Which VPN protocol is best to use? and why?

Nathan House
A free video tutorial from Nathan House
Leading Cyber Security Expert
4.6 instructor rating • 7 courses • 271,139 students

Learn more from the full course

The Complete Cyber Security Course : Anonymous Browsing!

Volume 3 : Become a Cyber Security Specialist, Anonymous Browsing, Hide my IP, Tor, Privacy, Proxy Servers and Best VPNs

13:32:13 of on-demand video • Updated August 2020

  • An advanced practical skill-set in how to stay anonymous online, how to maintain privacy and how to bypass firewalls and proxies.
  • After this course, you will have a detailed understanding of how anonymity online might be achieved against various types of adversaries. From corporations to nation-state adversaries.
  • Start a career in cyber security. Become a cyber security specialist.
  • The very latest up-to-date information and methods.
  • You will learn how to apply effective OPSEC or operational security to maintain anonymity online. OPSEC is the actions and behaviors required to maintain security and anonymity.
  • We look at live operating systems, what they are, which are the best ones, and how they can be used for security, privacy, and anonymity.
  • You will gain a complete understanding of how to use virtual private networks (or VPNs) for security, privacy and to attempt anonymity. Everything from choosing a provider to preventing protocol leaks.
  • We fully explore the anonymising service and darknet known as Tor. What are its weaknesses and what you can do to mitigate those weaknesses to improve your anonymity and security when you are using Tor. Including exploring the use of virtual and hardware routers and gateways.
  • You will learn how proxies servers are used for privacy and hiding your IP address. You will understand the difference between the various types of proxies, what they are suitable for, and importantly learn about their many weaknesses.
  • We cover how to use the extremely versatile SSH protocol for optimal security, privacy, and anonymity. Covering local, remote and dynamic port forwarding. Authentication and hardening.
  • You will understand the i2p darknet and how to best use it with optimal configuration to protect your security and anonymity.
  • We look at other privacy and anonymizing services too such as JonDoNym, botnets, and bulletproof hosting services.
  • We cover in detail how censorship can be circumvented by learning how to bypass firewalls, proxies, deep packet inspection technology and nation state censorship.
  • Then we learn the more advanced methods of anonymization by exploring nesting and chaining anonymizing services together. You will understand their strengths, weaknesses and what each chaining method is suitable for.
  • You will understand how to use off-site connections such as Wi-Fi hotspots and Internet cafes for privacy and anonymity. How to use them securely and anonymously even against a well-resourced adversary with global influence.
  • We cover how to use cellular networks for privacy and anonymity. You will understand the inherent weaknesses of cellular networks and how to use them best for privacy and anonymity.
  • For each section, you will learn both the theory and how to step by step setup each method.
  • A certificate of completion is available signed by the instructor Nathan House so CPE credits can be claimed. An off-site sign-up is required to provide your details for this optional certificate.
English There are a number of VPN protocols which are available so we can get a little bit confusing when it comes to choosing what you should use and why we have things like p p t p l to t p IPs SEC open VPN . SS T.P. version 2. And those are the most common ones. Plus there are some other more obscure ones that use SSL and TLR. Which is open connect and soft ether. So let's go through these as quickly as we can. So you have people ETP which is a point to point protocol. Do not recommend this. The Microsoft implementation has had major security flaws M-S chap version 2 which is often uses the authentication within Piep ETP is vulnerable to dictionary attacks and the RC for algorithm is subject to a bit fliping attack. Even Microsoft does not recommend using it. It does come available within the Windows operating system so it's very easy to set up. That's why people still use it. Nation-State NSA GCH. Q People like that are very very likely to be able to decrypt PPTP and will be able to with previous recorded and stored traffic be able to decrypt that PBT be encrypted VPN. And if you want to look at some cryptanalysis or PBT pay and sort of a classic paper by Bruce Schneier on on why he has broken. So the only reason to use ETP is if all of the options are effectively not possible and the only other option is sending plain text. Next is El-Soo T.P. and the second combination L2 T-P is usually implemented with resect provide encryption privacy because L2 T.P. doesn't provide encryption of the traffic an IP sec does provide encryption and privacy advantage of L2 T.P. IP sec is that most modern operating systems natively support them . A quick and easy to set up Windows Mac Linux I asked Android will support these now LDP and IP sex uses fixed ports and protocols which unfortunately makes it inflexible. So UDP 500 is huge. The initial key exchange protocol 50 for the IP encrypted ISP UDP 17:1 for the initial L2 T.P. configuration and UDP four thousand five hundred four not traversal. It is therefore more easily blocked by net firewalls and may require port forwarding when used behind a firewall. So L2 T-P is much easier to block than open VPN due to its reliance on these fixed protocols and pause the traffic coming encrypted that triple Dare's And yes the preference would be two five six. Yes give them the choice. If you're not concerned about nation state level adversaries then this is a viable VPN option. If you're using a -- and it's not a problem for getting through a firewall. However if you are concerned about nation state adversaries this is not recommended. There is strong evidence that the NSA and probably others GCH Q et cetera are using a flaw in the key exchange in order to decrypt the traffic. Now if you want to know more about this that's being released this top secret document which is where the information is from. And if we scroll down you can read more about what it is that they're actually doing. So the to use VPN capability will implement an operational capability to detect and decrypt selected communication that are encrypted using IP security IP SEC algorithms and protocols. It will forward the encrypted content to follow on processing systems. The T VPN capability will collect metadata about IP sec Internet key exchange events and for the method data to follow on SIGINT. So they're pretty good evidence that's IP PSEC is compromise on a nation state level. Another potential problem is when IP Sec'y is configured to use pre-shared keys and that those pre-shared keys are available publicly. So this can be for example you use a VPN service and they give out a password for you to connect to that VPN service. And that is a known password that everybody uses. Now that's an implementation vulnerability and enables man in the middle attacks. There's nothing wrong with IP set per se. It's just that somebody can implement it incorrectly. Another concern is the IP sec may have been deliberately weakened by the NSA. And there is an interesting post on this which is here and this is by a guy called John Gilmore is a security researcher and he was one of the founding members of the F-F the Electronic Frontier Foundation . An essay may have actually deliberately weakened. So in conclusion on this one it does work natively on most operating systems so it's simple and easy to get to work which is obviously always great. You don't want to be using a two five six. That's pretty solid. And this will protect you against hackers and low level trackers but it isn't going to protect you against nation state level adversaries are best avoided in that case. So onto open VPN. This is an open source project that uses the open SSL library and SSL version 3 anti-alias version 1 protocols one of its main advantages is that the protocols and ports are configurable so it runs fastest over UDP but it can use TZP and sacrifice speed. This means you could set it up for example that emulate normal CPS web traffic by configuring it for poll for 4:03 on TC pay. This makes it very difficult to tell the VPN is being used and not just normal web traffic but if you don't need that level of port protocol obfuscation it works faster over UDP open VPN uses the open SSL library which means it supports lots of encryption algorithms. Sure you here including all of the ASP Blowfish Kamila RSA if he held a key Xchange elliptical curve that kooka helmet together. Perfect Forward Secrecy Yes Blowfish are the most commonly used for trafficking correction and blowfish is the default symmetric encryption algorithm for encrypting the data. I recommend a two five six as usual or Kamila to 5:6 open. VPN is fast but obviously the higher bit Leonti go slow the connection. That's the same with most VPN. Probably the biggest disadvantaged open VPN is is not natively supported by most operating systems. You just click on here. So what you have to do is you have to get free software that you can download and install. So here on the open VPN Web site you can see you can download these various third party software set up these clients isn't straightforward and some non-technical could get lost in a configuration. They are available for all the major operating systems and you can see here but also Linux and what you after end up doing is configuring a config file which does something like this depending on your configuration. So as you can see this can be a little bit confusing for some people. So to alleviate this known problem what VPN providers do is they develop their own VPN clients the ones like I showed you before the site against example. But mostly these is closed source so you can validate if there's any vulnerabilities or implementation errors and then there's no evidence that the NSA or GZA secure the nation state has compromised open VPN only using strong algorithms and ephemeral keys in SSL stroked VLS mode. The session keys are ephemeral i.e. the session keys are periodically changed and if an adversary manages to compromise one of the session keys they can decrypt only that traffic for that short period of time which is what purrfect for secrecy is when it comes to the encryption algorithms. You want to look for 2048 bit or four thousand ninety six bit RSA certificates DHC RSA a two five six Shaw for exchange of open VPN key material. And as I've said a two five six CBC show a data and those should be good enough for most people. Given that there's perfect forward secrecy as well and for most situations so open VPN is the VPN protocol that you should use whenever possible with those configuration settings that I've mentioned. You can get strong algorithms we have do currently recompile open VPN and it's quite complex but that is viable and it's something you can look into. But the algorithms and settings I mentioned should be fine for almost all situations. Now answer the last two. SS TPA this is a proprietary standard owned by Microsoft offers many of the advantages of open VPN but is for Windows only and not well supported by VPN providers. In fact you virtually never see it. The code is not open source. Microsoft does not have a brilliant record when it comes to cooperation certainly with the NSA. So for this reason not recommended. Not worth going into any more detail. You also have another interesting option which is the ICQ version too. Now this is an IP set based tunneling protocol that was jointly developed by Cisco and Microsoft. There could be a situation way you might want to use this. If it's on a mobile platform because it has enhanced ability to reconnect when the connection is dropped which is something that obviously you might want. If you are on a mobile device and it's reasonably secure and fast. So to conclude what we've gone through where possible you should always be choosing open VPN. Version 2 is viable on mobile devices for a quick and easy solution. They open VPN is there. You should be using that unless reconnection is more important than privacy. And better than no VPN. Say for example if you are on a public Wi-Fi and you don't want a hackers or trackers then you can use L2 TPA and IP Seck. If your adversary is not a nation state or news ETP as a total last resort. So that should VPN protocols