Which VPN Protocol is Right for your Business Organization?
Back in the 1990s, businesses had a serious problem: they had no reliable way to connect remote employees to their on-premises computing infrastructure. To solve it, a consortium of computing and networking firms led by Microsoft developed a remote access solution. The result of their efforts was the Point-to-Point Tunneling Protocol (PPTP).
For the first time, remote workers could establish a private link to their employer’s network from anywhere with an internet connection or a phone line. PPTP carried an ordinary PPP session inside a tunnel, so it inherited PPP’s authentication for access control and added encryption (MPPE) to protect data in transit. If this idea sounds familiar, there is a good reason for that.
PPTP was the first publicly available virtual private network (VPN) protocol.
Today, businesses everywhere rely on VPN technology. They use it to link geographically separated business networks together. They use it to provide computing access to remote employees. VPNs are a core component of modern cybersecurity best practices.
Of course, PPTP is now antiquated. Its MS-CHAPv2 authentication can be cracked offline, which also exposes the RC4 keys used by its MPPE encryption, so it is no longer up to the task of protecting business data. In its place, a variety of newer protocols now secure the majority of VPNs. That doesn’t mean, however, that they are interchangeable. To help business decision-makers make sense of their choices, here is a guide to modern VPN protocols, with the information needed to make an informed business technology decision.
1. L2TP With IPsec
The Layer Two Tunneling Protocol (L2TP) merged PPTP with Cisco’s L2F and is PPTP’s direct successor. On its own, L2TP only tunnels PPP frames and provides no encryption, which is why it is almost always paired with IP Security (IPsec): IPsec authenticates the two endpoints and encrypts the L2TP traffic between them. L2TP/IPsec is one of the most widely supported VPN protocols in business use, with native clients in Windows, macOS and iOS and support in nearly every business firewall and router built since the late 1990s. Although the double encapsulation adds overhead, AES is hardware-accelerated on modern CPUs, so throughput is good.
The downside of L2TP/IPsec is its configuration complexity. Configuring a business-grade firewall or router as an L2TP/IPsec endpoint isn’t a job for a novice, and setting up clients to negotiate with that endpoint is no easier, particularly once certificate authentication replaces a shared pre-shared key. Then there is the matter of network interoperability. The stack needs IKE on UDP port 500, NAT traversal on UDP port 4500 and ESP (IP protocol 50), and many hotel, guest and mobile networks block some of these by default, so remote workers can struggle to connect depending on who is providing their internet connection.
When To Use L2TP/IPsec
L2TP with IPsec is a sound VPN protocol choice in a few specific scenarios. It is well suited to linking office branches because most business-grade firewalls and routing hardware support it out of the box (many site-to-site links in fact use IPsec on its own, without the L2TP layer). When maximum client compatibility is necessary, such as supporting bring-your-own-device initiatives, L2TP/IPsec also works well, provided the single pre-shared key common in such deployments is replaced by certificates or at least rotated when staff leave. Bear in mind that its configuration complexity means supporting L2TP/IPsec users will require expertise the average organization may lack.
2. OpenVPN
OpenVPN, as its name implies, is an open-source VPN protocol and software package, originally written as an alternative to black-box commercial VPN products and positioned as a successor to L2TP/IPsec. Its cryptography comes from another open-source project, OpenSSL: the control channel is TLS, the same protocol that secures HTTPS websites, and the data channel is keyed from it. Configured with current settings (AES-GCM or ChaCha20-Poly1305, certificate authentication, TLS 1.2 or newer) it is about as safe as it gets, but the software will still accept weak legacy settings if an administrator leaves them in place.
OpenVPN is also far more flexible than L2TP/IPsec. It runs over UDP or TCP on whatever port it is configured to listen on, so placing it on TCP 443 gets it through almost any firewall that permits HTTPS. Remote workers therefore rarely find their connections blocked, except on networks that fingerprint and block VPN traffic outright (think business trips to China, for example). It is not the fastest protocol, however: OpenVPN runs in user space rather than in the kernel, so on the same hardware it usually trails IPsec and WireGuard in throughput.
OpenVPN isn’t much easier to set up than L2TP/IPsec, though. Its biggest advantage is that there are no licensing costs, except for commercial variants of the server software such as OpenVPN Access Server. Also, not all network hardware supports it (open-source firewall distributions generally do, many vendor appliances do not), so it is not a great fit for most site-to-site applications without investing in some additional equipment.
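OpenVPN’s encryption comes from OpenSSL, but which cipher, digest and TLS version a tunnel actually uses is decided by a handful of lines in server.conf. The following is an added example written for this page (not code from the OpenVPN project): it parses a constructed legacy-style server.conf beside a hardened version of the same server and flags the directives that matter. The directive names are OpenVPN’s own; both configuration files, the finding identifiers and the messages are this example’s assumptions.

```python
"""Audit an OpenVPN server.conf for weak or missing hardening directives.

Added example for this page, not code from the OpenVPN project. Both
configs below are constructed; the directive names are OpenVPN's own
(data-ciphers needs 2.5+), the finding ids and messages are this script's.
"""
from __future__ import annotations

WEAK_CONF = """\
# constructed example: a legacy-style server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
cipher BF-CBC
auth SHA1
comp-lzo
"""

HARDENED_CONF = """\
# constructed example: the same server with hardening applied
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
server 10.8.0.0 255.255.255.0
tls-crypt ta.key
tls-version-min 1.2
remote-cert-tls client
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
"""

# 64-bit block ciphers (SWEET32 territory) and the 'no encryption' setting
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}


def parse_conf(text: str) -> dict[str, list[list[str]]]:
    """Parse 'directive arg ...' lines into {directive: [args per occurrence]}.
    '#' and ';' comments are stripped; inline <ca>...</ca> blocks are ignored."""
    directives: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit(text: str) -> list[tuple[str, str]]:
    """Return (finding_id, message) pairs; an empty list means nothing was flagged."""
    d = parse_conf(text)
    findings: list[tuple[str, str]] = []
    # Data channel: 2.5+ negotiates from data-ciphers (formerly ncp-ciphers);
    # older servers use the single 'cipher' directive.
    lists = d.get("data-ciphers", []) + d.get("ncp-ciphers", [])
    ciphers = [c for args in lists if args for c in args[0].split(":")]
    if not ciphers:
        ciphers = [args[0] for args in d.get("cipher", []) if args]
    if not ciphers:
        findings.append(("no-cipher", "no cipher set; releases before 2.5 default to BF-CBC, set data-ciphers explicitly"))
    for c in ciphers:
        if c.upper() in WEAK_CIPHERS:
            findings.append(("weak-cipher", f"{c}: use AES-256-GCM or CHACHA20-POLY1305 instead"))
            break
    for args in d.get("auth", []):
        if args and args[0].upper() in WEAK_DIGESTS:
            findings.append(("weak-auth", f"auth {args[0]}: use SHA256 or stronger for the HMAC"))
    if not ({"tls-crypt", "tls-crypt-v2", "tls-auth"} & d.keys()):
        findings.append(("no-tls-crypt", "control channel is unwrapped; add tls-crypt so unauthenticated hosts cannot start a TLS handshake"))
    versions = [args[0] for args in d.get("tls-version-min", []) if args]
    if not versions or any(v in ("1.0", "1.1") for v in versions):
        findings.append(("no-tls-version-min", "set tls-version-min 1.2 so TLS 1.0/1.1 cannot be negotiated"))
    lzo_on = any(args[:1] != ["no"] for args in d.get("comp-lzo", []))
    compress_on = any(args and args[0] in ("lzo", "lz4", "lz4-v2") for args in d.get("compress", []))
    if lzo_on or compress_on:
        findings.append(("compression", "compression is enabled; disable it (compression-oracle attacks such as VORACLE)"))
    if "remote-cert-tls" not in d:
        findings.append(("no-remote-cert-tls", "add 'remote-cert-tls client' so only certificates issued for the client role are accepted"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, [fid for fid, _ in audit(conf)])
```

Run against the legacy file it reports six findings (64-bit block cipher, SHA1 HMAC, unwrapped control channel, no TLS floor, compression on, no role check on client certificates); the hardened file reports none. The same checks can be pointed at a client .ovpn profile, which uses the same directive syntax.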
When To Use OpenVPN
OpenVPN is a great fit for businesses that need to support remote workers on laptops, desktops and mobile devices, with clients available for Windows, macOS, Linux, iOS and Android. It is secure, cost-effective and, thanks to its flexible port and transport options, less prone to connection troubleshooting than L2TP/IPsec solutions. That all assumes, of course, that an organization invests in the expertise necessary to get an OpenVPN server running in the first place and to keep its configuration current.
3. Secure Socket Tunneling Protocol (SSTP)
Designed by Microsoft as a replacement for the now-deprecated PPTP, the Secure Socket Tunneling Protocol (SSTP) has been a native part of Windows since Windows Vista SP1. It carries a PPP session over a TLS connection, so cryptographically it rests on the same TLS that OpenVPN uses. On top of that, SSTP uses TCP port 443, the same port as HTTPS websites, so it works from almost anywhere with internet access.
The problem with SSTP, though, is that it is not available on many non-Windows devices. Users with iOS, Android, Linux or macOS devices can’t use it, with rare exceptions such as unofficial third-party clients. So, for all its strengths, SSTP remains a niche VPN protocol that doesn’t see much use.
When To Use SSTP
SSTP is an excellent option for businesses that rely on Windows-powered devices. For those with little need to connect mobile devices to their network and a Windows-centric laptop, desktop and server base, it is a natural fit: the client is built in, the server role ships with Windows Server (Routing and Remote Access), and its TLS tunnel is as strong as that of any other major VPN protocol in use today. The point to watch is user authentication inside the tunnel: prefer certificate or EAP-based methods over MS-CHAPv2.
4. WireGuard
In the world of VPN protocols, WireGuard is an upstart. Work on the open-source protocol began in 2016, making it the newest in this guide, and it was merged into the Linux kernel (version 5.6) in 2020. It is also the protocol with the longest list of advantages and relatively few disadvantages. For starters, the WireGuard kernel implementation is roughly 4,000 lines of code, whereas the protocols above come from codebases of 400,000 lines or more.
That simplicity means less room for errors and a codebase that a single reviewer can audit. It also makes WireGuard resource-light and fast: in the project’s published benchmarks its throughput was several times OpenVPN’s and somewhat ahead of IPsec on the same hardware. Its cryptography is a fixed set of modern primitives (Curve25519 key exchange, ChaCha20-Poly1305 encryption, BLAKE2s hashing) composed using the Noise protocol framework. There is no cipher negotiation, so there is nothing to downgrade, and it is widely regarded as among the safest VPN protocols available today.
The catch is that it is still young enough that support in business-grade network appliances is uneven, which makes WireGuard a non-starter for some site-to-site deployments right now. It also deliberately leaves things out: there is no user login, no address assignment and no built-in key distribution. A peer is its public key, and what that peer may send and receive is governed entirely by the AllowedIPs attached to that key, so an organization needs its own tooling to issue, distribute and revoke keys. On the bright side, WireGuard already has free clients for every major operating system, and the tools for configuring and managing WireGuard VPNs continue to evolve. That means it is on its way to being one of the most user-friendly VPN solutions available, but it is not there yet.
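Much of WireGuard’s small size comes from how little it does: a peer is identified by its public key, and the AllowedIPs list attached to each peer is the whole access policy, used as the routing table on the way out and as a source-address check on the way in (the project calls this cryptokey routing). The added example below, written for this page and not code from the WireGuard project, parses a wg0.conf in the wg-quick format and models that table. It does no cryptography; the configuration, the peer roles and the keys are constructed placeholders (any base64 of 32 bytes is syntactically a valid key).

```python
"""Model WireGuard's cryptokey routing from a wg0.conf.

Added example for this page, not code from the WireGuard project; it does
no cryptography. The config, peer roles and keys below are constructed
placeholders (any base64 of 32 bytes is syntactically a valid key).
"""
from __future__ import annotations

import base64
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholder keys; real ones come from 'wg genkey' / 'wg pubkey'.
SERVER_PRIV = base64.b64encode(b"\x01" * 32).decode()
LAPTOP_KEY = base64.b64encode(b"\x02" * 32).decode()
BRANCH_KEY = base64.b64encode(b"\x03" * 32).decode()

WG0_CONF = f"""\
[Interface]
PrivateKey = {SERVER_PRIV}
Address = 10.7.0.1/24
ListenPort = 51820

[Peer]
# a remote worker's laptop: may only send from / receive at its own /32
PublicKey = {LAPTOP_KEY}
AllowedIPs = 10.7.0.2/32

[Peer]
# a branch router: its tunnel address plus the LAN behind it
PublicKey = {BRANCH_KEY}
AllowedIPs = 10.7.0.3/32, 192.168.50.0/24
PersistentKeepalive = 25
"""


@dataclass
class Peer:
    public_key: str
    allowed_ips: list = field(default_factory=list)  # ip_network objects
    persistent_keepalive: int | None = None


def validate_key(key: str) -> str:
    """Reject anything that is not base64 of exactly 32 bytes (raises ValueError)."""
    raw = base64.b64decode(key, validate=True)  # binascii.Error is a ValueError
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32")
    return key


def parse_wg_conf(text: str) -> tuple[dict[str, str], list[Peer]]:
    """Parse the INI-style wg-quick format into (interface settings, peers)."""
    interface: dict[str, str] = {}
    peers: list[Peer] = []
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":
                peers.append(Peer(public_key=""))
            continue
        # split on the FIRST '=' so the '=' padding of base64 keys survives
        name, _, value = line.partition("=")
        name, value = name.strip().lower(), value.strip()
        if section == "interface":
            interface[name] = value
        elif section == "peer" and name == "publickey":
            peers[-1].public_key = validate_key(value)
        elif section == "peer" and name == "allowedips":
            peers[-1].allowed_ips = [ipaddress.ip_network(v.strip(), strict=False)
                                     for v in value.split(",")]
        elif section == "peer" and name == "persistentkeepalive":
            peers[-1].persistent_keepalive = int(value)
    return interface, peers


class CryptokeyRouter:
    """The AllowedIPs table as WireGuard uses it: one lookup, both directions."""

    def __init__(self, peers: list[Peer]):
        self.table: dict = {}  # prefix -> owning peer
        for peer in peers:
            for net in peer.allowed_ips:
                # a prefix has exactly one owner; a later [Peer] listing the
                # same prefix silently takes it over from the earlier one
                self.table[net] = peer

    def select_peer(self, ip: str) -> Peer | None:
        """Outbound: which peer's key encrypts a packet destined for ip."""
        addr = ipaddress.ip_address(ip)
        matches = [(net, peer) for net, peer in self.table.items()
                   if net.version == addr.version and addr in net]
        if not matches:
            return None  # no peer claims the address: WireGuard drops the packet
        return max(matches, key=lambda m: m[0].prefixlen)[1]  # longest prefix wins

    def accept_inbound(self, peer: Peer, src_ip: str) -> bool:
        """Inbound: a decrypted packet is kept only if its source address routes
        back to the very peer it was decrypted from; anything else is dropped."""
        return self.select_peer(src_ip) is peer


if __name__ == "__main__":
    _, peers = parse_wg_conf(WG0_CONF)
    router = CryptokeyRouter(peers)
    laptop, branch = peers
    print("laptop spoofing the branch LAN accepted:", router.accept_inbound(laptop, "192.168.50.10"))
```

The inbound check is the security-relevant half: even with a valid key, the laptop peer cannot inject packets that claim to come from the branch LAN, because 192.168.50.0/24 routes to the branch router’s key, not the laptop’s. Granting a peer 0.0.0.0/0 therefore also lets it source any address, which is why AllowedIPs should be as narrow as the peer’s real role.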
When To Use WireGuard
From a business perspective, the main reasons to hesitate over WireGuard are its relative newness compared to its competitors and the key management it leaves to the operator. Its patchier support in network hardware also makes it a harder sell for site-to-site VPN applications. However, since it comes with advantages the other protocols can’t match, WireGuard may be the optimal choice for businesses building a VPN solution from scratch.
5. FortiClient SSL VPN
There are also VPN products built on TLS, usually marketed as SSL VPNs. One common variant is the FortiClient SSL VPN. Fortinet, an Outsource IT partner, develops FortiClient and is a leading provider of business firewall and authentication products. As a result, FortiClient is used by businesses all over the world to connect remote employees to resources inside their networks, with the tunnel terminating on a FortiGate firewall.
Another reason it is so popular is its flexibility and ease of use. Although it uses a TLS tunnel by default, it can connect to the same FortiGate over IPsec as well. Additionally, the software runs on Windows, macOS, iOS, Linux and Android, so it is a one-client-fits-all solution.
Some versions of FortiClient offer additional security features. One is built-in endpoint protection, which checks that a connecting system is up to date with patches and protected against viruses, malware and spyware before it reaches the network. Other available add-ons include web and video filtering, DNS security, intrusion prevention and USB device control. In other words, FortiClient can serve as both the VPN client and a fully featured endpoint security agent at the same time.
When To Use FortiClient SSL VPN
FortiClient SSL VPN is an excellent choice for businesses, especially those that already own Fortinet hardware. It is secure, easy to configure and fast, with the tunnel terminated on the FortiGate rather than on a separate server. FortiClient is also well suited to bring-your-own-device (BYOD) programs: because it supports every major operating system, businesses can use it to secure and connect all types of user-owned hardware. Two practical notes apply: the SSL VPN portal is an internet-facing service on the firewall, so keep FortiOS patched promptly and put multi-factor authentication in front of VPN logins. With commercial support from Fortinet and endpoint security features in the same client, it is one of the best VPN options and is highly recommended by Outsource IT.
Which VPN is Best?
For businesses deciding between today’s most common VPN protocols, it all comes down to their needs. For site-to-site connections, many will find that L2TP/IPsec (or plain IPsec) is a natural choice. For supporting remote users on a variety of devices, OpenVPN provides a reliable and inexpensive solution. The Windows-only SSTP and the lean, fast WireGuard are each tempting in the right scenario. Finally, Fortinet’s FortiClient provides a commercially supported solution that is secure, scalable and cost-effective, especially when implemented as part of a broader network infrastructure refresh.
Outsource IT is eager and ready to help any business needing assistance with deciding on the best VPN solution for their network. Our experienced technicians know VPN protocols inside and out and can help any business regardless of size or industry. Contact us today for help getting up and running with a secure and reliable VPN solution.