What Are The Different Types Of VPNs?

Updated: 08-10-2021

Virtual Private Networks (VPNs) come in different types, but it's not easy to tell them apart unless you take a deeper look. VPNs can be categorized based on the technology or protocol they employ. You can also decide on the type of VPN service you need based on your personal or business needs.

Some large organizations use VPNs to provide remote workers with network access or connect branches in other parts of the world into a unified, secure network. Alternatively, such organizations give remote workers access to network resources by using VPN applications that rely on the organization's internal servers.

But all of this cannot be achieved using one type of VPN, which is why you'll find different VPN services dedicated to serving the specific needs of individuals and organizations.

Here is a preview of what's to come:

  • Difference between VPN service and VPN technology
  • VPN mechanisms
  • Trusted VPNs
  • Secure VPNs
  • Hybrid VPNs
  • Remote access VPNs
  • Site-to-site VPNs
  • Client-based VPNs
  • Dynamic Multipoint Virtual Private Network (DMVPN)
  • Mediated VPN
  • Ethernet VPN (EVPN)
  • Software VPN
  • Hardware VPN
  • Software VPN vs. Hardware VPN
  • Differences between a VPN and an IP VPN
  • Difference between a VPN server and VPN service

Difference Between VPN Service and VPN Technology

To better understand the types of VPNs available, you need to know the difference between a VPN service and a VPN technology.

VPN technology is the technology used to create secure and private communication channels between the user's device and the destination by utilizing various VPN protocols.

VPN service is the whole VPN package consisting of various VPN technologies and the features they offer. Such features include customer support, configuration tutorials, FAQ sections, etc.

VPN Mechanisms

There are two types of VPN mechanisms; a VPN service can use either or both simultaneously. The first mechanism uses private circuits leased from a secure and trusted telecommunications provider to create a trusted VPN.

On the other hand, the second mechanism sends encrypted traffic over the internet or a network controlled by external Internet Service Providers (ISPs) to create a secure VPN.

Note that secure VPNs and trusted VPNs can co-exist in a single package, which was the case when the internet was not universal. Back then, the user had to trust the VPN provider to maintain the circuits' integrity to transfer traffic. More recently, service providers have opted for a new kind of trusted VPN that uses the internet rather than the raw telephone systems used in the past.

The new type of trusted VPNs doesn't provide security but gives users a way to create network segments used in Wide Area Networks (WANs). It is a requirement that the network administrator knows the extent of the VPN and the kind of traffic sent over the paths/circuits regardless of the VPN type in use.

To have a better understanding of these VPN mechanisms, here's a detailed explanation:

Trusted VPNs

As earlier mentioned, trusted VPNs use leased private circuits to send traffic. However, over the years, the implementation of trusted VPNs has changed from privately leased circuits from telecommunication providers to private Internet Protocol (IP) networks leased from ISPs.

Trusted VPNs move traffic over a set of paths with specified properties. The paths are usually controlled by one ISP or a group of trusted ISPs. This allows users to handle their own routing and implement their own private IP addressing schemes. In addition, the users trust the ISPs not to change any of the VPN paths or insert their own traffic on the VPN.

Trusted VPN Technologies

Technologies used in a trusted VPN can be separated into Layer 2 and Layer 3 VPNs.

Layer 2 VPN technologies include:

  • Asynchronous Transfer Mode (ATM) circuits.
  • Frame relay circuits.
  • Transport of layer 2 frames over MPLS.

Layer 3 VPN technologies include:

  • MPLS with constrained distribution of routing information through Border Gateway Protocol (BGP).

MPLS/VPN Service Implementation

MPLS operates at a network layer known as "Layer 2.5," an intermediate between the data link and the network layer. It emulates the same properties found in a circuit-switched network over a packet-switched network. Large corporations using trusted VPNs are slowly moving from ATM to MPLS/VPN technology.

In an MPLS/VPN technology, a Provider Edge (PE) Egress router, which uses a specific Label Switched Path (LSP), assigns different labels to each packet of information.

After that, the labels are switched across the core until they reach the Ingress PE router, the end destination.

MPLS establishes a trusted VPN network by providing a separate private routing table for every user; this process is known as Virtual Routing and Forwarding (VRF).
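
The per-customer routing table described above, as an added example that is not part of the original article. It is a toy model, not router code: the port names, next-hop names, labels and prefixes are all constructed. It shows why two customers can reuse the same private prefix, and why a packet with no route in its own VRF is dropped instead of being looked up in another customer's table.

```python
import ipaddress


class ProviderEdge:
    """Toy PE router: one private routing table (VRF) per customer."""

    def __init__(self):
        self.vrfs = {}    # VRF name -> list of (network, next_hop, label)
        self.ports = {}   # customer-facing port -> VRF name

    def bind(self, port, vrf):
        self.ports[port] = vrf
        self.vrfs.setdefault(vrf, [])

    def add_route(self, vrf, prefix, next_hop, label):
        self.vrfs[vrf].append((ipaddress.ip_network(prefix), next_hop, label))

    def forward(self, port, dst):
        """Longest-prefix match, restricted to the VRF bound to the ingress port."""
        vrf = self.ports[port]
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.vrfs[vrf] if addr in r[0]]
        if not matches:
            return None   # no route in this VRF: drop, never consult another table
        net, next_hop, label = max(matches, key=lambda r: r[0].prefixlen)
        return {"vrf": vrf, "prefix": str(net), "next_hop": next_hop, "label": label}


def build_demo_pe():
    """Constructed sample: two customers that both use 10.1.0.0/16 internally."""
    pe = ProviderEdge()
    pe.bind("port-a", "CUST_A")
    pe.bind("port-b", "CUST_B")
    pe.add_route("CUST_A", "10.1.0.0/16", "pe-east", 100)
    pe.add_route("CUST_A", "10.1.5.0/24", "pe-west", 101)
    pe.add_route("CUST_B", "10.1.0.0/16", "pe-north", 200)
    pe.add_route("CUST_B", "192.168.50.0/24", "pe-north", 201)
    return pe


if __name__ == "__main__":
    pe = build_demo_pe()
    # Same destination address, different ingress port, different result.
    for port, dst in [("port-a", "10.1.5.9"), ("port-b", "10.1.5.9"),
                      ("port-a", "192.168.50.1")]:
        print(port, dst, "->", pe.forward(port, dst))
```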

ATM Circuits Implementation

ATM is a packet-switching protocol that works at the data link layer. It supports voice and data communications and uses fixed-sized packets instead of variable-sized packets. This VPN mechanism does not employ the routing mechanism used in data link technologies such as Ethernet. Instead, it establishes point-to-point connections between two endpoints and begins the data interchange function.

Frame-Relay Circuits Implementation

Frame relay is a packet-switching technology used mainly for WAN links. The packets have identifiers that ensure they're routed to the right destination.

The identifier makes it possible for service providers to implement service guarantees, such as bandwidth and latency. Frame relay circuits are easy to configure and are less expensive than leased circuits. In addition, they can run over MPLS and obtain traffic prioritization and management benefits.

Trusted VPN Requirements

Here are the requirements of a trusted VPN:

  • Only the trusted VPN provider can create or modify a path in the VPN.
  • Only the trusted VPN provider can change, inject, or delete data on any given path in the VPN.
  • It's essential to establish the routing and addressing that will be used before the creation of the VPN.

Secure VPNs

As the name suggests, secure VPNs transmit sensitive information over the internet securely. This is because a secure VPN encrypts all the traffic to such a level that if anyone copies the traffic, they won't be able to access or read its contents.

Secure VPNs are particularly used in remote access connections where a remote user uses an external network not controlled by an organization's network administrator, such as Wi-Fi from a hotel room, airport, or home network.

Secure VPN Technologies

Below are the technologies used in a secure VPN:

IPsec With Encryption

This type of VPN technology can either be used in the tunnel or transport mode. In addition, you can use Internet Key Exchange (IKE) to set up security associations or do it manually.

IPsec Within L2TP

This type of VPN technology is specifically used in the deployment of client-server remote-access VPNs.

SSL 3.0 Or TLS With Encryption

Of the technologies supported by a secure VPN, SSL 3.0 is the only one not standardized by the Internet Engineering Task Force (IETF).

Secure VPN Requirements

Here are the requirements of a secure VPN:

  • All the traffic passing through a secure VPN needs to be encrypted and authenticated.
  • All parties (both the sender and destination) need to agree on the security properties of the VPN.
  • It should be impossible for an attacker to affect or change the security properties of the VPN.
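
The three requirements above, as an added example that is not part of the original article. It is a toy negotiation, not IKE or TLS: the pre-shared key, the proposal names and the policy floor are constructed for the illustration. The responder authenticates the whole offer it saw together with its choice, so the initiator detects a path that removed the stronger proposal before delivery.

```python
import hashlib
import hmac
import json

PSK = b"constructed-demo-psk"      # constructed key, shared by both peers out of band
WEAK_ENC = {"null", "des"}         # assumption: this example's local policy floor


def acceptable(p):
    """Requirement 1: every proposal must both encrypt and authenticate."""
    return p["enc"] not in WEAK_ENC and p["auth"] != "none"


def transcript_mac(key, offer, choice):
    """MAC over the full offer AND the choice, so neither can be altered unnoticed."""
    blob = json.dumps({"offer": offer, "choice": choice}, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def responder(key, offer_seen, supported):
    """Pick the first offered proposal that is supported and passes policy."""
    for p in offer_seen:
        if p in supported and acceptable(p):
            return {"choice": p, "mac": transcript_mac(key, offer_seen, p)}
    return None


def initiator_check(key, offer_sent, reply):
    """Requirements 2 and 3: agree on the choice, prove the offer was not changed."""
    if reply is None:
        return "rejected: no acceptable proposal"
    choice = reply["choice"]
    if choice not in offer_sent or not acceptable(choice):
        return "rejected: choice outside offer or policy"
    expected = transcript_mac(key, offer_sent, choice)
    if not hmac.compare_digest(expected, reply["mac"]):
        return "rejected: offer modified in transit"
    return "accepted: " + choice["enc"] + "+" + choice["auth"]


STRONG = {"enc": "aes-256-cbc", "auth": "hmac-sha-256"}
LEGACY = {"enc": "aes-128-cbc", "auth": "hmac-sha-1"}


def run_exchange(offer, network=lambda o: o):
    """`network` models the path; the default delivers the offer unchanged."""
    reply = responder(PSK, network(offer), supported=[STRONG, LEGACY])
    return initiator_check(PSK, offer, reply)


if __name__ == "__main__":
    print(run_exchange([STRONG, LEGACY]))
    print(run_exchange([STRONG, LEGACY], network=lambda o: o[1:]))  # STRONG removed
    print(run_exchange([{"enc": "null", "auth": "hmac-sha-256"}]))
```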

Hybrid VPN

When a secure VPN sends traffic over a trusted VPN network, it creates a hybrid VPN. When two kinds of secure VPNs are combined into one gateway, e.g., IPsec and Secure Sockets Layer (SSL), they still form a hybrid VPN.

Secure VPNs and trusted VPNs serve different purposes. The main difference between the two is that secure VPNs only provide enhanced security but with no assurance of paths, while trusted VPNs provide assurance of paths, such as QoS, but with no guaranteed security. To tackle the weaknesses of the two mechanisms, many organizations opt for hybrid VPNs.

Hybrid VPN Technologies

Below are the technologies used in a hybrid VPN:

  • Any supported secure VPN technologies that run over any supported trusted VPN technology.

For a hybrid VPN, only the parts based on secure VPNs are secure. For this reason, do not expect an increase in security if you add a secure VPN to a trusted VPN; the secure VPN will acquire the advantages of a trusted VPN, such as the QoS features.

Hybrid VPN Requirements

Here are the requirements of a hybrid VPN:

  • There should be a clear address boundary of the secure VPN within the trusted VPN.

In-Depth Look Into The Different Types Of VPNs

There are various types of VPNs, as discussed below:

Remote Access VPN

This type of VPN securely connects a user's device to the corporate network. Users can request information from the corporate server using their devices, e.g., smartphones, tablets, and laptops, and receive responses while their online identity remains secure.

Remote access VPNs offer remote workers secure access to the enterprise network regardless of their physical location. But for this type of VPN connection to work, users need to install dedicated VPN applications on their devices.

Site-to-site VPN

This type of VPN securely connects an organizational head office to branch offices across the globe over the internet. It's the best type of VPN when it is impractical or difficult to achieve direct network connections between branch offices.

Establishing and maintaining a site-to-site VPN connection requires specialized equipment. Think of a site-to-site VPN as a VPN that connects different networks to achieve the same goal: the secure transfer of resources within the networks.

Site-to-site VPNs come in two types:

Intranet VPN

This type of site-to-site VPN provides internal connectivity within an organization. It extends internal organizational resources from the headquarters to regional or branch offices. Intranet VPNs are usually created in secure tunnels via an IP network.

Intranet VPN connects new sites easily and reduces WAN bandwidth costs. It also enables WAN link redundancy, which increases the network uptime.

Extranet VPN

This type of site-to-site VPN extends the intranet VPN limit by giving authorized external users access to intranet VPN servers.

Extranet VPN protocols

Extranet employs the same protocols used in implementing intranet. These protocols include the IPsec/GRE network layer protocol and the L2TP/L2F data link layer protocol. The main difference is that extranet users are granted access permission after connecting to the network, while intranet users are not granted such permission.

Client-Based VPN

This is a VPN connection created between a user and a remote network using an application. First, the user has to manually launch the application and provide authentication with a username and password. Then, the application creates an encrypted tunnel between the user's device and the remote network.

Dynamic Multipoint Virtual Private Network (DMVPN)

DMVPN is a routing technique used to build a VPN network with multiple sites without configuring all the devices. Think of it as a 'hub-and-spoke' network where the spokes communicate without going through the hub.

IPsec encrypts DMVPN traffic and is an excellent alternative to MPLS VPN.

VPN routers and firewall concentrators usually run the DMVPN service by connecting the corporate headquarters VPN hub with remote sites configured in the router. It is a 'hub-and-spoke' network where each spoke (site) connects directly with other spokes no matter their physical location, as long as each spoke is configured to connect to the hub (the company's headquarters VPN device).

When two sites need to exchange data, they first contact the hub, obtain information about the other end, and then create a dynamic IPsec VPN tunnel.

In a DMVPN setup, traffic between remote sites does not need to pass through the hub, eliminating additional bandwidth requirements. This also eliminates additional network relays and lowers VPN circuit costs.

DMVPN Technologies

  • Multipoint GRE (mGRE).
  • Next Hop Resolution Protocol (NHRP).
  • Routing (RIP, EIGRP, OSPF, BGP).
  • IPsec (recommended).
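
The spoke-to-spoke behaviour described above, as an added example that is not part of the original article. It models only the address lookup at the hub and the path each packet takes, not NHRP message formats or IPsec encryption; the tunnel and public addresses are constructed (documentation ranges). Comparing the two modes shows the hub answering one lookup and then carrying no spoke-to-spoke traffic.

```python
class Hub:
    """Headquarters device: keeps the overlay-to-public address map for all spokes."""

    def __init__(self):
        self.mappings = {}        # spoke tunnel IP -> spoke public IP
        self.resolutions = 0      # control-plane lookups answered
        self.relayed_packets = 0  # data-plane packets carried on behalf of spokes

    def register(self, tunnel_ip, public_ip):
        self.mappings[tunnel_ip] = public_ip

    def resolve(self, tunnel_ip):
        self.resolutions += 1
        return self.mappings.get(tunnel_ip)


class Spoke:
    def __init__(self, tunnel_ip, public_ip, hub):
        self.tunnel_ip, self.public_ip, self.hub = tunnel_ip, public_ip, hub
        self.dynamic_tunnels = {}            # peer tunnel IP -> peer public IP
        hub.register(tunnel_ip, public_ip)   # every spoke is configured with the hub

    def send(self, dst_tunnel_ip, dmvpn=True):
        """Return the list of hops one packet takes; empty list means not delivered."""
        if not dmvpn:                        # classic hub-and-spoke: hub carries it
            if dst_tunnel_ip not in self.hub.mappings:
                return []
            self.hub.relayed_packets += 1
            return [self.public_ip, "hub", self.hub.mappings[dst_tunnel_ip]]
        if dst_tunnel_ip not in self.dynamic_tunnels:
            peer_public = self.hub.resolve(dst_tunnel_ip)   # ask the hub once
            if peer_public is None:
                return []                    # unknown spoke: no tunnel is built
            self.dynamic_tunnels[dst_tunnel_ip] = peer_public
        return [self.public_ip, self.dynamic_tunnels[dst_tunnel_ip]]


def simulate(packets, dmvpn):
    """Send `packets` packets from site A to site B and report the load on the hub."""
    hub = Hub()
    a = Spoke("10.0.0.2", "198.51.100.10", hub)
    b = Spoke("10.0.0.3", "203.0.113.20", hub)
    paths = [a.send(b.tunnel_ip, dmvpn=dmvpn) for _ in range(packets)]
    result = {"last_path": paths[-1], "resolutions": hub.resolutions,
              "relayed_packets": hub.relayed_packets}
    result["unknown_peer_path"] = a.send("10.0.0.99", dmvpn=dmvpn)
    return result


if __name__ == "__main__":
    print("DMVPN:        ", simulate(100, dmvpn=True))
    print("hub-and-spoke:", simulate(100, dmvpn=False))
```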

Mediated VPN

This is a VPN topology that connects two or more participants to a central switchboard server managed by a third party to create a VPN connection between them. The switchboard server or the mediator manages several VPNs and identifies each individual by their authentication credentials, e.g., username and password.

The mediator assigns IP addresses to each participant and encrypts data through the switchboard server. It's different from a standard VPN service where users connect to a VPN concentrator managed by the organization.

Ethernet VPN (EVPN)

This type of VPN enables users to connect to dispersed customer sites via a Layer 2 virtual bridge. It consists of Customer Edge (CE) devices such as routers and switches connected to Provider Edge (PE) routers. PE routers often include the MPLS edge switch (MES), which acts as the MPLS infrastructure edge.

Multiple EVPNs can be deployed within a single service provider network to provide network connectivity to customers while maintaining the privacy of traffic shared within the network. In addition, EVPNs use the BGP control plane infrastructure to provide greater scale and the ability to separate devices from each other.

EVPN Functionalities

EVPNs provide the following functionalities:

  • Supports segmented service tunnels across many domains.
  • Supports peer-to-peer services between a pair of CE devices operating in an all-active mode.
  • Provides auto-discovery and signaling using one protocol based on BGP.
  • Provides local switching.
  • Provides flexible cross-connect services.
  • Provides multi-homing services to CE devices.

Software VPN

A software VPN connects a client application installed on the user's device to an encrypted VPN server owned by the corporation or a commercial VPN provider. Most web browsers and operating systems support VPN protocols, thus making it possible for software-based applications to establish VPN connections on the client device.

There are some operating systems with pre-installed VPN client software; the user only needs to establish a VPN connection by providing some vital information such as the VPN server address and the kind of VPN connection they need. On the other hand, third-party software VPNs are those not built into the OS and are usually classified based on their protocols.

Hardware VPN

This standalone device has a dedicated processor that runs all VPN functions and multiple other security functions. Some of the security functions include encryption, authentication, and Role-based Access Control (RBAC). One example of a modern-day hardware VPN is a VPN router used to secure traffic in large organizations.

Software VPN vs Hardware VPN differences

Software VPNs and Hardware VPNs differ in terms of cost, deployment, and scalability. But the main difference between the two is that software VPNs connect the client application to a secure VPN server. In contrast, hardware VPNs are basically devices with processors and virtual security elements.

Software VPNs are cheaper, easier to set up, and have better scalability compared to hardware VPNs. They don't require an expert to set up, and the network administrator can easily add more instances. All a user needs to do is install the VPN client application if it's not already installed on their device.

Hardware VPNs are ideal for large organizations that need extra data security on their internal network connections. However, they require an expert to do the manual configuration.

Differences Between A VPN And An IP VPN

VPNs allow users to connect to their primary network remotely using the public internet. Remote workers can also use VPNs to connect to their organization's intranet and access shared resources on their work computers.

On the other hand, IP VPNs establish seamless connectivity to the primary network across an ISP by using MPLS technology to avoid the public gateway and prioritize internet traffic.

The major difference between the two lies in the OSI model layer at which they're classed. VPNs usually fall under layers 3 and 4 because they establish a connection via the public internet and use a public gateway to connect.

As a result, they're more vulnerable to Distributed Denial of Service (DDoS) attacks that flood the network and consume available bandwidth.

IP VPNs usually fall in Layer 2 because they establish a private connection to each remote site and avoid the public internet.

They use MPLS capabilities to prioritize an organization's internet traffic such that mission-critical applications receive the bandwidth they need and less important traffic is put on hold.

VPNs are ideal for individuals or small businesses with no remote employees. On the other hand, IP VPNs are ideal for medium to large organizations with multiple remote employees and branches. Also, they're best used to transfer internet traffic that requires prioritization.

Difference Between A VPN Server And VPN Service

A VPN server and a VPN service may seem similar because they operate using the same technology, but they have distinct differences and serve different purposes. Below is an illustration that may help you understand the differences between the two terms:

If you're a worker who travels from one location to another regularly but needs to access your work computer in the office, then a VPN server would be ideal. You can compare a VPN server to application software that runs on your work computer 24/7, waiting for a remote connection from you, the user.

When you establish a connection to the VPN server, you receive access to your work computer and corporate resources in the office network just as if you're present in person at the office.

On the other hand, you use a VPN service when you intend to connect to the internet anonymously without having to worry about ISPs and the government snooping on your internet activity. You'll need a commercial VPN provider that will hide your original IP address and send your traffic to an already set up VPN server in a country of your choice.

The VPN server is designed to relay data securely between your device and the destination/website you want to access. You may need to pay a small fee to use a commercial VPN service, given that free VPNs cannot be trusted.

Note that you cannot use a commercial VPN to connect to your work computer remotely. You'll need to set up the work computer to be a VPN server, but this does not guarantee online anonymity because the remote computer IP would still be visible to the outside world.


There are various types of VPNs serving different needs. For example, individuals who just want to browse the internet anonymously can opt for client-based VPNs. In contrast, organizations concerned about their data security can opt for business-oriented VPNs, such as remote access VPNs or site-to-site VPNs.

If you're concerned about online privacy, you need to have a clear idea of the VPN types available and choose one that meets your needs and expectations.
