WireGuard is a registered trademark of Jason A. Donenfeld.
© 2025 Tailscale Inc. All rights reserved. Tailscale is a registered trademark of Tailscale Inc.

VPNs and Protection: Choosing the best network for security

VPN stands for virtual private network. It creates a secure connection between devices and a server and keeps any transmitted data safe from external threats.

What does VPN stand for?

VPN stands for 'virtual private network.' It's a connection that runs in the background and securely connects devices to servers.

How does a VPN protect you?

A VPN encrypts the connections that let two devices talk to each other. This can be between an organization's private networks and an employee's device, or a connection between two private networks. This secure connection provides protection from man-in-the-middle attacks.

VPNs encrypt the data that flows in these connections, preventing their exposure to outside threats.

How does a VPN work?

When you connect to a VPN:

  1. Your device creates an encrypted tunnel to the VPN server.
  2. The server then encrypts all the internet traffic passing through.
  3. The encrypted traffic is forwarded to its final destination on the internet.
  4. When the data returns to your device, it is decrypted and delivered back to you.

This entire process keeps that shared data private during transit and shields it from potential eavesdroppers and cyber threats.

Types of VPN

There are two main VPN types:

  1. Remote access VPN
  2. Site-to-site VPN

While they’re classified as different types, they accomplish the same outcome — the connection to the network is encrypted and protected.

Remote access VPNs

Remote access VPNs use an encrypted tunnel to connect your device to a private network. The private network's resources stay directly reachable, as if the device were on-site, without anyone on the path being able to interfere.

For IT admins, the benefit of a remote access VPN is that you can provide a configuration file that the employee imports into a VPN desktop client. The traffic from the computer flows directly to the enterprise's infrastructure without traversing the unsecured internet.

Remote access VPN server for business use

Organizations that have remote users, satellite offices or devices in the field can avoid exposing their servers to an unprotected internet connection when users connect to the internal servers. Unauthorized traffic never makes it to the server, protecting the organization from risks such as distributed denial of service (DDoS) attacks. (This reduces the need for an additional DoS protection tool.)

The VPN also protects employee data from exposure over public Wi-Fi networks because the connection is encrypted.

In short, companies that offer work-from-home policies, or have expanded to field or satellite offices greatly benefit from a business VPN for its added protection and flexibility.

Remote access VPN server for consumer use

It's not just businesses that benefit from the protections offered by VPNs.

Consumer VPNs pass your web traffic through a different geographic region. The virtual network now acts as a proxy between your device and the websites, devices or resources you are trying to reach. This masks your original IP from those servers. You’re now just a part of the virtual network established by the VPN provider, and the traffic to external websites would seem to originate from the region versus an individual device.

One major benefit of using a consumer VPN is that you can remotely access content that might not be available in your region. While it also provides encryption and other privacy benefits, many end users are primarily motivated by this region-exclusive content.

Site-to-site VPNs

Site-to-site VPNs act as a connection between two or more remote networks. Organizations wanting to connect office branch locations securely over the internet usually use site-to-site VPNs.

Site-to-site VPNs are also useful in multicloud infrastructure setups. Because the connection is permanent, users don't have to use a desktop application to access resources in the remote network.

Example: Tailscale offers organizations the opportunity to set up site-to-site VPN connections with the help of subnet routers.


Types of VPN protocols

There are many types of VPN protocols, which usually focus on data transfer speed and encryption types. In this section, we’ll take a closer look at five common VPN protocols. The WireGuard protocol, known for its speed and efficiency, is also significant in modern VPN technology due to its unique cryptographic techniques and performance benefits.

OpenVPN

OpenVPN uses Secure Sockets Layer (SSL) to securely transmit data. OpenVPN can run on both the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). OpenVPN over TCP focuses on the data arriving correctly, while UDP focuses on faster data transmission.

OpenVPN is open source with an active community of maintainers to quickly address issues and security vulnerabilities.

PPTP

Point-to-Point Tunneling Protocol (PPTP) is one of the earliest VPN protocols to be developed. PPTP is extremely easy to set up with minimal knowledge and is, by default, still in use by older devices.

PPTP is commonly used among hobbyist and small-scale VPN setups.

L2TP/IPsec

L2TP/IPsec is a combination of two protocols:

  1. Layer 2 Tunneling Protocol (L2TP) provides the tunneling between networks.
  2. IPsec (Internet Protocol Security) encrypts the traffic.

It's reportedly one of the slowest protocols in data transmission, which means it's not a common choice among VPN providers currently on the market.

SSTP

Secure Socket Tunneling Protocol (SSTP) is a VPN protocol created by Microsoft. It is a good choice for Windows machines. Microsoft originally developed it as a remote access VPN. It doesn't support site-to-site VPN communication.

The protocol is not open source, making it harder to audit and secure.

IKEv2

Internet Key Exchange version 2 (IKEv2) is a VPN protocol created jointly by Microsoft and Cisco. It is commonly paired with the IPsec protocol, which secures the communication.

IKEv2 (the successor to IKEv1) works especially well on mobile devices with improvements to its stability and broader support of encryption algorithms.

WireGuard

WireGuard® is an entirely open source VPN protocol that has only recently emerged. Tailscale was built on this protocol because of its high-speed transmission and simplified setup. By using the latest encryption methods, WireGuard can arguably be considered more secure than other VPN protocols, and it has also received widespread acclaim for its relative simplicity and stability.

The WireGuard team keeps the software exceptionally well updated, and they aim to make it the gold standard of VPN protocols. Maintaining secure connections between remote users and the data center is crucial as organizations evolve their cybersecurity strategies to accommodate hybrid work environments and ensure the safety of sensitive data across various platforms.

How VPN measures can protect you

Reputable VPNs employ many safety measures to keep your privacy intact. While these measures can be different from VPN to VPN, some standard ones are:

Kill switch feature

Most modern VPNs include a kill switch feature. If a user unexpectedly loses the connection to the VPN, the client automatically blocks the device's internet access. This protects users' privacy by preventing any accidental leak of their real IP address.

Dynamic IP address

Dynamic IP addresses make it very hard to track your online activity and add a nice layer of security and anonymity.

In the case of a dynamic address, the VPN continuously and randomly changes your IP address.

In the case of a static address, the IP assigned to you will not change.

Split tunneling

When you don't want to send all your internet traffic through a VPN, split tunneling lets you choose what traffic to pass through the network.

This can reduce bandwidth costs and increase speeds when a VPN is not needed. It also makes the user experience better without having to continually connect and disconnect.

If an organization disables split tunneling and forces all of a device's network traffic to pass through its own network infrastructure before hitting the internet, it keeps the benefit of all of its normal security tools analyzing a user's web traffic.

Disabling split tunneling could prevent your employees from clicking malicious links and downloading malware in the first place.
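To make the kill switch and split tunneling behaviour described above concrete, here is an added Python model (not Tailscale's or WireGuard's own code) of how a client decides, per destination, whether traffic enters the tunnel, goes out directly, or is dropped. The AllowedIPs semantics follow WireGuard's routing model; the subnets, the server endpoint 203.0.113.10 and the `TunnelPolicy` / `uncovered_subnets` names are constructed for illustration.

```python
"""Policy model of a VPN client's kill switch and split tunneling.

Added illustration, not Tailscale's or WireGuard's own code. AllowedIPs
semantics follow WireGuard's routing model; addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class TunnelPolicy:
    # WireGuard-style AllowedIPs: destinations routed into the tunnel.
    # ["0.0.0.0/0"] is a full tunnel; specific prefixes give a split tunnel.
    allowed_ips: list
    # Public address of the VPN server. It must stay reachable directly,
    # or the client could never (re)establish the tunnel.
    server_endpoint: str
    kill_switch: bool = True
    tunnel_up: bool = True

    def _nets(self):
        return [ipaddress.ip_network(n, strict=False) for n in self.allowed_ips]

    def decide(self, dst: str) -> str:
        """Return 'tunnel', 'direct' or 'drop' for destination IP dst."""
        ip = ipaddress.ip_address(dst)
        if str(ip) == self.server_endpoint:
            return "direct"  # handshake and keepalive traffic to the server
        in_scope = any(ip in n for n in self._nets() if n.version == ip.version)
        if not in_scope:
            # Outside AllowedIPs: split tunneling sends it out directly.
            return "direct"
        if self.tunnel_up:
            return "tunnel"
        # Tunnel is down. A kill switch drops the packet instead of leaking
        # it (and the device's real IP) onto the plain internet.
        return "drop" if self.kill_switch else "direct"


def uncovered_subnets(policy: TunnelPolicy, internal_subnets: list) -> list:
    """Audit helper: internal subnets that a split-tunnel policy leaves
    outside the tunnel, i.e. traffic to them would bypass the VPN."""
    nets = policy._nets()
    missing = []
    for s in internal_subnets:
        sub = ipaddress.ip_network(s, strict=False)
        if not any(sub.subnet_of(n) for n in nets if n.version == sub.version):
            missing.append(s)
    return missing


# Constructed sample policies: full tunnel vs split tunnel to two office subnets.
FULL_TUNNEL = TunnelPolicy(["0.0.0.0/0"], "203.0.113.10")
SPLIT_TUNNEL = TunnelPolicy(["10.0.0.0/8", "192.168.50.0/24"], "203.0.113.10")
```

Running `uncovered_subnets` against the list of subnets an organization considers internal is a quick way to catch a split-tunnel configuration that silently leaves part of the estate outside the VPN.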

Strong AES encryption

AES 256-bit encryption is one of the most secure encryption algorithms. It is approved by the United States National Security Agency (NSA) for top-secret information. This encryption keeps the communication between you and your VPN protected from everyone, including government agencies and hackers.

Most VPN providers have adopted AES 256.

Top-notch protocols

High-quality VPN providers compete to implement the latest protocols to entice corporations needing network protection.

When choosing a VPN for your organization, you should look for reputable protocols, which deliver high speeds and the best encryption available for security purposes.

Network Security

A VPN secures your network by protecting your internet traffic from interception and eavesdropping.

Additionally, a VPN hides your IP address, making it difficult for malicious actors to track your online activities. By encrypting sensitive data and protecting it from unauthorized access, a VPN helps prevent data breaches and enhances overall network security.

Selecting a VPN provider

Organizations and individual end users alike must exercise caution while choosing a VPN client. Despite their assurances, many VPN clients log data or are careless with the data they’ve collected. A VPN can also prevent an internet service provider (ISP) from tracking browsing activity.

Here are the top common threats of a rogue VPN disguised as a genuine provider.

Logging policies

An unverified VPN may log all of your browsing data, which can be harmful if anonymity and privacy are the top priorities for your organization. Independent audits are the best way to see whether your VPN is honoring its stated logging policy.

Data leaks

The security and privacy VPNs promise is only possible when the developers use necessary standards and protocols. VPNs that adhere to stated logging policies have less vulnerable data to expose.

Bad privacy policies

Some VPNs aim to collect as much PII as possible. Carefully review a VPN provider's privacy policy regarding data collection before using their product.

Pay extra attention to policies surrounding the collection of connection logs, IP address logs, and traffic logs. These logs often contain sensitive data and browsing history and can connect individuals to accounts. This can impact individual and corporate VPN users as some work-from-home and traveling employees could be accessing sensitive company data that shouldn't be exposed.

Malware infection and security vulnerabilities

Individual consumers choosing a free or less reputable VPN put themselves at risk of malware infection. Since VPN clients are generally apps you install on your mobile device or PC, they may be malware disguised as a VPN provider. They could easily be spyware or a ransomware-infected application designed to spread through networks and cause cyberattacks. You must be careful when choosing a VPN because hackers can lure you into installing the application through attractive deals. It’s best to avoid unknown and unverified VPN providers as you can’t be certain they have pure intentions. Choosing reliable VPN services is crucial to avoid malware risks.

Using PPTP

PPTP is a popular choice for small and medium-sized enterprises, especially in a Windows environment (because Microsoft developed it). However, as we covered earlier, it's plagued with security vulnerabilities. PPTP relies on outdated encryption algorithms, such as RSA and RC4 with 128-bit encryption, and these weaknesses have never been resolved.

Premium providers therefore tend to acknowledge that PPTP is not a suitable solution and steer clear of it. However, you should know that some VPN providers falsely claim to use a secure protocol when in fact they use PPTP, as it's easier to set up and use. One way to determine if PPTP is being used is by sniffing the traffic when connected to the VPN. If you see connections from TCP port 1723, there's a good chance that it is.
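A defender can turn the port 1723 check above into a log audit. The following added Python example (not from the original page) scans constructed connection-log lines for PPTP's TCP/1723 control channel and, as a known fact from RFC 2637, its GRE data channel; the log format, addresses and function names are assumptions made for this illustration.

```python
"""Flag PPTP use in connection logs.

Added example, not from the original page. PPTP's control channel is
TCP port 1723; its data channel is GRE, IP protocol 47 (RFC 2637).
The log format and every line in SAMPLE_LOG are constructed.
"""
import re
from collections import defaultdict

# Constructed sample log: "<time> <src> -> <dst> <proto>[/<dport>]".
# 10.0.0.5 and 10.0.0.12 talk PPTP to 198.51.100.7; 10.0.0.9 uses
# UDP/51820, WireGuard's usual port, so it must not be flagged.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 -> 198.51.100.7 TCP/1723
12:00:01 10.0.0.5 -> 198.51.100.7 GRE
12:00:02 10.0.0.5 -> 93.184.216.34 TCP/443
12:00:03 10.0.0.9 -> 198.51.100.20 UDP/51820
12:00:04 10.0.0.9 -> 198.51.100.20 UDP/51820
12:00:05 10.0.0.12 -> 198.51.100.7 TCP/1723
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)\s+([A-Z]+)(?:/(\d+))?$")


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, port = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(port) if port else None}


def pptp_findings(log_text):
    """Map (src, dst) -> set of PPTP indicators seen for that pair."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"])
        if rec["proto"] == "TCP" and rec["dport"] == 1723:
            findings[key].add("pptp-control-tcp-1723")
        elif rec["proto"] == "GRE":
            # GRE alone is also used by other tunnels; it is only strong
            # evidence of PPTP when paired with the TCP/1723 control channel.
            findings[key].add("gre-data-channel")
    return dict(findings)


def confirmed_pptp(findings):
    """Pairs showing both the control and the data channel."""
    both = {"pptp-control-tcp-1723", "gre-data-channel"}
    return sorted(pair for pair, ind in findings.items() if both <= ind)
```

A pair that shows only TCP/1723 still deserves a look, since the GRE leg may simply not appear in a log that records only TCP and UDP flows.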

IP address as exit node

From a consumer's perspective, VPNs are very useful for masking your IP address. VPNs use an exit node, and the node's IP becomes your new IP address. Some VPN providers randomly pick another user's IP address and use it as the exit node for your traffic. This can be catastrophic if that IP address is implicated in cybercrime activity and traced back to you. Malicious VPN providers might even use their users' IP addresses from a pool of IPs to hide their own dubious activities.

VPN Privacy Concerns

Some privacy concerns focus on data collection. Some providers may collect user data, such as IP addresses and browsing history, and sell it to third parties.

Additionally, not all VPN providers implement robust security measures, such as strong encryption and secure protocols, to protect user data.

It is crucial to choose a reputable VPN provider that prioritizes user privacy and security.

Look for providers with:

  • Transparent privacy policies
  • No-logs policies
  • A proven track record of safeguarding user data

Installing and Using a VPN

Installing and using a VPN is relatively straightforward.

Most VPN providers offer user-friendly software and apps that can be easily installed on your device. Once installed, you can connect to a VPN server with just a few clicks and start enjoying a secure browsing experience.

Many VPN providers also offer browser extensions and mobile apps, making it convenient to use a VPN across multiple devices.

When selecting a VPN provider, consider factors such as security features, server locations, and customer support to ensure a smooth and secure VPN experience.

How Tailscale protects you

Tailscale VPN is designed to make your devices accessible from any part of the world effortlessly and securely from any network connection, even public Wi-Fi. In addition to offering all the security measures previously mentioned, some other Tailscale features are worth highlighting. Tailscale is a reliable VPN service for secure connections.

WireGuard's Noise protocol encryption

WireGuard is based on the Noise protocol framework, which is highly secure and flexible. The Noise framework has almost zero built-in protocol negotiation, reducing the risk of a downgrade attack where an attacker forces the victim to use a downgraded protocol version. This makes Tailscale a very reliable VPN in terms of security and encryption.

Daily login key rotation

Tailscale can use your existing authentication provider to protect Secure Shell Protocol (SSH) connections. SSH helps in establishing shell access to your servers in an encrypted fashion with the help of SSH keys.

Tailscale automatically helps rotate your SSH keys as frequently as every hour by making you reauthenticate to the client. Additionally, Tailscale makes it very easy to revoke SSH access to a machine.

Low latency and guaranteed privacy

Tailscale users experience extremely low latency due to its decentralized tunneling of VPN connections. This means your remote workers will experience high speeds no matter what part of the world they might be connecting from.

Also, Tailscale ensures that no traffic ever touches its servers by acting as an overlay network, where it only routes traffic between devices running Tailscale. This means reliable privacy and top speeds are always ensured for Tailscale users. Securing the user's computer is crucial to ensure privacy and security, as it creates a secure connection between the user's computer and the VPN server to protect online activity from being tracked.

Tailscale also logs data from both ends of the connection to ensure that the network traffic is not tampered with. This verifies the integrity of the web traffic and also helps in detecting manipulator-in-the-middle attacks between the user and the VPN endpoints.

Ready to try Tailscale? Download it and get started for free.

FAQs

In theory, no. Good VPNs mask your actual IP address and geolocation from the websites you visit. Even your ISP cannot see your traffic because it’s encrypted between the VPN servers and your system.

However, the same thing cannot be said for free VPNs. Because they need a way to make a profit, they usually do it by selling your VPN data consisting of things like logs, cookies of websites visited, or credentials. This exposes you to being tracked and can compromise the privacy of your data. Investing in a quality VPN is essential to ensure your activity isn’t being tracked.

It depends on your online activity. If online privacy is the top concern, yes. However, if you use a VPN only for a particular activity, like online streaming or connecting to your enterprise’s infrastructure, it’s generally not required. VPN applications can drain your device’s battery and can cause a lag in your internet connection when compared to directly connecting to the internet.

A VPN can protect you from websites that collect the passive data of visiting users. This data includes IP address and geolocation. However, a VPN cannot protect your information if you voluntarily provide your data to a website, like filling in a form with personal details.
