
Remote access vs. site-to-site VPN: What's the difference?

A remote access VPN connects remote users from any location to a corporate network. A site-to-site VPN, meanwhile, connects individual networks to each other.

Remote working has become pervasive in business processes. While remote work, or teleworking, has been around for years -- and the technology has become largely standardized -- its importance to businesses increased significantly in 2020. Remote access to corporate networks and internal resources is now the norm, rather than the exception, for public and private businesses of all types and sizes.

The primary remote access technology is the virtual private network, or VPN. In this article, we'll compare two types of VPNs that make remote work possible: remote access VPNs and site-to-site VPNs.

First, a VPN is a virtual network, as opposed to a physical network. Connections are made using information from internet protocols, such as an IP address, to establish an encrypted tunnel between two endpoints. Data packets are transmitted via the internet over a variable set of routes, based on available network paths, to a receiving end that reassembles the packets into their original format.

By contrast, a physical network requires a hard-wired connection between endpoints, using a single communication link, like a private data channel. VPN traffic is typically secured using encryption, often with a security appliance on each end of the connection.

When weighing a remote access VPN against a site-to-site VPN and choosing between the two configurations, data center network managers must consider the roles they want VPN technology to play.

What is a remote access VPN?

Most widely used today for remote workers, especially employees working from home, remote access VPNs connect individual users, or clients, to private corporate host networks. Typically, remote access users include travelers, teleworkers and mobile users who need to access their company's internal network securely over the internet.

In a remote access VPN, every host accessed by remote users must have VPN client software. Whenever the remote user prepares to send traffic, VPN client software in a router encapsulates and encrypts that traffic before sending it over the internet to a VPN gateway at the edge of the target corporate network.

Upon receipt, that VPN gateway behaves just like in a site-to-site VPN. If the target host inside the corporate network returns a response, the VPN gateway performs the reverse process to send an encrypted response back to the VPN client over the internet. Firewalls may also be present to further protect network traffic from unauthorized intruders.

What is a site-to-site VPN?

By contrast, site-to-site VPNs connect multiple networks to each other, typically a branch office network to a company headquarters network. In a site-to-site VPN configuration, hosts do not have VPN client software; they send and receive normal TCP/IP traffic through a VPN gateway.

The VPN gateway encapsulates and encrypts outbound traffic, sending it through a VPN tunnel over the internet to a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts the content and relays the data packets toward the target host inside its private network.

Remote access VPN security protocols

When comparing a remote access vs. site-to-site VPN, security is an important factor. Multiple remote access VPN configuration protocols can be used. Each approach requires VPN client software on every remote system, as well as a VPN gateway at the corporate headquarters network. The corporate host supports the same protocols and options or extensions to facilitate access from remote user networks.

The most common secure tunneling protocol used in VPNs of each type is the IPsec Encapsulating Security Payload (ESP) protocol. IPsec is a security extension to the standard IP protocol used by the internet and most corporate networks today. Most routers and firewalls now support IPsec.

Alternatives to IPsec VPNs are Secure Sockets Layer (SSL) VPNs. These are often referred to as clientless in that they do not require the use of specialized software on the remote user's computer. In an SSL VPN, the remote user connects to the network through a web browser. Information is encrypted either with SSL or the Transport Layer Security protocol.

Site-to-site VPNs typically use the IPsec protocol. Another site-to-site VPN protocol is MPLS, but MPLS does not provide encryption.

Benefits of remote access VPNs

Remote access VPNs enable remote users to connect to a corporate host network from any location, which makes them beneficial for enterprises with employees and customers who are highly mobile. Data transmitted through remote access VPNs is encrypted, which means remote users can take advantage of public Wi-Fi connections or other places where traffic isn't generally secured.

Benefits of site-to-site VPNs

Site-to-site VPNs connect individual networks to each other, so they are well suited for organizations with multiple locations. Information can be sent securely through site-to-site VPNs, and they can handle mission-critical traffic, such as VoIP communications, which requires low latency and good quality of service.

Site-to-site VPNs also offload encryption and processing overheads from host PCs or devices to a separate security or router component. Additionally, they reduce the need for users to constantly log in or log out of a VPN connection.

Planning considerations for VPNs

When planning remote access VPNs, network administrators should make sure they have a sufficient number of VPN software licenses and sufficient network bandwidth to ensure throughput and minimal latency for remote users. From an operational perspective, periodically use network sniffing and monitoring equipment to ensure the integrity of network traffic.
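
One way to act on the monitoring advice above for an IPsec site-to-site VPN, as an added example that is not part of the original article: a standard-library Python check that classifies packets captured on the internet-facing side of a gateway and flags anything that is not carried inside IPsec. The gateway addresses, internal ranges and sample packets are constructed for illustration, and the class names are this example's own; ESP as IP protocol 50, IKE on UDP 500 and NAT traversal on UDP 4500 are the standard IPsec values.

```python
import ipaddress
import struct
from collections import Counter

ESP, UDP = 50, 17  # IANA IP protocol numbers
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left at 0) as constructed input."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def classify(raw, gateways):
    """Classify one packet seen on the internet-facing side of a VPN gateway."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        return "malformed"
    src, dst = (ipaddress.IPv4Address(raw[i:i + 4]) for i in (12, 16))
    # Internal addresses belong inside the tunnel, never in an outer header.
    if any(a in net for a in (src, dst) for net in RFC1918):
        return "cleartext-leak"
    if {str(src), str(dst)} != set(gateways):
        return "other"                      # not gateway-to-gateway traffic
    if raw[9] == ESP:
        return "esp"                        # encrypted tunnel payload
    if raw[9] == UDP and len(raw) >= ihl + 4:
        ports = struct.unpack("!HH", raw[ihl:ihl + 4])
        if 500 in ports:
            return "ike"                    # key exchange
        if 4500 in ports:
            return "nat-t"                  # IKE/ESP wrapped in UDP
    return "unprotected"                    # gateway traffic outside IPsec

def audit(packets, gateways):
    return Counter(classify(p, gateways) for p in packets)

GATEWAYS = {"203.0.113.1", "198.51.100.1"}  # constructed documentation addresses
udp = lambda port: struct.pack("!HHHH", port, port, 8, 0)  # minimal UDP header
SAMPLE = [  # constructed capture, not real traffic
    build_ipv4("203.0.113.1", "198.51.100.1", ESP, b"\x00" * 16),
    build_ipv4("198.51.100.1", "203.0.113.1", UDP, udp(500)),
    build_ipv4("203.0.113.1", "198.51.100.1", UDP, udp(4500)),
    build_ipv4("10.1.0.5", "10.2.0.9", 6),           # inner packet leaked in clear
    build_ipv4("203.0.113.1", "198.51.100.1", 6),    # TCP between gateways
]
print(audit(SAMPLE, GATEWAYS))
```

Any nonzero count for cleartext-leak or unprotected means traffic between the sites is bypassing the tunnel and the gateway policy needs review.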

This was last published in August 2020
