
L2TP vs OpenVPN. The Ultimate Battle

Over the last couple of years, a great number of VPN users have started using OpenVPN. You can find a lot of positive feedback online about this VPN protocol and why it’s superior to any other VPN implementation. But what is the force behind OpenVPN and do you really need to switch over from your standard L2TP/Ipsec option? In this article the Privatoria team will investigate which one is better for specific cases.


OpenVPN has been around for a long time but has only gained prominence in recent years, mostly because of multiple surveillance scandals in the US. Many users then started promoting the idea of open source software, stressing that surveillance is impossible in the open source world because any attempt to hide a tracking program inside the source code would be easily spotted. Things like Linux-based OSes and the Chromium web browser have become a lot more popular. Open Source has unintentionally become a must-have (or at least a must-try) for every security enthusiast.


VPN, being a security-oriented technology, has also grown in popularity among casual personal users who want to hide and protect their private information. In the world of VPNs, however, you don’t really have a choice; most protocols are proprietary (owned by a certain company) and therefore have closed source code. There is one exception, and that is OpenVPN. Users have rushed out and switched to OpenVPN, but is L2TP/IPsec better simply because it ships as a standard option on MS Windows and Mac OS X? Let’s find out.

Encryption and Security

L2TP as a standard has been around since the late 90s, and so has its IETF RFC 3193 certification. During the 2000s Microsoft fully replaced its allegedly compromised PPTP with this VPN implementation. It almost goes without saying that in 99% of cases L2TP is used together with IPsec encryption, as L2TP on its own only offers tunnelling. IPsec can use different encryption algorithms, including 3DES and AES. As a result of recent revelations in the security domain, some leaked messages revealed that certain government agencies are looking for potential vulnerabilities in IKE/IPsec implementations. This automatically gives rise to controversy around the L2TP/IPsec implementation. Concrete proof of the protocol’s vulnerability (if it in fact exists) has yet to be made public, but, as always happens, one negative comment triggers a chain of events.


OpenVPN uses the SSL/TLS protocol, namely through the OpenSSL library. This library supports different encryption algorithms including Blowfish, AES, RC5 and 3DES. OpenVPN, being the de facto open source standard, obviously has no known or even alleged vulnerabilities. At this point it is hardly possible to choose a winner, but users often choose OpenVPN simply because it’s open.

Speed and Stability

L2TP uses fixed protocols and ports for its connection, namely UDP 500 for the initial key exchange, IP protocol 50 (ESP) for the IPsec-encrypted data, UDP 1701 for the initial L2TP set-up and UDP 4500 for NAT traversal. Most users consider this a weak point, noting that such a configuration can easily be blocked by firewall settings.

OpenVPN can be easily configured to use either UDP or TCP on any port. It is often advised to use TCP/443 configurations to bypass firewalls.

Both L2TP/IPsec and OpenVPN offer roughly the same connection speeds. However, L2TP, being more standardized (and hence easier for a VPN provider to support), may offer more stable connections and fewer configuration issues.

Configuration

This is a tricky one. In general, L2TP/IPsec is easier to configure than OpenVPN and it also comes pre-installed on major computing platforms including MS Windows and Mac OS X (Android and iOS also feature L2TP/IPsec as a default VPN solution). However, it is different on the Open Source side of things. Most Linux or BSD distributions, including Ubuntu and Debian, only come pre-installed with the insecure PPTP (even Microsoft openly admitted its poor security at one point, issuing a fix later) or with no VPN support at all.

If you rush out and try to get L2TP/IPsec up and running on Linux you will inevitably face a number of issues and a fairly complex configuration process, which requires installing the xl2tpd daemon and an openswan/strongswan IPsec implementation. Furthermore, you will have to configure traffic routing manually and make sure your traffic actually goes through the L2TP tunnel.

Below is just a part of the L2TP/Ipsec configuration process on Linux:

[Image: Ipsec (OpenSwan package) config]

[Image: xl2tp daemon config]

[Image: routing traffic via VPN]

Arch Linux has a nice set-up tutorial on its wiki.
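The three pieces the article lists (IPsec config, xl2tpd config, manual routing), as an added example that is not the article's own screenshots: shell functions that print a minimal strongSwan + xl2tpd client configuration for a given server. The server address, pre-shared key and account name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article: the three pieces of a Linux L2TP/IPsec
# client (strongSwan ipsec.conf + ipsec.secrets, xl2tpd.conf + pppd options,
# manual routing) as functions that print each config for a given server.
# The server address, PSK and account below are constructed placeholders.
set -eu

# 1. IPsec (strongSwan; openswan uses the same ipsec.conf keys): IKEv1 with a
#    PSK in transport mode, protecting only UDP/1701. IKE runs on UDP/500,
#    NAT traversal on UDP/4500, and ESP is IP protocol 50.
render_ipsec_conf() {    # $1 = VPN server address
  printf 'conn l2tp-vpn\n'
  printf '    keyexchange=ikev1\n    authby=secret\n    type=transport\n'
  printf '    left=%%defaultroute\n    leftprotoport=17/1701\n'
  printf '    right=%s\n    rightprotoport=17/1701\n    auto=add\n' "$1"
}
render_ipsec_secrets() { # $1 = VPN server address, $2 = pre-shared key
  printf '%%any %s : PSK "%s"\n' "$1" "$2"
}

# 2. xl2tpd acts as the L2TP access concentrator (LAC), dials the server
#    (LNS) and hands the tunnel to pppd, which does the user authentication.
render_xl2tpd_conf() {   # $1 = VPN server address
  printf '[lac vpn]\nlns = %s\nppp debug = yes\n' "$1"
  printf 'pppoptfile = /etc/ppp/options.l2tpd.client\nlength bit = yes\n'
}
render_ppp_options() {   # $1 = username, $2 = password
  printf 'ipcp-accept-local\nipcp-accept-remote\nrefuse-eap\n'
  printf 'require-mschap-v2\nnoccp\nnoauth\nmtu 1280\nmru 1280\n'
  printf 'name %s\npassword %s\n' "$1" "$2"
}

# 3. Routing is manual: first a host route to the server via the old gateway
#    (otherwise the tunnel packets would be routed into the tunnel), then the
#    default route through ppp0. The commands are printed, not executed.
render_routes() {        # $1 = VPN server address, $2 = current gateway
  printf 'ip route add %s via %s\n' "$1" "$2"
  printf 'ip route add default dev ppp0\n'
}

# Usage as root, after installing the strongswan and xl2tpd packages:
#   render_ipsec_conf 203.0.113.10 >> /etc/ipsec.conf
#   render_ipsec_secrets 203.0.113.10 'placeholder-psk' >> /etc/ipsec.secrets
#   render_xl2tpd_conf 203.0.113.10 >> /etc/xl2tpd/xl2tpd.conf
#   render_ppp_options alice 'placeholder-pw' > /etc/ppp/options.l2tpd.client
#   ipsec restart && ipsec up l2tp-vpn
#   echo 'c vpn' > /var/run/xl2tpd/l2tp-control   # xl2tpd must be running
#   render_routes 203.0.113.10 "$(ip route show default | awk '{print $3; exit}')" | sh
```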

L2TP is also natively supported by most network routers which means you can easily connect a router directly to the VPN server and not tweak your computer settings at all.

OpenVPN is not natively supported by any platform. Installing it, though, is a fairly brief affair and only requires downloading a client app for Windows, Mac, Android or iOS. Linux and BSD users can get the ‘openvpn’ package from the official repositories and run it from the command line. Many VPN clients do not allow manual configuration and require a config file with all the settings and CA certificates inside. Most VPN providers (assuming they support OpenVPN) offer those files as a free download, so there should be few to no configuration issues; still, some casual users might find the process too difficult and unintuitive. OpenVPN is also much easier to configure on Linux/BSD systems: you only need to install the package and point it at the correct VPN config file; traffic routing is done automatically.

This is what an OpenVPN config file may look like:

[Image: sample OpenVPN config file]
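A typical provider-style OpenVPN client config, as an added example that is not the article's screenshot: a shell function renders the file so the TCP/443 variant the article mentions is a one-argument change. The host name is a constructed placeholder and the CA certificate is left as a marked placeholder to be filled from the provider's download.

```shell
#!/bin/sh
# Added example, not from the article: a typical OpenVPN client config of the
# kind a provider ships, rendered by a function so the firewall-friendly
# TCP/443 variant the article mentions is a one-line change. The host name is
# a constructed placeholder; the CA certificate comes from the provider.
set -eu

render_ovpn() {   # $1 = server host, $2 = port, $3 = udp|tcp
  printf 'client\ndev tun\nproto %s\nremote %s %s\n' "$3" "$1" "$2"
  printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
  # Require the peer to present a server certificate (EKU), so a leaked
  # client cert/key cannot be used to impersonate the VPN server.
  printf 'remote-cert-tls server\n'
  # Data-channel cipher and control-channel HMAC (values are provider-dependent).
  printf 'cipher AES-256-GCM\nauth SHA256\n'
  # Credentials prompt; use "auth-user-pass /path/file" for unattended start.
  printf 'auth-user-pass\nverb 3\n'
  # Inline CA: the provider's CA certificate (PEM) goes between the tags.
  printf '<ca>\n# PLACEHOLDER: paste the provider CA certificate here\n</ca>\n'
}

# The firewall-bypassing variant from the article: same config, TCP on 443.
render_ovpn_tcp443() { render_ovpn "$1" 443 tcp; }

# Usage on Linux/BSD after installing the 'openvpn' package (routes are
# pushed by the server, so no manual "ip route" step is needed):
#   render_ovpn vpn.example.net 1194 udp > client.ovpn
#   sudo openvpn --config client.ovpn
```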

There is a way to enable OpenVPN support on a network router as well but it requires installing a custom firmware known as DD-WRT (assuming your router is compatible with it).

Conclusion

At the end of the day each user has a choice of VPN protocols and that’s a great thing. L2TP/IPsec is a more solid, standard choice with built-in support on every commercial computing platform. It is also quite secure and has no known vulnerabilities. All of the above makes it a great choice for most casual VPN users who want their VPN to be simple and stable.

OpenVPN is a newer Open Source standard with the ability to use a wide range of ports and protocols. It does not come pre-installed on any platform but can be installed on any modern OS, desktop or mobile. It is also much easier to configure on Linux/BSD systems than L2TP/IPsec. OpenVPN is a great choice for security nerds who want versatility and more control over their VPN. Nowadays most VPN providers support both OpenVPN and L2TP, so there shouldn’t be a problem connecting to a VPN server if you have the client configured correctly.

6 comments

  1. I prefer L2TP. First of all for its simplicity

  2. I am slightly inclined to using L2TP since it’s supported on most of the routers I own. Most VPN services set a limit to the number of devices that can simultaneously access their service and as a result I prefer setting up the VPN directly on my router. And since most routers have built-in support for L2TP and not OpenVPN, I think it should be anyone’s choice :)

  3. You can’t go wrong with either, and both protocols are way better than PPTP. I opt for OpenVPN whenever possible, especially for Linux as the article alludes to. But I also completely agree with Saksham’s comment that for routers, L2TP is the way to go.

  4. Isn’t L2TP one protocol? Then IPsec a second protocol encapsulating L2TP/IPsec over layer 2. A user can implement L2TP on its own or combine it with IPsec. Slightly misleading article.

    • L2TP/IPSec is automatically combined on Windows though. Separating L2TP and preparing it for use with another encryption package would be non-trivial.

      Also pointless since no VPN provider currently supports L2TP in combination with anything but IPSec. Normally users would want more than one provider for competitive and backup availability reasons. Only private networks without public access and owning both end of the VPN link would currently consider such options.

  5. I suggest jumping on OpenVPN simply because it’s got powerful crowd-sourcing which WILL eventually force L2TP out. This will happen faster due to royalty-free aspects which encourage vendors to add OpenVPN into routers as a standard feature. More importantly, OpenVPN is also cheaper for providers who can avoid the MS tax with total Linux-GPL VPN server solutions.

    DD-WRT is not alone. Tomato has OpenVPN too. More importantly, modified versions of original commercial router firmware like Merlin have long ago imported OpenVPN packages. Open source features proven and popular in modified versions of commercial software quite often eventually make their way into GPL-using commercial router software.

    Thus several commercial router companies already have OpenVPN, including on high-end routers – ASUS on its ASUSWRT versions (yes, it sort of derives from DD-WRT but with a much nicer GUI interface and not quite such a dizzying array of features).
