What are VPN protocols and why do you need to understand the different options?
With most VPN providers offering a variety of VPN protocols to choose from, it is good to know the pros and cons of these different options so you can select the best fit for your unique needs.
In this guide we will compare the two most popular VPN protocols – OpenVPN vs IPSec – as well as L2TP/IPSec, IKEv2/IPSec, WireGuard, PPTP, and SSTP. This is meant to give you a brief overview of the pros and cons of each VPN protocol.
So let’s dive in.
What are the different VPN protocols?
What is a VPN protocol?
A VPN protocol is a set of instructions to establish a secure and encrypted connection between your device and a VPN server for the transmission of data.
Most commercial VPN providers offer a variety of different VPN protocols that you can use within the VPN client. For example, in the screenshot below, I am testing ExpressVPN and have the option to select OpenVPN UDP, OpenVPN TCP, SSTP, L2TP/IPSec, and PPTP.
These are the different VPN protocols in the ExpressVPN client.
Now we will take a closer look at various VPN protocols.
OpenVPN is a versatile, open source VPN protocol developed by OpenVPN Technologies. It is arguably the most secure and most popular VPN protocol in use today and has passed various third-party security audits.
OpenVPN is generally considered to be the industry standard when it is properly implemented and uses SSL/TLS for key exchange. It provides full confidentiality, authentication, and integrity and is also very flexible with various use cases.
Setup: OpenVPN requires special client software to use, rather than being built into different operating systems. Most VPN services provide custom OpenVPN apps, which can be used on different operating systems and devices. Installation is usually fast and simple. OpenVPN can be used on all major platforms through third-party clients: Windows, Mac OS, Linux, Apple iOS, Android, and various routers (check the firmware for compatibility).
Encryption: OpenVPN uses the OpenSSL library and TLS protocols to provide encryption. OpenSSL supports a number of different algorithms and ciphers, including AES, Blowfish, Camellia, and ChaCha20.
Security: OpenVPN is considered to be the most secure VPN protocol available, provided that it is properly implemented. It does not have any known major vulnerabilities.
Performance: OpenVPN offers good performance, especially if run over UDP (User Datagram Protocol), rather than TCP (Transmission Control Protocol). OpenVPN is also stable and reliable whether used over wireless or cellular networks. If you are having connection problems you can use OpenVPN with TCP, which will confirm all packets sent, but it will be slower.
Ports: OpenVPN can be used on any port using UDP or TCP.
Verdict: Highly recommended.
IPSec – Internet Protocol Security
What is IPSec?
IPSec (Internet Protocol Security) is a secure network protocol suite, developed by the Internet Engineering Task Force, that authenticates and encrypts data packets sent over an IP network. Unlike SSL, which works at the application level, IPSec operates at the network level and is supported natively by most operating systems, so it can be used without third-party apps (unlike OpenVPN).
IPSec has become a very popular protocol to use with VPNs when paired with L2TP or IKEv2, which we will discuss more below.
IPSec encrypts the entire IP packet using:
- Authentication Header (AH), which places a digital signature on each packet; and
- Encapsulating Security Payload (ESP), which provides confidentiality, integrity, and authentication of the packet in transit.
Leaked NSA presentation – A discussion of IPSec would not be complete without referencing a leaked NSA presentation that discusses the NSA compromising IPSec protocols (L2TP and IKE). It’s difficult to come to any concrete conclusions based on vague references in this dated presentation. Nonetheless, if your threat model includes targeted surveillance from sophisticated state-level actors, you may want to consider a more secure protocol, such as OpenVPN. On a positive note, IPSec protocols are still widely considered to be secure if they are implemented properly.
Now we will examine how IPSec is used with VPNs when paired with L2TP and IKEv2.
What is IKEv2/IPSec?
IKEv2 is a tunneling protocol that is standardized in RFC 7296 and it stands for Internet Key Exchange version 2 (IKEv2). It was developed as a joint project between Cisco and Microsoft. To be used with VPNs for maximum security, IKEv2 is paired with IPSec.
The first version of IKE (Internet Key Exchange) came out in 1998, with version 2 being released seven years later in December 2005. In comparison to other VPN protocols, IKEv2 offers advantages in terms of speed, security, stability, CPU usage, and the ability to re-establish a connection. This makes it a good choice for mobile users, particularly with iOS (Apple) devices which natively support IKEv2.
Setup: Setup is generally quick and easy, requiring you to import the configuration files for the servers you want to use from your VPN provider. (See this setup example with Perfect Privacy.) IKEv2 is natively supported on Windows 7+, Mac OS 10.11+, Blackberry, and iOS (iPhone and iPad), and some Android devices. Some operating systems also support an “always on” function, which forces all internet traffic through the VPN tunnel, therefore ensuring no data leaks.
Encryption: IKEv2 uses a large selection of cryptographic algorithms, including AES, Blowfish, Camellia, and 3DES.
Security: One drawback with IKEv2/IPSec is that it is closed source and was developed by Cisco and Microsoft (although open source implementations do exist). On a positive note, IKEv2 is widely considered to be among the fastest and most secure protocols available, making it a popular choice with VPN users.
Performance: In many cases IKEv2 is faster than OpenVPN since it is less CPU-intensive. There are, however, numerous variables that affect speed, so this may not apply in all use cases. From a performance standpoint with mobile users, IKEv2 may be the best option because it does well establishing a reconnection.
Ports: IKEv2 uses the following ports: UDP 500 for the initial key exchange and UDP 4500 for NAT traversal.
Layer 2 Tunneling Protocol (L2TP) paired with IPSec is also a popular VPN protocol that is natively supported by many operating systems. L2TP/IPSec is standardized in RFC 3193 and provides confidentiality, authentication, and integrity.
Setup: Setting up L2TP/IPSec is generally fast and easy. It is natively supported on many operating systems, including Windows 2000/XP+, Mac OS 10.3+, as well as most Android operating systems. Just like with IKEv2/IPSec, you simply need to import the configuration files from your VPN provider.
Encryption: L2TP/IPSec encapsulates data twice with encryption coming via the standard IPSec protocol.
Security: L2TP/IPSec is generally considered secure and does not have any major known issues. Just like with IKEv2/IPSec, however, L2TP/IPSec was also developed by Cisco and Microsoft, which raises questions about trust.
Performance: In terms of performance, L2TP/IPSec can really vary. On the one hand, encryption/decryption occurs in the kernel and it also supports multi-threading, which should improve speeds. On the other hand, because it double-encapsulates data, it may not be as fast as other options.
Ports: L2TP/IPSec uses UDP 500 for the initial key exchange, UDP 1701 for the initial L2TP configuration, and UDP 4500 for NAT traversal. Because of this reliance on fixed protocols and ports, it is easier to block than OpenVPN.
Verdict: L2TP/IPSec is not a bad choice, but you may want to opt for IKEv2/IPSec or OpenVPN if available.
WireGuard – A new and experimental VPN protocol
WireGuard is a new and experimental VPN protocol that seeks to provide better performance and more security over existing protocols.
As we covered in the main WireGuard VPN guide, the protocol has some interesting benefits in terms of performance, but it also comes with a few noteworthy drawbacks. The main drawbacks are as follows:
- WireGuard remains under heavy development and has not yet been audited.
- Many VPN services have raised concerns over WireGuard’s ability to be used without logs (privacy drawbacks).
- Very limited adoption by the VPN industry (at least for now).
- No support for TCP.
Setup: WireGuard is not included in any operating system. This will likely change over time when it is included in the kernel for Linux, Mac OS, and perhaps with some mobile operating systems. A very limited number of VPNs support WireGuard – check with the provider for setup instructions.
Encryption: WireGuard uses Curve25519 for key exchange, ChaCha20 with Poly1305 for authenticated encryption of data, and BLAKE2s for hashing.
Security: The major security issue with WireGuard is that it is not yet audited and remains under heavy development. There are a handful of VPNs already offering WireGuard to their users for “testing” purposes, but given the state of the project, WireGuard should not be used when privacy and security are important.
Performance: WireGuard should theoretically offer excellent performance in terms of speed, reliability, and also battery consumption. It may be the ideal protocol for mobile users because it allows you to switch between network interfaces without losing the connection. Re-connecting is also supposed to happen much faster than with OpenVPN and IPSec.
Ports: WireGuard uses UDP and can be configured on any port. Unfortunately, there is no support for TCP, which makes it easier to block.
Verdict: Not (yet) recommended, but I’ll keep an eye on the project’s development.
PPTP – Outdated and not secure
PPTP stands for Point-to-Point Tunneling Protocol and is one of the oldest VPN protocols still in use today. It runs on TCP port 1723 and was initially developed by Microsoft.
PPTP is now essentially obsolete due to serious security vulnerabilities. We won’t spend too much time discussing PPTP because most people are not even using it anymore.
PPTP is supported natively on all versions of Windows and most operating systems. While it is relatively fast, PPTP is not as reliable and does not recover as quickly from a dropped connection as OpenVPN.
Overall, PPTP should not be used in any situation where security and privacy are important. If you are just using a VPN to unblock content, PPTP may not be a bad choice, but there are more secure options worth considering.
Verdict: Not recommended
SSTP – A VPN protocol for Windows, but not very common
Like PPTP, SSTP is not widely used in the VPN industry, but unlike PPTP, it does not have major known security issues.
SSTP stands for Secure Socket Tunneling Protocol and is a Microsoft product that is available for Windows only. The fact that it is a closed source product from Microsoft is an obvious drawback, although SSTP is also considered to be quite secure.
SSTP transports traffic through the SSL (Secure Sockets Layer) protocol over TCP port 443. This makes it a useful protocol in restricted network situations, such as if you need a VPN for China. There is also support for other operating systems aside from Windows, but it is not widely used.
Because SSTP is closed source and remains entirely under the ownership and maintenance of Microsoft, you may want to consider other options. Of course, SSTP may still be the best option if all other protocols are getting blocked on your network.
In terms of performance, SSTP does well and is fast, stable, and secure. Unfortunately, very few VPN providers support SSTP. For many years ExpressVPN supported SSTP in the Windows client, but it is no longer supported today.
Verdict: SSTP may be useful if other VPN protocols are getting blocked, but OpenVPN would be a better choice (if available). Most VPNs do not offer any support for SSTP.
OpenVPN UDP vs OpenVPN TCP
With OpenVPN being the most popular VPN protocol, you can usually select between two varieties: OpenVPN UDP or OpenVPN TCP. So which to choose?
Below I’m testing out NordVPN, which gives me the option to select TCP or UDP protocols.
Here’s a brief overview of both protocols:
- TCP (Transmission Control Protocol): TCP is the more reliable of the two, but it comes with some performance drawbacks. With TCP, each packet is sent only after the previous one is confirmed to have arrived, which slows things down. If no confirmation is received, the packet is simply resent; this is what is known as error correction.
- UDP (User Datagram Protocol): UDP is the faster of the two. Packets are sent without any confirmation, which improves speed but may be less reliable.
By default, OpenVPN UDP would be the better choice because it offers superior performance over OpenVPN TCP. If you are having connection problems, however, switch to TCP for more reliability.
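To make the two delivery models above concrete, here is an added toy simulation (not code from the article, from OpenVPN, or from any VPN provider). It models an acknowledged, retransmit-until-confirmed sender against a fire-and-forget datagram sender over a constructed channel that drops every fourth transmission; the packet count and drop pattern are assumptions chosen for the demo.

```python
"""Toy model of acknowledged (TCP-like) vs unacknowledged (UDP-like) delivery.

Added to this article as an illustration; the lossy channel below is
constructed and deterministic so the outcome can be reasoned about.
"""


def make_lossy_channel(drop_every):
    """Return a send() function that reports delivery (True) or loss (False),
    dropping every drop_every-th transmission. Constructed for the demo."""
    sent = 0

    def send():
        nonlocal sent
        sent += 1
        return sent % drop_every != 0  # True means the packet arrived

    return send


def deliver_with_acks(n_packets, channel):
    """TCP-like: a packet is resent until its arrival is confirmed, so every
    packet eventually arrives, at the cost of extra transmissions (each a
    round trip of waiting for an acknowledgement)."""
    transmissions = delivered = 0
    for _ in range(n_packets):
        while True:
            transmissions += 1
            if channel():
                delivered += 1
                break
    return {"delivered": delivered, "transmissions": transmissions}


def deliver_datagrams(n_packets, channel):
    """UDP-like: each packet is sent once and never waited for; losses stay lost."""
    transmissions = delivered = 0
    for _ in range(n_packets):
        transmissions += 1
        if channel():
            delivered += 1
    return {"delivered": delivered, "transmissions": transmissions}


def compare(n_packets=10, drop_every=4):
    """Run both senders over identical channels and return their statistics."""
    return {
        "tcp_like": deliver_with_acks(n_packets, make_lossy_channel(drop_every)),
        "udp_like": deliver_datagrams(n_packets, make_lossy_channel(drop_every)),
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name}: {stats}")
```

With ten packets and every fourth transmission lost, the acknowledged sender delivers all ten but needs thirteen transmissions (three extra round trips), while the datagram sender finishes in ten transmissions and delivers eight. That is the reliability-versus-latency trade the section describes.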
TCP is often used to obfuscate VPN traffic so that it looks like regular HTTPS traffic. This can be done by running OpenVPN TCP on port 443, with the traffic wrapped in TLS encryption. Many VPN providers offer various forms of obfuscation to defeat VPN blocks, and most use OpenVPN TCP.
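The "Ports" notes for each protocol above add up to a small detection rule for anyone watching a network: IKEv2 and L2TP on UDP 500/4500/1701 and PPTP on TCP 1723 can be recognised from the port alone, while OpenVPN and WireGuard can sit on any port and OpenVPN TCP on 443 is deliberately indistinguishable from HTTPS. The following is an added example (not the author's code nor any VPN provider's tooling) that labels constructed flow records with that table; the Flow type, the sample addresses and the port 1194 entry are assumptions for the demo.

```python
"""Port-based labelling of VPN tunnels seen in flow records.

Added to this article as an illustration. The port table comes from the
"Ports" notes in the article; the flow records below are constructed.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Fixed transport/port pairs named in the article. OpenVPN and WireGuard can
# run on any port, so they have no fixed entry and can only be guessed at.
KNOWN_VPN_PORTS = {
    ("udp", 500): "IKEv2/IPSec or L2TP/IPSec (IKE key exchange)",
    ("udp", 4500): "IKEv2/IPSec or L2TP/IPSec (NAT traversal)",
    ("udp", 1701): "L2TP/IPSec (L2TP setup)",
    ("tcp", 1723): "PPTP",
}


def classify_flow(flow):
    """Return (label, confidence) for one flow.

    Fixed-port protocols are labelled with high confidence. TCP/443 is
    ambiguous by design: it carries ordinary HTTPS, SSTP, and OpenVPN TCP
    used for obfuscation, so port inspection alone cannot separate them.
    """
    proto = flow.proto.lower()
    key = (proto, flow.dport)
    if key in KNOWN_VPN_PORTS:
        return KNOWN_VPN_PORTS[key], "high"
    if key == ("tcp", 443):
        return "HTTPS, SSTP or OpenVPN TCP on 443 (not separable by port)", "low"
    if proto == "udp":
        return "possibly OpenVPN UDP or WireGuard (any UDP port)", "low"
    return "possibly OpenVPN TCP (any TCP port)", "low"


def report(flows):
    """Label every flow; returns a list of (src, label, confidence)."""
    return [(f.src, *classify_flow(f)) for f in flows]


def fixed_port_vpn_hosts(flows):
    """Hosts whose flows match a fixed-port VPN protocol: the tunnels the
    article notes are easiest to recognise (and therefore to block)."""
    return {f.src for f in flows if classify_flow(f)[1] == "high"}


# Constructed sample flows: 10.0.0.0/8 is private address space and
# 203.0.113.0/24 is a documentation range, so these are not real hosts.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "udp", 500),
    Flow("10.0.0.5", "203.0.113.10", "udp", 4500),
    Flow("10.0.0.7", "203.0.113.20", "udp", 1701),
    Flow("10.0.0.9", "203.0.113.30", "tcp", 1723),
    Flow("10.0.0.11", "203.0.113.40", "tcp", 443),
    # 1194 is OpenVPN's registered default port; the article does not name it,
    # so this entry is an assumption added for the demo.
    Flow("10.0.0.13", "203.0.113.50", "udp", 1194),
]

if __name__ == "__main__":
    for src, label, confidence in report(SAMPLE_FLOWS):
        print(f"{src:<10} {confidence:<5} {label}")
```

The point of the low-confidence branches is the caveat a practitioner needs: a port rule identifies the fixed-port protocols reliably, but an OpenVPN TCP tunnel on 443 looks like any other TLS connection, which is exactly why providers use it to get through blocks.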
What is the best VPN protocol?
As noted in my overview of the best VPN services, there is no one-size-fits-all solution for every person. This applies to choosing a VPN service and also to selecting a VPN protocol. The best protocol for your situation will depend on a few different factors:
- The device you are using – different devices support different protocols.
- Your network – if you are in a restricted network situation, such as in China or with school and work networks, some protocols may not get through. Some VPN providers offer designated VPN protocols for these situations – see the VPN for China guide for more of a discussion on this topic.
- Performance – Some protocols offer big advantages in terms of performance, especially on mobile devices that go in and out of connectivity.
- Threat model – Some protocols are weaker and less secure than others. Choose the best VPN protocol for your security and privacy needs, given your threat model.
As a general rule of thumb, however, OpenVPN is arguably the best all-around VPN protocol. It is very secure, trusted, widely used in the industry, and it offers good speed and reliability. If OpenVPN is not an option for your situation, simply consider the alternatives.
With the majority of VPN services, OpenVPN is generally the default protocol used in their apps, although L2TP/IPSec and IKEv2/IPSec are common with mobile VPN clients.
VPN protocols conclusion
This VPN protocols guide is meant to serve as a basic overview of the main VPN protocols in use today: OpenVPN, L2TP/IPSec, IKEv2/IPSec, WireGuard, PPTP, and SSTP.
For more in-depth information on each protocol, you can examine references from the respective developers.
This guide will continue to be updated as development continues with these different VPN protocols.
Last updated on August 13, 2019.
About Sven Taylor
Sven Taylor is the founder of Restore Privacy. With a passion for digital privacy and online freedom, he created this website to provide you with honest, useful, and up-to-date information about privacy, security, and related topics.
September 30, 2019
Sven, Thank you for your interesting, succinct article.
I have just installed ExpressVPN on my high spec Windows 10 laptop.
I have installed the Speedtest app by Ookla on to my laptop. My unsecured broadband (BB) speed is 220 Mbps DL / 22 Mbps UL. When I use the default ExpressVPN settings (Smart Location, OpenVPN (UDP)) to secure my connection, the maximum BB speed I can achieve is 108 Mbps DL / 19 Mbps UL.
I raised this with ExpressVPN customer services and they have suggested changing the protocol from OpenVPN to L2TP-IPsec. Their customer services said to ignore the warning generated by the app when I select L2TP-IPsec that L2TP-IPsec is a weak protocol because it is, in fact, completely secure. I have therefore changed ExpressVPN’s protocol to L2TP-IPsec and the secured BB speed has increased significantly to 175 Mbps DL / 20 Mbps UL. It does, therefore, seem that customer service is correct that changing from OpenVPN to L2TP-IPsec significantly reduces the amount of BB speed I lose as a result of securing my connection.
I am, however, concerned about using L2TP-IPsec as my default protocol. There seems to be plenty of recommendations on reputable websites that L2TP-IPsec should be avoided unless absolutely necessary. Even ExpressVPN’s own website says, “L2TP-IPsec provide weak security benefits and should only be used for anonymization or for changing locations” and “ExpressVPN does not recommend using L2TP or PPTP unless absolutely necessary. These protocols offer only minimal security.”. You can see these at https://www.expressvpn.com/support/troubleshooting/failed-connection/?redir=www.exp2redir2.com&#change-protocol.
Setting my VPN protocol to L2TP-IPsec does not, therefore, fill me with confidence.
One of the reasons I decided to buy a subscription to ExpressVPN, despite it being the one of the most expensive VPN providers on the market, is because I value quality and want a high-speed VPN connection. I pay for a high-speed BB connection and there is no point in buying a lower-quality VPN service if I end up forgoing most of the BB speed that I am paying for. Understandably, I would like to maintain as much of this BB speed as possible. The UL speeds are comparable for unsecured and the two different VPN protocols, so are not a problem. The DL speeds, on the other hand, are being hugely reduced from their unsecured speed of 220 Mbps to a little over 100 Mbps for the generally accepted most secure VPN (OpenVPN (UDP)), and moderately reduced from unsecured DL speed to L2TP-IPsec speed of 175 Mbps.
For both protocols, as well as accepting the software’s default “Smart” location for the server, I have also manually connected to alternative ExpressVPN servers. I have run the speed test multiple times and quote the maximum speeds I have achieved. I am therefore being fair to ExpressVPN by quoting the maximum achievable speeds.
I have three questions:
1. I understand that securing a connection with a VPN causes a drop in BB speed but is such a drop expected? What reduction in BB 220 Mbps DL & 20 Mbps UL speeds should one expect when using a high-quality VPN service?
2. Are there any ways to mitigate the reduction of BB speeds when using a VPN so that encrypted speeds approaching the unsecured speeds are achievable?
3. How concerned about setting the default protocol to L2TP-IPsec should I be? I understand that it is clearly better than no encryption but the whole point of using a professional VPN is that I can be confident that all of my connections are completely secure and unable to be intercepted.
Sven Taylor says
September 30, 2019
Hello, this all comes down to your threat model, what you need a VPN for, and what you are comfortable with. These speeds are pretty good and you probably won’t find much better anywhere else. I discuss about ten tips for speed optimization in my best VPN guide, but it sounds like you’re doing everything right. So maybe stick with L2TP/IPSec if you really need lots of bandwidth and less security, but then use OpenVPN for when security is more of a priority than speed.
September 30, 2019
Sven, Thank you for your swift reply.
Yes, I have seen your 16/09/2019 review of ExpressVPN and see that, on your 160 Mbps connection (I assume that 160 Mbps was the actual unsecured speed at the time of comparison?), you achieved 140 – 150 Mbps using ExpressVPN’s default OpenVPN protocol. This demonstrates that the reduction in broadband speed caused by securing the connection does not, therefore, have to be great when using the ideal protocol of OpenVPN. You even achieved 147 Mbps from the “UK- Docklands” server, despite being based in Germany. This is why I am at a loss. I am based in London, UK, and have connected to various servers around the UK. I have also connected to servers abroad. I am physically close to the London servers of “UK – Docklands”, “UK – East London”, “UK – London” yet I have not once achieved anywhere near the OpenVPN speeds that you have, despite being physically closer to the servers than you. The 108 Mbps using OpenVPN was the maximum speed I have achieved but the average speed tends to be closer to 80 Mbps. I have even tried the “Switzerland – 2” server, which provided you with an avalanche of 150 Mbps. Using the Switzerland server I achieve 99 Mbps using OpenVPN and 176 Mbps using L2TP-IPsec (the difference between the two protocols really is remarkable). How are you able to achieve speeds which are 50% greater than I can, when you are further away from the servers? The software is the current version and when I disconnect the VPN, my unsecured BB speed is still ~220 Mbps. It is highly unlikely to be due to my ISP throttling my bandwidth as 1) they state that they don’t throttle VPN connections and 2) ISPs and websites are normally able to identify L2TP-IPsec traffic as being a VPN more easily than OpenVPN traffic, yet my L2TP-IPsec connection is apparently not being throttled. It doesn’t make sense. What am I missing?!
Sven Taylor says
October 1, 2019
There are many variables affecting speed, it’s difficult to narrow down exactly what’s going on.
October 1, 2019
Interestingly, I have reviewed the log of speed tests I have run and I see that for:
Unsecured connections, packets lost average 0%;
OpenVPN connections, packets lost average 1%;
L2TP-IPsec connections, packets lost range from 12% – 25%, with an average in the high teens.
What could be the reason why L2TP-IPsec suffers from such high packet loss (I have looked for answers online but haven’t discovered a good explanation)? I guess this would mean that the high BB speed I achieve with an L2TP-IPsec connection is less reliable, so making the apparent high speeds less relevant.
Jesus António says
September 4, 2019
WireGuard was audited, math proofed and was included in the Linux kernel.
Sven Taylor says
September 4, 2019
I’ve seen a “security analysis” and “partial audit” – but not a full security audit the likes of which OpenVPN has already undergone.
August 23, 2019
Fastestvpn does not offer OpenVPN within their Windows client but it has to be configured manually. That being said, they offer TCP or UDP with AES. So the question is whether selecting TCP or UDP with AES is sufficient without OpenVPN or they must always be used with it?
Sven Taylor says
August 23, 2019
Marc, that is OpenVPN TCP and OpenVPN UDP.
March 16, 2019
There is formal proof for the WireGuard VPN protocol. You don’t develop any argument over the benefits of WireGuard which makes this article suspicious.
Sven Taylor says
March 17, 2019
Perhaps the main WireGuard article will alleviate your “suspicions” – whatever they are.
May 24, 2019
Obviously you are in the pocket of Big-UDP
Sven Taylor says
May 24, 2019
What’s that supposed to mean? Who is “Big-UDP”?
Hard Sell says
September 28, 2019
JZ – your “in the pocket” comment, aka “on the payroll”, is not true – Sven is not in with any promotion of that (Big-UDP) thing or a business listed on the site, as his ‘Mission’ states –
– No paid rankings, paid content, or paid links
Restore Privacy will never be paid to rank/recommend certain products or services over others.
Paid rankings seem to be a problem with most “review” sites of all kinds. The internet is increasingly becoming a “pay to play” ecosystem – and this is a trend we hate to see unfolding.
*Restore Privacy will also never publish paid content. While the site does highlight a number of different privacy tools, we are never paid to do so.
**And finally, we will never participate in any kind of paid link scheme – another popular trend with most – With Restore Privacy, all products/services are reviewed independently and we are never paid to conduct a review or test the service. We will never be paid to change or modify any review.
Restore Privacy has a select few affiliates that align with our mission and commitment to transparency. If you purchase a router on Amazon or a VPN subscription through a link on this site, we may earn a small commission – at no additional cost to you. As a general rule, we refuse to work with companies that have bad track records and/or dishonest practices.
August 21, 2019
The *implementation* needs to be stabilized and audited. A formal proof does not an implementation make.
Hard Sell says
January 22, 2019
@Basil, here’s some general help or knowledge.
First I’ll try to answer your questions.
Q- What protocol does the default Windows VPN client use?
I don’t know your specific OS version but, covering the things I think would be helpful to you.
> Built-in VPN client > Tunneling protocols
The Automatic option means that the device will try each of the built-in tunneling protocols until one succeeds.
It will attempt from most secure to least secure.
(see listed – IKEv2, L2TP, PPTP, SSTP)
The order here is not defined as to which one Windows 10 considers most to least secure.
(This blog only talks about the native (Microsoft) VPN client.)
> Tunnel Type
The Tunnel Type is set to ‘Automatic’ which results in IKEv2, SSTP, PPTP and L2TP tunnel types being negotiated (in that order).
Once the tunnel is negotiated, the VPN client remembers it for the subsequent connections.
User cannot change tunnel type through PC Settings.
You’ve replied – “The default windows vpn client is set for auto.”
And in your original comment “If I use the IP address and VPN configuration (userid/pw) and enter that into the native Windows VPN client, my speeds are usually really good.”
@- I can’t help but think the native Windows VPN client is going with a lower built-in tunneling protocol (a less secure one) in your case of the Win OS version you’re using.
So with using the native Win. VPN client, your speeds would seem far better to you in your comparison of both, that you realized with the third-party VPN client was much slower to you.
The Windows 10 VPN client process works for the easier VPN protocol types such as PPTP and L2TP, but if you want to use IKEv2 that requires installing a root certificate from your VPN provider.
Keeping in mind that not every VPN service supports IKEv2 so using this method depends greatly on your VPN service provider.
Besides you have most likely made use of a stronger tunneling protocol given with a downloaded third-party VPN client.
That’s possibly being the OpenVPN protocol.
-But, I noted as you’ve said – “regardless of what protocol I use”, to me that seems like you’re talking about the encryption tunneling protocol type used by any third-party VPN clients.
-Have you tried switching to a different Internet protocol in your use of the third-party VPN clients, most offer the UDP as well of the TCP internet transmission protocols.
Best I understand this–
UDP stands for User Datagram Protocol. Though it can be configured to run on any port, OpenVPN runs best on a UDP port, which is generally faster.
TCP stands for Transmission Control Protocol. Unlike UDP, TCP is error-checked, meaning that dropped packets result in a retransmission.
This results in an increased reliability at the expense of transmission latency.
– These are entirely different protocols methods in most third-party VPN clients, as one protocol deals with your internet transmission connections, and the other protocol deals with your encryption types of your data.
Are you currently subscribed to any VPN service provider and which one would that be ?
If not, this might be a limiting factor in any trial or try-out period offered to you as a free VPN user in your testing its paid VPN service out.
Other factors may play a role here too, as the time of day it’s used, with a particular VPN server’s location and its users’ load in any given time period.
As well that a VPN provider may simply oversell its service and can’t handle its customer base’s demands to certain server locations.
Then also understanding the speed and connection type your given from your own ISP and in their own network user loads to it.
-It may be a good idea to run some tests and check your Internet connection speed with and without a third-party VPN client being used.
A third-party VPN client will always slow your internet speeds to a degree using it. That’s a reality – though it won’t make your connection speed crawl or it shouldn’t in any VPN’s case.
-In regards to your own ISP, is that a wired connection ?
Maybe trying from a friend’s location in their wired ISP’s connection with your third-party VPN client’s service and relate the differences of your speeds to your home location.
If that’s not possible invite a friend over to your place using a different VPN service or the same, and relate the speed differences that the both of you get – one on VPN and one without, then both on or both off the VPN.
The downside to using the built-in Windows VPN client is that you have to give it a specific server’s IP to use as opposed to easily jumping between the different server locations the way you can with a commercial third-party VPN service’s installed client.
Then by understanding how is your DNS translation processed within the Windows built-in VPN client or even being handled, will that be performed by your ISP instead ?
-Most VPN providers run their own dedicated DNS servers in order to perform this DNS translation task themselves, but some make use of public DNS services such as Google DNS instead.
*Will using a third-party VPN server’s IP address and your (userid/pw) configuration with the Windows built-in VPN client allow you to use your VPN provider’s own dedicated DNS servers, or will that require its own dedicated VPN client being installed ?
If the Windows built-in VPN client defaults to the Windows system for its DNS use – that’s not ideal by any standard means.
-It appears a new feature in Windows 10 means that DNS requests are directed not just through your VPN tunnel, but also through your ISP and the local network interface.
This is because by default Windows 10 attempts to improve web performance by sending DNS requests in parallel to all available resources at once, and (at least in theory) using the fastest one.
-This problem has led the United States Computer Readiness Team (US-CERT), an official department of the US Department of Homeland Security, to issue an alert.
ALERT – https://www.us-cert.gov/ncas/alerts/TA15-240A
Also see > “Smart Multi-Homed Name Resolution”, mainly a Windows 10 problem.
I can only hope this helps you and others : )
January 25, 2019
Thanks Hardsell. I have manually selected IKEv2 through my native VPN client. I have used Express VPN, NordVPN, PIA, IP Vanish. Now I’m using Windscribe. I’ve had similar results with all the VPN providers’ clients that I mentioned. Additionally, my CPU load is quite low too so it’s not a CPU issue causing the substantial reduction in speeds.
I appreciate your effort and your explanation! Unfortunately, all that information is overwhelming for me. I’m sure it will help others who are savvier with VPNs though.
Hard Sell says
January 25, 2019
Hi Basil, I’m not trying to be mean, just informative as I’m not a tech-savvy person either.
I can very well smell a stink in the air or see a fog over the landscape, as I hope you can.
So when you’re ready and have the time please come back to my posts on this site expanding your knowledge.
Foremost, I was hoping to inform you enough to leave your VPN operations to a dedicated third-party commercial VPN’s client and its service located outside the ol’ USA.
Where you’ll most likely find a community and/or forum behind a VPN provider to assist other users with like problems as yours – hopefully giving you the correct answers sought.
And/or in finding out about any specific problems within its VPN service to their user base already established by them.
Where to, of lowly rated user comments left on some VPN review sites concerning a VPN provider would be helpful to inform future customers, if the mediums above don’t exist there of a VPN provider.
Ultimately in my trying by swaying you away from any use of the default Windows VPN client, after all this is a restore privacy site – isn’t it…
Excessive System CPU expenditures (I’d hardly think so), more a matter of the VPN encryption protocols used and of your choice in it’s servers locations that are killing your latency (speed and connection time).
Windows OSes already have a bad reputation for telemetry (sending loads of your machine’s info to Microsoft); updates to older OS versions catch up on the telemetry game with some updates.
Please read a few, in why I don’t trust the use of Win’s default VPN client (in-built of the system base)-
(if a popup appears over the article – just use the X to close it…)
Followings – probably should be located in https://restoreprivacy.com/privacy-tools/
But I’ll post them here for you, Sir.
About Windows updates in general please read-
And for current updates-
Monthly Security-only updates for Win 7 and 8.1-
The site has a lot to offer on updates in general for a Windows system user.
Blackbird is a Windows security tool which improves your privacy on your Windows PC.
The program comes in a zipped file and requires no installation.
“Understanding a short rundown” – Blackbird Privacy Tool will tweak Windows 10 and older versions in Privacy & Telemetry settings.
Thank you Basil : )
January 15, 2019
What protocol does the default Windows VPN client use?
The reason I ask is I found with most VPN provided clients (that you download), my speeds all suck regardless of what protocol I use. If I use the IP address and VPN configuration (userid/pw) and enter that into the native Windows VPN client, my speeds are usually really good…at least with the major VPN providers anyways.
Sven Taylor says
January 20, 2019
Windows natively supports a few different protocols: PPTP, L2TP/IPSec, SSTP, IKEv2/IPSec… So see what protocol config you are importing from your VPN service and you’ll have the answer.
January 21, 2019
How would I “see” what protocol configuration I’m using? The only information I have, as I said above, is my user ID, password and server IP address…nothing else. The default Windows VPN client is set for auto.
Sven Taylor says
January 21, 2019
Unfortunately I don’t have a Windows testing machine available right now to look at the native VPN options more, I’d just ask your VPN service.