What is a VPN — site-to-site vs point-to-site, and when it actually matters
VPN stands for Virtual Private Network. It creates an encrypted tunnel between two points — but there are two very different architectures, and they solve very different problems. Here's how to tell which one you need.
What is a VPN?
VPN stands for Virtual Private Network. In simple terms, it creates an encrypted tunnel between two points over the public internet — allowing private data to travel safely across a network that wouldn't otherwise be trusted.
Without a VPN, data travelling between your computer and a remote server passes through whatever network infrastructure exists between them — internet service providers, public Wi-Fi access points, potentially hostile infrastructure. A VPN encrypts that data at the source and decrypts it only at the intended destination, so anything intercepted along the way is unreadable.
There are two fundamentally different VPN architectures, and they serve very different purposes:
Site-to-site VPN
A site-to-site VPN connects two entire networks to each other — typically two office locations, or an office and a data centre, or a headquarters and a branch. Once the VPN is established, all devices on both networks can communicate as if they're on the same local network, even though they're physically in different locations.
This type of VPN is set up at the network level, usually through dedicated hardware (routers or firewalls with VPN capability). Individual users don't need to do anything — the connection is always on.
- Use case: A company with two offices wants employees in both locations to access shared file servers, internal tools, and printers as if they were in the same building.
- Use case: A business wants to connect its office network to cloud infrastructure (AWS, Azure, GCP) securely and permanently — so servers in the cloud behave as if they're part of the internal network.
- Who sets it up: A network engineer or IT provider, typically using enterprise networking equipment.
Point-to-site VPN
A point-to-site VPN (also called a remote access VPN) connects an individual device — a laptop, a phone — to a private network. The user installs a VPN client, connects to the company's VPN server, and their device behaves as if it's physically inside the company network.
This is the architecture used when remote employees need to access internal resources — file shares, databases, internal web applications, development environments — that aren't exposed to the public internet.
- Use case: A developer working from home needs to access a database on a company server that's not publicly accessible. They connect via the company VPN and gain secure access.
- Use case: An employee travelling and working from a hotel Wi-Fi needs to connect to internal systems. The VPN encrypts their traffic and gives them secure access.
- Examples: WireGuard, OpenVPN, Cisco AnyConnect, Tailscale — these are common protocols and products used for point-to-site VPN.
This is the type of VPN most businesses encounter first. It's also the type that consumer VPN products (NordVPN, ExpressVPN, Mullvad) are loosely based on — though consumer VPNs route your traffic through a commercial VPN provider's servers rather than your company's network.
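To make the distinction concrete, here are constructed WireGuard configurations for the two architectures described above (added here as an illustration, not taken from the original article or from the WireGuard project): the same tool expresses a site-to-site link by listing a whole remote subnet in AllowedIPs and forwarding on the gateway, and a point-to-site client by a single /32 address. All keys, hostnames, addresses and the eth0 interface name are placeholders.

```ini
# File 1 (constructed): /etc/wireguard/wg0.conf on the Office A gateway (site-to-site)
# Office A LAN 10.1.0.0/24, Office B LAN 10.2.0.0/24, tunnel network 10.99.0.0/24.
# Both gateways need net.ipv4.ip_forward=1, and each LAN must route the remote
# subnet and the tunnel network to its own gateway, so hosts reach each other transparently.
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <OFFICE_A_PRIVATE_KEY>        # placeholder, generate with: wg genkey
# Forward only between the tunnel and the LAN interface (eth0 assumed).
PostUp   = iptables -A FORWARD -i %i -o eth0 -j ACCEPT; iptables -A FORWARD -i eth0 -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o eth0 -j ACCEPT; iptables -D FORWARD -i eth0 -o %i -j ACCEPT

[Peer]
# Office B gateway. AllowedIPs lists the peer's tunnel address AND its whole LAN:
# that second entry is what makes this site-to-site rather than a single-device link.
PublicKey = <OFFICE_B_PUBLIC_KEY>          # placeholder
Endpoint = vpn-b.example.com:51820         # placeholder hostname
AllowedIPs = 10.99.0.2/32, 10.2.0.0/24
PersistentKeepalive = 25

[Peer]
# A remote laptop (point-to-site). One device, one /32: no LAN behind it.
PublicKey = <LAPTOP_PUBLIC_KEY>            # placeholder
AllowedIPs = 10.99.0.10/32

# File 2 (constructed): wg0.conf on the remote laptop (point-to-site client)
[Interface]
Address = 10.99.0.10/32
PrivateKey = <LAPTOP_PRIVATE_KEY>          # placeholder
DNS = 10.1.0.53                            # placeholder internal resolver for internal names

[Peer]
PublicKey = <OFFICE_A_PUBLIC_KEY>          # placeholder
Endpoint = vpn-a.example.com:51820         # placeholder hostname
# Split tunnel: only traffic for the office LAN goes through the VPN; ordinary
# HTTPS browsing stays direct. On hotel Wi-Fi, where you want everything
# encrypted to the office, use "AllowedIPs = 0.0.0.0/0" (full tunnel) instead.
AllowedIPs = 10.1.0.0/24
PersistentKeepalive = 25
```

On a consumer VPN the client file looks like File 2 with AllowedIPs = 0.0.0.0/0, except that the Endpoint is the provider's server rather than your own office, which is exactly the shift of trust the article describes.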
When a VPN matters
A VPN is genuinely valuable in specific scenarios:
- Remote access to internal systems: If your business runs servers or services that aren't (and shouldn't be) publicly accessible, a VPN is the right way for remote employees to reach them securely.
- Working on untrusted networks: Public Wi-Fi in hotels, airports, and cafés is inherently untrustworthy. A VPN encrypts your traffic so that others on the same network can't read it, even if they capture it.
- Multi-site organisations: If your business has several offices that need to share internal resources, a site-to-site VPN creates that connection transparently.
- Compliance requirements: Some regulatory frameworks mandate encryption in transit for sensitive data — a VPN can satisfy part of that requirement.
When a VPN doesn't matter much
VPNs are often oversold. For many small businesses, a VPN is not the right tool — or not the priority:
- SaaS-only businesses: If all your tools are cloud-based (Gmail, Notion, Salesforce, Slack, Figma) and none of your services are self-hosted, there's no "private network" to tunnel into. A VPN adds complexity without adding much security.
- Already using HTTPS everywhere: Modern web traffic is already encrypted between the browser and the server using TLS (the "S" in HTTPS). What a VPN adds is hiding the metadata around the request from the local network, such as which servers you are talking to — which can matter in some contexts, but less so for typical business browsing.
- Consumer VPNs for "privacy": Consumer VPN products shift trust from your ISP to the VPN provider. For businesses, this is rarely a meaningful security improvement unless the VPN provider's privacy guarantees are significantly stronger than your ISP's.
Common misconceptions
- "A VPN makes me anonymous online." — Not really. A VPN masks your IP address and encrypts your traffic from your ISP, but your VPN provider can see your traffic. If you're logged into Google or Facebook, they still know who you are regardless of VPN.
- "A VPN protects against malware." — It doesn't. A VPN only encrypts network traffic. It doesn't scan files, block malicious websites, or prevent you from downloading something harmful.
- "All VPNs are the same." — Enterprise VPNs used to connect remote workers to company infrastructure are a completely different product from consumer VPNs used to bypass geoblocking. The name is the same; the purpose and architecture are entirely different.
- "You need a VPN for GDPR compliance." — GDPR requires appropriate security measures for personal data. A VPN may be part of that — but HTTPS, access controls, and encryption at rest are usually more relevant first steps.