Remote-Access VPN vs Site-to-Site VPN – Full Guide 2019
Whether you’re new to VPNs (virtual private networks) or a VPN veteran, understanding the different types of VPNs available can be daunting.
VPNs were first used by businesses to extend private networks over the public internet, allowing remote workers to connect to a company’s LAN (local area network).
Initially, two basic VPN types were used to achieve this networking solution: Remote-Acess VPNs and Site-to-Site VPNs. In this article, we’ll break down the two types of VPNs, and we’ll show you how to pick between a Remote-Access VPN and a Site-to-Site VPN.
What is a Remote-Access VPN?
Remote-access VPNs are more closely related to the consumer VPNs we use to protect our personal identities and data.
Remote-access VPNs were originally introduced as a way for employees working anywhere in the world to securely connect with their company’s remote LAN. Remote workers can access secure resources on their company’s LAN as though they were plugged into the LAN.
As with all VPNs, remote-access VPNs aim to provide security for your data. With remote-access VPNs, the device of the remote user is in charge of encrypting and decrypting data that is either sent or received.
A remote-access VPN requires a NAS (network access server), or VPN gateway, to authenticate the credentials of any device attempting to sign into the VPN. It’s actually the NAS that you, a remote user, connect with when you want to use a remote-access VPN.
In general, remote access to a VPN also requires that your device be equipped with client software. This VPN client software communicates with the VPN gateway, which authenticates you as a remote user, and creates a secured “virtual” tunnel between the LAN and the gateway.
Once the tunnel is created, any data you send from this device is encapsulated and encrypted by your remote-access VPN, and then sent to the VPN gateway that sits just outside the remote LAN. The VPN gateway then decrypts your traffic and relays the data to the LAN.
Not only is all traffic sent through the virtual tunnel secured, but any traffic you receive from the local network (or its servers) also travels through this tunnel in reverse and is secured. The VPN gateway encrypts the incoming traffic (to you) which is then received by your VPN client.
Remote-access VPNs are not just a way for out-of-office employees to remotely access your company’s private network. Individuals now use remote-access VPNs offered by a number of VPN services to secure and anonymize their online activity and traffic.
What is a Site-to-Site VPN?
Whereas remote-access VPNs securely connect individual devices to a remote LAN, site-to-site VPNs securely connect two or more LANs in different physical locations. Site-to-site VPNs use the public internet to extend your company’s network across multiple office locations.
There are two common types of site-to-site VPNs: Intranet-based and Extranet-based. Intranet-based site-to-site VPNs are used to combine the LANs of multiple office locations into one single private network, which would then be known as a WAN (Wide Area Network).
Extranet-based site-to-site VPNs, on the other hand, allow your company to use the public internet to connect its LAN with those of other companies, customers, or communities. This allows your company to share information with its partners, while still securing its LAN (intranet).
With a site-to-site VPN, the VPN gateway of one remote LAN communicates with the gateway of another LAN (or HQ network) to create a secure tunnel. Unlike remote-access VPNs, the remote devices don’t need a VPN client, but rather send normal traffic through the VPN gateways.
In the absence of VPN clients, the VPN gateways are in charge of authentication of the user and the network, encryption, and the integrity of the data. The gateway receives the encrypted data, decrypts it, and then sends the data to the target device in the network.
The tunnel created by the site-to-site VPN, allows your company to share its network and resources between its main and remote branches – no matter the distance. Devices on one LAN can communicate with devices on the other LAN as though they are part of the same network.
There are two main methods for creating a site-to-site VPN: Internet-based VPN, and MPLS (Multiprotocol Label Switching) VPN. Below, we’ll briefly walk you through the basics of these two VPN techniques.
The internet VPN method combines the company’s existing network with public internet infrastructure. As described above, a VPN gateway (a router, switch, VPN-enabled firewall, or VPN concentrator) is required at both LAN locations attempting to establish a secure site-to-site tunnel.
Most internet-based site-to-site VPNs use IPSec (Internet Protocol Security), to secure traffic across the WAN. If both LANs are already connected to the internet, why not put this connection to use?
Well, IPSec leverages the preexisting internet as the backbone of its encrypted communication.
IPSec secures IP packets one at a time, and in doing so, reliably provides WAN traffic with confidentiality (all bits are encrypted), integrity (no bits were tampered with during transmission), and authentication.
Because IPSec encrypts packets at the outgoing router, the final addresses of packets remain hidden until the receiving router decrypts it.
Additionally, because the packets are encrypted during travel over the internet, the data would appear as illegible ciphertext in the event that it was captured.
While internet-based site-to-site VPNs have been available for some time, MPLS VPNs are a relatively new entry to the site-to-site VPN scene.
With MPLS, the VPN connection is created using a service-provided MPLS cloud, rather than public internet infrastructure.
Unlike internet-based site-to-site site VPNs in which a company uses its own infrastructure, MPLS VPN uses proprietary infrastructure owned by the VPN. This MPLS network, including its cloud, functions as the tunnel by which a company creates virtual connections between office sites.
MPLS VPNs stand out in regards to the quality of service and ease of set-up. Using labels for data forwarding prevents the need for extra header info that most VPNs use for encryption. This results in peak network performance, ideal for delay-sensitive applications like VoIP (Voice over IP).
MPLS providers will guarantee that the security and performance demands of your business are met. Furthermore, MPLS offers interface independence, meaning that each of your sites can have different connections (i.e. T1, Fiber Optic, DSL) to the MPLS infrastructure.
The downside of an MPLS VPN is, without a doubt, the price. MPLS site-to-site VPNs, like other private WAN technologies, are very costly – particularly if your WAN has hundreds of locations or international connections.
Which Is Right For Me?
Choosing between a remote-access VPN and a site-to-site VPN depends entirely on your needs. If you’re just looking for a personal solution to keep yourself safe and anonymous while using the internet, then a remote-access VPN is the perfect choice for you.
If you’re choosing a VPN for your business, you can’t overlook the significant financial and human resource demands required by any type of site-to-site VPN. It’s important to decide if a site-to-site VPN is the right choice before beginning such a serious investment.
We recommend that you use a highly skilled technology expert when setting up a site-to-site VPN. In fact, the majority of companies that use site-to-site VPNs have the service set up and serviced by an IT security company like Cisco, Bynet, or Checkpoint.
When deciding between remote-access and site-to-site VPNs it’s important to consider the following:
- size of your business
- resource-sharing requirements
- number of locations
- geographical location of your branches
If your business has many locations across a wide geographic area, and your employees at each location require access to the network and data on the main office’s LAN, then a site-to-site VPN is a solution to consider.
On the contrary, if your business has many employees working remotely, but not all require dedicated access to the main branch’s private LAN, then perhaps a remote-access VPN is the right choice for you.
An Example of a Company That Can Effectively Use a Remote-Access VPN
Think about a Boston-based food truck business that expands to Los Angeles and New York. While each truck will have a handful of employees, and each city will have a few trucks, only one device per truck needs secure access to HQ’s LAN to record transactions, orders, etc.
Whereas a site-to-site VPN would be overkill, and no VPN at all would be unwise, a remote-access VPN would be a cost-effective and ideal solution for this company’s needs. Any compromises in speed and performance will largely go unnoticed.
An Example of a Company that Needs a Site-to-Site VPN
How about a Shanghai-based pharmaceutical company that chooses to open labs in Tel-Aviv and Austin? The number of employees at each lab could range from the tens to the hundreds, and each worker will need access to shared servers on the main network.
Site-to-site VPNs allow multiple users’ traffic to flow through each VPN tunnel, whereas remote-access VPNs do not allow more than one user’s traffic to travel through each tunnel.
Thus, it will be easier and more efficient for both the company and its employees to use a site-to-site VPN.
While a dedicated connection could be used for each lab, the network demands (i.e. lightning-fast upstream speeds) of each lab do not necessarily justify the very large cost of operating these connections.
Rather, the company can use existing internet connections to set up an internet-based site-to-site VPN that connects the labs.
Despite the VPN’s substantial set-up and maintenance costs, it will save the company hundreds of thousands of dollars per year when compared to the cost of dedicated connections for all locations.
A remote-access VPN allows a device to securely communicate with your company’s private LAN no matter where in the world the device or the LAN may be.
A site-to-site VPN, however, securely bridges your various LANs – no matter where they are – to allow employees at all LAN locations secure access to the resources of the complete network.
A site-to-site VPN certainly provides many advantages for a relatively large company, however, it’s going to cost you a significant amount of money and human resources.
If your business is small or medium-sized, a remote-access VPN will provide your remote workers with convenient and secure access to your private servers – all for a relatively affordable price.
If a remote-access VPN is also outside your budget, don’t worry.
You can choose a Business VPN plan from a premium VPN provider such as NordVPN. Given the heaps of data that moves between across business networks and the devices on them, a comprehensive security plan including a VPN is a must.
A premium business VPN will protect your company’s data by encrypting its internet traffic and routing it through a secure tunnel. Don’t leave the office without one.
Check out the best VPNs according to Reddit.
Find great savings on VPN plans with our VPN deals and coupons.
Learn how to secure your business with The Complete Cybersecurity Guide for Small Businesses.