What Is A Site-To-Site VPN?

Updated: 08-11-2021

A site-to-site Virtual Private Network (VPN) creates an encrypted link between multiple networks. It’s mostly used to connect a central office with other branch offices in a corporate organization.

Remote offices can access an organization’s resources and network via a site-to-site VPN.

A site-to-site VPN connection enables the central office to communicate with its remote offices within a single network. It utilizes a VPN tunnel to encrypt traffic on one end and sends it over the internet to its destination, where it’s decrypted.

This article explains what a site-to-site VPN is, covering the use of site-to-site VPNs in organizations.

You’ll also learn:

  • Ways to establish a site-to-site VPN
  • Benefits of a site-to-site VPN
  • Things to consider before adopting a site-to-site VPN
  • Site-to-site VPN alternatives
  • And more

Without much ado, here's all you need to know about a site-to-site VPN.

What Is a Site-to-Site VPN?

A site-to-site VPN securely connects two or more networks through gateway hardware. Organizations commonly use them in Wide Area Networks (WANs) to connect the Local Area Networks (LANs) of branch offices in different geographical locations without installing VPN software on every client device. Organizations using site-to-site VPNs typically house their servers on a primary network.

Site-to-site VPNs rely on Transmission Control Protocol/Internet Protocol (TCP/IP), the protocol suite that grew out of the Advanced Research Projects Agency Network (ARPANET), the original packet-switching network, to organize data into packets transmitted across the internet.

Difference Between Personal and Corporate VPNs

Large organizations transfer huge amounts of data and need a VPN that can handle such a workload. Typical VPNs used for torrenting or encrypting personal data cannot.

Consumer or regular VPNs are designed for individuals who want to access the internet securely and anonymously, but they don’t meet the needs of large organizations.

A site-to-site VPN is an example of a corporate VPN that is ideal for large organizations. Below are different types of VPNs available today:

Remote access VPNs: These are consumer-grade VPNs designed to hide an individual’s IP address and secure their data online. Examples include:

  • NordVPN
  • ExpressVPN
  • CyberGhost VPN
  • And more

Intranet-based site-to-site VPNs: They connect multiple LANs to make a WAN, eventually pooling resources across an organization with many branches.

Extranet-based site-to-site VPNs: This is a corporate VPN designed for organizations working together and sharing specified information. However, each organization still maintains its own security and internal communication channels used by internal workers.

How To Establish a Site-to-Site VPN

You can establish site-to-site VPN connections in two ways, namely:

  • Internet VPN method
  • Multiprotocol Label Switching (MPLS) VPN method

Internet VPN method

This method utilizes the company’s own network and public infrastructure to establish a site-to-site VPN connection. It requires a VPN gateway, which can be a router, firewall, or VPN concentrator, at both sites.

The gateway encrypts traffic from one site and sends it through an encrypted tunnel over the internet to a peer VPN gateway.

The VPN gateway then decrypts the data and relays it to the remote user or office LAN. The main advantage of the internet-based method lies in its cost-effectiveness as compared to the MPLS method.

MPLS method

MPLS is a relatively new method that establishes a site-to-site connection by connecting to a carrier-provided MPLS cloud instead of the internet. It does not use the organization’s network but instead uses the VPN provider’s infrastructure.

The provider then creates virtual connections between the organization and remote users across its own MPLS network.

Compared to the internet-based method, the primary advantage of the MPLS method is the ease of deployment and better network performance. This method works best for organizational video conferencing and Voice over Internet Protocol (VoIP).

MPLS does not forward traffic based on network addresses; instead, it chooses the shortest path.

Benefits of Site-to-Site VPN

Site-to-site VPNs are better than traditional VPN clients, but this depends on the needs and size of the organization. Some of the benefits of site-to-site VPNs to organizations and users include:

Traffic Encryption

All the traffic passing through a site-to-site VPN is encrypted at the source and decrypted when it arrives at its destination. The gateways authenticate each other with digital certificates, which requires a Public Key Infrastructure (PKI) to deploy. For this reason, hackers and internet eavesdroppers can’t see or access the data in transit.

Uses a Simple Network Architecture

In a site-to-site VPN, branch offices can use internal addresses to access each other's resources because the traffic remains internal. Other network architectures usually require converting internal Internet Protocol (IP) addresses to external IP addresses for the data to be accessible to users.

Access Control

In a site-to-site VPN, traffic originating from outside of the network is blocked from accessing resources inside a VPN tunnel. As a result, network resources are only accessible internally to organizational users but not external users.

Easier Deployment

A site-to-site VPN connection does not require users to install and run VPN client software; it only requires a gateway at each location. Therefore, it is much easier to add a new branch office to the network than to do the same with a remote access VPN.

Lower Latency

You can achieve lower latency with a site-to-site VPN by routing traffic over MPLS rather than the public internet, but this comes at a higher cost.

Other notable benefits of a site-to-site VPN include:

  • Easily deployable and can be offered as a managed service by enterprises or service providers.
  • Can be implemented over any IP-enabled network, such as the internet.
  • Organizations that use IPsec site-to-site VPNs have complete control of their WAN routing, unlike those that use MPLS.

Differences Between a Site-to-Site VPN and a Remote Access VPN

The main difference between a site-to-site VPN and a remote access VPN is the topology of the connections.

Remote access VPN

A remote-access VPN provides a secure network connection to remote users. It is more of a temporary connection that users utilize to access data center applications from their organization's headquarters.

In a remote access VPN, a Secure Sockets Layer (SSL) VPN typically connects the user’s endpoint to the VPN gateway.

When a user wants to connect to the VPN, the client needs to initiate the VPN tunnel setup. The VPN gateway on the organization's network then authenticates the user and creates a VPN tunnel with the VPN gateway as one endpoint.

After creating a VPN tunnel, the user can send encrypted data across the tunnel, and then the VPN gateway decrypts and reads the data.

The same thing happens when the user receives any data; the user’s device decrypts the data and reads it.

Site-to-site VPN

A site-to-site VPN is a permanent connection that works as an encrypted link between sites by setting up an IPsec network connection. This type of VPN connects different corporate layers.

For instance, if a corporate organization has branch offices in different locations and uses different Local Area Networks (LANs), a site-to-site VPN can utilize one VPN gateway from the central office to communicate with a VPN gateway of a branch office.

This communication involves creating a VPN tunnel between the VPN gateways. When that happens, the VPN user does not need to install any client software on their device.

Similarities Between a Site-to-Site VPN and Remote-Access VPN

  • Both connect to a VPN gateway within an organization’s network.
  • Both provide data encryption for the traffic that flows between the remote user and organization headquarters.

Differences Between Remote-Access VPN and Site-to-Site VPN

  • In a remote access VPN, the client software needs to be installed on the user’s device. On the other hand, a site-to-site VPN does not require client software to be installed on the user’s device.
  • In a remote access VPN, the user initiates the VPN tunnel setup, while in a site-to-site VPN the user is not required to initiate the VPN tunnel setup.
  • Also, in a remote access VPN, the user’s device employs a VPN tunnel to communicate with the VPN gateway. On the flip side, in a site-to-site VPN connection, the VPN gateway from one Local Area Network communicates with the VPN gateway of another Local Area Network by creating a secure VPN tunnel.

How Are Site-to-Site VPNs Limited?

Site-to-site VPN connections are great for organizations that can maintain their own in-house data centers, have highly sensitive applications, and require minimal bandwidth to operate.

A site-to-site VPN typically uses a hub-and-spoke topology, where the hub is the central office connected to multiple branch offices (the spokes). The major limitation of such a connection is that if the central office network fails, all network communication fails with it.

Additionally, such a Wide Area Network (WAN) topology regularly suffers from a lack of redundancy. The central office or hub can be overwhelmed when multiple branch offices or spokes have high demand or request the same resource simultaneously.

Nowadays, most organizations have many remote workers and store their applications and data in the cloud. For this reason, site-to-site VPNs are becoming less popular because remote workers can access the organization’s resources directly from the cloud without having to go through an in-house data center first.

This is because such organizations have realized the need to set up different network topologies that can access the cloud or data center without bringing all the traffic back to the central office.

Site-to-site VPN connections do not support IPv6 traffic on their virtual private gateway. IPv6, the most recent IP protocol, makes packet processing efficient and has better auto-configuration capabilities than IPv4, which site-to-site VPN connections use.

Site-to-site VPNs using standard IPsec tunnels are difficult to scale because they need to be provisioned between each IPsec VPN gateway, especially if full mesh connectivity is required.

Full mesh connectivity is a mesh network topology with all its nodes connected to each other.

This type of network topology creates an alternative route for information between users; if one node or connection fails, it won’t prevent other users from accessing information.

Dynamic routing of information in an IPsec site-to-site VPN is more complicated than when using MPLS. This is because each site-to-site VPN gateway must be an IP routing peer of the other VPN gateways.

Site-to-site VPN connections do not support multiprotocol and IP multicast traffic unless you introduce Generic Routing Encapsulation (GRE) tunnels or Virtual Tunnel Interfaces (VTI).

GRE tunnels provide a private path for the transportation of data packets on a public network, while VTI uses static routes to send traffic over an encrypted tunnel.

A lack of built-in security in site-to-site VPNs means that all connections must pass through the central office/headquarters for security inspection.

This backhauling creates network latency and burdens the central office network.

Because site-to-site VPN connections are independent of each other, it’s difficult for the organization to maintain and control its network traffic as a whole. As a result, administrators may have a rough time detecting and responding effectively to distributed attacks across the WAN.

It’s also difficult for network administrators to configure and manage site-to-site VPNs because they must set up and monitor each site-to-site VPN tunnel individually.

Site-to-site VPNs do not conduct content inspection but only encrypt the connection between two points.

Things To Consider Before Opting for a Site-to-Site VPN

No matter the method used to create a site-to-site VPN connection, there are a few factors that an organization needs to consider before setting up a site-to-site VPN. They include:

  • Size of the workforce.
  • Total number of locations.
  • Distance between the locations.
  • Resource-sharing needs.

How To Keep a Site-to-Site VPN Secure

To keep a site-to-site VPN secure, consider these steps:

A site-to-site VPN must have solid cryptography to protect traffic passing through its encrypted tunnel and ensure data confidentiality. Network administrators must verify that the cryptography algorithm complies with the Committee on National Security Systems Policy (CNSSP) 15.

CNSSP 15 is the policy that specifies the public standards used for cryptographic protocols and algorithms.

Site-to-site VPN network administrators must apply vendor-provided patches to VPN gateways and user devices.

Avoid utilization of any default VPN settings and remove unused cryptography suites. This mitigates the risk of leaving encrypted VPN tunnels vulnerable to decryption.

Organizations should be aware of the vulnerabilities present in hardware and software that could compromise VPN traffic.
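As an added example (not from the original article), the following Python script audits IKE/ESP proposal strings in the strongSwan token style (e.g. "aes256gcm16-prfsha384-ecp384") against an allow-list derived from the Commercial National Security Algorithm (CNSA) Suite that CNSSP 15 references, so an administrator can see which default or unused suites to remove. The allow-list contents and the sample "default-like" proposals are my assumptions, constructed for illustration; confirm them against the current policy text and your gateway's actual configuration.

```python
import re

# Assumption: CNSA Suite values referenced by CNSSP 15 (AES-256, SHA-384,
# ECDH P-384, DH >= 3072 bits). Verify against the current policy before use.
APPROVED = {
    "encryption": {"aes256", "aes256gcm16", "aes256gcm12", "aes256gcm8"},
    "integrity": {"sha384"},
    "prf": {"prfsha384"},
    "dh": {"ecp384", "modp3072", "modp4096", "modp6144", "modp8192"},
}

# Classify a strongSwan-style proposal token by its prefix. Order matters:
# "prf" is tested before integrity so "prfsha384" is not read as "sha...".
TOKEN_CLASS = [
    ("encryption", re.compile(r"^(aes|3des|des|chacha20|camellia|null)")),
    ("prf", re.compile(r"^prf")),
    ("integrity", re.compile(r"^(sha|md5|aesxcbc|aescmac)")),
    ("dh", re.compile(r"^(modp|ecp|curve|x25519|x448)")),
]

# Constructed samples: a permissive, default-looking set and a hardened set.
DEFAULT_LIKE = ["aes128-sha256-modp3072", "aes256-sha1-modp1024", "3des-sha1-modp1024"]
HARDENED = ["aes256gcm16-prfsha384-ecp384", "aes256-sha384-modp4096"]


def classify(token):
    """Return the algorithm class of one token, or 'unknown'."""
    for kind, pattern in TOKEN_CLASS:
        if pattern.match(token):
            return kind
    return "unknown"


def audit_proposal(proposal):
    """Return the tokens in one proposal that are not on the approved list.

    Unknown tokens are flagged too: anything the auditor cannot classify
    should be reviewed rather than silently accepted.
    """
    return [t for t in proposal.split("-") if t not in APPROVED.get(classify(t), set())]


def audit_proposals(proposals):
    """Map each proposal to its non-compliant tokens (empty list = compliant)."""
    return {p: audit_proposal(p) for p in proposals}


def compliant_only(proposals):
    """Keep only fully compliant proposals, i.e. what should stay configured."""
    return [p for p, bad in audit_proposals(proposals).items() if not bad]


if __name__ == "__main__":
    for proposal, bad in audit_proposals(DEFAULT_LIKE + HARDENED).items():
        status = "OK" if not bad else "REMOVE (weak/unapproved: " + ", ".join(bad) + ")"
        print(f"{proposal:32} {status}")
```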

Overview of a Site-to-Site VPN Example Setup

Company X, based in New York, decides to open branches in Europe and Asia. The branches are located in Paris, Stockholm, Manila, and Seoul.

The company has about ten employees at the overseas branches who need to access the company resources from the headquarters in New York.

The company might decide to employ a dedicated connection from each site to the headquarters, but given that there are minimal network demands, it’s best to use a site-to-site VPN that connects all locations at once.

The cost of creating site-to-site VPN connections will be much less compared to using a dedicated connection for all overseas branches.

Alternatives to Site-to-Site VPNs

If site-to-site VPNs aren't the best choice for you, here are other alternatives worth checking out.

Secure Access Service Edge (SASE)

SASE is an emerging cybersecurity concept that lets traffic reach the cloud or data center directly without bringing it all back to the central office. It is more secure than a site-to-site VPN because it incorporates advanced threat prevention, credential theft prevention, sandboxing, and data loss prevention.

It helps organizations to securely connect to their remote offices by routing traffic to public or private clouds.

SASE offers organization users immediate and uninterrupted access to resources no matter their location. With SASE, more traffic goes to the public cloud services and branch offices than the traffic traveling back to the data center.

It is a better approach compared to site-to-site VPN connections because it can handle many remote users.

SASE is a cloud-delivered service model based on entity identity, real-time context, and continuous risk assessment. Many organizations are adopting SASE because it delivers secure access to data regardless of the user's location.

Benefits of SASE

It is more flexible compared to site-to-site VPN connections. Organizations can easily implement security services such as threat prevention, data loss prevention, and firewall policies.

This method is also cost-effective, given that organizations can manage multiple point products from a single platform.

Organizations can utilize SASE to simplify their IT infrastructure and consolidate their security stack into a cloud-based model.

Users can easily access organizational resources from the cloud from wherever they are, thanks to this method.

SASE implements data protection policies and prevents unauthorized access to sensitive data.

Lastly, organizations can quickly identify users, devices, and applications that access their cloud resources.

Remote Access VPN

With remote access VPNs, employees can access the organization’s LAN from wherever they are. To do so, they must install the VPN client software on their devices.

The VPN client encapsulates and encrypts traffic sent from the user to the organization’s LAN.

The organization’s VPN gateway then decrypts the traffic received from the remote user.

A remote-access VPN is best used in organizations with no more than three branch offices, each with at most five employees. It is more cost-effective for a small organization to use a remote access VPN instead of a site-to-site VPN.

However, the overall network performance and speed might be affected depending on the distance between the two locations.

Software-Defined Wide Area Network (SD-WAN)

SD-WAN is a virtual WAN architecture that simplifies the management and control of a WAN by abstracting the networking hardware. It enables the bonding of internet resources such as Digital Subscriber Line (DSL) or any other IP transport.

SD-WAN also reduces an organization's operating costs and bandwidth consumption.

Many organizations are transitioning from site-to-site VPNs and replacing MPLS circuits with public internet infrastructure used by SD-WAN.

It is important to note that SD-WAN needs a high-throughput IP tunnel to facilitate communication from remote users to the central office.

Throughput is the capacity of a given system to send data to another system within a specific timeframe.

For this reason, it’s not recommended for remote users to use a single DSL or cable modem to communicate with the central office. Great SD-WAN architecture enables high-speed communication between the remote user or branch office and the central office even if the branch office locations are far apart.

SD-WAN Features

Some common features of SD-WAN include:

  • Dynamic network path selection that depends on policies.
  • Traffic controls based on the type of application.
  • Integrated Dynamic Host Configuration Protocol (DHCP), Network Address Translation (NAT), and a Virtual Local Area Network (VLAN) to improve the security and reliability of the network.
  • Load balancing to prevent a single server from overloading and crashing, ensuring better network performance.

Cloud VPN

Cloud VPNs allow organizations to manage and secure their cloud resources, giving remote users VPN access to the resources in the cloud. This VPN is ideal for an organization with employees who rely on smartphones and laptops to access organization resources.

Users receive secure access to all applications and gain full visibility of traffic running across all ports and protocols.

However, this option is not cost-effective if an organization transitions to the cloud while using the traditional MPLS method.

Here's why:

  • MPLS routes traffic through the organization’s central office and then sends it to the cloud.
  • Bandwidth increases when an organization moves its business applications to the cloud while still using the traditional MPLS method.

In that case, it is advisable to supplement MPLS with other connections. This helps manage cloud storage efficiently.

Here are some proven ways to manage MPLS while utilizing the cloud:

MPLS offloading: Involves a direct-to-internet connection and offloads traffic destined for the cloud. Thus, the MPLS circuit will only send traffic to the headquarters.

Replacing MPLS with direct-to-internet: An organization utilizing the cloud might decide to do away with the MPLS circuit at a branch office and replace it with a public internet connection.

Benefits of Cloud VPN

  • Branch offices and remote users can connect directly to the cloud, simplifying the entire process.
  • The IT maintenance personnel do not need to visit each branch office to mitigate issues physically.

A site-to-site VPN allows organizations to establish connections with their branch offices at different geographical locations over the internet. It provides remote users access to resources located at the central office or headquarters. If your organization has multiple branches spread across different geographical locations, having a site-to-site VPN would be a great idea.
