Why do VPN providers keep making their own protocols?

The VPN market is pretty competitive. It's long evolved past the point where being considered a "top-tier" VPN meant running a speedy OpenVPN-based service with a good spread of server locations. Now, to offer real value for money, the best VPN providers need to innovate or get left behind in the dust.

With this in mind, it's easy to be cynical about "custom" VPN protocols. You might dismiss them as a branding exercise to lure unsuspecting customers into paying for a VPN service – and this might be the case for unscrupulous VPNs. However, the reality is that there are a few VPN providers out there that genuinely push the boundaries of what we consider peak VPN performance for better speeds, improved privacy, and smaller resource footprints.

Read on and I'll discuss the innovations NordVPN and ExpressVPN are bringing to the market, and why they're so different from the VPN protocols available today.

Are current VPN protocols not good enough? 

The internet of today looks very different from the internet of ten years ago – and that means VPN standards have to evolve to keep up. The PPTP and L2TP/IPSec protocols were once considered "good enough" until it became apparent that they have huge security issues. Then, as a result, they quickly fell by the wayside.

Most of today's popular VPN solutions are considered highly secure because they offer OpenVPN as their main protocol. It's considered the gold standard when it comes to VPN security, after all. However, it's not without its issues.

While OpenVPN is compatible with most computing devices, including mobile phones, the code base is huge, making it pretty slow and resource-intensive.

While there's now a kernel implementation of OpenVPN, for the longest time OpenVPN was a user-space-only VPN program. Without getting too deep into the weeds about what this means, OpenVPN needs to talk back and forth with the operating system to encrypt and decrypt network packets instead of being able to access them directly.

This is slower and more resource-intensive than it could be – and it's where WireGuard comes into play.

OpenVPN's creation also dates back to a time when internet usage was primarily desktop-based, and it wasn't optimized for the mobile-first world we live in today.

The wireless revolution and the widespread use of mobile devices require protocols that are lightweight and adaptable to devices with smaller CPUs and battery constraints, as well as ones that can deal with constantly switching between different networks on the fly.

Occasionally, you'll encounter a VPN provider that uses a completely unique protocol that you won't find anywhere else. These are proprietary VPN protocols developed by the provider using their expertise in VPN technology.

But isn't OpenVPN sufficient? Improvements can certainly be made to enhance performance and efficiency. Stick around, and I'll tell you more about these advancements and the different VPN providers.

Should every VPN build a new protocol?

Let's be clear: not every VPN protocol is an entirely new creation. Some providers take an existing protocol, like OpenVPN, and make slight adjustments before rebranding it as their own.

This is particularly common when talking about obfuscation techniques, such as applying the OpenVPN Scramble patch to obfuscate the headers that indicate you're using OpenVPN.

I wouldn't say this is a particularly unscrupulous practice but, if in doubt, you should contact your provider to get a better idea of how its custom protocol differs from established ones.

On the other hand, there are providers like ExpressVPN and NordVPN that have outgrown what can be done with off-the-shelf implementations of WireGuard and OpenVPN. For them, the benefits of developing their own VPN protocols far outweigh the time and money costs involved.

The biggest challenge in developing a VPN protocol is the massive time and cost involved. Plus, without the expertise to write proper documentation and code, it can be quite difficult.

Secure coding is crucial, too. The VPN protocol must protect your end users sufficiently – which may not be the case if you made errors when coding the application.

Cryptography is notoriously hard to get right. There are countless examples of hacking attacks carried out because an over-confident security developer decided they could roll their own crypto code.

There are two main factors to consider if you want to win the trust of the public with a VPN protocol:

  • First, your VPN protocol needs to be open source. It's not enough to say: "trust us; we know what we're doing," when there are excellent open-source implementations of OpenVPN and WireGuard that have been audited thousands of times by security firms (and everyday users).
  • Second, the code base needs to be audited by a reputable firm. Just because a protocol is open source doesn't mean that every security flaw has been spotted. It's difficult to justify that a VPN is secure if the provider hasn't scheduled a third-party audit for the protocol.

Given that crafting a protocol is such a challenge, I'd be wary of most VPN providers that claim to have built their own VPN protocols. However, I'm going to dive into the exciting things NordVPN and ExpressVPN have been doing with their own custom protocols to give you a better idea of the benefits.

NordVPN and NordLynx 

NordVPN was impressed when WireGuard hit the scene. It's a revolutionary way of handling VPN connections – but it has its downsides.

For one, WireGuard assumes that you can trust the VPN server you connect to. This might be true for the enterprise VPNs you find in the workplace, but commercial VPNs utilize a very different threat model.

When you connect to a WireGuard server, it authenticates your traffic against a table of public keys and the IP addresses associated with them. If your public key (used in the encryption handshakes) matches up with where you're connecting from, the WireGuard server authorizes you and accepts your traffic.

This is highly secure – but not very private. The approach requires your VPN to keep a list, in memory, of all the IP addresses that connect to the server. Naturally, it also goes against the fundamental "no-logging" tenet all reliable VPN providers follow.
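To make the in-memory state described above concrete, this added example (not from the article or from any VPN provider) parses constructed output in the tab-separated format of `wg show wg0 dump` and lists, for each active peer, the public key, the real source address, and the tunnel address the server holds together. All keys are placeholders and all addresses come from documentation ranges.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the tab-separated format of `wg show wg0 dump`.
# Line 1 (interface): private-key, public-key, listen-port, fwmark.
# Peer lines: public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake, transfer-rx, transfer-tx, persistent-keepalive.
# Keys are placeholders; addresses are from documentation ranges.
SAMPLE_DUMP = "\n".join("\t".join(row) for row in [
    ["PRIVKEY-PLACEHOLDER=", "SERVER-PUBKEY-PLACEHOLDER=", "51820", "off"],
    ["PEER-A-PLACEHOLDER=", "(none)", "198.51.100.23:41822",
     "10.8.0.2/32", "1700000000", "52344", "918273", "off"],
    ["PEER-B-PLACEHOLDER=", "(none)", "[2001:db8::7]:51000",
     "10.8.0.3/32", "1700000450", "1200", "3400", "25"],
    ["PEER-C-PLACEHOLDER=", "(none)", "(none)",
     "10.8.0.4/32", "0", "0", "0", "off"],
])

@dataclass
class Peer:
    public_key: str
    endpoint_host: Optional[str]  # last source address seen; None if never
    allowed_ips: List[str]        # tunnel addresses bound to this key
    latest_handshake: int         # Unix time; 0 means no handshake yet

def parse_dump(text: str) -> List[Peer]:
    """Parse single-interface dump output into Peer records."""
    peers = []
    for line in text.splitlines()[1:]:        # first line is the interface
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"expected 8 peer fields, got {len(fields)}")
        key, _psk, endpoint, allowed, handshake = fields[:5]
        host = None
        if endpoint != "(none)":
            # Drop the port; IPv6 endpoints are written as [addr]:port.
            host = endpoint.rpartition(":")[0].strip("[]")
        ips = [] if allowed == "(none)" else allowed.split(",")
        peers.append(Peer(key, host, ips, int(handshake)))
    return peers

def linkable_records(peers: List[Peer]) -> List[Tuple[str, str, str]]:
    """(public key, real source address, tunnel address) per active peer."""
    return [(p.public_key, p.endpoint_host, ip)
            for p in peers if p.endpoint_host for ip in p.allowed_ips]

if __name__ == "__main__":
    for record in linkable_records(parse_dump(SAMPLE_DUMP)):
        print(record)
```

Peer C has never connected, so it has a key and a tunnel address but no source address to link them to.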

The approach isn't all that scalable, either, since you end up with huge key tables in the server memory when you're trying to handle connections for thousands of users simultaneously.

To solve this problem, NordVPN took the base WireGuard implementation and built a solution on top of it that we now know as NordLynx.

Simply put, NordVPN's WireGuard implementation separates all authentication into a separate server that handles identifiable data, while anyone connecting to the VPN server receives the same anonymous identity.

Anyone reading logs on the VPN server wouldn't be able to identify an individual user – all while allowing each user on the VPN server to send and receive unique traffic.

Of course, since then, NordVPN has continued to improve NordLynx, boosting speeds and support for its unique features (like MeshNet) without breaking core WireGuard compatibility.

Given that the WireGuard project has been dormant for a while, it's likely that NordLynx will be one project leading the way in terms of extending and improving WireGuard.

ExpressVPN and Lightway 

WireGuard solved a lot of the issues ExpressVPN had when using OpenVPN as its primary protocol. It's fast, efficient, and easily maintained.

On the flip side, however, there were lingering concerns. As I mentioned earlier, WireGuard keeps a table of all keys transmitting data over the VPN, which creates a mess of issues from a commercial VPN standpoint.

ExpressVPN wasn't happy with this privacy violation, so Lightway operates similarly to OpenVPN: authentication is handled when a client connects instead of being pre-authorized.

Unlike NordVPN, however, ExpressVPN wasn't as concerned about maintaining compatibility with the WireGuard codebase.

Maintaining the privacy of its user base was a key priority, of course, but the main issue that drove the development of a separate VPN protocol was the set of key features that WireGuard couldn't provide.

ExpressVPN wanted a mobile-first approach to its protocol – so it split away from WireGuard to get it done.

Take, for instance, the issue of obfuscation – there's no Deep Packet Inspection protection built into WireGuard. Just as WireGuard doesn't make any attempt to hide who's using the service, it doesn't make any attempt to hide the fact that it's in use.

Considering that so many ExpressVPN customers access the service from countries where DPI is used routinely to sniff out VPN usage, it's plain to see why the service would take the lessons it learned from OpenVPN and WireGuard to build something from the ground up.
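Why unobfuscated WireGuard is so easy for inspection equipment to recognise comes down to its plaintext header. This added example (not from the article or from ExpressVPN) classifies UDP payloads using only the message type byte, the three reserved zero bytes, and the fixed message sizes of the WireGuard wire format. The sample payloads are constructed, with random bytes standing in for the encrypted fields.

```python
import os
from typing import List, Optional

# WireGuard sends a one-byte message type followed by three reserved zero
# bytes in the clear. Handshake and cookie messages have fixed total sizes.
FIXED_SIZES = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
}
TRANSPORT_MIN = 32  # 16-byte header + 16-byte auth tag (empty keepalive)

def classify_wireguard(payload: bytes) -> Optional[str]:
    """Return the WireGuard message name a UDP payload matches, else None."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    msg_type = payload[0]
    if msg_type in FIXED_SIZES:
        name, size = FIXED_SIZES[msg_type]
        return name if len(payload) == size else None
    # Transport data is padded to 16-byte blocks, so its length is too.
    if msg_type == 4 and len(payload) >= TRANSPORT_MIN and len(payload) % 16 == 0:
        return "transport_data"
    return None

def handshake_seen(payloads: List[bytes]) -> bool:
    """True if a flow shows an initiation followed by a response."""
    kinds = [classify_wireguard(p) for p in payloads]
    if "handshake_initiation" not in kinds or "handshake_response" not in kinds:
        return False
    return kinds.index("handshake_initiation") < kinds.index("handshake_response")

def build_sample(msg_type: int, total_len: int) -> bytes:
    """Constructed payload: real header layout, random bytes for the rest."""
    return bytes([msg_type, 0, 0, 0]) + os.urandom(total_len - 4)

# Constructed flows: one WireGuard-shaped, one ordinary DNS query header.
WG_FLOW = [build_sample(1, 148), build_sample(2, 92), build_sample(4, 96)]
DNS_FLOW = [bytes.fromhex("1a2b01000001000000000000") + b"\x07example\x03com\x00"]

if __name__ == "__main__":
    print([classify_wireguard(p) for p in WG_FLOW], handshake_seen(WG_FLOW))
    print([classify_wireguard(p) for p in DNS_FLOW], handshake_seen(DNS_FLOW))
```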

Then, there's TCP support. WireGuard only supports UDP, making it difficult to use in environments where the connection is inconsistent. Building TCP into Lightway allowed ExpressVPN to offer a seamless connection when switching between multiple wireless hotspots and mobile data – and they wouldn't have achieved this simply by extending WireGuard.

As such, while ExpressVPN was heavily inspired by the WireGuard approach, Lightway is a truly unique VPN protocol built from scratch.

The bottom line

OpenVPN will dominate the VPN market for a long time – it's trusted, audited, and secure.

WireGuard has some significant advantages, sure, but it's a relatively new piece of software that's being adopted at a rapid pace into the VPN sphere.

Neither protocol is a perfect solution for today's VPN providers. For most, they're good enough, but for the titans of the industry (like NordVPN and Express), good enough simply isn't good enough.

Sam Dawson
VPN and cybersecurity expert

Sam Dawson is a cybersecurity expert who has over four years of experience reviewing security-related software products. He focuses his writing on VPNs and security, previously writing for ProPrivacy before freelancing for Future PLC's brands, including TechRadar. Between running a penetration testing company and finishing a PhD focusing on speculative execution attacks at the University of Kent, he still somehow finds the time to keep an eye on how technology is impacting current affairs.