
What is the difference between OpenVPN and PPTP?


Note that PPTP is considered completely insecure and has been discontinued in SecurityKISS.


OpenVPN vs PPTP comparison
OpenVPN PPTP
Summary
OpenVPN is for you if:
  • you are blocked by your Internet provider or are behind a restrictive firewall
  • you are looking for an advanced, high-security solution
  • you need additional features like Exclusive Tunneling
PPTP is for you if:
  • you need an easy-to-set-up VPN
  • you want to connect from mobile devices
  • you don't want to install additional software
Overview
OpenVPN: OpenVPN was started by James Yonan in 2002 and has since evolved into a feature-rich, advanced VPN solution based on OpenSSL.
PPTP: PPTP is a basic protocol created by Microsoft and Ascend Communications in 1999. It relies on other, quite old protocols such as PPP and GRE.
Development
OpenVPN: Open source, developed by OpenVPN Technologies. Very dynamic and active, with new releases every several months.
PPTP: Multiple implementations, at least one per platform. Both open source and proprietary.
Encryption
OpenVPN: OpenSSL. OpenVPN relies on OpenSSL, so it can use any of the encryption algorithms available in that library. Very flexible.
PPTP: MPPE. IP traffic is encapsulated into PPP and then encrypted with MPPE. MPPE supports 40-bit, 56-bit and 128-bit session keys. By today's standards only 128-bit is acceptable.
Authentication
OpenVPN: Strong server authentication thanks to certificates. The possibility of man-in-the-middle attacks is significantly reduced.
PPTP: PAP, CHAP, Microsoft CHAP v1/v2 or EAP-TLS. PAP is trivial to break, while the commonly used Microsoft CHAPv2 is much weaker than OpenVPN's methods anyway.
Compression
OpenVPN: Fast LZO (Lempel-Ziv-Oberhumer) compression. OpenVPN also supports an adaptive compression mode, which tries to optimize the case where you are sending predominantly incompressible packets over the tunnel.
PPTP: MPPC (Microsoft Point-to-Point Compression). According to Hifn, MPPC is patent-encumbered, which has ramifications for PPTP software: it is sometimes not fully compatible or has errors because of the lack of an open specification.
Operating ports flexibility
OpenVPN: OpenVPN may send encrypted packets via UDP or TCP using any port (e.g. to bypass throttling or firewalls).
PPTP: PPTP uses a connection on fixed TCP port 1723, which is used to initiate and manage a second tunnel over GRE (Generic Routing Encapsulation).
Cross-platform compatibility
OpenVPN: The software comes from a common codebase, which is good for compatibility; however, with more complexity and dynamic development, compatibility bugs are inevitable.
PPTP: Although PPTP is much simpler than OpenVPN, a configuration where the client and server implementations come from different providers may be difficult to get working 100%.
Firewall traversal
OpenVPN: OpenVPN may work on any port, over both TCP and UDP, so there is a greater chance of finding an opening in the firewall.
PPTP: Since PPTP uses a GRE (Generic Routing Encapsulation) tunnel, it may cause problems on older NAT routers that reject GRE (IP protocol 47).
ISP blocking traversal
OpenVPN: For the same reason as above, OpenVPN connections are much more difficult to block (though it is feasible).
PPTP: It is really easy for an Internet provider to block PPTP and there is no workaround, so in such a case you need OpenVPN.
Speed
OpenVPN: For long-distance connections OpenVPN may have the advantage of being able to set up the tunnel over UDP, which has lower delays on a congested network.
PPTP: In a typical network environment the effect of protocol overhead on speed is negligible; however, since UDP cannot be used, the TCP overhead may sometimes be the limiting factor for speed.
Required software
OpenVPN: You need to install additional software. With SecurityKISS no additional configuration is needed. Just install and connect.
PPTP: Usually built into the operating system.
Ability to work with DD-WRT
OpenVPN: May be difficult.
PPTP: A router that supports DD-WRT can be connected to a PPTP server to share a single VPN connection with the entire local network.
Exclusive Tunneling
OpenVPN: Yes. Exclusive Tunneling protects against compromising your data on an unstable connection.
PPTP: No. No such option.
Ease of configuration
OpenVPN: Normally OpenVPN setup is quite complex because it has many options that, although unused, may confuse the user. It also requires generating certificates and deploying them to the user. With SecurityKISS you get a ready-to-use program with an individually generated and deployed certificate and multiple destination servers configured. You only need to click 'Connect'.
PPTP: PPTP client configuration is quite simple. You need to name the VPN connection and enter the server IP address, username and password. There are also other options, like disabling MPPE encryption, but they are rarely used.
Stability
OpenVPN: Very stable and reliable. OpenVPN does not have to rely on TCP congestion control, so it may be optimized for VPN needs.
PPTP: A PPTP connection is built on top of TCP, so if the TCP connection fails the PPTP tunnel hangs or disconnects.
Multiplatform support
OpenVPN: Many; however, only a few mobile devices support OpenVPN.
PPTP: PPTP is a basic VPN connection type and the built-in PPTP software is ubiquitous, even on small handheld devices.
Overall security
OpenVPN: Very good and depends on configuration.
PPTP: Not secure. See "PPTP discontinued".
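The fixed TCP port 1723 and the GRE tunnel described in the "Operating ports flexibility" and "Firewall traversal" rows make leftover PPTP use easy to spot on a network. The following is an added example, not part of the original page: it classifies raw IPv4 packets using the header values from RFC 2637, and every sample packet, address and port other than 1723 is constructed for illustration.

```python
import struct

PPTP_TCP_PORT = 1723      # control connection port named in the table
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
PPTP_MAGIC = 0x1A2B3C4D   # magic cookie carried by PPTP control messages (RFC 2637)
GRE_PROTO_PPP = 0x880B    # protocol type of PPTP's enhanced GRE (RFC 2637)

def classify(packet: bytes) -> str:
    """Return 'pptp-control', 'pptp-data' or 'other' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4
    proto, payload = packet[9], packet[ihl:]
    if proto == IPPROTO_GRE and len(payload) >= 8:
        flags_ver, ptype = struct.unpack("!HH", payload[:4])
        # Enhanced GRE: version (low 3 bits) is 1 and the payload is PPP.
        if flags_ver & 0x7 == 1 and ptype == GRE_PROTO_PPP:
            return "pptp-data"
    if proto == IPPROTO_TCP and len(payload) >= 20:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[(payload[12] >> 4) * 4:]
        if PPTP_TCP_PORT in (sport, dport):
            # Segments without data (SYN, ACK) are matched on the port alone;
            # segments with data must carry the PPTP magic cookie.
            if len(data) < 8 or struct.unpack("!I", data[4:8])[0] == PPTP_MAGIC:
                return "pptp-control"
    return "other"

# --- constructed samples: documentation addresses, zero checksums ---
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])) + payload

def tcp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + data

SCCRQ = struct.pack("!HHIHH", 156, 1, PPTP_MAGIC, 1, 0)  # header of a start request
SAMPLES = {
    "pptp control message": ipv4(IPPROTO_TCP, tcp(49152, PPTP_TCP_PORT, SCCRQ)),
    "pptp tunnelled ppp frame": ipv4(IPPROTO_GRE,
        struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, 4, 7, 1) + b"\xff\x03\x00\x21"),
    "plain gre (version 0)": ipv4(IPPROTO_GRE, struct.pack("!HHI", 0, 0x0800, 0)),
    # OpenVPN can run on any port, so it has no fixed header or port to match here.
    "openvpn over udp": ipv4(IPPROTO_UDP, struct.pack("!HHHH", 40000, 1194, 9, 0) + b"\x38"),
}

def classify_samples(samples=SAMPLES) -> dict:
    return {name: classify(pkt) for name, pkt in samples.items()}
```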
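The "Authentication" and "Overall security" rows say OpenVPN's strength comes from certificate-based server authentication and depends on configuration. The following added example (not SecurityKISS or OpenVPN project code) audits a client configuration for those settings; the two configurations, the host name vpn.example.com and the file names are constructed, and the `ca` directive is assumed to be given as a file path rather than inline.

```python
# Settings that give no encryption or use keys shorter than 128 bits (OpenSSL names).
WEAK_CIPHERS = {"NONE", "DES-CBC", "RC2-40-CBC", "RC2-64-CBC"}

def parse(config: str) -> dict:
    """Map each directive to its arguments; lines starting with # or ; are comments."""
    opts = {}
    for line in config.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            opts[name] = args
    return opts

def audit_config(config: str) -> list:
    """Return findings for the server-authentication and cipher settings."""
    opts, findings = parse(config), []
    if "ca" not in opts:
        findings.append("no 'ca': the server certificate cannot be validated")
    if opts.get("remote-cert-tls") != ["server"] and "verify-x509-name" not in opts:
        findings.append("server role/name not checked: any certificate from the CA is accepted")
    cipher = (opts.get("cipher") or [""])[0]
    if cipher.upper() in WEAK_CIPHERS:
        findings.append(f"cipher {cipher}: no encryption or key shorter than 128 bits")
    if (opts.get("auth") or [""])[0].lower() == "none":
        findings.append("auth none: tunnel packets are not integrity-protected")
    return findings

# Constructed client configuration with the weak settings.
WEAK = """
client
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
cipher none
auth none
"""

# Constructed client configuration with the corrected settings.
HARDENED = """
client
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verify-x509-name vpn.example.com name
cipher AES-256-GCM
auth SHA256
"""
```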