What is a VPN (Virtual Private Network)?
A VPN, or Virtual Private Network, is a technology that creates an encrypted connection between your device and a remote server. All network traffic passes through this tunnel, shielding it from interception on public or untrusted networks. The VPN server acts as an intermediary, forwarding your requests to their destination and returning responses through the same encrypted path.
Organisations use VPNs primarily for two purposes: giving remote employees access to internal systems and connecting branch offices over the public internet. Consumers also use VPNs to protect their browsing on public Wi-Fi or to access services restricted by geography.
The term “virtual” refers to the fact that the private network is created through software rather than dedicated physical cables. The “private” part comes from the encryption applied to every packet, making the traffic unreadable to anyone intercepting it along the way.
How a VPN works
A VPN establishes a tunnel between your device (the VPN client) and a VPN server. The process follows three steps.
First, the client authenticates with the VPN server using credentials, certificates or both. Second, a secure tunnel is created using a tunnelling protocol such as IPsec, SSL/TLS, or WireGuard. This protocol determines how data packets are encapsulated and encrypted. Third, all traffic from the client is routed through this tunnel to the VPN server, which decrypts the packets and forwards them to their intended destination.
The encryption ensures that anyone monitoring the network between client and server, whether on a hotel Wi-Fi network or a compromised ISP link, sees only unreadable data. The VPN server also masks the client’s original IP address, replacing it with the server’s IP in outgoing requests.
Types of VPN
There are three common VPN architectures, each designed for a different use case.
Remote access VPN connects individual users to a corporate network from outside the office. The employee runs a VPN client on their laptop or phone, which creates a tunnel to the organisation’s VPN gateway. This is the most widely deployed type for hybrid and remote work.
Site-to-site VPN connects two or more fixed locations, such as a headquarters and a branch office, over the internet. Dedicated gateways at each location maintain a persistent tunnel, allowing all devices at both sites to communicate as if they were on the same local network. SD-WAN has become a popular alternative for this use case, offering more intelligent traffic routing alongside encryption.
SSL VPN and IPsec VPN refer to the encryption protocol used for the tunnel rather than the architecture. SSL VPNs operate through a web browser or lightweight client over HTTPS (port 443), making them easy to deploy through restrictive firewalls. IPsec VPNs use dedicated protocols (typically UDP ports 500 and 4500) and generally offer higher throughput but require more configuration. Several major firewall vendors have deprecated SSL VPN in recent firmware releases due to recurring security vulnerabilities, pushing organisations toward IPsec or newer alternatives.
Where VPNs fall short for modern organisations
VPNs were designed for a world where employees worked from one office and applications ran in one data centre. That model no longer reflects how most organisations operate. Several architectural limitations have become increasingly visible.
Broad network access. A traditional VPN grants access to the entire network segment once a user authenticates. A marketing employee connecting via VPN to check email may also have a path to the finance database and the production servers. This “all-or-nothing” access model creates unnecessary risk and widens the potential impact of a compromised account.
No device verification. Standard VPN connections verify user credentials but not the security state of the connecting device. A laptop with an outdated operating system, disabled disk encryption or active malware receives the same access as a fully managed, up-to-date endpoint.
Performance under pressure. VPN concentrators become bottlenecks as remote user counts grow. All traffic must route through a central gateway, increasing latency for cloud-hosted applications. The performance gap between VPN and modern SASE architectures is most visible for organisations with distributed teams across multiple locations.
Lateral movement risk. Once inside the network, an attacker or malware can move laterally to reach systems that should have been out of scope. Micro-segmentation reduces this risk, but traditional VPN architectures make it difficult to enforce because they operate at the network layer, not the application layer.
Compliance challenges. Regulations such as NIS2 and GDPR expect organisations to enforce least-privilege access and maintain clear audit trails. Broad VPN access makes it difficult to demonstrate that users only reach the resources they actually need.
These limitations are driving many IT teams to evaluate Zero Trust Network Access as a more granular alternative to VPN for remote and hybrid access.
VPN compared to ZTNA
Zero Trust Network Access (ZTNA) takes a fundamentally different approach to secure connectivity. Rather than placing users on a network, ZTNA grants access to specific applications based on verified identity and device posture.
| | VPN | ZTNA |
|---|---|---|
| Access scope | Broad network access after authentication | Per-application access only |
| Authentication | Once at connection | Continuous verification per session |
| Device checks | Typically not enforced | Device posture verified before access |
| Lateral movement | Possible within the network segment | Blocked by design |
| Management model | Per-appliance configuration | Central cloud-based policy |
| Scalability | Hardware-dependent, gateway bottlenecks | Cloud-native, scales with user count |
| Visibility | Limited to connection-level logging | Application-level access logs per user |
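The difference in access scope, device checks and visibility described above can be made concrete with a small policy model. This is an added example, not code from the original page or from any vendor product; the subnet, application inventory and role entitlements are constructed sample data, and the posture attributes are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data (assumption, not from the page): one corporate
# segment, three internal applications and the roles entitled to each.
CORP_NET = ip_network("10.0.0.0/16")
APPS = {"mail": "10.0.1.10", "finance-db": "10.0.2.20", "prod-web": "10.0.3.30"}
ROLE_APPS = {"marketing": {"mail"}, "finance": {"mail", "finance-db"}}


@dataclass
class Device:
    os_patched: bool
    disk_encrypted: bool
    edr_healthy: bool


@dataclass
class User:
    name: str
    role: str
    authenticated: bool


def vpn_allows(user: User, dest_ip: str) -> bool:
    """Traditional VPN model: once authenticated, any host in the segment is reachable."""
    return user.authenticated and ip_address(dest_ip) in CORP_NET


def device_compliant(dev: Device) -> bool:
    """Posture check: all three assumed health signals must hold."""
    return dev.os_patched and dev.disk_encrypted and dev.edr_healthy


def ztna_allows(user: User, dev: Device, app: str, audit: list) -> bool:
    """ZTNA model: identity, device posture and per-application entitlement,
    with every decision written to an application-level audit trail."""
    posture_ok = device_compliant(dev)
    allowed = user.authenticated and posture_ok and app in ROLE_APPS.get(user.role, set())
    audit.append(f"user={user.name} role={user.role} app={app} "
                 f"posture={'ok' if posture_ok else 'fail'} decision={'allow' if allowed else 'deny'}")
    return allowed


def compare(user: User, dev: Device):
    """Return the applications each model exposes to this user/device pair, plus the ZTNA audit log."""
    vpn_reach = {app for app, ip in APPS.items() if vpn_allows(user, ip)}
    audit: list = []
    ztna_reach = {app for app in APPS if ztna_allows(user, dev, app, audit)}
    return vpn_reach, ztna_reach, audit
```

Running `compare(User("alice", "marketing", True), Device(False, True, True))` shows the contrast from the text: the VPN model exposes all three applications to the marketing user, while the ZTNA model denies everything because the device is unpatched, and the audit list records why.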
For organisations evaluating the migration path, the IPsec VPN vs ZTNA comparison covers the technical trade-offs in detail. The Legacy VPN Risk Report 2026 provides data on VPN-related security incidents across the Benelux.
ZTNA is typically deployed as part of a SASE (Secure Access Service Edge) framework, which combines identity-based access with web security, firewall policies and SD-WAN in a single cloud-managed platform.
Frequently asked questions
How does a virtual private network protect your data?
A VPN creates an encrypted tunnel between your device and a VPN server. All traffic passing through this tunnel is encrypted, preventing third parties from reading or intercepting your data. The VPN server forwards your requests to their destination, masking your original IP address in the process.
What is the difference between a VPN and ZTNA?
A VPN grants broad network access once a user connects. ZTNA grants access to specific applications only, based on verified user identity and device security posture. ZTNA limits lateral movement risk because users never join the network itself; they only reach the applications assigned to their role.
Are VPNs still relevant for businesses?
VPNs remain widely deployed, but their limitations are growing more visible as organisations support hybrid work, cloud applications and stricter compliance requirements. Many European organisations are supplementing or replacing VPN with identity-based access models that offer more precise control and better audit evidence.
What are the main types of VPN?
The three main types are remote access VPN (connecting individual users to a network), site-to-site VPN (connecting two fixed locations), and protocol-based distinctions like SSL VPN and IPsec VPN that describe the encryption method used for the tunnel.
Can a VPN prevent all cyber threats?
No. A VPN encrypts your connection and masks your IP address, but it does not protect against phishing, malware, credential theft or insider threats. Organisations need additional layers such as web filtering, endpoint protection and application-level access controls to address these risks.
What is replacing VPN for enterprise remote access?
Many organisations are migrating to Zero Trust Network Access as part of a SASE framework. ZTNA provides per-application access with continuous identity and device verification, reducing the attack surface compared to broad VPN tunnels. The full ZTNA migration guide covers the phased approach.