The Layer 2 Tunneling Protocol (L2TP) is a VPN protocol used to establish a secure, private connection over a public network like the internet. It's one of the older protocols on the market, but its wide compatibility keeps it relevant. Fundamentally, L2TP doesn't encrypt your data itself. Instead, it's a tunneling protocol that creates a channel between your device and a VPN server. To secure that channel, it's almost always paired with the IPsec protocol for encryption, which is why you'll usually see it implemented as L2TP/IPsec.
We consider L2TP/IPsec a legacy protocol that offers good security and excellent out-of-the-box compatibility; however, its performance is consistently slower than that of modern alternatives, like WireGuard or IKEv2.
How Does L2TP Work?
L2TP establishes a VPN connection through a process known as "double encapsulation." First, your data is wrapped in Point-to-Point Protocol (PPP) frames. Then, L2TP wraps those PPP frames inside its own L2TP packets and sends them over the network. Think of it like putting a letter (your data) into an envelope (PPP), and then placing that envelope inside a shipping box (L2TP) for delivery.
This process creates the tunnel, but it's the IPsec protocol that secures the box itself. IPsec handles the key exchange and encrypts the entire L2TP packet before it leaves your device, ensuring no one can see what's inside the tunnel.
The technique of double encapsulation is effective, but it also creates more processing overhead, which impacts your overall connection speed to the server or other devices.
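The double encapsulation described above, as an added example that is not part of the original article: it wraps a payload in a PPP frame, wraps that in an L2TPv2 data header (field layout per RFC 2661), then parses the result back the way an on-path observer could when no IPsec is applied. The function names, tunnel and session IDs, and the sample payload are constructed for illustration.

```python
import struct

PPP_IPV4 = 0x0021  # PPP protocol number for IPv4
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200  # RFC 2661 flag bits


def ppp_wrap(ip_packet: bytes) -> bytes:
    """Inner envelope: PPP address (0xFF), control (0x03), protocol, payload."""
    return struct.pack("!BBH", 0xFF, 0x03, PPP_IPV4) + ip_packet


def l2tp_wrap(ppp_frame: bytes, tunnel_id: int, session_id: int) -> bytes:
    """Outer box: L2TPv2 data header with only the Length (L) bit set."""
    flags_ver = L_BIT | 2                # T=0 (data message), version 2
    length = 8 + len(ppp_frame)          # this header layout is 8 bytes
    return struct.pack("!HHHH", flags_ver, length, tunnel_id, session_id) + ppp_frame


def l2tp_unwrap(packet: bytes) -> dict:
    """Parse an unprotected L2TPv2 data message back to its payload."""
    (flags_ver,) = struct.unpack_from("!H", packet, 0)
    if (flags_ver & 0x000F) != 2 or (flags_ver & T_BIT):
        raise ValueError("not an L2TPv2 data message")
    off = 2
    if flags_ver & L_BIT:                # optional Length field
        (length,) = struct.unpack_from("!H", packet, off)
        if length != len(packet):
            raise ValueError("length field does not match datagram size")
        off += 2
    tunnel_id, session_id = struct.unpack_from("!HH", packet, off)
    off += 4
    if flags_ver & S_BIT:                # optional Ns/Nr sequence numbers
        off += 4
    if flags_ver & O_BIT:                # optional Offset Size plus padding
        (pad,) = struct.unpack_from("!H", packet, off)
        off += 2 + pad
    addr, ctrl, proto = struct.unpack_from("!BBH", packet, off)
    if (addr, ctrl) != (0xFF, 0x03):
        raise ValueError("PPP address/control compression not handled here")
    return {"tunnel_id": tunnel_id, "session_id": session_id,
            "ppp_protocol": proto, "payload": packet[off + 4:]}


if __name__ == "__main__":
    data = b"constructed sample: user=alice"  # stand-in for an IP packet
    wire = l2tp_wrap(ppp_wrap(data), tunnel_id=7, session_id=42)
    print(wire.hex())
    print(l2tp_unwrap(wire))
```

The payload bytes appear unchanged inside the wire bytes, which is why the tunnel relies on IPsec for confidentiality.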
Is L2TP Secure?
On its own, no. A standard vanilla L2TP connection provides no encryption and should not be considered secure for any purpose.
However, when implemented as L2TP/IPsec, it's considered secure. The IPsec suite is a robust, well-vetted cryptographic standard. When configured to use modern encryption like AES-256, L2TP/IPsec has no known critical vulnerabilities and provides excellent data confidentiality and integrity.
While it doesn't use the cutting-edge ciphers found in WireGuard, for general-purpose browsing and security, its implementation is more than sufficient to protect your data from ISPs and bad actors on a public network.
How Does L2TP Compare To Other Protocols?
L2TP's main advantage is its near-universal native support. You don't need to install a third-party application to use it on most devices.
- OpenVPN: L2TP is easier to set up natively on most devices, as OpenVPN almost always requires a dedicated app. However, OpenVPN is more flexible, often faster, and better at bypassing restrictive firewalls.
- IKEv2/IPsec: IKEv2 is a more modern protocol that is also natively supported on most devices. It's significantly faster and more reliable, especially on mobile devices, making it a better choice than L2TP for most users.
- WireGuard: WireGuard is the new benchmark for performance. It's dramatically faster, more lightweight, and uses more modern cryptography. Its main drawback is that it almost always requires a third-party app and isn't as widely supported on older hardware. You can read about our investigation into WireGuard vs. OpenVPN.
Who Should Use L2TP?
L2TP suits anyone who needs to quickly set up a VPN on a device that doesn't allow third-party app installations or, in some instances, anyone connecting to an older corporate VPN that still uses it. Outside of these cases, however, most users will experience better speed and reliability with more modern protocols like IKEv2 or WireGuard. You can also check out our recommendations for the best VPNs.
Conclusion
Given that most commercial VPN providers now offer modern protocols like IKEv2 and WireGuard in their easy-to-use apps, L2TP/IPsec should be viewed as a reliable fallback in specific scenarios, rather than your first choice every time.