Why It’s Time to Replace Your Traditional VPN Solution

Traditional VPN solutions are difficult to set up and even harder to maintain. In this article, we’ll discuss what makes a traditional VPN solution painful - and explore an alternative that simplifies VPN architecture, security, and administration.

Written by Justin Dunham

Traditional VPN solutions are difficult to set up and even harder to maintain. In this article, we’ll discuss what makes a traditional VPN solution painful - and explore an alternative that simplifies VPN architecture, security, and administration. 

The architecture of a traditional VPN solution

A VPN extends an organization’s network in a specific location (e.g., an office) into remote locations. It enables secure sharing of protected resources - e.g., giving company employees access to internal data and services. 

With traditional VPN architecture, a company establishes a VPN remote access point. Remote devices use a VPN client to create an encrypted SSL/TLS tunnel between the remote device and the access point. End-to-end encryption ensures that third parties can’t intercept and read sensitive information sent over the public Internet. 

Once the connection is established, the remote device sends all traffic intended for that network through this encrypted connection. The resulting network is a “hub-and-spoke” pattern, in which multiple clients connect through a common VPN endpoint. 

A central hub-and-spoke subnet router, connecting 10 client nodes and 3 servers.

A traditional hub-and-spoke VPN

Use cases for this type of traditional VPN hub-and-spoke model include: 

  • Remote access: Enables employees to connect to work resources while at home or traveling. 
  • Site-to-site: Connects one network to another to share resources. A good example is connecting a partner’s network to your own to enable collaboration on an active software development project or regular sharing or data. 

The issues with traditional VPN solutions

Traditional VPN solutions have fulfilled their purposes for many years. But they have several limitations that make them hard to manage: 

Require intensive setup and configuration

Traditional VPNs require configuring both clients on the user’s machines as well as access endpoints. Companies usually need to maintain, secure, monitor, and manage multiple access points to support the number of users that need to connect. 

The administration interfaces in a traditional VPN solution are usually complex and prone to misconfiguration. Setting up a VPN endpoint requires other ancillary services - such as a certificate authority - that introduce their own complexity and management overhead. The specialized knowledge required for a specific vendor’s product makes it difficult to staff teams who can set up and manage your VPN. 

Additionally, many traditional VPN solutions may require installing (and licensing) supplementary products to obtain additional security features. That increases administrative complexity even further. 

Hard to debug

We’ve seen first-hand how many hours it can take to track down an issue with a hub-and-spoke VPN. Our customers have shared their own painful stories with us as well. 

Vehicle insurance company Zego found out how complex these issues can be to remediate. They faced significant challenges when the COVID-19 pandemic hit and everyone started working remotely. The IT team quickly found itself beset with issues that took days to resolve. 

Hard to maintain reliability

Traditional VPNs rely on a single access point for client connectivity. That introduces single points of failure to your network. If an access point goes down, everyone connected to it is kicked off the internal network. As a result, users perceive traditional VPNs as unstable and unreliable. 

Difficult to secure

By default, a traditional VPN solution grants all-or-nothing access to a network. That provides a pathway for unauthorized users who gain VPN access to attack sensitive parts of the internal network. 

Restricting access to internal resources can be done with traditional VPNs. However, it’s often tricky to configure correctly and can carry unintended consequences. You can accomplish this using a Privileged Access Management (PAM) system or with firewall micro-segmentation. However, this requires numerous touchpoints and frequent IP range updates.

The architecture of traditional VPN solutions also makes it harder to provide access to vendors, partners, and other non-employee stakeholders. Because of the risk to the internal network, most companies only allow users to connect if they’re using a device issued and managed by the company. That can add days or weeks onto ramping up new vendors and partners delaying completion of shared projects. 

How Tailscale simplifies VPN connectivity 

By contrast, Tailscale offers a simplified approach to secure remote access. 

Based on the open source WireGuard protocol, Tailscale uses a mesh network approach to architecting private networks. In a mesh network, individual nodes don’t communicate through a centralized access point. Instead, they talk directly to one another. 

Ten nodes, each connected with each other, resulting in 90 different endpoints.

A Tailscale point-to-point mesh network minimizes latency

Compared to a traditional VPN solution, setting up a Tailscale VPN is easy. After users create a Tailscale account and join their organization, they download and set up the Tailscale VPN client. The client then obtains a public encryption key from Tailscale’s control plane that it uses with the private key that resides on the node to encrypt traffic between nodes. 

Network administrators use integrations with identity providers (IdPs) to set up Single Sign On (SSO) and Multi-Factor Authentication (MFA). Administrators can write access control lists (ACLs) and deploy them using GitOps or through Infrastructure as Code deployments to microsegment their network.

This mesh architecture has numerous benefits over a traditional VPN solution: 

  • Setup is easy and can be done within a day, not within weeks or months. 
  • Because remote connections are node-to-node, they’re both faster and more reliable. 
  • There are no VPN endpoints that serve as single points of failure. 
  • Security can be configured more granularly than in traditional VPNs. 

Tailscale’s underlying protocol, WireGuard, is open source, meaning that it’s transparent and can be validated independently by internal engineering teams and third-party security experts. 

What use cases does Tailscale cover? 

Tailscale supports a wide variety of use cases covered by a traditional VPN solution. What’s more, it provides an easy-to-use Web-based admin console that’s easier to manage than traditional VPN admin interfaces. 

Here are just a few of the use cases that Tailscale supports:

Secure remote networking 

Any of a company’s employees who have Tailscale installed can connect to one another or to company resources that are also running the Tailscale client or subnet routers.

Improve latency with split tunneling to only route internal traffic over the tailnet. When employees are working from a coffee shop or hotel, setting up exit nodes helps protect traffic, it works similarly to a privacy VPN. Subnet routers are a valuable resource when it’s not possible to install an agent on a device to ensure secure connectivity. 

Secure external services 

You can also connect securely to remote code environments like CodeSandbox and GitPod and more. 

Cloud resource connectivity 

Use Tailscale to set up connections between applications and cloud resources without exposing traffic through the public Internet. You can also easily secure ephemeral nodes - e.g., short-lived containers, functions, or entire CI/CD your developers create for dev/test purposes.

Zero trust access

In Tailscale’s mesh network, traffic between each node is protected by end-to-end encryption. Tailscale administrators can limit access to specific network resources based on a user’s identity using ACLs. Gaining access to a single resource gives the user zero visibility into network traffic between other applications. 

Connect from any device 

Tailscale supports multiple device types, including Windows and Linux computers, cloud computing resources, and IoT devices. You can configure subnet routers to secure access to devices that can’t run the Tailscale client or to secure entire networks (e.g., a virtual network in a cloud provider). 


A traditional VPN solution requires a team of experts and support engineers to configure and operationalize. Tailscale’s mesh network architecture provides enterprise-grade remote access features with less setup and ongoing maintenance, end-to-end security, and higher reliability and scalability. 

Want to give it a test drive? Sign up for a Tailscale account today and see the difference for yourself.

Get started with Tailscale today.

Frequently Asked Questions

Here are some answers to common questions.