
Every VPN answers the same question: should this traffic be trusted here?

Your laptop at a coffee shop isn't trusted on your company's network. But connect through a VPN, and suddenly it is—authenticated, encrypted, belonging. Two offices in different cities aren't naturally part of the same network. But connect them through a VPN, and they become one.

VPNs solve two distinct problems: connecting people to places, and connecting places to places. Everything else—the protocols, the configurations, the vendor marketing—flows from that distinction.

Remote Access VPNs: People to Places

Remote access VPNs connect individual users to a private network. You run VPN client software on your laptop, authenticate to a VPN server at your organization, and gain access to network resources as if you were physically in the office.

This is the VPN most people think of. It's what lets employees work from home, from hotels, from anywhere with an Internet connection.

Remote access VPNs face a fundamental choice: full tunnel or split tunnel.

Full tunnel routes all your traffic through the VPN. Every web request, every video call, every software update—all of it flows through your organization's network first. Maximum security and visibility, but your organization's network now carries your Netflix traffic.

Split tunnel routes only corporate traffic through the VPN. Access a company file server? Through the VPN. Watch YouTube? Direct to the Internet.

The pandemic forced this choice into sharp relief. Organizations that mandated full tunnel found their VPN infrastructure crushed under the weight of every employee's home Internet usage. Many switched to split tunnel out of necessity—trading some security visibility for a system that actually worked.
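To make the full-versus-split-tunnel distinction concrete, here is an added Python simulation (not code from the original article) of the routing table a VPN client installs in each mode, using longest-prefix matching to decide whether a destination goes through the tunnel or straight out the local interface. All addresses are constructed from the RFC 5737 documentation ranges, and the interface names, corporate prefixes and VPN server address are assumptions for the example; it also includes the host route for the VPN server itself that a client must keep on the physical interface in both modes.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), not a real deployment.
VPN_SERVER = "203.0.113.10"                     # public address of the VPN gateway
CORPORATE_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]
PHYSICAL_IF = "wlan0"                           # the coffee-shop WiFi interface
TUNNEL_IF = "tun0"                              # the VPN tunnel interface


def build_routes(mode, corporate_prefixes=CORPORATE_PREFIXES, vpn_server=VPN_SERVER):
    """Return a routing table as a list of (network, interface) entries."""
    # The gateway's own address must always leave via the physical interface;
    # routing it into the tunnel would try to carry the tunnel inside itself.
    routes = [(ipaddress.ip_network(vpn_server + "/32"), PHYSICAL_IF)]
    if mode == "full":
        # Full tunnel: the default route points into the tunnel, so everything
        # except the gateway itself is sent through the organization's network.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), TUNNEL_IF))
    elif mode == "split":
        # Split tunnel: only corporate prefixes enter the tunnel; the default
        # route stays on the local interface, so Internet traffic goes direct.
        routes += [(ipaddress.ip_network(p), TUNNEL_IF) for p in corporate_prefixes]
        routes.append((ipaddress.ip_network("0.0.0.0/0"), PHYSICAL_IF))
    else:
        raise ValueError("mode must be 'full' or 'split'")
    return routes


def select_interface(routes, destination):
    """Longest-prefix match: the most specific route covering the address wins."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, iface) for net, iface in routes if addr in net]
    net, iface = max(matches, key=lambda r: r[0].prefixlen)
    return iface


def classify(mode, destinations):
    """Map each destination to 'vpn' or 'direct' under the given tunnel mode."""
    routes = build_routes(mode)
    return {d: ("vpn" if select_interface(routes, d) == TUNNEL_IF else "direct")
            for d in destinations}


if __name__ == "__main__":
    # A file server, a second corporate host, a public site, and the gateway.
    samples = ["10.20.30.40", "172.20.1.5", "198.51.100.7", VPN_SERVER]
    for mode in ("full", "split"):
        print(mode, classify(mode, samples))
```

Running it shows why full tunnel loads the corporate network with everything the user does: only the gateway's own address escapes the tunnel, whereas split tunnel sends the public destination direct.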

Site-to-Site VPNs: Places to Places

Site-to-site VPNs connect entire networks to each other. A VPN gateway at your New York office maintains a persistent encrypted tunnel to a gateway at your London office. All traffic between the sites flows through this tunnel.

The employee doesn't know a VPN is involved. That's the point. They access a file server in London the same way they'd access one down the hall. The VPN is infrastructure, invisible.

Site-to-site VPNs replaced expensive dedicated circuits. Before them, connecting offices meant paying telecommunications providers for private lines. Now you can build a wide area network over the public Internet, encrypted and authenticated.

These connections are typically always-on, automatically re-establishing if they drop. The tunnel is part of the network architecture, not something users think about.

The Protocol Divide: SSL/TLS vs. IPsec

Two protocol families dominate VPN implementations, each with different strengths.

SSL/TLS VPNs use the same protocols that secure HTTPS. They often work through a web browser—you visit a portal, authenticate, and access resources. No special software required.

This matters more than it sounds. SSL/TLS uses port 443, which every firewall allows because blocking it would break the web. SSL VPNs work from hotel networks, airport WiFi, corporate guest networks—places that block everything except web traffic.

For full network access (not just browser-based), SSL VPNs do require client software. But the protocol's ubiquity still helps with firewall traversal.

IPsec VPNs operate at the network layer, encrypting all IP traffic regardless of application. They're the standard for site-to-site connections and provide strong, well-standardized security.

IPsec is more complex to configure but more efficient at scale. Site-to-site connections between offices almost always use IPsec. Remote access can use either, with SSL winning on convenience and IPsec on raw performance.

Mobile VPNs: The Network Keeps Changing

Traditional VPNs establish a connection using a specific network interface and IP address. Switch networks—WiFi to cellular, one access point to another—and the connection breaks.

Mobile VPNs solve this. They maintain the VPN session even as the underlying network changes. Your phone can move from office WiFi to cellular to coffee shop WiFi without dropping the secure tunnel.

This isn't just convenience. For field workers, delivery drivers, or anyone moving through the world while needing secure access, a VPN that survives network transitions is the difference between usable and unusable.

Cloud VPNs: Hybrid Architecture

Cloud VPNs connect on-premises networks to cloud infrastructure. AWS, Azure, and Google Cloud all offer VPN gateway services that establish site-to-site tunnels between your data center and your cloud environment.

The cloud provider manages their end of the connection, which simplifies setup considerably. You configure your on-premises gateway, the cloud provider configures theirs, and the tunnel establishes.

This enables hybrid architectures—some workloads on-premises, others in the cloud, with secure connectivity between them. The location of a server becomes an implementation detail rather than a security boundary.

Always-On VPNs: No User Discretion

Always-on VPNs establish automatically whenever the device has network connectivity. The user doesn't choose to connect—the device is always connected.

This removes a category of risk: the user who forgets to connect, or decides not to bother, or doesn't realize they should. In high-security environments, all traffic from managed devices routes through the VPN regardless of what the user wants.

The tradeoff is flexibility. Always-on VPNs make sense for organization-owned devices with strict security requirements. They make less sense for personal devices or situations requiring network flexibility.

Clientless VPNs: Access Without Installation

Clientless VPNs provide access to specific resources through a web portal, without installing software.

Users authenticate to a portal and access applications through their browser—web apps, remote desktops, file shares. The portal proxies the connection, providing VPN-like access to resources behind the firewall.

This solves a real problem: the contractor who needs temporary access, the kiosk where you can't install software, the personal device you don't want to configure. Limited functionality compared to full VPN clients, but sometimes limited is exactly what you want.

Scaling Up: Concentrators and DMVPN

Organizations with heavy VPN usage deploy VPN concentrators—dedicated devices designed to handle thousands of concurrent connections with hardware-accelerated encryption.

Organizations with many locations face a different scaling problem. Traditional site-to-site VPNs require a tunnel between every pair of sites, n(n-1)/2 tunnels for n sites. Ten sites means 45 tunnels. A hundred sites means 4,950 tunnels.

Dynamic Multipoint VPN (DMVPN) solves this with a hub-and-spoke architecture. Sites connect to central hubs, and direct tunnels between spokes establish dynamically when needed. You get the manageability of hub-and-spoke with the performance of direct connections.

Choosing Correctly

The choice starts with the problem you're solving.

Connecting employees to the network: Remote access VPN. SSL/TLS for simplicity and compatibility, IPsec for performance. Split tunnel unless security requirements mandate full tunnel.

Connecting offices to each other: Site-to-site VPN with IPsec. Always-on, transparent to users.

Connecting to cloud infrastructure: Cloud provider VPN services. They're designed for exactly this.

Mobile workforce constantly changing networks: Mobile VPN that maintains sessions across transitions.

High-security environment requiring traffic control: Always-on VPN with full tunnel. No user discretion.

Temporary or limited access: Clientless VPN through a web portal.

The right VPN isn't the most secure or the most featured. It's the one that solves your actual problem without creating new ones.
