2 April 2020

VPN Security

A VPN enables devices on different networks to communicate with each other over the internet. The primary purpose of a VPN is to ensure that this communication takes place securely. When a device connects to a VPN, its traffic is routed through a private VPN server rather than going straight from the device to the internet via the internet service provider. Because the connection to the internet is made from the VPN server, the IP address assigned to the user by the internet service provider, and with it the user's identity, is masked during communication.

The VPN server creates a private tunnel to transmit user data and sends the data through this tunnel in encrypted form. This protects the transmitted data from both the internet service provider and attackers. The encryption process is carried out using an encryption key known only to the device and the VPN server.

If encrypted data is intercepted by unauthorised parties during transmission, those parties will not be able to decrypt the data or make changes to it. The effectiveness of the encryption and the difficulty of breaking it vary depending on the level of encryption used by the VPN provider. Unless the VPN tunnel is accompanied by a strong encryption method, the tunnel alone cannot be considered private. The level of encryption in a VPN tunnel depends on the tunnelling protocol used. The most commonly used VPN tunnelling protocols are PPTP, L2TP/IPSec, SSTP and OpenVPN, which are described below.


PPTP: PPTP (Point-to-Point Tunneling Protocol) is one of the oldest protocols used by VPNs. Developed by Microsoft and released with Windows 95, PPTP encrypts data packet by packet and sends the packets through a tunnel it creates. PPTP is one of the easiest protocols to configure, requiring only a username, password and server address to connect to the server. It is one of the fastest VPN protocols because its encryption is so light. Although it offers high connection speed, that same low encryption level makes PPTP one of the least secure protocols for protecting data.

L2TP/IPSec: L2TP (Layer 2 Tunneling Protocol) is used together with IPSec (Internet Protocol Security) to create a more secure tunnel than PPTP. L2TP/IPSec provides AES-256 bit encryption, one of the most advanced encryption standards that can be applied. However, this makes L2TP/IPSec slower than PPTP. L2TP/IPSec is still a very popular protocol given the high level of security it provides.

SSTP: SSTP (Secure Socket Tunneling Protocol) uses the SSL protocol for security. SSL makes internet data passing through SSTP highly secure. SSTP is a Windows-based tunnelling protocol that is not available on other operating systems, and has not been independently audited for potential backdoors built into the protocol.

OpenVPN: OpenVPN is a newer, open-source tunnelling protocol that uses AES 256-bit encryption. It can pass through restrictive firewalls without being blocked by them, and this capability also makes it fast. Third-party software is required to set up OpenVPN, and the protocol can be configured on Windows, Mac, Android and iOS.

A VPN provider can be chosen based on the protocol it uses. Although PPTP is fast, it should be avoided because it is weak from a security perspective. L2TP/IPSec provides 256-bit encryption but is slower. SSTP, while secure, is only compatible with Windows, and its closed source code cannot be independently checked for backdoors. OpenVPN, however, with its open source code, strong encryption and ability to pass through firewalls, is the best tunnelling protocol available for securely transmitting data over the internet.

Other features offered by VPN providers from a security perspective are described below:

No-Log VPN

No-Log VPNs keep no records of any information transmitted over the network. This keeps all user activity private from everyone, including the VPN providers themselves. Therefore, when choosing a VPN provider, consideration should be given to whether logs are kept, whether any logs that are kept are regularly cleared, and whether the provider refrains from disclosing user information.

Kill Switch

If the VPN connection drops, internet access otherwise continues silently over the normal, unprotected connection. A Kill Switch automatically closes selected applications (or blocks their traffic) the moment the VPN connection drops. This prevents data from leaking out of sensitive applications outside the tunnel.
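The firewall-based kill switch that the providers below advertise can be modelled as an allow-list of outbound rules; the following is an added example, not code from the article or from any VPN provider, and the interface names, server address and port are constructed placeholders:

```python
"""Firewall-based VPN kill switch, modelled as an nftables allow-list.
Added example, not code from the article or any VPN provider. Only loopback,
the tunnel interface and the VPN endpoint itself are allowed out; everything
else is dropped, so nothing leaks when the tunnel goes down. Names, address and port are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass(frozen=True)
class Rule:
    oif: str | None      # output interface, None = any
    dst: str | None      # destination IP/network, None = any
    proto: str | None    # "udp" / "tcp", None = any
    dport: int | None    # destination port, None = any
    verdict: str         # "accept" or "drop"

    def matches(self, oif, daddr, proto, dport):
        return ((self.oif is None or self.oif == oif)
                and (self.dst is None or ip_address(daddr) in ip_network(self.dst))
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))

    def nft(self):
        parts = [f'oifname "{self.oif}"'] if self.oif else []
        if self.dst:
            parts.append(f"ip daddr {self.dst}")
        if self.proto:
            parts.append(f"{self.proto} dport {self.dport}")
        return " ".join(parts + [self.verdict])

def kill_switch_rules(vpn_server, vpn_port, proto="udp", phys_if="eth0", tun_if="tun0"):
    """Rules in evaluation order: first match wins, like an nft chain."""
    ip_address(vpn_server)   # must be an IP: resolving a hostname needs DNS, which the switch blocks
    if proto not in ("udp", "tcp") or not 0 < vpn_port < 65536:
        raise ValueError("invalid VPN endpoint")
    return [
        Rule("lo", None, None, None, "accept"),               # local processes
        Rule(tun_if, None, None, None, "accept"),             # anything already inside the tunnel
        Rule(phys_if, vpn_server, proto, vpn_port, "accept"),  # the tunnel's own transport
        Rule(None, None, None, None, "drop"),                 # everything else would leak: drop
    ]

def would_allow(rules, oif, daddr, proto, dport):
    """Evaluate one packet against the rules (first match wins)."""
    return next((r.verdict == "accept" for r in rules if r.matches(oif, daddr, proto, dport)), False)

def render_nft(rules):
    """Text for `nft -f -`: an output chain whose policy drops anything unmatched."""
    body = "\n".join("    " + r.nft() for r in rules)
    return ("table inet killswitch {\n  chain output {\n"
            "    type filter hook output priority 0; policy drop;\n" + body + "\n  }\n}\n")
```

With the tunnel down, a DNS query to a public resolver on the physical interface hits the final drop rule, which is exactly the leak the kill switch exists to stop.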

Multifactor Authentication

This method requires users to authenticate themselves in more than one step. An example of this is when, after a username and password have been verified, a code is sent by SMS and that code must be entered into the system. This makes attacks against VPN accounts considerably harder, since a password alone is no longer enough.

Below, some features of the 5 best-known VPN services are described. All the services on this list provide top-level service in terms of security features and encryption protocols.

ExpressVPN: Applies AES-256 encryption with RSA-4096 handshake and SHA-512 HMAC for OpenVPN. Uses ECDH (Elliptic Curve Diffie–Hellman) for data channel encryption. Additionally prevents DNS and WebRTC leaks with a firewall-based kill switch.

NordVPN: Implements a zero-log policy for those requiring a high level of privacy. Uses OpenVPN as the tunnelling protocol. NordVPN applies AES-256 encryption with RSA-2048 handshake and SHA-256 HMAC for OpenVPN. Data communication confidentiality is provided via the DHE-4096 key exchange algorithm. However, NordVPN does not apply OpenVPN for iOS; instead it uses IKEv2 with AES-256-GCM encryption and HMAC SHA2-384 data authentication.

PIA: PIA (Private Internet Access) uses OpenVPN as its tunnelling protocol. It uses AES-256 bit encryption with HMAC SHA256 for authentication, AES-256 bit encryption with RSA-4096 handshake for the data channel, and AES-256 bit encryption with HMAC SHA384 for the control channel. PIA also provides a kill switch for DNS leaks and supports port forwarding.

CyberGhost: CyberGhost is a service provider that offers easy-to-use software and very strong encryption. Using OpenVPN as the tunnelling protocol, CyberGhost uses AES-256-CBC encryption with SHA256 HMAC for the data channel, and AES-256 bit encryption with RSA-4096 key encryption and SHA384 HMAC for the control channel. Perfect forward secrecy is provided via the ECDH-4096 key exchange algorithm.

AirVPN: AirVPN allows users to connect to VPN servers via the Tor service and has an excellent reputation for security. It ranks first in terms of VPN security and speed. However, its technology-heavy focus and very strict support style can alienate many users. AirVPN uses OpenVPN as its tunnelling protocol. It uses AES-256 bit encryption with RSA-4096 handshake, HMAC SHA1 data channel authentication, HMAC SHA384 control authentication, and DHE-4096 key exchange algorithm. It blocks DNS leaks with a kill switch, and blocks WebRTC leaks both with a kill switch and at server level.
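The cipher, HMAC and handshake settings listed for the providers above, and the OpenVPN recommendation earlier on this page, can be checked mechanically in a client profile. The following is an added example, not code from the article or from any provider; it parses .ovpn directives and flags settings that fall below an AES-256 / SHA-256-or-better baseline, plus the DNS-leak guard. Both sample profiles are constructed:

```python
"""Audit an OpenVPN client profile against the cipher/HMAC baseline above.
Added example, not the article's or any provider's code; sample profiles are constructed."""
STRONG_CIPHERS = {"AES-256-GCM", "AES-256-CBC", "CHACHA20-POLY1305"}
STRONG_AUTH = {"SHA256", "SHA384", "SHA512"}
def parse_ovpn(text):
    """directive -> list of argument lists; inline <ca>/<tls-crypt> bodies are skipped."""
    d, inline = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":             # blank or comment line
            continue
        if line.startswith("</"):
            inline = False
        elif line.startswith("<"):                   # <ca>, <cert>, <tls-crypt> ...
            inline = True
            d.setdefault(line.strip("<>"), []).append([])
        elif not inline:
            name, *args = line.split()
            d.setdefault(name, []).append(args)
    return d

def audit(profile):
    d, findings = parse_ovpn(profile), []
    ciphers = {c.upper() for a in d.get("data-ciphers", []) for c in ":".join(a).split(":") if c}
    ciphers |= {a[0].upper() for a in d.get("cipher", []) if a}
    weak = ciphers - STRONG_CIPHERS if ciphers else {"(none pinned: server default accepted)"}
    if weak:
        findings.append("weak data cipher negotiable: " + ",".join(sorted(weak)))
    auth = (d.get("auth", [["SHA1"]])[-1] or ["SHA1"])[0].upper()    # OpenVPN's default digest is SHA1
    if auth not in STRONG_AUTH:
        findings.append(f"HMAC {auth} below SHA-256 (covers CBC data and tls-auth, not AEAD data)")
    tls_min = (d.get("tls-version-min", [["1.0"]])[-1] or ["1.0"])[0]
    if tls_min < "1.2":                              # "1.0" < "1.2" holds as strings
        findings.append("tls-version-min 1.2 missing: control channel may downgrade to TLS 1.0")
    if d.get("remote-cert-tls", [[]])[-1] != ["server"]:
        findings.append("remote-cert-tls server missing: a client cert could impersonate the server")
    if "block-outside-dns" not in d:
        findings.append("block-outside-dns missing: DNS may leak outside the tunnel on Windows")
    return findings

WEAK = "client\ndev tun\nremote vpn.example.net 1194\ncipher BF-CBC\nauth SHA1\n"
HARDENED = """client
remote vpn.example.net 1194
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA512
tls-version-min 1.2
remote-cert-tls server
block-outside-dns
<ca>
...constructed placeholder, not a real certificate...
</ca>
"""
```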
