Virtual Private Networks (VPNs) create encrypted tunnels over untrusted networks, effectively extending the local network to remote users or branch offices. Understanding the architectural differences between remote access and site-to-site VPNs is foundational.
Remote access VPNs are used by individual employees connecting from home or public Wi-Fi. The client software authenticates the user, and the tunnel terminates at the corporate gateway, granting the endpoint access to internal resources.
💡 Pro-tip: Never grant remote access VPN users full network access by default. Implement Network Access Control (NAC) to restrict tunnel endpoints to only the specific subnets required for their role.
The gateway log for such a session shows the remote user's public address (198.51.100.5) being assigned an internal tunnel IP (10.8.0.2), mapping their remote identity to an internal network identity.
Site-to-site VPNs connect entire networks (e.g., HQ to a branch office). The tunnel is established between two routers/firewalls. Endpoints on both sides are unaware of the encryption; routing tables simply point traffic into the tunnel.
⚠️ Site-to-Site VPNs can inadvertently create routing loops or backdoor paths if overlapping subnets (e.g., 192.168.1.0/24 on both sides) are not carefully managed and NAT'd.
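The following is an added example (not code from the original page) that ties together the three points above: it parses constructed gateway log lines to map each remote identity to its tunnel IP, applies an assumed role-to-subnet NAC policy so a tunnel endpoint reaches only its role's subnets, and flags overlapping prefixes between two sites before a site-to-site tunnel is brought up. The log format, role names and subnets are all assumptions.

```python
import ipaddress
import re

# Constructed sample gateway log lines; the field layout is an assumption.
SAMPLE_LOG = """\
2024-05-01T08:12:03Z vpn-gw: user=alice remote=198.51.100.5 assigned=10.8.0.2 role=finance
2024-05-01T08:14:41Z vpn-gw: user=bob remote=203.0.113.9 assigned=10.8.0.3 role=contractor
"""

LOG_RE = re.compile(
    r"user=(?P<user>\S+) remote=(?P<remote>\S+) assigned=(?P<tunnel>\S+) role=(?P<role>\S+)"
)

# Assumed NAC policy: each role may reach only these internal subnets (least privilege).
ROLE_SUBNETS = {
    "finance": ["10.20.0.0/24"],
    "contractor": ["10.30.5.0/28"],
}


def parse_sessions(log_text):
    """Map each remote identity (public IP) to its assigned internal tunnel IP."""
    sessions = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match:
            sessions.append(match.groupdict())
    return sessions


def is_allowed(role, dst_ip):
    """True only if dst_ip falls inside one of the subnets permitted for the role.

    Unknown roles get no access, which is the safe default the pro-tip calls for.
    """
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(n) for n in ROLE_SUBNETS.get(role, []))


def find_overlaps(local_subnets, remote_subnets):
    """Return (local, remote) prefix pairs that overlap and therefore need NAT
    or renumbering before a site-to-site tunnel is established."""
    overlaps = []
    for local in map(ipaddress.ip_network, local_subnets):
        for remote in map(ipaddress.ip_network, remote_subnets):
            if local.overlaps(remote):
                overlaps.append((str(local), str(remote)))
    return overlaps


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(f"{s['user']}: {s['remote']} -> {s['tunnel']} (role {s['role']})")
    print(find_overlaps(["192.168.1.0/24", "10.1.0.0/16"], ["192.168.1.0/24", "10.2.0.0/16"]))
```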
| Type | Initiator | Use Case |
|---|---|---|
| Remote Access | Endpoint Client | Telecommuting / Mobile |
| Site-to-Site | Edge Router | Branch Office Connectivity |
| SSL Portal | Web Browser | Vendor / Limited Access |