Virtual Private Networks - VPN

Introduction

VPNs are your overall best choice for anonymizing yourself on the internet. They are fairly easy to set up, and there is a wide variety of providers to choose from in countries across the world. VPNs are private networks used for many purposes, but for our purposes you will connect to the internet through your chosen VPN's server(s), and to the rest of the world your IP address and internet identity will appear to be at the server's location. Some adjustments to your settings may be required, as some websites use GeoIP to determine language, currency units, time zones, etc.
VPN providers usually offer a choice of connection types, sometimes as part of different price plans and sometimes all included in a single-price package. This guide is intended to provide an overview of the options available and to help you understand the basics of the underlying technologies.

A note about encryption key length

In crude terms, the length of the key used with a cypher determines how long it will take to crack by brute force, with longer keys requiring exponentially more time than shorter ones (a brute force attack, also known as an exhaustive key search, involves trying every possible key until the correct one is found).

It is almost impossible to find a VPN using keys shorter than 128 bits, and it is increasingly common to find 256-bit encryption on offer, sometimes going up to 2048-bit. SSTP, for example, uses 2048-bit encryption as standard. But what do these numbers mean in practice, and is 256-bit encryption really more secure than 128-bit encryption?

The short answer is that, to all practical intents and purposes, no. While it is true that a 256-bit key would require 2^128 times more computational power to break than a 128-bit key, that still means 3.4 × 10^38 operations would be required to break the 128-bit key (the number of possible 128-bit keys), a feat beyond conventional computing techniques for the foreseeable future. It would currently take the fastest supercomputer (figures from 2011, capable of 10.51 petaflops peak speed) 1.02 × 10^18 (around 1 billion) years to crack a 128-bit AES key by brute force.

As a 128-bit cypher cannot in any practical terms be cracked by brute force, it is fair to say that it is more than strong enough for most purposes. Only those truly paranoid about security (such as governments handling ultra-sensitive classified data that needs to remain secret for the next 100 years or so) may have a practical use for 256-bit encryption (the United States government, for example, uses NIST-certified 256-bit AES encryption).

So why is it increasingly common to see VPN providers offering 256-bit encryption (let alone 2048-bit), particularly when it takes computers considerably longer to encrypt information with 256-bit or longer keys? The simple answer is marketing: it sounds more impressive when trying to sell a product.

Large corporations and governments may feel the need for the added security margin afforded by longer key lengths, but for the average home VPN user 128 bits is more than sufficient.

Different cyphers do have vulnerabilities which may allow for faster key deduction, and attacks that bypass the encryption altogether, such as key loggers, can be used to get around it. However, the point stands that when it comes to key length, sizes over 128 bits really are unlikely to matter for most users.

PPTP

Point-to-Point Tunnelling Protocol is a Microsoft invention for creating VPNs over dial-up networks, and as such has been the standard protocol for internal business VPNs for many years. It is a tunnelling protocol only, and relies on various authentication methods to provide security (with MS-CHAP v2 being the most common). Available as standard on just about every VPN-capable platform and device, and thus easy to set up without the need to install additional software, it remains a popular choice both for businesses and for VPN providers. It also has the advantage of requiring a low computational overhead to implement (i.e. it is quick).

However, although it is now usually only found using 128-bit encryption keys, in the years since it was first bundled with Windows 95 OSR2 in 1999 a number of security vulnerabilities have come to light, the most serious of which is the possibility of unencapsulated MS-CHAP v2 authentication. Using this exploit, PPTP has been cracked within 2 days, and although Microsoft has patched the flaw (through the use of PEAP rather than MS-CHAP v2 authentication), Microsoft itself has issued a recommendation that VPN users should use L2TP, IPsec or SSTP instead.

Pros

Cons

L2TP and L2TP/IPsec

Layer 2 Tunnelling Protocol is a VPN protocol that on its own provides no encryption or confidentiality for the traffic that passes through it. For this reason it is usually implemented together with the IPsec encryption protocol to provide security and privacy.

L2TP/IPsec is built into all modern operating systems and VPN-capable devices, and is just as easy and quick to set up as PPTP (in fact it usually uses the same client). Problems can arise, however, because the L2TP protocol uses UDP port 500, which is more easily blocked by NAT firewalls, and may therefore require advanced configuration (port forwarding) when used behind a firewall. This is unlike SSL-based protocols, which can use TCP port 443 to make their traffic indistinguishable from normal HTTPS traffic.

IPsec encryption has no major vulnerabilities and is considered extremely secure when used with a secure algorithm such as AES. However, because it encapsulates data twice, it is not as efficient as SSL-based solutions (such as OpenVPN and SSTP) and is therefore slightly slower.

Pros

Cons

OpenVPN

OpenVPN is a fairly new open source technology that uses the OpenSSL library and the SSLv3/TLSv1 protocols, along with an amalgam of other technologies, to provide a strong and reliable VPN solution. One of its major strengths is that it is highly configurable: although it runs best on a UDP port, it can be set to run on any port, including TCP port 443. This makes its traffic impossible to tell apart from standard HTTP over SSL (HTTPS, as used by Gmail for example), and it is therefore extremely difficult to block.

Another advantage of OpenVPN is that the OpenSSL library used to provide encryption supports a number of cryptographic algorithms (e.g. AES, Blowfish, 3DES, CAST-128, Camellia and more), with AES and Blowfish being the algorithms most commonly used by VPN providers. AES is the newer technology, and although both are considered secure, the fact that it has a 128-bit block size rather than Blowfish's 64-bit block size means that it handles larger (over 1 GB) files better. The differences are, however, pretty minor. How fast OpenVPN performs depends on the level of encryption employed, but it is generally faster than IPsec.

OpenVPN has become the default VPN connection type, and while it is not natively supported by any platform, it is widely supported on most through third-party software. Until very recently it was impossible to run OpenVPN on non-jailbroken iOS or non-rooted Android portable devices, although third-party apps have now appeared to at least partially address this problem*.

This relates to another problem with OpenVPN: its flexibility can make it a bit fiddly to set up. When using generic OpenVPN software in particular (such as the standard open source OpenVPN client for Windows), it is necessary not only to download and install the client, but also to download and set up additional configuration files. Many VPN providers get around this configuration problem by supplying customized VPN clients.
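As an added example (not from the original page or from the OpenVPN project), here are two constructed OpenVPN client profiles, a weak one beside one hardened with the settings discussed above (TCP port 443, AES, a verified server certificate), together with a small shell audit that counts the weak settings. The hostname vpn.example.com and the certificate file names are placeholders.

```shell
# Weak profile (constructed): UDP on a non-standard port, which a NAT
# firewall blocks more easily, Blowfish with its 64-bit block size, and
# no check that the peer is really a server. Hostname and file names are
# placeholders.
WEAK_PROFILE='client
dev tun
proto udp
remote vpn.example.com 1194
cipher BF-CBC
ca ca.crt
cert client.crt
key client.key'

# Hardened profile: TCP 443 so the tunnel looks like ordinary HTTPS,
# AES-128 (sufficient per the key-length section; the GCM mode needs
# OpenVPN 2.4 or newer), and explicit checks on the server certificate.
HARDENED_PROFILE='client
dev tun
proto tcp
remote vpn.example.com 443
cipher AES-128-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls server
verify-x509-name vpn.example.com name
ca ca.crt
cert client.crt
key client.key'

# has_line PROFILE REGEX: succeeds if any line of PROFILE matches REGEX.
has_line() { printf '%s\n' "$1" | grep -Eq "$2"; }

# audit_profile PROFILE: one finding per weak setting on stderr, the
# number of findings on stdout; exit status 1 if anything was found.
audit_profile() {
    n=0
    has_line "$1" '^proto[[:space:]]+tcp' ||
        { echo 'proto is not tcp: UDP is easier to block at NAT firewalls' >&2; n=$((n + 1)); }
    has_line "$1" '^remote[[:space:]]+[^[:space:]]+[[:space:]]+443([[:space:]]|$)' ||
        { echo 'remote port is not 443: tunnel will not blend in with HTTPS' >&2; n=$((n + 1)); }
    has_line "$1" '^cipher[[:space:]]+AES-' ||
        { echo 'cipher is not AES: Blowfish and 3DES use 64-bit blocks' >&2; n=$((n + 1)); }
    has_line "$1" '^remote-cert-tls[[:space:]]+server' ||
        { echo 'remote-cert-tls server missing: any client cert from the CA could pose as the server' >&2; n=$((n + 1)); }
    echo "$n"
    [ "$n" -eq 0 ]
}
```

Save either profile to a file (e.g. client.ovpn) and pass it to the audit with `audit_profile "$(cat client.ovpn)"` to check a provider-supplied configuration the same way.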

Pros

Cons

*OpenVPN for Android and Open Connect for iOS and Android provide third-party OpenVPN support on iOS and Android (4.0 or higher only) devices. These solutions still require a similar downloading and setting-up process to the open source desktop OpenVPN clients. Note also that most VPN providers do not offer any support for setting up OpenVPN on mobile devices (although this is changing). The only custom OpenVPN client for mobile devices we have so far come across is the Kepard app for Android (all versions).

SSTP

Secure Socket Tunneling Protocol was introduced by Microsoft in Windows Vista SP1, and although it is now available for Linux, RouterOS and SEIL, it is still largely a Windows-only platform (and there is a snowball's chance in hell of it ever appearing on an Apple device!). SSTP uses SSL v3, and therefore offers similar advantages to OpenVPN (such as the ability to use TCP port 443 to avoid NAT firewall issues), and because it is integrated into Windows it may be easier to use and more stable.

Pros

Cons

Conclusion

Most users should therefore use OpenVPN on their desktop computers, perhaps supplementing it with L2TP/IPsec on their mobile devices.

Using VPNs

WARNING
If you don't have to pay for a product, you are the product being sold.

Free VPNs are available online, but we strongly recommend you do not go this route. They could be logging your IP address or browser information and selling it to advertising companies and are inherently more likely to bend easily and immediately under any kind of legal pressure. Before you use a free VPN you might as well look in the Security Handbook for other options you could take to anonymize yourself.

To learn more about how VPNs protect your privacy, please see this frequently updated survey about how customer data is handled by various providers. https://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition/

VPN Providers

The following is a list of paid VPN providers. A VPN is an Internet connection that creates an encrypted tunnel through your ISP and masks your real IP address. Payment methods vary widely: some require a PayPal account or verifiable personal information, whereas others allow the use of Bitcoin and prepaid credit cards to ensure higher levels of anonymity.
It is advised that you carefully read the Terms of Service and Privacy Policy of any provider you are considering. Laws vary from country to country, and what is legal in one may not be in another, so you need to make your decision based on your own situation. Contact the provider and ask them if you are in doubt.

The following list was gathered from simple web searches and is not an endorsement for their use. Any recommendations are based on actual/anecdotal experience. Please read the Terms of Service and the Privacy policy of any you are considering using. Join #opnewblood for help with VPNs.

https://www.vpntunnel.se/en/ - Prepaid cards, PayPal.
https://www.ibvpn.com/ - Many services, many payment options, allows torrents.
https://airvpn.org/ - A VPN based on OpenVPN and (purportedly) operated by activists and hacktivists in defence of net neutrality and privacy and against censorship. Accepts Bitcoin.
https://www.relakks.com - Based in Sweden and launched in co-operation with the Swedish Pirate Party in 2006. Very affordable.
https://perfect-privacy.com - Accepts Bitcoin.
https://www.ipredator.se - Keeps some logs but states that they are encrypted.
https://www.swissvpn.net - 6 CHF/month; keeps some logs.
https://www.steganos.com - They have some interesting security tools and seem very committed to protecting privacy.
https://www.bananavpn.net - Logs IPs; does not allow P2P (torrents).
https://www.strongvpn.com - Logs IPs.
https://www.vpngates.com
https://www.trilightzone.org - VPN, secure shells and many other services. Accepts Bitcoin, cash, Litecoin and other common payment types.
https://www.vpnaccounts.com
https://www.securstar.de
https://www.witopia.net
https://www.tiggerswelt.net
https://anonine.com/en - Anonine has changed hands several times and its current, true owner is unclear. Anonine is therefore no longer recommended at this time.