[colug-432] VPN types

Rob Funk rfunk at funknet.net
Wed Dec 16 17:37:52 EST 2015


Rick Hornsby wrote:
> There are multiple VPN types out there - PPTP, L2TP, SSTP, OpenVPN
> (and subtypes UDP, TCP, "Proxy", and IPSec).

That's mixing up a few different things, but I'm not familiar with
everything you mention.

> From what I've read:
> 
> * Stop using PPTP, it is based on very old Windows-era stuff that's
> weak and cryptographically broken

True. The major advantage to PPTP is the simplicity of per-user
usernames and passwords, without generating certificates of any kind.
But that simplicity comes at the expense of security, both at the
password level and at the PPTP encryption level.

> * OpenVPN is the new hotness, and uses some kind of SSL tunneling.  I
> don't understand the subtypes or why one subtype is better than the
> other.

OpenVPN is basically wrapping your network connection in SSL/TLS
tunneled through UDP or TCP.

UDP is theoretically better when packets may get dropped and you're
using TCP on top of the VPN. That's because UDP behaves the same as
the underlying IP packets would without the VPN, while using OpenVPN
over TCP means that when packets are dropped you have two nested TCP
connections trying to handle the retransmission.

On the other hand, in real-world public wifi situations, I've often
found that UDP OpenVPN won't make a connection at all, while the TCP
version will work fine. (The network behavior of OpenVPN over TCP
should be similar to tunneling over SSH.) Using tcp/443 or other
carefully-chosen ports, you may be able to use OpenVPN to get past
fairly restrictive firewalls that might not otherwise allow VPNs
through.

> One of the downsides with OpenVPN is that it requires the StrongVPN
> client.  There's no native support for OpenVPN in OS X.

True. Or some other client - the openness of OpenVPN means there can
be more than one implementation.

> Otherwise, I don't really understand the different types or subtypes
> or why I would choose one over the other?

IPSec is an official internet standard, which makes many people prefer
it, and it's well-supported in operating systems. However, it's
pretty complex to get working. (Or at least it was when I looked into
it around 15 years ago.)

Most VPN types talk on the network using a special IP packet type
("egrep -i encap\|tunnel /etc/protocols" for some possibilities),
which firewalls and NAT boxes might not pass. OpenVPN is the major
exception, running on top of everyday UDP or TCP packets that
everybody understands. That gives OpenVPN an advantage in network
interoperability, despite its disadvantage in operating system
interoperability.


-Rob
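The point Rob makes at the end, that most VPN types ride on a raw IP protocol number (ESP, GRE and friends) rather than on a UDP or TCP port, is the practical reason they so often die at a NAT box or a port-based firewall. The script below is an added example, not part of Rob's post or of any VPN project: it runs the same `egrep -i encap\|tunnel` idea over a constructed excerpt in /etc/protocols format (modelled on the usual netbase file, so the numbers are the IANA ones, but the text is embedded here so it runs offline) and then maps the VPN types from the thread to the kind of firewall rule each needs. The `transport_of` mapping (IPsec on ESP, PPTP on GRE, L2TP on UDP 1701, OpenVPN on a plain UDP/TCP port) comes from the respective protocol standards, not from the post, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example: which VPN types need a raw IP-protocol rule, and which a port rule.
# PROTOCOLS_SAMPLE is a CONSTRUCTED excerpt in /etc/protocols format; on a real
# host you would read /etc/protocols itself instead.
PROTOCOLS_SAMPLE='ip      0   IP         # internet protocol, pseudo protocol number
icmp    1   ICMP       # internet control message protocol
tcp     6   TCP        # transmission control protocol
udp     17  UDP        # user datagram protocol
gre     47  GRE        # General Routing Encapsulation
esp     50  IPSEC-ESP  # Encap Security Payload
ah      51  IPSEC-AH   # Authentication Header
ipip    94  IPIP       # IP-within-IP Encapsulation Protocol
encap   98  ENCAP      # Yet Another IP encapsulation
l2tp    115 L2TP       # Layer Two Tunneling Protocol'

# Print "name number" for every entry whose line mentions encapsulation or
# tunnelling (case-insensitive): these are IP protocol numbers, not ports, so a
# firewall or NAT device has to pass them explicitly.
tunnel_protocols() {
    printf '%s\n' "$PROTOCOLS_SAMPLE" \
        | grep -i -E 'encap|tunnel' \
        | awk '{ print $1, $2 }'
}

# Look up the IP protocol number for a name (e.g. "esp" -> 50).
# Exits non-zero when the name is not in the table.
protocol_number() {
    printf '%s\n' "$PROTOCOLS_SAMPLE" \
        | awk -v want="$1" '$1 == want { print $2; found = 1 } END { exit !found }'
}

# Describe how a VPN type reaches the network, i.e. what rule a firewall
# administrator would have to allow for it. Only OpenVPN is a plain port.
transport_of() {
    case "$1" in
        openvpn) echo "udp or tcp port (any port; tcp/443 is a common choice)" ;;
        ipsec)   echo "ip protocol $(protocol_number esp) (esp), plus udp/500 for IKE" ;;
        pptp)    echo "ip protocol $(protocol_number gre) (gre), plus tcp/1723 control" ;;
        l2tp)    echo "udp/1701, normally wrapped in ipsec esp" ;;
        *)       echo "unknown vpn type: $1" >&2; return 1 ;;
    esac
}

# Stand-alone usage: list the encapsulation protocols, then each VPN type.
if [ "${1:-}" = "--demo" ]; then
    echo "IP-layer tunnel protocols in the table:"
    tunnel_protocols
    for vpn in openvpn ipsec pptp l2tp; do
        printf '%-8s -> %s\n' "$vpn" "$(transport_of "$vpn")"
    done
fi
```

Run it with `sh script.sh --demo`. The useful check for a practitioner is the distinction the output makes visible: if your VPN shows up as an "ip protocol" entry, a port-forward or an "allow tcp/443" rule on the far end will not help you, and you are in exactly the situation Rob describes where OpenVPN over TCP gets through and IPsec or PPTP does not.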