VPN
VPN (Virtual Private Network) is a technology that creates an encrypted tunnel over a public network (typically the internet) to connect users to a corporate network or to mask their internet traffic. Common protocols: WireGuard, OpenVPN, IPsec/IKEv2, SSL VPN. In modern enterprise security, VPN is increasingly being replaced by ZTNA (Zero Trust Network Access).
What Is a VPN (Virtual Private Network)?
A VPN (Virtual Private Network) creates an encrypted communication tunnel over a public network — typically the internet — to connect users or networks securely as if they were on the same private network. VPNs are foundational technology for remote work, branch connectivity, hybrid cloud architectures, and consumer privacy.
In enterprise environments, VPNs split into two main use cases: remote access VPN (a single user connecting to a corporate network) and site-to-site VPN (two networks linked over encrypted tunnels). In 2026, remote access VPN is increasingly being replaced by ZTNA (Zero Trust Network Access) for security reasons — VPN gateway vulnerabilities have become a leading ransomware entry point.
VPN Definition
A VPN (Virtual Private Network) is a technology that creates an encrypted tunnel between endpoints over a public network, providing confidentiality, integrity, and authenticity for traffic that crosses untrusted infrastructure. Common protocols include WireGuard, OpenVPN, IPsec/IKEv2, and SSL VPN.
How a VPN Works
- Tunnel establishment — VPN client and gateway authenticate each other (certificates, pre-shared keys, or username + MFA).
- Key exchange — both sides agree on session keys via a Diffie-Hellman exchange, either classic or elliptic-curve (e.g. Curve25519, as used by WireGuard).
- Encryption — all traffic between the endpoints is encrypted (typically AES-256 or ChaCha20).
- Routing — VPN client routes traffic through the tunnel; the user appears to be inside the destination network.
- Termination — gateway decrypts and forwards traffic to the destination, returning responses through the same tunnel.
VPN Protocols
| Protocol | Strength | Use case | Notes |
|---|---|---|---|
| WireGuard | Modern, fast, simple | Best default for new deployments | Native in Linux kernel since 5.6 |
| OpenVPN | Mature, configurable | Wide support, older clients | Slower than WireGuard |
| IPsec/IKEv2 | Standard for enterprise | Site-to-site, mobile | Standard in Cisco/Fortinet/Palo Alto |
| SSL VPN | TLS-based, clientless | Browser-only access | Often replaced by ZTNA |
| L2TP/IPsec | Legacy | Older Microsoft/Cisco | Still common in legacy environments |
| PPTP | Avoid | Cryptographically broken | Don’t deploy |
VPN Use Cases
- Remote access — employees connecting from home or while travelling.
- Site-to-site — connecting branch offices, data centres, or cloud VPCs.
- Cloud connectivity — AWS Site-to-Site VPN, Azure VPN Gateway, GCP Cloud VPN as part of hybrid architectures.
- Privacy and bypassing geo-restrictions — consumer VPNs.
- Bypassing censorship — access to blocked sites in restrictive jurisdictions.
VPN vs ZTNA — Why ZTNA Is Replacing VPN
- VPN model — once connected, the user has network-level access; lateral movement is easy if a credential or device is compromised.
- ZTNA model — every access request is application-level, verified against identity, device posture, and policy in real time; users never see the underlying network.
Top ZTNA products in 2026: Cloudflare Access, Zscaler Private Access, Microsoft Entra Private Access, Netskope, Palo Alto Prisma Access.
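To make the two access models above concrete, here is a small policy model added for this entry (not a product's API): the same request is evaluated under a flat VPN, a segmented VPN, and a ZTNA broker. The user names, subnets, application names and posture attributes are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AccessRequest:
    """One connection attempt as seen by the gateway (constructed model, not a product API)."""
    user: str
    dest_ip: str          # destination the client wants to reach
    app: str              # application name as resolved by the ZTNA broker
    disk_encrypted: bool  # device posture attributes reported by the client
    edr_running: bool
    os_patched: bool

# Flat VPN model: once the tunnel is up, the whole corporate range is reachable.
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")

def flat_vpn_allows(req):
    return ipaddress.ip_address(req.dest_ip) in CORPORATE_NET

# Segmented VPN: per-user subnet allow-list enforced at the gateway firewall (assumed values).
SEGMENTS = {"alice": ["10.10.0.0/16"], "bob": ["10.20.5.0/24"]}

def segmented_vpn_allows(req):
    dest = ipaddress.ip_address(req.dest_ip)
    return any(dest in ipaddress.ip_network(n) for n in SEGMENTS.get(req.user, []))

# ZTNA model: per-application entitlement plus device posture, re-evaluated on every request;
# the client never receives a route into the network, so the destination IP is irrelevant.
APP_ENTITLEMENTS = {"hr-portal": {"alice"}, "git": {"alice", "bob"}}

def posture_ok(req):
    return req.disk_encrypted and req.edr_running and req.os_patched

def ztna_allows(req):
    return posture_ok(req) and req.user in APP_ENTITLEMENTS.get(req.app, set())
```

The contrast to notice is that a compromised but otherwise healthy account reaches every host under the flat model, only its subnets under the segmented model, and only its entitled applications under ZTNA, where a failed posture check denies even those.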
VPN Security Risks
- VPN gateway vulnerabilities — Fortinet, Ivanti, Palo Alto, Cisco, Citrix gateways have been repeatedly exploited by ransomware groups (CVE-2024-21887, CVE-2024-3400, CVE-2023-27997, CVE-2023-3519).
- Stolen credentials — without MFA, a phished VPN password gives full network access.
- Compromised endpoint — once a malware-infected laptop connects, the malware reaches the corporate network.
- Flat network access — many VPN deployments grant access to everything once connected.
Best Practices for Enterprise VPN
- Phishing-resistant MFA on every VPN connection (FIDO2 keys, certificates, not SMS-OTP).
- Aggressive patching of VPN gateways — within 24 hours of critical CVE disclosure.
- Segmentation — don’t grant flat network access; restrict VPN users to specific subnets and applications.
- EDR/XDR coverage of all VPN-connected endpoints.
- Logging and monitoring of every VPN session, with alerting on impossible-travel and anomalous activity.
- Migration to ZTNA for remote access; keep IPsec for site-to-site.
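As an added illustration of the session-monitoring point above (example code written for this entry, not any gateway's or SIEM's own detection logic), the following flags impossible travel between consecutive VPN logins by the same user. The log format, the GeoIP coordinates attached to each source IP and the 900 km/h threshold are assumptions; the log lines are constructed.

```python
import math
from datetime import datetime, timezone

# Constructed sample VPN session log (not real gateway output); fields are
# timestamp, user, source IP, GeoIP latitude and GeoIP longitude of that IP.
SAMPLE_LOG = """\
2026-03-01T08:00:00Z alice 203.0.113.10 51.5074 -0.1278
2026-03-01T08:45:00Z alice 198.51.100.7 40.7128 -74.0060
2026-03-01T09:10:00Z bob 192.0.2.55 48.8566 2.3522
2026-03-01T12:30:00Z bob 192.0.2.80 52.5200 13.4050
"""
# Assumed threshold: faster than an airliner means one person cannot have made both logins.
MAX_SPEED_KMH = 900.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_log(text):
    """Parse the constructed log format into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "ip": ip, "lat": float(lat), "lon": float(lon),
        })
    return sorted(events, key=lambda e: e["ts"])

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, previous_ip, new_ip, implied_speed_kmh) for each pair of
    consecutive logins by one user that would need travel faster than the limit."""
    alerts, last_seen = [], {}
    for ev in events:
        prev = last_seen.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            # Two logins in the same second from different places are impossible as well.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((ev["user"], prev["ip"], ev["ip"], round(speed, 1)))
        last_seen[ev["user"]] = ev
    return alerts
```

In the sample, alice's London-to-New-York pair 45 minutes apart is flagged, while bob's Paris-to-Berlin pair over more than three hours is not.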
Related Terms
- ZTNA — Zero Trust Network Access
- Zero Trust
- Encryption
- Firewall
- Remote Desktop Protocol (RDP)
Explore Our Services
- Network security — VPN, ZTNA, segmentation, firewall management
- Penetration testing — verify VPN gateway hardening
- SOC as a Service — 24/7 monitoring of VPN sessions
Frequently asked questions
+ What is a VPN in simple terms?
A VPN (Virtual Private Network) creates an encrypted tunnel between two devices over the public internet, making the connection appear as if both endpoints were on the same private network. Two main use cases: (1) **Remote access VPN** — a single user (laptop, phone) connects to a corporate network from home or travel, (2) **Site-to-site VPN** — two offices or a branch and a data centre are linked over encrypted tunnels. VPNs are also widely marketed to consumers as privacy tools (NordVPN, ExpressVPN, ProtonVPN), where they hide the user's IP address and encrypt traffic from local networks. Enterprise VPN is a different product class with deeper integration.
+ What are the main VPN protocols?
Five common protocols: (1) **WireGuard** — modern, lightweight, fastest, simpler codebase; default choice for new deployments since ~2020, (2) **OpenVPN** — older but still widely used; runs over TCP or UDP, configurable, slower than WireGuard, (3) **IPsec/IKEv2** — standard for site-to-site VPNs and many enterprise remote access products (Cisco AnyConnect, Fortinet, Palo Alto GlobalProtect), (4) **SSL VPN** — uses TLS, often used in clientless mode through a browser, (5) **L2TP/IPsec** — older Microsoft/Cisco standard, still common in legacy environments. Avoid: PPTP (cryptographically broken), GRE without encryption. Modern best practice: WireGuard for new deployments, IPsec/IKEv2 for legacy compatibility, replace SSL VPN with ZTNA where possible.
+ What is the difference between VPN and ZTNA?
Different security models: **VPN** gives the device *full network access* once connected — like plugging into the LAN remotely. If credentials are stolen or the device is compromised, the attacker reaches everything. **ZTNA (Zero Trust Network Access)** gives the user *application-level access* per request, verified each time against identity, device posture, and policy. Practical example: a VPN-connected user can scan the entire 10.0.0.0/8 corporate network; a ZTNA-connected user can reach only the specific applications policy allows, with continuous verification. Industry analysts (Gartner, Forrester) recommend replacing remote-access VPNs with ZTNA for new deployments. Top ZTNA products: Cloudflare Access, Zscaler Private Access, Microsoft Entra Private Access, Netskope, Palo Alto Prisma Access.
+ Are VPNs still secure for enterprise use in 2026?
Yes, but with caveats. The protocols themselves (WireGuard, IPsec, OpenVPN) remain cryptographically strong. The risk is in **VPN gateways** — appliances from Fortinet, Ivanti (Pulse Secure), Palo Alto, Cisco, Citrix have suffered numerous critical vulnerabilities exploited by ransomware groups: CVE-2024-21887 (Ivanti), CVE-2024-3400 (Palo Alto), CVE-2023-27997 (Fortinet), CVE-2023-3519 (Citrix). VPN gateway exposure to the public internet is now a leading initial-access vector for ransomware. Best practice: aggressive patching (within 24h of critical CVE), MFA on every connection, segmentation behind the VPN (don't grant flat network access), or migrate to ZTNA. Many cyber insurers in 2026 now exclude or surcharge VPN-only access models.
+ What is the difference between site-to-site and remote access VPN?
**Site-to-site VPN** connects two networks permanently — typically a branch office to headquarters or a data centre to a cloud VPC. Built on IPsec/IKEv2 between routers or firewalls, transparent to users (no VPN client needed). **Remote access VPN** connects a single user's device to a corporate network — laptop with VPN client (Cisco AnyConnect, Fortinet FortiClient, OpenVPN Connect, WireGuard), authenticates with username/password + MFA. Modern enterprises increasingly replace remote access VPN with ZTNA, while site-to-site VPN persists for hybrid cloud connectivity (AWS Site-to-Site VPN, Azure VPN Gateway, GCP Cloud VPN) and branch networks.
+ Should you use a consumer VPN for privacy?
Consumer VPNs (NordVPN, ExpressVPN, ProtonVPN, Mullvad, IVPN) hide your IP address from websites and encrypt traffic on hostile networks (public Wi-Fi). Useful for: (1) accessing geo-blocked content (with risk of breaking ToS), (2) using public Wi-Fi safely, (3) basic privacy from your local ISP, (4) bypassing internet censorship in restrictive countries. Limitations: (1) the VPN provider can see all your traffic — choose providers with audited no-log policies (Mullvad, Proton, IVPN), (2) doesn't protect from website-level tracking (cookies, fingerprinting) — use a privacy browser, (3) doesn't make you anonymous (Tor is for anonymity), (4) some sites block known VPN IPs. Free VPNs almost always have monetisation problems — avoid.
+ How does enterprise VPN authentication work?
Modern enterprise VPN authentication should always include MFA. Common patterns: (1) **Username/password + TOTP** (Google Authenticator, Microsoft Authenticator) or hardware token (YubiKey, RSA SecurID), (2) **SAML/OIDC SSO** integration with corporate identity (Entra ID, Okta, ADFS) — the VPN gateway redirects to the identity provider, which enforces MFA, (3) **Certificate-based authentication** — device certificates installed via MDM, much harder to phish than passwords, (4) **Posture checking** — the VPN client verifies that the device meets policy (encryption enabled, EDR running, OS patched) before access is granted. Anti-pattern: SMS-OTP can be phished via real-time relay (Evilginx, Modlishka); prefer phishing-resistant MFA (FIDO2, certificate-based).