What a VPN actually does
A virtual private network connects users, offices, cloud networks or partners over an encrypted tunnel. The goal is to protect traffic over networks you do not control, such as the public internet, hotel Wi-Fi or a broadband underlay.
Business VPNs usually fall into two families. Site-to-site VPNs connect networks, such as a branch firewall to a data-centre firewall. Remote-access VPNs connect individual users or devices to corporate applications.
Common VPN types
| Type | Where it fits | Watch-outs |
|---|---|---|
| IPsec site-to-site | Branch, data centre, partner and cloud network tunnels. | Key rotation, routing, tunnel failover, NAT traversal and crypto policy drift. |
| SSL/TLS remote access | User access from laptops or managed endpoints. | MFA, posture checks, client health, split tunnelling and least privilege. |
| Clientless portal VPN | Browser access to selected web apps. | Limited app support and risk of over-exposing internal web systems. |
| Cloud VPN | Connecting enterprise networks to cloud VPCs/VNets. | Throughput limits, route propagation, availability zones and HA design. |
VPN vs zero trust access
Traditional VPNs often put an authenticated user onto a broad internal network. Zero trust network access narrows the model: the user, device, identity, application and context are evaluated before access is granted to a specific resource.
That does not make VPNs obsolete overnight. Site-to-site tunnels, cloud network tunnels and emergency remote access still exist. But remote workforce access should be reviewed carefully if a VPN gives users more network reach than they need.
Performance and operations
VPN throughput depends on firewall capacity, encryption overhead, packet size, latency, route path and whether traffic is hairpinned through a central site. A 1 Gbps internet link does not mean a firewall can encrypt 1 Gbps of VPN traffic with all security features enabled.
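The packet-size and encryption-overhead effect in the paragraph above can be quantified. The following is an added example, not code from the original page: it estimates the fixed per-packet overhead that IPsec ESP in tunnel mode adds over IPv4 with AES-GCM (8-byte IV, 16-byte ICV, 4-byte payload alignment as in RFC 4106/4303), the largest inner packet that fits a given MTU without fragmentation, and the packets-per-second rate a firewall has to sustain to fill a link with small packets. Header sizes are the standard protocol values; the link speed and packet sizes are constructed inputs, and the figures describe protocol overhead only, not the capacity of any particular device.

```python
"""Estimate IPsec ESP tunnel-mode overhead and the goodput it leaves.

Assumptions (added example, not from the page): ESP tunnel mode over IPv4,
AES-GCM with a 128-bit ICV, no NAT-T UDP encapsulation (add 8 bytes if used).
"""

OUTER_IPV4 = 20   # outer IP header added by tunnel mode
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_IV = 8        # AES-GCM explicit IV (RFC 4106)
ESP_TRAILER = 2   # pad length (1) + next header (1)
ESP_ICV = 16      # 128-bit integrity check value
ESP_ALIGN = 4     # encrypted payload + trailer must be 4-byte aligned (RFC 4303)


def esp_padding(inner_len: int) -> int:
    """Padding bytes so that inner packet + padding + trailer is 4-byte aligned."""
    return (-(inner_len + ESP_TRAILER)) % ESP_ALIGN


def esp_packet_size(inner_len: int) -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    return (OUTER_IPV4 + ESP_HEADER + ESP_IV + inner_len
            + esp_padding(inner_len) + ESP_TRAILER + ESP_ICV)


def max_inner_for_mtu(mtu: int) -> int:
    """Largest inner packet that fits one ESP packet of at most mtu bytes.

    Anything larger is fragmented (or needs a lower tunnel MTU / MSS clamp).
    """
    inner = mtu
    while esp_packet_size(inner) > mtu:
        inner -= 1
    return inner


def goodput_fraction(inner_len: int) -> float:
    """Share of wire bytes that is inner packet, i.e. what applications see."""
    return inner_len / esp_packet_size(inner_len)


def packets_per_second(link_bps: float, inner_len: int) -> float:
    """Packets per second needed to fill link_bps with packets of this size.

    Crypto engines are often bound by packet rate rather than byte rate, so
    this is the number that matters for small-packet traffic such as VoIP.
    """
    return link_bps / 8 / esp_packet_size(inner_len)


if __name__ == "__main__":
    link = 1_000_000_000  # constructed: a 1 Gbps link
    print(f"max inner packet for MTU 1500: {max_inner_for_mtu(1500)} bytes")
    print(f"{'inner':>6} {'wire':>6} {'goodput':>8} {'pps @1G':>12}")
    for size in (64, 512, 1400, 1446):
        print(f"{size:>6} {esp_packet_size(size):>6} "
              f"{goodput_fraction(size):>8.3f} "
              f"{packets_per_second(link, size):>12,.0f}")
```

Run the script as-is to get the table; for a 1 Gbps link the 64-byte rows show roughly 53% goodput and over a million packets per second, which is why a firewall's datasheet IPsec figure (usually measured with large packets) rarely matches real mixed traffic.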
Operations also matter: certificate expiry, shared secrets, stale user accounts, unmanaged devices and forgotten partner tunnels are common failure and risk sources.
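The operational risks just listed are all checkable from an inventory. The following is an added example, not code from the original page or any vendor: it runs a hygiene audit over a constructed tunnel and user inventory, flagging certificates near or past expiry, pre-shared keys that have not been rotated, stale or MFA-less user accounts, unmanaged devices, and partner tunnels with no owner or no recent traffic. The record layout, thresholds, names and dates are all assumptions made for illustration; in practice the same fields would be pulled from the firewall's tunnel table and the identity provider.

```python
"""Audit a VPN inventory for common operational failure and risk sources.

All records, field names and thresholds below are constructed for this
added example; they are not from the page or from any real environment.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

TODAY = date(2025, 6, 1)   # fixed clock so the run is reproducible

# Thresholds (assumed policy values, not from the page)
CERT_WARN_DAYS = 30        # warn when a tunnel certificate expires within this
PSK_MAX_AGE_DAYS = 365     # pre-shared keys older than this should be rotated
IDLE_TUNNEL_DAYS = 90      # no traffic for this long suggests a forgotten tunnel
STALE_USER_DAYS = 60       # no login for this long suggests a stale account


@dataclass
class Tunnel:
    name: str
    peer: str
    owner: Optional[str]          # responsible team; None = nobody on record
    auth: str                     # "psk" or "cert"
    secret_set_on: date           # PSK rotation date or certificate issue date
    expires_on: Optional[date]    # certificate expiry; None for PSK tunnels
    last_traffic: Optional[date]  # last date the tunnel carried packets


@dataclass
class VpnUser:
    username: str
    mfa_enrolled: bool
    last_login: Optional[date]
    device_managed: bool


def audit_tunnel(t: Tunnel, today: date = TODAY) -> List[str]:
    """Return human-readable findings for one site-to-site or partner tunnel."""
    findings = []
    if t.auth == "cert" and t.expires_on is not None:
        days_left = (t.expires_on - today).days
        if days_left < 0:
            findings.append("certificate expired")
        elif days_left <= CERT_WARN_DAYS:
            findings.append(f"certificate expires in {days_left} days")
    if t.auth == "psk" and (today - t.secret_set_on).days > PSK_MAX_AGE_DAYS:
        findings.append("pre-shared key not rotated in over a year")
    if t.owner is None:
        findings.append("no owner on record")
    if t.last_traffic is None or (today - t.last_traffic).days > IDLE_TUNNEL_DAYS:
        findings.append(f"no traffic in {IDLE_TUNNEL_DAYS}+ days (forgotten tunnel?)")
    return findings


def audit_user(u: VpnUser, today: date = TODAY) -> List[str]:
    """Return findings for one remote-access account."""
    findings = []
    if not u.mfa_enrolled:
        findings.append("MFA not enrolled")
    if u.last_login is None or (today - u.last_login).days > STALE_USER_DAYS:
        findings.append(f"no login in {STALE_USER_DAYS}+ days (stale account?)")
    if not u.device_managed:
        findings.append("unmanaged device")
    return findings


def run_audit(tunnels: List[Tunnel], users: List[VpnUser],
              today: date = TODAY) -> Dict[str, List[str]]:
    """Map each tunnel name and username to its findings (empty list = clean)."""
    report: Dict[str, List[str]] = {}
    for t in tunnels:
        report[t.name] = audit_tunnel(t, today)
    for u in users:
        report[u.username] = audit_user(u, today)
    return report


# Constructed sample inventory
SAMPLE_TUNNELS = [
    Tunnel("branch-lon", "203.0.113.10", "netops", "cert",
           date(2024, 9, 1), date(2025, 6, 20), date(2025, 5, 31)),
    Tunnel("partner-acme", "198.51.100.7", None, "psk",
           date(2023, 1, 15), None, date(2024, 11, 2)),
    Tunnel("cloud-vpc", "192.0.2.44", "cloud-team", "psk",
           date(2025, 3, 1), None, date(2025, 6, 1)),
]
SAMPLE_USERS = [
    VpnUser("alice", True, date(2025, 5, 28), True),
    VpnUser("bob", False, date(2025, 1, 10), True),
    VpnUser("svc-legacy", True, None, False),
]

if __name__ == "__main__":
    for name, findings in run_audit(SAMPLE_TUNNELS, SAMPLE_USERS).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{name:<14} {status}")
```

On the sample data the partner tunnel collects three findings at once (old key, no owner, no traffic), which is the typical profile of a tunnel nobody remembers; the clean rows show the checks do not fire on a healthy entry.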
VPN buyer checklist
Sources and further reading
- IETF RFC 4301: Security Architecture for the Internet Protocol
- IETF RFC 8446: TLS 1.3
- NIST SP 800-77 Rev. 1: Guide to IPsec VPNs
- TechDirectory: SD-WAN enterprise guide