Attention: You need to "Allow Scripts Globally" in your browser to purchase any VPN.image

VPN Encryption and Protocols – How Do They Work?

This guide brings you everything there is to know about VPN encryption and VPN protocols that you should and should not use.

Encryption is pretty much at the center of what we know today as VPN technology.

It’s the exact thing that protects the user’s privacy from intrusive surveillance programs.

Not only that, but encryption also prevents online hackers from sniffing the user’s personal data when they’ve connected to a public network.

We have written this guide in order to break down everything you need to know about how encryption is applied in VPN technology to protect users.

In essence, encryption is a process that encodes data. And because of that, no unauthorized party can access that data.

Even before the advent of computer encryption, humans throughout history have communicated using cryptography when they wanted secrecy. Encryption still carries out its duties the same way.

The process uses specific codes which make use of numbers and letters to transform messages from meaningful phrases to gibberish.

The only way to make any sense of them is by using the correct cipher. Only after that can someone correctly decode the message’s contents.

Now, modern computers have great processing power. That’s why human-based ciphers have become useless.

Cybersecurity experts today make use of powerful computer algorithms in order to come up with different methods of encryption.

Using the same algorithms, they also generate a dedicated key that’s required by anyone who wants to decrypt a given piece of data.

Encryption involves using a combination of key-length and cipher. The most popular example of this is AES 256-bit encryption. Here, AES is a cipher that makes use of a 256-bit key length.

Types of Encryption

Public-Key Encryption

Private keys and public keys are generated via software.

Moving forward from that, the public key comes in handy when the time comes to encrypt data. Then the public key is transferred to the private key holder.

In other words, the public key allows the private key holder to decode a given message.

Journalists are the first people who make use of such a system.

Right now, the most respected of public key encryption systems is Pretty Good Privacy (or PGP). This system was developed in 1991 and was acquired by software firm Symantec in 2010.

You can search online for more tools that make use of OpenPGP, which is just an open standard version of PGP.

Symmetric-Key Encryption

In this system, the decryption and encryption keys stay the same. If two parties want to communicate, they must possess the same decryption and encryption keys.

Modern VPN technology makes use of this encryption technique.

Due to the constantly evolving world of cybercrime and security threats, professionals in the cybersecurity field are using longer and longer keys. This prevents attacks via brute force methods, in which hackers use tools to try out each and every combination of the decryption and encryption keys until they get the right match.

Currently, the industry gold standard is the 256-bit key, which is considered the ultimate security vault because it’s virtually impossible to crack.


The vast majority of online consumers have experienced at least one type of encryption, maybe without even realizing it.

More specifically, they use encryption whenever they access a website that makes use of HTTPS (or Hypertext Transfer Protocol Secure).

Websites also make use of Transport Layer Security (or TLS), another security protocol.

The TLS, in turn, incorporates SSL or Secure Sockets Layer, an older security protocol. TLS actually combines symmetric and public-key encryption in order to properly protect user data.

On the other hand, web browsers usually make use of public-key encryption in order to communicate with various web servers. Then they securely share symmetric encryption keys.

These come into play when data is about to go through the transportation process and hence needs encryption.

Some might think of this process as complicated but it is actually pretty efficient. Public-key encryption, in reality, requires significant computer power if it wants to encrypt every piece of important data in a given user session.

One problem that we would like to mention here is when a given server is only able to use a single private key in order to generate the entire secure session. In such a session, if a hacker is able to compromise the key, they have all the opportunity in the world to decrypt the given session (supposedly secure) on the given server.

Fortunately, now most of the private keys that are generated are unique. These keys are also discarded when a session is over.

This system is usually known as PFS or Perfect Forward Secrecy.

VPN Protocols

VPN clients usually rely on a set of instructions and processes to establish secure connections between a given VPN server and device.

These are known as VPN protocols. Without them, there would be no safe transmission of data.

VPN protocols partly represent encryption standards and partly represent transmission protocols.

Here are the major ones:


With its fast and secure system, OpenVPN is currently the gold standard among all VPN protocols.

If you’re a beginner in the VPN space, then we recommend you start with OpenVPN.

OpenVPN, as the same suggests, is also open source. This means it is absolutely transparent and has the advantage of the public testing it and improving it.

OpenVPN is also fairly configurable. With that said, we should also mention that natively, there is not a single platform that has support for OpenVPN. However, that doesn’t mean you can’t use it.

Many good VPN services offer free VPN apps that support OpenVPN on a wide variety of platforms.

More importantly though, OpenVPN is able to work on TCP 443 ports and UDP ports.

HTTPS traffic uses the TCP 443 port, so it is essential for anyone who wants to keep their web traffic secure.

Perhaps the most common connection protocol is OpenVPN TCP. The reason for that is its integrated error correction feature, which makes use of a confirmation mechanism while transferring data—ensuring the arrival of a specific data packet before the next data packet starts its journey from the other end.

If there is no arrival confirmation, then the current data packets keep going through the resent process.

Then there is OpenVPN UDP, which does not require any such confirmation. Since there are no checks, it offers lower latency. Gamers and streamers should use OpenVPN UDP for obvious reasons.

OpenVPN also makes use of the OpenSSL library. This library supports a wide range of encryption standards.

When we mention the term encryption, you should know that encryption has a total of two elements: Control channel encryption and data channel encryption.

Data channel encryption is the mechanism that protects the user’s information when it is being transferred.

Control channel encryption is the function that secures the present connection between the VPN server and the user’s device.


Microsoft logo company on the window facade of the new Microsoft headquarter (1)
Even though it is safe, our research shows that it is rather slow. But since Microsoft has developed it, maybe you’re fine with that.

LT2P stands forLayer 2 Tunneling Protocol. Even though it is safe, our research shows that it is rather slow. But since Microsoft has developed it, maybe you’re fine with that.

In the vast majority of cases, L2TP is implemented alongside IPSec authentication because L2TP doesn’t provide encryption on its own.

L2TP also has a limited number of fixed ports. This is why it’s so easy to block L2TP.

As for speed, theoretically speaking, it is faster than OpenVPN even though it makes use of double encapsulation.

OpenVPN does not support multi-threading, while L2TP does.

L2TP is also faster than OpenVPN because it carries out the decryption and encryption process in the kernel itself.

Our research shows that when L2TP is used with AES, it has no security vulnerabilities—though some reports say that the U.S. National Security Agency has compromised it and that during the process of its creation, researchers deliberately weakened it.


SSTP or Secure Socket Tunneling Protocol is another proprietary protocol from Microsoft. Compared to L2TP, it is faster and more secure. Perhaps the reason for that is that SSTP is based on version 3.0 of SSL.

That fact means SSTP, just like OpenVPN, has the ability to make use of TCP 443 port. Although, SSTP is not as transparent as OpenVPN.

Because of that, it’s hard to say if SSTP has any vulnerabilities or backdoors. This is the reason why some feel SSTP is risky to use with the Windows platform.

One other problem with SSTP is that some feel it cannot stand up against POODLE, a type of man-in-the-middle attack. Although, no one has proven anything with certainty yet.

But to be on the safe side, you should stay away from SSTP and stick with OpenVPN.


IKEv2 stands for Internet Key Exchange. This is another closed standard, and yes, it too has been developed by Microsoft, but only in collaboration with Cisco.

The platforms that natively support IKEv2 are as follows:

  • Blackberry
  • Windows 7
  • iOS

For Linux, there is a separate version which is open-source and hence does not have the trust problems that the proprietary version has.

IKEv2 has the further advantage of being very adaptable with the changing networks.

If a user drops their internet connection, IKEv2 is likely the best at reconnecting them. For now, the only problem we see with IKEv2 is that it is closed source. Apart from that, IKEv2 is secure and very fast which makes it ideal for mobile users.

Perhaps this is a good time to mention that if you want to use IKEv2 in a restrictive country, then that’s probably a bad choice as IKEv2 is not made for censorship circumvention.


The WireGuard protocol is the latest in a long line of tunneling protocols.

The main aim of this protocol is to be more performant and faster than the current king of protocols, which is OpenVPN.

For now, WireGuard is aiming to solve all the common issues that people face with IPsec and OpenVPN. Both these protocols, though good, are complex to set up and suffer from disconnections along with extended reconnection times.

Both these protocols also have large codebases consisting of up to 600,000 lines of code. That makes it very hard for researchers to find meaningful bugs.

WireGuard tries to improve on them by making use of up-to-date ciphers along with a smaller codebase that has not crossed 4,000 lines of code.

We should add here that WireGuard is still in development, but early tests show it can effectively reconnect the user instantly. It is also fast and secure.

WireGuard still has a long way to go if it wants to prove itself against the likes of OpenVPN and L2TP but things are looking promising for now.


PPTP stands for Point-to-Point Tunneling Protocol.

All research indicates that this is an outdated protocol. It came into existence in 1999 when Microsoft funded a team to create a VPN which would work over a dial-up connection.

PPTP does have some positives, though. It has great support for almost all platforms and does not require the user to have additional software. It’s also fast.

However, we cannot ignore the fact that PPTP is not secure. Hackers find it easiest to crack among all protocols. Also, since PPTP relies on the GRE protocol, administrators can easily block it via standard firewalls.

Again, we recommend you stay away from PPTP unless you absolutely have to use it to change your current IP address.

Even then, we suggest to only use it for non-sensitive tasks.


Ciphers are algorithms that protocols use to decrypt and encrypt data. Here are the most common ones:


Currently, OpenVPN uses the Blowfish cipher as its default cipher.

Even though users have the option of using another cipher with OpenVPN, that does not change the fact that Blowfish is generally secure.

Typically, VPNs implement the Blowfish 128-bit cipher even though options range from 448 bits to just 32 bits.

Blowfish does come with some security flaws that would take too long for us to mention here. All you need to know for now is that you should go with AES 256-bit as your primary cipher and Blowfish as your secondary option.


AES stands for Advanced Encryption Standard. The U.S. established this symmetric-key cipher in 2001 via the National Institute of Standards and Technology (NIST).

Like OpenVPN, AES is a very well-respected standard in the VPN industry.

The fact that AES makes use of a block size of 128-bit means it has the ability to handle much larger file sizes when compared to other ciphers like Blowfish.

Security researchers still consider AES 128-bit very secure. However, most VPN service providers prefer to offer AES 256-bit to their premium customers because it provides an extra element of protection.


AES and Camellia are very similar in the way they work.

The major difference between the two is that Camellia does not have the stamp of approval from the National Institute of Standards and Technology, which created AES.

Some would make the argument that one should not use any cipher in which the U.S. government has played a part, but Camellia is still very rare in terms of availability.

We do not know of any major VPN service that makes use of this cipher.

Moreover, since no one is ready to test Camellia, it is also not as secure as AES.

Handshake Encryption

If you want to form a secure connection with your VPN server, you will have to make use of the previously mentioned public-key encryption.

Web icon DATA against the background of handshake of business partners (1)
This is the same encryption process that a user has to make use of when their web browser tries to form a secure session with an HTTPS website.

Not only that, but a connection with a VPN server also requires public-key encryption with the use of a TLS handshake.

Most of the time, the public-key encryption comes in the form of RSA cryptosystem. It’s worth noting here that recent reports suggest that the NSA has finally managed to crack RSA-1024.

We believe this is just one reason why a lot of VPN service providers have started to move away from RSA 1024.

You can find VPNs still using it, but those aren’t reliable VPN services anymore. In other words, you should avoid VPNs that make use of RSA-1024. Instead, we recommend you look for VPN services that use the RSA-2048 encryption since it is secure.

In an ideal situation, a VPN service would make use of an additional encryption system in order to create PFS or Perfect Forward Secrecy.

Most of the time, VPN services would achieve this with the inclusion of Elliptic Curve Diffie-Hellman (ECDH) or Diffie-Hellman key exchange.

No one is stopping anyone from using ECDH on its own for the purposes of creating a secure handshake, but our research shows that one should never use DH alone.

It is vulnerable to attacks by hackers with the right resources.

Of course, if a VPN service is making use of either DH or ECDH with RSA, the level of security is improved.

Leave a Reply

Name (required)

Email (required)


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Share via
Share via
Send this to a friend