VPN Technologies and Protocols

Virtual Private Network (VPN) technologies create encrypted tunnels across shared or public network infrastructure, enabling private communication between endpoints that may be geographically distributed. This page covers the major VPN protocol families, their structural mechanisms, the regulatory and compliance contexts in which they appear, and the decision criteria that distinguish one implementation from another. The scope includes both enterprise remote-access deployments and site-to-site configurations relevant to organizations operating under US federal and commercial security standards.


Definition and scope

A VPN is a logical network overlay that encapsulates and encrypts traffic between two or more endpoints, isolating that traffic from the underlying transit network. The National Institute of Standards and Technology defines VPNs in NIST Special Publication 800-77 Rev. 1 as networks that use tunneling, encryption, and authentication to extend private network connectivity across public infrastructure.

VPN deployments fall into three primary classification categories:

  1. Remote-access VPN — A single endpoint (typically a user device) connects to a centrally managed gateway, establishing authenticated, encrypted access to internal resources.
  2. Site-to-site VPN — Two fixed network gateways establish a persistent encrypted tunnel linking two discrete private networks, commonly used between corporate offices or data centers.
  3. Client-to-client (peer-to-peer) VPN — Endpoints communicate directly through a mesh or point-to-point encrypted channel without a central gateway broker, associated with protocols such as WireGuard in mesh topologies.

The scope of VPN technology intersects with several federal regulatory frameworks. The Federal Information Security Modernization Act (FISMA), codified at 44 U.S.C. § 3551 et seq., requires federal agencies to implement controls — including encrypted remote access — documented in NIST SP 800-53. Control family SC-8 (Transmission Confidentiality and Integrity) and AC-17 (Remote Access) directly govern VPN policy in federal environments (NIST SP 800-53 Rev. 5).

Organizations handling payment card data must also satisfy PCI DSS v4.0 Requirement 8.4, which mandates multi-factor authentication for all non-console administrative access into the cardholder data environment (8.4.1) and for all remote network access originating from outside the entity's network (8.4.3); both are typically enforced at the VPN gateway's authentication step (PCI Security Standards Council, PCI DSS v4.0).



How it works

VPN operation depends on two core processes: tunneling and cryptographic protection. Tunneling encapsulates each original IP packet inside a new outer packet addressed to the far end of the tunnel; in the gateway-to-gateway case the transit network sees only the gateways' addresses, never the inner source, destination, or protocol. Cryptographic protection encrypts the encapsulated packet, authenticates its origin, and detects any modification in transit. Modern deployments use an authenticated-encryption (AEAD) cipher such as AES-GCM or ChaCha20-Poly1305 that does both in one pass, plus a per-packet sequence number so that the receiver can reject replayed packets.

The principal protocol families in production use:

IPsec (Internet Protocol Security) — Defined by the IETF in RFC 4301, IPsec operates at Layer 3 and comprises two sub-protocols: Authentication Header (AH, RFC 4302), which provides integrity and origin authentication without confidentiality, and Encapsulating Security Payload (ESP, RFC 4303), which provides both encryption and integrity. ESP is the one used in practice: AH also covers the outer IP header and therefore breaks under NAT. Keys and algorithms are negotiated by the Internet Key Exchange protocol (IKEv2, RFC 7296), which also authenticates the peers by pre-shared key, certificate, or EAP. IPsec supports two modes: Transport mode, which protects only the payload of the original IP packet, and Tunnel mode, which encapsulates and protects the entire original packet behind a new outer header, the standard configuration for gateway-to-gateway VPNs. NIST SP 800-77 Rev. 1 recommends ESP in tunnel mode with AES-GCM for such deployments; the Suite B IPsec profile (RFC 6379), which specifies AES-256-GCM for ESP with SHA-384-based integrity and PRF in IKEv2, has since been superseded for national-security systems by the CNSA suite, which keeps AES-256 and SHA-384. For IPsec to pass intermediate firewalls, UDP port 500 (IKE), UDP port 4500 (NAT traversal, RFC 3948) and, without NAT-T, IP protocol 50 (ESP) must be allowed.

TLS/SSL-based VPN — Builds the tunnel on a TLS session, typically carried on TCP port 443 so that it resembles ordinary HTTPS to firewalls and proxies. OpenVPN, a widely deployed open-source implementation, uses OpenSSL for its TLS control channel and runs over either UDP (its default, with its own reliability layer for the TLS handshake rather than DTLS) or TCP; other TLS VPNs, such as Cisco AnyConnect and the OpenConnect client, use DTLS (RFC 6347, RFC 9147) for the UDP data path. TLS VPNs traverse NAT and restrictive firewalls more reliably than IPsec because port 443 is rarely blocked. The price of TCP transport is that inner TCP connections ride inside an outer TCP stream, so a single loss triggers retransmission at both layers (the "TCP meltdown" effect); UDP transport should be used wherever the path allows it.
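Tunnel-mode ESP as described in the IPsec entry above, as an added example that is not code from this page or from any IPsec implementation: a Go program (standard library only) that wraps a constructed inner IPv4 packet in an ESP header, encrypts it with AES-256-GCM as profiled in RFC 4106 (a 4-byte salt plus an 8-byte per-packet IV form the nonce; SPI and sequence number are the authenticated but unencrypted header), appends the RFC 4303 trailer, and on the receiving side enforces a 64-packet anti-replay window. The SPI, key, salt and addresses are sample values chosen for the example; a real SA receives them from IKEv2.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	espHdrLen      = 8  // SPI (4) + sequence number (4), RFC 4303
	espIVLen       = 8  // per-packet IV sent in the clear, RFC 4106
	nextHeaderIPv4 = 4  // Next Header value for an inner IPv4 packet (tunnel mode)
	replayWindow   = 64 // anti-replay window size, RFC 4303 section 3.4.3
)

// SA is one direction of an ESP security association keyed for AES-256-GCM.
type SA struct {
	spi     uint32
	salt    [4]byte     // from the key material (RFC 4106 section 4); GCM nonce = salt || IV
	aead    cipher.AEAD // 12-byte nonce, 16-byte ICV
	seq     uint32      // sender: last sequence number used
	highest uint32      // receiver: highest authenticated sequence number
	window  uint64      // receiver: bit i set means highest-i was already accepted
}

func NewSA(spi uint32, key []byte, salt [4]byte) (*SA, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &SA{spi: spi, salt: salt, aead: aead}, err
}

// Encapsulate emits SPI || Seq || IV || AES-GCM(inner || pad || padLen || nextHdr) || ICV.
func (sa *SA) Encapsulate(inner []byte) ([]byte, error) {
	if sa.seq == 0xffffffff {
		return nil, errors.New("sequence space exhausted: rekey the SA") // RFC 4303 section 3.3.3
	}
	sa.seq++
	padLen := (4 - (len(inner)+2)%4) % 4 // padLen and nextHdr must end on a 4-byte boundary
	plain := append([]byte{}, inner...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // default 1,2,3,... padding, RFC 4303 section 2.4
	}
	plain = append(plain, byte(padLen), nextHeaderIPv4)
	hdr, iv := make([]byte, espHdrLen), make([]byte, espIVLen)
	binary.BigEndian.PutUint32(hdr, sa.spi)
	binary.BigEndian.PutUint32(hdr[4:], sa.seq)
	binary.BigEndian.PutUint64(iv, uint64(sa.seq)) // IV must never repeat under one key: tie it to the counter
	nonce := append(sa.salt[:], iv...)
	return sa.aead.Seal(append(hdr, iv...), nonce, plain, hdr), nil // hdr is authenticated, not encrypted
}

// Decapsulate screens the sequence number, verifies the ICV and decrypts, then advances
// the replay window and strips the trailer, returning the inner IPv4 packet.
func (sa *SA) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < espHdrLen+espIVLen+sa.aead.Overhead()+2 || binary.BigEndian.Uint32(pkt) != sa.spi {
		return nil, errors.New("short packet or unknown SPI")
	}
	hdr, seq := pkt[:espHdrLen], binary.BigEndian.Uint32(pkt[4:])
	if err := sa.replayCheck(seq); err != nil { // cheap rejection before any crypto
		return nil, err
	}
	nonce := append(sa.salt[:], pkt[espHdrLen:espHdrLen+espIVLen]...)
	plain, err := sa.aead.Open(nil, nonce, pkt[espHdrLen+espIVLen:], hdr)
	if err != nil {
		return nil, fmt.Errorf("ICV check failed: %w", err)
	}
	sa.replayUpdate(seq) // only an authenticated packet may move the window
	padLen, nextHdr := int(plain[len(plain)-2]), plain[len(plain)-1]
	if nextHdr != nextHeaderIPv4 || padLen+2 > len(plain) {
		return nil, errors.New("malformed ESP trailer")
	}
	return plain[:len(plain)-2-padLen], nil
}

func (sa *SA) replayCheck(seq uint32) error {
	if seq == 0 {
		return errors.New("sequence number 0 is invalid")
	}
	if seq > sa.highest {
		return nil // right of the window: new
	}
	if d := sa.highest - seq; d >= replayWindow || sa.window&(1<<d) != 0 {
		return errors.New("replayed or too-old packet")
	}
	return nil
}

func (sa *SA) replayUpdate(seq uint32) {
	if seq <= sa.highest { // inside the window: mark the slot
		sa.window |= 1 << (sa.highest - seq)
		return
	}
	if shift := seq - sa.highest; shift < replayWindow { // slide the window up to seq
		sa.window <<= shift
	} else {
		sa.window = 0
	}
	sa.window, sa.highest = sa.window|1, seq
}

// innerPacket is a constructed sample: a 20-byte IPv4 header (10.0.0.10 -> 10.0.1.20,
// protocol 17 = UDP, header checksum left zero) followed by a 5-byte payload.
var innerPacket = append([]byte{0x45, 0, 0, 25, 0, 1, 0x40, 0, 0x40, 0x11, 0, 0, 10, 0, 0, 10, 10, 0, 1, 20}, "hello"...)

func main() {
	key := make([]byte, 32) // sample key; a real SA gets SK_e from IKEv2
	tx, _ := NewSA(0x1000, key, [4]byte{1, 2, 3, 4})
	rx, _ := NewSA(0x1000, key, [4]byte{1, 2, 3, 4})
	pkt, _ := tx.Encapsulate(innerPacket)
	got, err := rx.Decapsulate(pkt)
	_, replayErr := rx.Decapsulate(pkt)
	fmt.Printf("delivered %d inner bytes (err=%v); replay: %v\n", len(got), err, replayErr)
}
```

The order of checks on receipt is the security-relevant part: the sequence number is screened against the window before any decryption so that replays cost nothing, but the window only advances after the ICV verifies. Advancing it on the preliminary check would let anyone who can inject packets push the window forward with forged sequence numbers and lock out the legitimate sender.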

WireGuard — A newer protocol built on the Noise framework: Curve25519 for key exchange, ChaCha20-Poly1305 for authenticated encryption, and BLAKE2s for hashing and key derivation. The cipher suite is fixed by design; there is no negotiation, so a broken primitive would be addressed by a new protocol version rather than by reconfiguration, which removes a whole class of downgrade bugs but also means ciphers cannot be swapped to satisfy a policy. The original kernel implementation totals approximately 4,000 lines, compared to tens of thousands of lines in OpenVPN or the strongSwan IPsec stack, which both shrinks the attack surface and keeps the entire protocol within reach of a single audit. WireGuard was merged into the Linux kernel in version 5.6 (released March 2020).

L2TP/IPsec — Layer 2 Tunneling Protocol (RFC 2661) combined with IPsec. L2TP provides the tunnel (PPP frames carried over UDP port 1701); an IPsec transport-mode SA protects that UDP traffic (RFC 3193). Each packet therefore pays for two encapsulations, which is why the pairing is less performant than native IPsec tunnel mode or WireGuard. It remains common in legacy enterprise deployments and is natively supported in Windows, macOS, and iOS without third-party clients, though such deployments often still negotiate keys with IKEv1, which the IETF has deprecated in favor of IKEv2 (RFC 9395).
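The IKEv2 session key negotiation that the IPsec entry above mentions, as an added example that is not code from this page or from any IKE implementation: a Go program (standard library only) that runs the key-agreement half of the IKE_SA_INIT exchange between an initiator and a responder and derives the seven IKE_SA keys exactly as RFC 7296 section 2.14 specifies. Assumptions, labelled in the code: DH group 19 (P-256, RFC 5903), PRF_HMAC_SHA2_256, and 256-bit integrity and encryption keys; nonces and SPIs are generated locally rather than parsed from real IKE payloads, and the IKE_AUTH step (certificate, PIV or pre-shared-key authentication of the peers) is out of scope.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Key lengths for the transform set assumed here: PRF_HMAC_SHA2_256,
// AUTH_HMAC_SHA2_256_128 (32-byte integrity key) and AES with a 256-bit key.
const prfLen, integLen, encLen = 32, 32, 32

// prf is PRF_HMAC_SHA2_256 (RFC 4868), the negotiated IKE_SA pseudorandom function.
func prf(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

func concat(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		out = append(out, p...)
	}
	return out
}

// prfPlus is the key expansion of RFC 7296 section 2.13:
// T1 = prf(K, S | 0x01), T2 = prf(K, T1 | S | 0x02), ...; output is T1 | T2 | ... cut to n bytes.
func prfPlus(key, seed []byte, n int) []byte {
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ {
		prev = prf(key, concat(prev, seed, []byte{i}))
		out = append(out, prev...)
	}
	return out[:n]
}

// IKEKeys are the seven keys of RFC 7296 section 2.14: SK_d seeds CHILD_SA keys, the *i
// keys protect messages the initiator sends, the *r keys messages the responder sends.
type IKEKeys struct {
	SKd, SKai, SKar, SKei, SKer, SKpi, SKpr []byte
}

// deriveIKEKeys: SKEYSEED = prf(Ni | Nr, g^ir) and
// {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr).
func deriveIKEKeys(gir, ni, nr, spiI, spiR []byte) IKEKeys {
	skeyseed := prf(concat(ni, nr), gir)
	km := prfPlus(skeyseed, concat(ni, nr, spiI, spiR), prfLen+2*integLen+2*encLen+2*prfLen)
	next := func(n int) []byte { k := km[:n]; km = km[n:]; return k }
	return IKEKeys{SKd: next(prfLen), SKai: next(integLen), SKar: next(integLen),
		SKei: next(encLen), SKer: next(encLen), SKpi: next(prfLen), SKpr: next(prfLen)}
}

// peer is one side of IKE_SA_INIT: an ephemeral key for DH group 19 (P-256, RFC 5903),
// a fresh nonce (RFC 7296 requires at least 128 bits) and the 8-byte SPI it chose.
type peer struct {
	key        *ecdh.PrivateKey
	nonce, spi []byte
}

func newPeer() (*peer, error) {
	key, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	p := &peer{key: key, nonce: make([]byte, 32), spi: make([]byte, 8)}
	for _, b := range [][]byte{p.nonce, p.spi} {
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
	}
	return p, nil
}

// ikeSAInit runs the key-agreement half of the IKE_SA_INIT exchange. The initiator sends
// KEi, Ni and SPIi; the responder answers with KEr, Nr and SPIr. Each side computes g^ir
// (for an ECP group the shared secret is the x-coordinate only, which is what ECDH returns)
// and derives the IKE_SA keys. Both derivations are returned so a caller can compare them.
func ikeSAInit() (initiator, responder IKEKeys, err error) {
	i, err := newPeer()
	if err != nil {
		return
	}
	r, err := newPeer()
	if err != nil {
		return
	}
	girI, err := i.key.ECDH(r.key.PublicKey()) // initiator: own private key, responder's KEr
	if err != nil {
		return
	}
	girR, err := r.key.ECDH(i.key.PublicKey()) // responder: own private key, initiator's KEi
	if err != nil {
		return
	}
	initiator = deriveIKEKeys(girI, i.nonce, r.nonce, i.spi, r.spi)
	responder = deriveIKEKeys(girR, i.nonce, r.nonce, i.spi, r.spi)
	if !bytes.Equal(initiator.SKd, responder.SKd) {
		err = errors.New("key derivation diverged")
	}
	return
}

func main() {
	ik, rk, err := ikeSAInit()
	if err != nil {
		panic(err)
	}
	fmt.Printf("SK_d  = %x\nSK_ei = %x\nresponder agrees: %v\n", ik.SKd, ik.SKei, bytes.Equal(ik.SKei, rk.SKei))
}
```

Nothing secret crosses the wire: only public keys, nonces and SPIs are exchanged, and every key is split by direction (SK_ei versus SK_er, SK_ai versus SK_ar), so a message captured in one direction cannot be replayed in the other. These keys protect the IKE_SA only; CHILD_SA (ESP) keys are derived separately from SK_d, and a man-in-the-middle on the exchange is excluded only once IKE_AUTH binds it to the peers' credentials.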


Common scenarios

VPN technologies appear in four recurring operational contexts within the US cybersecurity service sector:

Federal remote workforce access — Agencies subject to FISMA implement remote-access VPNs with PIV (Personal Identity Verification) card authentication under FIPS 201-3 standards (NIST FIPS 201-3). IPsec IKEv2 with certificate-based authentication satisfies the SP 800-77 cryptographic requirements for these environments.

Healthcare and HIPAA-regulated environments — The HIPAA Security Rule at 45 C.F.R. § 164.312(e)(1) requires transmission security controls for electronic protected health information (ePHI). VPNs are the predominant mechanism used to satisfy this requirement when data traverses public networks between covered entities and business associates.

PCI DSS cardholder data environments — Retailers and payment processors use site-to-site IPsec tunnels to connect point-of-sale networks to processing infrastructure while maintaining network segmentation requirements under PCI DSS v4.0 Requirement 1.

Zero Trust transition architectures — The Office of Management and Budget Memorandum M-22-09 (OMB M-22-09), issued in January 2022, directs federal agencies toward Zero Trust architectures that reduce reliance on traditional perimeter VPNs. In these hybrid transition states, VPNs remain operational for legacy application access while identity-based micro-segmentation is built out in parallel.


Decision boundaries

Selecting a VPN protocol or architecture involves discrete tradeoffs across performance, compatibility, auditability, and regulatory suitability. The comparison below establishes the primary decision axes:

IPsec vs. TLS-based VPN
IPsec operates below the transport layer, so it is transparent to applications, protects all IP traffic including non-TCP protocols (e.g., UDP-based voice and video), and can be offloaded to hardware on gateways. TLS VPNs run as user-space daemons that feed a generic TUN/TAP interface; they are easier to pass through restrictive firewalls (one TCP or UDP port that looks like HTTPS) and do not depend on the operating system's IPsec stack. Environments where strict port filtering is common favor TLS. Environments with high-throughput or latency-sensitive UDP traffic favor IPsec ESP with hardware offload, and where a TLS VPN is used anyway it should run over UDP rather than TCP.

WireGuard vs. OpenVPN
WireGuard's small codebase simplifies third-party security audits, and because it runs in the kernel with a single AEAD cipher it shows measurably lower CPU overhead per packet than OpenVPN in published benchmarks, including the WireGuard project's own. OpenVPN's longer operational history means it has broader penetration testing tooling and more documented hardening guidance. For FIPS 140-3 requirements, WireGuard is ruled out by its fixed cipher suite: ChaCha20-Poly1305 is not a FIPS-approved algorithm, and the protocol offers no negotiation that would let a deployment substitute AES; IPsec using AES-256-GCM from a validated cryptographic module remains the FIPS-compliant default.

Site-to-site vs. remote-access architecture
Site-to-site VPNs are appropriate when two fixed network perimeters require persistent, high-throughput interconnection — branch offices, data center interconnects, or hybrid cloud egress points. Remote-access VPNs scale to variable endpoint populations but introduce endpoint trust considerations absent in gateway-to-gateway models. The Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-073A identifies unpatched VPN gateways as a high-priority attack surface, underscoring that remote-access deployments require rigorous patch management discipline independent of protocol choice.


