
What is the difference between OpenVPN and PPTP?


Note that PPTP is considered completely insecure, and it has been discontinued in SecurityKISS.


OpenVPN vs PPTP comparison
OpenVPN PPTP
Summary
OpenVPN is for you if:
  • you are blocked by an internet provider or behind a restrictive firewall
  • you are looking for an advanced, high security solution
  • you need additional features like Exclusive Tunneling
PPTP is for you if:
  • you need an easy-to-setup VPN
  • you want to connect from a mobile device
  • you don't want to install additional software
Overview
OpenVPN: OpenVPN was started by James Yonan in 2002 and since then it has evolved into a feature-rich and advanced VPN solution based on OpenSSL.
PPTP: PPTP is a basic protocol created by Microsoft and Ascend Communications in 1999. It relies on other quite old protocols like PPP and GRE.
Development
OpenVPN: Open source, developed by OpenVPN Technologies. Very dynamic and active; new releases occur every several months.
PPTP: Multiple implementations, at least one per platform. Both open source and proprietary.
Encryption
OpenVPN (OpenSSL): OpenVPN relies on OpenSSL, so it can use any of the encryption algorithms available in that library, which makes it very flexible.
PPTP (MPPE): IP traffic is encapsulated into PPP and then encrypted with MPPE. MPPE supports 40-bit, 56-bit and 128-bit session keys. By today's standards only 128-bit is acceptable.
Authentication
OpenVPN: Strong server authentication is provided by certificates. The possibility of 'man-in-the-middle' attacks is significantly reduced.
PPTP: PAP, CHAP, Microsoft CHAP v1/v2 or EAP-TLS. PAP is trivial to break; Microsoft CHAP v2 is more commonly used but is still less secure than the OpenVPN methods.
Compression
OpenVPN (Fast LZO): Fast LZO (Lempel-Ziv-Oberhumer) compression. OpenVPN also supports an adaptive compression mode, which tries to optimize the case where you are sending predominantly incompressible packets over the tunnel.
PPTP (MPPC): MPPC (Microsoft Point-to-Point Compression). According to the Hifn company, MPPC is patent-encumbered, which has ramifications for PPTP software: it is sometimes not fully compatible or has errors because of the lack of an open specification.
Operating ports flexibility
OpenVPN: OpenVPN may send encrypted packets via UDP or TCP using any port (e.g. to bypass throttling or firewalls).
PPTP: PPTP uses a fixed TCP port 1723 connection, which is used to initiate and manage a second GRE (Generic Routing Encapsulation) tunnel.
Cross-platform compatibility
OpenVPN: The software comes from a common codebase, which is good for compatibility; however, with more complexity and dynamic development, compatibility bugs are inevitable.
PPTP: Although PPTP is much simpler than OpenVPN, a configuration where the client and server implementations come from different providers may be difficult to get working 100%.
Firewall traversal
OpenVPN: OpenVPN may work on any port, both TCP and UDP, so there is a greater chance to find a back door entrance in the firewall.
PPTP: Since PPTP uses a GRE (Generic Routing Encapsulation) tunnel, it may cause problems on older NAT routers that reject GRE (IP protocol 47).
ISP blocking traversal
OpenVPN: For the same reason as above, it is much more difficult (but feasible) to block OpenVPN connections.
PPTP: It is really easy for an internet provider to block PPTP and there is no workaround, so in such a case you need OpenVPN.
Speed
OpenVPN: For long-distance connections OpenVPN may have the advantage of setting up a UDP tunnel, which has lower delays on congested networks.
PPTP: In a typical network environment the protocol overhead on speed is negligible; however, since UDP cannot be used, the TCP overhead may sometimes be the limiting factor for speed.
Required software
OpenVPN: There is no need to install additional software. With SecurityKISS no additional configuration is needed. Just install and connect.
PPTP: Usually built into the operating system.
Ability to work with DD-WRT
OpenVPN: May be difficult.
PPTP: On a router that supports DD-WRT you can connect it to a PPTP server and share a single VPN connection with the entire local network.
Exclusive Tunneling
OpenVPN: Yes. Exclusive Tunneling protects against compromised data on an unstable connection.
PPTP: No. No such option.
Ease of configuration
OpenVPN: Normally, OpenVPN setup is quite complex because it has many options that, although unused, may confuse the user. It also requires generating certificates and deploying them to the user. With SecurityKISS you get a ready-to-use program with an individually generated and deployed certificate and multiple destination servers pre-configured. You only need to click 'Connect'.
PPTP: PPTP client configuration is quite simple. You need to name the VPN connection and enter the server IP address, username and password. There are also other options, like disabling MPPE encryption, but they are rarely used.
Stability
OpenVPN: Very stable and reliable. OpenVPN does not have to rely on TCP congestion control, so it may be optimized for VPN needs.
PPTP: A PPTP connection is built on top of TCP, so if the TCP connection fails the PPTP tunnel hangs up or disconnects.
Multi-platform support
OpenVPN: Many platforms are supported; however, only a few mobile devices support OpenVPN.
PPTP: PPTP is a basic VPN connection type and the built-in PPTP software is ubiquitous, even on small handheld devices.
Overall security
OpenVPN: Very good and depends on configuration.
PPTP: Microsoft's early implementation has been criticized for being poorly designed and not secure. Current PPTP implementations are secure enough for most applications.
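
The fixed TCP port 1723 control connection and the GRE tunnel described in the "Operating ports flexibility" and "ISP blocking traversal" rows are what make PPTP easy to recognise on a network, for example when auditing for leftover PPTP use. The following Python example is added here and is not SecurityKISS code: it labels raw IPv4 packets using the PPTP magic cookie and the GRE version 1 / protocol type 0x880B header defined in RFC 2637. The function names, addresses and sample packets are constructed for illustration.

```python
import struct

GRE_PROTO = 47            # IP protocol number of the PPTP data tunnel
PPTP_PORT = 1723          # fixed TCP port of the PPTP control connection
PPTP_COOKIE = 0x1A2B3C4D  # magic cookie in every PPTP control message (RFC 2637)
GRE_PPP = 0x880B          # GRE protocol type used by PPTP's enhanced GRE

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet: PPTP control, PPTP data, or something else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto, payload = packet[9], packet[ihl:]
    if proto == GRE_PROTO:
        if len(payload) < 4:
            return "malformed"
        flags, ptype = struct.unpack("!HH", payload[:4])
        # PPTP uses GRE version 1 carrying PPP; version 0 is ordinary GRE.
        return "pptp-data" if flags & 0x7 == 1 and ptype == GRE_PPP else "other-gre"
    if proto == 6:  # TCP
        if len(payload) < 20 or (payload[12] >> 4) * 4 < 20:
            return "malformed"
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[(payload[12] >> 4) * 4:]
        if PPTP_PORT in (sport, dport):
            if len(data) >= 8 and struct.unpack("!I", data[4:8])[0] == PPTP_COOKIE:
                return "pptp-control"
            return "tcp-1723"  # port matches but no PPTP message in this segment
    return "other"

# --- constructed sample packets (documentation addresses, checksums left at 0) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5])) + payload
def tcp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + data

SAMPLES = {
    "start-control-connection-request": ipv4(6, tcp(49152, 1723,
        struct.pack("!HHIHH", 156, 1, PPTP_COOKIE, 1, 0) + bytes(144))),
    "enhanced GRE carrying PPP": ipv4(47, struct.pack("!HHHHI", 0x3001, GRE_PPP, 0, 7, 1)),
    "plain GRE (version 0)": ipv4(47, struct.pack("!HH", 0, 0x0800) + bytes(20)),
    "UDP datagram to port 1194": ipv4(17, struct.pack("!HHHH", 40000, 1194, 12, 0) + bytes(4)),
}
if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:35} -> {classify(pkt)}")
```

A UDP tunnel on an arbitrary port carries no comparable fixed marker at this layer, which is why the last sample falls through to "other".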