NordVPN Help Center
One place for all the information you need

Choosing between VPN protocols

Updated

Here at NordVPN, we support a number of different security protocols to provide our VPN service. We encourage you to take a closer look and explore the strengths and weaknesses of each and every one of them. The security levels and purposes of these protocols are different, but so are the needs of our customers. We want you to be able to choose freely, but also advise you of what might suit you best.

1. IKEv2/IPsec – (Highly recommended)

The latest addition to NordVPN security protocol family, which is also protected by IPsec, just as L2TP often is, however IKEv2/IPsec significantly increases security and privacy of the user by employing very strong cryptographic algorithms and keys. NordVPN uses NGE (Next Generation Encryption) in IKEv2/IPsec. The ciphers used to generate Phase1 keys are AES-256-GCM for encryption, coupled with SHA2-384 to ensure integrity, combined with PFS (Perfect Forward Secrecy) using 3072-bit Diffie Hellmann keys. IPsec then secures the tunnel between the client and server using the strong AES256. This is the protocol, which provides the user with peace of mind security, stability and speed. For these reasons, it is highly recommended by NordVPN and has been adopted as a default in the NordVPN apps for iOS and Mac OS. 

2. OpenVPN – (Recommended by NordVPN and used by default in most of our apps)

OpenVPN is a mature and robust piece of open source software which enables us to provide a reliable and secure VPN service. It is a versatile protocol and can be used on both TCP and UDP ports. It supports a great number of strong encryption algorithms and ciphers – to ensure the protection of your data we use AES-256-CBC with a 2048bit DH key. OpenVPN is currently used by default in NordVPN apps. We recommend it for the most security-conscious.

3. L2TP/IPsec – (Not recommended for general use. Use with caution)

The first protocol ever used by NordVPN, L2TP/IPsec is a Layer-2 tunneling protocol encapsulated within IPsec. It’s mostly used where newer protocols aren’t supported, or security is far less important than the ability to use a VPN at all. We have had cases where our customers have old hardware or are based in countries where this is the only protocol that can penetrate Governmental/ISP firewalls. L2TP/IPsec uses the legacy IKEv1 Internet Key Exchange protocol, which is widely supported in many operating systems and mobile devices, however it has limitations when compared to the newer IKEv2. One of those limitations is the fact that the authentication methods must match on both the client and the VPN server. To simplify the process of connecting to this VPN service we use a shared secret key for authentication in Phase 1 of an establishment of VPN tunnel as opposed to providing every client with their own certificate, and since the secret key is shared, there is always a potential for your data to be intercepted. Managing certificates is often time consuming and cumbersome for the end user, so we only support this protocol to enable you to connect to VPN when you need it most, but have no time to set it up – or if other protocols are blocked by a government or an ISP, which is when we ask to switch back to another protocol when VPN connection established. A great use case of L2TP/IPsec would be for someone at a coffee shop with an unprotected WiFi access. Use at your own risk and only as a temporary measure or last resort.

4. PPTP – (Not recommended for general use. Use with caution)

Point-to-Point Tunnelling Protocol is one of the first encryption protocols that came into existence. It is quite simple to set up and runs on a lot of Windows versions, right from Windows 95 to Windows 7. However, the reason that more protocols came into existence is because PPTP is not nearly as secure as it should be. We recommend this only in those rare cases where security isn’t a priority and where legacy support is required.

5. SSTP (Not recommended for general use – in rare cases recommended to clients using Windows-family OS)

Secure Socket Tunnelling Protocol is a protocol introduced by Microsoft and was first launched in Windows Vista Service Pack 1. Due to its integration with Windows operating system, Windows users find it much more stable than any other protocol. Recently started the use of AES encryption by SSTP. That said, SSTP has not been independently audited and is advisable to be used at your own risk.

Please Note: Although technically you can use the L2TP / PPTP protocols, they have serious security flaws. Whenever possible, we recommend choosing OpenVPN or IKEv2/IPSec instead.

This summary of VPN protocols should be used as a reference point when moving away from default native app settings. We want to provide you with freedom to choose and tinker, but also keep you informed about our motivation in offering and recommending certain protocols. If you have any questions or comments, please do not hesitate to express them by contacting us: https://nordvpn.com/contact-us/