VPN: Secure Remote Connections and Access

·

When an employee connects to the corporate network from a coffee shop's Wi-Fi, their data travels across an infrastructure that no one in the organisation controls. Without protection, that information moves in the clear and is exposed to interception. The Virtual Private Network (VPN) solves this problem by creating an encrypted tunnel across the public network: a channel that makes communicating over the internet, in practice, as private as being connected by a cable inside the office. It is the piece that has sustained remote work for decades and remains a first-order security control.

This article explains how a VPN actually works, what types and protocols exist, how to configure it securely and why the Zero Trust model is pushing towards architectures that complement—and even replace—the traditional VPN.

How a VPN works: tunnel and encryption

A VPN combines two mechanisms: tunnelling (encapsulation) and encryption. Encapsulation wraps the original data packets inside other packets, creating a logical tunnel between the user's device and the VPN server. Encryption turns the content into something unreadable for anyone who intercepts the traffic along the way. The result is that an attacker positioned on the intermediate network sees traffic but cannot read it or tamper with it.

Authentication is the third pillar: before raising the tunnel, both ends verify their identity through certificates, pre-shared keys or credentials reinforced with a second factor. Without solid authentication, encryption protects confidentiality but leaves the door open to anyone who impersonates a legitimate user.

VPN types: remote access and site-to-site

There are two fundamental architectures. The remote-access VPN connects an individual user to the corporate network; it is the one the teleworker uses from their laptop. The site-to-site VPN links two complete networks—for example, the head office and a branch—permanently, without end users having to do anything. A variant of the latter is the MPLS-based VPN that carriers offer to interconnect offices.

A common design decision is split tunnelling versus full tunnelling. With full tunnelling, all of the device's traffic passes through the VPN, which maximises control and inspection at the cost of saturating the corporate link. With split tunnelling, only traffic towards internal resources crosses the VPN and the rest goes directly to the internet, which improves performance but reduces security visibility.

VPN protocols: from IPsec to WireGuard

The protocol determines the security, speed and compatibility of the connection. These are the most relevant in 2026:

ProtocolEncryption / basePerformanceRecommended use
WireGuardModern cryptography (ChaCha20)Very highNew deployments, mobile, high performance
IPsec / IKEv2AES, IPsec suiteHighSite-to-site, mobile with stable reconnection
OpenVPNSSL/TLS (OpenSSL)Medium-highMaximum compatibility and flexibility
L2TP/IPsecIPsec over L2TPMediumCompatibility with legacy equipment
PPTPObsolete and insecureHighDo not use: broken encryption

WireGuard has established itself in modern deployments thanks to its small codebase (easier to audit), its current cryptography and its excellent performance, especially on mobile networks. IPsec with IKEv2 remains the standard for site-to-site links and stands out for reconnecting quickly when changing networks. OpenVPN retains its value for its portability and for traversing firewalls well, as it can operate over TCP port 443. The PPTP protocol must be banned: its encryption has been broken for years and its use constitutes a vulnerability in itself.

Secure configuration: a checklist

  1. Strong, current encryption: AES-256 or ChaCha20; discard obsolete algorithms.
  2. Mandatory MFA on remote access: encryption is useless if the credentials leak.
  3. Certificate-based authentication in addition to credentials, for managed devices.
  4. Perfect Forward Secrecy (PFS): so that compromising one key does not expose past traffic.
  5. Kill switch: cut the connection if the tunnel drops, so there are no clear-text leaks.
  6. Patching the VPN concentrator: VPN gateways have frequently been the target of critical vulnerabilities; keeping them updated is a priority.
  7. Logging and monitoring of connections to detect anomalous access.
  8. Least privilege: being inside the VPN should not equate to full access to the internal network; segment.

The limit of the VPN and the arrival of ZTNA

The traditional VPN has a structural weakness: once inside the tunnel, the user usually obtains broad access to the internal network. If an attacker steals some credentials, they inherit that implicit trust and can move laterally. The Zero Trust model (formalised by NIST in publication SP 800-207) inverts that logic: no access is trustworthy by default, not even inside the network. From there emerges ZTNA (Zero Trust Network Access), which does not grant access to the network but to specific applications, evaluating identity, device posture and context on each request. Compared with the VPN, ZTNA drastically reduces the attack surface and eliminates lateral movement. Many organisations run both together: VPN for site-to-site links and legacy cases, ZTNA for user access to applications.

Regulatory framework

The use of a VPN fits within the security-of-processing obligations of the GDPR (Article 32), which requires encrypting communications that carry personal data. The NIS2 Directive strengthens, for essential and important sectors, the security requirements for communications and remote access. At the technical level, ISO/IEC 27001 includes specific controls for network security and information transfer, and in Spain the National Security Framework (ENS) sets requirements for the protection of communications for the public sector and its suppliers.

Performance and user experience

A VPN that protects but gets in the way ends up being disabled or pushing users to look for insecure shortcuts. That is why performance is not an incidental detail but part of effective security. Several factors condition the perceived speed: the distance to the VPN concentrator (the farther the server, the higher the latency), the encryption capacity of the gateway hardware, the chosen protocol and the decision between full or split tunnelling. WireGuard, thanks to its lightweight design, usually offers the best experience on mobile connections and on reconnections after network changes, an everyday scenario for anyone alternating between Wi-Fi and mobile data.

The design must balance control and fluency. Forcing all traffic through the tunnel maximises security visibility but saturates the corporate link and degrades services such as video calls, which would travel needlessly to the head office and back. Split tunnelling relieves that bottleneck by routing only corporate traffic, at the expense of losing visibility over the rest. The right choice depends on each organisation's risk profile and the type of data its remote users handle. Properly sizing the concentrator's bandwidth and distributing entry points geographically prevents the VPN from becoming the bottleneck that employees learn to bypass.

Common mistakes

Frequently asked questions

Does a VPN make me anonymous? Not entirely. A VPN encrypts the traffic and hides your IP address from third parties, but the service provider can see your activity. Privacy depends on the trust you place in whoever operates the VPN.

VPN or ZTNA? They are not mutually exclusive. ZTNA is preferable for granular user access to applications; the VPN remains practical for site-to-site links and legacy environments. Many architectures combine both during the transition.

Which protocol should I choose for a new deployment? WireGuard for performance and simplicity, or IPsec/IKEv2 if you need robust reconnection on the move and compatibility with existing network equipment.

Does a VPN slow down the connection? Encryption and the rerouting of traffic introduce some latency. WireGuard minimises it; split tunnelling also helps by not forcing all traffic through the tunnel.

Conclusion

The VPN is still a valid tool, but its role is changing. Encrypting the tunnel solves confidentiality along the way, not trust within the network: that is why a well-built VPN in 2026 carries mandatory MFA, modern encryption such as WireGuard or IPsec, segmentation that prevents lateral movement and a religiously patched gateway. And that is why, more and more, the VPN coexists with Zero Trust architectures that grant access to applications instead of to entire networks. The organisation that understands this evolution stops treating remote access as an "inside or outside" switch and starts seeing it as a decision that is re-evaluated on every connection. At Summum Sistemas we design the secure remote access appropriate to each case, from the site-to-site tunnel to the migration towards ZTNA.