Key Terms
VPN
Virtual Private Network — creates an encrypted tunnel over a public network, allowing remote users or sites to communicate as if directly connected to a private network.
IPsec
Internet Protocol Security — a suite of protocols for authenticating and encrypting IP packets. Widely used for site-to-site VPN tunnels between network gateways.
TLS/SSL
Transport Layer Security — the protocol that underpins HTTPS and SSL VPNs. Provides encryption, authentication, and data integrity for network connections.
Zero Trust
A security model that never implicitly trusts any user or device — even on the internal network. Every access request is verified regardless of network location.

What a VPN actually does

A VPN creates an encrypted tunnel between your device and a VPN endpoint — either a corporate VPN gateway or a consumer VPN server. All traffic sent through the tunnel is encrypted, so anyone who intercepts the packets between you and the endpoint sees only ciphertext. Your ISP sees that you are connected to a VPN endpoint; it cannot read the contents of that traffic.

What a VPN does: encrypts traffic in transit, hides the contents of your traffic from your ISP and from eavesdroppers on intermediate networks, and — for enterprise VPNs — provides authenticated remote access to private corporate networks. For a remote employee, a VPN makes their laptop behave as if it were physically connected to the office network.

What a VPN does not do is equally important. A VPN does not protect against endpoint malware — if your device is already compromised, the VPN encrypts the attacker's traffic alongside yours. It does not protect against an attacker who has already obtained valid VPN credentials. It does not replace HTTPS for securing web application traffic — that is a separate layer. And for large organisations, scaling a VPN to thousands of simultaneous remote users creates significant infrastructure complexity and a single point of failure.

How VPN tunnelling works

Different VPN protocols use different approaches to create and secure the tunnel:

  • IPsec: Operates at the IP layer, encrypting entire IP packets. Used heavily for site-to-site VPN connections between office locations. Offers strong cryptography (AES-256 for encryption, SHA-2 for integrity) but is complex to configure correctly. IKEv2 is the modern key exchange standard for IPsec.
  • OpenVPN: SSL/TLS-based VPN that operates at Layer 3 or Layer 2. Highly flexible, runs over UDP or TCP, and can traverse firewalls and NAT. Widely deployed in enterprise remote access VPNs and many consumer VPN services. Open-source and well-audited.
  • WireGuard: A modern VPN protocol with a dramatically smaller codebase than IPsec or OpenVPN — around 4,000 lines versus hundreds of thousands. Faster handshake, lower latency, and a smaller attack surface. Gaining significant enterprise traction since reaching stable status in 2020.
  • SSL VPN (browser-based): Delivers VPN access through a standard web browser with no client software installation required. Provides access to specific internal web applications rather than full network access. Common in environments where installing a VPN client on every device is impractical.
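The sections above describe the tunnel in words: an inner packet addressed to a private host is encrypted and carried inside an outer packet addressed to the VPN endpoint, so an on-path observer sees only the outer header and ciphertext. The script below is an added illustration of that encapsulation, not code from the page or from any VPN product. It uses a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 as a keystream plus an HMAC tag) as a stand-in for the AES-GCM or ChaCha20-Poly1305 that IPsec and WireGuard actually use; the addresses, shared secret and packet contents are constructed.

```python
import hashlib
import hmac
import os
import struct

# Constructed addresses for the illustration.
CLIENT_PUBLIC_IP = "203.0.113.10"   # address the ISP assigned to the laptop
GATEWAY_IP = "198.51.100.1"         # the VPN endpoint
NONCE_LEN = 12
TAG_LEN = 32


class TunnelSession:
    """Keys both tunnel ends derive from a shared secret (in practice the output
    of the IKEv2 or WireGuard handshake). Toy derivation: HMAC with fixed labels."""

    def __init__(self, shared_secret: bytes):
        self.enc_key = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 run in counter mode; a stand-in for a real stream cipher.
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(session: TunnelSession, nonce: bytes, plaintext: bytes) -> bytes:
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(session.enc_key, nonce, len(plaintext))))
    tag = hmac.new(session.mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def unseal(session: TunnelSession, nonce: bytes, sealed: bytes) -> bytes:
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(session.mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(session.enc_key, nonce, len(ct))))


def serialize_inner(pkt: dict) -> bytes:
    # Inner packet: private source, private destination, protocol, payload.
    return f"{pkt['src']}|{pkt['dst']}|{pkt['proto']}|".encode() + pkt["payload"]


def parse_inner(raw: bytes) -> dict:
    src, dst, proto, payload = raw.split(b"|", 3)
    return {"src": src.decode(), "dst": dst.decode(), "proto": proto.decode(), "payload": payload}


def encapsulate(session: TunnelSession, inner: dict) -> dict:
    """Client side: the whole inner packet becomes the encrypted payload of an outer packet."""
    nonce = os.urandom(NONCE_LEN)
    return {"src": CLIENT_PUBLIC_IP, "dst": GATEWAY_IP, "proto": "UDP/51820",
            "payload": nonce + seal(session, nonce, serialize_inner(inner))}


def decapsulate(session: TunnelSession, outer: dict) -> dict:
    """Gateway side: verify, decrypt and recover the inner packet for the private network."""
    nonce, sealed = outer["payload"][:NONCE_LEN], outer["payload"][NONCE_LEN:]
    return parse_inner(unseal(session, nonce, sealed))


def observer_view(outer: dict) -> dict:
    """What an on-path observer (the ISP, a hotel Wi-Fi operator) can see."""
    return {"src": outer["src"], "dst": outer["dst"], "proto": outer["proto"],
            "length": len(outer["payload"])}


def tampered_copy(outer: dict) -> dict:
    p = bytearray(outer["payload"])
    p[NONCE_LEN] ^= 0x01   # flip one ciphertext bit in transit
    return dict(outer, payload=bytes(p))


def integrity_holds(session: TunnelSession, outer: dict) -> bool:
    try:
        decapsulate(session, outer)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    session = TunnelSession(b"constructed-shared-secret")
    inner = {"src": "10.8.0.5", "dst": "10.0.1.20", "proto": "TCP/445", "payload": b"SMB read request"}
    outer = encapsulate(session, inner)
    print("observer sees:     ", observer_view(outer))
    print("gateway recovers:  ", decapsulate(session, outer))
    print("tampered accepted? ", integrity_holds(session, tampered_copy(outer)))
```

The observer's view is the point of the model: it contains the client's public address, the gateway's address, the protocol and a length, but neither the private destination nor the application data, which only appear after the gateway decapsulates the packet. The length and timing of outer packets are still visible, which is why a VPN hides content rather than the fact that a tunnel exists.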

Enterprise VPN vs consumer VPN

These are fundamentally different products that share a name. The distinction matters because they are often confused.

An enterprise VPN (Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet FortiClient) is a corporate security control. It connects remote workers to the organisation's private network through an authenticated, encrypted tunnel. The company controls the VPN gateway, enforces security policies, and can inspect traffic. The goal is secure access to internal resources — file servers, databases, internal applications.

A consumer VPN (NordVPN, ExpressVPN, Mullvad) changes your visible IP address on the internet and encrypts the traffic between you and the VPN provider's server. Your ISP can no longer see your browsing activity. The VPN provider can. The goal is privacy from your ISP and public networks — not corporate security.

Security professionals need to understand both because they appear in different contexts: enterprise VPNs are a core remote access control studied in CCNA and CEH, while consumer VPN misconfigurations and vulnerabilities appear regularly in penetration testing engagements and breach reports.

The Colonial Pipeline Lesson

In the 2021 Colonial Pipeline attack, the intruders used a leaked VPN credential for an account with no MFA to gain initial access. The VPN worked exactly as designed — it just let in the wrong person. A VPN protects the channel, not the credential. Always combine VPN with MFA.
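What "combine VPN with MFA" means at the gateway is a login decision that a valid password alone cannot pass. The script below is an added example, not code from the page or from any VPN vendor: a minimal gateway login check with a standard RFC 6238 TOTP second factor implemented from the Python standard library. The user store, passwords and salt are constructed; the first TOTP seed is the RFC 6238 reference test key, so the generated codes can be checked against the RFC's own table.

```python
import hashlib
import hmac
import struct

# Constructed user store. A real gateway keeps password hashes in a directory and
# TOTP seeds in a vault; the shapes here are simplified for the illustration.
SALT = b"constructed-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {
    "jdoe": {"password_hash": hash_password("constructed-password-1"),
             "totp_seed": b"12345678901234567890",   # RFC 6238 reference seed
             "mfa_enrolled": True},
    "contractor-vpn": {"password_hash": hash_password("constructed-password-2"),
                       "totp_seed": None,
                       "mfa_enrolled": False},        # the kind of account that caused the breach
}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(seed: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(seed, int(now) // step, digits)


def totp_matches(seed: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    return any(hmac.compare_digest(code, totp(seed, now + k * 30))
               for k in range(-window, window + 1))


def vpn_login(username: str, password: str, otp, now: float, require_mfa: bool = True):
    """Gateway decision: (allowed, reason). A leaked password alone must not be enough."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(hash_password(password), user["password_hash"]):
        return False, "bad username or password"
    if not user["mfa_enrolled"]:
        if require_mfa:
            return False, "account has no MFA enrolled, access denied"
        return True, "allowed on password alone (no second factor)"
    if otp is None or not totp_matches(user["totp_seed"], otp, now):
        return False, "second factor missing or wrong"
    return True, "allowed"


if __name__ == "__main__":
    now = 59  # fixed clock so the codes match the RFC 6238 test vectors
    print(vpn_login("jdoe", "constructed-password-1", None, now))            # leaked password only
    print(vpn_login("jdoe", "constructed-password-1", totp(USERS["jdoe"]["totp_seed"], now), now))
    print(vpn_login("contractor-vpn", "constructed-password-2", None, now))  # denied: no MFA enrolled
    print(vpn_login("contractor-vpn", "constructed-password-2", None, now, require_mfa=False))
```

The `require_mfa` flag is the policy question behind the lesson: with it set, an account that never enrolled a second factor is refused rather than quietly let through on its password, and auditing for accounts in that state is the check a security team runs before an attacker does.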

VPN limitations security teams must know

Understanding where VPNs fall short is as important as understanding what they provide. Several limitations create real-world risk in enterprise deployments:

  • Split tunnelling risk: Split tunnelling routes only corporate traffic through the VPN while allowing direct internet access for other traffic. This reduces bandwidth load on the VPN gateway but means the security controls applied to VPN traffic (firewall, IPS, web filtering) are bypassed for all non-corporate traffic. A compromised device can reach both the corporate network and untrusted internet simultaneously.
  • Infected endpoint propagation: A device with malware that connects via VPN now has authenticated access to the corporate network. The VPN encrypts and protects the malware's lateral movement traffic exactly as it does legitimate traffic.
  • VPN concentrators as single points of failure: In large organisations with thousands of remote workers, all VPN traffic funnels through VPN concentrator appliances. These become high-value attack targets and capacity bottlenecks. The mass shift to remote work in 2020 exposed vulnerabilities in several major VPN products (Pulse Secure, Citrix, Fortinet) that were actively exploited before patches were applied.
  • Credential-based attack surface: VPN credentials are high-value targets. A leaked username and password — from phishing, credential stuffing, or a previous breach — can grant full network access if MFA is not enforced. This is the Colonial Pipeline attack vector.
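The split tunnelling item above comes down to a routing decision made on the client for every packet: destinations matching the tunnel routes cross the gateway and its controls, everything else leaves directly. The script below is an added example, not code from the page or from any VPN client, that models that decision with the standard `ipaddress` module and reports which flows escape inspection. The corporate prefixes and sample flows are constructed; in WireGuard the equivalent knob is the peer's `AllowedIPs` list.

```python
import ipaddress

# Constructed: the prefixes the corporate network uses.
CORPORATE_PREFIXES = ("10.0.0.0/8", "172.16.0.0/12")

# Constructed sample flows a laptop generates during a working session.
SAMPLE_FLOWS = [
    ("file server (SMB)", "10.0.1.20"),
    ("internal wiki", "172.16.4.8"),
    ("public DNS", "8.8.8.8"),
    ("software download", "203.0.113.77"),
    ("unknown outbound connection", "198.51.100.200"),
]


def split_tunnel_policy():
    """Only corporate prefixes go through the VPN; everything else goes direct."""
    return [ipaddress.ip_network(p) for p in CORPORATE_PREFIXES]


def full_tunnel_policy():
    """Default routes (v4 and v6) through the VPN: every packet crosses the gateway's controls."""
    return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def route(dst: str, tunnel_routes) -> str:
    """'tunnel' if dst matches a tunnel route, else 'direct' via the local default gateway."""
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in net for net in tunnel_routes) else "direct"


def exposure_report(flows, tunnel_routes) -> dict:
    """Classify each flow and list those that bypass the gateway's firewall, IPS and web filtering."""
    paths = {name: route(dst, tunnel_routes) for name, dst in flows}
    uninspected = [name for name, path in paths.items() if path == "direct"]
    return {
        "paths": paths,
        "uninspected": uninspected,
        # The condition the text warns about: the same device is on the corporate
        # network and on the open internet at the same time.
        "reaches_corporate_and_internet": "tunnel" in paths.values() and "direct" in paths.values(),
    }


if __name__ == "__main__":
    for label, policy in (("split tunnel", split_tunnel_policy()), ("full tunnel", full_tunnel_policy())):
        report = exposure_report(SAMPLE_FLOWS, policy)
        print(f"{label}: uninspected={report['uninspected']} "
              f"bridging={report['reaches_corporate_and_internet']}")
```

Running it shows the trade-off in one line per policy: the split tunnel leaves the DNS lookup, the download and the unknown outbound connection outside the gateway's view while the same device holds a route into the file server, whereas the full tunnel inspects everything at the cost of the gateway bandwidth the text mentions.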

Zero Trust as the modern alternative

Traditional VPN architecture is built on a flawed assumption: that users inside the network perimeter can be trusted. Zero Trust rejects this entirely. In a Zero Trust model, every access request — regardless of whether it comes from inside or outside the corporate network — must be authenticated, authorised, and continuously verified.

ZTNA (Zero Trust Network Access) products implement this model by granting access to specific applications rather than broad network segments, enforcing MFA and device health checks at every access point, and continuously verifying session context rather than trusting an established VPN session indefinitely. Major ZTNA platforms include Cloudflare Access, Zscaler Private Access, and Palo Alto Prisma Access.

The practical advantages over VPN are significant: users only access what they are explicitly authorised for (principle of least privilege), a compromised credential does not grant access to the entire network, and there is no VPN concentrator to become a bottleneck or single point of failure.
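The difference between the two models can be stated as two access functions: a VPN login answers "is this credential valid?" once and then exposes the network, while a ZTNA policy answers "may this identity, on this device, with this recent MFA, reach this one application?" on every request. The script below is an added example, not code from the page or from any ZTNA product, that evaluates both over the same stolen-credential scenario. The applications, groups and thresholds are constructed; note that network location appears nowhere in the policy.

```python
from dataclasses import dataclass

# Constructed per-application policy. Deliberately absent: any rule about where
# on the network the request comes from.
APP_POLICY = {
    "wiki":       {"groups": {"staff"},   "require_managed_device": False, "max_mfa_age_s": 24 * 3600},
    "git":        {"groups": {"eng"},     "require_managed_device": True,  "max_mfa_age_s": 8 * 3600},
    "finance-db": {"groups": {"finance"}, "require_managed_device": True,  "max_mfa_age_s": 1 * 3600},
}


@dataclass
class Device:
    managed: bool     # enrolled in the organisation's device management
    compliant: bool   # posture check passed: disk encrypted, patched, EDR running


@dataclass
class Session:
    user: str
    groups: set
    device: Device
    mfa_verified_at: float   # epoch seconds of the last successful MFA


def ztna_decision(session: Session, app: str, now: float):
    """Per-request decision: (allowed, reason). Identity, posture and MFA freshness every time."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown application"
    if not session.groups & policy["groups"]:
        return False, "identity not entitled to this application"
    if policy["require_managed_device"] and not (session.device.managed and session.device.compliant):
        return False, "device fails posture check"
    if now - session.mfa_verified_at > policy["max_mfa_age_s"]:
        return False, "MFA too old for this application, re-verify"
    return True, "allowed"


def reachable_via_ztna(session: Session, now: float) -> set:
    return {app for app in APP_POLICY if ztna_decision(session, app, now)[0]}


def reachable_via_vpn(credential_valid: bool) -> set:
    """Classic VPN model: one successful login puts the device on the network, and
    every application on that network is reachable at the network layer."""
    return set(APP_POLICY) if credential_valid else set()


if __name__ == "__main__":
    now = 1_700_000_000.0
    # Stolen credential used from an attacker's own, unmanaged machine.
    stolen = Session("jdoe", {"staff", "eng"}, Device(managed=False, compliant=False), now - 600)
    print("VPN model reaches: ", sorted(reachable_via_vpn(True)))
    print("ZTNA model reaches:", sorted(reachable_via_ztna(stolen, now)))
    # Legitimate user, managed device, but MFA is nine hours old.
    stale = Session("jdoe", {"staff", "eng"}, Device(managed=True, compliant=True), now - 9 * 3600)
    print("git with stale MFA:", ztna_decision(stale, "git", now))
```

The stolen-credential case is the sentence "a compromised credential does not grant access to the entire network" made concrete: the VPN model returns every application, the ZTNA model returns only the one that needs no managed device, and even a legitimate user on a compliant device is sent back to re-verify MFA for the application whose policy demands a fresher factor.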

VAPTIC's browser-based lab environment uses a Zero Trust-style access model — students authenticate and receive access to specific lab resources without any VPN client installation required. It demonstrates the practical shift from VPN-centric to identity-centric security architecture.

61% of enterprises still rely primarily on VPN for remote access
$44B: global VPN market projected by 2027
2 of 5 major breaches in 2023–2024 involved compromised VPN credentials
Train with VAPTIC
CEH v13 AI Powered
CEH v13 covers VPN enumeration, tunnelling attacks, and how attackers exploit misconfigured remote access — hands-on labs included.