
VPN: What It Is, How It Works, and Why It Matters for Security

July 31, 2025 | Updated: May 14, 2026

Key takeaways:
  • A virtual private network (VPN) creates an encrypted tunnel between a device and a VPN server, hiding the user's IP address and protecting data in transit.
  • VPNs are widely used for remote work, securing public Wi-Fi connections, and bypassing geographic content restrictions.
  • VPN encryption protects against passive eavesdropping but does not control what employees do with data once it reaches a destination.
  • Three main VPN types (personal, remote access, and site-to-site) serve different use cases with different security trade-offs.
  • For enterprise data security, VPNs protect the network perimeter but do not replace controls that monitor data behavior after access is granted.

What Is a VPN?

A VPN, or virtual private network, is a technology that creates an encrypted connection between a user's device and a remote server, routing internet traffic through that server to mask the user's IP address and protect data in transit. When connected to a VPN, outbound traffic appears to originate from the VPN server rather than the user's actual device. As a result, internet service providers (ISPs), network operators, and other on-path third parties can see only that the device is talking to the VPN server, not the content or final destination of the traffic, and the destination sees the VPN server's address rather than the user's.

VPN technology was originally developed to give remote employees secure access to corporate networks over the public internet. Today, virtual private networks serve both enterprise and individual use cases: enabling remote work, protecting traffic on unsecured Wi-Fi, accessing geo-restricted content, and maintaining privacy from ISP-level monitoring. The term "VPN" now covers a wide range of products and protocols, from consumer privacy apps to enterprise-grade remote access infrastructure.

As organizations have shifted to cloud-first and distributed-workforce models, VPN use has increased significantly. At the same time, security teams have recognized that VPNs secure the path to data but do not govern what happens to data after access is granted, a gap that has driven interest in complementary controls.

How Does a VPN Work?

A VPN works by establishing an encrypted tunnel between a client device and a VPN server. Data sent through this tunnel is unreadable to anyone who intercepts it in transit.

The process follows these steps:

  1. Authentication: The client device connects to the VPN provider's server and authenticates using credentials, certificates, or a pre-shared key, depending on the protocol.
  2. Tunnel establishment: A secure session is negotiated using a VPN protocol (see the section below on VPN technologies). This creates the encrypted channel.
  3. Encryption in transit: All outbound data is encrypted before leaving the device. The VPN server decrypts the data and forwards it to the intended destination on the open internet.
  4. IP masking: The destination server sees the VPN server's IP address, not the user's actual device address. To external observers, the traffic appears to originate from the VPN server's location.
  5. Return path: Response traffic is routed back through the VPN server, encrypted, and delivered to the client device.
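The five steps above, simulated end to end as an added Go example (not code from the original article or from any VPN product): AES-GCM stands in for the negotiated tunnel cipher, and the session key, addresses, and payload are constructed placeholders. It shows what an on-path observer can read, what the VPN server recovers, and why a header rewritten in transit is dropped.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed 16-byte session key; a real tunnel derives it during steps 1-2 (authentication and negotiation).
var sessionKey = []byte("constructed-demo")

// outer is what crosses the public network: only the client and VPN server addresses are readable.
type outer struct {
	SrcIP, DstIP string
	Nonce, Ct    []byte // the real destination and payload live inside Ct as AEAD ciphertext
}

func gcm() cipher.AEAD {
	block, _ := aes.NewCipher(sessionKey) // 16-byte key: cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// encapsulate (client, steps 2-3): seal "realDst|payload" with the outer addresses bound as associated data, so an on-path header rewrite is detected.
func encapsulate(clientIP, vpnIP, realDst string, payload []byte) outer {
	nonce := make([]byte, gcm().NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	ct := gcm().Seal(nil, nonce, append([]byte(realDst+"|"), payload...), []byte(clientIP+">"+vpnIP))
	return outer{clientIP, vpnIP, nonce, ct}
}

// forward (VPN server, steps 3-4): authenticate and decrypt, then emit the inner packet with the server's own address as source, which is all the destination ever sees.
func forward(pkt outer) (srcIP, dstIP string, payload []byte, ok bool) {
	plain, err := gcm().Open(nil, pkt.Nonce, pkt.Ct, []byte(pkt.SrcIP+">"+pkt.DstIP))
	if err != nil {
		return "", "", nil, false // forged or modified in transit: dropped
	}
	dst, body, _ := strings.Cut(string(plain), "|")
	return pkt.DstIP, dst, []byte(body), true
}

func main() {
	pkt := encapsulate("203.0.113.5", "198.51.100.1", "192.0.2.10", []byte("GET /report"))
	src, dst, body, _ := forward(pkt)
	fmt.Printf("observer: %s -> %s, %d opaque bytes; %s sees %q from %s\n", pkt.SrcIP, pkt.DstIP, len(pkt.Ct), dst, body, src)
}
```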

VPN technologies and protocols

The security of a VPN depends heavily on the protocol it uses. Common protocols include:

| Protocol | Description | Typical use |
|---|---|---|
| OpenVPN | Open-source protocol using SSL/TLS for encryption. Widely used and highly configurable. | Consumer and enterprise VPNs |
| WireGuard | Newer protocol with a smaller codebase, faster performance, and modern cryptography. | Consumer VPNs and newer enterprise solutions |
| IPSec/IKEv2 | A suite of protocols for authenticating and encrypting IP traffic. Commonly paired with L2TP or used alone. | Enterprise remote access and site-to-site VPNs |
| SSL/TLS (SSTP) | Uses HTTPS port 443, making it difficult to block; built into Windows. | Remote access behind restrictive firewalls |
| L2TP/IPSec | Layer 2 tunneling protocol combined with IPSec for encryption. Older and slower than alternatives. | Legacy enterprise deployments |

The choice of protocol affects speed, compatibility, and resistance to detection and blocking.

Types of VPN

There are three primary VPN types, each designed for a different scope and use case.

Personal VPN

A personal VPN (also called a consumer VPN) is a subscription service that individuals use to encrypt their internet traffic and mask their IP address. Users install a VPN application on their device, connect to a server in a location of their choice, and route all traffic through that server. Personal VPNs are primarily used for privacy from ISPs, security on public Wi-Fi, and access to content restricted by region.

Remote access VPN

A remote access VPN allows individual users to connect to a private corporate network from an external location. The user's device establishes an encrypted tunnel to the company's VPN gateway, which grants access to internal resources as if the device were on the local network. Remote access VPNs are the standard mechanism for secure employee connectivity in distributed work environments. They typically require authentication through the organization's identity provider and may enforce device health checks before granting access.

Site-to-site VPN

A site-to-site VPN connects two entire networks, rather than a single device to a network. Organizations use this configuration to link offices in different physical locations, allowing resources on each network to communicate securely over the public internet. A company with offices in Austin, Chicago, and London, for example, can use site-to-site VPNs so that employees at any location can access shared file servers and internal applications as if they were on a single network.

VPN vs. Proxy: Key Differences

VPNs and proxies are frequently compared because both route traffic through an intermediary server to mask a user's IP address. The key differences come down to scope and encryption.

| Criterion | VPN | Proxy |
|---|---|---|
| Encryption | Encrypts all traffic between device and server | Typically no encryption |
| Scope | Covers all internet traffic from the device | Usually limited to a single application or browser |
| IP masking | Hides IP at the network level | Hides IP at the application level |
| Authentication | Generally required | Often anonymous |
| Speed impact | Moderate; depends on protocol and server distance | Lower overhead, generally faster |
| Security | Higher; protects against passive interception | Lower; does not prevent traffic monitoring |

A proxy can conceal a user's IP address from a specific website, but it does not encrypt the data in transit. A VPN encrypts everything the device sends and receives, providing stronger protection against network-level eavesdropping.

Why VPNs Matter for Enterprise Security

VPNs address a specific, well-understood problem: protecting data as it moves over networks the organization does not control. For enterprises, the two most relevant scenarios are remote workforce connectivity and branch network interconnection.

Before cloud-first infrastructure, corporate data lived primarily on internal servers. Employees connecting from home or traveling needed a way to access those resources without exposing them to the public internet. Remote access VPNs solved this directly: they created a secure channel back to the corporate perimeter. Organizations that rely on internally hosted applications, databases, and file servers still depend on this architecture.

VPNs also reduce exposure to a specific class of attacks. On unprotected public Wi-Fi networks, a threat actor on the same network can potentially intercept unencrypted traffic using man-in-the-middle techniques. A VPN encrypts that traffic before it reaches the shared network, removing the attacker's visibility into its contents.

For compliance purposes, several frameworks and regulations require encryption of data in transit. A VPN is one mechanism organizations use to satisfy those requirements for remote access scenarios.

Common VPN Challenges and Limitations

VPNs solve the transit problem but leave several security gaps that organizations frequently underestimate.

  • VPNs do not control data behavior after access. Once a user connects to the corporate network through a VPN and downloads a file, the VPN has no visibility into what happens next. The file can be copied to a personal device, uploaded to an unsanctioned cloud service, or sent externally. Encrypting the path does not govern the destination. This is exactly the gap that data loss prevention (DLP) is designed to close.
  • Broad network access increases blast radius. Traditional remote access VPNs often grant users access to the entire corporate network segment rather than specific applications. If a user's credentials are compromised, the attacker inherits that same broad access. This is a core reason organizations have moved toward zero trust network access (ZTNA) architectures that enforce least-privilege access at the application level.
  • VPN performance degrades at scale. Routing all employee traffic through a central VPN gateway creates a bottleneck, particularly as organizations adopt cloud-hosted SaaS applications. Traffic destined for services like Microsoft 365 or Salesforce is backhauled through the corporate gateway unnecessarily, increasing latency. SASE architectures address this by converging networking and security functions at the cloud edge.
  • VPN clients are a target for attackers. VPN appliances and client software have been the source of significant vulnerabilities in recent years. Organizations that delay patching VPN infrastructure expose a highly privileged entry point to exploitation.
  • Free VPN providers frequently monetize user data. Consumer VPNs advertised as free services often collect and sell browsing data to advertisers, directly undermining the privacy purpose of the product. The VPN provider itself becomes a data exposure risk.

How to Evaluate and Use a VPN Effectively

For organizations deploying enterprise VPNs, and for individuals selecting a personal VPN provider, the following criteria distinguish effective implementations from inadequate ones.

For enterprise deployments

  1. Scope access to specific applications, not entire network segments. Configure VPN access policies to grant users access only to the internal resources they need, using firewall rules or network segmentation. This limits the exposure created by compromised credentials.
  2. Enforce multi-factor authentication (MFA) at the VPN gateway. A username and password alone are not sufficient for remote access to sensitive corporate resources. Require a second factor for all VPN connections.
  3. Maintain a VPN patching schedule. VPN appliances are high-value targets. Treat them with the same patching urgency as internet-facing servers.
  4. Audit VPN access logs. Log all VPN connections, including user identity, device, connection duration, and resources accessed. Feed these logs into your SIEM for anomaly detection.
  5. Evaluate split tunneling carefully. Split tunneling sends corporate traffic through the VPN while allowing other traffic to go directly to the internet. This reduces bandwidth overhead but may allow endpoint threats to communicate freely without going through corporate security controls.
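Step 4 in practice, as an added Go example that is not from the original article: it runs two SIEM-style checks over constructed VPN gateway log lines. The key=value log layout, user names, and addresses are assumptions, since real appliances log in their own formats.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed gateway log in key=value form; real appliances differ, so adapt the field parsing.
const sampleLog = `ts=2026-05-14T08:02:11Z user=alice src=203.0.113.5 geo=US result=success
ts=2026-05-14T09:01:55Z user=alice src=192.0.2.44 geo=BR result=success
ts=2026-05-14T09:10:00Z user=carol src=198.51.100.9 geo=US result=failure
ts=2026-05-14T09:10:04Z user=carol src=198.51.100.9 geo=US result=failure
ts=2026-05-14T09:10:15Z user=carol src=198.51.100.9 geo=US result=success`

// detect walks the log once and raises two alerts a SIEM rule would: one user succeeding from two
// countries within window (impossible travel) and a success following maxFail failures from one source.
func detect(log string, window time.Duration, maxFail int) []string {
	var alerts []string
	type seen struct{ at time.Time; geo string }
	lastOK := map[string]seen{} // last successful login per user
	fails := map[string]int{}   // failures since the last success, per source IP
	for _, line := range strings.Split(log, "\n") {
		kv := map[string]string{}
		for _, field := range strings.Fields(line) {
			if k, v, ok := strings.Cut(field, "="); ok {
				kv[k] = v
			}
		}
		at, err := time.Parse(time.RFC3339, kv["ts"])
		if err != nil {
			continue // malformed or blank line: skip it rather than crash the detector
		}
		if kv["result"] != "success" {
			fails[kv["src"]]++
			continue
		}
		if p, ok := lastOK[kv["user"]]; ok && p.geo != kv["geo"] && at.Sub(p.at) < window {
			alerts = append(alerts, fmt.Sprintf("%s: %s then %s within %s", kv["user"], p.geo, kv["geo"], at.Sub(p.at)))
		}
		if fails[kv["src"]] >= maxFail {
			alerts = append(alerts, fmt.Sprintf("%s: success after %d failures from %s", kv["user"], fails[kv["src"]], kv["src"]))
		}
		lastOK[kv["user"]] = seen{at, kv["geo"]}
		fails[kv["src"]] = 0
	}
	return alerts
}

func main() { fmt.Println(strings.Join(detect(sampleLog, time.Hour, 2), "\n")) }
```

Tune window and maxFail to your gateway's real baseline before wiring the rule into alerting, since a travelling workforce and retry-happy clients will otherwise flood the queue.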

For VPN passthrough scenarios

A VPN passthrough is a router configuration that allows VPN traffic to pass through a NAT (network address translation) device without interference. Most modern routers support VPN passthrough by default. If users report that their VPN connections fail when connecting through a specific router, enabling VPN passthrough for the relevant protocol (IPSec, PPTP, or L2TP) is typically the fix. This is a configuration setting on the router, not the VPN device itself.

For VPN device selection

When deploying dedicated VPN hardware or selecting a VPN device for remote offices, evaluate: throughput capacity at your expected encryption strength, support for your chosen VPN protocol, integration with your identity provider for authentication, and the vendor's track record on security patching.

For personal VPN selection

Look for providers with independently audited no-logs policies, a kill switch that blocks traffic if the VPN connection drops, and support for modern protocols such as WireGuard. Avoid free services.

How Cyberhaven Addresses VPN-Related Data Security Gaps

Cyberhaven's approach to VPN-related risk focuses on the data layer rather than the network layer. A VPN secures the connection, but once data leaves the network perimeter, standard VPN controls have no visibility into what happens to it.

Cyberhaven Data Loss Prevention (DLP) monitors data movement at the endpoint level, tracking what files are accessed, copied, downloaded, or transferred after a VPN session grants access to internal resources. If an employee connects via VPN, downloads sensitive data, and then uploads it to a personal cloud storage account, Cyberhaven detects and can block that transfer regardless of whether the initial access was encrypted.

Cyberhaven Data Lineage traces the origin and movement of data across the organization, which is particularly useful for investigating post-access incidents. When security teams need to determine which data a user accessed during a VPN session and where it went afterward, lineage provides the chain of custody without relying solely on network logs.

These capabilities do not replace VPN infrastructure. They address what VPNs cannot: governing data behavior after authorized access has been granted.

Frequently Asked Questions

What is a VPN?

A VPN, or virtual private network, is a technology that creates an encrypted connection between a user's device and a remote server operated by a VPN provider. All internet traffic is routed through this server, masking the user's real IP address and protecting data in transit from interception. VPNs are used for remote work, securing public Wi-Fi connections, and maintaining privacy from network-level surveillance.

How does a VPN work?

A VPN works by encrypting outbound traffic before it leaves the user's device and routing it through a VPN server. The server decrypts the data and forwards it to the intended destination. Response traffic is routed back through the server, encrypted, and delivered to the user's device. The destination sees the VPN server's IP address rather than the user's actual address. The encryption algorithm and security properties depend on the VPN protocol in use.

What is the difference between a VPN and a proxy?

The key difference between a VPN and a proxy is encryption and scope. A VPN encrypts all traffic from the device and routes it through a secure tunnel. A proxy routes requests through an intermediary server to mask the user's IP address but does not encrypt the traffic and typically only covers a single application rather than the entire device. VPNs provide stronger protection against network-level interception; proxies offer lighter-weight IP masking without encryption overhead.

What are the main types of VPN?

The three main VPN types are personal VPNs, remote access VPNs, and site-to-site VPNs. Personal VPNs are consumer services that encrypt individual internet traffic. Remote access VPNs allow individual employees to connect securely to a corporate network from external locations. Site-to-site VPNs connect entire networks across different physical locations, enabling resources to be shared between offices as if they were on the same local network.

What is a VPN passthrough?

A VPN passthrough is a setting on a router or firewall that allows VPN traffic to pass through a NAT device without being blocked or modified. Many older routers and some firewall configurations interfere with VPN protocols, particularly IPSec and PPTP. Enabling VPN passthrough on the network device resolves connection failures caused by this interference. The setting is applied on the router, not on the VPN client or server.

What are the limitations of VPNs for enterprise security?

VPNs secure data in transit but do not control what happens to data after it is accessed. They typically grant broad network access rather than least-privilege application access, increasing risk if credentials are compromised. VPN appliances require regular patching and are common attack targets. They also create performance bottlenecks as more traffic is routed to cloud-hosted services. Organizations addressing these gaps use VPNs alongside endpoint controls, data loss prevention, and zero trust network access architectures.