Nmedia - Fotolia

Remote access vs. site-to-site VPN: What's the difference?

A remote access VPN connects remote users from any location to a corporate network. A site-to-site VPN, meanwhile, connects individual networks to each other.

Remote access to corporate networks and internal resources has become the norm, rather than the exception, for public and private businesses of all types and sizes.

The primary way businesses enable remote access is with a virtual private network, or VPN. In this article, we compare two different types of VPNs that make remote work possible: a remote access VPN and a site-to-site VPN.

What is a VPN?

A VPN is a virtual network, as opposed to a physical network. VPNs create connections using information from internet protocols, such as an IP address, to establish an encrypted tunnel between two endpoints.

Data packets are transmitted via the internet over a variable set of routes, based on available network paths, to a receiving end that reassembles the packets into their original format. VPN traffic is typically secured using encryption, often with a security appliance on each end of the connection.

By contrast, a physical network requires a hard-wired connection between endpoints, using a single communication link, like a private data channel.

What is a remote access VPN?

Remote access VPNs connect individual users, or clients, to private corporate host networks. These types of VPNs are most widely used for remote workers, especially employees working from home.

In a remote access VPN, every host accessed by remote users must have VPN client software. Whenever a remote user prepares to send traffic, VPN client software in a router encapsulates and encrypts that traffic before sending it over the internet. The traffic then goes to a VPN gateway at the edge of the target corporate network.

If the target host inside the corporate network responds, the VPN gateway performs the reverse process to send an encrypted response back to the VPN client over the internet.

Firewalls may also be present to further protect network traffic from unauthorized intruders.

Compare remote access VPN architecture to site-to-site VPN architecture.
Remote access VPNs connect remote users to a corporate office, while site-to-site VPNs connect multiple networks to each other.

Remote access VPN use cases

Typically, remote access VPN users include travelers, teleworkers and mobile users. These users need to access their company's internal network securely over the internet, and remote access VPNs can create that secure connection.

In these cases, remote devices with VPN clients connect to the corporate network via a secure tunnel. From there, remote users can access network resources and applications hosted on the on-premises network.

What is a site-to-site VPN?

Site-to-site VPNs connect multiple networks to each other, typically a branch office network to a company headquarters network.

In a site-to-site VPN configuration, hosts do not have VPN client software. Instead, they send and receive normal TCP/IP traffic through a VPN gateway.

The VPN gateway encapsulates and encrypts outbound traffic, sending it through a VPN tunnel over the internet to a peer VPN gateway at the target site. When the peer VPN gateway receives the traffic, it strips the headers, decrypts the content and relays the data packets toward the target host inside its private network.

Site-to-site VPN use cases

Site-to-site VPNs are typically used to connect two networks in different locations. For example, a global company might use a site-to-site VPN to connect branch offices in Berlin, Hong Kong and London to its headquarters based in the U.S.

Site-to-site VPN configuration is more permanent than remote access VPN configuration, which temporarily connects a remote device to another network.

Remote access VPN security protocols

Security is an important factor when comparing a remote access VPN and site-to-site VPN. Network and security teams can use multiple remote access VPN configuration protocols.

Each approach requires VPN client software on every remote system, as well as a VPN gateway at the corporate headquarters network. The corporate host supports the same protocols and options or extensions to facilitate access from remote user networks.

IPsec

The most commonly used secure tunneling protocol is the IPsec encapsulating payload protocol. IPsec is an extension to the standard IP security standard currently used by the internet and most corporate networks. Most routers and firewalls now support IPsec.

Site-to-site VPNs typically use the IPsec protocol. Another site-to-site VPN protocol is MPLS, but MPLS does not provide encryption.

Compare IPsec VPNs and SSL VPNs.
Compare IPsec VPNs and SSL VPNs.

Secure Sockets Layer (SSL)

SSL VPNs offer an alternative to IPsec VPNs. These are often referred to as clientless because they don't require the use of specialized software on the remote user's computer.

In an SSL VPN, the remote user connects to the network through a web browser. Information is encrypted either with SSL or the Transport Layer Security protocol.

Benefits of remote access VPNs

Some of the benefits of remote access VPNs include the following:

  • remote- and mobile-friendly
  • data security
  • cost-effective

Remote- and mobile-friendly. Remote access VPNs enable remote users to connect to a corporate host network from any location. This is beneficial for enterprises with employees and customers who are highly mobile.

When choosing between remote access VPN and site-to-site VPN configurations, network managers must consider the roles they want VPN technology to play.

Data security. Data transmitted through remote access VPNs is encrypted, which means remote users can take advantage of public Wi-Fi connections or other places where traffic isn't generally secured.

Cost-effective. VPN packages are typically inexpensive, making them affordable to businesses of all sizes. Most of the expense comes from license fees for each user.

Benefits of site-to-site VPNs

Some of the benefits of site-to-site VPNs include the following:

  • suitable for organizations with multiple sites
  • support mission-critical traffic
  • data security

Suitable for organizations with multiple sites. Site-to-site VPNs connect individual networks to each other, so they are well suited for organizations with multiple locations.

Support mission-critical traffic. Information can be sent securely through site-to-site VPNs, and they can handle mission-critical traffic, such as VoIP communications, which requires low latency and good quality of service.

Data security. Site-to-site VPNs also offload encryption and processing overheads from host PCs or devices to a separate security or router component. Additionally, they reduce the need for users to constantly log in or log out of a VPN connection.

Planning considerations for VPNs

When choosing between remote access VPN and site-to-site VPN configurations, network managers must consider the roles they want VPN technology to play.

For remote access VPN strategies, network administrators should make sure they have a sufficient number of VPN software licenses and sufficient network bandwidth to ensure throughput and minimal latency for remote users.

From an operational perspective, teams should periodically use network sniffing and monitoring equipment to ensure the integrity of network traffic.

Next Steps

The future of VPNs in a post-pandemic world

Dig Deeper on Network security