VPN Setup Guide for Business: Remote Access, Site-to-Site, and Zero Trust
Every business with remote workers needs secure access to internal resources. A VPN - virtual private network - creates an encrypted tunnel between a user's device and your corporate network, protecting data in transit and controlling who can access what. But the VPN landscape in 2026 is more complex than "just set up a VPN." You have three fundamentally different architectures to choose from, each with different security properties, user experiences, and operational requirements.
This guide covers the three VPN architectures - remote access, site-to-site, and zero trust network access (ZTNA) - along with protocol selection, deployment options, security hardening, and the monitoring that keeps your VPN from becoming a liability instead of a security control.
Understanding VPN Types
Before choosing a solution, understand what problem you are solving. Different VPN types address different connectivity needs.
Remote access VPN
A remote access VPN connects individual users to the corporate network from any location. The user's device runs a VPN client that establishes an encrypted tunnel to a VPN gateway at the corporate network edge. Once connected, the user can access internal resources - file servers, intranet applications, databases, and internal tools - as if they were physically in the office.
Remote access VPNs are the most common business VPN type. They solve the core problem of giving employees secure access to internal systems from home, coffee shops, airports, and client sites. The trade-off is that they grant network-level access - once connected, the user is "on the network" and can reach anything the network allows, which creates a lateral movement risk if credentials are compromised.
Site-to-site VPN
A site-to-site VPN connects two or more networks together - typically linking branch offices to headquarters, or connecting on-premises networks to cloud VPCs. Unlike remote access VPNs that serve individual users, site-to-site VPNs run between network gateways and are always on. All traffic between the connected networks flows through the encrypted tunnel automatically.
Site-to-site VPNs are essential for multi-location businesses that need shared access to centralized resources. They are also the standard method for connecting on-premises data centers to cloud environments (AWS VPC, Azure VNet, GCP VPC) without exposing traffic to the public internet.
Zero trust network access (ZTNA)
ZTNA is not technically a VPN, but it solves the same problem - secure remote access to corporate resources - with a fundamentally different security model. Instead of granting network-level access (put the user on the network and let them reach anything), ZTNA grants application-level access (the user can reach specific applications, and only those applications, after passing identity and device verification for each access request).
| Feature | Remote Access VPN | Site-to-Site VPN | ZTNA |
|---|---|---|---|
| Access scope | Full network | Full network | Per-application |
| Authentication | At connection | Mutual certificate | Per-request |
| Lateral movement risk | High | High | Minimal |
| User experience | Client required | Transparent | Often clientless |
| Legacy app support | Full | Full | Limited |
| Best for | General remote access | Multi-site connectivity | Application-level access |
Choosing a VPN Protocol
The VPN protocol determines how encryption, authentication, and tunneling work. Your protocol choice affects performance, security, compatibility, and ease of configuration.
WireGuard - the recommended default
WireGuard is the clear winner for new deployments in 2026. It uses modern cryptography (Curve25519, ChaCha20, Poly1305, BLAKE2s), has a minimal codebase of approximately 4,000 lines (compared to 100,000+ for OpenVPN), offers lower latency and higher throughput than alternatives, and is built into the Linux kernel with native support on Windows, macOS, iOS, and Android.
WireGuard establishes connections in milliseconds and handles network transitions (Wi-Fi to cellular) seamlessly. For mobile workers who switch networks frequently, this eliminates the reconnection delays that make traditional VPNs frustrating to use.
IKEv2/IPsec - the enterprise standard
IKEv2 with IPsec encryption is built into every major operating system and most enterprise firewalls. It handles network mobility well (MOBIKE protocol), supports certificate-based authentication natively, and integrates with enterprise PKI infrastructure. Choose IKEv2/IPsec when your organization already has IPsec infrastructure, you need native OS support without third-party clients, or compliance requirements mandate FIPS-validated encryption.
OpenVPN - the legacy workhorse
OpenVPN has been the default open-source VPN for over two decades. It works, it is proven, and it runs on everything. But for new deployments, WireGuard offers better performance, simpler configuration, and a smaller attack surface. Use OpenVPN when integrating with existing OpenVPN infrastructure or when you need TCP fallback for networks that block UDP (WireGuard is UDP-only).
Deployment Options
Self-hosted VPN server
Running your own VPN server gives you maximum control over configuration, logging, and data sovereignty. WireGuard can be deployed on any Linux server in minutes. This approach works well for small-to-mid businesses with IT staff who can manage the server, organizations with data sovereignty requirements, and teams that want full control over VPN configuration and logging.
# WireGuard server setup on Ubuntu # Install WireGuard apt update && apt install wireguard -y # Generate server keys wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key # Create server config cat > /etc/wireguard/wg0.conf << EOF [Interface] Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = $(cat /etc/wireguard/server_private.key) PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE EOF # Enable and start systemctl enable wg-quick@wg0 systemctl start wg-quick@wg0
Cloud-based VPN gateway
AWS Client VPN, Azure VPN Gateway, and GCP Cloud VPN provide managed VPN services that integrate with your cloud infrastructure. They handle high availability, scaling, and maintenance. Best for organizations with cloud-primary infrastructure. Costs typically range from $75-400/month plus data transfer charges.
VPN-as-a-Service
Platforms like Cloudflare Access, Zscaler Private Access, and Tailscale provide VPN or ZTNA functionality as a managed service. No hardware, no server management, no PKI infrastructure. Pricing is typically per-user ($5-15/user/month). Best for organizations that want to minimize operational overhead and do not need on-premises infrastructure control.
Security Hardening
A VPN is a security control, but a misconfigured VPN can become a security vulnerability. Hardening ensures your VPN provides the protection it is supposed to.
Multi-factor authentication
VPN credentials are high-value targets. A stolen VPN credential gives an attacker access to your entire internal network. MFA should be mandatory for every VPN connection - no exceptions. Combine certificate-based device authentication with user credentials and a TOTP or push-based second factor. Hardware security keys (FIDO2) provide the strongest protection against phishing attacks that target VPN credentials.
Split tunneling decisions
Full tunnel routes all traffic through the VPN - corporate and personal. Split tunnel routes only corporate traffic through the VPN and sends everything else directly to the internet. Full tunnel provides maximum security and visibility but increases VPN bandwidth consumption and slows personal browsing. Split tunnel improves performance and reduces bandwidth costs but means personal traffic is not inspected or protected by corporate security controls.
For most businesses, split tunneling with a well-defined corporate traffic list is the right balance. Route traffic destined for corporate IP ranges, internal DNS domains, and cloud resources through the VPN. Let everything else go direct.
DNS leak prevention
Configure the VPN client to use corporate DNS servers for all resolution while connected. DNS leaks - where DNS queries bypass the VPN tunnel and go to the user's ISP DNS - expose which internal resources users are accessing and can be exploited for man-in-the-middle attacks. Test for DNS leaks after configuration by connecting to the VPN and verifying that all DNS queries resolve through corporate servers.
Session management
Implement session timeouts and re-authentication requirements. A VPN session that stays active for 72 hours after the user walks away from their laptop is a risk. Configure idle timeouts (15-30 minutes), maximum session duration (8-12 hours), and require re-authentication after session expiry. For ZTNA solutions, per-request authentication eliminates this risk entirely.
Network segmentation
VPN users should not have unrestricted access to the entire internal network. Segment VPN access by role - standard employees get access to file shares, intranet, and their department's applications. IT administrators get broader access. Contractors get access to only the specific resources required for their engagement. Apply firewall rules to the VPN subnet that enforce these access boundaries.
Monitoring and Troubleshooting
VPN issues are one of the most common IT support tickets. Proactive monitoring reduces ticket volume, and structured troubleshooting resolves issues faster.
What to monitor
- Connection success rate: Track the percentage of connection attempts that succeed. A declining success rate indicates server capacity issues, certificate problems, or network changes that affect connectivity.
- Active sessions: Monitor concurrent connections against capacity. Alert at 80% capacity to prevent connection failures during peak hours.
- Bandwidth utilization: Track per-user and aggregate bandwidth. Identify users consuming disproportionate bandwidth and investigate whether it is legitimate (large file transfers) or concerning (data exfiltration).
- Failed authentication attempts: Multiple failed attempts from a single IP or targeting multiple accounts may indicate a brute-force or credential-stuffing attack.
- Geographic anomalies: Alert when a user connects from a location that is unusual for them. A user who typically connects from New York suddenly connecting from Eastern Europe warrants investigation.
- Session duration: Unusually long sessions - particularly outside business hours - may indicate compromised credentials being used for persistent access.
Common issues and solutions
The majority of VPN support tickets fall into predictable categories: connection timeouts (usually firewall or ISP issues blocking UDP), slow performance (overloaded VPN server, full tunnel when split would suffice), frequent disconnections (aggressive Wi-Fi roaming or MTU issues), and authentication failures (expired certificates, password changes not synced). Build a troubleshooting guide for your help desk that covers these scenarios with step-by-step resolution instructions.
Get IT Infrastructure Insights Delivered Weekly
VPN setup guides, network security best practices, and infrastructure automation tips. No spam, unsubscribe anytime.
VPN tickets drowning your help desk?
HelpBot resolves common VPN issues automatically - connection troubleshooting, password resets, certificate enrollment, and access requests. 14-day free trial.
Start Free TrialAutomate VPN and Network Support with HelpBot
VPN connection issues, access requests, and password resets are the top three IT tickets in remote-first companies. HelpBot handles them automatically, resolving 60-70% of Tier 1 tickets without human intervention.
Start Your Free Trial