I just found on AirVpn's FAQ....(I'm using AirVpn) "UDP is a connectionless protocol, so during the handshake it is not always possible to do an effective error correction. As a result, when there's high ping or low quality line during the OpenVPN login, the handshake may fail, although you could see no significant problem after (if) the connection is established. TCP is capable of handling these problems. On the other hand, UDP is more efficient once the connection is established. OpenVPN also implements a basic packets error correction even in UDP (only after the tunnel is established). If you experience problems with VoIP video/audio conversations when connected to the VPN through a TCP port, a typical case for which a difference may be visible (VoIP over TCP - for example UDP over TCP - is clearly inferior to VoIP over UDP because TCP implements ARQ, UDP does not), then go for an UDP connection. In general, you should always try an UDP connection if your ISP allows it and you don't experience any problem during the handshake. However, TCP is mandatory if you need a proxy to reach the Internet. VPN over TOR connections require a TCP connection. Variety of ports (53, 80, 443) is an additional option to try to bypass country or ISPs blocks, or bandwidth management. When OpenVPN connections are disrupted by your ISP (this happens for sure in China and Iran) then you need OpenVPN over SSL or OpenVPN over SSH supported by every AirVPN server and requiring, again, TCP.
> An introduction to six types of VPN software That's an excellent review, I think, as far as it goes. But he doesn't get into security issues. I mean, he doesn't even point out that PPTP is widely acknowledged as weak, and also IPsec with shared keys. For those who can manage it, using open-source software and firewall rules is the best option.
The NSA doesn't seem to agree. See https://nohats.ca/wordpress/blog/2014/12/29/dont-stop-using-ipsec-just-yet/ The problem is that built-in IPsec clients in some older OS don't use Perfect Forward Secrecy and do use PreSharedKeys.
Not entirely correct what you refer too, since they speaking about IKE which is not IPSec. It's also wrong in the article to say 'IKEcrack' - it was an exploit NSA used. The thing is that every protocol is in theory exploitable. Libreswan is open source and in meantime got several 'fixes'. The real problem is that people still want to use outdated OS + outdated software. This is widely known as dangerous. While all over the world are spread wrong 'information' that MS windows 10 spying on you (telemetry != spying) it also helps the NSA because you might still use 7 which has several known weaknesses. Every known provider I know like PIA, NordVPN and Protonmail VPN (currently) beta are not affected by this and they changed immediately all their configurations after the leaks. The tool which was mentioned as 'cracking tool' also not works anymore. MD5/SHA1 are depreciated. This only shows again user should update their products asap. Even the providers should upgrade asap if there are doubts. I think his conclusion is correct:
