A Virtual Private Network (VPN) is probably the most popular method of setting up connections to share sensitive data. The technology works by linking your device to a VPN server, creating a secure tunnel. Before you can initiate the VPN connection, both sides need a shared definition of what that tunnel should look like.
A VPN protocol provides those instructions. It specifies every detail that your device and the server on the receiving end must agree on. Protocols come in all shapes and sizes: some require additional data integrity checks, while others add more robust encryption. The variety is immense, and there’s plenty of room for customization.
Let’s dive into the most popular VPN protocols — their benefits, differences, and use cases.
What are the main VPN protocols?
When your data passes through the tunneling protocol, it’s split up into pieces and placed inside encrypted data packets. After reaching their intended destination, the server decrypts them with its configured private key and unpacks the sent data. The process goes back and forth between your device and a VPN server for the whole session.
While the core principle of how tunneling works remains constant, there can be specific properties that distinguish tunneling protocols from one another. Most hardware devices natively support them, and some are also considered standard.
Here’s a brief rundown of some of the most popular tunneling protocols (you’ll find all of them in the NordLayer app).
WireGuard is an open-source tunneling protocol with a streamlined code base that minimizes the attack surface and makes maintenance drastically easier. It runs over User Datagram Protocol (UDP), which has no connection handshake, so it benefits from significantly higher speeds.
One drawback is that WireGuard can’t dynamically assign IP addresses to everyone connected to a server. To work around this and make connections possible, the server has to keep an internal ledger that registers each user so their packets aren’t mixed up. In a data breach this could backfire, because the ledger makes it easy to tie a user’s identity to the address the server assigned.
The Nord Security team took the core of WireGuard’s code and improved it to solve this issue; the result is NordLynx. It differs from stock WireGuard in that it adds a double Network Address Translation (NAT) system. It creates a local interface for each session, assigning a unique IP address to users and their tunnels. That solves the ledger problem without logging current users to trace where each data packet should go. The IP addresses remain assigned only while the session is active, providing unparalleled performance and security when connected to a VPN server.
Only Nord Security products like NordVPN and NordLayer have this tunneling protocol.
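The ledger described above is WireGuard’s cryptokey routing table: each peer’s public key is pinned to the tunnel IPs it may use. The model below is an added example (not NordLynx or WireGuard code) with constructed placeholder keys; it shows both lookups the server performs against that table and why the table itself is sensitive data.

```python
import ipaddress
from typing import Dict, List, Optional

class PeerLedger:
    """Constructed model of a WireGuard-style peer table ("cryptokey routing"):
    public key -> the inner networks (AllowedIPs) that peer is allowed to use."""

    def __init__(self) -> None:
        self._allowed: Dict[str, List[ipaddress.IPv4Network]] = {}

    def register(self, public_key: str, allowed_ips: str) -> None:
        # AllowedIPs is a comma-separated list of prefixes, e.g. "10.8.0.2/32"
        self._allowed[public_key] = [
            ipaddress.ip_network(n.strip()) for n in allowed_ips.split(",")
        ]

    def peer_for_destination(self, inner_dst: str) -> Optional[str]:
        """Outbound: choose the peer whose AllowedIPs contains the inner
        destination address; the most specific prefix wins, like a route table."""
        addr = ipaddress.ip_address(inner_dst)
        best, best_len = None, -1
        for key, nets in self._allowed.items():
            for net in nets:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = key, net.prefixlen
        return best

    def accept_inbound(self, public_key: str, inner_src: str) -> bool:
        """Inbound: a decrypted packet is accepted only if its inner source IP
        lies within the sending peer's AllowedIPs; anything else is dropped,
        which stops one peer from spoofing another's tunnel address."""
        addr = ipaddress.ip_address(inner_src)
        return any(addr in net for net in self._allowed.get(public_key, []))

    def identities(self) -> Dict[str, str]:
        """The ledger itself: the user-to-address mapping a breach would expose."""
        return {k: ", ".join(map(str, nets)) for k, nets in self._allowed.items()}

def sample_ledger() -> PeerLedger:
    # Constructed placeholder keys; real WireGuard keys are base64 Curve25519 keys.
    ledger = PeerLedger()
    ledger.register("PEER_A_PUBKEY_PLACEHOLDER", "10.8.0.2/32")
    ledger.register("PEER_B_PUBKEY_PLACEHOLDER", "10.8.0.3/32, 192.168.50.0/24")
    return ledger
```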
Internet Key Exchange version 2 (IKEv2) is a VPN encryption protocol built around request and response exchanges. It relies on two mechanisms, one for authentication and one for encryption. For the latter, it uses the Diffie–Hellman key exchange to set up a shared session key. IKEv2 authentication is handled with X.509 public key infrastructure certificates, based on the International Telecommunication Union (ITU) standard.
IKEv2 belongs to the Internet Protocol Security (IPsec) suite and handles security associations (SAs), whose job is to find mutually agreed conditions for establishing a VPN tunnel. As IKEv2 uses UDP, it has relatively low latency and will be a speedy option for most use cases. It also isn’t very demanding on performance, so it can be set up on weaker hardware devices.
The protocol can also maintain the connection when switching between Wi-Fi and mobile data, so it is a good option for portable devices that rely on cellular data but can switch to Wi-Fi. In addition, IKEv2 implements features like automatically reconnecting when the connection drops.
OpenVPN is an open-source tunneling protocol and system that allows secure point-to-point and site-to-site connections to be established. Transport Layer Security, combined with the OpenSSL cryptographic library’s algorithms, handles the key exchange to increase the safety of your tunnel.
From a networking perspective, the OpenVPN protocol can operate in two modes: UDP or Transmission Control Protocol (TCP).
UDP — doesn’t use handshaking, meaning data packets are sent without waiting for confirmation that they reached their destination. It’s the same method used by WireGuard and IKEv2, prioritizing speed over connection stability.
TCP — uses a three-way handshake between the initiator and the receiver. The client sends a request, the server acknowledges receipt, and the client replies with a confirmation. While this may seem like many extra steps, it achieves a reliable connection at the cost of noticeably higher latency.
Both UDP and TCP slice your data into smaller packets when sending. They include the sender’s and receiver’s IPs, the actual data, and other configuration data. So, while it’s a much more advanced iteration, OpenVPN still relies on the same tunneling principles.
NordLynx vs IKEv2 vs OpenVPN
Whether you’re self-hosting a VPN server or turning to a VPN provider, you’ll have to pick a tunneling protocol for your connection. It’s one of the essential components of a VPN connection.
Here’s an overview of how NordLynx, IKEv2, and OpenVPN compare. Choosing the right protocol benefits your internet activity and avoids wasting resources where they aren’t needed.
Nord Security recently performed in-depth research into tunneling protocol speeds. They’ve found that the NordLynx protocol can ramp up to 1200 Mbps, while IKEv2 only reaches 600 Mbps, and OpenVPN is the slowest, with only 400 Mbps as the best-recorded speed. The same tendencies repeat across the board no matter the distance between the VPN server and the client’s location.
Based on their findings, if you’re looking for the fastest tunneling protocol, you should go with NordLynx (or WireGuard). The second fastest will be IKEv2, which can confidently hold its own even when connecting to the other side of the world. While it would be unfair to call OpenVPN slow, compared with NordLynx and IKEv2, its speeds seem moderate when using UDP. OpenVPN’s connection speeds become very slow in TCP mode, so keep this in mind.
When it comes to encryption, OpenVPN takes the edge because it uses the OpenSSL library. It supports various cryptographic algorithms like AES, ChaCha20, Poly1305, and others. OpenVPN can also use hashing algorithms for credentials like MD5, BLAKE2, and more. RSA, DSA, and many other algorithms can be used for the protocol’s private key operations. The extent of customization makes OpenVPN a very adaptable tunneling protocol for many use cases that could be relevant to your VPN setup.
Neither NordLynx nor WireGuard is as flexible regarding its encryption setup. Its encryption rests on ChaCha20 with no alternative, but that’s not a dealbreaker, as ChaCha20 is considered safer than AES. The protocol’s authentication is processed by the Poly1305 cryptographic function, using BLAKE2 for hashing. Its transport layer offers only UDP.
Much of OpenVPN’s customization also applies to IKEv2. It also provides a variety of robust encryption algorithms to choose from, like AES, Blowfish, and others. The main difference is that it only has a UDP setting.
Considering its flexibility, OpenVPN should be the safest choice due to the sheer number of options. NordLynx and, by extension, WireGuard aren’t as flexible, as they rely on specific algorithms. IKEv2 sits somewhere between them and can still be considered a secure tunneling protocol.
While WireGuard is open-source, NordLynx is proprietary, which can be a problem if you always need to know what’s in their code. Still, NordLynx’s WireGuard has no known security vulnerabilities. The same applies to OpenVPN.
However, since OpenVPN was around longer, independent testers had more time to iron out most of the bugs, meaning that it could be considered the safest option of all. The opinion of WireGuard is that it is still a work in progress, so it will take time before it’s as polished as OpenVPN.
However, IKEv2 is a bit of a different story. According to a leaked NSA presentation, exploiting vulnerabilities in the protocol resulted in successful decryption. While this is viewed as speculation, OpenVPN and WireGuard will be better options when aiming for maximum security.
Network port requirements
You might run into connectivity issues if your network doesn’t support a specific port used by your chosen tunneling protocol. Some network administrators or ISPs may close them to limit the attack surface, which can ruin your day if you’re trying to connect to your work resources with a VPN.
NordLynx and WireGuard use only UDP, and regular internet traffic doesn’t, so a network administrator can disable it. If the port is closed, the VPN protocol won’t be able to initiate a connection, which can be a problem. The same applies to IKEv2.
OpenVPN is one of the best options we have for compatibility. It’s the only one of the three that can use TCP port 443, the same port as HTTPS. So even where only limited web browsing is allowed, you should be able to get through with OpenVPN. OpenVPN therefore provides the best compatibility and will likely work in most cases where the others struggle.
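A practitioner would want to check an egress policy against each protocol’s ports before rolling a VPN out. The script below is an added example (not NordLayer’s tooling): it evaluates a constructed first-match firewall policy and reports which of the protocols above could connect. The ports are the commonly used defaults (UDP 51820 for WireGuard, UDP 500 and 4500 for IKEv2 with NAT traversal, UDP 1194 or TCP 443 for OpenVPN); deployments may change them.

```python
from typing import Dict, List, Optional, Tuple

# Assumed default ports for each tunneling protocol (not mandated; deployments vary).
VPN_PORTS: Dict[str, List[Tuple[str, int]]] = {
    "WireGuard/NordLynx": [("udp", 51820)],
    "IKEv2 (IKE + NAT-T)": [("udp", 500), ("udp", 4500)],
    "OpenVPN (UDP 1194)": [("udp", 1194)],
    "OpenVPN (TCP 443)": [("tcp", 443)],
}

# A rule is (action, protocol, port); protocol "any" or port None match everything.
Rule = Tuple[str, str, Optional[int]]

def egress_allowed(rules: List[Rule], proto: str, port: int) -> bool:
    """First-match evaluation of an egress policy; deny if no rule matches."""
    for action, rule_proto, rule_port in rules:
        if rule_proto in ("any", proto) and rule_port in (None, port):
            return action == "allow"
    return False

def usable_protocols(rules: List[Rule]) -> Dict[str, bool]:
    """A protocol is usable only if every port it needs is allowed outbound."""
    return {
        name: all(egress_allowed(rules, proto, port) for proto, port in needs)
        for name, needs in VPN_PORTS.items()
    }

# Constructed "web only" policy: HTTP, HTTPS and DNS out, everything else denied.
WEB_ONLY_POLICY: List[Rule] = [
    ("allow", "tcp", 80),
    ("allow", "tcp", 443),
    ("allow", "udp", 53),
    ("deny", "any", None),
]

if __name__ == "__main__":
    for name, ok in usable_protocols(WEB_ONLY_POLICY).items():
        print(f"{name:22s} {'can connect' if ok else 'blocked'}")
```

Adding a rule such as `("allow", "udp", 51820)` ahead of the final deny is how an administrator would open the policy for WireGuard without allowing all UDP.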
Numerous reports confirm that your data consumption increases when using a VPN. This shouldn’t be surprising, since each packet is repacked with extra headers on top of it, which increases its size. Over time this adds up, and on a metered connection you can reach your monthly data cap faster.
However, not all protocols have the same overhead. For instance, OpenVPN adds up to 20%, while WireGuard (and NordLynx) adds only 4%. IKEv2 is in between, adding 7%, which is still a good result. So, if you want to minimize data usage, you should stick with NordLynx.
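The overhead figures above are averages; per packet, the encapsulation cost is fixed while the payload varies, so small packets pay a far larger percentage. The function below is an added example (not a measurement from the page) that builds the WireGuard transport-data header layout and counts the IPv4/UDP headers and Poly1305 tag around it; the 16-byte padding step and the header sizes are stated from the protocol’s published design.

```python
import struct

# Fixed per-packet costs (bytes) when WireGuard is carried over IPv4/UDP.
IPV4_HEADER = 20
UDP_HEADER = 8
POLY1305_TAG = 16   # authentication tag appended to the encrypted payload
WG_MESSAGE_TYPE_TRANSPORT = 4

def wireguard_data_header(receiver_index: int, counter: int) -> bytes:
    """16-byte transport-data header: message type (u32, type 4 in the low byte,
    upper bytes reserved), receiver index (u32), nonce counter (u64), little-endian."""
    return struct.pack("<IIQ", WG_MESSAGE_TYPE_TRANSPORT, receiver_index, counter)

def padded_payload(payload_len: int) -> int:
    """WireGuard zero-pads the inner packet to a multiple of 16 bytes before encrypting."""
    return -(-payload_len // 16) * 16

def encapsulated_size(payload_len: int) -> int:
    """Total bytes on the wire for one inner packet of payload_len bytes."""
    header = len(wireguard_data_header(0, 0))
    return IPV4_HEADER + UDP_HEADER + header + padded_payload(payload_len) + POLY1305_TAG

def overhead_percent(payload_len: int) -> float:
    """Extra bytes relative to the inner packet, as a percentage."""
    return (encapsulated_size(payload_len) - payload_len) / payload_len * 100

if __name__ == "__main__":
    # Constructed inner packet sizes: a small keystroke-sized packet and a bulk packet.
    for size in (64, 1408):
        print(f"{size:5d}-byte packet -> {encapsulated_size(size)} bytes on the wire, "
              f"{overhead_percent(size):.1f}% overhead")
```

For a full-size 1408-byte packet the fixed cost is 60 bytes (about 4%), which matches the figure quoted above; for a 64-byte packet the same 60 bytes are nearly 94%.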
If you want to set up a VPN on devices like routers, you will have to hope that they support your chosen tunneling protocol. Otherwise, you’ll have to flash their firmware to set it up. The tunneling protocols that have been around the longest are in a better position, which gives IKEv2 and OpenVPN the edge.
Most devices natively support IKEv2, and it will be relatively easy to set up manual connections on them. Usually, you’ll have to pick the protocol from the list and enter specific addresses and credentials.
However, while it’s true that OpenVPN has been around for two decades, it relies on supplementary cryptographic libraries. Most manufacturers for consumer products don’t include them by default, so you may be required to look into firmware flashing if you’re setting it up on a router.
NordLynx and WireGuard are in the worst position in this regard. You’ll be able to use them only via the provider’s apps; the upside is that every primary operating system is supported, and most VPN providers’ apps also support IKEv2 and OpenVPN.
Which VPN protocol should you use and when?
Here’s a summary of each protocol’s benefits and drawbacks.
How can NordLayer help?
NordLayer develops a secure access service edge to enable a distributed workforce without confining it to any location. Our solution includes all the VPN tunneling protocols mentioned previously.
IKEv2 — uses a 3072-bit Diffie-Hellman key exchange over UDP.
OpenVPN — uses a 4096-bit Diffie-Hellman key exchange, with different ports for UDP and TCP.
NordLynx — uses ChaCha20 for symmetric encryption and Poly1305 for authentication, forming authenticated encryption with associated data (AEAD) that assures both the confidentiality and the authenticity of the data. It also includes a custom double NAT system.
You can switch VPN protocols at any time to constantly adapt, no matter how your circumstances change.
In addition, NordLayer allows you to manage your users via a centralized control panel with activity monitoring and network segmentation controls. A user-friendly interface and tech-minded customer support are also readily available to help you out.