The modern workforce doesn't sit at fixed desks in corporate offices. Engineers code from home offices. Sales teams access CRM systems from hotel rooms. Executives review financial reports on tablets during international flights. Field technicians connect to diagnostic systems from customer sites using mobile hotspots.

This distributed workforce creates a fundamental security challenge: How do you extend secure corporate network access to individuals connecting from anywhere, using diverse devices, over untrusted networks?

Site-to-site VPN, which we examined in the previous page, doesn't solve this problem. Site-to-site connects fixed locations with stable gateways and predetermined IP addresses. Remote access VPN addresses a vastly more dynamic scenario:

• Unknown source addresses: Users connect from home ISPs, coffee shop WiFi, cellular networks—source IPs are unpredictable and change frequently
• Uncontrolled endpoints: Personal laptops, tablets, and phones may not meet corporate security standards
• Diverse network conditions: Connections traverse NAT devices, restrictive firewalls, and unstable links
• Per-user authentication: Each connection must verify individual user identity, not just device identity
• Variable access requirements: Different users need access to different resources based on role and context

Remote access VPN emerged to address these challenges, enabling secure individual connectivity to corporate networks from anywhere in the world.

Remote access VPN connects individual users to a corporate network through encrypted tunnels initiated from their devices. Unlike site-to-site VPN where both endpoints are dedicated network infrastructure, remote access involves asymmetric endpoints: a sophisticated VPN gateway on the corporate side and lightweight client software on user devices.

Core Architectural Components

VPN Gateway/Concentrator: The corporate-side termination point that:

• Accepts incoming VPN connections from clients worldwide
• Authenticates users against identity providers (AD, LDAP, RADIUS, SAML)
• Assigns virtual IP addresses to connected clients
• Enforces access control policies based on user identity and device posture
• Provides high availability for business-critical remote access

Enterprise VPN gateways include Cisco AnyConnect with ASA/FTD, Palo Alto GlobalProtect, Fortinet FortiClient/FortiGate, Juniper Pulse Secure, and open-source solutions like OpenVPN Access Server.

VPN Client Software: User-side software that:

• Authenticates the user to the VPN gateway
• Establishes encrypted tunnel to gateway
• Routes traffic through the tunnel according to policy
• Maintains connection despite network changes (roaming between WiFi and cellular)
• May perform endpoint compliance checks

Authentication Infrastructure: Backend systems that verify user identity:

• Active Directory/LDAP for username/password
• RADIUS servers for centralized authentication
• SAML/OAuth identity providers for single sign-on
• Certificate authorities for client certificate authentication
• Multi-factor authentication (MFA) providers

Connection Establishment Flow

A typical remote access VPN connection follows this sequence:

1. Client Initiation: User launches VPN client, enters gateway address (or selects from list)
2. TLS Handshake: Client establishes TLS connection to gateway for initial negotiation
3. User Authentication: User provides credentials (username/password, certificate, or pre-authentication via SSO)
4. MFA Challenge: Gateway prompts for second factor (push notification, TOTP code, hardware token)
5. Endpoint Posture Check: Gateway may verify client device security status (antivirus, patch level, disk encryption)
6. Tunnel Establishment: Upon successful authentication, VPN protocol tunnel is established (IPSec, SSL, WireGuard)
7. IP Assignment: Gateway assigns virtual IP address from configured pool
8. Route/DNS Push: Gateway pushes routes and DNS settings to client
9. Traffic Flow: Client traffic flows through encrypted tunnel to corporate network

Virtual IP Addressing

Connected clients receive virtual IP addresses from within the corporate address space, enabling seamless communication with internal resources. The VPN gateway:

• Maintains pools of IP addresses for assignment (e.g., 10.100.0.0/16)
• Assigns addresses dynamically upon connection
• Routes return traffic to connected clients
• May reserve static assignments for specific users or devices

This virtual IP appears on internal systems as the user's "location," enabling access control and logging based on familiar IP-based policies.

Remote access VPN authentication is more complex than site-to-site VPN because it must verify human identity, not just device or gateway identity. Multiple authentication factors and integration with enterprise identity systems are essential.

Username and Password Authentication

The simplest authentication method involves users providing credentials verified against a directory:

RADIUS Integration:

• VPN gateway sends Access-Request to RADIUS server
• RADIUS server verifies credentials against backend (AD, LDAP, local database)
• RADIUS returns Access-Accept with attributes (group membership, VLAN, ACLs)
• Widely supported, standard protocol (RFC 2865)

LDAP/Active Directory:

• Direct LDAP bind to verify credentials
• Can query group membership for authorization
• Commonly used with Microsoft environments

Local Authentication:

• Credentials stored on VPN gateway itself
• Suitable only for very small deployments
• Difficult to manage at scale

Certificate-Based Authentication

Certificates provide stronger authentication without transmitting secrets:

• User (or device) has private key; VPN gateway has CA certificate
• During TLS handshake, client proves possession of private key
• Gateway verifies certificate chain and revocation status
• No password to phish or brute-force
• Can be combined with password for two factors

Certificate Deployment Challenges:

• Initial distribution to users
• Renewal before expiration
• Revocation when users leave or devices are lost
• Key storage security on endpoints

SAML and SSO Integration

Modern enterprises use Single Sign-On (SSO) to reduce credential fatigue and centralize authentication:

SAML (Security Assertion Markup Language):

• VPN gateway redirects user to Identity Provider (IdP)
• User authenticates to IdP (which may have its own MFA)
• IdP returns SAML assertion to VPN gateway
• Gateway trusts IdP's assertion of user identity
• Popular IdPs: Okta, Azure AD, OneLogin, Ping Identity

Benefits:

• Single authentication for all enterprise applications
• Centralized MFA enforcement
• Faster deprovisioning when users leave
• Reduced password fatigue

Machine Authentication

In addition to user authentication, organizations may authenticate the device itself:

Machine Certificates:

• Certificates deployed via MDM or GPO
• Proves device is corporate-managed
• Can be required before user authentication starts

Device Compliance Checks:

• VPN client reports device posture (OS version, patch level, antivirus status, disk encryption)
• Gateway denies access if device doesn't meet policy
• Commonly integrated with EDR, MDM solutions

Authentication Protocol Flow (RADIUS with MFA):

Client                  VPN Gateway              RADIUS               MFA Provider
   |                        |                      |                       |
   |-- Username/Password -->|                      |                       |
   |                        |-- Access-Request --->|                       |
   |                        |                      |-- Verify with AD ---->|
   |                        |                      |<-- User valid --------|
   |                        |<- Access-Challenge --|                       |
   |                        |   (trigger MFA)      |                       |
   |<-- MFA Prompt ---------|                      |                       |
   |-- MFA Response ------->|-- Access-Request --->|                       |
   |                        |   (with MFA token)   |                       |
   |                        |                      |-- Verify MFA -------->|
   |                        |                      |<-- MFA valid ---------|
   |                        |<-- Access-Accept ----|                       |
   |<-- Tunnel Established -|                      |                       |

Remote access VPN requires client software on every user device. Managing this at scale—across thousands of devices, multiple operating systems, and varied ownership models—is a significant operational challenge.

Client Deployment Methods

Enterprise Software Distribution:

• Deployed via SCCM, Intune, Jamf, or similar tools
• Pre-configured with gateway addresses, certificates, and policies
• Automatic updates through same mechanism
• Best for corporate-owned, managed devices

Web-Based Deployment:

• User visits portal, downloads appropriate client
• May involve browser-based initial authentication
• Suitable for BYOD scenarios
• Requires user action to install and update

Built-in OS Clients:

• Windows, macOS, iOS, Android have native VPN clients
• Limited feature sets compared to vendor clients
• No additional software installation
• Configuration via MDM or manual setup

Agentless/Browser-Based Access:

• Web applications accessed through reverse proxy
• No client installation required
• Limited to HTTP/HTTPS applications
• Increasingly popular for specific use cases

Client Configuration Options

VPN clients support extensive configuration to customize behavior:

• Gateway address(es): Primary and backup gateways
• Connection mode: Manual connect, always-on, connect before logon
• Authentication method: Username/password, certificate, SAML
• Split tunneling policy: Full tunnel, split tunnel, or per-app tunnel
• DNS settings: Corporate DNS servers, DNS suffix search list
• Trusted networks: Networks where VPN is not needed (corporate LAN)
• Scripts: Pre-connect and post-connect script execution

Always-On VPN

Always-on VPN ensures the tunnel is established whenever the device has network connectivity:

Benefits:

• Consistent security posture—traffic is always protected
• No user action required to connect
• IT can enforce VPN for all corporate device traffic
• Enables device management and monitoring even outside office

Challenges:

• Increased VPN gateway load
• User frustration if VPN connectivity issues prevent Internet access
• Requires robust gateway infrastructure
• May conflict with some application requirements

Implementation:

• Device starts VPN before user logon (machine tunnel)
• User tunnel established after authentication
• Captive portal handling for hotel/airport WiFi
• Fallback behavior when VPN unreachable

VPN Connect Before Logon

Some enterprise scenarios require VPN connectivity before user authentication:

• Domain-joined devices need DC access for authentication
• Cached credentials may be expired
• Group policy updates require network access
• Password changes must reach AD

Solutions:

• Machine certificate tunnel established at boot
• Basic connectivity to DCs through machine tunnel
• User tunnel established after successful domain logon
• Requires IPSec IKEv2 on Windows for full support

Client Updates and Versioning

Maintaining current client versions is essential:

• Security vulnerabilities are discovered in VPN clients
• Feature improvements enhance user experience
• Backend gateway upgrades may require client updates
• Sunset older clients to reduce support burden

Auto-update mechanisms reduce administrative burden but must balance against user disruption. Staged rollouts catch problems before full deployment.

One of the most consequential decisions in remote access VPN design is whether to implement full tunnel or split tunnel configurations. This choice fundamentally affects security posture, user experience, and infrastructure requirements.

Full Tunnel (All Traffic Through VPN)

In full tunnel mode, all client traffic—whether destined for corporate resources or the public Internet—flows through the VPN:

How it works:

• VPN client sets its virtual interface as default gateway
• DNS queries go through VPN to corporate DNS
• Internet-bound traffic exits through corporate Internet connection
• All traffic visible to corporate security tools

Advantages:

• Maximum security visibility and control
• Corporate proxy/firewall inspects all traffic
• Data Loss Prevention (DLP) can monitor all activity
• Consistent security posture regardless of user location
• No split-brain DNS issues

Disadvantages:

• All traffic consumes VPN gateway capacity
• Increased latency for Internet access (traffic hairpins through corporate)
• Egress bandwidth from corporate facility becomes bottleneck
• Streaming, video conferencing, and cloud apps suffer
• VPN becomes critical for any network activity

Split Tunnel (Selective Traffic Through VPN)

Split tunneling routes only specific traffic through VPN, allowing other traffic direct Internet access:

How it works:

• VPN client installs specific routes for corporate networks (e.g., 10.0.0.0/8)
• Traffic to those networks goes through VPN
• All other traffic uses local Internet connection directly
• DNS may be split (corporate domains via VPN, others direct)

Advantages:

• Reduced VPN gateway and bandwidth requirements
• Better performance for Internet services (Microsoft 365, Zoom, etc.)
• Lower latency for non-corporate traffic
• Scales better as remote workforce grows

Disadvantages:

• Security controls bypassed for direct Internet traffic
• No visibility into user's Internet activity
• Potential data exfiltration path
• Malware on device can access Internet unmonitored
• Complex DNS configuration required

Inverse Split Tunnel (Exclude Patterns)

A variation where most traffic goes through VPN except specific destinations:

• Full tunnel by default
• Specific cloud services (Microsoft 365, Zoom) go direct
• Balances security with performance for known-good services
• Requires maintenance of exclusion lists

Per-Application VPN

Most granular approach—specific applications tunnel through VPN:

• Corporate email client uses VPN
• Web browser for internal sites uses VPN
• Personal apps use direct Internet
• Requires application-aware VPN client
• Common in mobile device deployments (iOS, Android managed apps)

Making the Split Tunnel Decision

The choice depends on organizational context:

Favor Full Tunnel When:

• Handling sensitive data (healthcare, finance, government)
• Regulatory requirements mandate traffic monitoring
• Endpoint security is uncertain (BYOD, contractors)
• Security team requires visibility into all activity
• VPN infrastructure can handle the load

Favor Split Tunnel When:

• Remote workforce is large and VPN infrastructure is constrained
• Cloud application performance is critical
• Endpoints are well-managed with strong endpoint security
• organization has alternative visibility mechanisms (EDR, CASB)
• Users need reliable access to local network resources (printers)

Compromise Approaches:

• Full tunnel for managed devices; split tunnel (or ZTNA) for BYOD
• Split tunnel with exclusions only for verified cloud services
• Full tunnel with local LAN access enabled
• Always-on full tunnel with bandwidth-intensive apps excluded via inverse split

Remote access VPN brings endpoint devices into the corporate network perimeter. If those endpoints are compromised, the VPN becomes a highway for attackers. Endpoint security integration is therefore critical for safe remote access.

Posture Assessment

Posture assessment (also called Host Checker, Compliance Check, or Health Check) evaluates endpoint security status before granting access:

Pre-Login Assessment:

• Runs before user authentication
• Checks basic requirements (OS type, OS version)
• May block connection attempt entirely

Post-Login Assessment:

• Detailed checks after authentication
• May involve VPN client querying security software
• Can result in full access, limited access, or quarantine

Common Posture Checks

Integration with Endpoint Security Platforms

Endpoint Detection and Response (EDR):

• CrowdStrike, Carbon Black, SentinelOne, Microsoft Defender for Endpoint
• VPN gateway queries EDR for device risk score
• Recently compromised devices can be blocked
• Real-time threat intelligence affects access decisions

Mobile Device Management (MDM):

• Intune, Jamf, VMware Workspace ONE
• Enforces security policies before VPN connection
• Can wipe device or block VPN if device is lost/stolen
• Per-app VPN configurations for managed apps

Unified Endpoint Management (UEM):

• Combines MDM, patch management, endpoint protection
• Comprehensive view of device compliance
• Single integration point for VPN posture data

Continuous Posture Assessment

Traditional posture checks occur at connection time. Modern solutions implement continuous assessment:

• Periodic re-checks during connected sessions
• EDR signals in real-time if compromise detected
• Automatic session termination or access reduction if posture degrades
• Integration with SIEM for correlated threat detection

Challenges with Posture Assessment

• BYOD complexity: Personal devices may lack required security software
• False positives: Legitimate configurations may fail checks
• User frustration: Blocked access disrupts productivity
• Cat-and-mouse: Sophisticated attackers may spoof compliant posture
• Integration effort: Connecting VPN, EDR, MDM, and IdP systems requires effort

Certificate-Based Machine Identity

Beyond posture, many organizations require proof that the connecting device is corporate-managed:

• Machine certificate issued during provisioning
• Required for VPN connection (in addition to user credentials)
• Revoked when device is decommissioned
• Ensures only corporate devices connect, regardless of who has user credentials

Enterprise remote access VPN must scale to support thousands of concurrent users while maintaining performance and availability. Scaling challenges involve gateway capacity, bandwidth, and authentication infrastructure.

Gateway Capacity Planning

VPN gateways have limits on concurrent connections and throughput:

Concurrent Session Limits:

• Low-end appliances: 100-500 sessions
• Mid-range appliances: 2,000-10,000 sessions
• High-end appliances: 10,000-50,000+ sessions
• Software solutions: Dependent on underlying hardware/VM

Throughput Limits:

• Encryption requires CPU cycles (or hardware accelerators)
• AES-NI acceleration in modern CPUs helps significantly
• Typical per-gateway throughput: 1-40 Gbps depending on hardware
• Performance varies by encryption algorithm and key size

Horizontal Scaling with Load Balancing

When single gateways are insufficient, multiple gateways share load:

DNS-Based Load Balancing:

• VPN hostname resolves to multiple IP addresses
• Clients connect to different gateways based on DNS response
• Simple but limited control over distribution
• No real-time health awareness

Application Delivery Controllers (ADC):

• F5, Citrix NetScaler, HAProxy, NGINX
• Intelligent load distribution based on gateway health and load
• SSL termination can be on ADC (requires gateway trust)
• Session persistence ensures client returns to same gateway

Global Server Load Balancing (GSLB):

• Distributes users to geographically optimal gateways
• Reduces latency for global workforce
• Provides disaster recovery across regions
• Cloud-based options: AWS Route 53, Azure Traffic Manager, Cloudflare

Authentication Infrastructure Scaling

Authentication backends must handle peak connection rates:

RADIUS Server Scaling:

• Multiple RADIUS servers in round-robin
• Sufficient capacity for peak logon storms (e.g., Monday morning)
• Geographic distribution for resilience

Identity Provider Capacity:

• Cloud IdPs (Okta, Azure AD) scale automatically but verify limits
• On-premises IdPs may require capacity planning
• MFA providers have rate limits to consider

Bandwidth and Network Considerations

Internet Egress Capacity:

• Full tunnel VPN consumes egress bandwidth for all traffic
• Streaming, video conferencing multiply bandwidth needs
• Size egress for peak concurrent user load

ISP Diversity:

• Multiple ISP connections prevent single-provider outages from impacting VPN
• BGP anycast can route users to nearest gateway
• Consider DDoS protection for VPN entry points

COVID-19 Scaling Lessons

The 2020 pandemic stress-tested enterprise VPN infrastructure:

• Organizations went from 10% remote to 100% remote in days
• Many VPN gateways were immediately overwhelmed
• Split tunneling was hastily implemented to reduce load
• Geographic distribution of gateways proved valuable
• Cloud-based VPN scaled more easily than on-premises

Lessons for capacity planning:

• Plan for 100% remote as worst-case baseline
• Have capacity expansion options pre-arranged
• Test scalability periodically
• Split tunneling as emergency measure should be documented

Multiple technologies enable remote access VPN, each with distinct characteristics. Understanding these helps select the right solution for specific requirements.

IPSec (IKEv2)

Characteristics:

• Network-layer VPN (Layer 3)
• Strong encryption with IKEv2 key exchange
• Native support in Windows, iOS, macOS, Android
• Excellent performance with hardware acceleration

Pros:

• Industry standard, well-audited
• Best for always-on, full-tunnel deployments
• Windows "Always On VPN" uses IKEv2
• Efficient – low overhead

Cons:

• UDP 500/4500 may be blocked on restrictive networks
• More complex configuration than SSL VPN
• NAT traversal adds some overhead

SSL/TLS VPN

SSL VPN uses TLS (the protocol securing HTTPS) for VPN tunnels:

Characteristics:

• Uses standard HTTPS port (TCP 443)
• Traverses almost any firewall
• Often supports clientless (browser-based) mode for web apps
• Full tunnel requires client software

Popular Implementations:

• Cisco AnyConnect (SSL mode)
• Palo Alto GlobalProtect
• OpenVPN
• Fortinet FortiClient

Pros:

• Works from highly restrictive networks (hotels, conferences)
• Clientless option for simple web access
• Widely deployed and well-understood

Cons:

• TCP overhead can cause performance issues (TCP over TCP)
• Higher latency than UDP-based solutions
• Clientless mode limited to web applications

WireGuard

WireGuard is a modern VPN protocol emphasizing simplicity and performance:

Characteristics:

• Minimal codebase (~4,000 lines vs. 100,000+ for OpenVPN)
• Uses modern cryptography (Curve25519, ChaCha20, Poly1305)
• UDP-based with fast reconnection
• Built into Linux kernel; clients for all platforms

Pros:

• Excellent performance
• Simple configuration
• Fast handshake and roaming
• Auditable codebase

Cons:

• UDP may be blocked on restrictive networks
• Enterprise management features still maturing
• Less extensive logging than enterprise alternatives
• Identity tied to public keys (no built-in user authentication)

Enterprise Adoption:

• Cloudflare WARP uses WireGuard
• Tailscale builds enterprise features on WireGuard
• NordVPN, Mullvad, and other consumer VPNs support WireGuard

Zero Trust Network Access (ZTNA) as VPN Alternative

ZTNA represents a paradigm shift from network-centric to identity/application-centric access:

How it differs from VPN:

• Access granted per-application, not per-network
• No network exposure – only specific apps accessible
• Identity verified for every request
• Device posture checked continuously

ZTNA Solutions:

• Zscaler Private Access (ZPA)
• Cloudflare Access
• Palo Alto Prisma Access
• Google BeyondCorp Enterprise
• Microsoft Azure AD App Proxy

When to use ZTNA vs. VPN:

• ZTNA: Cloud-first, SaaS-heavy, well-defined application portfolio
• VPN: Legacy applications, broad network access needs, complex internal routing

Remote access VPN enables the distributed workforce that defines modern enterprise operations. Let's consolidate the key knowledge from this page:

What's Next:

The next page examines VPN Protocols in depth—the specific protocols that implement VPN functionality. You'll explore IPSec modes and components, SSL/TLS VPN protocols like OpenVPN and SSTP, the WireGuard protocol, and legacy protocols that you may still encounter. Understanding protocol details enables informed technology selection and troubleshooting.