISPs & networks (TCP 1723 plus GRE)
Conversely, OpenVPN is considered a much more secure technology. It builds its control channel on TLS (using OpenSSL or mbed TLS) and, by default, runs over UDP port 1194. It can be bound to any port, though, and many providers also offer it on TCP port 443, the port used for HTTPS, so that a network which only filters by port number cannot tell it apart from ordinary web traffic. DPI (Deep Packet Inspection) can tell the difference, because OpenVPN's own packet framing does not look like a TLS record.
Because HTTPS depends on port 443, an ISP or network cannot block that port without breaking the web; a network that is unwilling to deploy DPI therefore cannot block OpenVPN on port 443 by port alone, although DPI-equipped networks can and do. OpenVPN also has the advantage of being open source software: the source code is openly available and can be (and has been) inspected by third parties.
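To make the DPI point concrete, here is an added example (not from the original article, and not code from the OpenVPN or PPTP projects) that fingerprints the first bytes of a flow using the protocol facts above: the PPTP magic cookie on TCP/1723, GRE as IP protocol 47, OpenVPN's opcode byte (with the 2-byte length prefix TCP mode adds), and the TLS record header that a real HTTPS session starts with. The packet bytes, ports and session ids are constructed for the demonstration.

```python
"""Fingerprint the first bytes of a flow as PPTP control (TCP/1723), PPTP data
(GRE, IP protocol 47), OpenVPN in TCP or UDP mode, or a genuine TLS ClientHello.
All sample packets below are constructed for this example, not real captures."""
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D   # RFC 2637 2.2: present in every PPTP control message
PPTP_MSG_CONTROL = 1
PPTP_SCCRQ = 1                   # Start-Control-Connection-Request, the client's first message

# OpenVPN wire format: first byte is (opcode << 3) | key_id. TCP mode prefixes each
# packet with a 2-byte big-endian length; UDP mode does not. Opcodes per OpenVPN's ssl_pkt.h.
OPENVPN_OPCODES = {
    4: "P_CONTROL_V1", 5: "P_ACK_V1", 6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2", 8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2", 10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
HARD_RESET_OPCODES = {7, 8, 10}  # opcode byte + 8-byte session id + ack count + 4-byte packet id


def is_tls_client_hello(payload: bytes) -> bool:
    """TLS record: type 0x16 (handshake), version 3.x, 2-byte length, then
    handshake type 0x01 (ClientHello). This is what real HTTPS starts with."""
    if len(payload) < 6:
        return False
    rec_len = int.from_bytes(payload[3:5], "big")
    return (payload[0] == 0x16 and payload[1] == 3 and payload[2] in (1, 2, 3)
            and rec_len >= 4 and payload[5] == 0x01)


def is_pptp_sccrq(payload: bytes) -> bool:
    """PPTP control header: length, message type, magic cookie, control message type."""
    if len(payload) < 10:
        return False
    length, msg_type, cookie, ctrl_type = struct.unpack("!HHIH", payload[:10])
    return (cookie == PPTP_MAGIC_COOKIE and msg_type == PPTP_MSG_CONTROL
            and ctrl_type == PPTP_SCCRQ and length == len(payload))


def openvpn_opcode(payload: bytes, tcp_mode: bool):
    """Return (opcode name, key_id) if payload parses as one OpenVPN packet, else None.
    tls-auth/tls-crypt protect the control channel but leave this byte in the clear."""
    body = payload
    if tcp_mode:
        if len(payload) < 3 or int.from_bytes(payload[:2], "big") != len(payload) - 2:
            return None
        body = payload[2:]
    if not body:
        return None
    opcode, key_id = body[0] >> 3, body[0] & 0x07
    name = OPENVPN_OPCODES.get(opcode)
    if name is None or (opcode in HARD_RESET_OPCODES and len(body) < 14):
        return None
    return name, key_id


def classify(proto: str, dst_port: int, payload: bytes) -> str:
    """proto is 'tcp', 'udp' or 'gre'; payload is the first segment or datagram."""
    if proto == "gre":
        return "pptp-data"            # PPTP is by far the commonest GRE user on the public Internet
    if proto == "tcp" and dst_port == 1723 and is_pptp_sccrq(payload):
        return "pptp-control"
    if proto == "tcp" and is_tls_client_hello(payload):
        return "tls-client-hello"
    hit = openvpn_opcode(payload, tcp_mode=(proto == "tcp"))
    if hit:
        return f"openvpn:{hit[0]}:key{hit[1]}"
    return "unknown"


# --- constructed sample packets ---------------------------------------------------
def build_sccrq(hostname: bytes = b"pptp-client", vendor: bytes = b"example") -> bytes:
    # length 156, control msg, cookie, SCCRQ, reserved, version 1.0, reserved,
    # framing caps, bearer caps, max channels, firmware rev, 64-byte host, 64-byte vendor
    hdr = struct.pack("!HHIHHHHIIHH", 156, PPTP_MSG_CONTROL, PPTP_MAGIC_COOKIE,
                      PPTP_SCCRQ, 0, 0x0100, 0, 1, 1, 0, 0)
    return hdr + hostname.ljust(64, b"\0") + vendor.ljust(64, b"\0")


def build_openvpn_hard_reset(tcp_mode: bool) -> bytes:
    # client hard reset, key id 0, made-up session id, no acks, packet id 0
    body = bytes([(7 << 3) | 0]) + bytes.fromhex("1122334455667788") + b"\x00" + b"\x00\x00\x00\x00"
    return (len(body).to_bytes(2, "big") + body) if tcp_mode else body


def build_client_hello() -> bytes:
    # TLS 1.2 ClientHello: version, zeroed random, no session id, one suite, null compression
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


SAMPLE_FLOWS = [
    ("gre", 0, b""),
    ("tcp", 1723, build_sccrq()),
    ("tcp", 443, build_openvpn_hard_reset(tcp_mode=True)),   # OpenVPN hiding on the HTTPS port
    ("udp", 1194, build_openvpn_hard_reset(tcp_mode=False)),
    ("tcp", 443, build_client_hello()),                       # real HTTPS
]


def classify_samples() -> list:
    return [classify(p, port, data) for p, port, data in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, label in zip(SAMPLE_FLOWS, classify_samples()):
        print(f"{flow[0]}/{flow[1]:<5} -> {label}")
```

The OpenVPN check works even when tls-auth or tls-crypt is in use, because those options authenticate or encrypt the control-channel payload but leave the opcode and key-id byte in the clear; that is exactly why a DPI box can separate OpenVPN-on-443 from HTTPS, and why providers that need to evade such boxes wrap OpenVPN in a real TLS layer (stunnel or similar) rather than just changing the port.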
Furthermore, OpenVPN isn't bound to TCP as its transport. It can run over UDP, which is generally faster and better for streaming applications (such as video) because it has no acknowledgements or windowing. UDP is in fact the preferred transport: carrying TCP inside a TCP tunnel lets the inner and outer retransmission timers fight each other under packet loss (the "TCP meltdown" problem), so TCP mode is best reserved for networks that block UDP.
It may be true that PPTP is a fast VPN protocol with little overhead, but OpenVPN is more flexible: transport, MTU and cipher can all be tuned to keep latency low, without the horrendous security issues associated with PPTP. It also uses far stronger cryptography.
OpenVPN can use AES-256 for the data channel (AES-256-GCM is what current versions negotiate by default; older releases defaulted to Blowfish in CBC mode, a 64-bit block cipher, so check what your provider's config actually sets). No practical attack on AES-256 is known. It is reasonable to assume that one day, far in the future, technology will advance far enough to break it, but brute force against a 256-bit key is out of reach for the foreseeable future because of the sheer number of keys.
As the name implies, an AES-256 key is 256 bits long, which gives 2^256, or about 1.16 × 10^77, possible keys, a number beyond fathoming for most people.
No government or large organization has the computing power to search a key space that size, so the cipher itself is not what fails. What fails in practice is everything around it: a weak password, a leaked key, a missing certificate check, or a configuration that quietly negotiates a weaker cipher. AES-256 gives you peace of mind only when the rest of the setup is right.
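Because the cipher is only as good as the configuration around it, here is an added example (not from the original article and not part of OpenVPN itself) that audits a client configuration for the settings that matter: a 64-bit block cipher such as BF-CBC, a weak HMAC hash, no tls-auth/tls-crypt, TLS 1.0 allowed, no remote-cert-tls check, and compression. The two configs at the bottom, the hostname vpn.example.com and the file names are constructed for the demonstration; the option names are OpenVPN's own.

```python
"""Audit an OpenVPN client configuration for settings that throw away the
security the protocol can provide. The two configs at the bottom are constructed
for this example; the option names are OpenVPN's own."""
import shlex

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}  # 64-bit block or no encryption
WEAK_AUTH = {"MD5", "SHA1", "NONE"}
COMPRESSION_ALGOS = {"lzo", "lz4", "lz4-v2", "yes", "adaptive"}


def parse_config(text: str) -> dict:
    """Map option name -> list of argument lists. Inline <ca>...</ca>-style blocks
    are recorded as present and their bodies skipped."""
    opts, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if block:
            if line == f"</{block}>":
                block = None
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            opts.setdefault(block, []).append(["<inline>"])
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            opts.setdefault(tokens[0], []).append(tokens[1:])
    return opts


def audit(text: str) -> list:
    """Return (code, message) findings; an empty list means no weak setting was found."""
    opts = parse_config(text)
    findings = []

    def first_arg(name):
        args = opts.get(name)
        return args[0][0] if args and args[0] else None

    # data channel: explicit 'cipher', or the negotiated list 'data-ciphers' (2.5+) / 'ncp-ciphers' (2.4)
    ciphers = []
    for name in ("data-ciphers", "ncp-ciphers"):
        if first_arg(name):
            ciphers += first_arg(name).split(":")
    for name in ("cipher", "data-ciphers-fallback"):
        if first_arg(name):
            ciphers.append(first_arg(name))
    if not ciphers:
        findings.append(("cipher-default", "no cipher set: OpenVPN before 2.4 falls back to BF-CBC; "
                         "set data-ciphers AES-256-GCM:AES-128-GCM"))
    for c in ciphers:
        if c.upper() in WEAK_CIPHERS:
            findings.append(("cipher-weak", f"cipher {c}: 64-bit block size (SWEET32) or no encryption; "
                             "use AES-256-GCM"))

    auth = first_arg("auth")
    if auth and auth.upper() in WEAK_AUTH:
        findings.append(("auth-weak", f"auth {auth}: weak HMAC hash for CBC modes and tls-auth; use SHA256"))

    if not any(k in opts for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append(("control-unauth", "no tls-auth/tls-crypt: the TLS control channel accepts packets "
                         "from anyone on the Internet; add tls-crypt"))

    try:
        tls_min = float(first_arg("tls-version-min") or "1.0")
    except ValueError:
        tls_min = 1.0
    if tls_min < 1.2:
        findings.append(("tls-version-min", "tls-version-min below 1.2 (or unset): TLS 1.0/1.1 allowed; "
                         "set tls-version-min 1.2"))

    if "remote-cert-tls" not in opts and "ns-cert-type" not in opts:
        findings.append(("server-cert-unchecked", "no remote-cert-tls server: any certificate issued by "
                         "the CA, including another client's, can impersonate the server"))

    comp_lzo_enabled = "comp-lzo" in opts and first_arg("comp-lzo") != "no"
    if comp_lzo_enabled or first_arg("compress") in COMPRESSION_ALGOS:
        findings.append(("compression", "compression enabled: plaintext-dependent packet sizes leak data "
                         "(VORACLE-style compression oracle); remove comp-lzo/compress"))
    return findings


# Constructed for this example: a typical old provider profile and a hardened one.
WEAK_CONFIG = """
client
dev tun
proto tcp
remote vpn.example.com 443   # looks like HTTPS to a port filter, nothing more
cipher BF-CBC
auth SHA1
comp-lzo
ca ca.crt
cert client.crt
key client.key
"""

HARDENED_CONFIG = """
client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
verify-x509-name vpn.example.com name
tls-version-min 1.2
tls-crypt tc.key
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-GCM
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
(placeholder body, constructed for this example)
-----END CERTIFICATE-----
</ca>
cert client.crt
key client.key
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for code, msg in audit(cfg):
            print(f"  [{code}] {msg}")
```

Point it at the .ovpn file a provider hands you. Note that with an AEAD cipher such as AES-256-GCM the auth option no longer affects the data channel, but it still selects the HMAC used by tls-auth, so it is reported either way; and remote-cert-tls server is the check that stops one customer of the same provider (who holds a certificate from the same CA) from impersonating the server.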
One of the largest drawbacks of OpenVPN is that it is a little more difficult to set up and configure, so it isn't always offered as an option to non-technical users.
And because no mainstream operating system ships it by default, users typically need to download an OpenVPN client first. In addition, OpenVPN runs in user space, so it can be a little slower than kernel-implemented options such as L2TP/IPsec (and even PPTP in some cases).
OpenVPN vs PPTP Speed & Latency
However, even though OpenVPN can be a little bit slower, don’t let that sway you towards using PPTP. OpenVPN doesn’t add an unreasonable amount of overhead or latency to a connection, as long as your computer and Internet connection are reasonable by today’s standards. Read our speed vs latency guide to learn how they differ.
Besides, users who want to offload the small memory and processing cost from their computer or mobile device can terminate the VPN connection at the router. The router then does all the heavy lifting of encrypting and decrypting traffic for every device behind it.
All that takes is a router flashed with DD-WRT or Tomato firmware, both of which include an OpenVPN client (check out our guide on how to install DD-WRT on your router).
OpenVPN pros:
- Strong data security using AES-256-GCM when configured correctly
- Can be moved to other ports to circumvent network restrictions
- Can run on TCP port 443, where port-based filters cannot distinguish it from HTTPS (the default is UDP 1194)
- Most VPN providers have step-by-step guides
- Open source software
- Works over both TCP & UDP
OpenVPN cons:
- A little more challenging for nontechnical users to set up without a guide
- Typically requires downloading an extra software client
- Can be slightly slower than PPTP & introduce more overhead
The key takeaway is to always avoid using PPTP. It might feel a little more challenging compared to setting up an OpenVPN client, but try to refrain from taking the path of least resistance. Internet security is no laughing matter, and using an inferior protocol could easily compromise the confidentiality and integrity of personal information.
Even though it may take a little extra work setting up OpenVPN, since you will likely need to download an additional client, the benefits far outweigh the small amount of extra effort it takes to setup the tunnel. Even if you aren’t too technically inclined, most VPN providers have how-to guides that show the step-by-step configuration process with screenshots to simplify the matter.
Check out our ExpressVPN review for an example of a service that’s easy-to-use. Lastly, remember that you should always use OpenVPN instead of PPTP for stronger security and peace of mind.