WireGuard is a registered trademark of Jason A. Donenfeld.
© 2024 Tailscale Inc. All rights reserved. Tailscale is a registered trademark of Tailscale Inc.

What is the Most Secure Corporate VPN?

Corporate VPNs facilitate secure remote access for employees (wherever they may be) in order for them to safely access business resources such as databases, applications, files, and documents to carry out day-to-day business operations. In this article, we will discuss the value of VPNs for companies.

Written By
Rexford Ayeh Nyarko

Virtual private networks, or VPNs, have become a popular way to ensure secure, encrypted communication between network devices over a “tunnel” through the internet.

Individuals and organizations alike are increasingly using VPNs to improve network privacy and security, although the motivating factors for both groups are not the same. Individual end users tend to use VPNs to keep their web activity hidden from prying eyes, whereas organizations see the value in VPNs to secure remote connections that support a distributed workforce. In this article, we will discuss the value of VPNs for companies.

What is the difference between consumer and corporate VPNs?

Consumer VPNs are primarily used to maintain users’ privacy and anonymity online. This is done by making the user appear to be in a specific geographic location, usually to reach services or content that are restricted in their actual location. Other times, consumer VPNs are used to bypass firewall restrictions imposed by the local network or ISP.

Corporate VPNs facilitate secure remote access for employees (wherever they may be) in order for them to safely access business resources such as databases, applications, files, and documents in order to carry out day-to-day business operations.

Corporate VPNs provide employees secure access to the organization’s internal network across on-premises, hybrid, and cloud resources while providing an end-to-end encrypted communication channel between users and the resources. These are usually known as remote access VPNs. Corporate VPNs can also be used to set up secure encrypted communications between the organization’s offices across multiple locations through the public internet for sharing and accessing resources. This type of VPN is known as site-to-site. In both cases, the organization’s network resources and data are protected from the public and potential unauthorized access attempts.

Corporate VPNs: how will they be assessed?

This article will review four corporate VPN services that are available on the market to help you choose one that suits your organizational needs. The comparison will focus on the following:

  • Ease of deployment and configuration: You’ll determine if any prerequisite skills are needed, how much time and effort is required to get started, and how easy and intuitive it is for you to navigate and deploy a particular VPN solution company-wide.
  • Identity management or single sign-on (SSO) capabilities: This will explore the options each solution provides for user authentication and onboarding.
  • Supported VPN protocols and encryption: Since the security of a VPN rests on its protocols and the strength of its encryption, it’s good to know how well each solution secures communications.
  • Extra security features: You’ll be shown the standout security features for each platform.
  • Pricing: You’ll also see the pricing models that each solution adopts and how affordable it may be in relation to the others. Always refer to company websites for the latest information.

Let’s get started!

1. Perimeter 81

Perimeter 81 is a cloud-based, software-defined network solution that provides secure access to a company’s network, applications, and data. It allows employees, partners, and vendors to securely access the resources they need while also giving the IT department granular visibility and control over network access.

Ease of Deployment and Configuration

Perimeter 81’s responsive web-based UI is fairly intuitive to navigate, but creating a network can be difficult because there are many nuances. For example, you may need to set up separate networks for site-to-site connections.

Perimeter 81 provides agent software packages for desktops and mobile applications (Android and iOS) to enable device connectivity with the Perimeter 81 network. For your organization’s users, however, obtaining client software for installation on their devices may be challenging as the download links require them to first log in to obtain the client for their respective platforms. The alternative would be for you to share all the individual links for the respective client software with all employees. This doesn’t allow for a smooth onboarding process for larger organizations.

Identity Management or SSO Capabilities

Perimeter 81 includes several provisioning options for identity management on your network. Some key provisioning options include SSO integration with providers such as Okta, OneLogin, and Microsoft Azure AD and Active Directory (AD) integration. If your existing identity management infrastructure includes any of these providers, your organizational onboarding should be simple.

Supported VPN Protocols and Encryption

Among the protocols Perimeter 81 supports are SSL and TLS for securing communication between the client and the server. IPsec is used to establish secure communication over IP-based networks; note that IPsec deployments can be exposed to common attacks if they are not configured properly. The solution also uses modern variants of the Advanced Encryption Standard (AES) for data encryption, which is considerably stronger than earlier encryption schemes.

Extra Security Features

Perimeter 81 includes a variety of security features to help protect a company’s network security:

  • Multifactor authentication (MFA): This is for added authentication security.
  • Access controls and policies: They include user and device profiles, enabling you to enforce network access restrictions for similar groups of users or types of devices.
  • Real-time monitoring and alerting: This is for security threats, including unauthorized access attempts, suspicious network activity, and potential malware infections.
  • DNS filtering: This enables you to restrict malicious, harmful, or inappropriate content from being accessed.
  • A firewall-as-a-service (FaaS) feature: It provides a secure barrier between the company’s network and the internet as a traditional firewall would.

Pricing

The main thing to note with Perimeter 81’s pricing structure is that there are no free tiers or trial accounts available. To see how the platform works, you’d need to subscribe to at least their cheapest plan, which is $10 per user/month for a minimum of ten users and an extra $50/month for a gateway if you’re using only one network. Additionally, some key functionalities like SIEM integration and SCIM support are only supported at the higher pricing tiers.

2. OpenVPN

OpenVPN provides a self-hosted deployment for your on-premise infrastructure. You can install software packages for the supported server operating systems, or you can opt for a virtual appliance for hypervisor solutions such as VMware ESXi and Microsoft Hyper-V.

Preconfigured cloud images are also available, so you can take advantage of your existing cloud infrastructure with providers such as AWS, GCP, and Azure to set up your VPN server. This may be ideal if your organization needs complete control of all its infrastructure.

If you’re not looking into self-hosting your VPN server, OpenVPN also provides managed instances via OpenVPN Cloud.

This gives you more flexibility and control on how to deploy and integrate with your current infrastructure compared to solutions such as Perimeter 81, where you’re limited to their cloud offering.

Ease of Deployment and Configuration

The OpenVPN self-hosted deployment on-premises can be especially challenging because it requires a certain level of technical expertise and knowledge in Linux and networking to get it working properly.

OpenVPN allows you to set up site-to-site VPN connections to establish communication between multiple offices, but the implementation process is not straightforward and varies depending on whether you’re using OpenVPN Cloud or a self-hosted instance.

Irrespective of the type of deployment you opt for, once you get started on configuration from the web interface, you’re guided by a simple setup wizard.

Your organization’s users can establish a secure remote connection to your network from a variety of platforms, including Windows, macOS, Linux, and mobile devices, and the clients can be configured to work with a wide range of network types, including wireless and cellular networks.

Identity Management or SSO Capabilities

OpenVPN can handle identity management in a few different ways. Similarly to Perimeter 81, OpenVPN provides SSO integration with various providers for your organization’s existing identity management infrastructure—such as Okta, Azure AD, etc.—for user authentication and onboarding. It also allows for certificate-based client login where your users can use certificates to authenticate both the client and the server, providing a secure, smooth, and verifiable connection.

Supported VPN Protocols and Encryption

OpenVPN uses OpenSSL for encryption and authentication, considered by many to be one of the most secure libraries available. It also uses SSL and TLS to encrypt client-server communications and an AES encryption standard to encrypt data at rest and in transit.

Extra Security Features

OpenVPN has a variety of security features that are designed to protect the organization’s network, applications, and data from unauthorized access and cyber threats:

  • MFA: Like Perimeter 81, OpenVPN offers multifactor authentication.
  • Network segmentation: OpenVPN allows you to implement network segmentation by breaking down your virtual networks into smaller sub-networks or zones, which can be used to restrict access to certain devices or services.
  • ACLs: Similarly to Perimeter 81, OpenVPN provides access controls and security policy features to help you restrict a user or group of users to specific resources on your network.
  • Monitoring and alerts: An informative real-time monitoring and alerting dashboard is available to keep you updated on what’s going on within your network at all times.
  • Threat and intrusion detection: OpenVPN uses Suricata to implement threat and intrusion detection within your network. This feature is free, unlike the paid offering from Perimeter 81.

Pricing

OpenVPN is free, as long as you’re using the community edition (CE). For organizational use, however, you’d probably need paid support; as such, there would be a cost associated with investing in OpenVPN.

Additionally, the CE allows interaction only via a Linux CLI, which requires technical skills to manage or operate, so you’d actually be more likely to opt for a commercial version.

On top of web access for management, the commercial versions provide features like user management and easier configuration and deployment options. The enterprise offerings include the self-hosted Access Server tier and OpenVPN Cloud, which at the time of writing costs $7 per connection per month. This can get expensive quickly as the number of connections increases.

3. ZeroTier

ZeroTier is an open source peer-to-peer virtual networking system that allows you to connect devices—such as computers, servers, and mobile devices—to virtual networks for yourself or your organization regardless of their location. It allows for easy and secure communication between devices on different networks and can be used for remote access for your employees, VPNs, and network segmentation.

Ease of Deployment and Configuration

ZeroTier is relatively easy to deploy and configure as you don’t need any special technical skills. It gets a little more complicated if you’re opting for the self-hosted community edition as this requires core Linux skills. Overall, basic knowledge of networking concepts may come in handy when dealing with ZeroTier. Otherwise, the web-based control panel has a simple design, albeit a little outdated, but it does the job.

The client can be downloaded from the ZeroTier website and runs on various platforms, including Windows, Linux, macOS, iOS, Android, FreeBSD, and even network-attached storage (NAS) devices. After installation, each device is assigned a unique network ID, which is used to connect the device to the virtual network.

Identity Management or SSO Capabilities

ZeroTier handles identity management by assigning a unique network ID to each device that joins the virtual network. This network ID is used to identify the device and determine its accessibility on the network.

When a device joins the network, it must provide a network ID in order to connect. The network ID is then verified against a list of authorized devices maintained by the ZeroTier network controller. If the device is authorized, it will be granted access to the network and assigned an IP address.

Additionally, ZeroTier supports integration with external identity providers such as Microsoft Active Directory, Okta, and others. This allows you to use your existing identity management systems to manage access to your ZeroTier networks. However, your employees won’t be able to authenticate and join via their mobile devices because—at the time of writing—ZeroTier SSO is only supported on desktop operating systems.

Supported VPN Protocols and Encryption

ZeroTier uses its own proprietary virtual networking protocol, which is designed to be highly secure and efficient as it uses a combination of AES-256 encryption, elliptic-curve cryptography, and perfect forward secrecy (PFS) to protect data in transit. The encryption keys are exchanged automatically and securely between devices when they join the network, so there’s no need for manual configuration.

Extra Security Features

ZeroTier provides several additional security features to help protect your virtual networks and devices:

  • Network segmentation: Like Perimeter 81 and OpenVPN, ZeroTier allows you to implement network segmentation.
  • Secure device management: You also get secure device management as ZeroTier allows you to centrally manage all your onboarded devices.
  • MFA: ZeroTier uses MFA to provide an extra layer of security to protect your network and devices. However, unlike holistic solutions such as Tailscale, ZeroTier’s MFA only works for OpenID Connect SSO users.

It’s important to keep in mind that ZeroTier lacks key security features such as firewalls, security monitoring, or intrusion prevention and detection. If you’re thinking of opting for ZeroTier, you need to have a good security strategy already in place in addition to staying current with software updates.

Pricing

ZeroTier’s subscription model starts with a free Basic Package, which is limited to one admin account and twenty-five nodes and does not support business SSO; this should be enough for a personal, home, or small office network. If you require anything beyond that, you need the Professional Package, where you pay $10/month per admin, $5/month for a 25 Node Pack, and $5/month per seat for the Business SSO feature.

If you’re skilled enough and comfortable without Business SSO integration for onboarding nodes, then you can set up the self-hosted open source version without any limitations on the number of admin users, nodes, and networks.

4. Tailscale

Tailscale is a software-defined overlay-network solution that allows users to create a virtual, private, and encrypted network between devices. It allows users to securely connect and access resources on their network, such as servers and applications, from anywhere in the world.

Tailscale is designed to be easy to use and set up, with minimal configuration required. The Tailscale software runs on each device and creates a secure mesh network between them, eliminating the need for traditional VPNs or complicated network configurations.

Because it encrypts all traffic between devices and its secure key management allows only authorized devices to join the network, Tailscale is ideal for remote teams, distributed organizations, and anyone who wants to securely connect their devices and access resources from anywhere.

Ease of Deployment and Configuration

Tailscale works on Windows, macOS, Linux, iOS, and Android devices. Tailscale provides an intuitive and easy-to-use web admin console that allows users to manage, monitor, and troubleshoot their network, including adding or removing devices and controlling access to resources.

Overall, all you need to do is sign up, install the software, and sign in to get started. You don’t even need to be an IT administrator to set it up, so employees can onboard their devices without calling for support.

Identity Management or SSO Capabilities

Tailscale allows you to use your existing SSO provider to authenticate users to your tailnet, making it easy to manage access to your organization’s Tailscale network.

Tailscale supports various SSO providers, including Active Directory/LDAP, Google Workspace, Microsoft Azure Active Directory, Okta, OneLogin, and Auth0. While the solutions discussed above all support SSO integrations, none support as many as Tailscale.

Supported VPN Protocols and Encryption

Tailscale uses the WireGuard protocol to establish VPN connections. WireGuard is a relatively new VPN protocol that is designed to be fast, secure, and easy to set up. It’s considered to be more secure than other VPN protocols like OpenVPN and IPsec and is also known for its high performance.

Tailscale also uses strong encryption to secure data transmitted over the VPN. Specifically, it uses the ChaCha20 stream cipher for encryption, Poly1305 for authentication, and HKDF for key derivation.

Tailscale also supports PFS, which ensures that even if a long-term encryption key is compromised, past session keys will remain secure.

Extra Security Features

  • End-to-end encryption: Tailscale encrypts all network traffic end to end, ensuring that data is protected from eavesdropping and tampering.
  • Authentication: Tailscale uses public key infrastructure (PKI) to authenticate devices and users, ensuring that only authorized devices can join the network.
  • ACLs: Tailscale provides fine-grained access controls that allow administrators to grant and revoke access to specific devices and users.
  • Logging: Tailscale provides detailed logging of network activity, which can be used to detect and respond to security incidents.
  • Compliance: Tailscale supports compliance with various security standards such as SOC 2, HIPAA, and PCI DSS.
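To show what the fine-grained access control described above looks like in practice, here is a constructed Tailscale ACL policy in Tailscale’s HuJSON policy-file format. It is an added example, not code from the article; the user names, groups, tags and ports are assumptions, and the `tests` block records the expected allow/deny outcomes so a policy change that widens access fails before it is applied.

```json
{
  // Constructed example policy; users, groups, tags and ports are assumptions.
  // Tailscale ACLs are default-deny: traffic is allowed only if a rule matches.
  "groups": {
    "group:eng": ["alice@example.com", "bob@example.com"],
    "group:it":  ["carol@example.com"]
  },
  // Only IT may apply the production-database tag to a device, so a user
  // cannot make their own laptop look like a database server.
  "tagOwners": {
    "tag:prod-db": ["group:it"],
    "tag:ci":      ["group:eng"]
  },
  "acls": [
    // Engineers reach production databases on the Postgres port only.
    {"action": "accept", "src": ["group:eng"], "dst": ["tag:prod-db:5432"]},
    // CI runners may talk to each other on any port.
    {"action": "accept", "src": ["tag:ci"], "dst": ["tag:ci:*"]},
    // IT administers everything; no other rule grants broad access.
    {"action": "accept", "src": ["group:it"], "dst": ["*:*"]}
  ],
  // Policy tests evaluated by the admin console on save: alice must reach
  // Postgres but must not reach SSH on the same hosts.
  "tests": [
    {"src": "alice@example.com",
     "accept": ["tag:prod-db:5432"],
     "deny":   ["tag:prod-db:22"]},
    {"src": "carol@example.com",
     "accept": ["tag:prod-db:22"]}
  ]
}
```

Removing a user from `group:eng` revokes their database access on the next policy push without touching any device.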

Pricing

Tailscale offers a flexible pricing model based on the number of users on the network and on the product features required.

The Free plan can be used to explore how to set up a basic network for secure remote access. It allows up to 3 users and 100 devices on the network and includes end-to-end encryption, SSO, and MFA, among other features.

Next are the Starter, Premium, and Enterprise tiers. These paid tiers have advanced features for larger organizations. The Free plan is essentially a free trial because it has all features enabled, which allows you to test the solution against your organization’s network needs. Tailscale also offers a discount for annual billing on Enterprise plans.

Conclusion

This article has examined four popular corporate VPN services—Perimeter 81, OpenVPN, ZeroTier, and Tailscale—using key criteria to show which might best suit your organization’s needs.

If Tailscale sounds like it might meet the needs of your organization, you can download Tailscale on any device and begin exploring the possibilities for free.
