At the moment, there are three main types of VPNs that can be used to encrypt the transmitted information in order to protect it from eavesdropping and logging. If you think that a VPN is needed in order to hide your IP, then you are wrong, since this is a secondary property of a VPN, there are all kinds of proxy servers to hide your IP address, which are highly recommended to be used in conjunction with a VPN. Ideally, your bundle should look like this: socks proxy -> vpn -> http / socks proxy (although this bundle can only be organized using OpenVPN).
Type one - Normal Windows... The most common among the services provided, is based on the PPTP protocol, the MPPE protocol is used to encrypt traffic (a modification of the RC4 streaming font), the GRE protocol for data transfer, and TCP traffic control. This protocol is a wretched piece of work from the company NEKROSOVTM, which she herself does not recommend using "due to birth defects." Each component of this protocol individually is vulnerable to various types of attacks, for example, the PPP connection session is not encrypted, since the encryption parameters have not yet been set, which means that anyone who controls any host on the way to the VPN gateway will know and will be able to change the settings that your VPN server gives you, that is, for example, give you your DNS server, I think there is no need to explain what will happen in this case. Now about the servers, all pptp servers known to me work with root or administrator rights in the case of windows, that is, they seriously reduce the overall level of server security, and the developers of poptop - pptp servers for Linux recommend using OpenVPN or IPSec instead. Another point - if you want to use authorization using x.509 certificates, this can only be done if the server is running windows, which no normal person in their right mind would do. The only advantage of this type is the simplicity of setup and use, I hammered in the server, login and password, pressed the "Connect" button and order, no additional software needed to be installed, in general, for people called users in certain circles, this is it. seriously reduce the overall level of server security, and the developers of poptop - pptp server for Linux recommend using OpenVPN or IPSec instead. Another point - if you want to use authorization using x.509 certificates, this can only be done if the server is running windows, which no normal person in their right mind would do. The only advantage of this type is the simplicity of setup and use, I hammered in the server, login and password, pressed the "Connect" button and order, no additional software needed to be installed, in general, for people called users in certain circles, this is it. seriously reduce the overall level of server security, and the developers of poptop - pptp server for Linux recommend using OpenVPN or IPSec instead. Another point - if you want to use authorization using x.509 certificates, this can only be done if the server is running windows, which no normal person in their right mind would do. The only advantage of this type is the simplicity of setup and use, I hammered in the server, login and password, pressed the "Connect" button and order, no additional software needed to be installed, in general, for people called users in certain circles, this is it. 509 code, this can only be done if the server is running windows, which no normal person in their right mind would do. The only advantage of this type is the simplicity of setup and use, I hammered in the server, login and password, pressed the "Connect" button and order, no additional software needed to be installed, in general, for people called users in certain circles, this is it. 509 code, this can only be done if the server is running windows, which no normal person in their right mind would do. The only advantage of this type is the simplicity of setup and use, I hammered in the server, login and password, pressed the "Connect" button and order, no additional software needed to be installed, in general, for people called users in certain circles, this is it.
Type two - L2TP / IPSecthe least common, IPSec is used for encryption, for udp data transmission. The decision, I must say, is competent, because the patent for it is not owned by NEKRASOV tm, but by the much more respected office of Cisco Systems. This protocol is devoid of all the shortcomings of PPTP and, at the same time, does not require the installation of third-party software, however, for clients with dynamic IP addresses, we can only use authentication using x.509 certificates, which in itself is quite progressive and convenient, but it makes users yearning. The main problems here are with the server side, for IPSec to work with clients due to NAT, it is necessary to use NAT-T technology, which, for example, in Linux, is currently experimental. There is no reliable, well-proven l2tp server solution for UNIX. Besides, this is not the best option for people which save on their traffic, since the size of each transmitted is added, the IPSEC header is about 56 bytes, the L2TP header is 16 bytes, and NAT-T will add a little more. From the point of view of client security, not everything is all right here either, there is a possibility of one DOS client attacking another. Server security has the same problems as PPTP servers, and even more, because we already have two network services running under the ISAKMP and L2TP root.
Type three - OpenVPN... For encryption, the TLS protocol is used; for data transmission, you can use both TCP and UDP. The solution uses only open technologies and is distributed under the GPL license. This type of VPN is devoid of all the disadvantages inherent in the first two types. A huge advantage of this type over the first two is the ability to connect to a VPN server through a socks server, that is, if you want, for example, to test a VPN service without revealing your IP address, you can do it with OpenVPN. No problem with NAT. Authentication is possible both using passwords and using x.509 certificates. In addition, the security of the server side is one order higher than in the previous two types, since the OpenVPN server runs under a dedicated account, and in addition, additional protection is provided in the form of HMAC signatures of packets at the stage of establishing a connection (if the HMAC does not match, the packet is dropped without any response), which significantly reduces the threat of such types of attacks as DOS or floods, buffer overflows in the SSL / TLS implementation, and also makes it difficult to detect the service with a port scan. I saw here on the seklab in the comments some "special" wrote that they say many vulnerabilities were found in OpenVPN, so you need to use poptop, but any information security specialist will tell you that product security is determined not by the number of vulnerabilities found, but by how the manufacturer reacts (the response of the OpenSource developers is always faster - look at the speed of patching holes in Windows and Oracle), as well as whether the principle of minimizing the rights of the network service is observed, i.e. if the network service is running under the root, it is no longer secure. As for vulnerabilities, you need to monitor messages and patch in time, and this applies not only to VPN. The only drawback of this type is the need to install a third-party client, but this should not confuse those who use Opera instead of a donkey or Light Alloy instead of Windows Media Player, because M $ solutions have always been famous for their poor functionality. VPN is no exception. after all, solutions from M $ have always been famous for their poor functionality. VPN is no exception. after all, solutions from M $ have always been famous for their poor functionality. VPN is no exception.
The conclusion from all this disgrace can be made as follows, if a person has his hands in place and if he thinks about his safety, then he will choose OpenVPN.
Type one - Normal Windows... The most common among the services provided, is based on the PPTP protocol, the MPPE protocol is used to encrypt traffic (a modification of the RC4 streaming font), the GRE protocol for data transfer, and TCP traffic control. This protocol is a wretched piece of work from the company NEKROSOVTM, which she herself does not recommend using "due to birth defects." Each component of this protocol individually is vulnerable to various types of attacks, for example, the PPP connection session is not encrypted, since the encryption parameters have not yet been set, which means that anyone who controls any host on the way to the VPN gateway will know and will be able to change the settings that your VPN server gives you, that is, for example, give you your DNS server, I think there is no need to explain what will happen in this case. Now about the servers, all pptp servers known to me work with root or administrator rights in the case of windows, that is, they seriously reduce the overall level of server security, and the developers of poptop - pptp servers for Linux recommend using OpenVPN or IPSec instead. Another point - if you want to use authorization using x.509 certificates, this can only be done if the server is running windows, which no normal person in their right mind would do. The only advantage of this type is the simplicity of setup and use, I hammered in the server, login and password, pressed the "Connect" button and order, no additional software needed to be installed, in general, for people called users in certain circles, this is it. seriously reduce the overall level of server security, and the developers of poptop - pptp server for Linux recommend using OpenVPN or IPSec instead. Another point - if you want to use authorization using x.509 certificates, this can only be done if the server is running windows, which no normal person in their right mind would do. The only advantage of this type is the simplicity of setup and use, I hammered in the server, login and password, pressed the "Connect" button and order, no additional software needed to be installed, in general, for people called users in certain circles, this is it. seriously reduce the overall level of server security, and the developers of poptop - pptp server for Linux recommend using OpenVPN or IPSec instead. Another point - if you want to use authorization using x.509 certificates, this can only be done if the server is running windows, which no normal person in their right mind would do. The only advantage of this type is the simplicity of setup and use, I hammered in the server, login and password, pressed the "Connect" button and order, no additional software needed to be installed, in general, for people called users in certain circles, this is it. 509 code, this can only be done if the server is running windows, which no normal person in their right mind would do. The only advantage of this type is the simplicity of setup and use, I hammered in the server, login and password, pressed the "Connect" button and order, no additional software needed to be installed, in general, for people called users in certain circles, this is it. 509 code, this can only be done if the server is running windows, which no normal person in their right mind would do. The only advantage of this type is the simplicity of setup and use, I hammered in the server, login and password, pressed the "Connect" button and order, no additional software needed to be installed, in general, for people called users in certain circles, this is it.
Type two - L2TP / IPSecthe least common, IPSec is used for encryption, for udp data transmission. The decision, I must say, is competent, because the patent for it is not owned by NEKRASOV tm, but by the much more respected office of Cisco Systems. This protocol is devoid of all the shortcomings of PPTP and, at the same time, does not require the installation of third-party software, however, for clients with dynamic IP addresses, we can only use authentication using x.509 certificates, which in itself is quite progressive and convenient, but it makes users yearning. The main problems here are with the server side, for IPSec to work with clients due to NAT, it is necessary to use NAT-T technology, which, for example, in Linux, is currently experimental. There is no reliable, well-proven l2tp server solution for UNIX. Besides, this is not the best option for people which save on their traffic, since the size of each transmitted is added, the IPSEC header is about 56 bytes, the L2TP header is 16 bytes, and NAT-T will add a little more. From the point of view of client security, not everything is all right here either, there is a possibility of one DOS client attacking another. Server security has the same problems as PPTP servers, and even more, because we already have two network services running under the ISAKMP and L2TP root.
Type three - OpenVPN... For encryption, the TLS protocol is used; for data transmission, you can use both TCP and UDP. The solution uses only open technologies and is distributed under the GPL license. This type of VPN is devoid of all the disadvantages inherent in the first two types. A huge advantage of this type over the first two is the ability to connect to a VPN server through a socks server, that is, if you want, for example, to test a VPN service without revealing your IP address, you can do it with OpenVPN. No problem with NAT. Authentication is possible both using passwords and using x.509 certificates. In addition, the security of the server side is one order higher than in the previous two types, since the OpenVPN server runs under a dedicated account, and in addition, additional protection is provided in the form of HMAC signatures of packets at the stage of establishing a connection (if the HMAC does not match, the packet is dropped without any response), which significantly reduces the threat of such types of attacks as DOS or floods, buffer overflows in the SSL / TLS implementation, and also makes it difficult to detect the service with a port scan. I saw here on the seklab in the comments some "special" wrote that they say many vulnerabilities were found in OpenVPN, so you need to use poptop, but any information security specialist will tell you that product security is determined not by the number of vulnerabilities found, but by how the manufacturer reacts (the response of the OpenSource developers is always faster - look at the speed of patching holes in Windows and Oracle), as well as whether the principle of minimizing the rights of the network service is observed, i.e. if the network service is running under the root, it is no longer secure. As for vulnerabilities, you need to monitor messages and patch in time, and this applies not only to VPN. The only drawback of this type is the need to install a third-party client, but this should not confuse those who use Opera instead of a donkey or Light Alloy instead of Windows Media Player, because M $ solutions have always been famous for their poor functionality. VPN is no exception. after all, solutions from M $ have always been famous for their poor functionality. VPN is no exception. after all, solutions from M $ have always been famous for their poor functionality. VPN is no exception.
The conclusion from all this disgrace can be made as follows, if a person has his hands in place and if he thinks about his safety, then he will choose OpenVPN.
