VPNs encrypt traffic between two endpoints. Site-to-site VPNs connect offices to cloud VPCs; remote-access VPNs connect laptops to corporate networks. This module covers the protocols, their security properties, and the modern cloud-native alternatives.
VPN protocol families
| Protocol | Use case | Security posture |
|---|---|---|
| IPsec | Site-to-site, some remote-access clients | Strong if configured correctly; avoid IKEv1 and weak algorithms (3DES, MD5/SHA-1, DH groups 1 and 2) |
| OpenVPN | Remote access, open-source | Strong with TLS 1.2+; runs in userspace, so slower than WireGuard |
| WireGuard | Modern remote-access and site-to-site | Minimal codebase (about 4000 lines), fixed modern crypto, fast |
| L2TP/IPsec | Legacy enterprise | Acceptable only if the IPsec layer is configured properly; L2TP itself adds no security |
| PPTP | Legacy: do not use | Broken (MS-CHAPv2 authentication is cracked offline) |
| SSL/TLS VPNs | Enterprise (Cisco AnyConnect, Palo Alto GlobalProtect) | Strong protocol; the appliances are widely attacked (Pulse Connect Secure, Fortinet FortiOS CVEs) |
WireGuard: the modern default
```ini
# Server config (/etc/wireguard/wg0.conf); chmod 600, it holds the private key.
# Generate a keypair with: wg genkey | tee server.key | wg pubkey > server.pub
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.10.0.1/24
ListenPort = 51820
# Forwarding also needs net.ipv4.ip_forward=1 (sysctl). MASQUERADE hides client
# addresses behind eth0 for traffic that leaves the tunnel.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
# Cryptokey routing: only packets from this address are accepted from this peer,
# and only packets to this address are sent to it.
AllowedIPs = 10.10.0.2/32
```

```bash
# Bring up now, and on every boot
wg-quick up wg0
systemctl enable wg-quick@wg0
```
WireGuard advantages: about 4000 lines of code (easy to audit), a fixed modern cipher suite (Curve25519, ChaCha20-Poly1305, BLAKE2s) with no negotiation and therefore no downgrade attacks, an in-kernel implementation (mainline Linux since 5.6, so fast), and a single transport: UDP only. The optional PresharedKey per peer mixes a symmetric key into the handshake as a hedge against future quantum attacks on Curve25519.
Site-to-site VPN in cloud
- AWS Site-to-Site VPN: IPsec from a VPC (or Transit Gateway) to your office router; each connection provides two tunnels for high availability, so configure both
- AWS Transit Gateway: hub-and-spoke for multiple VPCs and multiple offices instead of a mesh of VPN connections
- Azure VPN Gateway: the equivalent offering for virtual networks
- AWS Direct Connect / Azure ExpressRoute / GCP Cloud Interconnect: dedicated private circuits that bypass the public internet. Note that a private circuit is not encrypted by itself; run IPsec (or MACsec where the provider supports it) over it if the data needs confidentiality in transit
VPN security pitfalls
- Split vs full tunnel: full tunnel routes all client traffic through the VPN, so corporate controls see and filter it, at a bandwidth cost; split tunnel routes only corporate prefixes through the VPN and leaves everything else on the local network, where DNS leaks and on-path attackers are back in play. Full tunnel is the stricter control.
- Pre-shared keys: avoid for site-to-site; prefer certificate-based authentication. Where a provider only offers PSK, use a long random key unique to each tunnel and rotate it.
- No MFA on client VPN: the classic failure, since a single phished password then yields a network foothold. Require MFA for every session.
- Over-broad routing: a VPN client that lands on a flat corporate network can reach everything. Segment the VPN address pool and limit what it can reach with firewall rules.
- Legacy IKEv1: deprecated (RFC 9395); use IKEv2 for IPsec.
- Unpatched VPN appliances: Pulse Connect Secure, Fortinet FortiOS and Cisco ASA/AnyConnect have all had critical CVEs in recent years, exploited in the wild. These boxes sit on the perimeter and cannot run an EDR agent, so patch them within days, not weeks.
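The WireGuard config above and the split/full-tunnel and over-broad-routing pitfalls can be checked mechanically. The following linter is an added example (not WireGuard's own tooling) that parses a wg-quick style file, flags a placeholder key, a peer that claims the default route, a subnet-sized route on a remote-access server, and duplicate AllowedIPs between peers, and classifies a client config as split or full tunnel. The sample configs, the peer keys (format-valid placeholders) and `vpn.example.com` are constructed for the demo; the "host routes only on a remote-access server" threshold is a policy assumption, not a WireGuard rule.

```python
"""Lint a wg-quick style WireGuard config for the pitfalls above (added example)."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# A WireGuard key is 32 bytes: 44 base64 characters ending in '='.
KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")

Section = Dict[str, str]
Finding = Tuple[str, str, str]  # (severity, code, message)


def parse_wg_conf(text: str) -> Tuple[Section, List[Section]]:
    """Parse the INI-like wg-quick format into (interface, [peers]); comments stripped."""
    interface: Section = {}
    peers: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # base64 values end in '=', split once
            current[key.strip()] = value.strip()
    return interface, peers


def allowed_networks(peer: Section) -> list:
    """AllowedIPs is a comma-separated list of prefixes; a missing key means none."""
    raw = peer.get("AllowedIPs", "")
    return [ipaddress.ip_network(p.strip(), strict=False) for p in raw.split(",") if p.strip()]


def lint_server_conf(text: str) -> List[Finding]:
    """Flag weak or dangerous settings in a remote-access server config."""
    interface, peers = parse_wg_conf(text)
    findings: List[Finding] = []
    if not KEY_RE.match(interface.get("PrivateKey", "")):
        findings.append(("high", "placeholder-key",
                         "Interface PrivateKey is not a 32-byte base64 key (placeholder left in?)"))
    owner: dict = {}  # network -> index of the peer that claimed it first
    for idx, peer in enumerate(peers, 1):
        if not KEY_RE.match(peer.get("PublicKey", "")):
            findings.append(("high", "bad-key", f"peer {idx}: PublicKey is not a valid base64 key"))
        nets = allowed_networks(peer)
        if not nets:
            findings.append(("medium", "no-allowedips",
                             f"peer {idx}: no AllowedIPs, so it can neither send nor receive"))
        for net in nets:
            if net.prefixlen == 0:
                findings.append(("high", "default-route",
                                 f"peer {idx}: AllowedIPs {net} claims the default route; the server will "
                                 "hand this peer every packet no other peer claims more specifically"))
            elif net.num_addresses > 1:
                findings.append(("medium", "subnet-route",
                                 f"peer {idx}: AllowedIPs {net} is a subnet; fine for a site-to-site "
                                 "peer, over-broad for a laptop"))
            if net in owner:
                findings.append(("high", "duplicate-allowedip",
                                 f"peer {idx}: AllowedIPs {net} already belongs to peer {owner[net]}; "
                                 "WireGuard keeps only the last claim, the earlier peer silently loses it"))
            owner[net] = idx
    return findings


def tunnel_mode(client_conf: str) -> str:
    """'full' if any peer claims a default route (all traffic via the VPN), else 'split'."""
    _, peers = parse_wg_conf(client_conf)
    for peer in peers:
        if any(net.prefixlen == 0 for net in allowed_networks(peer)):
            return "full"
    return "split"


# Constructed samples. Keys are format-valid placeholders, not real keys.
ALICE_PUB, BOB_PUB, SERVER_PUB = "A" * 43 + "=", "B" * 43 + "=", "S" * 43 + "="
SERVER_CONF = f"""
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.10.0.1/24
ListenPort = 51820
[Peer]
# alice-laptop
PublicKey = {ALICE_PUB}
AllowedIPs = 10.10.0.2/32
[Peer]
# bob-laptop: mis-configured, claims everything and alice's address too
PublicKey = {BOB_PUB}
AllowedIPs = 0.0.0.0/0, 10.10.0.2/32
"""
CLIENT_HEAD = f"[Interface]\nPrivateKey = CLIENT_PRIVATE_KEY\nAddress = 10.10.0.2/32\nDNS = 10.10.0.1\n" \
              f"[Peer]\nPublicKey = {SERVER_PUB}\nEndpoint = vpn.example.com:51820\n"
FULL_TUNNEL_CLIENT = CLIENT_HEAD + "AllowedIPs = 0.0.0.0/0, ::/0\n"
SPLIT_TUNNEL_CLIENT = CLIENT_HEAD + "AllowedIPs = 10.10.0.0/24, 10.20.0.0/16\n"

if __name__ == "__main__":
    for sev, code, msg in lint_server_conf(SERVER_CONF):
        print(f"[{sev}] {code}: {msg}")
    print("full-tunnel client:", tunnel_mode(FULL_TUNNEL_CLIENT))
    print("split-tunnel client:", tunnel_mode(SPLIT_TUNNEL_CLIENT))
```

Run it against a real /etc/wireguard/wg0.conf by passing the file contents to lint_server_conf; the duplicate check matters because wg moves a contested AllowedIPs entry to whichever peer was configured last, with no error.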
Zero-Trust Network Access (ZTNA): the VPN replacement
A traditional VPN gives you a network connection: once connected you are "inside", and what you can reach is a matter of routing and firewall rules. The zero-trust approach puts each application behind an identity-aware proxy that authenticates every request separately. You do not need a VPN to reach internal tools, because each tool checks your SSO identity, your device's trust state and its own access policy on every request rather than once at connect time.
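What "each tool authenticates you separately" means in code, as an added example (not any vendor's product): the decision logic an identity-aware proxy runs on every request. It assumes the SSO front end has already authenticated the user and issues a short-lived, HMAC-signed assertion (a stand-in for a signed OIDC token; a real deployment would verify an asymmetric signature against the IdP's public key), that the assertion is bound to one application through an `aud` claim so a wiki token cannot be replayed against payroll, and that per-app policy looks like the constructed `APP_POLICY` table below. `ISSUER_KEY` and all claims are constructed for the demo.

```python
"""Per-request authorization as an identity-aware proxy does it (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed secret shared by the SSO issuer and the proxy (assumption for the demo).
ISSUER_KEY = b"demo-issuer-key-not-for-production"

# Per-app policy (assumed values): allowed groups and what the device must look like.
APP_POLICY = {
    "wiki":    {"groups": {"staff"},   "mfa": True, "managed_device": False},
    "payroll": {"groups": {"finance"}, "mfa": True, "managed_device": True},
    "admin":   {"groups": {"sre"},     "mfa": True, "managed_device": True, "max_auth_age": 600},
}


def issue_assertion(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Issuer side: 'body.signature', body is URL-safe base64 of canonical JSON."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_assertion(token: str, now: float, key: bytes = ISSUER_KEY) -> Optional[dict]:
    """Proxy side: constant-time signature check, then decode, then expiry. None = reject."""
    body, sep, sig = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):  # bad base64 (binascii.Error) or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(app: str, token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide one request to one app. Every check runs on every request; a VPN
    would have evaluated identity once, at connect time, and then trusted the network."""
    now = time.time() if now is None else now
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown app"
    claims = verify_assertion(token, now)
    if claims is None:
        return False, "invalid or expired assertion"
    if claims.get("aud") != app:  # per-app binding: no cross-app token replay
        return False, "assertion not issued for this app"
    if policy["mfa"] and not claims.get("mfa"):
        return False, "mfa required"
    if policy["managed_device"] and not claims.get("device", {}).get("managed"):
        return False, "managed device required"
    if not set(claims.get("groups", [])) & policy["groups"]:
        return False, "group not allowed"
    max_age = policy.get("max_auth_age")
    if max_age is not None and now - claims.get("auth_time", 0) > max_age:
        return False, "re-authentication required"
    return True, "allow"


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the demo is deterministic
    base = {"sub": "alice", "groups": ["staff", "finance"], "mfa": True,
            "auth_time": NOW - 120, "exp": NOW + 300}
    wiki_tok = issue_assertion({**base, "aud": "wiki", "device": {"managed": False}})
    print("wiki from unmanaged laptop:   ", authorize("wiki", wiki_tok, NOW))
    print("same token replayed at payroll:", authorize("payroll", wiki_tok, NOW))
    pay_tok = issue_assertion({**base, "aud": "payroll", "device": {"managed": False}})
    print("payroll from unmanaged laptop:", authorize("payroll", pay_tok, NOW))
```

The contrast with a VPN is in authorize: alice reaches the wiki, but the same identity is refused at payroll from an unmanaged device and refused at admin once her login is older than the app's re-authentication window, with no network position involved in any of those decisions.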