Securing remote access, interconnecting sites, anonymising traffic… VPN is a versatile tool, but when misused it creates a false sense of security. A practical overview of the main use cases.
A VPN (Virtual Private Network) creates an encrypted tunnel between two points on a public network. Behind this simple principle lie very different use cases, distinct architectures and security levels that are far from equivalent.
How it works
A VPN encapsulates network traffic inside an encrypted tunnel. Both endpoints authenticate each other, negotiate a session key, then exchange encrypted data that the public network cannot read or tamper with. The most widely used protocols today:
- WireGuard — modern, highly performant, minimal codebase (< 4,000 lines), recommended for new deployments
- OpenVPN — mature, open source, highly flexible, supports both UDP and TCP
- IPsec/IKEv2 — enterprise standard, native on iOS, macOS and Windows
- SSL/TLS (SSTP, SoftEther) — easily traverses restrictive firewalls
The five main VPN use cases, all relying on an encrypted tunnel traversing the Internet.
Use cases
Securing data flows
This is the fundamental use: making traffic unreadable as it transits over an uncontrolled network. On public Wi-Fi (coffee shops, airports, hotels), data travels in cleartext and can be intercepted by anyone on the same network. A VPN encrypts all traffic, rendering any captured packets useless.
This protects against man-in-the-middle attacks, content injection by malicious network equipment, and passive eavesdropping on communications.
Site interconnection
A company with multiple offices (headquarters, branches, warehouses) needs its local networks to communicate as if they formed a single unified network. A site-to-site VPN creates permanent tunnels between each site's gateways.
Teams then share the same internal resources (file servers, databases, printers) without any exposure on the Internet. It is often the alternative to MPLS leased lines — less expensive and more flexible.
Remote work and remote access
A travelling or remote employee needs to access company internal resources: ERP, development tools, file servers, business applications. Without a VPN, either these resources are exposed on the Internet (risky) or they are inaccessible.
A remote access VPN allows the employee to connect from anywhere by authenticating (credentials + certificate or 2FA), and access the corporate network as if they were at their desk. This has become a prerequisite for any hybrid work policy.
Network segmentation
In a complex architecture (microservices, multi-cloud, IoT, OT/IT segmentation), a VPN makes it possible to isolate sensitive network segments: only authorised hosts, connected through the right tunnel, can reach those zones.
This is a practical implementation of the zero trust principle: no network is trusted by default, even internal ones. Every connection must be explicitly authorised and encrypted.
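The site interconnection and segmentation cases above both come down to two controls on each gateway: WireGuard's AllowedIPs decides which prefixes a peer may source and reach through the tunnel, and the host firewall decides which internal hosts that traffic may actually touch. The configuration below is an added example written for this article, not a Gotan deliverable; all keys, hostnames and address prefixes are placeholders, and it assumes wg-quick and iptables on Linux gateways whose FORWARD chain defaults to ACCEPT.

```ini
# Site A gateway (LAN 10.10.0.0/16): /etc/wireguard/wg0.conf, placeholder values throughout
[Interface]
Address = 10.99.0.1/24              # this gateway's address inside the tunnel overlay
ListenPort = 51820
PrivateKey = <SITE_A_PRIVATE_KEY>   # output of `wg genkey`, unique per gateway
PostUp = sysctl -w net.ipv4.ip_forward=1
# The tunnel only carries traffic; which hosts Site B may reach is a firewall decision.
# Here Site B is limited to the file-server subnet 10.10.5.0/24 (replies to connections
# opened from Site A are still allowed); everything else arriving from the tunnel is dropped.
PostUp = iptables -A FORWARD -i %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i %i -d 10.10.5.0/24 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -j DROP
PostDown = iptables -D FORWARD -i %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i %i -d 10.10.5.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j DROP

[Peer]
# Site B gateway
PublicKey = <SITE_B_PUBLIC_KEY>
PresharedKey = <SHARED_PSK>         # optional extra symmetric secret, from `wg genpsk`
Endpoint = vpn-b.example.com:51820
# Cryptokey routing: packets for these prefixes are sent to this peer, and packets
# arriving from it with a source address outside them are silently dropped.
AllowedIPs = 10.99.0.2/32, 10.20.0.0/16
PersistentKeepalive = 25            # keeps NAT/firewall state alive if a side is behind NAT

# Site B gateway (LAN 10.20.0.0/16): mirror image with its own key pair; the same
# kind of FORWARD rules belong here, limited to whatever Site A may reach on this LAN
[Interface]
Address = 10.99.0.2/24
ListenPort = 51820
PrivateKey = <SITE_B_PRIVATE_KEY>
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# Site A gateway
PublicKey = <SITE_A_PUBLIC_KEY>
PresharedKey = <SHARED_PSK>
Endpoint = vpn-a.example.com:51820
AllowedIPs = 10.99.0.1/32, 10.10.0.0/16
PersistentKeepalive = 25
```

LAN hosts at each site still need a route for the remote prefix pointing at their local gateway; without the FORWARD rules, AllowedIPs alone would let every host in 10.20.0.0/16 reach every host at Site A.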
Anonymisation and bypassing restrictions
A VPN reroutes traffic through an outgoing server at a chosen location. This masks the user's real IP address and allows bypassing geographic restrictions (access to geo-locked content or services blocked by country or ISP).
A legitimate enterprise use case is simulating a user from a specific country to test the geolocation behaviour of an application, or accessing services restricted to certain territories. Note: this feature should not be confused with security. A commercial consumer VPN does not encrypt better than any other method; it simply shifts trust from the ISP to the VPN provider.
Limits to keep in mind
A VPN does not protect against everything. It does not replace:
- A firewall — VPN encrypts transit, not internal access policy
- Identity management — an open VPN tunnel with stolen credentials is as dangerous as an open door
- Patch management — a compromised host connected via VPN propagates threats across the internal network
- Fine-grained segmentation — without microsegmentation, an attacker connected to the VPN can move laterally
VPN usage must be part of a broader security strategy, not treated as a silver bullet.
Gotan supports its clients
Employee mobility and data flow security are two challenges that cannot be addressed separately. A remote employee without reliable VPN access will find workarounds — and create vulnerabilities. A poorly configured VPN creates false confidence.
Gotan supports its clients in setting up a secure connectivity infrastructure suited to their context: protocol and solution selection (WireGuard, OpenVPN, cloud-native solutions), site-to-site or remote access architecture, integration with existing identity tools, and team training in best practices. The goal: every employee can work from anywhere, without compromising company data security.