OpenWeb is a proprietary protocol developed by Astrill in 2009. It is based on TCP and is protected by multiple layers of encryption and authentication. It is a connection-less protocol, so you can switch between servers within seconds, without waiting for VPN software to reconnect. It is very lightweight and performs well in countries with elevated censorship.
OpenWeb is very hard to detect by DPI (deep packet inspection). Traffic looks like regular website browsing, so an observer cannot tell that you are using the Internet over a VPN. OpenWeb traffic is encrypted with AES-256, which is an industry standard.
StealthVPN is another proprietary protocol by Astrill. It is inspired by OpenVPN and performs an additional obfuscation of traffic, which makes it undetectable to automated firewall systems. StealthVPN is very stable and works in both UDP and TCP modes. Just like OpenWeb, it is only available with official Astrill VPN software.
StealthVPN data streams are protected with AES-256 and authentication is done with certificates. This makes the protocol not only very secure, but also very stable. The connection is kept alive for the duration of a session and all traffic from your computer is routed through Astrill VPN, so there are no IP or DNS leaks.
WireGuard is an extremely simple yet fast and modern VPN protocol that utilizes very strong cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be more performant than OpenVPN. WireGuard is designed as a general purpose VPN, fit for many different circumstances.
WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. It makes conservative and reasonable choices and has been reviewed by cryptographers. WireGuard is the result of a lengthy and thoroughly considered academic process, resulting in the technical whitepaper, an academic research paper which clearly defines the protocol and the intense considerations that went into each decision.
OpenVPN is a very flexible protocol that is widely supported across platforms. It can work over UDP, which provides fast speed, or TCP, which provides higher reliability and stability. You can connect to OpenVPN with third-party clients and set up a VPN connection without any Astrill software. Since OpenVPN does not aim to hide its traffic, it is easily detected by automated firewall systems and is frequently blocked and throttled. For example, it is often blocked in China.
OpenVPN is an open-source protocol that security experts from all around the world often analyse for vulnerabilities and exploits, and it is frequently updated and improved. It can use a wide range of encryption algorithms such as AES, Blowfish, Camellia and others. The protocol is very secure.
OpenConnect is an open-source VPN protocol. It was originally written as an open-source replacement for Cisco's proprietary AnyConnect SSL VPN client, which is supported by several Cisco routers. It can work over both UDP and TCP.
OpenConnect VPNs utilize TLS to authenticate and configure routing, then DTLS to efficiently encrypt and transport the tunneled VPN traffic, and can fall back to TLS-based transport where firewalls block UDP-based traffic. As usual, AES-128 and AES-256 are used for data layer encryption.
Cisco IPSec is a modification of IKEv1/IPSec made by Cisco and Microsoft. It is a secure and fast protocol that works very well on iOS devices and Linux. IPSec operates in two modes - transport mode and tunneling mode. The transport mode encrypts the contents of the data packet and the tunneling mode encrypts the entire data packet.
Cisco IPSec uses strong key exchange algorithms (up to 2048 bit) and very strong AES 256-bit encryption once the encryption key is established. IPSec is not designed to mask a VPN connection, so it can be susceptible to firewall filtering.
IKEv2/IPSec is an evolution of the IKEv1 standard developed by Microsoft and Cisco. It provides improved ability to reconnect when changing networks. For BlackBerry users this is the only official way to connect your device to a VPN.
Our configuration of IKEv2/IPSec combines strong key exchange over 2048-bit Diffie-Hellman groups, AES 256-bit encryption and SHA256 hashes for integrity checks. IKEv2 is considered a high VPN security standard but, like any other IPSec implementation, it does not aim to hide VPN activity, so it may be prone to firewall filtering.
L2TP stands for Layer 2 Tunneling Protocol. It is an evolution of PPTP (Point-to-Point Tunneling Protocol, now considered unsafe) and works on many devices. We suggest using L2TP only on devices which cannot run Astrill software and do not support any other more suitable VPN protocol.
L2TP is most often used together with IPSec (Internet Protocol Security), which guarantees very strong encryption at the packet level at the expense of speed. L2TP operates on fixed UDP ports 500/4500, which makes it easy for firewalls to block (e.g. in China).
SSTP stands for Secure Socket Tunneling Protocol. It is a Microsoft proprietary protocol and used to be available for Windows only. Recently, third-party clients for Linux and Android were released. As it uses TCP over TCP, it doesn't provide very fast speeds.
SSTP uses SSL (Secure Sockets Layer) over fixed TCP port 443, which makes it appear as general HTTPS traffic and makes it hard for firewalls to block. SSTP is considered to be a very safe protocol.