How can we help you?

Which protocol should I choose?

Here at NordVPN, we support a number of different security protocols to provide our VPN service. We encourage you to take a closer look and explore the strengths and weaknesses of each and every one of them. The security levels and purposes of these protocols are different, but so are the needs of our customers. We want you to be able to choose freely, but also advise you of what might suit you best.

1. OpenVPN – (Recommended by NordVPN and used by default in most of our apps)

 OpenVPN is a mature and robust piece of open source software which enables us to provide a reliable and secure VPN service. It is a versatile protocol and can be used on both TCP and UDP ports. It supports a great number of strong encryption algorithms and ciphers – to ensure the protection of your data we use AES-256-CBC with a 2048bit DH key. OpenVPN is currently used by default in NordVPN apps. We recommend it for the most security-conscious.

2. IKEv2/IPsec – (Highly recommended)

The latest addition to NordVPN security protocol family, which is also protected by IPsec, just as L2TP often is, however IKEv2/IPsec significantly increases security and privacy of the user by employing very strong cryptographic algorithms and keys. NordVPN uses NGE (Next Generation Encryption) in IKEv2/IPsec. The ciphers used to generate Phase1 keys are AES-256-GCM for encryption, coupled with SHA2-384 to ensure integrity, combined with PFS (Perfect Forward Secrecy) using 3072-bit Diffie Hellmann keys. IPsec then secures the tunnel between the client and server using the strong AES256. This is the protocol, which provides the user with peace of mind security, stability and speed. For these reasons, it is highly recommended by NordVPN and has been adopted as a default in the NordVPN apps for iOS and Mac OS.

3. L2TP/IPsec – (Not recommended for general use. Use with caution)

The first protocol ever used by NordVPN, L2TP/IPsec is a Layer-2 tunneling protocol encapsulated within IPsec. It’s mostly used where newer protocols aren’t supported, or security is far less important than the ability to use a VPN at all. We have had cases where our customers have old hardware or are based in countries where this is the only protocol that can penetrate Governmental/ISP firewalls. L2TP/IPsec uses the legacy IKEv1 Internet Key Exchange protocol, which is widely supported in many operating systems and mobile devices, however it has limitations when compared to the newer IKEv2. One of those limitations is the fact that the authentication methods must match on both the client and the VPN server. To simplify the process of connecting to this VPN service we use a shared secret key for authentication in Phase 1 of an establishment of VPN tunnel as opposed to providing every client with their own certificate, and since the secret key is shared, there is always a potential for your data to be intercepted. Managing certificates is often time consuming and cumbersome for the end user, so we only support this protocol to enable you to connect to VPN when you need it most, but have no time to set it up – or if other protocols are blocked by a government or an ISP, which is when we ask to switch back to another protocol when VPN connection established. A great use case of L2TP/IPsec would be for someone at a coffee shop with an unprotected WiFi access. Use at your own risk and only as a temporary measure or last resort.

4. PPTP – (Not recommended for general use. Use with caution)

Point-to-Point Tunnelling Protocol is one of the first encryption protocols that came into existence. It is quite simple to set up and runs on a lot of Windows versions, right from Windows 95 to Windows 7. However, the reason that more protocols came into existence is because PPTP is not nearly as secure as it should be. We recommend this only in those rare cases where security isn’t a priority and where legacy support is required.

Related Articles