VPN is a big help for people using the Internet, especially those of us who live or work in China. Many first-time VPN users are thrilled to find out they can access blocked sites such as Google, Twitter, Facebook and Youtube again. At the same time, however, many new VPN users are puzzled by the choices of VPN protocols provided by their VPN providers, such as: PPTP, OpenVPN (including UDP and TCP) and L2TP/IPSec etc.
In this article, we hope to help our readers have a better understanding about the differences between these VPN protocols. Also, we hope to answer an additional question: which VPN protocol works best for VPN users in China?
To answer these questions, we decided to seek professional advices. Therefore, we consulted experts from the following 4 VPN providers: ExpressVPN, VyprVPN, 12VPN and SwitchVPN. We received good advices from all of them (Thanks a lot!). Below is a summary of what’ve learned from VPN experts.
The Basics: PPTP vs. L2TP vs. OpenVPN vs. SSTP
The most commonly used VPN protocols are: PPTP, L2TP/IPsec and OpenVPN. Some VPN providers offer another VPN protocol called SSTP. Also, a number of VPN providers offers their customized version of VPN protocols.
PPTP is a basic VPN protocol and very easy to set up and use. It’s supported natively by most operating systems such as Windows, Mac, Linux, iOS and Android etc. To get connected, it only asks for a server address, a username and a password. The speed is usually fast. However, in terms of security, PPTP is not the best choice, due to its encryption algorithm (max 128 bit).
OpenVPN is an open source VPN solution using the SSL/TLS encryption protocol. As a result, it’s more secure than PPTP and it’s recommended by many experts. However, OpenVPN is not natively supported by major operating systems. To use OpenVPN, users have to install some special software (either provided by their VPN providers or a third-party software for OpenVPN).
The L2TP (Layer 2 Tunnel Protocol) protocol offers no encryption, but when used along with the IPsec encryption, it’s secure (definitely more secure than PPTP). Compared to OpenVPN, L2TP is natively supported by major operating systems (including mobile devices), but it’s not as fast as OpenVPN and might run into problems with firewalls.
The SSTP (Secure Socket Tunneling Protocol) was introduced by MacroSoft and thus supported well and works well on Windows. Maybe SSTP can be thought of as MicroSoft’s version of OpenVPN. It’s secure and can bypass most firewalls. In terms of security, it’s also better than PPTP and arguably better than L2TP/IPsec.
Which VPN Protocol to Use: PPTP vs. L2TP vs. OpenVPN vs. SSTP
For this question, let us quote what we were told by the VPN providers.
PPTP is the least secure and should only be used if you have a specific reason for it. OpenVPN (UDP) usually offers the best combination of speed and security, but may not work on all networks. OpenVPN (TCP) is more likely to function on all types of networks, but might by slower than UDP. For L2TP/IPSec, only a subset of ExpressVPN’s server locations might be available for this protocol.
We distinguish 3 different use-cases, which will affect the choice of protocol:
1) Maximum privacy: choose IKEv2, OpenConnect or OpenVPN/StealthVPN. These protocols support the latest ecnryption standards and are widely regarded as secure. If you’re a mobile user, IKEv2 and OpenConnect are the more battery-friendly choices.
2) Avoiding so-called “geo” restrictions: use our SmartDNS, OpenWEB or Chrome extension. These get the job done with the least amount of overhead. Using any of the other VPN protocols will work too, but those may unnecessarily impact internet services/sites that don’t need VPN.
3) Escaping censorship: choose OpenWEB or our Chrome extension. While these aren’t true VPN solutions, they get the job done without too much overhead. If you prefer to use a true VPN protocol you can use any VPN protocol that isn’t blocked or throttled in your area.
PPTP: Provides basic encryption, and is fast due to the lower encryption level. Native in most desktop, mobile device and tablet operating systems. PPTP is a fast, easy-to-use protocol. It is a good choice if OpenVPN isn’t supported by your device.
L2TP/IPsec: Provides the highest encryption, checks data integrity and encapsulates the data twice. It requires more CPU processing to encapsulate data twice. Native in most desktop, mobile device and tablet operating systems. L2TP/IPsec is a good choice is OpenVPN isn’t supported by your device and security is th top priority.
OpenVPN: Provides the highest encryption, and authenticates data with digital certificates. This is the best performing protocol. OpenVPN provides fast speeds, even on connections with high latency and across great distances, and is the most reliable and stable. Supported by most desktop computer operating systems and Android mobile and tablet devices. OpenVPN is the recommended protocol for desktops including Windows, Mac OS X and Linux.
Which VPN Protocol Works Best in China: PPTP vs. L2TP vs. OpenVPN vs. SSTP
Again, Let’s quote the answers from the VPN providers we have asked:
In our experience, generally OpenVPN works best from China (usually UDP and sometimes TCP)
For China that means you should use IKEv2, OpenConnect, StealthVPN (Editor’s Note: StealthVPN is a protocol developed by 12VPN), L2TP or PPTP. Regular OpenVPN and SSTP tend to run into blocking or throttling issues. This changes from time to time; check with your VPN provider if you’re unsure.
There is no accurate answer to following questions, as blocking works different in different parts of China. For some users PPTP may work best while for some users L2TP may work best. OpenVPN UDP and TCP are completely blocked in China. We are working on workaround to offer OpenVPN based protocol which works in China which should be ready very soon. SSTP is a protocol which is guaranteed to work on almost any condition. As SSTP works over Port 443, SSL Protocol. As SSTP is pure SSL VPN, Chinese Authorities cannot detect SSTP connections yet. Protocol also depends on users environment. If user is trying to connect to VPN from office network, its more likely to fail on PPTP or L2TP. While it will connect fine on SSTP. The only draw back on SSTP is latency and performance. PPTP and L2TP offers faster speeds compared to SSTP.
So in conclusion , The protocol solely depends upon users location, from where they are connecting to eg. Home, Work, School/University, etc..
PPTP works for users in China occasionally, but the connection is unstable because PPTP connections can be easily decrypted due to low security. Similar to PPTP, L2TP is not entirely blocked in China but the connection is not stable either. The Great Firewall of China has strong computing power and is able to decrypt VPN traffic by brute force attack (generating a large number of consecutive guesses until the correct key is found). The Great Firewall uses Deep Packet Inspection (a method from machine learning, which profiles data packets) to identify VPN traffic, and OpenVPN is easily identified and blocked in the first handshake, which has been suffering from severe blocking since January 2015.
Chameleon is a proprietary VPN technology developed by Golden Frog. Chameleon technology uses the unmodified OpenVPN 256-bit protocol for the underlying data encryption, but scrambles OpenVPN packet metadata to ensure it’s not recognizable via Deep Packet Inspection, while still keeping it fast and lightweight. The result is that VyprVPN users are able to bypass restrictive networks put in place by governments, corporations and ISPs to achieve an open Internet experience without sacrificing the proven security for which OpenVPN has long been known. Chameleon provides the highest level of encryption, and authenticates data with digital certificates. It includes the features of OpenVPN, but with superior function of going through DPI. Available in the VyprVPN Apps for Windows, Mac and Android.
We recommend users in China choose Chameleon to bypass Internet restrictions. Chameleon is great for users being blocked in countries such as China.
Recently many people reported Shadowsocks is a good alternative to VPN. Currently Shadowsocks is still new and it’s not offered by most VPN providers. We will keep you updated about the development.
We hope this article can help you have a better understanding on the different VPN protocols and have a better idea on which VPN protocol(s) to use in China. If you are looking for a reliable VPN to be used in China, please make sure to take a look at our list of the best VPNs for China. Also, please consider signing up our VPN newsletter to receive regularly updated VPN news, VPN recommendations and VPN discount offers!
Bonus: VPN Recommendations
Below are some VPNs that we recommend:
Reason for recommending: Reliable connection, fast speed. Good customer support.
Starting Price: $8.32/mo. Free Trial: 30-day money-back.
Simultaneous Connections: 1 computer and 1 handheld device
Reason for Recommending: Reliable connection, fast speed.
Starting Price: $2.08/mo. Free Trial: 7-day money-back
Simultaneous Connections: 5 devices
Reason for Recommending: Reliable connection, fast speed. Can apply filtering so that some websites don’t have to go through VPN.
Starting Price: $4.08/mo. Free Trial: 14 days.
Simultaneous Connections: Can be used on multiple devices simultaneously, but should avoid connecting to the same server