There is a lot of misunderstanding and misrepresentation regarding encryption strength and how most VPN providers talk about it. In fact, we would say that most of them don't have any idea what they are talking about, or if they have, they try to fool possible users in believing that they are more secure than other VPN services …
Let's see some examples from live VPN sites :
What does 2048 bit Encrypted connection mean ? And what about 128-2048bit security ? Let's try to clarify it as simply as possible….which in itself is challenging when discussing encryption! . We will do our best.
Firstly, encryption strength is related to a type of service. So we have to know if we are talking about PPTP or L2TP or OpenVPN or SSH. Once we know the type of service that we are talking about, we can better assess the information that the VPN provider gives to us related to its strength.
So focusing first on PPTP…. it can (and should) offer a maximum strength of 128 bits. Encryption using PPTP is provided by the use of Microsoft Point-to-Point Encryption (MPPE) protocol that can just handle 40-bit, 56-bit and 128-bit session keys. So when talking about PPTP, don't be fooled: 128 bits is the maximum strength that you can expect.
Anyhow, security wise, the biggest problem with PPTP is not related to the length of its key (there are other protocols very secure with similar key lengths), but to its underlying implementation that has several flaws. You can read more here.
Although OpenVPN can be configured in several ways, let's focus on the most typical one found in many VPN providers.
In this typical configuration, first the peers taking part in the communication (you and the VPN server to which you are trying to connect) will authenticate to each other. Once this has been done and the VPN tunnel is established, the proper flow of encrypted data from and to your computer will begin.
The authentication process will usually take place using Public-Key Cryptography and/or username and password. When you read about 2048 bit keys, or 4096 bit keys or something like this, you are reading about the key used during the authentication phase of the communication.
But once authentication has happened and because Public-Key algorithms are really slow, OpenVPN will switch to Symmetric Cryptography to actually encrypt the data that is sent between you and the VPN server. This encryption will take place using a given type of symmetric algorithm (AES, Blowfish, Twofish …) and with a given key length (128bit, 192bit, 256bit, 448bit …).
Most probably this last key length is the one you would worry more about along with the type of algorithm that the VPN provider is using. As you can see none of these symmetric key lengths get anywhere close to those 2048bit ot 4096bit keys that some VPN providers boast.
Having longer symmetric keys will increase security at a performance cost (more or less depending on the algorithm selected). All depends on how paranoid we are and the options that the VPN service provider gives to us.
Hope we have clarified things a bit