Skip to main content

The challenges of traditional corporate VPNs – And how to overcome them

· 4 min read
Mikhail Bragin

A VPN is a crucial tool for helping businesses address the unique security concerns of remote work, but implementation remains challenging.

Setting up a corporate VPN is a challenging, yet essential, endeavor in the era of remote work. While easily configurable consumer-grade VPN services might seem like a viable alternative, they lack customizability and are poorly suited to enterprise environments with hundreds or even thousands of remote workers and devices.

A bespoke enterprise-grade VPN is by far the most customizable and secure option. However, they can also be notoriously difficult to set up. The process typically begins with a proof of concept, at which point the IT team will design the network architecture for the VPN.

This typically starts with deciding which IP ranges will be given to VPN users. Furthermore, all networks and devices need to know about the new IP ranges, as does the VPN server itself. Then, all firewalls need to be reconfigured to accommodate the new IP range. Without proper configuration, all internal systems could end up being exposed to all internal users, which is a serious risk factor given the need for zero-trust security.

The whole process of going from proof of concept to a fully-functioning custom-built corporate VPN can take weeks or even months, depending on the size of the network. It also requires the specialized knowledge and skills of infrastructure engineers.

Next comes the launching phase where, all too often, unforeseen issues appear, such as ones with previous configurations and client-side deployments. As such, you often end up needing to educate end users on how to use complicated software.

What about site-to-site VPNs?

Site-to-site VPNs are even more complicated to deploy and configure, as they involve setting up connections between multiple proprietary networks, such as those belonging to different branches or service regions.

When building a site-to-site VPN, it is first necessary to look at the hardware and software at each site. In most cases, these systems need to be fully interoperable with one another and all communicate via the same supported protocols. Sometimes, vendor lock-in can still be an issue, in which case you may run into complications when using protocols not supported by your vendor. In other cases, you may need to pay for additional hardware capacity to encrypt and decrypt your network traffic.

Once you have a clear picture of the computing environment of each site you want to connect, you will need to design your networking architecture. This involves deciding how you are going to route traffic, which traffic will go through your VPN tunnels, and how you will manage your firewalls and other networking appliances. Handling complex firewall rules alone is something that often requires specialist teams.

Configuring VPN tunnels is no easy task, and neither is setting up a secure way to exchange keys or changing settings. This can cause reliability and security issues, with end users being among the first to suffer from a poor user experience. Such systems also lack intuitive paths for troubleshooting.

Finally, when connecting to the cloud, there is a high chance of compatibility issues arising. It may not be possible to automatically update IP ranges either. In the worst-case scenario, vital everyday business operations can be brought to a standstill due to issues with the VPN.

How network decentralization can help

A traditional corporate VPN routes all traffic through a centralized VPN gateway. However, if the server encounters a problem that leads to unscheduled downtime, the disruption would make it impossible for remote workers to do their jobs.

The best approach to countering the limitations and challenges of traditional VPNs is to instead use point-to-point connections. This also improves network performance, since the traffic does not have to go through a VPN server and thus complete a much longer round trip.

Whereas traditional VPNs use the castle-and-moat model, decentralized alternatives rely on signaling servers to find other machines and negotiate connections. This way, there is no need to reconfigure firewalls or set up VPN gateways either.

netbird is a zero-config VPN that lets you connect your remote teams, infrastructure, and edge environments in just a few minutes.

Join our beta program today to see how it works at