In a previous post, I discussed WHAT a VPN is and WHY you need a VPN. If you missed it, it’s called, “VPN and you“.
So now that you know WHAT and WHY, let’s talk about the HOW.
A VPN Protocol is HOW the connection from you to the server is created and encrypted. It’s really important as this will determine how FAST and SECURE your connection will be.
Old and Useless Protocols:
- PPTP2: Written in 1995, it has been cracked by nearly everyone.
- LPT2/IPSEC: Written by Microsoft, LPT2 provides ZERO encryption and requires IPSEC for the encryption part. But even that is useless as it’s rumored that the NSA has cracked the encryption. The default port is UDP 500 making easy to spot and block if you’re in a country that actively blocks VPNs, like China or the United Arab Emirates.
- IKEV2: Another Microsoft classic, another NSA cracked. See a trend here?
- OpenVPN: An open source project, it has yet to be cracked and is considered the model of security. Most VPNs use this, as you can change ports, use UDP or TDP, and change encryption methods (but just don’t use Blowfish).
- RouterPro: This is only available as a JFIF applet installed on a customized firmware router and connecting to Astrill. Why do I mention this obscure protocol? Because when I lived in a part of the world where they blocked every VPN connection, and OpenVPN connections were unreliable*, this worked like a champ.
There’s a new protocol and it’s awesome:
WireGuard. WireGuard is a new protocol written using a fraction of the code that OpenVPN uses and even Linus Torvalds approves of the code. For a super deep dive into WireGuard, check out the Ars Technica initial write up.
I tested WireGuard at home and found it to 3x to 4x faster than my OpenVPN connection. It blew my socks off and forced me to re-think my VPN configuration for 2019.
You can even run WireGuard on your router if you have OpenWRT firmware.
As of this writing, there are only TWO VPN (Update: Many providers now offer WireGuard) providers who offer the WireGuard protocol.
- Mullvad. Based in Sweden, they offer a free trial for 3 hours. They are also the perfect choice if you are SUPER paranoid. Example, you can create an account with them, SEND THEM AN ENVELOPE WITH CASH and your account number, and you’re good to go. No names, no e-mail addresses, no paper trail. You can pay with Bitcoin, or credit card as well. They have very simple documentation on connecting using WireGuard. Mullvad also donates to the WireGuard project, so your subscription helps WireGuard (indirectly). While they cost a bit more, they offer 48 WireGuard servers to connect to, with 13 in the US and 2 being in New York. €60 Euros/$68 USD for a year.
- AzireVPN. Another Swedish company, they also offer a “pay in cash” model for ultimate security. While they are less expensive than Mullvad, they only offer 5 WireGuard servers. €45 Euros/$51 USD for a year.
- UPDATE: iVPN. They offer a three day free trial, have an easy to use app, and seem to have plenty of Wireguard servers. $100 a year.
- You can roll your own WireGuard server on DigitalOcean or any other cloud computing host.
…and now for some bad news:
It’s still early days for WireGuard. When you connect, you will get a warning that this is still considered ‘alpha’ software. It’s not fully tested, could disconnect unexpectedly, and isn’t for people who are afraid of the command line. (this wasn’t my experience, but your milage may vary).
Eventually, someone may write GUI interface (could be me!) that will make this easy for everyone. (Update: many providers now offer a GUI)
But I think we need to give WireGuard a try.
I wish everyone a safe and healthy holidays and hope 2019 brings you all the things you wish for.
* While OpenVPN was not initially blocked, Etisalat was clearly scanning for OpenVPN connections and terminating them whenever it found them. So you would make your connection, and 15 to 30 minutes later, it would terminate.