OpenVPN
OpenVPN is a widely used, open-source VPN protocol supported on Windows, macOS, Linux, Android, and iOS. It uses the OpenSSL library and TLS for encryption and authentication, giving you modern cryptography and strong security. Key points:
- Transport: UDP (preferred for performance) or TCP (useful for traversing restrictive networks).
- Encryption/authentication: TLS via OpenSSL.
- Azure specifics: Configure the Azure VPN Gateway to accept OpenVPN connections and distribute the generated OpenVPN client profile to users. You must also configure a client IP address pool so connected devices receive private IPs from your virtual network.
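As an added example (not code from this page, Azure, or the OpenVPN project), the Python script below parses an OpenVPN client profile such as the one a gateway generates, reports which transport it uses (UDP, or TCP as the fallback the section describes), and flags missing TLS hardening directives that a reviewer would expect before distributing the profile; the sample profile and the host name vpn-gateway.example.invalid are constructed for the example.

```python
"""Check an OpenVPN client profile (.ovpn) for transport and TLS hardening before distributing it.
Added example, not Azure's or OpenVPN's own code; SAMPLE_PROFILE below is a constructed profile."""
import re

def parse_ovpn(text):
    """Map top-level directives to their argument lists; inline <ca>/<cert>/<key> blocks are skipped."""
    directives, in_block = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        tag = re.match(r"<(/?)([\w-]+)>$", line)
        if tag:  # entering (<ca>) or leaving (</ca>) an inline block
            in_block = None if tag.group(1) else tag.group(2)
            continue
        if in_block:  # certificate/key material, not a directive
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def check_profile(text):
    """Return the transport in use plus a WARN line for each missing TLS hardening directive."""
    d = parse_ovpn(text)
    proto = (d.get("proto") or [["udp"]])[-1][0].lower()  # udp is OpenVPN's default
    remote = d.get("remote", [[]])[-1]
    transport = remote[2].lower() if len(remote) >= 3 else proto  # a per-remote proto overrides 'proto'
    findings = [f"transport: {transport}"]
    if "remote-cert-tls" not in d:
        findings.append("WARN: missing 'remote-cert-tls server' (client would accept a non-server certificate)")
    tls_min = d.get("tls-version-min", [[None]])[-1][0]
    if tls_min is None or float(tls_min) < 1.2:
        findings.append(f"WARN: tls-version-min is {tls_min}; require 1.2 or higher")
    if "verify-x509-name" not in d:
        findings.append("WARN: missing 'verify-x509-name' (server identity not pinned)")
    return findings

SAMPLE_PROFILE = """\
proto udp
remote vpn-gateway.example.invalid 443 tcp
remote-cert-tls server
tls-version-min 1.2
verify-x509-name vpn-gateway.example.invalid name
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""
```

Running `check_profile` on a profile exported from the gateway lists the transport and any hardening directives the profile lacks, so they can be added before users import it.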
SSTP (Secure Socket Tunneling Protocol)
SSTP is a Microsoft-developed protocol that tunnels PPP traffic over SSL/TLS and uses TCP port 443 (HTTPS). Because it uses standard HTTPS, SSTP is effective at traversing firewalls and web proxies that block other VPN types. SSTP is natively supported on Windows clients, so Windows users often require no additional client software.
SSTP is primarily supported natively on Windows. Relying on SSTP for a mixed-device environment may require additional client software for macOS, Linux, Android, and iOS.
IKEv2 (Internet Key Exchange v2)
IKEv2 is a modern, standards-based protocol used with IPsec to negotiate security associations and keying material. It excels at reliability and mobility—supporting MOBIKE (Mobility and Multihoming), which helps clients maintain or quickly reestablish VPN sessions when they change networks (for example, switching from Wi‑Fi to cellular). Key points:
- Ports: UDP 500 for IKE, UDP 4500 for NAT traversal (NAT-T).
- Strengths: Fast reconnection, stability on unstable links, strong IPsec encryption.
- Ideal for: Mobile users and scenarios requiring low latency and robust reconnection behavior.
Protocol Comparison
| Protocol | Typical Ports | Transport | Platform Support | Strengths | When to Use |
|---|---|---|---|---|---|
| OpenVPN | UDP (default), TCP (fallback) | TLS over UDP/TCP | Windows, macOS, Linux, Android, iOS | Modern TLS-based crypto, flexible transport, broad client support | Cross-platform clients; need to traverse restrictive NATs with TCP fallback |
| SSTP | TCP 443 | TLS over TCP (HTTPS) | Native Windows; third-party clients on others | Excellent firewall/proxy traversal (HTTPS), native Windows support | Environments with strict firewall rules or Windows-only clients |
| IKEv2 | UDP 500, UDP 4500 (NAT-T) | IPsec/IKEv2 | Windows, macOS, Linux, Android, iOS | Fast reconnection, MOBIKE support, strong IPsec security | Mobile users, unstable networks, low-latency requirements |
Summary and Recommendations
Azure supports OpenVPN, SSTP, and IKEv2 for Point-to-Site VPNs. Choose based on device mix, network restrictions, and user scenarios:
- OpenVPN: Best for cross-platform compatibility and modern TLS-based security. Use UDP for best performance; choose TCP when you must traverse restrictive networks.
- SSTP: Optimal when you need to guarantee connectivity through strict firewalls/proxies (TCP 443) and primarily support Windows clients.
- IKEv2: Best for mobile users and situations requiring rapid reconnection and stable IPsec security.
When designing your P2S solution in Azure, you can enable multiple protocols on the same VPN Gateway to support diverse client needs—for example, offer OpenVPN for cross-platform users and IKEv2 for mobile users who need fast reconnection.